Merge pull request #3245 from fosrl/dev

Bugfixes
Properly hide things with disable enterprise flag
2026-06-12 10:29:51 +00:00 · 2026-06-11 16:17:41 -07:00 · 2026-06-11 16:10:29 -07:00 · 2026-06-11 16:01:32 -07:00 · 2026-06-11 15:02:29 -07:00 · 2026-06-11 12:38:08 -07:00
353 changed files with 16042 additions and 14650 deletions
--- a/.cursor/rules/Button-loading-state.mdc
+++ b/.cursor/rules/Button-loading-state.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When adding submit buttons, don't change the text of the button during the loading state. Text should stay static and you should use the loading prop on the button.
--- a/.cursor/rules/Components.mdc
+++ b/.cursor/rules/Components.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When creating UI for popup dialogs or modals, use the Credenza componennt. This component is mobile responsive and works on desktop and wraps the dialog component and sheet into one.
--- a/.cursor/rules/TypeScript-rules.mdc
+++ b/.cursor/rules/TypeScript-rules.mdc
@@ -0,0 +1,7 @@
+---
+alwaysApply: true
+---
+
+When writing TypeScript:
+
+Prefer to use types instead of interfaces.
--- a/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
+++ b/.cursor/rules/Use-React-form-and-Zod-schemas.mdc
@@ -0,0 +1,5 @@
+---
+alwaysApply: true
+---
+
+When creating forms, use React form for validation and use Zod schemas.
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,4 +34,5 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
-allowedDevOrigins.json
+allowedDevOrigins.json
+scratch/
--- a/cli/commands/setServerAdmin.ts
+++ b/cli/commands/setServerAdmin.ts
@@ -4,19 +4,26 @@ import { eq } from "drizzle-orm";

 type SetServerAdminArgs = {
    email: string;
+    remove: boolean;
 };

 export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
    command: "set-server-admin",
-    describe: "Mark any user as a server admin by email address",
+    describe: "Add or remove server admin by email address",
    builder: (yargs) => {
-        return yargs.option("email", {
-            type: "string",
-            demandOption: true,
-            describe: "User email address"
-        });
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "User email address"
+            })
+            .option("remove", {
+                type: "boolean",
+                default: false,
+                describe: "Remove server admin status from the user"
+            });
    },
-    handler: async (argv: { email: string }) => {
+    handler: async (argv: SetServerAdminArgs) => {
        try {
            const email = argv.email.trim().toLowerCase();

@@ -31,6 +38,33 @@ export const setServerAdmin: CommandModule<{}, SetServerAdminArgs> = {
                process.exit(1);
            }

+            if (argv.remove) {
+                if (!user.serverAdmin) {
+                    console.log(`User '${email}' is not a server admin`);
+                    process.exit(0);
+                }
+
+                const serverAdmins = await db
+                    .select()
+                    .from(users)
+                    .where(eq(users.serverAdmin, true));
+
+                if (serverAdmins.length <= 1) {
+                    console.error(
+                        "Cannot remove server admin: at least one server admin must exist"
+                    );
+                    process.exit(1);
+                }
+
+                await db
+                    .update(users)
+                    .set({ serverAdmin: false })
+                    .where(eq(users.userId, user.userId));
+
+                console.log(`Server admin status removed from user '${email}'`);
+                process.exit(0);
+            }
+
            if (user.serverAdmin) {
                console.log(`User '${email}' is already a server admin`);
                process.exit(0);
--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -38,7 +38,5 @@ flags:
    disable_user_create_org: false
    allow_raw_resources: true

-{{if .IsPostgreSQL}}
-postgres:
-  connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin
-{{end}}
+{{if .IsPostgreSQL}}postgres:
+    connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin{{end}}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -7,23 +7,17 @@ services:
    deploy:
      resources:
        limits:
-          memory: 1g
+          memory: 2g
        reservations:
-          memory: 256m
-{{if or .IsPostgreSQL .IsRedis}}
-    depends_on:
-    {{if .IsPostgreSQL}}
-      postgres:
-        condition: service_healthy
-    {{end}}
-    {{if .IsRedis}}
-      redis:
-        condition: service_healthy
-    {{end}}
+          memory: 512m
+    {{if or .IsPostgreSQL .IsRedis}}depends_on:
+      {{if .IsPostgreSQL}}postgres:
+          condition: service_healthy{{end}}
+      {{if .IsRedis}}redis:
+          condition: service_healthy{{end}}
    networks:
      - default
-      - backend
-{{end}}
+      - backend{{end}}
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -31,8 +25,8 @@ services:
      interval: "10s"
      timeout: "10s"
      retries: 15
-{{if .InstallGerbil}}
-  gerbil:
+
+  {{if .InstallGerbil}}gerbil:
    image: docker.io/fosrl/gerbil:{{.GerbilVersion}}
    container_name: gerbil
    restart: unless-stopped
@@ -53,17 +47,16 @@ services:
      - 21820:21820/udp
      - 443:443
      - 443:443/udp # For http3 QUIC if desired
-      - 80:80
-{{end}}
+      - 80:80{{end}}
+
  traefik:
    image: docker.io/traefik:v3.6
    container_name: traefik
    restart: unless-stopped
-{{if .InstallGerbil}}    network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
+    {{if .InstallGerbil}}network_mode: service:gerbil # Ports appear on the gerbil service{{end}}{{if not .InstallGerbil}}
    ports:
      - 443:443
-      - 80:80
-{{end}}
+      - 80:80{{end}}
    depends_on:
      pangolin:
        condition: service_healthy
@@ -74,8 +67,7 @@ services:
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs

-{{if .IsPostgreSQL}}
-  postgres:
+  {{if .IsPostgreSQL}}postgres:
    image: postgres:18
    container_name: postgres
    restart: unless-stopped
@@ -91,11 +83,9 @@ services:
      timeout: 5s
      retries: 5
    networks:
-      - backend
-{{end}}
+      - backend{{end}}

-{{if .IsRedis}}
-  redis:
+  {{if .IsRedis}}redis:
    image: redis:8-trixie
    container_name: redis
    restart: unless-stopped
@@ -113,17 +103,14 @@ services:
      retries: 3
      start_period: 10s
    networks:
-      - backend
-{{end}}
+      - backend{{end}}

 networks:
  default:
    driver: bridge
    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
-{{if or .IsPostgreSQL .IsRedis}}
-  backend:
+{{if or .IsPostgreSQL .IsRedis}}  backend:
    driver: bridge
    name: pangolin_backend
-    internal: true
-{{end}}
+    internal: true{{end}}
--- a/install/config/privateConfig.yml
+++ b/install/config/privateConfig.yml
@@ -1,6 +1,4 @@
-{{if .IsRedis}}
-redis:
+{{if .IsRedis}}redis:
  host: "redis"
  port: 6379
-  password: "{{.IsRedisPass}}"
-{{end}}
+  password: "{{.IsRedisPass}}"{{end}}
--- a/install/main.go
+++ b/install/main.go
@@ -71,9 +71,12 @@ const (
 	Undefined SupportedContainer = "undefined"
 )

+var redisFlag *bool
+
 func main() {

 	crowdsecFlag := flag.Bool("crowdsec", false, "Enable the CrowdSec installation prompt")
+	redisFlag = flag.Bool("redis", false, "Install Redis as cacheing solution. Required for HA. Not required for the Enterprise version.")
 	flag.Parse()

 	// print a banner about prerequisites - opening port 80, 443, 51820, and 21820 on the VPS and firewall and pointing your domain to the VPS IP with a records. Docs are at http://localhost:3000/Getting%20Started/dns-networking
@@ -491,13 +494,13 @@ func collectUserInput() Config {

 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
    if config.IsEnterprise {
-        config.IsRedis = readBool("Do you want to run the Redis containers locally? Required for HA.")
-        if config.IsRedis {
+        if *redisFlag {
+			config.IsRedis = true
            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
        }
    }

-    config.IsPostgreSQL = readBool("Do you want to run the PostgreSQL containers locally? Otherwise, default to the local SQLite database only.", false)
+    config.IsPostgreSQL = readBool("Do you want to use PostgreSQL (not recommended for most users)?", false)
 	if config.IsPostgreSQL {
 		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
 	}
@@ -544,7 +547,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")

 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ASN databases for blocking functionality?", true)

 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Моля, изберете ресурс",
    "proxyResourceTitle": "Управление на обществени ресурси",
    "proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
-    "proxyResourcesBannerTitle": "Публичен достъп чрез уеб.",
-    "proxyResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
+    "publicResourcesBannerTitle": "Публичен достъп чрез уеб.",
+    "publicResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
    "clientResourceTitle": "Управление на частни ресурси",
    "clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
    "privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Zvolte prosím zdroj",
    "proxyResourceTitle": "Spravovat veřejné zdroje",
    "proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
-    "proxyResourcesBannerTitle": "Veřejný přístup založený na webu",
-    "proxyResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
+    "publicResourcesBannerTitle": "Veřejný přístup založený na webu",
+    "publicResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
    "clientResourceTitle": "Spravovat soukromé zdroje",
    "clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
    "privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
    "proxyResourceTitle": "Öffentliche Ressourcen verwalten",
    "proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
-    "proxyResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
-    "proxyResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
+    "publicResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
+    "publicResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
    "clientResourceTitle": "Private Ressourcen verwalten",
    "clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
    "privateResourcesBannerTitle": "Zero-Trust-Zugriff auf private Ressourcen",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -101,6 +101,8 @@
    "sitesTableViewPrivateResources": "View Private Resources",
    "siteInstallNewt": "Install Site",
    "siteInstallNewtDescription": "Install the site connector for your system",
+    "siteInstallKubernetesDocsDescription": "For more and up to date Kubernetes installation information, see <docsLink>docs.pangolin.net/manage/sites/install-kubernetes</docsLink>.",
+    "siteInstallAdvantechDocsDescription": "For Advantech modem installation instructions, see <docsLink>docs.pangolin.net/manage/sites/install-advantech</docsLink>.",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -148,16 +150,16 @@
    "siteCredentialsSaveDescription": "You will only be able to see this once. Make sure to copy it to a secure place.",
    "siteInfo": "Site Information",
    "status": "Status",
-    "shareTitle": "Manage Share Links",
+    "shareTitle": "Manage Shareable Links",
    "shareDescription": "Create shareable links to grant temporary or permanent access to proxy resources",
-    "shareSearch": "Search share links...",
-    "shareCreate": "Create Share Link",
+    "shareSearch": "Search shareable links...",
+    "shareCreate": "Create Shareable Link",
    "shareErrorDelete": "Failed to delete link",
    "shareErrorDeleteMessage": "An error occurred deleting link",
    "shareDeleted": "Link deleted",
    "shareDeletedDescription": "The link has been deleted",
-    "shareDelete": "Delete Share Link",
-    "shareDeleteConfirm": "Confirm Delete Share Link",
+    "shareDelete": "Delete Shareable Link",
+    "shareDeleteConfirm": "Confirm Delete Shareable Link",
    "shareQuestionRemove": "Are you sure you want to delete this share link?",
    "shareMessageRemove": "Once deleted, the link will no longer work and anyone using it will lose access to the resource.",
    "shareTokenDescription": "The access token can be passed in two ways: as a query parameter or in the request headers. These must be passed from the client on every request for authenticated access.",
@@ -177,6 +179,7 @@
    "shareCreateDescription": "Anyone with this link can access the resource",
    "shareTitleOptional": "Title (optional)",
    "sharePathOptional": "Path (optional)",
+    "sharePathDescription": "The link will redirect users to this path after authentication.",
    "expireIn": "Expire In",
    "neverExpire": "Never expire",
    "shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
@@ -200,8 +203,8 @@
    "shareErrorSelectResource": "Please select a resource",
    "proxyResourceTitle": "Manage Public Resources",
    "proxyResourceDescription": "Create and manage resources that are publicly accessible through a web browser",
-    "proxyResourcesBannerTitle": "Web-based Public Access",
-    "proxyResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
+    "publicResourcesBannerTitle": "Web-based Public Access",
+    "publicResourcesBannerDescription": "Public resources are HTTPS proxies accessible to anyone on the internet through a web browser. Unlike private resources, they do not require client-side software and can include identity and context-aware access policies.",
    "clientResourceTitle": "Manage Private Resources",
    "clientResourceDescription": "Create and manage resources that are only accessible through a connected client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
@@ -209,15 +212,19 @@
    "resourcesSearch": "Search resources...",
    "resourceAdd": "Add Resource",
    "resourceErrorDelte": "Error deleting resource",
-    "resourcePoliciesTitle": "Manage Resource Policies",
-    "resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
+    "resourcePoliciesBannerTitle": "Re-use Authentication and Access Rules",
+    "resourcePoliciesBannerDescription": "Shared resource policies let you define authentication methods and access rules once, then attach them to multiple public resources. When you update a policy, every linked resource inherits the change automatically.",
+    "resourcePoliciesBannerButtonText": "Learn More",
+    "resourcePoliciesTitle": "Manage Public Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Resources",
    "resourcePoliciesAttachedResources": "{count} resource(s)",
+    "resourcePoliciesAttachedResourcesCount": "{count, plural, one {# resource} other {# resources}}",
    "resourcePoliciesAttachedResourcesEmpty": "no resources",
-    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your public resources",
    "resourcePoliciesSearch": "Search policies...",
    "resourcePoliciesAdd": "Add Policy",
    "resourcePoliciesDefaultBadgeText": "Default policy",
-    "resourcePoliciesCreate": "Create Resource Policy",
+    "resourcePoliciesCreate": "Create Public Resource Policy",
    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
    "resourcePolicyName": "Policy Name",
    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
@@ -274,7 +281,7 @@
    "back": "Back",
    "cancel": "Cancel",
    "resourceConfig": "Configuration Snippets",
-    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
+    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource.",
    "resourceAddEntrypoints": "Traefik: Add Entrypoints",
    "resourceExposePorts": "Gerbil: Expose Ports in Docker Compose",
    "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
@@ -287,6 +294,8 @@
    "labelDelete": "Delete Label",
    "labelAdd": "Add Label",
    "labelCreateSuccessMessage": "Label Created Successfully",
+    "labelDuplicateError": "Duplicate Label",
+    "labelDuplicateErrorDescription": "A label with this name already exists.",
    "labelEditSuccessMessage": "Label Modified Successfully",
    "labelNameField": "Label Name",
    "labelColorField": "Label Color",
@@ -311,7 +320,7 @@
    "rules": "Rules",
    "resourceSettingDescription": "Configure the settings on the resource",
    "resourceSetting": "{resourceName} Settings",
-    "resourcePolicySettingDescription": "Configure the settings on the resource policy",
+    "resourcePolicySettingDescription": "Configure the settings on this public resource policy",
    "resourcePolicySetting": "{policyName} Settings",
    "alwaysAllow": "Bypass Auth",
    "alwaysDeny": "Block Access",
@@ -719,7 +728,7 @@
    "targetSubmit": "Add Target",
    "targetNoOne": "This resource doesn't have any targets. Add a target to configure where to send requests to the backend.",
    "targetNoOneDescription": "Adding more than one target above will enable load balancing.",
-    "targetsSubmit": "Save Targets",
+    "targetsSubmit": "Save Settings",
    "addTarget": "Add Target",
    "proxyMultiSiteRoundRobinNodeHelp": "Round robin routing will not work between sites that are not connected to the same node, but failover will work.",
    "targetErrorInvalidIp": "Invalid IP address",
@@ -753,11 +762,11 @@
    "rulesErrorDuplicate": "Duplicate rule",
    "rulesErrorDuplicateDescription": "A rule with these settings already exists",
    "rulesErrorInvalidIpAddressRange": "Invalid CIDR",
-    "rulesErrorInvalidIpAddressRangeDescription": "Please enter a valid CIDR value",
-    "rulesErrorInvalidUrl": "Invalid URL path",
-    "rulesErrorInvalidUrlDescription": "Please enter a valid URL path value",
-    "rulesErrorInvalidIpAddress": "Invalid IP",
-    "rulesErrorInvalidIpAddressDescription": "Please enter a valid IP address",
+    "rulesErrorInvalidIpAddressRangeDescription": "Enter a valid CIDR range (e.g., 10.0.0.0/8).",
+    "rulesErrorInvalidUrl": "Invalid path",
+    "rulesErrorInvalidUrlDescription": "Enter a valid URL path or pattern (e.g., /api/*).",
+    "rulesErrorInvalidIpAddress": "Invalid IP address",
+    "rulesErrorInvalidIpAddressDescription": "Enter a valid IPv4 or IPv6 address.",
    "rulesErrorUpdate": "Failed to update rules",
    "rulesErrorUpdateDescription": "An error occurred while updating rules",
    "rulesUpdated": "Enable Rules",
@@ -765,15 +774,24 @@
    "rulesMatchIpAddressRangeDescription": "Enter an address in CIDR format (e.g., 103.21.244.0/22)",
    "rulesMatchIpAddress": "Enter an IP address (e.g., 103.21.244.12)",
    "rulesMatchUrl": "Enter a URL path or pattern (e.g., /api/v1/todos or /api/v1/*)",
-    "rulesErrorInvalidPriority": "Invalid Priority",
-    "rulesErrorInvalidPriorityDescription": "Please enter a valid priority",
-    "rulesErrorDuplicatePriority": "Duplicate Priorities",
-    "rulesErrorDuplicatePriorityDescription": "Please enter unique priorities",
+    "rulesErrorInvalidPriority": "Invalid priority",
+    "rulesErrorInvalidPriorityDescription": "Enter a whole number of 1 or higher.",
+    "rulesErrorDuplicatePriority": "Duplicate priorities",
+    "rulesErrorDuplicatePriorityDescription": "Each rule must have a unique priority number.",
+    "rulesErrorValidation": "Invalid rules",
+    "rulesErrorValidationRuleDescription": "Rule {ruleNumber}: {message}",
+    "rulesErrorInvalidMatchTypeDescription": "Select a valid match type (path, IP, CIDR, country, region, or ASN).",
+    "rulesErrorValueRequired": "Enter a value for this rule.",
+    "rulesErrorInvalidCountry": "Invalid country",
+    "rulesErrorInvalidCountryDescription": "Select a valid country.",
+    "rulesErrorInvalidAsn": "Invalid ASN",
+    "rulesErrorInvalidAsnDescription": "Enter a valid ASN (e.g., AS15169).",
    "ruleUpdated": "Rules updated",
    "ruleUpdatedDescription": "Rules updated successfully",
    "ruleErrorUpdate": "Operation failed",
    "ruleErrorUpdateDescription": "An error occurred during the save operation",
    "rulesPriority": "Priority",
+    "rulesReorderDragHandle": "Drag to reorder rule priority",
    "rulesAction": "Action",
    "rulesMatchType": "Match Type",
    "value": "Value",
@@ -792,7 +810,7 @@
    "rulesResource": "Resource Rules Configuration",
    "rulesResourceDescription": "Configure rules to control access to the resource",
    "ruleSubmit": "Add Rule",
-    "rulesNoOne": "No rules. Add a rule using the form.",
+    "rulesNoOne": "No rules yet.",
    "rulesOrder": "Rules are evaluated by priority in ascending order.",
    "rulesSubmit": "Save Rules",
    "policyErrorCreate": "Error creating policy",
@@ -803,7 +821,48 @@
    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
    "policyCreatedSuccess": "Resource policy succesfully created",
    "policyUpdatedSuccess": "Resource policy succesfully updated",
-    "authMethodsSave": "Save auth methods",
+    "authMethodsSave": "Save Settings",
+    "policyAuthStackTitle": "Authentication",
+    "policyAuthStackDescription": "Control which authentication methods are required to access this resource",
+    "policyAuthOrLogicTitle": "Multiple authentication methods active",
+    "policyAuthOrLogicBanner": "Visitors may authenticate using any one of the active methods below. They do not need to complete all of them.",
+    "policyAuthMethodActive": "Active",
+    "policyAuthMethodOff": "Off",
+    "policyAuthSsoTitle": "Platform SSO",
+    "policyAuthSsoDescription": "Require sign-in through your organization's identity provider",
+    "policyAuthSsoSummary": "{idp} · {users} users, {roles} roles",
+    "policyAuthSsoDefaultIdp": "Default provider",
+    "policyAuthAddDefaultIdentityProvider": "Add Default Identity Provider",
+    "policyAuthOtherMethodsTitle": "Other Methods",
+    "policyAuthOtherMethodsDescription": "Optional methods visitors can use instead of or alongside platform SSO",
+    "policyAuthPasscodeTitle": "Passcode",
+    "policyAuthPasscodeDescription": "Require a shared alphanumeric passcode to access the resource",
+    "policyAuthPasscodeSummary": "Passcode set",
+    "policyAuthPincodeTitle": "PIN Code",
+    "policyAuthPincodeDescription": "A short numeric code required to access the resource",
+    "policyAuthPincodeSummary": "6-digit PIN set",
+    "policyAuthEmailTitle": "Email Whitelist",
+    "policyAuthEmailDescription": "Allow listed email addresses with one-time passwords",
+    "policyAuthEmailSummary": "{count} addresses allowed",
+    "policyAuthEmailOtpCallout": "Enabling email whitelist sends a one-time password to the visitor's email on login.",
+    "policyAuthHeaderAuthTitle": "Basic Header Auth",
+    "policyAuthHeaderAuthDescription": "Validate a custom HTTP header name and value on each request",
+    "policyAuthHeaderAuthSummary": "Header configured",
+    "policyAuthHeaderName": "Header name",
+    "policyAuthHeaderValue": "Expected value",
+    "policyAuthSetPasscode": "Set Passcode",
+    "policyAuthSetPincode": "Set PIN Code",
+    "policyAuthSetEmailWhitelist": "Set Email Whitelist",
+    "policyAuthSetHeaderAuth": "Set Basic Header Auth",
+    "policyAccessRulesTitle": "Access Rules",
+    "policyAccessRulesEnableDescription": "When enabled, rules are evaluated in descending order until one evaluates as true.",
+    "policyAccessRulesFirstMatch": "Rules are evaluated top to bottom. The first matching rule decides the outcome.",
+    "policyAccessRulesHowItWorks": "Rules match requests by path, IP address, location, or other criteria. Each rule applies an action: bypass authentication, block access, or pass to authentication. If no rule matches, traffic continues to authentication.",
+    "policyAccessRulesFallthroughOff": "When rules are disabled, all traffic passes through to authentication.",
+    "policyAccessRulesFallthroughOn": "When no rule matches, traffic passes through to authentication.",
+    "rulesPlaceholderCidr": "10.0.0.0/8",
+    "rulesPlaceholderPath": "/admin/*",
+    "rulesPlaceholderGeo": "RU, KP",
    "rulesSave": "Save Rules",
    "resourceErrorCreate": "Error creating resource",
    "resourceErrorCreateDescription": "An error occurred when creating the resource",
@@ -824,9 +883,9 @@
    "resourcesErrorUpdateDescription": "An error occurred while updating the resource",
    "access": "Access",
    "accessControl": "Access Control",
-    "shareLink": "{resource} Share Link",
+    "shareLink": "{resource} Shareable Link",
    "resourceSelect": "Select resource",
-    "shareLinks": "Share Links",
+    "shareLinks": "Shareable Links",
    "share": "Shareable Links",
    "shareDescription2": "Create shareable links to resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one.",
    "shareEasyCreate": "Easy to create and share",
@@ -916,10 +975,18 @@
    "resourceRoleDescription": "Admins can always access this resource.",
    "resourcePolicySelectTitle": "Resource Access Policy",
    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
+    "resourcePolicyTypeLabel": "Policy type",
+    "resourcePolicyLabel": "Resource policy",
    "resourcePolicyInline": "Inline Resource Policy",
    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
    "resourcePolicyShared": "Shared Resource Policy",
-    "resourcePolicySharedDescription": "This resource uses a shared policy. Policy-level settings (auth methods, email whitelist) are locked. You can add resource-specific rules, roles, and users below.",
+    "resourcePolicySharedDescription": "This resource uses a shared policy.",
+    "sharedPolicy": "Shared Policy",
+    "sharedPolicyNoneDescription": "This resource has its own policy.",
+    "resourceSharedPolicyOwnDescription": "This resource has its own authentication and access rules controls.",
+    "resourceSharedPolicyInheritedDescription": "This resource inherits from <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyAuthenticationNotice": "This resource is using a shared policy. Some authentication settings can be edited on this resource to add to the policy. To change the underlying policy, you must edit to <policyLink>{policyName}</policyLink>.",
+    "resourceSharedPolicyRulesNotice": "This resource is using a shared policy. Some access rules can be edited on this resource. To change the underlying policy, you must edit <policyLink>{policyName}</policyLink>.",
    "resourceUsersRoles": "Access Controls",
    "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
    "resourceUsersRolesSubmit": "Save Access Controls",
@@ -944,7 +1011,14 @@
    "resourceVisibilityTitle": "Visibility",
    "resourceVisibilityTitleDescription": "Completely enable or disable resource visibility",
    "resourceGeneral": "General Settings",
-    "resourceGeneralDescription": "Configure the general settings for this resource",
+    "resourceGeneralDescription": "Configure name, address, and access policy for this resource.",
+    "resourceGeneralDetailsSubsection": "Resource Details",
+    "resourceGeneralDetailsSubsectionDescription": "Set the display name, identifier, and publicly accessible domain for this resource.",
+    "resourceGeneralDetailsSubsectionPortDescription": "Set the display name, identifier, and public port for this resource.",
+    "resourceGeneralPublicAddressSubsection": "Public Address",
+    "resourceGeneralPublicAddressSubsectionDescription": "Configure how users reach this resource.",
+    "resourceGeneralAuthenticationAccessSubsection": "Authentication & Access",
+    "resourceGeneralAuthenticationAccessSubsectionDescription": "Choose whether this resource uses its own policy or inherits from a shared policy.",
    "resourceEnable": "Enable Resource",
    "resourceTransfer": "Transfer Resource",
    "resourceTransferDescription": "Transfer this resource to a different site",
@@ -1220,11 +1294,14 @@
    "addLabels": "Add labels",
    "siteLabelsTab": "Labels",
    "siteLabelsDescription": "Manage labels associated with this site.",
-    "labelsNotFound": "Labels not found",
+    "labelsNotFound": "No labels found.",
+    "labelsEmptyCreateHint": "Start typing above to create a label.",
    "labelSearch": "Search labels",
+    "labelSearchOrCreate": "Search or create a label",
    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
    "accessLabelFilterClear": "Clear label filters",
+    "accessFilterClear": "Clear filters",
    "selectColor": "Select color",
    "createNewLabel": "Create new org label \"{label}\"",
    "inviteInvalidDescription": "The invite link is invalid.",
@@ -1461,8 +1538,8 @@
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
-    "sidebarPolicies": "Policies",
-    "sidebarResourcePolicies": "Resources",
+    "sidebarPolicies": "Shared Policies",
+    "sidebarResourcePolicies": "Public Resources",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1470,7 +1547,7 @@
    "sidebarAdmin": "Admin",
    "sidebarInvitations": "Invitations",
    "sidebarRoles": "Roles",
-    "sidebarShareableLinks": "Links",
+    "sidebarShareableLinks": "Shareable Links",
    "sidebarApiKeys": "API Keys",
    "sidebarProvisioning": "Provisioning",
    "sidebarSettings": "Settings",
@@ -1647,7 +1724,7 @@
    "standaloneHcFilterResourceIdFallback": "Resource {id}",
    "blueprints": "Blueprints",
    "blueprintsLog": "Blueprints Log",
-    "blueprintsDescription": "View past blueprint applications and their results",
+    "blueprintsDescription": "View past blueprint applications and their results or apply a new blueprint",
    "blueprintAdd": "Add Blueprint",
    "blueprintGoBack": "See all Blueprints",
    "blueprintCreate": "Create Blueprint",
@@ -1667,10 +1744,10 @@
    "enableDockerSocket": "Enable Docker Blueprint",
    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
    "newtAutoUpdate": "Enable Site Auto-Update",
-    "newtAutoUpdateDescription": "When enabled, site connectors will automatically update to the latest version when a new release is available.",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically download the latest version and restart themselves. This can be overridden on a per-site basis.",
    "siteAutoUpdate": "Site Auto-Update",
    "siteAutoUpdateLabel": "Enable Auto-Update",
-    "siteAutoUpdateDescription": "Control whether this site's connector automatically downloads the latest version.",
+    "siteAutoUpdateDescription": "When enabled, this site's connector will automatically download the latest version and restart itself.",
    "siteAutoUpdateOrgDefault": "Organization default: {state}",
    "siteAutoUpdateOverriding": "Overriding organization setting",
    "siteAutoUpdateResetToOrg": "Reset to Organization Default",
@@ -1768,9 +1845,9 @@
    "accountSetupSuccess": "Account setup completed! Welcome to Pangolin!",
    "documentation": "Documentation",
    "saveAllSettings": "Save All Settings",
-    "saveResourceTargets": "Save Targets",
-    "saveResourceHttp": "Save Proxy Settings",
-    "saveProxyProtocol": "Save Proxy protocol settings",
+    "saveResourceTargets": "Save Settings",
+    "saveResourceHttp": "Save Settings",
+    "saveProxyProtocol": "Save Settings",
    "settingsUpdated": "Settings updated",
    "settingsUpdatedDescription": "Settings updated successfully",
    "settingsErrorUpdate": "Failed to update settings",
@@ -2027,13 +2104,13 @@
    "healthCheckUnknown": "Unknown",
    "healthCheck": "Health Check",
    "configureHealthCheck": "Configure Health Check",
-    "configureHealthCheckDescription": "Set up health monitoring for {target}",
+    "configureHealthCheckDescription": "Set up monitoring for your resource to ensure it is always available",
    "enableHealthChecks": "Enable Health Checks",
    "healthCheckDisabledStateDescription": "When disabled, the site will not perform health checks and the state will be considered unknown.",
    "enableHealthChecksDescription": "Monitor the health of this target. You can monitor a different endpoint than the target if required.",
    "healthScheme": "Method",
    "healthSelectScheme": "Select Method",
-    "healthCheckPortInvalid": "Health check port must be between 1 and 65535",
+    "healthCheckPortInvalid": "Port must be between 1 and 65535",
    "healthCheckPath": "Path",
    "healthHostname": "IP / Host",
    "healthPort": "Port",
@@ -2046,6 +2123,7 @@
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
    "sshSettings": "SSH Settings",
+    "sshAccess": "SSH Access",
    "rdpSettings": "RDP Settings",
    "vncSettings": "VNC Settings",
    "sshServer": "SSH Server",
@@ -2072,8 +2150,13 @@
    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
    "sshDaemonPort": "Daemon Port",
    "sshServerDestination": "Server Destination",
-    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
+    "sshServerDestinationDescription": "Configure the destination of the SSH server",
    "destination": "Destination",
+    "destinationRequired": "Destination is required.",
+    "domainRequired": "Domain is required.",
+    "proxyPortRequired": "Port is required.",
+    "invalidPathConfiguration": "Invalid path configuration.",
+    "invalidRewritePathConfiguration": "Invalid rewrite path configuration.",
    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
@@ -2088,10 +2171,25 @@
    "sshSudoModeCommandsDescription": "User can run only the specified commands with sudo.",
    "sshSudo": "Allow sudo",
    "sshSudoCommands": "Sudo Commands",
-    "sshSudoCommandsDescription": "Comma separated list of commands the user is allowed to run with sudo. Absolute paths must be used.",
+    "sshSudoCommandsDescription": "List of commands the user is allowed to run with sudo, separated by commas, spaces, or new lines. Absolute paths must be used.",
    "sshCreateHomeDir": "Create Home Directory",
    "sshUnixGroups": "Unix Groups",
-    "sshUnixGroupsDescription": "Comma separated Unix groups to add the user to on the target host.",
+    "sshUnixGroupsDescription": "Unix groups to add the user to on the target host, separated by commas, spaces, or new lines.",
+    "roleTextFieldPlaceholder": "Enter values, or drop a .txt or .csv file",
+    "roleTextImportTitle": "Import from File",
+    "roleTextImportDescription": "Importing {fileName} into {fieldLabel}.",
+    "roleTextImportSkipHeader": "Skip First Row (Header)",
+    "roleTextImportOverride": "Replace Existing",
+    "roleTextImportAppend": "Append to Existing",
+    "roleTextImportMode": "Import Mode",
+    "roleTextImportPreview": "Preview",
+    "roleTextImportItemCount": "{count, plural, =0 {No items to import} one {1 item to import} other {# items to import}}",
+    "roleTextImportTotalCount": "{existing} existing + {imported} imported = {total} total",
+    "roleTextImportConfirm": "Import",
+    "roleTextImportInvalidFile": "Unsupported file type",
+    "roleTextImportInvalidFileDescription": "Only .txt and .csv files are supported.",
+    "roleTextImportEmpty": "No items found in file",
+    "roleTextImportEmptyDescription": "The file does not contain any importable items.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -2875,9 +2973,10 @@
    "enableProxyProtocol": "Enable Proxy Protocol",
    "proxyProtocolInfo": "Preserve client IP addresses for TCP backends",
    "proxyProtocolVersion": "Proxy Protocol Version",
-    "version1": " Version 1 (Recommended)",
+    "version1": "Version 1 (Recommended)",
    "version2": "Version 2",
-    "versionDescription": "Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
+    "version1Description": "Text-based and widely supported. Make sure servers transport is added to dynamic config.",
+    "version2Description": "Binary and more efficient but less compatible. Make sure servers transport is added to dynamic config.",
    "warning": "Warning",
    "proxyProtocolWarning": "The backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections so only enable this if you know what you're doing. Make sure to configure your backend to trust Proxy Protocol headers from Traefik.",
    "restarting": "Restarting...",
@@ -3034,7 +3133,7 @@
    "enterConfirmation": "Enter confirmation",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Default Identity Provider",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "The user will be automatically redirected to this identity provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Network Settings",
    "editInternalResourceDialogAccessPolicy": "Access Policy",
    "editInternalResourceDialogAddRoles": "Add Roles",
@@ -3075,6 +3174,7 @@
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
    "enableMaintenanceMode": "Enable Maintenance Mode",
+    "enableMaintenanceModeDescription": "When enabled, visitors will see a maintenance page instead of your resource.",
    "automatic": "Automatic",
    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
    "forced": "Forced",
@@ -3082,6 +3182,8 @@
    "warning:": "Warning:",
    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
    "pageTitle": "Page Title",
+    "maintenancePageContentSubsection": "Page Content",
+    "maintenancePageContentSubsectionDescription": "Customize the content displayed on the maintenance page",
    "pageTitleDescription": "The main heading displayed on the maintenance page",
    "maintenancePageMessage": "Maintenance Message",
    "maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
@@ -3441,18 +3543,58 @@
    "sshConnecting": "Connecting…",
    "sshInitializing": "Initializing…",
    "sshSignInTitle": "Sign in to SSH",
-    "sshSignInDescription": "Enter your SSH credentials",
+    "sshSignInDescription": "Enter your SSH credentials to connect",
    "sshPasswordTab": "Password",
    "sshPrivateKeyTab": "Private Key",
    "sshPrivateKeyField": "Private Key",
    "sshPrivateKeyDisclaimer": "Your private key is not stored or visible to Pangolin. Alternatively, you can use short-lived certificates for seamless authentication using your existing Pangolin identity.",
    "sshLearnMore": "Learn more",
    "sshPrivateKeyFile": "Private Key File",
-    "sshAuthenticate": "Authenticate",
+    "sshAuthenticate": "Connect",
    "sshTerminate": "Terminate",
    "sshPoweredBy": "Powered by",
    "sshErrorNoTarget": "No target specified",
    "sshErrorWebSocket": "WebSocket connection failed",
    "sshErrorAuthFailed": "Authentication failed",
-    "sshErrorConnectionClosed": "Connection closed before authentication completed"
+    "sshErrorConnectionClosed": "Connection closed before authentication completed",
+    "sitePangolinSshDescription": "Allow SSH access to resources on this site. This can be changed later.",
+    "browserGatewayNoResourceForDomain": "No resource found for this domain",
+    "browserGatewayNoTarget": "No target",
+    "browserGatewayConnect": "Connect",
+    "browserGatewayCtrlAltDel": "Ctrl+Alt+Del",
+    "sshErrorSignKeyFailed": "Failed to sign SSH key for PAM push authentication. Did you sign in as a user?",
+    "sshTerminalError": "Error: {error}",
+    "sshConnectionClosedCode": "Connection closed (code {code})",
+    "sshPrivateKeyPlaceholder": "-----BEGIN OPENSSH PRIVATE KEY-----",
+    "sshPrivateKeyRequired": "Private key is required",
+    "vncTitle": "VNC",
+    "vncSignInDescription": "Enter your VNC password to connect",
+    "vncPasswordOptional": "Password (optional)",
+    "vncNoResourceTarget": "No resource target is available",
+    "vncFailedToLoadNovnc": "Failed to load noVNC",
+    "vncAuthFailedStatus": "Status {status}",
+    "vncPasteClipboard": "Paste clipboard",
+    "rdpTitle": "RDP",
+    "rdpSignInTitle": "Sign in to Remote Desktop",
+    "rdpSignInDescription": "Enter Windows credentials to connect",
+    "rdpLoadingModule": "Loading module...",
+    "rdpFailedToLoadModule": "Failed to load RDP module",
+    "rdpNotReady": "Not ready",
+    "rdpModuleInitializing": "RDP module is still initializing",
+    "rdpDownloadingFiles": "Downloading {count} file(s) from remote…",
+    "rdpDownloadFailed": "Download failed: {fileName}",
+    "rdpUploaded": "Uploaded: {fileName}",
+    "rdpNoConnectionTarget": "No connection target available",
+    "rdpConnectionFailed": "Connection failed",
+    "rdpFit": "Fit",
+    "rdpFull": "Full",
+    "rdpReal": "Real",
+    "rdpMeta": "Meta",
+    "rdpUploadFiles": "Upload files",
+    "rdpFilesReadyToPaste": "Files ready to paste",
+    "rdpFilesReadyToPasteDescription": "{count} file(s) copied to remote clipboard — press Ctrl+V on the remote desktop to paste.",
+    "rdpUploadFailed": "Upload failed",
+    "rdpUnicodeKeyboardMode": "Unicode keyboard mode",
+    "sessionToolbarShow": "Show toolbar",
+    "sessionToolbarHide": "Hide toolbar"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Por favor, seleccione un recurso",
    "proxyResourceTitle": "Administrar recursos públicos",
    "proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
-    "proxyResourcesBannerTitle": "Acceso público basado en web",
-    "proxyResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
+    "publicResourcesBannerTitle": "Acceso público basado en web",
+    "publicResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
    "clientResourceTitle": "Administrar recursos privados",
    "clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
    "privateResourcesBannerTitle": "Acceso privado de confianza cero",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Veuillez sélectionner une ressource",
    "proxyResourceTitle": "Gérer les ressources publiques",
    "proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
-    "proxyResourcesBannerTitle": "Accès public basé sur le Web",
-    "proxyResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
+    "publicResourcesBannerTitle": "Accès public basé sur le Web",
+    "publicResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
    "clientResourceTitle": "Gérer les ressources privées",
    "clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
    "privateResourcesBannerTitle": "Accès privé sans confiance",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Seleziona una risorsa",
    "proxyResourceTitle": "Gestisci Risorse Pubbliche",
    "proxyResourceDescription": "Creare e gestire risorse pubbliche accessibili tramite un browser web",
-    "proxyResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
-    "proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
+    "publicResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
+    "publicResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili da chiunque tramite Internet da un browser web. A differenza delle risorse private non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
    "clientResourceTitle": "Gestisci Risorse Private",
    "clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
    "privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "리소스를 선택하세요",
    "proxyResourceTitle": "공개 리소스 관리",
    "proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
-    "proxyResourcesBannerTitle": "웹 기반 공공 접근",
-    "proxyResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
+    "publicResourcesBannerTitle": "웹 기반 공공 접근",
+    "publicResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
    "clientResourceTitle": "개인 리소스 관리",
    "clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
    "privateResourcesBannerTitle": "제로 트러스트 개인 접근",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Vennligst velg en ressurs",
    "proxyResourceTitle": "Administrere offentlige ressurser",
    "proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
-    "proxyResourcesBannerTitle": "Nettbasert offentlig tilgang",
-    "proxyResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
+    "publicResourcesBannerTitle": "Nettbasert offentlig tilgang",
+    "publicResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
    "clientResourceTitle": "Administrer private ressurser",
    "clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
    "privateResourcesBannerTitle": "Zero-Trust privat tilgang",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Selecteer een bron",
    "proxyResourceTitle": "Openbare bronnen beheren",
    "proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
-    "proxyResourcesBannerTitle": "Webgebaseerde openbare toegang",
-    "proxyResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
+    "publicResourcesBannerTitle": "Webgebaseerde openbare toegang",
+    "publicResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
    "clientResourceTitle": "Privébronnen beheren",
    "clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
    "privateResourcesBannerTitle": "Zero-Trust Private Access",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Wybierz zasób",
    "proxyResourceTitle": "Zarządzaj zasobami publicznymi",
    "proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
-    "proxyResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
-    "proxyResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
+    "publicResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
+    "publicResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
    "clientResourceTitle": "Zarządzaj zasobami prywatnymi",
    "clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
    "privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Por favor, selecione um recurso",
    "proxyResourceTitle": "Gerenciar Recursos Públicos",
    "proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
-    "proxyResourcesBannerTitle": "Acesso Público via Web",
-    "proxyResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
+    "publicResourcesBannerTitle": "Acesso Público via Web",
+    "publicResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
    "clientResourceTitle": "Gerenciar recursos privados",
    "clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
    "privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Пожалуйста, выберите ресурс",
    "proxyResourceTitle": "Управление публичными ресурсами",
    "proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
-    "proxyResourcesBannerTitle": "Общедоступный доступ через веб",
-    "proxyResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
+    "publicResourcesBannerTitle": "Общедоступный доступ через веб",
+    "publicResourcesBannerDescription": "Общедоступные ресурсы - это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
    "clientResourceTitle": "Управление приватными ресурсами",
    "clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
    "privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "Lütfen bir kaynak seçin",
    "proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
    "proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
-    "proxyResourcesBannerTitle": "Web Tabanlı Genel Erişim",
-    "proxyResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
+    "publicResourcesBannerTitle": "Web Tabanlı Genel Erişim",
+    "publicResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
    "clientResourceTitle": "Özel Kaynakları Yönet",
    "clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
    "privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -200,8 +200,8 @@
    "shareErrorSelectResource": "请选择一个资源",
    "proxyResourceTitle": "管理公共资源",
    "proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
-    "proxyResourcesBannerTitle": "基于Web的公共访问",
-    "proxyResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知访问策略。",
+    "publicResourcesBannerTitle": "基于Web的公共访问",
+    "publicResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知访问策略。",
    "clientResourceTitle": "管理私有资源",
    "clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
    "privateResourcesBannerTitle": "零信任的私人访问",
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
@@ -152,8 +152,8 @@
    "shareErrorSelectResource": "請選擇一個資源",
    "proxyResourceTitle": "管理公開資源",
    "proxyResourceDescription": "建立和管理可透過網頁瀏覽器公開存取的資源",
-    "proxyResourcesBannerTitle": "基於網頁的公開存取",
-    "proxyResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
+    "publicResourcesBannerTitle": "基於網頁的公開存取",
+    "publicResourcesBannerDescription": "公開資源是任何人都可以透過網頁瀏覽器存取的 HTTPS 或 TCP/UDP 代理。與私有資源不同，它們不需要客戶端軟體，並且可以包含基於身份和情境感知的存取策略。",
    "clientResourceTitle": "管理私有資源",
    "clientResourceDescription": "建立和管理只能透過已連接的客戶端存取的資源",
    "privateResourcesBannerTitle": "零信任私有存取",
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {

 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - technically they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -2,7 +2,7 @@ import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
-import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { db as mainDb } from "./driver";
 import { createPool } from "./poolConfig";

 function createLogsDb() {
@@ -63,8 +63,7 @@ function createLogsDb() {
            })
        );
    } else {
-        const maxReplicaConnections =
-            poolConfig?.max_replica_connections || 20;
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
            const replicaPool = createPool(
                conn.connection_string,
@@ -91,4 +90,4 @@ function createLogsDb() {

 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -1,5 +1,4 @@
 import { Pool, PoolConfig } from "pg";
-import logger from "@server/logger";

 export function createPoolConfig(
    connectionString: string,
@@ -27,7 +26,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
    pool.on("error", (err) => {
        // This catches errors on idle clients in the pool. Without this
        // handler an unexpected disconnect would crash the process.
-        logger.error(
+        console.error(
            `Unexpected error on idle ${label} database client: ${err.message}`
        );
    });
@@ -36,7 +35,7 @@ export function attachPoolErrorHandlers(pool: Pool, label: string): void {
        // Set a statement timeout on every new connection so a single slow
        // query can't block the pool forever
        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
-            logger.warn(
+            console.warn(
                `Failed to set statement_timeout on ${label} client: ${err.message}`
            );
        });
@@ -60,4 +59,4 @@ export function createPool(
    );
    attachPoolErrorHandlers(pool, label);
    return pool;
-}
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -580,24 +580,6 @@ export const trialNotifications = pgTable("trialNotifications", {
    sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });

-export const browserGatewayTarget = pgTable("browserGatewayTarget", {
-    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
-    resourceId: integer("resourceId")
-        .references(() => resources.resourceId, {
-            onDelete: "cascade"
-        })
-        .notNull(),
-    siteId: integer("siteId")
-        .references(() => sites.siteId, {
-            onDelete: "cascade"
-        })
-        .notNull(),
-    authToken: varchar("authToken").notNull(),
-    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
-    destination: varchar("destination").notNull(),
-    destinationPort: integer("destinationPort").notNull()
-});
-
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -645,6 +627,3 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
-export type BrowserGatewayTarget = InferSelectModel<
-    typeof browserGatewayTarget
->;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -147,12 +147,10 @@ export const resources = pgTable("resources", {
    }),
    ssl: boolean("ssl").notNull().default(false),
    blockAccess: boolean("blockAccess").notNull().default(false),
-    sso: boolean("sso").notNull().default(true),
    proxyPort: integer("proxyPort"),
-    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
-        .notNull()
-        .default(false),
-    applyRules: boolean("applyRules").notNull().default(false),
+    sso: boolean("sso"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled"),
+    applyRules: boolean("applyRules"),
    enabled: boolean("enabled").notNull().default(true),
    stickySession: boolean("stickySession").notNull().default(false),
    tlsServerName: varchar("tlsServerName"),
@@ -290,7 +288,12 @@ export const targets = pgTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100)
+    priority: integer("priority").notNull().default(100),
+    mode: varchar("mode")
+        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
+        .notNull()
+        .default("http"),
+    authToken: varchar("authToken")
 });

 export const targetHealthCheck = pgTable("targetHealthCheck", {
@@ -886,7 +889,9 @@ export const resourcePolicyRules = pgTable("resourcePolicyRules", {
    enabled: boolean("enabled").notNull().default(true),
    priority: integer("priority").notNull(),
    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
-    match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    match: varchar("match")
+        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
+        .notNull(),
    value: varchar("value").notNull()
 });

--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -45,9 +45,9 @@ export type ResourceWithAuth = {
    password: ResourcePassword | ResourcePolicyPassword | null;
    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
-    applyRules: boolean;
-    sso: boolean;
-    emailWhitelistEnabled: boolean;
+    applyRules: boolean | null;
+    sso: boolean | null;
+    emailWhitelistEnabled: boolean | null;
    org: Org;
 };

--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -588,26 +588,6 @@ export const trialNotifications = sqliteTable("trialNotifications", {
    sentAt: integer("sentAt").notNull()
 });

-export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
-    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
-        autoIncrement: true
-    }),
-    resourceId: integer("resourceId")
-        .references(() => resources.resourceId, {
-            onDelete: "cascade"
-        })
-        .notNull(),
-    siteId: integer("siteId")
-        .references(() => sites.siteId, {
-            onDelete: "cascade"
-        })
-        .notNull(),
-    authToken: text("authToken").notNull(),
-    type: text("type").notNull(), // "ssh", "rdp", "vnc"
-    destination: text("destination").notNull(),
-    destinationPort: integer("destinationPort").notNull()
-});
-
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -647,6 +627,3 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
-export type BrowserGatewayTarget = InferSelectModel<
-    typeof browserGatewayTarget
->;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -165,14 +165,12 @@ export const resources = sqliteTable("resources", {
    blockAccess: integer("blockAccess", { mode: "boolean" })
        .notNull()
        .default(false),
-    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
    proxyPort: integer("proxyPort"),
-    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
-        .notNull()
-        .default(false),
-    applyRules: integer("applyRules", { mode: "boolean" })
-        .notNull()
-        .default(false),
+    sso: integer("sso", { mode: "boolean" }),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", {
+        mode: "boolean"
+    }),
+    applyRules: integer("applyRules", { mode: "boolean" }),
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    stickySession: integer("stickySession", { mode: "boolean" })
        .notNull()
@@ -322,7 +320,12 @@ export const targets = sqliteTable("targets", {
    pathMatchType: text("pathMatchType"), // exact, prefix, regex
    rewritePath: text("rewritePath"), // if set, rewrites the path to this value before sending to the target
    rewritePathType: text("rewritePathType"), // exact, prefix, regex, stripPrefix
-    priority: integer("priority").notNull().default(100)
+    priority: integer("priority").notNull().default(100),
+    mode: text("mode")
+        .$type<"http" | "tcp" | "udp" | "ssh" | "rdp" | "vnc">()
+        .notNull()
+        .default("http"),
+    authToken: text("authToken")
 });

 export const targetHealthCheck = sqliteTable("targetHealthCheck", {
@@ -1248,7 +1251,9 @@ export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    priority: integer("priority").notNull(),
    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
-    match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    match: text("match")
+        .$type<"CIDR" | "PATH" | "IP" | "COUNTRY" | "ASN" | "REGION">()
+        .notNull(),
    value: text("value").notNull()
 });

--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -157,7 +157,9 @@ function getOpenApiDocumentation() {
                        content: {
                            "application/json": {
                                schema: z.object({
-                                    data: z.unknown().nullable(),
+                                    data: z
+                                        .record(z.string(), z.any())
+                                        .nullable(),
                                    success: z.boolean(),
                                    error: z.boolean(),
                                    message: z.string(),
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -31,7 +31,7 @@ export enum TierFeature {
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
-    [TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.Labels]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
@@ -71,16 +71,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"],
-    [TierFeature.AdvancedPublicResources]: [
-        "tier1",
-        "tier2",
-        "tier3",
-        "enterprise"
-    ],
-    [TierFeature.AdvancedPrivateResources]: [
-        "tier1",
-        "tier2",
-        "tier3",
-        "enterprise"
-    ]
+    [TierFeature.AdvancedPublicResources]: ["tier3", "enterprise"],
+    [TierFeature.AdvancedPrivateResources]: ["tier3", "enterprise"]
 };
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -10,16 +10,23 @@ import {
    clientSiteResources
 } from "@server/db";
 import { Config, ConfigSchema } from "./types";
-import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
+import {
+    PublicResourcesResults,
+    updatePublicResources
+} from "./publicResources";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { sites } from "@server/db";
 import { eq, and, isNotNull } from "drizzle-orm";
-import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
+import {
+    addTargets as addProxyTargets,
+    sendBrowserGatewayTargets
+} from "@server/routers/newt/targets";
 import {
    ClientResourcesResults,
-    updateClientResources
-} from "./clientResources";
+    updatePrivateResources
+} from "./privateResources";
+import { updateResourcePolicies } from "./resourcePolicies";
 import { BlueprintSource } from "@server/routers/blueprints/types";
 import { stringify as stringifyYaml } from "yaml";
 import { generateName } from "@server/db/names";
@@ -53,16 +60,18 @@ export async function applyBlueprint({
    let error: any | null = null;

    try {
-        let proxyResourcesResults: ProxyResourcesResults = [];
+        let proxyResourcesResults: PublicResourcesResults = [];
        let clientResourcesResults: ClientResourcesResults = [];
        await db.transaction(async (trx) => {
-            proxyResourcesResults = await updateProxyResources(
+            await updateResourcePolicies(orgId, config, trx);
+
+            proxyResourcesResults = await updatePublicResources(
                orgId,
                config,
                trx,
                siteId
            );
-            clientResourcesResults = await updateClientResources(
+            clientResourcesResults = await updatePrivateResources(
                orgId,
                config,
                trx,
@@ -101,13 +110,27 @@ export async function applyBlueprint({
                                (hc) => hc.targetId === target.targetId
                            );

-                        await addProxyTargets(
-                            site.newt.newtId,
-                            [target],
-                            matchingHealthcheck ? [matchingHealthcheck] : [],
-                            result.proxyResource.mode === "udp" ? "udp" : "tcp",
-                            site.newt.version
-                        );
+                        if (["http", "tcp", "udp"].includes(target.mode)) {
+                            await addProxyTargets(
+                                site.newt.newtId,
+                                [target],
+                                matchingHealthcheck
+                                    ? [matchingHealthcheck]
+                                    : [],
+                                result.proxyResource.mode === "udp"
+                                    ? "udp"
+                                    : "tcp",
+                                site.newt.version
+                            );
+                        } else if (
+                            ["ssh", "rdp", "vnc"].includes(target.mode)
+                        ) {
+                            await sendBrowserGatewayTargets(
+                                site.newt.newtId,
+                                [target],
+                                site.newt.version
+                            );
+                        }
                    }
                }
            }
--- a/server/lib/blueprints/privateResources.ts
+++ b/server/lib/blueprints/privateResources.ts
@@ -23,6 +23,8 @@ import logger from "@server/logger";
 import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "../billing/tierMatrix";

 async function getDomainForSiteResource(
    siteResourceId: number | undefined,
@@ -103,7 +105,7 @@ export type ClientResourcesResults = {
    oldSites: { siteId: number }[];
 }[];

-export async function updateClientResources(
+export async function updatePrivateResources(
    orgId: string,
    config: Config,
    trx: Transaction,
@@ -114,6 +116,30 @@ export async function updateClientResources(
    for (const [resourceNiceId, resourceData] of Object.entries(
        config["client-resources"]
    )) {
+        if (resourceData.mode === "http") {
+            const hasHttpFeature = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.advancedPrivateResources
+            );
+            if (!hasHttpFeature) {
+                throw new Error(
+                    "HTTP private resources are not included in your current plan. Please upgrade."
+                );
+            }
+        }
+
+        if (resourceData.mode === "ssh") {
+            const hasSshFeature = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.advancedPrivateResources
+            );
+            if (!hasSshFeature) {
+                throw new Error(
+                    "SSH private resources are not included in your current plan. Please upgrade."
+                );
+            }
+        }
+
        const [existingResource] = await trx
            .select()
            .from(siteResources)
@@ -366,7 +392,9 @@ export async function updateClientResources(
                        }))
                    );
                    existingRoles.push(created);
-                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                    logger.info(
+                        `Auto-created role "${name}" in org ${orgId} from blueprint`
+                    );
                }

                const roleIds = existingRoles.map((role) => role.roleId);
@@ -387,7 +415,11 @@ export async function updateClientResources(
        } else {
            let aliasAddress: string | null = null;
            let releaseAliasLock: (() => Promise<void>) | null = null;
-            if (resourceData.mode === "host" || resourceData.mode === "http") {
+            if (
+                resourceData.mode === "host" ||
+                resourceData.mode === "http" ||
+                resourceData.mode === "ssh"
+            ) {
                const { value, release } = await getNextAvailableAliasAddress(
                    orgId,
                    trx
@@ -510,7 +542,9 @@ export async function updateClientResources(
                        }))
                    );
                    existingRoles.push(created);
-                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                    logger.info(
+                        `Auto-created role "${name}" in org ${orgId} from blueprint`
+                    );
                }

                const roleIds = existingRoles.map((role) => role.roleId);
--- a/server/lib/blueprints/publicResources.ts
+++ b/server/lib/blueprints/publicResources.ts
@@ -47,20 +47,24 @@ import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";
 import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
+import { build } from "@server/build";
+import { encrypt } from "@server/lib/crypto";
+import { generateId } from "@server/auth/sessions/app";
+import serverConfig from "@server/lib/config";

-export type ProxyResourcesResults = {
+export type PublicResourcesResults = {
    proxyResource: Resource;
    targetsToUpdate: Target[];
    healthchecksToUpdate: TargetHealthCheck[];
 }[];

-export async function updateProxyResources(
+export async function updatePublicResources(
    orgId: string,
    config: Config,
    trx: Transaction,
    siteId?: number
-): Promise<ProxyResourcesResults> {
-    const results: ProxyResourcesResults = [];
+): Promise<PublicResourcesResults> {
+    const results: PublicResourcesResults = [];

    for (const [resourceNiceId, resourceData] of Object.entries(
        config["proxy-resources"]
@@ -79,7 +83,7 @@ export async function updateProxyResources(
            if (targetSiteId) {
                // Look up site by niceId
                [site] = await trx
-                    .select({ siteId: sites.siteId })
+                    .select({ siteId: sites.siteId, type: sites.type })
                    .from(sites)
                    .where(
                        and(
@@ -91,7 +95,7 @@ export async function updateProxyResources(
            } else if (siteId) {
                // Use the provided siteId directly, but verify it belongs to the org
                [site] = await trx
-                    .select({ siteId: sites.siteId })
+                    .select({ siteId: sites.siteId, type: sites.type })
                    .from(sites)
                    .where(
                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
@@ -118,6 +122,15 @@ export async function updateProxyResources(
                internalPortToCreate = targetData["internal-port"];
            }

+            let authToken: string | undefined;
+            if (site.type !== "local") {
+                const plainToken = generateId(48);
+                authToken = encrypt(
+                    plainToken,
+                    serverConfig.getRawConfig().server.secret!
+                );
+            }
+
            // Create target
            const [newTarget] = await trx
                .insert(targets)
@@ -125,10 +138,12 @@ export async function updateProxyResources(
                    resourceId: resourceId,
                    siteId: site.siteId,
                    ip: targetData.hostname,
+                    mode: resourceData.mode as Target["mode"],
                    method: targetData.method,
                    port: targetData.port,
                    enabled: targetData.enabled,
                    internalPort: internalPortToCreate,
+                    authToken: authToken,
                    path: targetData.path,
                    pathMatchType: targetData["path-match"],
                    rewritePath:
@@ -222,17 +237,59 @@ export async function updateProxyResources(
            headers = JSON.stringify(resourceData.headers);
        }

+        if (["ssh", "rdp", "vnc"].includes(resourceData.mode || "")) {
+            const isLicensed = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.advancedPublicResources
+            );
+            if (!isLicensed) {
+                throw new Error(
+                    "Your current subscription does not support browser gateway resources. Please upgrade to access this feature."
+                );
+            }
+        }
+
+        if (resourceData.policy) {
+            const isLicensed = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.resourcePolicies
+            );
+            if (!isLicensed) {
+                throw new Error(
+                    "Your current subscription does not support shared resource policies. Please upgrade to access this feature."
+                );
+            }
+        }
+
        if (existingResource) {
            let domain;
            if (
                ["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
            ) {
+                if (resourceData["full-domain"]?.startsWith("*.")) {
+                    const isLicensed = await isLicensedOrSubscribed(
+                        orgId,
+                        tierMatrix.wildcardSubdomain
+                    );
+                    if (!isLicensed) {
+                        throw new Error(
+                            "Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
+                        );
+                    }
+                }
+
                domain = await getDomain(
                    existingResource.resourceId,
                    resourceData["full-domain"]!,
                    orgId,
                    trx
                );
+
+                await enforceDomainNamespacePaywall(
+                    orgId,
+                    domain.domainId,
+                    trx
+                );
            }

            // check if the only key in the resource is targets, if so, skip the update
@@ -522,6 +579,13 @@ export async function updateProxyResources(
                                    ? (resourceData["proxy-protocol-version"] ??
                                      1)
                                    : 1,
+                            pamMode:
+                                resourceData["auth-daemon"]?.pam ||
+                                "passthrough",
+                            authDaemonMode:
+                                resourceData["auth-daemon"]?.mode || "native",
+                            authDaemonPort:
+                                resourceData["auth-daemon"]?.port || 22123,
                            resourcePolicyId: null,
                            defaultResourcePolicyId: inlinePolicyId
                        })
@@ -664,7 +728,8 @@ export async function updateProxyResources(
                                    ? "/"
                                    : undefined),
                            rewritePathType: targetData["rewrite-match"],
-                            priority: targetData.priority
+                            priority: targetData.priority,
+                            mode: resourceData.mode
                        })
                        .where(eq(targets.targetId, existingTarget.targetId))
                        .returning();
@@ -906,12 +971,30 @@ export async function updateProxyResources(
            if (
                ["http", "ssh", "rdp", "vnc"].includes(resourceData.mode || "")
            ) {
+                if (resourceData["full-domain"]?.startsWith("*.")) {
+                    const isLicensed = await isLicensedOrSubscribed(
+                        orgId,
+                        tierMatrix.wildcardSubdomain
+                    );
+                    if (!isLicensed) {
+                        throw new Error(
+                            "Wildcard subdomains are not supported on your current plan. Please upgrade to access this feature."
+                        );
+                    }
+                }
+
                domain = await getDomain(
                    undefined,
                    resourceData["full-domain"]!,
                    orgId,
                    trx
                );
+
+                await enforceDomainNamespacePaywall(
+                    orgId,
+                    domain.domainId,
+                    trx
+                );
            }

            const isLicensed = await isLicensedOrSubscribed(
@@ -1384,17 +1467,6 @@ async function syncWhitelistUsers(
        .where(eq(resourceWhitelist.resourceId, resourceId));

    for (const email of whitelistUsers) {
-        const [user] = await trx
-            .select()
-            .from(users)
-            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(and(eq(users.email, email), eq(userOrgs.orgId, orgId)))
-            .limit(1);
-
-        if (!user) {
-            throw new Error(`User not found: ${email} in org ${orgId}`);
-        }
-
        const existingWhitelistEntry = existingWhitelist.find(
            (w) => w.email === email
        );
@@ -1866,6 +1938,37 @@ function checkIfTargetChanged(
    return false;
 }

+async function enforceDomainNamespacePaywall(
+    orgId: string,
+    domainId: string,
+    trx: Transaction
+) {
+    if (build !== "saas") {
+        return;
+    }
+
+    const hasDomainNamespaceAccess = await isLicensedOrSubscribed(
+        orgId,
+        tierMatrix.domainNamespaces
+    );
+
+    if (hasDomainNamespaceAccess) {
+        return;
+    }
+
+    const [namespaceDomain] = await trx
+        .select()
+        .from(domainNamespaces)
+        .where(eq(domainNamespaces.domainId, domainId))
+        .limit(1);
+
+    if (namespaceDomain) {
+        throw new Error(
+            "Your current subscription does not support custom domain namespaces. Please upgrade to access this feature."
+        );
+    }
+}
+
 export async function getDomain(
    resourceId: number | undefined,
    fullDomain: string,
--- a/server/lib/blueprints/resourcePolicies.ts
+++ b/server/lib/blueprints/resourcePolicies.ts
@@ -0,0 +1,653 @@
+import {
+    db,
+    idp,
+    idpOrg,
+    resourcePolicies,
+    resourcePolicyHeaderAuth,
+    resourcePolicyPassword,
+    resourcePolicyPincode,
+    resourcePolicyRules,
+    resourcePolicyWhiteList,
+    rolePolicies,
+    roles,
+    Transaction,
+    userOrgs,
+    userPolicies,
+    users
+} from "@server/db";
+import { eq, and, or } from "drizzle-orm";
+import { Config, ResourcePolicyData } from "./types";
+import logger from "@server/logger";
+import { getUniqueResourcePolicyName } from "@server/db/names";
+import { hashPassword } from "@server/auth/password";
+import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { tierMatrix } from "../billing/tierMatrix";
+
+export type ResourcePoliciesResults = {
+    resourcePolicyId: number;
+    niceId: string;
+}[];
+
+export async function updateResourcePolicies(
+    orgId: string,
+    config: Config,
+    trx: Transaction
+): Promise<ResourcePoliciesResults> {
+    const results: ResourcePoliciesResults = [];
+
+    for (const [policyNiceId, policyData] of Object.entries(
+        config["public-policies"]
+    )) {
+        const isLicensed = await isLicensedOrSubscribed(
+            orgId,
+            tierMatrix.resourcePolicies
+        );
+        if (!isLicensed) {
+            throw new Error(
+                "Your current subscription does not support shared resource policies. Please upgrade to access this feature."
+            );
+        }
+
+        // Validate rules
+        for (const rule of policyData.rules) {
+            if (rule.match === "cidr" && !isValidCIDR(rule.value)) {
+                throw new Error(
+                    `Invalid CIDR provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            } else if (rule.match === "ip" && !isValidIP(rule.value)) {
+                throw new Error(
+                    `Invalid IP provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            } else if (
+                rule.match === "path" &&
+                !isValidUrlGlobPattern(rule.value)
+            ) {
+                throw new Error(
+                    `Invalid URL glob pattern provided in resource policy '${policyNiceId}': ${rule.value}`
+                );
+            }
+        }
+
+        // Validate auto-login-idp if provided
+        if (policyData["auto-login-idp"]) {
+            const [provider] = await trx
+                .select()
+                .from(idp)
+                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
+                .where(
+                    and(
+                        eq(idp.idpId, policyData["auto-login-idp"]),
+                        eq(idpOrg.orgId, orgId)
+                    )
+                )
+                .limit(1);
+
+            if (!provider) {
+                throw new Error(
+                    `Identity provider not found for policy '${policyNiceId}' in this organization`
+                );
+            }
+        }
+
+        // Look up the admin role
+        const [adminRole] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!adminRole) {
+            throw new Error("Admin role not found");
+        }
+
+        // Find existing policy by niceId and orgId
+        const [existingPolicy] = await trx
+            .select()
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, policyNiceId),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        let resourcePolicyId: number;
+
+        if (existingPolicy) {
+            // Update the existing policy
+            await trx
+                .update(resourcePolicies)
+                .set({
+                    name: policyData.name,
+                    sso: policyData.sso ?? true,
+                    idpId: policyData["auto-login-idp"] ?? null,
+                    emailWhitelistEnabled:
+                        policyData["email-whitelist-enabled"] ??
+                        policyData["whitelist-users"].length > 0,
+                    applyRules:
+                        policyData["apply-rules"] || policyData.rules.length > 0
+                })
+                .where(
+                    eq(
+                        resourcePolicies.resourcePolicyId,
+                        existingPolicy.resourcePolicyId
+                    )
+                );
+
+            resourcePolicyId = existingPolicy.resourcePolicyId;
+
+            // Sync password
+            await trx
+                .delete(resourcePolicyPassword)
+                .where(
+                    eq(
+                        resourcePolicyPassword.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+            if (policyData.password) {
+                const passwordHash = await hashPassword(policyData.password);
+                await trx.insert(resourcePolicyPassword).values({
+                    resourcePolicyId,
+                    passwordHash
+                });
+            }
+
+            // Sync pincode
+            await trx
+                .delete(resourcePolicyPincode)
+                .where(
+                    eq(resourcePolicyPincode.resourcePolicyId, resourcePolicyId)
+                );
+            if (policyData.pincode) {
+                const pincodeHash = await hashPassword(policyData.pincode);
+                await trx.insert(resourcePolicyPincode).values({
+                    resourcePolicyId,
+                    pincodeHash,
+                    digitLength: 6
+                });
+            }
+
+            // Sync header auth
+            await trx
+                .delete(resourcePolicyHeaderAuth)
+                .where(
+                    eq(
+                        resourcePolicyHeaderAuth.resourcePolicyId,
+                        resourcePolicyId
+                    )
+                );
+            if (policyData["basic-auth"]) {
+                const basicAuth = policyData["basic-auth"];
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${basicAuth.user}:${basicAuth.password}`
+                    ).toString("base64")
+                );
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility:
+                        basicAuth["extended-compatibility"] ?? true
+                });
+            }
+
+            // Sync SSO roles
+            await syncRolePolicies(
+                resourcePolicyId,
+                policyData["sso-roles"],
+                orgId,
+                adminRole.roleId,
+                trx
+            );
+
+            // Sync SSO users
+            await syncUserPolicies(
+                resourcePolicyId,
+                policyData["sso-users"],
+                orgId,
+                trx
+            );
+
+            // Sync whitelist users
+            await syncWhitelistPolicyUsers(
+                resourcePolicyId,
+                policyData["whitelist-users"],
+                trx
+            );
+
+            // Sync rules
+            await syncPolicyRules(resourcePolicyId, policyData.rules, trx);
+
+            logger.debug(
+                `Updated resource policy ${resourcePolicyId} (${policyNiceId})`
+            );
+        } else {
+            // Create a new policy
+            const [newPolicy] = await trx
+                .insert(resourcePolicies)
+                .values({
+                    niceId: policyNiceId,
+                    orgId,
+                    name: policyData.name,
+                    sso: policyData.sso ?? true,
+                    idpId: policyData["auto-login-idp"] ?? null,
+                    emailWhitelistEnabled:
+                        policyData["email-whitelist-enabled"] ??
+                        policyData["whitelist-users"].length > 0,
+                    applyRules:
+                        policyData["apply-rules"] ||
+                        policyData.rules.length > 0,
+                    scope: "global"
+                })
+                .returning();
+
+            resourcePolicyId = newPolicy.resourcePolicyId;
+
+            // Always add admin role
+            await trx.insert(rolePolicies).values({
+                roleId: adminRole.roleId,
+                resourcePolicyId
+            });
+
+            // Add SSO roles
+            await addRolePolicies(
+                resourcePolicyId,
+                policyData["sso-roles"],
+                orgId,
+                adminRole.roleId,
+                trx
+            );
+
+            // Add SSO users
+            await addUserPolicies(
+                resourcePolicyId,
+                policyData["sso-users"],
+                orgId,
+                trx
+            );
+
+            // Add password
+            if (policyData.password) {
+                const passwordHash = await hashPassword(policyData.password);
+                await trx.insert(resourcePolicyPassword).values({
+                    resourcePolicyId,
+                    passwordHash
+                });
+            }
+
+            // Add pincode
+            if (policyData.pincode) {
+                const pincodeHash = await hashPassword(policyData.pincode);
+                await trx.insert(resourcePolicyPincode).values({
+                    resourcePolicyId,
+                    pincodeHash,
+                    digitLength: 6
+                });
+            }
+
+            // Add header auth
+            if (policyData["basic-auth"]) {
+                const basicAuth = policyData["basic-auth"];
+                const headerAuthHash = await hashPassword(
+                    Buffer.from(
+                        `${basicAuth.user}:${basicAuth.password}`
+                    ).toString("base64")
+                );
+                await trx.insert(resourcePolicyHeaderAuth).values({
+                    resourcePolicyId,
+                    headerAuthHash,
+                    extendedCompatibility:
+                        basicAuth["extended-compatibility"] ?? true
+                });
+            }
+
+            // Add whitelist users
+            if (policyData["whitelist-users"].length > 0) {
+                await trx.insert(resourcePolicyWhiteList).values(
+                    policyData["whitelist-users"].map((email) => ({
+                        email,
+                        resourcePolicyId
+                    }))
+                );
+            }
+
+            // Add rules
+            if (policyData.rules.length > 0) {
+                await trx.insert(resourcePolicyRules).values(
+                    policyData.rules.map((rule, index) => ({
+                        resourcePolicyId,
+                        action: getRuleAction(rule.action),
+                        match: getRuleMatch(rule.match),
+                        value: rule.value,
+                        priority: rule.priority ?? index + 1,
+                        enabled: rule.enabled ?? true
+                    }))
+                );
+            }
+
+            logger.debug(
+                `Created resource policy ${resourcePolicyId} (${policyNiceId})`
+            );
+        }
+
+        results.push({ resourcePolicyId, niceId: policyNiceId });
+    }
+
+    return results;
+}
+
+function getRuleAction(input: string): "ACCEPT" | "DROP" | "PASS" {
+    if (input === "allow") return "ACCEPT";
+    if (input === "deny") return "DROP";
+    return "PASS";
+}
+
+function getRuleMatch(
+    input: string
+): "CIDR" | "IP" | "PATH" | "COUNTRY" | "ASN" | "REGION" {
+    return input.toUpperCase() as
+        | "CIDR"
+        | "IP"
+        | "PATH"
+        | "COUNTRY"
+        | "ASN"
+        | "REGION";
+}
+
+async function syncRolePolicies(
+    policyId: number,
+    ssoRoles: string[],
+    orgId: string,
+    adminRoleId: number,
+    trx: Transaction
+) {
+    const existingRolePolicies = await trx
+        .select()
+        .from(rolePolicies)
+        .where(eq(rolePolicies.resourcePolicyId, policyId));
+
+    for (const roleName of ssoRoles) {
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!role) {
+            logger.warn(
+                `Role '${roleName}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        if (role.isAdmin) {
+            continue; // admin role is always included, skip
+        }
+
+        const alreadyExists = existingRolePolicies.some(
+            (rp) => rp.roleId === role.roleId
+        );
+
+        if (!alreadyExists) {
+            await trx.insert(rolePolicies).values({
+                roleId: role.roleId,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    // Remove roles no longer in the list (except admin)
+    for (const existingRolePolicy of existingRolePolicies) {
+        if (existingRolePolicy.roleId === adminRoleId) {
+            continue;
+        }
+
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, existingRolePolicy.roleId))
+            .limit(1);
+
+        if (role?.isAdmin) {
+            continue;
+        }
+
+        if (role && !ssoRoles.includes(role.name)) {
+            await trx
+                .delete(rolePolicies)
+                .where(
+                    and(
+                        eq(rolePolicies.resourcePolicyId, policyId),
+                        eq(rolePolicies.roleId, existingRolePolicy.roleId)
+                    )
+                );
+        }
+    }
+}
+
+async function addRolePolicies(
+    policyId: number,
+    ssoRoles: string[],
+    orgId: string,
+    adminRoleId: number,
+    trx: Transaction
+) {
+    for (const roleName of ssoRoles) {
+        const [role] = await trx
+            .select()
+            .from(roles)
+            .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
+            .limit(1);
+
+        if (!role) {
+            logger.warn(
+                `Role '${roleName}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        if (role.isAdmin) {
+            continue; // admin already added
+        }
+
+        await trx.insert(rolePolicies).values({
+            roleId: role.roleId,
+            resourcePolicyId: policyId
+        });
+    }
+}
+
+async function syncUserPolicies(
+    policyId: number,
+    ssoUsers: string[],
+    orgId: string,
+    trx: Transaction
+) {
+    const existingUserPolicies = await trx
+        .select()
+        .from(userPolicies)
+        .where(eq(userPolicies.resourcePolicyId, policyId));
+
+    for (const username of ssoUsers) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    or(eq(users.username, username), eq(users.email, username)),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!user) {
+            logger.warn(
+                `User '${username}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        const alreadyExists = existingUserPolicies.some(
+            (up) => up.userId === user.user.userId
+        );
+
+        if (!alreadyExists) {
+            await trx.insert(userPolicies).values({
+                userId: user.user.userId,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    // Remove users no longer in the list
+    for (const existingUserPolicy of existingUserPolicies) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    eq(users.userId, existingUserPolicy.userId),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (
+            user &&
+            user.user.username &&
+            !ssoUsers.includes(user.user.username) &&
+            !ssoUsers.includes(user.user.email ?? "")
+        ) {
+            await trx
+                .delete(userPolicies)
+                .where(
+                    and(
+                        eq(userPolicies.resourcePolicyId, policyId),
+                        eq(userPolicies.userId, existingUserPolicy.userId)
+                    )
+                );
+        }
+    }
+}
+
+async function addUserPolicies(
+    policyId: number,
+    ssoUsers: string[],
+    orgId: string,
+    trx: Transaction
+) {
+    for (const username of ssoUsers) {
+        const [user] = await trx
+            .select()
+            .from(users)
+            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
+            .where(
+                and(
+                    or(eq(users.username, username), eq(users.email, username)),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!user) {
+            logger.warn(
+                `User '${username}' not found in org '${orgId}', skipping`
+            );
+            continue;
+        }
+
+        await trx.insert(userPolicies).values({
+            userId: user.user.userId,
+            resourcePolicyId: policyId
+        });
+    }
+}
+
+async function syncWhitelistPolicyUsers(
+    policyId: number,
+    whitelistUsers: string[],
+    trx: Transaction
+) {
+    const existingWhitelist = await trx
+        .select()
+        .from(resourcePolicyWhiteList)
+        .where(eq(resourcePolicyWhiteList.resourcePolicyId, policyId));
+
+    for (const email of whitelistUsers) {
+        const alreadyExists = existingWhitelist.some((w) => w.email === email);
+
+        if (!alreadyExists) {
+            await trx.insert(resourcePolicyWhiteList).values({
+                email,
+                resourcePolicyId: policyId
+            });
+        }
+    }
+
+    for (const existingEntry of existingWhitelist) {
+        if (!whitelistUsers.includes(existingEntry.email)) {
+            await trx
+                .delete(resourcePolicyWhiteList)
+                .where(
+                    and(
+                        eq(resourcePolicyWhiteList.resourcePolicyId, policyId),
+                        eq(resourcePolicyWhiteList.email, existingEntry.email)
+                    )
+                );
+        }
+    }
+}
+
+async function syncPolicyRules(
+    policyId: number,
+    rules: ResourcePolicyData["rules"],
+    trx: Transaction
+) {
+    const existingRules = await trx
+        .select()
+        .from(resourcePolicyRules)
+        .where(eq(resourcePolicyRules.resourcePolicyId, policyId))
+        .orderBy(resourcePolicyRules.priority);
+
+    for (const [index, rule] of rules.entries()) {
+        const intendedPriority = rule.priority ?? index + 1;
+        const existingRule = existingRules[index];
+
+        if (existingRule) {
+            await trx
+                .update(resourcePolicyRules)
+                .set({
+                    action: getRuleAction(rule.action),
+                    match: getRuleMatch(rule.match),
+                    value: rule.value,
+                    priority: intendedPriority,
+                    enabled: rule.enabled ?? true
+                })
+                .where(eq(resourcePolicyRules.ruleId, existingRule.ruleId));
+        } else {
+            await trx.insert(resourcePolicyRules).values({
+                resourcePolicyId: policyId,
+                action: getRuleAction(rule.action),
+                match: getRuleMatch(rule.match),
+                value: rule.value,
+                priority: intendedPriority,
+                enabled: rule.enabled ?? true
+            });
+        }
+    }
+
+    // Remove extra rules
+    if (existingRules.length > rules.length) {
+        const rulesToDelete = existingRules.slice(rules.length);
+        for (const rule of rulesToDelete) {
+            await trx
+                .delete(resourcePolicyRules)
+                .where(eq(resourcePolicyRules.ruleId, rule.ruleId));
+        }
+    }
+}
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,8 +1,23 @@
 import { z } from "zod";
+import { existsSync } from "node:fs";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 import { isValidRegionId } from "@server/db/regions";
 import { wildcardSubdomainSchema } from "@server/lib/schemas";
+import config from "@server/lib/config";
+
+const maxmindDbPath = config.getRawConfig().server.maxmind_db_path;
+const maxmindAsnPath = config.getRawConfig().server.maxmind_asn_path;
+
+const hasMaxmindCountryDb =
+    typeof maxmindDbPath === "string" &&
+    maxmindDbPath.length > 0 &&
+    existsSync(maxmindDbPath);
+
+const hasMaxmindAsnDb =
+    typeof maxmindAsnPath === "string" &&
+    maxmindAsnPath.length > 0 &&
+    existsSync(maxmindAsnPath);

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -83,7 +98,8 @@ export const RuleSchema = z
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn", "region"]),
        value: z.coerce.string(),
-        priority: z.int().optional()
+        priority: z.int().optional(),
+        enabled: z.boolean().optional().default(true)
    })
    .refine(
        (rule) => {
@@ -116,6 +132,9 @@ export const RuleSchema = z
    .refine(
        (rule) => {
            if (rule.match === "country") {
+                if (!hasMaxmindCountryDb) {
+                    return false;
+                }
                // Check if it's a valid 2-letter country code or "ALL"
                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
            }
@@ -124,12 +143,15 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
+                "Country rules require a valid existing server.maxmind_db_path and value must be a 2-letter country code or 'ALL'"
        }
    )
    .refine(
        (rule) => {
            if (rule.match === "asn") {
+                if (!hasMaxmindCountryDb || !hasMaxmindAsnDb) {
+                    return false;
+                }
                // Check if it's either AS<number> format or "ALL"
                const asNumberPattern = /^AS\d+$/i;
                return asNumberPattern.test(rule.value) || rule.value === "ALL";
@@ -139,7 +161,7 @@ export const RuleSchema = z
        {
            path: ["value"],
            message:
-                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
+                "ASN rules require valid existing server.maxmind_db_path and server.maxmind_asn_path, and value must be 'AS<number>' format or 'ALL'"
        }
    )
    .refine(
@@ -267,8 +289,37 @@ export const PublicResourceSchema = z
                return true;
            }

-            // If protocol/mode is http, it must have a full-domain
-            if ((resource.mode ?? resource.protocol) === "http") {
+            const effectiveProtocol = resource.mode ?? resource.protocol;
+            if (effectiveProtocol !== "ssh") {
+                return true;
+            }
+
+            const authDaemonMode = resource["auth-daemon"]?.mode;
+            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
+                return true;
+            }
+
+            return (
+                resource.targets.filter((target) => target != null).length <= 1
+            );
+        },
+        {
+            path: ["targets"],
+            error: "When protocol is 'ssh' and auth-daemon mode is 'native' or 'site', only one target/site is allowed"
+        }
+    )
+    .refine(
+        (resource) => {
+            if (isTargetsOnlyResource(resource)) {
+                return true;
+            }
+
+            // If protocol/mode is http, ssh, rdp, or vnc, it must have a full-domain
+            const effectiveProtocol = resource.mode ?? resource.protocol;
+            if (
+                effectiveProtocol !== undefined &&
+                ["http", "ssh", "rdp", "vnc"].includes(effectiveProtocol)
+            ) {
                return (
                    resource["full-domain"] !== undefined &&
                    resource["full-domain"].length > 0
@@ -278,7 +329,7 @@ export const PublicResourceSchema = z
        },
        {
            path: ["full-domain"],
-            error: "When protocol is 'http', a 'full-domain' must be provided"
+            error: "When protocol is 'http', 'ssh', 'rdp', or 'vnc', a 'full-domain' must be provided"
        }
    )
    .refine(
@@ -505,7 +556,90 @@ export const PrivateResourceSchema = z
        {
            message: "Destination must be a valid CIDR notation for cidr mode"
        }
-    );
+    )
+    .refine(
+        (data) => {
+            if (data.mode !== "ssh") {
+                return true;
+            }
+
+            const authDaemonMode = data["auth-daemon"]?.mode;
+            if (authDaemonMode !== "native" && authDaemonMode !== "site") {
+                return true;
+            }
+
+            const uniqueSites = new Set<string>();
+            if (data.site) {
+                uniqueSites.add(data.site);
+            }
+            for (const site of data.sites) {
+                uniqueSites.add(site);
+            }
+
+            return uniqueSites.size <= 1;
+        },
+        {
+            path: ["sites"],
+            message:
+                "When mode is 'ssh' and auth-daemon mode is 'native' or 'site', only one site/target is allowed"
+        }
+    )
+    .transform((data) => {
+        if (
+            data.mode === "ssh" &&
+            data.destination !== undefined &&
+            data["destination-port"] === undefined
+        ) {
+            data["destination-port"] = 22;
+        }
+        return data;
+    });
+
+export const ResourcePolicyRuleSchema = RuleSchema;
+
+export const ResourcePolicySchema = z.object({
+    name: z.string().min(1).max(255),
+    sso: z.boolean().optional().default(true),
+    "auto-login-idp": z.int().positive().optional().nullable(),
+    "sso-roles": z
+        .array(z.string())
+        .optional()
+        .default([])
+        .refine((roles) => !roles.includes("Admin"), {
+            error: "Admin role cannot be included in sso-roles"
+        }),
+    "sso-users": z.array(z.string()).optional().default([]),
+    password: z.string().min(4).max(100).optional().nullable(),
+    pincode: z
+        .string()
+        .regex(/^\d{6}$/)
+        .optional()
+        .nullable(),
+    "basic-auth": z
+        .object({
+            user: z.string().min(4).max(100),
+            password: z.string().min(4).max(100),
+            "extended-compatibility": z.boolean().default(true)
+        })
+        .optional()
+        .nullable(),
+    "email-whitelist-enabled": z.boolean().optional().default(false),
+    "whitelist-users": z
+        .array(
+            z.email().or(
+                z.string().regex(/^\*@[\w.-]+\.[a-zA-Z]{2,}$/, {
+                    error: "Invalid email address. Wildcard (*) must be the entire local part."
+                })
+            )
+        )
+        .max(50)
+        .transform((v) => v.map((e) => e.toLowerCase()))
+        .optional()
+        .default([]),
+    "apply-rules": z.boolean().optional().default(false),
+    rules: z.array(ResourcePolicyRuleSchema).optional().default([])
+});
+export type ResourcePolicyData = z.infer<typeof ResourcePolicySchema>;

 // Schema for the entire configuration object
 export const ConfigSchema = z
@@ -526,6 +660,10 @@ export const ConfigSchema = z
            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
+        "public-policies": z
+            .record(z.string(), ResourcePolicySchema)
+            .optional()
+            .prefault({}),
        sites: z.record(z.string(), SiteSchema).optional().prefault({})
    })
    .transform((data) => {
@@ -556,6 +694,10 @@ export const ConfigSchema = z
                string,
                z.infer<typeof PrivateResourceSchema>
            >;
+            "public-policies": Record<
+                string,
+                z.infer<typeof ResourcePolicySchema>
+            >;
            sites: Record<string, z.infer<typeof SiteSchema>>;
        };
    })
@@ -695,3 +837,4 @@ export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
 export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
+export type BlueprintResourcePolicy = z.infer<typeof ResourcePolicySchema>;
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -504,7 +504,7 @@ export function generateRemoteSubnets(
                const parseResult = cidrSchema.safeParse(sr.destination);
                return parseResult.success;
            }
-            if (sr.mode === "host") {
+            if (sr.mode === "host" || sr.mode === "ssh") {
                // check if its a valid IP using zod
                const ipSchema = z.union([z.ipv4(), z.ipv6()]);
                const parseResult = ipSchema.safeParse(sr.destination);
@@ -514,7 +514,7 @@ export function generateRemoteSubnets(
        })
        .map((sr) => {
            if (sr.mode === "cidr") return sr.destination;
-            if (sr.mode === "host") {
+            if (sr.mode === "host" || sr.mode === "ssh") {
                return `${sr.destination}/32`;
            }
            return ""; // This should never be reached due to filtering, but satisfies TypeScript
@@ -531,7 +531,7 @@ export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
        .filter(
            (sr) =>
                sr.aliasAddress &&
-                ((sr.alias && sr.mode == "host") ||
+                ((sr.alias && (sr.mode == "host" || sr.mode == "ssh")) ||
                    (sr.fullDomain && sr.mode == "http"))
        )
        .map((sr) => ({
@@ -577,6 +577,10 @@ export function generateSubnetProxyTargets(
            continue;
        }

+        if (!siteResource.destination) {
+            continue;
+        }
+
        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
        const portRange = [
            ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -584,7 +588,7 @@ export function generateSubnetProxyTargets(
        ];
        const disableIcmp = siteResource.disableIcmp ?? false;

-        if (siteResource.mode == "host") {
+        if (siteResource.mode == "host" || siteResource.mode == "ssh") {
            let destination = siteResource.destination;
            // check if this is a valid ip
            const ipSchema = z.union([z.ipv4(), z.ipv6()]);
@@ -665,7 +669,12 @@ export async function generateSubnetProxyTargetV2(
        return;
    }

-    let targets: SubnetProxyTargetV2[] = [];
+    if (!siteResource.destination) {
+        // ssh can have no destination
+        return;
+    }
+
+    const targets: SubnetProxyTargetV2[] = [];

    const portRange = [
        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
@@ -673,7 +682,7 @@ export async function generateSubnetProxyTargetV2(
    ];
    const disableIcmp = siteResource.disableIcmp ?? false;

-    if (siteResource.mode == "host") {
+    if (siteResource.mode == "host" || siteResource.mode == "ssh") {
        let destination = siteResource.destination;
        // check if this is a valid ip
        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -181,6 +181,7 @@ class TelemetryClient {
            let numPrivResourceHosts = 0;
            let numPrivResourceCidr = 0;
            let numPrivResourceHttp = 0;
+            let numPrivResourceSsh = 0;
            for (const res of allPrivateResources) {
                if (res.mode === "host") {
                    numPrivResourceHosts += 1;
@@ -188,6 +189,8 @@ class TelemetryClient {
                    numPrivResourceCidr += 1;
                } else if (res.mode === "http") {
                    numPrivResourceHttp += 1;
+                } else if (res.mode === "ssh") {
+                    numPrivResourceSsh += 1;
                }

                if (res.alias) {
@@ -207,6 +210,7 @@ class TelemetryClient {
                numPrivateResourceHosts: numPrivResourceHosts,
                numPrivateResourceCidr: numPrivResourceCidr,
                numPrivateResourceHttp: numPrivResourceHttp,
+                numPrivateResourceSsh: numPrivResourceSsh,
                numAlertRules: numAlertRules.count,
                numUserDevices: userDevicesCount.count,
                numMachineClients: machineClients.count,
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -44,7 +44,8 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
    allowRawResources = true,
-    allowMaintenancePage = true // UNUSED BUT USED IN PRIVATE
+    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
+    allowBrowserGatewayResources = true
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -240,7 +241,7 @@ export async function getTraefikConfig(
            continue;
        }

-        if (resource.http) {
+        if (resource.mode === "http") {
            if (!resource.domainId || !resource.fullDomain) {
                continue;
            }
@@ -572,7 +573,7 @@ export async function getTraefikConfig(
                    serviceName
                ].loadBalancer.serversTransport = transportName;
            }
-        } else {
+        } else if (resource.mode === "tcp" || resource.mode === "udp") {
            // Non-HTTP (TCP/UDP) configuration
            if (!resource.enableProxy || !resource.proxyPort) {
                continue;
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -1,5 +1,7 @@
 import z from "zod";
 import ipaddr from "ipaddr.js";
+import { COUNTRIES } from "@server/db/countries";
+import { isValidRegionId } from "@server/db/regions";

 export function isValidCIDR(cidr: string): boolean {
    return (
@@ -67,6 +69,45 @@ export function isValidUrlGlobPattern(pattern: string): boolean {
    return true;
 }

+export const RESOURCE_RULE_MATCH_TYPES = [
+    "CIDR",
+    "IP",
+    "PATH",
+    "COUNTRY",
+    "ASN",
+    "REGION"
+] as const;
+
+export type ResourceRuleMatchType = (typeof RESOURCE_RULE_MATCH_TYPES)[number];
+
+export function getResourceRuleValueValidationError(
+    match: ResourceRuleMatchType,
+    value: string
+): string | null {
+    switch (match) {
+        case "CIDR":
+            return isValidCIDR(value) ? null : "Invalid CIDR provided";
+        case "IP":
+            return isValidIP(value) ? null : "Invalid IP provided";
+        case "PATH":
+            return isValidUrlGlobPattern(value)
+                ? null
+                : "Invalid URL glob pattern provided";
+        case "REGION":
+            return isValidRegionId(value) ? null : "Invalid region ID provided";
+        case "COUNTRY":
+            return COUNTRIES.some((country) => country.code === value)
+                ? null
+                : "Invalid country code provided";
+        case "ASN":
+            return /^AS\d+$/i.test(value.trim())
+                ? null
+                : "Invalid ASN provided";
+        default:
+            return "Invalid rule match type provided";
+    }
+}
+
 export function isUrlValid(url: string | undefined) {
    if (!url) return true; // the link is optional in the schema so if it's empty it's valid
    var pattern = new RegExp(
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,11 +1,15 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
-import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { resources, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import {
+    getRoleResourceAccess,
+    getUserResourceAccess
+} from "@server/db/queries/verifySessionQueries";

 export async function verifyResourceAccess(
    req: Request,
@@ -116,37 +120,22 @@ export async function verifyResourceAccess(

        const roleResourceAccess =
            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleResources)
-                      .where(
-                          and(
-                              eq(roleResources.resourceId, resource.resourceId),
-                              inArray(
-                                  roleResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+                ? await getRoleResourceAccess(
+                      resource.resourceId,
+                      req.userOrgRoleIds!
+                  )
+                : null;

-        if (roleResourceAccess.length > 0) {
+        if (roleResourceAccess) {
            return next();
        }

-        const userResourceAccess = await db
-            .select()
-            .from(userResources)
-            .where(
-                and(
-                    eq(userResources.userId, userId),
-                    eq(userResources.resourceId, resource.resourceId)
-                )
-            )
-            .limit(1);
+        const userResourceAccess = await getUserResourceAccess(
+            userId,
+            resource.resourceId
+        );

-        if (userResourceAccess.length > 0) {
+        if (userResourceAccess) {
            return next();
        }

--- a/server/middlewares/verifySiteAccess.test.ts
+++ b/server/middlewares/verifySiteAccess.test.ts
@@ -0,0 +1,322 @@
+import { assertEquals } from "@test/assert";
+
+/**
+ * Tests for the cross-organization site binding prevention in verifySiteAccess.
+ *
+ * verifySiteAccess now includes a check: if req.userOrgId is already set by a
+ * previous middleware (e.g. verifyResourceAccess or verifyTargetAccess), and the
+ * loaded site's orgId differs from req.userOrgId, the request is rejected with
+ * 403 Forbidden.
+ *
+ * Route stacks after fix:
+ *   PUT /resource/:resourceId/target
+ *     → verifyResourceAccess → verifySiteAccess → verifyLimits → ...
+ *   POST /target/:targetId
+ *     → verifyTargetAccess → verifySiteAccess → verifyLimits → ...
+ *
+ * verifyResourceAccess sets req.userOrgId to the resource's org.
+ * verifyTargetAccess sets req.userOrgId to the target's resource org.
+ * verifySiteAccess then checks site.orgId against req.userOrgId before
+ * overwriting it with the site's org.
+ */
+
+// --- Core org-matching logic (mirrors the check in verifySiteAccess) ---
+function siteOrgMatchesExpectedOrg(
+    siteOrgId: string | null | undefined,
+    expectedOrgId: string | null | undefined
+): boolean {
+    if (!siteOrgId || !expectedOrgId) {
+        return false;
+    }
+    return siteOrgId === expectedOrgId;
+}
+
+// Simulates the condition check in verifySiteAccess:
+//   if (req.userOrgId && site.orgId !== req.userOrgId) { reject }
+function shouldRejectCrossOrgSite(
+    siteOrgId: string,
+    reqUserOrgId: string | undefined
+): boolean {
+    // The actual check in verifySiteAccess is:
+    //   if (req.userOrgId && site.orgId !== req.userOrgId) { reject }
+    return !!(reqUserOrgId && siteOrgId !== reqUserOrgId);
+}
+
+// --- Tests ---
+
+function testSiteOrgMatchLogic() {
+    console.log("Running verifySiteAccess org-match logic tests...");
+
+    // Test 1: Same org — should match
+    {
+        const result = siteOrgMatchesExpectedOrg(
+            "org-attacker",
+            "org-attacker"
+        );
+        assertEquals(result, true, "Same org should match");
+    }
+
+    // Test 2: Different org — should NOT match (cross-org bypass scenario)
+    {
+        const result = siteOrgMatchesExpectedOrg("org-victim", "org-attacker");
+        assertEquals(
+            result,
+            false,
+            "Cross-org site should NOT match expected org"
+        );
+    }
+
+    // Test 3: Site orgId is null — should NOT match
+    {
+        const result = siteOrgMatchesExpectedOrg(null, "org-attacker");
+        assertEquals(result, false, "Null site orgId should NOT match");
+    }
+
+    // Test 4: Expected orgId is null — should NOT match
+    {
+        const result = siteOrgMatchesExpectedOrg("org-attacker", null);
+        assertEquals(result, false, "Null expected orgId should NOT match");
+    }
+
+    // Test 5: Both null — should NOT match
+    {
+        const result = siteOrgMatchesExpectedOrg(null, null);
+        assertEquals(result, false, "Both null should NOT match");
+    }
+
+    // Test 6: Empty string orgIds — should NOT match (empty string is falsy)
+    {
+        const result = siteOrgMatchesExpectedOrg("", "org-attacker");
+        assertEquals(result, false, "Empty site orgId should NOT match");
+    }
+
+    // Test 7: Undefined orgIds — should NOT match
+    {
+        const result = siteOrgMatchesExpectedOrg(undefined, "org-attacker");
+        assertEquals(result, false, "Undefined site orgId should NOT match");
+    }
+
+    console.log("All verifySiteAccess org-match logic tests passed.");
+}
+
+function testShouldRejectCrossOrgSite() {
+    console.log(
+        "Running shouldRejectCrossOrgSite tests (mirrors verifySiteAccess check)..."
+    );
+
+    // Test: No prior org context (undefined) — should NOT reject
+    // This is the normal case for site-only routes (e.g. PUT /site/:siteId)
+    // where verifySiteAccess runs without a prior verifyResourceAccess.
+    {
+        const shouldReject = shouldRejectCrossOrgSite("org-victim", undefined);
+        assertEquals(
+            shouldReject,
+            false,
+            "No prior org context should NOT reject (normal site routes)"
+        );
+    }
+
+    // Test: Same org — should NOT reject
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org-attacker",
+            "org-attacker"
+        );
+        assertEquals(shouldReject, false, "Same org should NOT reject");
+    }
+
+    // Test: Different org — should reject
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org-victim",
+            "org-attacker"
+        );
+        assertEquals(shouldReject, true, "Cross-org site should be rejected");
+    }
+
+    // Test: Empty string userOrgId — should NOT reject (falsy, check is skipped)
+    {
+        const shouldReject = shouldRejectCrossOrgSite("org-victim", "");
+        assertEquals(
+            shouldReject,
+            false,
+            "Empty string userOrgId should NOT reject (check is skipped)"
+        );
+    }
+
+    console.log("All shouldRejectCrossOrgSite tests passed.");
+}
+
+// --- Route stack validation tests ---
+
+function testRouteStackOrdering() {
+    console.log("Running route stack ordering tests...");
+
+    const createTargetStack = [
+        "verifyResourceAccess",
+        "verifySiteAccess",
+        "verifyLimits",
+        "verifyUserHasAction",
+        "logActionAudit",
+        "createTarget"
+    ];
+
+    const updateTargetStack = [
+        "verifyTargetAccess",
+        "verifySiteAccess",
+        "verifyLimits",
+        "verifyUserHasAction",
+        "logActionAudit",
+        "updateTarget"
+    ];
+
+    // Verify verifySiteAccess comes after resource/target access middleware
+    {
+        const siteAccessIndex = createTargetStack.indexOf("verifySiteAccess");
+        const resourceAccessIndex = createTargetStack.indexOf(
+            "verifyResourceAccess"
+        );
+        assertEquals(
+            siteAccessIndex > resourceAccessIndex,
+            true,
+            "verifySiteAccess must come after verifyResourceAccess in create target stack"
+        );
+    }
+
+    {
+        const siteAccessIndex = updateTargetStack.indexOf("verifySiteAccess");
+        const targetAccessIndex =
+            updateTargetStack.indexOf("verifyTargetAccess");
+        assertEquals(
+            siteAccessIndex > targetAccessIndex,
+            true,
+            "verifySiteAccess must come after verifyTargetAccess in update target stack"
+        );
+    }
+
+    // Verify verifySiteAccess comes before the handler
+    {
+        const siteAccessIndex = createTargetStack.indexOf("verifySiteAccess");
+        const handlerIndex = createTargetStack.indexOf("createTarget");
+        assertEquals(
+            siteAccessIndex < handlerIndex,
+            true,
+            "verifySiteAccess must come before createTarget handler"
+        );
+    }
+
+    {
+        const siteAccessIndex = updateTargetStack.indexOf("verifySiteAccess");
+        const handlerIndex = updateTargetStack.indexOf("updateTarget");
+        assertEquals(
+            siteAccessIndex < handlerIndex,
+            true,
+            "verifySiteAccess must come before updateTarget handler"
+        );
+    }
+
+    console.log("All route stack ordering tests passed.");
+}
+
+// --- Security scenario tests ---
+
+function testSecurityScenarios() {
+    console.log("Running security scenario tests...");
+
+    // Scenario 1: Attacker has resource access in org_attacker, but tries to
+    // bind target to a site in org_victim.
+    // verifyResourceAccess passes (sets req.userOrgId = "org_attacker").
+    // verifySiteAccess loads site (org_victim), checks site.orgId !== req.userOrgId.
+    // Expected: 403 Forbidden.
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org_victim",
+            "org_attacker"
+        );
+        assertEquals(
+            shouldReject,
+            true,
+            "Scenario 1: Cross-org site binding must be rejected"
+        );
+    }
+
+    // Scenario 2: Attacker has resource access AND site access in another org.
+    // Even though the user has site access, verifySiteAccess rejects because
+    // the org-match check runs before the site access check.
+    // Expected: 403 Forbidden (org mismatch caught before site access check).
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org_victim",
+            "org_attacker"
+        );
+        assertEquals(
+            shouldReject,
+            true,
+            "Scenario 2: Cross-org site must be rejected even if user has site access"
+        );
+    }
+
+    // Scenario 3: Legitimate user creates target with site in same org.
+    // verifyResourceAccess passes, verifySiteAccess org-match passes (same org),
+    // verifySiteAccess site access passes.
+    // Expected: 201 Created.
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org_attacker",
+            "org_attacker"
+        );
+        assertEquals(
+            shouldReject,
+            false,
+            "Scenario 3: Same-org site must be allowed"
+        );
+    }
+
+    // Scenario 4: WireGuard site in victim org — org mismatch is caught before
+    // any DB write, pickPort, addPeer, or addTargets side effect.
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org_victim",
+            "org_attacker"
+        );
+        assertEquals(
+            shouldReject,
+            true,
+            "Scenario 4: WireGuard cross-org site must be rejected before addPeer"
+        );
+    }
+
+    // Scenario 5: Newt site in victim org — same as scenario 4 but for newt.
+    {
+        const shouldReject = shouldRejectCrossOrgSite(
+            "org_victim",
+            "org_attacker"
+        );
+        assertEquals(
+            shouldReject,
+            true,
+            "Scenario 5: Newt cross-org site must be rejected before addTargets"
+        );
+    }
+
+    // Scenario 6: Normal site-only route (e.g. PUT /site/:siteId) where
+    // verifySiteAccess runs without a prior verifyResourceAccess.
+    // req.userOrgId is undefined, so the org-match check is skipped.
+    // Normal site access verification proceeds.
+    {
+        const shouldReject = shouldRejectCrossOrgSite("org_victim", undefined);
+        assertEquals(
+            shouldReject,
+            false,
+            "Scenario 6: Site-only routes should skip org-match check"
+        );
+    }
+
+    console.log("All security scenario tests passed.");
+}
+
+// Run all tests
+testSiteOrgMatchLogic();
+testShouldRejectCrossOrgSite();
+testRouteStackOrdering();
+testSecurityScenarios();
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -71,6 +71,15 @@ export async function verifySiteAccess(
            );
        }

+        if (req.userOrgId && site.orgId !== req.userOrgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this site"
+                )
+            );
+        }
+
        if (!req.userOrg) {
            // Get user's role ID in the organization
            const userOrgRole = await db
@@ -128,10 +137,7 @@ export async function verifySiteAccess(
                      .where(
                          and(
                              eq(roleSites.siteId, site.siteId),
-                              inArray(
-                                  roleSites.roleId,
-                                  req.userOrgRoleIds!
-                              )
+                              inArray(roleSites.roleId, req.userOrgRoleIds!)
                          )
                      )
                      .limit(1)
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -109,7 +109,11 @@ export const privateConfigSchema = z
                enable_redis: z.boolean().optional().default(false),
                use_pangolin_dns: z.boolean().optional().default(false),
                use_org_only_idp: z.boolean().optional(),
-                enable_acme_cert_sync: z.boolean().optional().default(true)
+                enable_acme_cert_sync: z.boolean().optional().default(true),
+                disable_private_http_placeholder: z
+                    .boolean()
+                    .optional()
+                    .default(false)
            })
            .optional()
            .prefault({}),
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -12,7 +12,6 @@
 */

 import {
-    browserGatewayTarget,
    certificates,
    db,
    domainNamespaces,
@@ -172,8 +171,15 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
-                    : eq(resources.mode, "http")
+                    ? inArray(resources.mode, [
+                          "http",
+                          "udp",
+                          "tcp",
+                          "vnc",
+                          "ssh",
+                          "rdp"
+                      ]) // allow all three
+                    : inArray(resources.mode, ["http", "vnc", "ssh", "rdp"])
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -181,7 +187,10 @@ export async function getTraefikConfig(
    // Group by resource and include targets with their unique site data
    const resourcesMap = new Map();

-    resourcesWithTargetsAndSites.forEach((row) => {
+    for (const row of resourcesWithTargetsAndSites) {
+        if (!["http", "tcp", "udp"].includes(row.mode)) {
+            continue;
+        }
        const resourceId = row.resourceId;
        const resourceName = sanitize(row.resourceName) || "";
        const targetPath = encodePath(row.path); // Use encodePath to avoid collisions (e.g. "/a/b" vs "/a-b")
@@ -191,7 +200,7 @@ export async function getTraefikConfig(
        const priority = row.priority ?? 100;

        if (filterOutNamespaceDomains && row.domainNamespaceId) {
-            return;
+            continue;
        }

        // Create a unique key combining resourceId, path config, and rewrite config
@@ -218,7 +227,7 @@ export async function getTraefikConfig(
                logger.debug(
                    `Invalid path rewrite configuration for resource ${resourceId}: ${validation.error}`
                );
-                return;
+                continue;
            }

            resourcesMap.set(mapKey, {
@@ -275,7 +284,7 @@ export async function getTraefikConfig(
                online: row.siteOnline
            }
        });
-    });
+    }

    // Group browser gateway targets by resource
    type BrowserGatewayResourceEntry = {
@@ -295,13 +304,12 @@ export async function getTraefikConfig(
        maintenanceMessage: string | null;
        maintenanceEstimatedTime: string | null;
        targets: {
-            browserGatewayTargetId: number;
+            targetId: number;
            bgType: string;
            siteId: number;
            siteType: string;
            siteOnline: boolean | null;
            subnet: string | null;
-            siteExitNodeId: number | null;
        }[];
    };
    const browserGatewayResourcesMap = new Map<
@@ -310,66 +318,10 @@ export async function getTraefikConfig(
    >();

    if (allowBrowserGatewayResources) {
-        // Query browser gateway targets for this exit node
-        const browserGatewayRows = await db
-            .select({
-                // Resource fields
-                resourceId: resources.resourceId,
-                resourceName: resources.name,
-                fullDomain: resources.fullDomain,
-                ssl: resources.ssl,
-                subdomain: resources.subdomain,
-                domainId: resources.domainId,
-                enabled: resources.enabled,
-                wildcard: resources.wildcard,
-                domainCertResolver: domains.certResolver,
-                preferWildcardCert: domains.preferWildcardCert,
-                domainNamespaceId: domainNamespaces.domainNamespaceId,
-                // Maintenance fields
-                maintenanceModeEnabled: resources.maintenanceModeEnabled,
-                maintenanceModeType: resources.maintenanceModeType,
-                maintenanceTitle: resources.maintenanceTitle,
-                maintenanceMessage: resources.maintenanceMessage,
-                maintenanceEstimatedTime: resources.maintenanceEstimatedTime,
-                // Browser gateway target fields
-                browserGatewayTargetId:
-                    browserGatewayTarget.browserGatewayTargetId,
-                bgType: browserGatewayTarget.type,
-                // Site fields
-                siteId: sites.siteId,
-                siteType: sites.type,
-                siteOnline: sites.online,
-                subnet: sites.subnet,
-                siteExitNodeId: sites.exitNodeId
-            })
-            .from(browserGatewayTarget)
-            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
-            .innerJoin(
-                resources,
-                eq(resources.resourceId, browserGatewayTarget.resourceId)
-            )
-            .leftJoin(domains, eq(domains.domainId, resources.domainId))
-            .leftJoin(
-                domainNamespaces,
-                eq(domainNamespaces.domainId, resources.domainId)
-            )
-            .where(
-                and(
-                    eq(resources.enabled, true),
-                    or(
-                        eq(sites.exitNodeId, exitNodeId),
-                        and(
-                            isNull(sites.exitNodeId),
-                            sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
-                            eq(sites.type, "local"),
-                            sql`(${build != "saas" ? 1 : 0} = 1)`
-                        )
-                    ),
-                    inArray(sites.type, siteTypes)
-                )
-            );
-
-        for (const row of browserGatewayRows) {
+        for (const row of resourcesWithTargetsAndSites) {
+            if (!["ssh", "vnc", "rdp"].includes(row.mode)) {
+                continue;
+            }
            if (filterOutNamespaceDomains && row.domainNamespaceId) {
                continue;
            }
@@ -394,13 +346,12 @@ export async function getTraefikConfig(
                });
            }
            browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
-                browserGatewayTargetId: row.browserGatewayTargetId,
-                bgType: row.bgType,
+                targetId: row.targetId,
+                bgType: row.mode,
                siteId: row.siteId,
                siteType: row.siteType,
                siteOnline: row.siteOnline,
-                subnet: row.subnet,
-                siteExitNodeId: row.siteExitNodeId
+                subnet: row.subnet
            });
        }
    }
@@ -410,7 +361,11 @@ export async function getTraefikConfig(
        fullDomain: string | null;
        mode: "http" | "host" | "cidr" | "ssh";
    }[] = [];
-    if (build == "enterprise") {
+    if (
+        build == "enterprise" &&
+        !privateConfig.getRawPrivateConfig().flags
+            .disable_private_http_placeholder
+    ) {
        // we dont want to do this on the cloud
        // Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
        siteResourcesWithFullDomain = await db
@@ -493,16 +448,29 @@ export async function getTraefikConfig(
        const transportName = `${key}-transport`;
        const headersMiddlewareName = `${key}-headers-middleware`;

+        logger.debug(
+            `Processing resource ${resource.name} with domain ${fullDomain} and ${targets.length} targets`
+        );
+
        if (!resource.enabled) {
+            logger.debug(
+                `Resource ${resource.name} is disabled, skipping Traefik config`
+            );
            continue;
        }

-        if (resource.http) {
+        if (resource.mode == "http") {
            if (!resource.domainId) {
+                logger.debug(
+                    `Resource ${resource.name} does not have a domainId, skipping Traefik config`
+                );
                continue;
            }

            if (!resource.fullDomain) {
+                logger.debug(
+                    `Resource ${resource.name} does not have a fullDomain, skipping Traefik config`
+                );
                continue;
            }

@@ -958,7 +926,7 @@ export async function getTraefikConfig(
                    serviceName
                ].loadBalancer.serversTransport = transportName;
            }
-        } else {
+        } else if (resource.mode == "tcp" || resource.mode == "udp") {
            // Non-HTTP (TCP/UDP) configuration
            if (!resource.enableProxy) {
                continue;
--- a/server/private/routers/alertRule/createAlertRule.ts
+++ b/server/private/routers/alertRule/createAlertRule.ts
@@ -208,7 +208,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/alertRule/deleteAlertRule.ts
+++ b/server/private/routers/alertRule/deleteAlertRule.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -112,4 +112,4 @@ export async function deleteAlertRule(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/alertRule/getAlertRule.ts
+++ b/server/private/routers/alertRule/getAlertRule.ts
@@ -32,7 +32,10 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
-import { GetAlertRuleResponse, WebhookAlertConfig } from "@server/routers/alertRule/types";
+import {
+    GetAlertRuleResponse,
+    WebhookAlertConfig
+} from "@server/routers/alertRule/types";

 const paramsSchema = z
    .object({
@@ -55,7 +58,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/alertRule/listAlertRules.ts
+++ b/server/private/routers/alertRule/listAlertRules.ts
@@ -101,7 +101,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/exportAccessAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportActionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportActionAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/exportConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -72,7 +72,9 @@ export async function exportConnectionAuditLogs(
            );
        }

-        const parsedParams = queryConnectionAuditLogsParams.safeParse(req.params);
+        const parsedParams = queryConnectionAuditLogsParams.safeParse(
+            req.params
+        );
        if (!parsedParams.success) {
            return next(
                createHttpError(
@@ -112,4 +114,4 @@ export async function exportConnectionAuditLogs(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,7 +11,14 @@
 * This file is not licensed under the AGPLv3.
 */

-import { accessAuditLog, logsDb, resources, siteResources, db, primaryDb } from "@server/db";
+import {
+    accessAuditLog,
+    logsDb,
+    resources,
+    siteResources,
+    db,
+    primaryDb
+} from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -150,21 +157,30 @@ export function queryAccess(data: Q) {
        .orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
 }

-async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
+async function enrichWithResourceDetails(
+    logs: Awaited<ReturnType<typeof queryAccess>>
+) {
    const resourceIds = logs
-        .map(log => log.resourceId)
+        .map((log) => log.resourceId)
        .filter((id): id is number => id !== null && id !== undefined);

    const siteResourceIds = logs
-        .filter(log => log.resourceId == null && log.siteResourceId != null)
-        .map(log => log.siteResourceId)
+        .filter((log) => log.resourceId == null && log.siteResourceId != null)
+        .map((log) => log.siteResourceId)
        .filter((id): id is number => id !== null && id !== undefined);

    if (resourceIds.length === 0 && siteResourceIds.length === 0) {
-        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
+        return logs.map((log) => ({
+            ...log,
+            resourceName: null,
+            resourceNiceId: null
+        }));
    }

-    const resourceMap = new Map<number, { name: string | null; niceId: string | null }>();
+    const resourceMap = new Map<
+        number,
+        { name: string | null; niceId: string | null }
+    >();

    if (resourceIds.length > 0) {
        const resourceDetails = await primaryDb
@@ -181,7 +197,10 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAc
        }
    }

-    const siteResourceMap = new Map<number, { name: string | null; niceId: string | null }>();
+    const siteResourceMap = new Map<
+        number,
+        { name: string | null; niceId: string | null }
+    >();

    if (siteResourceIds.length > 0) {
        const siteResourceDetails = await primaryDb
@@ -194,12 +213,15 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAc
            .where(inArray(siteResources.siteResourceId, siteResourceIds));

        for (const r of siteResourceDetails) {
-            siteResourceMap.set(r.siteResourceId, { name: r.name, niceId: r.niceId });
+            siteResourceMap.set(r.siteResourceId, {
+                name: r.name,
+                niceId: r.niceId
+            });
        }
    }

    // Enrich logs with resource details
-    return logs.map(log => {
+    return logs.map((log) => {
        if (log.resourceId != null) {
            const details = resourceMap.get(log.resourceId);
            return {
@@ -273,11 +295,11 @@ async function queryUniqueFilterAttributes(

    // Fetch resource names from main database for the unique resource IDs
    const resourceIds = uniqueResources
-        .map(row => row.id)
+        .map((row) => row.id)
        .filter((id): id is number => id !== null);

    const siteResourceIds = uniqueSiteResources
-        .map(row => row.id)
+        .map((row) => row.id)
        .filter((id): id is number => id !== null);

    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
@@ -293,7 +315,7 @@ async function queryUniqueFilterAttributes(

        resourcesWithNames = [
            ...resourcesWithNames,
-            ...resourceDetails.map(r => ({
+            ...resourceDetails.map((r) => ({
                id: r.resourceId,
                name: r.name
            }))
@@ -311,7 +333,7 @@ async function queryUniqueFilterAttributes(

        resourcesWithNames = [
            ...resourcesWithNames,
-            ...siteResourceDetails.map(r => ({
+            ...siteResourceDetails.map((r) => ({
                id: r.siteResourceId,
                name: r.name
            }))
@@ -344,7 +366,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/queryActionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryActionAuditLog.ts
@@ -171,7 +171,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -459,7 +459,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/auth/transferSession.ts
+++ b/server/private/routers/auth/transferSession.ts
@@ -17,8 +17,7 @@ import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import { sessions, sessionTransferToken } from "@server/db";
-import { db } from "@server/db";
+import { db, safeRead, sessions, sessionTransferToken } from "@server/db";
 import { eq } from "drizzle-orm";
 import { response } from "@server/lib/response";
 import { encodeHexLowerCase } from "@oslojs/encoding";
@@ -57,15 +56,19 @@ export async function transferSession(
            sha256(new TextEncoder().encode(token))
        );

-        const [existing] = await db
-            .select()
-            .from(sessionTransferToken)
-            .where(eq(sessionTransferToken.token, tokenRaw))
-            .innerJoin(
-                sessions,
-                eq(sessions.sessionId, sessionTransferToken.sessionId)
-            )
-            .limit(1);
+        const result = await safeRead((db) =>
+            db
+                .select()
+                .from(sessionTransferToken)
+                .where(eq(sessionTransferToken.token, tokenRaw))
+                .innerJoin(
+                    sessions,
+                    eq(sessions.sessionId, sessionTransferToken.sessionId)
+                )
+                .limit(1)
+        );
+
+        const [existing] = result;

        if (!existing) {
            return next(
--- a/server/private/routers/billing/getOrgUsage.ts
+++ b/server/private/routers/billing/getOrgUsage.ts
@@ -45,7 +45,7 @@ const getOrgSchema = z.strictObject({
 // content: {
 // "application/json": {
 // schema: z.object({
-// data: z.unknown().nullable(),
+// data: z.record(z.string(), z.any()).nullable(),
 // success: z.boolean(),
 // error: z.boolean(),
 // message: z.string(),
--- a/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
@@ -1,187 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import {
-    browserGatewayTarget,
-    BrowserGatewayTarget,
-    db,
-    newts,
-    resources,
-    sites
-} from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-import { encrypt } from "@server/lib/crypto";
-import config from "@server/lib/config";
-import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
-import { generateId } from "@server/auth/sessions/app";
-
-const paramsSchema = z.strictObject({
-    orgId: z.string().nonempty(),
-    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
-});
-
-const bodySchema = z.strictObject({
-    siteId: z.number().int().positive(),
-    type: z.enum(["ssh", "rdp", "vnc"]),
-    destination: z.string().nonempty(),
-    destinationPort: z.number().int().min(1).max(65535)
-});
-
-export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
-
-registry.registerPath({
-    method: "put",
-    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
-    description: "Create a browser gateway target for a resource.",
-    tags: [OpenAPITags.Org],
-    request: {
-        params: paramsSchema,
-        body: {
-            content: {
-                "application/json": {
-                    schema: bodySchema
-                }
-            }
-        }
-    },
-    responses: {}
-});
-
-export async function createBrowserGatewayTarget(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { orgId, resourceId } = parsedParams.data;
-
-        const parsedBody = bodySchema.safeParse(req.body);
-        if (!parsedBody.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedBody.error).toString()
-                )
-            );
-        }
-
-        const { siteId, type, destination, destinationPort } = parsedBody.data;
-
-        const [resource] = await db
-            .select()
-            .from(resources)
-            .where(
-                and(
-                    eq(resources.resourceId, resourceId),
-                    eq(resources.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!resource) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Resource with ID ${resourceId} not found in organization ${orgId}`
-                )
-            );
-        }
-
-        const [site] = await db
-            .select()
-            .from(sites)
-            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
-            .limit(1);
-
-        if (!site) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Site with ID ${siteId} not found in organization ${orgId}`
-                )
-            );
-        }
-
-        const plainToken = generateId(48);
-        const encryptedToken = encrypt(
-            plainToken,
-            config.getRawConfig().server.secret!
-        );
-
-        const [record] = await db
-            .insert(browserGatewayTarget)
-            .values({
-                resourceId,
-                siteId,
-                type,
-                destination,
-                destinationPort,
-                authToken: encryptedToken
-            })
-            .returning();
-
-        if (site.type === "newt") {
-            const [newt] = await db
-                .select()
-                .from(newts)
-                .where(eq(newts.siteId, siteId))
-                .limit(1);
-
-            if (newt) {
-                await sendBrowserGatewayTargets(
-                    newt.newtId,
-                    [record],
-                    newt.version
-                );
-            }
-        }
-
-        logger.info(
-            `Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
-        );
-
-        return response<CreateBrowserGatewayTargetResponse>(res, {
-            data: record,
-            success: true,
-            error: false,
-            message: "Browser gateway target created successfully",
-            status: HttpCode.CREATED
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to create browser gateway target"
-            )
-        );
-    }
-}
--- a/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
@@ -1,130 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { browserGatewayTarget, db, newts, sites } from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
-
-const paramsSchema = z.strictObject({
-    orgId: z.string().nonempty(),
-    browserGatewayTargetId: z
-        .string()
-        .transform(Number)
-        .pipe(z.number().int().positive())
-});
-
-registry.registerPath({
-    method: "delete",
-    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
-    description: "Delete a browser gateway target.",
-    tags: [OpenAPITags.Org],
-    request: {
-        params: paramsSchema
-    },
-    responses: {}
-});
-
-export async function deleteBrowserGatewayTarget(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { orgId, browserGatewayTargetId } = parsedParams.data;
-
-        const [existing] = await db
-            .select({ bgt: browserGatewayTarget, site: sites })
-            .from(browserGatewayTarget)
-            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
-            .where(
-                and(
-                    eq(
-                        browserGatewayTarget.browserGatewayTargetId,
-                        browserGatewayTargetId
-                    ),
-                    eq(sites.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!existing) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
-                )
-            );
-        }
-
-        await db
-            .delete(browserGatewayTarget)
-            .where(
-                eq(
-                    browserGatewayTarget.browserGatewayTargetId,
-                    browserGatewayTargetId
-                )
-            );
-
-        if (existing.site.type === "newt") {
-            const [newt] = await db
-                .select()
-                .from(newts)
-                .where(eq(newts.siteId, existing.bgt.siteId))
-                .limit(1);
-
-            if (newt) {
-                await removeBrowserGatewayTarget(
-                    newt.newtId,
-                    browserGatewayTargetId,
-                    newt.version
-                );
-            }
-        }
-
-        logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
-
-        return response(res, {
-            data: null,
-            success: true,
-            error: false,
-            message: "Browser gateway target deleted successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to delete browser gateway target"
-            )
-        );
-    }
-}
--- a/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
@@ -1,109 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import {
-    browserGatewayTarget,
-    BrowserGatewayTarget,
-    db,
-    sites
-} from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-
-const paramsSchema = z.strictObject({
-    orgId: z.string().nonempty(),
-    browserGatewayTargetId: z
-        .string()
-        .transform(Number)
-        .pipe(z.number().int().positive())
-});
-
-export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
-
-registry.registerPath({
-    method: "get",
-    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
-    description: "Get a browser gateway target.",
-    tags: [OpenAPITags.Org],
-    request: {
-        params: paramsSchema
-    },
-    responses: {}
-});
-
-export async function getBrowserGatewayTarget(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { orgId, browserGatewayTargetId } = parsedParams.data;
-
-        const [result] = await db
-            .select({ bgt: browserGatewayTarget })
-            .from(browserGatewayTarget)
-            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
-            .where(
-                and(
-                    eq(
-                        browserGatewayTarget.browserGatewayTargetId,
-                        browserGatewayTargetId
-                    ),
-                    eq(sites.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!result) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
-                )
-            );
-        }
-
-        return response<GetBrowserGatewayTargetResponse>(res, {
-            data: result.bgt,
-            success: true,
-            error: false,
-            message: "Browser gateway target retrieved successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to retrieve browser gateway target"
-            )
-        );
-    }
-}
--- a/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
@@ -13,9 +13,8 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { browserGatewayTarget, db } from "@server/db";
-import { resources, targets } from "@server/db";
-import { eq } from "drizzle-orm";
+import { db, resources, targets } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -51,31 +50,30 @@ export async function getBrowserTarget(

        logger.info(`Retrieving browser target for domain: ${fullDomain}`);

-        const [browserTarget] = await db
+        const [row] = await db
            .select({
-                destination: browserGatewayTarget.destination,
-                destinationPort: browserGatewayTarget.destinationPort,
-                authToken: browserGatewayTarget.authToken,
+                ip: targets.ip,
+                port: targets.port,
+                authToken: targets.authToken,
                resourceId: resources.resourceId,
                niceId: resources.niceId,
+                name: resources.name,
                orgId: resources.orgId,
                pamMode: resources.pamMode,
                authDaemonMode: resources.authDaemonMode
            })
-            .from(browserGatewayTarget)
-            .innerJoin(
-                resources,
-                eq(browserGatewayTarget.resourceId, resources.resourceId)
+            .from(targets)
+            .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
+            .where(
+                and(
+                    eq(resources.fullDomain, fullDomain),
+                    eq(targets.enabled, true),
+                    inArray(targets.mode, ["ssh", "rdp", "vnc"])
+                )
            )
-            .where(eq(resources.fullDomain, fullDomain))
            .limit(1);

-        const decryptedAuthToken = decrypt(
-            browserTarget.authToken,
-            config.getRawConfig().server.secret!
-        );
-
-        if (!browserTarget) {
+        if (!row) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
@@ -84,16 +82,21 @@ export async function getBrowserTarget(
            );
        }

+        const decryptedAuthToken = row.authToken
+            ? decrypt(row.authToken, config.getRawConfig().server.secret!)
+            : "";
+
        return response<GetBrowserTargetResponse>(res, {
            data: {
-                ip: browserTarget.destination,
-                port: browserTarget.destinationPort,
+                ip: row.ip,
+                port: row.port,
                authToken: decryptedAuthToken,
-                pamMode: browserTarget.pamMode,
-                authDaemonMode: browserTarget.authDaemonMode,
-                orgId: browserTarget.orgId,
-                resourceId: browserTarget.resourceId,
-                niceId: browserTarget.niceId
+                pamMode: row.pamMode,
+                authDaemonMode: row.authDaemonMode,
+                orgId: row.orgId,
+                resourceId: row.resourceId,
+                niceId: row.niceId,
+                name: row.name ?? ""
            },
            success: true,
            error: false,
--- a/server/private/routers/browserGatewayTarget/index.ts
+++ b/server/private/routers/browserGatewayTarget/index.ts
@@ -11,9 +11,4 @@
 * This file is not licensed under the AGPLv3.
 */

-export * from "./createBrowserGatewayTarget";
-export * from "./updateBrowserGatewayTarget";
-export * from "./deleteBrowserGatewayTarget";
-export * from "./getBrowserGatewayTarget";
-export * from "./listBrowserGatewayTargets";
 export * from "./getBrowserTarget";
--- a/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
+++ b/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
@@ -1,159 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import {
-    browserGatewayTarget,
-    BrowserGatewayTarget,
-    db,
-    resources,
-    sites
-} from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-
-const paramsSchema = z.strictObject({
-    orgId: z.string().nonempty(),
-    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
-});
-
-const querySchema = z.object({
-    limit: z
-        .string()
-        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.number().int().positive()),
-    offset: z
-        .string()
-        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.number().int().nonnegative())
-});
-
-export type ListBrowserGatewayTargetsResponse = {
-    targets: BrowserGatewayTarget[];
-    total: number;
-    limit: number;
-    offset: number;
-};
-
-registry.registerPath({
-    method: "get",
-    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
-    description: "List browser gateway targets for a resource.",
-    tags: [OpenAPITags.Org],
-    request: {
-        params: paramsSchema,
-        query: querySchema
-    },
-    responses: {}
-});
-
-export async function listBrowserGatewayTargets(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { orgId, resourceId } = parsedParams.data;
-
-        const parsedQuery = querySchema.safeParse(req.query);
-        if (!parsedQuery.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedQuery.error).toString()
-                )
-            );
-        }
-
-        const { limit, offset } = parsedQuery.data;
-
-        const [resource] = await db
-            .select()
-            .from(resources)
-            .where(
-                and(
-                    eq(resources.resourceId, resourceId),
-                    eq(resources.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!resource) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Resource with ID ${resourceId} not found in organization ${orgId}`
-                )
-            );
-        }
-
-        const rows = await db
-            .select({
-                browserGatewayTargetId:
-                    browserGatewayTarget.browserGatewayTargetId,
-                resourceId: browserGatewayTarget.resourceId,
-                siteId: browserGatewayTarget.siteId,
-                authToken: browserGatewayTarget.authToken,
-                type: browserGatewayTarget.type,
-                destination: browserGatewayTarget.destination,
-                destinationPort: browserGatewayTarget.destinationPort,
-                siteName: sites.name
-            })
-            .from(browserGatewayTarget)
-            .leftJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
-            .where(eq(browserGatewayTarget.resourceId, resourceId))
-            .limit(limit)
-            .offset(offset);
-
-        return response<ListBrowserGatewayTargetsResponse>(res, {
-            data: {
-                targets: rows as any,
-                total: rows.length,
-                limit,
-                offset
-            },
-            success: true,
-            error: false,
-            message: "Browser gateway targets retrieved successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to list browser gateway targets"
-            )
-        );
-    }
-}
--- a/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
@@ -1,180 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import {
-    browserGatewayTarget,
-    BrowserGatewayTarget,
-    db,
-    newts,
-    sites
-} from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
-
-const paramsSchema = z.strictObject({
-    orgId: z.string().nonempty(),
-    browserGatewayTargetId: z
-        .string()
-        .transform(Number)
-        .pipe(z.number().int().positive())
-});
-
-const bodySchema = z.strictObject({
-    siteId: z.number().int().positive().optional(),
-    type: z.enum(["ssh", "rdp", "vnc"]).optional(),
-    destination: z.string().nonempty().optional(),
-    destinationPort: z.number().int().min(1).max(65535).optional()
-});
-
-export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
-
-registry.registerPath({
-    method: "post",
-    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
-    description: "Update a browser gateway target.",
-    tags: [OpenAPITags.Org],
-    request: {
-        params: paramsSchema,
-        body: {
-            content: {
-                "application/json": {
-                    schema: bodySchema
-                }
-            }
-        }
-    },
-    responses: {}
-});
-
-export async function updateBrowserGatewayTarget(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = paramsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { orgId, browserGatewayTargetId } = parsedParams.data;
-
-        const parsedBody = bodySchema.safeParse(req.body);
-        if (!parsedBody.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedBody.error).toString()
-                )
-            );
-        }
-
-        const { siteId, type, destination, destinationPort } = parsedBody.data;
-
-        const [existing] = await db
-            .select({ bgt: browserGatewayTarget, site: sites })
-            .from(browserGatewayTarget)
-            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
-            .where(
-                and(
-                    eq(
-                        browserGatewayTarget.browserGatewayTargetId,
-                        browserGatewayTargetId
-                    ),
-                    eq(sites.orgId, orgId)
-                )
-            )
-            .limit(1);
-
-        if (!existing) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
-                )
-            );
-        }
-
-        const updateValues: Partial<BrowserGatewayTarget> = {};
-        if (siteId !== undefined) updateValues.siteId = siteId;
-        if (type !== undefined) updateValues.type = type;
-        if (destination !== undefined) updateValues.destination = destination;
-        if (destinationPort !== undefined)
-            updateValues.destinationPort = destinationPort;
-
-        const [updated] = await db
-            .update(browserGatewayTarget)
-            .set(updateValues)
-            .where(
-                eq(
-                    browserGatewayTarget.browserGatewayTargetId,
-                    browserGatewayTargetId
-                )
-            )
-            .returning();
-
-        const targetSiteId = siteId ?? existing.bgt.siteId;
-        const [site] = await db
-            .select()
-            .from(sites)
-            .where(eq(sites.siteId, targetSiteId))
-            .limit(1);
-
-        if (site && site.type === "newt") {
-            const [newt] = await db
-                .select()
-                .from(newts)
-                .where(eq(newts.siteId, targetSiteId))
-                .limit(1);
-
-            if (newt) {
-                await sendBrowserGatewayTargets(
-                    newt.newtId,
-                    [updated],
-                    newt.version
-                );
-            }
-        }
-
-        logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
-
-        return response<UpdateBrowserGatewayTargetResponse>(res, {
-            data: updated,
-            success: true,
-            error: false,
-            message: "Browser gateway target updated successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Failed to update browser gateway target"
-            )
-        );
-    }
-}
--- a/server/private/routers/certificates/getCertificate.ts
+++ b/server/private/routers/certificates/getCertificate.ts
@@ -121,7 +121,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/certificates/restartCertificate.ts
+++ b/server/private/routers/certificates/restartCertificate.ts
@@ -46,7 +46,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/domain/checkDomainNamespaceAvailability.ts
+++ b/server/private/routers/domain/checkDomainNamespaceAvailability.ts
@@ -29,7 +29,7 @@ import { tierMatrix } from "@server/lib/billing/tierMatrix";
 const paramsSchema = z.strictObject({});

 const querySchema = z.strictObject({
-    subdomain: z.string(),
+    subdomain: z.string()
    // orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
 });

@@ -48,7 +48,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
@@ -33,7 +33,8 @@ const paramsSchema = z
 registry.registerPath({
    method: "delete",
    path: "/org/{orgId}/event-streaming-destination/{destinationId}",
-    description: "Delete an event streaming destination for a specific organization.",
+    description:
+        "Delete an event streaming destination for a specific organization.",
    tags: [OpenAPITags.Org],
    request: {
        params: paramsSchema
@@ -44,7 +45,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -115,4 +116,4 @@ export async function deleteEventStreamingDestination(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
-}
+}
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -31,7 +31,6 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
-import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
 import * as labels from "#private/routers/labels";
 import * as client from "@server/routers/client";
 import * as resource from "#private/routers/resource";
@@ -879,48 +878,3 @@ authenticated.post(
    verifyClientAccess,
    client.rebuildClientAssociationsCacheRoute
 );
-
-authenticated.put(
-    "/org/:orgId/resource/:resourceId/browser-gateway-target",
-    verifyValidLicense,
-    verifyOrgAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
-    browserGatewayTarget.createBrowserGatewayTarget
-);
-
-authenticated.get(
-    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
-    verifyValidLicense,
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
-    browserGatewayTarget.listBrowserGatewayTargets
-);
-
-authenticated.get(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyValidLicense,
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
-    browserGatewayTarget.getBrowserGatewayTarget
-);
-
-authenticated.post(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyValidLicense,
-    verifyOrgAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
-    browserGatewayTarget.updateBrowserGatewayTarget
-);
-
-authenticated.delete(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyValidLicense,
-    verifyOrgAccess,
-    verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
-    browserGatewayTarget.deleteBrowserGatewayTarget
-);
--- a/server/private/routers/healthChecks/deleteHealthCheck.ts
+++ b/server/private/routers/healthChecks/deleteHealthCheck.ts
@@ -47,7 +47,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/healthChecks/listHealthChecks.ts
+++ b/server/private/routers/healthChecks/listHealthChecks.ts
@@ -74,7 +74,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -79,7 +79,10 @@ import logger from "@server/logger";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
 import { exchangeSession } from "@server/routers/badger";
-import { validateResourceSessionToken } from "@server/auth/sessions/resource";
+import {
+    ResourceSessionValidationResult,
+    validateResourceSessionToken
+} from "@server/auth/sessions/resource";
 import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
 import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
@@ -216,9 +219,9 @@ export type ResourceWithAuth = {
    password: ResourcePassword | ResourcePolicyPassword | null;
    headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
-    applyRules: boolean;
-    sso: boolean;
-    emailWhitelistEnabled: boolean;
+    applyRules: boolean | null;
+    sso: boolean | null;
+    emailWhitelistEnabled: boolean | null;
    org: Org;
 };

@@ -1754,11 +1757,34 @@ hybridRouter.post(
                resourceId
            );

+            // this is for backward compatibility with nodes that did not have the policy id checking
+            const modifiedResult: ResourceSessionValidationResult = {
+                ...result,
+                resourceSession: result.resourceSession
+                    ? {
+                          ...result.resourceSession,
+                          // Prefer policy IDs, but keep legacy IDs populated for older nodes.
+                          pincodeId:
+                              result.resourceSession.policyPincodeId ??
+                              result.resourceSession.pincodeId ??
+                              null,
+                          passwordId:
+                              result.resourceSession.policyPasswordId ??
+                              result.resourceSession.passwordId ??
+                              null,
+                          whitelistId:
+                              result.resourceSession.policyWhitelistId ??
+                              result.resourceSession.whitelistId ??
+                              null
+                      }
+                    : null
+            };
+
            return response(res, {
-                data: result,
+                data: modifiedResult,
                success: true,
                error: false,
-                message: result.resourceSession
+                message: modifiedResult.resourceSession
                    ? "Resource session token is valid"
                    : "Resource session token is invalid or expired",
                status: HttpCode.OK
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -16,7 +16,6 @@ import * as org from "#private/routers/org";
 import * as logs from "#private/routers/auditLogs";
 import * as alertEvents from "#private/routers/alertEvents";
 import * as certificates from "#private/routers/certificates";
-import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";

 import {
    verifyApiKeyHasAction,
@@ -216,43 +215,3 @@ authenticated.delete(
    logActionAudit(ActionsEnum.removeUserRole),
    user.removeUserRole
 );
-
-authenticated.put(
-    "/org/:orgId/resource/:resourceId/browser-gateway-target",
-    verifyApiKeyOrgAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.createBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
-    browserGatewayTarget.createBrowserGatewayTarget
-);
-
-authenticated.get(
-    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
-    verifyApiKeyOrgAccess,
-    verifyApiKeyHasAction(ActionsEnum.listBrowserGatewayTargets),
-    browserGatewayTarget.listBrowserGatewayTargets
-);
-
-authenticated.get(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyApiKeyOrgAccess,
-    verifyApiKeyHasAction(ActionsEnum.getBrowserGatewayTarget),
-    browserGatewayTarget.getBrowserGatewayTarget
-);
-
-authenticated.post(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyApiKeyOrgAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.updateBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
-    browserGatewayTarget.updateBrowserGatewayTarget
-);
-
-authenticated.delete(
-    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
-    verifyApiKeyOrgAccess,
-    verifyApiKeyHasAction(ActionsEnum.deleteBrowserGatewayTarget),
-    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
-    browserGatewayTarget.deleteBrowserGatewayTarget
-);
--- a/server/private/routers/internal.ts
+++ b/server/private/routers/internal.ts
@@ -17,9 +17,9 @@ import * as orgIdp from "#private/routers/orgIdp";
 import * as billing from "#private/routers/billing";
 import * as license from "#private/routers/license";
 import * as resource from "#private/routers/resource";
-import * as browserTarget from "#private/routers/browserGatewayTarget";
 import * as ssh from "#private/routers/ssh";
 import * as ws from "@server/routers/ws";
+import * as browserTarget from "#private/routers/browserGatewayTarget";

 import {
    verifySessionUserMiddleware,
--- a/server/private/routers/labels/createOrgLabel.ts
+++ b/server/private/routers/labels/createOrgLabel.ts
@@ -22,7 +22,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq } from "drizzle-orm";
+import { and, eq, sql } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -107,6 +107,26 @@ export async function createOrgLabel(
            }
        }

+        const [existingLabel] = await db
+            .select({ labelId: labels.labelId })
+            .from(labels)
+            .where(
+                and(
+                    eq(labels.orgId, orgId),
+                    sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
+                )
+            )
+            .limit(1);
+
+        if (existingLabel) {
+            return next(
+                createHttpError(
+                    HttpCode.CONFLICT,
+                    "A label with this name already exists"
+                )
+            );
+        }
+
        const label = await db.transaction(async (tx) => {
            const [label] = await tx
                .insert(labels)
--- a/server/private/routers/labels/updateOrgLabel.ts
+++ b/server/private/routers/labels/updateOrgLabel.ts
@@ -16,7 +16,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import type { CreateOrEditLabelResponse } from "@server/routers/labels/types";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq } from "drizzle-orm";
+import { and, eq, ne, sql } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -74,6 +74,29 @@ export async function updateOrgLabel(

        const { name, color } = parsedBody.data;

+        if (name && name.toLowerCase() !== existing.name.toLowerCase()) {
+            const [duplicateLabel] = await db
+                .select({ labelId: labels.labelId })
+                .from(labels)
+                .where(
+                    and(
+                        eq(labels.orgId, orgId),
+                        ne(labels.labelId, labelId),
+                        sql`LOWER(${labels.name}) = ${name.toLowerCase()}`
+                    )
+                )
+                .limit(1);
+
+            if (duplicateLabel) {
+                return next(
+                    createHttpError(
+                        HttpCode.CONFLICT,
+                        "A label with this name already exists"
+                    )
+                );
+            }
+        }
+
        const [label] = await db
            .update(labels)
            .set({
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -69,7 +69,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -127,7 +127,8 @@ export async function createOrgOidcIdp(

        let { autoProvision } = parsedBody.data;

-        if (build == "saas") { // this is not paywalled with a ee license because this whole endpoint is restricted
+        if (build == "saas") {
+            // this is not paywalled with a ee license because this whole endpoint is restricted
            const subscribed = await isSubscribed(
                orgId,
                tierMatrix.deviceApprovals
--- a/server/private/routers/orgIdp/deleteOrgIdp.ts
+++ b/server/private/routers/orgIdp/deleteOrgIdp.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/orgIdp/getOrgIdp.ts
+++ b/server/private/routers/orgIdp/getOrgIdp.ts
@@ -62,7 +62,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/orgIdp/listOrgIdps.ts
+++ b/server/private/routers/orgIdp/listOrgIdps.ts
@@ -78,7 +78,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -33,9 +33,8 @@ import {
 import { getUniqueResourcePolicyName } from "@server/db/names";
 import response from "@server/lib/response";
 import {
-    isValidCIDR,
-    isValidIP,
-    isValidUrlGlobPattern
+    getResourceRuleValueValidationError,
+    RESOURCE_RULE_MATCH_TYPES
 } from "@server/lib/validators";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -56,9 +55,9 @@ const ruleSchema = z.strictObject({
        enum: ["ACCEPT", "DROP", "PASS"],
        description: "rule action"
    }),
-    match: z.enum(["CIDR", "IP", "PATH"]).openapi({
+    match: z.enum(RESOURCE_RULE_MATCH_TYPES).openapi({
        type: "string",
-        enum: ["CIDR", "IP", "PATH"],
+        enum: [...RESOURCE_RULE_MATCH_TYPES],
        description: "rule match"
    }),
    value: z.string().min(1),
@@ -261,26 +260,13 @@ export async function createResourcePolicy(
        const niceId = await getUniqueResourcePolicyName(orgId);

        for (const rule of rules) {
-            if (rule.match === "CIDR" && !isValidCIDR(rule.value)) {
+            const validationError = getResourceRuleValueValidationError(
+                rule.match,
+                rule.value
+            );
+            if (validationError) {
                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "Invalid CIDR provided"
-                    )
-                );
-            } else if (rule.match === "IP" && !isValidIP(rule.value)) {
-                return next(
-                    createHttpError(HttpCode.BAD_REQUEST, "Invalid IP provided")
-                );
-            } else if (
-                rule.match === "PATH" &&
-                !isValidUrlGlobPattern(rule.value)
-            ) {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "Invalid URL glob pattern provided"
-                    )
+                    createHttpError(HttpCode.BAD_REQUEST, validationError)
                );
            }
        }
--- a/server/private/routers/policy/listResourcePolicies.ts
+++ b/server/private/routers/policy/listResourcePolicies.ts
@@ -216,6 +216,7 @@ export async function listResourcePolicies(
                : await db
                      .select({
                          resourceId: resources.resourceId,
+                          niceId: resources.niceId,
                          name: resources.name,
                          fullDomain: resources.fullDomain,
                          resourcePolicyId: resources.resourcePolicyId
--- a/server/private/routers/remoteExitNode/exitNodeReconnectScheduler.ts
+++ b/server/private/routers/remoteExitNode/exitNodeReconnectScheduler.ts
@@ -0,0 +1,202 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import axios from "axios";
+import { db, exitNodes, newts, sites } from "@server/db";
+import { eq } from "drizzle-orm";
+import logger from "@server/logger";
+import redisManager from "#private/lib/redis";
+import { sendToClient } from "#private/routers/ws";
+
+const INITIAL_DELAY_MS = 15 * 1000; // 15 seconds before first check
+const CHECK_INTERVAL_MS = 10 * 1000; // Check every 10 seconds
+const MAX_DURATION_MS = 5 * 60 * 1000; // Give up after 5 minutes
+const REDIS_PENDING_SET = "exit-node-reconnect-pending";
+const REDIS_HASH_PREFIX = "exit-node-reconnect:";
+
+interface PendingReconnect {
+    startTime: number;
+    reachableAt: string;
+}
+
+// In-memory tracking for this node
+const pendingReconnects = new Map<number, PendingReconnect>();
+
+let schedulerInterval: NodeJS.Timeout | null = null;
+
+/**
+ * Schedules a reconnect check for newts connected to the given exit node.
+ * Called when an exit node transitions from offline to online.
+ */
+export async function scheduleExitNodeReconnect(
+    exitNodeId: number,
+    reachableAt: string
+): Promise<void> {
+    logger.info(
+        `Scheduling newt reconnect for exit node ${exitNodeId} (reachableAt: ${reachableAt})`
+    );
+
+    const entry: PendingReconnect = {
+        startTime: Date.now(),
+        reachableAt
+    };
+
+    pendingReconnects.set(exitNodeId, entry);
+
+    // Store in Redis if available for cross-node coordination
+    if (redisManager.isRedisEnabled()) {
+        await redisManager.sadd(REDIS_PENDING_SET, exitNodeId.toString());
+        await redisManager.hset(
+            `${REDIS_HASH_PREFIX}${exitNodeId}`,
+            "startTime",
+            entry.startTime.toString()
+        );
+        await redisManager.hset(
+            `${REDIS_HASH_PREFIX}${exitNodeId}`,
+            "reachableAt",
+            reachableAt
+        );
+    }
+}
+
+/**
+ * Starts the background interval that checks pending exit node reconnects.
+ */
+export function startExitNodeReconnectScheduler(): void {
+    if (schedulerInterval) {
+        return;
+    }
+
+    schedulerInterval = setInterval(async () => {
+        try {
+            await processPendingReconnects();
+        } catch (error) {
+            logger.error("Error in exit node reconnect scheduler", { error });
+        }
+    }, CHECK_INTERVAL_MS);
+
+    logger.debug("Started exit node reconnect scheduler");
+}
+
+async function processPendingReconnects(): Promise<void> {
+    // Merge in-memory and Redis-tracked pending reconnects
+    const toProcess = new Map(pendingReconnects);
+
+    if (redisManager.isRedisEnabled()) {
+        const redisIds = await redisManager.smembers(REDIS_PENDING_SET);
+        for (const idStr of redisIds) {
+            const id = parseInt(idStr, 10);
+            if (!toProcess.has(id)) {
+                const startTimeStr = await redisManager.hget(
+                    `${REDIS_HASH_PREFIX}${id}`,
+                    "startTime"
+                );
+                const reachableAt = await redisManager.hget(
+                    `${REDIS_HASH_PREFIX}${id}`,
+                    "reachableAt"
+                );
+                if (startTimeStr && reachableAt) {
+                    toProcess.set(id, {
+                        startTime: parseInt(startTimeStr, 10),
+                        reachableAt
+                    });
+                }
+            }
+        }
+    }
+
+    const now = Date.now();
+
+    for (const [exitNodeId, entry] of toProcess) {
+        const elapsed = now - entry.startTime;
+
+        // Give up after max duration
+        if (elapsed >= MAX_DURATION_MS) {
+            logger.warn(
+                `Exit node reconnect check timed out for exit node ${exitNodeId} after 5 minutes`
+            );
+            await removePending(exitNodeId);
+            continue;
+        }
+
+        // Respect initial delay
+        if (elapsed < INITIAL_DELAY_MS) {
+            continue;
+        }
+
+        // Check if the exit node HTTP endpoint is reachable
+        const pingUrl = `${entry.reachableAt}/ping`;
+        try {
+            await axios.get(pingUrl, { timeout: 5000 });
+        } catch {
+            logger.debug(
+                `Exit node ${exitNodeId} not yet reachable at ${pingUrl}`
+            );
+            continue;
+        }
+
+        // Node is reachable — send reconnect to all connected newts
+        logger.info(
+            `Exit node ${exitNodeId} is reachable. Sending newt/wg/reconnect to connected newts.`
+        );
+
+        await sendReconnectToNewts(exitNodeId);
+        await removePending(exitNodeId);
+    }
+}
+
+async function sendReconnectToNewts(exitNodeId: number): Promise<void> {
+    try {
+        const connectedNewts = await db
+            .select({ newtId: newts.newtId })
+            .from(newts)
+            .innerJoin(sites, eq(newts.siteId, sites.siteId))
+            .where(eq(sites.exitNodeId, exitNodeId));
+
+        if (connectedNewts.length === 0) {
+            logger.debug(
+                `No newts found for exit node ${exitNodeId}, nothing to reconnect`
+            );
+            return;
+        }
+
+        logger.info(
+            `Sending newt/wg/reconnect to ${connectedNewts.length} newt(s) for exit node ${exitNodeId}`
+        );
+
+        const reconnectMessage = {
+            type: "newt/wg/reconnect",
+            data: {}
+        };
+
+        await Promise.allSettled(
+            connectedNewts.map(({ newtId }) =>
+                sendToClient(newtId, reconnectMessage)
+            )
+        );
+    } catch (error) {
+        logger.error(
+            `Failed to send reconnect messages for exit node ${exitNodeId}`,
+            { error }
+        );
+    }
+}
+
+async function removePending(exitNodeId: number): Promise<void> {
+    pendingReconnects.delete(exitNodeId);
+
+    if (redisManager.isRedisEnabled()) {
+        await redisManager.srem(REDIS_PENDING_SET, exitNodeId.toString());
+        await redisManager.del(`${REDIS_HASH_PREFIX}${exitNodeId}`);
+    }
+}
--- a/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
+++ b/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
@@ -16,6 +16,7 @@ import { MessageHandler } from "@server/routers/ws";
 import { RemoteExitNode } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
+import { scheduleExitNodeReconnect } from "./exitNodeReconnectScheduler";

 /**
 * Handles ping messages from clients and responds with pong
@@ -37,6 +38,13 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
    }

    try {
+        // Fetch the current state before updating so we can detect the offline→online transition
+        const [currentExitNode] = await db
+            .select({ online: exitNodes.online, reachableAt: exitNodes.reachableAt })
+            .from(exitNodes)
+            .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId))
+            .limit(1);
+
        // Update the exit node's last ping timestamp
        await db
            .update(exitNodes)
@@ -45,6 +53,16 @@ export const handleRemoteExitNodePingMessage: MessageHandler = async (
                online: true
            })
            .where(eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId));
+
+        // If the exit node was offline and is now coming online, schedule newt reconnects
+        if (currentExitNode && !currentExitNode.online && currentExitNode.reachableAt) {
+            scheduleExitNodeReconnect(
+                remoteExitNode.exitNodeId,
+                currentExitNode.reachableAt
+            ).catch((error) => {
+                logger.error("Failed to schedule exit node reconnect", { error });
+            });
+        }
    } catch (error) {
        logger.error("Error handling ping message", { error });
    }
--- a/server/private/routers/remoteExitNode/index.ts
+++ b/server/private/routers/remoteExitNode/index.ts
@@ -22,3 +22,4 @@ export * from "./listRemoteExitNodes";
 export * from "./pickRemoteExitNodeDefaults";
 export * from "./quickStartRemoteExitNode";
 export * from "./offlineChecker";
+export * from "./exitNodeReconnectScheduler";
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -12,6 +12,7 @@
 */

 import { Request, Response, NextFunction } from "express";
+import { randomInt } from "crypto";
 import { z } from "zod";
 import {
    actionAuditLog,
@@ -29,8 +30,7 @@ import {
    userOrgs,
    sites,
    Resource,
-    SiteResource,
-    browserGatewayTarget
+    SiteResource
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
@@ -290,16 +290,15 @@ export async function signSshKey(
            const publicResource = resource as Resource;
            const targetRows = await db
                .select({
-                    siteId: browserGatewayTarget.siteId,
-                    ip: browserGatewayTarget.destination
+                    siteId: targets.siteId,
+                    ip: targets.ip
                })
-                .from(browserGatewayTarget)
+                .from(targets)
                .where(
                    and(
-                        eq(
-                            browserGatewayTarget.resourceId,
-                            publicResource.resourceId
-                        )
+                        eq(targets.resourceId, publicResource.resourceId),
+                        eq(targets.enabled, true),
+                        eq(targets.mode, "ssh")
                    )
                );

@@ -392,7 +391,7 @@ export async function signSshKey(
                if (existingUserWithSameName) {
                    let foundUniqueUsername = false;
                    for (let attempt = 0; attempt < 20; attempt++) {
-                        const randomNum = Math.floor(Math.random() * 101); // 0 to 100
+                        const randomNum = randomInt(0, 101); // 0 to 100
                        const candidateUsername = `${usernameToUse}${randomNum}`;

                        const [existingUser] = await db
--- a/server/private/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -44,7 +44,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -45,7 +45,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/private/routers/ws/messageHandlers.ts
+++ b/server/private/routers/ws/messageHandlers.ts
@@ -14,7 +14,8 @@
 import {
    handleRemoteExitNodeRegisterMessage,
    handleRemoteExitNodePingMessage,
-    startRemoteExitNodeOfflineChecker
+    startRemoteExitNodeOfflineChecker,
+    startExitNodeReconnectScheduler
 } from "#private/routers/remoteExitNode";
 import { MessageHandler } from "@server/routers/ws";
 import { build } from "@server/build";
@@ -29,4 +30,5 @@ export const messageHandlers: Record<string, MessageHandler> = {

 if (build != "saas") {
    startRemoteExitNodeOfflineChecker(); // this is to handle the offline check for remote exit nodes
+    startExitNodeReconnectScheduler(); // check pending exit node reconnects and notify newts
 }
--- a/server/routers/accessToken/deleteAccessToken.ts
+++ b/server/routers/accessToken/deleteAccessToken.ts
@@ -28,7 +28,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/accessToken/generateAccessToken.ts
+++ b/server/routers/accessToken/generateAccessToken.ts
@@ -61,7 +61,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -135,7 +135,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
@@ -164,7 +164,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/apiKeys/deleteApiKey.ts
+++ b/server/routers/apiKeys/deleteApiKey.ts
@@ -28,7 +28,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/apiKeys/setApiKeyActions.ts
+++ b/server/routers/apiKeys/setApiKeyActions.ts
@@ -42,7 +42,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/server/routers/auditLogs/exportRequestAuditLog.ts
+++ b/server/routers/auditLogs/exportRequestAuditLog.ts
@@ -35,7 +35,7 @@ registry.registerPath({
            content: {
                "application/json": {
                    schema: z.object({
-                        data: z.unknown().nullable(),
+                        data: z.record(z.string(), z.any()).nullable(),
                        success: z.boolean(),
                        error: z.boolean(),
                        message: z.string(),
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Owen Schwartz	6e271028f3	Merge pull request #3245 from fosrl/dev Bugfixes	2026-06-11 16:17:41 -07:00
Owen	820f66e58f	Properly hide things with disable enterprise flag	2026-06-11 16:10:29 -07:00
Owen	b0fdc10e06	Properly hide things with disable enterprise flag	2026-06-11 16:01:32 -07:00
miloschwartz	b82b41ed26	fix migration	2026-06-11 15:02:29 -07:00
miloschwartz	3e977ba00d	make paid alert position more consistent on resource	2026-06-11 12:38:08 -07:00
Owen Schwartz	a724b07846	Merge pull request #3244 from fosrl/dev fix paywalling	2026-06-11 12:27:49 -07:00
Owen	5f0bc71bcd	Merge branch 'main' into dev	2026-06-11 12:26:31 -07:00
miloschwartz	aea7827c1a	fix paywalling	2026-06-11 12:26:01 -07:00
Owen Schwartz	d865c4c55b	Merge pull request #3242 from fosrl/dev Use ssh like mode host	2026-06-11 11:29:45 -07:00
Owen	5baf0c3c09	Use ssh like mode host	2026-06-11 11:11:50 -07:00
Owen Schwartz	cfe33eb974	Merge pull request #3241 from fosrl/dev dev	2026-06-10 21:47:44 -07:00
Owen	71273e1b1c	Try to fix large query problem	2026-06-10 21:41:34 -07:00
Owen	02f6e2a8c3	Add ; fix lint	2026-06-10 20:56:26 -07:00
Owen Schwartz	3cc244a1d3	Merge pull request #3240 from fosrl/dev Fix small bugs with paid features, ui, docs	2026-06-10 20:49:59 -07:00
Owen	1d9c4dd9e2	Fix padding	2026-06-10 20:46:53 -07:00
Owen	b9dd0c8e43	Add advantech install link	2026-06-10 20:46:43 -07:00
Owen	cd052976eb	Properly paywall the edit policy screen	2026-06-10 20:38:59 -07:00
Owen	cc498f0e33	Properly paywall ui for labels	2026-06-10 20:32:07 -07:00
Owen	1a942937e6	Remove precheck on websocket for now	2026-06-10 20:24:41 -07:00
Owen	d81d1a6b7f	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-06-10 20:24:22 -07:00
Owen	f64d04e827	Add loading back to create resource	2026-06-10 18:23:01 -07:00
miloschwartz	540aee3fe2	update docs links	2026-06-10 17:52:42 -07:00
Owen Schwartz	10542d7282	Merge pull request #3239 from fosrl/dev 1.19.0	2026-06-10 16:50:32 -07:00
Owen	b1d52ad1a3	Update tiers	2026-06-10 16:27:25 -07:00
Owen	ce2fbef805	Filter only newt sites in the browser gateway	2026-06-10 16:16:42 -07:00
Owen	e312b31e02	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-06-10 15:50:52 -07:00
Owen	bc156c715d	24 hour requirement for updates	2026-06-10 15:50:43 -07:00
miloschwartz	9a4c1f23c6	support remove server admin	2026-06-10 15:10:58 -07:00
miloschwartz	6921447fab	fix typo	2026-06-10 11:55:20 -07:00
Owen	d47449b082	Add notes about inline policy to api endpoints	2026-06-10 10:24:31 -07:00
Owen	665806dfe8	Add some documentation; pull the override values	2026-06-10 10:03:16 -07:00
Owen	e248571268	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-06-09 22:02:24 -07:00
miloschwartz	fcf03854ff	fix tag input wrapping	2026-06-09 22:01:13 -07:00
Owen	dd1fba4e45	Also clear the roles and users	2026-06-09 21:59:30 -07:00
miloschwartz	a1ab8d8f35	standardize client titles	2026-06-09 21:47:15 -07:00
miloschwartz	c789e967db	standardize client titles	2026-06-09 21:36:54 -07:00
Owen	d870b9ff49	Drop the not null on resource columns	2026-06-09 21:36:27 -07:00
miloschwartz	9c09019ddb	add protocol filter	2026-06-09 21:33:56 -07:00
Owen	9d88683fc5	Reset resource info when on inline policy	2026-06-09 21:28:25 -07:00
miloschwartz	dd2c9f2a02	check resource policy in verifyResourceAccess middleware	2026-06-09 17:52:31 -07:00
miloschwartz	bdb38db5bc	fix form responsiveness	2026-06-09 16:52:18 -07:00
Owen	96a54fc9cc	Fix import issue in migrations	2026-06-09 16:51:55 -07:00
Owen	3a485f74f1	Move session migration out of the loop	2026-06-09 16:16:14 -07:00
Owen	92b0340324	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-06-09 16:10:35 -07:00
miloschwartz	9257ac01c7	add learn more links to auto update	2026-06-09 16:08:07 -07:00
Owen	4d1d0d9fcb	Add warning if we cant reach the vnc server	2026-06-09 16:02:52 -07:00
Owen	f186e7e99e	Dont allow asn or country without having maxmind	2026-06-09 16:02:52 -07:00
miloschwartz	1aa6e3511f	dont show policy on tcp/udp resources	2026-06-09 15:56:24 -07:00
miloschwartz	fb6f5b3953	form layout improvements	2026-06-09 15:42:28 -07:00
Owen	c85a7f6ac5	Migrate unkown openapi response from string to {}	2026-06-09 15:35:08 -07:00
Owen	dd54be523f	Dont need to check user exists for the whitelist	2026-06-09 15:26:35 -07:00
Owen	d57f064d4c	Fix spelling	2026-06-09 15:26:35 -07:00
miloschwartz	34799b7de2	move maintenance page config to tab	2026-06-09 15:07:55 -07:00
miloschwartz	20a66bba6f	fix resource context updating problem	2026-06-09 14:49:57 -07:00
miloschwartz	cdb43d9658	dont set whitelist until click set button in dialog	2026-06-09 14:36:50 -07:00
miloschwartz	6581ccafa3	fix toggle on pin or passcode not working on policy form	2026-06-09 14:34:58 -07:00
miloschwartz	a3a45b4239	add safe read	2026-06-09 14:09:36 -07:00
Owen	d6634b6e8a	Add types	2026-06-09 12:16:00 -07:00
Owen	1089cfbacc	Update query to be more efficient	2026-06-09 11:54:46 -07:00
Owen	1907a3c93b	Link to primary org only when you can see billing	2026-06-09 10:33:42 -07:00
miloschwartz	407ba567a0	various visual changes	2026-06-08 22:07:53 -07:00
Owen	f28571629f	Make sure the pamMode is push for host resources	2026-06-08 21:54:06 -07:00
Owen	5a575c916b	Handle backward compatability	2026-06-08 21:11:57 -07:00
Owen	9a7e534b10	Ssh session closed card	2026-06-08 17:44:48 -07:00
Owen	42974d1739	Make sure the skip to idp is pulled	2026-06-08 17:41:59 -07:00
Owen	780e8babe4	Perfect toolbar	2026-06-08 17:39:07 -07:00
Owen	2c7b8006cf	Add gray bar	2026-06-08 16:07:36 -07:00
Owen	35066c1388	Add pulldown toolbar	2026-06-08 16:00:38 -07:00
miloschwartz	135a5d38af	make form grids more consistent	2026-06-08 16:00:30 -07:00
Owen	1b7c1ffa70	Set the target port from the resource	2026-06-08 15:39:26 -07:00
Owen	641f643d2d	Prefil the port with the best guess port	2026-06-08 15:39:26 -07:00
Owen	b4ecfceb5e	Show more information about error	2026-06-08 15:39:25 -07:00
Owen	08a84d4bb1	Add some connection feedback	2026-06-08 15:39:25 -07:00
Owen	4dbad7ab24	Close the tab when exiting	2026-06-08 15:39:25 -07:00
miloschwartz	859c0c9477	add description text to share link path input	2026-06-08 15:33:12 -07:00
miloschwartz	d294bf8534	support uploading csv or txt to sudo commands and groups	2026-06-08 15:30:03 -07:00
miloschwartz	3c8fea382f	improve unix group and sudo commands inputs	2026-06-08 14:36:10 -07:00
Owen	b81bfcfcee	Fix type error	2026-06-08 12:21:43 -07:00
Milo Schwartz	56c415ca05	Merge pull request #3219 from Fredkiss3/refactor/standardize-clear-buttons feat: make clear filter buttons more consistent accross tables	2026-06-08 12:07:55 -07:00
Owen	74fdcceace	Reconnect newts when a exit node comes back online	2026-06-08 12:02:12 -07:00
Owen	7dec8ba998	Add exit node if the sites dont have one	2026-06-08 12:02:12 -07:00
miloschwartz	c9dc6affe7	Merge branch 'dev' into resource-policies-restyle	2026-06-08 12:00:08 -07:00
miloschwartz	8fe45ba78c	prevent duplicate label names	2026-06-08 11:59:15 -07:00
Fred KISSIE	934886caea	Merge branch 'dev' into refactor/standardize-clear-buttons	2026-06-08 20:42:11 +02:00
miloschwartz	fae258b145	add labels to user-resources query	2026-06-08 10:55:24 -07:00
miloschwartz	9f224f655f	Merge branch 'resource-policies-restyle' into dev	2026-06-08 10:38:13 -07:00
miloschwartz	aea7df7dc2	rename share links	2026-06-08 10:37:46 -07:00
miloschwartz	3b675f7de1	policies and policy on resource structure in a good place	2026-06-07 12:19:33 -07:00
Owen	8daf7c2872	Rename and add browser target update	2026-06-07 12:07:08 -07:00
Owen	c394490473	Update browser targets	2026-06-07 10:43:16 -07:00
Owen	3b6b78b3e1	Update traefik config	2026-06-06 16:14:20 -07:00
miloschwartz	aa47f522ef	move toggle on general page	2026-06-06 15:34:34 -07:00
Owen	8658198a93	Remove unnessicary auth token	2026-06-06 13:47:23 -07:00
Owen	4b770d1385	Fix issues	2026-06-06 13:34:24 -07:00
miloschwartz	cd4d7372a0	Merge branch 'resource-policies-restyle' into dev	2026-06-06 12:27:59 -07:00
Owen	dc8243cb51	Fix form rendering issue	2026-06-06 12:27:14 -07:00
miloschwartz	7b1f8d98f3	make the rule rows draggable	2026-06-06 12:27:11 -07:00
miloschwartz	dd8bcbb3e3	first pass restyle of auth methods and rules	2026-06-05 21:04:03 -07:00
Owen	d1af7a153f	Enforece some more things on the types	2026-06-05 16:57:53 -07:00
Owen	13efa47db7	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-06-05 16:12:46 -07:00
Owen	69bd61c308	Update migrations	2026-06-05 16:02:28 -07:00
Owen	7b7ff51289	Add target mode and auth token	2026-06-05 15:37:21 -07:00
Owen	772ac8af73	Remove browser gateway targets for regular targets	2026-06-05 15:30:42 -07:00
miloschwartz	8ee520dbb5	form validation improvements	2026-06-05 14:55:27 -07:00
Owen	8e5d9e94a9	Fix delete site only working on newt site	2026-06-05 14:37:44 -07:00
Owen	c9cb28af45	Rename to public-policies	2026-06-05 14:30:36 -07:00
Fred KISSIE	a994f8ff07	💄 Column filter buttons for log tables	2026-06-05 21:47:08 +02:00
miloschwartz	ea8eaf9736	adjust targets input styles	2026-06-05 12:43:00 -07:00
miloschwartz	b78db3daef	move policies routes	2026-06-05 12:43:00 -07:00
Owen	7cf3f8df92	Rename proxy -> public	2026-06-05 12:12:27 -07:00
Owen	f2b5cff3f9	Fix resource protection status showing wrong	2026-06-05 12:12:27 -07:00
Owen	6de9ab8f05	Add watermark on missing login pages	2026-06-05 12:12:27 -07:00
Owen	ad0e800d8d	Fix validation error and bring alias back to table	2026-06-05 12:12:27 -07:00
miloschwartz	65470fb64b	adjust styles	2026-06-05 12:04:33 -07:00
miloschwartz	f23142336b	enable editing resource policy niceID	2026-06-05 11:57:55 -07:00
miloschwartz	2da4987cd3	rename policies	2026-06-05 11:52:51 -07:00
miloschwartz	253ba554a2	fix resources cell styling	2026-06-05 11:46:30 -07:00
Fred KISSIE	95ce91d94b	Merge branch 'dev' into refactor/standardize-clear-buttons	2026-06-05 20:21:34 +02:00
Fred KISSIE	a4548fd874	💄 Break all text	2026-06-05 19:59:28 +02:00
Fred KISSIE	eb03fb7060	♻️ standardize http request log data-tables	2026-06-05 19:28:30 +02:00
miloschwartz	add9b8dfb0	many minor visual improvements	2026-06-04 22:25:18 -07:00
Owen	2adb7b64cb	Add the resource name	2026-06-04 22:10:38 -07:00
Owen	84fef5f1d6	Resource policy api backward compatability	2026-06-04 22:02:42 -07:00
Owen	def1e9c851	Add region back to the rules	2026-06-04 21:28:29 -07:00
Owen	67b08ca61e	Properly do disable enterprise features this time	2026-06-04 21:18:04 -07:00
Owen	614df75880	Add policy to blueprints	2026-06-04 21:18:04 -07:00
Owen	676cf37ee2	Make sure things are paywalled in the blueprints	2026-06-04 21:18:04 -07:00
Owen	6b96e3dce6	Make sure the disableEnterpriseFeatures works	2026-06-04 21:18:04 -07:00
miloschwartz	b67037e2ea	use default animation speed on dialog	2026-06-04 18:19:23 -07:00
miloschwartz	5a5b77cf62	update project cursor rules	2026-06-04 18:13:26 -07:00
miloschwartz	d2793dfad7	use react forms	2026-06-04 18:07:50 -07:00
miloschwartz	ff507f1275	use standard error alert	2026-06-04 17:44:45 -07:00
miloschwartz	6b04bcb383	translate strings in auth pages for ssh, vnc, and rdp	2026-06-04 17:35:43 -07:00
miloschwartz	b2f1115ef8	standardize and fix branding on new resources auth pages	2026-06-04 17:24:06 -07:00
Owen	567ef23ac4	Add initial advantech install commands	2026-06-04 16:59:58 -07:00
Owen	6affebc666	Finish adding ssh toggle	2026-06-04 16:59:58 -07:00
miloschwartz	889f78ddb8	use resource name in ssh/rdp/vnc page meta	2026-06-04 16:45:35 -07:00
Owen	9d3f96cf83	Add disable_private_http_placeholder	2026-06-04 16:41:07 -07:00
miloschwartz	e5d0673bbf	prefill site field on create private resource when filtering sites	2026-06-04 16:30:14 -07:00
miloschwartz	0907c0346f	remove check on oidc login	2026-06-04 16:24:29 -07:00
Owen	6420a90d08	Replace tab component	2026-06-04 16:21:30 -07:00
Owen Schwartz	7fa1180d10	Merge pull request #3221 from fosrl/dev 1.19.0-rc.1	2026-06-04 15:45:27 -07:00
Owen	769d36e289	Fix http resources not being pulled	2026-06-04 15:36:25 -07:00
Owen	a7a41b820e	Add missing sshAccess key	2026-06-04 15:20:52 -07:00
Fred KISSIE	33fdc9a94f	🚧 wip: column filter button	2026-06-04 21:04:15 +02:00
Owen Schwartz	8b50f1fb65	Merge pull request #3218 from fosrl/dev Fix installer	2026-06-04 11:21:59 -07:00
Owen	2d78a4b628	Fix installer	2026-06-04 11:21:40 -07:00
Fred KISSIE	c86026c941	♻️ refactor	2026-06-04 20:09:07 +02:00
Fred KISSIE	db014e3446	♻️ use the same `clear filter` text for clearing filters in the column filter buttons	2026-06-04 20:08:27 +02:00
Fred KISSIE	feb8045643	♻️ refactor	2026-06-04 19:54:43 +02:00
Fred KISSIE	d485a09318	♻️ use site label filter column	2026-06-04 19:45:54 +02:00
Fred KISSIE	9cff5f66b1	🚧 wip: site label column filter standardized	2026-06-04 19:40:24 +02:00
Owen Schwartz	527d4cc777	Merge pull request #3215 from fosrl/dev 1.19.0-rc.0	2026-06-04 10:34:20 -07:00
Owen Schwartz	01361884eb	Potential fix for pull request finding 'CodeQL / Insecure randomness' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>	2026-06-04 10:33:15 -07:00
Owen	6c4cbcab5d	Fix eslint errors	2026-06-04 10:22:29 -07:00
Owen Schwartz	aac25f0a53	Merge pull request #3214 from marcschaeferger/dev Prevent cross-org site binding in target create/update	2026-06-04 10:11:53 -07:00
Marc Schäfer	f617f93a94	test(middleware): add regression tests for cross-org site binding prevention Test the org-match logic in verifySiteAccess: - Same org: allowed - Cross-org: rejected with 403 - No prior org context (site-only routes): check skipped, normal flow Test route stack ordering: - verifySiteAccess runs after verifyResourceAccess/verifyTargetAccess - verifySiteAccess runs before the target create/update handler Test security scenarios for both WireGuard and newt site types. Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-05-29 22:57:39 +00:00
Marc Schäfer	51629247a5	fix(middleware): prevent cross-org site binding in target create/update Extend verifySiteAccess to check that when req.userOrgId is already set by a prior middleware (e.g. verifyResourceAccess/verifyTargetAccess), the site from req.body.siteId belongs to the same organization. This prevents the cross-organization tunnel boundary bypass where an attacker with resource access in one org binds that resource's target to a site in another org. Add verifySiteAccess to both target route stacks: - PUT /resource/:resourceId/target (after verifyResourceAccess) - POST /target/:targetId (after verifyTargetAccess) The org-match check runs before req.userOrg is overwritten, so the resource's organization context is preserved for comparison. Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-05-29 22:44:16 +00:00