Merge pull request #2971 from fosrl/dev

1.18.2
Merge pull request #2970 from fosrl/crowdin_dev
2026-05-07 08:49:53 +00:00 · 2026-05-02 20:59:51 -07:00 · 2026-05-02 20:59:16 -07:00 · 2026-05-02 20:57:57 -07:00 · 2026-05-02 20:57:55 -07:00 · 2026-05-02 20:57:54 -07:00
117 changed files with 3385 additions and 1788 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -414,28 +414,18 @@ jobs:
                password: ${{ secrets.GITHUB_TOKEN }}

            - name: Install cosign
-              # cosign is used to sign and verify container images (key and keyless)
+              # cosign is used to sign container images using keyless (OIDC) signing
              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

-            - name: Dual-sign and verify (GHCR & Docker Hub)
-              # Sign each image by digest using keyless (OIDC) and key-based signing,
-              # then verify both the public key signature and the keyless OIDC signature.
+            - name: Sign (GHCR, keyless)
+              # Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
+              # Signatures are stored in the registry alongside the image.
              env:
                  TAG: ${{ env.TAG }}
-                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
                  COSIGN_YES: "true"
              run: |
                  set -euo pipefail

-                  issuer="https://token.actions.githubusercontent.com"
-                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
-
-                  # Track failures
-                  FAILED_TAGS=()
-                  SUCCESSFUL_TAGS=()
-
                  # Determine if this is an RC release
                  IS_RC="false"
                  if [[ "$TAG" == *"-rc."* ]]; then
@@ -463,95 +453,47 @@ jobs:
                      )
                  fi

-                  # Sign each image variant for both registries
-                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
-                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
-                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
-                      TAG_FAILED=false
+                  FAILED_TAGS=()
+                  SUCCESSFUL_TAGS=()

-                      # Wrap the entire tag processing in error handling
-                      (
-                        set -e
-                        DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
-                        REF="${BASE_IMAGE}@${DIGEST}"
-                        echo "Resolved digest: ${REF}"
+                  for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                    echo "Processing ${GHCR_IMAGE}:${IMAGE_TAG}"
+                    TAG_FAILED=false

-                        echo "==> cosign sign (keyless) --recursive ${REF}"
-                        cosign sign --recursive "${REF}"
+                    (
+                      set -e
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${GHCR_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${GHCR_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"

-                        echo "==> cosign sign (key) --recursive ${REF}"
-                        cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"
+                    ) || TAG_FAILED=true

-                        # Retry wrapper for verification to handle registry propagation delays
-                        retry_verify() {
-                          local cmd="$1"
-                          local attempts=6
-                          local delay=5
-                          local i=1
-                          until eval "$cmd"; do
-                            if [ $i -ge $attempts ]; then
-                              echo "Verification failed after $attempts attempts"
-                              return 1
-                            fi
-                            echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
-                            sleep $delay
-                            i=$((i+1))
-                            delay=$((delay*2))
-                            # Cap the delay to avoid very long waits
-                            if [ $delay -gt 60 ]; then delay=60; fi
-                          done
-                          return 0
-                        }
-
-                        echo "==> cosign verify (public key) ${REF}"
-                        if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
-                          VERIFIED_INDEX=true
-                        else
-                          VERIFIED_INDEX=false
-                        fi
-
-                        echo "==> cosign verify (keyless policy) ${REF}"
-                        if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
-                          VERIFIED_INDEX_KEYLESS=true
-                        else
-                          VERIFIED_INDEX_KEYLESS=false
-                        fi
-
-                        # Check if verification succeeded
-                        if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
-                          echo "⚠️  WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
-                          echo "This may be due to registry propagation delays. Continuing anyway."
-                        fi
-                      ) || TAG_FAILED=true
-
-                      if [ "$TAG_FAILED" = "true" ]; then
-                        echo "⚠️  WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
-                        FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
-                      else
-                        echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
-                        SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
-                      fi
-                    done
+                    if [ "$TAG_FAILED" = "true" ]; then
+                      echo "⚠️  WARNING: Failed to sign ${GHCR_IMAGE}:${IMAGE_TAG}"
+                      FAILED_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
+                    else
+                      echo "✓ Successfully signed ${GHCR_IMAGE}:${IMAGE_TAG}"
+                      SUCCESSFUL_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
+                    fi
                  done

-                  # Report summary
                  echo ""
                  echo "=========================================="
-                  echo "Sign and Verify Summary"
+                  echo "Sign Summary"
                  echo "=========================================="
                  echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
                  echo "Failed: ${#FAILED_TAGS[@]}"
-                  echo ""

                  if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
                    echo "Failed tags:"
                    for tag in "${FAILED_TAGS[@]}"; do
                      echo "  - $tag"
                    done
-                    echo ""
-                    echo "⚠️  WARNING: Some tags failed to sign/verify, but continuing anyway"
+                    echo "⚠️  WARNING: Some tags failed to sign, but continuing anyway"
                  else
-                    echo "✓ All images signed and verified successfully!"
+                    echo "✓ All images signed successfully!"
                  fi
              shell: bash

--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -1,5 +1,5 @@
 import { CommandModule } from "yargs";
-import { db, idpOidcConfig, licenseKey } from "@server/db";
+import { db, idpOidcConfig, licenseKey, certificates, eventStreamingDestinations, alertWebhookActions } from "@server/db";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { eq } from "drizzle-orm";
@@ -129,9 +129,15 @@ export const rotateServerSecret: CommandModule<
            console.log("\nReading encrypted data from database...");
            const idpConfigs = await db.select().from(idpOidcConfig);
            const licenseKeys = await db.select().from(licenseKey);
+            const certs = await db.select().from(certificates);
+            const streamingDestinations = await db.select().from(eventStreamingDestinations);
+            const webhookActions = await db.select().from(alertWebhookActions);

            console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
            console.log(`Found ${licenseKeys.length} license key(s)`);
+            console.log(`Found ${certs.length} certificate(s)`);
+            console.log(`Found ${streamingDestinations.length} event streaming destination(s)`);
+            console.log(`Found ${webhookActions.length} alert webhook action(s)`);

            // Prepare all decrypted and re-encrypted values
            console.log("\nDecrypting and re-encrypting values...");
@@ -149,8 +155,27 @@ export const rotateServerSecret: CommandModule<
                encryptedInstanceId: string;
            };

+            type CertUpdate = {
+                certId: number;
+                encryptedCertFile: string | null;
+                encryptedKeyFile: string | null;
+            };
+
+            type StreamingDestinationUpdate = {
+                destinationId: number;
+                encryptedConfig: string;
+            };
+
+            type WebhookActionUpdate = {
+                webhookActionId: number;
+                encryptedConfig: string;
+            };
+
            const idpUpdates: IdpUpdate[] = [];
            const licenseKeyUpdates: LicenseKeyUpdate[] = [];
+            const certUpdates: CertUpdate[] = [];
+            const streamingDestinationUpdates: StreamingDestinationUpdate[] = [];
+            const webhookActionUpdates: WebhookActionUpdate[] = [];

            // Process idpOidcConfig entries
            for (const idpConfig of idpConfigs) {
@@ -217,6 +242,70 @@ export const rotateServerSecret: CommandModule<
                }
            }

+            // Process certificate entries
+            for (const cert of certs) {
+                try {
+                    const encryptedCertFile = cert.certFile
+                        ? encrypt(decrypt(cert.certFile, oldSecret), newSecret)
+                        : null;
+                    const encryptedKeyFile = cert.keyFile
+                        ? encrypt(decrypt(cert.keyFile, oldSecret), newSecret)
+                        : null;
+
+                    certUpdates.push({
+                        certId: cert.certId,
+                        encryptedCertFile,
+                        encryptedKeyFile
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing certificate ${cert.certId} (${cert.domain}):`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Process eventStreamingDestinations entries
+            for (const dest of streamingDestinations) {
+                try {
+                    const decryptedConfig = decrypt(dest.config, oldSecret);
+                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
+
+                    streamingDestinationUpdates.push({
+                        destinationId: dest.destinationId,
+                        encryptedConfig
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing event streaming destination ${dest.destinationId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
+            // Process alertWebhookActions entries
+            for (const webhook of webhookActions) {
+                try {
+                    if (webhook.config == null) continue;
+
+                    const decryptedConfig = decrypt(webhook.config, oldSecret);
+                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
+
+                    webhookActionUpdates.push({
+                        webhookActionId: webhook.webhookActionId,
+                        encryptedConfig
+                    });
+                } catch (error) {
+                    console.error(
+                        `Error processing alert webhook action ${webhook.webhookActionId}:`,
+                        error
+                    );
+                    throw error;
+                }
+            }
+
            // Perform all database updates in a single transaction
            console.log("\nUpdating database in transaction...");
            await db.transaction(async (trx) => {
@@ -250,10 +339,50 @@ export const rotateServerSecret: CommandModule<
                        instanceId: update.encryptedInstanceId
                    });
                }
+
+                // Update certificate entries
+                for (const update of certUpdates) {
+                    await trx
+                        .update(certificates)
+                        .set({
+                            certFile: update.encryptedCertFile,
+                            keyFile: update.encryptedKeyFile
+                        })
+                        .where(eq(certificates.certId, update.certId));
+                }
+
+                // Update event streaming destination entries
+                for (const update of streamingDestinationUpdates) {
+                    await trx
+                        .update(eventStreamingDestinations)
+                        .set({ config: update.encryptedConfig })
+                        .where(
+                            eq(
+                                eventStreamingDestinations.destinationId,
+                                update.destinationId
+                            )
+                        );
+                }
+
+                // Update alert webhook action entries
+                for (const update of webhookActionUpdates) {
+                    await trx
+                        .update(alertWebhookActions)
+                        .set({ config: update.encryptedConfig })
+                        .where(
+                            eq(
+                                alertWebhookActions.webhookActionId,
+                                update.webhookActionId
+                            )
+                        );
+                }
            });

            console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
            console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
+            console.log(`Rotated ${certUpdates.length} certificate(s)`);
+            console.log(`Rotated ${streamingDestinationUpdates.length} event streaming destination(s)`);
+            console.log(`Rotated ${webhookActionUpdates.length} alert webhook action(s)`);

            // Update config file with new secret
            console.log("\nUpdating config file...");
@@ -270,6 +399,9 @@ export const rotateServerSecret: CommandModule<
            console.log(`\nSummary:`);
            console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
            console.log(`  - License keys: ${licenseKeyUpdates.length}`);
+            console.log(`  - Certificates: ${certUpdates.length}`);
+            console.log(`  - Event streaming destinations: ${streamingDestinationUpdates.length}`);
+            console.log(`  - Alert webhook actions: ${webhookActionUpdates.length}`);
            console.log(
                `\n  IMPORTANT: Restart the server for the new secret to take effect.`
            );
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Крайна точка",
    "newtId": "Идентификационен номер",
    "newtSecretKey": "Секретен ключ",
+    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайтове",
    "siteWgAnyClients": "Използвайте клиент на WireGuard, за да се свържете. Ще трябва да използвате вътрешните ресурси чрез IP адреса на връстника.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Създаване на админ акаунт",
    "setupErrorCreateAdmin": "Възникна грешка при създаване на админ акаунт.",
    "certificateStatus": "Сертификат",
+    "certificateStatusAutoRefreshHint": "Състоянието се опреснява автоматично.",
    "loading": "Зареждане",
    "loadingAnalytics": "Зареждане на анализи",
    "restart": "Рестарт",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Преглед на бележките за изданието",
    "newtUpdateAvailable": "Ново обновление",
    "newtUpdateAvailableInfo": "Нова версия на Newt е налична. Моля, обновете до последната версия за най-добро изживяване.",
+    "pangolinNodeUpdateAvailableInfo": "Налична е нова версия на Pangolin Node. Моля, актуализирайте до последната версия за най-добро изживяване.",
    "domainPickerEnterDomain": "Домейн",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Въведете пълния домейн на ресурса, за да видите наличните опции.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
    "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
    "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
-    "orgAuthSignInToOrg": "Влезте в организация",
+    "orgAuthSignInToOrg": "Идентификационен доставчик на организация (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организация.",
    "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
    "orgAuthOrgIdPlaceholder": "вашата-организация",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Уайлдкард подсайтове не са позволени.",
    "domainPickerWildcardCertWarning": "Ресурсите с уайлдкард може да изискват допълнителна конфигурация за правилна работа.",
    "domainPickerWildcardCertWarningLink": "Научете повече",
-    "health": "Здраве"
+    "health": "Здраве",
+    "domainPendingErrorTitle": "Проблем при проверка"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Tajný klíč",
+    "newtVersion": "Verze",
    "architecture": "Architektura",
    "sites": "Stránky",
    "siteWgAnyClients": "K připojení použijte jakéhokoli klienta WireGuard. Budete muset řešit interní zdroje pomocí klientské IP adresy.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Vytvořit účet správce",
    "setupErrorCreateAdmin": "Došlo k chybě při vytváření účtu správce serveru.",
    "certificateStatus": "Certifikát",
+    "certificateStatusAutoRefreshHint": "Stav se automaticky obnovuje.",
    "loading": "Načítání",
    "loadingAnalytics": "Načítání analytiky",
    "restart": "Restartovat",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobrazit poznámky k vydání",
    "newtUpdateAvailable": "Dostupná aktualizace",
    "newtUpdateAvailableInfo": "Je k dispozici nová verze Newt. Pro nejlepší zážitek prosím aktualizujte na nejnovější verzi.",
+    "pangolinNodeUpdateAvailableInfo": "Je k dispozici nová verze uzlu Pangolin. Pro nejlepší zážitek aktualizujte na nejnovější verzi.",
    "domainPickerEnterDomain": "Doména",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Zadejte úplnou doménu zdroje pro zobrazení dostupných možností.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
    "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
    "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
-    "orgAuthSignInToOrg": "Přihlásit se do organizace",
+    "orgAuthSignInToOrg": "Poskytovatel identity organizace (SSO)",
    "orgAuthSelectOrgTitle": "Přihlášení do organizace",
    "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
    "orgAuthOrgIdPlaceholder": "vaše-organizace",
@@ -3167,7 +3170,7 @@
    "publicIpEndpoint": "Koncový bod",
    "lastTriggeredAt": "Poslední spouštěč",
    "reject": "Odmítnout",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "Před {count} dny",
    "uptimeToday": "Dnes",
    "uptimeNoDataAvailable": "Dostupná žádná data",
    "uptimeSuffix": "doba dostupnosti",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Zástupné poddomény nejsou povoleny.",
    "domainPickerWildcardCertWarning": "Zástupné zdroje mohou vyžadovat dodatečnou konfiguraci pro správnou funkci.",
    "domainPickerWildcardCertWarningLink": "Zjistit více",
-    "health": "Zdraví"
+    "health": "Zdraví",
+    "domainPendingErrorTitle": "Problém s ověřením"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpunkt",
    "newtId": "ID",
    "newtSecretKey": "Geheimnis",
+    "newtVersion": "Version",
    "architecture": "Architektur",
    "sites": "Standorte",
    "siteWgAnyClients": "Verwenden Sie jeden WireGuard-Client um sich zu verbinden. Sie müssen interne Ressourcen über die Peer-IP ansprechen.",
@@ -1432,7 +1433,7 @@
    "alertingTriggerHcToggle": "Gesundheits-Check-Status ändern",
    "alertingTriggerResourceHealthy": "Ressource gesund",
    "alertingTriggerResourceUnhealthy": "Ressource ungesund",
-    "alertingTriggerResourceDegraded": "Resource degraded",
+    "alertingTriggerResourceDegraded": "Ressource verschlechtert",
    "alertingSearchHealthChecks": "Gesundheits-Checks suchen…",
    "alertingHealthChecksEmpty": "Keine Gesundheits-Checks verfügbar.",
    "alertingTriggerResourceToggle": "Ressourcenstatus ändern",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Admin-Konto erstellen",
    "setupErrorCreateAdmin": "Beim Erstellen des Server-Admin-Kontos ist ein Fehler aufgetreten.",
    "certificateStatus": "Zertifikat",
+    "certificateStatusAutoRefreshHint": "Der Status wird automatisch aktualisiert.",
    "loading": "Laden",
    "loadingAnalytics": "Analytik wird geladen",
    "restart": "Neustart",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Versionshinweise anzeigen",
    "newtUpdateAvailable": "Update verfügbar",
    "newtUpdateAvailableInfo": "Eine neue Version von Newt ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
+    "pangolinNodeUpdateAvailableInfo": "Eine neue Version von Pangolin Node ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
    "domainPickerEnterDomain": "Domäne",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Geben Sie die vollständige Domain der Ressource ein, um verfügbare Optionen zu sehen.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Wähle deinen Identitätsanbieter um fortzufahren",
    "orgAuthNoIdpConfigured": "Diese Organisation hat keine Identitätsanbieter konfiguriert. Sie können sich stattdessen mit Ihrer Pangolin-Identität anmelden.",
    "orgAuthSignInWithPangolin": "Mit Pangolin anmelden",
-    "orgAuthSignInToOrg": "Bei einer Organisation anmelden",
+    "orgAuthSignInToOrg": "Organisations-Identitätsanbieter (SSO)",
    "orgAuthSelectOrgTitle": "Organisations-Anmeldung",
    "orgAuthSelectOrgDescription": "Geben Sie Ihre Organisations-ID ein, um fortzufahren",
    "orgAuthOrgIdPlaceholder": "Ihre Organisation",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-Subdomains sind nicht erlaubt.",
    "domainPickerWildcardCertWarning": "Wildcard-Ressourcen erfordern möglicherweise zusätzliche Konfigurationen, um ordnungsgemäß zu funktionieren.",
    "domainPickerWildcardCertWarningLink": "Mehr erfahren",
-    "health": "Gesundheit"
+    "health": "Gesundheit",
+    "domainPendingErrorTitle": "Verifizierungsproblem"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secret",
+    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Sites",
    "siteWgAnyClients": "Use any WireGuard client to connect. You will have to address internal resources using the peer IP.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Create Admin Account",
    "setupErrorCreateAdmin": "An error occurred while creating the server admin account.",
    "certificateStatus": "Certificate",
+    "certificateStatusAutoRefreshHint": "Status refreshes automatically.",
    "loading": "Loading",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "View Release Notes",
    "newtUpdateAvailable": "Update Available",
    "newtUpdateAvailableInfo": "A new version of Newt is available. Please update to the latest version for the best experience.",
+    "pangolinNodeUpdateAvailableInfo": "A new version of Pangolin Node is available. Please update to the latest version for the best experience.",
    "domainPickerEnterDomain": "Domain",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Enter the full domain of the resource to see available options.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Choose your identity provider to continue",
    "orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.",
    "orgAuthSignInWithPangolin": "Sign in with Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Organization Identity Provider (SSO)",
    "orgAuthSelectOrgTitle": "Organization Sign In",
    "orgAuthSelectOrgDescription": "Enter your organization ID to continue",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard subdomains are not allowed.",
    "domainPickerWildcardCertWarning": "Wildcard resources may require additional configuration to work properly.",
    "domainPickerWildcardCertWarningLink": "Learn more",
-    "health": "Health"
+    "health": "Health",
+    "domainPendingErrorTitle": "Verification Issue"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secreto",
+    "newtVersion": "Versión",
    "architecture": "Arquitectura",
    "sites": "Sitios",
    "siteWgAnyClients": "Usa cualquier cliente de Wirex para conectarte. Tendrás que dirigirte a los recursos internos usando la IP de compañeros.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Crear cuenta de administrador",
    "setupErrorCreateAdmin": "Se produjo un error al crear la cuenta de administrador del servidor.",
    "certificateStatus": "Certificado",
+    "certificateStatusAutoRefreshHint": "El estado se actualiza automáticamente.",
    "loading": "Cargando",
    "loadingAnalytics": "Cargando analíticas",
    "restart": "Reiniciar",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de lanzamiento",
    "newtUpdateAvailable": "Nueva actualización disponible",
    "newtUpdateAvailableInfo": "Hay una nueva versión de Newt disponible. Actualice a la última versión para la mejor experiencia.",
+    "pangolinNodeUpdateAvailableInfo": "Hay una nueva versión de Pangolin Node disponible. Actualice a la última versión para la mejor experiencia.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "miapp.ejemplo.com",
    "domainPickerDescription": "Ingresa el dominio completo del recurso para ver las opciones disponibles.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Elige tu proveedor de identidad para continuar",
    "orgAuthNoIdpConfigured": "Esta organización no tiene ningún proveedor de identidad configurado. En su lugar puedes iniciar sesión con tu identidad de Pangolin.",
    "orgAuthSignInWithPangolin": "Iniciar sesión con Pangolin",
-    "orgAuthSignInToOrg": "Iniciar sesión en una organización",
+    "orgAuthSignInToOrg": "Proveedor de identidad de la organización (SSO)",
    "orgAuthSelectOrgTitle": "Inicio de sesión de organización",
    "orgAuthSelectOrgDescription": "Ingrese el ID de su organización para continuar",
    "orgAuthOrgIdPlaceholder": "tu-organización",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "No se permiten subdominios comodín.",
    "domainPickerWildcardCertWarning": "Los recursos comodín pueden requerir configuración adicional para funcionar correctamente.",
    "domainPickerWildcardCertWarningLink": "Más información",
-    "health": "Salud"
+    "health": "Salud",
+    "domainPendingErrorTitle": "Problema de verificación"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secrète",
+    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Nœuds",
    "siteWgAnyClients": "Utilisez n'importe quel client WireGuard pour vous connecter. Vous devrez adresser des ressources internes en utilisant l'adresse IP du pair.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Créer un compte administrateur",
    "setupErrorCreateAdmin": "Une erreur s'est produite lors de la création du compte administrateur du serveur.",
    "certificateStatus": "Certificat",
+    "certificateStatusAutoRefreshHint": "L'état se rafraîchit automatiquement.",
    "loading": "Chargement",
    "loadingAnalytics": "Chargement de l'analyse",
    "restart": "Redémarrer",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Voir les notes de publication",
    "newtUpdateAvailable": "Mise à jour disponible",
    "newtUpdateAvailableInfo": "Une nouvelle version de Newt est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
+    "pangolinNodeUpdateAvailableInfo": "Une nouvelle version de Pangolin Node est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
    "domainPickerEnterDomain": "Domaine",
    "domainPickerPlaceholder": "monapp.exemple.com",
    "domainPickerDescription": "Entrez le domaine complet de la ressource pour voir les options disponibles.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
    "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
    "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
-    "orgAuthSignInToOrg": "Se connecter à une organisation",
+    "orgAuthSignInToOrg": "Fournisseur d'identité d'organisation (SSO)",
    "orgAuthSelectOrgTitle": "Connexion à l'organisation",
    "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
    "orgAuthOrgIdPlaceholder": "votre-organisation",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Les sous-domaines Joker ne sont pas autorisés.",
    "domainPickerWildcardCertWarning": "Les ressources Joker peuvent nécessiter une configuration supplémentaire pour fonctionner correctement.",
    "domainPickerWildcardCertWarningLink": "En savoir plus",
-    "health": "Santé"
+    "health": "Santé",
+    "domainPendingErrorTitle": "Problème de vérification"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Segreto",
+    "newtVersion": "Versione",
    "architecture": "Architettura",
    "sites": "Siti",
    "siteWgAnyClients": "Usa qualsiasi client WireGuard per connetterti. Dovrai indirizzare le risorse interne utilizzando l'IP del peer.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Crea Account Admin",
    "setupErrorCreateAdmin": "Si è verificato un errore durante la creazione dell'account amministratore del server.",
    "certificateStatus": "Certificato",
+    "certificateStatusAutoRefreshHint": "Lo stato si aggiorna automaticamente.",
    "loading": "Caricamento",
    "loadingAnalytics": "Caricamento Delle Analisi",
    "restart": "Riavvia",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Visualizza Note Di Rilascio",
    "newtUpdateAvailable": "Aggiornamento Disponibile",
    "newtUpdateAvailableInfo": "È disponibile una nuova versione di Newt. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
+    "pangolinNodeUpdateAvailableInfo": "È disponibile una nuova versione di Pangolin Node. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Inserisci il dominio completo della risorsa per vedere le opzioni disponibili.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Scegli il tuo provider di identità per continuare",
    "orgAuthNoIdpConfigured": "Questa organizzazione non ha nessun provider di identità configurato. Puoi accedere con la tua identità Pangolin.",
    "orgAuthSignInWithPangolin": "Accedi con Pangolino",
-    "orgAuthSignInToOrg": "Accedi a un'organizzazione",
+    "orgAuthSignInToOrg": "Provider di identità dell'organizzazione (SSO)",
    "orgAuthSelectOrgTitle": "Accesso Organizzazione",
    "orgAuthSelectOrgDescription": "Inserisci l'ID dell'organizzazione per continuare",
    "orgAuthOrgIdPlaceholder": "la-tua-organizzazione",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "I sottodomini wildcard non sono permessi.",
    "domainPickerWildcardCertWarning": "Le risorse wildcard potrebbero richiedere configurazioni aggiuntive per funzionare correttamente.",
    "domainPickerWildcardCertWarningLink": "Scopri di più",
-    "health": "Salute"
+    "health": "Salute",
+    "domainPendingErrorTitle": "Problema di Verifica"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "엔드포인트",
    "newtId": "ID",
    "newtSecretKey": "비밀",
+    "newtVersion": "버전",
    "architecture": "아키텍처",
    "sites": "사이트",
    "siteWgAnyClients": "WireGuard 클라이언트를 사용하여 연결하십시오. 피어 IP를 사용하여 내부 리소스에 접근해야 합니다.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "관리자 계정 생성",
    "setupErrorCreateAdmin": "서버 관리자 계정을 생성하는 동안 오류가 발생했습니다.",
    "certificateStatus": "인증서",
+    "certificateStatusAutoRefreshHint": "상태가 자동으로 새로 고쳐집니다.",
    "loading": "로딩 중",
    "loadingAnalytics": "분석 로딩 중",
    "restart": "재시작",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "릴리스 노트 보기",
    "newtUpdateAvailable": "업데이트 가능",
    "newtUpdateAvailableInfo": "뉴트의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
+    "pangolinNodeUpdateAvailableInfo": "Pangolin Node의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
    "domainPickerEnterDomain": "도메인",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "리소스의 전체 도메인을 입력하여 사용 가능한 옵션을 확인하십시오.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
    "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
    "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
-    "orgAuthSignInToOrg": "조직에 로그인",
+    "orgAuthSignInToOrg": "조직 아이덴티티 제공자 (SSO)",
    "orgAuthSelectOrgTitle": "조직 로그인",
    "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "와일드카드 서브도메인은 허용되지 않습니다.",
    "domainPickerWildcardCertWarning": "와일드카드 리소스는 올바르게 작동하려면 추가 구성이 필요할 수 있습니다.",
    "domainPickerWildcardCertWarningLink": "자세히 알아보기",
-    "health": "건강"
+    "health": "건강",
+    "domainPendingErrorTitle": "확인 문제"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sikkerhetsnøkkel",
+    "newtVersion": "Versjon",
    "architecture": "Arkitektur",
    "sites": "Områder",
    "siteWgAnyClients": "Bruk hvilken som helst WireGuard klient til å koble til. Du må adressere interne ressurser ved hjelp av peer IP.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Opprett administratorkonto",
    "setupErrorCreateAdmin": "En feil oppstod under opprettelsen av serveradministratorkontoen.",
    "certificateStatus": "Sertifikat",
+    "certificateStatusAutoRefreshHint": "Status oppdateres automatisk.",
    "loading": "Laster inn",
    "loadingAnalytics": "Laster inn analyser",
    "restart": "Start på nytt",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Se utgivelsesnotater",
    "newtUpdateAvailable": "Oppdatering tilgjengelig",
    "newtUpdateAvailableInfo": "En ny versjon av Newt er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
+    "pangolinNodeUpdateAvailableInfo": "En ny versjon av Pangolin Node er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
    "domainPickerEnterDomain": "Domene",
    "domainPickerPlaceholder": "minapp.eksempel.no",
    "domainPickerDescription": "Skriv inn hele domenet til ressursen for å se tilgjengelige alternativer.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Velg din identitet leverandør for å fortsette",
    "orgAuthNoIdpConfigured": "Denne organisasjonen har ikke noen identitetstjeneste konfigurert. Du kan i stedet logge inn med Pangolin identiteten din.",
    "orgAuthSignInWithPangolin": "Logg inn med Pangolin",
-    "orgAuthSignInToOrg": "Logg inn på en organisasjon",
+    "orgAuthSignInToOrg": "Organisasjonens identitetsleverandør (SSO)",
    "orgAuthSelectOrgTitle": "Organisasjonsinnlogging",
    "orgAuthSelectOrgDescription": "Skriv inn organisasjons-ID-en din for å fortsette",
    "orgAuthOrgIdPlaceholder": "din-organisasjon",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Jokertegnsubdomener er ikke tillatt.",
    "domainPickerWildcardCertWarning": "Jokertegnressurser kan kreve ekstra konfigurasjon for å fungere skikkelig.",
    "domainPickerWildcardCertWarningLink": "Lær mer",
-    "health": "Helse"
+    "health": "Helse",
+    "domainPendingErrorTitle": "Verifiseringsproblem"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Geheim",
+    "newtVersion": "Versie",
    "architecture": "Architectuur",
    "sites": "Sites",
    "siteWgAnyClients": "Gebruik een willekeurige WireGuard client om verbinding te maken. Je zult interne bronnen moeten aanspreken met behulp van de peer IP.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Maak een beheeraccount aan",
    "setupErrorCreateAdmin": "Er is een fout opgetreden bij het maken van het serverbeheerdersaccount.",
    "certificateStatus": "Certificaat",
+    "certificateStatusAutoRefreshHint": "Status ververst automatisch.",
    "loading": "Bezig met laden",
    "loadingAnalytics": "Laden van Analytics",
    "restart": "Herstarten",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Uitgaveopmerkingen bekijken",
    "newtUpdateAvailable": "Update beschikbaar",
    "newtUpdateAvailableInfo": "Er is een nieuwe versie van Newt beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
+    "pangolinNodeUpdateAvailableInfo": "Er is een nieuwe versie van Pangolin Node beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
    "domainPickerEnterDomain": "Domein",
    "domainPickerPlaceholder": "mijnapp.voorbeeld.nl",
    "domainPickerDescription": "Voer de volledige domein van de bron in om beschikbare opties te zien.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
    "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
    "orgAuthSignInWithPangolin": "Log in met Pangolin",
-    "orgAuthSignInToOrg": "Log in bij een organisatie",
+    "orgAuthSignInToOrg": "Organisatie Identiteitsprovider (SSO)",
    "orgAuthSelectOrgTitle": "Organisatie Inloggen",
    "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
    "orgAuthOrgIdPlaceholder": "jouw-organisatie",
@@ -3167,7 +3170,7 @@
    "publicIpEndpoint": "Eindpunt",
    "lastTriggeredAt": "Laatste Trigger",
    "reject": "Afwijzen",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "{count} dagen geleden",
    "uptimeToday": "Vandaag",
    "uptimeNoDataAvailable": "Geen gegevens beschikbaar",
    "uptimeSuffix": "werktijd",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-subdomeinen zijn niet toegestaan.",
    "domainPickerWildcardCertWarning": "Wildcard-bronnen hebben mogelijk extra configuratie nodig om correct te werken.",
    "domainPickerWildcardCertWarningLink": "Meer informatie",
-    "health": "Gezondheid"
+    "health": "Gezondheid",
+    "domainPendingErrorTitle": "Verificatieprobleem"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sekret",
+    "newtVersion": "Wersja",
    "architecture": "Architektura",
    "sites": "Witryny",
    "siteWgAnyClients": "Użyj dowolnego klienta WireGuard, aby się połączyć. Będziesz musiał przekierować wewnętrzne zasoby za pomocą adresu IP.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Utwórz konto administratora",
    "setupErrorCreateAdmin": "Wystąpił błąd podczas tworzenia konta administratora serwera.",
    "certificateStatus": "Certyfikat",
+    "certificateStatusAutoRefreshHint": "Status odświeża się automatycznie.",
    "loading": "Ładowanie",
    "loadingAnalytics": "Ładowanie Analityki",
    "restart": "Uruchom ponownie",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobacz informacje o wydaniu",
    "newtUpdateAvailable": "Dostępna aktualizacja",
    "newtUpdateAvailableInfo": "Nowa wersja Newt jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
+    "pangolinNodeUpdateAvailableInfo": "Nowa wersja Pangolin Node jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
    "domainPickerEnterDomain": "Domena",
    "domainPickerPlaceholder": "mojapp.example.com",
    "domainPickerDescription": "Wpisz pełną domenę zasobu, aby zobaczyć dostępne opcje.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Wybierz swojego dostawcę tożsamości, aby kontynuować",
    "orgAuthNoIdpConfigured": "Ta organizacja nie ma skonfigurowanych żadnych dostawców tożsamości. Zamiast tego możesz zalogować się za pomocą swojej tożsamości Pangolin.",
    "orgAuthSignInWithPangolin": "Zaloguj się używając Pangolin",
-    "orgAuthSignInToOrg": "Zaloguj się do organizacji",
+    "orgAuthSignInToOrg": "Dostawca tożsamości organizacji (SSO)",
    "orgAuthSelectOrgTitle": "Logowanie do organizacji",
    "orgAuthSelectOrgDescription": "Wprowadź identyfikator organizacji, aby kontynuować",
    "orgAuthOrgIdPlaceholder": "twoja-organizacja",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Uniwersalne subdomeny nie są dozwolone.",
    "domainPickerWildcardCertWarning": "Uniwersalne zasoby mogą wymagać dodatkowej konfiguracji, aby działać poprawnie.",
    "domainPickerWildcardCertWarningLink": "Dowiedz się więcej",
-    "health": "Zdrowie"
+    "health": "Zdrowie",
+    "domainPendingErrorTitle": "Problem z weryfikacją"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Chave Secreta",
+    "newtVersion": "Versão",
    "architecture": "Arquitetura",
    "sites": "sites",
    "siteWgAnyClients": "Use qualquer cliente do WireGuard para se conectar. Você terá que endereçar recursos internos usando o IP de pares.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Criar Conta de Administrador",
    "setupErrorCreateAdmin": "Ocorreu um erro ao criar a conta de administrador do servidor.",
    "certificateStatus": "Certificado",
+    "certificateStatusAutoRefreshHint": "Status atualiza automaticamente.",
    "loading": "Carregando",
    "loadingAnalytics": "Carregando Analytics",
    "restart": "Reiniciar",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de versão",
    "newtUpdateAvailable": "Nova Atualização Disponível",
    "newtUpdateAvailableInfo": "Uma nova versão do Newt está disponível. Atualize para a versão mais recente para uma melhor experiência.",
+    "pangolinNodeUpdateAvailableInfo": "Uma nova versão do Pangolin Node está disponível. Atualize para a versão mais recente para uma melhor experiência.",
    "domainPickerEnterDomain": "Domínio",
    "domainPickerPlaceholder": "myapp.exemplo.com",
    "domainPickerDescription": "Insira o domínio completo do recurso para ver as opções disponíveis.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
    "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
    "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
-    "orgAuthSignInToOrg": "Fazer login em uma organização",
+    "orgAuthSignInToOrg": "Provedor de Identidade da Organização (SSO)",
    "orgAuthSelectOrgTitle": "Entrada da Organização",
    "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
    "orgAuthOrgIdPlaceholder": "sua-organização",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Subdomínios curinga não são permitidos.",
    "domainPickerWildcardCertWarning": "Recursos curinga podem exigir configurações adicionais para funcionarem corretamente.",
    "domainPickerWildcardCertWarningLink": "Saiba mais",
-    "health": "Saúde"
+    "health": "Saúde",
+    "domainPendingErrorTitle": "Problema de Verificação"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Секретный ключ",
+    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайты",
    "siteWgAnyClients": "Для подключения используйте любой клиент WireGuard. Вы должны будете адресовать внутренние ресурсы, используя IP адрес пира.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Создать учётную запись администратора",
    "setupErrorCreateAdmin": "Произошла ошибка при создании учётной записи администратора сервера.",
    "certificateStatus": "Сертификат",
+    "certificateStatusAutoRefreshHint": "Статус обновляется автоматически.",
    "loading": "Загрузка",
    "loadingAnalytics": "Загрузка аналитики",
    "restart": "Перезагрузка",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Просмотреть примечания к выпуску",
    "newtUpdateAvailable": "Доступно обновление",
    "newtUpdateAvailableInfo": "Доступна новая версия Newt. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
+    "pangolinNodeUpdateAvailableInfo": "Доступна новая версия Pangolin Node. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
    "domainPickerEnterDomain": "Домен",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Введите полный домен ресурса, чтобы увидеть доступные опции.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
    "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
    "orgAuthSignInWithPangolin": "Войти через Pangolin",
-    "orgAuthSignInToOrg": "Войти в организацию",
+    "orgAuthSignInToOrg": "Поставщик удостоверений организации (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организацию",
    "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
    "orgAuthOrgIdPlaceholder": "ваша-организация",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard поддомены не допускаются.",
    "domainPickerWildcardCertWarning": "Wildcard ресурсы могут потребовать дополнительной настройки для правильной работы.",
    "domainPickerWildcardCertWarningLink": "Узнать больше",
-    "health": "Состояние"
+    "health": "Состояние",
+    "domainPendingErrorTitle": "Проблема с подтверждением"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Uç Nokta",
    "newtId": "Kimlik",
    "newtSecretKey": "Gizli",
+    "newtVersion": "Sürüm",
    "architecture": "Mimari",
    "sites": "Siteler",
    "siteWgAnyClients": "Herhangi bir WireGuard istemcisi kullanarak bağlanın. Dahili kaynaklara eş IP adresini kullanarak erişmeniz gerekecek.",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "Yönetici Hesabı Oluştur",
    "setupErrorCreateAdmin": "Sunucu yönetici hesabı oluşturulurken bir hata oluştu.",
    "certificateStatus": "Sertifika",
+    "certificateStatusAutoRefreshHint": "Durum otomatik olarak yenilenir.",
    "loading": "Yükleniyor",
    "loadingAnalytics": "Analiz Yükleniyor",
    "restart": "Yeniden Başlat",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Yayın Notlarını Görüntüle",
    "newtUpdateAvailable": "Güncelleme Mevcut",
    "newtUpdateAvailableInfo": "Newt'in yeni bir versiyonu mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
+    "pangolinNodeUpdateAvailableInfo": "Pangolin Node'un yeni bir sürümü mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
    "domainPickerEnterDomain": "Alan Adı",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Mevcut seçenekleri görmek için kaynağın tam etki alanını girin.",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "Devam etmek için kimlik sağlayıcınızı seçin",
    "orgAuthNoIdpConfigured": "Bu kuruluşta yapılandırılmış kimlik sağlayıcı yok. Bunun yerine Pangolin kimliğinizle giriş yapabilirsiniz.",
    "orgAuthSignInWithPangolin": "Pangolin ile Giriş Yap",
-    "orgAuthSignInToOrg": "Bir kuruluşa giriş yapın",
+    "orgAuthSignInToOrg": "Kuruluş Kimlik Sağlayıcısı (SSO)",
    "orgAuthSelectOrgTitle": "Kuruluş Giriş",
    "orgAuthSelectOrgDescription": "Devam etmek için kuruluş kimliğinizi girin",
    "orgAuthOrgIdPlaceholder": "kuruluşunuz",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "Genel alt alanlara izin verilmiyor.",
    "domainPickerWildcardCertWarning": "Genel kaynaklar düzgün çalışmak için ek yapılandırma gerektirebilir.",
    "domainPickerWildcardCertWarningLink": "Daha fazla bilgi",
-    "health": "Sağlık"
+    "health": "Sağlık",
+    "domainPendingErrorTitle": "Doğrulama Sorunu"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -763,6 +763,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "密钥",
+    "newtVersion": "版本",
    "architecture": "架构",
    "sites": "站点",
    "siteWgAnyClients": "使用任何 WireGuard 客户端连接。您必须使用对等IP解决内部资源问题。",
@@ -1597,6 +1598,7 @@
    "createAdminAccount": "创建管理员帐户",
    "setupErrorCreateAdmin": "创建服务器管理员账户时发生错误。",
    "certificateStatus": "证书",
+    "certificateStatusAutoRefreshHint": "状态自动刷新。",
    "loading": "加载中",
    "loadingAnalytics": "加载分析",
    "restart": "重启",
@@ -1665,6 +1667,7 @@
    "pangolinUpdateAvailableReleaseNotes": "查看发布说明",
    "newtUpdateAvailable": "更新可用",
    "newtUpdateAvailableInfo": "新版本的 Newt 已可用。请更新到最新版本以获得最佳体验。",
+    "pangolinNodeUpdateAvailableInfo": "新版本的 Pangolin Node 已可用。请更新到最新版本以获得最佳体验。",
    "domainPickerEnterDomain": "域名",
    "domainPickerPlaceholder": "example.com",
    "domainPickerDescription": "输入资源的完整域名以查看可用选项。",
@@ -2352,7 +2355,7 @@
    "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
    "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
    "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
-    "orgAuthSignInToOrg": "登录到组织",
+    "orgAuthSignInToOrg": "组织身份提供商 (SSO)",
    "orgAuthSelectOrgTitle": "组织登录",
    "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
    "orgAuthOrgIdPlaceholder": "您的组织",
@@ -3200,5 +3203,6 @@
    "domainPickerWildcardSubdomainNotAllowed": "不允许使用通配符子域。",
    "domainPickerWildcardCertWarning": "通配符资源可能需要额外配置才能正常工作。",
    "domainPickerWildcardCertWarningLink": "了解更多",
-    "health": "健康"
+    "health": "健康",
+    "domainPendingErrorTitle": "验证问题"
 }
--- a/public/screenshots/hero.png
+++ b/public/screenshots/hero.png
--- a/public/screenshots/private-resources.png
+++ b/public/screenshots/private-resources.png
--- a/public/screenshots/public-resources.png
+++ b/public/screenshots/public-resources.png
--- a/public/screenshots/sites.png
+++ b/public/screenshots/sites.png
--- a/public/screenshots/user-devices.png
+++ b/public/screenshots/user-devices.png
--- a/public/screenshots/users.png
+++ b/public/screenshots/users.png
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -122,8 +122,6 @@ export enum ActionsEnum {
    createOrgDomain = "createOrgDomain",
    deleteOrgDomain = "deleteOrgDomain",
    restartOrgDomain = "restartOrgDomain",
-    sendUsageNotification = "sendUsageNotification",
-    sendTrialNotification = "sendTrialNotification",
    createRemoteExitNode = "createRemoteExitNode",
    updateRemoteExitNode = "updateRemoteExitNode",
    getRemoteExitNode = "getRemoteExitNode",
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -1,94 +1,53 @@
 {
-  "PowerMac4,4": "eMac",
-  "PowerMac6,4": "eMac",
-  "PowerBook2,1": "iBook",
-  "PowerBook2,2": "iBook",
-  "PowerBook4,1": "iBook",
-  "PowerBook4,2": "iBook",
-  "PowerBook4,3": "iBook",
-  "PowerBook6,3": "iBook",
-  "PowerBook6,5": "iBook",
-  "PowerBook6,7": "iBook",
-  "iMac,1": "iMac",
-  "PowerMac2,1": "iMac",
-  "PowerMac2,2": "iMac",
-  "PowerMac4,1": "iMac",
-  "PowerMac4,2": "iMac",
-  "PowerMac4,5": "iMac",
-  "PowerMac6,1": "iMac",
-  "PowerMac6,3*": "iMac",
-  "PowerMac6,3": "iMac",
-  "PowerMac8,1": "iMac",
-  "PowerMac8,2": "iMac",
-  "PowerMac12,1": "iMac",
-  "iMac4,1": "iMac",
-  "iMac4,2": "iMac",
-  "iMac5,2": "iMac",
-  "iMac5,1": "iMac",
-  "iMac6,1": "iMac",
-  "iMac7,1": "iMac",
-  "iMac8,1": "iMac",
-  "iMac9,1": "iMac",
-  "iMac10,1": "iMac",
-  "iMac11,1": "iMac",
-  "iMac11,2": "iMac",
-  "iMac11,3": "iMac",
-  "iMac12,1": "iMac",
-  "iMac12,2": "iMac",
-  "iMac13,1": "iMac",
-  "iMac13,2": "iMac",
-  "iMac14,1": "iMac",
-  "iMac14,3": "iMac",
-  "iMac14,2": "iMac",
-  "iMac14,4": "iMac",
-  "iMac15,1": "iMac",
-  "iMac16,1": "iMac",
-  "iMac16,2": "iMac",
-  "iMac17,1": "iMac",
-  "iMac18,1": "iMac",
-  "iMac18,2": "iMac",
-  "iMac18,3": "iMac",
-  "iMac19,2": "iMac",
-  "iMac19,1": "iMac",
-  "iMac20,1": "iMac",
-  "iMac20,2": "iMac",
-  "iMac21,2": "iMac",
-  "iMac21,1": "iMac",
-  "iMacPro1,1": "iMac Pro",
-  "PowerMac10,1": "Mac mini",
-  "PowerMac10,2": "Mac mini",
-  "Macmini1,1": "Mac mini",
-  "Macmini2,1": "Mac mini",
-  "Macmini3,1": "Mac mini",
-  "Macmini4,1": "Mac mini",
-  "Macmini5,1": "Mac mini",
-  "Macmini5,2": "Mac mini",
-  "Macmini5,3": "Mac mini",
-  "Macmini6,1": "Mac mini",
-  "Macmini6,2": "Mac mini",
-  "Macmini7,1": "Mac mini",
-  "Macmini8,1": "Mac mini",
  "ADP3,2": "Mac mini",
-  "Macmini9,1": "Mac mini",
-  "Mac14,3": "Mac mini",
-  "Mac14,12": "Mac mini",
-  "MacPro1,1*": "Mac Pro",
-  "MacPro2,1": "Mac Pro",
-  "MacPro3,1": "Mac Pro",
-  "MacPro4,1": "Mac Pro",
-  "MacPro5,1": "Mac Pro",
-  "MacPro6,1": "Mac Pro",
-  "MacPro7,1": "Mac Pro",
-  "N/A*": "Power Macintosh",
-  "PowerMac1,1": "Power Macintosh",
-  "PowerMac3,1": "Power Macintosh",
-  "PowerMac3,3": "Power Macintosh",
-  "PowerMac3,4": "Power Macintosh",
-  "PowerMac3,5": "Power Macintosh",
-  "PowerMac3,6": "Power Macintosh",
  "Mac13,1": "Mac Studio",
  "Mac13,2": "Mac Studio",
+  "Mac14,10": "MacBook Pro",
+  "Mac14,12": "Mac mini",
+  "Mac14,13": "Mac Studio",
+  "Mac14,14": "Mac Studio",
+  "Mac14,15": "MacBook Air",
+  "Mac14,2": "MacBook Air",
+  "Mac14,3": "Mac mini",
+  "Mac14,5": "MacBook Pro",
+  "Mac14,6": "MacBook Pro",
+  "Mac14,7": "MacBook Pro",
+  "Mac14,8": "Mac Pro",
+  "Mac14,9": "MacBook Pro",
+  "Mac15,10": "MacBook Pro",
+  "Mac15,11": "MacBook Pro",
+  "Mac15,12": "MacBook Air",
+  "Mac15,13": "MacBook Air",
+  "Mac15,14": "Mac Studio",
+  "Mac15,3": "MacBook Pro",
+  "Mac15,4": "iMac",
+  "Mac15,5": "iMac",
+  "Mac15,6": "MacBook Pro",
+  "Mac15,7": "MacBook Pro",
+  "Mac15,8": "MacBook Pro",
+  "Mac15,9": "MacBook Pro",
+  "Mac16,1": "MacBook Pro",
+  "Mac16,10": "Mac mini",
+  "Mac16,11": "Mac mini",
+  "Mac16,12": "MacBook Air",
+  "Mac16,13": "MacBook Air",
+  "Mac16,2": "iMac",
+  "Mac16,3": "iMac",
+  "Mac16,5": "MacBook Pro",
+  "Mac16,6": "MacBook Pro",
+  "Mac16,7": "MacBook Pro",
+  "Mac16,8": "MacBook Pro",
+  "Mac16,9": "Mac Studio",
+  "Mac17,2": "MacBook Pro",
+  "Mac17,3": "MacBook Air",
+  "Mac17,4": "MacBook Air",
+  "Mac17,5": "MacBook Neo",
+  "Mac17,6": "MacBook Pro",
+  "Mac17,7": "MacBook Pro",
+  "Mac17,8": "MacBook Pro",
+  "Mac17,9": "MacBook Pro",
  "MacBook1,1": "MacBook",
+  "MacBook10,1": "MacBook",
  "MacBook2,1": "MacBook",
  "MacBook3,1": "MacBook",
  "MacBook4,1": "MacBook",
@@ -98,8 +57,8 @@
  "MacBook7,1": "MacBook",
  "MacBook8,1": "MacBook",
  "MacBook9,1": "MacBook",
-  "MacBook10,1": "MacBook",
  "MacBookAir1,1": "MacBook Air",
+  "MacBookAir10,1": "MacBook Air",
  "MacBookAir2,1": "MacBook Air",
  "MacBookAir3,1": "MacBook Air",
  "MacBookAir3,2": "MacBook Air",
@@ -114,88 +73,163 @@
  "MacBookAir8,1": "MacBook Air",
  "MacBookAir8,2": "MacBook Air",
  "MacBookAir9,1": "MacBook Air",
-  "MacBookAir10,1": "MacBook Air",
-  "Mac14,2": "MacBook Air",
  "MacBookPro1,1": "MacBook Pro",
  "MacBookPro1,2": "MacBook Pro",
-  "MacBookPro2,2": "MacBook Pro",
-  "MacBookPro2,1": "MacBook Pro",
-  "MacBookPro3,1": "MacBook Pro",
-  "MacBookPro4,1": "MacBook Pro",
-  "MacBookPro5,1": "MacBook Pro",
-  "MacBookPro5,2": "MacBook Pro",
-  "MacBookPro5,5": "MacBook Pro",
-  "MacBookPro5,4": "MacBook Pro",
-  "MacBookPro5,3": "MacBook Pro",
-  "MacBookPro7,1": "MacBook Pro",
-  "MacBookPro6,2": "MacBook Pro",
-  "MacBookPro6,1": "MacBook Pro",
-  "MacBookPro8,1": "MacBook Pro",
-  "MacBookPro8,2": "MacBook Pro",
-  "MacBookPro8,3": "MacBook Pro",
-  "MacBookPro9,2": "MacBook Pro",
-  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro10,1": "MacBook Pro",
  "MacBookPro10,2": "MacBook Pro",
  "MacBookPro11,1": "MacBook Pro",
  "MacBookPro11,2": "MacBook Pro",
  "MacBookPro11,3": "MacBook Pro",
-  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro11,4": "MacBook Pro",
  "MacBookPro11,5": "MacBook Pro",
+  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro13,1": "MacBook Pro",
  "MacBookPro13,2": "MacBook Pro",
  "MacBookPro13,3": "MacBook Pro",
  "MacBookPro14,1": "MacBook Pro",
  "MacBookPro14,2": "MacBook Pro",
  "MacBookPro14,3": "MacBook Pro",
-  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,1": "MacBook Pro",
+  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,3": "MacBook Pro",
  "MacBookPro15,4": "MacBook Pro",
  "MacBookPro16,1": "MacBook Pro",
-  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,2": "MacBook Pro",
+  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,4": "MacBook Pro",
  "MacBookPro17,1": "MacBook Pro",
-  "MacBookPro18,3": "MacBook Pro",
-  "MacBookPro18,4": "MacBook Pro",
  "MacBookPro18,1": "MacBook Pro",
  "MacBookPro18,2": "MacBook Pro",
-  "Mac14,7": "MacBook Pro",
-  "Mac14,9": "MacBook Pro",
-  "Mac14,5": "MacBook Pro",
-  "Mac14,10": "MacBook Pro",
-  "Mac14,6": "MacBook Pro",
-  "PowerMac1,2": "Power Macintosh",
-  "PowerMac5,1": "Power Macintosh",
-  "PowerMac7,2": "Power Macintosh",
-  "PowerMac7,3": "Power Macintosh",
-  "PowerMac9,1": "Power Macintosh",
-  "PowerMac11,2": "Power Macintosh",
+  "MacBookPro18,3": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
+  "MacBookPro4,1": "MacBook Pro",
+  "MacBookPro5,1": "MacBook Pro",
+  "MacBookPro5,2": "MacBook Pro",
+  "MacBookPro5,3": "MacBook Pro",
+  "MacBookPro5,4": "MacBook Pro",
+  "MacBookPro5,5": "MacBook Pro",
+  "MacBookPro6,1": "MacBook Pro",
+  "MacBookPro6,2": "MacBook Pro",
+  "MacBookPro7,1": "MacBook Pro",
+  "MacBookPro8,1": "MacBook Pro",
+  "MacBookPro8,2": "MacBook Pro",
+  "MacBookPro8,3": "MacBook Pro",
+  "MacBookPro9,1": "MacBook Pro",
+  "MacBookPro9,2": "MacBook Pro",
+  "MacPro1,1": "Mac Pro",
+  "MacPro2,1": "Mac Pro",
+  "MacPro3,1": "Mac Pro",
+  "MacPro4,1": "Mac Pro",
+  "MacPro5,1": "Mac Pro",
+  "MacPro6,1": "Mac Pro",
+  "MacPro7,1": "Mac Pro",
+  "Macmini1,1": "Mac mini",
+  "Macmini2,1": "Mac mini",
+  "Macmini3,1": "Mac mini",
+  "Macmini4,1": "Mac mini",
+  "Macmini5,1": "Mac mini",
+  "Macmini5,2": "Mac mini",
+  "Macmini5,3": "Mac mini",
+  "Macmini6,1": "Mac mini",
+  "Macmini6,2": "Mac mini",
+  "Macmini7,1": "Mac mini",
+  "Macmini8,1": "Mac mini",
+  "Macmini9,1": "Mac mini",
  "PowerBook1,1": "PowerBook",
+  "PowerBook2,1": "iBook",
+  "PowerBook2,2": "iBook",
  "PowerBook3,1": "PowerBook",
  "PowerBook3,2": "PowerBook",
  "PowerBook3,3": "PowerBook",
  "PowerBook3,4": "PowerBook",
  "PowerBook3,5": "PowerBook",
-  "PowerBook6,1": "PowerBook",
+  "PowerBook4,1": "iBook",
+  "PowerBook4,2": "iBook",
+  "PowerBook4,3": "iBook",
  "PowerBook5,1": "PowerBook",
-  "PowerBook6,2": "PowerBook",
  "PowerBook5,2": "PowerBook",
  "PowerBook5,3": "PowerBook",
-  "PowerBook6,4": "PowerBook",
  "PowerBook5,4": "PowerBook",
  "PowerBook5,5": "PowerBook",
-  "PowerBook6,8": "PowerBook",
  "PowerBook5,6": "PowerBook",
  "PowerBook5,7": "PowerBook",
  "PowerBook5,8": "PowerBook",
  "PowerBook5,9": "PowerBook",
+  "PowerBook6,1": "PowerBook",
+  "PowerBook6,2": "PowerBook",
+  "PowerBook6,3": "iBook",
+  "PowerBook6,4": "PowerBook",
+  "PowerBook6,5": "iBook",
+  "PowerBook6,7": "iBook",
+  "PowerBook6,8": "PowerBook",
+  "PowerMac1,1": "Power Macintosh",
+  "PowerMac1,2": "Power Macintosh",
+  "PowerMac10,1": "Mac mini",
+  "PowerMac10,2": "Mac mini",
+  "PowerMac11,2": "Power Macintosh",
+  "PowerMac12,1": "iMac",
+  "PowerMac2,1": "iMac",
+  "PowerMac2,2": "iMac",
+  "PowerMac3,1": "Mac Server",
+  "PowerMac3,3": "Power Macintosh",
+  "PowerMac3,4": "Power Macintosh",
+  "PowerMac3,5": "Power Macintosh",
+  "PowerMac3,6": "Power Macintosh",
+  "PowerMac4,1": "iMac",
+  "PowerMac4,2": "iMac",
+  "PowerMac4,4": "eMac",
+  "PowerMac4,5": "iMac",
+  "PowerMac5,1": "Power Macintosh",
+  "PowerMac6,1": "iMac",
+  "PowerMac6,3": "iMac",
+  "PowerMac6,4": "eMac",
+  "PowerMac7,2": "Power Macintosh",
+  "PowerMac7,3": "Power Macintosh",
+  "PowerMac8,1": "iMac",
+  "PowerMac8,2": "iMac",
+  "PowerMac9,1": "Power Macintosh",
  "RackMac1,1": "Xserve",
  "RackMac1,2": "Xserve",
  "RackMac3,1": "Xserve",
  "Xserve1,1": "Xserve",
  "Xserve2,1": "Xserve",
-  "Xserve3,1": "Xserve"
-}
+  "Xserve3,1": "Xserve",
+  "iMac,1": "iMac",
+  "iMac10,1": "iMac",
+  "iMac11,1": "iMac",
+  "iMac11,2": "iMac",
+  "iMac11,3": "iMac",
+  "iMac12,1": "iMac",
+  "iMac12,2": "iMac",
+  "iMac13,1": "iMac",
+  "iMac13,2": "iMac",
+  "iMac14,1": "iMac",
+  "iMac14,2": "iMac",
+  "iMac14,3": "iMac",
+  "iMac14,4": "iMac",
+  "iMac15,1": "iMac",
+  "iMac16,1": "iMac",
+  "iMac16,2": "iMac",
+  "iMac17,1": "iMac",
+  "iMac18,1": "iMac",
+  "iMac18,2": "iMac",
+  "iMac18,3": "iMac",
+  "iMac19,1": "iMac",
+  "iMac19,2": "iMac",
+  "iMac20,1": "iMac",
+  "iMac20,2": "iMac",
+  "iMac21,1": "iMac",
+  "iMac21,2": "iMac",
+  "iMac4,1": "iMac",
+  "iMac4,2": "iMac",
+  "iMac5,1": "iMac",
+  "iMac5,2": "iMac",
+  "iMac6,1": "iMac",
+  "iMac7,1": "iMac",
+  "iMac8,1": "iMac",
+  "iMac9,1": "iMac",
+  "iMacPro1,1": "iMac Pro"
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -566,6 +566,17 @@ export const alertWebhookActions = pgTable("alertWebhookActions", {
    lastSentAt: bigint("lastSentAt", { mode: "number" }) // nullable
 });

+export const trialNotifications = pgTable("trialNotifications", {
+    notificationId: serial("notificationId").primaryKey(),
+    subscriptionId: varchar("subscriptionId", { length: 255 })
+        .notNull()
+        .references(() => subscriptions.subscriptionId, {
+            onDelete: "cascade"
+        }),
+    notificationType: varchar("notificationType", { length: 50 }).notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
+    sentAt: bigint("sentAt", { mode: "number" }).notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -604,3 +615,12 @@ export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
 export type AlertResources = InferSelectModel<typeof alertResources>;
+export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
+export type AlertSites = InferSelectModel<typeof alertSites>;
+export type AlertRules = InferSelectModel<typeof alertRules>;
+export type AlertEmailActions = InferSelectModel<typeof alertEmailActions>;
+export type AlertEmailRecipients = InferSelectModel<
+    typeof alertEmailRecipients
+>;
+export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
+export type TrialNotification = InferSelectModel<typeof trialNotifications>;
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -21,6 +21,9 @@ import {
    targetHealthCheck,
    users
 } from "./schema";
+import { serial, varchar } from "drizzle-orm/mysql-core";
+import { pgTable } from "drizzle-orm/pg-core";
+import { bigint } from "zod";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -569,6 +572,19 @@ export const alertWebhookActions = sqliteTable("alertWebhookActions", {
    lastSentAt: integer("lastSentAt")
 });

+export const trialNotifications = sqliteTable("trialNotifications", {
+    notificationId: integer("notificationId").primaryKey({
+        autoIncrement: true
+    }),
+    subscriptionId: text("subscriptionId")
+        .notNull()
+        .references(() => subscriptions.subscriptionId, {
+            onDelete: "cascade"
+        }),
+    notificationType: text("notificationType").notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
+    sentAt: integer("sentAt").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -601,3 +617,10 @@ export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
 export type AlertResources = InferSelectModel<typeof alertResources>;
+export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
+export type AlertSites = InferSelectModel<typeof alertSites>;
+export type AlertRule = InferSelectModel<typeof alertRules>;
+export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
+export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
+export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
+export type TrialNotification = InferSelectModel<typeof trialNotifications>;
--- a/server/emails/templates/NotifyTrialExpiring.tsx
+++ b/server/emails/templates/NotifyTrialExpiring.tsx
@@ -64,7 +64,7 @@ export const NotifyTrialExpiring = ({

                                <EmailText>
                                    Some features and resources may now be
-                                    restricted or disconnected. To restore full
+                                    restricted. To restore full
                                    access and continue using all the features
                                    you had during your trial, please upgrade to
                                    a paid plan.
@@ -85,7 +85,7 @@ export const NotifyTrialExpiring = ({
                                    <strong>{orgName}</strong> will end on{" "}
                                    <strong>{trialEndsAt}</strong>
                                    {isLastDay
-                                        ? " — that's tomorrow!"
+                                        ? " - that's tomorrow!"
                                        : `, in ${daysRemaining} days`}
                                    .
                                </EmailText>
@@ -93,8 +93,7 @@ export const NotifyTrialExpiring = ({
                                <EmailText>
                                    After your trial ends, your account will be
                                    moved to the free plan and some
-                                    functionality may be restricted or your
-                                    sites may disconnect.
+                                    functionality may be restricted.
                                </EmailText>

                                <EmailText>
--- a/server/lib/alerts/events/healthCheckEvents.ts
+++ b/server/lib/alerts/events/healthCheckEvents.ts
@@ -1,27 +1,153 @@
-// stub
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import {
+    db,
+    statusHistory,
+    targetHealthCheck,
+    targets,
+    resources,
+    Transaction,
+    logsDb
+} from "@server/db";
+import { eq } from "drizzle-orm";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+import {
+    fireResourceDegradedAlert,
+    fireResourceHealthyAlert,
+    fireResourceUnhealthyAlert,
+    fireResourceUnknownAlert
+} from "./resourceEvents";

+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `health_check_healthy` alert for the given health check.
+ *
+ * Call this after a previously-failing health check has recovered so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId         - Organisation that owns the health check.
+ * @param healthCheckId - Numeric primary key of the health check.
+ * @param healthCheckName - Human-readable name shown in notifications (optional).
+ * @param extra         - Any additional key/value pairs to include in the payload.
+ */
 export async function fireHealthCheckHealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "healthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "health_check_healthy",
+            orgId,
+            healthCheckId,
+            data: {
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "health_check_toggle",
+            orgId,
+            healthCheckId,
+            data: {
+                healthCheckId,
+                status: "healthy",
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
 }

+/**
+ * Fire a `health_check_unhealthy` alert for the given health check.
+ *
+ * Call this after a health check has been detected as failing so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId         - Organisation that owns the health check.
+ * @param healthCheckId - Numeric primary key of the health check.
+ * @param healthCheckName - Human-readable name shown in notifications (optional).
+ * @param extra         - Any additional key/value pairs to include in the payload.
+ */
 export async function fireHealthCheckUnhealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "unhealthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "health_check_unhealthy",
+            orgId,
+            healthCheckId,
+            data: {
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "health_check_toggle",
+            orgId,
+            healthCheckId,
+            data: {
+                healthCheckId,
+                status: "unhealthy",
+                ...(healthCheckName != null ? { healthCheckName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
 }

 export async function fireHealthCheckUnknownAlert(
@@ -31,7 +157,137 @@ export async function fireHealthCheckUnknownAlert(
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "health_check",
+            entityId: healthCheckId,
+            orgId: orgId,
+            status: "unknown",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("health_check", healthCheckId);
+
+        await handleResource(orgId, healthCheckTargetId, send, trx);
+
+        if (!send) {
+            return;
+        }
+    } catch (err) {
+        logger.error(
+            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
+            err
+        );
+    }
+}
+
+async function handleResource(
+    orgId: string,
+    healthCheckTargetId?: number | null,
+    send: boolean = true,
+    trx: Transaction | typeof db = db
+) {
+    if (!healthCheckTargetId) {
+        return;
+    }
+    // we have targets lets get them
+    const [target] = await trx
+        .select()
+        .from(targets)
+        .where(eq(targets.targetId, healthCheckTargetId))
+        .limit(1);
+
+    if (!target) {
+        return;
+    }
+
+    const [resource] = await trx
+        .select()
+        .from(resources)
+        .where(eq(resources.resourceId, target.resourceId))
+        .limit(1);
+
+    if (!resource) {
+        return;
+    }
+
+    const otherTargets = await trx
+        .select({ hcHealth: targetHealthCheck.hcHealth })
+        .from(targets)
+        .innerJoin(
+            targetHealthCheck,
+            eq(targetHealthCheck.targetId, targets.targetId)
+        )
+        .where(eq(targets.resourceId, resource.resourceId));
+
+    let health = "healthy";
+    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
+    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
+    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
+
+    if (allUnknown) {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
+        );
+        health = "unknown";
+    } else if (allHealthy) {
+        health = "healthy";
+    } else if (allUnhealthy) {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
+        );
+        health = "unhealthy";
+    } else {
+        logger.debug(
+            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
+        );
+        health = "degraded";
+    }
+
+    if (health != resource.health) {
+        // it changed
+        await trx
+            .update(resources)
+            .set({ health })
+            .where(eq(resources.resourceId, resource.resourceId));
+
+        if (health === "unknown") {
+            await fireResourceUnknownAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "unhealthy") {
+            await fireResourceUnhealthyAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "healthy") {
+            await fireResourceHealthyAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        } else if (health === "degraded") {
+            await fireResourceDegradedAlert(
+                orgId,
+                resource.resourceId,
+                resource.name,
+                undefined,
+                send,
+                trx
+            );
+        }
+    }
 }
--- a/server/lib/alerts/events/resourceEvents.ts
+++ b/server/lib/alerts/events/resourceEvents.ts
@@ -1,26 +1,243 @@
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import { db, logsDb, statusHistory, Transaction } from "@server/db";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `resource_healthy` alert for the given resource.
+ *
+ * Call this after a previously-unhealthy resource has recovered so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
 export async function fireResourceHealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "healthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);

+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_healthy",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "healthy",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_unhealthy` alert for the given resource.
+ *
+ * Call this after a resource has been detected as unhealthy so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
 export async function fireResourceUnhealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "unhealthy",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);

-export async function fireResourceToggleAlert(
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_unhealthy",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "unhealthy",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_degraded` alert for the given resource.
+ *
+ * Call this after a resource has been detected as degraded so that any
+ * matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
+export async function fireResourceDegradedAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
-): Promise<void> {}
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "degraded",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_degraded",
+            orgId,
+            resourceId,
+            data: {
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "degraded",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
+
+/**
+ * Fire a `resource_unknown` alert for the given resource.
+ *
+ * Call this when all health checks on a resource are disabled so that the
+ * resource status transitions to unknown.
+ *
+ * @param orgId        - Organisation that owns the resource.
+ * @param resourceId   - Numeric primary key of the resource.
+ * @param resourceName - Human-readable name shown in notifications (optional).
+ * @param extra        - Any additional key/value pairs to include in the payload.
+ */
+export async function fireResourceUnknownAlert(
+    orgId: string,
+    resourceId: number,
+    resourceName?: string | null,
+    extra?: Record<string, unknown>,
+    send: boolean = true,
+    trx: Transaction | typeof db = db
+): Promise<void> {
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "resource",
+            entityId: resourceId,
+            orgId: orgId,
+            status: "unknown",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("resource", resourceId);
+
+        if (!send) {
+            return;
+        }
+
+        await processAlerts({
+            eventType: "resource_toggle",
+            orgId,
+            resourceId,
+            data: {
+                resourceId,
+                status: "unknown",
+                ...(resourceName != null ? { resourceName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
+            err
+        );
+    }
+}
--- a/server/lib/alerts/events/siteEvents.ts
+++ b/server/lib/alerts/events/siteEvents.ts
@@ -1,21 +1,156 @@
-// stub
+import logger from "@server/logger";
+import { processAlerts } from "#dynamic/lib/alerts";
+import {
+    db,
+    logsDb,
+    statusHistory,
+    targetHealthCheck,
+    Transaction
+} from "@server/db";
+import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
+import { and, eq, inArray } from "drizzle-orm";
+import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";

+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Fire a `site_online` alert for the given site.
+ *
+ * Call this after the site has been confirmed reachable / connected so that
+ * any matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId    - Organisation that owns the site.
+ * @param siteId   - Numeric primary key of the site.
+ * @param siteName - Human-readable name shown in notifications (optional).
+ * @param extra    - Any additional key/value pairs to include in the payload.
+ */
 export async function fireSiteOnlineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "site",
+            entityId: siteId,
+            orgId: orgId,
+            status: "online",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("site", siteId);
+
+        await processAlerts({
+            eventType: "site_online",
+            orgId,
+            siteId,
+            data: {
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "site_toggle",
+            orgId,
+            siteId,
+            data: {
+                siteId,
+                status: "online",
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
+            err
+        );
+    }
 }

+/**
+ * Fire a `site_offline` alert for the given site.
+ *
+ * Call this after the site has been detected as unreachable / disconnected so
+ * that any matching `alertRules` can dispatch their email and webhook actions.
+ *
+ * @param orgId    - Organisation that owns the site.
+ * @param siteId   - Numeric primary key of the site.
+ * @param siteName - Human-readable name shown in notifications (optional).
+ * @param extra    - Any additional key/value pairs to include in the payload.
+ */
 export async function fireSiteOfflineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
-}
+    try {
+        await logsDb.insert(statusHistory).values({
+            entityType: "site",
+            entityId: siteId,
+            orgId: orgId,
+            status: "offline",
+            timestamp: Math.floor(Date.now() / 1000)
+        });
+        await invalidateStatusHistoryCache("site", siteId);
+
+        const unhealthyHealthChecks = await trx
+            .update(targetHealthCheck)
+            .set({ hcHealth: "unhealthy" })
+            .where(
+                and(
+                    eq(targetHealthCheck.orgId, orgId),
+                    eq(targetHealthCheck.siteId, siteId),
+                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
+                )
+            )
+            .returning();
+
+        for (const healthCheck of unhealthyHealthChecks) {
+            logger.info(
+                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
+            );
+
+            await fireHealthCheckUnhealthyAlert(
+                healthCheck.orgId,
+                healthCheck.targetHealthCheckId,
+                healthCheck.name,
+                healthCheck.targetId, // for the resource if we have one
+                undefined,
+                true,
+                trx
+            );
+        }
+
+        await processAlerts({
+            eventType: "site_offline",
+            orgId,
+            siteId,
+            data: {
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+        await processAlerts({
+            eventType: "site_toggle",
+            orgId,
+            siteId,
+            data: {
+                siteId,
+                status: "offline",
+                ...(siteName != null ? { siteName } : {}),
+                ...extra
+            }
+        });
+    } catch (err) {
+        logger.error(
+            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
+            err
+        );
+    }
+}
--- a/server/lib/alerts/index.ts
+++ b/server/lib/alerts/index.ts
@@ -1,3 +1,4 @@
 export * from "./events/siteEvents";
 export * from "./events/healthCheckEvents";
 export * from "./events/resourceEvents";
+export * from "./processAlerts";
--- a/server/lib/alerts/processAlerts.ts
+++ b/server/lib/alerts/processAlerts.ts
@@ -0,0 +1,5 @@
+import { AlertContext } from "@server/routers/alertRule/types";
+
+export async function processAlerts(context: AlertContext): Promise<void> {
+    return;
+}
--- a/server/lib/billing/getOrgTierData.ts
+++ b/server/lib/billing/getOrgTierData.ts
@@ -1,8 +1,9 @@
 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: string | null; active: boolean }> {
+): Promise<{ tier: string | null; active: boolean; isTrial: boolean }> {
    const tier = null;
    const active = false;
+    const isTrial = false;

-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -25,7 +25,7 @@ export const tier1LimitSet: LimitSet = {

 export const tier2LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 100,
+        value: 50,
        description: "Team limit"
    },
    [FeatureId.SITES]: {
@@ -48,7 +48,7 @@ export const tier2LimitSet: LimitSet = {

 export const tier3LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 500,
+        value: 250,
        description: "Business limit"
    },
    [FeatureId.SITES]: {
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -64,7 +64,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.SIEM]: ["enterprise"],
    [TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
-    [TierFeature.StandaloneHealthChecks]: ["tier2", "tier3", "enterprise"],
-    [TierFeature.AlertingRules]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
+    [TierFeature.AlertingRules]: ["tier3", "enterprise"],
    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
 };
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -131,41 +131,22 @@ export async function updateClientResources(
            : [];

        const allSites: { siteId: number }[] = [];
+
        if (resourceData.site) {
-            let siteSingle;
-            const resourceSiteId = resourceData.site;
-
-            if (resourceSiteId) {
-                // Look up site by niceId
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(
-                            eq(sites.niceId, resourceSiteId),
-                            eq(sites.orgId, orgId)
-                        )
+            // Look up site by niceId
+            const [siteSingle] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(
+                    and(
+                        eq(sites.niceId, resourceData.site),
+                        eq(sites.orgId, orgId)
                    )
-                    .limit(1);
-            } else if (siteId) {
-                // Use the provided siteId directly, but verify it belongs to the org
-                [siteSingle] = await trx
-                    .select({ siteId: sites.siteId })
-                    .from(sites)
-                    .where(
-                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
-                    )
-                    .limit(1);
-            } else {
-                throw new Error(`Target site is required`);
+                )
+                .limit(1);
+            if (siteSingle) {
+                allSites.push(siteSingle);
            }
-
-            if (!siteSingle) {
-                throw new Error(
-                    `Site not found: ${resourceSiteId} in org ${orgId}`
-                );
-            }
-            allSites.push(siteSingle);
        }

        if (resourceData.sites) {
@@ -180,15 +161,31 @@ export async function updateClientResources(
                        )
                    )
                    .limit(1);
-                if (!site) {
-                    throw new Error(
-                        `Site not found: ${siteId} in org ${orgId}`
-                    );
+                if (site) {
+                    allSites.push(site);
                }
-                allSites.push(site);
            }
        }

+        if (siteId && allSites.length === 0) {
+            // only add if there are not provided sites
+            // Use the provided siteId directly, but verify it belongs to the org
+            const [siteSingle] = await trx
+                .select({ siteId: sites.siteId })
+                .from(sites)
+                .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+                .limit(1);
+            if (siteSingle) {
+                allSites.push(siteSingle);
+            }
+        }
+
+        if (allSites.length === 0) {
+            throw new Error(
+                `No valid sites found for private private resource ${resourceNiceId} in org ${orgId}`
+            );
+        }
+
        if (existingResource) {
            let domainInfo:
                | { subdomain: string | null; domainId: string }
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -34,7 +34,7 @@ import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
 import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { fireHealthCheckUnknownAlert } from "#dynamic/lib/alerts";
+import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";

 export type ProxyResourcesResults = {
@@ -165,7 +165,8 @@ export async function updateProxyResources(
                    hcStatus: healthcheckData?.status,
                    hcHealth: "unknown",
                    hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
-                    hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                    hcUnhealthyThreshold:
+                        healthcheckData?.["unhealthy-threshold"]
                })
                .returning();

@@ -544,8 +545,10 @@ export async function updateProxyResources(
                                healthcheckData?.["follow-redirects"],
                            hcMethod: healthcheckData?.method,
                            hcStatus: healthcheckData?.status,
-                            hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
-                            hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                            hcHealthyThreshold:
+                                healthcheckData?.["healthy-threshold"],
+                            hcUnhealthyThreshold:
+                                healthcheckData?.["unhealthy-threshold"]
                        })
                        .where(
                            eq(
@@ -1120,8 +1123,10 @@ function checkIfHealthcheckChanged(
        JSON.stringify(incoming.hcHeaders)
    )
        return true;
-    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold) return true;
-    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold) return true;
+    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold)
+        return true;
+    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold)
+        return true;

    return false;
 }
@@ -1184,7 +1189,11 @@ async function getDomainId(
    orgId: string,
    fullDomain: string,
    trx: Transaction
-): Promise<{ subdomain: string | null; domainId: string; wildcard: boolean } | null> {
+): Promise<{
+    subdomain: string | null;
+    domainId: string;
+    wildcard: boolean;
+} | null> {
    const isWildcardFullDomain = fullDomain.startsWith("*.");

    const possibleDomains = await trx
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.0";
+export const APP_VERSION = "1.18.2";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -535,6 +535,24 @@ export class TraefikConfigManager {
                        if (match && match[1]) {
                            domains.add(match[1]);
                        }
+                        // Match HostRegexp(`^[^.]+\.parent.domain$`) generated for wildcard resources
+                        const hostRegexpMatch = router.rule.match(
+                            /HostRegexp\(`([^`]+)`\)/
+                        );
+                        if (hostRegexpMatch && hostRegexpMatch[1]) {
+                            const innerRegex = hostRegexpMatch[1];
+                            // Pattern is always ^[^.]+\.PARENT_DOMAIN$ where dots are escaped as \.
+                            const domainMatch = innerRegex.match(
+                                /^\^\[\^\.\]\+\\\.(.+)\$$/
+                            );
+                            if (domainMatch && domainMatch[1]) {
+                                const parentDomain = domainMatch[1].replace(
+                                    /\\\./g,
+                                    "."
+                                );
+                                domains.add(`*.${parentDomain}`);
+                            }
+                        }
                    }
                }
            }
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -12,6 +12,7 @@
 */

 import fs from "fs";
+import path from "path";
 import crypto from "crypto";
 import {
    certificates,
@@ -250,71 +251,129 @@ function extractFirstCert(pemBundle: string): string | null {
    return match ? match[0] : null;
 }

-async function syncAcmeCerts(
-    acmeJsonPath: string,
-    resolver: string
-): Promise<void> {
-    let raw: string;
-    try {
-        raw = fs.readFileSync(acmeJsonPath, "utf8");
-    } catch (err) {
-        logger.debug(`acmeCertSync: could not read ${acmeJsonPath}: ${err}`);
-        return;
+/**
+ * Determine whether an ACME cert entry represents a wildcard cert by checking
+ * both the primary domain (`main`) and the SANs. Some ACME clients (notably
+ * Traefik) store the bare apex in `main` and only put the wildcard form in
+ * `sans` (e.g. main="access.example.com", sans=["*.access.example.com"]).
+ */
+function detectWildcard(
+    main: string,
+    sans: string[] | undefined
+): { wildcard: boolean; wildcardSan: string | null } {
+    if (main.startsWith("*.")) {
+        return { wildcard: true, wildcardSan: null };
    }
-
-    let acmeJson: AcmeJson;
-    try {
-        acmeJson = JSON.parse(raw);
-    } catch (err) {
-        logger.debug(`acmeCertSync: could not parse acme.json: ${err}`);
-        return;
+    if (Array.isArray(sans)) {
+        for (const san of sans) {
+            if (typeof san !== "string") continue;
+            if (san === `*.${main}` || san.startsWith("*.")) {
+                return { wildcard: true, wildcardSan: san };
+            }
+        }
    }
+    return { wildcard: false, wildcardSan: null };
+}

-    const resolverData = acmeJson[resolver];
-    if (!resolverData || !Array.isArray(resolverData.Certificates)) {
+interface HttpCert {
+    wildcard: boolean;
+    altName: string;
+    certName: string;
+    commonName: string;
+    certFile: string;
+    keyFile: string;
+}
+
+async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
+    let response: Response;
+    try {
+        response = await fetch(endpoint);
+    } catch (err) {
        logger.debug(
-            `acmeCertSync: no certificates found for resolver "${resolver}"`
+            `acmeCertSync: could not reach HTTP endpoint ${endpoint}: ${err}`
        );
        return;
    }

-    for (const cert of resolverData.Certificates) {
-        const domain = cert.domain?.main;
-        const wildcard = domain.startsWith("*.");
-
-        if (!domain) {
-            logger.debug(`acmeCertSync: skipping cert with missing domain`);
-            continue;
-        }
-
-        if (!cert.certificate || !cert.key) {
-            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
-            );
-            continue;
-        }
-
-        const certPem = Buffer.from(cert.certificate, "base64").toString(
-            "utf8"
+    if (!response.ok) {
+        logger.debug(
+            `acmeCertSync: HTTP endpoint returned status ${response.status}`
        );
-        const keyPem = Buffer.from(cert.key, "base64").toString("utf8");
+        return;
+    }

-        if (!certPem.trim() || !keyPem.trim()) {
+    let httpCerts: HttpCert[];
+    try {
+        httpCerts = await response.json();
+    } catch (err) {
+        logger.debug(
+            `acmeCertSync: could not parse JSON from HTTP endpoint: ${err}`
+        );
+        return;
+    }
+
+    if (!Array.isArray(httpCerts) || httpCerts.length === 0) {
+        logger.debug(
+            `acmeCertSync: no certificates returned from HTTP endpoint`
+        );
+        return;
+    }
+
+    for (const cert of httpCerts) {
+        const domain = cert?.certName;
+
+        if (!domain || typeof domain !== "string") {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
+                `acmeCertSync: skipping HTTP cert with missing certName`
            );
            continue;
        }

-        // Check if cert already exists in DB
+        const certPem = cert.certFile;
+        const keyPem = cert.keyFile;
+
+        if (!certPem?.trim() || !keyPem?.trim()) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - empty certFile or keyFile`
+            );
+            continue;
+        }
+
+        const firstCertPemForValidation = extractFirstCert(certPem);
+        if (!firstCertPemForValidation) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - no PEM certificate block found`
+            );
+            continue;
+        }
+
+        let validatedX509: crypto.X509Certificate;
+        try {
+            validatedX509 = new crypto.X509Certificate(
+                firstCertPemForValidation
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - invalid X.509 certificate: ${err}`
+            );
+            continue;
+        }
+
+        try {
+            crypto.createPrivateKey(keyPem);
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping HTTP cert for ${domain} - invalid private key: ${err}`
+            );
+            continue;
+        }
+
+        const wildcard = cert.wildcard ?? false;
+
        const existing = await db
            .select()
            .from(certificates)
-            .where(
-                and(
-                    eq(certificates.domain, domain)
-                )
-            )
+            .where(eq(certificates.domain, domain))
            .limit(1);

        let oldCertPem: string | null = null;
@@ -326,10 +385,262 @@ async function syncAcmeCerts(
                    existing[0].certFile,
                    config.getRawConfig().server.secret!
                );
-                if (storedCertPem === certPem) {
-                    logger.debug(
-                        `acmeCertSync: cert for ${domain} is unchanged, skipping`
-                    );
+                const wildcardUnchanged = existing[0].wildcard === wildcard;
+                if (storedCertPem === certPem && wildcardUnchanged) {
+                    continue;
+                }
+                oldCertPem = storedCertPem;
+                if (existing[0].keyFile) {
+                    try {
+                        oldKeyPem = decrypt(
+                            existing[0].keyFile,
+                            config.getRawConfig().server.secret!
+                        );
+                    } catch (keyErr) {
+                        logger.debug(
+                            `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
+                        );
+                    }
+                }
+            } catch (err) {
+                logger.debug(
+                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
+                );
+            }
+        }
+
+        let expiresAt: number | null = null;
+        try {
+            expiresAt = Math.floor(
+                new Date(validatedX509.validTo).getTime() / 1000
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+            );
+        }
+
+        const encryptedCert = encrypt(
+            certPem,
+            config.getRawConfig().server.secret!
+        );
+        const encryptedKey = encrypt(
+            keyPem,
+            config.getRawConfig().server.secret!
+        );
+        const now = Math.floor(Date.now() / 1000);
+
+        const domainId = await findDomainId(domain);
+        if (domainId) {
+            logger.debug(
+                `acmeCertSync: resolved domainId "${domainId}" for HTTP cert domain "${domain}"`
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: no matching domain record found for HTTP cert domain "${domain}"`
+            );
+        }
+
+        if (existing.length > 0) {
+            logger.debug(
+                `acmeCertSync: updating existing certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db
+                .update(certificates)
+                .set({
+                    certFile: encryptedCert,
+                    keyFile: encryptedKey,
+                    status: "valid",
+                    expiresAt,
+                    updatedAt: now,
+                    wildcard,
+                    ...(domainId !== null && { domainId })
+                })
+                .where(eq(certificates.domain, domain));
+
+            await pushCertUpdateToAffectedNewts(
+                domain,
+                domainId,
+                oldCertPem,
+                oldKeyPem
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: inserting new certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db.insert(certificates).values({
+                domain,
+                domainId,
+                certFile: encryptedCert,
+                keyFile: encryptedKey,
+                status: "valid",
+                expiresAt,
+                createdAt: now,
+                updatedAt: now,
+                wildcard
+            });
+
+            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
+        }
+    }
+}
+
+function findAcmeJsonFiles(dirPath: string): string[] {
+    const results: string[] = [];
+    let entries: fs.Dirent[];
+    try {
+        entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    } catch (err) {
+        logger.warn(
+            `acmeCertSync: could not read directory "${dirPath}": ${err}`
+        );
+        return results;
+    }
+    for (const entry of entries) {
+        const fullPath = path.join(dirPath, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...findAcmeJsonFiles(fullPath));
+        } else if (entry.isFile() && entry.name === "acme.json") {
+            results.push(fullPath);
+        }
+    }
+    return results;
+}
+
+async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
+    let raw: string;
+    try {
+        raw = fs.readFileSync(acmeJsonPath, "utf8");
+    } catch (err) {
+        logger.warn(`acmeCertSync: could not read "${acmeJsonPath}": ${err}`);
+        return;
+    }
+
+    let acmeJson: AcmeJson;
+    try {
+        acmeJson = JSON.parse(raw);
+    } catch (err) {
+        logger.warn(
+            `acmeCertSync: could not parse "${acmeJsonPath}" as JSON: ${err}`
+        );
+        return;
+    }
+
+    const resolvers = Object.keys(acmeJson || {});
+    if (resolvers.length === 0) {
+        logger.debug(`acmeCertSync: no resolvers found in acme.json`);
+        return;
+    }
+
+    // Collect certificates from every resolver. If the same domain appears in
+    // multiple resolvers, the last one wins (resolvers iterated in object order).
+    const allCerts: AcmeCert[] = [];
+    for (const resolver of resolvers) {
+        const resolverData = acmeJson[resolver];
+        if (!resolverData || !Array.isArray(resolverData.Certificates)) {
+            logger.debug(
+                `acmeCertSync: no certificates found for resolver "${resolver}"`
+            );
+            continue;
+        }
+        logger.debug(
+            `acmeCertSync: found ${resolverData.Certificates.length} certificate(s) for resolver "${resolver}"`
+        );
+        for (const cert of resolverData.Certificates) {
+            allCerts.push(cert);
+        }
+    }
+
+    for (const cert of allCerts) {
+        const domain = cert?.domain?.main;
+
+        if (!domain || typeof domain !== "string") {
+            logger.debug(`acmeCertSync: skipping cert with missing domain`);
+            continue;
+        }
+
+        const { wildcard } = detectWildcard(domain, cert.domain?.sans);
+
+        if (!cert.certificate || !cert.key) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
+            );
+            continue;
+        }
+
+        let certPem: string;
+        let keyPem: string;
+        try {
+            certPem = Buffer.from(cert.certificate, "base64").toString("utf8");
+            keyPem = Buffer.from(cert.key, "base64").toString("utf8");
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - failed to base64-decode cert/key: ${err}`
+            );
+            continue;
+        }
+
+        if (!certPem.trim() || !keyPem.trim()) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
+            );
+            continue;
+        }
+
+        // Validate that the decoded data actually parses as a real X.509 cert
+        // before we touch the database. This prevents importing partially-written
+        // or corrupted entries from acme.json.
+        const firstCertPemForValidation = extractFirstCert(certPem);
+        if (!firstCertPemForValidation) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - no PEM certificate block found`
+            );
+            continue;
+        }
+
+        let validatedX509: crypto.X509Certificate;
+        try {
+            validatedX509 = new crypto.X509Certificate(
+                firstCertPemForValidation
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - invalid X.509 certificate: ${err}`
+            );
+            continue;
+        }
+
+        // Sanity-check the private key parses too
+        try {
+            crypto.createPrivateKey(keyPem);
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: skipping cert for ${domain} - invalid private key: ${err}`
+            );
+            continue;
+        }
+
+        // Check if cert already exists in DB
+        const existing = await db
+            .select()
+            .from(certificates)
+            .where(and(eq(certificates.domain, domain)))
+            .limit(1);
+
+        let oldCertPem: string | null = null;
+        let oldKeyPem: string | null = null;
+
+        if (existing.length > 0 && existing[0].certFile) {
+            try {
+                const storedCertPem = decrypt(
+                    existing[0].certFile,
+                    config.getRawConfig().server.secret!
+                );
+                const wildcardUnchanged = existing[0].wildcard === wildcard;
+                if (storedCertPem === certPem && wildcardUnchanged) {
+                    // logger.debug(
+                    // `acmeCertSync: cert for ${domain} is unchanged, skipping`
+                    // );
                    continue;
                }
                // Cert has changed; capture old values so we can send a correct
@@ -355,18 +666,16 @@ async function syncAcmeCerts(
            }
        }

-        // Parse cert expiry from the first cert in the PEM bundle
+        // Parse cert expiry from the validated X.509 certificate
        let expiresAt: number | null = null;
-        const firstCertPem = extractFirstCert(certPem);
-        if (firstCertPem) {
-            try {
-                const x509 = new crypto.X509Certificate(firstCertPem);
-                expiresAt = Math.floor(new Date(x509.validTo).getTime() / 1000);
-            } catch (err) {
-                logger.debug(
-                    `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
-                );
-            }
+        try {
+            expiresAt = Math.floor(
+                new Date(validatedX509.validTo).getTime() / 1000
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+            );
        }

        const encryptedCert = encrypt(
@@ -468,21 +777,63 @@ export function initAcmeCertSync(): void {
    const acmeJsonPath =
        privateConfigData.acme?.acme_json_path ??
        "config/letsencrypt/acme.json";
-    const resolver = privateConfigData.acme?.resolver ?? "letsencrypt";
    const intervalMs = privateConfigData.acme?.sync_interval_ms ?? 5000;
+    const httpEndpoint = privateConfigData.acme?.acme_http_endpoint;

    logger.debug(
-        `acmeCertSync: starting ACME cert sync from "${acmeJsonPath}" using resolver "${resolver}" every ${intervalMs}ms`
+        `acmeCertSync: starting ACME cert sync from "${acmeJsonPath}" across all resolvers every ${intervalMs}ms`
    );
+    if (httpEndpoint) {
+        logger.debug(
+            `acmeCertSync: also syncing from HTTP endpoint "${httpEndpoint}" every ${intervalMs}ms`
+        );
+    }
+
+    const runSync = () => {
+        if (httpEndpoint) {
+            syncAcmeCertsFromHttp(httpEndpoint).catch((err) => {
+                logger.error(`acmeCertSync: error during HTTP sync: ${err}`);
+            });
+        } else {
+            // only run the file-based sync if the HTTP endpoint is not configured, to avoid doubling up
+            let stat: fs.Stats | null = null;
+            try {
+                stat = fs.statSync(acmeJsonPath);
+            } catch (err) {
+                logger.warn(
+                    `acmeCertSync: cannot stat path "${acmeJsonPath}": ${err}`
+                );
+                return;
+            }
+
+            if (stat.isDirectory()) {
+                const files = findAcmeJsonFiles(acmeJsonPath);
+                if (files.length === 0) {
+                    logger.debug(
+                        `acmeCertSync: no acme.json files found in directory "${acmeJsonPath}"`
+                    );
+                    return;
+                }
+                logger.debug(
+                    `acmeCertSync: found ${files.length} acme.json file(s) in directory "${acmeJsonPath}"`
+                );
+                for (const file of files) {
+                    syncAcmeCerts(file).catch((err) => {
+                        logger.error(
+                            `acmeCertSync: error during sync of "${file}": ${err}`
+                        );
+                    });
+                }
+            } else {
+                syncAcmeCerts(acmeJsonPath).catch((err) => {
+                    logger.error(`acmeCertSync: error during sync: ${err}`);
+                });
+            }
+        }
+    };

    // Run immediately on init, then on the configured interval
-    syncAcmeCerts(acmeJsonPath, resolver).catch((err) => {
-        logger.error(`acmeCertSync: error during initial sync: ${err}`);
-    });
+    runSync();

-    setInterval(() => {
-        syncAcmeCerts(acmeJsonPath, resolver).catch((err) => {
-            logger.error(`acmeCertSync: error during sync: ${err}`);
-        });
-    }, intervalMs);
+    setInterval(runSync, intervalMs);
 }
--- a/server/private/lib/alerts/events/healthCheckEvents.ts
+++ b/server/private/lib/alerts/events/healthCheckEvents.ts
@@ -1,306 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import {
-    db,
-    statusHistory,
-    targetHealthCheck,
-    targets,
-    resources,
-    Transaction,
-    logsDb
-} from "@server/db";
-import { eq } from "drizzle-orm";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-import {
-    fireResourceDegradedAlert,
-    fireResourceHealthyAlert,
-    fireResourceUnhealthyAlert,
-    fireResourceUnknownAlert
-} from "./resourceEvents";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `health_check_healthy` alert for the given health check.
- *
- * Call this after a previously-failing health check has recovered so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId         - Organisation that owns the health check.
- * @param healthCheckId - Numeric primary key of the health check.
- * @param healthCheckName - Human-readable name shown in notifications (optional).
- * @param extra         - Any additional key/value pairs to include in the payload.
- */
-export async function fireHealthCheckHealthyAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "healthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "health_check_healthy",
-            orgId,
-            healthCheckId,
-            data: {
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "health_check_toggle",
-            orgId,
-            healthCheckId,
-            data: {
-                healthCheckId,
-                status: "healthy",
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `health_check_unhealthy` alert for the given health check.
- *
- * Call this after a health check has been detected as failing so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId         - Organisation that owns the health check.
- * @param healthCheckId - Numeric primary key of the health check.
- * @param healthCheckName - Human-readable name shown in notifications (optional).
- * @param extra         - Any additional key/value pairs to include in the payload.
- */
-export async function fireHealthCheckUnhealthyAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "unhealthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "health_check_unhealthy",
-            orgId,
-            healthCheckId,
-            data: {
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "health_check_toggle",
-            orgId,
-            healthCheckId,
-            data: {
-                healthCheckId,
-                status: "unhealthy",
-                ...(healthCheckName != null ? { healthCheckName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-export async function fireHealthCheckUnknownAlert(
-    orgId: string,
-    healthCheckId: number,
-    healthCheckName?: string | null,
-    healthCheckTargetId?: number | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "health_check",
-            entityId: healthCheckId,
-            orgId: orgId,
-            status: "unknown",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("health_check", healthCheckId);
-
-        await handleResource(orgId, healthCheckTargetId, send, trx);
-
-        if (!send) {
-            return;
-        }
-    } catch (err) {
-        logger.error(
-            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
-            err
-        );
-    }
-}
-
-async function handleResource(
-    orgId: string,
-    healthCheckTargetId?: number | null,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-) {
-    if (!healthCheckTargetId) {
-        return;
-    }
-    // we have targets lets get them
-    const [target] = await trx
-        .select()
-        .from(targets)
-        .where(eq(targets.targetId, healthCheckTargetId))
-        .limit(1);
-
-    if (!target) {
-        return;
-    }
-
-    const [resource] = await trx
-        .select()
-        .from(resources)
-        .where(eq(resources.resourceId, target.resourceId))
-        .limit(1);
-
-    if (!resource) {
-        return;
-    }
-
-    const otherTargets = await trx
-        .select({ hcHealth: targetHealthCheck.hcHealth })
-        .from(targets)
-        .innerJoin(
-            targetHealthCheck,
-            eq(targetHealthCheck.targetId, targets.targetId)
-        )
-        .where(eq(targets.resourceId, resource.resourceId));
-
-    let health = "healthy";
-    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
-    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
-    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
-
-    if (allUnknown) {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
-        );
-        health = "unknown";
-    } else if (allHealthy) {
-        health = "healthy";
-    } else if (allUnhealthy) {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
-        );
-        health = "unhealthy";
-    } else {
-        logger.debug(
-            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
-        );
-        health = "degraded";
-    }
-
-    if (health != resource.health) {
-        // it changed
-        await trx
-            .update(resources)
-            .set({ health })
-            .where(eq(resources.resourceId, resource.resourceId));
-
-        if (health === "unknown") {
-            await fireResourceUnknownAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "unhealthy") {
-            await fireResourceUnhealthyAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "healthy") {
-            await fireResourceHealthyAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        } else if (health === "degraded") {
-            await fireResourceDegradedAlert(
-                orgId,
-                resource.resourceId,
-                resource.name,
-                undefined,
-                send,
-                trx
-            );
-        }
-    }
-}
--- a/server/private/lib/alerts/events/resourceEvents.ts
+++ b/server/private/lib/alerts/events/resourceEvents.ts
@@ -1,256 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import { db, logsDb, statusHistory, Transaction } from "@server/db";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `resource_healthy` alert for the given resource.
- *
- * Call this after a previously-unhealthy resource has recovered so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceHealthyAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "healthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_healthy",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "healthy",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_unhealthy` alert for the given resource.
- *
- * Call this after a resource has been detected as unhealthy so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceUnhealthyAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "unhealthy",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_unhealthy",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "unhealthy",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_degraded` alert for the given resource.
- *
- * Call this after a resource has been detected as degraded so that any
- * matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceDegradedAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "degraded",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_degraded",
-            orgId,
-            resourceId,
-            data: {
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "degraded",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `resource_unknown` alert for the given resource.
- *
- * Call this when all health checks on a resource are disabled so that the
- * resource status transitions to unknown.
- *
- * @param orgId        - Organisation that owns the resource.
- * @param resourceId   - Numeric primary key of the resource.
- * @param resourceName - Human-readable name shown in notifications (optional).
- * @param extra        - Any additional key/value pairs to include in the payload.
- */
-export async function fireResourceUnknownAlert(
-    orgId: string,
-    resourceId: number,
-    resourceName?: string | null,
-    extra?: Record<string, unknown>,
-    send: boolean = true,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "resource",
-            entityId: resourceId,
-            orgId: orgId,
-            status: "unknown",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("resource", resourceId);
-
-        if (!send) {
-            return;
-        }
-
-        await processAlerts({
-            eventType: "resource_toggle",
-            orgId,
-            resourceId,
-            data: {
-                resourceId,
-                status: "unknown",
-                ...(resourceName != null ? { resourceName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
-            err
-        );
-    }
-}
--- a/server/private/lib/alerts/events/siteEvents.ts
+++ b/server/private/lib/alerts/events/siteEvents.ts
@@ -1,169 +0,0 @@
-/*
- * This file is part of a proprietary work.
- *
- * Copyright (c) 2025-2026 Fossorial, Inc.
- * All rights reserved.
- *
- * This file is licensed under the Fossorial Commercial License.
- * You may not use this file except in compliance with the License.
- * Unauthorized use, copying, modification, or distribution is strictly prohibited.
- *
- * This file is not licensed under the AGPLv3.
- */
-
-import logger from "@server/logger";
-import { processAlerts } from "../processAlerts";
-import {
-    db,
-    logsDb,
-    statusHistory,
-    targetHealthCheck,
-    Transaction
-} from "@server/db";
-import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
-import { and, eq, inArray } from "drizzle-orm";
-import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Fire a `site_online` alert for the given site.
- *
- * Call this after the site has been confirmed reachable / connected so that
- * any matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId    - Organisation that owns the site.
- * @param siteId   - Numeric primary key of the site.
- * @param siteName - Human-readable name shown in notifications (optional).
- * @param extra    - Any additional key/value pairs to include in the payload.
- */
-export async function fireSiteOnlineAlert(
-    orgId: string,
-    siteId: number,
-    siteName?: string,
-    extra?: Record<string, unknown>,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "site",
-            entityId: siteId,
-            orgId: orgId,
-            status: "online",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("site", siteId);
-
-        await processAlerts({
-            eventType: "site_online",
-            orgId,
-            siteId,
-            data: {
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "site_toggle",
-            orgId,
-            siteId,
-            data: {
-                siteId,
-                status: "online",
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
-            err
-        );
-    }
-}
-
-/**
- * Fire a `site_offline` alert for the given site.
- *
- * Call this after the site has been detected as unreachable / disconnected so
- * that any matching `alertRules` can dispatch their email and webhook actions.
- *
- * @param orgId    - Organisation that owns the site.
- * @param siteId   - Numeric primary key of the site.
- * @param siteName - Human-readable name shown in notifications (optional).
- * @param extra    - Any additional key/value pairs to include in the payload.
- */
-export async function fireSiteOfflineAlert(
-    orgId: string,
-    siteId: number,
-    siteName?: string,
-    extra?: Record<string, unknown>,
-    trx: Transaction | typeof db = db
-): Promise<void> {
-    try {
-        await logsDb.insert(statusHistory).values({
-            entityType: "site",
-            entityId: siteId,
-            orgId: orgId,
-            status: "offline",
-            timestamp: Math.floor(Date.now() / 1000)
-        });
-        await invalidateStatusHistoryCache("site", siteId);
-
-        const unhealthyHealthChecks = await trx
-            .update(targetHealthCheck)
-            .set({ hcHealth: "unhealthy" })
-            .where(
-                and(
-                    eq(targetHealthCheck.orgId, orgId),
-                    eq(targetHealthCheck.siteId, siteId),
-                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
-                )
-            )
-            .returning();
-
-        for (const healthCheck of unhealthyHealthChecks) {
-            logger.info(
-                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
-            );
-
-            await fireHealthCheckUnhealthyAlert(
-                healthCheck.orgId,
-                healthCheck.targetHealthCheckId,
-                healthCheck.name,
-                healthCheck.targetId, // for the resource if we have one
-                undefined,
-                true,
-                trx
-            );
-        }
-
-        await processAlerts({
-            eventType: "site_offline",
-            orgId,
-            siteId,
-            data: {
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-        await processAlerts({
-            eventType: "site_toggle",
-            orgId,
-            siteId,
-            data: {
-                siteId,
-                status: "offline",
-                ...(siteName != null ? { siteName } : {}),
-                ...extra
-            }
-        });
-    } catch (err) {
-        logger.error(
-            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
-            err
-        );
-    }
-}
--- a/server/private/lib/alerts/index.ts
+++ b/server/private/lib/alerts/index.ts
@@ -14,6 +14,3 @@
 export * from "./processAlerts";
 export * from "./sendAlertWebhook";
 export * from "./sendAlertEmail";
-export * from "./events/siteEvents";
-export * from "./events/healthCheckEvents";
-export * from "./events/resourceEvents";
--- a/server/private/lib/alerts/sendAlertWebhook.ts
+++ b/server/private/lib/alerts/sendAlertWebhook.ts
@@ -42,17 +42,23 @@ export async function sendAlertWebhook(
    webhookConfig: WebhookAlertConfig,
    context: AlertContext
 ): Promise<void> {
-    const payload = {
-        event: context.eventType,
-        timestamp: new Date().toISOString(),
-        status: deriveStatus(context.eventType, context.data),
-        data: {
-            orgId: context.orgId,
-            ...context.data
-        }
-    };
+    const eventType = context.eventType;
+    const timestamp = new Date().toISOString();
+    const status = deriveStatus(eventType, context.data);
+    const data = { orgId: context.orgId, ...context.data };
+
+    let body: string;
+    if (webhookConfig.useBodyTemplate && webhookConfig.bodyTemplate?.trim()) {
+        body = renderTemplate(webhookConfig.bodyTemplate, {
+            event: eventType,
+            timestamp,
+            status,
+            data
+        });
+    } else {
+        body = JSON.stringify({ event: eventType, timestamp, status, data });
+    }

-    const body = JSON.stringify(payload);
    const headers = buildHeaders(webhookConfig);

    let lastError: Error | undefined;
@@ -217,3 +223,52 @@ function buildHeaders(

    return headers;
 }
+
+// ---------------------------------------------------------------------------
+// Body template rendering
+// ---------------------------------------------------------------------------
+
+interface TemplateContext {
+    event: string;
+    timestamp: string;
+    status: string;
+    data: Record<string, unknown>;
+}
+
+/**
+ * Render a body template with {{event}}, {{timestamp}}, {{status}}, and
+ * {{data}} placeholders, mirroring the logic in HttpLogDestination.
+ *
+ * {{data}} is replaced first (as raw JSON) so that any literal "{{…}}"
+ * strings inside data values are not re-expanded.
+ */
+function renderTemplate(template: string, ctx: TemplateContext): string {
+    const rendered = template
+        .replace(/\{\{data\}\}/g, JSON.stringify(ctx.data))
+        .replace(/\{\{event\}\}/g, escapeJsonString(ctx.event))
+        .replace(/\{\{timestamp\}\}/g, escapeJsonString(ctx.timestamp))
+        .replace(/\{\{status\}\}/g, escapeJsonString(ctx.status));
+
+    // Validate the rendered result is valid JSON; if not, log a warning and
+    // fall back to the default payload so the webhook still fires.
+    try {
+        JSON.parse(rendered);
+        return rendered;
+    } catch {
+        logger.warn(
+            `sendAlertWebhook: body template produced invalid JSON for event ` +
+                `"${ctx.event}" destined for a webhook. Falling back to default ` +
+                `payload. Check that {{data}} is NOT wrapped in quotes in your template.`
+        );
+        return JSON.stringify({
+            event: ctx.event,
+            timestamp: ctx.timestamp,
+            status: ctx.status,
+            data: ctx.data
+        });
+    }
+}
+
+function escapeJsonString(value: string): string {
+    return JSON.stringify(value).slice(1, -1);
+}
--- a/server/private/lib/alerts/types.ts
+++ b/server/private/lib/alerts/types.ts
@@ -45,6 +45,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
+    /** Whether to use a custom body template */
+    useBodyTemplate?: boolean;
+    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
+    bodyTemplate?: string;
 }

 // ---------------------------------------------------------------------------
@@ -60,4 +64,4 @@ export interface AlertContext {
    healthCheckId?: number;
    /** Human-readable context data included in emails and webhook payloads */
    data: Record<string, unknown>;
-}
+}
--- a/server/private/lib/billing/getOrgTierData.ts
+++ b/server/private/lib/billing/getOrgTierData.ts
@@ -19,12 +19,13 @@ import { eq, and, ne } from "drizzle-orm";

 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: Tier | null; active: boolean }> {
+): Promise<{ tier: Tier | null; active: boolean; isTrial: boolean }> {
    let tier: Tier | null = null;
    let active = false;
+    let isTrial = false;

    if (build !== "saas") {
-        return { tier, active };
+        return { tier, active, isTrial };
    }

    try {
@@ -35,7 +36,7 @@ export async function getOrgTierData(
            .limit(1);

        if (!org) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }

        let orgIdToUse = org.orgId;
@@ -44,7 +45,7 @@ export async function getOrgTierData(
                logger.warn(
                    `Org ${orgId} is not a billing org and does not have a billingOrgId`
                );
-                return { tier, active };
+                return { tier, active, isTrial };
            }
            orgIdToUse = org.billingOrgId;
        }
@@ -57,7 +58,7 @@ export async function getOrgTierData(
            .limit(1);

        if (!customer) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }

        // Query for active subscriptions that are not license type
@@ -84,11 +85,13 @@ export async function getOrgTierData(
                tier = subscription.type;
                active = true;
            }
+
+            isTrial = subscription.trial ?? false;
        }
    } catch (error) {
        // If org not found or error occurs, return null tier and inactive
        // This is acceptable behavior as per the function signature
    }

-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -21,174 +21,172 @@ import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";

 const portSchema = z.number().positive().gt(0).lte(65535);

-export const privateConfigSchema = z.object({
-    app: z
-        .object({
-            region: z.string().optional().default("default"),
-            base_domain: z.string().optional(),
-            identity_provider_mode: z.enum(["global", "org"]).optional()
-        })
-        .optional()
-        .default({
-            region: "default"
-        }),
-    server: z
-        .object({
-            reo_client_id: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("REO_CLIENT_ID")),
-            fossorial_api: z
-                .string()
-                .optional()
-                .default("https://api.fossorial.io"),
-            fossorial_api_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
-        })
-        .optional()
-        .prefault({}),
-    redis: z
-        .object({
-            host: z.string(),
-            port: portSchema,
-            password: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("REDIS_PASSWORD")),
-            db: z.int().nonnegative().optional().default(0),
-            replicas: z
-                .array(
-                    z.object({
-                        host: z.string(),
-                        port: portSchema,
-                        password: z.string().optional(),
-                        db: z.int().nonnegative().optional().default(0)
+export const privateConfigSchema = z
+    .object({
+        app: z
+            .object({
+                region: z.string().optional().default("default"),
+                base_domain: z.string().optional(),
+                identity_provider_mode: z.enum(["global", "org"]).optional()
+            })
+            .optional()
+            .default({
+                region: "default"
+            }),
+        server: z
+            .object({
+                reo_client_id: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("REO_CLIENT_ID")),
+                fossorial_api: z
+                    .string()
+                    .optional()
+                    .default("https://api.fossorial.io"),
+                fossorial_api_key: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("FOSSORIAL_API_KEY"))
+            })
+            .optional()
+            .prefault({}),
+        redis: z
+            .object({
+                host: z.string(),
+                port: portSchema,
+                password: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("REDIS_PASSWORD")),
+                db: z.int().nonnegative().optional().default(0),
+                replicas: z
+                    .array(
+                        z.object({
+                            host: z.string(),
+                            port: portSchema,
+                            password: z.string().optional(),
+                            db: z.int().nonnegative().optional().default(0)
+                        })
+                    )
+                    .optional(),
+                tls: z
+                    .object({
+                        rejectUnauthorized: z.boolean().optional().default(true)
                    })
-                )
-                .optional(),
-            tls: z
-                .object({
-                    rejectUnauthorized: z
-                        .boolean()
-                        .optional()
-                        .default(true)
-                })
-                .optional()
-        })
-        .optional(),
-    gerbil: z
-        .object({
-            local_exit_node_reachable_at: z
-                .string()
-                .optional()
-                .default("http://gerbil:3004")
-        })
-        .optional()
-        .prefault({}),
-    flags: z
-        .object({
-            enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false),
-            use_org_only_idp: z.boolean().optional(),
-            enable_acme_cert_sync: z.boolean().optional().default(true)
-        })
-        .optional()
-        .prefault({}),
-    acme: z
-        .object({
-            acme_json_path: z
-                .string()
-                .optional()
-                .default("config/letsencrypt/acme.json"),
-            resolver: z.string().optional().default("letsencrypt"),
-            sync_interval_ms: z.number().optional().default(5000)
-        })
-        .optional(),
-    branding: z
-        .object({
-            app_name: z.string().optional(),
-            background_image_path: z.string().optional(),
-            colors: z
-                .object({
-                    light: colorsSchema.optional(),
-                    dark: colorsSchema.optional()
-                })
-                .optional(),
-            logo: z
-                .object({
-                    light_path: z.string().optional(),
-                    dark_path: z.string().optional(),
-                    auth_page: z
-                        .object({
-                            width: z.number().optional(),
-                            height: z.number().optional()
-                        })
-                        .optional(),
-                    navbar: z
-                        .object({
-                            width: z.number().optional(),
-                            height: z.number().optional()
-                        })
-                        .optional()
-                })
-                .optional(),
-            footer: z
-                .array(
-                    z.object({
-                        text: z.string(),
-                        href: z.string().optional()
+                    .optional()
+            })
+            .optional(),
+        gerbil: z
+            .object({
+                local_exit_node_reachable_at: z
+                    .string()
+                    .optional()
+                    .default("http://gerbil:3004")
+            })
+            .optional()
+            .prefault({}),
+        flags: z
+            .object({
+                enable_redis: z.boolean().optional().default(false),
+                use_pangolin_dns: z.boolean().optional().default(false),
+                use_org_only_idp: z.boolean().optional(),
+                enable_acme_cert_sync: z.boolean().optional().default(true)
+            })
+            .optional()
+            .prefault({}),
+        acme: z
+            .object({
+                acme_json_path: z
+                    .string()
+                    .optional()
+                    .default("config/letsencrypt/acme.json"),
+                acme_http_endpoint: z.string().optional(),
+                sync_interval_ms: z.number().optional().default(5000)
+            })
+            .optional(),
+        branding: z
+            .object({
+                app_name: z.string().optional(),
+                background_image_path: z.string().optional(),
+                colors: z
+                    .object({
+                        light: colorsSchema.optional(),
+                        dark: colorsSchema.optional()
                    })
-                )
-                .optional(),
-            hide_auth_layout_footer: z.boolean().optional().default(false),
-            login_page: z
-                .object({
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            signup_page: z
-                .object({
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            resource_auth_page: z
-                .object({
-                    show_logo: z.boolean().optional(),
-                    hide_powered_by: z.boolean().optional(),
-                    title_text: z.string().optional(),
-                    subtitle_text: z.string().optional()
-                })
-                .optional(),
-            emails: z
-                .object({
-                    signature: z.string().optional(),
-                    colors: z
-                        .object({
-                            primary: z.string().optional()
+                    .optional(),
+                logo: z
+                    .object({
+                        light_path: z.string().optional(),
+                        dark_path: z.string().optional(),
+                        auth_page: z
+                            .object({
+                                width: z.number().optional(),
+                                height: z.number().optional()
+                            })
+                            .optional(),
+                        navbar: z
+                            .object({
+                                width: z.number().optional(),
+                                height: z.number().optional()
+                            })
+                            .optional()
+                    })
+                    .optional(),
+                footer: z
+                    .array(
+                        z.object({
+                            text: z.string(),
+                            href: z.string().optional()
                        })
-                        .optional()
-                })
-                .optional()
-        })
-        .optional(),
-    stripe: z
-        .object({
-            secret_key: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
-            webhook_secret: z
-                .string()
-                .optional()
-                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
-            // s3Bucket: z.string(),
-            // s3Region: z.string().default("us-east-1"),
-            // localFilePath: z.string().optional()
-        })
-        .optional()
-})
+                    )
+                    .optional(),
+                hide_auth_layout_footer: z.boolean().optional().default(false),
+                login_page: z
+                    .object({
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                signup_page: z
+                    .object({
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                resource_auth_page: z
+                    .object({
+                        show_logo: z.boolean().optional(),
+                        hide_powered_by: z.boolean().optional(),
+                        title_text: z.string().optional(),
+                        subtitle_text: z.string().optional()
+                    })
+                    .optional(),
+                emails: z
+                    .object({
+                        signature: z.string().optional(),
+                        colors: z
+                            .object({
+                                primary: z.string().optional()
+                            })
+                            .optional()
+                    })
+                    .optional()
+            })
+            .optional(),
+        stripe: z
+            .object({
+                secret_key: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("STRIPE_SECRET_KEY")),
+                webhook_secret: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET"))
+                // s3Bucket: z.string(),
+                // s3Region: z.string().default("us-east-1"),
+                // localFilePath: z.string().optional()
+            })
+            .optional()
+    })
    .transform((data) => {
        // this to maintain backwards compatibility with the old config file
        const identityProviderMode = data.app?.identity_provider_mode;
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -277,37 +277,37 @@ export async function getTraefikConfig(
        });
    });

-    // Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
-    const siteResourcesWithFullDomain = await db
-        .select({
-            siteResourceId: siteResources.siteResourceId,
-            fullDomain: siteResources.fullDomain,
-            mode: siteResources.mode
-        })
-        .from(siteResources)
-        .innerJoin(
-            siteNetworks,
-            eq(siteResources.networkId, siteNetworks.networkId)
-        )
-        .innerJoin(sites, eq(siteNetworks.siteId, sites.siteId))
-        .where(
-            and(
-                eq(siteResources.enabled, true),
-                isNotNull(siteResources.fullDomain),
-                eq(siteResources.mode, "http"),
-                eq(siteResources.ssl, true),
-                or(
-                    eq(sites.exitNodeId, exitNodeId),
-                    and(
-                        isNull(sites.exitNodeId),
-                        sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
-                        eq(sites.type, "local"),
-                        sql`(${build != "saas" ? 1 : 0} = 1)`
-                    )
-                ),
-                inArray(sites.type, siteTypes)
+    let siteResourcesWithFullDomain: {
+        siteResourceId: number;
+        fullDomain: string | null;
+        mode: "http" | "host" | "cidr";
+    }[] = [];
+    if (build == "enterprise") {
+        // we dont want to do this on the cloud
+        // Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
+        siteResourcesWithFullDomain = await db
+            .select({
+                siteResourceId: siteResources.siteResourceId,
+                fullDomain: siteResources.fullDomain,
+                mode: siteResources.mode
+            })
+            .from(siteResources)
+            .innerJoin(
+                siteNetworks,
+                eq(siteResources.networkId, siteNetworks.networkId)
            )
-        );
+            .innerJoin(sites, eq(siteNetworks.siteId, sites.siteId))
+            .where(
+                and(
+                    eq(siteResources.enabled, true),
+                    isNotNull(siteResources.fullDomain),
+                    eq(siteResources.mode, "http"),
+                    eq(siteResources.ssl, true),
+                    eq(sites.exitNodeId, exitNodeId),
+                    inArray(sites.type, siteTypes)
+                )
+            );
+    }

    let validCerts: CertificateResult[] = [];
    if (privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
--- a/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
+++ b/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
@@ -24,7 +24,7 @@ import { eq, and } from "drizzle-orm";
 import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert
-} from "#private/lib/alerts/events/healthCheckEvents";
+} from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
@@ -73,10 +73,7 @@ export async function triggerHealthCheckAlert(
            .from(targetHealthCheck)
            .where(
                and(
-                    eq(
-                        targetHealthCheck.targetHealthCheckId,
-                        healthCheckId
-                    ),
+                    eq(targetHealthCheck.targetHealthCheckId, healthCheckId),
                    eq(targetHealthCheck.orgId, orgId)
                )
            )
--- a/server/private/routers/alertEvents/triggerResourceAlert.ts
+++ b/server/private/routers/alertEvents/triggerResourceAlert.ts
@@ -25,7 +25,7 @@ import {
    fireResourceHealthyAlert,
    fireResourceUnhealthyAlert,
    fireResourceDegradedAlert
-} from "#private/lib/alerts/events/resourceEvents";
+} from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/alertEvents/triggerSiteAlert.ts
+++ b/server/private/routers/alertEvents/triggerSiteAlert.ts
@@ -21,10 +21,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
-import {
-    fireSiteOnlineAlert,
-    fireSiteOfflineAlert
-} from "#private/lib/alerts/events/siteEvents";
+import { fireSiteOnlineAlert, fireSiteOfflineAlert } from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -30,8 +30,10 @@ import {
    userOrgRoles,
    siteProvisioningKeyOrg,
    siteProvisioningKeys,
+    alertRules,
+    targetHealthCheck
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, isNull } from "drizzle-orm";

 /**
 * Get the maximum allowed retention days for a given tier
@@ -318,6 +320,14 @@ async function disableFeature(
                await disableSiteProvisioningKeys(orgId);
                break;

+            case TierFeature.AlertingRules:
+                await disableAlertingRules(orgId);
+                break;
+
+            case TierFeature.StandaloneHealthChecks:
+                await disableStandaloneHealthChecks(orgId);
+                break;
+
            default:
                logger.warn(
                    `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -360,8 +370,7 @@ async function disableFullRbac(orgId: string): Promise<void> {
 async function disableSiteProvisioningKeys(orgId: string): Promise<void> {
    const rows = await db
        .select({
-            siteProvisioningKeyId:
-                siteProvisioningKeyOrg.siteProvisioningKeyId
+            siteProvisioningKeyId: siteProvisioningKeyOrg.siteProvisioningKeyId
        })
        .from(siteProvisioningKeyOrg)
        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
@@ -525,6 +534,29 @@ async function disablePasswordExpirationPolicies(orgId: string): Promise<void> {
    logger.info(`Disabled password expiration policies for org ${orgId}`);
 }

+async function disableAlertingRules(orgId: string): Promise<void> {
+    await db
+        .update(alertRules)
+        .set({ enabled: false })
+        .where(eq(alertRules.orgId, orgId));
+
+    logger.info(`Disabled all alert rules for org ${orgId}`);
+}
+
+async function disableStandaloneHealthChecks(orgId: string): Promise<void> {
+    await db
+        .update(targetHealthCheck)
+        .set({ hcEnabled: false })
+        .where(
+            and(
+                eq(targetHealthCheck.orgId, orgId),
+                isNull(targetHealthCheck.targetId)
+            )
+        );
+
+    logger.info(`Disabled standalone health checks for org ${orgId}`);
+}
+
 async function disableAutoProvisioning(orgId: string): Promise<void> {
    // Get all IDP IDs for this org through the idpOrg join table
    const orgIdps = await db
--- a/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
@@ -174,6 +174,19 @@ export async function handleSubscriptionCreated(
                    // TODO: update user in Sendy
                }
            }
+
+            // delete the trial subscrition if we have one
+            await db
+                .delete(subscriptions)
+                .where(
+                    and(
+                        eq(
+                            subscriptions.customerId,
+                            subscription.customer as string
+                        ),
+                        eq(subscriptions.trial, true)
+                    )
+                );
        } else if (type === "license") {
            logger.debug(
                `License subscription created for org ${customer.orgId}, no lifecycle handling needed.`
--- a/server/private/routers/certificates/createCertificate.ts
+++ b/server/private/routers/certificates/createCertificate.ts
@@ -79,7 +79,7 @@ export async function createCertificate(

    let domainToWrite = domain;
    if (
-        domainRecord.type == "wildcard" &&
+        domainRecord.type == "wildcard" && // this is to fix the wildcard certs for traefik in self hosted NOT ON THE CLOUD
        domainRecord.preferWildcardCert &&
        !domain.startsWith("*.")
    ) {
@@ -89,6 +89,16 @@ export async function createCertificate(
            domainToWrite = parts.slice(1).join(".");
            domainToWrite = `*.${domainToWrite}`;
        }
+    } else if (domainRecord.type == "ns") {
+        // first if we have a * in the domain for this case we dont want to include it because it will mess with the cert generator so remove it
+        if (domain.startsWith("*.")) {
+            domain = domain.slice(2);
+        }
+
+        const parts = domain.split(".");
+        if (parts.length > 2) {
+            domainToWrite = parts.slice(1).join(".");
+        }
    }

    // No cert found, create a new one in pending state
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -165,7 +165,6 @@ authenticated.get(

 authenticated.get(
    "/org/:orgId/certificate/:domainId/:domain",
-    verifyValidLicense,
    verifyOrgAccess,
    verifyCertificateAccess,
    verifyUserHasAction(ActionsEnum.getCertificate),
--- a/server/private/routers/healthChecks/createHealthCheck.ts
+++ b/server/private/routers/healthChecks/createHealthCheck.ts
@@ -22,7 +22,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert } from "#private/lib/alerts";
+import { fireHealthCheckUnhealthyAlert } from "@server/lib/alerts";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
--- a/server/private/routers/healthChecks/updateHealthCheck.ts
+++ b/server/private/routers/healthChecks/updateHealthCheck.ts
@@ -22,7 +22,11 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq, isNull } from "drizzle-orm";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert, fireHealthCheckUnknownAlert, fireHealthCheckHealthyAlert } from "#private/lib/alerts";
+import {
+    fireHealthCheckUnhealthyAlert,
+    fireHealthCheckUnknownAlert,
+    fireHealthCheckHealthyAlert
+} from "@server/lib/alerts";

 const paramsSchema = z
    .object({
@@ -234,7 +238,10 @@ export async function updateHealthCheck(
            )
            .returning();

-        if (updated.hcHealth === "unhealthy" && existingHealthCheck.hcHealth !== "unhealthy") {
+        if (
+            updated.hcHealth === "unhealthy" &&
+            existingHealthCheck.hcHealth !== "unhealthy"
+        ) {
            await fireHealthCheckUnhealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -243,7 +250,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "unknown" && existingHealthCheck.hcHealth !== "unknown") {
+        } else if (
+            updated.hcHealth === "unknown" &&
+            existingHealthCheck.hcHealth !== "unknown"
+        ) {
            // if the health is unknown, we want to fire an alert to notify users to enable health checks
            await fireHealthCheckUnknownAlert(
                updated.orgId,
@@ -253,7 +263,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "healthy" && existingHealthCheck.hcHealth !== "healthy") {
+        } else if (
+            updated.hcHealth === "healthy" &&
+            existingHealthCheck.hcHealth !== "healthy"
+        ) {
            await fireHealthCheckHealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -264,7 +277,6 @@ export async function updateHealthCheck(
            );
        }

-
        // Push updated health check to newt if the site is a newt site
        const [newt] = await db
            .select()
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -67,24 +67,20 @@ if (build == "saas") {
        verifyApiKeyIsRoot,
        certificates.syncCertToNewts
    );
+
+    authenticated.post(
+        `/org/:orgId/send-usage-notification`,
+        verifyApiKeyIsRoot, // We are the only ones who can use root key so its fine
+        org.sendUsageNotification
+    );
+
+    authenticated.post(
+        `/org/:orgId/send-trial-notification`,
+        verifyApiKeyIsRoot,
+        org.sendTrialNotification
+    );
 }

-authenticated.post(
-    `/org/:orgId/send-usage-notification`,
-    verifyApiKeyIsRoot, // We are the only ones who can use root key so its fine
-    verifyApiKeyHasAction(ActionsEnum.sendUsageNotification),
-    logActionAudit(ActionsEnum.sendUsageNotification),
-    org.sendUsageNotification
-);
-
-authenticated.post(
-    `/org/:orgId/send-trial-notification`,
-    verifyApiKeyIsRoot,
-    verifyApiKeyHasAction(ActionsEnum.sendTrialNotification),
-    logActionAudit(ActionsEnum.sendTrialNotification),
-    org.sendTrialNotification
-);
-
 authenticated.delete(
    "/idp/:idpId",
    verifyApiKeyIsRoot,
--- a/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
+++ b/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
@@ -22,6 +22,91 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
+import cache from "#private/lib/cache";
+import semver from "semver";
+
+let stalePangolinNodeVersion: string | null = null;
+
+async function getLatestPangolinNodeVersion(): Promise<string | null> {
+    try {
+        const cachedVersion = await cache.get<string>(
+            "cache:latestPangolinNodeVersion"
+        );
+        if (cachedVersion) {
+            return cachedVersion;
+        }
+
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), 1500);
+
+        const res = await fetch(
+            "https://api.github.com/repos/fosrl/pangolin-node/tags",
+            { signal: controller.signal }
+        );
+
+        clearTimeout(timeoutId);
+
+        if (!res.ok) {
+            logger.warn(
+                `Failed to fetch latest pangolin-node version from GitHub: ${res.status} ${res.statusText}`
+            );
+            return stalePangolinNodeVersion;
+        }
+
+        let tags = await res.json();
+        if (!Array.isArray(tags) || tags.length === 0) {
+            logger.warn("No tags found for pangolin-node repository");
+            return stalePangolinNodeVersion;
+        }
+
+        tags = tags.filter((tag: any) => !tag.name.includes("rc"));
+        tags.sort((a: any, b: any) => {
+            const va = semver.coerce(a.name);
+            const vb = semver.coerce(b.name);
+            if (!va && !vb) return 0;
+            if (!va) return 1;
+            if (!vb) return -1;
+            return semver.rcompare(va, vb);
+        });
+
+        const seen = new Set<string>();
+        tags = tags.filter((tag: any) => {
+            const normalised = semver.coerce(tag.name)?.version;
+            if (!normalised || seen.has(normalised)) return false;
+            seen.add(normalised);
+            return true;
+        });
+
+        if (tags.length === 0) {
+            logger.warn(
+                "No valid semver tags found for pangolin-node repository"
+            );
+            return stalePangolinNodeVersion;
+        }
+
+        const latestVersion = tags[0].name;
+        stalePangolinNodeVersion = latestVersion;
+        await cache.set("cache:latestPangolinNodeVersion", latestVersion, 3600);
+
+        return latestVersion;
+    } catch (error: any) {
+        if (error.name === "AbortError") {
+            logger.warn(
+                "Request to fetch latest pangolin-node version timed out (1.5s)"
+            );
+        } else if (error.cause?.code === "UND_ERR_CONNECT_TIMEOUT") {
+            logger.warn(
+                "Connection timeout while fetching latest pangolin-node version"
+            );
+        } else {
+            logger.warn(
+                "Error fetching latest pangolin-node version:",
+                error.message || error
+            );
+        }
+        return stalePangolinNodeVersion;
+    }
+}

 const listRemoteExitNodesParamsSchema = z.strictObject({
    orgId: z.string()
@@ -118,9 +203,41 @@ export async function listRemoteExitNodes(
        const totalCountResult = await countQuery;
        const totalCount = totalCountResult[0].count;

+        const latestPangolinNodeVersionPromise = getLatestPangolinNodeVersion();
+
+        const nodesWithUpdates = remoteExitNodesList.map((node) => ({
+            ...node,
+            updateAvailable: false
+        }));
+
+        try {
+            const latestPangolinNodeVersion =
+                await latestPangolinNodeVersionPromise;
+
+            if (latestPangolinNodeVersion) {
+                nodesWithUpdates.forEach((node) => {
+                    if (node.version) {
+                        try {
+                            node.updateAvailable = semver.lt(
+                                node.version,
+                                latestPangolinNodeVersion
+                            );
+                        } catch {
+                            node.updateAvailable = false;
+                        }
+                    }
+                });
+            }
+        } catch (error) {
+            logger.warn(
+                "Failed to check for pangolin-node updates, continuing without update info:",
+                error
+            );
+        }
+
        return response<ListRemoteExitNodesResponse>(res, {
            data: {
-                remoteExitNodes: remoteExitNodesList,
+                remoteExitNodes: nodesWithUpdates,
                pagination: {
                    total: totalCount,
                    limit,
--- a/server/routers/alertRule/types.ts
+++ b/server/routers/alertRule/types.ts
@@ -80,6 +80,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
+    /** Whether to use a custom body template */
+    useBodyTemplate?: boolean;
+    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
+    bodyTemplate?: string;
 }

 // ---------------------------------------------------------------------------
--- a/server/routers/auth/deleteMyAccount.ts
+++ b/server/routers/auth/deleteMyAccount.ts
@@ -104,8 +104,9 @@ export async function deleteMyAccount(
                (r) => r.isBillingOrg && r.isOwner
            )?.orgId;
            if (primaryOrgId) {
-                const { tier, active } = await getOrgTierData(primaryOrgId);
-                if (active && tier) {
+                const { tier, active, isTrial } =
+                    await getOrgTierData(primaryOrgId);
+                if (active && tier && !isTrial) {
                    return next(
                        createHttpError(
                            HttpCode.BAD_REQUEST,
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -336,31 +336,22 @@ export async function validateOidcCallback(
                    .innerJoin(orgs, eq(orgs.orgId, idpOrg.orgId));
                allOrgs = idpOrgs.map((o) => o.orgs);

-                // TODO: when there are multiple orgs we need to do this better!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
-                if (allOrgs.length > 1) {
-                    // for some reason there is more than one org
-                    logger.error(
-                        "More than one organization linked to this IdP. This should not happen with auto-provisioning enabled."
+                for (const org of allOrgs) {
+                    const subscribed = await isSubscribed(
+                        org.orgId,
+                        tierMatrix.autoProvisioning
                    );
-                    return next(
-                        createHttpError(
-                            HttpCode.INTERNAL_SERVER_ERROR,
-                            "Multiple organizations linked to this IdP. Please contact support."
-                        )
-                    );
-                }
+                    if (!subscribed) {
+                        // filter out the org
+                        allOrgs = allOrgs.filter((o) => o.orgId !== org.orgId);

-                const subscribed = await isSubscribed(
-                    allOrgs[0].orgId,
-                    tierMatrix.autoProvisioning
-                );
-                if (!subscribed) {
-                    return next(
-                        createHttpError(
-                            HttpCode.FORBIDDEN,
-                            "This organization's current plan does not support this feature."
-                        )
-                    );
+                        // return next(
+                        //     createHttpError(
+                        //         HttpCode.FORBIDDEN,
+                        //         "This organization's current plan does not support this feature."
+                        //     )
+                        // );
+                    }
                }
            } else {
                allOrgs = await db.select().from(orgs);
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -1,12 +1,8 @@
 import { MessageHandler } from "@server/routers/ws";
-import {
-    db,
-    Newt,
-    sites
-} from "@server/db";
+import { db, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert } from "@server/lib/alerts";

 /**
 * Handles disconnecting messages from sites to show disconnected in the ui
@@ -38,7 +34,13 @@ export const handleNewtDisconnectingMessage: MessageHandler = async (
                .where(eq(sites.siteId, newt.siteId!))
                .returning();

-            await fireSiteOfflineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+            await fireSiteOfflineAlert(
+                site.orgId,
+                site.siteId,
+                site.name,
+                undefined,
+                trx
+            );
        });
    } catch (error) {
        logger.error("Error handling disconnecting message", { error });
--- a/server/routers/newt/offlineChecker.ts
+++ b/server/routers/newt/offlineChecker.ts
@@ -1,12 +1,8 @@
-import {
-    db,
-    newts,
-    sites
-} from "@server/db";
+import { db, newts, sites } from "@server/db";
 import { hasActiveConnections } from "#dynamic/routers/ws";
 import { eq, lt, isNull, and, or, ne, not, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "@server/lib/alerts";

 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
--- a/server/routers/newt/pingAccumulator.ts
+++ b/server/routers/newt/pingAccumulator.ts
@@ -2,7 +2,7 @@ import { db } from "@server/db";
 import { sites, clients, olms } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOnlineAlert } from "@server/lib/alerts";

 /**
 * Ping Accumulator
@@ -127,7 +127,11 @@ async function flushSitePingsToDb(): Promise<void> {
                            eq(sites.online, false)
                        )
                    )
-                    .returning({ siteId: sites.siteId, orgId: sites.orgId, name: sites.name });
+                    .returning({
+                        siteId: sites.siteId,
+                        orgId: sites.orgId,
+                        name: sites.name
+                    });

                // Update lastPing for sites that were already online.
                // After the update above, the newly-online sites now have
@@ -148,7 +152,13 @@ async function flushSitePingsToDb(): Promise<void> {

            for (const site of newlyOnlineSites) {
                await db.transaction(async (trx) => {
-                    await fireSiteOnlineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+                    await fireSiteOnlineAlert(
+                        site.orgId,
+                        site.siteId,
+                        site.name,
+                        undefined,
+                        trx
+                    );
                });
            }
        } catch (error) {
--- a/server/routers/remoteExitNode/types.ts
+++ b/server/routers/remoteExitNode/types.ts
@@ -21,6 +21,7 @@ export type ListRemoteExitNodesResponse = {
        remoteExitNodeId: string;
        dateCreated: string;
        version: string | null;
+        updateAvailable?: boolean;
        exitNodeId: number | null;
        name: string;
        address: string;
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -152,7 +152,7 @@ export type ResourceWithTargets = {
        siteId: number;
        siteName: string;
        siteNiceId: string;
-        online: boolean;
+        online?: boolean; // undefined for local sites
    }>;
 };

@@ -383,12 +383,8 @@ export async function listResources(
                .select({ resourceId: targets.resourceId })
                .from(targets)
                .innerJoin(sites, eq(targets.siteId, sites.siteId))
-                .where(
-                    and(eq(sites.orgId, orgId), eq(sites.siteId, siteId))
-                );
-            conditions.push(
-                inArray(resources.resourceId, resourcesWithSite)
-            );
+                .where(and(eq(sites.orgId, orgId), eq(sites.siteId, siteId)));
+            conditions.push(inArray(resources.resourceId, resourcesWithSite));
        }

        const baseQuery = queryResourcesBase().where(and(...conditions));
@@ -426,7 +422,8 @@ export async function listResources(
                          hcEnabled: targetHealthCheck.hcEnabled,
                          siteName: sites.name,
                          siteNiceId: sites.niceId,
-                          siteOnline: sites.online
+                          siteOnline: sites.online,
+                          siteType: sites.type
                      })
                      .from(targets)
                      .where(inArray(targets.resourceId, resourceIdList))
@@ -481,18 +478,19 @@ export async function listResources(
                    siteId: number;
                    siteName: string;
                    siteNiceId: string;
-                    online: boolean;
+                    online?: boolean;
                }
            >();
            for (const t of raw) {
                if (typeof t.siteId !== "number" || siteById.has(t.siteId)) {
                    continue;
                }
+                const isLocal = t.siteType === "local";
                siteById.set(t.siteId, {
                    siteId: t.siteId,
                    siteName: t.siteName ?? "",
                    siteNiceId: t.siteNiceId ?? "",
-                    online: Boolean(t.siteOnline)
+                    online: isLocal ? undefined : Boolean(t.siteOnline)
                });
            }
            entry.sites = Array.from(siteById.values());
--- a/server/routers/site/getSite.ts
+++ b/server/routers/site/getSite.ts
@@ -42,9 +42,12 @@ async function query(siteId?: number, niceId?: string, orgId?: string) {
    }
 }

-export type GetSiteResponse = NonNullable<
-    Awaited<ReturnType<typeof query>>
->["sites"] & { newtId: string | null };
+type SiteQueryRow = NonNullable<Awaited<ReturnType<typeof query>>>;
+
+export type GetSiteResponse = SiteQueryRow["sites"] & {
+    newtId: string | null;
+    newtVersion: string | null;
+};

 registry.registerPath({
    method: "get",
@@ -100,7 +103,8 @@ export async function getSite(

        const data: GetSiteResponse = {
            ...site.sites,
-            newtId: site.newt ? site.newt.newtId : null
+            newtId: site.newt ? site.newt.newtId : null,
+            newtVersion: site.newt?.version ?? null
        };

        return response<GetSiteResponse>(res, {
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -31,7 +31,9 @@ let staleNewtVersion: string | null = null;

 async function getLatestNewtVersion(): Promise<string | null> {
    try {
-        const cachedVersion = await cache.get<string>("cache:latestNewtVersion");
+        const cachedVersion = await cache.get<string>(
+            "cache:latestNewtVersion"
+        );
        if (cachedVersion) {
            return cachedVersion;
        }
@@ -226,7 +228,10 @@ function querySitesBase() {
        );
 }

-type SiteWithUpdateAvailable = Awaited<ReturnType<typeof querySitesBase>>[0] & {
+type SiteRowBase = Awaited<ReturnType<typeof querySitesBase>>[0];
+
+type SiteWithUpdateAvailable = Omit<SiteRowBase, "online"> & {
+    online?: SiteRowBase["online"]; // undefined for local sites
    newtUpdateAvailable?: boolean;
 };

@@ -338,7 +343,9 @@ export async function listSites(

        // we need to add `as` so that drizzle filters the result as a subquery
        const countQuery = db.$count(
-            querySitesBase().where(and(...conditions)).as("filtered_sites")
+            querySitesBase()
+                .where(and(...conditions))
+                .as("filtered_sites")
        );

        const siteListQuery = baseQuery
@@ -397,9 +404,13 @@ export async function listSites(
            );
        }

+        const sitesPayload = sitesWithUpdates.map((site) =>
+            site.type === "local" ? { ...site, online: undefined } : site
+        );
+
        return response<ListSitesResponse>(res, {
            data: {
-                sites: sitesWithUpdates,
+                sites: sitesPayload,
                pagination: {
                    total: totalCount,
                    pageSize,
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -46,7 +46,7 @@ const createSiteResourceSchema = z
        mode: z.enum(["host", "cidr", "http"]),
        ssl: z.boolean().optional(), // only used for http mode
        scheme: z.enum(["http", "https"]).optional(),
-        siteIds: z.array(z.int()),
+        siteIds: z.array(z.int()).optional(),
        siteId: z.number().int().positive().optional(), // DEPRECATED: for backward compatibility, we will convert this to siteIds array if provided
        // proxyPort: z.int().positive().optional(),
        destinationPort: z.int().positive().optional(),
@@ -133,6 +133,17 @@ const createSiteResourceSchema = z
            message:
                "HTTP mode requires scheme (http or https) and a valid destination port"
        }
+    )
+    .refine(
+        (data) => {
+            return (
+                (data.siteIds !== undefined && data.siteIds.length > 0) ||
+                data.siteId !== undefined
+            );
+        },
+        {
+            message: "At least one of siteIds or siteId must be provided"
+        }
    );

 export type CreateSiteResourceBody = z.infer<typeof createSiteResourceSchema>;
@@ -188,7 +199,7 @@ export async function createSiteResource(
        const {
            name,
            niceId,
-            siteIds: siteIdsInput,
+            siteIds: siteIdsInput = [],
            siteId,
            mode,
            scheme,
@@ -485,11 +496,6 @@ export async function createSiteResource(
                    );
                }
            }
-
-            await rebuildClientAssociationsFromSiteResource(
-                newSiteResource,
-                trx
-            ); // we need to call this because we added to the admin role
        });

        if (!newSiteResource) {
@@ -515,6 +521,22 @@ export async function createSiteResource(
            await createCertificate(domainId, fullDomain, db);
        }

+        // Run in the background after the response is sent. Wrapped in its
+        // own transaction so it always executes on the primary — avoiding any
+        // replica-lag issues while still allowing the HTTP response to return
+        // early.
+        db.transaction(async (trx) => {
+            await rebuildClientAssociationsFromSiteResource(
+                newSiteResource!,
+                trx
+            );
+        }).catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${newSiteResource!.siteResourceId}:`,
+                err
+            );
+        });
+
        return response(res, {
            data: newSiteResource,
            success: true,
--- a/server/routers/siteResource/deleteSiteResource.ts
+++ b/server/routers/siteResource/deleteSiteResource.ts
@@ -63,17 +63,26 @@ export async function deleteSiteResource(
            );
        }

-        await db.transaction(async (trx) => {
-            // Delete the site resource
-            const [removedSiteResource] = await trx
-                .delete(siteResources)
-                .where(eq(siteResources.siteResourceId, siteResourceId))
-                .returning();
+        // Delete the site resource
+        const [removedSiteResource] = await db
+            .delete(siteResources)
+            .where(eq(siteResources.siteResourceId, siteResourceId))
+            .returning();

+        // Run in the background after the response is sent. Wrapped in its
+        // own transaction so it always executes on the primary — avoiding any
+        // replica-lag issues while still allowing the HTTP response to return
+        // early.
+        db.transaction(async (trx) => {
            await rebuildClientAssociationsFromSiteResource(
                removedSiteResource,
                trx
            );
+        }).catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${removedSiteResource!.siteResourceId}:`,
+                err
+            );
        });

        logger.info(`Deleted site resource ${siteResourceId}`);
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -43,7 +43,7 @@ const updateSiteResourceParamsSchema = z.strictObject({
 const updateSiteResourceSchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        siteIds: z.array(z.int()),
+        siteIds: z.array(z.int()).optional(),
        siteId: z.int().positive().optional(),
        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
        niceId: z
@@ -143,6 +143,17 @@ const updateSiteResourceSchema = z
            message:
                "HTTP mode requires scheme (http or https) and a valid destination port"
        }
+    )
+    .refine(
+        (data) => {
+            return (
+                (data.siteIds !== undefined && data.siteIds.length > 0) ||
+                data.siteId !== undefined
+            );
+        },
+        {
+            message: "At least one of siteIds or siteId must be provided"
+        }
    );

 export type UpdateSiteResourceBody = z.infer<typeof updateSiteResourceSchema>;
@@ -197,7 +208,7 @@ export async function updateSiteResource(
        const { siteResourceId } = parsedParams.data;
        const {
            name,
-            siteIds: siteIdsInput, // because it can change
+            siteIds: siteIdsInput = [], // because it can change
            siteId,
            niceId,
            mode,
@@ -420,9 +431,6 @@ export async function updateSiteResource(
                    })
                    .returning();

-                // wait some time to allow for messages to be handled
-                await new Promise((resolve) => setTimeout(resolve, 750));
-
                const sshPamSet =
                    isLicensedSshPam &&
                    (authDaemonPort !== undefined ||
@@ -545,11 +553,6 @@ export async function updateSiteResource(
                        }))
                    );
                }
-
-                await rebuildClientAssociationsFromSiteResource(
-                    updatedSiteResource,
-                    trx
-                );
            } else {
                // Update the site resource
                const sshPamSet =
@@ -679,7 +682,24 @@ export async function updateSiteResource(
                }

                logger.info(`Updated site resource ${siteResourceId}`);
+            }
+        });

+        // Background: wait for removal messages to propagate, then rebuild
+        // associations for the re-created resource. Own transaction ensures
+        // execution on the primary against fully committed state.
+        (async () => {
+            await db.transaction(async (trx) => {
+                if (!updatedSiteResource) {
+                    throw new Error("No updated resource found after update");
+                }
+                if (sitesChanged) {
+                    await new Promise((resolve) => setTimeout(resolve, 750));
+                    await rebuildClientAssociationsFromSiteResource(
+                        updatedSiteResource,
+                        trx
+                    );
+                }
                await handleMessagingForUpdatedSiteResource(
                    existingSiteResource,
                    updatedSiteResource,
@@ -689,7 +709,12 @@ export async function updateSiteResource(
                    })),
                    trx
                );
-            }
+            });
+        })().catch((err) => {
+            logger.error(
+                `Error rebuilding client associations for site resource ${updatedSiteResource?.siteResourceId}:`,
+                err
+            );
        });

        return response(res, {
--- a/server/routers/target/createTarget.ts
+++ b/server/routers/target/createTarget.ts
@@ -23,7 +23,7 @@ import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert,
    fireHealthCheckUnknownAlert
-} from "#dynamic/lib/alerts";
+} from "@server/lib/alerts";

 const createTargetParamsSchema = z.strictObject({
    resourceId: z.string().transform(Number).pipe(z.int().positive())
--- a/server/routers/target/handleHealthcheckStatusMessage.ts
+++ b/server/routers/target/handleHealthcheckStatusMessage.ts
@@ -6,7 +6,7 @@ import logger from "@server/logger";
 import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert
-} from "#dynamic/lib/alerts";
+} from "@server/lib/alerts";

 interface TargetHealthStatus {
    status: string;
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -10,7 +10,11 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { addPeer } from "../gerbil/peers";
 import { addTargets } from "../newt/targets";
-import { fireHealthCheckHealthyAlert, fireHealthCheckUnknownAlert, fireHealthCheckUnhealthyAlert } from "#dynamic/lib/alerts";
+import {
+    fireHealthCheckHealthyAlert,
+    fireHealthCheckUnknownAlert,
+    fireHealthCheckUnhealthyAlert
+} from "@server/lib/alerts";
 import { pickPort } from "./helpers";
 import { isTargetValid } from "@server/lib/validators";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -169,7 +173,7 @@ export async function updateTarget(
        let updatedTarget: any;
        let updatedHc: any;
        await db.transaction(async (trx) => {
-             [updatedTarget] = await trx
+            [updatedTarget] = await trx
                .update(targets)
                .set({
                    siteId: parsedBody.data.siteId,
@@ -181,8 +185,12 @@ export async function updateTarget(
                    path: parsedBody.data.path,
                    pathMatchType: parsedBody.data.pathMatchType,
                    priority: parsedBody.data.priority,
-                    rewritePath: pathMatchTypeRemoved ? null : parsedBody.data.rewritePath,
-                    rewritePathType: pathMatchTypeRemoved ? null : parsedBody.data.rewritePathType
+                    rewritePath: pathMatchTypeRemoved
+                        ? null
+                        : parsedBody.data.rewritePath,
+                    rewritePathType: pathMatchTypeRemoved
+                        ? null
+                        : parsedBody.data.rewritePathType
                })
                .where(eq(targets.targetId, targetId))
                .returning();
@@ -213,7 +221,8 @@ export async function updateTarget(
            // If hcEnabled is being turned on (was false, now true), set to "unhealthy"
            // so the target must pass a health check before being considered healthy.
            const hcEnabledTurnedOn =
-                parsedBody.data.hcEnabled === true && existingHc.hcEnabled === false;
+                parsedBody.data.hcEnabled === true &&
+                existingHc.hcEnabled === false;

            let hcHealthValue: "unknown" | "healthy" | "unhealthy" | undefined;
            if (
@@ -253,7 +262,10 @@ export async function updateTarget(
                .where(eq(targetHealthCheck.targetId, targetId))
                .returning();

-            if (updatedHc.hcHealth === "unhealthy" && existingHc.hcHealth !== "unhealthy") {
+            if (
+                updatedHc.hcHealth === "unhealthy" &&
+                existingHc.hcHealth !== "unhealthy"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now unhealthy, firing alert`
                );
@@ -266,7 +278,10 @@ export async function updateTarget(
                    false, // dont send the alert because we just want to create the alert, not notify users yet
                    trx
                );
-            } else if (updatedHc.hcHealth === "unknown" && existingHc.hcHealth !== "unknown") {
+            } else if (
+                updatedHc.hcHealth === "unknown" &&
+                existingHc.hcHealth !== "unknown"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now unknown, firing alert`
                );
@@ -280,7 +295,10 @@ export async function updateTarget(
                    false, // dont send the alert because we just want to create the alert, not notify users yet
                    trx
                );
-            } else if (updatedHc.hcHealth === "healthy" && existingHc.hcHealth !== "healthy") {
+            } else if (
+                updatedHc.hcHealth === "healthy" &&
+                existingHc.hcHealth !== "healthy"
+            ) {
                logger.debug(
                    `Health check ${updatedHc.targetHealthCheckId} for target ${targetId} is now healthy, firing alert`
                );
--- a/server/setup/scriptsPg/1.18.0.ts
+++ b/server/setup/scriptsPg/1.18.0.ts
@@ -16,6 +16,9 @@ export default async function migration() {
                thc."targetId",
                t."siteId",
                s."orgId",
+                r."name" AS "resourceName",
+                t."ip",
+                t."port",
                thc."hcEnabled",
                thc."hcPath",
                thc."hcScheme",
@@ -33,13 +36,17 @@ export default async function migration() {
                thc."hcTlsServerName"
            FROM "targetHealthCheck" thc
            JOIN "targets" t ON thc."targetId" = t."targetId"
-            JOIN "sites" s ON t."siteId" = s."siteId"`
+            JOIN "sites" s ON t."siteId" = s."siteId"
+            JOIN "resources" r ON t."resourceId" = r."resourceId"`
    );
    const existingHealthChecks = healthChecksQuery.rows as {
        targetHealthCheckId: number;
        targetId: number;
        siteId: number;
        orgId: string;
+        resourceName: string;
+        ip: string;
+        port: number;
        hcEnabled: boolean;
        hcPath: string | null;
        hcScheme: string | null;
@@ -385,6 +392,7 @@ export default async function migration() {
                        "targetId",
                        "orgId",
                        "siteId",
+                        "name",
                        "hcEnabled",
                        "hcPath",
                        "hcScheme",
@@ -405,6 +413,7 @@ export default async function migration() {
                        ${hc.targetId},
                        ${hc.orgId},
                        ${hc.siteId},
+                        ${`Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`},
                        ${hc.hcEnabled},
                        ${hc.hcPath},
                        ${hc.hcScheme},
@@ -545,6 +554,72 @@ export default async function migration() {
        throw e;
    }

+    // Recompute resource health by aggregating across the resource's targets'
+    // target health checks, then update the resources.health column to match.
+    try {
+        const resourceTargetHealthQuery = await db.execute(
+            sql`SELECT
+                    r."resourceId" AS "resourceId",
+                    thc."hcHealth" AS "hcHealth"
+                FROM "resources" r
+                LEFT JOIN "targets" t ON t."resourceId" = r."resourceId"
+                LEFT JOIN "targetHealthCheck" thc ON thc."targetId" = t."targetId"`
+        );
+        const resourceTargetHealthRows =
+            resourceTargetHealthQuery.rows as {
+                resourceId: number;
+                hcHealth: string | null;
+            }[];
+
+        const resourceHealthMap = new Map<
+            number,
+            { hasHealthy: boolean; hasUnhealthy: boolean; hasUnknown: boolean }
+        >();
+        for (const row of resourceTargetHealthRows) {
+            const entry = resourceHealthMap.get(row.resourceId) ?? {
+                hasHealthy: false,
+                hasUnhealthy: false,
+                hasUnknown: false
+            };
+            const status = row.hcHealth ?? "unknown";
+            if (status === "healthy") entry.hasHealthy = true;
+            else if (status === "unhealthy") entry.hasUnhealthy = true;
+            else entry.hasUnknown = true;
+            resourceHealthMap.set(row.resourceId, entry);
+        }
+
+        let updatedResourceCount = 0;
+        for (const [resourceId, flags] of resourceHealthMap.entries()) {
+            let aggregated: "healthy" | "unhealthy" | "degraded" | "unknown";
+            if (flags.hasHealthy && flags.hasUnhealthy) {
+                aggregated = "degraded";
+            } else if (flags.hasHealthy) {
+                aggregated = "healthy";
+            } else if (flags.hasUnhealthy) {
+                aggregated = "unhealthy";
+            } else {
+                aggregated = "unknown";
+            }
+
+            await db.execute(sql`
+                UPDATE "resources"
+                SET "health" = ${aggregated}
+                WHERE "resourceId" = ${resourceId}
+            `);
+            updatedResourceCount++;
+        }
+
+        console.log(
+            `Recomputed health for ${updatedResourceCount} resource(s) based on target health checks`
+        );
+    } catch (e) {
+        console.error(
+            "Error while recomputing resource health from target health checks:",
+            e
+        );
+        throw e;
+    }
+
    // Seed statusHistory for all existing health checks
    try {
        const healthChecksQuery = await db.execute(
--- a/server/setup/scriptsSqlite/1.18.0.ts
+++ b/server/setup/scriptsSqlite/1.18.0.ts
@@ -22,6 +22,9 @@ export default async function migration() {
                    thc."targetId",
                    t."siteId",
                    s."orgId",
+                    r."name" AS "resourceName",
+                    t."ip",
+                    t."port",
                    thc."hcEnabled",
                    thc."hcPath",
                    thc."hcScheme",
@@ -39,13 +42,17 @@ export default async function migration() {
                    thc."hcTlsServerName"
                FROM 'targetHealthCheck' thc
                JOIN 'targets' t ON thc."targetId" = t."targetId"
-                JOIN 'sites' s ON t."siteId" = s."siteId"`
+                JOIN 'sites' s ON t."siteId" = s."siteId"
+                JOIN 'resources' r ON t."resourceId" = r."resourceId"`
            )
            .all() as {
            targetHealthCheckId: number;
            targetId: number;
            siteId: number;
            orgId: string;
+            resourceName: string;
+            ip: string;
+            port: number;
            hcEnabled: number;
            hcPath: string | null;
            hcScheme: string | null;
@@ -255,7 +262,7 @@ export default async function migration() {
            ).run();
            db.prepare(
                `
-                INSERT INTO '__new_siteResources'("siteResourceId", "orgId", "networkId", "defaultNetworkId", "niceId", "name", "ssl", "mode", "scheme", "proxyPort", "destinationPort", "destination", "enabled", "alias", "aliasAddress", "tcpPortRangeString", "udpPortRangeString", "disableIcmp", "authDaemonPort", "authDaemonMode", "domainId", "subdomain", "fullDomain") SELECT "siteResourceId", "orgId", NULL, NULL, "niceId", "name", 0, "mode", NULL, "proxyPort", "destinationPort", "destination", "enabled", "alias", "aliasAddress", "tcpPortRangeString", "udpPortRangeString", "disableIcmp", "authDaemonPort", "authDaemonMode", NULL, NULL, NULL FROM 'siteResources';
+                INSERT INTO '__new_siteResources'("siteResourceId", "orgId", "networkId", "defaultNetworkId", "niceId", "name", "ssl", "mode", "scheme", "proxyPort", "destinationPort", "destination", "enabled", "alias", "aliasAddress", "tcpPortRangeString", "udpPortRangeString", "disableIcmp", "authDaemonPort", "authDaemonMode", "domainId", "subdomain", "fullDomain") SELECT "siteResourceId", "orgId", NULL, NULL, "niceId", "name", 0, "mode", NULL, "proxyPort", "destinationPort", "destination", "enabled", "alias", "aliasAddress", COALESCE("tcpPortRangeString", '*'), COALESCE("udpPortRangeString", '*'), COALESCE("disableIcmp", 0), "authDaemonPort", "authDaemonMode", NULL, NULL, NULL FROM 'siteResources';
            `
            ).run();
            db.prepare(
@@ -392,6 +399,7 @@ export default async function migration() {
                    "targetId",
                    "orgId",
                    "siteId",
+                    "name",
                    "hcEnabled",
                    "hcPath",
                    "hcScheme",
@@ -407,7 +415,7 @@ export default async function migration() {
                    "hcStatus",
                    "hcHealth",
                    "hcTlsServerName"
-                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
            );

            const insertAll = db.transaction(() => {
@@ -417,6 +425,7 @@ export default async function migration() {
                        hc.targetId,
                        hc.orgId,
                        hc.siteId,
+                        `Resource ${hc.resourceName} - ${hc.ip}:${hc.port}`,
                        hc.hcEnabled,
                        hc.hcPath,
                        hc.hcScheme,
@@ -509,6 +518,70 @@ export default async function migration() {
            `Seeded statusHistory for ${allResources.length} resource(s)`
        );

+        // Recompute resource health by aggregating across the resource's
+        // targets' target health checks, then update resources.health.
+        const resourceTargetHealthRows = db
+            .prepare(
+                `SELECT
+                    r."resourceId" AS "resourceId",
+                    thc."hcHealth" AS "hcHealth"
+                 FROM 'resources' r
+                 LEFT JOIN 'targets' t ON t."resourceId" = r."resourceId"
+                 LEFT JOIN 'targetHealthCheck' thc ON thc."targetId" = t."targetId"`
+            )
+            .all() as {
+            resourceId: number;
+            hcHealth: string | null;
+        }[];
+
+        const resourceHealthMap = new Map<
+            number,
+            {
+                hasHealthy: boolean;
+                hasUnhealthy: boolean;
+                hasUnknown: boolean;
+            }
+        >();
+        for (const row of resourceTargetHealthRows) {
+            const entry = resourceHealthMap.get(row.resourceId) ?? {
+                hasHealthy: false,
+                hasUnhealthy: false,
+                hasUnknown: false
+            };
+            const status = row.hcHealth ?? "unknown";
+            if (status === "healthy") entry.hasHealthy = true;
+            else if (status === "unhealthy") entry.hasUnhealthy = true;
+            else entry.hasUnknown = true;
+            resourceHealthMap.set(row.resourceId, entry);
+        }
+
+        const updateResourceHealth = db.prepare(
+            `UPDATE 'resources' SET "health" = ? WHERE "resourceId" = ?`
+        );
+        const recomputeResourceHealth = db.transaction(() => {
+            for (const [resourceId, flags] of resourceHealthMap.entries()) {
+                let aggregated:
+                    | "healthy"
+                    | "unhealthy"
+                    | "degraded"
+                    | "unknown";
+                if (flags.hasHealthy && flags.hasUnhealthy) {
+                    aggregated = "degraded";
+                } else if (flags.hasHealthy) {
+                    aggregated = "healthy";
+                } else if (flags.hasUnhealthy) {
+                    aggregated = "unhealthy";
+                } else {
+                    aggregated = "unknown";
+                }
+                updateResourceHealth.run(aggregated, resourceId);
+            }
+        });
+        recomputeResourceHealth();
+        console.log(
+            `Recomputed health for ${resourceHealthMap.size} resource(s) based on target health checks`
+        );
+
        // Seed statusHistory for all existing health checks
        const allHealthChecks = db
            .prepare(
--- a/src/app/[orgId]/settings/(private)/remote-exit-nodes/page.tsx
+++ b/src/app/[orgId]/settings/(private)/remote-exit-nodes/page.tsx
@@ -45,6 +45,7 @@ export default async function RemoteExitNodesPage(
                type: node.type,
                dateCreated: node.dateCreated,
                version: node.version || undefined,
+                updateAvailable: node.updateAvailable,
                orgId: params.orgId
            };
        }
--- a/src/app/[orgId]/settings/resources/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/page.tsx
@@ -120,6 +120,7 @@ export default async function ProxyResourcesPage(
                  : "not_protected",
            enabled: resource.enabled,
            domainId: resource.domainId || undefined,
+            fullDomain: resource.fullDomain ?? null,
            ssl: resource.ssl,
            targets: resource.targets?.map((target) => ({
                targetId: target.targetId,
--- a/src/app/auth/login/page.tsx
+++ b/src/app/auth/login/page.tsx
@@ -160,6 +160,18 @@ export default async function Page(props: {
                                redirect={redirectUrl}
                                forceLogin={forceLogin}
                                defaultUser={defaultUser}
+                                orgSignIn={
+                                    !isInvite &&
+                                    (build === "saas" ||
+                                        env.app.identityProviderMode === "org")
+                                        ? {
+                                              href: `/auth/org${buildQueryString(searchParams)}`,
+                                              linkText: t("orgAuthSignInToOrg"),
+                                              descriptionText:
+                                                  t("needToSignInToOrg")
+                                          }
+                                        : undefined
+                                }
                            />
                        </CardContent>
                    </Card>
@@ -195,7 +207,8 @@ export default async function Page(props: {
                </p>
            )}

-            {!isInvite &&
+            {!useSmartLogin &&
+            !isInvite &&
            (build === "saas" || env.app.identityProviderMode === "org") ? (
                <OrgSignInLink
                    href={`/auth/org${buildQueryString(searchParams)}`}
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -23,7 +23,7 @@ import { TanstackQueryProvider } from "@app/components/TanstackQueryProvider";
 import { TailwindIndicator } from "@app/components/TailwindIndicator";
 import { ViewportHeightFix } from "@app/components/ViewportHeightFix";
 import StoreInternalRedirect from "@app/components/StoreInternalRedirect";
-import { Inter, Mona_Sans } from "next/font/google";
+import localFont from "next/font/local";

 export const metadata: Metadata = {
    title: `Dashboard - ${process.env.BRANDING_APP_NAME || "Pangolin"}`,
@@ -32,12 +32,30 @@ export const metadata: Metadata = {

 export const dynamic = "force-dynamic";

-const inter = Inter({
-    subsets: ["latin"]
-});
-
-const monaSans = Mona_Sans({
-    subsets: ["latin"]
+const monaSans = localFont({
+    src: [
+        {
+            path: "../fonts/mona-sans/MonaSans-Regular.woff2",
+            weight: "400",
+            style: "normal"
+        },
+        {
+            path: "../fonts/mona-sans/MonaSans-Medium.woff2",
+            weight: "500",
+            style: "normal"
+        },
+        {
+            path: "../fonts/mona-sans/MonaSans-SemiBold.woff2",
+            weight: "600",
+            style: "normal"
+        },
+        {
+            path: "../fonts/mona-sans/MonaSans-Bold.woff2",
+            weight: "700",
+            style: "normal"
+        }
+    ],
+    display: "swap"
 });

 const fontClassName = monaSans.className;
--- a/src/components/AuthPageSettings.tsx
+++ b/src/components/AuthPageSettings.tsx
@@ -399,11 +399,10 @@ function AuthPageSettings({
                                        </div>
                                    )}

-                                    {env.flags.usePangolinDns &&
-                                        (build === "enterprise" ||
-                                            !isPaidUser(
-                                                tierMatrix.loginPageDomain
-                                            )) &&
+                                    {build !== "oss" && (build === "enterprise" ||
+                                        !isPaidUser(
+                                            tierMatrix.loginPageDomain
+                                        )) &&
                                        loginPage?.domainId &&
                                        loginPage?.fullDomain &&
                                        !hasUnsavedChanges && (
--- a/src/components/CertificateStatus.tsx
+++ b/src/components/CertificateStatus.tsx
@@ -1,43 +1,38 @@
 "use client";

 import { Button } from "@/components/ui/button";
-import { Loader2, RotateCw } from "lucide-react";
+import { FileBadge, RotateCw } from "lucide-react";
 import { useCertificate } from "@app/hooks/useCertificate";
+import type { GetCertificateResponse } from "@server/routers/certificates/types";
 import { useTranslations } from "next-intl";

-type CertificateStatusProps = {
-    orgId: string;
-    domainId: string;
-    fullDomain: string;
-    autoFetch?: boolean;
+export type CertificateStatusContentProps = {
+    cert: GetCertificateResponse | null;
+    certLoading: boolean;
+    certError: string | null;
+    refreshing: boolean;
+    refreshCert: () => Promise<void>;
    showLabel?: boolean;
    className?: string;
    onRefresh?: () => void;
-    polling?: boolean;
-    pollingInterval?: number;
 };

-export default function CertificateStatus({
-    orgId,
-    domainId,
-    fullDomain,
-    autoFetch = true,
+/** Presentation-only certificate row (shared hook state possible via props). */
+export function CertificateStatusContent({
+    cert,
+    certLoading,
+    certError,
+    refreshing,
+    refreshCert,
    showLabel = true,
    className = "",
-    onRefresh,
-    polling = false,
-    pollingInterval = 5000
-}: CertificateStatusProps) {
+    onRefresh
+}: CertificateStatusContentProps) {
    const t = useTranslations();
-    const { cert, certLoading, certError, refreshing, refreshCert } =
-        useCertificate({
-            orgId,
-            domainId,
-            fullDomain,
-            autoFetch,
-            polling,
-            pollingInterval
-        });
+
+    const labelClass =
+        "inline-flex shrink-0 items-center self-center text-sm font-medium leading-none";
+    const valueClass = "inline-flex items-center gap-2 text-sm leading-none";

    const handleRefresh = async () => {
        await refreshCert();
@@ -74,13 +69,13 @@ export default function CertificateStatus({
        return (
            <div className={`flex items-center gap-2 ${className}`}>
                {showLabel && (
-                    <span className="text-sm font-medium">
+                    <span className={labelClass}>
                        {t("certificateStatus")}:
                    </span>
                )}
-                <span className="inline-flex items-center gap-1.5 text-sm text-muted-foreground">
-                    <Loader2
-                        className="h-3.5 w-3.5 shrink-0 animate-spin"
+                <span className={valueClass}>
+                    <FileBadge
+                        className="h-4 w-4 shrink-0 animate-pulse text-muted-foreground"
                        aria-hidden
                    />
                    {t("loading")}
@@ -93,11 +88,17 @@ export default function CertificateStatus({
        return (
            <div className={`flex items-center gap-2 ${className}`}>
                {showLabel && (
-                    <span className="text-sm font-medium">
+                    <span className={labelClass}>
                        {t("certificateStatus")}:
                    </span>
                )}
-                <span className="text-sm text-red-500">{certError}</span>
+                <span className={valueClass}>
+                    <FileBadge
+                        className="h-4 w-4 shrink-0 text-red-500"
+                        aria-hidden
+                    />
+                    {certError}
+                </span>
            </div>
        );
    }
@@ -106,11 +107,15 @@ export default function CertificateStatus({
        return (
            <div className={`flex items-center gap-2 ${className}`}>
                {showLabel && (
-                    <span className="text-sm font-medium">
+                    <span className={labelClass}>
                        {t("certificateStatus")}:
                    </span>
                )}
-                <span className="text-sm text-muted-foreground">
+                <span className={valueClass}>
+                    <FileBadge
+                        className="h-4 w-4 shrink-0 text-muted-foreground"
+                        aria-hidden
+                    />
                    {t("none", { defaultValue: "None" })}
                </span>
            </div>
@@ -123,50 +128,102 @@ export default function CertificateStatus({
    return (
        <div className={`flex items-center gap-2 ${className}`}>
            {showLabel && (
-                <span className="text-sm font-medium">
-                    {t("certificateStatus")}:
-                </span>
+                <span className={labelClass}>{t("certificateStatus")}:</span>
            )}
-            {isPending ? (
+            {isPending && !disableRestartButton ? (
                <Button
                    variant="ghost"
-                    className={`h-auto p-0 text-sm ${getStatusColor(cert.status)}`}
+                    className="h-auto min-h-0 shrink-0 p-0 text-sm font-normal leading-none inline-flex items-center self-center"
                    onClick={handleRefresh}
-                    disabled={refreshing || disableRestartButton}
+                    disabled={refreshing}
                    title={t("restartCertificate", {
                        defaultValue: "Restart Certificate"
                    })}
                >
-                    <span className="inline-flex items-center gap-1">
-                        {cert.status.charAt(0).toUpperCase() + cert.status.slice(1)}
+                    <span className="inline-flex items-center gap-2 leading-none">
+                        <FileBadge
+                            className={`h-4 w-4 shrink-0 ${getStatusColor(cert.status)}`}
+                            aria-hidden
+                        />
+                        {cert.status.charAt(0).toUpperCase() +
+                            cert.status.slice(1)}
                        <RotateCw
-                            className={`h-3 w-3 ${refreshing ? "animate-spin" : ""}`}
+                            className={`h-3 w-3 shrink-0 ${refreshing ? "animate-spin" : ""}`}
                        />
                    </span>
                </Button>
            ) : (
-                <span className={`text-sm ${getStatusColor(cert.status)}`}>
-                    <span className="inline-flex items-center gap-1">
-                        {cert.status.charAt(0).toUpperCase() + cert.status.slice(1)}
-                        {shouldShowRefreshButton(cert.status, cert.updatedAt) && (
-                            <Button
-                                size="icon"
-                                variant="ghost"
-                                className="p-0 w-3 h-auto align-middle"
-                                onClick={handleRefresh}
-                                disabled={refreshing || disableRestartButton}
-                                title={t("restartCertificate", {
-                                    defaultValue: "Restart Certificate"
-                                })}
-                            >
-                                <RotateCw
-                                    className={`w-3 h-3 ${refreshing ? "animate-spin" : ""}`}
-                                />
-                            </Button>
-                        )}
-                    </span>
+                <span className={valueClass}>
+                    <FileBadge
+                        className={`h-4 w-4 shrink-0 ${getStatusColor(cert.status)}`}
+                        aria-hidden
+                    />
+                    {cert.status.charAt(0).toUpperCase() + cert.status.slice(1)}
+                    {shouldShowRefreshButton(cert.status, cert.updatedAt) &&
+                    !disableRestartButton ? (
+                        <Button
+                            size="icon"
+                            variant="ghost"
+                            className="inline-flex h-auto min-h-0 w-3 shrink-0 items-center justify-center self-center p-0"
+                            onClick={handleRefresh}
+                            disabled={refreshing}
+                            title={t("restartCertificate", {
+                                defaultValue: "Restart Certificate"
+                            })}
+                        >
+                            <RotateCw
+                                className={`h-3 w-3 shrink-0 ${refreshing ? "animate-spin" : ""}`}
+                            />
+                        </Button>
+                    ) : null}
                </span>
            )}
        </div>
    );
 }
+
+type CertificateStatusProps = {
+    orgId: string;
+    domainId: string;
+    fullDomain: string;
+    autoFetch?: boolean;
+    showLabel?: boolean;
+    className?: string;
+    onRefresh?: () => void;
+    polling?: boolean;
+    pollingInterval?: number;
+};
+
+export default function CertificateStatus({
+    orgId,
+    domainId,
+    fullDomain,
+    autoFetch = true,
+    showLabel = true,
+    className = "",
+    onRefresh,
+    polling = false,
+    pollingInterval = 5000
+}: CertificateStatusProps) {
+    const hook = useCertificate({
+        orgId,
+        domainId,
+        fullDomain,
+        autoFetch,
+        polling,
+        pollingInterval
+    });
+
+    return (
+        <CertificateStatusContent
+            cert={hook.cert}
+            certLoading={hook.certLoading}
+            certError={hook.certError}
+            refreshing={hook.refreshing}
+            refreshCert={hook.refreshCert}
+            showLabel={showLabel}
+            className={className}
+            onRefresh={onRefresh}
+        />
+    );
+}
--- a/src/components/ClientResourcesTable.tsx
+++ b/src/components/ClientResourcesTable.tsx
@@ -51,6 +51,8 @@ import {
    ResourceSitesStatusCell,
    type ResourceSiteRow
 } from "@app/components/ResourceSitesStatusCell";
+import { ResourceAccessCertIndicator } from "@app/components/ResourceAccessCertIndicator";
+import { build } from "@server/build";

 export type InternalResourceSiteRow = ResourceSiteRow;

@@ -440,13 +442,34 @@ export default function ClientResourcesTable({
                    );
                }
                if (resourceRow.mode === "http") {
-                    const url = `${resourceRow.ssl ? "https" : "http"}://${resourceRow.fullDomain}`;
+                    const domainId = resourceRow.domainId;
+                    const fullDomain = resourceRow.fullDomain;
+                    const url = `${resourceRow.ssl ? "https" : "http"}://${fullDomain}`;
+                    const did =
+                        build !== "oss" &&
+                        resourceRow.ssl &&
+                        domainId != null &&
+                        domainId !== "" &&
+                        fullDomain != null &&
+                        fullDomain !== "";
+
                    return (
-                        <CopyToClipboard
-                            text={url}
-                            isLink={isSafeUrlForLink(url)}
-                            displayText={url}
-                        />
+                        <div className="flex items-center gap-2 min-w-0">
+                            {did ? (
+                                <ResourceAccessCertIndicator
+                                    orgId={resourceRow.orgId}
+                                    domainId={domainId}
+                                    fullDomain={fullDomain}
+                                />
+                            ) : null}
+                            <div className="">
+                                <CopyToClipboard
+                                    text={url}
+                                    isLink={isSafeUrlForLink(url)}
+                                    displayText={url}
+                                />
+                            </div>
+                        </div>
                    );
                }
                return <span>-</span>;
--- a/src/components/Credenza.tsx
+++ b/src/components/Credenza.tsx
@@ -145,21 +145,19 @@ const CredenzaTitle = ({ className, children, ...props }: CredenzaProps) => {
 };

 const CredenzaBody = ({ className, children, ...props }: CredenzaProps) => {
-    // return (
-    //     <div className={cn("px-4 md:px-0 mb-4", className)} {...props}>
-    //         {children}
-    //     </div>
-    // );
-
    return (
        <div
            className={cn(
-                "min-h-0 min-w-0 flex-1 space-y-4 overflow-y-auto overflow-x-hidden px-0",
+                "relative min-h-0 min-w-0 flex-1 overflow-y-auto overflow-x-hidden px-0",
                className
            )}
            {...props}
        >
-            {children}
+            <div className="space-y-4">{children}</div>
+            <div
+                className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent"
+                aria-hidden
+            />
        </div>
    );
 };
@@ -172,7 +170,7 @@ const CredenzaFooter = ({ className, children, ...props }: CredenzaProps) => {
    return (
        <CredenzaFooter
            className={cn(
-                "mt-8 shrink-0 border-t border-border py-4 -mx-6 gap-2 px-6 bg-card md:mt-0 md:-mb-4 md:gap-0",
+                "-mt-4 shrink-0 border-t border-border py-4 -mx-6 gap-2 px-6 bg-card md:-mb-4 md:gap-0",
                className
            )}
            {...props}
--- a/src/components/ExitNodesTable.tsx
+++ b/src/components/ExitNodesTable.tsx
@@ -21,6 +21,7 @@ import { createApiClient } from "@app/lib/api";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import { Badge } from "@app/components/ui/badge";
+import { InfoPopup } from "@app/components/ui/info-popup";

 export type RemoteExitNodeRow = {
    id: string;
@@ -33,6 +34,7 @@ export type RemoteExitNodeRow = {
    online: boolean;
    dateCreated: string;
    version?: string;
+    updateAvailable?: boolean;
 };

 type ExitNodesTableProps = {
@@ -233,13 +235,18 @@ export default function ExitNodesTable({
                const originalRow = row.original;
                return (
                    <div className="flex items-center space-x-1">
-                        {originalRow.version && originalRow.version ? (
+                        {originalRow.version ? (
                            <Badge variant="secondary">
                                {"v" + originalRow.version}
                            </Badge>
                        ) : (
                            "-"
                        )}
+                        {originalRow.updateAvailable && (
+                            <InfoPopup
+                                info={t("pangolinNodeUpdateAvailableInfo")}
+                            />
+                        )}
                    </div>
                );
            }
--- a/src/components/HealthCheckCredenza.tsx
+++ b/src/components/HealthCheckCredenza.tsx
@@ -485,6 +485,7 @@ export function HealthCheckCredenza(props: HealthCheckCredenzaProps) {
                                                    onSelectSite={(site) => {
                                                        setSelectedSite(site);
                                                    }}
+                                                    filterTypes={["newt"]}
                                                />
                                            </PopoverContent>
                                        </Popover>
--- a/src/components/InternalResourceForm.tsx
+++ b/src/components/InternalResourceForm.tsx
@@ -55,6 +55,7 @@ import { MachinesSelector } from "./machines-selector";
 import DomainPicker from "@app/components/DomainPicker";
 import { SwitchInput } from "@app/components/SwitchInput";
 import CertificateStatus from "@app/components/CertificateStatus";
+import { build } from "@server/build";

 // --- Helpers (shared) ---

@@ -156,7 +157,7 @@ export type InternalResourceData = {
 const tagSchema = z.object({ id: z.string(), text: z.string() });

 function buildSelectedSitesForResource(
-    resource: InternalResourceData,
+    resource: InternalResourceData
 ): Selectedsite[] {
    return resource.siteIds.map((siteId, idx) => ({
        name: resource.siteNames[idx] ?? "",
@@ -609,9 +610,7 @@ export function InternalResourceForm({
                    users: [],
                    clients: []
                });
-                setSelectedSites(
-                    buildSelectedSitesForResource(resource)
-                );
+                setSelectedSites(buildSelectedSitesForResource(resource));
                setTcpPortMode(
                    getPortModeFromString(resource.tcpPortRangeString)
                );
@@ -800,7 +799,9 @@ export function InternalResourceForm({
                                                                    );
                                                                    field.onChange(
                                                                        sites.map(
-                                                                            (s) =>
+                                                                            (
+                                                                                s
+                                                                            ) =>
                                                                                s.siteId
                                                                        )
                                                                    );
@@ -822,15 +823,21 @@ export function InternalResourceForm({
                                                    [
                                                        {
                                                            value: "host",
-                                                            label: t(modeHostKey)
+                                                            label: t(
+                                                                modeHostKey
+                                                            )
                                                        },
                                                        {
                                                            value: "cidr",
-                                                            label: t(modeCidrKey)
+                                                            label: t(
+                                                                modeCidrKey
+                                                            )
                                                        },
                                                        {
                                                            value: "http",
-                                                            label: t(modeHttpKey)
+                                                            label: t(
+                                                                modeHttpKey
+                                                            )
                                                        }
                                                    ];
                                                return (
@@ -839,7 +846,9 @@ export function InternalResourceForm({
                                                            {t(modeLabelKey)}
                                                        </FormLabel>
                                                        <OptionSelect<InternalResourceMode>
-                                                            options={modeOptions}
+                                                            options={
+                                                                modeOptions
+                                                            }
                                                            value={field.value}
                                                            onChange={
                                                                field.onChange
@@ -899,7 +908,9 @@ export function InternalResourceForm({
                                                            field.value ??
                                                            "http"
                                                        }
-                                                        disabled={httpSectionDisabled}
+                                                        disabled={
+                                                            httpSectionDisabled
+                                                        }
                                                    >
                                                        <FormControl>
                                                            <SelectTrigger className="w-full">
@@ -940,7 +951,10 @@ export function InternalResourceForm({
                                                    <Input
                                                        {...field}
                                                        className="w-full"
-                                                        disabled={isHttpMode && httpSectionDisabled}
+                                                        disabled={
+                                                            isHttpMode &&
+                                                            httpSectionDisabled
+                                                        }
                                                    />
                                                </FormControl>
                                                <FormMessage />
@@ -996,7 +1010,9 @@ export function InternalResourceForm({
                                                                field.value ??
                                                                ""
                                                            }
-                                                            disabled={httpSectionDisabled}
+                                                            disabled={
+                                                                httpSectionDisabled
+                                                            }
                                                            onChange={(e) => {
                                                                const raw =
                                                                    e.target
@@ -1031,7 +1047,9 @@ export function InternalResourceForm({
                        </div>

                        {isHttpMode && (
-                            <PaidFeaturesAlert tiers={tierMatrix.httpPrivateResources} />
+                            <PaidFeaturesAlert
+                                tiers={tierMatrix.httpPrivateResources}
+                            />
                        )}

                        {isHttpMode ? (
@@ -1044,55 +1062,61 @@ export function InternalResourceForm({
                                        {t(httpConfigurationDescriptionKey)}
                                    </div>
                                </div>
-                                <div className={httpSectionDisabled ? "pointer-events-none opacity-50" : undefined}>
-                                <DomainPicker
-                                    key={
-                                        variant === "edit" && siteResourceId
-                                            ? `http-domain-${siteResourceId}`
-                                            : "http-domain-create"
+                                <div
+                                    className={
+                                        httpSectionDisabled
+                                            ? "pointer-events-none opacity-50"
+                                            : undefined
                                    }
-                                    orgId={orgId}
-                                    cols={2}
-                                    hideFreeDomain
-                                    defaultSubdomain={
-                                        httpConfigSubdomain ?? undefined
-                                    }
-                                    defaultDomainId={
-                                        httpConfigDomainId ?? undefined
-                                    }
-                                    defaultFullDomain={
-                                        httpConfigFullDomain ?? undefined
-                                    }
-                                    onDomainChange={(res) => {
-                                        if (res === null) {
+                                >
+                                    <DomainPicker
+                                        key={
+                                            variant === "edit" && siteResourceId
+                                                ? `http-domain-${siteResourceId}`
+                                                : "http-domain-create"
+                                        }
+                                        orgId={orgId}
+                                        cols={2}
+                                        hideFreeDomain
+                                        defaultSubdomain={
+                                            httpConfigSubdomain ?? undefined
+                                        }
+                                        defaultDomainId={
+                                            httpConfigDomainId ?? undefined
+                                        }
+                                        defaultFullDomain={
+                                            httpConfigFullDomain ?? undefined
+                                        }
+                                        onDomainChange={(res) => {
+                                            if (res === null) {
+                                                form.setValue(
+                                                    "httpConfigSubdomain",
+                                                    null
+                                                );
+                                                form.setValue(
+                                                    "httpConfigDomainId",
+                                                    null
+                                                );
+                                                form.setValue(
+                                                    "httpConfigFullDomain",
+                                                    null
+                                                );
+                                                return;
+                                            }
                                            form.setValue(
                                                "httpConfigSubdomain",
-                                                null
+                                                res.subdomain ?? null
                                            );
                                            form.setValue(
                                                "httpConfigDomainId",
-                                                null
+                                                res.domainId
                                            );
                                            form.setValue(
                                                "httpConfigFullDomain",
-                                                null
+                                                res.fullDomain
                                            );
-                                            return;
-                                        }
-                                        form.setValue(
-                                            "httpConfigSubdomain",
-                                            res.subdomain ?? null
-                                        );
-                                        form.setValue(
-                                            "httpConfigDomainId",
-                                            res.domainId
-                                        );
-                                        form.setValue(
-                                            "httpConfigFullDomain",
-                                            res.fullDomain
-                                        );
-                                    }}
-                                />
+                                        }}
+                                    />
                                </div>
                                <div className="flex items-start justify-between gap-4">
                                    <FormField
@@ -1103,7 +1127,9 @@ export function InternalResourceForm({
                                                <FormControl>
                                                    <SwitchInput
                                                        id="internal-resource-ssl"
-                                                        label={t(enableSslLabelKey)}
+                                                        label={t(
+                                                            enableSslLabelKey
+                                                        )}
                                                        description={t(
                                                            enableSslDescriptionKey
                                                        )}
@@ -1111,7 +1137,9 @@ export function InternalResourceForm({
                                                        onCheckedChange={
                                                            field.onChange
                                                        }
-                                                        disabled={httpSectionDisabled}
+                                                        disabled={
+                                                            httpSectionDisabled
+                                                        }
                                                    />
                                                </FormControl>
                                            </FormItem>
@@ -1120,15 +1148,22 @@ export function InternalResourceForm({
                                    {variant === "edit" &&
                                        resource?.domainId &&
                                        httpConfigFullDomain &&
+                                        httpConfigDomainId ===
+                                            resource.domainId &&
+                                        httpConfigFullDomain ===
+                                            resource.fullDomain &&
+                                        build != "oss" &&
                                        form.watch("ssl") && (
-                                            <div className="flex items-center gap-1 pt-1">
-                                                <span className="text-sm font-medium text-muted-foreground">
+                                            <div className="flex items-center gap-2 pt-1">
+                                                <span className="text-sm font-medium">
                                                    {t("certificateStatus")}:
                                                </span>
                                                <CertificateStatus
                                                    orgId={resource.orgId}
                                                    domainId={resource.domainId}
-                                                    fullDomain={httpConfigFullDomain}
+                                                    fullDomain={
+                                                        httpConfigFullDomain
+                                                    }
                                                    autoFetch={true}
                                                    showLabel={false}
                                                    polling={true}
--- a/src/components/OrgSignInLink.tsx
+++ b/src/components/OrgSignInLink.tsx
@@ -5,11 +5,15 @@ import { useRouter } from "next/navigation";
 import { useTranslations } from "next-intl";
 import { Alert, AlertDescription, AlertTitle } from "@app/components/ui/alert";
 import { Button } from "@app/components/ui/button";
+import { cn } from "@app/lib/cn";
+import { Building2 } from "lucide-react";

 type OrgSignInLinkProps = {
    href: string;
    linkText: string;
    descriptionText: string;
+    primaryActionVariant?: "link" | "button";
+    className?: string;
 };

 const STORAGE_KEY_CLICKED = "orgSignInLinkClicked";
@@ -18,7 +22,9 @@ const STORAGE_KEY_ACKNOWLEDGED = "orgSignInTipAcknowledged";
 export default function OrgSignInLink({
    href,
    linkText,
-    descriptionText
+    descriptionText,
+    primaryActionVariant = "link",
+    className
 }: OrgSignInLinkProps) {
    const router = useRouter();
    const t = useTranslations();
@@ -93,14 +99,32 @@ export default function OrgSignInLink({
                    </AlertDescription>
                </Alert>
            )}
-            <div className="text-sm text-center text-muted-foreground mt-8 flex flex-col items-center">
-                <span>{descriptionText}</span>
-                <button
-                    onClick={handleClick}
-                    className="underline text-inherit bg-transparent border-none p-0 cursor-pointer"
-                >
-                    {linkText}
-                </button>
+            <div
+                className={cn(
+                    "",
+                    primaryActionVariant === "button" && "gap-3",
+                    className
+                )}
+            >
+                {primaryActionVariant === "button" ? (
+                    <Button
+                        type="button"
+                        variant="outline"
+                        className="w-full inline-flex items-center gap-2"
+                        onClick={handleClick}
+                    >
+                        <Building2 className="size-4 shrink-0" aria-hidden />
+                        <span>{linkText}</span>
+                    </Button>
+                ) : (
+                    <button
+                        type="button"
+                        onClick={handleClick}
+                        className="underline text-inherit bg-transparent border-none p-0 cursor-pointer"
+                    >
+                        {linkText}
+                    </button>
+                )}
            </div>
        </>
    );
--- a/src/components/ProductUpdates.tsx
+++ b/src/components/ProductUpdates.tsx
@@ -81,10 +81,10 @@ export default function ProductUpdates({

    const showNewVersionPopup = Boolean(
        latestVersion &&
-        valid(latestVersion) &&
-        valid(currentVersion) &&
-        ignoredVersionUpdate !== latestVersion &&
-        gt(latestVersion, currentVersion)
+            valid(latestVersion) &&
+            valid(currentVersion) &&
+            ignoredVersionUpdate !== latestVersion &&
+            gt(latestVersion, currentVersion)
    );

    const filteredUpdates = data.updates.filter(
@@ -103,40 +103,51 @@ export default function ProductUpdates({
            )}
        >
            <div className="flex flex-col gap-1">
-                {filteredUpdates.length > 1 && (
-                    <small
-                        className={cn(
-                            "text-xs text-muted-foreground flex items-center gap-1 mt-2",
-                            showMoreUpdatesText
-                                ? "animate-in fade-in duration-300"
-                                : "opacity-0"
+                {filteredUpdates.length > 0 && (
+                    <div className="mt-3 flex flex-col gap-2">
+                        {filteredUpdates.length > 1 && (
+                            <small
+                                className={cn(
+                                    "text-xs text-muted-foreground flex items-center gap-1",
+                                    showMoreUpdatesText
+                                        ? "animate-in fade-in duration-300"
+                                        : "opacity-0"
+                                )}
+                            >
+                                <BellIcon className="flex-none size-3" />
+                                <span>
+                                    {showNewVersionPopup
+                                        ? t("productUpdateMoreInfo", {
+                                              noOfUpdates:
+                                                  filteredUpdates.length
+                                          })
+                                        : t("productUpdateInfo", {
+                                              noOfUpdates:
+                                                  filteredUpdates.length
+                                          })}
+                                </span>
+                            </small>
                        )}
-                    >
-                        <BellIcon className="flex-none size-3" />
-                        <span>
-                            {showNewVersionPopup
-                                ? t("productUpdateMoreInfo", {
-                                      noOfUpdates: filteredUpdates.length
-                                  })
-                                : t("productUpdateInfo", {
-                                      noOfUpdates: filteredUpdates.length
-                                  })}
-                        </span>
-                    </small>
+                        <ProductUpdatesListPopup
+                            updates={filteredUpdates}
+                            show={filteredUpdates.length > 0}
+                            onDimissAll={() =>
+                                setProductUpdatesRead([
+                                    ...productUpdatesRead,
+                                    ...filteredUpdates.map(
+                                        (update) => update.id
+                                    )
+                                ])
+                            }
+                            onDimiss={(id) =>
+                                setProductUpdatesRead([
+                                    ...productUpdatesRead,
+                                    id
+                                ])
+                            }
+                        />
+                    </div>
                )}
-                <ProductUpdatesListPopup
-                    updates={filteredUpdates}
-                    show={filteredUpdates.length > 0}
-                    onDimissAll={() =>
-                        setProductUpdatesRead([
-                            ...productUpdatesRead,
-                            ...filteredUpdates.map((update) => update.id)
-                        ])
-                    }
-                    onDimiss={(id) =>
-                        setProductUpdatesRead([...productUpdatesRead, id])
-                    }
-                />
            </div>

            <NewVersionAvailable
--- a/src/components/ProxyResourcesTable.tsx
+++ b/src/components/ProxyResourcesTable.tsx
@@ -64,6 +64,8 @@ import z from "zod";
 import { ColumnFilterButton } from "./ColumnFilterButton";
 import { ControlledDataTable } from "./ui/controlled-data-table";
 import UptimeMiniBar from "./UptimeMiniBar";
+import { ResourceAccessCertIndicator } from "@app/components/ResourceAccessCertIndicator";
+import { build } from "@server/build";

 export type TargetHealth = {
    targetId: number;
@@ -86,6 +88,8 @@ export type ResourceRow = {
    proxyPort: number | null;
    enabled: boolean;
    domainId?: string;
+    /** Hostname for certificate API (without scheme); distinct from `domain` URL shown in Access column */
+    fullDomain?: string | null;
    ssl: boolean;
    targetHost?: string;
    targetPort?: number;
@@ -266,7 +270,7 @@ export default function ProxyResourcesTable({
                        <StatusIcon status={overallStatus} />
                        <span className="text-sm">
                            {overallStatus === "healthy" &&
-                                    t("resourcesTableHealthy")}
+                                t("resourcesTableHealthy")}
                            {overallStatus === "degraded" &&
                                t("resourcesTableDegraded")}
                            {overallStatus === "unhealthy" &&
@@ -488,7 +492,12 @@ export default function ProxyResourcesTable({
            ),
            cell: ({ row }) => {
                const resourceRow = row.original;
-                return <TargetStatusCell targets={resourceRow.targets} healthStatus={resourceRow.health} />;
+                return (
+                    <TargetStatusCell
+                        targets={resourceRow.targets}
+                        healthStatus={resourceRow.health}
+                    />
+                );
            },
            sortingFn: (rowA, rowB) => {
                const statusA = rowA.original.health;
@@ -520,24 +529,52 @@ export default function ProxyResourcesTable({
            header: () => <span className="p-3">{t("access")}</span>,
            cell: ({ row }) => {
                const resourceRow = row.original;
-                return (
-                    <div className="flex items-center space-x-2">
-                        {!resourceRow.http ? (
+
+                if (!resourceRow.http) {
+                    return (
+                        <div className="flex items-center gap-2 min-w-0">
                            <CopyToClipboard
                                text={resourceRow.proxyPort?.toString() || ""}
                                isLink={false}
                            />
-                        ) : !resourceRow.domainId ? (
+                        </div>
+                    );
+                }
+
+                if (!resourceRow.domainId) {
+                    return (
+                        <div className="flex items-center gap-2 min-w-0">
                            <InfoPopup
                                info={t("domainNotFoundDescription")}
                                text={t("domainNotFound")}
                            />
-                        ) : (
+                        </div>
+                    );
+                }
+
+                const domainId = resourceRow.domainId;
+                const certHostname = resourceRow.fullDomain;
+                const showHttpsCertIndicator =
+                    build !== "oss" &&
+                    resourceRow.ssl &&
+                    certHostname != null &&
+                    certHostname !== "";
+
+                return (
+                    <div className="flex items-center gap-2 min-w-0">
+                        {showHttpsCertIndicator ? (
+                            <ResourceAccessCertIndicator
+                                orgId={resourceRow.orgId}
+                                domainId={domainId}
+                                fullDomain={certHostname}
+                            />
+                        ) : null}
+                        <div className="">
                            <CopyToClipboard
                                text={resourceRow.domain}
                                isLink={true}
                            />
-                        )}
+                        </div>
                    </div>
                );
            }
--- a/src/components/ResourceAccessCertIndicator.tsx
+++ b/src/components/ResourceAccessCertIndicator.tsx
@@ -0,0 +1,179 @@
+"use client";
+
+import { CertificateStatusContent } from "@app/components/CertificateStatus";
+import {
+    Popover,
+    PopoverAnchor,
+    PopoverContent
+} from "@app/components/ui/popover";
+import { useCertificate } from "@app/hooks/useCertificate";
+import { cn } from "@app/lib/cn";
+import { FileBadge } from "lucide-react";
+import { useTranslations } from "next-intl";
+import {
+    useCallback,
+    useEffect,
+    useRef,
+    useState,
+    type ReactNode
+} from "react";
+
+type ResourceAccessCertIndicatorProps = {
+    orgId: string;
+    domainId: string;
+    fullDomain: string;
+};
+
+function getStatusColor(status: string) {
+    switch (status) {
+        case "valid":
+            return "text-green-500";
+        case "pending":
+        case "requested":
+            return "text-yellow-500";
+        case "expired":
+        case "failed":
+            return "text-red-500";
+        default:
+            return "text-muted-foreground";
+    }
+}
+
+/** Compact cert icon + hover popover with full certificate status (shared by proxy and client resource tables). */
+export function ResourceAccessCertIndicator({
+    orgId,
+    domainId,
+    fullDomain
+}: ResourceAccessCertIndicatorProps) {
+    const t = useTranslations();
+    const [open, setOpen] = useState(false);
+    const closeTimerRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+    const certificate = useCertificate({
+        orgId,
+        domainId,
+        fullDomain,
+        autoFetch: true,
+        polling: open,
+        pollingInterval: 5000
+    });
+
+    const { cert, certLoading, certError, refreshing, fetchCert } = certificate;
+
+    useEffect(() => {
+        if (!open) return;
+        void fetchCert(false);
+    }, [open, fetchCert]);
+
+    const clearCloseTimer = useCallback(() => {
+        if (closeTimerRef.current != null) {
+            clearTimeout(closeTimerRef.current);
+            closeTimerRef.current = null;
+        }
+    }, []);
+
+    const scheduleClose = useCallback(() => {
+        clearCloseTimer();
+        closeTimerRef.current = setTimeout(() => setOpen(false), 280);
+    }, [clearCloseTimer]);
+
+    const handleEnterOpen = useCallback(() => {
+        clearCloseTimer();
+        setOpen(true);
+    }, [clearCloseTimer]);
+
+    useEffect(() => {
+        return () => clearCloseTimer();
+    }, [clearCloseTimer]);
+
+    let triggerBody: ReactNode;
+    if (certLoading) {
+        triggerBody = (
+            <div
+                className={cn(
+                    "h-4 w-4 shrink-0 rounded-[2px] animate-pulse",
+                    "bg-neutral-200 dark:bg-neutral-700"
+                )}
+                aria-busy="true"
+                aria-label={t("loading")}
+            />
+        );
+    } else if (refreshing) {
+        triggerBody = (
+            <FileBadge
+                className={cn(
+                    "h-4 w-4 shrink-0 animate-spin",
+                    cert ? getStatusColor(cert.status) : "text-muted-foreground"
+                )}
+                aria-hidden
+            />
+        );
+    } else if (certError) {
+        triggerBody = (
+            <FileBadge className="h-4 w-4 shrink-0 text-red-500" aria-hidden />
+        );
+    } else if (cert) {
+        triggerBody = (
+            <FileBadge
+                className={cn("h-4 w-4", getStatusColor(cert.status))}
+                aria-hidden
+            />
+        );
+    } else {
+        triggerBody = (
+            <FileBadge
+                className="h-4 w-4 shrink-0 text-muted-foreground"
+                aria-hidden
+            />
+        );
+    }
+
+    return (
+        <Popover open={open} onOpenChange={setOpen}>
+            <PopoverAnchor asChild>
+                <button
+                    type="button"
+                    className={cn(
+                        "inline-flex items-center justify-center shrink-0 rounded-[2px] outline-offset-2",
+                        "focus-visible:outline focus-visible:outline-2 focus-visible:outline-ring",
+                        certError && "text-red-500"
+                    )}
+                    onMouseEnter={handleEnterOpen}
+                    onMouseLeave={scheduleClose}
+                    onClick={(e) => {
+                        e.preventDefault();
+                        setOpen((v) => !v);
+                    }}
+                    aria-expanded={open}
+                    aria-haspopup="dialog"
+                    aria-label={t("certificateStatus")}
+                >
+                    {triggerBody}
+                </button>
+            </PopoverAnchor>
+            <PopoverContent
+                className="w-72 p-4"
+                align="start"
+                side="bottom"
+                sideOffset={6}
+                onMouseEnter={clearCloseTimer}
+                onMouseLeave={scheduleClose}
+                onOpenAutoFocus={(e) => e.preventDefault()}
+            >
+                <div className="space-y-3">
+                    <CertificateStatusContent
+                        cert={certificate.cert}
+                        certLoading={certificate.certLoading}
+                        certError={certificate.certError}
+                        refreshing={certificate.refreshing}
+                        refreshCert={certificate.refreshCert}
+                        showLabel
+                    />
+                    <p className="text-sm text-muted-foreground">
+                        {t("certificateStatusAutoRefreshHint")}
+                    </p>
+                </div>
+            </PopoverContent>
+        </Popover>
+    );
+}
--- a/src/components/ResourceInfoBox.tsx
+++ b/src/components/ResourceInfoBox.tsx
@@ -1,7 +1,15 @@
 "use client";

 import { Alert, AlertDescription, AlertTitle } from "@/components/ui/alert";
-import { ShieldCheck, ShieldOff, Eye, EyeOff, CheckCircle2, XCircle, Clock } from "lucide-react";
+import {
+    ShieldCheck,
+    ShieldOff,
+    Eye,
+    EyeOff,
+    CheckCircle2,
+    XCircle,
+    Clock
+} from "lucide-react";
 import { useResourceContext } from "@app/hooks/useResourceContext";
 import CopyToClipboard from "@app/components/CopyToClipboard";
 import {
@@ -13,7 +21,7 @@ import {
 import { useTranslations } from "next-intl";
 import CertificateStatus from "@app/components/CertificateStatus";
 import { toUnicode } from "punycode";
-import { useEnvContext } from "@app/hooks/useEnvContext";
+import { build } from "@server/build";

 type ResourceInfoBoxType = {};

@@ -28,7 +36,7 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
        <Alert>
            <AlertDescription>
                {/* 4 cols because of the certs */}
-                <InfoSections cols={resource.http ? 6 : 5}>
+                <InfoSections cols={resource.http && build != "oss" ? 6 : 5}>
                    <InfoSection>
                        <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                        <InfoSectionContent>
@@ -61,12 +69,12 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                    authInfo.whitelist ||
                                    authInfo.headerAuth ? (
                                        <div className="flex items-start space-x-2">
-                                            <ShieldCheck className="w-4 h-4 mt-0.5 flex-shrink-0 text-green-500" />
+                                            <ShieldCheck className="w-4 h-4 flex-shrink-0 text-green-500" />
                                            <span>{t("protected")}</span>
                                        </div>
                                    ) : (
-                                        <div className="flex items-center space-x-2 text-yellow-500">
-                                            <ShieldOff className="w-4 h-4 flex-shrink-0" />
+                                        <div className="flex items-center space-x-2">
+                                            <ShieldOff className="w-4 h-4 flex-shrink-0 text-yellow-500" />
                                            <span>{t("notProtected")}</span>
                                        </div>
                                    )}
@@ -137,7 +145,8 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                    {/* Certificate Status Column */}
                    {resource.http &&
                        resource.domainId &&
-                        resource.fullDomain && (
+                        resource.fullDomain &&
+                        build != "oss" && (
                            <InfoSection>
                                <InfoSectionTitle>
                                    {t("certificateStatus", {
@@ -177,8 +186,9 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                                    <span>{t("resourcesTableUnhealthy")}</span>
                                </div>
                            )}
-                            {(!resource.health || resource.health === "unknown") && (
-                                <div className="flex items-center space-x-2 text-muted-foreground">
+                            {(!resource.health ||
+                                resource.health === "unknown") && (
+                                <div className="flex items-center space-x-2">
                                    <Clock className="w-4 h-4 flex-shrink-0" />
                                    <span>{t("resourcesTableUnknown")}</span>
                                </div>
--- a/src/components/ResourceSitesStatusCell.tsx
+++ b/src/components/ResourceSitesStatusCell.tsx
@@ -16,10 +16,10 @@ export type ResourceSiteRow = {
    siteId: number;
    siteName: string;
    siteNiceId: string;
-    online: boolean;
+    online?: boolean | null;
 };

-type AggregateSitesStatus = "allOnline" | "partial" | "allOffline";
+type AggregateSitesStatus = "allOnline" | "partial" | "allOffline" | "unknown";

 function aggregateSitesStatus(
    resourceSites: ResourceSiteRow[]
@@ -27,8 +27,17 @@ function aggregateSitesStatus(
    if (resourceSites.length === 0) {
        return "allOffline";
    }
-    const onlineCount = resourceSites.filter((rs) => rs.online).length;
-    if (onlineCount === resourceSites.length) return "allOnline";
+
+    const knownStatuses = resourceSites
+        .map((rs) => rs.online)
+        .filter((status): status is boolean => typeof status === "boolean");
+
+    if (knownStatuses.length === 0) {
+        return "unknown";
+    }
+
+    const onlineCount = knownStatuses.filter(Boolean).length;
+    if (onlineCount === knownStatuses.length) return "allOnline";
    if (onlineCount > 0) return "partial";
    return "allOffline";
 }
@@ -40,8 +49,10 @@ function aggregateStatusDotClass(status: AggregateSitesStatus): string {
        case "partial":
            return "bg-yellow-500";
        case "allOffline":
-        default:
            return "bg-neutral-500";
+        case "unknown":
+        default:
+            return "border border-muted-foreground/50 bg-transparent";
    }
 }

@@ -84,6 +95,7 @@ export function ResourceSitesStatusCell({
            <DropdownMenuContent align="start" className="min-w-56">
                {resourceSites.map((site) => {
                    const isOnline = site.online;
+                    const hasKnownStatus = typeof isOnline === "boolean";
                    return (
                        <DropdownMenuItem key={site.siteId} asChild>
                            <Link
@@ -94,9 +106,11 @@ export function ResourceSitesStatusCell({
                                    <div
                                        className={cn(
                                            "h-2 w-2 shrink-0 rounded-full",
-                                            isOnline
-                                                ? "bg-green-500"
-                                                : "bg-neutral-500"
+                                            !hasKnownStatus
+                                                ? "border border-muted-foreground/50 bg-transparent"
+                                                : isOnline
+                                                  ? "bg-green-500"
+                                                  : "bg-neutral-500"
                                        )}
                                    />
                                    <span className="truncate">
@@ -106,12 +120,16 @@ export function ResourceSitesStatusCell({
                                <span
                                    className={cn(
                                        "shrink-0 capitalize",
-                                        isOnline
+                                        hasKnownStatus && isOnline
                                            ? "text-green-600"
                                            : "text-muted-foreground"
                                    )}
                                >
-                                    {isOnline ? t("online") : t("offline")}
+                                    {!hasKnownStatus
+                                        ? t("resourcesTableUnknown")
+                                        : isOnline
+                                        ? t("online")
+                                        : t("offline")}
                                </span>
                            </Link>
                        </DropdownMenuItem>
--- a/src/components/SiteInfoCard.tsx
+++ b/src/components/SiteInfoCard.tsx
@@ -1,6 +1,6 @@
 "use client";

-import { Alert, AlertDescription, AlertTitle } from "@/components/ui/alert";
+import { Alert, AlertDescription } from "@/components/ui/alert";
 import { useSiteContext } from "@app/hooks/useSiteContext";
 import {
    InfoSection,
@@ -9,77 +9,137 @@ import {
    InfoSectionTitle
 } from "@app/components/InfoSection";
 import { useTranslations } from "next-intl";
-import { useEnvContext } from "@app/hooks/useEnvContext";

 type SiteInfoCardProps = {};

-export default function SiteInfoCard({}: SiteInfoCardProps) {
-    const { site, updateSite } = useSiteContext();
-    const t = useTranslations();
-    const { env } = useEnvContext();
+function formatPublicEndpoint(endpoint: string) {
+    return endpoint.includes(":")
+        ? endpoint.substring(0, endpoint.lastIndexOf(":"))
+        : endpoint;
+}

-    const getConnectionTypeString = (type: string) => {
-        if (type === "newt") {
-            return "Newt";
-        } else if (type === "wireguard") {
-            return "WireGuard";
-        } else if (type === "local") {
-            return t("local");
-        } else {
-            return t("unknown");
-        }
-    };
+export default function SiteInfoCard({}: SiteInfoCardProps) {
+    const { site } = useSiteContext();
+    const t = useTranslations();
+
+    const identifierSection = (
+        <InfoSection>
+            <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
+            <InfoSectionContent>{site.niceId}</InfoSectionContent>
+        </InfoSection>
+    );
+
+    const statusSection = (
+        <InfoSection>
+            <InfoSectionTitle>{t("status")}</InfoSectionTitle>
+            <InfoSectionContent>
+                {site.online ? (
+                    <div className="text-green-500 flex items-center space-x-2">
+                        <div className="w-2 h-2 bg-green-500 rounded-full"></div>
+                        <span>{t("online")}</span>
+                    </div>
+                ) : (
+                    <div className="text-neutral-500 flex items-center space-x-2">
+                        <div className="w-2 h-2 bg-neutral-500 rounded-full"></div>
+                        <span>{t("offline")}</span>
+                    </div>
+                )}
+            </InfoSectionContent>
+        </InfoSection>
+    );
+
+    const endpointSection = site.endpoint ? (
+        <InfoSection>
+            <InfoSectionTitle>{t("publicIpEndpoint")}</InfoSectionTitle>
+            <InfoSectionContent>
+                {formatPublicEndpoint(site.endpoint)}
+            </InfoSectionContent>
+        </InfoSection>
+    ) : null;
+
+    if (site.type === "newt") {
+        return (
+            <Alert>
+                <AlertDescription>
+                    <InfoSections cols={site.endpoint ? 5 : 4}>
+                        {identifierSection}
+                        {statusSection}
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("connectionType")}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>Newt</InfoSectionContent>
+                        </InfoSection>
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("newtVersion")}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>
+                                {site.newtVersion
+                                    ? `v${site.newtVersion}`
+                                    : "-"}
+                            </InfoSectionContent>
+                        </InfoSection>
+                        {endpointSection}
+                    </InfoSections>
+                </AlertDescription>
+            </Alert>
+        );
+    }
+
+    if (site.type === "wireguard") {
+        return (
+            <Alert>
+                <AlertDescription>
+                    <InfoSections cols={site.endpoint ? 4 : 3}>
+                        {identifierSection}
+                        {statusSection}
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("connectionType")}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>WireGuard</InfoSectionContent>
+                        </InfoSection>
+                        {endpointSection}
+                    </InfoSections>
+                </AlertDescription>
+            </Alert>
+        );
+    }
+
+    if (site.type === "local") {
+        return (
+            <Alert>
+                <AlertDescription>
+                    <InfoSections cols={site.endpoint ? 3 : 2}>
+                        {identifierSection}
+                        <InfoSection>
+                            <InfoSectionTitle>
+                                {t("connectionType")}
+                            </InfoSectionTitle>
+                            <InfoSectionContent>
+                                {t("local")}
+                            </InfoSectionContent>
+                        </InfoSection>
+                        {endpointSection}
+                    </InfoSections>
+                </AlertDescription>
+            </Alert>
+        );
+    }

    return (
        <Alert>
            <AlertDescription>
-                <InfoSections cols={site.endpoint ? 4 : 3}>
-                    <InfoSection>
-                        <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
-                        <InfoSectionContent>{site.niceId}</InfoSectionContent>
-                    </InfoSection>
-                    {(site.type == "newt" || site.type == "wireguard") && (
-                        <>
-                            <InfoSection>
-                                <InfoSectionTitle>
-                                    {t("status")}
-                                </InfoSectionTitle>
-                                <InfoSectionContent>
-                                    {site.online ? (
-                                        <div className="text-green-500 flex items-center space-x-2">
-                                            <div className="w-2 h-2 bg-green-500 rounded-full"></div>
-                                            <span>{t("online")}</span>
-                                        </div>
-                                    ) : (
-                                        <div className="text-neutral-500 flex items-center space-x-2">
-                                            <div className="w-2 h-2 bg-neutral-500 rounded-full"></div>
-                                            <span>{t("offline")}</span>
-                                        </div>
-                                    )}
-                                </InfoSectionContent>
-                            </InfoSection>
-                        </>
-                    )}
+                <InfoSections cols={site.endpoint ? 3 : 2}>
+                    {identifierSection}
                    <InfoSection>
                        <InfoSectionTitle>
                            {t("connectionType")}
                        </InfoSectionTitle>
-                        <InfoSectionContent>
-                            {getConnectionTypeString(site.type)}
-                        </InfoSectionContent>
+                        <InfoSectionContent>{t("unknown")}</InfoSectionContent>
                    </InfoSection>
-                    {site.endpoint && (
-                        <InfoSection>
-                            <InfoSectionTitle>
-                                {t("publicIpEndpoint")}
-                            </InfoSectionTitle>
-                            <InfoSectionContent>
-                                {site.endpoint.includes(":")
-                                    ? site.endpoint.substring(0, site.endpoint.lastIndexOf(":"))
-                                    : site.endpoint}
-                            </InfoSectionContent>
-                        </InfoSection>
-                    )}
+                    {endpointSection}
                </InfoSections>
            </AlertDescription>
        </Alert>
--- a/src/components/SitesTable.tsx
+++ b/src/components/SitesTable.tsx
@@ -60,7 +60,7 @@ export type SiteRow = {
    type: "newt" | "wireguard" | "local";
    newtVersion?: string;
    newtUpdateAvailable?: boolean;
-    online: boolean;
+    online?: boolean | null;
    address?: string;
    exitNodeName?: string;
    exitNodeEndpoint?: string;
--- a/src/components/SmartLoginForm.tsx
+++ b/src/components/SmartLoginForm.tsx
@@ -15,15 +15,18 @@ import {
    FormMessage
 } from "@app/components/ui/form";
 import { Alert, AlertDescription } from "@app/components/ui/alert";
+import Link from "next/link";
 import { useRouter } from "next/navigation";
 import { useUserLookup } from "@app/hooks/useUserLookup";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 import { LookupUserResponse } from "@server/routers/auth/lookupUser";
 import { useTranslations } from "next-intl";
 import LoginPasswordForm from "@app/components/LoginPasswordForm";
 import LoginOrgSelector from "@app/components/LoginOrgSelector";
 import UserProfileCard from "@app/components/UserProfileCard";
-import { ArrowLeft } from "lucide-react";
 import SecurityKeyAuthButton from "@app/components/SecurityKeyAuthButton";
+import { Separator } from "@app/components/ui/separator";
+import OrgSignInLink from "@app/components/OrgSignInLink";

 const identifierSchema = z.object({
    identifier: z.string().min(1, "Username or email is required")
@@ -39,10 +42,17 @@ const isValidEmail = (str: string): boolean => {
    }
 };

+type OrgSignInConfig = {
+    href: string;
+    linkText: string;
+    descriptionText: string;
+};
+
 type SmartLoginFormProps = {
    redirect?: string;
    forceLogin?: boolean;
    defaultUser?: string;
+    orgSignIn?: OrgSignInConfig;
 };

 type ViewState =
@@ -58,12 +68,31 @@ type ViewState =
          lookupResult: LookupUserResponse;
      };

+function buildResetPasswordHref(
+    dashboardUrl: string,
+    identifier: string,
+    redirectParam?: string
+) {
+    const trimmed = identifier.trim();
+    const params = new URLSearchParams();
+    if (isValidEmail(trimmed)) {
+        params.set("email", trimmed);
+    }
+    if (redirectParam) {
+        params.set("redirect", redirectParam);
+    }
+    const qs = params.toString();
+    return `${dashboardUrl}/auth/reset-password${qs ? `?${qs}` : ""}`;
+}
+
 export default function SmartLoginForm({
    redirect,
    forceLogin,
-    defaultUser
+    defaultUser,
+    orgSignIn
 }: SmartLoginFormProps) {
    const router = useRouter();
+    const { env } = useEnvContext();
    const { lookup, loading, error } = useUserLookup();
    const t = useTranslations();
    const [viewState, setViewState] = useState<ViewState>({ type: "initial" });
@@ -78,6 +107,13 @@ export default function SmartLoginForm({
        }
    });

+    const watchedIdentifier = form.watch("identifier");
+    const resetPasswordHref = buildResetPasswordHref(
+        env.app.dashboardUrl,
+        watchedIdentifier,
+        redirect
+    );
+
    const hasAutoLookedUp = useRef(false);
    useEffect(() => {
        if (defaultUser?.trim() && !hasAutoLookedUp.current) {
@@ -209,6 +245,15 @@ export default function SmartLoginForm({
                        )}
                    />

+                    <div className="text-center">
+                        <Link
+                            href={resetPasswordHref}
+                            className="text-sm text-muted-foreground"
+                        >
+                            {t("passwordForgot")}
+                        </Link>
+                    </div>
+
                    {(error || securityKeyError) && (
                        <Alert variant="destructive">
                            <AlertDescription>
@@ -219,7 +264,7 @@ export default function SmartLoginForm({
                </form>
            </Form>

-            <div className="space-y-2">
+            <div className="space-y-4">
                <Button
                    type="submit"
                    form="form"
@@ -236,6 +281,28 @@ export default function SmartLoginForm({
                    onError={setSecurityKeyError}
                    disabled={loading}
                />
+
+                {orgSignIn && (
+                    <>
+                        <div className="relative my-4">
+                            <div className="absolute inset-0 flex items-center">
+                                <Separator />
+                            </div>
+                            <div className="relative flex justify-center text-xs uppercase">
+                                <span className="px-2 bg-card text-muted-foreground">
+                                    {t("idpContinue")}
+                                </span>
+                            </div>
+                        </div>
+                        <OrgSignInLink
+                            href={orgSignIn.href}
+                            linkText={orgSignIn.linkText}
+                            descriptionText={orgSignIn.descriptionText}
+                            primaryActionVariant="button"
+                            className="mt-0"
+                        />
+                    </>
+                )}
            </div>
        </div>
    );
--- a/src/components/alert-rule-editor/AlertRuleFields.tsx
+++ b/src/components/alert-rule-editor/AlertRuleFields.tsx
@@ -12,12 +12,15 @@ import {
 } from "@app/components/ui/command";
 import {
    FormControl,
+    FormDescription,
    FormField,
    FormItem,
    FormLabel,
    FormMessage
 } from "@app/components/ui/form";
 import { Input } from "@app/components/ui/input";
+import { Switch } from "@app/components/ui/switch";
+import { Textarea } from "@app/components/ui/textarea";
 import {
    Popover,
    PopoverContent,
@@ -962,6 +965,69 @@ function WebhookActionFields({
                />
            </div>
            <WebhookHeadersField index={index} control={control} form={form} />
+            {/* Body Template */}
+            <div className="space-y-3">
+                <div>
+                    <label className="font-medium text-sm block">
+                        {t("httpDestBodyTemplateTitle")}
+                    </label>
+                    <p className="text-xs text-muted-foreground mt-0.5">
+                        {t("httpDestBodyTemplateDescription")}
+                    </p>
+                </div>
+                <FormField
+                    control={control}
+                    name={`actions.${index}.useBodyTemplate`}
+                    render={({ field }) => (
+                        <FormItem>
+                            <div className="flex items-center gap-3">
+                                <FormControl>
+                                    <Switch
+                                        id={`body-template-${index}`}
+                                        checked={field.value}
+                                        onCheckedChange={field.onChange}
+                                    />
+                                </FormControl>
+                                <Label
+                                    htmlFor={`body-template-${index}`}
+                                    className="cursor-pointer"
+                                >
+                                    {t("httpDestEnableBodyTemplate")}
+                                </Label>
+                            </div>
+                        </FormItem>
+                    )}
+                />
+                {useWatch({
+                    control,
+                    name: `actions.${index}.useBodyTemplate`
+                }) && (
+                    <FormField
+                        control={control}
+                        name={`actions.${index}.bodyTemplate`}
+                        render={({ field }) => (
+                            <FormItem>
+                                <FormLabel>
+                                    {t("httpDestBodyTemplateLabel")}
+                                </FormLabel>
+                                <FormControl>
+                                    <Textarea
+                                        {...field}
+                                        placeholder={
+                                            '{\n  "event": "{{event}}",\n  "timestamp": "{{timestamp}}",\n  "status": "{{status}}",\n  "data": {{data}}\n}'
+                                        }
+                                        className="font-mono text-xs min-h-45 resize-y"
+                                    />
+                                </FormControl>
+                                <FormDescription>
+                                    {t("httpDestBodyTemplateHint")}
+                                </FormDescription>
+                                <FormMessage />
+                            </FormItem>
+                        )}
+                    />
+                )}
+            </div>
        </div>
    );
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Owen Schwartz	cf596d980f	Merge pull request #2971 from fosrl/dev 1.18.2	2026-05-02 20:59:51 -07:00
Owen Schwartz	70f619b726	Merge pull request #2970 from fosrl/crowdin_dev New Crowdin updates	2026-05-02 20:59:16 -07:00
Owen Schwartz	7743e3890b	New translations en-us.json (Spanish) [ci skip]	2026-05-02 20:57:57 -07:00
Owen Schwartz	d8df250555	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-05-02 20:57:55 -07:00
Owen Schwartz	45c9f217c6	New translations en-us.json (Chinese Simplified) [ci skip]	2026-05-02 20:57:54 -07:00
Owen Schwartz	8371692cc5	New translations en-us.json (Turkish) [ci skip]	2026-05-02 20:57:52 -07:00
Owen Schwartz	5377dc7a1c	New translations en-us.json (Russian) [ci skip]	2026-05-02 20:57:51 -07:00
Owen Schwartz	02649468e0	New translations en-us.json (Portuguese) [ci skip]	2026-05-02 20:57:49 -07:00
Owen Schwartz	c5ef00fb0e	New translations en-us.json (Polish) [ci skip]	2026-05-02 20:57:48 -07:00
Owen Schwartz	6f4325e9a0	New translations en-us.json (Dutch) [ci skip]	2026-05-02 20:57:45 -07:00
Owen Schwartz	a2a031dfe7	New translations en-us.json (Korean) [ci skip]	2026-05-02 20:57:44 -07:00
Owen Schwartz	e34a4c82eb	New translations en-us.json (Italian) [ci skip]	2026-05-02 20:57:42 -07:00
Owen Schwartz	52fd7df727	New translations en-us.json (German) [ci skip]	2026-05-02 20:57:41 -07:00
Owen Schwartz	d5f08437d7	New translations en-us.json (Czech) [ci skip]	2026-05-02 20:57:39 -07:00
Owen Schwartz	9ee07ba343	New translations en-us.json (Bulgarian) [ci skip]	2026-05-02 20:57:38 -07:00
Owen Schwartz	4baaa5fc14	New translations en-us.json (French) [ci skip]	2026-05-02 20:57:36 -07:00
Owen	61de100630	Fix imports	2026-05-02 20:46:52 -07:00
miloschwartz	3694f43ae8	dont early return on multi org	2026-05-02 20:38:14 -07:00
Owen	279211142d	Bump version	2026-05-02 13:48:25 -07:00
Owen	b8822b4d25	Fix CE not processing alert status Fixes #2968	2026-05-02 13:38:05 -07:00
Owen	e1afbc226c	Allow configuring the webhook body	2026-05-02 13:26:54 -07:00
miloschwartz	96c450fd08	update private resources screenshot	2026-05-02 13:19:00 -07:00
Owen Schwartz	587e4d104b	New translations en-us.json (Spanish) [ci skip]	2026-05-02 13:16:28 -07:00
Owen Schwartz	368c5c374f	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-05-02 13:16:26 -07:00
Owen Schwartz	7675b6409c	New translations en-us.json (Chinese Simplified) [ci skip]	2026-05-02 13:16:24 -07:00
Owen Schwartz	d31da1a41e	New translations en-us.json (Turkish) [ci skip]	2026-05-02 13:16:23 -07:00
Owen Schwartz	49e259e259	New translations en-us.json (Russian) [ci skip]	2026-05-02 13:16:21 -07:00
Owen Schwartz	f4684c1858	New translations en-us.json (Portuguese) [ci skip]	2026-05-02 13:16:19 -07:00
Owen Schwartz	6e223bb363	New translations en-us.json (Polish) [ci skip]	2026-05-02 13:16:18 -07:00
Owen Schwartz	22e7038b2c	New translations en-us.json (Dutch) [ci skip]	2026-05-02 13:16:16 -07:00
Owen Schwartz	76ba4c1fdf	New translations en-us.json (Korean) [ci skip]	2026-05-02 13:16:14 -07:00
Owen Schwartz	7f25d94a83	New translations en-us.json (Italian) [ci skip]	2026-05-02 13:16:13 -07:00
Owen Schwartz	769ba27e3a	New translations en-us.json (German) [ci skip]	2026-05-02 13:16:11 -07:00
Owen Schwartz	a188552ba0	New translations en-us.json (Czech) [ci skip]	2026-05-02 13:16:09 -07:00
Owen Schwartz	208132082e	New translations en-us.json (Bulgarian) [ci skip]	2026-05-02 13:16:08 -07:00
Owen Schwartz	fcd5789221	New translations en-us.json (French) [ci skip]	2026-05-02 13:16:06 -07:00
miloschwartz	c6a8b09cff	log in page improvements	2026-05-02 12:46:39 -07:00
miloschwartz	380ff381fc	fix credenza scroll extra spacing above footer	2026-05-02 12:19:00 -07:00
Owen Schwartz	5eb3951f00	New translations en-us.json (Spanish) [ci skip]	2026-05-02 12:13:08 -07:00
Owen Schwartz	c30e94da98	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-05-02 12:13:06 -07:00
Owen Schwartz	6ca24d51a1	New translations en-us.json (Chinese Simplified) [ci skip]	2026-05-02 12:13:05 -07:00
Owen Schwartz	13f512aed6	New translations en-us.json (Turkish) [ci skip]	2026-05-02 12:13:03 -07:00
Owen Schwartz	2bdbc9d688	New translations en-us.json (Russian) [ci skip]	2026-05-02 12:13:02 -07:00
Owen Schwartz	8e2f30d8de	New translations en-us.json (Portuguese) [ci skip]	2026-05-02 12:13:00 -07:00
Owen Schwartz	a84e1cc9e0	New translations en-us.json (Polish) [ci skip]	2026-05-02 12:12:58 -07:00
Owen Schwartz	6b28f0c81e	New translations en-us.json (Dutch) [ci skip]	2026-05-02 12:12:56 -07:00
Owen Schwartz	d28d3ba6ea	New translations en-us.json (Korean) [ci skip]	2026-05-02 12:12:55 -07:00
Owen Schwartz	6efaf9f40d	New translations en-us.json (Italian) [ci skip]	2026-05-02 12:12:53 -07:00
Owen Schwartz	5379b32959	New translations en-us.json (German) [ci skip]	2026-05-02 12:12:51 -07:00
Owen Schwartz	9bb936a40d	New translations en-us.json (Czech) [ci skip]	2026-05-02 12:12:50 -07:00
Owen Schwartz	960fe760f1	New translations en-us.json (Bulgarian) [ci skip]	2026-05-02 12:12:48 -07:00
Owen Schwartz	2f2105a085	New translations en-us.json (French) [ci skip]	2026-05-02 12:12:46 -07:00
miloschwartz	de92a28435	update mac models	2026-05-02 12:09:55 -07:00
Owen	d8c3484ed5	Have to import from private	2026-05-02 12:00:51 -07:00
Owen	726e000154	Show remote nodes update in table	2026-05-02 11:55:01 -07:00
Owen Schwartz	9df46f7014	Merge pull request #2966 from fosrl/dev Try to pull domains from host regex	2026-05-01 20:54:09 -07:00
Owen	908f0d54e2	Try to pull domains from host regex	2026-05-01 20:53:39 -07:00
Milo Schwartz	f0010ea12a	Merge pull request #2965 from fosrl/dev add new screenshots	2026-05-01 17:35:29 -07:00
miloschwartz	cab8be1a9a	add new screenshots	2026-05-01 17:34:05 -07:00
Owen Schwartz	0a9dab7cca	Merge pull request #2964 from fosrl/dev Update translations	2026-05-01 17:02:41 -07:00
Owen Schwartz	889ab1f8a8	Merge pull request #2963 from fosrl/crowdin_dev New Crowdin updates	2026-05-01 17:02:10 -07:00
Owen Schwartz	a9019cfb23	New translations en-us.json (Spanish) [ci skip]	2026-05-01 17:00:49 -07:00
Owen Schwartz	441d4bce6e	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-05-01 17:00:47 -07:00
Owen Schwartz	dd1e681a9c	New translations en-us.json (Chinese Simplified) [ci skip]	2026-05-01 17:00:45 -07:00
Owen Schwartz	a882619eaf	New translations en-us.json (Turkish) [ci skip]	2026-05-01 17:00:43 -07:00
Owen Schwartz	f43baaaf1f	New translations en-us.json (Russian) [ci skip]	2026-05-01 17:00:41 -07:00
Owen Schwartz	c3dc0bd015	New translations en-us.json (Portuguese) [ci skip]	2026-05-01 17:00:39 -07:00
Owen Schwartz	1fd2a0fae2	New translations en-us.json (Polish) [ci skip]	2026-05-01 17:00:37 -07:00
Owen Schwartz	8ba5b43569	New translations en-us.json (Dutch) [ci skip]	2026-05-01 17:00:35 -07:00
Owen Schwartz	6deefcd003	New translations en-us.json (Korean) [ci skip]	2026-05-01 17:00:33 -07:00
Owen Schwartz	4d6cea5fcd	New translations en-us.json (Italian) [ci skip]	2026-05-01 17:00:31 -07:00
Owen Schwartz	f175ac774f	New translations en-us.json (German) [ci skip]	2026-05-01 17:00:29 -07:00
Owen Schwartz	0fe2b24f6b	New translations en-us.json (Czech) [ci skip]	2026-05-01 17:00:27 -07:00
Owen Schwartz	6ad06e6faf	New translations en-us.json (Bulgarian) [ci skip]	2026-05-01 17:00:25 -07:00
Owen Schwartz	d47faeced1	New translations en-us.json (French) [ci skip]	2026-05-01 17:00:23 -07:00
Owen Schwartz	498f586eeb	New translations en-us.json (Spanish) [ci skip]	2026-05-01 16:57:38 -07:00
Owen Schwartz	e94fc6bc65	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-05-01 16:57:37 -07:00
Owen Schwartz	0a1fe1b725	New translations en-us.json (Chinese Simplified) [ci skip]	2026-05-01 16:57:35 -07:00
Owen Schwartz	eb40b04b43	New translations en-us.json (Turkish) [ci skip]	2026-05-01 16:57:33 -07:00
Owen Schwartz	6685afdcf9	New translations en-us.json (Russian) [ci skip]	2026-05-01 16:57:32 -07:00
Owen Schwartz	49232e32bf	New translations en-us.json (Portuguese) [ci skip]	2026-05-01 16:57:30 -07:00
Owen Schwartz	aec0aed211	New translations en-us.json (Polish) [ci skip]	2026-05-01 16:57:28 -07:00
Owen Schwartz	d43b3176f5	New translations en-us.json (Dutch) [ci skip]	2026-05-01 16:57:26 -07:00
Owen Schwartz	190074ea0c	New translations en-us.json (Korean) [ci skip]	2026-05-01 16:57:24 -07:00
Owen Schwartz	c5a7719239	New translations en-us.json (Italian) [ci skip]	2026-05-01 16:57:22 -07:00
Owen Schwartz	5eac131d2e	New translations en-us.json (German) [ci skip]	2026-05-01 16:57:21 -07:00
Owen Schwartz	0bc3276ee2	New translations en-us.json (Czech) [ci skip]	2026-05-01 16:57:18 -07:00
Owen Schwartz	5073507b90	New translations en-us.json (Bulgarian) [ci skip]	2026-05-01 16:57:16 -07:00
Owen Schwartz	805e6f856a	New translations en-us.json (French) [ci skip]	2026-05-01 16:57:14 -07:00
Owen Schwartz	412a9b5294	Merge pull request #2962 from fosrl/dev 1.18.1-s.6	2026-05-01 16:54:37 -07:00
Owen	fbf95c5363	Start creating ns one level down	2026-05-01 16:51:42 -07:00
Owen	b907850344	Add missing heading	2026-05-01 16:51:42 -07:00
miloschwartz	22116373e3	increase target site selector width	2026-05-01 16:33:40 -07:00
miloschwartz	9757c3d8b6	show newt version on site	2026-05-01 16:26:45 -07:00
miloschwartz	f8b85d4b4e	fix sidebar product updates spacing	2026-05-01 16:14:06 -07:00
Owen	4651f19c53	Support acme_json_path as a directory of acme file Fixes #2961	2026-05-01 16:06:37 -07:00
Owen	4524bdc094	Add http cert syncing for use with the controller	2026-05-01 15:42:38 -07:00
Owen Schwartz	741850880e	Merge pull request #2959 from fosrl/dev 1.18.1-s.4	2026-05-01 15:05:59 -07:00
Owen	53e096f7cb	Allow deleting account with trial	2026-05-01 15:01:48 -07:00
Owen	3dfd7e8a43	Update limits	2026-05-01 11:47:14 -07:00
Owen	db6e60d0a3	Adjust language	2026-05-01 10:48:09 -07:00
Owen	54d2d689c1	Run messaging for delete in the background as well	2026-04-30 14:38:03 -07:00
Owen Schwartz	bb5853827b	Merge pull request #2948 from fosrl/dev 1.18.1-s.3	2026-04-30 14:11:16 -07:00
Owen	68f5512732	Handle messaging in the background; dont time out	2026-04-30 14:00:32 -07:00
Owen	416e124c02	Rotate the secret on the new things using it	2026-04-30 11:53:55 -07:00
Owen	d3e4d8cda8	Fix pr blueprints not picking up site	2026-04-30 11:39:37 -07:00
Owen	81972dbb73	Add name to migration Fixes #2943	2026-04-30 10:56:12 -07:00
Owen Schwartz	b715786a1e	Merge pull request #2939 from fosrl/dev 1.18.1-s.2	2026-04-29 21:33:03 -07:00
Owen	ae24eb2d2c	Disable the alerts and hc when downgrading	2026-04-29 21:31:02 -07:00
Owen	20fc59dcda	Delete trial when upgrading	2026-04-29 21:25:58 -07:00
Owen	93b09de425	Adjust cloud api endpoints	2026-04-29 21:04:11 -07:00
Owen	bacc130453	Clean up sign and verify	2026-04-29 17:14:22 -07:00
Owen Schwartz	79541ec7b8	Merge pull request #2936 from fosrl/dev 1.18.1 patch over	2026-04-29 16:43:06 -07:00
Owen	81197f8a86	Update the database if the wildcard changes	2026-04-29 16:42:10 -07:00
miloschwartz	dcfc7822f4	hide cert in public resources col on oss	2026-04-29 16:03:59 -07:00
Owen Schwartz	269bd9aa0f	Merge pull request #2934 from fosrl/dev 1.18.1-s.1	2026-04-29 15:18:28 -07:00
Owen	0a0817b860	Restrict alerting	2026-04-29 15:15:53 -07:00
Owen Schwartz	b7a903ab32	Merge pull request #2933 from fosrl/dev 1.18.1	2026-04-29 15:00:29 -07:00
Owen Schwartz	ab60438aa7	Merge pull request #2917 from fosrl/crowdin_dev New Crowdin updates	2026-04-29 14:55:53 -07:00
Owen Schwartz	b9f3f90de6	New translations en-us.json (Spanish) [ci skip]	2026-04-29 14:54:32 -07:00
Owen Schwartz	b53cc397be	New translations en-us.json (Norwegian Bokmal) [ci skip]	2026-04-29 14:54:30 -07:00
Owen Schwartz	994fb456c2	New translations en-us.json (Chinese Simplified) [ci skip]	2026-04-29 14:54:29 -07:00
Owen Schwartz	b36927c7a0	New translations en-us.json (Turkish) [ci skip]	2026-04-29 14:54:27 -07:00
Owen Schwartz	1c57473b6d	New translations en-us.json (Russian) [ci skip]	2026-04-29 14:54:25 -07:00
Owen Schwartz	c02c3eaa4a	New translations en-us.json (Portuguese) [ci skip]	2026-04-29 14:54:23 -07:00
Owen Schwartz	3c265ee577	New translations en-us.json (Polish) [ci skip]	2026-04-29 14:54:22 -07:00
Owen Schwartz	98dfd05f06	New translations en-us.json (Dutch) [ci skip]	2026-04-29 14:54:20 -07:00
Owen Schwartz	faa2e97530	New translations en-us.json (Korean) [ci skip]	2026-04-29 14:54:18 -07:00
Owen Schwartz	175f10a51d	New translations en-us.json (Italian) [ci skip]	2026-04-29 14:54:16 -07:00
Owen Schwartz	6284930fce	New translations en-us.json (German) [ci skip]	2026-04-29 14:54:15 -07:00
Owen Schwartz	6c93aca444	New translations en-us.json (Czech) [ci skip]	2026-04-29 14:54:13 -07:00
Owen Schwartz	d83318cbfc	New translations en-us.json (Bulgarian) [ci skip]	2026-04-29 14:54:11 -07:00
Owen Schwartz	143f362a48	New translations en-us.json (French) [ci skip]	2026-04-29 14:54:09 -07:00
miloschwartz	698cd868a8	show cert status in public reosurces table	2026-04-29 14:47:34 -07:00
Owen	a55842ffff	Scrape certs from ALL resolvers	2026-04-29 14:29:15 -07:00
Owen	2ffe254879	Dont include site resources on the cloud	2026-04-29 14:08:42 -07:00
miloschwartz	e173f59d89	visual improvements	2026-04-29 13:44:35 -07:00
miloschwartz	d3870f4920	cert status in priv resources table first pass	2026-04-29 13:05:26 -07:00
miloschwartz	227501d8f8	fix rounded buttons in target input	2026-04-29 12:39:08 -07:00
miloschwartz	a16f805709	fix style for unknown status	2026-04-29 12:36:47 -07:00
miloschwartz	a029b107ae	dont show site online status for local sites	2026-04-29 12:35:08 -07:00
miloschwartz	f03389a9a0	fix cert styling	2026-04-29 12:18:52 -07:00
Owen	78fff6bfde	Filter to only allow newt sites	2026-04-29 12:18:28 -07:00
Owen	bc585c24fc	Calculate actual resource status Fixes #2930	2026-04-29 12:07:32 -07:00
miloschwartz	0f6c66dc67	use localfont and updated mona sans closes #2924	2026-04-29 11:58:06 -07:00
Owen	6be150bafe	Handle possible not null for tcp, udp, and icmp Fixes #2929	2026-04-29 11:42:18 -07:00
Owen	1eac7741a5	Show the certs elsewhere when required	2026-04-29 11:34:10 -07:00
Owen	b8ca0499af	Dont show the cert box oss and dont check license	2026-04-29 11:28:30 -07:00
Owen	b39a2bcfb1	Quiet logs	2026-04-29 11:25:43 -07:00
Owen	d45b727dca	Dont show cert status because not saved yet	2026-04-29 11:06:14 -07:00
Owen	5c31d35e28	Handle sans in the acme.json	2026-04-29 10:59:49 -07:00
Owen	8c645315f3	Handle when siteIds is not provided	2026-04-29 10:59:36 -07:00
Milo Schwartz	ab6377e086	Merge pull request #2923 from fosrl/miloschwartz-patch-2 Update README.md	2026-04-28 23:03:31 -07:00
Owen Schwartz	8ed9adbfae	New translations en-us.json (German) [ci skip]	2026-04-28 16:21:16 -07:00