Bump next-intl from 4.8.3 to 4.9.2

Bumps [next-intl](https://github.com/amannn/next-intl) from 4.8.3 to 4.9.2. - [Release notes](https://github.com/amannn/next-intl/releases) - [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md) - [Commits](https://github.com/amannn/next-intl/compare/v4.8.3...v4.9.2) --- updated-dependencies: - dependency-name: next-intl dependency-version: 4.9.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #3030 from fosrl/dev
2026-05-08 09:19:53 +00:00 · 2026-05-08 03:38:24 +00:00 · 2026-05-07 20:08:05 -07:00 · 2026-05-07 20:07:06 -07:00 · 2026-05-07 20:03:48 -07:00 · 2026-05-07 17:44:35 -07:00
29 changed files with 531 additions and 429 deletions
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1356,7 +1356,7 @@
    "sidebarSites": "Nœuds",
    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publique",
+    "sidebarProxyResources": "Publiques",
    "sidebarClientResources": "Privé",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
@@ -2458,8 +2458,8 @@
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
    "downloadClientBannerTitle": "Télécharger le client Pangolin",
    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les clients de la machine",
-    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClients": "Gérer les machines",
+    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -3154,6 +3154,7 @@
    "healthCheckTabAdvanced": "Avancé",
    "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
    "uptime30d": "Disponibilité (30j)",
+    "uptimeNoData": "Aucune donnée",
    "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
    "idpAddActionImportFromOrg": "Importer d'une autre organisation",
    "idpImportDialogTitle": "Importer le fournisseur d'identité",
--- a/package-lock.json
+++ b/package-lock.json
@@ -70,7 +70,7 @@
                "maxmind": "5.0.5",
                "moment": "2.30.1",
                "next": "15.5.15",
-                "next-intl": "4.8.3",
+                "next-intl": "4.9.2",
                "next-themes": "0.4.6",
                "nextjs-toploader": "3.9.17",
                "node-cache": "5.1.2",
@@ -1058,7 +1058,6 @@
            "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@babel/code-frame": "^7.29.0",
                "@babel/generator": "^7.29.0",
@@ -2195,56 +2194,34 @@
            "integrity": "sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==",
            "license": "MIT"
        },
-        "node_modules/@formatjs/ecma402-abstract": {
-            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/@formatjs/ecma402-abstract/-/ecma402-abstract-3.1.1.tgz",
-            "integrity": "sha512-jhZbTwda+2tcNrs4kKvxrPLPjx8QsBCLCUgrrJ/S+G9YrGHWLhAyFMMBHJBnBoOwuLHd7L14FgYudviKaxkO2Q==",
-            "license": "MIT",
-            "dependencies": {
-                "@formatjs/fast-memoize": "3.1.0",
-                "@formatjs/intl-localematcher": "0.8.1",
-                "decimal.js": "^10.6.0",
-                "tslib": "^2.8.1"
-            }
-        },
        "node_modules/@formatjs/fast-memoize": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/@formatjs/fast-memoize/-/fast-memoize-3.1.0.tgz",
-            "integrity": "sha512-b5mvSWCI+XVKiz5WhnBCY3RJ4ZwfjAidU0yVlKa3d3MSgKmH1hC3tBGEAtYyN5mqL7N0G5x0BOUYyO8CEupWgg==",
-            "license": "MIT",
-            "dependencies": {
-                "tslib": "^2.8.1"
-            }
+            "version": "3.1.4",
+            "resolved": "https://registry.npmjs.org/@formatjs/fast-memoize/-/fast-memoize-3.1.4.tgz",
+            "integrity": "sha512-Lbke1aOrsygKKR09Ux0NrZgbTqpDmiwXOgzyDOJ8Owr1zd5qOKTauf62hH+Seeku3ju77rHWH9I5SfX2CN0vuA==",
+            "license": "MIT"
        },
        "node_modules/@formatjs/icu-messageformat-parser": {
-            "version": "3.5.1",
-            "resolved": "https://registry.npmjs.org/@formatjs/icu-messageformat-parser/-/icu-messageformat-parser-3.5.1.tgz",
-            "integrity": "sha512-sSDmSvmmoVQ92XqWb499KrIhv/vLisJU8ITFrx7T7NZHUmMY7EL9xgRowAosaljhqnj/5iufG24QrdzB6X3ItA==",
+            "version": "3.5.7",
+            "resolved": "https://registry.npmjs.org/@formatjs/icu-messageformat-parser/-/icu-messageformat-parser-3.5.7.tgz",
+            "integrity": "sha512-wJxRZ+SiUCIMTL86bQlZU9bEKDQqqvgk2ezQ1BySUdWRfHqOzj4IKUVFeUZKS9w58M4e7wMSG0Sl86LAPb7Qww==",
            "license": "MIT",
            "dependencies": {
-                "@formatjs/ecma402-abstract": "3.1.1",
-                "@formatjs/icu-skeleton-parser": "2.1.1",
-                "tslib": "^2.8.1"
+                "@formatjs/icu-skeleton-parser": "2.1.7"
            }
        },
        "node_modules/@formatjs/icu-skeleton-parser": {
-            "version": "2.1.1",
-            "resolved": "https://registry.npmjs.org/@formatjs/icu-skeleton-parser/-/icu-skeleton-parser-2.1.1.tgz",
-            "integrity": "sha512-PSFABlcNefjI6yyk8f7nyX1DC7NHmq6WaCHZLySEXBrXuLOB2f935YsnzuPjlz+ibhb9yWTdPeVX1OVcj24w2Q==",
-            "license": "MIT",
-            "dependencies": {
-                "@formatjs/ecma402-abstract": "3.1.1",
-                "tslib": "^2.8.1"
-            }
+            "version": "2.1.7",
+            "resolved": "https://registry.npmjs.org/@formatjs/icu-skeleton-parser/-/icu-skeleton-parser-2.1.7.tgz",
+            "integrity": "sha512-cIw1SFP0bi0CUBiJ2jzp99ws3OJNQDfStcHq9Z0iHWzItmiIikihFO+npR8C80yDlp7ZuBCLXCcKjgWjHicksA==",
+            "license": "MIT"
        },
        "node_modules/@formatjs/intl-localematcher": {
-            "version": "0.8.1",
-            "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.1.tgz",
-            "integrity": "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA==",
+            "version": "0.8.6",
+            "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.6.tgz",
+            "integrity": "sha512-AZRgUxj0q93lyF7Z5lFS85bLINXuBLX4R3tCKicO6fSWo6cvh9GQfoR3B1WlsqQwefZ1QORTivhInx7gM6HUzQ==",
            "license": "MIT",
            "dependencies": {
-                "@formatjs/fast-memoize": "3.1.0",
-                "tslib": "^2.8.1"
+                "@formatjs/fast-memoize": "3.1.4"
            }
        },
        "node_modules/@headlessui/react": {
@@ -2354,7 +2331,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2377,7 +2353,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2400,7 +2375,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2417,7 +2391,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2434,7 +2407,6 @@
            "cpu": [
                "arm"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2451,7 +2423,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2468,7 +2439,6 @@
            "cpu": [
                "ppc64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2485,7 +2455,6 @@
            "cpu": [
                "s390x"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2502,7 +2471,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2519,7 +2487,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2536,7 +2503,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2553,7 +2519,6 @@
            "cpu": [
                "arm"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2576,7 +2541,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2599,7 +2563,6 @@
            "cpu": [
                "ppc64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2622,7 +2585,6 @@
            "cpu": [
                "s390x"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2645,7 +2607,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2668,7 +2629,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2691,7 +2651,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2714,7 +2673,6 @@
            "cpu": [
                "wasm32"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
            "optional": true,
            "dependencies": {
@@ -2734,7 +2692,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2754,7 +2711,6 @@
            "cpu": [
                "ia32"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2774,7 +2730,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3034,7 +2989,6 @@
            "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": "^14.21.3 || >=16"
            },
@@ -6981,7 +6935,6 @@
            "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
            "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=20.0.0"
            },
@@ -8442,7 +8395,6 @@
            "version": "5.90.21",
            "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
            "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
            "dependencies": {
                "@tanstack/query-core": "5.90.20"
            },
@@ -8558,7 +8510,6 @@
            "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/node": "*"
            }
@@ -8906,7 +8857,6 @@
            "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/body-parser": "*",
                "@types/express-serve-static-core": "^5.0.0",
@@ -9002,7 +8952,6 @@
            "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "undici-types": "~7.18.0"
            }
@@ -9030,7 +8979,6 @@
            "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/node": "*",
                "pg-protocol": "*",
@@ -9056,7 +9004,6 @@
            "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
            "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
            "devOptional": true,
-            "peer": true,
            "dependencies": {
                "csstype": "^3.2.2"
            }
@@ -9067,7 +9014,6 @@
            "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "peerDependencies": {
                "@types/react": "^19.2.0"
            }
@@ -9154,7 +9100,8 @@
            "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
            "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
            "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
        },
        "node_modules/@types/ws": {
            "version": "8.18.1",
@@ -9228,7 +9175,6 @@
            "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@typescript-eslint/scope-manager": "8.56.1",
                "@typescript-eslint/types": "8.56.1",
@@ -9702,7 +9648,6 @@
            "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "bin": {
                "acorn": "bin/acorn"
            },
@@ -10152,7 +10097,6 @@
            "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@babel/types": "^7.26.0"
            }
@@ -10224,7 +10168,6 @@
            "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
            "hasInstallScript": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "bindings": "^1.5.0",
                "prebuild-install": "^7.1.1"
@@ -10353,7 +10296,6 @@
                }
            ],
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "baseline-browser-mapping": "^2.9.0",
                "caniuse-lite": "^1.0.30001759",
@@ -11260,7 +11202,6 @@
            "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
            "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
            "license": "ISC",
-            "peer": true,
            "engines": {
                "node": ">=12"
            }
@@ -11480,12 +11421,6 @@
                }
            }
        },
-        "node_modules/decimal.js": {
-            "version": "10.6.0",
-            "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
-            "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
-            "license": "MIT"
-        },
        "node_modules/decimal.js-light": {
            "version": "2.5.1",
            "resolved": "https://registry.npmjs.org/decimal.js-light/-/decimal.js-light-2.5.1.tgz",
@@ -11701,6 +11636,7 @@
            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
            "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
            "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
            "engines": {
                "node": ">=20"
            },
@@ -12335,7 +12271,6 @@
            "dev": true,
            "hasInstallScript": true,
            "license": "MIT",
-            "peer": true,
            "bin": {
                "esbuild": "bin/esbuild"
            },
@@ -12421,7 +12356,6 @@
            "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.8.0",
                "@eslint-community/regexpp": "^4.12.2",
@@ -12558,7 +12492,6 @@
            "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@rtsao/scc": "^1.1.0",
                "array-includes": "^3.1.9",
@@ -12952,7 +12885,6 @@
            "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
            "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "accepts": "^2.0.0",
                "body-parser": "^2.2.1",
@@ -13878,9 +13810,9 @@
            }
        },
        "node_modules/icu-minify": {
-            "version": "4.8.3",
-            "resolved": "https://registry.npmjs.org/icu-minify/-/icu-minify-4.8.3.tgz",
-            "integrity": "sha512-65Av7FLosNk7bPbmQx5z5XG2Y3T2GFppcjiXh4z1idHeVgQxlDpAmkGoYI0eFzAvrOnjpWTL5FmPDhsdfRMPEA==",
+            "version": "4.11.0",
+            "resolved": "https://registry.npmjs.org/icu-minify/-/icu-minify-4.11.0.tgz",
+            "integrity": "sha512-XRvblCwLqWXio5ZLcmDqXvJv7alSACK6UjXuuMOdQWB//d25AQX6xlVlI1FEbc3Q6iPLXXo6HaVLn8LcAFhn1Q==",
            "funding": [
                {
                    "type": "individual",
@@ -13979,15 +13911,13 @@
            }
        },
        "node_modules/intl-messageformat": {
-            "version": "11.1.2",
-            "resolved": "https://registry.npmjs.org/intl-messageformat/-/intl-messageformat-11.1.2.tgz",
-            "integrity": "sha512-ucSrQmZGAxfiBHfBRXW/k7UC8MaGFlEj4Ry1tKiDcmgwQm1y3EDl40u+4VNHYomxJQMJi9NEI3riDRlth96jKg==",
+            "version": "11.2.4",
+            "resolved": "https://registry.npmjs.org/intl-messageformat/-/intl-messageformat-11.2.4.tgz",
+            "integrity": "sha512-iKP6+uJXn+XcfRgYfGPE3+mqCoODV2vATrXDLo/YkYgIdelJHJPBEbc0GZThipAYPuk+8QJFiPgOfblU085ABg==",
            "license": "BSD-3-Clause",
            "dependencies": {
-                "@formatjs/ecma402-abstract": "3.1.1",
-                "@formatjs/fast-memoize": "3.1.0",
-                "@formatjs/icu-messageformat-parser": "3.5.1",
-                "tslib": "^2.8.1"
+                "@formatjs/fast-memoize": "3.1.4",
+                "@formatjs/icu-messageformat-parser": "3.5.7"
            }
        },
        "node_modules/ioredis": {
@@ -15370,6 +15300,7 @@
            "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
            "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
            "license": "MIT",
+            "peer": true,
            "dependencies": {
                "dompurify": "3.2.7",
                "marked": "14.0.0"
@@ -15380,6 +15311,7 @@
            "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
            "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
            "license": "MIT",
+            "peer": true,
            "bin": {
                "marked": "bin/marked.js"
            },
@@ -15468,7 +15400,6 @@
            "resolved": "https://registry.npmjs.org/next/-/next-15.5.15.tgz",
            "integrity": "sha512-VSqCrJwtLVGwAVE0Sb/yikrQfkwkZW9p+lL/J4+xe+G3ZA+QnWPqgcfH1tDUEuk9y+pthzzVFp4L/U8JerMfMQ==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@next/env": "15.5.15",
                "@swc/helpers": "0.5.15",
@@ -15517,9 +15448,9 @@
            }
        },
        "node_modules/next-intl": {
-            "version": "4.8.3",
-            "resolved": "https://registry.npmjs.org/next-intl/-/next-intl-4.8.3.tgz",
-            "integrity": "sha512-PvdBDWg+Leh7BR7GJUQbCDVVaBRn37GwDBWc9sv0rVQOJDQ5JU1rVzx9EEGuOGYo0DHAl70++9LQ7HxTawdL7w==",
+            "version": "4.9.2",
+            "resolved": "https://registry.npmjs.org/next-intl/-/next-intl-4.9.2.tgz",
+            "integrity": "sha512-AZoMRsVGLZczB2hisq1OTWmNAYAKwk/jaWH4+9pfl5TCG8kbILZZptZHux9zw7DyN1yzh6X7jmaQvoykHs9Y7Q==",
            "funding": [
                {
                    "type": "individual",
@@ -15531,16 +15462,15 @@
                "@formatjs/intl-localematcher": "^0.8.1",
                "@parcel/watcher": "^2.4.1",
                "@swc/core": "^1.15.2",
-                "icu-minify": "^4.8.3",
+                "icu-minify": "^4.9.2",
                "negotiator": "^1.0.0",
-                "next-intl-swc-plugin-extractor": "^4.8.3",
+                "next-intl-swc-plugin-extractor": "^4.9.2",
                "po-parser": "^2.1.1",
-                "use-intl": "^4.8.3"
+                "use-intl": "^4.9.2"
            },
            "peerDependencies": {
                "next": "^12.0.0 || ^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0",
-                "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0",
-                "typescript": "^5.0.0"
+                "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0 || ^19.0.0"
            },
            "peerDependenciesMeta": {
                "typescript": {
@@ -15549,9 +15479,9 @@
            }
        },
        "node_modules/next-intl-swc-plugin-extractor": {
-            "version": "4.8.3",
-            "resolved": "https://registry.npmjs.org/next-intl-swc-plugin-extractor/-/next-intl-swc-plugin-extractor-4.8.3.tgz",
-            "integrity": "sha512-YcaT+R9z69XkGhpDarVFWUprrCMbxgIQYPUaXoE6LGVnLjGdo8hu3gL6bramDVjNKViYY8a/pXPy7Bna0mXORg==",
+            "version": "4.11.0",
+            "resolved": "https://registry.npmjs.org/next-intl-swc-plugin-extractor/-/next-intl-swc-plugin-extractor-4.11.0.tgz",
+            "integrity": "sha512-WUGBSxGNd8eQ0rAsJHFmRw2H7+SZAXQIY/HAnYM57JaUsj5D2vx4KOz4zFtXlyKDtsw9awHfgWVvBae2/RDF9A==",
            "license": "MIT"
        },
        "node_modules/next-themes": {
@@ -16428,7 +16358,6 @@
            "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
            "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "pg-connection-string": "^2.12.0",
                "pg-pool": "^3.13.0",
@@ -16936,7 +16865,6 @@
            "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
            "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=0.10.0"
            }
@@ -16968,7 +16896,6 @@
            "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
            "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "scheduler": "^0.27.0"
            },
@@ -17261,7 +17188,6 @@
            "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
            "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=18.0.0"
            },
@@ -18723,8 +18649,7 @@
            "version": "4.2.2",
            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
            "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
        },
        "node_modules/tapable": {
            "version": "2.3.2",
@@ -19197,9 +19122,8 @@
            "version": "5.9.3",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
            "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
-            "devOptional": true,
+            "dev": true,
            "license": "Apache-2.0",
-            "peer": true,
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
@@ -19390,9 +19314,9 @@
            }
        },
        "node_modules/use-intl": {
-            "version": "4.8.3",
-            "resolved": "https://registry.npmjs.org/use-intl/-/use-intl-4.8.3.tgz",
-            "integrity": "sha512-nLxlC/RH+le6g3amA508Itnn/00mE+J22ui21QhOWo5V9hCEC43+WtnRAITbJW0ztVZphev5X9gvOf2/Dk9PLA==",
+            "version": "4.11.0",
+            "resolved": "https://registry.npmjs.org/use-intl/-/use-intl-4.11.0.tgz",
+            "integrity": "sha512-7ILhTLuo3fnSKhoTGDk5X9591pjtWr6qB4inrlvGkN9OEyKhoiG73GZFoLSs68wz3BsSGtoWa62iWvrYEYU+iA==",
            "funding": [
                {
                    "type": "individual",
@@ -19403,7 +19327,7 @@
            "dependencies": {
                "@formatjs/fast-memoize": "^3.1.0",
                "@schummar/icu-type-parser": "1.21.5",
-                "icu-minify": "^4.8.3",
+                "icu-minify": "^4.11.0",
                "intl-messageformat": "^11.1.0"
            },
            "peerDependencies": {
@@ -19627,7 +19551,6 @@
            "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
            "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@colors/colors": "^1.6.0",
                "@dabh/diagnostics": "^2.0.8",
@@ -19834,7 +19757,6 @@
            "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
            "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
            "license": "MIT",
-            "peer": true,
            "funding": {
                "url": "https://github.com/sponsors/colinhacks"
            }
--- a/package.json
+++ b/package.json
@@ -93,7 +93,7 @@
        "maxmind": "5.0.5",
        "moment": "2.30.1",
        "next": "15.5.15",
-        "next-intl": "4.8.3",
+        "next-intl": "4.9.2",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {

 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary;
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -25,9 +25,9 @@ import { tierMatrix } from "./billing/tierMatrix";

 export async function calculateUserClientsForOrgs(
    userId: string,
-    trx?: Transaction
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    const execute = async (transaction: Transaction) => {
+    const execute = async (transaction: Transaction | typeof db) => {
        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
        const adminRoleCache = new Map<
            string,
@@ -437,7 +437,7 @@ export async function calculateUserClientsForOrgs(

 async function cleanupOrphanedClients(
    userId: string,
-    trx: Transaction,
+    trx: Transaction | typeof db,
    userOrgIds: string[] = []
 ): Promise<void> {
    // Find all OLM clients for this user that should be deleted
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -124,7 +124,7 @@ export function computeBuckets(
    let totalDowntime = 0;

    for (let d = 0; d < days; d++) {
-        const dayStartSec = todayMidnightSec - (days - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - 1 - d) * 86400;
        const dayEndSec = dayStartSec + 86400;

        const dayEvents = events.filter(
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -485,6 +485,133 @@ async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
    }
 }

+async function storeCertForDomain(
+    domain: string,
+    certPem: string,
+    keyPem: string,
+    validatedX509: crypto.X509Certificate
+): Promise<void> {
+    const wildcard = domain.startsWith("*.");
+
+    const existing = await db
+        .select()
+        .from(certificates)
+        .where(eq(certificates.domain, domain))
+        .limit(1);
+
+    let oldCertPem: string | null = null;
+    let oldKeyPem: string | null = null;
+
+    if (existing.length > 0 && existing[0].certFile) {
+        try {
+            const storedCertPem = decrypt(
+                existing[0].certFile,
+                config.getRawConfig().server.secret!
+            );
+            const wildcardUnchanged = existing[0].wildcard === wildcard;
+            if (storedCertPem === certPem && wildcardUnchanged) {
+                return;
+            }
+            oldCertPem = storedCertPem;
+            if (existing[0].keyFile) {
+                try {
+                    oldKeyPem = decrypt(
+                        existing[0].keyFile,
+                        config.getRawConfig().server.secret!
+                    );
+                } catch (keyErr) {
+                    logger.debug(
+                        `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
+                    );
+                }
+            }
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
+            );
+        }
+    }
+
+    let expiresAt: number | null = null;
+    try {
+        expiresAt = Math.floor(
+            new Date(validatedX509.validTo).getTime() / 1000
+        );
+    } catch (err) {
+        logger.debug(
+            `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+        );
+    }
+
+    const encryptedCert = encrypt(
+        certPem,
+        config.getRawConfig().server.secret!
+    );
+    const encryptedKey = encrypt(keyPem, config.getRawConfig().server.secret!);
+    const now = Math.floor(Date.now() / 1000);
+
+    const domainId = await findDomainId(domain);
+    if (domainId) {
+        logger.debug(
+            `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
+        );
+    } else {
+        logger.debug(
+            `acmeCertSync: no matching domain record found for cert domain "${domain}"`
+        );
+    }
+
+    if (existing.length > 0) {
+        logger.debug(
+            `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+        await db
+            .update(certificates)
+            .set({
+                certFile: encryptedCert,
+                keyFile: encryptedKey,
+                status: "valid",
+                expiresAt,
+                updatedAt: now,
+                wildcard,
+                ...(domainId !== null && { domainId })
+            })
+            .where(eq(certificates.domain, domain));
+
+        logger.debug(
+            `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+
+        await pushCertUpdateToAffectedNewts(
+            domain,
+            domainId,
+            oldCertPem,
+            oldKeyPem
+        );
+    } else {
+        logger.debug(
+            `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+        await db.insert(certificates).values({
+            domain,
+            domainId,
+            certFile: encryptedCert,
+            keyFile: encryptedKey,
+            status: "valid",
+            expiresAt,
+            createdAt: now,
+            updatedAt: now,
+            wildcard
+        });
+
+        logger.debug(
+            `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+        );
+
+        await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+    }
+}
+
 function findAcmeJsonFiles(dirPath: string): string[] {
    const results: string[] = [];
    let entries: fs.Dirent[];
@@ -575,18 +702,16 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
    }

    for (const cert of allCerts) {
-        const domain = cert?.domain?.main;
+        const mainDomain = cert?.domain?.main;

-        if (!domain || typeof domain !== "string") {
+        if (!mainDomain || typeof mainDomain !== "string") {
            logger.debug(`acmeCertSync: skipping cert with missing domain`);
            continue;
        }

-        const { wildcard } = detectWildcard(domain, cert.domain?.sans);
-
        if (!cert.certificate || !cert.key) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
+                `acmeCertSync: skipping cert for ${mainDomain} - empty certificate or key field`
            );
            continue;
        }
@@ -598,14 +723,14 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            keyPem = Buffer.from(cert.key, "base64").toString("utf8");
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - failed to base64-decode cert/key: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - failed to base64-decode cert/key: ${err}`
            );
            continue;
        }

        if (!certPem.trim() || !keyPem.trim()) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
+                `acmeCertSync: skipping cert for ${mainDomain} - blank PEM after base64 decode`
            );
            continue;
        }
@@ -616,7 +741,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
        const firstCertPemForValidation = extractFirstCert(certPem);
        if (!firstCertPemForValidation) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - no PEM certificate block found`
+                `acmeCertSync: skipping cert for ${mainDomain} - no PEM certificate block found`
            );
            continue;
        }
@@ -628,7 +753,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            );
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - invalid X.509 certificate: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - invalid X.509 certificate: ${err}`
            );
            continue;
        }
@@ -638,139 +763,40 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            crypto.createPrivateKey(keyPem);
        } catch (err) {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - invalid private key: ${err}`
+                `acmeCertSync: skipping cert for ${mainDomain} - invalid private key: ${err}`
            );
            continue;
        }

-        // Check if cert already exists in DB
-        const existing = await db
-            .select()
-            .from(certificates)
-            .where(and(eq(certificates.domain, domain)))
-            .limit(1);
-
-        let oldCertPem: string | null = null;
-        let oldKeyPem: string | null = null;
-
-        if (existing.length > 0 && existing[0].certFile) {
-            try {
-                const storedCertPem = decrypt(
-                    existing[0].certFile,
-                    config.getRawConfig().server.secret!
-                );
-                const wildcardUnchanged = existing[0].wildcard === wildcard;
-                if (storedCertPem === certPem && wildcardUnchanged) {
-                    // logger.debug(
-                    // `acmeCertSync: cert for ${domain} is unchanged, skipping`
-                    // );
-                    continue;
+        // Collect all domains covered by this cert: main + every SAN.
+        // Each domain gets its own row in the certificates table so that
+        // lookups by any hostname on the cert succeed independently.
+        const allDomains = new Set<string>([mainDomain]);
+        if (Array.isArray(cert.domain?.sans)) {
+            for (const san of cert.domain.sans) {
+                if (typeof san === "string" && san.trim()) {
+                    allDomains.add(san.trim());
                }
-                // Cert has changed; capture old values so we can send a correct
-                // update message to the newt after the DB write.
-                oldCertPem = storedCertPem;
-                if (existing[0].keyFile) {
-                    try {
-                        oldKeyPem = decrypt(
-                            existing[0].keyFile,
-                            config.getRawConfig().server.secret!
-                        );
-                    } catch (keyErr) {
-                        logger.debug(
-                            `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
-                        );
-                    }
-                }
-            } catch (err) {
-                // Decryption failure means we should proceed with the update
-                logger.debug(
-                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
-                );
            }
        }

-        // Parse cert expiry from the validated X.509 certificate
-        let expiresAt: number | null = null;
-        try {
-            expiresAt = Math.floor(
-                new Date(validatedX509.validTo).getTime() / 1000
-            );
-        } catch (err) {
-            logger.debug(
-                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
-            );
-        }
-
-        const encryptedCert = encrypt(
-            certPem,
-            config.getRawConfig().server.secret!
+        logger.debug(
+            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
        );
-        const encryptedKey = encrypt(
-            keyPem,
-            config.getRawConfig().server.secret!
-        );
-        const now = Math.floor(Date.now() / 1000);

-        const domainId = await findDomainId(domain);
-        if (domainId) {
-            logger.debug(
-                `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
-            );
-        } else {
-            logger.debug(
-                `acmeCertSync: no matching domain record found for cert domain "${domain}"`
-            );
-        }
-
-        if (existing.length > 0) {
-            logger.debug(
-                `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-            await db
-                .update(certificates)
-                .set({
-                    certFile: encryptedCert,
-                    keyFile: encryptedKey,
-                    status: "valid",
-                    expiresAt,
-                    updatedAt: now,
-                    wildcard,
-                    ...(domainId !== null && { domainId })
-                })
-                .where(eq(certificates.domain, domain));
-
-            logger.debug(
-                `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-
-            await pushCertUpdateToAffectedNewts(
-                domain,
-                domainId,
-                oldCertPem,
-                oldKeyPem
-            );
-        } else {
-            logger.debug(
-                `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-            await db.insert(certificates).values({
-                domain,
-                domainId,
-                certFile: encryptedCert,
-                keyFile: encryptedKey,
-                status: "valid",
-                expiresAt,
-                createdAt: now,
-                updatedAt: now,
-                wildcard
-            });
-
-            logger.debug(
-                `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-            );
-
-            // For a brand-new cert, push to any SSL resources that were waiting for it
-            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+        for (const domain of allDomains) {
+            try {
+                await storeCertForDomain(
+                    domain,
+                    certPem,
+                    keyPem,
+                    validatedX509
+                );
+            } catch (err) {
+                logger.error(
+                    `acmeCertSync: error storing cert for domain "${domain}": ${err}`
+                );
+            }
        }
    }
 }
--- a/server/private/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { clients, db } from "@server/db";
+import { clients, db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -122,8 +122,12 @@ export async function addUserRole(
            );
        }

-        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
-            null;
+        let newUserRole: {
+            userId: string;
+            orgId: string;
+            roleId: number;
+        } | null = null;
+        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            const inserted = await trx
                .insert(userOrgRoles)
@@ -149,11 +153,19 @@ export async function addUserRole(
                    )
                );

-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
+            orgClientsToRebuild = orgClients;
        });

+        for (const orgClient of orgClientsToRebuild) {
+            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations for client ${orgClient.clientId} after adding role: ${e}`
+                    );
+                }
+            );
+        }
+
        return response(res, {
            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
            success: true,
--- a/server/private/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { db } from "@server/db";
+import { db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -129,6 +129,7 @@ export async function removeUserRole(
            }
        }

+        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
@@ -150,11 +151,19 @@ export async function removeUserRole(
                    )
                );

-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
+            orgClientsToRebuild = orgClients;
        });

+        for (const orgClient of orgClientsToRebuild) {
+            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations for client ${orgClient.clientId} after removing role: ${e}`
+                    );
+                }
+            );
+        }
+
        return response(res, {
            data: { userId, orgId: role.orgId, roleId },
            success: true,
--- a/server/private/routers/user/setUserOrgRoles.ts
+++ b/server/private/routers/user/setUserOrgRoles.ts
@@ -13,7 +13,7 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db } from "@server/db";
+import { clients, db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -115,6 +115,7 @@ export async function setUserOrgRoles(
            );
        }

+        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
@@ -142,11 +143,19 @@ export async function setUserOrgRoles(
                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
                );

-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
+            orgClientsToRebuild = orgClients;
        });

+        for (const orgClient of orgClientsToRebuild) {
+            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations for client ${orgClient.clientId} after setting roles: ${e}`
+                    );
+                }
+            );
+        }
+
        return response(res, {
            data: { userId, orgId, roleIds: uniqueRoleIds },
            success: true,
--- a/server/routers/auth/deleteMyAccount.ts
+++ b/server/routers/auth/deleteMyAccount.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, userOrgs, users } from "@server/db";
+import { db, orgs, userOrgs, users, primaryDb } from "@server/db";
 import { eq, and, inArray, not } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -218,13 +218,18 @@ export async function deleteMyAccount(

        await db.transaction(async (trx) => {
            await trx.delete(users).where(eq(users.userId, userId));
-            await calculateUserClientsForOrgs(userId, trx);
            // loop through the other orgs and decrement the count
            for (const userOrg of otherOrgsTheUserWasIn) {
                await usageService.add(userOrg.orgId, FeatureId.USERS, -1, trx);
            }
        });

+        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
+            logger.error(
+                `Failed to calculate user clients after deleting account for user ${userId}: ${e}`
+            );
+        });
+
        try {
            await invalidateSession(session.sessionId);
        } catch (error) {
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, primaryDb } from "@server/db";
 import {
    roles,
    Client,
@@ -92,7 +92,10 @@ export async function createClient(

        const { orgId } = parsedParams.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (
+            req.user &&
+            (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)
+        ) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -198,7 +201,10 @@ export async function createClient(

            if (!randomExitNode) {
                return next(
-                    createHttpError(HttpCode.NOT_FOUND, `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`)
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`
+                    )
                );
            }

@@ -256,10 +262,18 @@ export async function createClient(
                clientId: newClient.clientId,
                dateCreated: moment().toISOString()
            });
-
-            await rebuildClientAssociationsFromClient(newClient, trx);
        });

+        if (newClient) {
+            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations after creating client: ${e}`
+                    );
+                }
+            );
+        }
+
        return response<CreateClientResponse>(res, {
            data: newClient,
            success: true,
--- a/server/routers/client/createUserClient.ts
+++ b/server/routers/client/createUserClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, primaryDb } from "@server/db";
 import {
    roles,
    Client,
@@ -237,10 +237,18 @@ export async function createUserClient(
                userId,
                clientId: newClient.clientId
            });
-
-            await rebuildClientAssociationsFromClient(newClient, trx);
        });

+        if (newClient) {
+            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations after creating user client: ${e}`
+                    );
+                }
+            );
+        }
+
        return response<CreateClientAndOlmResponse>(res, {
            data: newClient,
            success: true,
--- a/server/routers/client/deleteClient.ts
+++ b/server/routers/client/deleteClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, olms } from "@server/db";
+import { db, olms, primaryDb, Client, Olm } from "@server/db";
 import { clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -71,14 +71,17 @@ export async function deleteClient(
            );
        }

+        let deletedClient: Client | undefined;
+        let olm: Olm | undefined;
+
        await db.transaction(async (trx) => {
            // Then delete the client itself
-            const [deletedClient] = await trx
+            [deletedClient] = await trx
                .delete(clients)
                .where(eq(clients.clientId, clientId))
                .returning();

-            const [olm] = await trx
+            [olm] = await trx
                .select()
                .from(olms)
                .where(eq(olms.clientId, clientId))
@@ -88,14 +91,29 @@ export async function deleteClient(
            if (!client.userId && client.olmId) {
                await trx.delete(olms).where(eq(olms.olmId, client.olmId));
            }
-
-            await rebuildClientAssociationsFromClient(deletedClient, trx);
-
-            if (olm) {
-                await sendTerminateClient(deletedClient.clientId, OlmErrorCodes.TERMINATED_DELETED, olm.olmId); //  the olmId needs to be provided because it cant look it up after deletion
-            }
        });

+        if (deletedClient) {
+            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations after deleting client ${clientId}: ${e}`
+                    );
+                }
+            );
+            if (olm) {
+                sendTerminateClient(
+                    deletedClient.clientId,
+                    OlmErrorCodes.TERMINATED_DELETED,
+                    olm.olmId
+                ).catch((e) => {
+                    logger.error(
+                        `Failed to send terminate message for client ${deletedClient?.clientId} after deleting client ${clientId}: ${e}`
+                    );
+                });
+            }
+        }
+
        return response(res, {
            data: null,
            success: true,
--- a/server/routers/olm/createUserOlm.ts
+++ b/server/routers/olm/createUserOlm.ts
@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { db, olms } from "@server/db";
+import { db, olms, primaryDb } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -81,16 +81,19 @@ export async function createUserOlm(

        const secretHash = await hashPassword(secret);

-        await db.transaction(async (trx) => {
-            await trx.insert(olms).values({
-                olmId: olmId,
-                userId,
-                name,
-                secretHash,
-                dateCreated: moment().toISOString()
-            });
+        await db.insert(olms).values({
+            olmId: olmId,
+            userId,
+            name,
+            secretHash,
+            dateCreated: moment().toISOString()
+        });

-            await calculateUserClientsForOrgs(userId, trx);
+        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
+            console.error(
+                "Error calculating user clients after creating olm:",
+                e
+            );
        });

        return response<CreateOlmResponse>(res, {
--- a/server/routers/olm/deleteUserOlm.ts
+++ b/server/routers/olm/deleteUserOlm.ts
@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { Client, db } from "@server/db";
+import { Client, db, Olm, primaryDb } from "@server/db";
 import { olms, clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
@@ -49,6 +49,7 @@ export async function deleteUserOlm(

        const { olmId } = parsedParams.data;

+        let deletedClient: Client | undefined;
        // Delete associated clients and the OLM in a transaction
        await db.transaction(async (trx) => {
            // Find all clients associated with this OLM
@@ -57,7 +58,6 @@ export async function deleteUserOlm(
                .from(clients)
                .where(eq(clients.olmId, olmId));

-            let deletedClient: Client | null = null;
            // Delete all associated clients
            if (associatedClients.length > 0) {
                [deletedClient] = await trx
@@ -67,23 +67,28 @@ export async function deleteUserOlm(
            }

            // Finally, delete the OLM itself
-            const [olm] = await trx
-                .delete(olms)
-                .where(eq(olms.olmId, olmId))
-                .returning();
-
-            if (deletedClient) {
-                await rebuildClientAssociationsFromClient(deletedClient, trx);
-                if (olm) {
-                    await sendTerminateClient(
-                        deletedClient.clientId,
-                        OlmErrorCodes.TERMINATED_DELETED,
-                        olm.olmId
-                    ); //  the olmId needs to be provided because it cant look it up after deletion
-                }
-            }
+            await trx.delete(olms).where(eq(olms.olmId, olmId)).returning();
        });

+        if (deletedClient) {
+            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client-site associations after deleting OLM ${olmId}: ${e}`
+                    );
+                }
+            );
+            sendTerminateClient(
+                deletedClient.clientId,
+                OlmErrorCodes.TERMINATED_DELETED,
+                olmId
+            ).catch((e) => {
+                logger.error(
+                    `Failed to send terminate message for client ${deletedClient?.clientId} after deleting OLM ${olmId}: ${e}`
+                );
+            });
+        }
+
        return response(res, {
            data: null,
            success: true,
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -22,14 +22,14 @@ import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";

 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
-    logger.info("Handling register olm message!");
+    logger.info("[handleOlmRegisterMessage] Handling register olm message");
    const { message, client: c, sendToClient } = context;
    const olm = c as Olm;

    const now = Math.floor(Date.now() / 1000);

    if (!olm) {
-        logger.warn("Olm not found");
+        logger.warn("[handleOlmRegisterMessage] Olm not found");
        return;
    }

@@ -46,16 +46,19 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    } = message.data;

    if (!olm.clientId) {
-        logger.warn("Olm client ID not found");
+        logger.warn("[handleOlmRegisterMessage] Olm client ID not found");
        sendOlmError(OlmErrorCodes.CLIENT_ID_NOT_FOUND, olm.olmId);
        return;
    }

-    logger.debug("Handling fingerprint insertion for olm register...", {
-        olmId: olm.olmId,
-        fingerprint,
-        postures
-    });
+    logger.debug(
+        "[handleOlmRegisterMessage] Handling fingerprint insertion for olm register...",
+        {
+            olmId: olm.olmId,
+            fingerprint,
+            postures
+        }
+    );

    const isUserDevice = olm.userId !== null && olm.userId !== undefined;

@@ -85,14 +88,17 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        .limit(1);

    if (!client) {
-        logger.warn("Client ID not found");
+        logger.warn("[handleOlmRegisterMessage] Client not found", {
+            clientId: olm.clientId
+        });
        sendOlmError(OlmErrorCodes.CLIENT_NOT_FOUND, olm.olmId);
        return;
    }

    if (client.blocked) {
        logger.debug(
-            `Client ${client.clientId} is blocked. Ignoring register.`
+            `[handleOlmRegisterMessage] Client ${client.clientId} is blocked. Ignoring register.`,
+            { orgId: client.orgId }
        );
        sendOlmError(OlmErrorCodes.CLIENT_BLOCKED, olm.olmId);
        return;
@@ -100,7 +106,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {

    if (client.approvalState == "pending") {
        logger.debug(
-            `Client ${client.clientId} approval is pending. Ignoring register.`
+            `[handleOlmRegisterMessage] Client ${client.clientId} approval is pending. Ignoring register.`,
+            { orgId: client.orgId }
        );
        sendOlmError(OlmErrorCodes.CLIENT_PENDING, olm.olmId);
        return;
@@ -128,14 +135,18 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        .limit(1);

    if (!org) {
-        logger.warn("Org not found");
+        logger.warn("[handleOlmRegisterMessage] Org not found", {
+            orgId: client.orgId
+        });
        sendOlmError(OlmErrorCodes.ORG_NOT_FOUND, olm.olmId);
        return;
    }

    if (orgId) {
        if (!olm.userId) {
-            logger.warn("Olm has no user ID");
+            logger.warn("[handleOlmRegisterMessage] Olm has no user ID", {
+                orgId: client.orgId
+            });
            sendOlmError(OlmErrorCodes.USER_ID_NOT_FOUND, olm.olmId);
            return;
        }
@@ -143,12 +154,18 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        const { session: userSession, user } =
            await validateSessionToken(userToken);
        if (!userSession || !user) {
-            logger.warn("Invalid user session for olm register");
+            logger.warn(
+                "[handleOlmRegisterMessage] Invalid user session for olm register",
+                { orgId: client.orgId }
+            );
            sendOlmError(OlmErrorCodes.INVALID_USER_SESSION, olm.olmId);
            return;
        }
        if (user.userId !== olm.userId) {
-            logger.warn("User ID mismatch for olm register");
+            logger.warn(
+                "[handleOlmRegisterMessage] User ID mismatch for olm register",
+                { orgId: client.orgId }
+            );
            sendOlmError(OlmErrorCodes.USER_ID_MISMATCH, olm.olmId);
            return;
        }
@@ -163,11 +180,15 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            sessionId // this is the user token passed in the message
        });

-        logger.debug("Policy check result:", policyCheck);
+        logger.debug("[handleOlmRegisterMessage] Policy check result", {
+            orgId: client.orgId,
+            policyCheck
+        });

        if (policyCheck?.error) {
            logger.error(
-                `Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`
+                `[handleOlmRegisterMessage] Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`,
+                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
            return;
@@ -175,7 +196,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {

        if (policyCheck.policies?.passwordAge?.compliant === false) {
            logger.warn(
-                `Olm user ${olm.userId} has non-compliant password age for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant password age for org ${orgId}`,
+                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_PASSWORD_EXPIRED,
@@ -186,7 +208,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            policyCheck.policies?.maxSessionLength?.compliant === false
        ) {
            logger.warn(
-                `Olm user ${olm.userId} has non-compliant session length for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant session length for org ${orgId}`,
+                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_SESSION_EXPIRED,
@@ -195,7 +218,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        } else if (policyCheck.policies?.requiredTwoFactor === false) {
            logger.warn(
-                `Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`,
+                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_2FA_REQUIRED,
@@ -204,7 +228,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        } else if (!policyCheck.allowed) {
            logger.warn(
-                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`,
+                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
            return;
@@ -226,29 +251,39 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;

    // Prepare an array to store site configurations
-    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
+    logger.debug(
+        `[handleOlmRegisterMessage] Found ${sitesCount} sites for client ${client.clientId}`,
+        { orgId: client.orgId }
+    );

    let jitMode = false;
    if (sitesCount > 250 && build == "saas") {
        // THIS IS THE MAX ON THE BUSINESS TIER
        // we have too many sites
        // If we have too many sites we need to drop into fully JIT mode by not sending any of the sites
-        logger.info("Too many sites (%d), dropping into JIT mode", sitesCount);
+        logger.info(
+            `[handleOlmRegisterMessage] Too many sites (${sitesCount}), dropping into JIT mode`,
+            { orgId: client.orgId }
+        );
        jitMode = true;
    }

    logger.debug(
-        `Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`
+        `[handleOlmRegisterMessage] Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`,
+        { orgId: client.orgId }
    );

    if (!publicKey) {
-        logger.warn("Public key not provided");
+        logger.warn("[handleOlmRegisterMessage] Public key not provided", {
+            orgId: client.orgId
+        });
        return;
    }

    if (client.pubKey !== publicKey || client.archived) {
        logger.info(
-            "Public key mismatch. Updating public key and clearing session info..."
+            "[handleOlmRegisterMessage] Public key mismatch. Updating public key and clearing session info...",
+            { orgId: client.orgId }
        );
        // Update the client's public key
        await db
@@ -274,12 +309,13 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    // TODO: I still think there is a better way to do this rather than locking it out here but ???
    if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
        logger.warn(
-            `Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
+            `[handleOlmRegisterMessage] Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`,
+            { orgId: client.orgId }
        );
        return;
    }

-   // NOTE: its important that the client here is the old client and the public key is the new key
+    // NOTE: its important that the client here is the old client and the public key is the new key
    const siteConfigurations = await buildSiteConfigurationForOlmClient(
        client,
        publicKey,
--- a/server/routers/siteResource/batchAddClientToSiteResources.ts
+++ b/server/routers/siteResource/batchAddClientToSiteResources.ts
@@ -5,7 +5,8 @@ import {
    clients,
    clientSiteResources,
    siteResources,
-    apiKeyOrg
+    apiKeyOrg,
+    primaryDb
 } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -220,8 +221,12 @@ export async function batchAddClientToSiteResources(
                    siteResourceId: siteResource.siteResourceId
                });
            }
+        });

-            await rebuildClientAssociationsFromClient(client, trx);
+        rebuildClientAssociationsFromClient(client, primaryDb).catch((e) => {
+            logger.error(
+                `Failed to rebuild client associations after batch adding site resources for client ${clientId}: ${e}`
+            );
        });

        return response(res, {
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -10,7 +10,8 @@ import {
    SiteResource,
    siteResources,
    sites,
-    userSiteResources
+    userSiteResources,
+    primaryDb
 } from "@server/db";
 import { getUniqueSiteResourceName } from "@server/db/names";
 import {
@@ -519,12 +520,10 @@ export async function createSiteResource(
        // own transaction so it always executes on the primary — avoiding any
        // replica-lag issues while still allowing the HTTP response to return
        // early.
-        db.transaction(async (trx) => {
-            await rebuildClientAssociationsFromSiteResource(
-                newSiteResource!,
-                trx
-            );
-        }).catch((err) => {
+        rebuildClientAssociationsFromSiteResource(
+            newSiteResource!,
+            primaryDb
+        ).catch((err) => {
            logger.error(
                `Error rebuilding client associations for site resource ${newSiteResource!.siteResourceId}:`,
                err
--- a/server/routers/siteResource/deleteSiteResource.ts
+++ b/server/routers/siteResource/deleteSiteResource.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, newts, sites } from "@server/db";
+import { db, newts, primaryDb, sites } from "@server/db";
 import { siteResources } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -73,12 +73,10 @@ export async function deleteSiteResource(
        // own transaction so it always executes on the primary — avoiding any
        // replica-lag issues while still allowing the HTTP response to return
        // early.
-        db.transaction(async (trx) => {
-            await rebuildClientAssociationsFromSiteResource(
-                removedSiteResource,
-                trx
-            );
-        }).catch((err) => {
+        rebuildClientAssociationsFromSiteResource(
+            removedSiteResource,
+            primaryDb
+        ).catch((err) => {
            logger.error(
                `Error rebuilding client associations for site resource ${removedSiteResource!.siteResourceId}:`,
                err
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -1,7 +1,13 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs } from "@server/db";
-import { roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
+import { db, orgs, primaryDb } from "@server/db";
+import {
+    roles,
+    userInviteRoles,
+    userInvites,
+    userOrgs,
+    users
+} from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -146,9 +152,7 @@ export async function acceptInvite(
            .from(userInviteRoles)
            .where(eq(userInviteRoles.inviteId, inviteId));

-        const inviteRoleIds = [
-            ...new Set(inviteRoleRows.map((r) => r.roleId))
-        ];
+        const inviteRoleIds = [...new Set(inviteRoleRows.map((r) => r.roleId))];
        if (inviteRoleIds.length === 0) {
            return next(
                createHttpError(
@@ -193,13 +197,19 @@ export async function acceptInvite(
                .delete(userInvites)
                .where(eq(userInvites.inviteId, inviteId));

-            await calculateUserClientsForOrgs(existingUser[0].userId, trx);
-
            logger.debug(
                `User ${existingUser[0].userId} accepted invite to org ${existingInvite.orgId}`
            );
        });

+        calculateUserClientsForOrgs(existingUser[0].userId, primaryDb).catch(
+            (e) => {
+                logger.error(
+                    `Failed to calculate user clients after accepting invite for user ${existingUser[0].userId}: ${e}`
+                );
+            }
+        );
+
        return response<AcceptInviteResponse>(res, {
            data: { accepted: true, orgId: existingInvite.orgId },
            success: true,
--- a/server/routers/user/addUserRoleLegacy.ts
+++ b/server/routers/user/addUserRoleLegacy.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { clients, db } from "@server/db";
+import { clients, db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -112,6 +112,8 @@ export async function addUserRoleLegacy(
            );
        }

+        let orgClientsToRebuild: Client[] = [];
+
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
@@ -138,11 +140,19 @@ export async function addUserRoleLegacy(
                    )
                );

-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
+            orgClientsToRebuild = orgClients;
        });

+        for (const orgClient of orgClientsToRebuild) {
+            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
+                (e) => {
+                    logger.error(
+                        `Failed to rebuild client associations for client ${orgClient.clientId} after adding role: ${e}`
+                    );
+                }
+            );
+        }
+
        return response(res, {
            data: { ...existingUser, roleId },
            success: true,
--- a/server/routers/user/adminRemoveUser.ts
+++ b/server/routers/user/adminRemoveUser.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, primaryDb } from "@server/db";
 import { users } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -53,8 +53,12 @@ export async function adminRemoveUser(

        await db.transaction(async (trx) => {
            await trx.delete(users).where(eq(users.userId, userId));
+        });

-            await calculateUserClientsForOrgs(userId, trx);
+        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
+            logger.error(
+                `Failed to calculate user clients after removing user ${userId}: ${e}`
+            );
        });

        return response(res, {
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -6,7 +6,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, orgs } from "@server/db";
+import { db, orgs, primaryDb } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
@@ -34,8 +34,7 @@ const bodySchema = z
        roleId: z.number().int().positive().optional()
    })
    .refine(
-        (d) =>
-            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        (d) => (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
        { message: "roleIds or roleId is required", path: ["roleIds"] }
    )
    .transform((data) => ({
@@ -100,8 +99,14 @@ export async function createOrgUser(
        }

        const { orgId } = parsedParams.data;
-        const { username, email, name, type, idpId, roleIds: uniqueRoleIds } =
-            parsedBody.data;
+        const {
+            username,
+            email,
+            name,
+            type,
+            idpId,
+            roleIds: uniqueRoleIds
+        } = parsedBody.data;

        if (build == "saas") {
            const usage = await usageService.getUsage(orgId, FeatureId.USERS);
@@ -232,6 +237,7 @@ export async function createOrgUser(
                );
            }

+            let userIdForClients: string | undefined;
            await db.transaction(async (trx) => {
                const [existingUser] = await trx
                    .select()
@@ -270,7 +276,7 @@ export async function createOrgUser(
                        {
                            orgId,
                            userId: existingUser.userId,
-                            autoProvisioned: false,
+                            autoProvisioned: false
                        },
                        uniqueRoleIds,
                        trx
@@ -292,20 +298,30 @@ export async function createOrgUser(
                        })
                        .returning();

-                        await assignUserToOrg(
-                            org,
-                            {
-                                orgId,
-                                userId: newUser.userId,
-                                autoProvisioned: false,
-                            },
-                            uniqueRoleIds,
-                            trx
-                        );
+                    await assignUserToOrg(
+                        org,
+                        {
+                            orgId,
+                            userId: newUser.userId,
+                            autoProvisioned: false
+                        },
+                        uniqueRoleIds,
+                        trx
+                    );
                }

-                await calculateUserClientsForOrgs(userId, trx);
+                userIdForClients = userId;
            });
+
+            if (userIdForClients) {
+                calculateUserClientsForOrgs(userIdForClients, primaryDb).catch(
+                    (e) => {
+                        logger.error(
+                            `Failed to calculate user clients after creating org user: ${e}`
+                        );
+                    }
+                );
+            }
        } else {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "User type is required")
--- a/server/routers/user/removeUserOrg.ts
+++ b/server/routers/user/removeUserOrg.ts
@@ -7,7 +7,8 @@ import {
    siteResources,
    sites,
    UserOrg,
-    userSiteResources
+    userSiteResources,
+    primaryDb
 } from "@server/db";
 import { userOrgs, userResources, users, userSites } from "@server/db";
 import { and, count, eq, exists, inArray } from "drizzle-orm";
@@ -91,25 +92,12 @@ export async function removeUserOrg(

        await db.transaction(async (trx) => {
            await removeUserFromOrg(org, userId, trx);
+        });

-            // if (build === "saas") {
-            //     const [rootUser] = await trx
-            //         .select()
-            //         .from(users)
-            //         .where(eq(users.userId, userId));
-            //
-            //     const [leftInOrgs] = await trx
-            //         .select({ count: count() })
-            //         .from(userOrgs)
-            //         .where(eq(userOrgs.userId, userId));
-            //
-            //     // if the user is not an internal user and does not belong to any org, delete the entire user
-            //     if (rootUser?.type !== UserType.Internal && !leftInOrgs.count) {
-            //         await trx.delete(users).where(eq(users.userId, userId));
-            //     }
-            // }
-
-            await calculateUserClientsForOrgs(userId, trx);
+        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
+            logger.error(
+                `Failed to calculate user clients after removing user ${userId} from org ${orgId}: ${e}`
+            );
        });

        return response(res, {
--- a/server/setup/scriptsPg/1.18.3.ts
+++ b/server/setup/scriptsPg/1.18.3.ts
@@ -44,7 +44,7 @@ export default async function migration() {
        await db.execute(sql`BEGIN`);

        await db.execute(sql`
-            CREATE TABLE "trialNotifications" (
+            CREATE TABLE IF NOT EXISTS "trialNotifications" (
               	"notificationId" serial PRIMARY KEY NOT NULL,
               	"subscriptionId" varchar(255) NOT NULL,
               	"notificationType" varchar(50) NOT NULL,
@@ -52,10 +52,6 @@ export default async function migration() {
            );
        `);

-        await db.execute(sql`
-            ALTER TABLE "trialNotifications" ADD CONSTRAINT "trialNotifications_subscriptionId_subscriptions_subscriptionId_fk" FOREIGN KEY ("subscriptionId") REFERENCES "public"."subscriptions"("subscriptionId") ON DELETE cascade ON UPDATE no action;
-        `);
-
        await db.execute(sql`COMMIT`);
        console.log("Migrated database");
    } catch (e) {
--- a/server/setup/scriptsSqlite/1.18.3.ts
+++ b/server/setup/scriptsSqlite/1.18.3.ts
@@ -16,7 +16,7 @@ export default async function migration() {
        db.transaction(() => {
            db.prepare(
                `
-                    CREATE TABLE 'trialNotifications' (
+                    CREATE TABLE IF NOT EXISTS 'trialNotifications' (
                       	'notificationId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
                       	'subscriptionId' text NOT NULL,
                       	'notificationType' text NOT NULL,
--- a/src/app/[orgId]/settings/resources/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/page.tsx
@@ -55,7 +55,9 @@ export default async function ProxyResourcesPage(
        pagination = responseData.pagination;
    } catch (e) {}

-    const siteIdParam = parsePositiveInt(searchParams.get("siteId") ?? undefined);
+    const siteIdParam = parsePositiveInt(
+        searchParams.get("siteId") ?? undefined
+    );

    let initialFilterSite: {
        siteId: number;
@@ -122,6 +124,7 @@ export default async function ProxyResourcesPage(
            domainId: resource.domainId || undefined,
            fullDomain: resource.fullDomain ?? null,
            ssl: resource.ssl,
+            wildcard: resource.wildcard,
            targets: resource.targets?.map((target) => ({
                targetId: target.targetId,
                ip: target.ip,
--- a/src/components/ProxyResourcesTable.tsx
+++ b/src/components/ProxyResourcesTable.tsx
@@ -96,6 +96,7 @@ export type ResourceRow = {
    targets?: TargetHealth[];
    health?: "healthy" | "degraded" | "unhealthy" | "unknown";
    sites: ResourceSiteRow[];
+    wildcard?: boolean;
 };

 function StatusIcon({
@@ -570,10 +571,14 @@ export default function ProxyResourcesTable({
                            />
                        ) : null}
                        <div className="">
-                            <CopyToClipboard
-                                text={resourceRow.domain}
-                                isLink={true}
-                            />
+                            {!resourceRow.wildcard ? (
+                                <CopyToClipboard
+                                    text={resourceRow.domain}
+                                    isLink={true}
+                                />
+                            ) : (
+                                <span>{resourceRow.domain}</span>
+                            )}
                        </div>
                    </div>
                );
Author	SHA1	Message	Date
dependabot[bot]	f786d63b7b	Bump next-intl from 4.8.3 to 4.9.2 Bumps [next-intl](https://github.com/amannn/next-intl) from 4.8.3 to 4.9.2. - [Release notes](https://github.com/amannn/next-intl/releases) - [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md) - [Commits](https://github.com/amannn/next-intl/compare/v4.8.3...v4.9.2) --- updated-dependencies: - dependency-name: next-intl dependency-version: 4.9.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-08 03:38:24 +00:00
Owen Schwartz	10f95896aa	Merge pull request #3030 from fosrl/dev 1.18.3-s.2 fix	2026-05-07 20:08:05 -07:00
Owen	5b8994d143	Cange to use primaryDb	2026-05-07 20:07:06 -07:00
Owen	c46ef2fe9c	Fix ts type issue	2026-05-07 20:03:48 -07:00
Owen Schwartz	4cd025dd91	Merge pull request #3029 from fosrl/dev 1.18.3-s.2	2026-05-07 17:44:35 -07:00
Owen	ce04ea9720	Fix not including today Fixes #3028	2026-05-07 16:15:13 -07:00
Owen	a3ce382725	Pick up other domains in the sans field	2026-05-07 15:49:12 -07:00
Owen	4eb49e3e60	Make the rebuild long running function background	2026-05-07 15:40:34 -07:00
Owen	2a9481023a	Dont show link when wildcard	2026-05-07 15:15:03 -07:00
Owen	8ed01372b8	Add org to logs	2026-05-07 15:14:44 -07:00
Owen Schwartz	6a7d4fd385	Merge pull request #3021 from fosrl/dev If not exists on trial table	2026-05-06 20:00:55 -07:00
Owen	7bc08c0425	If not exists on trial table	2026-05-06 20:00:23 -07:00
Owen Schwartz	36a47c4cfb	Merge pull request #3015 from fosrl/dev Dev	2026-05-06 16:59:02 -07:00
Owen Schwartz	293d9865b4	Merge pull request #3014 from fosrl/dev 1.18.3	2026-05-06 16:30:36 -07:00