Merge pull request #3030 from fosrl/dev

1.18.3-s.2 fix
Cange to use primaryDb
2026-05-08 17:29:54 +00:00 · 2026-05-07 20:08:05 -07:00 · 2026-05-07 20:07:06 -07:00 · 2026-05-07 20:03:48 -07:00 · 2026-05-07 17:44:35 -07:00 · 2026-05-07 16:15:13 -07:00
195 changed files with 7719 additions and 3686 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -414,28 +414,18 @@ jobs:
                password: ${{ secrets.GITHUB_TOKEN }}
            - name: Install cosign
-              # cosign is used to sign and verify container images (key and keyless)
+              # cosign is used to sign container images using keyless (OIDC) signing
              uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
-            - name: Dual-sign and verify (GHCR & Docker Hub)
+            - name: Sign (GHCR, keyless)
-              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # Sign each GHCR image by digest using keyless (OIDC) signing via Sigstore/Rekor.
-              # then verify both the public key signature and the keyless OIDC signature.
+              # Signatures are stored in the registry alongside the image.
              env:
                  TAG: ${{ env.TAG }}
                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
                  COSIGN_YES: "true"
              run: |
                  set -euo pipefail
                  issuer="https://token.actions.githubusercontent.com"
                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
                  # Track failures
                  FAILED_TAGS=()
                  SUCCESSFUL_TAGS=()
                  # Determine if this is an RC release
                  IS_RC="false"
                  if [[ "$TAG" == *"-rc."* ]]; then
@@ -463,95 +453,47 @@ jobs:
                      )
                  fi
-                  # Sign each image variant for both registries
+                  FAILED_TAGS=()
-                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                  SUCCESSFUL_TAGS=()
                  for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
-                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
+                    echo "Processing ${GHCR_IMAGE}:${IMAGE_TAG}"
                    TAG_FAILED=false
                      # Wrap the entire tag processing in error handling
                    (
                      set -e
-                        DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${GHCR_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
-                        REF="${BASE_IMAGE}@${DIGEST}"
+                      REF="${GHCR_IMAGE}@${DIGEST}"
                      echo "Resolved digest: ${REF}"
                      echo "==> cosign sign (keyless) --recursive ${REF}"
                      cosign sign --recursive "${REF}"
                        echo "==> cosign sign (key) --recursive ${REF}"
                        cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
                        # Retry wrapper for verification to handle registry propagation delays
                        retry_verify() {
                          local cmd="$1"
                          local attempts=6
                          local delay=5
                          local i=1
                          until eval "$cmd"; do
                            if [ $i -ge $attempts ]; then
                              echo "Verification failed after $attempts attempts"
                              return 1
                            fi
                            echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
                            sleep $delay
                            i=$((i+1))
                            delay=$((delay*2))
                            # Cap the delay to avoid very long waits
                            if [ $delay -gt 60 ]; then delay=60; fi
                          done
                          return 0
                        }
                        echo "==> cosign verify (public key) ${REF}"
                        if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then
                          VERIFIED_INDEX=true
                        else
                          VERIFIED_INDEX=false
                        fi
                        echo "==> cosign verify (keyless policy) ${REF}"
                        if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then
                          VERIFIED_INDEX_KEYLESS=true
                        else
                          VERIFIED_INDEX_KEYLESS=false
                        fi
                        # Check if verification succeeded
                        if [ "${VERIFIED_INDEX}" != "true" ] && [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
                          echo "⚠️  WARNING: Verification not available for ${BASE_IMAGE}:${IMAGE_TAG}"
                          echo "This may be due to registry propagation delays. Continuing anyway."
                        fi
                    ) || TAG_FAILED=true
                    if [ "$TAG_FAILED" = "true" ]; then
-                        echo "⚠️  WARNING: Failed to sign/verify ${BASE_IMAGE}:${IMAGE_TAG}"
+                      echo "⚠️  WARNING: Failed to sign ${GHCR_IMAGE}:${IMAGE_TAG}"
-                        FAILED_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
+                      FAILED_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
                    else
-                        echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                      echo "✓ Successfully signed ${GHCR_IMAGE}:${IMAGE_TAG}"
-                        SUCCESSFUL_TAGS+=("${BASE_IMAGE}:${IMAGE_TAG}")
+                      SUCCESSFUL_TAGS+=("${GHCR_IMAGE}:${IMAGE_TAG}")
                    fi
                  done
                  done
                  # Report summary
                  echo ""
                  echo "=========================================="
-                  echo "Sign and Verify Summary"
+                  echo "Sign Summary"
                  echo "=========================================="
                  echo "Successful: ${#SUCCESSFUL_TAGS[@]}"
                  echo "Failed: ${#FAILED_TAGS[@]}"
                  echo ""
                  if [ ${#FAILED_TAGS[@]} -gt 0 ]; then
                    echo "Failed tags:"
                    for tag in "${FAILED_TAGS[@]}"; do
                      echo "  - $tag"
                    done
-                    echo ""
+                    echo "⚠️  WARNING: Some tags failed to sign, but continuing anyway"
                    echo "⚠️  WARNING: Some tags failed to sign/verify, but continuing anyway"
                  else
-                    echo "✓ All images signed and verified successfully!"
+                    echo "✓ All images signed successfully!"
                  fi
              shell: bash
--- a/cli/commands/clearCertificates.ts
+++ b/cli/commands/clearCertificates.ts
@@ -0,0 +1,28 @@
 import { CommandModule } from "yargs";
 import { db, certificates } from "@server/db";
 type ClearCertificatesArgs = {};
 export const clearCertificates: CommandModule<{}, ClearCertificatesArgs> = {
    command: "clear-certificates",
    describe: "Delete all entries from the certificates table",
    builder: (yargs) => {
        return yargs;
    },
    handler: async (argv: {}) => {
        try {
            console.log("Clearing all certificates from the database...");
            const deleted = await db.delete(certificates).returning();
            console.log(
                `Deleted ${deleted.length} certificate(s) from the database`
            );
            process.exit(0);
        } catch (error) {
            console.error("Error:", error);
            process.exit(1);
        }
    }
 };
--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -1,5 +1,5 @@
 import { CommandModule } from "yargs";
-import { db, idpOidcConfig, licenseKey } from "@server/db";
+import { db, idpOidcConfig, licenseKey, certificates, eventStreamingDestinations, alertWebhookActions } from "@server/db";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import { configFilePath1, configFilePath2 } from "@server/lib/consts";
 import { eq } from "drizzle-orm";
@@ -129,9 +129,15 @@ export const rotateServerSecret: CommandModule<
            console.log("\nReading encrypted data from database...");
            const idpConfigs = await db.select().from(idpOidcConfig);
            const licenseKeys = await db.select().from(licenseKey);
            const certs = await db.select().from(certificates);
            const streamingDestinations = await db.select().from(eventStreamingDestinations);
            const webhookActions = await db.select().from(alertWebhookActions);
            console.log(`Found ${idpConfigs.length} OIDC IdP configuration(s)`);
            console.log(`Found ${licenseKeys.length} license key(s)`);
            console.log(`Found ${certs.length} certificate(s)`);
            console.log(`Found ${streamingDestinations.length} event streaming destination(s)`);
            console.log(`Found ${webhookActions.length} alert webhook action(s)`);
            // Prepare all decrypted and re-encrypted values
            console.log("\nDecrypting and re-encrypting values...");
@@ -149,8 +155,27 @@ export const rotateServerSecret: CommandModule<
                encryptedInstanceId: string;
            };
            type CertUpdate = {
                certId: number;
                encryptedCertFile: string | null;
                encryptedKeyFile: string | null;
            };
            type StreamingDestinationUpdate = {
                destinationId: number;
                encryptedConfig: string;
            };
            type WebhookActionUpdate = {
                webhookActionId: number;
                encryptedConfig: string;
            };
            const idpUpdates: IdpUpdate[] = [];
            const licenseKeyUpdates: LicenseKeyUpdate[] = [];
            const certUpdates: CertUpdate[] = [];
            const streamingDestinationUpdates: StreamingDestinationUpdate[] = [];
            const webhookActionUpdates: WebhookActionUpdate[] = [];
            // Process idpOidcConfig entries
            for (const idpConfig of idpConfigs) {
@@ -217,6 +242,70 @@ export const rotateServerSecret: CommandModule<
                }
            }
            // Process certificate entries
            for (const cert of certs) {
                try {
                    const encryptedCertFile = cert.certFile
                        ? encrypt(decrypt(cert.certFile, oldSecret), newSecret)
                        : null;
                    const encryptedKeyFile = cert.keyFile
                        ? encrypt(decrypt(cert.keyFile, oldSecret), newSecret)
                        : null;
                    certUpdates.push({
                        certId: cert.certId,
                        encryptedCertFile,
                        encryptedKeyFile
                    });
                } catch (error) {
                    console.error(
                        `Error processing certificate ${cert.certId} (${cert.domain}):`,
                        error
                    );
                    throw error;
                }
            }
            // Process eventStreamingDestinations entries
            for (const dest of streamingDestinations) {
                try {
                    const decryptedConfig = decrypt(dest.config, oldSecret);
                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
                    streamingDestinationUpdates.push({
                        destinationId: dest.destinationId,
                        encryptedConfig
                    });
                } catch (error) {
                    console.error(
                        `Error processing event streaming destination ${dest.destinationId}:`,
                        error
                    );
                    throw error;
                }
            }
            // Process alertWebhookActions entries
            for (const webhook of webhookActions) {
                try {
                    if (webhook.config == null) continue;
                    const decryptedConfig = decrypt(webhook.config, oldSecret);
                    const encryptedConfig = encrypt(decryptedConfig, newSecret);
                    webhookActionUpdates.push({
                        webhookActionId: webhook.webhookActionId,
                        encryptedConfig
                    });
                } catch (error) {
                    console.error(
                        `Error processing alert webhook action ${webhook.webhookActionId}:`,
                        error
                    );
                    throw error;
                }
            }
            // Perform all database updates in a single transaction
            console.log("\nUpdating database in transaction...");
            await db.transaction(async (trx) => {
@@ -250,10 +339,50 @@ export const rotateServerSecret: CommandModule<
                        instanceId: update.encryptedInstanceId
                    });
                }
                // Update certificate entries
                for (const update of certUpdates) {
                    await trx
                        .update(certificates)
                        .set({
                            certFile: update.encryptedCertFile,
                            keyFile: update.encryptedKeyFile
                        })
                        .where(eq(certificates.certId, update.certId));
                }
                // Update event streaming destination entries
                for (const update of streamingDestinationUpdates) {
                    await trx
                        .update(eventStreamingDestinations)
                        .set({ config: update.encryptedConfig })
                        .where(
                            eq(
                                eventStreamingDestinations.destinationId,
                                update.destinationId
                            )
                        );
                }
                // Update alert webhook action entries
                for (const update of webhookActionUpdates) {
                    await trx
                        .update(alertWebhookActions)
                        .set({ config: update.encryptedConfig })
                        .where(
                            eq(
                                alertWebhookActions.webhookActionId,
                                update.webhookActionId
                            )
                        );
                }
            });
            console.log(`Rotated ${idpUpdates.length} OIDC IdP configuration(s)`);
            console.log(`Rotated ${licenseKeyUpdates.length} license key(s)`);
            console.log(`Rotated ${certUpdates.length} certificate(s)`);
            console.log(`Rotated ${streamingDestinationUpdates.length} event streaming destination(s)`);
            console.log(`Rotated ${webhookActionUpdates.length} alert webhook action(s)`);
            // Update config file with new secret
            console.log("\nUpdating config file...");
@@ -270,6 +399,9 @@ export const rotateServerSecret: CommandModule<
            console.log(`\nSummary:`);
            console.log(`  - OIDC IdP configurations: ${idpUpdates.length}`);
            console.log(`  - License keys: ${licenseKeyUpdates.length}`);
            console.log(`  - Certificates: ${certUpdates.length}`);
            console.log(`  - Event streaming destinations: ${streamingDestinationUpdates.length}`);
            console.log(`  - Alert webhook actions: ${webhookActionUpdates.length}`);
            console.log(
                `\n  IMPORTANT: Restart the server for the new secret to take effect.`
            );
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -9,6 +9,7 @@ import { rotateServerSecret } from "./commands/rotateServerSecret";
 import { clearLicenseKeys } from "./commands/clearLicenseKeys";
 import { deleteClient } from "./commands/deleteClient";
 import { generateOrgCaKeys } from "./commands/generateOrgCaKeys";
 import { clearCertificates } from "./commands/clearCertificates";
 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -19,5 +20,6 @@ yargs(hideBin(process.argv))
    .command(clearLicenseKeys)
    .command(deleteClient)
    .command(generateOrgCaKeys)
    .command(clearCertificates)
    .demandCommand()
    .help().argv;
--- a/docker-compose.mailpit.yml
+++ b/docker-compose.mailpit.yml
@@ -0,0 +1,12 @@
 services:
  mailer:
    image: axllent/mailpit
    ports:
      - 8025:8025
      - 1025:1025
    volumes:
      - mailpit-storage:/data
    environment:
      - MP_DATABASE=/data/mailpit.db
 volumes:
  mailpit-storage:
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Превишихте ограничението на текущия си план. Коригирайте проблема, като премахнете сайтове, потребители или други ресурси, за да оставате в рамките на плана си.",
    "trialBannerMessage": "Пробният Ви период изтича след {countdown}. Актуализирайте за запазване на достъпа.",
    "trialBannerExpired": "Пробният Ви период е изтекъл. Актуализирайте сега, за да възстановите достъпа.",
    "billingTrialBannerTitle": "Пробният период е активен",
    "billingTrialBannerDescription": "В момента сте в пробен период на бизнес ниво. След края на пробния период, вашият акаунт автоматично ще бъде върнат към функциите и ограниченията на основното ниво. Надградете по всяко време, за да запазите достъпа до текущите функции на плана.",
    "billingTrialBannerUpgrade": "Надградете сега",
    "billingTrialBadge": "Пробен период",
    "trialActive": "Активен пробен период",
    "trialExpired": "Пробният период е изтекъл",
    "trialHasEnded": "Пробният Ви период е приключил.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Крайна точка",
    "newtId": "Идентификационен номер",
    "newtSecretKey": "Секретен ключ",
    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайтове",
    "siteWgAnyClients": "Използвайте клиент на WireGuard, за да се свържете. Ще трябва да използвате вътрешните ресурси чрез IP адреса на връстника.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Създаване на админ акаунт",
    "setupErrorCreateAdmin": "Възникна грешка при създаване на админ акаунт.",
    "certificateStatus": "Сертификат",
    "certificateStatusAutoRefreshHint": "Състоянието се опреснява автоматично.",
    "loading": "Зареждане",
    "loadingAnalytics": "Зареждане на анализи",
    "restart": "Рестарт",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Преглед на бележките за изданието",
    "newtUpdateAvailable": "Ново обновление",
    "newtUpdateAvailableInfo": "Нова версия на Newt е налична. Моля, обновете до последната версия за най-добро изживяване.",
    "pangolinNodeUpdateAvailableInfo": "Налична е нова версия на Pangolin Node. Моля, актуализирайте до последната версия за най-добро изживяване.",
    "domainPickerEnterDomain": "Домейн",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Въведете пълния домейн на ресурса, за да видите наличните опции.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
    "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
    "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
-    "orgAuthSignInToOrg": "Влезте в организация",
+    "orgAuthSignInToOrg": "Идентификационен доставчик на организация (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организация.",
    "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
    "orgAuthOrgIdPlaceholder": "вашата-организация",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "Няма валидни методи за удостоверение",
    "ip": "IP",
    "reason": "Причина",
-    "requestLogs": "Заявка за логове",
+    "requestLogs": "Логове за HTTP заявки",
    "requestAnalytics": "Анализи На Заявки",
    "host": "Хост",
    "location": "Местоположение",
    "actionLogs": "Дневници на действията",
-    "sidebarLogsRequest": "Заявка за логове",
+    "sidebarLogsRequest": "Логове за HTTP заявки",
    "sidebarLogsAccess": "Достъп до логове",
    "sidebarLogsAction": "Дневници на действията",
    "logRetention": "Задържане на логове",
    "logRetentionDescription": "Управлявайте времето за задържане на различни видове логове за тази организация или ги деактивирайте",
    "requestLogsDescription": "Прегледайте подробни логове на заявки за ресурси в тази организация",
    "requestAnalyticsDescription": "Вижте подробни анализи на заявки за ресурсите в тази организация",
-    "logRetentionRequestLabel": "Задържане на логове на заявки",
+    "logRetentionRequestLabel": "Задържане на логове за HTTP заявки",
    "logRetentionRequestDescription": "Колко дълго да се задържат логовете на заявките",
    "logRetentionAccessLabel": "Задържане на логове за достъп",
    "logRetentionAccessDescription": "Колко дълго да се задържат логовете за достъп",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Административни действия, извършени от потребители в организацията.",
    "httpDestConnectionLogsTitle": "Логове на връзката",
    "httpDestConnectionLogsDescription": "Събития на свързване и прекъсване на сайта и тунела, включително свръзки и прекъсвания.",
-    "httpDestRequestLogsTitle": "Заявки за логове",
+    "httpDestRequestLogsTitle": "Логове за HTTP заявки",
    "httpDestRequestLogsDescription": "Регистри за HTTP заявките към проксирани ресурси, включително метод, път и код на отговор.",
    "httpDestSaveChanges": "Запази промените",
    "httpDestCreateDestination": "Създаване на дестинация",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Уайлдкард подсайтове не са позволени.",
    "domainPickerWildcardCertWarning": "Ресурсите с уайлдкард може да изискват допълнителна конфигурация за правилна работа.",
    "domainPickerWildcardCertWarningLink": "Научете повече",
-    "health": "Здраве"
+    "health": "Здраве",
    "domainPendingErrorTitle": "Проблем при проверка",
    "memberPortalTitle": "Ресурси",
    "memberPortalDescription": "Ресурси, до които имате достъп в тази организация",
    "memberPortalSortBy": "Сортиране по...",
    "memberPortalSortNameAsc": "Име А-Я",
    "memberPortalSortNameDesc": "Име Я-А",
    "memberPortalSortDomainAsc": "Домен А-Я",
    "memberPortalSortDomainDesc": "Домен Я-А",
    "memberPortalSortEnabledFirst": "Активирани Първи",
    "memberPortalSortDisabledFirst": "Деактивирани Първи",
    "memberPortalRefresh": "Обнови",
    "memberPortalRefreshResources": "Обнови ресурсите",
    "memberPortalFailedToLoad": "Грешка при зареждане на ресурсите",
    "memberPortalFailedToLoadDescription": "Грешка при зареждане на ресурсите. Моля, проверете връзката си и опитайте отново.",
    "memberPortalUnableToLoad": "Неуспешно зареждане на ресурси",
    "memberPortalTryAgain": "Опитай отново",
    "memberPortalNoResourcesFound": "Няма намерени ресурси",
    "memberPortalNoResourcesAvailable": "Няма налични ресурси",
    "memberPortalNoResourcesMatchSearch": "Няма ресурси, съвпадащи с \"{query}\". Опитайте да промените търсените условия или нулирайте търсенето, за да видите всички ресурси.",
    "memberPortalNoResourcesAccess": "Още нямате достъп до ресурси. Свържете се с вашия администратор, за да получите достъп до нужните ресурси.",
    "memberPortalClearSearch": "Изчисти търсенето",
    "memberPortalPublicResources": "Публични ресурси",
    "memberPortalPublicResourcesDescription": "Уеб приложения и услуги, достъпни през браузър",
    "memberPortalCopiedToClipboard": "Копирано в клипборда",
    "memberPortalCopiedUrlDescription": "URL адресът на ресурса е копиран в клипборда.",
    "memberPortalOpenResource": "Отвори ресурса",
    "memberPortalPrivateResources": "Частни ресурси",
    "memberPortalPrivateResourcesDescription": "Ресурси на вътрешната мрежа, достъпни чрез клиент",
    "memberPortalResourceDetails": "Детайли за ресурса",
    "memberPortalMode": "Режим",
    "memberPortalDestination": "Дестинация",
    "memberPortalAlias": "Алиас",
    "memberPortalCopiedAliasDescription": "Алиасът на ресурса е копиран в клипборда.",
    "memberPortalCopiedDestinationDescription": "Дестинацията на ресурса е копирана в клипборда.",
    "memberPortalRequiresClientConnection": "Изисква връзка с клиента",
    "memberPortalAuthMethods": "Методи на удостоверяване",
    "memberPortalSso": "Единно вход (SSO)",
    "memberPortalPasswordProtected": "Защитено с парола",
    "memberPortalPinCode": "ПИН код",
    "memberPortalEmailWhitelist": "Бял списък на имейли",
    "memberPortalResourceDisabled": "Ресурсът е деактивиран",
    "memberPortalShowingResources": "Показва {start}-{end} от {total} ресурси",
    "memberPortalPrevious": "Предишен",
    "memberPortalNext": "Следващ"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Jste za hranicemi vašeho aktuálního plánu. Opravte problém odstraněním webů, uživatelů nebo jiných zdrojů, abyste zůstali ve vašem tarifu.",
    "trialBannerMessage": "Vaše zkušební verze vyprší za {countdown}. Pro udržení přístupu upgraduje.",
    "trialBannerExpired": "Vaše zkušební verze vypršela. Upgradujte nyní pro obnovu přístupu.",
    "billingTrialBannerTitle": "Aktivní zkušební verze",
    "billingTrialBannerDescription": "Právě používáte zkušební verzi na úrovni business. Po skončení zkušební verze se váš účet automaticky vrátí k funkcím a limitům úrovně Basic. Upgradujte kdykoli pro zachování přístupu k funkcím vašeho aktuálního plánu.",
    "billingTrialBannerUpgrade": "Upgradovat nyní",
    "billingTrialBadge": "Zkušební verze",
    "trialActive": "Zkušební verze je aktivní",
    "trialExpired": "Zkušební verze vypršela",
    "trialHasEnded": "Vaše zkušební verze skončila.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Tajný klíč",
    "newtVersion": "Verze",
    "architecture": "Architektura",
    "sites": "Stránky",
    "siteWgAnyClients": "K připojení použijte jakéhokoli klienta WireGuard. Budete muset řešit interní zdroje pomocí klientské IP adresy.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Vytvořit účet správce",
    "setupErrorCreateAdmin": "Došlo k chybě při vytváření účtu správce serveru.",
    "certificateStatus": "Certifikát",
    "certificateStatusAutoRefreshHint": "Stav se automaticky obnovuje.",
    "loading": "Načítání",
    "loadingAnalytics": "Načítání analytiky",
    "restart": "Restartovat",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobrazit poznámky k vydání",
    "newtUpdateAvailable": "Dostupná aktualizace",
    "newtUpdateAvailableInfo": "Je k dispozici nová verze Newt. Pro nejlepší zážitek prosím aktualizujte na nejnovější verzi.",
    "pangolinNodeUpdateAvailableInfo": "Je k dispozici nová verze uzlu Pangolin. Pro nejlepší zážitek aktualizujte na nejnovější verzi.",
    "domainPickerEnterDomain": "Doména",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Zadejte úplnou doménu zdroje pro zobrazení dostupných možností.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
    "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
    "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
-    "orgAuthSignInToOrg": "Přihlásit se do organizace",
+    "orgAuthSignInToOrg": "Poskytovatel identity organizace (SSO)",
    "orgAuthSelectOrgTitle": "Přihlášení do organizace",
    "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
    "orgAuthOrgIdPlaceholder": "vaše-organizace",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP adresa",
    "reason": "Důvod",
-    "requestLogs": "Záznamy požadavků",
+    "requestLogs": "Záznamy HTTP požadavků",
    "requestAnalytics": "Vyžádat analýzu",
    "host": "Hostitel",
    "location": "Poloha",
    "actionLogs": "Záznamy akcí",
-    "sidebarLogsRequest": "Záznamy požadavků",
+    "sidebarLogsRequest": "Záznamy HTTP požadavků",
    "sidebarLogsAccess": "Protokoly přístupu",
    "sidebarLogsAction": "Záznamy akcí",
    "logRetention": "Zaznamenávání záznamu",
    "logRetentionDescription": "Spravovat, jak dlouho jsou různé typy logů uloženy pro tuto organizaci nebo je zakázat",
    "requestLogsDescription": "Zobrazit podrobné protokoly požadavků pro zdroje v této organizaci",
    "requestAnalyticsDescription": "Zobrazit podrobnou analýzu požadavků pro zdroje v této organizaci",
-    "logRetentionRequestLabel": "Zachování logu žádosti",
+    "logRetentionRequestLabel": "Zachování logu HTTP požadavků",
    "logRetentionRequestDescription": "Jak dlouho uchovávat záznamy požadavků",
    "logRetentionAccessLabel": "Zachování záznamu přístupu",
    "logRetentionAccessDescription": "Jak dlouho uchovávat přístupové záznamy",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Správní opatření prováděná uživateli v rámci organizace.",
    "httpDestConnectionLogsTitle": "Protokoly připojení",
    "httpDestConnectionLogsDescription": "Události týkající se připojení lokality a tunelu, včetně připojení a odpojení.",
-    "httpDestRequestLogsTitle": "Záznamy požadavků",
+    "httpDestRequestLogsTitle": "Záznamy HTTP požadavků",
    "httpDestRequestLogsDescription": "HTTP záznamy požadavků pro proxy zdroje, včetně metod, cesty a kódu odpovědi.",
    "httpDestSaveChanges": "Uložit změny",
    "httpDestCreateDestination": "Vytvořit cíl",
@@ -3167,7 +3174,7 @@
    "publicIpEndpoint": "Koncový bod",
    "lastTriggeredAt": "Poslední spouštěč",
    "reject": "Odmítnout",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "Před {count} dny",
    "uptimeToday": "Dnes",
    "uptimeNoDataAvailable": "Dostupná žádná data",
    "uptimeSuffix": "doba dostupnosti",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Zástupné poddomény nejsou povoleny.",
    "domainPickerWildcardCertWarning": "Zástupné zdroje mohou vyžadovat dodatečnou konfiguraci pro správnou funkci.",
    "domainPickerWildcardCertWarningLink": "Zjistit více",
-    "health": "Zdraví"
+    "health": "Zdraví",
    "domainPendingErrorTitle": "Problém s ověřením",
    "memberPortalTitle": "Zdroje",
    "memberPortalDescription": "Zdroje, ke kterým máte v této organizaci přístup",
    "memberPortalSortBy": "Řadit podle...",
    "memberPortalSortNameAsc": "Názvu A-Z",
    "memberPortalSortNameDesc": "Názvu Z-A",
    "memberPortalSortDomainAsc": "Domény A-Z",
    "memberPortalSortDomainDesc": "Domény Z-A",
    "memberPortalSortEnabledFirst": "Nejprve povoleno",
    "memberPortalSortDisabledFirst": "Nejprve zakázáno",
    "memberPortalRefresh": "Aktualizovat",
    "memberPortalRefreshResources": "Aktualizovat zdroje",
    "memberPortalFailedToLoad": "Nepodařilo se načíst zdroje",
    "memberPortalFailedToLoadDescription": "Nepodařilo se načíst zdroje. Zkontrolujte prosím své připojení a zkuste to znovu.",
    "memberPortalUnableToLoad": "Nelze načíst zdroje",
    "memberPortalTryAgain": "Zkusit znovu",
    "memberPortalNoResourcesFound": "Žádné zdroje nebyly nalezeny",
    "memberPortalNoResourcesAvailable": "Žádné zdroje nejsou k dispozici",
    "memberPortalNoResourcesMatchSearch": "Žádné zdroje neodpovídají \"{query}\". Zkuste přizpůsobit své vyhledávací termíny nebo vyčistit hledání, abyste viděli všechny zdroje.",
    "memberPortalNoResourcesAccess": "Zatím nemáte přístup k žádným zdrojům. Kontaktujte svého správce, aby vám poskytl přístup k potřebným zdrojům.",
    "memberPortalClearSearch": "Vymazat hledání",
    "memberPortalPublicResources": "Veřejné zdroje",
    "memberPortalPublicResourcesDescription": "Webové aplikace a služby přístupné přes prohlížeč",
    "memberPortalCopiedToClipboard": "Zkopírováno do schránky",
    "memberPortalCopiedUrlDescription": "URL zdroje byla zkopírována do vaší schránky.",
    "memberPortalOpenResource": "Otevřít zdroj",
    "memberPortalPrivateResources": "Soukromé zdroje",
    "memberPortalPrivateResourcesDescription": "Interní síťové zdroje přístupné přes klienta",
    "memberPortalResourceDetails": "Podrobnosti o zdroji",
    "memberPortalMode": "Režim",
    "memberPortalDestination": "Cíl",
    "memberPortalAlias": "Přezdívka",
    "memberPortalCopiedAliasDescription": "Alias zdroje byl zkopírován do vaší schránky.",
    "memberPortalCopiedDestinationDescription": "Cíl zdroje byl zkopírován do vaší schránky.",
    "memberPortalRequiresClientConnection": "Vyžaduje klientské připojení",
    "memberPortalAuthMethods": "Metody ověřování",
    "memberPortalSso": "Jedno přihlášení (SSO)",
    "memberPortalPasswordProtected": "Heslo chráněno",
    "memberPortalPinCode": "PIN kód",
    "memberPortalEmailWhitelist": "Seznam povolených emailů",
    "memberPortalResourceDisabled": "Zdroj je zakázán",
    "memberPortalShowingResources": "Zobrazeny {start}-{end} z {total} zdrojů",
    "memberPortalPrevious": "Předchozí",
    "memberPortalNext": "Následující"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Sie überschreiten Ihre Grenzen für Ihr aktuelles Paket. Korrigieren Sie das Problem, indem Sie Webseiten, Benutzer oder andere Ressourcen entfernen, um in Ihrem Paket zu bleiben.",
    "trialBannerMessage": "Ihre Testversion läuft in {countdown} ab. Upgraden, um den Zugriff zu behalten.",
    "trialBannerExpired": "Ihre Testversion ist abgelaufen. Jetzt upgraden, um den Zugriff wiederherzustellen.",
    "billingTrialBannerTitle": "Kostenlose Testversion aktiv",
    "billingTrialBannerDescription": "Sie nutzen derzeit eine kostenlose Testversion auf der Geschäftsstufe. Wenn die Testversion endet, wird Ihr Konto automatisch auf die Funktionen und Beschränkungen der Basisstufe zurückgesetzt. Upgraden Sie jederzeit, um weiterhin Zugriff auf die Funktionen Ihres aktuellen Plans zu behalten.",
    "billingTrialBannerUpgrade": "Jetzt upgraden",
    "billingTrialBadge": "Kostenlose Testversion",
    "trialActive": "Kostenlose Testversion aktiv",
    "trialExpired": "Testversion abgelaufen",
    "trialHasEnded": "Ihre Testversion ist beendet.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpunkt",
    "newtId": "ID",
    "newtSecretKey": "Geheimnis",
    "newtVersion": "Version",
    "architecture": "Architektur",
    "sites": "Standorte",
    "siteWgAnyClients": "Verwenden Sie jeden WireGuard-Client um sich zu verbinden. Sie müssen interne Ressourcen über die Peer-IP ansprechen.",
@@ -1432,7 +1437,7 @@
    "alertingTriggerHcToggle": "Gesundheits-Check-Status ändern",
    "alertingTriggerResourceHealthy": "Ressource gesund",
    "alertingTriggerResourceUnhealthy": "Ressource ungesund",
-    "alertingTriggerResourceDegraded": "Resource degraded",
+    "alertingTriggerResourceDegraded": "Ressource verschlechtert",
    "alertingSearchHealthChecks": "Gesundheits-Checks suchen…",
    "alertingHealthChecksEmpty": "Keine Gesundheits-Checks verfügbar.",
    "alertingTriggerResourceToggle": "Ressourcenstatus ändern",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Admin-Konto erstellen",
    "setupErrorCreateAdmin": "Beim Erstellen des Server-Admin-Kontos ist ein Fehler aufgetreten.",
    "certificateStatus": "Zertifikat",
    "certificateStatusAutoRefreshHint": "Der Status wird automatisch aktualisiert.",
    "loading": "Laden",
    "loadingAnalytics": "Analytik wird geladen",
    "restart": "Neustart",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Versionshinweise anzeigen",
    "newtUpdateAvailable": "Update verfügbar",
    "newtUpdateAvailableInfo": "Eine neue Version von Newt ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
    "pangolinNodeUpdateAvailableInfo": "Eine neue Version von Pangolin Node ist verfügbar. Bitte aktualisieren Sie auf die neueste Version für das beste Erlebnis.",
    "domainPickerEnterDomain": "Domäne",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Geben Sie die vollständige Domain der Ressource ein, um verfügbare Optionen zu sehen.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Wähle deinen Identitätsanbieter um fortzufahren",
    "orgAuthNoIdpConfigured": "Diese Organisation hat keine Identitätsanbieter konfiguriert. Sie können sich stattdessen mit Ihrer Pangolin-Identität anmelden.",
    "orgAuthSignInWithPangolin": "Mit Pangolin anmelden",
-    "orgAuthSignInToOrg": "Bei einer Organisation anmelden",
+    "orgAuthSignInToOrg": "Organisations-Identitätsanbieter (SSO)",
    "orgAuthSelectOrgTitle": "Organisations-Anmeldung",
    "orgAuthSelectOrgDescription": "Geben Sie Ihre Organisations-ID ein, um fortzufahren",
    "orgAuthOrgIdPlaceholder": "Ihre Organisation",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "Keine gültige Authentifizierungsmethode verfügbar",
    "ip": "IP",
    "reason": "Grund",
-    "requestLogs": "Logs anfordern",
+    "requestLogs": "HTTP Anforderungsprotokolle",
    "requestAnalytics": "Anfrage-Analyse anzeigen",
    "host": "Host",
    "location": "Standort",
    "actionLogs": "Aktionsprotokolle",
-    "sidebarLogsRequest": "Logs anfordern",
+    "sidebarLogsRequest": "HTTP Anforderungsprotokolle",
    "sidebarLogsAccess": "Zugriffsprotokolle",
    "sidebarLogsAction": "Aktionsprotokolle",
    "logRetention": "Log-Speicherung",
    "logRetentionDescription": "Verwalten, wie lange verschiedene Logs für diese Organisation gespeichert werden oder deaktivieren",
    "requestLogsDescription": "Detaillierte Request-Logs für Ressourcen in dieser Organisation anzeigen",
    "requestAnalyticsDescription": "Detaillierte Anfrage-Analyse für Ressourcen in dieser Organisation anzeigen",
-    "logRetentionRequestLabel": "Log-Speicherung anfordern",
+    "logRetentionRequestLabel": "HTTP Anforderungsprotokoll Aufbewahrung",
    "logRetentionRequestDescription": "Wie lange sollen Request-Logs gespeichert werden",
    "logRetentionAccessLabel": "Zugriffsprotokoll-Speicherung",
    "logRetentionAccessDescription": "Wie lange Zugriffsprotokolle beibehalten werden sollen",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative Maßnahmen, die von Benutzern innerhalb der Organisation durchgeführt werden.",
    "httpDestConnectionLogsTitle": "Verbindungsprotokolle",
    "httpDestConnectionLogsDescription": "Site- und Tunnelverbindungen, einschließlich Verbindungen und Trennungen.",
-    "httpDestRequestLogsTitle": "Logs anfordern",
+    "httpDestRequestLogsTitle": "HTTP Anforderungsprotokolle",
    "httpDestRequestLogsDescription": "HTTP-Request-Protokolle für proxiierte Ressourcen, einschließlich Methode, Pfad und Antwort-Code.",
    "httpDestSaveChanges": "Änderungen speichern",
    "httpDestCreateDestination": "Ziel erstellen",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-Subdomains sind nicht erlaubt.",
    "domainPickerWildcardCertWarning": "Wildcard-Ressourcen erfordern möglicherweise zusätzliche Konfigurationen, um ordnungsgemäß zu funktionieren.",
    "domainPickerWildcardCertWarningLink": "Mehr erfahren",
-    "health": "Gesundheit"
+    "health": "Gesundheit",
    "domainPendingErrorTitle": "Verifizierungsproblem",
    "memberPortalTitle": "Ressourcen",
    "memberPortalDescription": "Ressourcen, auf die Sie in dieser Organisation Zugriff haben",
    "memberPortalSortBy": "Sortieren nach...",
    "memberPortalSortNameAsc": "Name A-Z",
    "memberPortalSortNameDesc": "Name Z-A",
    "memberPortalSortDomainAsc": "Domain A-Z",
    "memberPortalSortDomainDesc": "Domain Z-A",
    "memberPortalSortEnabledFirst": "Zuerst aktiviert",
    "memberPortalSortDisabledFirst": "Zuerst deaktiviert",
    "memberPortalRefresh": "Aktualisieren",
    "memberPortalRefreshResources": "Ressourcen aktualisieren",
    "memberPortalFailedToLoad": "Fehler beim Laden der Ressourcen",
    "memberPortalFailedToLoadDescription": "Fehler beim Laden der Ressourcen. Bitte überprüfen Sie Ihre Verbindung und versuchen Sie es erneut.",
    "memberPortalUnableToLoad": "Ressourcen konnten nicht geladen werden",
    "memberPortalTryAgain": "Nochmal versuchen",
    "memberPortalNoResourcesFound": "Keine Ressourcen gefunden",
    "memberPortalNoResourcesAvailable": "Keine Ressourcen verfügbar",
    "memberPortalNoResourcesMatchSearch": "Keine Ressourcen passen zu \"{query}\". Versuchen Sie, Ihre Suchbegriffe anzupassen oder die Suche zu löschen, um alle Ressourcen anzuzeigen.",
    "memberPortalNoResourcesAccess": "Sie haben noch keinen Zugriff auf Ressourcen. Wenden Sie sich an Ihren Administrator, um Zugriff auf die benötigten Ressourcen zu erhalten.",
    "memberPortalClearSearch": "Suchverlauf löschen",
    "memberPortalPublicResources": "Öffentliche Ressourcen",
    "memberPortalPublicResourcesDescription": "Webanwendungen und Dienste, die über den Browser zugänglich sind",
    "memberPortalCopiedToClipboard": "In die Zwischenablage kopiert",
    "memberPortalCopiedUrlDescription": "Ressourcen-URL wurde in Ihre Zwischenablage kopiert.",
    "memberPortalOpenResource": "Ressource öffnen",
    "memberPortalPrivateResources": "Private Ressourcen",
    "memberPortalPrivateResourcesDescription": "Interne Netzwerkressourcen, die über den Client zugänglich sind",
    "memberPortalResourceDetails": "Ressourcendetails",
    "memberPortalMode": "Modus",
    "memberPortalDestination": "Ziel",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "Ressourcenalias wurde in Ihre Zwischenablage kopiert.",
    "memberPortalCopiedDestinationDescription": "Ressourcenziel wurde in Ihre Zwischenablage kopiert.",
    "memberPortalRequiresClientConnection": "Erfordert Client-Verbindung",
    "memberPortalAuthMethods": "Authentifizierungsmethoden",
    "memberPortalSso": "Single Sign-On (SSO)",
    "memberPortalPasswordProtected": "Passwortgeschützt",
    "memberPortalPinCode": "PIN-Code",
    "memberPortalEmailWhitelist": "E-Mail-Whitelist",
    "memberPortalResourceDisabled": "Ressource deaktiviert",
    "memberPortalShowingResources": "Zeige {start}-{end} von {total} Ressourcen",
    "memberPortalPrevious": "Vorherige",
    "memberPortalNext": "Nächste"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "You're beyond your limits for your current plan. Correct the problem by removing sites, users, or other resources to stay within your plan.",
    "trialBannerMessage": "Your trial expires in {countdown}. Upgrade to keep access.",
    "trialBannerExpired": "Your trial has expired. Upgrade now to restore access.",
    "billingTrialBannerTitle": "Free Trial Active",
    "billingTrialBannerDescription": "You're currently on a free trial on the business tier. When the trial ends, your account will automatically revert to the Basic tier features and limits. Upgrade anytime to keep access to your current plan's features.",
    "billingTrialBannerUpgrade": "Upgrade Now",
    "billingTrialBadge": "Free Trial",
    "trialActive": "Free Trial Active",
    "trialExpired": "Trial Expired",
    "trialHasEnded": "Your trial has ended.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secret",
    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Sites",
    "siteWgAnyClients": "Use any WireGuard client to connect. You will have to address internal resources using the peer IP.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Create Admin Account",
    "setupErrorCreateAdmin": "An error occurred while creating the server admin account.",
    "certificateStatus": "Certificate",
    "certificateStatusAutoRefreshHint": "Status refreshes automatically.",
    "loading": "Loading",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "View Release Notes",
    "newtUpdateAvailable": "Update Available",
    "newtUpdateAvailableInfo": "A new version of Newt is available. Please update to the latest version for the best experience.",
    "pangolinNodeUpdateAvailableInfo": "A new version of Pangolin Node is available. Please update to the latest version for the best experience.",
    "domainPickerEnterDomain": "Domain",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Enter the full domain of the resource to see available options.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Choose your identity provider to continue",
    "orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.",
    "orgAuthSignInWithPangolin": "Sign in with Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Organization Identity Provider (SSO)",
    "orgAuthSelectOrgTitle": "Organization Sign In",
    "orgAuthSelectOrgDescription": "Enter your organization ID to continue",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Reason",
-    "requestLogs": "HTTPS Request Logs",
+    "requestLogs": "HTTP Request Logs",
    "requestAnalytics": "Request Analytics",
    "host": "Host",
    "location": "Location",
    "actionLogs": "Admin Action Logs",
-    "sidebarLogsRequest": "HTTPS Request Logs",
+    "sidebarLogsRequest": "HTTP Request Logs",
    "sidebarLogsAccess": "Authentication Logs",
    "sidebarLogsAction": "Admin Action Logs",
    "logRetention": "Log Retention",
    "logRetentionDescription": "Manage how long different types of logs are retained for this organization or disable them",
    "requestLogsDescription": "View detailed request logs for HTTPS resources in this organization",
    "requestAnalyticsDescription": "View detailed request analytics for resources in this organization",
-    "logRetentionRequestLabel": "HTTPS Request Log Retention",
+    "logRetentionRequestLabel": "HTTP Request Log Retention",
    "logRetentionRequestDescription": "How long to retain request logs",
    "logRetentionAccessLabel": "Authentication Log Retention",
    "logRetentionAccessDescription": "How long to retain access logs",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative actions performed by users within the organization.",
    "httpDestConnectionLogsTitle": "Network Logs",
    "httpDestConnectionLogsDescription": "Site and tunnel connection events, including connects and disconnects.",
-    "httpDestRequestLogsTitle": "HTTPS Request Logs",
+    "httpDestRequestLogsTitle": "HTTP Request Logs",
    "httpDestRequestLogsDescription": "HTTP request logs for proxied resources, including method, path, and response code.",
    "httpDestSaveChanges": "Save Changes",
    "httpDestCreateDestination": "Create Destination",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard subdomains are not allowed.",
    "domainPickerWildcardCertWarning": "Wildcard resources may require additional configuration to work properly.",
    "domainPickerWildcardCertWarningLink": "Learn more",
-    "health": "Health"
+    "health": "Health",
    "domainPendingErrorTitle": "Verification Issue",
    "memberPortalTitle": "Resources",
    "memberPortalDescription": "Resources you have access to in this organization",
    "memberPortalSortBy": "Sort by...",
    "memberPortalSortNameAsc": "Name A-Z",
    "memberPortalSortNameDesc": "Name Z-A",
    "memberPortalSortDomainAsc": "Domain A-Z",
    "memberPortalSortDomainDesc": "Domain Z-A",
    "memberPortalSortEnabledFirst": "Enabled First",
    "memberPortalSortDisabledFirst": "Disabled First",
    "memberPortalRefresh": "Refresh",
    "memberPortalRefreshResources": "Refresh Resources",
    "memberPortalFailedToLoad": "Failed to load resources",
    "memberPortalFailedToLoadDescription": "Failed to load resources. Please check your connection and try again.",
    "memberPortalUnableToLoad": "Unable to Load Resources",
    "memberPortalTryAgain": "Try Again",
    "memberPortalNoResourcesFound": "No Resources Found",
    "memberPortalNoResourcesAvailable": "No Resources Available",
    "memberPortalNoResourcesMatchSearch": "No resources match \"{query}\". Try adjusting your search terms or clearing the search to see all resources.",
    "memberPortalNoResourcesAccess": "You don't have access to any resources yet. Contact your administrator to get access to resources you need.",
    "memberPortalClearSearch": "Clear Search",
    "memberPortalPublicResources": "Public Resources",
    "memberPortalPublicResourcesDescription": "Web applications and services accessible via browser",
    "memberPortalCopiedToClipboard": "Copied to clipboard",
    "memberPortalCopiedUrlDescription": "Resource URL has been copied to your clipboard.",
    "memberPortalOpenResource": "Open Resource",
    "memberPortalPrivateResources": "Private Resources",
    "memberPortalPrivateResourcesDescription": "Internal network resources accessible via client",
    "memberPortalResourceDetails": "Resource Details",
    "memberPortalMode": "Mode",
    "memberPortalDestination": "Destination",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "Resource alias has been copied to your clipboard.",
    "memberPortalCopiedDestinationDescription": "Resource destination has been copied to your clipboard.",
    "memberPortalRequiresClientConnection": "Requires Client Connection",
    "memberPortalAuthMethods": "Authentication Methods",
    "memberPortalSso": "Single Sign-On (SSO)",
    "memberPortalPasswordProtected": "Password Protected",
    "memberPortalPinCode": "PIN Code",
    "memberPortalEmailWhitelist": "Email Whitelist",
    "memberPortalResourceDisabled": "Resource Disabled",
    "memberPortalShowingResources": "Showing {start}-{end} of {total} resources",
    "memberPortalPrevious": "Previous",
    "memberPortalNext": "Next"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Estás más allá de tus límites para tu plan actual. Corrija el problema eliminando sitios, usuarios u otros recursos para permanecer dentro de tu plan.",
    "trialBannerMessage": "Su prueba expira en {countdown}. Actualice para mantener el acceso.",
    "trialBannerExpired": "Su prueba ha expirado. Actualice ahora para restaurar el acceso.",
    "billingTrialBannerTitle": "Prueba gratuita activada",
    "billingTrialBannerDescription": "Actualmente estás en una prueba gratuita en el nivel empresarial. Cuando finalice la prueba, tu cuenta volverá automáticamente a las características y límites del nivel Básico. Mejora en cualquier momento para mantener el acceso a las características de tu plan actual.",
    "billingTrialBannerUpgrade": "Actualizar ahora",
    "billingTrialBadge": "Prueba Gratuita",
    "trialActive": "Prueba gratuita activa",
    "trialExpired": "Prueba expirada",
    "trialHasEnded": "Su prueba ha terminado.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secreto",
    "newtVersion": "Versión",
    "architecture": "Arquitectura",
    "sites": "Sitios",
    "siteWgAnyClients": "Usa cualquier cliente de Wirex para conectarte. Tendrás que dirigirte a los recursos internos usando la IP de compañeros.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Crear cuenta de administrador",
    "setupErrorCreateAdmin": "Se produjo un error al crear la cuenta de administrador del servidor.",
    "certificateStatus": "Certificado",
    "certificateStatusAutoRefreshHint": "El estado se actualiza automáticamente.",
    "loading": "Cargando",
    "loadingAnalytics": "Cargando analíticas",
    "restart": "Reiniciar",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de lanzamiento",
    "newtUpdateAvailable": "Nueva actualización disponible",
    "newtUpdateAvailableInfo": "Hay una nueva versión de Newt disponible. Actualice a la última versión para la mejor experiencia.",
    "pangolinNodeUpdateAvailableInfo": "Hay una nueva versión de Pangolin Node disponible. Actualice a la última versión para la mejor experiencia.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "miapp.ejemplo.com",
    "domainPickerDescription": "Ingresa el dominio completo del recurso para ver las opciones disponibles.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Elige tu proveedor de identidad para continuar",
    "orgAuthNoIdpConfigured": "Esta organización no tiene ningún proveedor de identidad configurado. En su lugar puedes iniciar sesión con tu identidad de Pangolin.",
    "orgAuthSignInWithPangolin": "Iniciar sesión con Pangolin",
-    "orgAuthSignInToOrg": "Iniciar sesión en una organización",
+    "orgAuthSignInToOrg": "Proveedor de identidad de la organización (SSO)",
    "orgAuthSelectOrgTitle": "Inicio de sesión de organización",
    "orgAuthSelectOrgDescription": "Ingrese el ID de su organización para continuar",
    "orgAuthOrgIdPlaceholder": "tu-organización",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Razón",
-    "requestLogs": "Registros de Solicitud",
+    "requestLogs": "Registros de Solicitud HTTP",
    "requestAnalytics": "Analítica de Solicitud",
    "host": "Anfitrión",
    "location": "Ubicación",
    "actionLogs": "Registros de acción",
-    "sidebarLogsRequest": "Registros de Solicitud",
+    "sidebarLogsRequest": "Registros de Solicitud HTTP",
    "sidebarLogsAccess": "Registros de acceso",
    "sidebarLogsAction": "Registros de acción",
    "logRetention": "Retención de Log",
    "logRetentionDescription": "Administrar cuánto tiempo se conservan los diferentes tipos de registros para esta organización o desactivarlos",
    "requestLogsDescription": "Ver registros de solicitudes detallados para los recursos de esta organización",
    "requestAnalyticsDescription": "Ver análisis de solicitudes detalladas de recursos en esta organización",
-    "logRetentionRequestLabel": "Retención de Registro de Solicitud",
+    "logRetentionRequestLabel": "Retención de Registro de Solicitud HTTP",
    "logRetentionRequestDescription": "Cuánto tiempo conservar los registros de solicitudes",
    "logRetentionAccessLabel": "Retención de Log de Acceso",
    "logRetentionAccessDescription": "Cuánto tiempo retener los registros de acceso",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Acciones administrativas realizadas por los usuarios dentro de la organización.",
    "httpDestConnectionLogsTitle": "Registros de conexión",
    "httpDestConnectionLogsDescription": "Eventos de conexión de sitios y túneles, incluyendo conexiones y desconexiones.",
-    "httpDestRequestLogsTitle": "Registros de Solicitud",
+    "httpDestRequestLogsTitle": "Registros de Solicitud HTTP",
    "httpDestRequestLogsDescription": "Registros de peticiones HTTP para recursos proxyficados, incluyendo método, ruta y código de respuesta.",
    "httpDestSaveChanges": "Guardar Cambios",
    "httpDestCreateDestination": "Crear destino",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "No se permiten subdominios comodín.",
    "domainPickerWildcardCertWarning": "Los recursos comodín pueden requerir configuración adicional para funcionar correctamente.",
    "domainPickerWildcardCertWarningLink": "Más información",
-    "health": "Salud"
+    "health": "Salud",
    "domainPendingErrorTitle": "Problema de verificación",
    "memberPortalTitle": "Recursos",
    "memberPortalDescription": "Recursos a los que tiene acceso en esta organización",
    "memberPortalSortBy": "Ordenar por...",
    "memberPortalSortNameAsc": "Nombre A-Z",
    "memberPortalSortNameDesc": "Nombre Z-A",
    "memberPortalSortDomainAsc": "Dominio A-Z",
    "memberPortalSortDomainDesc": "Dominio Z-A",
    "memberPortalSortEnabledFirst": "Habilitado Primero",
    "memberPortalSortDisabledFirst": "Deshabilitado Primero",
    "memberPortalRefresh": "Actualizar",
    "memberPortalRefreshResources": "Actualizar Recursos",
    "memberPortalFailedToLoad": "No se pudieron cargar los recursos",
    "memberPortalFailedToLoadDescription": "No se pudieron cargar los recursos. Por favor, revise su conexión e intente de nuevo.",
    "memberPortalUnableToLoad": "No se pudieron cargar los recursos",
    "memberPortalTryAgain": "Intentar de Nuevo",
    "memberPortalNoResourcesFound": "No se encontraron Recursos",
    "memberPortalNoResourcesAvailable": "No Hay Recursos Disponibles",
    "memberPortalNoResourcesMatchSearch": "No hay recursos que coincidan con \"{query}\". Intenta ajustar tus términos de búsqueda o limpiar la búsqueda para ver todos los recursos.",
    "memberPortalNoResourcesAccess": "Aún no tiene acceso a ningún recurso. Comuníquese con su administrador para obtener acceso a los recursos que necesita.",
    "memberPortalClearSearch": "Limpiar Búsqueda",
    "memberPortalPublicResources": "Recursos Públicos",
    "memberPortalPublicResourcesDescription": "Aplicaciones web y servicios accesibles vía navegador",
    "memberPortalCopiedToClipboard": "Copiado al portapapeles",
    "memberPortalCopiedUrlDescription": "La URL del recurso ha sido copiada a su portapapeles.",
    "memberPortalOpenResource": "Abrir Recurso",
    "memberPortalPrivateResources": "Recursos Privados",
    "memberPortalPrivateResourcesDescription": "Recursos de red interna accesibles vía cliente",
    "memberPortalResourceDetails": "Detalles del Recurso",
    "memberPortalMode": "Modo",
    "memberPortalDestination": "Destino",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "El alias del recurso ha sido copiado a su portapapeles.",
    "memberPortalCopiedDestinationDescription": "El destino del recurso ha sido copiado a su portapapeles.",
    "memberPortalRequiresClientConnection": "Requiere Conexión de Cliente",
    "memberPortalAuthMethods": "Métodos de Autenticación",
    "memberPortalSso": "Inicio de Sesión Único (SSO)",
    "memberPortalPasswordProtected": "Protegido por Contraseña",
    "memberPortalPinCode": "Código PIN",
    "memberPortalEmailWhitelist": "Lista Blanca de Correo",
    "memberPortalResourceDisabled": "Recurso Deshabilitado",
    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
    "memberPortalPrevious": "Anterior",
    "memberPortalNext": "Siguiente"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Vous dépassez vos limites pour votre forfait actuel. Corrigez le problème en supprimant des sites, des utilisateurs ou d'autres ressources pour rester dans votre forfait.",
    "trialBannerMessage": "Votre essai expire dans {countdown}. Passez à l'abonnement pour garder l'accès.",
    "trialBannerExpired": "Votre essai a expiré. Passez à l'abonnement maintenant pour restaurer l'accès.",
    "billingTrialBannerTitle": "Essai gratuit actif",
    "billingTrialBannerDescription": "Vous êtes actuellement en essai gratuit sur le niveau business. À la fin de l'essai, votre compte basculera automatiquement aux fonctionnalités et limites du niveau Basique. Mettez à jour à tout moment pour conserver l'accès aux fonctionnalités de votre plan actuel.",
    "billingTrialBannerUpgrade": "Passer à la version supérieure maintenant",
    "billingTrialBadge": "Essai gratuit",
    "trialActive": "Essai gratuit actif",
    "trialExpired": "Essai expiré",
    "trialHasEnded": "Votre essai est terminé.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Secrète",
    "newtVersion": "Version",
    "architecture": "Architecture",
    "sites": "Nœuds",
    "siteWgAnyClients": "Utilisez n'importe quel client WireGuard pour vous connecter. Vous devrez adresser des ressources internes en utilisant l'adresse IP du pair.",
@@ -1351,7 +1356,7 @@
    "sidebarSites": "Nœuds",
    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
-    "sidebarProxyResources": "Publique",
+    "sidebarProxyResources": "Publiques",
    "sidebarClientResources": "Privé",
    "sidebarAccessControl": "Contrôle d'accès",
    "sidebarLogsAndAnalytics": "Journaux & Analytiques",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Créer un compte administrateur",
    "setupErrorCreateAdmin": "Une erreur s'est produite lors de la création du compte administrateur du serveur.",
    "certificateStatus": "Certificat",
    "certificateStatusAutoRefreshHint": "L'état se rafraîchit automatiquement.",
    "loading": "Chargement",
    "loadingAnalytics": "Chargement de l'analyse",
    "restart": "Redémarrer",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Voir les notes de publication",
    "newtUpdateAvailable": "Mise à jour disponible",
    "newtUpdateAvailableInfo": "Une nouvelle version de Newt est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
    "pangolinNodeUpdateAvailableInfo": "Une nouvelle version de Pangolin Node est disponible. Veuillez mettre à jour vers la dernière version pour une meilleure expérience.",
    "domainPickerEnterDomain": "Domaine",
    "domainPickerPlaceholder": "monapp.exemple.com",
    "domainPickerDescription": "Entrez le domaine complet de la ressource pour voir les options disponibles.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
    "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
    "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
-    "orgAuthSignInToOrg": "Se connecter à une organisation",
+    "orgAuthSignInToOrg": "Fournisseur d'identité d'organisation (SSO)",
    "orgAuthSelectOrgTitle": "Connexion à l'organisation",
    "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
    "orgAuthOrgIdPlaceholder": "votre-organisation",
@@ -2451,8 +2458,8 @@
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
    "downloadClientBannerTitle": "Télécharger le client Pangolin",
    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
-    "manageMachineClients": "Gérer les clients de la machine",
+    "manageMachineClients": "Gérer les machines",
-    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
+    "manageMachineClientsDescription": "Créer et gérer les clients que les serveurs et systèmes utilisent pour se connecter en privé aux ressources",
    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
    "machineClientsBannerPangolinCLI": "Pangolin CLI",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Raison",
-    "requestLogs": "Journal des requêtes",
+    "requestLogs": "Journal des Requêtes HTTP",
    "requestAnalytics": "Demander des analyses",
    "host": "Hôte",
    "location": "Localisation",
    "actionLogs": "Journaux des actions",
-    "sidebarLogsRequest": "Journal des requêtes",
+    "sidebarLogsRequest": "Journal des Requêtes HTTP",
    "sidebarLogsAccess": "Journaux d'accès",
    "sidebarLogsAction": "Journaux des actions",
    "logRetention": "Journaliser la rétention",
    "logRetentionDescription": "Gérer la durée de conservation des différents types de logs pour cette organisation ou les désactiver",
    "requestLogsDescription": "Voir les journaux détaillés des requêtes pour les ressources de cette organisation",
    "requestAnalyticsDescription": "Voir les analyses détaillées des demandes pour les ressources de cette organisation",
-    "logRetentionRequestLabel": "Demander la rétention des journaux",
+    "logRetentionRequestLabel": "Rétention des Journaux de Requêtes HTTP",
    "logRetentionRequestDescription": "Durée de conservation des journaux de requêtes",
    "logRetentionAccessLabel": "Rétention du journal d'accès",
    "logRetentionAccessDescription": "Durée de conservation des journaux d'accès",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Actions administratives effectuées par les utilisateurs au sein de l'organisation.",
    "httpDestConnectionLogsTitle": "Journaux de connexion",
    "httpDestConnectionLogsDescription": "Événements de connexion du site et du tunnel, y compris les connexions et les déconnexions.",
-    "httpDestRequestLogsTitle": "Journal des requêtes",
+    "httpDestRequestLogsTitle": "Journal des Requêtes HTTP",
    "httpDestRequestLogsDescription": "Journaux des requêtes HTTP pour les ressources proxiées, y compris la méthode, le chemin et le code de réponse.",
    "httpDestSaveChanges": "Enregistrer les modifications",
    "httpDestCreateDestination": "Créer une destination",
@@ -3147,6 +3154,7 @@
    "healthCheckTabAdvanced": "Avancé",
    "healthCheckStrategyNotAvailable": "Cette stratégie n'est pas disponible. Veuillez contacter le service commercial pour activer cette fonctionnalité.",
    "uptime30d": "Disponibilité (30j)",
    "uptimeNoData": "Aucune donnée",
    "idpAddActionCreateNew": "Créer un nouveau fournisseur d'identité",
    "idpAddActionImportFromOrg": "Importer d'une autre organisation",
    "idpImportDialogTitle": "Importer le fournisseur d'identité",
@@ -3200,5 +3208,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Les sous-domaines Joker ne sont pas autorisés.",
    "domainPickerWildcardCertWarning": "Les ressources Joker peuvent nécessiter une configuration supplémentaire pour fonctionner correctement.",
    "domainPickerWildcardCertWarningLink": "En savoir plus",
-    "health": "Santé"
+    "health": "Santé",
    "domainPendingErrorTitle": "Problème de vérification",
    "memberPortalTitle": "Ressources",
    "memberPortalDescription": "Ressources auxquelles vous avez accès dans cette organisation",
    "memberPortalSortBy": "Trier par...",
    "memberPortalSortNameAsc": "Nom A-Z",
    "memberPortalSortNameDesc": "Nom Z-A",
    "memberPortalSortDomainAsc": "Domaine A-Z",
    "memberPortalSortDomainDesc": "Domaine Z-A",
    "memberPortalSortEnabledFirst": "Activé en premier",
    "memberPortalSortDisabledFirst": "Désactivé en premier",
    "memberPortalRefresh": "Actualiser",
    "memberPortalRefreshResources": "Actualiser les ressources",
    "memberPortalFailedToLoad": "Échec du chargement des ressources",
    "memberPortalFailedToLoadDescription": "Échec du chargement des ressources. Veuillez vérifier votre connexion et réessayer.",
    "memberPortalUnableToLoad": "Impossible de charger les ressources",
    "memberPortalTryAgain": "Réessayer",
    "memberPortalNoResourcesFound": "Aucune ressource trouvée",
    "memberPortalNoResourcesAvailable": "Aucune ressource disponible",
    "memberPortalNoResourcesMatchSearch": "Aucune ressource ne correspond à \"{query}\". Essayez d'ajuster vos termes de recherche ou de vider la recherche pour voir toutes les ressources.",
    "memberPortalNoResourcesAccess": "Vous n'avez encore accès à aucune ressource. Contactez votre administrateur pour obtenir l'accès aux ressources dont vous avez besoin.",
    "memberPortalClearSearch": "Effacer la recherche",
    "memberPortalPublicResources": "Ressources publiques",
    "memberPortalPublicResourcesDescription": "Applications et services web accessibles via un navigateur",
    "memberPortalCopiedToClipboard": "Copié dans le presse-papiers",
    "memberPortalCopiedUrlDescription": "L'URL de la ressource a été copiée dans votre presse-papiers.",
    "memberPortalOpenResource": "Ouvrir la ressource",
    "memberPortalPrivateResources": "Ressources privées",
    "memberPortalPrivateResourcesDescription": "Ressources réseau internes accessibles via un client",
    "memberPortalResourceDetails": "Détails de la ressource",
    "memberPortalMode": "Mode",
    "memberPortalDestination": "Destination",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "L'alias de la ressource a été copié dans votre presse-papiers.",
    "memberPortalCopiedDestinationDescription": "La destination de la ressource a été copiée dans votre presse-papiers.",
    "memberPortalRequiresClientConnection": "Nécessite une connexion client",
    "memberPortalAuthMethods": "Méthodes d'authentification",
    "memberPortalSso": "Authentification unique (SSO)",
    "memberPortalPasswordProtected": "Protégé par un mot de passe",
    "memberPortalPinCode": "Code PIN",
    "memberPortalEmailWhitelist": "Liste blanche des e-mails",
    "memberPortalResourceDisabled": "Ressource désactivée",
    "memberPortalShowingResources": "Affichage de {start}-{end} sur {total} ressources",
    "memberPortalPrevious": "Précédent",
    "memberPortalNext": "Suivant"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Hai superato i tuoi limiti per il tuo piano attuale. Correggi il problema rimuovendo siti, utenti o altre risorse per rimanere all'interno del tuo piano.",
    "trialBannerMessage": "Il tuo periodo di prova scade tra {countdown}. Aggiorna per mantenere l'accesso.",
    "trialBannerExpired": "Il tuo periodo di prova è scaduto. Aggiorna ora per ripristinare l'accesso.",
    "billingTrialBannerTitle": "Prova Gratuita Attiva",
    "billingTrialBannerDescription": "Attualmente sei in una prova gratuita sul livello business. Quando la prova terminerà, il tuo account tornerà automaticamente alle funzionalità e ai limiti del piano Basic. Effettua l'upgrade in qualsiasi momento per mantenere l'accesso alle funzionalità del tuo piano attuale.",
    "billingTrialBannerUpgrade": "Effettua l'Upgrade Ora",
    "billingTrialBadge": "Prova Gratuita",
    "trialActive": "Prova Gratuita Attiva",
    "trialExpired": "Prova scaduta",
    "trialHasEnded": "La tua prova è terminata.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Segreto",
    "newtVersion": "Versione",
    "architecture": "Architettura",
    "sites": "Siti",
    "siteWgAnyClients": "Usa qualsiasi client WireGuard per connetterti. Dovrai indirizzare le risorse interne utilizzando l'IP del peer.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Crea Account Admin",
    "setupErrorCreateAdmin": "Si è verificato un errore durante la creazione dell'account amministratore del server.",
    "certificateStatus": "Certificato",
    "certificateStatusAutoRefreshHint": "Lo stato si aggiorna automaticamente.",
    "loading": "Caricamento",
    "loadingAnalytics": "Caricamento Delle Analisi",
    "restart": "Riavvia",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Visualizza Note Di Rilascio",
    "newtUpdateAvailable": "Aggiornamento Disponibile",
    "newtUpdateAvailableInfo": "È disponibile una nuova versione di Newt. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
    "pangolinNodeUpdateAvailableInfo": "È disponibile una nuova versione di Pangolin Node. Si prega di aggiornare all'ultima versione per la migliore esperienza.",
    "domainPickerEnterDomain": "Dominio",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Inserisci il dominio completo della risorsa per vedere le opzioni disponibili.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Scegli il tuo provider di identità per continuare",
    "orgAuthNoIdpConfigured": "Questa organizzazione non ha nessun provider di identità configurato. Puoi accedere con la tua identità Pangolin.",
    "orgAuthSignInWithPangolin": "Accedi con Pangolino",
-    "orgAuthSignInToOrg": "Accedi a un'organizzazione",
+    "orgAuthSignInToOrg": "Provider di identità dell'organizzazione (SSO)",
    "orgAuthSelectOrgTitle": "Accesso Organizzazione",
    "orgAuthSelectOrgDescription": "Inserisci l'ID dell'organizzazione per continuare",
    "orgAuthOrgIdPlaceholder": "la-tua-organizzazione",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Motivo",
-    "requestLogs": "Log Richiesta",
+    "requestLogs": "Log Richieste HTTP",
    "requestAnalytics": "Richiedi Analisi",
    "host": "Host",
    "location": "Posizione",
    "actionLogs": "Log Azioni",
-    "sidebarLogsRequest": "Log Richiesta",
+    "sidebarLogsRequest": "Log Richieste HTTP",
    "sidebarLogsAccess": "Log Accesso",
    "sidebarLogsAction": "Log Azioni",
    "logRetention": "Ritenzione Registro",
    "logRetentionDescription": "Gestisci per quanto tempo i diversi tipi di log sono mantenuti per questa organizzazione o disabilitali",
    "requestLogsDescription": "Visualizza i registri di richiesta dettagliati per le risorse in questa organizzazione",
    "requestAnalyticsDescription": "Visualizza le analisi dettagliate della richiesta per le risorse in questa organizzazione",
-    "logRetentionRequestLabel": "Richiedi Ritenzione Log",
+    "logRetentionRequestLabel": "Conservazione Log Richieste HTTP",
    "logRetentionRequestDescription": "Per quanto tempo conservare i log delle richieste",
    "logRetentionAccessLabel": "Ritenzione Registro Accesso",
    "logRetentionAccessDescription": "Per quanto tempo conservare i log di accesso",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Azioni amministrative eseguite dagli utenti all'interno dell'organizzazione.",
    "httpDestConnectionLogsTitle": "Log Di Connessione",
    "httpDestConnectionLogsDescription": "Eventi di connessione al sito e al tunnel, inclusi collegamenti e disconnessioni.",
-    "httpDestRequestLogsTitle": "Log Richiesta",
+    "httpDestRequestLogsTitle": "Log Richieste HTTP",
    "httpDestRequestLogsDescription": "Registri di richiesta HTTP per le risorse proxy, inclusi metodo, percorso e codice di risposta.",
    "httpDestSaveChanges": "Salva Modifiche",
    "httpDestCreateDestination": "Crea Destinazione",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "I sottodomini wildcard non sono permessi.",
    "domainPickerWildcardCertWarning": "Le risorse wildcard potrebbero richiedere configurazioni aggiuntive per funzionare correttamente.",
    "domainPickerWildcardCertWarningLink": "Scopri di più",
-    "health": "Salute"
+    "health": "Salute",
    "domainPendingErrorTitle": "Problema di Verifica",
    "memberPortalTitle": "Risorse",
    "memberPortalDescription": "Risorse a cui hai accesso in questa organizzazione",
    "memberPortalSortBy": "Ordina per...",
    "memberPortalSortNameAsc": "Nome A-Z",
    "memberPortalSortNameDesc": "Nome Z-A",
    "memberPortalSortDomainAsc": "Dominio A-Z",
    "memberPortalSortDomainDesc": "Dominio Z-A",
    "memberPortalSortEnabledFirst": "Abilitati per primi",
    "memberPortalSortDisabledFirst": "Disabilitati per primi",
    "memberPortalRefresh": "Aggiorna",
    "memberPortalRefreshResources": "Aggiorna Risorse",
    "memberPortalFailedToLoad": "Caricamento delle risorse non riuscito",
    "memberPortalFailedToLoadDescription": "Caricamento delle risorse non riuscito. Controlla la tua connessione e riprova.",
    "memberPortalUnableToLoad": "Impossibile caricare le risorse",
    "memberPortalTryAgain": "Riprova",
    "memberPortalNoResourcesFound": "Nessuna risorsa trovata",
    "memberPortalNoResourcesAvailable": "Nessuna risorsa disponibile",
    "memberPortalNoResourcesMatchSearch": "Nessuna risorsa corrisponde a \"{query}\". Prova ad aggiustare i termini di ricerca o a cancellare la ricerca per vedere tutte le risorse.",
    "memberPortalNoResourcesAccess": "Non hai ancora accesso a nessuna risorsa. Contatta il tuo amministratore per ottenere l'accesso alle risorse di cui hai bisogno.",
    "memberPortalClearSearch": "Cancella Ricerca",
    "memberPortalPublicResources": "Risorse Pubbliche",
    "memberPortalPublicResourcesDescription": "Applicazioni web e servizi accessibili tramite browser",
    "memberPortalCopiedToClipboard": "Copiato negli appunti",
    "memberPortalCopiedUrlDescription": "L'URL della risorsa è stato copiato negli appunti.",
    "memberPortalOpenResource": "Apri Risorsa",
    "memberPortalPrivateResources": "Risorse Private",
    "memberPortalPrivateResourcesDescription": "Risorse di rete interne accessibili tramite client",
    "memberPortalResourceDetails": "Dettagli della Risorsa",
    "memberPortalMode": "Modalità",
    "memberPortalDestination": "Destinazione",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "L'alias della risorsa è stato copiato negli appunti.",
    "memberPortalCopiedDestinationDescription": "La destinazione della risorsa è stata copiata negli appunti.",
    "memberPortalRequiresClientConnection": "Richiede Connessione Client",
    "memberPortalAuthMethods": "Metodi di Autenticazione",
    "memberPortalSso": "Accesso unico (Single Sign-On, SSO)",
    "memberPortalPasswordProtected": "Protetto da password",
    "memberPortalPinCode": "Codice PIN",
    "memberPortalEmailWhitelist": "Lista Autorizzazioni Email",
    "memberPortalResourceDisabled": "Risorsa Disabilitata",
    "memberPortalShowingResources": "Mostrando {start}-{end} di {total} risorse",
    "memberPortalPrevious": "Precedente",
    "memberPortalNext": "Successivo"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "현재 계획의 한계를 초과했습니다. 사이트, 사용자 또는 기타 리소스를 제거하여 계획 내에 머물도록 해결하세요.",
    "trialBannerMessage": "시험 사용 기간이 {countdown} 안에 만료됩니다. 업그레이드하여 액세스를 유지하세요.",
    "trialBannerExpired": "시험 사용 기간이 만료되었습니다. 지금 업그레이드하여 액세스를 복구하세요.",
    "billingTrialBannerTitle": "무료 평가판 활성화",
    "billingTrialBannerDescription": "현재 비즈니스 티어의 무료 평가판을 사용 중입니다. 평가판이 종료되면 계정은 자동으로 기본 티어 기능 및 제한으로 돌아갑니다. 현재 계획의 기능을 유지하려면 언제든지 업그레이드 하세요.",
    "billingTrialBannerUpgrade": "지금 업그레이드",
    "billingTrialBadge": "무료 평가판",
    "trialActive": "무료 체험 활성화됨",
    "trialExpired": "체험 만료됨",
    "trialHasEnded": "시험 사용 기간이 종료되었습니다.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "엔드포인트",
    "newtId": "ID",
    "newtSecretKey": "비밀",
    "newtVersion": "버전",
    "architecture": "아키텍처",
    "sites": "사이트",
    "siteWgAnyClients": "WireGuard 클라이언트를 사용하여 연결하십시오. 피어 IP를 사용하여 내부 리소스에 접근해야 합니다.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "관리자 계정 생성",
    "setupErrorCreateAdmin": "서버 관리자 계정을 생성하는 동안 오류가 발생했습니다.",
    "certificateStatus": "인증서",
    "certificateStatusAutoRefreshHint": "상태가 자동으로 새로 고쳐집니다.",
    "loading": "로딩 중",
    "loadingAnalytics": "분석 로딩 중",
    "restart": "재시작",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "릴리스 노트 보기",
    "newtUpdateAvailable": "업데이트 가능",
    "newtUpdateAvailableInfo": "뉴트의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
    "pangolinNodeUpdateAvailableInfo": "Pangolin Node의 새 버전이 출시되었습니다. 최상의 경험을 위해 최신 버전으로 업데이트하세요.",
    "domainPickerEnterDomain": "도메인",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "리소스의 전체 도메인을 입력하여 사용 가능한 옵션을 확인하십시오.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
    "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
    "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
-    "orgAuthSignInToOrg": "조직에 로그인",
+    "orgAuthSignInToOrg": "조직 아이덴티티 제공자 (SSO)",
    "orgAuthSelectOrgTitle": "조직 로그인",
    "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
    "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "유효한 인증 없음",
    "ip": "IP",
    "reason": "이유",
-    "requestLogs": "요청 로그",
+    "requestLogs": "HTTP 요청 로그",
    "requestAnalytics": "요청 분석",
    "host": "호스트",
    "location": "위치",
    "actionLogs": "작업 로그",
-    "sidebarLogsRequest": "요청 로그",
+    "sidebarLogsRequest": "HTTP 요청 로그",
    "sidebarLogsAccess": "접근 로그",
    "sidebarLogsAction": "작업 로그",
    "logRetention": "로그 보관",
    "logRetentionDescription": "다양한 유형의 로그를 이 조직에 대해 얼마나 오래 보관할지 관리하거나 비활성화합니다",
    "requestLogsDescription": "이 조직의 자원에 대한 상세한 요청 로그를 봅니다",
    "requestAnalyticsDescription": "이 조직의 리소스에 대한 자세한 요청 분석 보기",
-    "logRetentionRequestLabel": "요청 로그 보관",
+    "logRetentionRequestLabel": "HTTP 요청 로그 보관",
    "logRetentionRequestDescription": "요청 로그를 얼마나 오래 보관할지",
    "logRetentionAccessLabel": "접근 로그 보관",
    "logRetentionAccessDescription": "접근 로그를 얼마나 오래 보관할지",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "조직 내에서 사용자가 수행한 관리 작업.",
    "httpDestConnectionLogsTitle": "연결 로그",
    "httpDestConnectionLogsDescription": "사이트 및 터널 연결 이벤트, 연결 및 연결 끊기를 포함합니다.",
-    "httpDestRequestLogsTitle": "요청 로그",
+    "httpDestRequestLogsTitle": "HTTP 요청 로그",
    "httpDestRequestLogsDescription": "프록시된 리소스에 대한 HTTP 요청 로그, 메서드, 경로 및 응답 코드를 포함합니다.",
    "httpDestSaveChanges": "변경 사항 저장",
    "httpDestCreateDestination": "대상지 생성",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "와일드카드 서브도메인은 허용되지 않습니다.",
    "domainPickerWildcardCertWarning": "와일드카드 리소스는 올바르게 작동하려면 추가 구성이 필요할 수 있습니다.",
    "domainPickerWildcardCertWarningLink": "자세히 알아보기",
-    "health": "건강"
+    "health": "건강",
    "domainPendingErrorTitle": "확인 문제",
    "memberPortalTitle": "리소스",
    "memberPortalDescription": "이 조직에서 접근할 수 있는 리소스",
    "memberPortalSortBy": "정렬 기준...",
    "memberPortalSortNameAsc": "이름 A-Z",
    "memberPortalSortNameDesc": "이름 Z-A",
    "memberPortalSortDomainAsc": "도메인 A-Z",
    "memberPortalSortDomainDesc": "도메인 Z-A",
    "memberPortalSortEnabledFirst": "사용 활성화 우선",
    "memberPortalSortDisabledFirst": "사용 비활성화 우선",
    "memberPortalRefresh": "새로 고침",
    "memberPortalRefreshResources": "리소스 새로 고침",
    "memberPortalFailedToLoad": "리소스를 불러오는 데 실패했습니다",
    "memberPortalFailedToLoadDescription": "리소스를 불러오는 데 실패했습니다. 연결을 확인하고 다시 시도해 주십시오.",
    "memberPortalUnableToLoad": "리소스를 가져오는 데 실패했습니다",
    "memberPortalTryAgain": "다시 시도",
    "memberPortalNoResourcesFound": "리소스를 발견하지 못했습니다",
    "memberPortalNoResourcesAvailable": "사용 가능한 리소스가 없습니다",
    "memberPortalNoResourcesMatchSearch": "\"{query}\"와 일치하는 리소스가 없습니다. 검색어를 수정하거나 검색을 초기화하여 모든 리소스를 확인하십시오.",
    "memberPortalNoResourcesAccess": "아직 접근할 수 있는 리소스가 없습니다. 필요한 리소스 접근을 위해 관리자에게 문의하세요.",
    "memberPortalClearSearch": "검색 초기화",
    "memberPortalPublicResources": "공공 리소스",
    "memberPortalPublicResourcesDescription": "브라우저를 통해 접근 가능한 웹 애플리케이션 및 서비스",
    "memberPortalCopiedToClipboard": "클립보드에 복사됨",
    "memberPortalCopiedUrlDescription": "리소스 URL이 클립보드에 복사되었습니다.",
    "memberPortalOpenResource": "리소스 열기",
    "memberPortalPrivateResources": "비공개 리소스",
    "memberPortalPrivateResourcesDescription": "클라이언트를 통해 접근 가능한 내부 네트워크 리소스",
    "memberPortalResourceDetails": "리소스 세부 정보",
    "memberPortalMode": "모드",
    "memberPortalDestination": "대상지",
    "memberPortalAlias": "별칭",
    "memberPortalCopiedAliasDescription": "리소스 별칭이 클립보드에 복사되었습니다.",
    "memberPortalCopiedDestinationDescription": "리소스 대상지가 클립보드에 복사되었습니다.",
    "memberPortalRequiresClientConnection": "클라이언트 연결 필요",
    "memberPortalAuthMethods": "인증 방법",
    "memberPortalSso": "싱글 사인온 (SSO)",
    "memberPortalPasswordProtected": "비밀번호 보호",
    "memberPortalPinCode": "PIN 코드",
    "memberPortalEmailWhitelist": "이메일 화이트리스트",
    "memberPortalResourceDisabled": "리소스 비활성화됨",
    "memberPortalShowingResources": "{start}-{end} 중 {total}개의 리소스를 표시 중",
    "memberPortalPrevious": "이전",
    "memberPortalNext": "다음"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Du er utenfor grensen for gjeldende plan. Rett problemet ved å fjerne nettsteder, brukere eller andre ressurser for å bli innenfor planen din.",
    "trialBannerMessage": "Din prøveperiode utløper om {countdown}. Oppgrader for å beholde tilgangen.",
    "trialBannerExpired": "Prøveperioden din har utløpt. Oppgrader nå for å gjenopprette tilgangen.",
    "billingTrialBannerTitle": "Prøveversjon Aktiv",
    "billingTrialBannerDescription": "Du har for øyeblikket en gratis prøveversjon på forretningsnivået. Når prøven avsluttes, vil kontoen din automatisk gå tilbake til funksjoner og begrensninger på Basis-nivået. Oppgrader når som helst for å beholde tilgang til de nåværende planens funksjoner.",
    "billingTrialBannerUpgrade": "Oppgrader nå",
    "billingTrialBadge": "Prøveversjon",
    "trialActive": "Gratis prøveversjon aktiv",
    "trialExpired": "Prøveperioden er utløpt",
    "trialHasEnded": "Din prøveperiode har avsluttet.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sikkerhetsnøkkel",
    "newtVersion": "Versjon",
    "architecture": "Arkitektur",
    "sites": "Områder",
    "siteWgAnyClients": "Bruk hvilken som helst WireGuard klient til å koble til. Du må adressere interne ressurser ved hjelp av peer IP.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Opprett administratorkonto",
    "setupErrorCreateAdmin": "En feil oppstod under opprettelsen av serveradministratorkontoen.",
    "certificateStatus": "Sertifikat",
    "certificateStatusAutoRefreshHint": "Status oppdateres automatisk.",
    "loading": "Laster inn",
    "loadingAnalytics": "Laster inn analyser",
    "restart": "Start på nytt",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Se utgivelsesnotater",
    "newtUpdateAvailable": "Oppdatering tilgjengelig",
    "newtUpdateAvailableInfo": "En ny versjon av Newt er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
    "pangolinNodeUpdateAvailableInfo": "En ny versjon av Pangolin Node er tilgjengelig. Vennligst oppdater til den nyeste versjonen for den beste opplevelsen.",
    "domainPickerEnterDomain": "Domene",
    "domainPickerPlaceholder": "minapp.eksempel.no",
    "domainPickerDescription": "Skriv inn hele domenet til ressursen for å se tilgjengelige alternativer.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Velg din identitet leverandør for å fortsette",
    "orgAuthNoIdpConfigured": "Denne organisasjonen har ikke noen identitetstjeneste konfigurert. Du kan i stedet logge inn med Pangolin identiteten din.",
    "orgAuthSignInWithPangolin": "Logg inn med Pangolin",
-    "orgAuthSignInToOrg": "Logg inn på en organisasjon",
+    "orgAuthSignInToOrg": "Organisasjonens identitetsleverandør (SSO)",
    "orgAuthSelectOrgTitle": "Organisasjonsinnlogging",
    "orgAuthSelectOrgDescription": "Skriv inn organisasjons-ID-en din for å fortsette",
    "orgAuthOrgIdPlaceholder": "din-organisasjon",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Grunn",
-    "requestLogs": "Forespørselslogger (Automatic Translation)",
+    "requestLogs": "HTTP-forespørselslogger",
    "requestAnalytics": "Be om analyser",
    "host": "Vert",
    "location": "Sted",
    "actionLogs": "Handlingslogger",
-    "sidebarLogsRequest": "Forespørselslogger (Automatic Translation)",
+    "sidebarLogsRequest": "HTTP-forespørselslogger",
    "sidebarLogsAccess": "Tilgangslogger (Automatic Translation)",
    "sidebarLogsAction": "Handlingslogger",
    "logRetention": "Logg tilbaketrekning",
    "logRetentionDescription": "Håndter hvor lenge ulike typer logger beholdes for denne organisasjonen, eller deaktiver dem",
    "requestLogsDescription": "Se detaljerte forespørselslogger for ressurser i denne organisasjonen",
    "requestAnalyticsDescription": "Se detaljert rekvisisjonsanalyse for ressurser i denne organisasjonen",
-    "logRetentionRequestLabel": "Be om loggoverføring",
+    "logRetentionRequestLabel": "Be om loggbevaring",
    "logRetentionRequestDescription": "Hvor lenge du vil beholde forespørselslogger",
    "logRetentionAccessLabel": "Få tilgang til loggoverføring",
    "logRetentionAccessDescription": "Hvor lenge du vil beholde adgangslogger",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administrative tiltak som utføres av brukere innenfor organisasjonen.",
    "httpDestConnectionLogsTitle": "Loggfiler for tilkobling",
    "httpDestConnectionLogsDescription": "Utstyrs- og tunneltilkoblingshendelser, inkludert forbindelser og frakobling.",
-    "httpDestRequestLogsTitle": "Forespørselslogger (Automatic Translation)",
+    "httpDestRequestLogsTitle": "HTTP-forespørselslogger",
    "httpDestRequestLogsDescription": "HTTP-forespørsel logger for bekreftede ressurser, inkludert metode, bane og responskode.",
    "httpDestSaveChanges": "Lagre endringer",
    "httpDestCreateDestination": "Opprett mål",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Jokertegnsubdomener er ikke tillatt.",
    "domainPickerWildcardCertWarning": "Jokertegnressurser kan kreve ekstra konfigurasjon for å fungere skikkelig.",
    "domainPickerWildcardCertWarningLink": "Lær mer",
-    "health": "Helse"
+    "health": "Helse",
    "domainPendingErrorTitle": "Verifiseringsproblem",
    "memberPortalTitle": "Ressurser",
    "memberPortalDescription": "Ressurser du har tilgang til i denne organisasjonen",
    "memberPortalSortBy": "Sorter etter...",
    "memberPortalSortNameAsc": "Navn A-Å",
    "memberPortalSortNameDesc": "Navn Å-A",
    "memberPortalSortDomainAsc": "Domene A-Å",
    "memberPortalSortDomainDesc": "Domene Å-A",
    "memberPortalSortEnabledFirst": "Aktivert først",
    "memberPortalSortDisabledFirst": "Deaktivert først",
    "memberPortalRefresh": "Oppdater",
    "memberPortalRefreshResources": "Oppdater ressurser",
    "memberPortalFailedToLoad": "Kunne ikke laste inn ressurser",
    "memberPortalFailedToLoadDescription": "Kunne ikke laste inn ressurser. Vennligst sjekk tilkoblingen din og prøv igjen.",
    "memberPortalUnableToLoad": "Kan ikke laste inn ressurser",
    "memberPortalTryAgain": "Prøv igjen",
    "memberPortalNoResourcesFound": "Ingen ressurser funnet",
    "memberPortalNoResourcesAvailable": "Ingen ressurser tilgjengelig",
    "memberPortalNoResourcesMatchSearch": "Ingen ressurser samsvarer med \"{query}\". Prøv å justere søkeordene dine eller fjern søket for å se alle ressurser.",
    "memberPortalNoResourcesAccess": "Du har ennå ikke tilgang til noen ressurser. Kontakt administratoren din for å få tilgang til de ressursene du trenger.",
    "memberPortalClearSearch": "Fjern søk",
    "memberPortalPublicResources": "Offentlige ressurser",
    "memberPortalPublicResourcesDescription": "Webapplikasjoner og -tjenester tilgjengelige via nettleser",
    "memberPortalCopiedToClipboard": "Kopiert til utklippstavlen",
    "memberPortalCopiedUrlDescription": "Ressurs-URL er kopiert til utklippstavlen din.",
    "memberPortalOpenResource": "Åpne ressurs",
    "memberPortalPrivateResources": "Private ressurser",
    "memberPortalPrivateResourcesDescription": "Interne nettverksressurser tilgjengelige via klient",
    "memberPortalResourceDetails": "Ressursdetaljer",
    "memberPortalMode": "Modus",
    "memberPortalDestination": "Destinasjon",
    "memberPortalAlias": "Navn",
    "memberPortalCopiedAliasDescription": "Ressursalias er kopiert til utklippstavlen din.",
    "memberPortalCopiedDestinationDescription": "Ressursdestinasjon er kopiert til utklippstavlen din.",
    "memberPortalRequiresClientConnection": "Krever klienttilkobling",
    "memberPortalAuthMethods": "Autentiseringsmetoder",
    "memberPortalSso": "Enkeltpålogging (SSO)",
    "memberPortalPasswordProtected": "Passordbeskyttet",
    "memberPortalPinCode": "PIN-kode",
    "memberPortalEmailWhitelist": "E-post-hviteliste",
    "memberPortalResourceDisabled": "Ressurs deaktivert",
    "memberPortalShowingResources": "Viser {start}-{end} av {total} ressurser",
    "memberPortalPrevious": "Forrige",
    "memberPortalNext": "Neste"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "U overschrijdt uw huidige abonnement. Corrigeer het probleem door sites, gebruikers of andere bronnen te verwijderen om binnen uw plan te blijven.",
    "trialBannerMessage": "Uw proefversie verloopt over {countdown}. Upgrade om toegang te behouden.",
    "trialBannerExpired": "Uw proefperiode is verlopen. Upgrade nu om toegang te herstellen.",
    "billingTrialBannerTitle": "Proefperiode Actief",
    "billingTrialBannerDescription": "Je bent momenteel bezig met een gratis proefperiode op het zakelijke niveau. Wanneer de proefperiode eindigt, wordt je account automatisch teruggezet naar de functies en limieten van het Basic-niveau. Upgrade op elk moment om toegang te houden tot de functies van je huidige plan.",
    "billingTrialBannerUpgrade": "Nu Upgraden",
    "billingTrialBadge": "Gratis Proefversie",
    "trialActive": "Gratis proefversie actief",
    "trialExpired": "Proefversie verlopen",
    "trialHasEnded": "Uw proefperiode is geëindigd.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Geheim",
    "newtVersion": "Versie",
    "architecture": "Architectuur",
    "sites": "Sites",
    "siteWgAnyClients": "Gebruik een willekeurige WireGuard client om verbinding te maken. Je zult interne bronnen moeten aanspreken met behulp van de peer IP.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Maak een beheeraccount aan",
    "setupErrorCreateAdmin": "Er is een fout opgetreden bij het maken van het serverbeheerdersaccount.",
    "certificateStatus": "Certificaat",
    "certificateStatusAutoRefreshHint": "Status ververst automatisch.",
    "loading": "Bezig met laden",
    "loadingAnalytics": "Laden van Analytics",
    "restart": "Herstarten",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Uitgaveopmerkingen bekijken",
    "newtUpdateAvailable": "Update beschikbaar",
    "newtUpdateAvailableInfo": "Er is een nieuwe versie van Newt beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
    "pangolinNodeUpdateAvailableInfo": "Er is een nieuwe versie van Pangolin Node beschikbaar. Update naar de nieuwste versie voor de beste ervaring.",
    "domainPickerEnterDomain": "Domein",
    "domainPickerPlaceholder": "mijnapp.voorbeeld.nl",
    "domainPickerDescription": "Voer de volledige domein van de bron in om beschikbare opties te zien.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
    "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
    "orgAuthSignInWithPangolin": "Log in met Pangolin",
-    "orgAuthSignInToOrg": "Log in bij een organisatie",
+    "orgAuthSignInToOrg": "Organisatie Identiteitsprovider (SSO)",
    "orgAuthSelectOrgTitle": "Organisatie Inloggen",
    "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
    "orgAuthOrgIdPlaceholder": "jouw-organisatie",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP-adres",
    "reason": "Reden",
-    "requestLogs": "Logboeken aanvragen",
+    "requestLogs": "HTTP-aanvraaglogboeken",
    "requestAnalytics": "Analytics opvragen",
    "host": "Hostnaam",
    "location": "Locatie",
    "actionLogs": "Actie logs",
-    "sidebarLogsRequest": "Logboeken aanvragen",
+    "sidebarLogsRequest": "HTTP-aanvraaglogboeken",
    "sidebarLogsAccess": "Toegang tot logboek",
    "sidebarLogsAction": "Actie logs",
    "logRetention": "Log bewaring",
    "logRetentionDescription": "Beheren hoe lang verschillende soorten logs bewaard worden voor deze organisatie of schakel ze uit",
    "requestLogsDescription": "Bekijk gedetailleerde verzoeklogboeken voor resources in deze organisatie",
    "requestAnalyticsDescription": "Bekijk gedetailleerde request analytics voor resources in deze organisatie",
-    "logRetentionRequestLabel": "Logboekbewaring aanvragen",
+    "logRetentionRequestLabel": "Bewaring van HTTP-aanvraaglogboeken",
    "logRetentionRequestDescription": "Hoe lang de aanvraaglogboeken te behouden",
    "logRetentionAccessLabel": "Toegang logboek bewaring",
    "logRetentionAccessDescription": "Hoe lang de toegangslogboeken behouden blijven",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Administratieve acties uitgevoerd door gebruikers binnen de organisatie.",
    "httpDestConnectionLogsTitle": "Connectie Logs",
    "httpDestConnectionLogsDescription": "Verbinding met de Site en tunnel maken verbroken, inclusief verbindingen en verbindingen.",
-    "httpDestRequestLogsTitle": "Logboeken aanvragen",
+    "httpDestRequestLogsTitle": "HTTP-aanvraaglogboeken",
    "httpDestRequestLogsDescription": "HTTP request logs voor proxied hulpmiddelen, waaronder methode, pad en response code.",
    "httpDestSaveChanges": "Wijzigingen opslaan",
    "httpDestCreateDestination": "Maak bestemming aan",
@@ -3167,7 +3174,7 @@
    "publicIpEndpoint": "Eindpunt",
    "lastTriggeredAt": "Laatste Trigger",
    "reject": "Afwijzen",
-    "uptimeDaysAgo": "{count} days ago",
+    "uptimeDaysAgo": "{count} dagen geleden",
    "uptimeToday": "Vandaag",
    "uptimeNoDataAvailable": "Geen gegevens beschikbaar",
    "uptimeSuffix": "werktijd",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard-subdomeinen zijn niet toegestaan.",
    "domainPickerWildcardCertWarning": "Wildcard-bronnen hebben mogelijk extra configuratie nodig om correct te werken.",
    "domainPickerWildcardCertWarningLink": "Meer informatie",
-    "health": "Gezondheid"
+    "health": "Gezondheid",
    "domainPendingErrorTitle": "Verificatieprobleem",
    "memberPortalTitle": "Bronnen",
    "memberPortalDescription": "Bronnen waartoe je toegang hebt binnen deze organisatie",
    "memberPortalSortBy": "Sorteren op...",
    "memberPortalSortNameAsc": "Naam A-Z",
    "memberPortalSortNameDesc": "Naam Z-A",
    "memberPortalSortDomainAsc": "Domein A-Z",
    "memberPortalSortDomainDesc": "Domein Z-A",
    "memberPortalSortEnabledFirst": "Ingeschakeld Eerst",
    "memberPortalSortDisabledFirst": "Uitgeschakeld Eerst",
    "memberPortalRefresh": "Vernieuwen",
    "memberPortalRefreshResources": "Bronnen Vernieuwen",
    "memberPortalFailedToLoad": "Fout bij het laden van bronnen",
    "memberPortalFailedToLoadDescription": "Fout bij het laden van bronnen. Controleer uw verbinding en probeer het opnieuw.",
    "memberPortalUnableToLoad": "Niet in staat om bronnen te laden",
    "memberPortalTryAgain": "Probeer Opnieuw",
    "memberPortalNoResourcesFound": "Geen Bronnen Gevonden",
    "memberPortalNoResourcesAvailable": "Geen Bronnen Beschikbaar",
    "memberPortalNoResourcesMatchSearch": "Geen bronnen komen overeen met \"{query}\". Probeer uw zoektermen aan te passen of wis de zoekopdracht om alle bronnen te zien.",
    "memberPortalNoResourcesAccess": "Je hebt nog geen toegang tot bronnen. Neem contact op met je beheerder om toegang te krijgen tot de benodigde bronnen.",
    "memberPortalClearSearch": "Zoekopdracht Wissen",
    "memberPortalPublicResources": "Publieke Bronnen",
    "memberPortalPublicResourcesDescription": "Webapplicaties en services toegankelijk via browser",
    "memberPortalCopiedToClipboard": "Gekopieerd naar klembord",
    "memberPortalCopiedUrlDescription": "Bron URL is naar uw klembord gekopieerd.",
    "memberPortalOpenResource": "Bron Openen",
    "memberPortalPrivateResources": "Privé Bronnen",
    "memberPortalPrivateResourcesDescription": "Interne netwerkbronnen toegankelijk via client",
    "memberPortalResourceDetails": "Bron Details",
    "memberPortalMode": "Modus",
    "memberPortalDestination": "Bestemming",
    "memberPortalAlias": "Alias",
    "memberPortalCopiedAliasDescription": "Bron alias is naar uw klembord gekopieerd.",
    "memberPortalCopiedDestinationDescription": "Bron bestemming is naar uw klembord gekopieerd.",
    "memberPortalRequiresClientConnection": "Clientverbinding Vereist",
    "memberPortalAuthMethods": "Authenticatiemethoden",
    "memberPortalSso": "Single Sign-On (SSO)",
    "memberPortalPasswordProtected": "Wachtwoord Beveiligd",
    "memberPortalPinCode": "Pincode",
    "memberPortalEmailWhitelist": "E-mail whitelist",
    "memberPortalResourceDisabled": "Bron Uitgeschakeld",
    "memberPortalShowingResources": "Toont {start}-{end} van {total} bronnen",
    "memberPortalPrevious": "Vorige",
    "memberPortalNext": "Volgende"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Nie masz ograniczeń dla aktualnego planu. Popraw problem poprzez usunięcie stron, użytkowników lub innych zasobów, aby pozostać w swoim planie.",
    "trialBannerMessage": "Twój okres próbny wygasa za {countdown}. Uaktualnij, aby zachować dostęp.",
    "trialBannerExpired": "Twój okres próbny wygasł. Uaktualnij teraz, aby przywrócić dostęp.",
    "billingTrialBannerTitle": "Bezpłatna wersja próbna aktywna",
    "billingTrialBannerDescription": "Obecnie korzystasz z bezpłatnej wersji próbnej na poziomie biznesowym. Po zakończeniu wersji próbnej, Twoje konto automatycznie powróci do funkcji i limitów poziomu Podstawowego. Możesz dokonać uaktualnienia w każdej chwili, aby zachować dostęp do funkcji obecnego planu.",
    "billingTrialBannerUpgrade": "Uaktualnij teraz",
    "billingTrialBadge": "Bezpłatna wersja próbna",
    "trialActive": "Okres próbny aktywny",
    "trialExpired": "Okres próbny wygasł",
    "trialHasEnded": "Twój okres próbny dobiegł końca.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Sekret",
    "newtVersion": "Wersja",
    "architecture": "Architektura",
    "sites": "Witryny",
    "siteWgAnyClients": "Użyj dowolnego klienta WireGuard, aby się połączyć. Będziesz musiał przekierować wewnętrzne zasoby za pomocą adresu IP.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Utwórz konto administratora",
    "setupErrorCreateAdmin": "Wystąpił błąd podczas tworzenia konta administratora serwera.",
    "certificateStatus": "Certyfikat",
    "certificateStatusAutoRefreshHint": "Status odświeża się automatycznie.",
    "loading": "Ładowanie",
    "loadingAnalytics": "Ładowanie Analityki",
    "restart": "Uruchom ponownie",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Zobacz informacje o wydaniu",
    "newtUpdateAvailable": "Dostępna aktualizacja",
    "newtUpdateAvailableInfo": "Nowa wersja Newt jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
    "pangolinNodeUpdateAvailableInfo": "Nowa wersja Pangolin Node jest dostępna. Prosimy o aktualizację do najnowszej wersji dla najlepszej pracy.",
    "domainPickerEnterDomain": "Domena",
    "domainPickerPlaceholder": "mojapp.example.com",
    "domainPickerDescription": "Wpisz pełną domenę zasobu, aby zobaczyć dostępne opcje.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Wybierz swojego dostawcę tożsamości, aby kontynuować",
    "orgAuthNoIdpConfigured": "Ta organizacja nie ma skonfigurowanych żadnych dostawców tożsamości. Zamiast tego możesz zalogować się za pomocą swojej tożsamości Pangolin.",
    "orgAuthSignInWithPangolin": "Zaloguj się używając Pangolin",
-    "orgAuthSignInToOrg": "Zaloguj się do organizacji",
+    "orgAuthSignInToOrg": "Dostawca tożsamości organizacji (SSO)",
    "orgAuthSelectOrgTitle": "Logowanie do organizacji",
    "orgAuthSelectOrgDescription": "Wprowadź identyfikator organizacji, aby kontynuować",
    "orgAuthOrgIdPlaceholder": "twoja-organizacja",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Powód",
-    "requestLogs": "Dzienniki żądań",
+    "requestLogs": "Dzienniki żądań HTTP",
    "requestAnalytics": "Żądanie Analityki",
    "host": "Host",
    "location": "Lokalizacja",
    "actionLogs": "Dzienniki działań",
-    "sidebarLogsRequest": "Dzienniki żądań",
+    "sidebarLogsRequest": "Dzienniki żądań HTTP",
    "sidebarLogsAccess": "Logi dostępu",
    "sidebarLogsAction": "Dzienniki działań",
    "logRetention": "Zachowanie dziennika",
    "logRetentionDescription": "Zarządzaj jak długo różne typy logów są zachowane dla tej organizacji lub wyłącz je",
    "requestLogsDescription": "Zobacz szczegółowe dzienniki żądań zasobów w tej organizacji",
    "requestAnalyticsDescription": "Zobacz szczegółowe analizy żądań dla zasobów w tej organizacji",
-    "logRetentionRequestLabel": "Zachowanie dziennika żądań",
+    "logRetentionRequestLabel": "Przechowywanie dzienników żądań HTTP",
    "logRetentionRequestDescription": "Jak długo zachować dzienniki żądań",
    "logRetentionAccessLabel": "Zachowanie dziennika dostępu",
    "logRetentionAccessDescription": "Jak długo zachować dzienniki dostępu",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Działania administracyjne wykonywane przez użytkowników w organizacji.",
    "httpDestConnectionLogsTitle": "Dzienniki połączeń",
    "httpDestConnectionLogsDescription": "Zdarzenia związane z miejscem i tunelem, w tym połączenia i rozłączenia.",
-    "httpDestRequestLogsTitle": "Dzienniki żądań",
+    "httpDestRequestLogsTitle": "Dzienniki żądań HTTP",
    "httpDestRequestLogsDescription": "Logi żądań HTTP dla zasobów proxy, w tym metody, ścieżki i kodu odpowiedzi.",
    "httpDestSaveChanges": "Zapisz zmiany",
    "httpDestCreateDestination": "Utwórz cel",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Uniwersalne subdomeny nie są dozwolone.",
    "domainPickerWildcardCertWarning": "Uniwersalne zasoby mogą wymagać dodatkowej konfiguracji, aby działać poprawnie.",
    "domainPickerWildcardCertWarningLink": "Dowiedz się więcej",
-    "health": "Zdrowie"
+    "health": "Zdrowie",
    "domainPendingErrorTitle": "Problem z weryfikacją",
    "memberPortalTitle": "Zasoby",
    "memberPortalDescription": "Zasoby, do których masz dostęp w tej organizacji",
    "memberPortalSortBy": "Sortuj według...",
    "memberPortalSortNameAsc": "Nazwa A-Z",
    "memberPortalSortNameDesc": "Nazwa Z-A",
    "memberPortalSortDomainAsc": "Domena A-Z",
    "memberPortalSortDomainDesc": "Domena Z-A",
    "memberPortalSortEnabledFirst": "Włączone najpierw",
    "memberPortalSortDisabledFirst": "Wyłączone najpierw",
    "memberPortalRefresh": "Odśwież",
    "memberPortalRefreshResources": "Odśwież zasoby",
    "memberPortalFailedToLoad": "Nie udało się załadować zasobów",
    "memberPortalFailedToLoadDescription": "Nie udało się załadować zasobów. Sprawdź połączenie i spróbuj ponownie.",
    "memberPortalUnableToLoad": "Nie można załadować zasobów",
    "memberPortalTryAgain": "Spróbuj ponownie",
    "memberPortalNoResourcesFound": "Nie znaleziono zasobów",
    "memberPortalNoResourcesAvailable": "Brak dostępnych zasobów",
    "memberPortalNoResourcesMatchSearch": "Żadne zasoby nie pasują do „{query}”. Spróbuj dostosować swoje warunki wyszukiwania lub wyczyść wyszukiwanie, aby zobaczyć wszystkie zasoby.",
    "memberPortalNoResourcesAccess": "Nie masz jeszcze dostępu do żadnych zasobów. Skontaktuj się z administratorem, aby uzyskać dostęp do potrzebnych zasobów.",
    "memberPortalClearSearch": "Wyczyść wyszukiwanie",
    "memberPortalPublicResources": "Publiczne zasoby",
    "memberPortalPublicResourcesDescription": "Aplikacje i usługi internetowe dostępne za pośrednictwem przeglądarki",
    "memberPortalCopiedToClipboard": "Skopiowano do schowka",
    "memberPortalCopiedUrlDescription": "URL zasobu został skopiowany do schowka.",
    "memberPortalOpenResource": "Otwórz zasób",
    "memberPortalPrivateResources": "Prywatne zasoby",
    "memberPortalPrivateResourcesDescription": "Zasoby sieci wewnętrznej dostępne za pośrednictwem klienta",
    "memberPortalResourceDetails": "Szczegóły zasobu",
    "memberPortalMode": "Tryb",
    "memberPortalDestination": "Miejsce docelowe",
    "memberPortalAlias": "Pseudonim",
    "memberPortalCopiedAliasDescription": "Alias zasobu został skopiowany do schowka.",
    "memberPortalCopiedDestinationDescription": "Miejsce docelowe zasobu zostało skopiowane do schowka.",
    "memberPortalRequiresClientConnection": "Wymaga połączenia z klientem",
    "memberPortalAuthMethods": "Metody uwierzytelniania",
    "memberPortalSso": "Jednorazowe logowanie (SSO)",
    "memberPortalPasswordProtected": "Chronione hasłem",
    "memberPortalPinCode": "Kod PIN",
    "memberPortalEmailWhitelist": "Biała lista e-mail",
    "memberPortalResourceDisabled": "Zasób wyłączony",
    "memberPortalShowingResources": "Wyświetlanie zasobów od {start} do {end} z {total}",
    "memberPortalPrevious": "Poprzedni",
    "memberPortalNext": "Następny"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Você está além dos seus limites para o seu plano atual. Corrija o problema removendo sites, usuários, ou outros recursos para ficar em seu plano.",
    "trialBannerMessage": "Sua avaliação termina em {countdown}. Faça o upgrade para manter o acesso.",
    "trialBannerExpired": "Sua avaliação expirou. Faça o upgrade agora para restaurar o acesso.",
    "billingTrialBannerTitle": "Teste Gratuito Ativo",
    "billingTrialBannerDescription": "Atualmente, você está em um teste gratuito no nível empresarial. Quando o teste terminar, sua conta reverterá automaticamente para os recursos e limites do nível Básico. Atualize a qualquer momento para manter o acesso aos recursos do seu plano atual.",
    "billingTrialBannerUpgrade": "Atualize Agora",
    "billingTrialBadge": "Teste Gratuito",
    "trialActive": "Avaliação Gratuita Ativa",
    "trialExpired": "Avaliação Expirada",
    "trialHasEnded": "Sua avaliação terminou.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Chave Secreta",
    "newtVersion": "Versão",
    "architecture": "Arquitetura",
    "sites": "sites",
    "siteWgAnyClients": "Use qualquer cliente do WireGuard para se conectar. Você terá que endereçar recursos internos usando o IP de pares.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Criar Conta de Administrador",
    "setupErrorCreateAdmin": "Ocorreu um erro ao criar a conta de administrador do servidor.",
    "certificateStatus": "Certificado",
    "certificateStatusAutoRefreshHint": "Status atualiza automaticamente.",
    "loading": "Carregando",
    "loadingAnalytics": "Carregando Analytics",
    "restart": "Reiniciar",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Ver notas de versão",
    "newtUpdateAvailable": "Nova Atualização Disponível",
    "newtUpdateAvailableInfo": "Uma nova versão do Newt está disponível. Atualize para a versão mais recente para uma melhor experiência.",
    "pangolinNodeUpdateAvailableInfo": "Uma nova versão do Pangolin Node está disponível. Atualize para a versão mais recente para uma melhor experiência.",
    "domainPickerEnterDomain": "Domínio",
    "domainPickerPlaceholder": "myapp.exemplo.com",
    "domainPickerDescription": "Insira o domínio completo do recurso para ver as opções disponíveis.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
    "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
    "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
-    "orgAuthSignInToOrg": "Fazer login em uma organização",
+    "orgAuthSignInToOrg": "Provedor de Identidade da Organização (SSO)",
    "orgAuthSelectOrgTitle": "Entrada da Organização",
    "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
    "orgAuthOrgIdPlaceholder": "sua-organização",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "PI",
    "reason": "Motivo",
-    "requestLogs": "Registro de pedidos",
+    "requestLogs": "Registros de Pedidos HTTP",
    "requestAnalytics": "Solicitar análise",
    "host": "Servidor",
    "location": "Local:",
    "actionLogs": "Logs de Ações",
-    "sidebarLogsRequest": "Registro de pedidos",
+    "sidebarLogsRequest": "Registros de Pedidos HTTP",
    "sidebarLogsAccess": "Logs de Acesso",
    "sidebarLogsAction": "Logs de Ações",
    "logRetention": "Retenção de Log",
    "logRetentionDescription": "Gerenciar quanto tempo os diferentes tipos de logs são mantidos para esta organização ou desativá-los",
    "requestLogsDescription": "Ver registros de pedidos detalhados de recursos nesta organização",
    "requestAnalyticsDescription": "Exibir análise detalhada de pedidos para recursos nesta organização",
-    "logRetentionRequestLabel": "Solicitar retenção de registro",
+    "logRetentionRequestLabel": "Retenção de Registro de Pedido HTTP",
    "logRetentionRequestDescription": "Por quanto tempo manter os registros de pedidos",
    "logRetentionAccessLabel": "Retenção de Log de Acesso",
    "logRetentionAccessDescription": "Por quanto tempo manter os registros de acesso",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Ações administrativas realizadas por usuários dentro da organização.",
    "httpDestConnectionLogsTitle": "Logs da conexão",
    "httpDestConnectionLogsDescription": "Eventos de conexão de site e túnel, incluindo conexões e desconexões.",
-    "httpDestRequestLogsTitle": "Registro de pedidos",
+    "httpDestRequestLogsTitle": "Registros de Pedidos HTTP",
    "httpDestRequestLogsDescription": "Logs de solicitação HTTP para recursos proxy incluindo o método, o caminho e o código de resposta.",
    "httpDestSaveChanges": "Salvar as alterações",
    "httpDestCreateDestination": "Criar destino",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Subdomínios curinga não são permitidos.",
    "domainPickerWildcardCertWarning": "Recursos curinga podem exigir configurações adicionais para funcionarem corretamente.",
    "domainPickerWildcardCertWarningLink": "Saiba mais",
-    "health": "Saúde"
+    "health": "Saúde",
    "domainPendingErrorTitle": "Problema de Verificação",
    "memberPortalTitle": "Recursos",
    "memberPortalDescription": "Recursos aos quais você tem acesso nesta organização",
    "memberPortalSortBy": "Ordenar por...",
    "memberPortalSortNameAsc": "Nome A-Z",
    "memberPortalSortNameDesc": "Nome Z-A",
    "memberPortalSortDomainAsc": "Domínio A-Z",
    "memberPortalSortDomainDesc": "Domínio Z-A",
    "memberPortalSortEnabledFirst": "Habilitados Primeiro",
    "memberPortalSortDisabledFirst": "Desabilitados Primeiro",
    "memberPortalRefresh": "Atualizar",
    "memberPortalRefreshResources": "Atualizar Recursos",
    "memberPortalFailedToLoad": "Falha ao carregar recursos",
    "memberPortalFailedToLoadDescription": "Falha ao carregar recursos. Por favor, verifique sua conexão e tente novamente.",
    "memberPortalUnableToLoad": "Incapaz de Carregar Recursos",
    "memberPortalTryAgain": "Tentar Novamente",
    "memberPortalNoResourcesFound": "Nenhum Recurso Encontrado",
    "memberPortalNoResourcesAvailable": "Nenhum Recurso Disponível",
    "memberPortalNoResourcesMatchSearch": "Nenhum recurso corresponde a \"{query}\". Tente ajustar seus termos de pesquisa ou limpe a pesquisa para ver todos os recursos.",
    "memberPortalNoResourcesAccess": "Você ainda não tem acesso a nenhum recurso. Entre em contato com seu administrador para obter acesso aos recursos que precisa.",
    "memberPortalClearSearch": "Limpar Pesquisa",
    "memberPortalPublicResources": "Recursos Públicos",
    "memberPortalPublicResourcesDescription": "Aplicações e serviços web acessíveis via navegador",
    "memberPortalCopiedToClipboard": "Copiado para a área de transferência",
    "memberPortalCopiedUrlDescription": "A URL do recurso foi copiada para sua área de transferência.",
    "memberPortalOpenResource": "Abrir Recurso",
    "memberPortalPrivateResources": "Recursos Privados",
    "memberPortalPrivateResourcesDescription": "Recursos da rede interna acessíveis via cliente",
    "memberPortalResourceDetails": "Detalhes do Recurso",
    "memberPortalMode": "Modo",
    "memberPortalDestination": "Destino",
    "memberPortalAlias": "Apelido",
    "memberPortalCopiedAliasDescription": "O apelido do recurso foi copiado para sua área de transferência.",
    "memberPortalCopiedDestinationDescription": "O destino do recurso foi copiado para sua área de transferência.",
    "memberPortalRequiresClientConnection": "Requer Conexão de Cliente",
    "memberPortalAuthMethods": "Métodos de Autenticação",
    "memberPortalSso": "Logon Único (SSO)",
    "memberPortalPasswordProtected": "Protegido por Senha",
    "memberPortalPinCode": "Código PIN",
    "memberPortalEmailWhitelist": "Lista de E-mails Permitidos",
    "memberPortalResourceDisabled": "Recurso Desativado",
    "memberPortalShowingResources": "Mostrando {start}-{end} de {total} recursos",
    "memberPortalPrevious": "Anterior",
    "memberPortalNext": "Próximo"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Вы превысили лимиты для вашего текущего плана. Исправьте проблему, удалив сайты, пользователей или другие ресурсы, чтобы остаться в пределах вашего плана.",
    "trialBannerMessage": "Ваш пробный период истекает через {countdown}. Обновите, чтобы сохранить доступ.",
    "trialBannerExpired": "Ваш пробный период истек. Обновите сейчас, чтобы восстановить доступ.",
    "billingTrialBannerTitle": "Бесплатная версия активна",
    "billingTrialBannerDescription": "Вы в настоящее время находитесь на бесплатном пробном периоде бизнес-уровня. Когда пробный период закончится, ваш аккаунт автоматически вернётся к функциям и лимитам базового уровня. Обновите в любое время, чтобы сохранить доступ к функциям текущего плана.",
    "billingTrialBannerUpgrade": "Обновить сейчас",
    "billingTrialBadge": "Бесплатная версия",
    "trialActive": "Бесплатный пробный период активен",
    "trialExpired": "Пробный период истек",
    "trialHasEnded": "Ваш пробный период окончен.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "Секретный ключ",
    "newtVersion": "Версия",
    "architecture": "Архитектура",
    "sites": "Сайты",
    "siteWgAnyClients": "Для подключения используйте любой клиент WireGuard. Вы должны будете адресовать внутренние ресурсы, используя IP адрес пира.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Создать учётную запись администратора",
    "setupErrorCreateAdmin": "Произошла ошибка при создании учётной записи администратора сервера.",
    "certificateStatus": "Сертификат",
    "certificateStatusAutoRefreshHint": "Статус обновляется автоматически.",
    "loading": "Загрузка",
    "loadingAnalytics": "Загрузка аналитики",
    "restart": "Перезагрузка",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Просмотреть примечания к выпуску",
    "newtUpdateAvailable": "Доступно обновление",
    "newtUpdateAvailableInfo": "Доступна новая версия Newt. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
    "pangolinNodeUpdateAvailableInfo": "Доступна новая версия Pangolin Node. Пожалуйста, обновитесь до последней версии для лучшего опыта.",
    "domainPickerEnterDomain": "Домен",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Введите полный домен ресурса, чтобы увидеть доступные опции.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
    "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
    "orgAuthSignInWithPangolin": "Войти через Pangolin",
-    "orgAuthSignInToOrg": "Войти в организацию",
+    "orgAuthSignInToOrg": "Поставщик удостоверений организации (SSO)",
    "orgAuthSelectOrgTitle": "Вход в организацию",
    "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
    "orgAuthOrgIdPlaceholder": "ваша-организация",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "No Valid Auth",
    "ip": "IP",
    "reason": "Причина",
-    "requestLogs": "Запросить журналы",
+    "requestLogs": "HTTP Запросы Логи",
    "requestAnalytics": "Аналитика запроса",
    "host": "Хост",
    "location": "Местоположение",
    "actionLogs": "Журнал действий",
-    "sidebarLogsRequest": "Запросить журналы",
+    "sidebarLogsRequest": "HTTP Запросы Логи",
    "sidebarLogsAccess": "Журналы доступа",
    "sidebarLogsAction": "Журнал действий",
    "logRetention": "Сохранение журнала",
    "logRetentionDescription": "Управление сохранением различных типов журналов для этой организации или отключение их",
    "requestLogsDescription": "Просмотреть подробные журналы запроса ресурсов в этой организации",
    "requestAnalyticsDescription": "Просмотреть подробную аналитику запроса для ресурсов в этой организации",
-    "logRetentionRequestLabel": "Запросить сохранение журнала",
+    "logRetentionRequestLabel": "Сохранение HTTP Запросов Лога",
    "logRetentionRequestDescription": "Как долго сохранять журналы запросов",
    "logRetentionAccessLabel": "Хранение журнала доступа",
    "logRetentionAccessDescription": "Как долго сохранять журналы доступа",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Административные меры, осуществляемые пользователями в рамках организации.",
    "httpDestConnectionLogsTitle": "Журнал подключений",
    "httpDestConnectionLogsDescription": "События связи с сайтами и туннелями, включая соединения и отключения.",
-    "httpDestRequestLogsTitle": "Запросить журналы",
+    "httpDestRequestLogsTitle": "HTTP Запросы Логи",
    "httpDestRequestLogsDescription": "Журналы запросов HTTP для проксируемых ресурсов, включая метод, путь и код ответа.",
    "httpDestSaveChanges": "Сохранить изменения",
    "httpDestCreateDestination": "Создать адрес назначения",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Wildcard поддомены не допускаются.",
    "domainPickerWildcardCertWarning": "Wildcard ресурсы могут потребовать дополнительной настройки для правильной работы.",
    "domainPickerWildcardCertWarningLink": "Узнать больше",
-    "health": "Состояние"
+    "health": "Состояние",
    "domainPendingErrorTitle": "Проблема с подтверждением",
    "memberPortalTitle": "Ресурсы",
    "memberPortalDescription": "Ресурсы, к которым у вас есть доступ в этой организации",
    "memberPortalSortBy": "Сортировать по...",
    "memberPortalSortNameAsc": "Имя A-Я",
    "memberPortalSortNameDesc": "Имя Я-A",
    "memberPortalSortDomainAsc": "Домен A-Я",
    "memberPortalSortDomainDesc": "Домен Я-A",
    "memberPortalSortEnabledFirst": "Включённые сначала",
    "memberPortalSortDisabledFirst": "Отключённые сначала",
    "memberPortalRefresh": "Обновить",
    "memberPortalRefreshResources": "Обновить ресурсы",
    "memberPortalFailedToLoad": "Не удалось загрузить ресурсы",
    "memberPortalFailedToLoadDescription": "Не удалось загрузить ресурсы. Пожалуйста, проверьте подключение и попробуйте снова.",
    "memberPortalUnableToLoad": "Не удалось загрузить ресурсы",
    "memberPortalTryAgain": "Попробуйте снова",
    "memberPortalNoResourcesFound": "Ресурсы не найдены",
    "memberPortalNoResourcesAvailable": "Нет доступных ресурсов",
    "memberPortalNoResourcesMatchSearch": "Нет ресурсов, соответствующих \"{query}\". Попробуйте изменить условия поиска или очистить поиск, чтобы увидеть все ресурсы.",
    "memberPortalNoResourcesAccess": "У вас пока нет доступа к ресурсам. Свяжитесь с администратором, чтобы получить доступ к нужным вам ресурсам.",
    "memberPortalClearSearch": "Очистить поиск",
    "memberPortalPublicResources": "Публичные ресурсы",
    "memberPortalPublicResourcesDescription": "Веб-приложения и сервисы, доступные через браузер",
    "memberPortalCopiedToClipboard": "Скопировано в буфер обмена",
    "memberPortalCopiedUrlDescription": "URL ресурса был скопирован в ваш буфер обмена.",
    "memberPortalOpenResource": "Открыть ресурс",
    "memberPortalPrivateResources": "Приватные ресурсы",
    "memberPortalPrivateResourcesDescription": "Ресурсы внутренней сети, доступные через клиент",
    "memberPortalResourceDetails": "Детали ресурса",
    "memberPortalMode": "Режим",
    "memberPortalDestination": "Назначение",
    "memberPortalAlias": "Псевдоним",
    "memberPortalCopiedAliasDescription": "Псевдоним ресурса был скопирован в ваш буфер обмена.",
    "memberPortalCopiedDestinationDescription": "Назначение ресурса было скопировано в ваш буфер обмена.",
    "memberPortalRequiresClientConnection": "Требуется подключение клиента",
    "memberPortalAuthMethods": "Методы аутентификации",
    "memberPortalSso": "Единый вход (SSO)",
    "memberPortalPasswordProtected": "Защищено паролем",
    "memberPortalPinCode": "PIN-код",
    "memberPortalEmailWhitelist": "Белый список email",
    "memberPortalResourceDisabled": "Ресурс отключён",
    "memberPortalShowingResources": "Показаны {start}-{end} из {total} ресурсов",
    "memberPortalPrevious": "Предыдущий",
    "memberPortalNext": "Следующий"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "Geçerli planınız için limitlerinizi aştınız. Planınız dahilinde kalmak için siteleri, kullanıcıları veya diğer kaynakları kaldırarak sorunu düzeltin.",
    "trialBannerMessage": "Deneme süreniz {countdown} içinde sona eriyor. Erişimi sürdürmek için yükseltin.",
    "trialBannerExpired": "Deneme süreniz sona erdi. Erişimi geri yüklemek için şimdi yükseltin.",
    "billingTrialBannerTitle": "Ücretsiz Deneme Aktif",
    "billingTrialBannerDescription": "Şu anda iş seviyesi için ücretsiz deneme sürümündesiniz. Deneme süresi sona erdiğinde, hesabınız otomatik olarak Temel seviye özelliklerine ve limitlerine geri dönecektir. Mevcut planınızın özelliklerine erişimi sürdürmek için istediğiniz zaman yükseltin.",
    "billingTrialBannerUpgrade": "Şimdi Yükselt",
    "billingTrialBadge": "Ücretsiz Deneme",
    "trialActive": "Ücretsiz Deneme Aktif",
    "trialExpired": "Deneme Süresi Doldu",
    "trialHasEnded": "Deneme süreniz sona erdi.",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Uç Nokta",
    "newtId": "Kimlik",
    "newtSecretKey": "Gizli",
    "newtVersion": "Sürüm",
    "architecture": "Mimari",
    "sites": "Siteler",
    "siteWgAnyClients": "Herhangi bir WireGuard istemcisi kullanarak bağlanın. Dahili kaynaklara eş IP adresini kullanarak erişmeniz gerekecek.",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "Yönetici Hesabı Oluştur",
    "setupErrorCreateAdmin": "Sunucu yönetici hesabı oluşturulurken bir hata oluştu.",
    "certificateStatus": "Sertifika",
    "certificateStatusAutoRefreshHint": "Durum otomatik olarak yenilenir.",
    "loading": "Yükleniyor",
    "loadingAnalytics": "Analiz Yükleniyor",
    "restart": "Yeniden Başlat",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "Yayın Notlarını Görüntüle",
    "newtUpdateAvailable": "Güncelleme Mevcut",
    "newtUpdateAvailableInfo": "Newt'in yeni bir versiyonu mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
    "pangolinNodeUpdateAvailableInfo": "Pangolin Node'un yeni bir sürümü mevcut. En iyi deneyim için lütfen en son sürüme güncelleyin.",
    "domainPickerEnterDomain": "Alan Adı",
    "domainPickerPlaceholder": "myapp.example.com",
    "domainPickerDescription": "Mevcut seçenekleri görmek için kaynağın tam etki alanını girin.",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "Devam etmek için kimlik sağlayıcınızı seçin",
    "orgAuthNoIdpConfigured": "Bu kuruluşta yapılandırılmış kimlik sağlayıcı yok. Bunun yerine Pangolin kimliğinizle giriş yapabilirsiniz.",
    "orgAuthSignInWithPangolin": "Pangolin ile Giriş Yap",
-    "orgAuthSignInToOrg": "Bir kuruluşa giriş yapın",
+    "orgAuthSignInToOrg": "Kuruluş Kimlik Sağlayıcısı (SSO)",
    "orgAuthSelectOrgTitle": "Kuruluş Giriş",
    "orgAuthSelectOrgDescription": "Devam etmek için kuruluş kimliğinizi girin",
    "orgAuthOrgIdPlaceholder": "kuruluşunuz",
@@ -2653,19 +2660,19 @@
    "noMoreAuthMethods": "Daha Fazla Kimlik Doğrulama Yöntemi Yok",
    "ip": "IP",
    "reason": "Sebep",
-    "requestLogs": "İstek Günlükleri",
+    "requestLogs": "HTTP İstek Günlükleri",
    "requestAnalytics": "İstek Analizi",
    "host": "Sunucu",
    "location": "Konum",
    "actionLogs": "Eylem Günlükleri",
-    "sidebarLogsRequest": "İstek Günlükleri",
+    "sidebarLogsRequest": "HTTP İstek Günlükleri",
    "sidebarLogsAccess": "Erişim Günlükleri",
    "sidebarLogsAction": "Eylem Günlükleri",
    "logRetention": "Kayıt Saklama",
    "logRetentionDescription": "Bu organizasyon için farklı türdeki günlüklerin ne kadar süre saklanacağını yönetin veya devre dışı bırakın",
    "requestLogsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek günlüklerini görüntüleyin",
    "requestAnalyticsDescription": "Bu organizasyondaki kaynaklar için ayrıntılı istek analizlerini görüntüleyin.",
-    "logRetentionRequestLabel": "İstek Günlüğü Saklama",
+    "logRetentionRequestLabel": "HTTP İstek Günlüğü Saklama",
    "logRetentionRequestDescription": "İstek günlüklerini ne kadar süre tutacağını belirle",
    "logRetentionAccessLabel": "Erişim Günlüğü Saklama",
    "logRetentionAccessDescription": "Erişim günlüklerini ne kadar süre tutacağını belirle",
@@ -3127,7 +3134,7 @@
    "httpDestActionLogsDescription": "Kullanıcılar tarafından organizasyon içerisinde yapılan yönetici eylemleri.",
    "httpDestConnectionLogsTitle": "Bağlantı Kayıtları",
    "httpDestConnectionLogsDescription": "Site ve tünel bağlantı olayları, bağlantılar ve bağlantı kesilmeleri dahil.",
-    "httpDestRequestLogsTitle": "İstek Kayıtları",
+    "httpDestRequestLogsTitle": "HTTP İstek Günlükleri",
    "httpDestRequestLogsDescription": "Yönlendirilmiş kaynaklar için HTTP istek kayıtları, yöntem, yol ve yanıt kodu dahil.",
    "httpDestSaveChanges": "Değişiklikleri Kaydet",
    "httpDestCreateDestination": "Hedef Oluştur",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "Genel alt alanlara izin verilmiyor.",
    "domainPickerWildcardCertWarning": "Genel kaynaklar düzgün çalışmak için ek yapılandırma gerektirebilir.",
    "domainPickerWildcardCertWarningLink": "Daha fazla bilgi",
-    "health": "Sağlık"
+    "health": "Sağlık",
    "domainPendingErrorTitle": "Doğrulama Sorunu",
    "memberPortalTitle": "Kaynaklar",
    "memberPortalDescription": "Bu organizasyondaki erişiminiz olan kaynaklar",
    "memberPortalSortBy": "Şuna göre sırala...",
    "memberPortalSortNameAsc": "İsim A-Z",
    "memberPortalSortNameDesc": "İsim Z-A",
    "memberPortalSortDomainAsc": "Alan A-Z",
    "memberPortalSortDomainDesc": "Alan Z-A",
    "memberPortalSortEnabledFirst": "İlk Etkinleştirilenler",
    "memberPortalSortDisabledFirst": "İlk Devre Dışı Bırakılanlar",
    "memberPortalRefresh": "Yenile",
    "memberPortalRefreshResources": "Kaynakları Yenile",
    "memberPortalFailedToLoad": "Kaynaklar yüklenemedi",
    "memberPortalFailedToLoadDescription": "Kaynaklar yüklenemedi. Lütfen bağlantınızı kontrol edin ve tekrar deneyin.",
    "memberPortalUnableToLoad": "Kaynaklar Yüklenemiyor",
    "memberPortalTryAgain": "Tekrar Dene",
    "memberPortalNoResourcesFound": "Hiçbir Kaynak Bulunamadı",
    "memberPortalNoResourcesAvailable": "Uygun Kaynak Yok",
    "memberPortalNoResourcesMatchSearch": "Hiçbir kaynak \"{query}\" ile eşleşmiyor. Arama terimlerinizi değiştirerek veya tüm kaynakları görmek için aramayı temizleyerek deneyin.",
    "memberPortalNoResourcesAccess": "Henüz herhangi bir kaynağa erişiminiz yok. İhtiyacınız olan kaynaklara erişim sağlamak için yöneticinizle iletişime geçin.",
    "memberPortalClearSearch": "Aramayı Temizle",
    "memberPortalPublicResources": "Genel Kaynaklar",
    "memberPortalPublicResourcesDescription": "Tarayıcı üzerinden erişilebilen web uygulamaları ve hizmetler",
    "memberPortalCopiedToClipboard": "Panoya kopyalandı",
    "memberPortalCopiedUrlDescription": "Kaynak URL'si panonuza kopyalandı.",
    "memberPortalOpenResource": "Kaynağı Aç",
    "memberPortalPrivateResources": "Özel Kaynaklar",
    "memberPortalPrivateResourcesDescription": "İstemci üzerinden erişilebilen dahili ağ kaynakları",
    "memberPortalResourceDetails": "Kaynak Detayları",
    "memberPortalMode": "Mod",
    "memberPortalDestination": "Hedef",
    "memberPortalAlias": "Takma İsim",
    "memberPortalCopiedAliasDescription": "Kaynak takma adı panonuza kopyalandı.",
    "memberPortalCopiedDestinationDescription": "Kaynak hedefi panonuza kopyalandı.",
    "memberPortalRequiresClientConnection": "İstemci Bağlantısı Gerektirir",
    "memberPortalAuthMethods": "Kimlik Doğrulama Yöntemleri",
    "memberPortalSso": "Tek Oturum Açma (SSO)",
    "memberPortalPasswordProtected": "Parola ile Korunan",
    "memberPortalPinCode": "PIN Kodu",
    "memberPortalEmailWhitelist": "E-posta Beyaz Listesi",
    "memberPortalResourceDisabled": "Kaynak Devre Dışı",
    "memberPortalShowingResources": "{total} kaynaktan {start}-{end} gösteriliyor",
    "memberPortalPrevious": "Önceki",
    "memberPortalNext": "Sonraki"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -25,6 +25,10 @@
    "subscriptionViolationMessage": "您的当前计划超出了您的限制。通过移除站点、用户或其他资源以保持在您的计划范围内来纠正问题。",
    "trialBannerMessage": "您的试用将在 {countdown} 到期。升级以保持访问。",
    "trialBannerExpired": "您的试用已到期。立即升级以恢复访问。",
    "billingTrialBannerTitle": "免费试用激活中",
    "billingTrialBannerDescription": "您目前正在商用层进行免费试用。试用结束后，您的账户将自动回到基础层功能和限制。可随时升级以保持当前计划的功能访问。",
    "billingTrialBannerUpgrade": "立即升级",
    "billingTrialBadge": "免费试用",
    "trialActive": "免费试用中",
    "trialExpired": "试用到期",
    "trialHasEnded": "您的试用已结束。",
@@ -763,6 +767,7 @@
    "newtEndpoint": "Endpoint",
    "newtId": "ID",
    "newtSecretKey": "密钥",
    "newtVersion": "版本",
    "architecture": "架构",
    "sites": "站点",
    "siteWgAnyClients": "使用任何 WireGuard 客户端连接。您必须使用对等IP解决内部资源问题。",
@@ -1597,6 +1602,7 @@
    "createAdminAccount": "创建管理员帐户",
    "setupErrorCreateAdmin": "创建服务器管理员账户时发生错误。",
    "certificateStatus": "证书",
    "certificateStatusAutoRefreshHint": "状态自动刷新。",
    "loading": "加载中",
    "loadingAnalytics": "加载分析",
    "restart": "重启",
@@ -1665,6 +1671,7 @@
    "pangolinUpdateAvailableReleaseNotes": "查看发布说明",
    "newtUpdateAvailable": "更新可用",
    "newtUpdateAvailableInfo": "新版本的 Newt 已可用。请更新到最新版本以获得最佳体验。",
    "pangolinNodeUpdateAvailableInfo": "新版本的 Pangolin Node 已可用。请更新到最新版本以获得最佳体验。",
    "domainPickerEnterDomain": "域名",
    "domainPickerPlaceholder": "example.com",
    "domainPickerDescription": "输入资源的完整域名以查看可用选项。",
@@ -2352,7 +2359,7 @@
    "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
    "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
    "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
-    "orgAuthSignInToOrg": "登录到组织",
+    "orgAuthSignInToOrg": "组织身份提供商 (SSO)",
    "orgAuthSelectOrgTitle": "组织登录",
    "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
    "orgAuthOrgIdPlaceholder": "您的组织",
@@ -2665,7 +2672,7 @@
    "logRetentionDescription": "管理不同类型的日志为这个机构保留多长时间或禁用这些日志",
    "requestLogsDescription": "查看此机构资源的详细请求日志",
    "requestAnalyticsDescription": "查看此机构资源的详细请求分析",
-    "logRetentionRequestLabel": "请求日志保留",
+    "logRetentionRequestLabel": "HTTP 请求日志保留",
    "logRetentionRequestDescription": "保留请求日志的时间",
    "logRetentionAccessLabel": "访问日志保留",
    "logRetentionAccessDescription": "保留访问日志的时间",
@@ -3200,5 +3207,49 @@
    "domainPickerWildcardSubdomainNotAllowed": "不允许使用通配符子域。",
    "domainPickerWildcardCertWarning": "通配符资源可能需要额外配置才能正常工作。",
    "domainPickerWildcardCertWarningLink": "了解更多",
-    "health": "健康"
+    "health": "健康",
    "domainPendingErrorTitle": "验证问题",
    "memberPortalTitle": "资源",
    "memberPortalDescription": "您在此组织中可以访问的资源",
    "memberPortalSortBy": "排序依据……",
    "memberPortalSortNameAsc": "名称 A-Z",
    "memberPortalSortNameDesc": "名称 Z-A",
    "memberPortalSortDomainAsc": "域名 A-Z",
    "memberPortalSortDomainDesc": "域名 Z-A",
    "memberPortalSortEnabledFirst": "启用优先",
    "memberPortalSortDisabledFirst": "禁用优先",
    "memberPortalRefresh": "刷新",
    "memberPortalRefreshResources": "刷新资源",
    "memberPortalFailedToLoad": "加载资源失败",
    "memberPortalFailedToLoadDescription": "加载资源失败。请检查您的连接并再试一次。",
    "memberPortalUnableToLoad": "无法加载资源",
    "memberPortalTryAgain": "再试一次",
    "memberPortalNoResourcesFound": "找不到资源",
    "memberPortalNoResourcesAvailable": "无可用资源",
    "memberPortalNoResourcesMatchSearch": "没有与\"{query}\"匹配的资源。尝试调整您的搜索词或清除搜索以查看所有资源。",
    "memberPortalNoResourcesAccess": "您尚无访问任何资源的权限。请联系您的管理员获取所需资源的访问权限。",
    "memberPortalClearSearch": "清除搜索",
    "memberPortalPublicResources": "公共资源",
    "memberPortalPublicResourcesDescription": "通过浏览器可访问的网络应用和服务",
    "memberPortalCopiedToClipboard": "已复制到剪贴板",
    "memberPortalCopiedUrlDescription": "资源 URL 已复制到您的剪贴板。",
    "memberPortalOpenResource": "打开资源",
    "memberPortalPrivateResources": "私有资源",
    "memberPortalPrivateResourcesDescription": "通过客户端可访问的内部网络资源",
    "memberPortalResourceDetails": "资源详情",
    "memberPortalMode": "模式",
    "memberPortalDestination": "目标",
    "memberPortalAlias": "别名",
    "memberPortalCopiedAliasDescription": "资源别名已复制到您的剪贴板。",
    "memberPortalCopiedDestinationDescription": "资源目的地已复制到您的剪贴板。",
    "memberPortalRequiresClientConnection": "需要客户端连接",
    "memberPortalAuthMethods": "身份验证方法",
    "memberPortalSso": "单一登录 (SSO)",
    "memberPortalPasswordProtected": "密码保护",
    "memberPortalPinCode": "PIN 码",
    "memberPortalEmailWhitelist": "电子邮件白名单",
    "memberPortalResourceDisabled": "资源已禁用",
    "memberPortalShowingResources": "显示 {start}-{end} 共 {total} 个资源",
    "memberPortalPrevious": "上一页",
    "memberPortalNext": "下一页"
 }
--- a/public/screenshots/hero.png
+++ b/public/screenshots/hero.png
--- a/public/screenshots/private-resources.png
+++ b/public/screenshots/private-resources.png
--- a/public/screenshots/public-resources.png
+++ b/public/screenshots/public-resources.png
--- a/public/screenshots/sites.png
+++ b/public/screenshots/sites.png
--- a/public/screenshots/user-devices.png
+++ b/public/screenshots/user-devices.png
--- a/public/screenshots/users.png
+++ b/public/screenshots/users.png
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -122,8 +122,6 @@ export enum ActionsEnum {
    createOrgDomain = "createOrgDomain",
    deleteOrgDomain = "deleteOrgDomain",
    restartOrgDomain = "restartOrgDomain",
    sendUsageNotification = "sendUsageNotification",
    sendTrialNotification = "sendTrialNotification",
    createRemoteExitNode = "createRemoteExitNode",
    updateRemoteExitNode = "updateRemoteExitNode",
    getRemoteExitNode = "getRemoteExitNode",
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -1,94 +1,53 @@
 {
  "PowerMac4,4": "eMac",
  "PowerMac6,4": "eMac",
  "PowerBook2,1": "iBook",
  "PowerBook2,2": "iBook",
  "PowerBook4,1": "iBook",
  "PowerBook4,2": "iBook",
  "PowerBook4,3": "iBook",
  "PowerBook6,3": "iBook",
  "PowerBook6,5": "iBook",
  "PowerBook6,7": "iBook",
  "iMac,1": "iMac",
  "PowerMac2,1": "iMac",
  "PowerMac2,2": "iMac",
  "PowerMac4,1": "iMac",
  "PowerMac4,2": "iMac",
  "PowerMac4,5": "iMac",
  "PowerMac6,1": "iMac",
  "PowerMac6,3*": "iMac",
  "PowerMac6,3": "iMac",
  "PowerMac8,1": "iMac",
  "PowerMac8,2": "iMac",
  "PowerMac12,1": "iMac",
  "iMac4,1": "iMac",
  "iMac4,2": "iMac",
  "iMac5,2": "iMac",
  "iMac5,1": "iMac",
  "iMac6,1": "iMac",
  "iMac7,1": "iMac",
  "iMac8,1": "iMac",
  "iMac9,1": "iMac",
  "iMac10,1": "iMac",
  "iMac11,1": "iMac",
  "iMac11,2": "iMac",
  "iMac11,3": "iMac",
  "iMac12,1": "iMac",
  "iMac12,2": "iMac",
  "iMac13,1": "iMac",
  "iMac13,2": "iMac",
  "iMac14,1": "iMac",
  "iMac14,3": "iMac",
  "iMac14,2": "iMac",
  "iMac14,4": "iMac",
  "iMac15,1": "iMac",
  "iMac16,1": "iMac",
  "iMac16,2": "iMac",
  "iMac17,1": "iMac",
  "iMac18,1": "iMac",
  "iMac18,2": "iMac",
  "iMac18,3": "iMac",
  "iMac19,2": "iMac",
  "iMac19,1": "iMac",
  "iMac20,1": "iMac",
  "iMac20,2": "iMac",
  "iMac21,2": "iMac",
  "iMac21,1": "iMac",
  "iMacPro1,1": "iMac Pro",
  "PowerMac10,1": "Mac mini",
  "PowerMac10,2": "Mac mini",
  "Macmini1,1": "Mac mini",
  "Macmini2,1": "Mac mini",
  "Macmini3,1": "Mac mini",
  "Macmini4,1": "Mac mini",
  "Macmini5,1": "Mac mini",
  "Macmini5,2": "Mac mini",
  "Macmini5,3": "Mac mini",
  "Macmini6,1": "Mac mini",
  "Macmini6,2": "Mac mini",
  "Macmini7,1": "Mac mini",
  "Macmini8,1": "Mac mini",
  "ADP3,2": "Mac mini",
  "Macmini9,1": "Mac mini",
  "Mac14,3": "Mac mini",
  "Mac14,12": "Mac mini",
  "MacPro1,1*": "Mac Pro",
  "MacPro2,1": "Mac Pro",
  "MacPro3,1": "Mac Pro",
  "MacPro4,1": "Mac Pro",
  "MacPro5,1": "Mac Pro",
  "MacPro6,1": "Mac Pro",
  "MacPro7,1": "Mac Pro",
  "N/A*": "Power Macintosh",
  "PowerMac1,1": "Power Macintosh",
  "PowerMac3,1": "Power Macintosh",
  "PowerMac3,3": "Power Macintosh",
  "PowerMac3,4": "Power Macintosh",
  "PowerMac3,5": "Power Macintosh",
  "PowerMac3,6": "Power Macintosh",
  "Mac13,1": "Mac Studio",
  "Mac13,2": "Mac Studio",
  "Mac14,10": "MacBook Pro",
  "Mac14,12": "Mac mini",
  "Mac14,13": "Mac Studio",
  "Mac14,14": "Mac Studio",
  "Mac14,15": "MacBook Air",
  "Mac14,2": "MacBook Air",
  "Mac14,3": "Mac mini",
  "Mac14,5": "MacBook Pro",
  "Mac14,6": "MacBook Pro",
  "Mac14,7": "MacBook Pro",
  "Mac14,8": "Mac Pro",
  "Mac14,9": "MacBook Pro",
  "Mac15,10": "MacBook Pro",
  "Mac15,11": "MacBook Pro",
  "Mac15,12": "MacBook Air",
  "Mac15,13": "MacBook Air",
  "Mac15,14": "Mac Studio",
  "Mac15,3": "MacBook Pro",
  "Mac15,4": "iMac",
  "Mac15,5": "iMac",
  "Mac15,6": "MacBook Pro",
  "Mac15,7": "MacBook Pro",
  "Mac15,8": "MacBook Pro",
  "Mac15,9": "MacBook Pro",
  "Mac16,1": "MacBook Pro",
  "Mac16,10": "Mac mini",
  "Mac16,11": "Mac mini",
  "Mac16,12": "MacBook Air",
  "Mac16,13": "MacBook Air",
  "Mac16,2": "iMac",
  "Mac16,3": "iMac",
  "Mac16,5": "MacBook Pro",
  "Mac16,6": "MacBook Pro",
  "Mac16,7": "MacBook Pro",
  "Mac16,8": "MacBook Pro",
  "Mac16,9": "Mac Studio",
  "Mac17,2": "MacBook Pro",
  "Mac17,3": "MacBook Air",
  "Mac17,4": "MacBook Air",
  "Mac17,5": "MacBook Neo",
  "Mac17,6": "MacBook Pro",
  "Mac17,7": "MacBook Pro",
  "Mac17,8": "MacBook Pro",
  "Mac17,9": "MacBook Pro",
  "MacBook1,1": "MacBook",
  "MacBook10,1": "MacBook",
  "MacBook2,1": "MacBook",
  "MacBook3,1": "MacBook",
  "MacBook4,1": "MacBook",
@@ -98,8 +57,8 @@
  "MacBook7,1": "MacBook",
  "MacBook8,1": "MacBook",
  "MacBook9,1": "MacBook",
  "MacBook10,1": "MacBook",
  "MacBookAir1,1": "MacBook Air",
  "MacBookAir10,1": "MacBook Air",
  "MacBookAir2,1": "MacBook Air",
  "MacBookAir3,1": "MacBook Air",
  "MacBookAir3,2": "MacBook Air",
@@ -114,88 +73,163 @@
  "MacBookAir8,1": "MacBook Air",
  "MacBookAir8,2": "MacBook Air",
  "MacBookAir9,1": "MacBook Air",
  "MacBookAir10,1": "MacBook Air",
  "Mac14,2": "MacBook Air",
  "MacBookPro1,1": "MacBook Pro",
  "MacBookPro1,2": "MacBook Pro",
  "MacBookPro2,2": "MacBook Pro",
  "MacBookPro2,1": "MacBook Pro",
  "MacBookPro3,1": "MacBook Pro",
  "MacBookPro4,1": "MacBook Pro",
  "MacBookPro5,1": "MacBook Pro",
  "MacBookPro5,2": "MacBook Pro",
  "MacBookPro5,5": "MacBook Pro",
  "MacBookPro5,4": "MacBook Pro",
  "MacBookPro5,3": "MacBook Pro",
  "MacBookPro7,1": "MacBook Pro",
  "MacBookPro6,2": "MacBook Pro",
  "MacBookPro6,1": "MacBook Pro",
  "MacBookPro8,1": "MacBook Pro",
  "MacBookPro8,2": "MacBook Pro",
  "MacBookPro8,3": "MacBook Pro",
  "MacBookPro9,2": "MacBook Pro",
  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro10,1": "MacBook Pro",
  "MacBookPro10,2": "MacBook Pro",
  "MacBookPro11,1": "MacBook Pro",
  "MacBookPro11,2": "MacBook Pro",
  "MacBookPro11,3": "MacBook Pro",
  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro11,4": "MacBook Pro",
  "MacBookPro11,5": "MacBook Pro",
  "MacBookPro12,1": "MacBook Pro",
  "MacBookPro13,1": "MacBook Pro",
  "MacBookPro13,2": "MacBook Pro",
  "MacBookPro13,3": "MacBook Pro",
  "MacBookPro14,1": "MacBook Pro",
  "MacBookPro14,2": "MacBook Pro",
  "MacBookPro14,3": "MacBook Pro",
  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,1": "MacBook Pro",
  "MacBookPro15,2": "MacBook Pro",
  "MacBookPro15,3": "MacBook Pro",
  "MacBookPro15,4": "MacBook Pro",
  "MacBookPro16,1": "MacBook Pro",
  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,2": "MacBook Pro",
  "MacBookPro16,3": "MacBook Pro",
  "MacBookPro16,4": "MacBook Pro",
  "MacBookPro17,1": "MacBook Pro",
  "MacBookPro18,3": "MacBook Pro",
  "MacBookPro18,4": "MacBook Pro",
  "MacBookPro18,1": "MacBook Pro",
  "MacBookPro18,2": "MacBook Pro",
-  "Mac14,7": "MacBook Pro",
+  "MacBookPro18,3": "MacBook Pro",
-  "Mac14,9": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
-  "Mac14,5": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
-  "Mac14,10": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
-  "Mac14,6": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
-  "PowerMac1,2": "Power Macintosh",
+  "MacBookPro4,1": "MacBook Pro",
-  "PowerMac5,1": "Power Macintosh",
+  "MacBookPro5,1": "MacBook Pro",
-  "PowerMac7,2": "Power Macintosh",
+  "MacBookPro5,2": "MacBook Pro",
-  "PowerMac7,3": "Power Macintosh",
+  "MacBookPro5,3": "MacBook Pro",
-  "PowerMac9,1": "Power Macintosh",
+  "MacBookPro5,4": "MacBook Pro",
-  "PowerMac11,2": "Power Macintosh",
+  "MacBookPro5,5": "MacBook Pro",
  "MacBookPro6,1": "MacBook Pro",
  "MacBookPro6,2": "MacBook Pro",
  "MacBookPro7,1": "MacBook Pro",
  "MacBookPro8,1": "MacBook Pro",
  "MacBookPro8,2": "MacBook Pro",
  "MacBookPro8,3": "MacBook Pro",
  "MacBookPro9,1": "MacBook Pro",
  "MacBookPro9,2": "MacBook Pro",
  "MacPro1,1": "Mac Pro",
  "MacPro2,1": "Mac Pro",
  "MacPro3,1": "Mac Pro",
  "MacPro4,1": "Mac Pro",
  "MacPro5,1": "Mac Pro",
  "MacPro6,1": "Mac Pro",
  "MacPro7,1": "Mac Pro",
  "Macmini1,1": "Mac mini",
  "Macmini2,1": "Mac mini",
  "Macmini3,1": "Mac mini",
  "Macmini4,1": "Mac mini",
  "Macmini5,1": "Mac mini",
  "Macmini5,2": "Mac mini",
  "Macmini5,3": "Mac mini",
  "Macmini6,1": "Mac mini",
  "Macmini6,2": "Mac mini",
  "Macmini7,1": "Mac mini",
  "Macmini8,1": "Mac mini",
  "Macmini9,1": "Mac mini",
  "PowerBook1,1": "PowerBook",
  "PowerBook2,1": "iBook",
  "PowerBook2,2": "iBook",
  "PowerBook3,1": "PowerBook",
  "PowerBook3,2": "PowerBook",
  "PowerBook3,3": "PowerBook",
  "PowerBook3,4": "PowerBook",
  "PowerBook3,5": "PowerBook",
-  "PowerBook6,1": "PowerBook",
+  "PowerBook4,1": "iBook",
  "PowerBook4,2": "iBook",
  "PowerBook4,3": "iBook",
  "PowerBook5,1": "PowerBook",
  "PowerBook6,2": "PowerBook",
  "PowerBook5,2": "PowerBook",
  "PowerBook5,3": "PowerBook",
  "PowerBook6,4": "PowerBook",
  "PowerBook5,4": "PowerBook",
  "PowerBook5,5": "PowerBook",
  "PowerBook6,8": "PowerBook",
  "PowerBook5,6": "PowerBook",
  "PowerBook5,7": "PowerBook",
  "PowerBook5,8": "PowerBook",
  "PowerBook5,9": "PowerBook",
  "PowerBook6,1": "PowerBook",
  "PowerBook6,2": "PowerBook",
  "PowerBook6,3": "iBook",
  "PowerBook6,4": "PowerBook",
  "PowerBook6,5": "iBook",
  "PowerBook6,7": "iBook",
  "PowerBook6,8": "PowerBook",
  "PowerMac1,1": "Power Macintosh",
  "PowerMac1,2": "Power Macintosh",
  "PowerMac10,1": "Mac mini",
  "PowerMac10,2": "Mac mini",
  "PowerMac11,2": "Power Macintosh",
  "PowerMac12,1": "iMac",
  "PowerMac2,1": "iMac",
  "PowerMac2,2": "iMac",
  "PowerMac3,1": "Mac Server",
  "PowerMac3,3": "Power Macintosh",
  "PowerMac3,4": "Power Macintosh",
  "PowerMac3,5": "Power Macintosh",
  "PowerMac3,6": "Power Macintosh",
  "PowerMac4,1": "iMac",
  "PowerMac4,2": "iMac",
  "PowerMac4,4": "eMac",
  "PowerMac4,5": "iMac",
  "PowerMac5,1": "Power Macintosh",
  "PowerMac6,1": "iMac",
  "PowerMac6,3": "iMac",
  "PowerMac6,4": "eMac",
  "PowerMac7,2": "Power Macintosh",
  "PowerMac7,3": "Power Macintosh",
  "PowerMac8,1": "iMac",
  "PowerMac8,2": "iMac",
  "PowerMac9,1": "Power Macintosh",
  "RackMac1,1": "Xserve",
  "RackMac1,2": "Xserve",
  "RackMac3,1": "Xserve",
  "Xserve1,1": "Xserve",
  "Xserve2,1": "Xserve",
-  "Xserve3,1": "Xserve"
+  "Xserve3,1": "Xserve",
  "iMac,1": "iMac",
  "iMac10,1": "iMac",
  "iMac11,1": "iMac",
  "iMac11,2": "iMac",
  "iMac11,3": "iMac",
  "iMac12,1": "iMac",
  "iMac12,2": "iMac",
  "iMac13,1": "iMac",
  "iMac13,2": "iMac",
  "iMac14,1": "iMac",
  "iMac14,2": "iMac",
  "iMac14,3": "iMac",
  "iMac14,4": "iMac",
  "iMac15,1": "iMac",
  "iMac16,1": "iMac",
  "iMac16,2": "iMac",
  "iMac17,1": "iMac",
  "iMac18,1": "iMac",
  "iMac18,2": "iMac",
  "iMac18,3": "iMac",
  "iMac19,1": "iMac",
  "iMac19,2": "iMac",
  "iMac20,1": "iMac",
  "iMac20,2": "iMac",
  "iMac21,1": "iMac",
  "iMac21,2": "iMac",
  "iMac4,1": "iMac",
  "iMac4,2": "iMac",
  "iMac5,1": "iMac",
  "iMac5,2": "iMac",
  "iMac6,1": "iMac",
  "iMac7,1": "iMac",
  "iMac8,1": "iMac",
  "iMac9,1": "iMac",
  "iMacPro1,1": "iMac Pro"
 }
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -87,7 +87,7 @@ function createDb() {
 export const db = createDb();
 export default db;
-export const primaryDb = db.$primary;
+export const primaryDb = db.$primary as typeof db; // is this typeof a problem - techincally they are different types
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
 >[0];
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -566,6 +566,17 @@ export const alertWebhookActions = pgTable("alertWebhookActions", {
    lastSentAt: bigint("lastSentAt", { mode: "number" }) // nullable
 });
 export const trialNotifications = pgTable("trialNotifications", {
    notificationId: serial("notificationId").primaryKey(),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
            onDelete: "cascade"
        }),
    notificationType: varchar("notificationType", { length: 50 }).notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
    sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -604,3 +615,12 @@ export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
 export type AlertResources = InferSelectModel<typeof alertResources>;
 export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
 export type AlertSites = InferSelectModel<typeof alertSites>;
 export type AlertRules = InferSelectModel<typeof alertRules>;
 export type AlertEmailActions = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipients = InferSelectModel<
    typeof alertEmailRecipients
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
--- a/server/db/sqlite/driver.ts
+++ b/server/db/sqlite/driver.ts
@@ -1,5 +1,6 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
 import type BetterSqlite3 from "better-sqlite3";
 import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
@@ -11,8 +12,69 @@ export const exists = checkFileExists(location);
 bootstrapVolume();
 /**
 * Wraps better-sqlite3 Statement to call `finalize()` immediately after
 * execution, freeing native sqlite3_stmt memory deterministically instead
 * of waiting for GC. Fixes steady off-heap growth under load (#2120).
 * WARNING: Finalizes after first execution — incompatible with drizzle's
 * reusable .prepare() builders. No such usage exists in this codebase.
 */
 function autoFinalizeStatement(
    stmt: BetterSqlite3.Statement
 ): BetterSqlite3.Statement {
    const wrapExec = <T extends (...args: any[]) => any>(fn: T): T => {
        return function (this: any, ...args: any[]) {
            try {
                return fn.apply(this, args);
            } finally {
                try {
                    // finalize() exists on the native Statement at runtime but
                    // is missing from @types/better-sqlite3.
                    (stmt as any).finalize();
                } catch {
                    // Already finalized — harmless
                }
            }
        } as unknown as T;
    };
    stmt.run = wrapExec(stmt.run);
    stmt.get = wrapExec(stmt.get);
    stmt.all = wrapExec(stmt.all);
    return stmt;
 }
 function createDb() {
    const sqlite = new Database(location);
    if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
        // Enable WAL mode — allows concurrent readers + single writer, preventing
        // contention across subsystems (verifySession, Traefik, audit, ping).
        sqlite.pragma("journal_mode = WAL");
        // NORMAL sync mode: safe with WAL, reduces write lock hold time.
        sqlite.pragma("synchronous = NORMAL");
    }
    // Wait up to 5s on SQLITE_BUSY instead of failing — prevents audit log
    // retry loops that accumulate memory.
    sqlite.pragma("busy_timeout = 5000");
    // 64 MB page cache (default 2 MB) — reduces I/O round-trips on large
    // TraefikConfigManager JOINs that block the event loop.
    sqlite.pragma("cache_size = -65536");
    // 256 MB memory-mapped I/O — OS serves reads from page cache directly,
    // reducing event-loop blocking.
    sqlite.pragma("mmap_size = 268435456");
    // Wrap prepare() so every drizzle-orm statement is auto-finalized after
    // first use, preventing sqlite3_stmt accumulation between GC cycles.
    const originalPrepare = sqlite.prepare.bind(sqlite);
    (sqlite as any).prepare = function autoFinalizePrepare(source: string) {
        return autoFinalizeStatement(originalPrepare(source));
    };
    return DrizzleSqlite(sqlite, {
        schema
    });
@@ -23,7 +85,7 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
    Parameters<(typeof db)["transaction"]>[0]
-    >[0];
+>[0];
 export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 function checkFileExists(filePath: string): boolean {
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -21,6 +21,9 @@ import {
    targetHealthCheck,
    users
 } from "./schema";
 import { serial, varchar } from "drizzle-orm/mysql-core";
 import { pgTable } from "drizzle-orm/pg-core";
 import { bigint } from "zod";
 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -569,6 +572,19 @@ export const alertWebhookActions = sqliteTable("alertWebhookActions", {
    lastSentAt: integer("lastSentAt")
 });
 export const trialNotifications = sqliteTable("trialNotifications", {
    notificationId: integer("notificationId").primaryKey({
        autoIncrement: true
    }),
    subscriptionId: text("subscriptionId")
        .notNull()
        .references(() => subscriptions.subscriptionId, {
            onDelete: "cascade"
        }),
    notificationType: text("notificationType").notNull(), // trial_ending_5d, trial_ending_24h, trial_ended
    sentAt: integer("sentAt").notNull()
 });
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -601,3 +617,10 @@ export type EventStreamingCursor = InferSelectModel<
    typeof eventStreamingCursors
 >;
 export type AlertResources = InferSelectModel<typeof alertResources>;
 export type AlertHealthChecks = InferSelectModel<typeof alertHealthChecks>;
 export type AlertSites = InferSelectModel<typeof alertSites>;
 export type AlertRule = InferSelectModel<typeof alertRules>;
 export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
--- a/server/emails/templates/NotifyTrialExpiring.tsx
+++ b/server/emails/templates/NotifyTrialExpiring.tsx
@@ -64,7 +64,7 @@ export const NotifyTrialExpiring = ({
                                <EmailText>
                                    Some features and resources may now be
-                                    restricted or disconnected. To restore full
+                                    restricted. To restore full
                                    access and continue using all the features
                                    you had during your trial, please upgrade to
                                    a paid plan.
@@ -85,7 +85,7 @@ export const NotifyTrialExpiring = ({
                                    <strong>{orgName}</strong> will end on{" "}
                                    <strong>{trialEndsAt}</strong>
                                    {isLastDay
-                                        ? " — that's tomorrow!"
+                                        ? " - that's tomorrow!"
                                        : `, in ${daysRemaining} days`}
                                    .
                                </EmailText>
@@ -93,8 +93,7 @@ export const NotifyTrialExpiring = ({
                                <EmailText>
                                    After your trial ends, your account will be
                                    moved to the free plan and some
-                                    functionality may be restricted or your
+                                    functionality may be restricted.
                                    sites may disconnect.
                                </EmailText>
                                <EmailText>
--- a/server/lib/alerts/events/healthCheckEvents.ts
+++ b/server/lib/alerts/events/healthCheckEvents.ts
@@ -1,27 +1,153 @@
-// stub
+import logger from "@server/logger";
 import { processAlerts } from "#dynamic/lib/alerts";
 import {
    db,
    statusHistory,
    targetHealthCheck,
    targets,
    resources,
    Transaction,
    logsDb
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 import {
    fireResourceDegradedAlert,
    fireResourceHealthyAlert,
    fireResourceUnhealthyAlert,
    fireResourceUnknownAlert
 } from "./resourceEvents";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `health_check_healthy` alert for the given health check.
 *
 * Call this after a previously-failing health check has recovered so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId         - Organisation that owns the health check.
 * @param healthCheckId - Numeric primary key of the health check.
 * @param healthCheckName - Human-readable name shown in notifications (optional).
 * @param extra         - Any additional key/value pairs to include in the payload.
 */
 export async function fireHealthCheckHealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "healthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "health_check_healthy",
            orgId,
            healthCheckId,
            data: {
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "health_check_toggle",
            orgId,
            healthCheckId,
            data: {
                healthCheckId,
                status: "healthy",
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 /**
 * Fire a `health_check_unhealthy` alert for the given health check.
 *
 * Call this after a health check has been detected as failing so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId         - Organisation that owns the health check.
 * @param healthCheckId - Numeric primary key of the health check.
 * @param healthCheckName - Human-readable name shown in notifications (optional).
 * @param extra         - Any additional key/value pairs to include in the payload.
 */
 export async function fireHealthCheckUnhealthyAlert(
    orgId: string,
    healthCheckId: number,
-    healthCheckName?: string,
+    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "unhealthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "health_check_unhealthy",
            orgId,
            healthCheckId,
            data: {
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "health_check_toggle",
            orgId,
            healthCheckId,
            data: {
                healthCheckId,
                status: "unhealthy",
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 export async function fireHealthCheckUnknownAlert(
@@ -31,7 +157,137 @@ export async function fireHealthCheckUnknownAlert(
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "unknown",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
    } catch (err) {
        logger.error(
            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 async function handleResource(
    orgId: string,
    healthCheckTargetId?: number | null,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ) {
    if (!healthCheckTargetId) {
        return;
    }
    // we have targets lets get them
    const [target] = await trx
        .select()
        .from(targets)
        .where(eq(targets.targetId, healthCheckTargetId))
        .limit(1);
    if (!target) {
        return;
    }
    const [resource] = await trx
        .select()
        .from(resources)
        .where(eq(resources.resourceId, target.resourceId))
        .limit(1);
    if (!resource) {
        return;
    }
    const otherTargets = await trx
        .select({ hcHealth: targetHealthCheck.hcHealth })
        .from(targets)
        .innerJoin(
            targetHealthCheck,
            eq(targetHealthCheck.targetId, targets.targetId)
        )
        .where(eq(targets.resourceId, resource.resourceId));
    let health = "healthy";
    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
    if (allUnknown) {
        logger.debug(
            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
        );
        health = "unknown";
    } else if (allHealthy) {
        health = "healthy";
    } else if (allUnhealthy) {
        logger.debug(
            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
        );
        health = "unhealthy";
    } else {
        logger.debug(
            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
        );
        health = "degraded";
    }
    if (health != resource.health) {
        // it changed
        await trx
            .update(resources)
            .set({ health })
            .where(eq(resources.resourceId, resource.resourceId));
        if (health === "unknown") {
            await fireResourceUnknownAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "unhealthy") {
            await fireResourceUnhealthyAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "healthy") {
            await fireResourceHealthyAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "degraded") {
            await fireResourceDegradedAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        }
    }
 }
--- a/server/lib/alerts/events/resourceEvents.ts
+++ b/server/lib/alerts/events/resourceEvents.ts
@@ -1,26 +1,243 @@
 import logger from "@server/logger";
 import { processAlerts } from "#dynamic/lib/alerts";
 import { db, logsDb, statusHistory, Transaction } from "@server/db";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `resource_healthy` alert for the given resource.
 *
 * Call this after a previously-unhealthy resource has recovered so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceHealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
-): Promise<void> {}
+): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "healthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_healthy",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "healthy",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_unhealthy` alert for the given resource.
 *
 * Call this after a resource has been detected as unhealthy so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceUnhealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
-): Promise<void> {}
+): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "unhealthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
-export async function fireResourceToggleAlert(
+        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_unhealthy",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "unhealthy",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_degraded` alert for the given resource.
 *
 * Call this after a resource has been detected as degraded so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceDegradedAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
-    trx?: unknown
+    trx: Transaction | typeof db = db
-): Promise<void> {}
+): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "degraded",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_degraded",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "degraded",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_unknown` alert for the given resource.
 *
 * Call this when all health checks on a resource are disabled so that the
 * resource status transitions to unknown.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceUnknownAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "unknown",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "unknown",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
--- a/server/lib/alerts/events/siteEvents.ts
+++ b/server/lib/alerts/events/siteEvents.ts
@@ -1,21 +1,156 @@
-// stub
+import logger from "@server/logger";
 import { processAlerts } from "#dynamic/lib/alerts";
 import {
    db,
    logsDb,
    statusHistory,
    targetHealthCheck,
    Transaction
 } from "@server/db";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 import { and, eq, inArray } from "drizzle-orm";
 import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `site_online` alert for the given site.
 *
 * Call this after the site has been confirmed reachable / connected so that
 * any matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId    - Organisation that owns the site.
 * @param siteId   - Numeric primary key of the site.
 * @param siteName - Human-readable name shown in notifications (optional).
 * @param extra    - Any additional key/value pairs to include in the payload.
 */
 export async function fireSiteOnlineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
        await logsDb.insert(statusHistory).values({
            entityType: "site",
            entityId: siteId,
            orgId: orgId,
            status: "online",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("site", siteId);
        await processAlerts({
            eventType: "site_online",
            orgId,
            siteId,
            data: {
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "site_toggle",
            orgId,
            siteId,
            data: {
                siteId,
                status: "online",
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
            err
        );
    }
 }
 /**
 * Fire a `site_offline` alert for the given site.
 *
 * Call this after the site has been detected as unreachable / disconnected so
 * that any matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId    - Organisation that owns the site.
 * @param siteId   - Numeric primary key of the site.
 * @param siteName - Human-readable name shown in notifications (optional).
 * @param extra    - Any additional key/value pairs to include in the payload.
 */
 export async function fireSiteOfflineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
-    trx?: unknown
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    return;
+    try {
        await logsDb.insert(statusHistory).values({
            entityType: "site",
            entityId: siteId,
            orgId: orgId,
            status: "offline",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("site", siteId);
        const unhealthyHealthChecks = await trx
            .update(targetHealthCheck)
            .set({ hcHealth: "unhealthy" })
            .where(
                and(
                    eq(targetHealthCheck.orgId, orgId),
                    eq(targetHealthCheck.siteId, siteId),
                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
                )
            )
            .returning();
        for (const healthCheck of unhealthyHealthChecks) {
            logger.info(
                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
            );
            await fireHealthCheckUnhealthyAlert(
                healthCheck.orgId,
                healthCheck.targetHealthCheckId,
                healthCheck.name,
                healthCheck.targetId, // for the resource if we have one
                undefined,
                true,
                trx
            );
        }
        await processAlerts({
            eventType: "site_offline",
            orgId,
            siteId,
            data: {
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "site_toggle",
            orgId,
            siteId,
            data: {
                siteId,
                status: "offline",
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
            err
        );
    }
 }
--- a/server/lib/alerts/index.ts
+++ b/server/lib/alerts/index.ts
@@ -1,3 +1,4 @@
 export * from "./events/siteEvents";
 export * from "./events/healthCheckEvents";
 export * from "./events/resourceEvents";
 export * from "./processAlerts";
--- a/server/lib/alerts/processAlerts.ts
+++ b/server/lib/alerts/processAlerts.ts
@@ -0,0 +1,5 @@
 import { AlertContext } from "@server/routers/alertRule/types";
 export async function processAlerts(context: AlertContext): Promise<void> {
    return;
 }
--- a/server/lib/billing/getOrgTierData.ts
+++ b/server/lib/billing/getOrgTierData.ts
@@ -1,8 +1,9 @@
 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: string | null; active: boolean }> {
+): Promise<{ tier: string | null; active: boolean; isTrial: boolean }> {
    const tier = null;
    const active = false;
    const isTrial = false;
-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -25,7 +25,7 @@ export const tier1LimitSet: LimitSet = {
 export const tier2LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 100,
+        value: 50,
        description: "Team limit"
    },
    [FeatureId.SITES]: {
@@ -48,7 +48,7 @@ export const tier2LimitSet: LimitSet = {
 export const tier3LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 500,
+        value: 250,
        description: "Business limit"
    },
    [FeatureId.SITES]: {
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -64,7 +64,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.SIEM]: ["enterprise"],
    [TierFeature.HTTPPrivateResources]: ["tier3", "enterprise"],
    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
-    [TierFeature.StandaloneHealthChecks]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
-    [TierFeature.AlertingRules]: ["tier2", "tier3", "enterprise"],
+    [TierFeature.AlertingRules]: ["tier3", "enterprise"],
    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
 };
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -131,42 +131,23 @@ export async function updateClientResources(
            : [];
        const allSites: { siteId: number }[] = [];
        if (resourceData.site) {
            let siteSingle;
            const resourceSiteId = resourceData.site;
-            if (resourceSiteId) {
+        if (resourceData.site) {
            // Look up site by niceId
-                [siteSingle] = await trx
+            const [siteSingle] = await trx
                .select({ siteId: sites.siteId })
                .from(sites)
                .where(
                    and(
-                            eq(sites.niceId, resourceSiteId),
+                        eq(sites.niceId, resourceData.site),
                        eq(sites.orgId, orgId)
                    )
                )
                .limit(1);
-            } else if (siteId) {
+            if (siteSingle) {
                // Use the provided siteId directly, but verify it belongs to the org
                [siteSingle] = await trx
                    .select({ siteId: sites.siteId })
                    .from(sites)
                    .where(
                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
                    )
                    .limit(1);
            } else {
                throw new Error(`Target site is required`);
            }
            if (!siteSingle) {
                throw new Error(
                    `Site not found: ${resourceSiteId} in org ${orgId}`
                );
            }
                allSites.push(siteSingle);
            }
        }
        if (resourceData.sites) {
            for (const siteNiceId of resourceData.sites) {
@@ -180,14 +161,30 @@ export async function updateClientResources(
                        )
                    )
                    .limit(1);
-                if (!site) {
+                if (site) {
                    throw new Error(
                        `Site not found: ${siteId} in org ${orgId}`
                    );
                }
                    allSites.push(site);
                }
            }
        }
        if (siteId && allSites.length === 0) {
            // only add if there are not provided sites
            // Use the provided siteId directly, but verify it belongs to the org
            const [siteSingle] = await trx
                .select({ siteId: sites.siteId })
                .from(sites)
                .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
                .limit(1);
            if (siteSingle) {
                allSites.push(siteSingle);
            }
        }
        if (allSites.length === 0) {
            throw new Error(
                `No valid sites found for private private resource ${resourceNiceId} in org ${orgId}`
            );
        }
        if (existingResource) {
            let domainInfo:
@@ -364,7 +361,7 @@ export async function updateClientResources(
        } else {
            let aliasAddress: string | null = null;
            if (resourceData.mode === "host" || resourceData.mode === "http") {
-                aliasAddress = await getNextAvailableAliasAddress(orgId);
+                aliasAddress = await getNextAvailableAliasAddress(orgId, trx);
            }
            let domainInfo:
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -34,7 +34,7 @@ import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
 import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { fireHealthCheckUnknownAlert } from "#dynamic/lib/alerts";
+import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";
 export type ProxyResourcesResults = {
@@ -165,7 +165,8 @@ export async function updateProxyResources(
                    hcStatus: healthcheckData?.status,
                    hcHealth: "unknown",
                    hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
-                    hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                    hcUnhealthyThreshold:
                        healthcheckData?.["unhealthy-threshold"]
                })
                .returning();
@@ -544,8 +545,10 @@ export async function updateProxyResources(
                                healthcheckData?.["follow-redirects"],
                            hcMethod: healthcheckData?.method,
                            hcStatus: healthcheckData?.status,
-                            hcHealthyThreshold: healthcheckData?.["healthy-threshold"],
+                            hcHealthyThreshold:
-                            hcUnhealthyThreshold: healthcheckData?.["unhealthy-threshold"]
+                                healthcheckData?.["healthy-threshold"],
                            hcUnhealthyThreshold:
                                healthcheckData?.["unhealthy-threshold"]
                        })
                        .where(
                            eq(
@@ -1120,8 +1123,10 @@ function checkIfHealthcheckChanged(
        JSON.stringify(incoming.hcHeaders)
    )
        return true;
-    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold) return true;
+    if (existing.hcHealthyThreshold !== incoming.hcHealthyThreshold)
-    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold) return true;
+        return true;
    if (existing.hcUnhealthyThreshold !== incoming.hcUnhealthyThreshold)
        return true;
    return false;
 }
@@ -1184,7 +1189,11 @@ async function getDomainId(
    orgId: string,
    fullDomain: string,
    trx: Transaction
-): Promise<{ subdomain: string | null; domainId: string; wildcard: boolean } | null> {
+): Promise<{
    subdomain: string | null;
    domainId: string;
    wildcard: boolean;
 } | null> {
    const isWildcardFullDomain = fullDomain.startsWith("*.");
    const possibleDomains = await trx
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -25,9 +25,162 @@ import { tierMatrix } from "./billing/tierMatrix";
 export async function calculateUserClientsForOrgs(
    userId: string,
-    trx?: Transaction
+    trx: Transaction | typeof db = db
 ): Promise<void> {
-    const execute = async (transaction: Transaction) => {
+    const execute = async (transaction: Transaction | typeof db) => {
        const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
        const adminRoleCache = new Map<
            string,
            typeof roles.$inferSelect | null
        >();
        const exitNodesCache = new Map<
            string,
            Awaited<ReturnType<typeof listExitNodes>>
        >();
        const isOrgLicensedCache = new Map<string, boolean>();
        const existingClientCache = new Map<
            string,
            typeof clients.$inferSelect | null
        >();
        const roleClientAccessCache = new Map<string, boolean>();
        const userClientAccessCache = new Map<string, boolean>();
        const getOrgOlmKey = (orgId: string, olmId: string) =>
            `${orgId}:${olmId}`;
        const getRoleClientKey = (roleId: number, clientId: number) =>
            `${roleId}:${clientId}`;
        const getUserClientKey = (cachedUserId: string, clientId: number) =>
            `${cachedUserId}:${clientId}`;
        const getOrg = async (orgId: string) => {
            if (orgCache.has(orgId)) {
                return orgCache.get(orgId) ?? null;
            }
            const [org] = await transaction
                .select()
                .from(orgs)
                .where(eq(orgs.orgId, orgId));
            orgCache.set(orgId, org ?? null);
            return org ?? null;
        };
        const getAdminRole = async (orgId: string) => {
            if (adminRoleCache.has(orgId)) {
                return adminRoleCache.get(orgId) ?? null;
            }
            const [adminRole] = await transaction
                .select()
                .from(roles)
                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
                .limit(1);
            adminRoleCache.set(orgId, adminRole ?? null);
            return adminRole ?? null;
        };
        const getExitNodes = async (orgId: string) => {
            if (exitNodesCache.has(orgId)) {
                return exitNodesCache.get(orgId)!;
            }
            const exitNodes = await listExitNodes(orgId);
            exitNodesCache.set(orgId, exitNodes);
            return exitNodes;
        };
        const getIsOrgLicensed = async (orgId: string) => {
            if (isOrgLicensedCache.has(orgId)) {
                return isOrgLicensedCache.get(orgId)!;
            }
            const isOrgLicensed = await isLicensedOrSubscribed(
                orgId,
                tierMatrix.deviceApprovals
            );
            isOrgLicensedCache.set(orgId, isOrgLicensed);
            return isOrgLicensed;
        };
        const getExistingClient = async (orgId: string, olmId: string) => {
            const key = getOrgOlmKey(orgId, olmId);
            if (existingClientCache.has(key)) {
                return existingClientCache.get(key) ?? null;
            }
            const [existingClient] = await transaction
                .select()
                .from(clients)
                .where(
                    and(
                        eq(clients.userId, userId),
                        eq(clients.orgId, orgId),
                        eq(clients.olmId, olmId)
                    )
                )
                .limit(1);
            existingClientCache.set(key, existingClient ?? null);
            return existingClient ?? null;
        };
        const hasRoleClientAccess = async (
            roleId: number,
            clientId: number
        ) => {
            const key = getRoleClientKey(roleId, clientId);
            if (roleClientAccessCache.has(key)) {
                return roleClientAccessCache.get(key)!;
            }
            const [existingRoleClient] = await transaction
                .select()
                .from(roleClients)
                .where(
                    and(
                        eq(roleClients.roleId, roleId),
                        eq(roleClients.clientId, clientId)
                    )
                )
                .limit(1);
            const hasAccess = Boolean(existingRoleClient);
            roleClientAccessCache.set(key, hasAccess);
            return hasAccess;
        };
        const hasUserClientAccess = async (
            cachedUserId: string,
            clientId: number
        ) => {
            const key = getUserClientKey(cachedUserId, clientId);
            if (userClientAccessCache.has(key)) {
                return userClientAccessCache.get(key)!;
            }
            const [existingUserClient] = await transaction
                .select()
                .from(userClients)
                .where(
                    and(
                        eq(userClients.userId, cachedUserId),
                        eq(userClients.clientId, clientId)
                    )
                )
                .limit(1);
            const hasAccess = Boolean(existingUserClient);
            userClientAccessCache.set(key, hasAccess);
            return hasAccess;
        };
        // Get all OLMs for this user
        const userOlms = await transaction
            .select()
@@ -54,7 +207,9 @@ export async function calculateUserClientsForOrgs(
            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
            .where(eq(userOrgs.userId, userId));
-        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
+        const userOrgIds = [
            ...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))
        ];
        const orgIdToRoleRows = new Map<
            string,
            (typeof userOrgRoleRows)[0][]
@@ -64,6 +219,13 @@ export async function calculateUserClientsForOrgs(
            list.push(r);
            orgIdToRoleRows.set(r.userOrgs.orgId, list);
        }
        const orgRequiresDeviceApprovalRole = new Map<string, boolean>();
        for (const [orgId, roleRowsForOrg] of orgIdToRoleRows.entries()) {
            orgRequiresDeviceApprovalRole.set(
                orgId,
                roleRowsForOrg.some((r) => r.roles.requireDeviceApproval)
            );
        }
        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
@@ -71,10 +233,7 @@ export async function calculateUserClientsForOrgs(
                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
                const userOrg = roleRowsForOrg[0].userOrgs;
-                const [org] = await transaction
+                const org = await getOrg(orgId);
                    .select()
                    .from(orgs)
                    .where(eq(orgs.orgId, orgId));
                if (!org) {
                    logger.warn(
@@ -91,11 +250,7 @@ export async function calculateUserClientsForOrgs(
                }
                // Get admin role for this org (needed for access grants)
-                const [adminRole] = await transaction
+                const adminRole = await getAdminRole(orgId);
                    .select()
                    .from(roles)
                    .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
                    .limit(1);
                if (!adminRole) {
                    logger.warn(
@@ -105,64 +260,50 @@ export async function calculateUserClientsForOrgs(
                }
                // Check if a client already exists for this OLM+user+org combination
-                const [existingClient] = await transaction
+                const existingClient = await getExistingClient(
-                    .select()
+                    orgId,
-                    .from(clients)
+                    olm.olmId
-                    .where(
+                );
                        and(
                            eq(clients.userId, userId),
                            eq(clients.orgId, orgId),
                            eq(clients.olmId, olm.olmId)
                        )
                    )
                    .limit(1);
                if (existingClient) {
                    // Ensure admin role has access to the client
-                    const [existingRoleClient] = await transaction
+                    const hasRoleAccess = await hasRoleClientAccess(
-                        .select()
+                        adminRole.roleId,
                        .from(roleClients)
                        .where(
                            and(
                                eq(roleClients.roleId, adminRole.roleId),
                                eq(
                                    roleClients.clientId,
                        existingClient.clientId
-                                )
+                    );
                            )
                        )
                        .limit(1);
-                    if (!existingRoleClient) {
+                    if (!hasRoleAccess) {
                        await transaction.insert(roleClients).values({
                            roleId: adminRole.roleId,
                            clientId: existingClient.clientId
                        });
                        roleClientAccessCache.set(
                            getRoleClientKey(
                                adminRole.roleId,
                                existingClient.clientId
                            ),
                            true
                        );
                        logger.debug(
                            `Granted admin role access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                        );
                    }
                    // Ensure user has access to the client
-                    const [existingUserClient] = await transaction
+                    const hasUserAccess = await hasUserClientAccess(
-                        .select()
+                        userId,
                        .from(userClients)
                        .where(
                            and(
                                eq(userClients.userId, userId),
                                eq(
                                    userClients.clientId,
                        existingClient.clientId
-                                )
+                    );
                            )
                        )
                        .limit(1);
-                    if (!existingUserClient) {
+                    if (!hasUserAccess) {
                        await transaction.insert(userClients).values({
                            userId,
                            clientId: existingClient.clientId
                        });
                        userClientAccessCache.set(
                            getUserClientKey(userId, existingClient.clientId),
                            true
                        );
                        logger.debug(
                            `Granted user access to existing client ${existingClient.clientId} for OLM ${olm.olmId} in org ${orgId} (user ${userId})`
                        );
@@ -175,7 +316,7 @@ export async function calculateUserClientsForOrgs(
                }
                // Get exit nodes for this org
-                const exitNodesList = await listExitNodes(orgId);
+                const exitNodesList = await getExitNodes(orgId);
                if (exitNodesList.length === 0) {
                    logger.warn(
@@ -206,14 +347,11 @@ export async function calculateUserClientsForOrgs(
                const niceId = await getUniqueClientName(orgId);
-                const isOrgLicensed = await isLicensedOrSubscribed(
+                const isOrgLicensed = await getIsOrgLicensed(userOrg.orgId);
                    userOrg.orgId,
                    tierMatrix.deviceApprovals
                );
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
+                    orgRequiresDeviceApprovalRole.get(orgId) === true;
                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
@@ -232,6 +370,10 @@ export async function calculateUserClientsForOrgs(
                    .insert(clients)
                    .values(newClientData)
                    .returning();
                existingClientCache.set(
                    getOrgOlmKey(orgId, olm.olmId),
                    newClient
                );
                // create approval request
                if (requireApproval) {
@@ -257,12 +399,20 @@ export async function calculateUserClientsForOrgs(
                    roleId: adminRole.roleId,
                    clientId: newClient.clientId
                });
                roleClientAccessCache.set(
                    getRoleClientKey(adminRole.roleId, newClient.clientId),
                    true
                );
                // Grant user access to the client
                await transaction.insert(userClients).values({
                    userId,
                    clientId: newClient.clientId
                });
                userClientAccessCache.set(
                    getUserClientKey(userId, newClient.clientId),
                    true
                );
                logger.debug(
                    `Created client for OLM ${olm.olmId} in org ${orgId} (user ${userId}) with access granted to admin role and user`
@@ -287,7 +437,7 @@ export async function calculateUserClientsForOrgs(
 async function cleanupOrphanedClients(
    userId: string,
-    trx: Transaction,
+    trx: Transaction | typeof db,
    userOrgIds: string[] = []
 ): Promise<void> {
    // Find all OLM clients for this user that should be deleted
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";
 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.0";
+export const APP_VERSION = "1.18.3";
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -6,6 +6,7 @@ import z from "zod";
 import logger from "@server/logger";
 import semver from "semver";
 import { getValidCertificatesForDomains } from "#dynamic/lib/certificates";
 import { lockManager } from "#dynamic/lib/lock";
 interface IPRange {
    start: bigint;
@@ -327,6 +328,9 @@ export async function getNextAvailableClientSubnet(
    orgId: string,
    transaction: Transaction | typeof db = db
 ): Promise<string> {
    return await lockManager.withLock(
        `client-subnet-allocation:${orgId}`,
        async () => {
            const [org] = await transaction
                .select()
                .from(orgs)
@@ -337,7 +341,9 @@ export async function getNextAvailableClientSubnet(
            }
            if (!org.subnet) {
-        throw new Error(`Organization with ID ${orgId} has no subnet defined`);
+                throw new Error(
                    `Organization with ID ${orgId} has no subnet defined`
                );
            }
            const existingAddressesSites = await transaction
@@ -352,7 +358,9 @@ export async function getNextAvailableClientSubnet(
                    address: clients.subnet
                })
                .from(clients)
-        .where(and(isNotNull(clients.subnet), eq(clients.orgId, orgId)));
+                .where(
                    and(isNotNull(clients.subnet), eq(clients.orgId, orgId))
                );
            const addresses = [
                ...existingAddressesSites.map(
@@ -369,19 +377,30 @@ export async function getNextAvailableClientSubnet(
            }
            return subnet;
        }
    );
 }
 export async function getNextAvailableAliasAddress(
-    orgId: string
+    orgId: string,
    trx: Transaction | typeof db = db
 ): Promise<string> {
-    const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+    return await lockManager.withLock(
        `alias-address-allocation:${orgId}`,
        async () => {
            const [org] = await trx
                .select()
                .from(orgs)
                .where(eq(orgs.orgId, orgId));
            if (!org) {
                throw new Error(`Organization with ID ${orgId} not found`);
            }
            if (!org.subnet) {
-        throw new Error(`Organization with ID ${orgId} has no subnet defined`);
+                throw new Error(
                    `Organization with ID ${orgId} has no subnet defined`
                );
            }
            if (!org.utilitySubnet) {
@@ -390,7 +409,7 @@ export async function getNextAvailableAliasAddress(
                );
            }
-    const existingAddresses = await db
+            const existingAddresses = await trx
                .select({
                    aliasAddress: siteResources.aliasAddress
                })
@@ -410,7 +429,11 @@ export async function getNextAvailableAliasAddress(
                `${org.utilitySubnet.split("/")[0]}/29`
            ].filter((address) => address !== null) as string[];
-    let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
+            let subnet = findNextAvailableCidr(
                addresses,
                32,
                org.utilitySubnet
            );
            if (!subnet) {
                throw new Error("No available subnets remaining in space");
            }
@@ -419,9 +442,12 @@ export async function getNextAvailableAliasAddress(
            subnet = subnet.split("/")[0];
            return subnet;
        }
    );
 }
 export async function getNextAvailableOrgSubnet(): Promise<string> {
    return await lockManager.withLock("org-subnet-allocation", async () => {
        const existingAddresses = await db
            .select({
                subnet: orgs.subnet
@@ -441,6 +467,7 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
        }
        return subnet;
    });
 }
 export function generateRemoteSubnets(
@@ -478,7 +505,12 @@ export type Alias = { alias: string | null; aliasAddress: string | null };
 export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
    return allSiteResources
-        .filter((sr) => sr.aliasAddress && ((sr.alias && sr.mode == "host") || (sr.fullDomain && sr.mode == "http")))
+        .filter(
            (sr) =>
                sr.aliasAddress &&
                ((sr.alias && sr.mode == "host") ||
                    (sr.fullDomain && sr.mode == "http"))
        )
        .map((sr) => ({
            alias: sr.alias || sr.fullDomain,
            aliasAddress: sr.aliasAddress
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -24,8 +24,11 @@ export async function getCachedStatusHistory(
        return cached;
    }
-    const nowSec = Math.floor(Date.now() / 1000);
+    // Anchor to UTC midnight so the query window aligns with stable calendar days
-    const startSec = nowSec - days * 86400;
+    const utcToday = new Date();
    utcToday.setUTCHours(0, 0, 0, 0);
    const todayMidnightSec = Math.floor(utcToday.getTime() / 1000);
    const startSec = todayMidnightSec - days * 86400;
    const events = await logsDb
        .select()
@@ -110,11 +113,18 @@ export function computeBuckets(
    days: number
 ): { buckets: StatusHistoryDayBucket[]; totalDowntime: number } {
    const nowSec = Math.floor(Date.now() / 1000);
    // Anchor bucket boundaries to UTC midnight so dates are stable calendar days
    // and don't drift as the cache expires and is recomputed
    const utcToday = new Date();
    utcToday.setUTCHours(0, 0, 0, 0);
    const todayMidnightSec = Math.floor(utcToday.getTime() / 1000);
    const buckets: StatusHistoryDayBucket[] = [];
    let totalDowntime = 0;
    for (let d = 0; d < days; d++) {
-        const dayStartSec = nowSec - (days - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - 1 - d) * 86400;
        const dayEndSec = dayStartSec + 86400;
        const dayEvents = events.filter(
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -535,6 +535,24 @@ export class TraefikConfigManager {
                        if (match && match[1]) {
                            domains.add(match[1]);
                        }
                        // Match HostRegexp(`^[^.]+\.parent.domain$`) generated for wildcard resources
                        const hostRegexpMatch = router.rule.match(
                            /HostRegexp\(`([^`]+)`\)/
                        );
                        if (hostRegexpMatch && hostRegexpMatch[1]) {
                            const innerRegex = hostRegexpMatch[1];
                            // Pattern is always ^[^.]+\.PARENT_DOMAIN$ where dots are escaped as \.
                            const domainMatch = innerRegex.match(
                                /^\^\[\^\.\]\+\\\.(.+)\$$/
                            );
                            if (domainMatch && domainMatch[1]) {
                                const parentDomain = domainMatch[1].replace(
                                    /\\\./g,
                                    "."
                                );
                                domains.add(`*.${parentDomain}`);
                            }
                        }
                    }
                }
            }
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -12,6 +12,7 @@
 */
 import fs from "fs";
 import path from "path";
 import crypto from "crypto";
 import {
    certificates,
@@ -250,71 +251,129 @@ function extractFirstCert(pemBundle: string): string | null {
    return match ? match[0] : null;
 }
-async function syncAcmeCerts(
+/**
-    acmeJsonPath: string,
+ * Determine whether an ACME cert entry represents a wildcard cert by checking
-    resolver: string
+ * both the primary domain (`main`) and the SANs. Some ACME clients (notably
-): Promise<void> {
+ * Traefik) store the bare apex in `main` and only put the wildcard form in
-    let raw: string;
+ * `sans` (e.g. main="access.example.com", sans=["*.access.example.com"]).
 */
 function detectWildcard(
    main: string,
    sans: string[] | undefined
 ): { wildcard: boolean; wildcardSan: string | null } {
    if (main.startsWith("*.")) {
        return { wildcard: true, wildcardSan: null };
    }
    if (Array.isArray(sans)) {
        for (const san of sans) {
            if (typeof san !== "string") continue;
            if (san === `*.${main}` || san.startsWith("*.")) {
                return { wildcard: true, wildcardSan: san };
            }
        }
    }
    return { wildcard: false, wildcardSan: null };
 }
 interface HttpCert {
    wildcard: boolean;
    altName: string;
    certName: string;
    commonName: string;
    certFile: string;
    keyFile: string;
 }
 async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
    let response: Response;
    try {
-        raw = fs.readFileSync(acmeJsonPath, "utf8");
+        response = await fetch(endpoint);
    } catch (err) {
-        logger.debug(`acmeCertSync: could not read ${acmeJsonPath}: ${err}`);
+        logger.debug(
            `acmeCertSync: could not reach HTTP endpoint ${endpoint}: ${err}`
        );
        return;
    }
-    let acmeJson: AcmeJson;
+    if (!response.ok) {
        logger.debug(
            `acmeCertSync: HTTP endpoint returned status ${response.status}`
        );
        return;
    }
    let httpCerts: HttpCert[];
    try {
-        acmeJson = JSON.parse(raw);
+        httpCerts = await response.json();
    } catch (err) {
        logger.debug(`acmeCertSync: could not parse acme.json: ${err}`);
        return;
    }
    const resolverData = acmeJson[resolver];
    if (!resolverData || !Array.isArray(resolverData.Certificates)) {
        logger.debug(
-            `acmeCertSync: no certificates found for resolver "${resolver}"`
+            `acmeCertSync: could not parse JSON from HTTP endpoint: ${err}`
        );
        return;
    }
-    for (const cert of resolverData.Certificates) {
+    if (!Array.isArray(httpCerts) || httpCerts.length === 0) {
        const domain = cert.domain?.main;
        const wildcard = domain.startsWith("*.");
        if (!domain) {
            logger.debug(`acmeCertSync: skipping cert with missing domain`);
            continue;
        }
        if (!cert.certificate || !cert.key) {
        logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
+            `acmeCertSync: no certificates returned from HTTP endpoint`
        );
-            continue;
+        return;
    }
-        const certPem = Buffer.from(cert.certificate, "base64").toString(
+    for (const cert of httpCerts) {
-            "utf8"
+        const domain = cert?.certName;
        );
        const keyPem = Buffer.from(cert.key, "base64").toString("utf8");
-        if (!certPem.trim() || !keyPem.trim()) {
+        if (!domain || typeof domain !== "string") {
            logger.debug(
-                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
+                `acmeCertSync: skipping HTTP cert with missing certName`
            );
            continue;
        }
-        // Check if cert already exists in DB
+        const certPem = cert.certFile;
        const keyPem = cert.keyFile;
        if (!certPem?.trim() || !keyPem?.trim()) {
            logger.debug(
                `acmeCertSync: skipping HTTP cert for ${domain} - empty certFile or keyFile`
            );
            continue;
        }
        const firstCertPemForValidation = extractFirstCert(certPem);
        if (!firstCertPemForValidation) {
            logger.debug(
                `acmeCertSync: skipping HTTP cert for ${domain} - no PEM certificate block found`
            );
            continue;
        }
        let validatedX509: crypto.X509Certificate;
        try {
            validatedX509 = new crypto.X509Certificate(
                firstCertPemForValidation
            );
        } catch (err) {
            logger.debug(
                `acmeCertSync: skipping HTTP cert for ${domain} - invalid X.509 certificate: ${err}`
            );
            continue;
        }
        try {
            crypto.createPrivateKey(keyPem);
        } catch (err) {
            logger.debug(
                `acmeCertSync: skipping HTTP cert for ${domain} - invalid private key: ${err}`
            );
            continue;
        }
        const wildcard = cert.wildcard ?? false;
        const existing = await db
            .select()
            .from(certificates)
-            .where(
+            .where(eq(certificates.domain, domain))
                and(
                    eq(certificates.domain, domain)
                )
            )
            .limit(1);
        let oldCertPem: string | null = null;
@@ -326,14 +385,10 @@ async function syncAcmeCerts(
                    existing[0].certFile,
                    config.getRawConfig().server.secret!
                );
-                if (storedCertPem === certPem) {
+                const wildcardUnchanged = existing[0].wildcard === wildcard;
-                    logger.debug(
+                if (storedCertPem === certPem && wildcardUnchanged) {
                        `acmeCertSync: cert for ${domain} is unchanged, skipping`
                    );
                    continue;
                }
                // Cert has changed; capture old values so we can send a correct
                // update message to the newt after the DB write.
                oldCertPem = storedCertPem;
                if (existing[0].keyFile) {
                    try {
@@ -348,26 +403,22 @@ async function syncAcmeCerts(
                    }
                }
            } catch (err) {
                // Decryption failure means we should proceed with the update
                logger.debug(
                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
                );
            }
        }
        // Parse cert expiry from the first cert in the PEM bundle
        let expiresAt: number | null = null;
        const firstCertPem = extractFirstCert(certPem);
        if (firstCertPem) {
        try {
-                const x509 = new crypto.X509Certificate(firstCertPem);
+            expiresAt = Math.floor(
-                expiresAt = Math.floor(new Date(x509.validTo).getTime() / 1000);
+                new Date(validatedX509.validTo).getTime() / 1000
            );
        } catch (err) {
            logger.debug(
                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
            );
        }
        }
        const encryptedCert = encrypt(
            certPem,
@@ -379,6 +430,126 @@ async function syncAcmeCerts(
        );
        const now = Math.floor(Date.now() / 1000);
        const domainId = await findDomainId(domain);
        if (domainId) {
            logger.debug(
                `acmeCertSync: resolved domainId "${domainId}" for HTTP cert domain "${domain}"`
            );
        } else {
            logger.debug(
                `acmeCertSync: no matching domain record found for HTTP cert domain "${domain}"`
            );
        }
        if (existing.length > 0) {
            logger.debug(
                `acmeCertSync: updating existing certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
            );
            await db
                .update(certificates)
                .set({
                    certFile: encryptedCert,
                    keyFile: encryptedKey,
                    status: "valid",
                    expiresAt,
                    updatedAt: now,
                    wildcard,
                    ...(domainId !== null && { domainId })
                })
                .where(eq(certificates.domain, domain));
            await pushCertUpdateToAffectedNewts(
                domain,
                domainId,
                oldCertPem,
                oldKeyPem
            );
        } else {
            logger.debug(
                `acmeCertSync: inserting new certificate (HTTP) for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
            );
            await db.insert(certificates).values({
                domain,
                domainId,
                certFile: encryptedCert,
                keyFile: encryptedKey,
                status: "valid",
                expiresAt,
                createdAt: now,
                updatedAt: now,
                wildcard
            });
            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
        }
    }
 }
 async function storeCertForDomain(
    domain: string,
    certPem: string,
    keyPem: string,
    validatedX509: crypto.X509Certificate
 ): Promise<void> {
    const wildcard = domain.startsWith("*.");
    const existing = await db
        .select()
        .from(certificates)
        .where(eq(certificates.domain, domain))
        .limit(1);
    let oldCertPem: string | null = null;
    let oldKeyPem: string | null = null;
    if (existing.length > 0 && existing[0].certFile) {
        try {
            const storedCertPem = decrypt(
                existing[0].certFile,
                config.getRawConfig().server.secret!
            );
            const wildcardUnchanged = existing[0].wildcard === wildcard;
            if (storedCertPem === certPem && wildcardUnchanged) {
                return;
            }
            oldCertPem = storedCertPem;
            if (existing[0].keyFile) {
                try {
                    oldKeyPem = decrypt(
                        existing[0].keyFile,
                        config.getRawConfig().server.secret!
                    );
                } catch (keyErr) {
                    logger.debug(
                        `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
                    );
                }
            }
        } catch (err) {
            logger.debug(
                `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
            );
        }
    }
    let expiresAt: number | null = null;
    try {
        expiresAt = Math.floor(
            new Date(validatedX509.validTo).getTime() / 1000
        );
    } catch (err) {
        logger.debug(
            `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
        );
    }
    const encryptedCert = encrypt(
        certPem,
        config.getRawConfig().server.secret!
    );
    const encryptedKey = encrypt(keyPem, config.getRawConfig().server.secret!);
    const now = Math.floor(Date.now() / 1000);
    const domainId = await findDomainId(domain);
    if (domainId) {
        logger.debug(
@@ -437,9 +608,196 @@ async function syncAcmeCerts(
            `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
        );
            // For a brand-new cert, push to any SSL resources that were waiting for it
        await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
    }
 }
 function findAcmeJsonFiles(dirPath: string): string[] {
    const results: string[] = [];
    let entries: fs.Dirent[];
    try {
        entries = fs.readdirSync(dirPath, { withFileTypes: true });
    } catch (err) {
        logger.warn(
            `acmeCertSync: could not read directory "${dirPath}": ${err}`
        );
        return results;
    }
    for (const entry of entries) {
        const fullPath = path.join(dirPath, entry.name);
        if (entry.isDirectory()) {
            results.push(...findAcmeJsonFiles(fullPath));
        } else if (entry.isFile()) {
            // check if it is a json file
            if (entry.name.endsWith(".json")) {
                let raw: string;
                try {
                    raw = fs.readFileSync(fullPath, "utf8");
                } catch (err) {
                    logger.warn(
                        `acmeCertSync: could not read file "${fullPath}": ${err}`
                    );
                    continue;
                }
                let parsed: any;
                try {
                    parsed = JSON.parse(raw);
                } catch (err) {
                    logger.warn(
                        `acmeCertSync: could not parse "${fullPath}" as JSON: ${err}`
                    );
                    continue;
                }
            }
            results.push(fullPath);
        }
    }
    return results;
 }
 async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
    let raw: string;
    try {
        raw = fs.readFileSync(acmeJsonPath, "utf8");
    } catch (err) {
        logger.warn(`acmeCertSync: could not read "${acmeJsonPath}": ${err}`);
        return;
    }
    let acmeJson: AcmeJson;
    try {
        acmeJson = JSON.parse(raw);
    } catch (err) {
        logger.warn(
            `acmeCertSync: could not parse "${acmeJsonPath}" as JSON: ${err}`
        );
        return;
    }
    const resolvers = Object.keys(acmeJson || {});
    if (resolvers.length === 0) {
        logger.debug(`acmeCertSync: no resolvers found in acme.json`);
        return;
    }
    // Collect certificates from every resolver. If the same domain appears in
    // multiple resolvers, the last one wins (resolvers iterated in object order).
    const allCerts: AcmeCert[] = [];
    for (const resolver of resolvers) {
        const resolverData = acmeJson[resolver];
        if (!resolverData || !Array.isArray(resolverData.Certificates)) {
            logger.debug(
                `acmeCertSync: no certificates found for resolver "${resolver}"`
            );
            continue;
        }
        logger.debug(
            `acmeCertSync: found ${resolverData.Certificates.length} certificate(s) for resolver "${resolver}"`
        );
        for (const cert of resolverData.Certificates) {
            allCerts.push(cert);
        }
    }
    for (const cert of allCerts) {
        const mainDomain = cert?.domain?.main;
        if (!mainDomain || typeof mainDomain !== "string") {
            logger.debug(`acmeCertSync: skipping cert with missing domain`);
            continue;
        }
        if (!cert.certificate || !cert.key) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - empty certificate or key field`
            );
            continue;
        }
        let certPem: string;
        let keyPem: string;
        try {
            certPem = Buffer.from(cert.certificate, "base64").toString("utf8");
            keyPem = Buffer.from(cert.key, "base64").toString("utf8");
        } catch (err) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - failed to base64-decode cert/key: ${err}`
            );
            continue;
        }
        if (!certPem.trim() || !keyPem.trim()) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - blank PEM after base64 decode`
            );
            continue;
        }
        // Validate that the decoded data actually parses as a real X.509 cert
        // before we touch the database. This prevents importing partially-written
        // or corrupted entries from acme.json.
        const firstCertPemForValidation = extractFirstCert(certPem);
        if (!firstCertPemForValidation) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - no PEM certificate block found`
            );
            continue;
        }
        let validatedX509: crypto.X509Certificate;
        try {
            validatedX509 = new crypto.X509Certificate(
                firstCertPemForValidation
            );
        } catch (err) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - invalid X.509 certificate: ${err}`
            );
            continue;
        }
        // Sanity-check the private key parses too
        try {
            crypto.createPrivateKey(keyPem);
        } catch (err) {
            logger.debug(
                `acmeCertSync: skipping cert for ${mainDomain} - invalid private key: ${err}`
            );
            continue;
        }
        // Collect all domains covered by this cert: main + every SAN.
        // Each domain gets its own row in the certificates table so that
        // lookups by any hostname on the cert succeed independently.
        const allDomains = new Set<string>([mainDomain]);
        if (Array.isArray(cert.domain?.sans)) {
            for (const san of cert.domain.sans) {
                if (typeof san === "string" && san.trim()) {
                    allDomains.add(san.trim());
                }
            }
        }
        logger.debug(
            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
        );
        for (const domain of allDomains) {
            try {
                await storeCertForDomain(
                    domain,
                    certPem,
                    keyPem,
                    validatedX509
                );
            } catch (err) {
                logger.error(
                    `acmeCertSync: error storing cert for domain "${domain}": ${err}`
                );
            }
        }
    }
 }
@@ -468,21 +826,63 @@ export function initAcmeCertSync(): void {
    const acmeJsonPath =
        privateConfigData.acme?.acme_json_path ??
        "config/letsencrypt/acme.json";
    const resolver = privateConfigData.acme?.resolver ?? "letsencrypt";
    const intervalMs = privateConfigData.acme?.sync_interval_ms ?? 5000;
    const httpEndpoint = privateConfigData.acme?.acme_http_endpoint;
    logger.debug(
-        `acmeCertSync: starting ACME cert sync from "${acmeJsonPath}" using resolver "${resolver}" every ${intervalMs}ms`
+        `acmeCertSync: starting ACME cert sync from "${acmeJsonPath}" across all resolvers every ${intervalMs}ms`
    );
    if (httpEndpoint) {
        logger.debug(
            `acmeCertSync: also syncing from HTTP endpoint "${httpEndpoint}" every ${intervalMs}ms`
        );
    }
-    // Run immediately on init, then on the configured interval
+    const runSync = () => {
-    syncAcmeCerts(acmeJsonPath, resolver).catch((err) => {
+        if (httpEndpoint) {
-        logger.error(`acmeCertSync: error during initial sync: ${err}`);
+            syncAcmeCertsFromHttp(httpEndpoint).catch((err) => {
                logger.error(`acmeCertSync: error during HTTP sync: ${err}`);
            });
        } else {
            // only run the file-based sync if the HTTP endpoint is not configured, to avoid doubling up
            let stat: fs.Stats | null = null;
            try {
                stat = fs.statSync(acmeJsonPath);
            } catch (err) {
                logger.warn(
                    `acmeCertSync: cannot stat path "${acmeJsonPath}": ${err}`
                );
                return;
            }
-    setInterval(() => {
+            if (stat.isDirectory()) {
-        syncAcmeCerts(acmeJsonPath, resolver).catch((err) => {
+                const files = findAcmeJsonFiles(acmeJsonPath);
                if (files.length === 0) {
                    logger.debug(
                        `acmeCertSync: no acme.json files found in directory "${acmeJsonPath}"`
                    );
                    return;
                }
                logger.debug(
                    `acmeCertSync: found ${files.length} acme.json file(s) in directory "${acmeJsonPath}"`
                );
                for (const file of files) {
                    syncAcmeCerts(file).catch((err) => {
                        logger.error(
                            `acmeCertSync: error during sync of "${file}": ${err}`
                        );
                    });
                }
            } else {
                syncAcmeCerts(acmeJsonPath).catch((err) => {
                    logger.error(`acmeCertSync: error during sync: ${err}`);
                });
-    }, intervalMs);
+            }
        }
    };
    // Run immediately on init, then on the configured interval
    runSync();
    setInterval(runSync, intervalMs);
 }
--- a/server/private/lib/alerts/events/healthCheckEvents.ts
+++ b/server/private/lib/alerts/events/healthCheckEvents.ts
@@ -1,306 +0,0 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025-2026 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import logger from "@server/logger";
 import { processAlerts } from "../processAlerts";
 import {
    db,
    statusHistory,
    targetHealthCheck,
    targets,
    resources,
    Transaction,
    logsDb
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 import {
    fireResourceDegradedAlert,
    fireResourceHealthyAlert,
    fireResourceUnhealthyAlert,
    fireResourceUnknownAlert
 } from "./resourceEvents";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `health_check_healthy` alert for the given health check.
 *
 * Call this after a previously-failing health check has recovered so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId         - Organisation that owns the health check.
 * @param healthCheckId - Numeric primary key of the health check.
 * @param healthCheckName - Human-readable name shown in notifications (optional).
 * @param extra         - Any additional key/value pairs to include in the payload.
 */
 export async function fireHealthCheckHealthyAlert(
    orgId: string,
    healthCheckId: number,
    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "healthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "health_check_healthy",
            orgId,
            healthCheckId,
            data: {
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "health_check_toggle",
            orgId,
            healthCheckId,
            data: {
                healthCheckId,
                status: "healthy",
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireHealthCheckHealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 /**
 * Fire a `health_check_unhealthy` alert for the given health check.
 *
 * Call this after a health check has been detected as failing so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId         - Organisation that owns the health check.
 * @param healthCheckId - Numeric primary key of the health check.
 * @param healthCheckName - Human-readable name shown in notifications (optional).
 * @param extra         - Any additional key/value pairs to include in the payload.
 */
 export async function fireHealthCheckUnhealthyAlert(
    orgId: string,
    healthCheckId: number,
    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "unhealthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "health_check_unhealthy",
            orgId,
            healthCheckId,
            data: {
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "health_check_toggle",
            orgId,
            healthCheckId,
            data: {
                healthCheckId,
                status: "unhealthy",
                ...(healthCheckName != null ? { healthCheckName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireHealthCheckUnhealthyAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 export async function fireHealthCheckUnknownAlert(
    orgId: string,
    healthCheckId: number,
    healthCheckName?: string | null,
    healthCheckTargetId?: number | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "health_check",
            entityId: healthCheckId,
            orgId: orgId,
            status: "unknown",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("health_check", healthCheckId);
        await handleResource(orgId, healthCheckTargetId, send, trx);
        if (!send) {
            return;
        }
    } catch (err) {
        logger.error(
            `fireHealthCheckUnknownAlert: unexpected error for healthCheckId ${healthCheckId}`,
            err
        );
    }
 }
 async function handleResource(
    orgId: string,
    healthCheckTargetId?: number | null,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ) {
    if (!healthCheckTargetId) {
        return;
    }
    // we have targets lets get them
    const [target] = await trx
        .select()
        .from(targets)
        .where(eq(targets.targetId, healthCheckTargetId))
        .limit(1);
    if (!target) {
        return;
    }
    const [resource] = await trx
        .select()
        .from(resources)
        .where(eq(resources.resourceId, target.resourceId))
        .limit(1);
    if (!resource) {
        return;
    }
    const otherTargets = await trx
        .select({ hcHealth: targetHealthCheck.hcHealth })
        .from(targets)
        .innerJoin(
            targetHealthCheck,
            eq(targetHealthCheck.targetId, targets.targetId)
        )
        .where(eq(targets.resourceId, resource.resourceId));
    let health = "healthy";
    const allUnknown = otherTargets.every((t) => t.hcHealth === "unknown");
    const allHealthy = otherTargets.every((t) => t.hcHealth === "healthy");
    const allUnhealthy = otherTargets.every((t) => t.hcHealth === "unhealthy");
    if (allUnknown) {
        logger.debug(
            `Marking resource ${resource.resourceId} as unknown because all health checks are disabled`
        );
        health = "unknown";
    } else if (allHealthy) {
        health = "healthy";
    } else if (allUnhealthy) {
        logger.debug(
            `Marking resource ${resource.resourceId} as unhealthy because all targets are unhealthy`
        );
        health = "unhealthy";
    } else {
        logger.debug(
            `Marking resource ${resource.resourceId} as degraded because some targets are unhealthy`
        );
        health = "degraded";
    }
    if (health != resource.health) {
        // it changed
        await trx
            .update(resources)
            .set({ health })
            .where(eq(resources.resourceId, resource.resourceId));
        if (health === "unknown") {
            await fireResourceUnknownAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "unhealthy") {
            await fireResourceUnhealthyAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "healthy") {
            await fireResourceHealthyAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        } else if (health === "degraded") {
            await fireResourceDegradedAlert(
                orgId,
                resource.resourceId,
                resource.name,
                undefined,
                send,
                trx
            );
        }
    }
 }
--- a/server/private/lib/alerts/events/resourceEvents.ts
+++ b/server/private/lib/alerts/events/resourceEvents.ts
@@ -1,256 +0,0 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025-2026 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import logger from "@server/logger";
 import { processAlerts } from "../processAlerts";
 import { db, logsDb, statusHistory, Transaction } from "@server/db";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `resource_healthy` alert for the given resource.
 *
 * Call this after a previously-unhealthy resource has recovered so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceHealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "healthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_healthy",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "healthy",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceHealthyAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_unhealthy` alert for the given resource.
 *
 * Call this after a resource has been detected as unhealthy so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceUnhealthyAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "unhealthy",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_unhealthy",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "unhealthy",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceUnhealthyAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_degraded` alert for the given resource.
 *
 * Call this after a resource has been detected as degraded so that any
 * matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceDegradedAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "degraded",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_degraded",
            orgId,
            resourceId,
            data: {
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "degraded",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceDegradedAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
 /**
 * Fire a `resource_unknown` alert for the given resource.
 *
 * Call this when all health checks on a resource are disabled so that the
 * resource status transitions to unknown.
 *
 * @param orgId        - Organisation that owns the resource.
 * @param resourceId   - Numeric primary key of the resource.
 * @param resourceName - Human-readable name shown in notifications (optional).
 * @param extra        - Any additional key/value pairs to include in the payload.
 */
 export async function fireResourceUnknownAlert(
    orgId: string,
    resourceId: number,
    resourceName?: string | null,
    extra?: Record<string, unknown>,
    send: boolean = true,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "resource",
            entityId: resourceId,
            orgId: orgId,
            status: "unknown",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("resource", resourceId);
        if (!send) {
            return;
        }
        await processAlerts({
            eventType: "resource_toggle",
            orgId,
            resourceId,
            data: {
                resourceId,
                status: "unknown",
                ...(resourceName != null ? { resourceName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireResourceUnknownAlert: unexpected error for resourceId ${resourceId}`,
            err
        );
    }
 }
--- a/server/private/lib/alerts/events/siteEvents.ts
+++ b/server/private/lib/alerts/events/siteEvents.ts
@@ -1,169 +0,0 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025-2026 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import logger from "@server/logger";
 import { processAlerts } from "../processAlerts";
 import {
    db,
    logsDb,
    statusHistory,
    targetHealthCheck,
    Transaction
 } from "@server/db";
 import { invalidateStatusHistoryCache } from "@server/lib/statusHistory";
 import { and, eq, inArray } from "drizzle-orm";
 import { fireHealthCheckUnhealthyAlert } from "./healthCheckEvents";
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------
 /**
 * Fire a `site_online` alert for the given site.
 *
 * Call this after the site has been confirmed reachable / connected so that
 * any matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId    - Organisation that owns the site.
 * @param siteId   - Numeric primary key of the site.
 * @param siteName - Human-readable name shown in notifications (optional).
 * @param extra    - Any additional key/value pairs to include in the payload.
 */
 export async function fireSiteOnlineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "site",
            entityId: siteId,
            orgId: orgId,
            status: "online",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("site", siteId);
        await processAlerts({
            eventType: "site_online",
            orgId,
            siteId,
            data: {
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "site_toggle",
            orgId,
            siteId,
            data: {
                siteId,
                status: "online",
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireSiteOnlineAlert: unexpected error for siteId ${siteId}`,
            err
        );
    }
 }
 /**
 * Fire a `site_offline` alert for the given site.
 *
 * Call this after the site has been detected as unreachable / disconnected so
 * that any matching `alertRules` can dispatch their email and webhook actions.
 *
 * @param orgId    - Organisation that owns the site.
 * @param siteId   - Numeric primary key of the site.
 * @param siteName - Human-readable name shown in notifications (optional).
 * @param extra    - Any additional key/value pairs to include in the payload.
 */
 export async function fireSiteOfflineAlert(
    orgId: string,
    siteId: number,
    siteName?: string,
    extra?: Record<string, unknown>,
    trx: Transaction | typeof db = db
 ): Promise<void> {
    try {
        await logsDb.insert(statusHistory).values({
            entityType: "site",
            entityId: siteId,
            orgId: orgId,
            status: "offline",
            timestamp: Math.floor(Date.now() / 1000)
        });
        await invalidateStatusHistoryCache("site", siteId);
        const unhealthyHealthChecks = await trx
            .update(targetHealthCheck)
            .set({ hcHealth: "unhealthy" })
            .where(
                and(
                    eq(targetHealthCheck.orgId, orgId),
                    eq(targetHealthCheck.siteId, siteId),
                    eq(targetHealthCheck.hcEnabled, true) // only effect the ones that are enabled
                )
            )
            .returning();
        for (const healthCheck of unhealthyHealthChecks) {
            logger.info(
                `Marking health check ${healthCheck.targetHealthCheckId} unhealthy due to site ${siteId} being marked offline`
            );
            await fireHealthCheckUnhealthyAlert(
                healthCheck.orgId,
                healthCheck.targetHealthCheckId,
                healthCheck.name,
                healthCheck.targetId, // for the resource if we have one
                undefined,
                true,
                trx
            );
        }
        await processAlerts({
            eventType: "site_offline",
            orgId,
            siteId,
            data: {
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
        await processAlerts({
            eventType: "site_toggle",
            orgId,
            siteId,
            data: {
                siteId,
                status: "offline",
                ...(siteName != null ? { siteName } : {}),
                ...extra
            }
        });
    } catch (err) {
        logger.error(
            `fireSiteOfflineAlert: unexpected error for siteId ${siteId}`,
            err
        );
    }
 }
--- a/server/private/lib/alerts/index.ts
+++ b/server/private/lib/alerts/index.ts
@@ -14,6 +14,3 @@
 export * from "./processAlerts";
 export * from "./sendAlertWebhook";
 export * from "./sendAlertEmail";
 export * from "./events/siteEvents";
 export * from "./events/healthCheckEvents";
 export * from "./events/resourceEvents";
--- a/server/private/lib/alerts/processAlerts.ts
+++ b/server/private/lib/alerts/processAlerts.ts
@@ -29,7 +29,10 @@ import { decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 import { sendAlertWebhook } from "./sendAlertWebhook";
 import { sendAlertEmail } from "./sendAlertEmail";
-import { AlertContext, WebhookAlertConfig } from "@server/routers/alertRule/types";
+import {
    AlertContext,
    WebhookAlertConfig
 } from "@server/routers/alertRule/types";
 /**
 * Core alert processing pipeline.
@@ -99,7 +102,10 @@ export async function processAlerts(context: AlertContext): Promise<void> {
                    baseConditions,
                    or(
                        eq(alertRules.allHealthChecks, true),
-                        eq(alertHealthChecks.healthCheckId, context.healthCheckId)
+                        eq(
                            alertHealthChecks.healthCheckId,
                            context.healthCheckId
                        )
                    )
                )
            );
@@ -208,14 +214,19 @@ async function processRule(
    for (const action of emailActions) {
        try {
-            const recipients = await resolveEmailRecipients(action.emailActionId);
+            const recipients = await resolveEmailRecipients(
                action.emailActionId
            );
            if (recipients.length > 0) {
                await sendAlertEmail(recipients, context);
                await db
                    .update(alertEmailActions)
                    .set({ lastSentAt: now })
                    .where(
-                        eq(alertEmailActions.emailActionId, action.emailActionId)
+                        eq(
                            alertEmailActions.emailActionId,
                            action.emailActionId
                        )
                    );
            }
        } catch (err) {
@@ -269,7 +280,7 @@ async function processRule(
                    )
                );
        } catch (err) {
-            logger.error(
+            logger.warn(
                `processAlerts: failed to send alert webhook for action ${action.webhookActionId}`,
                err
            );
@@ -289,7 +300,9 @@ async function processRule(
 * - All users in a role (by `roleId`, resolved via `userOrgRoles`)
 * - Direct external email addresses
 */
-async function resolveEmailRecipients(emailActionId: number): Promise<string[]> {
+async function resolveEmailRecipients(
    emailActionId: number
 ): Promise<string[]> {
    const rows = await db
        .select()
        .from(alertEmailRecipients)
--- a/server/private/lib/alerts/sendAlertWebhook.ts
+++ b/server/private/lib/alerts/sendAlertWebhook.ts
@@ -42,17 +42,23 @@ export async function sendAlertWebhook(
    webhookConfig: WebhookAlertConfig,
    context: AlertContext
 ): Promise<void> {
-    const payload = {
+    const eventType = context.eventType;
-        event: context.eventType,
+    const timestamp = new Date().toISOString();
-        timestamp: new Date().toISOString(),
+    const status = deriveStatus(eventType, context.data);
-        status: deriveStatus(context.eventType, context.data),
+    const data = { orgId: context.orgId, ...context.data };
-        data: {
+
-            orgId: context.orgId,
+    let body: string;
-            ...context.data
+    if (webhookConfig.useBodyTemplate && webhookConfig.bodyTemplate?.trim()) {
-        }
+        body = renderTemplate(webhookConfig.bodyTemplate, {
-    };
+            event: eventType,
            timestamp,
            status,
            data
        });
    } else {
        body = JSON.stringify({ event: eventType, timestamp, status, data });
    }
    const body = JSON.stringify(payload);
    const headers = buildHeaders(webhookConfig);
    let lastError: Error | undefined;
@@ -217,3 +223,80 @@ function buildHeaders(
    return headers;
 }
 // ---------------------------------------------------------------------------
 // Body template rendering
 // ---------------------------------------------------------------------------
 interface TemplateContext {
    event: string;
    timestamp: string;
    status: string;
    data: Record<string, unknown>;
 }
 /**
 * Render a body template with {{event}}, {{timestamp}}, {{status}}, {{data}},
 * and individual data-field placeholders (e.g. {{orgId}}, {{siteId}}, …).
 *
 * Replacement order:
 *   1. {{data}} → raw JSON of the full data object (prevents re-expansion of
 *      nested values that might look like placeholders).
 *   2. Top-level scalar fields from data (string values are JSON-escaped;
 *      numbers and booleans are rendered as-is). Unknown placeholders are
 *      left untouched.
 *   3. The fixed top-level keys: event, timestamp, status.
 */
 function renderTemplate(template: string, ctx: TemplateContext): string {
    // Step 1 – expand {{data}} first so its contents are already serialised
    // and won't be touched by later passes.
    let rendered = template.replace(/\{\{data\}\}/g, JSON.stringify(ctx.data));
    // Step 2 – expand individual data fields. Only replace placeholders whose
    // key actually exists in ctx.data; leave everything else as-is.
    for (const [key, value] of Object.entries(ctx.data)) {
        if (value === null || value === undefined) continue;
        const placeholder = new RegExp(
            `\\{\\{${key.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\}\\}`,
            "g"
        );
        let serialised: string;
        if (typeof value === "string") {
            serialised = escapeJsonString(value);
        } else if (typeof value === "number" || typeof value === "boolean") {
            serialised = String(value);
        } else {
            serialised = escapeJsonString(JSON.stringify(value));
        }
        rendered = rendered.replace(placeholder, serialised);
    }
    // Step 3 – expand the fixed top-level keys.
    rendered = rendered
        .replace(/\{\{event\}\}/g, escapeJsonString(ctx.event))
        .replace(/\{\{timestamp\}\}/g, escapeJsonString(ctx.timestamp))
        .replace(/\{\{status\}\}/g, escapeJsonString(ctx.status));
    // Validate the rendered result is valid JSON; if not, log a warning and
    // fall back to the default payload so the webhook still fires.
    try {
        JSON.parse(rendered);
        return rendered;
    } catch {
        logger.warn(
            `sendAlertWebhook: body template produced invalid JSON for event ` +
                `"${ctx.event}" destined for a webhook. Falling back to default ` +
                `payload. Check that {{data}} is NOT wrapped in quotes in your template.`
        );
        return JSON.stringify({
            event: ctx.event,
            timestamp: ctx.timestamp,
            status: ctx.status,
            data: ctx.data
        });
    }
 }
 function escapeJsonString(value: string): string {
    return JSON.stringify(value).slice(1, -1);
 }
--- a/server/private/lib/alerts/types.ts
+++ b/server/private/lib/alerts/types.ts
@@ -45,6 +45,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
    /** Whether to use a custom body template */
    useBodyTemplate?: boolean;
    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
    bodyTemplate?: string;
 }
 // ---------------------------------------------------------------------------
--- a/server/private/lib/billing/getOrgTierData.ts
+++ b/server/private/lib/billing/getOrgTierData.ts
@@ -19,12 +19,13 @@ import { eq, and, ne } from "drizzle-orm";
 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: Tier | null; active: boolean }> {
+): Promise<{ tier: Tier | null; active: boolean; isTrial: boolean }> {
    let tier: Tier | null = null;
    let active = false;
    let isTrial = false;
    if (build !== "saas") {
-        return { tier, active };
+        return { tier, active, isTrial };
    }
    try {
@@ -35,7 +36,7 @@ export async function getOrgTierData(
            .limit(1);
        if (!org) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }
        let orgIdToUse = org.orgId;
@@ -44,7 +45,7 @@ export async function getOrgTierData(
                logger.warn(
                    `Org ${orgId} is not a billing org and does not have a billingOrgId`
                );
-                return { tier, active };
+                return { tier, active, isTrial };
            }
            orgIdToUse = org.billingOrgId;
        }
@@ -57,7 +58,7 @@ export async function getOrgTierData(
            .limit(1);
        if (!customer) {
-            return { tier, active };
+            return { tier, active, isTrial };
        }
        // Query for active subscriptions that are not license type
@@ -84,11 +85,13 @@ export async function getOrgTierData(
                tier = subscription.type;
                active = true;
            }
            isTrial = subscription.trial ?? false;
        }
    } catch (error) {
        // If org not found or error occurs, return null tier and inactive
        // This is acceptable behavior as per the function signature
    }
-    return { tier, active };
+    return { tier, active, isTrial };
 }
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -21,7 +21,8 @@ import { getEnvOrYaml } from "@server/lib/getEnvOrYaml";
 const portSchema = z.number().positive().gt(0).lte(65535);
-export const privateConfigSchema = z.object({
+export const privateConfigSchema = z
    .object({
        app: z
            .object({
                region: z.string().optional().default("default"),
@@ -70,10 +71,7 @@ export const privateConfigSchema = z.object({
                    .optional(),
                tls: z
                    .object({
-                    rejectUnauthorized: z
+                        rejectUnauthorized: z.boolean().optional().default(true)
                        .boolean()
                        .optional()
                        .default(true)
                    })
                    .optional()
            })
@@ -102,7 +100,7 @@ export const privateConfigSchema = z.object({
                    .string()
                    .optional()
                    .default("config/letsencrypt/acme.json"),
-            resolver: z.string().optional().default("letsencrypt"),
+                acme_http_endpoint: z.string().optional(),
                sync_interval_ms: z.number().optional().default(5000)
            })
            .optional(),
@@ -182,13 +180,13 @@ export const privateConfigSchema = z.object({
                webhook_secret: z
                    .string()
                    .optional()
-                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
+                    .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET"))
                // s3Bucket: z.string(),
                // s3Region: z.string().default("us-east-1"),
                // localFilePath: z.string().optional()
            })
            .optional()
-})
+    })
    .transform((data) => {
        // this to maintain backwards compatibility with the old config file
        const identityProviderMode = data.app?.identity_provider_mode;
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -277,8 +277,15 @@ export async function getTraefikConfig(
        });
    });
    let siteResourcesWithFullDomain: {
        siteResourceId: number;
        fullDomain: string | null;
        mode: "http" | "host" | "cidr";
    }[] = [];
    if (build == "enterprise") {
        // we dont want to do this on the cloud
        // Query siteResources in HTTP mode with SSL enabled and aliases - cert generation / HTTPS edge
-    const siteResourcesWithFullDomain = await db
+        siteResourcesWithFullDomain = await db
            .select({
                siteResourceId: siteResources.siteResourceId,
                fullDomain: siteResources.fullDomain,
@@ -296,18 +303,11 @@ export async function getTraefikConfig(
                    isNotNull(siteResources.fullDomain),
                    eq(siteResources.mode, "http"),
                    eq(siteResources.ssl, true),
                or(
                    eq(sites.exitNodeId, exitNodeId),
                    and(
                        isNull(sites.exitNodeId),
                        sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
                        eq(sites.type, "local"),
                        sql`(${build != "saas" ? 1 : 0} = 1)`
                    )
                ),
                    inArray(sites.type, siteTypes)
                )
            );
    }
    let validCerts: CertificateResult[] = [];
    if (privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
--- a/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
+++ b/server/private/routers/alertEvents/triggerHealthCheckAlert.ts
@@ -24,7 +24,7 @@ import { eq, and } from "drizzle-orm";
 import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert
-} from "#private/lib/alerts/events/healthCheckEvents";
+} from "@server/lib/alerts";
 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
@@ -73,10 +73,7 @@ export async function triggerHealthCheckAlert(
            .from(targetHealthCheck)
            .where(
                and(
-                    eq(
+                    eq(targetHealthCheck.targetHealthCheckId, healthCheckId),
                        targetHealthCheck.targetHealthCheckId,
                        healthCheckId
                    ),
                    eq(targetHealthCheck.orgId, orgId)
                )
            )
--- a/server/private/routers/alertEvents/triggerResourceAlert.ts
+++ b/server/private/routers/alertEvents/triggerResourceAlert.ts
@@ -25,7 +25,7 @@ import {
    fireResourceHealthyAlert,
    fireResourceUnhealthyAlert,
    fireResourceDegradedAlert
-} from "#private/lib/alerts/events/resourceEvents";
+} from "@server/lib/alerts";
 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/alertEvents/triggerSiteAlert.ts
+++ b/server/private/routers/alertEvents/triggerSiteAlert.ts
@@ -21,10 +21,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
-import {
+import { fireSiteOnlineAlert, fireSiteOfflineAlert } from "@server/lib/alerts";
    fireSiteOnlineAlert,
    fireSiteOfflineAlert
 } from "#private/lib/alerts/events/siteEvents";
 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty(),
--- a/server/private/routers/billing/featureLifecycle.ts
+++ b/server/private/routers/billing/featureLifecycle.ts
@@ -30,8 +30,10 @@ import {
    userOrgRoles,
    siteProvisioningKeyOrg,
    siteProvisioningKeys,
    alertRules,
    targetHealthCheck
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, isNull } from "drizzle-orm";
 /**
 * Get the maximum allowed retention days for a given tier
@@ -318,6 +320,14 @@ async function disableFeature(
                await disableSiteProvisioningKeys(orgId);
                break;
            case TierFeature.AlertingRules:
                await disableAlertingRules(orgId);
                break;
            case TierFeature.StandaloneHealthChecks:
                await disableStandaloneHealthChecks(orgId);
                break;
            default:
                logger.warn(
                    `Unknown feature ${feature} for org ${orgId}, skipping`
@@ -360,8 +370,7 @@ async function disableFullRbac(orgId: string): Promise<void> {
 async function disableSiteProvisioningKeys(orgId: string): Promise<void> {
    const rows = await db
        .select({
-            siteProvisioningKeyId:
+            siteProvisioningKeyId: siteProvisioningKeyOrg.siteProvisioningKeyId
                siteProvisioningKeyOrg.siteProvisioningKeyId
        })
        .from(siteProvisioningKeyOrg)
        .where(eq(siteProvisioningKeyOrg.orgId, orgId));
@@ -525,6 +534,29 @@ async function disablePasswordExpirationPolicies(orgId: string): Promise<void> {
    logger.info(`Disabled password expiration policies for org ${orgId}`);
 }
 async function disableAlertingRules(orgId: string): Promise<void> {
    await db
        .update(alertRules)
        .set({ enabled: false })
        .where(eq(alertRules.orgId, orgId));
    logger.info(`Disabled all alert rules for org ${orgId}`);
 }
 async function disableStandaloneHealthChecks(orgId: string): Promise<void> {
    await db
        .update(targetHealthCheck)
        .set({ hcEnabled: false })
        .where(
            and(
                eq(targetHealthCheck.orgId, orgId),
                isNull(targetHealthCheck.targetId)
            )
        );
    logger.info(`Disabled standalone health checks for org ${orgId}`);
 }
 async function disableAutoProvisioning(orgId: string): Promise<void> {
    // Get all IDP IDs for this org through the idpOrg join table
    const orgIdps = await db
--- a/server/private/routers/billing/hooks/handleCustomerCreated.ts
+++ b/server/private/routers/billing/hooks/handleCustomerCreated.ts
@@ -16,6 +16,7 @@ import { customers, db, subscriptions } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
 import { generateId } from "@server/auth/sessions/app";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
 export async function handleCustomerCreated(
    customer: Stripe.Customer
@@ -62,6 +63,13 @@ export async function handleCustomerCreated(
                expiresAt: trialExpiresAt,
                trial: true
            });
            // update to the business limits for the trial
            await handleSubscriptionLifesycle(
                customer.metadata.orgId,
                "active",
                "tier3"
            );
        });
        logger.info(`Customer with ID ${customer.id} created successfully.`);
--- a/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
@@ -174,6 +174,19 @@ export async function handleSubscriptionCreated(
                    // TODO: update user in Sendy
                }
            }
            // delete the trial subscrition if we have one
            await db
                .delete(subscriptions)
                .where(
                    and(
                        eq(
                            subscriptions.customerId,
                            subscription.customer as string
                        ),
                        eq(subscriptions.trial, true)
                    )
                );
        } else if (type === "license") {
            logger.debug(
                `License subscription created for org ${customer.orgId}, no lifecycle handling needed.`
--- a/server/private/routers/billing/subscriptionLifecycle.ts
+++ b/server/private/routers/billing/subscriptionLifecycle.ts
@@ -44,7 +44,7 @@ function getLimitSetForSubscriptionType(
 export async function handleSubscriptionLifesycle(
    orgId: string,
    status: string,
-    subType: SubscriptionType | null
+    subType: SubscriptionType | null = null
 ) {
    switch (status) {
        case "active":
--- a/server/private/routers/certificates/createCertificate.ts
+++ b/server/private/routers/certificates/createCertificate.ts
@@ -79,7 +79,7 @@ export async function createCertificate(
    let domainToWrite = domain;
    if (
-        domainRecord.type == "wildcard" &&
+        domainRecord.type == "wildcard" && // this is to fix the wildcard certs for traefik in self hosted NOT ON THE CLOUD
        domainRecord.preferWildcardCert &&
        !domain.startsWith("*.")
    ) {
@@ -89,6 +89,15 @@ export async function createCertificate(
            domainToWrite = parts.slice(1).join(".");
            domainToWrite = `*.${domainToWrite}`;
        }
    } else if (domainRecord.type == "ns") {
        if (domain == domainRecord.baseDomain) {
            domainToWrite = domainRecord.baseDomain;
        } else {
            const parts = domain.split(".");
            if (parts.length > 2) {
                domainToWrite = parts.slice(1).join(".");
            }
        }
    }
    // No cert found, create a new one in pending state
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -165,7 +165,6 @@ authenticated.get(
 authenticated.get(
    "/org/:orgId/certificate/:domainId/:domain",
    verifyValidLicense,
    verifyOrgAccess,
    verifyCertificateAccess,
    verifyUserHasAction(ActionsEnum.getCertificate),
--- a/server/private/routers/healthChecks/createHealthCheck.ts
+++ b/server/private/routers/healthChecks/createHealthCheck.ts
@@ -22,7 +22,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert } from "#private/lib/alerts";
+import { fireHealthCheckUnhealthyAlert } from "@server/lib/alerts";
 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
--- a/server/private/routers/healthChecks/updateHealthCheck.ts
+++ b/server/private/routers/healthChecks/updateHealthCheck.ts
@@ -22,7 +22,11 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { and, eq, isNull } from "drizzle-orm";
 import { addStandaloneHealthCheck } from "@server/routers/newt/targets";
-import { fireHealthCheckUnhealthyAlert, fireHealthCheckUnknownAlert, fireHealthCheckHealthyAlert } from "#private/lib/alerts";
+import {
    fireHealthCheckUnhealthyAlert,
    fireHealthCheckUnknownAlert,
    fireHealthCheckHealthyAlert
 } from "@server/lib/alerts";
 const paramsSchema = z
    .object({
@@ -234,7 +238,10 @@ export async function updateHealthCheck(
            )
            .returning();
-        if (updated.hcHealth === "unhealthy" && existingHealthCheck.hcHealth !== "unhealthy") {
+        if (
            updated.hcHealth === "unhealthy" &&
            existingHealthCheck.hcHealth !== "unhealthy"
        ) {
            await fireHealthCheckUnhealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -243,7 +250,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "unknown" && existingHealthCheck.hcHealth !== "unknown") {
+        } else if (
            updated.hcHealth === "unknown" &&
            existingHealthCheck.hcHealth !== "unknown"
        ) {
            // if the health is unknown, we want to fire an alert to notify users to enable health checks
            await fireHealthCheckUnknownAlert(
                updated.orgId,
@@ -253,7 +263,10 @@ export async function updateHealthCheck(
                undefined,
                false // dont send the alert because we just want to create the alert, not notify users yet
            );
-        } else if (updated.hcHealth === "healthy" && existingHealthCheck.hcHealth !== "healthy") {
+        } else if (
            updated.hcHealth === "healthy" &&
            existingHealthCheck.hcHealth !== "healthy"
        ) {
            await fireHealthCheckHealthyAlert(
                updated.orgId,
                updated.targetHealthCheckId,
@@ -264,7 +277,6 @@ export async function updateHealthCheck(
            );
        }
        // Push updated health check to newt if the site is a newt site
        const [newt] = await db
            .select()
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -67,23 +67,19 @@ if (build == "saas") {
        verifyApiKeyIsRoot,
        certificates.syncCertToNewts
    );
 }
-authenticated.post(
+    authenticated.post(
        `/org/:orgId/send-usage-notification`,
        verifyApiKeyIsRoot, // We are the only ones who can use root key so its fine
    verifyApiKeyHasAction(ActionsEnum.sendUsageNotification),
    logActionAudit(ActionsEnum.sendUsageNotification),
        org.sendUsageNotification
-);
+    );
-authenticated.post(
+    authenticated.post(
        `/org/:orgId/send-trial-notification`,
        verifyApiKeyIsRoot,
    verifyApiKeyHasAction(ActionsEnum.sendTrialNotification),
    logActionAudit(ActionsEnum.sendTrialNotification),
        org.sendTrialNotification
-);
+    );
 }
 authenticated.delete(
    "/idp/:idpId",
--- a/server/private/routers/org/sendTrialNotification.ts
+++ b/server/private/routers/org/sendTrialNotification.ts
@@ -24,13 +24,18 @@ import { fromError } from "zod-validation-error";
 import { sendEmail } from "@server/emails";
 import NotifyTrialExpiring from "@server/emails/templates/NotifyTrialExpiring";
 import config from "@server/lib/config";
 import { handleSubscriptionLifesycle } from "../billing/subscriptionLifecycle";
 const sendTrialNotificationParamsSchema = z.object({
    orgId: z.string()
 });
 const sendTrialNotificationBodySchema = z.object({
-    notificationType: z.enum(["trial_ending_5d", "trial_ending_24h", "trial_ended"]),
+    notificationType: z.enum([
        "trial_ending_5d",
        "trial_ending_24h",
        "trial_ended"
    ]),
    orgName: z.string(),
    trialEndsAt: z.number(),
    billingLink: z.string().optional()
@@ -69,9 +74,7 @@ async function getOrgAdmins(orgId: string) {
            )
        );
-    const byUserId = new Map(
+    const byUserId = new Map(admins.map((a) => [a.userId, a]));
        admins.map((a) => [a.userId, a])
    );
    const orgAdmins = Array.from(byUserId.values()).filter(
        (admin) => admin.email && admin.email.length > 0
    );
@@ -108,8 +111,12 @@ export async function sendTrialNotification(
        }
        const { orgId } = parsedParams.data;
-        const { notificationType, orgName, trialEndsAt, billingLink: bodyBillingLink } =
+        const {
-            parsedBody.data;
+            notificationType,
            orgName,
            trialEndsAt,
            billingLink: bodyBillingLink
        } = parsedBody.data;
        // Verify organization exists
        const org = await db
@@ -146,13 +153,17 @@ export async function sendTrialNotification(
            bodyBillingLink ??
            `${config.getRawConfig().app.dashboard_url}/${orgId}/settings/billing`;
-        const trialEndsAtFormatted = new Date(trialEndsAt * 1000).toLocaleDateString(
+        const trialEndsAtFormatted = new Date(
-            "en-US",
+            trialEndsAt * 1000
-            { year: "numeric", month: "long", day: "numeric" }
+        ).toLocaleDateString("en-US", {
-        );
+            year: "numeric",
            month: "long",
            day: "numeric"
        });
        let daysRemaining: number | null;
        let subject: string;
        let resetLimits = false;
        if (notificationType === "trial_ending_5d") {
            daysRemaining = 5;
@@ -163,6 +174,7 @@ export async function sendTrialNotification(
        } else {
            daysRemaining = null;
            subject = "Your trial has ended";
            resetLimits = true;
        }
        let emailsSent = 0;
@@ -201,6 +213,14 @@ export async function sendTrialNotification(
            }
        }
        if (resetLimits) {
            // this will only fire if they have not upgraded yet because when upgrading we delete the trial
            await handleSubscriptionLifesycle(orgId, "cancled");
            logger.debug(
                `Trial ended for org ${orgId}, limits reset to free tier`
            );
        }
        return response<SendTrialNotificationResponse>(res, {
            data: {
                success: true,
--- a/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
+++ b/server/private/routers/remoteExitNode/listRemoteExitNodes.ts
@@ -22,6 +22,91 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
 import cache from "#private/lib/cache";
 import semver from "semver";
 let stalePangolinNodeVersion: string | null = null;
 async function getLatestPangolinNodeVersion(): Promise<string | null> {
    try {
        const cachedVersion = await cache.get<string>(
            "cache:latestPangolinNodeVersion"
        );
        if (cachedVersion) {
            return cachedVersion;
        }
        const controller = new AbortController();
        const timeoutId = setTimeout(() => controller.abort(), 1500);
        const res = await fetch(
            "https://api.github.com/repos/fosrl/pangolin-node/tags",
            { signal: controller.signal }
        );
        clearTimeout(timeoutId);
        if (!res.ok) {
            logger.warn(
                `Failed to fetch latest pangolin-node version from GitHub: ${res.status} ${res.statusText}`
            );
            return stalePangolinNodeVersion;
        }
        let tags = await res.json();
        if (!Array.isArray(tags) || tags.length === 0) {
            logger.warn("No tags found for pangolin-node repository");
            return stalePangolinNodeVersion;
        }
        tags = tags.filter((tag: any) => !tag.name.includes("rc"));
        tags.sort((a: any, b: any) => {
            const va = semver.coerce(a.name);
            const vb = semver.coerce(b.name);
            if (!va && !vb) return 0;
            if (!va) return 1;
            if (!vb) return -1;
            return semver.rcompare(va, vb);
        });
        const seen = new Set<string>();
        tags = tags.filter((tag: any) => {
            const normalised = semver.coerce(tag.name)?.version;
            if (!normalised || seen.has(normalised)) return false;
            seen.add(normalised);
            return true;
        });
        if (tags.length === 0) {
            logger.warn(
                "No valid semver tags found for pangolin-node repository"
            );
            return stalePangolinNodeVersion;
        }
        const latestVersion = tags[0].name;
        stalePangolinNodeVersion = latestVersion;
        await cache.set("cache:latestPangolinNodeVersion", latestVersion, 3600);
        return latestVersion;
    } catch (error: any) {
        if (error.name === "AbortError") {
            logger.warn(
                "Request to fetch latest pangolin-node version timed out (1.5s)"
            );
        } else if (error.cause?.code === "UND_ERR_CONNECT_TIMEOUT") {
            logger.warn(
                "Connection timeout while fetching latest pangolin-node version"
            );
        } else {
            logger.warn(
                "Error fetching latest pangolin-node version:",
                error.message || error
            );
        }
        return stalePangolinNodeVersion;
    }
 }
 const listRemoteExitNodesParamsSchema = z.strictObject({
    orgId: z.string()
@@ -118,9 +203,41 @@ export async function listRemoteExitNodes(
        const totalCountResult = await countQuery;
        const totalCount = totalCountResult[0].count;
        const latestPangolinNodeVersionPromise = getLatestPangolinNodeVersion();
        const nodesWithUpdates = remoteExitNodesList.map((node) => ({
            ...node,
            updateAvailable: false
        }));
        try {
            const latestPangolinNodeVersion =
                await latestPangolinNodeVersionPromise;
            if (latestPangolinNodeVersion) {
                nodesWithUpdates.forEach((node) => {
                    if (node.version) {
                        try {
                            node.updateAvailable = semver.lt(
                                node.version,
                                latestPangolinNodeVersion
                            );
                        } catch {
                            node.updateAvailable = false;
                        }
                    }
                });
            }
        } catch (error) {
            logger.warn(
                "Failed to check for pangolin-node updates, continuing without update info:",
                error
            );
        }
        return response<ListRemoteExitNodesResponse>(res, {
            data: {
-                remoteExitNodes: remoteExitNodesList,
+                remoteExitNodes: nodesWithUpdates,
                pagination: {
                    total: totalCount,
                    limit,
--- a/server/private/routers/user/addUserRole.ts
+++ b/server/private/routers/user/addUserRole.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { clients, db } from "@server/db";
+import { clients, db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -122,8 +122,12 @@ export async function addUserRole(
            );
        }
-        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
+        let newUserRole: {
-            null;
+            userId: string;
            orgId: string;
            roleId: number;
        } | null = null;
        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            const inserted = await trx
                .insert(userOrgRoles)
@@ -149,11 +153,19 @@ export async function addUserRole(
                    )
                );
-            for (const orgClient of orgClients) {
+            orgClientsToRebuild = orgClients;
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        for (const orgClient of orgClientsToRebuild) {
            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations for client ${orgClient.clientId} after adding role: ${e}`
                    );
                }
            );
        }
        return response(res, {
            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
            success: true,
--- a/server/private/routers/user/removeUserRole.ts
+++ b/server/private/routers/user/removeUserRole.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { db } from "@server/db";
+import { db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -129,6 +129,7 @@ export async function removeUserRole(
            }
        }
        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
@@ -150,11 +151,19 @@ export async function removeUserRole(
                    )
                );
-            for (const orgClient of orgClients) {
+            orgClientsToRebuild = orgClients;
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        for (const orgClient of orgClientsToRebuild) {
            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations for client ${orgClient.clientId} after removing role: ${e}`
                    );
                }
            );
        }
        return response(res, {
            data: { userId, orgId: role.orgId, roleId },
            success: true,
--- a/server/private/routers/user/setUserOrgRoles.ts
+++ b/server/private/routers/user/setUserOrgRoles.ts
@@ -13,7 +13,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db } from "@server/db";
+import { clients, db, primaryDb, Client } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -115,6 +115,7 @@ export async function setUserOrgRoles(
            );
        }
        let orgClientsToRebuild: Client[] = [];
        await db.transaction(async (trx) => {
            await trx
                .delete(userOrgRoles)
@@ -142,11 +143,19 @@ export async function setUserOrgRoles(
                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
                );
-            for (const orgClient of orgClients) {
+            orgClientsToRebuild = orgClients;
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });
        for (const orgClient of orgClientsToRebuild) {
            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations for client ${orgClient.clientId} after setting roles: ${e}`
                    );
                }
            );
        }
        return response(res, {
            data: { userId, orgId, roleIds: uniqueRoleIds },
            success: true,
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -22,7 +22,7 @@ import {
    Olm,
    olms,
    RemoteExitNode,
-    remoteExitNodes,
+    remoteExitNodes
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
@@ -194,8 +194,6 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -406,6 +404,9 @@ const removeClient = async (
    const updatedClients = existingClients.filter((client) => client !== ws);
    if (updatedClients.length === 0) {
        connectedClients.delete(mapKey);
        // Remove clientId from clientConfigVersions on disconnect — prevents
        // unbounded memory growth from stale entries.
        clientConfigVersions.delete(clientId);
        if (redisManager.isRedisEnabled()) {
            try {
@@ -1097,6 +1098,11 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
        }
    });
    // Eagerly remove client — close event may not fire if socket is already
    // CLOSING, leaving zombie entries.
    connectedClients.delete(mapKey);
    clientConfigVersions.delete(clientId);
    return true;
 };
--- a/server/routers/alertRule/types.ts
+++ b/server/routers/alertRule/types.ts
@@ -80,6 +80,10 @@ export interface WebhookAlertConfig {
    headers?: Array<{ key: string; value: string }>;
    /** HTTP method (default POST) */
    method?: string;
    /** Whether to use a custom body template */
    useBodyTemplate?: boolean;
    /** Mustache-style body template with {{event}}, {{timestamp}}, {{status}}, {{data}} placeholders */
    bodyTemplate?: string;
 }
 // ---------------------------------------------------------------------------
--- a/server/routers/auth/deleteMyAccount.ts
+++ b/server/routers/auth/deleteMyAccount.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, userOrgs, users } from "@server/db";
+import { db, orgs, userOrgs, users, primaryDb } from "@server/db";
 import { eq, and, inArray, not } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -104,8 +104,9 @@ export async function deleteMyAccount(
                (r) => r.isBillingOrg && r.isOwner
            )?.orgId;
            if (primaryOrgId) {
-                const { tier, active } = await getOrgTierData(primaryOrgId);
+                const { tier, active, isTrial } =
-                if (active && tier) {
+                    await getOrgTierData(primaryOrgId);
                if (active && tier && !isTrial) {
                    return next(
                        createHttpError(
                            HttpCode.BAD_REQUEST,
@@ -217,13 +218,18 @@ export async function deleteMyAccount(
        await db.transaction(async (trx) => {
            await trx.delete(users).where(eq(users.userId, userId));
            await calculateUserClientsForOrgs(userId, trx);
            // loop through the other orgs and decrement the count
            for (const userOrg of otherOrgsTheUserWasIn) {
                await usageService.add(userOrg.orgId, FeatureId.USERS, -1, trx);
            }
        });
        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
            logger.error(
                `Failed to calculate user clients after deleting account for user ${userId}: ${e}`
            );
        });
        try {
            await invalidateSession(session.sessionId);
        } catch (error) {
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -1003,7 +1003,11 @@ async function checkRules(
            isIpInCidr(clientIp, rule.value)
        ) {
            return rule.action as any;
-        } else if (clientIp && rule.match == "IP" && clientIp == rule.value) {
+        } else if (
            clientIp &&
            rule.match == "IP" &&
            clientIp == rule.value
        ) {
            return rule.action as any;
        } else if (
            path &&
@@ -1013,16 +1017,35 @@ async function checkRules(
            return rule.action as any;
        } else if (
            clientIp &&
-            rule.match == "COUNTRY" &&
+            rule.match == "COUNTRY"
            (await isIpInGeoIP(ipCC, rule.value))
        ) {
            // COUNTRY=ALL should not affect local/private/CGNAT addresses.
            if (
                rule.value.toUpperCase() === "ALL" &&
                isLocalOrCarrierGradeNatIp(clientIp)
            ) {
                continue;
            }
            if (await isIpInGeoIP(ipCC, rule.value)) {
                return rule.action as any;
            }
        } else if (
            clientIp &&
-            rule.match == "ASN" &&
+            rule.match == "ASN"
            (await isIpInAsn(ipAsn, rule.value))
        ) {
            // ASN=ALL/AS0 should not affect local/private/CGNAT addresses.
            if (
                (rule.value.toUpperCase() === "ALL" ||
                    rule.value.toUpperCase() === "AS0") &&
                isLocalOrCarrierGradeNatIp(clientIp)
            ) {
                continue;
            }
            if (await isIpInAsn(ipAsn, rule.value)) {
                return rule.action as any;
            }
        } else if (
            clientIp &&
            rule.match == "REGION" &&
@@ -1184,6 +1207,26 @@ async function isIpInGeoIP(
    return ipCountryCode?.toUpperCase() === checkCountryCode.toUpperCase();
 }
 function isLocalOrCarrierGradeNatIp(ip: string): boolean {
    const localAndCgnatCidrs = [
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "100.64.0.0/10",
        "127.0.0.0/8",
        "169.254.0.0/16",
        "::1/128",
        "fc00::/7",
        "fe80::/10"
    ];
    try {
        return localAndCgnatCidrs.some((cidr) => isIpInCidr(ip, cidr));
    } catch {
        return false;
    }
 }
 async function isIpInAsn(
    ipAsn: number | undefined,
    checkAsn: string
--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, primaryDb } from "@server/db";
 import {
    roles,
    Client,
@@ -92,7 +92,10 @@ export async function createClient(
        const { orgId } = parsedParams.data;
-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (
            req.user &&
            (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)
        ) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -198,7 +201,10 @@ export async function createClient(
            if (!randomExitNode) {
                return next(
-                    createHttpError(HttpCode.NOT_FOUND, `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`)
+                    createHttpError(
                        HttpCode.NOT_FOUND,
                        `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`
                    )
                );
            }
@@ -256,10 +262,18 @@ export async function createClient(
                clientId: newClient.clientId,
                dateCreated: moment().toISOString()
            });
            await rebuildClientAssociationsFromClient(newClient, trx);
        });
        if (newClient) {
            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations after creating client: ${e}`
                    );
                }
            );
        }
        return response<CreateClientResponse>(res, {
            data: newClient,
            success: true,
--- a/server/routers/client/createUserClient.ts
+++ b/server/routers/client/createUserClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, primaryDb } from "@server/db";
 import {
    roles,
    Client,
@@ -237,10 +237,18 @@ export async function createUserClient(
                userId,
                clientId: newClient.clientId
            });
            await rebuildClientAssociationsFromClient(newClient, trx);
        });
        if (newClient) {
            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations after creating user client: ${e}`
                    );
                }
            );
        }
        return response<CreateClientAndOlmResponse>(res, {
            data: newClient,
            success: true,
--- a/server/routers/client/deleteClient.ts
+++ b/server/routers/client/deleteClient.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, olms } from "@server/db";
+import { db, olms, primaryDb, Client, Olm } from "@server/db";
 import { clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -71,14 +71,17 @@ export async function deleteClient(
            );
        }
        let deletedClient: Client | undefined;
        let olm: Olm | undefined;
        await db.transaction(async (trx) => {
            // Then delete the client itself
-            const [deletedClient] = await trx
+            [deletedClient] = await trx
                .delete(clients)
                .where(eq(clients.clientId, clientId))
                .returning();
-            const [olm] = await trx
+            [olm] = await trx
                .select()
                .from(olms)
                .where(eq(olms.clientId, clientId))
@@ -88,14 +91,29 @@ export async function deleteClient(
            if (!client.userId && client.olmId) {
                await trx.delete(olms).where(eq(olms.olmId, client.olmId));
            }
            await rebuildClientAssociationsFromClient(deletedClient, trx);
            if (olm) {
                await sendTerminateClient(deletedClient.clientId, OlmErrorCodes.TERMINATED_DELETED, olm.olmId); //  the olmId needs to be provided because it cant look it up after deletion
            }
        });
        if (deletedClient) {
            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
                (e) => {
                    logger.error(
                        `Failed to rebuild client associations after deleting client ${clientId}: ${e}`
                    );
                }
            );
            if (olm) {
                sendTerminateClient(
                    deletedClient.clientId,
                    OlmErrorCodes.TERMINATED_DELETED,
                    olm.olmId
                ).catch((e) => {
                    logger.error(
                        `Failed to send terminate message for client ${deletedClient?.clientId} after deleting client ${clientId}: ${e}`
                    );
                });
            }
        }
        return response(res, {
            data: null,
            success: true,
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -38,10 +38,7 @@ import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsFor
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import {
+import { assignUserToOrg, removeUserFromOrg } from "@server/lib/userOrg";
    assignUserToOrg,
    removeUserFromOrg
 } from "@server/lib/userOrg";
 import { unwrapRoleMapping } from "@app/lib/idpRoleMapping";
 const ensureTrailingSlash = (url: string): string => {
@@ -336,31 +333,15 @@ export async function validateOidcCallback(
                    .innerJoin(orgs, eq(orgs.orgId, idpOrg.orgId));
                allOrgs = idpOrgs.map((o) => o.orgs);
-                // TODO: when there are multiple orgs we need to do this better!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
+                for (const org of allOrgs) {
                if (allOrgs.length > 1) {
                    // for some reason there is more than one org
                    logger.error(
                        "More than one organization linked to this IdP. This should not happen with auto-provisioning enabled."
                    );
                    return next(
                        createHttpError(
                            HttpCode.INTERNAL_SERVER_ERROR,
                            "Multiple organizations linked to this IdP. Please contact support."
                        )
                    );
                }
                    const subscribed = await isSubscribed(
-                    allOrgs[0].orgId,
+                        org.orgId,
                        tierMatrix.autoProvisioning
                    );
                    if (!subscribed) {
-                    return next(
+                        // filter out the org
-                        createHttpError(
+                        allOrgs = allOrgs.filter((o) => o.orgId !== org.orgId);
-                            HttpCode.FORBIDDEN,
+                    }
                            "This organization's current plan does not support this feature."
                        )
                    );
                }
            } else {
                allOrgs = await db.select().from(orgs);
@@ -405,16 +386,14 @@ export async function validateOidcCallback(
                    idpOrgRes?.roleMapping || defaultRoleMapping;
                if (roleMapping) {
                    logger.debug("Role Mapping", { roleMapping });
-                    const roleMappingJmes = unwrapRoleMapping(
+                    const roleMappingJmes =
-                        roleMapping
+                        unwrapRoleMapping(roleMapping).evaluationExpression;
                    ).evaluationExpression;
                    const roleMappingResult = jmespath.search(
                        claims,
                        roleMappingJmes
                    );
-                    const roleNames = normalizeRoleMappingResult(
+                    const roleNames =
-                        roleMappingResult
+                        normalizeRoleMappingResult(roleMappingResult);
                    );
                    const supportsMultiRole = await isLicensedOrSubscribed(
                        org.orgId,
@@ -504,7 +483,14 @@ export async function validateOidcCallback(
                            }
                        }
-                        await calculateUserClientsForOrgs(existingUser.userId);
+                        calculateUserClientsForOrgs(existingUser.userId).catch(
                            (err) => {
                                logger.error(
                                    "Error calculating user clients after removing all orgs for user with no valid IdP mappings",
                                    { error: err }
                                );
                            }
                        );
                        return next(
                            createHttpError(
@@ -526,10 +512,9 @@ export async function validateOidcCallback(
            const orgUserCounts: { orgId: string; userCount: number }[] = [];
            let userId = existingUser?.userId;
            // sync the user with the orgs and roles
            await db.transaction(async (trx) => {
                let userId = existingUser?.userId;
                // create user if not exists
                if (!existingUser) {
                    userId = generateId(15);
@@ -637,7 +622,7 @@ export async function validateOidcCallback(
                                {
                                    orgId: org.orgId,
                                    userId: userId!,
-                                    autoProvisioned: true,
+                                    autoProvisioned: true
                                },
                                org.roleIds,
                                trx
@@ -659,8 +644,15 @@ export async function validateOidcCallback(
                        userCount: userCount.length
                    });
                }
            });
            db.transaction(async (trx) => {
                await calculateUserClientsForOrgs(userId!, trx);
            }).catch((err) => {
                logger.error(
                    "Error calculating user clients after syncing orgs and roles for OIDC user",
                    { error: err }
                );
            });
            for (const orgCount of orgUserCounts) {
@@ -767,9 +759,7 @@ function hydrateOrgMapping(
    return orgMapping.split("{{orgId}}").join(orgId);
 }
-function normalizeRoleMappingResult(
+function normalizeRoleMappingResult(result: unknown): string[] {
    result: unknown
 ): string[] {
    if (typeof result === "string") {
        const role = result.trim();
        return role ? [role] : [];
@@ -779,7 +769,9 @@ function normalizeRoleMappingResult(
        return [
            ...new Set(
                result
-                    .filter((value): value is string => typeof value === "string")
+                    .filter(
                        (value): value is string => typeof value === "string"
                    )
                    .map((value) => value.trim())
                    .filter(Boolean)
            )
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -1,12 +1,8 @@
 import { MessageHandler } from "@server/routers/ws";
-import {
+import { db, Newt, sites } from "@server/db";
    db,
    Newt,
    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert } from "@server/lib/alerts";
 /**
 * Handles disconnecting messages from sites to show disconnected in the ui
@@ -38,7 +34,13 @@ export const handleNewtDisconnectingMessage: MessageHandler = async (
                .where(eq(sites.siteId, newt.siteId!))
                .returning();
-            await fireSiteOfflineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+            await fireSiteOfflineAlert(
                site.orgId,
                site.siteId,
                site.name,
                undefined,
                trx
            );
        });
    } catch (error) {
        logger.error("Error handling disconnecting message", { error });
--- a/server/routers/newt/offlineChecker.ts
+++ b/server/routers/newt/offlineChecker.ts
@@ -1,12 +1,8 @@
-import {
+import { db, newts, sites } from "@server/db";
    db,
    newts,
    sites
 } from "@server/db";
 import { hasActiveConnections } from "#dynamic/routers/ws";
 import { eq, lt, isNull, and, or, ne, not, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOfflineAlert, fireSiteOnlineAlert } from "@server/lib/alerts";
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
--- a/server/routers/newt/pingAccumulator.ts
+++ b/server/routers/newt/pingAccumulator.ts
@@ -2,7 +2,7 @@ import { db } from "@server/db";
 import { sites, clients, olms } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
-import { fireSiteOnlineAlert } from "#dynamic/lib/alerts";
+import { fireSiteOnlineAlert } from "@server/lib/alerts";
 /**
 * Ping Accumulator
@@ -127,7 +127,11 @@ async function flushSitePingsToDb(): Promise<void> {
                            eq(sites.online, false)
                        )
                    )
-                    .returning({ siteId: sites.siteId, orgId: sites.orgId, name: sites.name });
+                    .returning({
                        siteId: sites.siteId,
                        orgId: sites.orgId,
                        name: sites.name
                    });
                // Update lastPing for sites that were already online.
                // After the update above, the newly-online sites now have
@@ -148,7 +152,13 @@ async function flushSitePingsToDb(): Promise<void> {
            for (const site of newlyOnlineSites) {
                await db.transaction(async (trx) => {
-                    await fireSiteOnlineAlert(site.orgId, site.siteId, site.name, undefined, trx);
+                    await fireSiteOnlineAlert(
                        site.orgId,
                        site.siteId,
                        site.name,
                        undefined,
                        trx
                    );
                });
            }
        } catch (error) {
--- a/server/routers/olm/createUserOlm.ts
+++ b/server/routers/olm/createUserOlm.ts
@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { db, olms } from "@server/db";
+import { db, olms, primaryDb } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -81,8 +81,7 @@ export async function createUserOlm(
        const secretHash = await hashPassword(secret);
-        await db.transaction(async (trx) => {
+        await db.insert(olms).values({
            await trx.insert(olms).values({
            olmId: olmId,
            userId,
            name,
@@ -90,7 +89,11 @@ export async function createUserOlm(
            dateCreated: moment().toISOString()
        });
-            await calculateUserClientsForOrgs(userId, trx);
+        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
            console.error(
                "Error calculating user clients after creating olm:",
                e
            );
        });
        return response<CreateOlmResponse>(res, {
--- a/server/routers/olm/deleteUserOlm.ts
+++ b/server/routers/olm/deleteUserOlm.ts
@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { Client, db } from "@server/db";
+import { Client, db, Olm, primaryDb } from "@server/db";
 import { olms, clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
@@ -49,6 +49,7 @@ export async function deleteUserOlm(
        const { olmId } = parsedParams.data;
        let deletedClient: Client | undefined;
        // Delete associated clients and the OLM in a transaction
        await db.transaction(async (trx) => {
            // Find all clients associated with this OLM
@@ -57,7 +58,6 @@ export async function deleteUserOlm(
                .from(clients)
                .where(eq(clients.olmId, olmId));
            let deletedClient: Client | null = null;
            // Delete all associated clients
            if (associatedClients.length > 0) {
                [deletedClient] = await trx
@@ -67,22 +67,27 @@ export async function deleteUserOlm(
            }
            // Finally, delete the OLM itself
-            const [olm] = await trx
+            await trx.delete(olms).where(eq(olms.olmId, olmId)).returning();
-                .delete(olms)
+        });
                .where(eq(olms.olmId, olmId))
                .returning();
        if (deletedClient) {
-                await rebuildClientAssociationsFromClient(deletedClient, trx);
+            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
-                if (olm) {
+                (e) => {
-                    await sendTerminateClient(
+                    logger.error(
                        `Failed to rebuild client-site associations after deleting OLM ${olmId}: ${e}`
                    );
                }
            );
            sendTerminateClient(
                deletedClient.clientId,
                OlmErrorCodes.TERMINATED_DELETED,
-                        olm.olmId
+                olmId
-                    ); //  the olmId needs to be provided because it cant look it up after deletion
+            ).catch((e) => {
-                }
+                logger.error(
-            }
+                    `Failed to send terminate message for client ${deletedClient?.clientId} after deleting OLM ${olmId}: ${e}`
                );
            });
        }
        return response(res, {
            data: null,
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -22,14 +22,14 @@ import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
-    logger.info("Handling register olm message!");
+    logger.info("[handleOlmRegisterMessage] Handling register olm message");
    const { message, client: c, sendToClient } = context;
    const olm = c as Olm;
    const now = Math.floor(Date.now() / 1000);
    if (!olm) {
-        logger.warn("Olm not found");
+        logger.warn("[handleOlmRegisterMessage] Olm not found");
        return;
    }
@@ -46,16 +46,19 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    } = message.data;
    if (!olm.clientId) {
-        logger.warn("Olm client ID not found");
+        logger.warn("[handleOlmRegisterMessage] Olm client ID not found");
        sendOlmError(OlmErrorCodes.CLIENT_ID_NOT_FOUND, olm.olmId);
        return;
    }
-    logger.debug("Handling fingerprint insertion for olm register...", {
+    logger.debug(
        "[handleOlmRegisterMessage] Handling fingerprint insertion for olm register...",
        {
            olmId: olm.olmId,
            fingerprint,
            postures
-    });
+        }
    );
    const isUserDevice = olm.userId !== null && olm.userId !== undefined;
@@ -85,14 +88,17 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        .limit(1);
    if (!client) {
-        logger.warn("Client ID not found");
+        logger.warn("[handleOlmRegisterMessage] Client not found", {
            clientId: olm.clientId
        });
        sendOlmError(OlmErrorCodes.CLIENT_NOT_FOUND, olm.olmId);
        return;
    }
    if (client.blocked) {
        logger.debug(
-            `Client ${client.clientId} is blocked. Ignoring register.`
+            `[handleOlmRegisterMessage] Client ${client.clientId} is blocked. Ignoring register.`,
            { orgId: client.orgId }
        );
        sendOlmError(OlmErrorCodes.CLIENT_BLOCKED, olm.olmId);
        return;
@@ -100,7 +106,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    if (client.approvalState == "pending") {
        logger.debug(
-            `Client ${client.clientId} approval is pending. Ignoring register.`
+            `[handleOlmRegisterMessage] Client ${client.clientId} approval is pending. Ignoring register.`,
            { orgId: client.orgId }
        );
        sendOlmError(OlmErrorCodes.CLIENT_PENDING, olm.olmId);
        return;
@@ -128,14 +135,18 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        .limit(1);
    if (!org) {
-        logger.warn("Org not found");
+        logger.warn("[handleOlmRegisterMessage] Org not found", {
            orgId: client.orgId
        });
        sendOlmError(OlmErrorCodes.ORG_NOT_FOUND, olm.olmId);
        return;
    }
    if (orgId) {
        if (!olm.userId) {
-            logger.warn("Olm has no user ID");
+            logger.warn("[handleOlmRegisterMessage] Olm has no user ID", {
                orgId: client.orgId
            });
            sendOlmError(OlmErrorCodes.USER_ID_NOT_FOUND, olm.olmId);
            return;
        }
@@ -143,12 +154,18 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        const { session: userSession, user } =
            await validateSessionToken(userToken);
        if (!userSession || !user) {
-            logger.warn("Invalid user session for olm register");
+            logger.warn(
                "[handleOlmRegisterMessage] Invalid user session for olm register",
                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.INVALID_USER_SESSION, olm.olmId);
            return;
        }
        if (user.userId !== olm.userId) {
-            logger.warn("User ID mismatch for olm register");
+            logger.warn(
                "[handleOlmRegisterMessage] User ID mismatch for olm register",
                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.USER_ID_MISMATCH, olm.olmId);
            return;
        }
@@ -163,11 +180,15 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            sessionId // this is the user token passed in the message
        });
-        logger.debug("Policy check result:", policyCheck);
+        logger.debug("[handleOlmRegisterMessage] Policy check result", {
            orgId: client.orgId,
            policyCheck
        });
        if (policyCheck?.error) {
            logger.error(
-                `Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`
+                `[handleOlmRegisterMessage] Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`,
                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
            return;
@@ -175,7 +196,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        if (policyCheck.policies?.passwordAge?.compliant === false) {
            logger.warn(
-                `Olm user ${olm.userId} has non-compliant password age for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant password age for org ${orgId}`,
                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_PASSWORD_EXPIRED,
@@ -186,7 +208,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            policyCheck.policies?.maxSessionLength?.compliant === false
        ) {
            logger.warn(
-                `Olm user ${olm.userId} has non-compliant session length for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant session length for org ${orgId}`,
                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_SESSION_EXPIRED,
@@ -195,7 +218,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        } else if (policyCheck.policies?.requiredTwoFactor === false) {
            logger.warn(
-                `Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`,
                { orgId: client.orgId }
            );
            sendOlmError(
                OlmErrorCodes.ORG_ACCESS_POLICY_2FA_REQUIRED,
@@ -204,7 +228,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        } else if (!policyCheck.allowed) {
            logger.warn(
-                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
+                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`,
                { orgId: client.orgId }
            );
            sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
            return;
@@ -226,29 +251,39 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
    // Prepare an array to store site configurations
-    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
+    logger.debug(
        `[handleOlmRegisterMessage] Found ${sitesCount} sites for client ${client.clientId}`,
        { orgId: client.orgId }
    );
    let jitMode = false;
    if (sitesCount > 250 && build == "saas") {
        // THIS IS THE MAX ON THE BUSINESS TIER
        // we have too many sites
        // If we have too many sites we need to drop into fully JIT mode by not sending any of the sites
-        logger.info("Too many sites (%d), dropping into JIT mode", sitesCount);
+        logger.info(
            `[handleOlmRegisterMessage] Too many sites (${sitesCount}), dropping into JIT mode`,
            { orgId: client.orgId }
        );
        jitMode = true;
    }
    logger.debug(
-        `Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`
+        `[handleOlmRegisterMessage] Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`,
        { orgId: client.orgId }
    );
    if (!publicKey) {
-        logger.warn("Public key not provided");
+        logger.warn("[handleOlmRegisterMessage] Public key not provided", {
            orgId: client.orgId
        });
        return;
    }
    if (client.pubKey !== publicKey || client.archived) {
        logger.info(
-            "Public key mismatch. Updating public key and clearing session info..."
+            "[handleOlmRegisterMessage] Public key mismatch. Updating public key and clearing session info...",
            { orgId: client.orgId }
        );
        // Update the client's public key
        await db
@@ -274,7 +309,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
    // TODO: I still think there is a better way to do this rather than locking it out here but ???
    if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
        logger.warn(
-            `Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
+            `[handleOlmRegisterMessage] Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`,
            { orgId: client.orgId }
        );
        return;
    }
--- a/server/routers/remoteExitNode/types.ts
+++ b/server/routers/remoteExitNode/types.ts
@@ -21,6 +21,7 @@ export type ListRemoteExitNodesResponse = {
        remoteExitNodeId: string;
        dateCreated: string;
        version: string | null;
        updateAvailable?: boolean;
        exitNodeId: number | null;
        name: string;
        address: string;
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -151,6 +151,8 @@ export async function getUserResources(
            destination: string;
            mode: string;
            scheme: string | null;
            ssl: boolean;
            fullDomain: string | null;
            enabled: boolean;
            alias: string | null;
            aliasAddress: string | null;
@@ -164,6 +166,8 @@ export async function getUserResources(
                    destination: siteResources.destination,
                    mode: siteResources.mode,
                    scheme: siteResources.scheme,
                    ssl: siteResources.ssl,
                    fullDomain: siteResources.fullDomain,
                    enabled: siteResources.enabled,
                    alias: siteResources.alias,
                    aliasAddress: siteResources.aliasAddress
@@ -251,6 +255,8 @@ export async function getUserResources(
                destination: siteResource.destination,
                mode: siteResource.mode,
                protocol: siteResource.scheme,
                ssl: siteResource.ssl,
                fullDomain: siteResource.fullDomain,
                enabled: siteResource.enabled,
                alias: siteResource.alias,
                aliasAddress: siteResource.aliasAddress,
@@ -296,6 +302,8 @@ export type GetUserResourcesResponse = {
            destination: string;
            mode: string;
            protocol: string | null;
            ssl: boolean;
            fullDomain: string | null;
            enabled: boolean;
            alias: string | null;
            aliasAddress: string | null;
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -152,7 +152,7 @@ export type ResourceWithTargets = {
        siteId: number;
        siteName: string;
        siteNiceId: string;
-        online: boolean;
+        online?: boolean; // undefined for local sites
    }>;
 };
@@ -383,12 +383,8 @@ export async function listResources(
                .select({ resourceId: targets.resourceId })
                .from(targets)
                .innerJoin(sites, eq(targets.siteId, sites.siteId))
-                .where(
+                .where(and(eq(sites.orgId, orgId), eq(sites.siteId, siteId)));
-                    and(eq(sites.orgId, orgId), eq(sites.siteId, siteId))
+            conditions.push(inArray(resources.resourceId, resourcesWithSite));
                );
            conditions.push(
                inArray(resources.resourceId, resourcesWithSite)
            );
        }
        const baseQuery = queryResourcesBase().where(and(...conditions));
@@ -426,7 +422,8 @@ export async function listResources(
                          hcEnabled: targetHealthCheck.hcEnabled,
                          siteName: sites.name,
                          siteNiceId: sites.niceId,
-                          siteOnline: sites.online
+                          siteOnline: sites.online,
                          siteType: sites.type
                      })
                      .from(targets)
                      .where(inArray(targets.resourceId, resourceIdList))
@@ -481,18 +478,19 @@ export async function listResources(
                    siteId: number;
                    siteName: string;
                    siteNiceId: string;
-                    online: boolean;
+                    online?: boolean;
                }
            >();
            for (const t of raw) {
                if (typeof t.siteId !== "number" || siteById.has(t.siteId)) {
                    continue;
                }
                const isLocal = t.siteType === "local";
                siteById.set(t.siteId, {
                    siteId: t.siteId,
                    siteName: t.siteName ?? "",
                    siteNiceId: t.siteNiceId ?? "",
-                    online: Boolean(t.siteOnline)
+                    online: isLocal ? undefined : Boolean(t.siteOnline)
                });
            }
            entry.sites = Array.from(siteById.values());
--- a/server/routers/site/getSite.ts
+++ b/server/routers/site/getSite.ts
@@ -42,9 +42,12 @@ async function query(siteId?: number, niceId?: string, orgId?: string) {
    }
 }
-export type GetSiteResponse = NonNullable<
+type SiteQueryRow = NonNullable<Awaited<ReturnType<typeof query>>>;
-    Awaited<ReturnType<typeof query>>
+
->["sites"] & { newtId: string | null };
+export type GetSiteResponse = SiteQueryRow["sites"] & {
    newtId: string | null;
    newtVersion: string | null;
 };
 registry.registerPath({
    method: "get",
@@ -100,7 +103,8 @@ export async function getSite(
        const data: GetSiteResponse = {
            ...site.sites,
-            newtId: site.newt ? site.newt.newtId : null
+            newtId: site.newt ? site.newt.newtId : null,
            newtVersion: site.newt?.version ?? null
        };
        return response<GetSiteResponse>(res, {
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -31,7 +31,9 @@ let staleNewtVersion: string | null = null;
 async function getLatestNewtVersion(): Promise<string | null> {
    try {
-        const cachedVersion = await cache.get<string>("cache:latestNewtVersion");
+        const cachedVersion = await cache.get<string>(
            "cache:latestNewtVersion"
        );
        if (cachedVersion) {
            return cachedVersion;
        }
@@ -226,7 +228,10 @@ function querySitesBase() {
        );
 }
-type SiteWithUpdateAvailable = Awaited<ReturnType<typeof querySitesBase>>[0] & {
+type SiteRowBase = Awaited<ReturnType<typeof querySitesBase>>[0];
 type SiteWithUpdateAvailable = Omit<SiteRowBase, "online"> & {
    online?: SiteRowBase["online"]; // undefined for local sites
    newtUpdateAvailable?: boolean;
 };
@@ -338,7 +343,9 @@ export async function listSites(
        // we need to add `as` so that drizzle filters the result as a subquery
        const countQuery = db.$count(
-            querySitesBase().where(and(...conditions)).as("filtered_sites")
+            querySitesBase()
                .where(and(...conditions))
                .as("filtered_sites")
        );
        const siteListQuery = baseQuery
@@ -397,9 +404,13 @@ export async function listSites(
            );
        }
        const sitesPayload = sitesWithUpdates.map((site) =>
            site.type === "local" ? { ...site, online: undefined } : site
        );
        return response<ListSitesResponse>(res, {
            data: {
-                sites: sitesWithUpdates,
+                sites: sitesPayload,
                pagination: {
                    total: totalCount,
                    pageSize,
--- a/server/routers/siteResource/batchAddClientToSiteResources.ts
+++ b/server/routers/siteResource/batchAddClientToSiteResources.ts
@@ -5,7 +5,8 @@ import {
    clients,
    clientSiteResources,
    siteResources,
-    apiKeyOrg
+    apiKeyOrg,
    primaryDb
 } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -220,8 +221,12 @@ export async function batchAddClientToSiteResources(
                    siteResourceId: siteResource.siteResourceId
                });
            }
        });
-            await rebuildClientAssociationsFromClient(client, trx);
+        rebuildClientAssociationsFromClient(client, primaryDb).catch((e) => {
            logger.error(
                `Failed to rebuild client associations after batch adding site resources for client ${clientId}: ${e}`
            );
        });
        return response(res, {
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -10,7 +10,8 @@ import {
    SiteResource,
    siteResources,
    sites,
-    userSiteResources
+    userSiteResources,
    primaryDb
 } from "@server/db";
 import { getUniqueSiteResourceName } from "@server/db/names";
 import {
@@ -46,7 +47,7 @@ const createSiteResourceSchema = z
        mode: z.enum(["host", "cidr", "http"]),
        ssl: z.boolean().optional(), // only used for http mode
        scheme: z.enum(["http", "https"]).optional(),
-        siteIds: z.array(z.int()),
+        siteIds: z.array(z.int()).optional(),
        siteId: z.number().int().positive().optional(), // DEPRECATED: for backward compatibility, we will convert this to siteIds array if provided
        // proxyPort: z.int().positive().optional(),
        destinationPort: z.int().positive().optional(),
@@ -74,7 +75,6 @@ const createSiteResourceSchema = z
    .refine(
        (data) => {
            if (data.mode === "host") {
                if (data.mode == "host") {
                // Check if it's a valid IP address using zod (v4 or v6)
                const isValidIP = z
                    // .union([z.ipv4(), z.ipv6()])
@@ -84,7 +84,6 @@ const createSiteResourceSchema = z
                if (isValidIP) {
                    return true;
                }
                }
                // Check if it's a valid domain (hostname pattern, TLD not required)
                const domainRegex =
@@ -96,17 +95,12 @@ const createSiteResourceSchema = z
                    data.alias.trim() !== "";
                return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
            } else if (data.mode === "http") {
                // we have to have a domainId defined
                if (!data.domainId) {
                    return false;
                }
-            return true;
+            } else if (data.mode === "cidr") {
        },
        {
            message:
                "Destination must be a valid IPV4 address or valid domain AND alias is required"
        }
    )
    .refine(
        (data) => {
            if (data.mode === "cidr") {
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
@@ -116,7 +110,8 @@ const createSiteResourceSchema = z
            return true;
        },
        {
-            message: "Destination must be a valid CIDR notation for cidr mode"
+            message:
                "Destination must be a valid IPV4 address or valid domain AND alias is required"
        }
    )
    .refine(
@@ -133,6 +128,17 @@ const createSiteResourceSchema = z
            message:
                "HTTP mode requires scheme (http or https) and a valid destination port"
        }
    )
    .refine(
        (data) => {
            return (
                (data.siteIds !== undefined && data.siteIds.length > 0) ||
                data.siteId !== undefined
            );
        },
        {
            message: "At least one of siteIds or siteId must be provided"
        }
    );
 export type CreateSiteResourceBody = z.infer<typeof createSiteResourceSchema>;
@@ -188,7 +194,7 @@ export async function createSiteResource(
        const {
            name,
            niceId,
-            siteIds: siteIdsInput,
+            siteIds: siteIdsInput = [],
            siteId,
            mode,
            scheme,
@@ -485,11 +491,6 @@ export async function createSiteResource(
                    );
                }
            }
            await rebuildClientAssociationsFromSiteResource(
                newSiteResource,
                trx
            ); // we need to call this because we added to the admin role
        });
        if (!newSiteResource) {
@@ -515,6 +516,20 @@ export async function createSiteResource(
            await createCertificate(domainId, fullDomain, db);
        }
        // Run in the background after the response is sent. Wrapped in its
        // own transaction so it always executes on the primary — avoiding any
        // replica-lag issues while still allowing the HTTP response to return
        // early.
        rebuildClientAssociationsFromSiteResource(
            newSiteResource!,
            primaryDb
        ).catch((err) => {
            logger.error(
                `Error rebuilding client associations for site resource ${newSiteResource!.siteResourceId}:`,
                err
            );
        });
        return response(res, {
            data: newSiteResource,
            success: true,
--- a/server/routers/siteResource/deleteSiteResource.ts
+++ b/server/routers/siteResource/deleteSiteResource.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, newts, sites } from "@server/db";
+import { db, newts, primaryDb, sites } from "@server/db";
 import { siteResources } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -63,16 +63,23 @@ export async function deleteSiteResource(
            );
        }
        await db.transaction(async (trx) => {
        // Delete the site resource
-            const [removedSiteResource] = await trx
+        const [removedSiteResource] = await db
            .delete(siteResources)
            .where(eq(siteResources.siteResourceId, siteResourceId))
            .returning();
-            await rebuildClientAssociationsFromSiteResource(
+        // Run in the background after the response is sent. Wrapped in its
        // own transaction so it always executes on the primary — avoiding any
        // replica-lag issues while still allowing the HTTP response to return
        // early.
        rebuildClientAssociationsFromSiteResource(
            removedSiteResource,
-                trx
+            primaryDb
        ).catch((err) => {
            logger.error(
                `Error rebuilding client associations for site resource ${removedSiteResource!.siteResourceId}:`,
                err
            );
        });
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -43,7 +43,7 @@ const updateSiteResourceParamsSchema = z.strictObject({
 const updateSiteResourceSchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        siteIds: z.array(z.int()),
+        siteIds: z.array(z.int()).optional(),
        siteId: z.int().positive().optional(),
        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
        niceId: z
@@ -104,6 +104,17 @@ const updateSiteResourceSchema = z
                    data.alias.trim() !== "";
                return isValidDomain && isValidAlias; // require the alias to be set in the case of domain
            } else if (data.mode === "cidr" && data.destination) {
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
                    .safeParse(data.destination).success;
                return isValidCIDR;
            } else if (data.mode === "http") {
                // we have to have a domainId defined
                if (!data.domainId) {
                    return false;
                }
            }
            return true;
        },
@@ -112,21 +123,6 @@ const updateSiteResourceSchema = z
                "Destination must be a valid IP address or valid domain AND alias is required"
        }
    )
    .refine(
        (data) => {
            if (data.mode === "cidr" && data.destination) {
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
                    .safeParse(data.destination).success;
                return isValidCIDR;
            }
            return true;
        },
        {
            message: "Destination must be a valid CIDR notation for cidr mode"
        }
    )
    .refine(
        (data) => {
            if (data.mode !== "http") return true;
@@ -143,6 +139,17 @@ const updateSiteResourceSchema = z
            message:
                "HTTP mode requires scheme (http or https) and a valid destination port"
        }
    )
    .refine(
        (data) => {
            return (
                (data.siteIds !== undefined && data.siteIds.length > 0) ||
                data.siteId !== undefined
            );
        },
        {
            message: "At least one of siteIds or siteId must be provided"
        }
    );
 export type UpdateSiteResourceBody = z.infer<typeof updateSiteResourceSchema>;
@@ -197,7 +204,7 @@ export async function updateSiteResource(
        const { siteResourceId } = parsedParams.data;
        const {
            name,
-            siteIds: siteIdsInput, // because it can change
+            siteIds: siteIdsInput = [], // because it can change
            siteId,
            niceId,
            mode,
@@ -420,9 +427,6 @@ export async function updateSiteResource(
                    })
                    .returning();
                // wait some time to allow for messages to be handled
                await new Promise((resolve) => setTimeout(resolve, 750));
                const sshPamSet =
                    isLicensedSshPam &&
                    (authDaemonPort !== undefined ||
@@ -545,11 +549,6 @@ export async function updateSiteResource(
                        }))
                    );
                }
                await rebuildClientAssociationsFromSiteResource(
                    updatedSiteResource,
                    trx
                );
            } else {
                // Update the site resource
                const sshPamSet =
@@ -679,7 +678,24 @@ export async function updateSiteResource(
                }
                logger.info(`Updated site resource ${siteResourceId}`);
            }
        });
        // Background: wait for removal messages to propagate, then rebuild
        // associations for the re-created resource. Own transaction ensures
        // execution on the primary against fully committed state.
        (async () => {
            await db.transaction(async (trx) => {
                if (!updatedSiteResource) {
                    throw new Error("No updated resource found after update");
                }
                if (sitesChanged) {
                    await new Promise((resolve) => setTimeout(resolve, 750));
                    await rebuildClientAssociationsFromSiteResource(
                        updatedSiteResource,
                        trx
                    );
                }
                await handleMessagingForUpdatedSiteResource(
                    existingSiteResource,
                    updatedSiteResource,
@@ -689,7 +705,12 @@ export async function updateSiteResource(
                    })),
                    trx
                );
-            }
+            });
        })().catch((err) => {
            logger.error(
                `Error rebuilding client associations for site resource ${updatedSiteResource?.siteResourceId}:`,
                err
            );
        });
        return response(res, {
--- a/server/routers/target/createTarget.ts
+++ b/server/routers/target/createTarget.ts
@@ -23,7 +23,7 @@ import {
    fireHealthCheckHealthyAlert,
    fireHealthCheckUnhealthyAlert,
    fireHealthCheckUnknownAlert
-} from "#dynamic/lib/alerts";
+} from "@server/lib/alerts";
 const createTargetParamsSchema = z.strictObject({
    resourceId: z.string().transform(Number).pipe(z.int().positive())
--- a/Show More
+++ b/Show More