Bump the prod-patch-updates group across 1 directory with 7 updates

Bumps the prod-patch-updates group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@asteasolutions/zod-to-openapi](https://github.com/asteasolutions/zod-to-openapi) | `8.4.0` | `8.4.1` | | [@react-email/components](https://github.com/resend/react-email/tree/HEAD/packages/components) | `1.0.7` | `1.0.8` | | [@react-email/tailwind](https://github.com/resend/react-email/tree/HEAD/packages/tailwind) | `2.0.4` | `2.0.5` | | [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server) | `13.2.2` | `13.2.3` | | [glob](https://github.com/isaacs/node-glob) | `13.0.3` | `13.0.6` | | [next-intl](https://github.com/amannn/next-intl) | `4.8.2` | `4.8.3` | | [react-hook-form](https://github.com/react-hook-form/react-hook-form) | `7.71.1` | `7.71.2` | Updates `@asteasolutions/zod-to-openapi` from 8.4.0 to 8.4.1 - [Release notes](https://github.com/asteasolutions/zod-to-openapi/releases) - [Commits](https://github.com/asteasolutions/zod-to-openapi/compare/v8.4.0...v8.4.1) Updates `@react-email/components` from 1.0.7 to 1.0.8 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/components/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/components@1.0.8/packages/components) Updates `@react-email/tailwind` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/tailwind/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/tailwind@2.0.5/packages/tailwind) Updates `@simplewebauthn/server` from 13.2.2 to 13.2.3 - [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases) - [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md) - [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.2.3/packages/server) Updates `glob` from 13.0.3 to 13.0.6 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](https://github.com/isaacs/node-glob/compare/v13.0.3...v13.0.6) Updates `next-intl` from 4.8.2 to 4.8.3 - [Release notes](https://github.com/amannn/next-intl/releases) - [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md) - [Commits](https://github.com/amannn/next-intl/compare/v4.8.2...v4.8.3) Updates `react-hook-form` from 7.71.1 to 7.71.2 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.71.1...v7.71.2) --- updated-dependencies: - dependency-name: "@asteasolutions/zod-to-openapi" dependency-version: 8.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@react-email/components" dependency-version: 1.0.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@react-email/tailwind" dependency-version: 2.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@simplewebauthn/server" dependency-version: 13.2.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: glob dependency-version: 13.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: next-intl dependency-version: 4.8.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: react-hook-form dependency-version: 7.71.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>
Fix orgid issue when regen credentials
2026-02-25 14:26:39 +00:00 · 2026-02-25 01:37:31 +00:00 · 2026-02-24 14:26:10 -08:00 · 2026-02-23 22:01:11 -08:00 · 2026-02-23 16:39:39 -08:00 · 2026-02-22 22:05:02 -08:00
81 changed files with 967 additions and 1342 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "SEE LICENSE IN LICENSE AND README.md",
            "dependencies": {
-                "@asteasolutions/zod-to-openapi": "8.4.0",
+                "@asteasolutions/zod-to-openapi": "8.4.1",
                "@aws-sdk/client-s3": "3.989.0",
                "@faker-js/faker": "10.3.0",
                "@headlessui/react": "2.2.9",
@@ -36,11 +36,11 @@
                "@radix-ui/react-tabs": "1.1.13",
                "@radix-ui/react-toast": "1.2.15",
                "@radix-ui/react-tooltip": "1.2.8",
-                "@react-email/components": "1.0.7",
+                "@react-email/components": "1.0.8",
                "@react-email/render": "2.0.4",
-                "@react-email/tailwind": "2.0.4",
+                "@react-email/tailwind": "2.0.5",
                "@simplewebauthn/browser": "13.2.2",
-                "@simplewebauthn/server": "13.2.2",
+                "@simplewebauthn/server": "13.2.3",
                "@tailwindcss/forms": "0.5.11",
                "@tanstack/react-query": "5.90.21",
                "@tanstack/react-table": "8.21.3",
@@ -58,7 +58,7 @@
                "drizzle-orm": "0.45.1",
                "express": "5.2.1",
                "express-rate-limit": "8.2.1",
-                "glob": "13.0.3",
+                "glob": "13.0.6",
                "helmet": "8.1.0",
                "http-errors": "2.0.1",
                "input-otp": "1.4.2",
@@ -70,7 +70,7 @@
                "maxmind": "5.0.5",
                "moment": "2.30.1",
                "next": "15.5.12",
-                "next-intl": "4.8.2",
+                "next-intl": "4.8.3",
                "next-themes": "0.4.6",
                "nextjs-toploader": "3.9.17",
                "node-cache": "5.1.2",
@@ -83,7 +83,7 @@
                "react-day-picker": "9.13.2",
                "react-dom": "19.2.4",
                "react-easy-sort": "1.8.0",
-                "react-hook-form": "7.71.1",
+                "react-hook-form": "7.71.2",
                "react-icons": "5.5.0",
                "recharts": "2.15.4",
                "reodotdev": "1.0.0",
@@ -179,9 +179,9 @@
            }
        },
        "node_modules/@asteasolutions/zod-to-openapi": {
-            "version": "8.4.0",
-            "resolved": "https://registry.npmjs.org/@asteasolutions/zod-to-openapi/-/zod-to-openapi-8.4.0.tgz",
-            "integrity": "sha512-Ckp971tmTw4pnv+o7iK85ldBHBKk6gxMaoNyLn3c2Th/fKoTG8G3jdYuOanpdGqwlDB0z01FOjry2d32lfTqrA==",
+            "version": "8.4.1",
+            "resolved": "https://registry.npmjs.org/@asteasolutions/zod-to-openapi/-/zod-to-openapi-8.4.1.tgz",
+            "integrity": "sha512-WmJUsFINbnWxGvHSd16aOjgKf+5GsfdxruO2YDLcgplsidakCauik1lhlk83YDH06265Yd1XtUyF24o09uygpw==",
            "license": "MIT",
            "dependencies": {
                "openapi3-ts": "^4.1.2"
@@ -1086,7 +1086,6 @@
            "integrity": "sha512-vMqyb7XCDMPvJFFOaT9kxtiRh42GwlZEg1/uIgtZshS5a/8OaduUfCi7kynKgc3Tw/6Uo2D+db9qBttghhmxwQ==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@ampproject/remapping": "^2.2.0",
                "@babel/code-frame": "^7.26.2",
@@ -2662,16 +2661,6 @@
                "tslib": "^2.8.1"
            }
        },
-        "node_modules/@formatjs/ecma402-abstract/node_modules/@formatjs/intl-localematcher": {
-            "version": "0.8.1",
-            "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.1.tgz",
-            "integrity": "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA==",
-            "license": "MIT",
-            "dependencies": {
-                "@formatjs/fast-memoize": "3.1.0",
-                "tslib": "^2.8.1"
-            }
-        },
        "node_modules/@formatjs/fast-memoize": {
            "version": "3.1.0",
            "resolved": "https://registry.npmjs.org/@formatjs/fast-memoize/-/fast-memoize-3.1.0.tgz",
@@ -2703,12 +2692,13 @@
            }
        },
        "node_modules/@formatjs/intl-localematcher": {
-            "version": "0.5.10",
-            "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.5.10.tgz",
-            "integrity": "sha512-af3qATX+m4Rnd9+wHcjJ4w2ijq+rAVP3CCinJQvFv1kgSu1W6jypUmvleJxcewdxmutM8dmIRZFxO/IQBZmP2Q==",
+            "version": "0.8.1",
+            "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.1.tgz",
+            "integrity": "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA==",
            "license": "MIT",
            "dependencies": {
-                "tslib": "2"
+                "@formatjs/fast-memoize": "3.1.0",
+                "tslib": "^2.8.1"
            }
        },
        "node_modules/@headlessui/react": {
@@ -2818,7 +2808,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2841,7 +2830,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -2864,7 +2852,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2881,7 +2868,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2898,7 +2884,6 @@
            "cpu": [
                "arm"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2915,7 +2900,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2932,7 +2916,6 @@
            "cpu": [
                "ppc64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2949,7 +2932,6 @@
            "cpu": [
                "s390x"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2966,7 +2948,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -2983,7 +2964,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3000,7 +2980,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3017,7 +2996,6 @@
            "cpu": [
                "arm"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3040,7 +3018,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3063,7 +3040,6 @@
            "cpu": [
                "ppc64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3086,7 +3062,6 @@
            "cpu": [
                "s390x"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3109,7 +3084,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3132,7 +3106,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3155,7 +3128,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0",
            "optional": true,
            "os": [
@@ -3178,7 +3150,6 @@
            "cpu": [
                "wasm32"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
            "optional": true,
            "dependencies": {
@@ -3198,7 +3169,6 @@
            "cpu": [
                "arm64"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3218,7 +3188,6 @@
            "cpu": [
                "ia32"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3238,7 +3207,6 @@
            "cpu": [
                "x64"
            ],
-            "dev": true,
            "license": "Apache-2.0 AND LGPL-3.0-or-later",
            "optional": true,
            "os": [
@@ -3284,6 +3252,7 @@
            "version": "9.0.0",
            "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-9.0.0.tgz",
            "integrity": "sha512-AokJm4tuBHillT+FpMtxQ60n8ObyXBatq7jD2/JA9dxbDDokKQm8KMht5ibGzLVU9IJDIKK4TPKgMHEYMn3lMg==",
+            "dev": true,
            "engines": {
                "node": ">=18"
            }
@@ -3520,7 +3489,6 @@
            "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": "^14.21.3 || >=16"
            },
@@ -4505,92 +4473,92 @@
            }
        },
        "node_modules/@peculiar/asn1-cms": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.6.0.tgz",
-            "integrity": "sha512-2uZqP+ggSncESeUF/9Su8rWqGclEfEiz1SyU02WX5fUONFfkjzS2Z/F1Li0ofSmf4JqYXIOdCAZqIXAIBAT1OA==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.6.1.tgz",
+            "integrity": "sha512-vdG4fBF6Lkirkcl53q6eOdn3XYKt+kJTG59edgRZORlg/3atWWEReRCx5rYE1ZzTTX6vLK5zDMjHh7vbrcXGtw==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
-                "@peculiar/asn1-x509-attr": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
+                "@peculiar/asn1-x509-attr": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-csr": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.6.0.tgz",
-            "integrity": "sha512-BeWIu5VpTIhfRysfEp73SGbwjjoLL/JWXhJ/9mo4vXnz3tRGm+NGm3KNcRzQ9VMVqwYS2RHlolz21svzRXIHPQ==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-csr/-/asn1-csr-2.6.1.tgz",
+            "integrity": "sha512-WRWnKfIocHyzFYQTka8O/tXCiBquAPSrRjXbOkHbO4qdmS6loffCEGs+rby6WxxGdJCuunnhS2duHURhjyio6w==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-ecc": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.6.0.tgz",
-            "integrity": "sha512-FF3LMGq6SfAOwUG2sKpPXblibn6XnEIKa+SryvUl5Pik+WR9rmRA3OCiwz8R3lVXnYnyRkSZsSLdml8H3UiOcw==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-ecc/-/asn1-ecc-2.6.1.tgz",
+            "integrity": "sha512-+Vqw8WFxrtDIN5ehUdvlN2m73exS2JVG0UAyfVB31gIfor3zWEAQPD+K9ydCxaj3MLen9k0JhKpu9LqviuCE1g==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-pfx": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.6.0.tgz",
-            "integrity": "sha512-rtUvtf+tyKGgokHHmZzeUojRZJYPxoD/jaN1+VAB4kKR7tXrnDCA/RAWXAIhMJJC+7W27IIRGe9djvxKgsldCQ==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pfx/-/asn1-pfx-2.6.1.tgz",
+            "integrity": "sha512-nB5jVQy3MAAWvq0KY0R2JUZG8bO/bTLpnwyOzXyEh/e54ynGTatAR+csOnXkkVD9AFZ2uL8Z7EV918+qB1qDvw==",
            "license": "MIT",
            "dependencies": {
-                "@peculiar/asn1-cms": "^2.6.0",
-                "@peculiar/asn1-pkcs8": "^2.6.0",
-                "@peculiar/asn1-rsa": "^2.6.0",
+                "@peculiar/asn1-cms": "^2.6.1",
+                "@peculiar/asn1-pkcs8": "^2.6.1",
+                "@peculiar/asn1-rsa": "^2.6.1",
                "@peculiar/asn1-schema": "^2.6.0",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-pkcs8": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.6.0.tgz",
-            "integrity": "sha512-KyQ4D8G/NrS7Fw3XCJrngxmjwO/3htnA0lL9gDICvEQ+GJ+EPFqldcJQTwPIdvx98Tua+WjkdKHSC0/Km7T+lA==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs8/-/asn1-pkcs8-2.6.1.tgz",
+            "integrity": "sha512-JB5iQ9Izn5yGMw3ZG4Nw3Xn/hb/G38GYF3lf7WmJb8JZUydhVGEjK/ZlFSWhnlB7K/4oqEs8HnfFIKklhR58Tw==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-pkcs9": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.6.0.tgz",
-            "integrity": "sha512-b78OQ6OciW0aqZxdzliXGYHASeCvvw5caqidbpQRYW2mBtXIX2WhofNXTEe7NyxTb0P6J62kAAWLwn0HuMF1Fw==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-pkcs9/-/asn1-pkcs9-2.6.1.tgz",
+            "integrity": "sha512-5EV8nZoMSxeWmcxWmmcolg22ojZRgJg+Y9MX2fnE2bGRo5KQLqV5IL9kdSQDZxlHz95tHvIq9F//bvL1OeNILw==",
            "license": "MIT",
            "dependencies": {
-                "@peculiar/asn1-cms": "^2.6.0",
-                "@peculiar/asn1-pfx": "^2.6.0",
-                "@peculiar/asn1-pkcs8": "^2.6.0",
+                "@peculiar/asn1-cms": "^2.6.1",
+                "@peculiar/asn1-pfx": "^2.6.1",
+                "@peculiar/asn1-pkcs8": "^2.6.1",
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
-                "@peculiar/asn1-x509-attr": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
+                "@peculiar/asn1-x509-attr": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/asn1-rsa": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.6.0.tgz",
-            "integrity": "sha512-Nu4C19tsrTsCp9fDrH+sdcOKoVfdfoQQ7S3VqjJU6vedR7tY3RLkQ5oguOIB3zFW33USDUuYZnPEQYySlgha4w==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-rsa/-/asn1-rsa-2.6.1.tgz",
+            "integrity": "sha512-1nVMEh46SElUt5CB3RUTV4EG/z7iYc7EoaDY5ECwganibQPkZ/Y2eMsTKB/LeyrUJ+W/tKoD9WUqIy8vB+CEdA==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
@@ -4607,9 +4575,9 @@
            }
        },
        "node_modules/@peculiar/asn1-x509": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.6.0.tgz",
-            "integrity": "sha512-uzYbPEpoQiBoTq0/+jZtpM6Gq6zADBx+JNFP3yqRgziWBxQ/Dt/HcuvRfm9zJTPdRcBqPNdaRHTVwpyiq6iNMA==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509/-/asn1-x509-2.6.1.tgz",
+            "integrity": "sha512-O9jT5F1A2+t3r7C4VT7LYGXqkGLK7Kj1xFpz7U0isPrubwU5PbDoyYtx6MiGst29yq7pXN5vZbQFKRCP+lLZlA==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
@@ -4619,21 +4587,21 @@
            }
        },
        "node_modules/@peculiar/asn1-x509-attr": {
-            "version": "2.6.0",
-            "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.6.0.tgz",
-            "integrity": "sha512-MuIAXFX3/dc8gmoZBkwJWxUWOSvG4MMDntXhrOZpJVMkYX+MYc/rUAU2uJOved9iJEoiUx7//3D8oG83a78UJA==",
+            "version": "2.6.1",
+            "resolved": "https://registry.npmjs.org/@peculiar/asn1-x509-attr/-/asn1-x509-attr-2.6.1.tgz",
+            "integrity": "sha512-tlW6cxoHwgcQghnJwv3YS+9OO1737zgPogZ+CgWRUK4roEwIPzRH4JEiG770xe5HX2ATfCpmX60gurfWIF9dcQ==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-schema": "^2.6.0",
-                "@peculiar/asn1-x509": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
                "asn1js": "^3.0.6",
                "tslib": "^2.8.1"
            }
        },
        "node_modules/@peculiar/x509": {
-            "version": "1.14.2",
-            "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.2.tgz",
-            "integrity": "sha512-r2w1Hg6pODDs0zfAKHkSS5HLkOLSeburtcgwvlLLWWCixw+MmW3U6kD5ddyvc2Y2YdbGuVwCF2S2ASoU1cFAag==",
+            "version": "1.14.3",
+            "resolved": "https://registry.npmjs.org/@peculiar/x509/-/x509-1.14.3.tgz",
+            "integrity": "sha512-C2Xj8FZ0uHWeCXXqX5B4/gVFQmtSkiuOolzAgutjTfseNOHT3pUjljDZsTSxXFGgio54bCzVFqmEOUrIVk8RDA==",
            "license": "MIT",
            "dependencies": {
                "@peculiar/asn1-cms": "^2.6.0",
@@ -4649,7 +4617,7 @@
                "tsyringe": "^4.10.0"
            },
            "engines": {
-                "node": ">=22.0.0"
+                "node": ">=20.0.0"
            }
        },
        "node_modules/@posthog/core": {
@@ -6959,9 +6927,9 @@
            }
        },
        "node_modules/@react-email/components": {
-            "version": "1.0.7",
-            "resolved": "https://registry.npmjs.org/@react-email/components/-/components-1.0.7.tgz",
-            "integrity": "sha512-mY+v4C1SMaGOKuKp0QWDQLGK+3fvH06ZE10EVavv+T6tQneDHq9cpQ9NdCrvuO1nWZnWrA/0tRpvyqyF0uo93w==",
+            "version": "1.0.8",
+            "resolved": "https://registry.npmjs.org/@react-email/components/-/components-1.0.8.tgz",
+            "integrity": "sha512-zY81ED6o5MWMzBkr9uZFuT24lWarT+xIbOZxI6C9dsFmCWBczM8IE1BgOI8rhpUK4JcYVDy1uKxYAFqsx2Bc4w==",
            "license": "MIT",
            "dependencies": {
                "@react-email/body": "0.2.1",
@@ -6982,7 +6950,7 @@
                "@react-email/render": "2.0.4",
                "@react-email/row": "0.0.13",
                "@react-email/section": "0.0.17",
-                "@react-email/tailwind": "2.0.4",
+                "@react-email/tailwind": "2.0.5",
                "@react-email/text": "0.1.6"
            },
            "engines": {
@@ -7888,9 +7856,9 @@
            }
        },
        "node_modules/@react-email/tailwind": {
-            "version": "2.0.4",
-            "resolved": "https://registry.npmjs.org/@react-email/tailwind/-/tailwind-2.0.4.tgz",
-            "integrity": "sha512-cDp8Ss6LJKI8zBLKE+tsXFurn6I2nnQNg1qqjfZuNPNoToN1Uyx3egW0bwSVk1JjrNWx/Xnme7ZxvNLRrU9K0Q==",
+            "version": "2.0.5",
+            "resolved": "https://registry.npmjs.org/@react-email/tailwind/-/tailwind-2.0.5.tgz",
+            "integrity": "sha512-7Ey+kiWliJdxPMCLYsdDts8ffp4idlP//w4Ui3q/A5kokVaLSNKG8DOg/8qAuzWmRiGwNQVOKBk7PXNlK5W+sg==",
            "license": "MIT",
            "dependencies": {
                "tailwindcss": "^4.1.18"
@@ -7950,7 +7918,6 @@
            "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
            "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=20.0.0"
            },
@@ -8028,19 +7995,19 @@
            "license": "MIT"
        },
        "node_modules/@simplewebauthn/server": {
-            "version": "13.2.2",
-            "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.2.2.tgz",
-            "integrity": "sha512-HcWLW28yTMGXpwE9VLx9J+N2KEUaELadLrkPEEI9tpI5la70xNEVEsu/C+m3u7uoq4FulLqZQhgBCzR9IZhFpA==",
+            "version": "13.2.3",
+            "resolved": "https://registry.npmjs.org/@simplewebauthn/server/-/server-13.2.3.tgz",
+            "integrity": "sha512-ZhcVBOw63birYx9jVfbhK6rTehckVes8PeWV324zpmdxr0BUfylospwMzcrxrdMcOi48MHWj2LCA+S528LnGvg==",
            "license": "MIT",
            "dependencies": {
                "@hexagon/base64": "^1.1.27",
                "@levischuck/tiny-cbor": "^0.2.2",
-                "@peculiar/asn1-android": "^2.3.10",
-                "@peculiar/asn1-ecc": "^2.3.8",
-                "@peculiar/asn1-rsa": "^2.3.8",
-                "@peculiar/asn1-schema": "^2.3.8",
-                "@peculiar/asn1-x509": "^2.3.8",
-                "@peculiar/x509": "^1.13.0"
+                "@peculiar/asn1-android": "^2.6.0",
+                "@peculiar/asn1-ecc": "^2.6.1",
+                "@peculiar/asn1-rsa": "^2.6.1",
+                "@peculiar/asn1-schema": "^2.6.0",
+                "@peculiar/asn1-x509": "^2.6.1",
+                "@peculiar/x509": "^1.14.3"
            },
            "engines": {
                "node": ">=20.0.0"
@@ -9369,7 +9336,6 @@
            "version": "5.90.21",
            "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
            "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
            "dependencies": {
                "@tanstack/query-core": "5.90.20"
            },
@@ -9485,7 +9451,6 @@
            "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/node": "*"
            }
@@ -9826,7 +9791,6 @@
            "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/body-parser": "*",
                "@types/express-serve-static-core": "^5.0.0",
@@ -9921,7 +9885,6 @@
            "resolved": "https://registry.npmjs.org/@types/node/-/node-25.2.3.tgz",
            "integrity": "sha512-m0jEgYlYz+mDJZ2+F4v8D1AyQb+QzsNqRuI7xg1VQX/KlKS0qT9r1Mo16yo5F/MtifXFgaofIFsdFMox2SxIbQ==",
            "devOptional": true,
-            "peer": true,
            "dependencies": {
                "undici-types": "~7.16.0"
            }
@@ -9949,7 +9912,6 @@
            "integrity": "sha512-RmhMd/wD+CF8Dfo+cVIy3RR5cl8CyfXQ0tGgW6XBL8L4LM/UTEbNXYRbLwU6w+CgrKBNbrQWt4FUtTfaU5jSYQ==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@types/node": "*",
                "pg-protocol": "*",
@@ -9975,7 +9937,6 @@
            "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
            "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
            "devOptional": true,
-            "peer": true,
            "dependencies": {
                "csstype": "^3.2.2"
            }
@@ -9986,7 +9947,6 @@
            "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "peerDependencies": {
                "@types/react": "^19.2.0"
            }
@@ -10073,7 +10033,8 @@
            "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
            "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
            "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
        },
        "node_modules/@types/ws": {
            "version": "8.18.1",
@@ -10144,7 +10105,6 @@
            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.55.0.tgz",
            "integrity": "sha512-4z2nCSBfVIMnbuu8uinj+f0o4qOeggYJLbjpPHka3KH1om7e+H9yLKTYgksTaHcGco+NClhhY2vyO3HsMH1RGw==",
            "dev": true,
-            "peer": true,
            "dependencies": {
                "@typescript-eslint/scope-manager": "8.55.0",
                "@typescript-eslint/types": "8.55.0",
@@ -10634,7 +10594,6 @@
            "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "bin": {
                "acorn": "bin/acorn"
            },
@@ -11099,7 +11058,6 @@
            "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
            "devOptional": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@babel/types": "^7.26.0"
            }
@@ -11166,7 +11124,6 @@
            "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
            "hasInstallScript": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "bindings": "^1.5.0",
                "prebuild-install": "^7.1.1"
@@ -11293,7 +11250,6 @@
                }
            ],
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "baseline-browser-mapping": "^2.9.0",
                "caniuse-lite": "^1.0.30001759",
@@ -12247,7 +12203,6 @@
            "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
            "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
            "license": "ISC",
-            "peer": true,
            "engines": {
                "node": ">=12"
            }
@@ -12688,6 +12643,7 @@
            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.7.tgz",
            "integrity": "sha512-WhL/YuveyGXJaerVlMYGWhvQswa7myDG17P7Vu65EWC05o8vfeNbvNf4d/BOvH99+ZW+LlQsc1GDKMa1vNK6dw==",
            "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
            "optionalDependencies": {
                "@types/trusted-types": "^2.0.7"
            }
@@ -13801,7 +13757,6 @@
            "dev": true,
            "hasInstallScript": true,
            "license": "MIT",
-            "peer": true,
            "bin": {
                "esbuild": "bin/esbuild"
            },
@@ -13900,7 +13855,6 @@
            "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.8.0",
                "@eslint-community/regexpp": "^4.12.1",
@@ -14086,7 +14040,6 @@
            "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
            "dev": true,
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@rtsao/scc": "^1.1.0",
                "array-includes": "^3.1.9",
@@ -14406,7 +14359,6 @@
            "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
            "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "accepts": "^2.0.0",
                "body-parser": "^2.2.1",
@@ -15063,16 +15015,17 @@
            "license": "MIT"
        },
        "node_modules/glob": {
-            "version": "13.0.3",
-            "resolved": "https://registry.npmjs.org/glob/-/glob-13.0.3.tgz",
-            "integrity": "sha512-/g3B0mC+4x724v1TgtBlBtt2hPi/EWptsIAmXUx9Z2rvBYleQcsrmaOzd5LyL50jf/Soi83ZDJmw2+XqvH/EeA==",
+            "version": "13.0.6",
+            "resolved": "https://registry.npmjs.org/glob/-/glob-13.0.6.tgz",
+            "integrity": "sha512-Wjlyrolmm8uDpm/ogGyXZXb1Z+Ca2B8NbJwqBVg0axK9GbBeoS7yGV6vjXnYdGm6X53iehEuxxbyiKp8QmN4Vw==",
+            "license": "BlueOak-1.0.0",
            "dependencies": {
-                "minimatch": "^10.2.0",
-                "minipass": "^7.1.2",
-                "path-scurry": "^2.0.0"
+                "minimatch": "^10.2.2",
+                "minipass": "^7.1.3",
+                "path-scurry": "^2.0.2"
            },
            "engines": {
-                "node": "20 || >=22"
+                "node": "18 || 20 || >=22"
            },
            "funding": {
                "url": "https://github.com/sponsors/isaacs"
@@ -15092,36 +15045,36 @@
            }
        },
        "node_modules/glob/node_modules/balanced-match": {
-            "version": "4.0.2",
-            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.2.tgz",
-            "integrity": "sha512-x0K50QvKQ97fdEz2kPehIerj+YTeptKF9hyYkKf6egnwmMWAkADiO0QCzSp0R5xN8FTZgYaBfSaue46Ej62nMg==",
-            "dependencies": {
-                "jackspeak": "^4.2.3"
-            },
+            "version": "4.0.4",
+            "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+            "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+            "license": "MIT",
            "engines": {
-                "node": "20 || >=22"
+                "node": "18 || 20 || >=22"
            }
        },
        "node_modules/glob/node_modules/brace-expansion": {
-            "version": "5.0.2",
-            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
-            "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
+            "version": "5.0.3",
+            "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.3.tgz",
+            "integrity": "sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==",
+            "license": "MIT",
            "dependencies": {
                "balanced-match": "^4.0.2"
            },
            "engines": {
-                "node": "20 || >=22"
+                "node": "18 || 20 || >=22"
            }
        },
        "node_modules/glob/node_modules/minimatch": {
-            "version": "10.2.0",
-            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.0.tgz",
-            "integrity": "sha512-ugkC31VaVg9cF0DFVoADH12k6061zNZkZON+aX8AWsR9GhPcErkcMBceb6znR8wLERM2AkkOxy2nWRLpT9Jq5w==",
+            "version": "10.2.3",
+            "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.3.tgz",
+            "integrity": "sha512-Rwi3pnapEqirPSbWbrZaa6N3nmqq4Xer/2XooiOKyV3q12ML06f7MOuc5DVH8ONZIFhwIYQ3yzPH4nt7iWHaTg==",
+            "license": "BlueOak-1.0.0",
            "dependencies": {
                "brace-expansion": "^5.0.2"
            },
            "engines": {
-                "node": "20 || >=22"
+                "node": "18 || 20 || >=22"
            },
            "funding": {
                "url": "https://github.com/sponsors/isaacs"
@@ -15389,9 +15342,9 @@
            }
        },
        "node_modules/icu-minify": {
-            "version": "4.8.2",
-            "resolved": "https://registry.npmjs.org/icu-minify/-/icu-minify-4.8.2.tgz",
-            "integrity": "sha512-LHBQV+skKkjZSPd590pZ7ZAHftUgda3eFjeuNwA8/15L8T8loCNBktKQyTlkodAU86KovFXeg/9WntlAo5wA5A==",
+            "version": "4.8.3",
+            "resolved": "https://registry.npmjs.org/icu-minify/-/icu-minify-4.8.3.tgz",
+            "integrity": "sha512-65Av7FLosNk7bPbmQx5z5XG2Y3T2GFppcjiXh4z1idHeVgQxlDpAmkGoYI0eFzAvrOnjpWTL5FmPDhsdfRMPEA==",
            "funding": [
                {
                    "type": "individual",
@@ -16028,6 +15981,7 @@
            "version": "4.2.3",
            "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-4.2.3.tgz",
            "integrity": "sha512-ykkVRwrYvFm1nb2AJfKKYPr0emF6IiXDYUaFx4Zn9ZuIH7MrzEZ3sD5RlqGXNRpHtvUHJyOnCEFxOlNDtGo7wg==",
+            "dev": true,
            "dependencies": {
                "@isaacs/cliui": "^9.0.0"
            },
@@ -16878,10 +16832,10 @@
            }
        },
        "node_modules/minipass": {
-            "version": "7.1.2",
-            "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
-            "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
-            "license": "ISC",
+            "version": "7.1.3",
+            "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz",
+            "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==",
+            "license": "BlueOak-1.0.0",
            "engines": {
                "node": ">=16 || 14 >=14.17"
            }
@@ -16916,6 +16870,7 @@
            "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
            "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
            "license": "MIT",
+            "peer": true,
            "dependencies": {
                "dompurify": "3.2.7",
                "marked": "14.0.0"
@@ -16926,6 +16881,7 @@
            "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
            "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
            "license": "MIT",
+            "peer": true,
            "bin": {
                "marked": "bin/marked.js"
            },
@@ -17013,7 +16969,6 @@
            "version": "15.5.12",
            "resolved": "https://registry.npmjs.org/next/-/next-15.5.12.tgz",
            "integrity": "sha512-Fi/wQ4Etlrn60rz78bebG1i1SR20QxvV8tVp6iJspjLUSHcZoeUXCt+vmWoEcza85ElZzExK/jJ/F6SvtGktjA==",
-            "peer": true,
            "dependencies": {
                "@next/env": "15.5.12",
                "@swc/helpers": "0.5.15",
@@ -17062,9 +17017,9 @@
            }
        },
        "node_modules/next-intl": {
-            "version": "4.8.2",
-            "resolved": "https://registry.npmjs.org/next-intl/-/next-intl-4.8.2.tgz",
-            "integrity": "sha512-GuuwyvyEI49/oehQbBXEoY8KSIYCzmfMLhmIwhMXTb+yeBmly1PnJcpgph3KczQ+HTJMXwXCmkizgtT8jBMf3A==",
+            "version": "4.8.3",
+            "resolved": "https://registry.npmjs.org/next-intl/-/next-intl-4.8.3.tgz",
+            "integrity": "sha512-PvdBDWg+Leh7BR7GJUQbCDVVaBRn37GwDBWc9sv0rVQOJDQ5JU1rVzx9EEGuOGYo0DHAl70++9LQ7HxTawdL7w==",
            "funding": [
                {
                    "type": "individual",
@@ -17073,14 +17028,14 @@
            ],
            "license": "MIT",
            "dependencies": {
-                "@formatjs/intl-localematcher": "^0.5.4",
+                "@formatjs/intl-localematcher": "^0.8.1",
                "@parcel/watcher": "^2.4.1",
                "@swc/core": "^1.15.2",
-                "icu-minify": "^4.8.2",
+                "icu-minify": "^4.8.3",
                "negotiator": "^1.0.0",
-                "next-intl-swc-plugin-extractor": "^4.8.2",
+                "next-intl-swc-plugin-extractor": "^4.8.3",
                "po-parser": "^2.1.1",
-                "use-intl": "^4.8.2"
+                "use-intl": "^4.8.3"
            },
            "peerDependencies": {
                "next": "^12.0.0 || ^13.0.0 || ^14.0.0 || ^15.0.0 || ^16.0.0",
@@ -17094,9 +17049,9 @@
            }
        },
        "node_modules/next-intl-swc-plugin-extractor": {
-            "version": "4.8.2",
-            "resolved": "https://registry.npmjs.org/next-intl-swc-plugin-extractor/-/next-intl-swc-plugin-extractor-4.8.2.tgz",
-            "integrity": "sha512-sHDs36L1VZmFHj3tPHsD+KZJtnsRudHlNvT0ieIe3iFVn5OpGLTxW3d/Zc/2LXSj5GpGuR6wQeikbhFjU9tMQQ==",
+            "version": "4.8.3",
+            "resolved": "https://registry.npmjs.org/next-intl-swc-plugin-extractor/-/next-intl-swc-plugin-extractor-4.8.3.tgz",
+            "integrity": "sha512-YcaT+R9z69XkGhpDarVFWUprrCMbxgIQYPUaXoE6LGVnLjGdo8hu3gL6bramDVjNKViYY8a/pXPy7Bna0mXORg==",
            "license": "MIT"
        },
        "node_modules/next-themes": {
@@ -17883,16 +17838,16 @@
            "license": "MIT"
        },
        "node_modules/path-scurry": {
-            "version": "2.0.1",
-            "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.1.tgz",
-            "integrity": "sha512-oWyT4gICAu+kaA7QWk/jvCHWarMKNs6pXOGWKDTr7cw4IGcUbW+PeTfbaQiLGheFRpjo6O9J0PmyMfQPjH71oA==",
+            "version": "2.0.2",
+            "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.2.tgz",
+            "integrity": "sha512-3O/iVVsJAPsOnpwWIeD+d6z/7PmqApyQePUtCndjatj/9I5LylHvt5qluFaBT3I5h3r1ejfR056c+FCv+NnNXg==",
            "license": "BlueOak-1.0.0",
            "dependencies": {
                "lru-cache": "^11.0.0",
                "minipass": "^7.1.2"
            },
            "engines": {
-                "node": "20 || >=22"
+                "node": "18 || 20 || >=22"
            },
            "funding": {
                "url": "https://github.com/sponsors/isaacs"
@@ -17948,7 +17903,6 @@
            "resolved": "https://registry.npmjs.org/pg/-/pg-8.18.0.tgz",
            "integrity": "sha512-xqrUDL1b9MbkydY/s+VZ6v+xiMUmOUk7SS9d/1kpyQxoJ6U9AO1oIJyUWVZojbfe5Cc/oluutcgFG4L9RDP1iQ==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "pg-connection-string": "^2.11.0",
                "pg-pool": "^3.11.0",
@@ -18443,7 +18397,6 @@
            "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
            "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=0.10.0"
            }
@@ -18473,7 +18426,6 @@
            "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
            "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "scheduler": "^0.27.0"
            },
@@ -19286,11 +19238,10 @@
            }
        },
        "node_modules/react-hook-form": {
-            "version": "7.71.1",
-            "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.1.tgz",
-            "integrity": "sha512-9SUJKCGKo8HUSsCO+y0CtqkqI5nNuaDqTxyqPsZPqIwudpj4rCrAz/jZV+jn57bx5gtZKOh3neQu94DXMc+w5w==",
+            "version": "7.71.2",
+            "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
+            "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
            "license": "MIT",
-            "peer": true,
            "engines": {
                "node": ">=18.0.0"
            },
@@ -20760,8 +20711,7 @@
            "version": "4.1.18",
            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.18.tgz",
            "integrity": "sha512-4+Z+0yiYyEtUVCScyfHCxOYP06L5Ne+JiHhY2IjR2KWMIWhJOYZKLSGZaP5HkZ8+bY0cxfzwDE5uOmzFXyIwxw==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
        },
        "node_modules/tapable": {
            "version": "2.3.0",
@@ -21235,7 +21185,6 @@
            "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
            "devOptional": true,
            "license": "Apache-2.0",
-            "peer": true,
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
@@ -21425,9 +21374,9 @@
            }
        },
        "node_modules/use-intl": {
-            "version": "4.8.2",
-            "resolved": "https://registry.npmjs.org/use-intl/-/use-intl-4.8.2.tgz",
-            "integrity": "sha512-3VNXZgDnPFqhIYosQ9W1Hc6K5q+ZelMfawNbexdwL/dY7BTHbceLUBX5Eeex9lgogxTp0pf1SjHuhYNAjr9H3g==",
+            "version": "4.8.3",
+            "resolved": "https://registry.npmjs.org/use-intl/-/use-intl-4.8.3.tgz",
+            "integrity": "sha512-nLxlC/RH+le6g3amA508Itnn/00mE+J22ui21QhOWo5V9hCEC43+WtnRAITbJW0ztVZphev5X9gvOf2/Dk9PLA==",
            "funding": [
                {
                    "type": "individual",
@@ -21438,7 +21387,7 @@
            "dependencies": {
                "@formatjs/fast-memoize": "^3.1.0",
                "@schummar/icu-type-parser": "1.21.5",
-                "icu-minify": "^4.8.2",
+                "icu-minify": "^4.8.3",
                "intl-messageformat": "^11.1.0"
            },
            "peerDependencies": {
@@ -21662,7 +21611,6 @@
            "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
            "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
            "license": "MIT",
-            "peer": true,
            "dependencies": {
                "@colors/colors": "^1.6.0",
                "@dabh/diagnostics": "^2.0.8",
@@ -21869,7 +21817,6 @@
            "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
            "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
            "license": "MIT",
-            "peer": true,
            "funding": {
                "url": "https://github.com/sponsors/colinhacks"
            }
--- a/package.json
+++ b/package.json
@@ -32,7 +32,7 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.0",
+        "@asteasolutions/zod-to-openapi": "8.4.1",
        "@aws-sdk/client-s3": "3.989.0",
        "@faker-js/faker": "10.3.0",
        "@headlessui/react": "2.2.9",
@@ -59,11 +59,11 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.7",
+        "@react-email/components": "1.0.8",
        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.4",
+        "@react-email/tailwind": "2.0.5",
        "@simplewebauthn/browser": "13.2.2",
-        "@simplewebauthn/server": "13.2.2",
+        "@simplewebauthn/server": "13.2.3",
        "@tailwindcss/forms": "0.5.11",
        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
@@ -81,7 +81,7 @@
        "drizzle-orm": "0.45.1",
        "express": "5.2.1",
        "express-rate-limit": "8.2.1",
-        "glob": "13.0.3",
+        "glob": "13.0.6",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
@@ -93,7 +93,7 @@
        "maxmind": "5.0.5",
        "moment": "2.30.1",
        "next": "15.5.12",
-        "next-intl": "4.8.2",
+        "next-intl": "4.8.3",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
@@ -106,7 +106,7 @@
        "react-day-picker": "9.13.2",
        "react-dom": "19.2.4",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.1",
+        "react-hook-form": "7.71.2",
        "react-icons": "5.5.0",
        "recharts": "2.15.4",
        "reodotdev": "1.0.0",
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -1,7 +1,7 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { userActions, roleActions, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";

@@ -52,7 +52,6 @@ export enum ActionsEnum {
    listRoleResources = "listRoleResources",
    // listRoleActions = "listRoleActions",
    addUserRole = "addUserRole",
-    removeUserRole = "removeUserRole",
    // addUserSite = "addUserSite",
    // addUserAction = "addUserAction",
    // removeUserAction = "removeUserAction",
@@ -154,19 +153,29 @@ export async function checkUserActionPermission(
    }

    try {
-        let userOrgRoleIds = req.userOrgRoleIds;
+        let userOrgRoleId = req.userOrgRoleId;

-        if (userOrgRoleIds === undefined) {
-            const { getUserOrgRoleIds } = await import(
-                "@server/lib/userOrgRoles"
-            );
-            userOrgRoleIds = await getUserOrgRoleIds(userId, req.userOrgId!);
-            if (userOrgRoleIds.length === 0) {
+        // If userOrgRoleId is not available on the request, fetch it
+        if (userOrgRoleId === undefined) {
+            const userOrgRole = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, req.userOrgId!)
+                    )
+                )
+                .limit(1);
+
+            if (userOrgRole.length === 0) {
                throw createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                );
            }
+
+            userOrgRoleId = userOrgRole[0].roleId;
        }

        // Check if the user has direct permission for the action in the current org
@@ -177,7 +186,7 @@ export async function checkUserActionPermission(
                and(
                    eq(userActions.userId, userId),
                    eq(userActions.actionId, actionId),
-                    eq(userActions.orgId, req.userOrgId!)
+                    eq(userActions.orgId, req.userOrgId!) // TODO: we cant pass the org id if we are not checking the org
                )
            )
            .limit(1);
@@ -186,14 +195,14 @@ export async function checkUserActionPermission(
            return true;
        }

-        // If no direct permission, check role-based permission (any of user's roles)
+        // If no direct permission, check role-based permission
        const roleActionPermission = await db
            .select()
            .from(roleActions)
            .where(
                and(
                    eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.roleId, userOrgRoleId!),
                    eq(roleActions.orgId, req.userOrgId!)
                )
            )
--- a/server/auth/canUserAccessResource.ts
+++ b/server/auth/canUserAccessResource.ts
@@ -1,29 +1,26 @@
 import { db } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { roleResources, userResources } from "@server/db";

 export async function canUserAccessResource({
    userId,
    resourceId,
-    roleIds
+    roleId
 }: {
    userId: string;
    resourceId: number;
-    roleIds: number[];
+    roleId: number;
 }): Promise<boolean> {
-    const roleResourceAccess =
-        roleIds.length > 0
-            ? await db
-                  .select()
-                  .from(roleResources)
-                  .where(
-                      and(
-                          eq(roleResources.resourceId, resourceId),
-                          inArray(roleResources.roleId, roleIds)
-                      )
-                  )
-                  .limit(1)
-            : [];
+    const roleResourceAccess = await db
+        .select()
+        .from(roleResources)
+        .where(
+            and(
+                eq(roleResources.resourceId, resourceId),
+                eq(roleResources.roleId, roleId)
+            )
+        )
+        .limit(1);

    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -1,29 +1,26 @@
 import { db } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { roleSiteResources, userSiteResources } from "@server/db";

 export async function canUserAccessSiteResource({
    userId,
    resourceId,
-    roleIds
+    roleId
 }: {
    userId: string;
    resourceId: number;
-    roleIds: number[];
+    roleId: number;
 }): Promise<boolean> {
-    const roleResourceAccess =
-        roleIds.length > 0
-            ? await db
-                  .select()
-                  .from(roleSiteResources)
-                  .where(
-                      and(
-                          eq(roleSiteResources.siteResourceId, resourceId),
-                          inArray(roleSiteResources.roleId, roleIds)
-                      )
-                  )
-                  .limit(1)
-            : [];
+    const roleResourceAccess = await db
+        .select()
+        .from(roleSiteResources)
+        .where(
+            and(
+                eq(roleSiteResources.siteResourceId, resourceId),
+                eq(roleSiteResources.roleId, roleId)
+            )
+        )
+        .limit(1);

    if (roleResourceAccess.length > 0) {
        return true;
--- a/server/db/pg/index.ts
+++ b/server/db/pg/index.ts
@@ -1,4 +1,5 @@
 export * from "./driver";
+export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -0,0 +1,89 @@
+import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import { readConfigFile } from "@server/lib/readConfigFile";
+import { readPrivateConfigFile } from "@server/private/lib/readConfigFile";
+import { withReplicas } from "drizzle-orm/pg-core";
+import { build } from "@server/build";
+import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+
+function createLogsDb() {
+    // Only use separate logs database in SaaS builds
+    if (build !== "saas") {
+        return mainDb;
+    }
+
+    const config = readConfigFile();
+    const privateConfig = readPrivateConfigFile();
+
+    // Merge configs, prioritizing private config
+    const logsConfig = privateConfig.postgres_logs || config.postgres_logs;
+
+    // Check environment variable first
+    let connectionString = process.env.POSTGRES_LOGS_CONNECTION_STRING;
+    let replicaConnections: Array<{ connection_string: string }> = [];
+
+    if (!connectionString && logsConfig) {
+        connectionString = logsConfig.connection_string;
+        replicaConnections = logsConfig.replicas || [];
+    }
+
+    // If POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS is set, use it
+    if (process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS) {
+        replicaConnections =
+            process.env.POSTGRES_LOGS_REPLICA_CONNECTION_STRINGS.split(",").map(
+                (conn) => ({
+                    connection_string: conn.trim()
+                })
+            );
+    }
+
+    // If no logs database is configured, fall back to main database
+    if (!connectionString) {
+        return mainDb;
+    }
+
+    // Create separate connection pool for logs database
+    const poolConfig = logsConfig?.pool || config.postgres?.pool;
+    const primaryPool = new Pool({
+        connectionString,
+        max: poolConfig?.max_connections || 20,
+        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
+    });
+
+    const replicas = [];
+
+    if (!replicaConnections.length) {
+        replicas.push(
+            DrizzlePostgres(primaryPool, {
+                logger: process.env.QUERY_LOGGING == "true"
+            })
+        );
+    } else {
+        for (const conn of replicaConnections) {
+            const replicaPool = new Pool({
+                connectionString: conn.connection_string,
+                max: poolConfig?.max_replica_connections || 20,
+                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                connectionTimeoutMillis:
+                    poolConfig?.connection_timeout_ms || 5000
+            });
+            replicas.push(
+                DrizzlePostgres(replicaPool, {
+                    logger: process.env.QUERY_LOGGING == "true"
+                })
+            );
+        }
+    }
+
+    return withReplicas(
+        DrizzlePostgres(primaryPool, {
+            logger: process.env.QUERY_LOGGING == "true"
+        }),
+        replicas as any
+    );
+}
+
+export const logsDb = createLogsDb();
+export default logsDb;
+export const primaryLogsDb = logsDb.$primary;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -9,7 +9,6 @@ import {
    real,
    serial,
    text,
-    unique,
    varchar
 } from "drizzle-orm/pg-core";

@@ -333,6 +332,9 @@ export const userOrgs = pgTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
    autoProvisioned: boolean("autoProvisioned").default(false),
    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -381,22 +383,6 @@ export const roles = pgTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });

-export const userOrgRoles = pgTable(
-    "userOrgRoles",
-    {
-        userId: varchar("userId")
-            .notNull()
-            .references(() => users.userId, { onDelete: "cascade" }),
-        orgId: varchar("orgId")
-            .notNull()
-            .references(() => orgs.orgId, { onDelete: "cascade" }),
-        roleId: integer("roleId")
-            .notNull()
-            .references(() => roles.roleId, { onDelete: "cascade" })
-    },
-    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
-);
-
 export const roleActions = pgTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -1045,7 +1031,6 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
-export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -12,7 +12,6 @@ import {
    resources,
    roleResources,
    sessions,
-    userOrgRoles,
    userOrgs,
    userResources,
    users,
@@ -105,57 +104,24 @@ export async function getUserSessionWithUser(
 }

 /**
- * Get user organization role (single role; prefer getUserOrgRoleIds + roles for multi-role).
- * @deprecated Use userOrgRoles table and getUserOrgRoleIds for multi-role support.
+ * Get user organization role
 */
 export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrg = await db
+    const userOrgRole = await db
        .select({
            userId: userOrgs.userId,
            orgId: userOrgs.orgId,
+            roleId: userOrgs.roleId,
            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned
+            autoProvisioned: userOrgs.autoProvisioned,
+            roleName: roles.name
        })
        .from(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .limit(1);

-    if (userOrg.length === 0) return null;
-
-    const [firstRole] = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        )
-        .limit(1);
-
-    return firstRole
-        ? {
-              ...userOrg[0],
-              roleId: firstRole.roleId,
-              roleName: firstRole.roleName
-          }
-        : { ...userOrg[0], roleId: null, roleName: null };
-}
-
-/**
- * Get role name by role ID (for display).
- */
-export async function getRoleName(roleId: number): Promise<string | null> {
-    const [row] = await db
-        .select({ name: roles.name })
-        .from(roles)
-        .where(eq(roles.roleId, roleId))
-        .limit(1);
-    return row?.name ?? null;
+    return userOrgRole.length > 0 ? userOrgRole[0] : null;
 }

 /**
--- a/server/db/sqlite/index.ts
+++ b/server/db/sqlite/index.ts
@@ -1,4 +1,5 @@
 export * from "./driver";
+export * from "./logsDriver";
 export * from "./safeRead";
 export * from "./schema/schema";
 export * from "./schema/privateSchema";
--- a/server/db/sqlite/logsDriver.ts
+++ b/server/db/sqlite/logsDriver.ts
@@ -0,0 +1,7 @@
+import { db as mainDb } from "./driver";
+
+// SQLite doesn't support separate databases for logs in the same way as Postgres
+// Always use the main database connection for SQLite
+export const logsDb = mainDb;
+export default logsDb;
+export const primaryLogsDb = logsDb;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,12 +1,6 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import {
-    index,
-    integer,
-    sqliteTable,
-    text,
-    unique
-} from "drizzle-orm/sqlite-core";
+import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";

 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -641,6 +635,9 @@ export const userOrgs = sqliteTable("userOrgs", {
            onDelete: "cascade"
        })
        .notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId),
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
@@ -695,22 +692,6 @@ export const roles = sqliteTable("roles", {
    sshUnixGroups: text("sshUnixGroups").default("[]")
 });

-export const userOrgRoles = sqliteTable(
-    "userOrgRoles",
-    {
-        userId: text("userId")
-            .notNull()
-            .references(() => users.userId, { onDelete: "cascade" }),
-        orgId: text("orgId")
-            .notNull()
-            .references(() => orgs.orgId, { onDelete: "cascade" }),
-        roleId: integer("roleId")
-            .notNull()
-            .references(() => roles.roleId, { onDelete: "cascade" })
-    },
-    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
-);
-
 export const roleActions = sqliteTable("roleActions", {
    roleId: integer("roleId")
        .notNull()
@@ -1145,7 +1126,6 @@ export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
-export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
--- a/server/index.ts
+++ b/server/index.ts
@@ -74,7 +74,7 @@ declare global {
            session: Session;
            userOrg?: UserOrg;
            apiKeyOrg?: ApiKeyOrg;
-            userOrgRoleIds?: number[];
+            userOrgRoleId?: number;
            userOrgId?: string;
            userOrgIds?: string[];
            remoteExitNode?: RemoteExitNode;
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -11,7 +11,7 @@ import {
    userSiteResources
 } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and, ne, inArray } from "drizzle-orm";
+import { eq, and, ne, inArray, or } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
 import { getNextAvailableAliasAddress } from "../ip";
@@ -142,7 +142,10 @@ export async function updateClientResources(
                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                    .where(
                        and(
-                            inArray(users.username, resourceData.users),
+                            or(
+                                inArray(users.username, resourceData.users),
+                                inArray(users.email, resourceData.users)
+                            ),
                            eq(userOrgs.orgId, orgId)
                        )
                    );
@@ -276,7 +279,10 @@ export async function updateClientResources(
                    .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
                    .where(
                        and(
-                            inArray(users.username, resourceData.users),
+                            or(
+                                inArray(users.username, resourceData.users),
+                                inArray(users.email, resourceData.users)
+                            ),
                            eq(userOrgs.orgId, orgId)
                        )
                    );
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -212,7 +212,10 @@ export async function updateProxyResources(
            } else {
                // Update existing resource

-                const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
+                const isLicensed = await isLicensedOrSubscribed(
+                    orgId,
+                    tierMatrix.maintencePage
+                );
                if (!isLicensed) {
                    resourceData.maintenance = undefined;
                }
@@ -590,7 +593,10 @@ export async function updateProxyResources(
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
                        existingRule.value !==
-                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
+                            getRuleValue(
+                                rule.match.toUpperCase(),
+                                rule.value
+                            ) ||
                        existingRule.priority !== intendedPriority
                    ) {
                        validateRule(rule);
@@ -648,7 +654,10 @@ export async function updateProxyResources(
                );
            }

-            const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
+            const isLicensed = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix.maintencePage
+            );
            if (!isLicensed) {
                resourceData.maintenance = undefined;
            }
@@ -935,7 +944,12 @@ async function syncUserResources(
            .select()
            .from(users)
            .innerJoin(userOrgs, eq(users.userId, userOrgs.userId))
-            .where(and(eq(users.username, username), eq(userOrgs.orgId, orgId)))
+            .where(
+                and(
+                    or(eq(users.username, username), eq(users.email, username)),
+                    eq(userOrgs.orgId, orgId)
+                )
+            )
            .limit(1);

        if (!user) {
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -69,7 +69,7 @@ export const AuthSchema = z.object({
        .refine((roles) => !roles.includes("Admin"), {
            error: "Admin role cannot be included in sso-roles"
        }),
-    "sso-users": z.array(z.email()).optional().default([]),
+    "sso-users": z.array(z.string()).optional().default([]),
    "whitelist-users": z.array(z.email()).optional().default([]),
    "auto-login-idp": z.int().positive().optional()
 });
@@ -335,7 +335,7 @@ export const ClientResourceSchema = z
            .refine((roles) => !roles.includes("Admin"), {
                error: "Admin role cannot be included in roles"
            }),
-        users: z.array(z.email()).optional().default([]),
+        users: z.array(z.string()).optional().default([]),
        machines: z.array(z.string()).optional().default([])
    })
    .refine(
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -10,7 +10,6 @@ import {
    roles,
    Transaction,
    userClients,
-    userOrgRoles,
    userOrgs
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
@@ -40,36 +39,20 @@ export async function calculateUserClientsForOrgs(
            return;
        }

-        // Get all user orgs with all roles (for org list and role-based logic)
-        const userOrgRoleRows = await transaction
+        // Get all user orgs
+        const allUserOrgs = await transaction
            .select()
            .from(userOrgs)
-            .innerJoin(
-                userOrgRoles,
-                and(
-                    eq(userOrgs.userId, userOrgRoles.userId),
-                    eq(userOrgs.orgId, userOrgRoles.orgId)
-                )
-            )
-            .innerJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
            .where(eq(userOrgs.userId, userId));

-        const userOrgIds = [...new Set(userOrgRoleRows.map((r) => r.userOrgs.orgId))];
-        const orgIdToRoleRows = new Map<
-            string,
-            (typeof userOrgRoleRows)[0][]
-        >();
-        for (const r of userOrgRoleRows) {
-            const list = orgIdToRoleRows.get(r.userOrgs.orgId) ?? [];
-            list.push(r);
-            orgIdToRoleRows.set(r.userOrgs.orgId, list);
-        }
+        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);

        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const orgId of orgIdToRoleRows.keys()) {
-                const roleRowsForOrg = orgIdToRoleRows.get(orgId)!;
-                const userOrg = roleRowsForOrg[0].userOrgs;
+            for (const userRoleOrg of allUserOrgs) {
+                const { userOrgs: userOrg, roles: role } = userRoleOrg;
+                const orgId = userOrg.orgId;

                const [org] = await transaction
                    .select()
@@ -213,7 +196,7 @@ export async function calculateUserClientsForOrgs(
                const requireApproval =
                    build !== "oss" &&
                    isOrgLicensed &&
-                    roleRowsForOrg.some((r) => r.roles.requireDeviceApproval);
+                    role.requireDeviceApproval;

                const newClientData: InferInsertModel<typeof clients> = {
                    userId,
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -189,6 +189,46 @@ export const configSchema = z
                    .prefault({})
            })
            .optional(),
+        postgres_logs: z
+            .object({
+                connection_string: z
+                    .string()
+                    .optional()
+                    .transform(getEnvOrYaml("POSTGRES_LOGS_CONNECTION_STRING")),
+                replicas: z
+                    .array(
+                        z.object({
+                            connection_string: z.string()
+                        })
+                    )
+                    .optional(),
+                pool: z
+                    .object({
+                        max_connections: z
+                            .number()
+                            .positive()
+                            .optional()
+                            .default(20),
+                        max_replica_connections: z
+                            .number()
+                            .positive()
+                            .optional()
+                            .default(10),
+                        idle_timeout_ms: z
+                            .number()
+                            .positive()
+                            .optional()
+                            .default(30000),
+                        connection_timeout_ms: z
+                            .number()
+                            .positive()
+                            .optional()
+                            .default(5000)
+                    })
+                    .optional()
+                    .prefault({})
+            })
+            .optional(),
        traefik: z
            .object({
                http_entrypoint: z.string().optional().default("web"),
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -14,7 +14,6 @@ import {
    siteResources,
    sites,
    Transaction,
-    userOrgRoles,
    userOrgs,
    userSiteResources
 } from "@server/db";
@@ -78,10 +77,10 @@ export async function getClientSiteResourceAccess(
    // get all of the users in these roles
    const userIdsFromRoles = await trx
        .select({
-            userId: userOrgRoles.userId
+            userId: userOrgs.userId
        })
-        .from(userOrgRoles)
-        .where(inArray(userOrgRoles.roleId, roleIds))
+        .from(userOrgs)
+        .where(inArray(userOrgs.roleId, roleIds))
        .then((rows) => rows.map((row) => row.userId));

    const newAllUserIds = Array.from(
@@ -812,12 +811,12 @@ export async function rebuildClientAssociationsFromClient(

        // Role-based access
        const roleIds = await trx
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
+            .select({ roleId: userOrgs.roleId })
+            .from(userOrgs)
            .where(
                and(
-                    eq(userOrgRoles.userId, client.userId),
-                    eq(userOrgRoles.orgId, client.orgId)
+                    eq(userOrgs.userId, client.userId),
+                    eq(userOrgs.orgId, client.orgId)
                )
            ) // this needs to be locked onto this org or else cross-org access could happen
            .then((rows) => rows.map((row) => row.roleId));
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -6,7 +6,7 @@ import {
    siteResources,
    sites,
    Transaction,
-    userOrgRoles,
+    UserOrg,
    userOrgs,
    userResources,
    userSiteResources,
@@ -19,15 +19,9 @@ import { FeatureId } from "@server/lib/billing";
 export async function assignUserToOrg(
    org: Org,
    values: typeof userOrgs.$inferInsert,
-    roleId: number,
    trx: Transaction | typeof db = db
 ) {
    const [userOrg] = await trx.insert(userOrgs).values(values).returning();
-    await trx.insert(userOrgRoles).values({
-        userId: userOrg.userId,
-        orgId: userOrg.orgId,
-        roleId
-    });

    // calculate if the user is in any other of the orgs before we count it as an add to the billing org
    if (org.billingOrgId) {
@@ -64,14 +58,6 @@ export async function removeUserFromOrg(
    userId: string,
    trx: Transaction | typeof db = db
 ) {
-    await trx
-        .delete(userOrgRoles)
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, org.orgId)
-            )
-        );
    await trx
        .delete(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
--- a/server/lib/userOrgRoles.ts
+++ b/server/lib/userOrgRoles.ts
@@ -1,22 +0,0 @@
-import { db, userOrgRoles } from "@server/db";
-import { and, eq } from "drizzle-orm";
-
-/**
- * Get all role IDs a user has in an organization.
- * Returns empty array if the user has no roles in the org (callers must treat as no access).
- */
-export async function getUserOrgRoleIds(
-    userId: string,
-    orgId: string
-): Promise<number[]> {
-    const rows = await db
-        .select({ roleId: userOrgRoles.roleId })
-        .from(userOrgRoles)
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-    return rows.map((r) => r.roleId);
-}
--- a/server/middlewares/getUserOrgs.ts
+++ b/server/middlewares/getUserOrgs.ts
@@ -21,7 +21,8 @@ export async function getUserOrgs(
    try {
        const userOrganizations = await db
            .select({
-                orgId: userOrgs.orgId
+                orgId: userOrgs.orgId,
+                roleId: userOrgs.roleId
            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId));
--- a/server/middlewares/verifyAccessTokenAccess.ts
+++ b/server/middlewares/verifyAccessTokenAccess.ts
@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyAccessTokenAccess(
    req: Request,
@@ -94,10 +93,7 @@ export async function verifyAccessTokenAccess(
                )
            );
        } else {
-            req.userOrgRoleIds = await getUserOrgRoleIds(
-                req.userOrg.userId,
-                resource[0].orgId!
-            );
+            req.userOrgRoleId = req.userOrg.roleId;
            req.userOrgId = resource[0].orgId!;
        }

@@ -122,7 +118,7 @@ export async function verifyAccessTokenAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleIds: req.userOrgRoleIds ?? []
+            roleId: req.userOrgRoleId!
        });

        if (!resourceAllowed) {
--- a/server/middlewares/verifyAdmin.ts
+++ b/server/middlewares/verifyAdmin.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { roles, userOrgs } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyAdmin(
    req: Request,
@@ -63,29 +62,13 @@ export async function verifyAdmin(
        }
    }

-    req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId!);
-
-    if (req.userOrgRoleIds.length === 0) {
-        return next(
-            createHttpError(
-                HttpCode.FORBIDDEN,
-                "User does not have Admin access"
-            )
-        );
-    }
-
-    const userAdminRoles = await db
+    const userRole = await db
        .select()
        .from(roles)
-        .where(
-            and(
-                inArray(roles.roleId, req.userOrgRoleIds),
-                eq(roles.isAdmin, true)
-            )
-        )
+        .where(eq(roles.roleId, req.userOrg.roleId))
        .limit(1);

-    if (userAdminRoles.length === 0) {
+    if (userRole.length === 0 || !userRole[0].isAdmin) {
        return next(
            createHttpError(
                HttpCode.FORBIDDEN,
--- a/server/middlewares/verifyApiKeyAccess.ts
+++ b/server/middlewares/verifyApiKeyAccess.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { userOrgs, apiKeys, apiKeyOrg } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyApiKeyAccess(
    req: Request,
@@ -104,10 +103,8 @@ export async function verifyApiKeyAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;

        return next();
    } catch (error) {
--- a/server/middlewares/verifyClientAccess.ts
+++ b/server/middlewares/verifyClientAccess.ts
@@ -1,12 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { Client, db } from "@server/db";
 import { userOrgs, clients, roleClients, userClients } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import logger from "@server/logger";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyClientAccess(
    req: Request,
@@ -114,30 +113,21 @@ export async function verifyClientAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            client.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = client.orgId;

-        // Check role-based client access (any of user's roles)
-        const roleClientAccessList =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleClients)
-                      .where(
-                          and(
-                              eq(roleClients.clientId, client.clientId),
-                              inArray(
-                                  roleClients.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
-        const [roleClientAccess] = roleClientAccessList;
+        // Check role-based site access first
+        const [roleClientAccess] = await db
+            .select()
+            .from(roleClients)
+            .where(
+                and(
+                    eq(roleClients.clientId, client.clientId),
+                    eq(roleClients.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);

        if (roleClientAccess) {
            // User has access to the site through their role
--- a/server/middlewares/verifyDomainAccess.ts
+++ b/server/middlewares/verifyDomainAccess.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db, domains, orgDomains } from "@server/db";
-import { userOrgs } from "@server/db";
+import { userOrgs, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyDomainAccess(
    req: Request,
@@ -64,7 +63,7 @@ export async function verifyDomainAccess(
                .where(
                    and(
                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, orgId)
+                        eq(userOrgs.orgId, apiKeyOrg.orgId)
                    )
                )
                .limit(1);
@@ -98,7 +97,8 @@ export async function verifyDomainAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;

        return next();
    } catch (error) {
--- a/server/middlewares/verifyOrgAccess.ts
+++ b/server/middlewares/verifyOrgAccess.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
-import { db } from "@server/db";
+import { db, orgs } from "@server/db";
 import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyOrgAccess(
    req: Request,
@@ -65,8 +64,8 @@ export async function verifyOrgAccess(
            }
        }

-        // User has access, attach the user's role(s) to the request for potential future use
-        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
+        // User has access, attach the user's role to the request for potential future use
+        req.userOrgRoleId = req.userOrg.roleId;
        req.userOrgId = orgId;

        return next();
--- a/server/middlewares/verifyResourceAccess.ts
+++ b/server/middlewares/verifyResourceAccess.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db, Resource } from "@server/db";
 import { resources, userOrgs, userResources, roleResources } from "@server/db";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyResourceAccess(
    req: Request,
@@ -108,28 +107,20 @@ export async function verifyResourceAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            resource.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = resource.orgId;

-        const roleResourceAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleResources)
-                      .where(
-                          and(
-                              eq(roleResources.resourceId, resource.resourceId),
-                              inArray(
-                                  roleResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        const roleResourceAccess = await db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resource.resourceId),
+                    eq(roleResources.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);

        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyRoleAccess(
    req: Request,
@@ -100,6 +99,7 @@ export async function verifyRoleAccess(
        }

        if (!req.userOrg) {
+            // get the userORg
            const userOrg = await db
                .select()
                .from(userOrgs)
@@ -109,7 +109,7 @@ export async function verifyRoleAccess(
                .limit(1);

            req.userOrg = userOrg[0];
-            req.userOrgRoleIds = await getUserOrgRoleIds(userId, orgId!);
+            req.userOrgRoleId = userOrg[0].roleId;
        }

        if (!req.userOrg) {
--- a/server/middlewares/verifySiteAccess.ts
+++ b/server/middlewares/verifySiteAccess.ts
@@ -1,11 +1,10 @@
 import { Request, Response, NextFunction } from "express";
 import { db } from "@server/db";
 import { sites, Site, userOrgs, userSites, roleSites, roles } from "@server/db";
-import { and, eq, inArray, or } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifySiteAccess(
    req: Request,
@@ -113,29 +112,21 @@ export async function verifySiteAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            site.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = site.orgId;

-        // Check role-based site access first (any of user's roles)
-        const roleSiteAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleSites)
-                      .where(
-                          and(
-                              eq(roleSites.siteId, site.siteId),
-                              inArray(
-                                  roleSites.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        // Check role-based site access first
+        const roleSiteAccess = await db
+            .select()
+            .from(roleSites)
+            .where(
+                and(
+                    eq(roleSites.siteId, site.siteId),
+                    eq(roleSites.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);

        if (roleSiteAccess.length > 0) {
            // User's role has access to the site
--- a/server/middlewares/verifySiteResourceAccess.ts
+++ b/server/middlewares/verifySiteResourceAccess.ts
@@ -1,12 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { db, roleSiteResources, userOrgs, userSiteResources } from "@server/db";
 import { siteResources } from "@server/db";
-import { eq, and, inArray } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifySiteResourceAccess(
    req: Request,
@@ -110,34 +109,23 @@ export async function verifySiteResourceAccess(
            }
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            siteResource.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;
        req.userOrgId = siteResource.orgId;

        // Attach the siteResource to the request for use in the next middleware/route
        req.siteResource = siteResource;

-        const roleResourceAccess =
-            (req.userOrgRoleIds?.length ?? 0) > 0
-                ? await db
-                      .select()
-                      .from(roleSiteResources)
-                      .where(
-                          and(
-                              eq(
-                                  roleSiteResources.siteResourceId,
-                                  siteResourceIdNum
-                              ),
-                              inArray(
-                                  roleSiteResources.roleId,
-                                  req.userOrgRoleIds!
-                              )
-                          )
-                      )
-                      .limit(1)
-                : [];
+        const roleResourceAccess = await db
+            .select()
+            .from(roleSiteResources)
+            .where(
+                and(
+                    eq(roleSiteResources.siteResourceId, siteResourceIdNum),
+                    eq(roleSiteResources.roleId, userOrgRoleId)
+                )
+            )
+            .limit(1);

        if (roleResourceAccess.length > 0) {
            return next();
--- a/server/middlewares/verifyTargetAccess.ts
+++ b/server/middlewares/verifyTargetAccess.ts
@@ -6,7 +6,6 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyTargetAccess(
    req: Request,
@@ -100,10 +99,7 @@ export async function verifyTargetAccess(
                )
            );
        } else {
-            req.userOrgRoleIds = await getUserOrgRoleIds(
-                req.userOrg.userId,
-                resource[0].orgId!
-            );
+            req.userOrgRoleId = req.userOrg.roleId;
            req.userOrgId = resource[0].orgId!;
        }

@@ -130,7 +126,7 @@ export async function verifyTargetAccess(
        const resourceAllowed = await canUserAccessResource({
            userId,
            resourceId,
-            roleIds: req.userOrgRoleIds ?? []
+            roleId: req.userOrgRoleId!
        });

        if (!resourceAllowed) {
--- a/server/middlewares/verifyUserInRole.ts
+++ b/server/middlewares/verifyUserInRole.ts
@@ -12,7 +12,7 @@ export async function verifyUserInRole(
        const roleId = parseInt(
            req.params.roleId || req.body.roleId || req.query.roleId
        );
-        const userOrgRoleIds = req.userOrgRoleIds ?? [];
+        const userRoleId = req.userOrgRoleId;

        if (isNaN(roleId)) {
            return next(
@@ -20,7 +20,7 @@ export async function verifyUserInRole(
            );
        }

-        if (userOrgRoleIds.length === 0) {
+        if (!userRoleId) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
@@ -29,7 +29,7 @@ export async function verifyUserInRole(
            );
        }

-        if (!userOrgRoleIds.includes(roleId)) {
+        if (userRoleId !== roleId) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -11,7 +11,7 @@
 * This file is not licensed under the AGPLv3.
 */

-import { accessAuditLog, db, orgs } from "@server/db";
+import { accessAuditLog, logsDb, db, orgs } from "@server/db";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
@@ -52,7 +52,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);

    try {
-        await db
+        await logsDb
            .delete(accessAuditLog)
            .where(
                and(
@@ -124,7 +124,7 @@ export async function logAccessAudit(data: {
            ? await getCountryCodeFromIp(data.requestIp)
            : undefined;

-        await db.insert(accessAuditLog).values({
+        await logsDb.insert(accessAuditLog).values({
            timestamp: timestamp,
            orgId: data.orgId,
            actorType,
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -83,6 +83,46 @@ export const privateConfigSchema = z.object({
                .optional()
        })
        .optional(),
+    postgres_logs: z
+        .object({
+            connection_string: z
+                .string()
+                .optional()
+                .transform(getEnvOrYaml("POSTGRES_LOGS_CONNECTION_STRING")),
+            replicas: z
+                .array(
+                    z.object({
+                        connection_string: z.string()
+                    })
+                )
+                .optional(),
+            pool: z
+                .object({
+                    max_connections: z
+                        .number()
+                        .positive()
+                        .optional()
+                        .default(20),
+                    max_replica_connections: z
+                        .number()
+                        .positive()
+                        .optional()
+                        .default(10),
+                    idle_timeout_ms: z
+                        .number()
+                        .positive()
+                        .optional()
+                        .default(30000),
+                    connection_timeout_ms: z
+                        .number()
+                        .positive()
+                        .optional()
+                        .default(5000)
+                })
+                .optional()
+                .prefault({})
+        })
+        .optional(),
    gerbil: z
        .object({
            local_exit_node_reachable_at: z
--- a/server/private/middlewares/logActionAudit.ts
+++ b/server/private/middlewares/logActionAudit.ts
@@ -12,7 +12,7 @@
 */

 import { ActionsEnum } from "@server/auth/actions";
-import { actionAuditLog, db, orgs } from "@server/db";
+import { actionAuditLog, logsDb, db, orgs } from "@server/db";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import { Request, Response, NextFunction } from "express";
@@ -54,7 +54,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);

    try {
-        await db
+        await logsDb
            .delete(actionAuditLog)
            .where(
                and(
@@ -123,7 +123,7 @@ export function logActionAudit(action: ActionsEnum) {
                metadata = JSON.stringify(req.params);
            }

-            await db.insert(actionAuditLog).values({
+            await logsDb.insert(actionAuditLog).values({
                timestamp,
                orgId,
                actorType,
--- a/server/private/middlewares/verifyIdpAccess.ts
+++ b/server/private/middlewares/verifyIdpAccess.ts
@@ -13,10 +13,9 @@

 import { Request, Response, NextFunction } from "express";
 import { userOrgs, db, idp, idpOrg } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyIdpAccess(
    req: Request,
@@ -85,10 +84,8 @@ export async function verifyIdpAccess(
            );
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            idpRes.idpOrg.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;

        return next();
    } catch (error) {
--- a/server/private/middlewares/verifyRemoteExitNodeAccess.ts
+++ b/server/private/middlewares/verifyRemoteExitNodeAccess.ts
@@ -12,12 +12,11 @@
 */

 import { Request, Response, NextFunction } from "express";
-import { db, exitNodeOrgs, remoteExitNodes } from "@server/db";
-import { userOrgs } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { db, exitNodeOrgs, exitNodes, remoteExitNodes } from "@server/db";
+import { sites, userOrgs, userSites, roleSites, roles } from "@server/db";
+import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";

 export async function verifyRemoteExitNodeAccess(
    req: Request,
@@ -104,10 +103,8 @@ export async function verifyRemoteExitNodeAccess(
            );
        }

-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            exitNodeOrg.orgId
-        );
+        const userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleId = userOrgRoleId;

        return next();
    } catch (error) {
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -11,11 +11,11 @@
 * This file is not licensed under the AGPLv3.
 */

-import { accessAuditLog, db, resources } from "@server/db";
+import { accessAuditLog, logsDb, resources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -115,15 +115,13 @@ function getWhere(data: Q) {
 }

 export function queryAccess(data: Q) {
-    return db
+    return logsDb
        .select({
            orgId: accessAuditLog.orgId,
            action: accessAuditLog.action,
            actorType: accessAuditLog.actorType,
            actorId: accessAuditLog.actorId,
            resourceId: accessAuditLog.resourceId,
-            resourceName: resources.name,
-            resourceNiceId: resources.niceId,
            ip: accessAuditLog.ip,
            location: accessAuditLog.location,
            userAgent: accessAuditLog.userAgent,
@@ -133,16 +131,46 @@ export function queryAccess(data: Q) {
            actor: accessAuditLog.actor
        })
        .from(accessAuditLog)
-        .leftJoin(
-            resources,
-            eq(accessAuditLog.resourceId, resources.resourceId)
-        )
        .where(getWhere(data))
        .orderBy(desc(accessAuditLog.timestamp), desc(accessAuditLog.id));
 }

+async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryAccess>>) {
+    // If logs database is the same as main database, we can do a join
+    // Otherwise, we need to fetch resource details separately
+    const resourceIds = logs
+        .map(log => log.resourceId)
+        .filter((id): id is number => id !== null && id !== undefined);
+
+    if (resourceIds.length === 0) {
+        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
+    }
+
+    // Fetch resource details from main database
+    const resourceDetails = await primaryDb
+        .select({
+            resourceId: resources.resourceId,
+            name: resources.name,
+            niceId: resources.niceId
+        })
+        .from(resources)
+        .where(inArray(resources.resourceId, resourceIds));
+
+    // Create a map for quick lookup
+    const resourceMap = new Map(
+        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
+    );
+
+    // Enrich logs with resource details
+    return logs.map(log => ({
+        ...log,
+        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
+        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
+    }));
+}
+
 export function countAccessQuery(data: Q) {
-    const countQuery = db
+    const countQuery = logsDb
        .select({ count: count() })
        .from(accessAuditLog)
        .where(getWhere(data));
@@ -161,7 +189,7 @@ async function queryUniqueFilterAttributes(
    );

    // Get unique actors
-    const uniqueActors = await db
+    const uniqueActors = await logsDb
        .selectDistinct({
            actor: accessAuditLog.actor
        })
@@ -169,7 +197,7 @@ async function queryUniqueFilterAttributes(
        .where(baseConditions);

    // Get unique locations
-    const uniqueLocations = await db
+    const uniqueLocations = await logsDb
        .selectDistinct({
            locations: accessAuditLog.location
        })
@@ -177,25 +205,40 @@ async function queryUniqueFilterAttributes(
        .where(baseConditions);

    // Get unique resources with names
-    const uniqueResources = await db
+    const uniqueResources = await logsDb
        .selectDistinct({
-            id: accessAuditLog.resourceId,
-            name: resources.name
+            id: accessAuditLog.resourceId
        })
        .from(accessAuditLog)
-        .leftJoin(
-            resources,
-            eq(accessAuditLog.resourceId, resources.resourceId)
-        )
        .where(baseConditions);

+    // Fetch resource names from main database for the unique resource IDs
+    const resourceIds = uniqueResources
+        .map(row => row.id)
+        .filter((id): id is number => id !== null);
+
+    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
+
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                resourceId: resources.resourceId,
+                name: resources.name
+            })
+            .from(resources)
+            .where(inArray(resources.resourceId, resourceIds));
+
+        resourcesWithNames = resourceDetails.map(r => ({
+            id: r.resourceId,
+            name: r.name
+        }));
+    }
+
    return {
        actors: uniqueActors
            .map((row) => row.actor)
            .filter((actor): actor is string => actor !== null),
-        resources: uniqueResources.filter(
-            (row): row is { id: number; name: string | null } => row.id !== null
-        ),
+        resources: resourcesWithNames,
        locations: uniqueLocations
            .map((row) => row.locations)
            .filter((location): location is string => location !== null)
@@ -243,7 +286,10 @@ export async function queryAccessAuditLogs(

        const baseQuery = queryAccess(data);

-        const log = await baseQuery.limit(data.limit).offset(data.offset);
+        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+
+        // Enrich with resource details (handles cross-database scenario)
+        const log = await enrichWithResourceDetails(logsRaw);

        const totalCountResult = await countAccessQuery(data);
        const totalCount = totalCountResult[0].count;
--- a/server/private/routers/auditLogs/queryActionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryActionAuditLog.ts
@@ -11,7 +11,7 @@
 * This file is not licensed under the AGPLv3.
 */

-import { actionAuditLog, db } from "@server/db";
+import { actionAuditLog, logsDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -97,7 +97,7 @@ function getWhere(data: Q) {
 }

 export function queryAction(data: Q) {
-    return db
+    return logsDb
        .select({
            orgId: actionAuditLog.orgId,
            action: actionAuditLog.action,
@@ -113,7 +113,7 @@ export function queryAction(data: Q) {
 }

 export function countActionQuery(data: Q) {
-    const countQuery = db
+    const countQuery = logsDb
        .select({ count: count() })
        .from(actionAuditLog)
        .where(getWhere(data));
@@ -132,14 +132,14 @@ async function queryUniqueFilterAttributes(
    );

    // Get unique actors
-    const uniqueActors = await db
+    const uniqueActors = await logsDb
        .selectDistinct({
            actor: actionAuditLog.actor
        })
        .from(actionAuditLog)
        .where(baseConditions);

-    const uniqueActions = await db
+    const uniqueActions = await logsDb
        .selectDistinct({
            action: actionAuditLog.action
        })
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -480,9 +480,9 @@ authenticated.get(

 authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
+    verifyClientAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
-    verifyClientAccess, // this is first to set the org id
    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateClientSecret
@@ -490,9 +490,9 @@ authenticated.post(

 authenticated.post(
    "/re-key/:siteId/regenerate-site-secret",
+    verifySiteAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.rotateCredentials),
-    verifySiteAccess, // this is first to set the org id
    verifyLimits,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateSiteSecret
--- a/server/private/routers/org/sendUsageNotifications.ts
+++ b/server/private/routers/org/sendUsageNotifications.ts
@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { userOrgs, userOrgRoles, users, roles, orgs } from "@server/db";
+import { userOrgs, users, roles, orgs } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -95,14 +95,7 @@ async function getOrgAdmins(orgId: string) {
        })
        .from(userOrgs)
        .innerJoin(users, eq(userOrgs.userId, users.userId))
-        .leftJoin(
-            userOrgRoles,
-            and(
-                eq(userOrgs.userId, userOrgRoles.userId),
-                eq(userOrgs.orgId, userOrgRoles.orgId)
-            )
-        )
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .where(
            and(
                eq(userOrgs.orgId, orgId),
@@ -110,11 +103,8 @@ async function getOrgAdmins(orgId: string) {
            )
        );

-    // Dedupe by userId (user may have multiple roles)
-    const byUserId = new Map(
-        admins.map((a) => [a.userId, a])
-    );
-    const orgAdmins = Array.from(byUserId.values()).filter(
+    // Filter to only include users with verified emails
+    const orgAdmins = admins.filter(
        (admin) => admin.email && admin.email.length > 0
    );

--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -79,7 +79,7 @@ export async function createRemoteExitNode(

        const { remoteExitNodeId, secret } = parsedBody.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -30,7 +30,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { and, eq, inArray, or } from "drizzle-orm";
+import { eq, or, and } from "drizzle-orm";
 import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
 import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
 import config from "@server/lib/config";
@@ -122,7 +122,7 @@ export async function signSshKey(
            resource: resourceQueryString
        } = parsedBody.data;
        const userId = req.user?.userId;
-        const roleIds = req.userOrgRoleIds ?? [];
+        const roleId = req.userOrgRoleId!;

        if (!userId) {
            return next(
@@ -130,15 +130,6 @@ export async function signSshKey(
            );
        }

-        if (roleIds.length === 0) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "User has no role in organization"
-                )
-            );
-        }
-
        const [userOrg] = await db
            .select()
            .from(userOrgs)
@@ -319,11 +310,11 @@ export async function signSshKey(
            );
        }

-        // Check if the user has access to the resource (any of their roles)
+        // Check if the user has access to the resource
        const hasAccess = await canUserAccessSiteResource({
            userId: userId,
            resourceId: resource.siteResourceId,
-            roleIds
+            roleId: roleId
        });

        if (!hasAccess) {
@@ -335,39 +326,28 @@ export async function signSshKey(
            );
        }

-        const roleRows = await db
+        const [roleRow] = await db
            .select()
            .from(roles)
-            .where(inArray(roles.roleId, roleIds));
+            .where(eq(roles.roleId, roleId))
+            .limit(1);

-        const parsedSudoCommands: string[] = [];
-        const parsedGroupsSet = new Set<string>();
-        let homedir: boolean | null = null;
-        const sudoModeOrder = { none: 0, commands: 1, all: 2 };
-        let sudoMode: "none" | "commands" | "all" = "none";
-        for (const roleRow of roleRows) {
-            try {
-                const cmds = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
-                if (Array.isArray(cmds)) parsedSudoCommands.push(...cmds);
-            } catch {
-                // skip
-            }
-            try {
-                const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
-            } catch {
-                // skip
-            }
-            if (roleRow?.sshCreateHomeDir === true) homedir = true;
-            const m = roleRow?.sshSudoMode ?? "none";
-            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
-                sudoMode = m as "none" | "commands" | "all";
-            }
+        let parsedSudoCommands: string[] = [];
+        let parsedGroups: string[] = [];
+        try {
+            parsedSudoCommands = JSON.parse(roleRow?.sshSudoCommands ?? "[]");
+            if (!Array.isArray(parsedSudoCommands)) parsedSudoCommands = [];
+        } catch {
+            parsedSudoCommands = [];
        }
-        const parsedGroups = Array.from(parsedGroupsSet);
-        if (homedir === null && roleRows.length > 0) {
-            homedir = roleRows[0].sshCreateHomeDir ?? null;
+        try {
+            parsedGroups = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
+            if (!Array.isArray(parsedGroups)) parsedGroups = [];
+        } catch {
+            parsedGroups = [];
        }
+        const homedir = roleRow?.sshCreateHomeDir ?? null;
+        const sudoMode = roleRow?.sshSudoMode ?? "none";

        // get the site
        const [newt] = await db
--- a/server/routers/accessToken/listAccessTokens.ts
+++ b/server/routers/accessToken/listAccessTokens.ts
@@ -208,7 +208,7 @@ export async function listAccessTokens(
                .where(
                    or(
                        eq(userResources.userId, req.user!.userId),
-                        inArray(roleResources.roleId, req.userOrgRoleIds!)
+                        eq(roleResources.roleId, req.userOrgRoleId!)
                    )
                );
        } else {
--- a/server/routers/auditLogs/queryRequestAnalytics.ts
+++ b/server/routers/auditLogs/queryRequestAnalytics.ts
@@ -1,4 +1,4 @@
-import { db, requestAuditLog, driver, primaryDb } from "@server/db";
+import { logsDb, requestAuditLog, driver, primaryLogsDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -74,12 +74,12 @@ async function query(query: Q) {
        );
    }

-    const [all] = await primaryDb
+    const [all] = await primaryLogsDb
        .select({ total: count() })
        .from(requestAuditLog)
        .where(baseConditions);

-    const [blocked] = await primaryDb
+    const [blocked] = await primaryLogsDb
        .select({ total: count() })
        .from(requestAuditLog)
        .where(and(baseConditions, eq(requestAuditLog.action, false)));
@@ -90,7 +90,7 @@ async function query(query: Q) {

    const DISTINCT_LIMIT = 500;

-    const requestsPerCountry = await primaryDb
+    const requestsPerCountry = await primaryLogsDb
        .selectDistinct({
            code: requestAuditLog.location,
            count: totalQ
@@ -118,7 +118,7 @@ async function query(query: Q) {
    const booleanTrue = driver === "pg" ? sql`true` : sql`1`;
    const booleanFalse = driver === "pg" ? sql`false` : sql`0`;

-    const requestsPerDay = await primaryDb
+    const requestsPerDay = await primaryLogsDb
        .select({
            day: groupByDayFunction.as("day"),
            allowedCount:
--- a/server/routers/auditLogs/queryRequestAuditLog.ts
+++ b/server/routers/auditLogs/queryRequestAuditLog.ts
@@ -1,8 +1,8 @@
-import { db, primaryDb, requestAuditLog, resources } from "@server/db";
+import { logsDb, primaryLogsDb, requestAuditLog, resources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
-import { eq, gt, lt, and, count, desc } from "drizzle-orm";
+import { eq, gt, lt, and, count, desc, inArray } from "drizzle-orm";
 import { OpenAPITags } from "@server/openApi";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -107,7 +107,7 @@ function getWhere(data: Q) {
 }

 export function queryRequest(data: Q) {
-    return primaryDb
+    return primaryLogsDb
        .select({
            id: requestAuditLog.id,
            timestamp: requestAuditLog.timestamp,
@@ -129,21 +129,49 @@ export function queryRequest(data: Q) {
            host: requestAuditLog.host,
            path: requestAuditLog.path,
            method: requestAuditLog.method,
-            tls: requestAuditLog.tls,
-            resourceName: resources.name,
-            resourceNiceId: resources.niceId
+            tls: requestAuditLog.tls
        })
        .from(requestAuditLog)
-        .leftJoin(
-            resources,
-            eq(requestAuditLog.resourceId, resources.resourceId)
-        ) // TODO: Is this efficient?
        .where(getWhere(data))
        .orderBy(desc(requestAuditLog.timestamp));
 }

+async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRequest>>) {
+    // If logs database is the same as main database, we can do a join
+    // Otherwise, we need to fetch resource details separately
+    const resourceIds = logs
+        .map(log => log.resourceId)
+        .filter((id): id is number => id !== null && id !== undefined);
+
+    if (resourceIds.length === 0) {
+        return logs.map(log => ({ ...log, resourceName: null, resourceNiceId: null }));
+    }
+
+    // Fetch resource details from main database
+    const resourceDetails = await primaryDb
+        .select({
+            resourceId: resources.resourceId,
+            name: resources.name,
+            niceId: resources.niceId
+        })
+        .from(resources)
+        .where(inArray(resources.resourceId, resourceIds));
+
+    // Create a map for quick lookup
+    const resourceMap = new Map(
+        resourceDetails.map(r => [r.resourceId, { name: r.name, niceId: r.niceId }])
+    );
+
+    // Enrich logs with resource details
+    return logs.map(log => ({
+        ...log,
+        resourceName: log.resourceId ? resourceMap.get(log.resourceId)?.name ?? null : null,
+        resourceNiceId: log.resourceId ? resourceMap.get(log.resourceId)?.niceId ?? null : null
+    }));
+}
+
 export function countRequestQuery(data: Q) {
-    const countQuery = primaryDb
+    const countQuery = primaryLogsDb
        .select({ count: count() })
        .from(requestAuditLog)
        .where(getWhere(data));
@@ -185,36 +213,31 @@ async function queryUniqueFilterAttributes(
        uniquePaths,
        uniqueResources
    ] = await Promise.all([
-        primaryDb
+        primaryLogsDb
            .selectDistinct({ actor: requestAuditLog.actor })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryDb
+        primaryLogsDb
            .selectDistinct({ locations: requestAuditLog.location })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryDb
+        primaryLogsDb
            .selectDistinct({ hosts: requestAuditLog.host })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryDb
+        primaryLogsDb
            .selectDistinct({ paths: requestAuditLog.path })
            .from(requestAuditLog)
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1),
-        primaryDb
+        primaryLogsDb
            .selectDistinct({
-                id: requestAuditLog.resourceId,
-                name: resources.name
+                id: requestAuditLog.resourceId
            })
            .from(requestAuditLog)
-            .leftJoin(
-                resources,
-                eq(requestAuditLog.resourceId, resources.resourceId)
-            )
            .where(baseConditions)
            .limit(DISTINCT_LIMIT + 1)
    ]);
@@ -231,13 +254,33 @@ async function queryUniqueFilterAttributes(
    //     throw new Error("Too many distinct filter attributes to retrieve. Please refine your time range.");
    // }

+    // Fetch resource names from main database for the unique resource IDs
+    const resourceIds = uniqueResources
+        .map(row => row.id)
+        .filter((id): id is number => id !== null);
+
+    let resourcesWithNames: Array<{ id: number; name: string | null }> = [];
+
+    if (resourceIds.length > 0) {
+        const resourceDetails = await primaryDb
+            .select({
+                resourceId: resources.resourceId,
+                name: resources.name
+            })
+            .from(resources)
+            .where(inArray(resources.resourceId, resourceIds));
+
+        resourcesWithNames = resourceDetails.map(r => ({
+            id: r.resourceId,
+            name: r.name
+        }));
+    }
+
    return {
        actors: uniqueActors
            .map((row) => row.actor)
            .filter((actor): actor is string => actor !== null),
-        resources: uniqueResources.filter(
-            (row): row is { id: number; name: string | null } => row.id !== null
-        ),
+        resources: resourcesWithNames,
        locations: uniqueLocations
            .map((row) => row.locations)
            .filter((location): location is string => location !== null),
@@ -280,7 +323,10 @@ export async function queryRequestAuditLogs(

        const baseQuery = queryRequest(data);

-        const log = await baseQuery.limit(data.limit).offset(data.offset);
+        const logsRaw = await baseQuery.limit(data.limit).offset(data.offset);
+
+        // Enrich with resource details (handles cross-database scenario)
+        const log = await enrichWithResourceDetails(logsRaw);

        const totalCountResult = await countRequestQuery(data);
        const totalCount = totalCountResult[0].count;
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -1,4 +1,4 @@
-import { db, orgs, requestAuditLog } from "@server/db";
+import { logsDb, primaryLogsDb, db, orgs, requestAuditLog } from "@server/db";
 import logger from "@server/logger";
 import { and, eq, lt, sql } from "drizzle-orm";
 import cache from "@server/lib/cache";
@@ -69,7 +69,7 @@ async function flushAuditLogs() {
    try {
        // Use a transaction to ensure all inserts succeed or fail together
        // This prevents index corruption from partial writes
-        await db.transaction(async (tx) => {
+        await logsDb.transaction(async (tx) => {
            // Batch insert logs in groups of 25 to avoid overwhelming the database
            const BATCH_DB_SIZE = 25;
            for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
@@ -162,7 +162,7 @@ export async function cleanUpOldLogs(orgId: string, retentionDays: number) {
    const cutoffTimestamp = calculateCutoffTimestamp(retentionDays);

    try {
-        await db
+        await logsDb
            .delete(requestAuditLog)
            .where(
                and(
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -3,13 +3,12 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import {
    getResourceByDomain,
    getResourceRules,
-    getRoleName,
    getRoleResourceAccess,
+    getUserOrgRole,
    getUserResourceAccess,
    getOrgLoginPage,
    getUserSessionWithUser
 } from "@server/db/queries/verifySessionQueries";
-import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 import {
    LoginPage,
    Org,
@@ -917,9 +916,9 @@ async function isUserAllowedToAccessResource(
        return null;
    }

-    const userOrgRoleIds = await getUserOrgRoleIds(user.userId, resource.orgId);
+    const userOrgRole = await getUserOrgRole(user.userId, resource.orgId);

-    if (!userOrgRoleIds.length) {
+    if (!userOrgRole) {
        return null;
    }

@@ -935,23 +934,17 @@ async function isUserAllowedToAccessResource(
        return null;
    }

-    const roleNames: string[] = [];
-    for (const roleId of userOrgRoleIds) {
-        const roleResourceAccess = await getRoleResourceAccess(
-            resource.resourceId,
-            roleId
-        );
-        if (roleResourceAccess) {
-            const roleName = await getRoleName(roleId);
-            if (roleName) roleNames.push(roleName);
-        }
-    }
-    if (roleNames.length > 0) {
+    const roleResourceAccess = await getRoleResourceAccess(
+        resource.resourceId,
+        userOrgRole.roleId
+    );
+
+    if (roleResourceAccess) {
        return {
            username: user.username,
            email: user.email,
            name: user.name,
-            role: roleNames.join(", ")
+            role: userOrgRole.roleName
        };
    }

@@ -961,15 +954,11 @@ async function isUserAllowedToAccessResource(
    );

    if (userResourceAccess) {
-        const names = await Promise.all(
-            userOrgRoleIds.map((id) => getRoleName(id))
-        );
-        const role = names.filter(Boolean).join(", ") || "";
        return {
            username: user.username,
            email: user.email,
            name: user.name,
-            role
+            role: userOrgRole.roleName
        };
    }

--- a/server/routers/client/createClient.ts
+++ b/server/routers/client/createClient.ts
@@ -92,7 +92,7 @@ export async function createClient(

        const { orgId } = parsedParams.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -234,7 +234,7 @@ export async function createClient(
                clientId: newClient.clientId
            });

-            if (req.user && !req.userOrgRoleIds?.includes(adminRole.roleId)) {
+            if (req.user && req.userOrgRoleId != adminRole.roleId) {
                // make sure the user can access the client
                trx.insert(userClients).values({
                    userId: req.user.userId,
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -297,7 +297,7 @@ export async function listClients(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        inArray(roleClients.roleId, req.userOrgRoleIds!)
+                        eq(roleClients.roleId, req.userOrgRoleId!)
                    )
                );
        } else {
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -316,7 +316,7 @@ export async function listUserDevices(
                .where(
                    or(
                        eq(userClients.userId, req.user!.userId),
-                        inArray(roleClients.roleId, req.userOrgRoleIds!)
+                        eq(roleClients.roleId, req.userOrgRoleId!)
                    )
                );
        } else {
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -654,16 +654,6 @@ authenticated.post(
    user.addUserRole
 );

-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyRoleAccess,
-    verifyUserAccess,
-    verifyLimits,
-    verifyUserHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
-);
-
 authenticated.post(
    "/resource/:resourceId/roles",
    verifyResourceAccess,
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -13,7 +13,6 @@ import {
    orgs,
    Role,
    roles,
-    userOrgRoles,
    userOrgs,
    users
 } from "@server/db";
@@ -571,28 +570,32 @@ export async function validateOidcCallback(
                    }
                }

-                // Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
-                const userRolesInOrgs = await trx
-                    .select()
-                    .from(userOrgRoles)
-                    .where(eq(userOrgRoles.userId, userId!));
-                for (const currentOrg of autoProvisionedOrgs) {
-                    const newRole = userOrgInfo.find(
-                        (newOrg) => newOrg.orgId === currentOrg.orgId
-                    );
-                    if (!newRole) continue;
-                    const currentRolesInOrg = userRolesInOrgs.filter(
-                        (r) => r.orgId === currentOrg.orgId
-                    );
-                    const hasIdpRole = currentRolesInOrg.some(
-                        (r) => r.roleId === newRole.roleId
-                    );
-                    if (!hasIdpRole) {
-                        await trx.insert(userOrgRoles).values({
-                            userId: userId!,
-                            orgId: currentOrg.orgId,
-                            roleId: newRole.roleId
-                        });
+                // Update roles for existing auto-provisioned orgs where the role has changed
+                const orgsToUpdate = autoProvisionedOrgs.filter(
+                    (currentOrg) => {
+                        const newOrg = userOrgInfo.find(
+                            (newOrg) => newOrg.orgId === currentOrg.orgId
+                        );
+                        return newOrg && newOrg.roleId !== currentOrg.roleId;
+                    }
+                );
+
+                if (orgsToUpdate.length > 0) {
+                    for (const org of orgsToUpdate) {
+                        const newRole = userOrgInfo.find(
+                            (newOrg) => newOrg.orgId === org.orgId
+                        );
+                        if (newRole) {
+                            await trx
+                                .update(userOrgs)
+                                .set({ roleId: newRole.roleId })
+                                .where(
+                                    and(
+                                        eq(userOrgs.userId, userId!),
+                                        eq(userOrgs.orgId, org.orgId)
+                                    )
+                                );
+                        }
                    }
                }

@@ -616,9 +619,9 @@ export async function validateOidcCallback(
                                {
                                    orgId: org.orgId,
                                    userId: userId!,
+                                    roleId: org.roleId,
                                    autoProvisioned: true,
                                },
-                                org.roleId,
                                trx
                            );
                        }
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -532,16 +532,6 @@ authenticated.post(
    user.addUserRole
 );

-authenticated.delete(
-    "/role/:roleId/remove/:userId",
-    verifyApiKeyRoleAccess,
-    verifyApiKeyUserAccess,
-    verifyLimits,
-    verifyApiKeyHasAction(ActionsEnum.removeUserRole),
-    logActionAudit(ActionsEnum.removeUserRole),
-    user.removeUserRole
-);
-
 authenticated.post(
    "/resource/:resourceId/roles",
    verifyApiKeyResourceAccess,
--- a/server/routers/newt/createNewt.ts
+++ b/server/routers/newt/createNewt.ts
@@ -46,7 +46,7 @@ export async function createNewt(

        const { newtId, secret } = parsedBody.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/routers/olm/createOlm.ts
+++ b/server/routers/olm/createOlm.ts
@@ -46,7 +46,7 @@ export async function createNewt(

        const { newtId, secret } = parsedBody.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
--- a/server/routers/org/checkOrgUserAccess.ts
+++ b/server/routers/org/checkOrgUserAccess.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { roles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -14,7 +14,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";

 async function queryUser(orgId: string, userId: string) {
-    const [userRow] = await db
+    const [user] = await db
        .select({
            orgId: userOrgs.orgId,
            userId: users.userId,
@@ -22,7 +22,10 @@ async function queryUser(orgId: string, userId: string) {
            username: users.username,
            name: users.name,
            type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
            isOwner: userOrgs.isOwner,
+            isAdmin: roles.isAdmin,
            twoFactorEnabled: users.twoFactorEnabled,
            autoProvisioned: userOrgs.autoProvisioned,
            idpId: users.idpId,
@@ -32,40 +35,13 @@ async function queryUser(orgId: string, userId: string) {
            idpAutoProvision: idp.autoProvision
        })
        .from(userOrgs)
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .leftJoin(users, eq(userOrgs.userId, users.userId))
        .leftJoin(idp, eq(users.idpId, idp.idpId))
        .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
        .limit(1);
-
-    if (!userRow) return undefined;
-
-    const roleRows = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name,
-            isAdmin: roles.isAdmin
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-
-    const isAdmin = roleRows.some((r) => r.isAdmin);
-
-    return {
-        ...userRow,
-        isAdmin,
-        roleIds: roleRows.map((r) => r.roleId),
-        roles: roleRows.map((r) => ({
-            roleId: r.roleId,
-            name: r.roleName ?? ""
-        }))
-    };
+    return user;
 }

 export type CheckOrgUserAccessResponse = CheckOrgAccessPolicyResult;
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@@ -9,7 +9,6 @@ import {
    orgs,
    roleActions,
    roles,
-    userOrgRoles,
    userOrgs,
    users,
    actions
@@ -313,13 +312,9 @@ export async function createOrg(
                await trx.insert(userOrgs).values({
                    userId: req.user!.userId,
                    orgId: newOrg[0].orgId,
+                    roleId: roleId,
                    isOwner: true
                });
-                await trx.insert(userOrgRoles).values({
-                    userId: req.user!.userId,
-                    orgId: newOrg[0].orgId,
-                    roleId
-                });
                ownerUserId = req.user!.userId;
            } else {
                // if org created by root api key, set the server admin as the owner
@@ -337,13 +332,9 @@ export async function createOrg(
                await trx.insert(userOrgs).values({
                    userId: serverAdmin.userId,
                    orgId: newOrg[0].orgId,
+                    roleId: roleId,
                    isOwner: true
                });
-                await trx.insert(userOrgRoles).values({
-                    userId: serverAdmin.userId,
-                    orgId: newOrg[0].orgId,
-                    roleId
-                });
                ownerUserId = serverAdmin.userId;
            }

--- a/server/routers/org/getOrgOverview.ts
+++ b/server/routers/org/getOrgOverview.ts
@@ -117,26 +117,20 @@ export async function getOrgOverview(
            .from(userOrgs)
            .where(eq(userOrgs.orgId, orgId));

-        const roleIds = req.userOrgRoleIds ?? [];
-        const roleRows =
-            roleIds.length > 0
-                ? await db
-                      .select({ name: roles.name, isAdmin: roles.isAdmin })
-                      .from(roles)
-                      .where(inArray(roles.roleId, roleIds))
-                : [];
-        const userRoleName = roleRows.map((r) => r.name ?? "").join(", ") ?? "";
-        const isAdmin = roleRows.some((r) => r.isAdmin === true);
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, req.userOrg.roleId));

        return response<GetOrgOverviewResponse>(res, {
            data: {
                orgName: org[0].name,
                orgId: org[0].orgId,
-                userRoleName,
+                userRoleName: role.name,
                numSites,
                numUsers,
                numResources,
-                isAdmin,
+                isAdmin: role.isAdmin || false,
                isOwner: req.userOrg?.isOwner || false
            },
            success: true,
--- a/server/routers/org/listUserOrgs.ts
+++ b/server/routers/org/listUserOrgs.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, roles } from "@server/db";
-import { Org, orgs, userOrgRoles, userOrgs } from "@server/db";
+import { Org, orgs, userOrgs } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -82,7 +82,10 @@ export async function listUserOrgs(
        const { userId } = parsedParams.data;

        const userOrganizations = await db
-            .select({ orgId: userOrgs.orgId })
+            .select({
+                orgId: userOrgs.orgId,
+                roleId: userOrgs.roleId
+            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId));

@@ -113,27 +116,10 @@ export async function listUserOrgs(
                userOrgs,
                and(eq(userOrgs.orgId, orgs.orgId), eq(userOrgs.userId, userId))
            )
+            .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
            .limit(limit)
            .offset(offset);

-        const roleRows = await db
-            .select({
-                orgId: userOrgRoles.orgId,
-                isAdmin: roles.isAdmin
-            })
-            .from(userOrgRoles)
-            .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    inArray(userOrgRoles.orgId, userOrgIds)
-                )
-            );
-
-        const orgHasAdmin = new Set(
-            roleRows.filter((r) => r.isAdmin).map((r) => r.orgId)
-        );
-
        const totalCountResult = await db
            .select({ count: sql<number>`cast(count(*) as integer)` })
            .from(orgs)
@@ -147,8 +133,8 @@ export async function listUserOrgs(
            if (val.userOrgs && val.userOrgs.isOwner) {
                res.isOwner = val.userOrgs.isOwner;
            }
-            if (val.orgs && orgHasAdmin.has(val.orgs.orgId)) {
-                res.isAdmin = true;
+            if (val.roles && val.roles.isAdmin) {
+                res.isAdmin = val.roles.isAdmin;
            }
            if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
                res.isPrimaryOrg = val.orgs.isBillingOrg;
--- a/server/routers/resource/createResource.ts
+++ b/server/routers/resource/createResource.ts
@@ -112,7 +112,7 @@ export async function createResource(

        const { orgId } = parsedParams.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -278,7 +278,7 @@ async function createHttpResource(
            resourceId: newResource[0].resourceId
        });

-        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
            // make sure the user can access the resource
            await trx.insert(userResources).values({
                userId: req.user?.userId!,
@@ -371,7 +371,7 @@ async function createRawResource(
            resourceId: newResource[0].resourceId
        });

-        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
            // make sure the user can access the resource
            await trx.insert(userResources).values({
                userId: req.user?.userId!,
--- a/server/routers/resource/getUserResources.ts
+++ b/server/routers/resource/getUserResources.ts
@@ -5,7 +5,6 @@ import {
    resources,
    userResources,
    roleResources,
-    userOrgRoles,
    userOrgs,
    resourcePassword,
    resourcePincode,
@@ -33,29 +32,22 @@ export async function getUserResources(
            );
        }

-        // Check user is in organization and get their role IDs
-        const [userOrg] = await db
-            .select()
+        // First get the user's role in the organization
+        const userOrgResult = await db
+            .select({
+                roleId: userOrgs.roleId
+            })
            .from(userOrgs)
            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
            .limit(1);

-        if (!userOrg) {
+        if (userOrgResult.length === 0) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User not in organization")
            );
        }

-        const userRoleIds = await db
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    eq(userOrgRoles.orgId, orgId)
-                )
-            )
-            .then((rows) => rows.map((r) => r.roleId));
+        const userRoleId = userOrgResult[0].roleId;

        // Get resources accessible through direct assignment or role assignment
        const directResourcesQuery = db
@@ -63,28 +55,20 @@ export async function getUserResources(
            .from(userResources)
            .where(eq(userResources.userId, userId));

-        const roleResourcesQuery =
-            userRoleIds.length > 0
-                ? db
-                      .select({ resourceId: roleResources.resourceId })
-                      .from(roleResources)
-                      .where(inArray(roleResources.roleId, userRoleIds))
-                : Promise.resolve([]);
+        const roleResourcesQuery = db
+            .select({ resourceId: roleResources.resourceId })
+            .from(roleResources)
+            .where(eq(roleResources.roleId, userRoleId));

        const directSiteResourcesQuery = db
            .select({ siteResourceId: userSiteResources.siteResourceId })
            .from(userSiteResources)
            .where(eq(userSiteResources.userId, userId));

-        const roleSiteResourcesQuery =
-            userRoleIds.length > 0
-                ? db
-                      .select({
-                          siteResourceId: roleSiteResources.siteResourceId
-                      })
-                      .from(roleSiteResources)
-                      .where(inArray(roleSiteResources.roleId, userRoleIds))
-                : Promise.resolve([]);
+        const roleSiteResourcesQuery = db
+            .select({ siteResourceId: roleSiteResources.siteResourceId })
+            .from(roleSiteResources)
+            .where(eq(roleSiteResources.roleId, userRoleId));

        const [directResources, roleResourceResults, directSiteResourceResults, roleSiteResourceResults] = await Promise.all([
            directResourcesQuery,
--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -276,7 +276,7 @@ export async function listResources(
                .where(
                    or(
                        eq(userResources.userId, req.user!.userId),
-                        inArray(roleResources.roleId, req.userOrgRoleIds!)
+                        eq(roleResources.roleId, req.userOrgRoleId!)
                    )
                );
        } else {
--- a/server/routers/role/deleteRole.ts
+++ b/server/routers/role/deleteRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { roles, userOrgRoles } from "@server/db";
+import { roles, userOrgs } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -114,11 +114,11 @@ export async function deleteRole(
        }

        await db.transaction(async (trx) => {
-            // move all users from userOrgRoles with roleId to newRoleId
+            // move all users from the userOrgs table with roleId to newRoleId
            await trx
-                .update(userOrgRoles)
+                .update(userOrgs)
                .set({ roleId: newRoleId })
-                .where(eq(userOrgRoles.roleId, roleId));
+                .where(eq(userOrgs.roleId, roleId));

            // delete the old role
            await trx.delete(roles).where(eq(roles.roleId, roleId));
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -111,7 +111,7 @@ export async function createSite(

        const { orgId } = parsedParams.data;

-        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
+        if (req.user && !req.userOrgRoleId) {
            return next(
                createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
            );
@@ -399,7 +399,7 @@ export async function createSite(
                siteId: newSite.siteId
            });

-            if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
+            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
                // make sure the user can access the site
                trx.insert(userSites).values({
                    userId: req.user?.userId!,
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -235,7 +235,7 @@ export async function listSites(
                .where(
                    or(
                        eq(userSites.userId, req.user!.userId),
-                        inArray(roleSites.roleId, req.userOrgRoleIds!)
+                        eq(roleSites.roleId, req.userOrgRoleId!)
                    )
                );
        } else {
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -165,9 +165,9 @@ export async function acceptInvite(
                org,
                {
                    userId: existingUser[0].userId,
-                    orgId: existingInvite.orgId
+                    orgId: existingInvite.orgId,
+                    roleId: existingInvite.roleId
                },
-                existingInvite.roleId,
                trx
            );

--- a/server/routers/user/addUserRole.ts
+++ b/server/routers/user/addUserRole.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db } from "@server/db";
-import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { clients, db, UserOrg } from "@server/db";
+import { userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -111,23 +111,20 @@ export async function addUserRole(
            );
        }

-        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
-            null;
+        let newUserRole: UserOrg | null = null;
        await db.transaction(async (trx) => {
-            const inserted = await trx
-                .insert(userOrgRoles)
-                .values({
-                    userId,
-                    orgId: role.orgId,
-                    roleId
-                })
-                .onConflictDoNothing()
+            [newUserRole] = await trx
+                .update(userOrgs)
+                .set({ roleId })
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, role.orgId)
+                    )
+                )
                .returning();

-            if (inserted.length > 0) {
-                newUserRole = inserted[0];
-            }
-
+            // get the client associated with this user in this org
            const orgClients = await trx
                .select()
                .from(clients)
@@ -136,15 +133,17 @@ export async function addUserRole(
                        eq(clients.userId, userId),
                        eq(clients.orgId, role.orgId)
                    )
-                );
+                )
+                .limit(1);

            for (const orgClient of orgClients) {
+                // we just changed the user's role, so we need to rebuild client associations and what they have access to
                await rebuildClientAssociationsFromClient(orgClient, trx);
            }
        });

        return response(res, {
-            data: newUserRole ?? { userId, orgId: role.orgId, roleId },
+            data: newUserRole,
            success: true,
            error: false,
            message: "Role added to user successfully",
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -221,16 +221,12 @@ export async function createOrgUser(
                        );
                    }

-                    await assignUserToOrg(
-                        org,
-                        {
-                            orgId,
-                            userId: existingUser.userId,
-                            autoProvisioned: false,
-                        },
-                        role.roleId,
-                        trx
-                    );
+                    await assignUserToOrg(org, {
+                        orgId,
+                        userId: existingUser.userId,
+                        roleId: role.roleId,
+                        autoProvisioned: false
+                    }, trx);
                } else {
                    userId = generateId(15);

@@ -248,16 +244,12 @@ export async function createOrgUser(
                        })
                        .returning();

-                        await assignUserToOrg(
-                            org,
-                            {
-                                orgId,
-                                userId: newUser.userId,
-                                autoProvisioned: false,
-                            },
-                            role.roleId,
-                            trx
-                        );
+                        await assignUserToOrg(org, {
+                            orgId,
+                            userId: newUser.userId,
+                            roleId: role.roleId,
+                            autoProvisioned: false
+                        }, trx);
                }

                await calculateUserClientsForOrgs(userId, trx);
--- a/server/routers/user/getOrgUser.ts
+++ b/server/routers/user/getOrgUser.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idp, idpOidcConfig } from "@server/db";
-import { roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { roles, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -12,7 +12,7 @@ import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import { OpenAPITags, registry } from "@server/openApi";

 async function queryUser(orgId: string, userId: string) {
-    const [userRow] = await db
+    const [user] = await db
        .select({
            orgId: userOrgs.orgId,
            userId: users.userId,
@@ -20,7 +20,10 @@ async function queryUser(orgId: string, userId: string) {
            username: users.username,
            name: users.name,
            type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
            isOwner: userOrgs.isOwner,
+            isAdmin: roles.isAdmin,
            twoFactorEnabled: users.twoFactorEnabled,
            autoProvisioned: userOrgs.autoProvisioned,
            idpId: users.idpId,
@@ -30,40 +33,13 @@ async function queryUser(orgId: string, userId: string) {
            idpAutoProvision: idp.autoProvision
        })
        .from(userOrgs)
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .leftJoin(users, eq(userOrgs.userId, users.userId))
        .leftJoin(idp, eq(users.idpId, idp.idpId))
        .leftJoin(idpOidcConfig, eq(idp.idpId, idpOidcConfig.idpId))
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
        .limit(1);
-
-    if (!userRow) return undefined;
-
-    const roleRows = await db
-        .select({
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name,
-            isAdmin: roles.isAdmin
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(
-            and(
-                eq(userOrgRoles.userId, userId),
-                eq(userOrgRoles.orgId, orgId)
-            )
-        );
-
-    const isAdmin = roleRows.some((r) => r.isAdmin);
-
-    return {
-        ...userRow,
-        isAdmin,
-        roleIds: roleRows.map((r) => r.roleId),
-        roles: roleRows.map((r) => ({
-            roleId: r.roleId,
-            name: r.roleName ?? ""
-        }))
-    };
+    return user;
 }

 export type GetOrgUserResponse = NonNullable<
--- a/server/routers/user/index.ts
+++ b/server/routers/user/index.ts
@@ -2,7 +2,6 @@ export * from "./getUser";
 export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
-export * from "./removeUserRole";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";
--- a/server/routers/user/listUsers.ts
+++ b/server/routers/user/listUsers.ts
@@ -1,11 +1,11 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, idpOidcConfig } from "@server/db";
-import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
+import { idp, roles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { and, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -31,7 +31,7 @@ const listUsersSchema = z.strictObject({
 });

 async function queryUsers(orgId: string, limit: number, offset: number) {
-    const rows = await db
+    return await db
        .select({
            id: users.userId,
            email: users.email,
@@ -41,6 +41,8 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
            username: users.username,
            name: users.name,
            type: users.type,
+            roleId: userOrgs.roleId,
+            roleName: roles.name,
            isOwner: userOrgs.isOwner,
            idpName: idp.name,
            idpId: users.idpId,
@@ -50,39 +52,12 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
        })
        .from(users)
        .leftJoin(userOrgs, eq(users.userId, userOrgs.userId))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .leftJoin(idp, eq(users.idpId, idp.idpId))
        .leftJoin(idpOidcConfig, eq(idpOidcConfig.idpId, idp.idpId))
        .where(eq(userOrgs.orgId, orgId))
        .limit(limit)
        .offset(offset);
-
-    const roleRows = await db
-        .select({
-            userId: userOrgRoles.userId,
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(eq(userOrgRoles.orgId, orgId));
-
-    const rolesByUser = new Map<
-        string,
-        { roleId: number; roleName: string }[]
-    >();
-    for (const r of roleRows) {
-        const list = rolesByUser.get(r.userId) ?? [];
-        list.push({ roleId: r.roleId, roleName: r.roleName ?? "" });
-        rolesByUser.set(r.userId, list);
-    }
-
-    return rows.map((row) => {
-        const userRoles = rolesByUser.get(row.id) ?? [];
-        return {
-            ...row,
-            roles: userRoles
-        };
-    });
 }

 export type ListUsersResponse = {
--- a/server/routers/user/myDevice.ts
+++ b/server/routers/user/myDevice.ts
@@ -1,5 +1,5 @@
 import { Request, Response, NextFunction } from "express";
-import { db, Olm, olms, orgs, userOrgRoles, userOrgs } from "@server/db";
+import { db, Olm, olms, orgs, userOrgs } from "@server/db";
 import { idp, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -84,31 +84,16 @@ export async function myDevice(
            .from(olms)
            .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));

-        const userOrgRows = await db
+        const userOrganizations = await db
            .select({
                orgId: userOrgs.orgId,
-                orgName: orgs.name
+                orgName: orgs.name,
+                roleId: userOrgs.roleId
            })
            .from(userOrgs)
            .where(eq(userOrgs.userId, userId))
            .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId));

-        const roleRows = await db
-            .select({
-                orgId: userOrgRoles.orgId,
-                roleId: userOrgRoles.roleId
-            })
-            .from(userOrgRoles)
-            .where(eq(userOrgRoles.userId, userId));
-
-        const roleByOrg = new Map(
-            roleRows.map((r) => [r.orgId, r.roleId])
-        );
-        const userOrganizations = userOrgRows.map((row) => ({
-            ...row,
-            roleId: roleByOrg.get(row.orgId) ?? 0
-        }));
-
        return response<MyDeviceResponse>(res, {
            data: {
                user,
--- a/server/routers/user/removeUserRole.ts
+++ b/server/routers/user/removeUserRole.ts
@@ -1,157 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
-import { eq, and } from "drizzle-orm";
-import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
-import { OpenAPITags, registry } from "@server/openApi";
-import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
-
-const removeUserRoleParamsSchema = z.strictObject({
-    userId: z.string(),
-    roleId: z.string().transform(stoi).pipe(z.number())
-});
-
-registry.registerPath({
-    method: "delete",
-    path: "/role/{roleId}/remove/{userId}",
-    description: "Remove a role from a user. User must have at least one role left in the org.",
-    tags: [OpenAPITags.Role, OpenAPITags.User],
-    request: {
-        params: removeUserRoleParamsSchema
-    },
-    responses: {}
-});
-
-export async function removeUserRole(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedParams = removeUserRoleParamsSchema.safeParse(req.params);
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromError(parsedParams.error).toString()
-                )
-            );
-        }
-
-        const { userId, roleId } = parsedParams.data;
-
-        if (req.user && !req.userOrg) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "You do not have access to this organization"
-                )
-            );
-        }
-
-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, roleId))
-            .limit(1);
-
-        if (!role) {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
-            );
-        }
-
-        const [existingUser] = await db
-            .select()
-            .from(userOrgs)
-            .where(
-                and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId))
-            )
-            .limit(1);
-
-        if (!existingUser) {
-            return next(
-                createHttpError(
-                    HttpCode.NOT_FOUND,
-                    "User not found or does not belong to the specified organization"
-                )
-            );
-        }
-
-        if (existingUser.isOwner) {
-            return next(
-                createHttpError(
-                    HttpCode.FORBIDDEN,
-                    "Cannot change the roles of the owner of the organization"
-                )
-            );
-        }
-
-        const remainingRoles = await db
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    eq(userOrgRoles.orgId, role.orgId)
-                )
-            );
-
-        if (remainingRoles.length <= 1) {
-            const hasThisRole = remainingRoles.some((r) => r.roleId === roleId);
-            if (hasThisRole) {
-                return next(
-                    createHttpError(
-                        HttpCode.FORBIDDEN,
-                        "User must have at least one role in the organization. Remove the last role is not allowed."
-                    )
-                );
-            }
-        }
-
-        await db.transaction(async (trx) => {
-            await trx
-                .delete(userOrgRoles)
-                .where(
-                    and(
-                        eq(userOrgRoles.userId, userId),
-                        eq(userOrgRoles.orgId, role.orgId),
-                        eq(userOrgRoles.roleId, roleId)
-                    )
-                );
-
-            const orgClients = await trx
-                .select()
-                .from(clients)
-                .where(
-                    and(
-                        eq(clients.userId, userId),
-                        eq(clients.orgId, role.orgId)
-                    )
-                );
-
-            for (const orgClient of orgClients) {
-                await rebuildClientAssociationsFromClient(orgClient, trx);
-            }
-        });
-
-        return response(res, {
-            data: { userId, orgId: role.orgId, roleId },
-            success: true,
-            error: false,
-            message: "Role removed from user successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
-        );
-    }
-}
--- a/server/types/Auth.ts
+++ b/server/types/Auth.ts
@@ -5,5 +5,5 @@ import { Session } from "@server/db";
 export interface AuthenticatedRequest extends Request {
    user: User;
    session: Session;
-    userOrgRoleIds?: number[];
+    userOrgRoleId?: number;
 }
--- a/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
+++ b/src/app/[orgId]/settings/access/users/[userId]/access-controls/page.tsx
@@ -8,6 +8,7 @@ import {
    FormLabel,
    FormMessage
 } from "@app/components/ui/form";
+import { Input } from "@app/components/ui/input";
 import {
    Select,
    SelectContent,
@@ -18,6 +19,7 @@ import {
 import { Checkbox } from "@app/components/ui/checkbox";
 import { toast } from "@app/hooks/useToast";
 import { zodResolver } from "@hookform/resolvers/zod";
+import { InviteUserResponse } from "@server/routers/user";
 import { AxiosResponse } from "axios";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -42,9 +44,6 @@ import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import IdpTypeBadge from "@app/components/IdpTypeBadge";
 import { UserType } from "@server/types/UserTypes";
-import { Badge } from "@app/components/ui/badge";
-
-type UserRole = { roleId: number; name: string };

 export default function AccessControlsPage() {
    const { orgUser: user } = userOrgUserContext();
@@ -55,12 +54,12 @@ export default function AccessControlsPage() {

    const [loading, setLoading] = useState(false);
    const [roles, setRoles] = useState<{ roleId: number; name: string }[]>([]);
-    const [userRoles, setUserRoles] = useState<UserRole[]>([]);

    const t = useTranslations();

    const formSchema = z.object({
        username: z.string(),
+        roleId: z.string().min(1, { message: t("accessRoleSelectPlease") }),
        autoProvisioned: z.boolean()
    });

@@ -68,17 +67,11 @@ export default function AccessControlsPage() {
        resolver: zodResolver(formSchema),
        defaultValues: {
            username: user.username!,
+            roleId: user.roleId?.toString(),
            autoProvisioned: user.autoProvisioned || false
        }
    });

-    const currentRoleIds = user.roleIds ?? [];
-    const currentRoles: UserRole[] = user.roles ?? [];
-
-    useEffect(() => {
-        setUserRoles(currentRoles);
-    }, [user.userId, currentRoleIds.join(",")]);
-
    useEffect(() => {
        async function fetchRoles() {
            const res = await api
@@ -101,67 +94,32 @@ export default function AccessControlsPage() {
        }

        fetchRoles();
+
+        form.setValue("roleId", user.roleId.toString());
        form.setValue("autoProvisioned", user.autoProvisioned || false);
    }, []);

-    async function handleAddRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.post(`/role/${roleId}/add/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            const role = roles.find((r) => r.roleId === roleId);
-            if (role) setUserRoles((prev) => [...prev, role]);
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
-            });
-        }
-        setLoading(false);
-    }
-
-    async function handleRemoveRole(roleId: number) {
-        setLoading(true);
-        try {
-            await api.delete(`/role/${roleId}/remove/${user.userId}`);
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
-            setUserRoles((prev) => prev.filter((r) => r.roleId !== roleId));
-        } catch (e) {
-            toast({
-                variant: "destructive",
-                title: t("accessRoleErrorAdd"),
-                description: formatAxiosError(
-                    e,
-                    t("accessRoleErrorAddDescription")
-                )
-            });
-        }
-        setLoading(false);
-    }
-
    async function onSubmit(values: z.infer<typeof formSchema>) {
        setLoading(true);
+
        try {
-            await api.post(`/org/${orgId}/user/${user.userId}`, {
-                autoProvisioned: values.autoProvisioned
-            });
-            toast({
-                variant: "default",
-                title: t("userSaved"),
-                description: t("userSavedDescription")
-            });
+            // Execute both API calls simultaneously
+            const [roleRes, userRes] = await Promise.all([
+                api.post<AxiosResponse<InviteUserResponse>>(
+                    `/role/${values.roleId}/add/${user.userId}`
+                ),
+                api.post(`/org/${orgId}/user/${user.userId}`, {
+                    autoProvisioned: values.autoProvisioned
+                })
+            ]);
+
+            if (roleRes.status === 200 && userRes.status === 200) {
+                toast({
+                    variant: "default",
+                    title: t("userSaved"),
+                    description: t("userSavedDescription")
+                });
+            }
        } catch (e) {
            toast({
                variant: "destructive",
@@ -172,14 +130,10 @@ export default function AccessControlsPage() {
                )
            });
        }
+
        setLoading(false);
    }

-    const availableRolesToAdd = roles.filter(
-        (r) => !userRoles.some((ur) => ur.roleId === r.roleId)
-    );
-    const canRemoveRole = userRoles.length > 1;
-
    return (
        <SettingsContainer>
            <SettingsSection>
@@ -200,6 +154,7 @@ export default function AccessControlsPage() {
                                className="space-y-4"
                                id="access-controls-form"
                            >
+                                {/* IDP Type Display */}
                                {user.type !== UserType.Internal &&
                                    user.idpType && (
                                        <div className="flex items-center space-x-2 mb-4">
@@ -216,72 +171,49 @@ export default function AccessControlsPage() {
                                        </div>
                                    )}

-                                <FormItem>
-                                    <FormLabel>{t("role")}</FormLabel>
-                                    <div className="flex flex-wrap gap-2 items-center">
-                                        {userRoles.map((r) => (
-                                            <Badge
-                                                key={r.roleId}
-                                                variant="secondary"
-                                                className="flex items-center gap-1"
-                                            >
-                                                {r.name}
-                                                {canRemoveRole && (
-                                                    <button
-                                                        type="button"
-                                                        onClick={() =>
-                                                            handleRemoveRole(
-                                                                r.roleId
-                                                            )
-                                                        }
-                                                        disabled={loading}
-                                                        className="ml-1 rounded hover:bg-muted"
-                                                        aria-label={`Remove ${r.name}`}
-                                                    >
-                                                        ×
-                                                    </button>
-                                                )}
-                                            </Badge>
-                                        ))}
-                                        {availableRolesToAdd.length > 0 && (
+                                <FormField
+                                    control={form.control}
+                                    name="roleId"
+                                    render={({ field }) => (
+                                        <FormItem>
+                                            <FormLabel>{t("role")}</FormLabel>
                                            <Select
                                                onValueChange={(value) => {
-                                                    handleAddRole(
-                                                        parseInt(value, 10)
-                                                    );
+                                                    field.onChange(value);
+                                                    // If auto provision is enabled, set it to false when role changes
+                                                    if (user.idpAutoProvision) {
+                                                        form.setValue(
+                                                            "autoProvisioned",
+                                                            false
+                                                        );
+                                                    }
                                                }}
-                                                disabled={loading}
+                                                value={field.value}
                                            >
-                                                <SelectTrigger className="w-[180px]">
-                                                    <SelectValue
-                                                        placeholder={t(
-                                                            "accessRoleSelect"
-                                                        )}
-                                                    />
-                                                </SelectTrigger>
+                                                <FormControl>
+                                                    <SelectTrigger>
+                                                        <SelectValue
+                                                            placeholder={t(
+                                                                "accessRoleSelect"
+                                                            )}
+                                                        />
+                                                    </SelectTrigger>
+                                                </FormControl>
                                                <SelectContent>
-                                                    {availableRolesToAdd.map(
-                                                        (role) => (
-                                                            <SelectItem
-                                                                key={
-                                                                    role.roleId
-                                                                }
-                                                                value={role.roleId.toString()}
-                                                            >
-                                                                {role.name}
-                                                            </SelectItem>
-                                                        )
-                                                    )}
+                                                    {roles.map((role) => (
+                                                        <SelectItem
+                                                            key={role.roleId}
+                                                            value={role.roleId.toString()}
+                                                        >
+                                                            {role.name}
+                                                        </SelectItem>
+                                                    ))}
                                                </SelectContent>
                                            </Select>
-                                        )}
-                                    </div>
-                                    {userRoles.length === 0 && (
-                                        <p className="text-sm text-muted-foreground">
-                                            {t("accessRoleSelectPlease")}
-                                        </p>
+                                            <FormMessage />
+                                        </FormItem>
                                    )}
-                                </FormItem>
+                                />

                                {user.idpAutoProvision && (
                                    <FormField
@@ -299,9 +231,7 @@ export default function AccessControlsPage() {
                                                </FormControl>
                                                <div className="space-y-1 leading-none">
                                                    <FormLabel>
-                                                        {t(
-                                                            "autoProvisioned"
-                                                        )}
+                                                        {t("autoProvisioned")}
                                                    </FormLabel>
                                                    <p className="text-sm text-muted-foreground">
                                                        {t(
--- a/src/app/[orgId]/settings/access/users/page.tsx
+++ b/src/app/[orgId]/settings/access/users/page.tsx
@@ -88,9 +88,7 @@ export default async function UsersPage(props: UsersPageProps) {
            status: t("userConfirmed"),
            role: user.isOwner
                ? t("accessRoleOwner")
-                : user.roles?.length
-                  ? user.roles.map((r) => r.roleName).join(", ")
-                  : t("accessRoleMember"),
+                : user.roleName || t("accessRoleMember"),
            isOwner: user.isOwner || false
        };
    });
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -5,11 +5,13 @@ import { SidebarNav } from "@app/components/SidebarNav";
 import { OrgSelector } from "@app/components/OrgSelector";
 import { cn } from "@app/lib/cn";
 import { ListUserOrgsResponse } from "@server/routers/org";
+import SupporterStatus from "@app/components/SupporterStatus";
 import { Button } from "@app/components/ui/button";
-import { ArrowRight, Menu, Server } from "lucide-react";
+import { ExternalLink, Menu, Server } from "lucide-react";
 import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { useUserContext } from "@app/hooks/useUserContext";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useTranslations } from "next-intl";
 import ProfileIcon from "@app/components/ProfileIcon";
 import ThemeSwitcher from "@app/components/ThemeSwitcher";
@@ -42,6 +44,7 @@ export function LayoutMobileMenu({
    const pathname = usePathname();
    const isAdminPage = pathname?.startsWith("/admin");
    const { user } = useUserContext();
+    const { env } = useEnvContext();
    const t = useTranslations();

    return (
@@ -80,7 +83,7 @@ export function LayoutMobileMenu({
                                        <div className="px-3 pt-3">
                                            {!isAdminPage &&
                                                user.serverAdmin && (
-                                                    <div className="mb-1">
+                                                    <div className="py-2">
                                                        <Link
                                                            href="/admin"
                                                            className={cn(
@@ -95,12 +98,11 @@ export function LayoutMobileMenu({
                                                            <span className="flex-shrink-0 mr-2">
                                                                <Server className="h-4 w-4" />
                                                            </span>
-                                                            <span className="flex-1">
+                                                            <span>
                                                                {t(
                                                                    "serverAdmin"
                                                                )}
                                                            </span>
-                                                            <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
                                                        </Link>
                                                    </div>
                                                )}
@@ -113,6 +115,22 @@ export function LayoutMobileMenu({
                                        </div>
                                        <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
                                    </div>
+                                    <div className="px-3 pt-3 pb-3 space-y-4 border-t shrink-0">
+                                        <SupporterStatus />
+                                        {env?.app?.version && (
+                                            <div className="text-xs text-muted-foreground text-center">
+                                                <Link
+                                                    href={`https://github.com/fosrl/pangolin/releases/tag/${env.app.version}`}
+                                                    target="_blank"
+                                                    rel="noopener noreferrer"
+                                                    className="flex items-center justify-center gap-1"
+                                                >
+                                                    v{env.app.version}
+                                                    <ExternalLink size={12} />
+                                                </Link>
+                                            </div>
+                                        )}
+                                    </div>
                                </SheetContent>
                            </Sheet>
                        </div>
--- a/src/components/LayoutSidebar.tsx
+++ b/src/components/LayoutSidebar.tsx
@@ -146,46 +146,6 @@ export function LayoutSidebar({
            />
            <div className="flex-1 overflow-y-auto relative">
                <div className="px-2 pt-3">
-                    {!isAdminPage && user.serverAdmin && (
-                        <div
-                            className={cn(
-                                "shrink-0",
-                                isSidebarCollapsed ? "mb-4" : "mb-1"
-                            )}
-                        >
-                            <Link
-                                href="/admin"
-                                className={cn(
-                                    "flex items-center transition-colors text-muted-foreground hover:text-foreground text-sm w-full hover:bg-secondary/80 dark:hover:bg-secondary/50 rounded-md",
-                                    isSidebarCollapsed
-                                        ? "px-2 py-2 justify-center"
-                                        : "px-3 py-1.5"
-                                )}
-                                title={
-                                    isSidebarCollapsed
-                                        ? t("serverAdmin")
-                                        : undefined
-                                }
-                            >
-                                <span
-                                    className={cn(
-                                        "shrink-0",
-                                        !isSidebarCollapsed && "mr-2"
-                                    )}
-                                >
-                                    <Server className="h-4 w-4" />
-                                </span>
-                                {!isSidebarCollapsed && (
-                                    <>
-                                        <span className="flex-1">
-                                            {t("serverAdmin")}
-                                        </span>
-                                        <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
-                                    </>
-                                )}
-                            </Link>
-                        </div>
-                    )}
                    <SidebarNav
                        sections={navItems}
                        isCollapsed={isSidebarCollapsed}
@@ -196,6 +156,40 @@ export function LayoutSidebar({
                <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
            </div>

+            {!isAdminPage && user.serverAdmin && (
+                <div className="shrink-0 px-2 pb-2">
+                    <Link
+                        href="/admin"
+                        className={cn(
+                            "flex items-center transition-colors text-muted-foreground hover:text-foreground text-sm w-full hover:bg-secondary/80 dark:hover:bg-secondary/50 rounded-md",
+                            isSidebarCollapsed
+                                ? "px-2 py-2 justify-center"
+                                : "px-3 py-1.5"
+                        )}
+                        title={
+                            isSidebarCollapsed ? t("serverAdmin") : undefined
+                        }
+                    >
+                        <span
+                            className={cn(
+                                "shrink-0",
+                                !isSidebarCollapsed && "mr-2"
+                            )}
+                        >
+                            <Server className="h-4 w-4" />
+                        </span>
+                        {!isSidebarCollapsed && (
+                            <>
+                                <span className="flex-1">
+                                    {t("serverAdmin")}
+                                </span>
+                                <ArrowRight className="h-4 w-4 shrink-0 ml-auto opacity-70" />
+                            </>
+                        )}
+                    </Link>
+                </div>
+            )}
+
            {isSidebarCollapsed && (
                <div className="shrink-0 flex justify-center py-2">
                    <TooltipProvider>
@@ -224,7 +218,7 @@ export function LayoutSidebar({

            <div className="w-full border-t border-border mb-3" />

-            <div className="p-4 pt-1 flex flex-col shrink-0">
+            <div className="p-4 pt-0 mt-0 flex flex-col shrink-0">
                {canShowProductUpdates && (
                    <div className="mb-3 empty:mb-0">
                        <ProductUpdates isCollapsed={isSidebarCollapsed} />
Author	SHA1	Message	Date
dependabot[bot]	2edebaddc2	Bump the prod-patch-updates group across 1 directory with 7 updates Bumps the prod-patch-updates group with 7 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@asteasolutions/zod-to-openapi](https://github.com/asteasolutions/zod-to-openapi) \| `8.4.0` \| `8.4.1` \| \| [@react-email/components](https://github.com/resend/react-email/tree/HEAD/packages/components) \| `1.0.7` \| `1.0.8` \| \| [@react-email/tailwind](https://github.com/resend/react-email/tree/HEAD/packages/tailwind) \| `2.0.4` \| `2.0.5` \| \| [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server) \| `13.2.2` \| `13.2.3` \| \| [glob](https://github.com/isaacs/node-glob) \| `13.0.3` \| `13.0.6` \| \| [next-intl](https://github.com/amannn/next-intl) \| `4.8.2` \| `4.8.3` \| \| [react-hook-form](https://github.com/react-hook-form/react-hook-form) \| `7.71.1` \| `7.71.2` \| Updates `@asteasolutions/zod-to-openapi` from 8.4.0 to 8.4.1 - [Release notes](https://github.com/asteasolutions/zod-to-openapi/releases) - [Commits](https://github.com/asteasolutions/zod-to-openapi/compare/v8.4.0...v8.4.1) Updates `@react-email/components` from 1.0.7 to 1.0.8 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/components/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/components@1.0.8/packages/components) Updates `@react-email/tailwind` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/tailwind/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/tailwind@2.0.5/packages/tailwind) Updates `@simplewebauthn/server` from 13.2.2 to 13.2.3 - [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases) - [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md) - [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.2.3/packages/server) Updates `glob` from 13.0.3 to 13.0.6 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](https://github.com/isaacs/node-glob/compare/v13.0.3...v13.0.6) Updates `next-intl` from 4.8.2 to 4.8.3 - [Release notes](https://github.com/amannn/next-intl/releases) - [Changelog](https://github.com/amannn/next-intl/blob/main/CHANGELOG.md) - [Commits](https://github.com/amannn/next-intl/compare/v4.8.2...v4.8.3) Updates `react-hook-form` from 7.71.1 to 7.71.2 - [Release notes](https://github.com/react-hook-form/react-hook-form/releases) - [Changelog](https://github.com/react-hook-form/react-hook-form/blob/master/CHANGELOG.md) - [Commits](https://github.com/react-hook-form/react-hook-form/compare/v7.71.1...v7.71.2) --- updated-dependencies: - dependency-name: "@asteasolutions/zod-to-openapi" dependency-version: 8.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@react-email/components" dependency-version: 1.0.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@react-email/tailwind" dependency-version: 2.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: "@simplewebauthn/server" dependency-version: 13.2.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: glob dependency-version: 13.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: next-intl dependency-version: 4.8.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates - dependency-name: react-hook-form dependency-version: 7.71.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: prod-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-25 01:37:31 +00:00
Owen	d6fe04ec4e	Fix orgid issue when regen credentials	2026-02-24 14:26:10 -08:00
Owen	b8a364af6a	Fix log query	2026-02-23 22:01:11 -08:00
Owen	5ef808d4a2	Merge branch 'main' into logs-database	2026-02-23 16:39:39 -08:00
Owen	a502780c9b	Fix sso username issue	2026-02-22 22:05:02 -08:00
Owen Schwartz	418e099804	Merge pull request #2521 from fosrl/dev 1.15.4-s.6	2026-02-22 21:13:51 -08:00
Owen	b622aca221	Try to route logs requests to a different database	2026-02-20 17:20:01 -08:00