Merge branch 'main' into dev

Merge pull request #2710 from fosrl/thundering-herd
thundering herd
2026-03-25 03:56:38 +00:00 · 2026-03-24 20:38:16 -07:00 · 2026-03-24 20:29:01 -07:00 · 2026-03-24 20:27:34 -07:00 · 2026-03-24 18:13:57 -07:00 · 2026-03-24 18:12:51 -07:00
86 changed files with 3161 additions and 2839 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -77,7 +77,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                  fi
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                  registry: docker.io
                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -264,7 +264,7 @@ jobs:
              shell: bash
            - name: Install Go
-              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
              with:
                  go-version: 1.24
@@ -299,7 +299,7 @@ jobs:
              shell: bash
            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
              with:
                  name: install-bin
                  path: install/bin/
@@ -407,7 +407,7 @@ jobs:
              shell: bash
            - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
              with:
                registry: ghcr.io
                username: ${{ github.actor }}
@@ -415,7 +415,7 @@ jobs:
            - name: Install cosign
              # cosign is used to sign and verify container images (key and keyless)
-              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+              uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
            - name: Dual-sign and verify (GHCR & Docker Hub)
              # Sign each image by digest using keyless (OIDC) and key-based signing,
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            - name: Set up Node.js
-              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
              with:
                node-version: '24'
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -23,7 +23,7 @@ jobs:
          skopeo --version
      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
      - name: Input check
        run: |
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Node
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: '24'
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@
 <p align="center">
    <strong>
-        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
+        Get started with Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
    </strong>
 </p>
@@ -60,9 +60,9 @@ Pangolin is an open-source, identity-based remote access platform built on WireG
 | <img width=500 /> | Description |
 |-----------------|--------------|
 | **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/understanding-nodes) and connect to our control plane. |
 | **Self-Host: Community Edition** | Free, open source, and licensed under AGPL-3. |
 | **Self-Host: Enterprise Edition** | Licensed under Fossorial Commercial License. Free for personal and hobbyist use, and for businesses earning under \$100K USD annually. |
 | **Pangolin Cloud** | Fully managed service with instant setup and pay-as-you-go pricing — no infrastructure required. Or, self-host your own [remote node](https://docs.pangolin.net/manage/remote-node/nodes) and connect to our control plane. |
 ## Key Features
@@ -85,17 +85,16 @@ Download the Pangolin client for your platform:
 ## Get Started
 ### Sign up now
 Create an account at [app.pangolin.net](https://app.pangolin.net) to get started with Pangolin Cloud. A generous free tier is available.
 ### Check out the docs
 We encourage everyone to read the full documentation first, which is
 available at [docs.pangolin.net](https://docs.pangolin.net). This README provides only a very brief subset of
 the docs to illustrate some basic ideas.
 ### Sign up and try now
 For Pangolin's managed service, you will first need to create an account at
 [app.pangolin.net](https://app.pangolin.net). We have a generous free tier to get started.
 ## Licensing
 Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
--- a/install/go.mod
+++ b/install/go.mod
@@ -1,11 +1,11 @@
 module installer
-go 1.24.0
+go 1.25.0
 require (
 	github.com/charmbracelet/huh v0.8.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.40.0
+	golang.org/x/term v0.41.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )
--- a/install/go.sum
+++ b/install/go.sum
@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
--- a/license.py
+++ b/license.py
@@ -0,0 +1,115 @@
 import os
 import sys
 # --- Configuration ---
 # The header text to be added to the files.
 HEADER_TEXT = """/*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 """
 def should_add_header(file_path):
    """
    Checks if a file should receive the commercial license header.
    Returns True if 'private' is in the path or file content.
    """
    # Check if 'private' is in the file path (case-insensitive)
    if 'server/private' in file_path.lower():
        return True
    # Check if 'private' is in the file content (case-insensitive)
    # try:
    #     with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
    #         content = f.read()
    #         if 'private' in content.lower():
    #             return True
    # except Exception as e:
    #     print(f"Could not read file {file_path}: {e}")
    return False
 def process_directory(root_dir):
    """
    Recursively scans a directory and adds headers to qualifying .ts or .tsx files,
    skipping any 'node_modules' directories.
    """
    print(f"Scanning directory: {root_dir}")
    files_processed = 0
    headers_added = 0
    for root, dirs, files in os.walk(root_dir):
        # --- MODIFICATION ---
        # Exclude 'node_modules' directories from the scan to improve performance.
        if 'node_modules' in dirs:
            dirs.remove('node_modules')
        for file in files:
            if file.endswith('.ts') or file.endswith('.tsx'):
                file_path = os.path.join(root, file)
                files_processed += 1
                try:
                    with open(file_path, 'r+', encoding='utf-8') as f:
                        original_content = f.read()
                        has_header = original_content.startswith(HEADER_TEXT.strip())
                        if should_add_header(file_path):
                            # Add header only if it's not already there
                            if not has_header:
                                f.seek(0, 0) # Go to the beginning of the file
                                f.write(HEADER_TEXT.strip() + '\n\n' + original_content)
                                print(f"Added header to: {file_path}")
                                headers_added += 1
                            else:
                                print(f"Header already exists in: {file_path}")
                        else:
                            # Remove header if it exists but shouldn't be there
                            if has_header:
                                # Find the end of the header and remove it (including following newlines)
                                header_with_newlines = HEADER_TEXT.strip() + '\n\n'
                                if original_content.startswith(header_with_newlines):
                                    content_without_header = original_content[len(header_with_newlines):]
                                else:
                                    # Handle case where there might be different newline patterns
                                    header_end = len(HEADER_TEXT.strip())
                                    # Skip any newlines after the header
                                    while header_end < len(original_content) and original_content[header_end] in '\n\r':
                                        header_end += 1
                                    content_without_header = original_content[header_end:]
                                f.seek(0)
                                f.write(content_without_header)
                                f.truncate()
                                print(f"Removed header from: {file_path}")
                                headers_added += 1  # Reusing counter for modifications
                except Exception as e:
                    print(f"Error processing file {file_path}: {e}")
    print("\n--- Scan Complete ---")
    print(f"Total .ts or .tsx files found: {files_processed}")
    print(f"Files modified (headers added/removed): {headers_added}")
 if __name__ == "__main__":
    # Get the target directory from the command line arguments.
    # If no directory is provided, it uses the current directory ('.').
    if len(sys.argv) > 1:
        target_directory = sys.argv[1]
    else:
        target_directory = '.' # Default to current directory
    if not os.path.isdir(target_directory):
        print(f"Error: Directory '{target_directory}' not found.")
        sys.exit(1)
    process_directory(os.path.abspath(target_directory))
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
    "resourceRaw": "Суров TCP/UDP ресурс",
    "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
-    "resourceRawDescriptionCloud": "Прокси заявките през суров TCP/UDP, използвайки номер на порт. ИЗИСКВА ИЗПОЛЗВАНЕ НА ОТДАЛЕЧЕН УЗЕЛ.",
+    "resourceRawDescriptionCloud": "Получавайте заявки чрез суров TCP/UDP с използване на портен номер. Изисква се сайтовете да се свързват към отдалечен възел.",
    "resourceCreate": "Създайте ресурс",
    "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
    "resourceSeeAll": "Вижте всички ресурси",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Име на пространство: {namespace}",
    "domainPickerShowMore": "Покажи повече",
    "regionSelectorTitle": "Избор на регион",
    "domainPickerRemoteExitNodeWarning": "Предоставените домейни не се поддържат, когато сайтовете се свързват към отдалечени крайни възли. За да бъдат ресурсите налични на отдалечени възли, използвайте персонализиран домейн вместо това.",
    "regionSelectorInfo": "Изборът на регион ни помага да предоставим по-добра производителност за вашето местоположение. Не е необходимо да сте в същия регион като сървъра.",
    "regionSelectorPlaceholder": "Изберете регион",
    "regionSelectorComingSoon": "Очаква се скоро",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Край на следващата година",
    "actionLogsDescription": "Прегледайте историята на действията, извършени в тази организация",
    "accessLogsDescription": "Прегледайте заявките за удостоверяване на достъпа до ресурсите в тази организация",
-    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Изисква се лиценз за <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> за използване на тази функция. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "Необходимо е <enterpriseEditionLink>изданието Enterprise</enterpriseEditionLink>, за да използвате тази функция. Тази функция е също достъпна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> е необходим за използване на тази функция. Тази функция също е налична в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Резервирайте демонстрация или пробен POC</bookADemoLink>.",
    "certResolver": "Решавач на сертификати",
    "certResolverDescription": "Изберете решавач на сертификати за използване за този ресурс.",
    "selectCertResolver": "Изберете решавач на сертификати",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
    "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
    "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
-    "approvalsEmptyStateButtonText": "Управлявайте роли"
+    "approvalsEmptyStateButtonText": "Управлявайте роли",
    "domainErrorTitle": "Имаме проблем с проверката на вашия домейн"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
    "resourceRaw": "Surový TCP/UDP zdroj",
    "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
-    "resourceRawDescriptionCloud": "Požadavky na proxy přes syrové TCP/UDP pomocí portového čísla. ŽÁDOSTI POUŽÍVAT POUŽITÍ Z REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy požadavky na syrové TCP/UDP pomocí čísla portu. Vyžaduje připojení stránek ke vzdálenému uzlu.",
    "resourceCreate": "Vytvořit zdroj",
    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
    "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Jmenný prostor: {namespace}",
    "domainPickerShowMore": "Zobrazit více",
    "regionSelectorTitle": "Vybrat region",
    "domainPickerRemoteExitNodeWarning": "Poskytnuté domény nejsou podporovány, když se stránky připojují k vzdáleným výstupním uzlům. Pro dostupné zdroje na vzdálených uzlech použijte vlastní doménu.",
    "regionSelectorInfo": "Výběr regionu nám pomáhá poskytovat lepší výkon pro vaši polohu. Nemusíte být ve stejném regionu jako váš server.",
    "regionSelectorPlaceholder": "Vyberte region",
    "regionSelectorComingSoon": "Již brzy",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Konec následujícího roku",
    "actionLogsDescription": "Zobrazit historii akcí provedených v této organizaci",
    "accessLogsDescription": "Zobrazit žádosti o ověření přístupu pro zdroje v této organizaci",
-    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Tato funkce je také dostupná v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Pro použití této funkce je vyžadována licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> nebo <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> je vyžadována pro použití této funkce. Tato funkce je také k dispozici v <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Rezervujte si demo nebo POC zkušební verzi</bookADemoLink>.",
    "certResolver": "Oddělovač certifikátů",
    "certResolverDescription": "Vyberte řešitele certifikátů pro tento dokument.",
    "selectCertResolver": "Vyberte řešič certifikátů",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
    "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
    "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
-    "approvalsEmptyStateButtonText": "Spravovat role"
+    "approvalsEmptyStateButtonText": "Spravovat role",
    "domainErrorTitle": "Máme problém s ověřením tvé domény"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
    "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
    "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
-    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit einer Portnummer. Erfordert die NUTZUNG eines REMOTE Knotens.",
+    "resourceRawDescriptionCloud": "Proxy-Anfragen über rohe TCP/UDP mit Portnummer. Benötigt Sites, um sich mit einem entfernten Knoten zu verbinden.",
    "resourceCreate": "Ressource erstellen",
    "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
    "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mehr anzeigen",
    "regionSelectorTitle": "Region auswählen",
    "domainPickerRemoteExitNodeWarning": "Angegebene Domains werden nicht unterstützt, wenn sich Websites mit externen Exit-Knoten verbinden. Damit Ressourcen auf entfernten Knoten verfügbar sind, verwenden Sie stattdessen eine eigene Domain.",
    "regionSelectorInfo": "Das Auswählen einer Region hilft uns, eine bessere Leistung für Ihren Standort bereitzustellen. Sie müssen sich nicht in derselben Region wie Ihr Server befinden.",
    "regionSelectorPlaceholder": "Wähle eine Region",
    "regionSelectorComingSoon": "Kommt bald",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Ende des folgenden Jahres",
    "actionLogsDescription": "Verlauf der in dieser Organisation durchgeführten Aktionen anzeigen",
    "accessLogsDescription": "Zugriffsauth-Anfragen für Ressourcen in dieser Organisation anzeigen",
-    "licenseRequiredToUse": "Um diese Funktion nutzen zu können, ist eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
+    "licenseRequiredToUse": "Eine <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> Lizenz oder <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> wird benötigt, um diese Funktion nutzen zu können. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "Um diese Funktion nutzen zu können, ist die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> erforderlich. Diese Funktion ist auch in der <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> verfügbar.",
+    "ossEnterpriseEditionRequired": "Die <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> wird benötigt, um diese Funktion nutzen zu können. Diese Funktion ist auch in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>verfügbar. <bookADemoLink>Buchen Sie eine Demo oder POC Testversion</bookADemoLink>.",
    "certResolver": "Zertifikatsauflöser",
    "certResolverDescription": "Wählen Sie den Zertifikatslöser aus, der für diese Ressource verwendet werden soll.",
    "selectCertResolver": "Zertifikatsauflöser auswählen",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
    "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
    "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
-    "approvalsEmptyStateButtonText": "Rollen verwalten"
+    "approvalsEmptyStateButtonText": "Rollen verwalten",
    "domainErrorTitle": "Wir haben Probleme mit der Überprüfung deiner Domain"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
    "resourceRawDescription": "Proxy requests over raw TCP/UDP using a port number.",
-    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. REQUIRES THE USE OF A REMOTE NODE.",
+    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
    "resourceSeeAll": "See All Resources",
@@ -1120,6 +1120,7 @@
    "setupTokenDescription": "Enter the setup token from the server console.",
    "setupTokenRequired": "Setup token is required",
    "actionUpdateSite": "Update Site",
    "actionResetSiteBandwidth": "Reset Organization Bandwidth",
    "actionListSiteRoles": "List Allowed Site Roles",
    "actionCreateResource": "Create Resource",
    "actionDeleteResource": "Delete Resource",
@@ -1427,6 +1428,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Show More",
    "regionSelectorTitle": "Select Region",
    "domainPickerRemoteExitNodeWarning": "Provided domains are not supported when sites connect to remote exit nodes. For resources to be available on remote nodes, use a custom domain instead.",
    "regionSelectorInfo": "Selecting a region helps us provide better performance for your location. You do not have to be in the same region as your server.",
    "regionSelectorPlaceholder": "Choose a region",
    "regionSelectorComingSoon": "Coming Soon",
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
    "resourceRaw": "Recurso TCP/UDP sin procesar",
    "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
-    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. REQUIERE EL USO DE UN NODO REMOTE.",
+    "resourceRawDescriptionCloud": "Las peticiones de proxy sobre TCP/UDP crudas usando un número de puerto. Requiere que los sitios se conecten a un nodo remoto.",
    "resourceCreate": "Crear Recurso",
    "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
    "resourceSeeAll": "Ver todos los recursos",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Espacio de nombres: {namespace}",
    "domainPickerShowMore": "Mostrar más",
    "regionSelectorTitle": "Seleccionar Región",
    "domainPickerRemoteExitNodeWarning": "Los dominios suministrados no son compatibles cuando los sitios se conectan a nodos de salida remotos. Para que los recursos estén disponibles en nodos remotos, utilice un dominio personalizado en su lugar.",
    "regionSelectorInfo": "Seleccionar una región nos ayuda a brindar un mejor rendimiento para tu ubicación. No tienes que estar en la misma región que tu servidor.",
    "regionSelectorPlaceholder": "Elige una región",
    "regionSelectorComingSoon": "Próximamente",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fin del año siguiente",
    "actionLogsDescription": "Ver un historial de acciones realizadas en esta organización",
    "accessLogsDescription": "Ver solicitudes de acceso a los recursos de esta organización",
-    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> para utilizar esta función. Esta característica también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Se requiere una licencia <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> para usar esta función. <bookADemoLink>Reserve una demostración o prueba POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>versión Enterprise</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "La <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> es necesaria para utilizar esta función. Esta función también está disponible en <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserva una demostración o prueba POC</bookADemoLink>.",
    "certResolver": "Resolver certificado",
    "certResolverDescription": "Seleccione la resolución de certificados a utilizar para este recurso.",
    "selectCertResolver": "Seleccionar Resolver Certificado",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
    "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
-    "approvalsEmptyStateButtonText": "Administrar roles"
+    "approvalsEmptyStateButtonText": "Administrar roles",
    "domainErrorTitle": "Estamos teniendo problemas para verificar su dominio"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
    "resourceRaw": "Ressource TCP/UDP brute",
    "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
-    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. REQUISE L'UTILISATION D'UN Nœud DE REMOTE.",
+    "resourceRawDescriptionCloud": "Requêtes de proxy sur TCP/UDP brute en utilisant un numéro de port. Nécessite des sites pour se connecter à un noeud distant.",
    "resourceCreate": "Créer une ressource",
    "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
    "resourceSeeAll": "Voir toutes les ressources",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Espace de noms : {namespace}",
    "domainPickerShowMore": "Afficher plus",
    "regionSelectorTitle": "Sélectionner Région",
    "domainPickerRemoteExitNodeWarning": "Les domaines fournis ne sont pas pris en charge lorsque les sites se connectent à des nœuds de sortie distants. Pour que les ressources soient disponibles sur des nœuds distants, utilisez un domaine personnalisé à la place.",
    "regionSelectorInfo": "Sélectionner une région nous aide à offrir de meilleures performances pour votre localisation. Vous n'avez pas besoin d'être dans la même région que votre serveur.",
    "regionSelectorPlaceholder": "Choisissez une région",
    "regionSelectorComingSoon": "Bientôt disponible",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fin de l'année suivante",
    "actionLogsDescription": "Voir l'historique des actions effectuées dans cette organisation",
    "accessLogsDescription": "Voir les demandes d'authentification d'accès aux ressources de cette organisation",
-    "licenseRequiredToUse": "Une licence <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> est nécessaire pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Une <enterpriseLicenseLink>licence Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> est requise pour utiliser cette fonctionnalité. <bookADemoLink>Réservez une démonstration ou une évaluation de POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "La version <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> est requise pour utiliser cette fonctionnalité. Cette fonctionnalité est également disponible dans <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Réservez une démo ou un essai POC</bookADemoLink>.",
    "certResolver": "Résolveur de certificat",
    "certResolverDescription": "Sélectionnez le solveur de certificat à utiliser pour cette ressource.",
    "selectCertResolver": "Sélectionnez le résolveur de certificat",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
    "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
    "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
-    "approvalsEmptyStateButtonText": "Gérer les rôles"
+    "approvalsEmptyStateButtonText": "Gérer les rôles",
    "domainErrorTitle": "Nous avons des difficultés à vérifier votre domaine"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
    "resourceRaw": "Risorsa Raw TCP/UDP",
    "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
-    "resourceRawDescriptionCloud": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta. RICHIEDE L'USO DI UN NODO REMOTO.",
+    "resourceRawDescriptionCloud": "Richiesta proxy su TCP/UDP grezzo utilizzando un numero di porta. Richiede siti per connettersi a un nodo remoto.",
    "resourceCreate": "Crea Risorsa",
    "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
    "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostra Altro",
    "regionSelectorTitle": "Seleziona regione",
    "domainPickerRemoteExitNodeWarning": "I domini forniti non sono supportati quando i siti si connettono a nodi di uscita remoti. Affinché le risorse siano disponibili su nodi remoti, utilizza invece un dominio personalizzato.",
    "regionSelectorInfo": "Selezionare una regione ci aiuta a fornire migliori performance per la tua posizione. Non devi necessariamente essere nella stessa regione del tuo server.",
    "regionSelectorPlaceholder": "Scegli una regione",
    "regionSelectorComingSoon": "Prossimamente",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fine dell'anno successivo",
    "actionLogsDescription": "Visualizza una cronologia delle azioni eseguite in questa organizzazione",
    "accessLogsDescription": "Visualizza le richieste di autenticazione di accesso per le risorse in questa organizzazione",
-    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Per utilizzare questa funzione è necessaria una licenza <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> o <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzionalità è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "L' <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> è necessaria per utilizzare questa funzione. Questa funzione è disponibile anche in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Prenota una demo o una prova POC</bookADemoLink>.",
    "certResolver": "Risolutore Di Certificato",
    "certResolverDescription": "Selezionare il risolutore di certificati da usare per questa risorsa.",
    "selectCertResolver": "Seleziona Risolutore Di Certificato",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
    "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
    "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
-    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli",
    "domainErrorTitle": "Stiamo avendo problemi a verificare il tuo dominio"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
    "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
-    "resourceRawDescriptionCloud": "원시 TCP/UDP를 포트 번호를 사용하여 프록시 요청합니다. 원격 노드 사용이 필요합니다.",
+    "resourceRawDescriptionCloud": "포트 번호를 사용하여 원격 노드에 연결해야 합니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
    "resourceSeeAll": "모든 리소스 보기",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "이름 공간: {namespace}",
    "domainPickerShowMore": "더보기",
    "regionSelectorTitle": "지역 선택",
    "domainPickerRemoteExitNodeWarning": "제공된 도메인은 원격 종료 노드에 연결된 사이트에서 지원되지 않습니다. 원격 노드에서 리소스를 사용하려면 사용자 지정 도메인을 사용하십시오.",
    "regionSelectorInfo": "지역을 선택하면 위치에 따라 더 나은 성능이 제공됩니다. 서버와 같은 지역에 있을 필요는 없습니다.",
    "regionSelectorPlaceholder": "지역 선택",
    "regionSelectorComingSoon": "곧 출시 예정",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "다음 연도 말",
    "actionLogsDescription": "이 조직에서 수행된 작업의 기록을 봅니다",
    "accessLogsDescription": "이 조직의 자원에 대한 접근 인증 요청을 확인합니다",
-    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
+    "licenseRequiredToUse": "이 기능을 사용하려면 <enterpriseLicenseLink>엔터프라이즈 에디션</enterpriseLicenseLink> 라이선스가 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다.",
+    "ossEnterpriseEditionRequired": "이 기능을 사용하려면 <enterpriseEditionLink>엔터프라이즈 에디션</enterpriseEditionLink>이(가) 필요합니다. 이 기능은 <pangolinCloudLink>판골린 클라우드</pangolinCloudLink>에서도 사용할 수 있습니다. <bookADemoLink>데모 또는 POC 체험을 예약하세요</bookADemoLink>.",
    "certResolver": "인증서 해결사",
    "certResolverDescription": "이 리소스에 사용할 인증서 해결사를 선택하세요.",
    "selectCertResolver": "인증서 해결사 선택",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "장치 승인 활성화",
    "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
    "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
-    "approvalsEmptyStateButtonText": "역할 관리"
+    "approvalsEmptyStateButtonText": "역할 관리",
    "domainErrorTitle": "도메인 확인에 문제가 발생했습니다."
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
    "resourceRaw": "Rå TCP/UDP-ressurs",
    "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
-    "resourceRawDescriptionCloud": "Proxy ber om et portnummer. Om du vil bruke et sportsnummer.",
+    "resourceRawDescriptionCloud": "Proxy forespørsler om rå TCP/UDP ved hjelp av et portnummer. Krever sider for å koble til en ekstern node.",
    "resourceCreate": "Opprett ressurs",
    "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
    "resourceSeeAll": "Se alle ressurser",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Navnerom: {namespace}",
    "domainPickerShowMore": "Vis mer",
    "regionSelectorTitle": "Velg Region",
    "domainPickerRemoteExitNodeWarning": "Tilbudte domener støttes ikke når sider kobles til eksterne avkjøringsnoder. For ressurser som skal være tilgjengelige på eksterne noder, brukes et egendefinert domene i stedet.",
    "regionSelectorInfo": "Å velge en region hjelper oss med å gi bedre ytelse for din lokasjon. Du trenger ikke være i samme region som serveren.",
    "regionSelectorPlaceholder": "Velg en region",
    "regionSelectorComingSoon": "Kommer snart",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Slutt på neste år",
    "actionLogsDescription": "Vis historikk for handlinger som er utført i denne organisasjonen",
    "accessLogsDescription": "Vis autoriseringsforespørsler for ressurser i denne organisasjonen",
-    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens er påkrevd for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "En <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisens eller <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> er påkrevd for å bruke denne funksjonen. <bookADemoLink>Bestill en demo eller POC prøveversjon</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> er nødvendig for å bruke denne funksjonen. Denne funksjonen er også tilgjengelig i <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Bestill en demo eller POC studie</bookADemoLink>.",
    "certResolver": "Sertifikat løser",
    "certResolverDescription": "Velg sertifikatløser som skal brukes for denne ressursen.",
    "selectCertResolver": "Velg sertifikatløser",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
    "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
    "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
-    "approvalsEmptyStateButtonText": "Administrer Roller"
+    "approvalsEmptyStateButtonText": "Administrer Roller",
    "domainErrorTitle": "Vi har problemer med å verifisere domenet ditt"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
    "resourceRaw": "TCP/UDP bron",
    "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
-    "resourceRawDescriptionCloud": "Proxy vraagt om onbewerkte TCP/UDP met behulp van een poortnummer. VEREIST HET GEBRUIK VAN EEN AFSTANDSBEDIENING NODE.",
+    "resourceRawDescriptionCloud": "Proxy verzoeken over rauwe TCP/UDP met behulp van een poortnummer. Vereist sites om verbinding te maken met een remote node.",
    "resourceCreate": "Bron maken",
    "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
    "resourceSeeAll": "Alle bronnen bekijken",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Naamruimte: {namespace}",
    "domainPickerShowMore": "Meer weergeven",
    "regionSelectorTitle": "Selecteer Regio",
    "domainPickerRemoteExitNodeWarning": "Opgegeven domeinen worden niet ondersteund wanneer websites verbinding maken met externe sluitnodes. Gebruik in plaats daarvan een aangepast domein. Om bronnen beschikbaar te maken op externe nodes.",
    "regionSelectorInfo": "Het selecteren van een regio helpt ons om betere prestaties te leveren voor uw locatie. U hoeft niet in dezelfde regio als uw server te zijn.",
    "regionSelectorPlaceholder": "Kies een regio",
    "regionSelectorComingSoon": "Komt binnenkort",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Einde van volgend jaar",
    "actionLogsDescription": "Bekijk een geschiedenis van acties die worden uitgevoerd in deze organisatie",
    "accessLogsDescription": "Toegangsverificatieverzoeken voor resources in deze organisatie bekijken",
-    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Een <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> licentie of <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is vereist om deze functie te gebruiken. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "De <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is vereist om deze functie te gebruiken. Deze functie is ook beschikbaar in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Boek een demo of POC trial</bookADemoLink>.",
    "certResolver": "Certificaat Resolver",
    "certResolverDescription": "Selecteer de certificaat resolver die moet worden gebruikt voor deze resource.",
    "selectCertResolver": "Certificaat Resolver selecteren",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
    "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
    "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
-    "approvalsEmptyStateButtonText": "Rollen beheren"
+    "approvalsEmptyStateButtonText": "Rollen beheren",
    "domainErrorTitle": "We ondervinden problemen bij het controleren van uw domein"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
    "resourceRaw": "Surowy zasób TCP/UDP",
    "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
-    "resourceRawDescriptionCloud": "Proxy żądania przesyłania danych nad surowym TCP/UDP przy użyciu numeru portu. Wymaga UŻYTKOWANIA PALIWA węzła.",
+    "resourceRawDescriptionCloud": "Żądania proxy nad surowym TCP/UDP przy użyciu numeru portu. Wymaga stron aby połączyć się ze zdalnym węzłem.",
    "resourceCreate": "Utwórz zasób",
    "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
    "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Przestrzeń nazw: {namespace}",
    "domainPickerShowMore": "Pokaż więcej",
    "regionSelectorTitle": "Wybierz region",
    "domainPickerRemoteExitNodeWarning": "Podane domeny nie są obsługiwane, gdy witryny łączą się ze zdalnymi węzłami wyjścia. Aby zasoby były dostępne w węzłach zdalnych, użyj domeny niestandardowej.",
    "regionSelectorInfo": "Wybór regionu pomaga nam zapewnić lepszą wydajność dla Twojej lokalizacji. Nie musisz być w tym samym regionie co Twój serwer.",
    "regionSelectorPlaceholder": "Wybierz region",
    "regionSelectorComingSoon": "Wkrótce dostępne",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Koniec następnego roku",
    "actionLogsDescription": "Zobacz historię działań wykonywanych w tej organizacji",
    "accessLogsDescription": "Wyświetl prośby o autoryzację dostępu do zasobów w tej organizacji",
-    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> . Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Do korzystania z tej funkcji wymagana jest licencja <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lub <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> . <bookADemoLink>Zarezerwuj wersję demonstracyjną lub wersję próbną POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> jest wymagany do korzystania z tej funkcji. Ta funkcja jest również dostępna w <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Zarezerwuj demo lub okres próbny POC</bookADemoLink>.",
    "certResolver": "Rozwiązywanie certyfikatów",
    "certResolverDescription": "Wybierz resolver certyfikatów do użycia dla tego zasobu.",
    "selectCertResolver": "Wybierz Resolver certyfikatów",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
    "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
    "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
-    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami",
    "domainErrorTitle": "Mamy problem z weryfikacją Twojej domeny"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
    "resourceRaw": "Recurso TCP/UDP bruto",
    "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
-    "resourceRawDescriptionCloud": "Proxy solicita sobre TCP/UDP bruto usando um número de porta. OBRIGATÓRIO O USO DE UMA NOTA REMOTA.",
+    "resourceRawDescriptionCloud": "Proxy solicita por TCP/UDP bruto usando um número de porta. Requer que sites se conectem a um nó remoto.",
    "resourceCreate": "Criar Recurso",
    "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
    "resourceSeeAll": "Ver todos os recursos",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Namespace: {namespace}",
    "domainPickerShowMore": "Mostrar Mais",
    "regionSelectorTitle": "Selecionar Região",
    "domainPickerRemoteExitNodeWarning": "Domínios fornecidos não são suportados quando os sites se conectam a nós de saída remota. Para recursos disponíveis em nós remotos, use um domínio personalizado.",
    "regionSelectorInfo": "Selecionar uma região nos ajuda a fornecer melhor desempenho para sua localização. Você não precisa estar na mesma região que seu servidor.",
    "regionSelectorPlaceholder": "Escolher uma região",
    "regionSelectorComingSoon": "Em breve",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Fim do ano seguinte",
    "actionLogsDescription": "Visualizar histórico de ações realizadas nesta organização",
    "accessLogsDescription": "Ver solicitações de autenticação de recursos nesta organização",
-    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> é necessária para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Uma licença <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> ou <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> é necessária para usar este recurso. <bookADemoLink>Reserve um teste de demonstração ou POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "O <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> é necessário para usar este recurso. Este recurso também está disponível no <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Reserve uma demonstração ou avaliação POC</bookADemoLink>.",
    "certResolver": "Resolvedor de Certificado",
    "certResolverDescription": "Selecione o resolvedor de certificados para este recurso.",
    "selectCertResolver": "Selecionar solucionador de certificado",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
    "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
    "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
-    "approvalsEmptyStateButtonText": "Gerir Funções"
+    "approvalsEmptyStateButtonText": "Gerir Funções",
    "domainErrorTitle": "Estamos tendo problemas ao verificar seu domínio"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
    "resourceRaw": "Сырой TCP/UDP-ресурс",
    "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
-    "resourceRawDescriptionCloud": "Прокси-запросы через необработанный TCP/UDP с использованием номера порта. ТРЕБУЕТЕСЬ ИСПОЛЬЗОВАТЬ НЕОБХОДИМЫ.",
+    "resourceRawDescriptionCloud": "Прокси запросы через необработанный TCP/UDP с использованием номера порта. Требуется подключение сайтов к удаленному узлу.",
    "resourceCreate": "Создание ресурса",
    "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
    "resourceSeeAll": "Посмотреть все ресурсы",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Пространство имен: {namespace}",
    "domainPickerShowMore": "Показать еще",
    "regionSelectorTitle": "Выберите регион",
    "domainPickerRemoteExitNodeWarning": "Предоставленные домены не поддерживаются при подключении сайтов к удаленным узлам. Для доступа к ресурсам на удаленных узлах используйте пользовательский домен.",
    "regionSelectorInfo": "Выбор региона помогает нам обеспечить лучшее качество обслуживания для вашего расположения. Вам необязательно находиться в том же регионе, что и ваш сервер.",
    "regionSelectorPlaceholder": "Выбор региона",
    "regionSelectorComingSoon": "Скоро будет",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Конец следующего года",
    "actionLogsDescription": "Просмотр истории действий, выполненных в этой организации",
    "accessLogsDescription": "Просмотр запросов авторизации доступа к ресурсам этой организации",
-    "licenseRequiredToUse": "Лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "licenseRequiredToUse": "Требуется лицензия на <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> или <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> для использования этой функции. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "Для использования этой функции требуется <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink>. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
+    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> требуется для использования этой функции. Эта функция также доступна в <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Забронируйте демонстрацию или пробный POC</bookADemoLink>.",
    "certResolver": "Резольвер сертификата",
    "certResolverDescription": "Выберите резолвер сертификата, который будет использоваться для этого ресурса.",
    "selectCertResolver": "Выберите резолвер сертификата",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
    "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
    "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
-    "approvalsEmptyStateButtonText": "Управление ролями"
+    "approvalsEmptyStateButtonText": "Управление ролями",
    "domainErrorTitle": "У нас возникли проблемы с проверкой вашего домена"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
    "resourceRaw": "Ham TCP/UDP Kaynağı",
    "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
-    "resourceRawDescriptionCloud": "Bir port numarası kullanarak ham TCP/UDP üzerinden istekleri proxy ile yönlendirin. UZAKTAN BİR DÜĞÜM KULLANIMINI GEREKTİRİR.",
+    "resourceRawDescriptionCloud": "Proxy isteklerini bir port numarası kullanarak ham TCP/UDP üzerinden yapın. Sitelerin uzak bir düğüme bağlanması gereklidir.",
    "resourceCreate": "Kaynak Oluştur",
    "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
    "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "Ad Alanı: {namespace}",
    "domainPickerShowMore": "Daha Fazla Göster",
    "regionSelectorTitle": "Bölge Seç",
    "domainPickerRemoteExitNodeWarning": "Belirtilen alan adları, siteler uzak çıkış düğümlerine bağlandığında desteklenmez. Kaynakların uzak düğümlerde kullanılabilir olması için özel bir alan adı kullanın.",
    "regionSelectorInfo": "Bir bölge seçmek, konumunuz için daha iyi performans sağlamamıza yardımcı olur. Sunucunuzla aynı bölgede olmanıza gerek yoktur.",
    "regionSelectorPlaceholder": "Bölge Seçin",
    "regionSelectorComingSoon": "Yakında Geliyor",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "Bir sonraki yılın sonu",
    "actionLogsDescription": "Bu organizasyondaki eylemler geçmişini görüntüleyin",
    "accessLogsDescription": "Bu organizasyondaki kaynaklar için erişim kimlik doğrulama isteklerini görüntüleyin",
-    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
+    "licenseRequiredToUse": "Bu özelliği kullanmak için bir <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> lisansı veya <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> gereklidir. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
-    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>'da da mevcuttur.",
+    "ossEnterpriseEditionRequired": "Bu özelliği kullanmak için <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> gereklidir. Bu özellik ayrıca <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>’da da mevcuttur. <bookADemoLink>Tanıtım veya POC denemesi ayarlayın</bookADemoLink>.",
    "certResolver": "Sertifika Çözücü",
    "certResolverDescription": "Bu kaynak için kullanılacak sertifika çözücüsünü seçin.",
    "selectCertResolver": "Sertifika Çözücü Seçin",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
    "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
    "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
-    "approvalsEmptyStateButtonText": "Rolleri Yönet"
+    "approvalsEmptyStateButtonText": "Rolleri Yönet",
    "domainErrorTitle": "Alan adınızı doğrulamada sorun yaşıyoruz"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -175,7 +175,7 @@
    "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
    "resourceRaw": "TCP/UDP 资源",
    "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
-    "resourceRawDescriptionCloud": "正在使用端口号的 TCP/UDP 代理请求。请使用一个REMOTE",
+    "resourceRawDescriptionCloud": "正在使用端口号使用 TCP/UDP 代理请求。需要站点连接到远程节点。",
    "resourceCreate": "创建资源",
    "resourceCreateDescription": "按照下面的步骤创建新资源",
    "resourceSeeAll": "查看所有资源",
@@ -1426,6 +1426,7 @@
    "domainPickerNamespace": "命名空间：{namespace}",
    "domainPickerShowMore": "显示更多",
    "regionSelectorTitle": "选择区域",
    "domainPickerRemoteExitNodeWarning": "当站点连接到远程退出节点时不支持所提供的域。为了资源可在远程节点上使用，请使用自定义域名。",
    "regionSelectorInfo": "选择区域以帮助提升您所在地的性能。您不必与服务器在相同的区域。",
    "regionSelectorPlaceholder": "选择一个区域",
    "regionSelectorComingSoon": "即将推出",
@@ -2342,8 +2343,8 @@
    "logRetentionEndOfFollowingYear": "下一年结束",
    "actionLogsDescription": "查看此机构执行的操作历史",
    "accessLogsDescription": "查看此机构资源的访问认证请求",
-    "licenseRequiredToUse": "需要 <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> 许可才能使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
+    "licenseRequiredToUse": "使用此功能需要<enterpriseLicenseLink>企业版</enterpriseLicenseLink>许可证或<pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>。<bookADemoLink>预约演示或POC试用</bookADemoLink>。",
-    "ossEnterpriseEditionRequired": "<enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 需要使用此功能。此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> 中使用。",
+    "ossEnterpriseEditionRequired": "需要 <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> 才能使用此功能。 此功能也可在 <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>上获取。 <bookADemoLink>预订演示或POC 试用</bookADemoLink>。",
    "certResolver": "证书解决器",
    "certResolverDescription": "选择用于此资源的证书解析器。",
    "selectCertResolver": "选择证书解析",
@@ -2680,5 +2681,6 @@
    "approvalsEmptyStateStep2Title": "启用设备批准",
    "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
    "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
-    "approvalsEmptyStateButtonText": "管理角色"
+    "approvalsEmptyStateButtonText": "管理角色",
    "domainErrorTitle": "我们在验证您的域名时遇到了问题"
 }
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
    },
    "dependencies": {
        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1004.0",
+        "@aws-sdk/client-s3": "3.1011.0",
        "@faker-js/faker": "10.3.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
@@ -62,8 +62,8 @@
        "@react-email/components": "1.0.8",
        "@react-email/render": "2.0.4",
        "@react-email/tailwind": "2.0.5",
-        "@simplewebauthn/browser": "13.2.2",
+        "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.2.3",
+        "@simplewebauthn/server": "13.3.0",
        "@tailwindcss/forms": "0.5.11",
        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
@@ -133,7 +133,7 @@
    "devDependencies": {
        "@dotenvx/dotenvx": "1.54.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.8",
+        "@react-email/preview-server": "5.2.10",
        "@tailwindcss/postcss": "4.2.1",
        "@tanstack/react-query-devtools": "5.91.3",
        "@types/better-sqlite3": "7.6.13",
@@ -159,14 +159,14 @@
        "@types/ws": "8.18.1",
        "@types/yargs": "17.0.35",
        "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.9",
+        "drizzle-kit": "0.31.10",
        "esbuild": "0.27.3",
        "esbuild-node-externals": "1.20.1",
-        "eslint": "9.39.2",
+        "eslint": "10.0.3",
-        "eslint-config-next": "16.1.6",
+        "eslint-config-next": "16.1.7",
-        "postcss": "8.5.6",
+        "postcss": "8.5.8",
        "prettier": "3.8.1",
-        "react-email": "5.2.8",
+        "react-email": "5.2.10",
        "tailwindcss": "4.2.1",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -19,6 +19,7 @@ export enum ActionsEnum {
    getSite = "getSite",
    listSites = "listSites",
    updateSite = "updateSite",
    resetSiteBandwidth = "resetSiteBandwidth",
    reGenerateSecret = "reGenerateSecret",
    createResource = "createResource",
    deleteResource = "deleteResource",
--- a/server/cleanup.ts
+++ b/server/cleanup.ts
@@ -1,8 +1,10 @@
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 import { cleanup as wsCleanup } from "#dynamic/routers/ws";
 async function cleanup() {
    await stopPingAccumulator();
    await flushBandwidthToDb();
    await flushSiteBandwidthToDb();
    await wsCleanup();
--- a/server/db/pg/driver.ts
+++ b/server/db/pg/driver.ts
@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { createPool } from "./poolConfig";
 function createDb() {
    const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
    // Create connection pools instead of individual connections
    const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
    const primaryPool = createPool(
        connectionString,
-        max: poolConfig?.max_connections || 20,
+        maxConnections,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        idleTimeoutMs,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
+        connectionTimeoutMs,
-    });
+        "primary"
    );
    const replicas = [];
@@ -55,14 +60,16 @@ function createDb() {
            })
        );
    } else {
        const maxReplicaConnections =
            poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
+            const replicaPool = createPool(
-                connectionString: conn.connection_string,
+                conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
+                maxReplicaConnections,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                idleTimeoutMs,
-                connectionTimeoutMillis:
+                connectionTimeoutMs,
-                    poolConfig?.connection_timeout_ms || 5000
+                "replica"
-            });
+            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
--- a/server/db/pg/logsDriver.ts
+++ b/server/db/pg/logsDriver.ts
@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
 import { createPool } from "./poolConfig";
 function createLogsDb() {
    // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
    // Create separate connection pool for logs database
    const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
    const primaryPool = createPool(
        connectionString,
-        max: poolConfig?.max_connections || 20,
+        maxConnections,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+        idleTimeoutMs,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
+        connectionTimeoutMs,
-    });
+        "logs-primary"
    );
    const replicas = [];
@@ -58,14 +63,16 @@ function createLogsDb() {
            })
        );
    } else {
        const maxReplicaConnections =
            poolConfig?.max_replica_connections || 20;
        for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
+            const replicaPool = createPool(
-                connectionString: conn.connection_string,
+                conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
+                maxReplicaConnections,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
+                idleTimeoutMs,
-                connectionTimeoutMillis:
+                connectionTimeoutMs,
-                    poolConfig?.connection_timeout_ms || 5000
+                "logs-replica"
-            });
+            );
            replicas.push(
                DrizzlePostgres(replicaPool, {
                    logger: process.env.QUERY_LOGGING == "true"
--- a/server/db/pg/poolConfig.ts
+++ b/server/db/pg/poolConfig.ts
@@ -0,0 +1,63 @@
 import { Pool, PoolConfig } from "pg";
 import logger from "@server/logger";
 export function createPoolConfig(
    connectionString: string,
    maxConnections: number,
    idleTimeoutMs: number,
    connectionTimeoutMs: number
 ): PoolConfig {
    return {
        connectionString,
        max: maxConnections,
        idleTimeoutMillis: idleTimeoutMs,
        connectionTimeoutMillis: connectionTimeoutMs,
        // TCP keepalive to prevent silent connection drops by NAT gateways,
        // load balancers, and other intermediate network devices (e.g. AWS
        // NAT Gateway drops idle TCP connections after ~350s)
        keepAlive: true,
        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
        // Allow connections to be released and recreated more aggressively
        // to avoid stale connections building up
        allowExitOnIdle: false
    };
 }
 export function attachPoolErrorHandlers(pool: Pool, label: string): void {
    pool.on("error", (err) => {
        // This catches errors on idle clients in the pool. Without this
        // handler an unexpected disconnect would crash the process.
        logger.error(
            `Unexpected error on idle ${label} database client: ${err.message}`
        );
    });
    pool.on("connect", (client) => {
        // Set a statement timeout on every new connection so a single slow
        // query can't block the pool forever
        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
            logger.warn(
                `Failed to set statement_timeout on ${label} client: ${err.message}`
            );
        });
    });
 }
 export function createPool(
    connectionString: string,
    maxConnections: number,
    idleTimeoutMs: number,
    connectionTimeoutMs: number,
    label: string
 ): Pool {
    const pool = new Pool(
        createPoolConfig(
            connectionString,
            maxConnections,
            idleTimeoutMs,
            connectionTimeoutMs
        )
    );
    attachPoolErrorHandlers(pool, label);
    return pool;
 }
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -216,18 +216,12 @@ export const exitNodes = pgTable("exitNodes", {
 export const siteResources = pgTable("siteResources", {
    // this is for the clients
    siteResourceId: serial("siteResourceId").primaryKey(),
    siteId: integer("siteId")
        .notNull()
        .references(() => sites.siteId, { onDelete: "cascade" }),
    orgId: varchar("orgId")
        .notNull()
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    networkId: integer("networkId").references(() => networks.networkId, {
        onDelete: "set null"
    }),
    defaultNetworkId: integer("defaultNetworkId").references(
        () => networks.networkId,
        {
            onDelete: "restrict"
        }
    ),
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
    mode: varchar("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
@@ -247,32 +241,6 @@ export const siteResources = pgTable("siteResources", {
        .default("site")
 });
 export const networks = pgTable("networks", {
    networkId: serial("networkId").primaryKey(),
    niceId: text("niceId"),
    name: text("name"),
    scope: varchar("scope")
        .$type<"global" | "resource">()
        .notNull()
        .default("global"),
    orgId: varchar("orgId")
        .references(() => orgs.orgId, {
            onDelete: "cascade"
        })
        .notNull()
 });
 export const siteNetworks = pgTable("siteNetworks", {
    siteId: integer("siteId")
        .notNull()
        .references(() => sites.siteId, {
            onDelete: "cascade"
        }),
    networkId: integer("networkId")
        .notNull()
        .references(() => networks.networkId, { onDelete: "cascade" })
 });
 export const clientSiteResources = pgTable("clientSiteResources", {
    clientId: integer("clientId")
        .notNull()
@@ -1106,4 +1074,3 @@ export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
 export type Network = InferSelectModel<typeof networks>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -82,9 +82,6 @@ export const sites = sqliteTable("sites", {
    exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
        onDelete: "set null"
    }),
    networkId: integer("networkId").references(() => networks.networkId, {
        onDelete: "set null"
    }),
    name: text("name").notNull(),
    pubKey: text("pubKey"),
    subnet: text("subnet"),
@@ -242,16 +239,12 @@ export const siteResources = sqliteTable("siteResources", {
    siteResourceId: integer("siteResourceId").primaryKey({
        autoIncrement: true
    }),
    siteId: integer("siteId")
        .notNull()
        .references(() => sites.siteId, { onDelete: "cascade" }),
    orgId: text("orgId")
        .notNull()
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    networkId: integer("networkId").references(() => networks.networkId, {
        onDelete: "set null"
    }),
    defaultNetworkId: integer("defaultNetworkId").references(
        () => networks.networkId,
        { onDelete: "restrict" }
    ),
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
    mode: text("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
@@ -273,30 +266,6 @@ export const siteResources = sqliteTable("siteResources", {
        .default("site")
 });
 export const networks = sqliteTable("networks", {
    networkId: integer("networkId").primaryKey({ autoIncrement: true }),
    niceId: text("niceId"),
    name: text("name"),
    scope: text("scope")
        .$type<"global" | "resource">()
        .notNull()
        .default("global"),
    orgId: text("orgId")
        .notNull()
        .references(() => orgs.orgId, { onDelete: "cascade" })
 });
 export const siteNetworks = sqliteTable("siteNetworks", {
    siteId: integer("siteId")
        .notNull()
        .references(() => sites.siteId, {
            onDelete: "cascade"
        }),
    networkId: integer("networkId")
        .notNull()
        .references(() => networks.networkId, { onDelete: "cascade" })
 });
 export const clientSiteResources = sqliteTable("clientSiteResources", {
    clientId: integer("clientId")
        .notNull()
@@ -1189,7 +1158,6 @@ export type ApiKey = InferSelectModel<typeof apiKeys>;
 export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
 export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;
 export type SiteResource = InferSelectModel<typeof siteResources>;
 export type Network = InferSelectModel<typeof networks>;
 export type OrgDomains = InferSelectModel<typeof orgDomains>;
 export type SetupToken = InferSelectModel<typeof setupTokens>;
 export type HostMeta = InferSelectModel<typeof hostMeta>;
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -121,8 +121,8 @@ export async function applyBlueprint({
            for (const result of clientResourcesResults) {
                if (
                    result.oldSiteResource &&
-                    JSON.stringify(result.newSites?.sort()) !==
+                    result.oldSiteResource.siteId !=
-                        JSON.stringify(result.oldSites?.sort())
+                        result.newSiteResource.siteId
                ) {
                    // query existing associations
                    const existingRoleIds = await trx
@@ -222,15 +222,13 @@ export async function applyBlueprint({
                        trx
                    );
                } else {
-                    let good = true;
+                    const [newSite] = await trx
                    for (const newSite of result.newSites) {
                        const [site] = await trx
                        .select()
                        .from(sites)
                        .innerJoin(newts, eq(sites.siteId, newts.siteId))
                        .where(
                            and(
-                                    eq(sites.siteId, newSite.siteId),
+                                eq(sites.siteId, result.newSiteResource.siteId),
                                eq(sites.orgId, orgId),
                                eq(sites.type, "newt"),
                                isNotNull(sites.pubKey)
@@ -238,30 +236,24 @@ export async function applyBlueprint({
                        )
                        .limit(1);
-                        if (!site) {
+                    if (!newSite) {
                        logger.debug(
-                                `No newt sites found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
+                            `No newt site found for client resource ${result.newSiteResource.siteResourceId}, skipping target update`
                        );
                            good = false;
                            break;
                        }
                        logger.debug(
                            `Updating client resource ${result.newSiteResource.siteResourceId} on site ${newSite.siteId}`
                        );
                    }
                    if (!good) {
                        continue;
                    }
                    logger.debug(
                        `Updating client resource ${result.newSiteResource.siteResourceId} on site ${newSite.sites.siteId}`
                    );
                    await handleMessagingForUpdatedSiteResource(
                        result.oldSiteResource,
                        result.newSiteResource,
-                        result.newSites.map((site) => ({
+                        {
-                            siteId: site.siteId,
+                            siteId: newSite.sites.siteId,
-                            orgId: result.newSiteResource.orgId
+                            orgId: newSite.sites.orgId
-                        })),
+                        },
                        trx
                    );
                }
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -3,15 +3,12 @@ import {
    clientSiteResources,
    roles,
    roleSiteResources,
    Site,
    SiteResource,
    siteNetworks,
    siteResources,
    Transaction,
    userOrgs,
    users,
-    userSiteResources,
+    userSiteResources
    networks
 } from "@server/db";
 import { sites } from "@server/db";
 import { eq, and, ne, inArray, or } from "drizzle-orm";
@@ -22,8 +19,6 @@ import { getNextAvailableAliasAddress } from "../ip";
 export type ClientResourcesResults = {
    newSiteResource: SiteResource;
    oldSiteResource?: SiteResource;
    newSites: { siteId: number }[];
    oldSites: { siteId: number }[];
 }[];
 export async function updateClientResources(
@@ -48,21 +43,12 @@ export async function updateClientResources(
            )
            .limit(1);
        const existingSiteIds = existingResource?.networkId
            ? await trx
                  .select({ siteId: sites.siteId })
                  .from(siteNetworks)
                  .where(eq(siteNetworks.networkId, existingResource.networkId))
            : [];
        let allSites: { siteId: number }[] = [];
        if (resourceData.site) {
            let siteSingle;
        const resourceSiteId = resourceData.site;
        let site;
        if (resourceSiteId) {
            // Look up site by niceId
-                [siteSingle] = await trx
+            [site] = await trx
                .select({ siteId: sites.siteId })
                .from(sites)
                .where(
@@ -74,45 +60,20 @@ export async function updateClientResources(
                .limit(1);
        } else if (siteId) {
            // Use the provided siteId directly, but verify it belongs to the org
-                [siteSingle] = await trx
+            [site] = await trx
                .select({ siteId: sites.siteId })
                .from(sites)
-                    .where(
+                .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
                        and(eq(sites.siteId, siteId), eq(sites.orgId, orgId))
                    )
                .limit(1);
        } else {
            throw new Error(`Target site is required`);
        }
-            if (!siteSingle) {
+        if (!site) {
            throw new Error(
                `Site not found: ${resourceSiteId} in org ${orgId}`
            );
        }
            allSites.push(siteSingle);
        }
        if (resourceData.sites) {
            for (const siteNiceId of resourceData.sites) {
                const [site] = await trx
                    .select({ siteId: sites.siteId })
                    .from(sites)
                    .where(
                        and(
                            eq(sites.niceId, siteNiceId),
                            eq(sites.orgId, orgId)
                        )
                    )
                    .limit(1);
                if (!site) {
                    throw new Error(
                        `Site not found: ${siteId} in org ${orgId}`
                    );
                }
                allSites.push(site);
            }
        }
        if (existingResource) {
            // Update existing resource
@@ -120,6 +81,7 @@ export async function updateClientResources(
                .update(siteResources)
                .set({
                    name: resourceData.name || resourceNiceId,
                    siteId: site.siteId,
                    mode: resourceData.mode,
                    destination: resourceData.destination,
                    enabled: true, // hardcoded for now
@@ -140,21 +102,6 @@ export async function updateClientResources(
            const siteResourceId = existingResource.siteResourceId;
            const orgId = existingResource.orgId;
            if (updatedResource.networkId) {
                await trx
                    .delete(siteNetworks)
                    .where(
                        eq(siteNetworks.networkId, updatedResource.networkId)
                    );
                for (const site of allSites) {
                    await trx.insert(siteNetworks).values({
                        siteId: site.siteId,
                        networkId: updatedResource.networkId
                    });
                }
            }
            await trx
                .delete(clientSiteResources)
                .where(eq(clientSiteResources.siteResourceId, siteResourceId));
@@ -257,9 +204,7 @@ export async function updateClientResources(
            results.push({
                newSiteResource: updatedResource,
-                oldSiteResource: existingResource,
+                oldSiteResource: existingResource
                newSites: allSites,
                oldSites: existingSiteIds
            });
        } else {
            let aliasAddress: string | null = null;
@@ -268,22 +213,13 @@ export async function updateClientResources(
                aliasAddress = await getNextAvailableAliasAddress(orgId);
            }
            const [network] = await trx
                .insert(networks)
                .values({
                    scope: "resource",
                    orgId: orgId
                })
                .returning();
            // Create new resource
            const [newResource] = await trx
                .insert(siteResources)
                .values({
                    orgId: orgId,
                    siteId: site.siteId,
                    niceId: resourceNiceId,
                    networkId: network.networkId,
                    defaultNetworkId: network.networkId,
                    name: resourceData.name || resourceNiceId,
                    mode: resourceData.mode,
                    destination: resourceData.destination,
@@ -299,13 +235,6 @@ export async function updateClientResources(
            const siteResourceId = newResource.siteResourceId;
            for (const site of allSites) {
                await trx.insert(siteNetworks).values({
                    siteId: site.siteId,
                    networkId: network.networkId
                });
            }
            const [adminRole] = await trx
                .select()
                .from(roles)
@@ -395,11 +324,7 @@ export async function updateClientResources(
                `Created new client resource ${newResource.name} (${newResource.siteResourceId}) for org ${orgId}`
            );
-            results.push({
+            results.push({ newSiteResource: newResource });
                newSiteResource: newResource,
                newSites: allSites,
                oldSites: existingSiteIds
            });
        }
    }
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -312,8 +312,7 @@ export const ClientResourceSchema = z
    .object({
        name: z.string().min(1).max(255),
        mode: z.enum(["host", "cidr"]),
-        site: z.string(), // DEPRECATED IN FAVOR OF sites
+        site: z.string(),
        sites: z.array(z.string()).optional().default([]),
        // protocol: z.enum(["tcp", "udp"]).optional(),
        // proxyPort: z.int().positive().optional(),
        // destinationPort: z.int().positive().optional(),
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -571,6 +571,129 @@ export function generateSubnetProxyTargets(
    return targets;
 }
 export type SubnetProxyTargetV2 = {
    sourcePrefixes: string[]; // must be cidrs
    destPrefix: string; // must be a cidr
    disableIcmp?: boolean;
    rewriteTo?: string; // must be a cidr
    portRange?: {
        min: number;
        max: number;
        protocol: "tcp" | "udp";
    }[];
 };
 export function generateSubnetProxyTargetV2(
    siteResource: SiteResource,
    clients: {
        clientId: number;
        pubKey: string | null;
        subnet: string | null;
    }[]
 ): SubnetProxyTargetV2 | undefined {
    if (clients.length === 0) {
        logger.debug(
            `No clients have access to site resource ${siteResource.siteResourceId}, skipping target generation.`
        );
        return;
    }
    let target: SubnetProxyTargetV2 | null = null;
    const portRange = [
        ...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
        ...parsePortRangeString(siteResource.udpPortRangeString, "udp")
    ];
    const disableIcmp = siteResource.disableIcmp ?? false;
    if (siteResource.mode == "host") {
        let destination = siteResource.destination;
        // check if this is a valid ip
        const ipSchema = z.union([z.ipv4(), z.ipv6()]);
        if (ipSchema.safeParse(destination).success) {
            destination = `${destination}/32`;
            target = {
                sourcePrefixes: [],
                destPrefix: destination,
                portRange,
                disableIcmp
            };
        }
        if (siteResource.alias && siteResource.aliasAddress) {
            // also push a match for the alias address
            target = {
                sourcePrefixes: [],
                destPrefix: `${siteResource.aliasAddress}/32`,
                rewriteTo: destination,
                portRange,
                disableIcmp
            };
        }
    } else if (siteResource.mode == "cidr") {
        target = {
            sourcePrefixes: [],
            destPrefix: siteResource.destination,
            portRange,
            disableIcmp
        };
    }
    if (!target) {
        return;
    }
    for (const clientSite of clients) {
        if (!clientSite.subnet) {
            logger.debug(
                `Client ${clientSite.clientId} has no subnet, skipping for site resource ${siteResource.siteResourceId}.`
            );
            continue;
        }
        const clientPrefix = `${clientSite.subnet.split("/")[0]}/32`;
        // add client prefix to source prefixes
        target.sourcePrefixes.push(clientPrefix);
    }
    // print a nice representation of the targets
    // logger.debug(
    //     `Generated subnet proxy targets for: ${JSON.stringify(targets, null, 2)}`
    // );
    return target;
 }
 /**
 * Converts a SubnetProxyTargetV2 to an array of SubnetProxyTarget (v1)
 * by expanding each source prefix into its own target entry.
 * @param targetV2 - The v2 target to convert
 * @returns Array of v1 SubnetProxyTarget objects
 */
 export function convertSubnetProxyTargetsV2ToV1(
     targetsV2: SubnetProxyTargetV2[]
 ): SubnetProxyTarget[] {
     return targetsV2.flatMap((targetV2) =>
         targetV2.sourcePrefixes.map((sourcePrefix) => ({
             sourcePrefix,
             destPrefix: targetV2.destPrefix,
             ...(targetV2.disableIcmp !== undefined && {
                 disableIcmp: targetV2.disableIcmp
             }),
             ...(targetV2.rewriteTo !== undefined && {
                 rewriteTo: targetV2.rewriteTo
             }),
             ...(targetV2.portRange !== undefined && {
                 portRange: targetV2.portRange
             })
         }))
     );
 }
 // Custom schema for validating port range strings
 // Format: "80,443,8000-9000" or "*" for all ports, or empty string
 export const portRangeStringSchema = z
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -302,8 +302,8 @@ export const configSchema = z
            .optional()
            .default({
                block_size: 24,
-                subnet_group: "100.90.128.0/24",
+                subnet_group: "100.90.128.0/20",
-                utility_subnet_group: "100.96.128.0/24"
+                utility_subnet_group: "100.96.128.0/20"
            }),
        rate_limits: z
            .object({
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -11,7 +11,6 @@ import {
    roleSiteResources,
    Site,
    SiteResource,
    siteNetworks,
    siteResources,
    sites,
    Transaction,
@@ -33,7 +32,7 @@ import logger from "@server/logger";
 import {
    generateAliasConfig,
    generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
    parseEndpoint,
    formatEndpoint
 } from "@server/lib/ip";
@@ -48,23 +47,15 @@ export async function getClientSiteResourceAccess(
    siteResource: SiteResource,
    trx: Transaction | typeof db = db
 ) {
-    // get all sites associated with this siteResource via its network
+    // get the site
-    const sitesList = siteResource.networkId
+    const [site] = await trx
        ? await trx
        .select()
        .from(sites)
-              .innerJoin(
+        .where(eq(sites.siteId, siteResource.siteId))
-                  siteNetworks,
+        .limit(1);
                  eq(siteNetworks.siteId, sites.siteId)
              )
              .where(eq(siteNetworks.networkId, siteResource.networkId))
              .then((rows) => rows.map((row) => row.sites))
        : [];
-    if (sitesList.length === 0) {
+    if (!site) {
-        logger.warn(
+        throw new Error(`Site with ID ${siteResource.siteId} not found`);
            `No sites found for siteResource ${siteResource.siteResourceId} with networkId ${siteResource.networkId}`
        );
    }
    const roleIds = await trx
@@ -145,7 +136,7 @@ export async function getClientSiteResourceAccess(
    const mergedAllClientIds = mergedAllClients.map((c) => c.clientId);
    return {
-        sitesList,
+        site,
        mergedAllClients,
        mergedAllClientIds
    };
@@ -161,18 +152,17 @@ export async function rebuildClientAssociationsFromSiteResource(
        subnet: string | null;
    }[];
 }> {
-    const { sitesList, mergedAllClients, mergedAllClientIds } =
+    const siteId = siteResource.siteId;
    const { site, mergedAllClients, mergedAllClientIds } =
        await getClientSiteResourceAccess(siteResource, trx);
    /////////// process the client-siteResource associations ///////////
-    // get all of the clients associated with other resources in the same network,
+    // get all of the clients associated with other resources on this site
-    // joined through siteNetworks so we know which siteId each client belongs to
+    const allUpdatedClientsFromOtherResourcesOnThisSite = await trx
    const allUpdatedClientsFromOtherResourcesOnThisSite = siteResource.networkId
        ? await trx
        .select({
-                  clientId: clientSiteResourcesAssociationsCache.clientId,
+            clientId: clientSiteResourcesAssociationsCache.clientId
                  siteId: siteNetworks.siteId
        })
        .from(clientSiteResourcesAssociationsCache)
        .innerJoin(
@@ -182,30 +172,20 @@ export async function rebuildClientAssociationsFromSiteResource(
                siteResources.siteResourceId
            )
        )
              .innerJoin(
                  siteNetworks,
                  eq(siteNetworks.networkId, siteResources.networkId)
              )
        .where(
            and(
-                      eq(siteResources.networkId, siteResource.networkId),
+                eq(siteResources.siteId, siteId),
-                      ne(
+                ne(siteResources.siteResourceId, siteResource.siteResourceId)
                          siteResources.siteResourceId,
                          siteResource.siteResourceId
            )
-                  )
+        );
              )
        : [];
-    // Build a per-site map so the loop below can check by siteId rather than
+    const allClientIdsFromOtherResourcesOnThisSite = Array.from(
-    // across the entire network.
+        new Set(
-    const clientsFromOtherResourcesBySite = new Map<number, Set<number>>();
+            allUpdatedClientsFromOtherResourcesOnThisSite.map(
-    for (const row of allUpdatedClientsFromOtherResourcesOnThisSite) {
+                (row) => row.clientId
-        if (!clientsFromOtherResourcesBySite.has(row.siteId)) {
+            )
-            clientsFromOtherResourcesBySite.set(row.siteId, new Set());
+        )
-        }
+    );
        clientsFromOtherResourcesBySite.get(row.siteId)!.add(row.clientId);
    }
    const existingClientSiteResources = await trx
        .select({
@@ -279,39 +259,31 @@ export async function rebuildClientAssociationsFromSiteResource(
    /////////// process the client-site associations ///////////
    for (const site of sitesList) {
        const siteId = site.siteId;
    const existingClientSites = await trx
        .select({
            clientId: clientSitesAssociationsCache.clientId
        })
        .from(clientSitesAssociationsCache)
-            .where(eq(clientSitesAssociationsCache.siteId, siteId));
+        .where(eq(clientSitesAssociationsCache.siteId, siteResource.siteId));
    const existingClientSiteIds = existingClientSites.map(
        (row) => row.clientId
    );
    // Get full client details for existing clients (needed for sending delete messages)
-        const existingClients =
+    const existingClients = await trx
            existingClientSiteIds.length > 0
                ? await trx
        .select({
            clientId: clients.clientId,
            pubKey: clients.pubKey,
            subnet: clients.subnet
        })
        .from(clients)
-                      .where(inArray(clients.clientId, existingClientSiteIds))
+        .where(inArray(clients.clientId, existingClientSiteIds));
                : [];
        const otherResourceClientIds = clientsFromOtherResourcesBySite.get(siteId) ?? new Set<number>();
    const clientSitesToAdd = mergedAllClientIds.filter(
        (clientId) =>
            !existingClientSiteIds.includes(clientId) &&
-                !otherResourceClientIds.has(clientId) // dont add if already connected via another site resource
+            !allClientIdsFromOtherResourcesOnThisSite.includes(clientId) // dont remove if there is still another connection for another site resource
    );
    const clientSitesToInsert = clientSitesToAdd.map((clientId) => ({
@@ -330,7 +302,7 @@ export async function rebuildClientAssociationsFromSiteResource(
    const clientSitesToRemove = existingClientSiteIds.filter(
        (clientId) =>
            !mergedAllClientIds.includes(clientId) &&
-                !otherResourceClientIds.has(clientId) // dont remove if there is still another connection for another site resource
+            !allClientIdsFromOtherResourcesOnThisSite.includes(clientId) // dont remove if there is still another connection for another site resource
    );
    if (clientSitesToRemove.length > 0) {
@@ -347,6 +319,8 @@ export async function rebuildClientAssociationsFromSiteResource(
            );
    }
    /////////// send the messages ///////////
    // Now handle the messages to add/remove peers on both the newt and olm sides
    await handleMessagesForSiteClients(
        site,
@@ -357,12 +331,10 @@ export async function rebuildClientAssociationsFromSiteResource(
        clientSitesToRemove,
        trx
    );
    }
    // Handle subnet proxy target updates for the resource associations
    await handleSubnetProxyTargetUpdates(
        siteResource,
        sitesList,
        mergedAllClients,
        existingResourceClients,
        clientSiteResourcesToAdd,
@@ -651,7 +623,6 @@ export async function updateClientSiteDestinations(
 async function handleSubnetProxyTargetUpdates(
    siteResource: SiteResource,
    sitesList: Site[],
    allClients: {
        clientId: number;
        pubKey: string | null;
@@ -666,26 +637,22 @@ async function handleSubnetProxyTargetUpdates(
    clientSiteResourcesToRemove: number[],
    trx: Transaction | typeof db = db
 ): Promise<void> {
    const proxyJobs: Promise<any>[] = [];
    const olmJobs: Promise<any>[] = [];
    for (const siteData of sitesList) {
        const siteId = siteData.siteId;
    // Get the newt for this site
    const [newt] = await trx
        .select()
        .from(newts)
-            .where(eq(newts.siteId, siteId))
+        .where(eq(newts.siteId, siteResource.siteId))
        .limit(1);
    if (!newt) {
        logger.warn(
-                `Newt not found for site ${siteId}, skipping subnet proxy target updates`
+            `Newt not found for site ${siteResource.siteId}, skipping subnet proxy target updates`
        );
-            continue;
+        return;
    }
    const proxyJobs = [];
    const olmJobs = [];
    // Generate targets for added associations
    if (clientSiteResourcesToAdd.length > 0) {
        const addedClients = allClients.filter((client) =>
@@ -693,19 +660,16 @@ async function handleSubnetProxyTargetUpdates(
        );
        if (addedClients.length > 0) {
-                const targetsToAdd = generateSubnetProxyTargets(
+            const targetToAdd = generateSubnetProxyTargetV2(
                siteResource,
                addedClients
            );
-                if (targetsToAdd.length > 0) {
+            if (targetToAdd) {
                    logger.info(
                        `Adding ${targetsToAdd.length} subnet proxy targets for siteResource ${siteResource.siteResourceId} on site ${siteId}`
                    );
                proxyJobs.push(
                    addSubnetProxyTargets(
                        newt.newtId,
-                            targetsToAdd,
+                        [targetToAdd],
                        newt.version
                    )
                );
@@ -715,7 +679,7 @@ async function handleSubnetProxyTargetUpdates(
                olmJobs.push(
                    addPeerData(
                        client.clientId,
-                            siteId,
+                        siteResource.siteId,
                        generateRemoteSubnets([siteResource]),
                        generateAliasConfig([siteResource])
                    )
@@ -733,30 +697,23 @@ async function handleSubnetProxyTargetUpdates(
        );
        if (removedClients.length > 0) {
-                const targetsToRemove = generateSubnetProxyTargets(
+            const targetToRemove = generateSubnetProxyTargetV2(
                siteResource,
                removedClients
            );
-                if (targetsToRemove.length > 0) {
+            if (targetToRemove) {
                    logger.info(
                        `Removing ${targetsToRemove.length} subnet proxy targets for siteResource ${siteResource.siteResourceId} on site ${siteId}`
                    );
                proxyJobs.push(
                    removeSubnetProxyTargets(
                        newt.newtId,
-                            targetsToRemove,
+                        [targetToRemove],
                        newt.version
                    )
                );
            }
            for (const client of removedClients) {
-                    // Check if this client still has access to another resource
+                // Check if this client still has access to another resource on this site with the same destination
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
                    // removePeerData operates per-site — a resource on a different
                    // site sharing the same network should not block removal here.
                const destinationStillInUse = await trx
                    .select()
                    .from(siteResources)
@@ -767,17 +724,13 @@ async function handleSubnetProxyTargetUpdates(
                            siteResources.siteResourceId
                        )
                    )
                        .innerJoin(
                            siteNetworks,
                            eq(siteNetworks.networkId, siteResources.networkId)
                        )
                    .where(
                        and(
                            eq(
                                clientSiteResourcesAssociationsCache.clientId,
                                client.clientId
                            ),
-                                eq(siteNetworks.siteId, siteId),
+                            eq(siteResources.siteId, siteResource.siteId),
                            eq(
                                siteResources.destination,
                                siteResource.destination
@@ -798,7 +751,7 @@ async function handleSubnetProxyTargetUpdates(
                olmJobs.push(
                    removePeerData(
                        client.clientId,
-                            siteId,
+                        siteResource.siteId,
                        remoteSubnetsToRemove,
                        generateAliasConfig([siteResource])
                    )
@@ -806,7 +759,6 @@ async function handleSubnetProxyTargetUpdates(
            }
        }
    }
    }
    await Promise.all(proxyJobs);
 }
@@ -910,25 +862,10 @@ export async function rebuildClientAssociationsFromClient(
                  )
            : [];
-    // Group by siteId for site-level associations — look up via siteNetworks since
+    // Group by siteId for site-level associations
-    // siteResources no longer carries a direct siteId column.
+    const newSiteIds = Array.from(
-    const networkIds = Array.from(
+        new Set(newSiteResources.map((sr) => sr.siteId))
        new Set(
            newSiteResources
                .map((sr) => sr.networkId)
                .filter((id): id is number => id !== null)
        )
    );
    const newSiteIds =
        networkIds.length > 0
            ? await trx
                  .select({ siteId: siteNetworks.siteId })
                  .from(siteNetworks)
                  .where(inArray(siteNetworks.networkId, networkIds))
                  .then((rows) =>
                      Array.from(new Set(rows.map((r) => r.siteId)))
                  )
            : [];
    /////////// Process client-siteResource associations ///////////
@@ -1201,45 +1138,13 @@ async function handleMessagesForClientResources(
            resourcesToAdd.includes(r.siteResourceId)
        );
        // Build (resource, siteId) pairs by looking up siteNetworks for each resource's networkId
        const addedNetworkIds = Array.from(
            new Set(
                addedResources
                    .map((r) => r.networkId)
                    .filter((id): id is number => id !== null)
            )
        );
        const addedSiteNetworkRows =
            addedNetworkIds.length > 0
                ? await trx
                      .select({
                          networkId: siteNetworks.networkId,
                          siteId: siteNetworks.siteId
                      })
                      .from(siteNetworks)
                      .where(inArray(siteNetworks.networkId, addedNetworkIds))
                : [];
        const addedNetworkToSites = new Map<number, number[]>();
        for (const row of addedSiteNetworkRows) {
            if (!addedNetworkToSites.has(row.networkId)) {
                addedNetworkToSites.set(row.networkId, []);
            }
            addedNetworkToSites.get(row.networkId)!.push(row.siteId);
        }
        // Group by site for proxy updates
        const addedBySite = new Map<number, SiteResource[]>();
        for (const resource of addedResources) {
-            const siteIds =
+            if (!addedBySite.has(resource.siteId)) {
-                resource.networkId != null
+                addedBySite.set(resource.siteId, []);
                    ? (addedNetworkToSites.get(resource.networkId) ?? [])
                    : [];
            for (const siteId of siteIds) {
                if (!addedBySite.has(siteId)) {
                    addedBySite.set(siteId, []);
                }
                addedBySite.get(siteId)!.push(resource);
            }
            addedBySite.get(resource.siteId)!.push(resource);
        }
        // Add subnet proxy targets for each site
@@ -1258,7 +1163,7 @@ async function handleMessagesForClientResources(
            }
            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1266,11 +1171,11 @@ async function handleMessagesForClientResources(
                    }
                ]);
-                if (targets.length > 0) {
+                if (target) {
                    proxyJobs.push(
                        addSubnetProxyTargets(
                            newt.newtId,
-                            targets,
+                            [target],
                            newt.version
                        )
                    );
@@ -1281,7 +1186,7 @@ async function handleMessagesForClientResources(
                    olmJobs.push(
                        addPeerData(
                            client.clientId,
-                            siteId,
+                            resource.siteId,
                            generateRemoteSubnets([resource]),
                            generateAliasConfig([resource])
                        )
@@ -1293,7 +1198,7 @@ async function handleMessagesForClientResources(
                        error.message.includes("not found")
                    ) {
                        logger.debug(
-                            `Olm data not found for client ${client.clientId} and site ${siteId}, skipping addition`
+                            `Olm data not found for client ${client.clientId} and site ${resource.siteId}, skipping removal`
                        );
                    } else {
                        throw error;
@@ -1310,45 +1215,13 @@ async function handleMessagesForClientResources(
            .from(siteResources)
            .where(inArray(siteResources.siteResourceId, resourcesToRemove));
        // Build (resource, siteId) pairs via siteNetworks
        const removedNetworkIds = Array.from(
            new Set(
                removedResources
                    .map((r) => r.networkId)
                    .filter((id): id is number => id !== null)
            )
        );
        const removedSiteNetworkRows =
            removedNetworkIds.length > 0
                ? await trx
                      .select({
                          networkId: siteNetworks.networkId,
                          siteId: siteNetworks.siteId
                      })
                      .from(siteNetworks)
                      .where(inArray(siteNetworks.networkId, removedNetworkIds))
                : [];
        const removedNetworkToSites = new Map<number, number[]>();
        for (const row of removedSiteNetworkRows) {
            if (!removedNetworkToSites.has(row.networkId)) {
                removedNetworkToSites.set(row.networkId, []);
            }
            removedNetworkToSites.get(row.networkId)!.push(row.siteId);
        }
        // Group by site for proxy updates
        const removedBySite = new Map<number, SiteResource[]>();
        for (const resource of removedResources) {
-            const siteIds =
+            if (!removedBySite.has(resource.siteId)) {
-                resource.networkId != null
+                removedBySite.set(resource.siteId, []);
                    ? (removedNetworkToSites.get(resource.networkId) ?? [])
                    : [];
            for (const siteId of siteIds) {
                if (!removedBySite.has(siteId)) {
                    removedBySite.set(siteId, []);
                }
                removedBySite.get(siteId)!.push(resource);
            }
            removedBySite.get(resource.siteId)!.push(resource);
        }
        // Remove subnet proxy targets for each site
@@ -1367,7 +1240,7 @@ async function handleMessagesForClientResources(
            }
            for (const resource of resources) {
-                const targets = generateSubnetProxyTargets(resource, [
+                const target = generateSubnetProxyTargetV2(resource, [
                    {
                        clientId: client.clientId,
                        pubKey: client.pubKey,
@@ -1375,22 +1248,18 @@ async function handleMessagesForClientResources(
                    }
                ]);
-                if (targets.length > 0) {
+                if (target) {
                    proxyJobs.push(
                        removeSubnetProxyTargets(
                            newt.newtId,
-                            targets,
+                            [target],
                            newt.version
                        )
                    );
                }
                try {
-                    // Check if this client still has access to another resource
+                    // Check if this client still has access to another resource on this site with the same destination
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
                    // removePeerData operates per-site — a resource on a different
                    // site sharing the same network should not block removal here.
                    const destinationStillInUse = await trx
                        .select()
                        .from(siteResources)
@@ -1401,17 +1270,13 @@ async function handleMessagesForClientResources(
                                siteResources.siteResourceId
                            )
                        )
                        .innerJoin(
                            siteNetworks,
                            eq(siteNetworks.networkId, siteResources.networkId)
                        )
                        .where(
                            and(
                                eq(
                                    clientSiteResourcesAssociationsCache.clientId,
                                    client.clientId
                                ),
-                                eq(siteNetworks.siteId, siteId),
+                                eq(siteResources.siteId, resource.siteId),
                                eq(
                                    siteResources.destination,
                                    resource.destination
@@ -1433,7 +1298,7 @@ async function handleMessagesForClientResources(
                    olmJobs.push(
                        removePeerData(
                            client.clientId,
-                            siteId,
+                            resource.siteId,
                            remoteSubnetsToRemove,
                            generateAliasConfig([resource])
                        )
@@ -1445,7 +1310,7 @@ async function handleMessagesForClientResources(
                        error.message.includes("not found")
                    ) {
                        logger.debug(
-                            `Olm data not found for client ${client.clientId} and site ${siteId}, skipping removal`
+                            `Olm data not found for client ${client.clientId} and site ${resource.siteId}, skipping removal`
                        );
                    } else {
                        throw error;
--- a/server/lib/sanitize.ts
+++ b/server/lib/sanitize.ts
@@ -0,0 +1,40 @@
 /**
 * Sanitize a string field before inserting into a database TEXT column.
 *
 * Two passes are applied:
 *
 * 1. Lone UTF-16 surrogates – JavaScript strings can hold unpaired surrogates
 *    (e.g. \uD800 without a following \uDC00-\uDFFF codepoint). These are
 *    valid in JS but cannot be encoded as UTF-8, triggering
 *    `report_invalid_encoding` in SQLite / Postgres. They are replaced with
 *    the Unicode replacement character U+FFFD so the data is preserved as a
 *    visible signal that something was malformed.
 *
 * 2. Null bytes and C0 control characters – SQLite stores TEXT as
 *    null-terminated C strings, so \x00 in a value causes
 *    `report_invalid_encoding`. Bots and scanners routinely inject null bytes
 *    into URLs (e.g. `/path\u0000.jpg`). All C0 control characters in the
 *    range \x00-\x1F are stripped except for the three that are legitimate in
 *    text payloads: HT (\x09), LF (\x0A), and CR (\x0D). DEL (\x7F) is also
 *    stripped.
 */
 export function sanitizeString(value: string): string;
 export function sanitizeString(
    value: string | null | undefined
 ): string | undefined;
 export function sanitizeString(
    value: string | null | undefined
 ): string | undefined {
    if (value == null) return undefined;
    return (
        value
            // Replace lone high surrogates (not followed by a low surrogate)
            // and lone low surrogates (not preceded by a high surrogate).
            .replace(
                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
                "\uFFFD"
            )
            // Strip null bytes, C0 control chars (except HT/LF/CR), and DEL.
            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
    );
 }
--- a/server/lib/tokenCache.ts
+++ b/server/lib/tokenCache.ts
@@ -0,0 +1,22 @@
 /**
 * Returns a cached plaintext token from Redis if one exists and decrypts
 * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
 * encrypted value in Redis with the given TTL, and returns it.
 *
 * Failures at the Redis layer are non-fatal – the function always falls
 * through to session creation so the caller is never blocked by a Redis outage.
 *
 * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
 * @param secret     Server secret used for AES encryption/decryption
 * @param ttlSeconds Cache TTL in seconds (should match session expiry)
 * @param createSession Factory that mints a new session and returns its raw token
 */
 export async function getOrCreateCachedToken(
    cacheKey: string,
    secret: string,
    ttlSeconds: number,
    createSession: () => Promise<string>
 ): Promise<string> {
    const token = await createSession();
    return token;
 }
--- a/server/private/cleanup.ts
+++ b/server/private/cleanup.ts
@@ -15,8 +15,10 @@ import { rateLimitService } from "#private/lib/rateLimit";
 import { cleanup as wsCleanup } from "#private/routers/ws";
 import { flushBandwidthToDb } from "@server/routers/newt/handleReceiveBandwidthMessage";
 import { flushSiteBandwidthToDb } from "@server/routers/gerbil/receiveBandwidth";
 import { stopPingAccumulator } from "@server/routers/newt/pingAccumulator";
 async function cleanup() {
    await stopPingAccumulator();
    await flushBandwidthToDb();
    await flushSiteBandwidthToDb();
    await rateLimitService.cleanup();
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -1,3 +1,16 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import NodeCache from "node-cache";
 import logger from "@server/logger";
 import { redisManager } from "@server/private/lib/redis";
@@ -24,23 +37,31 @@ setInterval(() => {
 */
 class AdaptiveCache {
    private useRedis(): boolean {
-        return redisManager.isRedisEnabled() && redisManager.getHealthStatus().isHealthy;
+        return (
            redisManager.isRedisEnabled() &&
            redisManager.getHealthStatus().isHealthy
        );
    }
    /**
     * Set a value in the cache
     * @param key - Cache key
     * @param value - Value to cache (will be JSON stringified for Redis)
-     * @param ttl - Time to live in seconds (0 = no expiration)
+     * @param ttl - Time to live in seconds (0 = no expiration; omit = 3600s for Redis)
     * @returns boolean indicating success
     */
    async set(key: string, value: any, ttl?: number): Promise<boolean> {
        const effectiveTtl = ttl === 0 ? undefined : ttl;
        const redisTtl = ttl === 0 ? undefined : (ttl ?? 3600);
        if (this.useRedis()) {
            try {
                const serialized = JSON.stringify(value);
-                const success = await redisManager.set(key, serialized, effectiveTtl);
+                const success = await redisManager.set(
                    key,
                    serialized,
                    redisTtl
                );
                if (success) {
                    logger.debug(`Set key in Redis: ${key}`);
@@ -48,7 +69,9 @@ class AdaptiveCache {
                }
                // Redis failed, fall through to local cache
-                logger.debug(`Redis set failed for key ${key}, falling back to local cache`);
+                logger.debug(
                    `Redis set failed for key ${key}, falling back to local cache`
                );
            } catch (error) {
                logger.error(`Redis set error for key ${key}:`, error);
                // Fall through to local cache
@@ -120,9 +143,14 @@ class AdaptiveCache {
                }
                // Some Redis deletes failed, fall through to local cache
-                logger.debug(`Some Redis deletes failed, falling back to local cache`);
+                logger.debug(
                    `Some Redis deletes failed, falling back to local cache`
                );
            } catch (error) {
-                logger.error(`Redis del error for keys ${keys.join(", ")}:`, error);
+                logger.error(
                    `Redis del error for keys ${keys.join(", ")}:`,
                    error
                );
                // Fall through to local cache
                deletedCount = 0;
            }
@@ -195,7 +223,9 @@ class AdaptiveCache {
     */
    async flushAll(): Promise<void> {
        if (this.useRedis()) {
-            logger.warn("Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed");
+            logger.warn(
                "Adaptive cache flushAll called - Redis flush not implemented, only local cache will be flushed"
            );
        }
        localCache.flushAll();
@@ -239,7 +269,9 @@ class AdaptiveCache {
    getTtl(key: string): number {
        // Note: This only works for local cache, Redis TTL is not supported
        if (this.useRedis()) {
-            logger.warn(`getTtl called for key ${key} but Redis TTL lookup is not implemented`);
+            logger.warn(
                `getTtl called for key ${key} but Redis TTL lookup is not implemented`
            );
        }
        const ttl = localCache.getTtl(key);
@@ -255,7 +287,9 @@ class AdaptiveCache {
     */
    keys(): string[] {
        if (this.useRedis()) {
-            logger.warn("keys() called but Redis keys are not included, only local cache keys returned");
+            logger.warn(
                "keys() called but Redis keys are not included, only local cache keys returned"
            );
        }
        return localCache.keys();
    }
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -57,7 +57,10 @@ export const privateConfigSchema = z.object({
        .object({
            host: z.string(),
            port: portSchema,
-            password: z.string().optional(),
+            password: z
                .string()
                .optional()
                .transform(getEnvOrYaml("REDIS_PASSWORD")),
            db: z.int().nonnegative().optional().default(0),
            replicas: z
                .array(
--- a/server/private/lib/tokenCache.ts
+++ b/server/private/lib/tokenCache.ts
@@ -0,0 +1,77 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import redisManager from "#private/lib/redis";
 import { encrypt, decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
 /**
 * Returns a cached plaintext token from Redis if one exists and decrypts
 * cleanly, otherwise calls `createSession` to mint a fresh token, stores the
 * encrypted value in Redis with the given TTL, and returns it.
 *
 * Failures at the Redis layer are non-fatal – the function always falls
 * through to session creation so the caller is never blocked by a Redis outage.
 *
 * @param cacheKey   Unique Redis key, e.g. `"newt:token_cache:abc123"`
 * @param secret     Server secret used for AES encryption/decryption
 * @param ttlSeconds Cache TTL in seconds (should match session expiry)
 * @param createSession Factory that mints a new session and returns its raw token
 */
 export async function getOrCreateCachedToken(
    cacheKey: string,
    secret: string,
    ttlSeconds: number,
    createSession: () => Promise<string>
 ): Promise<string> {
    if (redisManager.isRedisEnabled()) {
        try {
            const cached = await redisManager.get(cacheKey);
            if (cached) {
                const token = decrypt(cached, secret);
                if (token) {
                    logger.debug(`Token cache hit for key: ${cacheKey}`);
                    return token;
                }
                // Decryption produced an empty string – treat as a miss
                logger.warn(
                    `Token cache decryption returned empty string for key: ${cacheKey}, treating as miss`
                );
            }
        } catch (e) {
            logger.warn(
                `Token cache read/decrypt failed for key ${cacheKey}, falling through to session creation:`,
                e
            );
        }
    }
    const token = await createSession();
    if (redisManager.isRedisEnabled()) {
        try {
            const encrypted = encrypt(token, secret);
            await redisManager.set(cacheKey, encrypted, ttlSeconds);
            logger.debug(
                `Token cached in Redis for key: ${cacheKey} (TTL ${ttlSeconds}s)`
            );
        } catch (e) {
            logger.warn(
                `Token cache write failed for key ${cacheKey} (session was still created):`,
                e
            );
        }
    }
    return token;
 }
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -15,6 +15,7 @@ import { verifySessionRemoteExitNodeMiddleware } from "#private/middlewares/veri
 import { Router } from "express";
 import {
    db,
    logsDb,
    exitNodes,
    Resource,
    ResourcePassword,
@@ -81,6 +82,7 @@ import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToke
 import semver from "semver";
 import { maxmindAsnLookup } from "@server/db/maxmindAsn";
 import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";
 import { sanitizeString } from "@server/lib/sanitize";
 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -1859,24 +1861,24 @@ hybridRouter.post(
                })
                .map((logEntry) => ({
                    timestamp: logEntry.timestamp,
-                    orgId: logEntry.orgId,
+                    orgId: sanitizeString(logEntry.orgId),
-                    actorType: logEntry.actorType,
+                    actorType: sanitizeString(logEntry.actorType),
-                    actor: logEntry.actor,
+                    actor: sanitizeString(logEntry.actor),
-                    actorId: logEntry.actorId,
+                    actorId: sanitizeString(logEntry.actorId),
-                    metadata: logEntry.metadata,
+                    metadata: sanitizeString(logEntry.metadata),
                    action: logEntry.action,
                    resourceId: logEntry.resourceId,
                    reason: logEntry.reason,
-                    location: logEntry.location,
+                    location: sanitizeString(logEntry.location),
                    // userAgent: data.userAgent, // TODO: add this
                    // headers: data.body.headers,
                    // query: data.body.query,
-                    originalRequestURL: logEntry.originalRequestURL,
+                    originalRequestURL: sanitizeString(logEntry.originalRequestURL) ?? "",
-                    scheme: logEntry.scheme,
+                    scheme: sanitizeString(logEntry.scheme) ?? "",
-                    host: logEntry.host,
+                    host: sanitizeString(logEntry.host) ?? "",
-                    path: logEntry.path,
+                    path: sanitizeString(logEntry.path) ?? "",
-                    method: logEntry.method,
+                    method: sanitizeString(logEntry.method) ?? "",
-                    ip: logEntry.ip,
+                    ip: sanitizeString(logEntry.ip),
                    tls: logEntry.tls
                }));
@@ -1884,7 +1886,7 @@ hybridRouter.post(
            const batchSize = 100;
            for (let i = 0; i < logEntries.length; i += batchSize) {
                const batch = logEntries.slice(i, i + batchSize);
-                await db.insert(requestAuditLog).values(batch);
+                await logsDb.insert(requestAuditLog).values(batch);
            }
            return response(res, {
--- a/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
+++ b/server/private/routers/remoteExitNode/getRemoteExitNodeToken.ts
@@ -23,8 +23,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
    createRemoteExitNodeSession,
-    validateRemoteExitNodeSessionToken
+    validateRemoteExitNodeSessionToken,
    EXPIRES
 } from "#private/auth/sessions/remoteExitNode";
 import { getOrCreateCachedToken } from "@server/private/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -103,13 +105,22 @@ export async function getRemoteExitNodeToken(
            );
        }
-        const resToken = generateSessionToken();
+        // Return a cached token if one exists to prevent thundering herd on
        // simultaneous restarts; falls back to creating a fresh session when
        // Redis is unavailable or the cache has expired.
        const resToken = await getOrCreateCachedToken(
            `remote_exit_node:token_cache:${existingRemoteExitNode.remoteExitNodeId}`,
            config.getRawConfig().server.secret!,
            Math.floor(EXPIRES / 1000),
            async () => {
                const token = generateSessionToken();
                await createRemoteExitNodeSession(
-            resToken,
+                    token,
                    existingRemoteExitNode.remoteExitNodeId
                );
-
+                return token;
-        // logger.debug(`Created RemoteExitNode token response: ${JSON.stringify(resToken)}`);
+            }
        );
        return response<{ token: string }>(res, {
            data: {
--- a/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
+++ b/server/private/routers/remoteExitNode/handleRemoteExitNodePingMessage.ts
@@ -38,7 +38,7 @@ export const startRemoteExitNodeOfflineChecker = (): void => {
            );
            // Find clients that haven't pinged in the last 2 minutes and mark them as offline
-            const newlyOfflineNodes = await db
+            const offlineNodes = await db
                .update(exitNodes)
                .set({ online: false })
                .where(
@@ -53,32 +53,15 @@ export const startRemoteExitNodeOfflineChecker = (): void => {
                )
                .returning();
-            // Update the sites to offline if they have not pinged either
+            if (offlineNodes.length > 0) {
-            const exitNodeIds = newlyOfflineNodes.map(
+                logger.info(
-                (node) => node.exitNodeId
+                    `checkRemoteExitNodeOffline: Marked ${offlineNodes.length} remoteExitNode client(s) offline due to inactivity`
                );
-            const sitesOnNode = await db
+                for (const offlineClient of offlineNodes) {
-                .select()
+                    logger.debug(
-                .from(sites)
+                        `checkRemoteExitNodeOffline: Client ${offlineClient.exitNodeId} marked offline (lastPing: ${offlineClient.lastPing})`
                .where(
                    and(
                        eq(sites.online, true),
                        inArray(sites.exitNodeId, exitNodeIds)
                    )
                    );
            // loop through the sites and process their lastBandwidthUpdate as an iso string and if its more than 1 minute old then mark the site offline
            for (const site of sitesOnNode) {
                if (!site.lastBandwidthUpdate) {
                    continue;
                }
                const lastBandwidthUpdate = new Date(site.lastBandwidthUpdate);
                if (Date.now() - lastBandwidthUpdate.getTime() > 60 * 1000) {
                    await db
                        .update(sites)
                        .set({ online: false })
                        .where(eq(sites.siteId, site.siteId));
                }
            }
        } catch (error) {
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -21,9 +21,10 @@ import {
    roles,
    roundTripMessageTracker,
    siteResources,
-    siteNetworks,
+    sites,
    userOrgs
 } from "@server/db";
 import { logAccessAudit } from "#private/lib/logAccessAudit";
 import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import response from "@server/lib/response";
@@ -62,12 +63,10 @@ const bodySchema = z
 export type SignSshKeyResponse = {
    certificate: string;
    messageIds: number[];
    messageId: number;
    sshUsername: string;
    sshHost: string;
    resourceId: number;
    siteIds: number[];
    siteId: number;
    keyId: string;
    validPrincipals: string[];
@@ -252,7 +251,10 @@ export async function signSshKey(
                .update(userOrgs)
                .set({ pamUsername: usernameToUse })
                .where(
-                    and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId))
+                    and(
                        eq(userOrgs.orgId, orgId),
                        eq(userOrgs.userId, userId)
                    )
                );
        } else {
            usernameToUse = userOrg.pamUsername;
@@ -373,12 +375,21 @@ export async function signSshKey(
        const homedir = roleRow?.sshCreateHomeDir ?? null;
        const sudoMode = roleRow?.sshSudoMode ?? "none";
-        const sites = await db
+        // get the site
-            .select({ siteId: siteNetworks.siteId })
+        const [newt] = await db
-            .from(siteNetworks)
+            .select()
-            .where(eq(siteNetworks.networkId, resource.networkId!));
+            .from(newts)
            .where(eq(newts.siteId, resource.siteId))
            .limit(1);
-        const siteIds = sites.map((site) => site.siteId);
+        if (!newt) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Site associated with resource not found"
                )
            );
        }
        // Sign the public key
        const now = BigInt(Math.floor(Date.now() / 1000));
@@ -392,24 +403,6 @@ export async function signSshKey(
            validBefore: now + validFor
        });
        const messageIds: number[] = [];
        for (const siteId of siteIds) {
            // get the site
            const [newt] = await db
                .select()
                .from(newts)
                .where(eq(newts.siteId, siteId))
                .limit(1);
            if (!newt) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
                        "Site associated with resource not found"
                    )
                );
            }
        const [message] = await db
            .insert(roundTripMessageTracker)
            .values({
@@ -428,8 +421,6 @@ export async function signSshKey(
            );
        }
            messageIds.push(message.messageId);
        await sendToClient(newt.newtId, {
            type: `newt/pam/connection`,
            data: {
@@ -449,7 +440,6 @@ export async function signSshKey(
                }
            }
        });
        }
        const expiresIn = Number(validFor); // seconds
@@ -470,20 +460,36 @@ export async function signSshKey(
            metadata: JSON.stringify({
                resourceId: resource.siteResourceId,
                resource: resource.name,
-                siteIds: siteIds
+                siteId: resource.siteId,
            })
        });
        await logAccessAudit({
            action: true,
            type: "ssh",
            orgId: orgId,
            resourceId: resource.siteResourceId,
            user: req.user
                ? { username: req.user.username ?? "", userId: req.user.userId }
                : undefined,
            metadata: {
                resourceName: resource.name,
                siteId: resource.siteId,
                sshUsername: usernameToUse,
                sshHost: sshHost
            },
            userAgent: req.headers["user-agent"],
            requestIp: req.ip
        });
        return response<SignSshKeyResponse>(res, {
            data: {
                certificate: cert.certificate,
-                messageIds: messageIds,
+                messageId: message.messageId,
                messageId: messageIds[0], // just pick the first one for backward compatibility
                sshUsername: usernameToUse,
                sshHost: sshHost,
                resourceId: resource.siteResourceId,
-                siteIds: siteIds,
+                siteId: resource.siteId,
                siteId: siteIds[0], // just pick the first one for backward compatibility
                keyId: cert.keyId,
                validPrincipals: cert.validPrincipals,
                validAfter: cert.validAfter.toISOString(),
--- a/server/private/routers/ws/ws.ts
+++ b/server/private/routers/ws/ws.ts
@@ -19,17 +19,14 @@ import { Socket } from "net";
 import {
    Newt,
    newts,
    NewtSession,
    olms,
    Olm,
-    OlmSession,
+    olms,
    RemoteExitNode,
    RemoteExitNodeSession,
    remoteExitNodes,
    sites
 } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import logger from "@server/logger";
@@ -197,11 +194,7 @@ const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 // Config version tracking map (local to this node, resets on server restart)
 const clientConfigVersions: Map<string, number> = new Map();
-// Tracks the last Unix timestamp (seconds) at which a ping was flushed to the
+
 // DB for a given siteId. Resets on server restart which is fine – the first
 // ping after startup will always write, re-establishing the online state.
 const lastPingDbWrite: Map<number, number> = new Map();
 const PING_DB_WRITE_INTERVAL = 45; // seconds
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
@@ -853,32 +846,16 @@ const setupConnection = async (
        );
    });
    // Handle WebSocket protocol-level pings from older newt clients that do
    // not send application-level "newt/ping" messages. Update the site's
    // online state and lastPing timestamp so the offline checker treats them
    // the same as modern newt clients.
    if (clientType === "newt") {
        const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
            if (!newtClient.siteId) return;
-            const now = Math.floor(Date.now() / 1000);
+            // Record the ping in the accumulator instead of writing to the
-            const lastWrite = lastPingDbWrite.get(newtClient.siteId) ?? 0;
+            // database on every WS ping frame. The accumulator flushes all
-            if (now - lastWrite < PING_DB_WRITE_INTERVAL) return;
+            // pending pings in a single batched UPDATE every ~10s, which
-            lastPingDbWrite.set(newtClient.siteId, now);
+            // prevents connection pool exhaustion under load (especially
-            try {
+            // with cross-region latency to the database).
-                await db
+            recordPing(newtClient.siteId);
                    .update(sites)
                    .set({
                        online: true,
                        lastPing: now
                    })
                    .where(eq(sites.siteId, newtClient.siteId));
            } catch (error) {
                logger.error(
                    "Error updating newt site online state on WS ping",
                    { error }
                );
            }
        });
    }
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -5,6 +5,8 @@ import cache from "#dynamic/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
 import { sanitizeString } from "@server/lib/sanitize";
 /**
 Reasons:
@@ -253,24 +255,23 @@ export async function logRequestAudit(
        // Add to buffer instead of writing directly to DB
        auditLogBuffer.push({
            timestamp,
-            orgId: data.orgId,
+            orgId: sanitizeString(data.orgId),
-            actorType,
+            actorType: sanitizeString(actorType),
-            actor,
+            actor: sanitizeString(actor),
-            actorId,
+            actorId: sanitizeString(actorId),
-            metadata,
+            metadata: sanitizeString(metadata),
            action: data.action,
            resourceId: data.resourceId,
            reason: data.reason,
-            location: data.location,
+            location: sanitizeString(data.location),
-            originalRequestURL: body.originalRequestURL,
+            originalRequestURL: sanitizeString(body.originalRequestURL) ?? "",
-            scheme: body.scheme,
+            scheme: sanitizeString(body.scheme) ?? "",
-            host: body.host,
+            host: sanitizeString(body.host) ?? "",
-            path: body.path,
+            path: sanitizeString(body.path) ?? "",
-            method: body.method,
+            method: sanitizeString(body.method) ?? "",
-            ip: clientIp,
+            ip: sanitizeString(clientIp),
            tls: body.tls
        });
        // Flush immediately if buffer is full, otherwise schedule a flush
        if (auditLogBuffer.length >= BATCH_SIZE) {
            // Fire and forget - don't block the caller
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -70,7 +70,7 @@ async function getLatestOlmVersion(): Promise<string | null> {
        tags = tags.filter((version) => !version.name.includes("rc"));
        const latestVersion = tags[0].name;
-        olmVersionCache.set("latestOlmVersion", latestVersion);
+        olmVersionCache.set("latestOlmVersion", latestVersion, 3600);
        return latestVersion;
    } catch (error: any) {
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -71,7 +71,7 @@ async function getLatestOlmVersion(): Promise<string | null> {
        tags = tags.filter((version) => !version.name.includes("rc"));
        const latestVersion = tags[0].name;
-        olmVersionCache.set("latestOlmVersion", latestVersion);
+        olmVersionCache.set("latestOlmVersion", latestVersion, 3600);
        return latestVersion;
    } catch (error: any) {
--- a/server/routers/client/targets.ts
+++ b/server/routers/client/targets.ts
@@ -1,15 +1,54 @@
 import { sendToClient } from "#dynamic/routers/ws";
-import { db, olms, Transaction } from "@server/db";
+import { db, newts, olms } from "@server/db";
 import {
    Alias,
    convertSubnetProxyTargetsV2ToV1,
    SubnetProxyTarget,
    SubnetProxyTargetV2
 } from "@server/lib/ip";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import { Alias, SubnetProxyTarget } from "@server/lib/ip";
 import logger from "@server/logger";
 import { eq } from "drizzle-orm";
 import semver from "semver";
 const NEWT_V2_TARGETS_VERSION = ">=1.10.3";
 export async function convertTargetsIfNessicary(
    newtId: string,
    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[]
 ) {
    // get the newt
    const [newt] = await db
        .select()
        .from(newts)
        .where(eq(newts.newtId, newtId));
    if (!newt) {
        throw new Error(`No newt found for id: ${newtId}`);
    }
    // check the semver
    if (
        newt.version &&
        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
    ) {
        logger.debug(
            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
        );
        targets = convertSubnetProxyTargetsV2ToV1(
            targets as SubnetProxyTargetV2[]
        );
    }
    return targets;
 }
 export async function addTargets(
    newtId: string,
-    targets: SubnetProxyTarget[],
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[],
    version?: string | null
 ) {
    targets = await convertTargetsIfNessicary(newtId, targets);
    await sendToClient(
        newtId,
        {
@@ -22,9 +61,11 @@ export async function addTargets(
 export async function removeTargets(
    newtId: string,
-    targets: SubnetProxyTarget[],
+    targets: SubnetProxyTarget[] | SubnetProxyTargetV2[],
    version?: string | null
 ) {
    targets = await convertTargetsIfNessicary(newtId, targets);
    await sendToClient(
        newtId,
        {
@@ -38,11 +79,39 @@ export async function removeTargets(
 export async function updateTargets(
    newtId: string,
    targets: {
-        oldTargets: SubnetProxyTarget[];
+        oldTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
-        newTargets: SubnetProxyTarget[];
+        newTargets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
    },
    version?: string | null
 ) {
    // get the newt
    const [newt] = await db
        .select()
        .from(newts)
        .where(eq(newts.newtId, newtId));
    if (!newt) {
        logger.error(`addTargetsL No newt found for id: ${newtId}`);
        return;
    }
    // check the semver
    if (
        newt.version &&
        !semver.satisfies(newt.version, NEWT_V2_TARGETS_VERSION)
    ) {
        logger.debug(
            `addTargets Newt version ${newt.version} does not support targets v2 falling back`
        );
        targets = {
            oldTargets: convertSubnetProxyTargetsV2ToV1(
                targets.oldTargets as SubnetProxyTargetV2[]
            ),
            newTargets: convertSubnetProxyTargetsV2ToV1(
                targets.newTargets as SubnetProxyTargetV2[]
            )
        };
    }
    await sendToClient(
        newtId,
        {
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -135,6 +135,13 @@ authenticated.post(
    logActionAudit(ActionsEnum.updateSite),
    site.updateSite
 );
 authenticated.post(
    "/org/:orgId/reset-bandwidth",
    verifyApiKeyOrgAccess,
    verifyApiKeyHasAction(ActionsEnum.resetSiteBandwidth),
    logActionAudit(ActionsEnum.resetSiteBandwidth),
    org.resetOrgBandwidth
 );
 authenticated.delete(
    "/site/:siteId",
--- a/server/routers/newt/buildConfiguration.ts
+++ b/server/routers/newt/buildConfiguration.ts
@@ -4,10 +4,8 @@ import {
    clientSitesAssociationsCache,
    db,
    ExitNode,
    networks,
    resources,
    Site,
    siteNetworks,
    siteResources,
    targetHealthCheck,
    targets
@@ -18,8 +16,8 @@ import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
 import {
    formatEndpoint,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
-    SubnetProxyTarget
+    SubnetProxyTargetV2
 } from "@server/lib/ip";
 export async function buildClientConfigurationForNewtClient(
@@ -139,16 +137,13 @@ export async function buildClientConfigurationForNewtClient(
    // Filter out any null values from peers that didn't have an olm
    const validPeers = peers.filter((peer) => peer !== null);
-    // Get all enabled site resources for this site by joining through siteNetworks and networks
+    // Get all enabled site resources for this site
    const allSiteResources = await db
        .select()
        .from(siteResources)
-        .innerJoin(networks, eq(siteResources.networkId, networks.networkId))
+        .where(eq(siteResources.siteId, siteId));
        .innerJoin(siteNetworks, eq(networks.networkId, siteNetworks.networkId))
        .where(eq(siteNetworks.siteId, siteId))
        .then((rows) => rows.map((r) => r.siteResources));
-    const targetsToSend: SubnetProxyTarget[] = [];
+    const targetsToSend: SubnetProxyTargetV2[] = [];
    for (const resource of allSiteResources) {
        // Get clients associated with this specific resource
@@ -173,12 +168,14 @@ export async function buildClientConfigurationForNewtClient(
                )
            );
-        const resourceTargets = generateSubnetProxyTargets(
+        const resourceTarget = generateSubnetProxyTargetV2(
            resource,
            resourceClients
        );
-        targetsToSend.push(...resourceTargets);
+        if (resourceTarget) {
            targetsToSend.push(resourceTarget);
        }
    }
    return {
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -1,6 +1,8 @@
 import { generateSessionToken } from "@server/auth/sessions/app";
-import { db } from "@server/db";
+import { db, newtSessions } from "@server/db";
 import { newts } from "@server/db";
 import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { EXPIRES } from "@server/auth/sessions/newt";
 import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
 import { eq } from "drizzle-orm";
@@ -92,8 +94,19 @@ export async function getNewtToken(
            );
        }
-        const resToken = generateSessionToken();
+        // Return a cached token if one exists to prevent thundering herd on
-        await createNewtSession(resToken, existingNewt.newtId);
+        // simultaneous restarts; falls back to creating a fresh session when
        // Redis is unavailable or the cache has expired.
        const resToken = await getOrCreateCachedToken(
            `newt:token_cache:${existingNewt.newtId}`,
            config.getRawConfig().server.secret!,
            Math.floor(EXPIRES / 1000),
            async () => {
                const token = generateSessionToken();
                await createNewtSession(token, existingNewt.newtId);
                return token;
            }
        );
        return response<{ token: string; serverVersion: string }>(res, {
            data: {
--- a/server/routers/newt/handleGetConfigMessage.ts
+++ b/server/routers/newt/handleGetConfigMessage.ts
@@ -6,6 +6,7 @@ import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 import { convertTargetsIfNessicary } from "../client/targets";
 import { canCompress } from "@server/lib/clientVersionChecks";
 const inputSchema = z.object({
@@ -127,13 +128,15 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
        exitNode
    );
    const targetsToSend = await convertTargetsIfNessicary(newt.newtId, targets);
    return {
        message: {
            type: "newt/wg/receive-config",
            data: {
                ipAddress: site.address,
                peers,
-                targets
+                targets: targetsToSend
            }
        },
        options: {
--- a/server/routers/newt/handleNewtDisconnectingMessage.ts
+++ b/server/routers/newt/handleNewtDisconnectingMessage.ts
@@ -6,7 +6,9 @@ import logger from "@server/logger";
 /**
 * Handles disconnecting messages from sites to show disconnected in the ui
 */
-export const handleNewtDisconnectingMessage: MessageHandler = async (context) => {
+export const handleNewtDisconnectingMessage: MessageHandler = async (
    context
 ) => {
    const { message, client: c, sendToClient } = context;
    const newt = c as Newt;
@@ -27,7 +29,7 @@ export const handleNewtDisconnectingMessage: MessageHandler = async (context) =>
            .set({
                online: false
            })
-            .where(eq(sites.siteId, sites.siteId));
+            .where(eq(sites.siteId, newt.siteId));
    } catch (error) {
        logger.error("Error handling disconnecting message", { error });
    }
--- a/server/routers/newt/handleNewtPingMessage.ts
+++ b/server/routers/newt/handleNewtPingMessage.ts
@@ -5,6 +5,7 @@ import { Newt } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { sendNewtSyncMessage } from "./sync";
 import { recordPing } from "./pingAccumulator";
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -114,18 +115,12 @@ export const handleNewtPingMessage: MessageHandler = async (context) => {
        return;
    }
-    try {
+    // Record the ping in memory; it will be flushed to the database
-        // Mark the site as online and record the ping timestamp.
+    // periodically by the ping accumulator (every ~10s) in a single
-        await db
+    // batched UPDATE instead of one query per ping. This prevents
-            .update(sites)
+    // connection pool exhaustion under load, especially with
-            .set({
+    // cross-region latency to the database.
-                online: true,
+    recordPing(newt.siteId);
                lastPing: Math.floor(Date.now() / 1000)
            })
            .where(eq(sites.siteId, newt.siteId));
    } catch (error) {
        logger.error("Error updating online state on newt ping", { error });
    }
    // Check config version and sync if stale.
    const configVersion = await getClientConfigVersion(newt.newtId);
--- a/server/routers/newt/pingAccumulator.ts
+++ b/server/routers/newt/pingAccumulator.ts
@@ -0,0 +1,382 @@
 import { db } from "@server/db";
 import { sites, clients, olms } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import logger from "@server/logger";
 /**
 * Ping Accumulator
 *
 * Instead of writing to the database on every single newt/olm ping (which
 * causes pool exhaustion under load, especially with cross-region latency),
 * we accumulate pings in memory and flush them to the database periodically
 * in a single batch.
 *
 * This is the same pattern used for bandwidth flushing in
 * receiveBandwidth.ts and handleReceiveBandwidthMessage.ts.
 *
 * Supports two kinds of pings:
 *   - **Site pings** (from newts): update `sites.online` and `sites.lastPing`
 *   - **Client pings** (from OLMs): update `clients.online`, `clients.lastPing`,
 *     `clients.archived`, and optionally reset `olms.archived`
 */
 const FLUSH_INTERVAL_MS = 10_000; // Flush every 10 seconds
 const MAX_RETRIES = 2;
 const BASE_DELAY_MS = 50;
 // ── Site (newt) pings ──────────────────────────────────────────────────
 // Map of siteId -> latest ping timestamp (unix seconds)
 const pendingSitePings: Map<number, number> = new Map();
 // ── Client (OLM) pings ────────────────────────────────────────────────
 // Map of clientId -> latest ping timestamp (unix seconds)
 const pendingClientPings: Map<number, number> = new Map();
 // Set of olmIds whose `archived` flag should be reset to false
 const pendingOlmArchiveResets: Set<string> = new Set();
 let flushTimer: NodeJS.Timeout | null = null;
 // ── Public API ─────────────────────────────────────────────────────────
 /**
 * Record a ping for a newt site. This does NOT write to the database
 * immediately. Instead it stores the latest ping timestamp in memory,
 * to be flushed periodically by the background timer.
 */
 export function recordSitePing(siteId: number): void {
    const now = Math.floor(Date.now() / 1000);
    pendingSitePings.set(siteId, now);
 }
 /** @deprecated Use `recordSitePing` instead. Alias kept for existing call-sites. */
 export const recordPing = recordSitePing;
 /**
 * Record a ping for an OLM client. Batches the `clients` table update
 * (`online`, `lastPing`, `archived`) and, when `olmArchived` is true,
 * also queues an `olms` table update to clear the archived flag.
 */
 export function recordClientPing(
    clientId: number,
    olmId: string,
    olmArchived: boolean
 ): void {
    const now = Math.floor(Date.now() / 1000);
    pendingClientPings.set(clientId, now);
    if (olmArchived) {
        pendingOlmArchiveResets.add(olmId);
    }
 }
 // ── Flush Logic ────────────────────────────────────────────────────────
 /**
 * Flush all accumulated site pings to the database.
 */
 async function flushSitePingsToDb(): Promise<void> {
    if (pendingSitePings.size === 0) {
        return;
    }
    // Snapshot and clear so new pings arriving during the flush go into a
    // fresh map for the next cycle.
    const pingsToFlush = new Map(pendingSitePings);
    pendingSitePings.clear();
    // Sort by siteId for consistent lock ordering (prevents deadlocks)
    const sortedEntries = Array.from(pingsToFlush.entries()).sort(
        ([a], [b]) => a - b
    );
    const BATCH_SIZE = 50;
    for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
        const batch = sortedEntries.slice(i, i + BATCH_SIZE);
        try {
            await withRetry(async () => {
                // Group by timestamp for efficient bulk updates
                const byTimestamp = new Map<number, number[]>();
                for (const [siteId, timestamp] of batch) {
                    const group = byTimestamp.get(timestamp) || [];
                    group.push(siteId);
                    byTimestamp.set(timestamp, group);
                }
                if (byTimestamp.size === 1) {
                    const [timestamp, siteIds] = Array.from(
                        byTimestamp.entries()
                    )[0];
                    await db
                        .update(sites)
                        .set({
                            online: true,
                            lastPing: timestamp
                        })
                        .where(inArray(sites.siteId, siteIds));
                } else {
                    await db.transaction(async (tx) => {
                        for (const [timestamp, siteIds] of byTimestamp) {
                            await tx
                                .update(sites)
                                .set({
                                    online: true,
                                    lastPing: timestamp
                                })
                                .where(inArray(sites.siteId, siteIds));
                        }
                    });
                }
            }, "flushSitePingsToDb");
        } catch (error) {
            logger.error(
                `Failed to flush site ping batch (${batch.length} sites), re-queuing for next cycle`,
                { error }
            );
            for (const [siteId, timestamp] of batch) {
                const existing = pendingSitePings.get(siteId);
                if (!existing || existing < timestamp) {
                    pendingSitePings.set(siteId, timestamp);
                }
            }
        }
    }
 }
 /**
 * Flush all accumulated client (OLM) pings to the database.
 */
 async function flushClientPingsToDb(): Promise<void> {
    if (pendingClientPings.size === 0 && pendingOlmArchiveResets.size === 0) {
        return;
    }
    // Snapshot and clear
    const pingsToFlush = new Map(pendingClientPings);
    pendingClientPings.clear();
    const olmResetsToFlush = new Set(pendingOlmArchiveResets);
    pendingOlmArchiveResets.clear();
    // ── Flush client pings ─────────────────────────────────────────────
    if (pingsToFlush.size > 0) {
        const sortedEntries = Array.from(pingsToFlush.entries()).sort(
            ([a], [b]) => a - b
        );
        const BATCH_SIZE = 50;
        for (let i = 0; i < sortedEntries.length; i += BATCH_SIZE) {
            const batch = sortedEntries.slice(i, i + BATCH_SIZE);
            try {
                await withRetry(async () => {
                    const byTimestamp = new Map<number, number[]>();
                    for (const [clientId, timestamp] of batch) {
                        const group = byTimestamp.get(timestamp) || [];
                        group.push(clientId);
                        byTimestamp.set(timestamp, group);
                    }
                    if (byTimestamp.size === 1) {
                        const [timestamp, clientIds] = Array.from(
                            byTimestamp.entries()
                        )[0];
                        await db
                            .update(clients)
                            .set({
                                lastPing: timestamp,
                                online: true,
                                archived: false
                            })
                            .where(inArray(clients.clientId, clientIds));
                    } else {
                        await db.transaction(async (tx) => {
                            for (const [timestamp, clientIds] of byTimestamp) {
                                await tx
                                    .update(clients)
                                    .set({
                                        lastPing: timestamp,
                                        online: true,
                                        archived: false
                                    })
                                    .where(
                                        inArray(clients.clientId, clientIds)
                                    );
                            }
                        });
                    }
                }, "flushClientPingsToDb");
            } catch (error) {
                logger.error(
                    `Failed to flush client ping batch (${batch.length} clients), re-queuing for next cycle`,
                    { error }
                );
                for (const [clientId, timestamp] of batch) {
                    const existing = pendingClientPings.get(clientId);
                    if (!existing || existing < timestamp) {
                        pendingClientPings.set(clientId, timestamp);
                    }
                }
            }
        }
    }
    // ── Flush OLM archive resets ───────────────────────────────────────
    if (olmResetsToFlush.size > 0) {
        const olmIds = Array.from(olmResetsToFlush).sort();
        const BATCH_SIZE = 50;
        for (let i = 0; i < olmIds.length; i += BATCH_SIZE) {
            const batch = olmIds.slice(i, i + BATCH_SIZE);
            try {
                await withRetry(async () => {
                    await db
                        .update(olms)
                        .set({ archived: false })
                        .where(inArray(olms.olmId, batch));
                }, "flushOlmArchiveResets");
            } catch (error) {
                logger.error(
                    `Failed to flush OLM archive reset batch (${batch.length} olms), re-queuing for next cycle`,
                    { error }
                );
                for (const olmId of batch) {
                    pendingOlmArchiveResets.add(olmId);
                }
            }
        }
    }
 }
 /**
 * Flush everything — called by the interval timer and during shutdown.
 */
 export async function flushPingsToDb(): Promise<void> {
    await flushSitePingsToDb();
    await flushClientPingsToDb();
 }
 // ── Retry / Error Helpers ──────────────────────────────────────────────
 /**
 * Simple retry wrapper with exponential backoff for transient errors
 * (connection timeouts, unexpected disconnects).
 */
 async function withRetry<T>(
    operation: () => Promise<T>,
    context: string
 ): Promise<T> {
    let attempt = 0;
    while (true) {
        try {
            return await operation();
        } catch (error: any) {
            if (isTransientError(error) && attempt < MAX_RETRIES) {
                attempt++;
                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
                const jitter = Math.random() * baseDelay;
                const delay = baseDelay + jitter;
                logger.warn(
                    `Transient DB error in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
                );
                await new Promise((resolve) => setTimeout(resolve, delay));
                continue;
            }
            throw error;
        }
    }
 }
 /**
 * Detect transient connection errors that are safe to retry.
 */
 function isTransientError(error: any): boolean {
    if (!error) return false;
    const message = (error.message || "").toLowerCase();
    const causeMessage = (error.cause?.message || "").toLowerCase();
    const code = error.code || "";
    // Connection timeout / terminated
    if (
        message.includes("connection timeout") ||
        message.includes("connection terminated") ||
        message.includes("timeout exceeded when trying to connect") ||
        causeMessage.includes("connection terminated unexpectedly") ||
        causeMessage.includes("connection timeout")
    ) {
        return true;
    }
    // PostgreSQL deadlock
    if (code === "40P01" || message.includes("deadlock")) {
        return true;
    }
    // ECONNRESET, ECONNREFUSED, EPIPE
    if (
        code === "ECONNRESET" ||
        code === "ECONNREFUSED" ||
        code === "EPIPE" ||
        code === "ETIMEDOUT"
    ) {
        return true;
    }
    return false;
 }
 // ── Lifecycle ──────────────────────────────────────────────────────────
 /**
 * Start the background flush timer. Call this once at server startup.
 */
 export function startPingAccumulator(): void {
    if (flushTimer) {
        return; // Already running
    }
    flushTimer = setInterval(async () => {
        try {
            await flushPingsToDb();
        } catch (error) {
            logger.error("Unhandled error in ping accumulator flush", {
                error
            });
        }
    }, FLUSH_INTERVAL_MS);
    // Don't prevent the process from exiting
    flushTimer.unref();
    logger.info(
        `Ping accumulator started (flush interval: ${FLUSH_INTERVAL_MS}ms)`
    );
 }
 /**
 * Stop the background flush timer and perform a final flush.
 * Call this during graceful shutdown.
 */
 export async function stopPingAccumulator(): Promise<void> {
    if (flushTimer) {
        clearInterval(flushTimer);
        flushTimer = null;
    }
    // Final flush to persist any remaining pings
    try {
        await flushPingsToDb();
    } catch (error) {
        logger.error("Error during final ping accumulator flush", { error });
    }
    logger.info("Ping accumulator stopped");
 }
 /**
 * Get the number of pending (unflushed) pings. Useful for monitoring.
 */
 export function getPendingPingCount(): number {
    return pendingSitePings.size + pendingClientPings.size;
 }
--- a/server/routers/olm/buildConfiguration.ts
+++ b/server/routers/olm/buildConfiguration.ts
@@ -4,8 +4,6 @@ import {
    clientSitesAssociationsCache,
    db,
    exitNodes,
    networks,
    siteNetworks,
    siteResources,
    sites
 } from "@server/db";
@@ -61,17 +59,9 @@ export async function buildSiteConfigurationForOlmClient(
                    clientSiteResourcesAssociationsCache.siteResourceId
                )
            )
            .innerJoin(
                networks,
                eq(siteResources.networkId, networks.networkId)
            )
            .innerJoin(
                siteNetworks,
                eq(networks.networkId, siteNetworks.networkId)
            )
            .where(
                and(
-                    eq(siteNetworks.siteId, site.siteId),
+                    eq(siteResources.siteId, site.siteId),
                    eq(
                        clientSiteResourcesAssociationsCache.clientId,
                        client.clientId
@@ -79,7 +69,6 @@ export async function buildSiteConfigurationForOlmClient(
                )
            );
        if (jitMode) {
            // Add site configuration to the array
            siteConfigurations.push({
--- a/server/routers/olm/getOlmToken.ts
+++ b/server/routers/olm/getOlmToken.ts
@@ -8,7 +8,7 @@ import {
    ExitNode,
    exitNodes,
    sites,
-    clientSitesAssociationsCache
+    clientSitesAssociationsCache,
 } from "@server/db";
 import { olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
@@ -20,8 +20,10 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import {
    createOlmSession,
-    validateOlmSessionToken
+    validateOlmSessionToken,
    EXPIRES
 } from "@server/auth/sessions/olm";
 import { getOrCreateCachedToken } from "#dynamic/lib/tokenCache";
 import { verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
 import config from "@server/lib/config";
@@ -132,8 +134,19 @@ export async function getOlmToken(
        logger.debug("Creating new olm session token");
-        const resToken = generateSessionToken();
+        // Return a cached token if one exists to prevent thundering herd on
-        await createOlmSession(resToken, existingOlm.olmId);
+        // simultaneous restarts; falls back to creating a fresh session when
        // Redis is unavailable or the cache has expired.
        const resToken = await getOrCreateCachedToken(
            `olm:token_cache:${existingOlm.olmId}`,
            config.getRawConfig().server.secret!,
            Math.floor(EXPIRES / 1000),
            async () => {
                const token = generateSessionToken();
                await createOlmSession(token, existingOlm.olmId);
                return token;
            }
        );
        let clientIdToUse;
        if (orgId) {
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -3,6 +3,7 @@ import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import { recordClientPing } from "@server/routers/newt/pingAccumulator";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
@@ -201,22 +202,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
            await sendOlmSyncMessage(olm, client);
        }
-        // Update the client's last ping timestamp
+        // Record the ping in memory; it will be flushed to the database
-        await db
+        // periodically by the ping accumulator (every ~10s) in a single
-            .update(clients)
+        // batched UPDATE instead of one query per ping. This prevents
-            .set({
+        // connection pool exhaustion under load, especially with
-                lastPing: Math.floor(Date.now() / 1000),
+        // cross-region latency to the database.
-                online: true,
+        recordClientPing(olm.clientId, olm.olmId, !!olm.archived);
                archived: false
            })
            .where(eq(clients.clientId, olm.clientId));
        if (olm.archived) {
            await db
                .update(olms)
                .set({ archived: false })
                .where(eq(olms.olmId, olm.olmId));
        }
    } catch (error) {
        logger.error("Error handling ping message", { error });
    }
--- a/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
+++ b/server/routers/olm/handleOlmServerInitAddPeerHandshake.ts
@@ -4,12 +4,10 @@ import {
    db,
    exitNodes,
    Site,
-    siteNetworks,
+    siteResources
    siteResources,
    sites
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Olm } from "@server/db";
+import { clients, Olm, sites } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { initPeerAddHandshake } from "./peers";
@@ -46,31 +44,20 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
    const { siteId, resourceId, chainId } = message.data;
-    const sendCancel = async () => {
+    let site: Site | null = null;
        await sendToClient(
            olm.olmId,
            {
                type: "olm/wg/peer/chain/cancel",
                data: { chainId }
            },
            { incrementConfigVersion: false }
        ).catch((error) => {
            logger.warn(`Error sending message:`, error);
        });
    };
    let sitesToProcess: Site[] = [];
    if (siteId) {
        // get the site
        const [siteRes] = await db
            .select()
            .from(sites)
            .where(eq(sites.siteId, siteId))
            .limit(1);
        if (siteRes) {
-            sitesToProcess = [siteRes];
+            site = siteRes;
        }
-    } else if (resourceId) {
+    }
    if (resourceId && !site) {
        const resources = await db
            .select()
            .from(siteResources)
@@ -85,17 +72,27 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
            );
        if (!resources || resources.length === 0) {
-            logger.error(
+            logger.error(`handleOlmServerPeerAddMessage: Resource not found`);
-                `handleOlmServerInitAddPeerHandshake: Resource not found`
+            // cancel the request from the olm side to not keep doing this
-            );
+            await sendToClient(
-            await sendCancel();
+                olm.olmId,
                {
                    type: "olm/wg/peer/chain/cancel",
                    data: {
                        chainId
                    }
                },
                { incrementConfigVersion: false }
            ).catch((error) => {
                logger.warn(`Error sending message:`, error);
            });
            return;
        }
        if (resources.length > 1) {
            // error but this should not happen because the nice id cant contain a dot and the alias has to have a dot and both have to be unique within the org so there should never be multiple matches
            logger.error(
-                `handleOlmServerInitAddPeerHandshake: Multiple resources found matching the criteria`
+                `handleOlmServerPeerAddMessage: Multiple resources found matching the criteria`
            );
            return;
        }
@@ -120,61 +117,47 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
        if (currentResourceAssociationCaches.length === 0) {
            logger.error(
-                `handleOlmServerInitAddPeerHandshake: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
+                `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to resource ${resource.siteResourceId}`
            );
-            await sendCancel();
+            // cancel the request from the olm side to not keep doing this
            await sendToClient(
                olm.olmId,
                {
                    type: "olm/wg/peer/chain/cancel",
                    data: {
                        chainId
                    }
                },
                { incrementConfigVersion: false }
            ).catch((error) => {
                logger.warn(`Error sending message:`, error);
            });
            return;
        }
-        if (!resource.networkId) {
+        const siteIdFromResource = resource.siteId;
            logger.error(
                `handleOlmServerInitAddPeerHandshake: Resource ${resource.siteResourceId} has no network`
            );
            await sendCancel();
            return;
        }
-        // Get all sites associated with this resource's network via siteNetworks
+        // get the site
-        const siteRows = await db
+        const [siteRes] = await db
            .select({ siteId: siteNetworks.siteId })
            .from(siteNetworks)
            .where(eq(siteNetworks.networkId, resource.networkId));
        if (!siteRows || siteRows.length === 0) {
            logger.error(
                `handleOlmServerInitAddPeerHandshake: No sites found for resource ${resource.siteResourceId}`
            );
            await sendCancel();
            return;
        }
        // Fetch full site objects for all network members
        const foundSites = await Promise.all(
            siteRows.map(async ({ siteId: sid }) => {
                const [s] = await db
            .select()
            .from(sites)
-                    .where(eq(sites.siteId, sid))
+            .where(eq(sites.siteId, siteIdFromResource));
-                    .limit(1);
+        if (!siteRes) {
                return s ?? null;
            })
        );
        sitesToProcess = foundSites.filter((s): s is Site => s !== null);
    }
    if (sitesToProcess.length === 0) {
            logger.error(
-            `handleOlmServerInitAddPeerHandshake: No sites to process`
+                `handleOlmServerPeerAddMessage: Site with ID ${site} not found`
            );
        await sendCancel();
            return;
        }
-    let handshakeInitiated = false;
+        site = siteRes;
    }
-    for (const site of sitesToProcess) {
+    if (!site) {
-        // Check if the client can access this site using the cache
+        logger.error(`handleOlmServerPeerAddMessage: Site not found`);
        return;
    }
    // check if the client can access this site using the cache
    const currentSiteAssociationCaches = await db
        .select()
        .from(clientSitesAssociationsCache)
@@ -186,19 +169,46 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
        );
    if (currentSiteAssociationCaches.length === 0) {
-            logger.warn(
+        logger.error(
-                `handleOlmServerInitAddPeerHandshake: Client ${client.clientId} does not have access to site ${site.siteId}, skipping`
+            `handleOlmServerPeerAddMessage: Client ${client.clientId} does not have access to site ${site.siteId}`
        );
-            continue;
+        // cancel the request from the olm side to not keep doing this
        await sendToClient(
            olm.olmId,
            {
                type: "olm/wg/peer/chain/cancel",
                data: {
                    chainId
                }
            },
            { incrementConfigVersion: false }
        ).catch((error) => {
            logger.warn(`Error sending message:`, error);
        });
        return;
    }
    if (!site.exitNodeId) {
        logger.error(
-                `handleOlmServerInitAddPeerHandshake: Site ${site.siteId} has no exit node, skipping`
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
        );
-            continue;
+        // cancel the request from the olm side to not keep doing this
        await sendToClient(
            olm.olmId,
            {
                type: "olm/wg/peer/chain/cancel",
                data: {
                    chainId
                }
            },
            { incrementConfigVersion: false }
        ).catch((error) => {
            logger.warn(`Error sending message:`, error);
        });
        return;
    }
    // get the exit node from the side
    const [exitNode] = await db
        .select()
        .from(exitNodes)
@@ -206,13 +216,15 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
    if (!exitNode) {
        logger.error(
-                `handleOlmServerInitAddPeerHandshake: Exit node not found for site ${site.siteId}, skipping`
+            `handleOlmServerPeerAddMessage: Site with ID ${site.siteId} has no exit node`
        );
-            continue;
+        return;
    }
-        // Trigger the peer add handshake — if the peer was already added this will be a no-op
+    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
    // if it has already been added this will be a no-op
    await initPeerAddHandshake(
        // this will kick off the add peer process for the client
        client.clientId,
        {
            siteId: site.siteId,
@@ -225,15 +237,5 @@ export const handleOlmServerInitAddPeerHandshake: MessageHandler = async (
        chainId
    );
        handshakeInitiated = true;
    }
    if (!handshakeInitiated) {
        logger.error(
            `handleOlmServerInitAddPeerHandshake: No accessible sites with valid exit nodes found, cancelling chain`
        );
        await sendCancel();
    }
    return;
 };
--- a/server/routers/olm/handleOlmServerPeerAddMessage.ts
+++ b/server/routers/olm/handleOlmServerPeerAddMessage.ts
@@ -1,25 +1,43 @@
 import {
    Client,
    clientSiteResourcesAssociationsCache,
    db,
-    networks,
+    ExitNode,
-    siteNetworks,
+    Org,
    orgs,
    roleClients,
    roles,
    siteResources,
    Transaction,
    userClients,
    userOrgs,
    users
 } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
 import {
    clients,
    clientSitesAssociationsCache,
    exitNodes,
    Olm,
    olms,
    sites
 } from "@server/db";
 import { and, eq, inArray, isNotNull, isNull } from "drizzle-orm";
 import { addPeer, deletePeer } from "../newt/peers";
 import logger from "@server/logger";
 import { listExitNodes } from "#dynamic/lib/exitNodes";
 import {
    generateAliasConfig,
    getNextAvailableClientSubnet
 } from "@server/lib/ip";
 import { generateRemoteSubnets } from "@server/lib/ip";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { validateSessionToken } from "@server/auth/sessions/app";
 import config from "@server/lib/config";
 import {
    addPeer as newtAddPeer,
    deletePeer as newtDeletePeer
 } from "@server/routers/newt/peers";
 export const handleOlmServerPeerAddMessage: MessageHandler = async (
@@ -135,22 +153,14 @@ export const handleOlmServerPeerAddMessage: MessageHandler = async (
                clientSiteResourcesAssociationsCache.siteResourceId
            )
        )
        .innerJoin(
            networks,
            eq(siteResources.networkId, networks.networkId)
        )
        .innerJoin(
            siteNetworks,
            and(
                eq(networks.networkId, siteNetworks.networkId),
                eq(siteNetworks.siteId, site.siteId)
            )
        )
        .where(
            and(
                eq(siteResources.siteId, site.siteId),
                eq(
                    clientSiteResourcesAssociationsCache.clientId,
                    client.clientId
                )
            )
        );
    // Return connect message with all site configurations
--- a/server/routers/org/index.ts
+++ b/server/routers/org/index.ts
@@ -8,3 +8,4 @@ export * from "./getOrgOverview";
 export * from "./listOrgs";
 export * from "./pickOrgDefaults";
 export * from "./checkOrgUserAccess";
 export * from "./resetOrgBandwidth";
--- a/server/routers/org/resetOrgBandwidth.ts
+++ b/server/routers/org/resetOrgBandwidth.ts
@@ -0,0 +1,83 @@
 import { NextFunction, Request, Response } from "express";
 import { z } from "zod";
 import { db, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 const resetOrgBandwidthParamsSchema = z.strictObject({
    orgId: z.string()
 });
 registry.registerPath({
    method: "post",
    path: "/org/{orgId}/reset-bandwidth",
    description: "Reset all sites in selected organization bandwidth counters.",
    tags: [OpenAPITags.Org, OpenAPITags.Site],
    request: {
        params: resetOrgBandwidthParamsSchema
    },
    responses: {}
 });
 export async function resetOrgBandwidth(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = resetOrgBandwidthParamsSchema.safeParse(
            req.params
        );
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const { orgId } = parsedParams.data;
        const [site] = await db
            .select({ siteId: sites.siteId })
            .from(sites)
            .where(eq(sites.orgId, orgId))
            .limit(1);
        if (!site) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `No sites found in org ${orgId}`
                )
            );
        }
        await db
            .update(sites)
            .set({
                megabytesIn: 0,
                megabytesOut: 0
            })
            .where(eq(sites.orgId, orgId));
        return response(res, {
            data: {},
            success: true,
            error: false,
            message: "Sites bandwidth reset successfully",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error(error);
        return next(
            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
        );
    }
 }
--- a/server/routers/site/deleteSite.ts
+++ b/server/routers/site/deleteSite.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, Site, siteNetworks, siteResources } from "@server/db";
+import { db, Site, siteResources } from "@server/db";
 import { newts, newtSessions, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -71,24 +71,19 @@ export async function deleteSite(
                    await deletePeer(site.exitNodeId!, site.pubKey);
                }
            } else if (site.type == "newt") {
-                const networks = await trx
+                // delete all of the site resources on this site
-                    .select({ networkId: siteNetworks.networkId })
+                const siteResourcesOnSite = trx
-                    .from(siteNetworks)
+                    .delete(siteResources)
-                    .where(eq(siteNetworks.siteId, siteId));
+                    .where(eq(siteResources.siteId, siteId))
                    .returning();
                // loop through them
-                for (const network of await networks) {
+                for (const removedSiteResource of await siteResourcesOnSite) {
                    const [siteResource] = await trx
                        .select()
                        .from(siteResources)
                        .where(eq(siteResources.networkId, network.networkId));
                    if (siteResource) {
                    await rebuildClientAssociationsFromSiteResource(
-                            siteResource,
+                        removedSiteResource,
                        trx
                    );
                }
                }
                // get the newt on the site by querying the newt table for siteId
                const [deletedNewt] = await trx
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -55,7 +55,7 @@ async function getLatestNewtVersion(): Promise<string | null> {
        tags = tags.filter((version) => !version.name.includes("rc"));
        const latestVersion = tags[0].name;
-        await cache.set("latestNewtVersion", latestVersion);
+        await cache.set("latestNewtVersion", latestVersion, 3600);
        return latestVersion;
    } catch (error: any) {
@@ -180,7 +180,7 @@ registry.registerPath({
    method: "get",
    path: "/org/{orgId}/sites",
    description: "List all sites in an organization",
-    tags: [OpenAPITags.Site],
+    tags: [OpenAPITags.Org, OpenAPITags.Site],
    request: {
        params: listSitesParamsSchema,
        query: listSitesSchema
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -5,8 +5,6 @@ import {
    orgs,
    roles,
    roleSiteResources,
    siteNetworks,
    networks,
    SiteResource,
    siteResources,
    sites,
@@ -25,7 +23,7 @@ import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
 import HttpCode from "@server/types/HttpCode";
-import { and, eq, inArray } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
 import { z } from "zod";
@@ -39,7 +37,7 @@ const createSiteResourceSchema = z
    .strictObject({
        name: z.string().min(1).max(255),
        mode: z.enum(["host", "cidr", "port"]),
-        siteIds: z.array(z.int()),
+        siteId: z.int(),
        // protocol: z.enum(["tcp", "udp"]).optional(),
        // proxyPort: z.int().positive().optional(),
        // destinationPort: z.int().positive().optional(),
@@ -90,7 +88,7 @@ const createSiteResourceSchema = z
        },
        {
            message:
-                "Destination must be a valid IP address or valid domain AND alias is required"
+                "Destination must be a valid IPV4 address or valid domain AND alias is required"
        }
    )
    .refine(
@@ -161,7 +159,7 @@ export async function createSiteResource(
        const { orgId } = parsedParams.data;
        const {
            name,
-            siteIds,
+            siteId,
            mode,
            // protocol,
            // proxyPort,
@@ -180,16 +178,14 @@ export async function createSiteResource(
        } = parsedBody.data;
        // Verify the site exists and belongs to the org
-        const sitesToAssign = await db
+        const [site] = await db
            .select()
            .from(sites)
-            .where(and(inArray(sites.siteId, siteIds), eq(sites.orgId, orgId)))
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
            .limit(1);
-        if (sitesToAssign.length !== siteIds.length) {
+        if (!site) {
-            return next(
+            return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
                createHttpError(HttpCode.NOT_FOUND, "Some site not found")
            );
        }
        const [org] = await db
@@ -291,29 +287,12 @@ export async function createSiteResource(
        let newSiteResource: SiteResource | undefined;
        await db.transaction(async (trx) => {
            const [network] = await trx
                .insert(networks)
                .values({
                    scope: "resource",
                    orgId: orgId
                })
                .returning();
            if (!network) {
                return next(
                    createHttpError(
                        HttpCode.INTERNAL_SERVER_ERROR,
                        `Failed to create network`
                    )
                );
            }
            // Create the site resource
            const insertValues: typeof siteResources.$inferInsert = {
                siteId,
                niceId,
                orgId,
                name,
                networkId: network.networkId,
                mode: mode as "host" | "cidr",
                destination,
                enabled,
@@ -338,13 +317,6 @@ export async function createSiteResource(
            //////////////////// update the associations ////////////////////
            for (const siteId of siteIds) {
                await trx.insert(siteNetworks).values({
                    siteId: siteId,
                    networkId: network.networkId
                });
            }
            const [adminRole] = await trx
                .select()
                .from(roles)
@@ -387,22 +359,17 @@ export async function createSiteResource(
                );
            }
            for (const siteToAssign of sitesToAssign) {
            const [newt] = await trx
                .select()
                .from(newts)
-                    .where(eq(newts.siteId, siteToAssign.siteId))
+                .where(eq(newts.siteId, site.siteId))
                .limit(1);
            if (!newt) {
                return next(
-                        createHttpError(
+                    createHttpError(HttpCode.NOT_FOUND, "Newt not found")
                            HttpCode.NOT_FOUND,
                            `Newt not found for site ${siteToAssign.siteId}`
                        )
                );
            }
            }
            await rebuildClientAssociationsFromSiteResource(
                newSiteResource,
@@ -420,7 +387,7 @@ export async function createSiteResource(
        }
        logger.info(
-            `Created site resource ${newSiteResource.siteResourceId} for org ${orgId}`
+            `Created site resource ${newSiteResource.siteResourceId} for site ${siteId}`
        );
        return response(res, {
--- a/server/routers/siteResource/deleteSiteResource.ts
+++ b/server/routers/siteResource/deleteSiteResource.ts
@@ -70,18 +70,17 @@ export async function deleteSiteResource(
                .where(and(eq(siteResources.siteResourceId, siteResourceId)))
                .returning();
-            // not sure why this is here...
+            const [newt] = await trx
-            // const [newt] = await trx
+                .select()
-            //     .select()
+                .from(newts)
-            //     .from(newts)
+                .where(eq(newts.siteId, removedSiteResource.siteId))
-            //     .where(eq(newts.siteId, removedSiteResource.siteId))
+                .limit(1);
            //     .limit(1);
-            // if (!newt) {
+            if (!newt) {
-            //     return next(
+                return next(
-            //         createHttpError(HttpCode.NOT_FOUND, "Newt not found")
+                    createHttpError(HttpCode.NOT_FOUND, "Newt not found")
-            //     );
+                );
-            // }
+            }
            await rebuildClientAssociationsFromSiteResource(
                removedSiteResource,
--- a/server/routers/siteResource/getSiteResource.ts
+++ b/server/routers/siteResource/getSiteResource.ts
@@ -17,34 +17,38 @@ const getSiteResourceParamsSchema = z.strictObject({
        .transform((val) => (val ? Number(val) : undefined))
        .pipe(z.int().positive().optional())
        .optional(),
    siteId: z.string().transform(Number).pipe(z.int().positive()),
    niceId: z.string().optional(),
    orgId: z.string()
 });
 async function query(
    siteResourceId?: number,
    siteId?: number,
    niceId?: string,
    orgId?: string
 ) {
-    if (siteResourceId && orgId) {
+    if (siteResourceId && siteId && orgId) {
        const [siteResource] = await db
            .select()
            .from(siteResources)
            .where(
                and(
                    eq(siteResources.siteResourceId, siteResourceId),
                    eq(siteResources.siteId, siteId),
                    eq(siteResources.orgId, orgId)
                )
            )
            .limit(1);
        return siteResource;
-    } else if (niceId && orgId) {
+    } else if (niceId && siteId && orgId) {
        const [siteResource] = await db
            .select()
            .from(siteResources)
            .where(
                and(
                    eq(siteResources.niceId, niceId),
                    eq(siteResources.siteId, siteId),
                    eq(siteResources.orgId, orgId)
                )
            )
@@ -80,6 +84,7 @@ registry.registerPath({
    request: {
        params: z.object({
            niceId: z.string(),
            siteId: z.number(),
            orgId: z.string()
        })
    },
@@ -102,10 +107,10 @@ export async function getSiteResource(
            );
        }
-        const { siteResourceId, niceId, orgId } = parsedParams.data;
+        const { siteResourceId, siteId, niceId, orgId } = parsedParams.data;
        // Get the site resource
-        const siteResource = await query(siteResourceId, niceId, orgId);
+        const siteResource = await query(siteResourceId, siteId, niceId, orgId);
        if (!siteResource) {
            return next(
--- a/server/routers/siteResource/listAllSiteResourcesByOrg.ts
+++ b/server/routers/siteResource/listAllSiteResourcesByOrg.ts
@@ -1,4 +1,4 @@
-import { db, SiteResource, siteNetworks, siteResources, sites } from "@server/db";
+import { db, SiteResource, siteResources, sites } from "@server/db";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -73,10 +73,9 @@ const listAllSiteResourcesByOrgQuerySchema = z.object({
 export type ListAllSiteResourcesByOrgResponse = PaginatedResponse<{
    siteResources: (SiteResource & {
-        siteIds: number[];
+        siteName: string;
-        siteNames: string[];
+        siteNiceId: string;
-        siteNiceIds: string[];
+        siteAddress: string | null;
        siteAddresses: (string | null)[];
    })[];
 }>;
@@ -84,6 +83,7 @@ function querySiteResourcesBase() {
    return db
        .select({
            siteResourceId: siteResources.siteResourceId,
            siteId: siteResources.siteId,
            orgId: siteResources.orgId,
            niceId: siteResources.niceId,
            name: siteResources.name,
@@ -100,20 +100,14 @@ function querySiteResourcesBase() {
            disableIcmp: siteResources.disableIcmp,
            authDaemonMode: siteResources.authDaemonMode,
            authDaemonPort: siteResources.authDaemonPort,
-            networkId: siteResources.networkId,
+            siteName: sites.name,
-            defaultNetworkId: siteResources.defaultNetworkId,
+            siteNiceId: sites.niceId,
-            siteNames: sql<string[]>`array_agg(${sites.name})`,
+            siteAddress: sites.address
            siteNiceIds: sql<string[]>`array_agg(${sites.niceId})`,
            siteIds: sql<number[]>`array_agg(${sites.siteId})`,
            siteAddresses: sql<(string | null)[]>`array_agg(${sites.address})`
        })
        .from(siteResources)
-        .innerJoin(siteNetworks, eq(siteResources.networkId, siteNetworks.networkId))
+        .innerJoin(sites, eq(siteResources.siteId, sites.siteId));
        .innerJoin(sites, eq(siteNetworks.siteId, sites.siteId))
        .groupBy(siteResources.siteResourceId);
 }
 registry.registerPath({
    method: "get",
    path: "/org/{orgId}/site-resources",
--- a/server/routers/siteResource/listSiteResources.ts
+++ b/server/routers/siteResource/listSiteResources.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, networks, siteNetworks } from "@server/db";
+import { db } from "@server/db";
 import { siteResources, sites, SiteResource } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -108,21 +108,13 @@ export async function listSiteResources(
            return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
        }
-        // Get site resources by joining networks to siteResources via siteNetworks
+        // Get site resources
        const siteResourcesList = await db
            .select()
-            .from(siteNetworks)
+            .from(siteResources)
            .innerJoin(
                networks,
                eq(siteNetworks.networkId, networks.networkId)
            )
            .innerJoin(
                siteResources,
                eq(siteResources.networkId, networks.networkId)
            )
            .where(
                and(
-                    eq(siteNetworks.siteId, siteId),
+                    eq(siteResources.siteId, siteId),
                    eq(siteResources.orgId, orgId)
                )
            )
@@ -136,7 +128,6 @@ export async function listSiteResources(
            .limit(limit)
            .offset(offset);
        return response(res, {
            data: { siteResources: siteResourcesList },
            success: true,
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -8,9 +8,7 @@ import {
    orgs,
    roles,
    roleSiteResources,
    siteNetworks,
    sites,
    networks,
    Transaction,
    userSiteResources
 } from "@server/db";
@@ -18,7 +16,7 @@ import { siteResources, SiteResource } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { eq, and, ne, inArray } from "drizzle-orm";
+import { eq, and, ne } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
@@ -26,7 +24,7 @@ import { updatePeerData, updateTargets } from "@server/routers/client/targets";
 import {
    generateAliasConfig,
    generateRemoteSubnets,
-    generateSubnetProxyTargets,
+    generateSubnetProxyTargetV2,
    isIpInCidr,
    portRangeStringSchema
 } from "@server/lib/ip";
@@ -44,7 +42,7 @@ const updateSiteResourceParamsSchema = z.strictObject({
 const updateSiteResourceSchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        siteIds: z.array(z.int()),
+        siteId: z.int(),
        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
        // mode: z.enum(["host", "cidr", "port"]).optional(),
        mode: z.enum(["host", "cidr"]).optional(),
@@ -168,7 +166,7 @@ export async function updateSiteResource(
        const { siteResourceId } = parsedParams.data;
        const {
            name,
-            siteIds, // because it can change
+            siteId, // because it can change
            mode,
            destination,
            alias,
@@ -183,6 +181,16 @@ export async function updateSiteResource(
            authDaemonMode
        } = parsedBody.data;
        const [site] = await db
            .select()
            .from(sites)
            .where(eq(sites.siteId, siteId))
            .limit(1);
        if (!site) {
            return next(createHttpError(HttpCode.NOT_FOUND, "Site not found"));
        }
        // Check if site resource exists
        const [existingSiteResource] = await db
            .select()
@@ -222,24 +230,6 @@ export async function updateSiteResource(
            );
        }
        // Verify the site exists and belongs to the org
        const sitesToAssign = await db
            .select()
            .from(sites)
            .where(
                and(
                    inArray(sites.siteId, siteIds),
                    eq(sites.orgId, existingSiteResource.orgId)
                )
            )
            .limit(1);
        if (sitesToAssign.length !== siteIds.length) {
            return next(
                createHttpError(HttpCode.NOT_FOUND, "Some site not found")
            );
        }
        // Only check if destination is an IP address
        const isIp = z
            .union([z.ipv4(), z.ipv6()])
@@ -257,24 +247,25 @@ export async function updateSiteResource(
            );
        }
-        let sitesChanged = false;
+        let existingSite = site;
-        const existingSiteIds = existingSiteResource.networkId
+        let siteChanged = false;
-            ? await db
+        if (existingSiteResource.siteId !== siteId) {
            siteChanged = true;
            // get the existing site
            [existingSite] = await db
                .select()
-                  .from(siteNetworks)
+                .from(sites)
-                  .where(
+                .where(eq(sites.siteId, existingSiteResource.siteId))
-                      eq(siteNetworks.networkId, existingSiteResource.networkId)
+                .limit(1);
            if (!existingSite) {
                return next(
                    createHttpError(
                        HttpCode.NOT_FOUND,
                        "Existing site not found"
                    )
-            : [];
+                );
-
+            }
        const existingSiteIdSet = new Set(existingSiteIds.map((s) => s.siteId));
        const newSiteIdSet = new Set(siteIds);
        if (
            existingSiteIdSet.size !== newSiteIdSet.size ||
            ![...existingSiteIdSet].every((id) => newSiteIdSet.has(id))
        ) {
            sitesChanged = true;
        }
        // make sure the alias is unique within the org if provided
@@ -304,7 +295,7 @@ export async function updateSiteResource(
        let updatedSiteResource: SiteResource | undefined;
        await db.transaction(async (trx) => {
            // if the site is changed we need to delete and recreate the resource to avoid complications with the rebuild function otherwise we can just update in place
-            if (sitesChanged) {
+            if (siteChanged) {
                // delete the existing site resource
                await trx
                    .delete(siteResources)
@@ -330,8 +321,7 @@ export async function updateSiteResource(
                const sshPamSet =
                    isLicensedSshPam &&
-                    (authDaemonPort !== undefined ||
+                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
                        authDaemonMode !== undefined)
                        ? {
                              ...(authDaemonPort !== undefined && {
                                  authDaemonPort
@@ -345,6 +335,7 @@ export async function updateSiteResource(
                    .update(siteResources)
                    .set({
                        name: name,
                        siteId: siteId,
                        mode: mode,
                        destination: destination,
                        enabled: enabled,
@@ -432,8 +423,7 @@ export async function updateSiteResource(
                // Update the site resource
                const sshPamSet =
                    isLicensedSshPam &&
-                    (authDaemonPort !== undefined ||
+                    (authDaemonPort !== undefined || authDaemonMode !== undefined)
                        authDaemonMode !== undefined)
                        ? {
                              ...(authDaemonPort !== undefined && {
                                  authDaemonPort
@@ -447,6 +437,7 @@ export async function updateSiteResource(
                    .update(siteResources)
                    .set({
                        name: name,
                        siteId: siteId,
                        mode: mode,
                        destination: destination,
                        enabled: enabled,
@@ -463,20 +454,6 @@ export async function updateSiteResource(
                //////////////////// update the associations ////////////////////
                // delete the site - site resources associations
                await trx
                    .delete(siteNetworks)
                    .where(
                        eq(siteNetworks.networkId, updatedSiteResource.networkId!)
                    );
                for (const siteId of siteIds) {
                    await trx.insert(siteNetworks).values({
                        siteId: siteId,
                        networkId: updatedSiteResource.networkId!
                    });
                }
                await trx
                    .delete(clientSiteResources)
                    .where(
@@ -547,16 +524,13 @@ export async function updateSiteResource(
                }
                logger.info(
-                    `Updated site resource ${siteResourceId}`
+                    `Updated site resource ${siteResourceId} for site ${siteId}`
                );
                await handleMessagingForUpdatedSiteResource(
                    existingSiteResource,
                    updatedSiteResource,
-                    siteIds.map((siteId) => ({
+                    { siteId: site.siteId, orgId: site.orgId },
                        siteId,
                        orgId: existingSiteResource.orgId
                    })),
                    trx
                );
            }
@@ -583,7 +557,7 @@ export async function updateSiteResource(
 export async function handleMessagingForUpdatedSiteResource(
    existingSiteResource: SiteResource | undefined,
    updatedSiteResource: SiteResource,
-    sites: { siteId: number; orgId: string }[],
+    site: { siteId: number; orgId: string },
    trx: Transaction
 ) {
    logger.debug(
@@ -620,7 +594,6 @@ export async function handleMessagingForUpdatedSiteResource(
    // if the existingSiteResource is undefined (new resource) we don't need to do anything here, the rebuild above handled it all
    if (destinationChanged || aliasChanged || portRangesChanged) {
        for (const site of sites) {
        const [newt] = await trx
            .select()
            .from(newts)
@@ -635,23 +608,19 @@ export async function handleMessagingForUpdatedSiteResource(
        // Only update targets on newt if destination changed
        if (destinationChanged || portRangesChanged) {
-                const oldTargets = generateSubnetProxyTargets(
+            const oldTarget = generateSubnetProxyTargetV2(
                existingSiteResource,
                mergedAllClients
            );
-                const newTargets = generateSubnetProxyTargets(
+            const newTarget = generateSubnetProxyTargetV2(
                updatedSiteResource,
                mergedAllClients
            );
-                await updateTargets(
+            await updateTargets(newt.newtId, {
-                    newt.newtId,
+                oldTargets: oldTarget ? [oldTarget] : [],
-                    {
+                newTargets: newTarget ? [newTarget] : []
-                        oldTargets: oldTargets,
+            }, newt.version);
                        newTargets: newTargets
                    },
                    newt.version
                );
        }
        const olmJobs: Promise<void>[] = [];
@@ -668,20 +637,13 @@ export async function handleMessagingForUpdatedSiteResource(
                        siteResources.siteResourceId
                    )
                )
                    .innerJoin(
                        siteNetworks,
                        eq(
                            siteNetworks.networkId,
                            siteResources.networkId
                        )
                    )
                .where(
                    and(
                        eq(
                            clientSiteResourcesAssociationsCache.clientId,
                            client.clientId
                        ),
-                            eq(siteNetworks.siteId, site.siteId),
+                        eq(siteResources.siteId, site.siteId),
                        eq(
                            siteResources.destination,
                            existingSiteResource.destination
@@ -693,7 +655,6 @@ export async function handleMessagingForUpdatedSiteResource(
                    )
                );
            const oldDestinationStillInUseByASite =
                oldDestinationStillInUseSites.length > 0;
@@ -701,11 +662,10 @@ export async function handleMessagingForUpdatedSiteResource(
            olmJobs.push(
                updatePeerData(
                    client.clientId,
-                        site.siteId,
+                    updatedSiteResource.siteId,
                    destinationChanged
                        ? {
-                                  oldRemoteSubnets:
+                              oldRemoteSubnets: !oldDestinationStillInUseByASite
                                      !oldDestinationStillInUseByASite
                                  ? generateRemoteSubnets([
                                        existingSiteResource
                                    ])
@@ -731,5 +691,4 @@ export async function handleMessagingForUpdatedSiteResource(
        await Promise.all(olmJobs);
    }
    }
 }
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -201,7 +201,7 @@ export async function inviteUser(
                );
            }
-            await cache.set(email, attempts + 1);
+            await cache.set("regenerateInvite:" + email, attempts + 1, 3600);
            const inviteId = existingInvite[0].inviteId; // Retrieve the original inviteId
            const token = generateRandomString(
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -11,6 +11,7 @@ import {
    startNewtOfflineChecker,
    handleNewtDisconnectingMessage
 } from "../newt";
 import { startPingAccumulator } from "../newt/pingAccumulator";
 import {
    handleOlmRegisterMessage,
    handleOlmRelayMessage,
@@ -46,6 +47,10 @@ export const messageHandlers: Record<string, MessageHandler> = {
    "ws/round-trip/complete": handleRoundTripMessage
 };
 // Start the ping accumulator for all builds — it batches per-site online/lastPing
 // updates into periodic bulk writes, preventing connection pool exhaustion.
 startPingAccumulator();
 if (build != "saas") {
    startOlmOfflineChecker(); // this is to handle the offline check for olms
    startNewtOfflineChecker(); // this is to handle the offline check for newts
--- a/server/routers/ws/ws.ts
+++ b/server/routers/ws/ws.ts
@@ -6,6 +6,7 @@ import { Socket } from "net";
 import { Newt, newts, NewtSession, olms, Olm, OlmSession, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import { db } from "@server/db";
 import { recordPing } from "@server/routers/newt/pingAccumulator";
 import { validateNewtSessionToken } from "@server/auth/sessions/newt";
 import { validateOlmSessionToken } from "@server/auth/sessions/olm";
 import { messageHandlers } from "./messageHandlers";
@@ -386,22 +387,14 @@ const setupConnection = async (
    // the same as modern newt clients.
    if (clientType === "newt") {
        const newtClient = client as Newt;
-        ws.on("ping", async () => {
+        ws.on("ping", () => {
            if (!newtClient.siteId) return;
-            try {
+            // Record the ping in the accumulator instead of writing to the
-                await db
+            // database on every WS ping frame. The accumulator flushes all
-                    .update(sites)
+            // pending pings in a single batched UPDATE every ~10s, which
-                    .set({
+            // prevents connection pool exhaustion under load (especially
-                        online: true,
+            // with cross-region latency to the database).
-                        lastPing: Math.floor(Date.now() / 1000)
+            recordPing(newtClient.siteId);
                    })
                    .where(eq(sites.siteId, newtClient.siteId));
            } catch (error) {
                logger.error(
                    "Error updating newt site online state on WS ping",
                    { error }
                );
            }
        });
    }
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -275,6 +275,8 @@ export default function Page() {
        }
    }
    const disabled = !isPaidUser(tierMatrix.orgOidc);
    return (
        <>
            <div className="flex justify-between">
@@ -292,6 +294,9 @@ export default function Page() {
                </Button>
            </div>
            <PaidFeaturesAlert tiers={tierMatrix.orgOidc} />
            <fieldset disabled={disabled} className={disabled ? "opacity-50 pointer-events-none" : ""}>
            <SettingsContainer>
                <SettingsSection>
                    <SettingsSectionHeader>
@@ -812,9 +817,10 @@ export default function Page() {
                </Button>
                <Button
                    type="submit"
-                    disabled={createLoading || !isPaidUser(tierMatrix.orgOidc)}
+                    disabled={createLoading || disabled}
                    loading={createLoading}
                    onClick={() => {
                        if (disabled) return;
                        // log any issues with the form
                        console.log(form.formState.errors);
                        form.handleSubmit(onSubmit)();
@@ -823,6 +829,7 @@ export default function Page() {
                    {t("idpSubmit")}
                </Button>
            </div>
            </fieldset>
        </>
    );
 }
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -493,7 +493,8 @@ export default function GeneralPage() {
                                {
                                    value: "whitelistedEmail",
                                    label: "Whitelisted Email"
-                                }
+                                },
                                { value: "ssh", label: "SSH" }
                            ]}
                            selectedValue={filters.type}
                            onValueChange={(value) =>
@@ -507,13 +508,12 @@ export default function GeneralPage() {
                );
            },
            cell: ({ row }) => {
-                // should be capitalized first letter
+                const typeLabel =
-                return (
+                    row.original.type === "ssh"
-                    <span>
+                        ? "SSH"
-                        {row.original.type.charAt(0).toUpperCase() +
+                        : row.original.type.charAt(0).toUpperCase() +
-                            row.original.type.slice(1) || "-"}
+                          row.original.type.slice(1);
-                    </span>
+                return <span>{typeLabel || "-"}</span>;
                );
            }
        },
        {
--- a/src/app/[orgId]/settings/resources/client/page.tsx
+++ b/src/app/[orgId]/settings/resources/client/page.tsx
@@ -60,17 +60,17 @@ export default async function ClientResourcesPage(
                id: siteResource.siteResourceId,
                name: siteResource.name,
                orgId: params.orgId,
-                siteNames: siteResource.siteNames,
+                siteName: siteResource.siteName,
-                siteAddresses: siteResource.siteAddresses || null,
+                siteAddress: siteResource.siteAddress || null,
                mode: siteResource.mode || ("port" as any),
                // protocol: siteResource.protocol,
                // proxyPort: siteResource.proxyPort,
-                siteIds: siteResource.siteIds,
+                siteId: siteResource.siteId,
                destination: siteResource.destination,
                // destinationPort: siteResource.destinationPort,
                alias: siteResource.alias || null,
                aliasAddress: siteResource.aliasAddress || null,
-                siteNiceIds: siteResource.siteNiceIds,
+                siteNiceId: siteResource.siteNiceId,
                niceId: siteResource.niceId,
                tcpPortRangeString: siteResource.tcpPortRangeString || null,
                udpPortRangeString: siteResource.udpPortRangeString || null,
--- a/src/app/[orgId]/settings/resources/proxy/create/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/create/page.tsx
@@ -1109,6 +1109,9 @@ export default function Page() {
                                    <SettingsSectionBody>
                                        <DomainPicker
                                            orgId={orgId as string}
                                            warnOnProvidedDomain={
                                                remoteExitNodes.length >= 1
                                            }
                                            onDomainChange={(res) => {
                                                if (!res) return;
--- a/src/components/ClientResourcesTable.tsx
+++ b/src/components/ClientResourcesTable.tsx
@@ -21,7 +21,6 @@ import {
    ArrowUp10Icon,
    ArrowUpDown,
    ArrowUpRight,
    ChevronDown,
    ChevronsUpDownIcon,
    MoreHorizontal
 } from "lucide-react";
@@ -44,14 +43,14 @@ export type InternalResourceRow = {
    id: number;
    name: string;
    orgId: string;
-    siteNames: string[];
+    siteName: string;
-    siteAddresses: (string | null)[];
+    siteAddress: string | null;
    siteIds: number[];
    siteNiceIds: string[];
    // mode: "host" | "cidr" | "port";
    mode: "host" | "cidr";
    // protocol: string | null;
    // proxyPort: number | null;
    siteId: number;
    siteNiceId: string;
    destination: string;
    // destinationPort: number | null;
    alias: string | null;
@@ -137,60 +136,6 @@ export default function ClientResourcesTable({
        }
    };
    function SiteCell({ resourceRow }: { resourceRow: InternalResourceRow }) {
        const { siteNames, siteNiceIds, orgId } = resourceRow;
        if (!siteNames || siteNames.length === 0) {
            return <span>-</span>;
        }
        if (siteNames.length === 1) {
            return (
                <Link
                    href={`/${orgId}/settings/sites/${siteNiceIds[0]}`}
                >
                    <Button variant="outline">
                        {siteNames[0]}
                        <ArrowUpRight className="ml-2 h-4 w-4" />
                    </Button>
                </Link>
            );
        }
        return (
            <DropdownMenu>
                <DropdownMenuTrigger asChild>
                    <Button
                        variant="outline"
                        size="sm"
                        className="flex items-center gap-2"
                    >
                        <span>
                            {siteNames.length} {t("sites")}
                        </span>
                        <ChevronDown className="h-3 w-3" />
                    </Button>
                </DropdownMenuTrigger>
                <DropdownMenuContent align="start">
                    {siteNames.map((siteName, idx) => (
                        <DropdownMenuItem
                            key={siteNiceIds[idx]}
                            asChild
                        >
                            <Link
                                href={`/${orgId}/settings/sites/${siteNiceIds[idx]}`}
                                className="flex items-center gap-2 cursor-pointer"
                            >
                                {siteName}
                                <ArrowUpRight className="h-3 w-3" />
                            </Link>
                        </DropdownMenuItem>
                    ))}
                </DropdownMenuContent>
            </DropdownMenu>
        );
    }
    const internalColumns: ExtendedColumnDef<InternalResourceRow>[] = [
        {
            accessorKey: "name",
@@ -240,11 +185,21 @@ export default function ClientResourcesTable({
            }
        },
        {
-            accessorKey: "siteNames",
+            accessorKey: "siteName",
            friendlyName: t("site"),
            header: () => <span className="p-3">{t("site")}</span>,
            cell: ({ row }) => {
-                return <SiteCell resourceRow={row.original} />;
+                const resourceRow = row.original;
                return (
                    <Link
                        href={`/${resourceRow.orgId}/settings/sites/${resourceRow.siteNiceId}`}
                    >
                        <Button variant="outline">
                            {resourceRow.siteName}
                            <ArrowUpRight className="ml-2 h-4 w-4" />
                        </Button>
                    </Link>
                );
            }
        },
        {
@@ -444,7 +399,7 @@ export default function ClientResourcesTable({
                    onConfirm={async () =>
                        deleteInternalResource(
                            selectedInternalResource!.id,
-                            selectedInternalResource!.siteIds[0]
+                            selectedInternalResource!.siteId
                        )
                    }
                    string={selectedInternalResource.name}
@@ -478,11 +433,7 @@ export default function ClientResourcesTable({
                <EditInternalResourceDialog
                    open={isEditDialogOpen}
                    setOpen={setIsEditDialogOpen}
-                    resource={{
+                    resource={editingResource}
                        ...editingResource,
                        siteName: editingResource.siteNames[0] ?? "",
                        siteId: editingResource.siteIds[0]
                    }}
                    orgId={orgId}
                    sites={sites}
                    onSuccess={() => {
--- a/src/components/DomainPicker.tsx
+++ b/src/components/DomainPicker.tsx
@@ -79,6 +79,7 @@ interface DomainPickerProps {
    defaultFullDomain?: string | null;
    defaultSubdomain?: string | null;
    defaultDomainId?: string | null;
    warnOnProvidedDomain?: boolean;
 }
 export default function DomainPicker({
@@ -88,7 +89,8 @@ export default function DomainPicker({
    hideFreeDomain = false,
    defaultSubdomain,
    defaultFullDomain,
-    defaultDomainId
+    defaultDomainId,
    warnOnProvidedDomain = false
 }: DomainPickerProps) {
    const { env } = useEnvContext();
    const api = createApiClient({ env });
@@ -689,6 +691,14 @@ export default function DomainPicker({
            {showProvidedDomainSearch && (
                <div className="space-y-4">
                    {warnOnProvidedDomain && (
                        <Alert variant="warning">
                            <AlertCircle className="h-4 w-4" />
                            <AlertDescription>
                                {t("domainPickerRemoteExitNodeWarning")}
                            </AlertDescription>
                        </Alert>
                    )}
                    {isChecking && (
                        <div className="flex items-center justify-center p-8">
                            <div className="flex items-center space-x-2 text-sm text-muted-foreground">
--- a/src/components/OrgSelector.tsx
+++ b/src/components/OrgSelector.tsx
@@ -29,6 +29,7 @@ import { usePathname, useRouter } from "next/navigation";
 import { useMemo, useState } from "react";
 import { useUserContext } from "@app/hooks/useUserContext";
 import { useTranslations } from "next-intl";
 import { build } from "@server/build";
 interface OrgSelectorProps {
    orgId?: string;
@@ -50,6 +51,11 @@ export function OrgSelector({
    const selectedOrg = orgs?.find((org) => org.orgId === orgId);
    let canCreateOrg = !env.flags.disableUserCreateOrg || user.serverAdmin;
    if (build === "saas" && user.type !== "internal") {
        canCreateOrg = false;
    }
    const sortedOrgs = useMemo(() => {
        if (!orgs?.length) return orgs ?? [];
        return [...orgs].sort((a, b) => {
@@ -161,7 +167,7 @@ export function OrgSelector({
                        </CommandGroup>
                    </CommandList>
                </Command>
-                {(!env.flags.disableUserCreateOrg || user.serverAdmin) && (
+                {canCreateOrg && (
                    <div className="p-2 border-t border-border">
                        <Button
                            variant="ghost"
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -26,6 +26,7 @@ function getActionsCategories(root: boolean) {
            [t("actionGetOrg")]: "getOrg",
            [t("actionUpdateOrg")]: "updateOrg",
            [t("actionGetOrgUser")]: "getOrgUser",
            [t("actionResetSiteBandwidth")]: "resetSiteBandwidth",
            [t("actionInviteUser")]: "inviteUser",
            [t("actionRemoveInvitation")]: "removeInvitation",
            [t("actionListInvitations")]: "listInvitations",
Author	SHA1	Message	Date
Owen	ce59a8a52b	Merge branch 'main' into dev	2026-03-24 20:38:16 -07:00
Owen Schwartz	62c63ddcaa	Merge pull request #2710 from fosrl/thundering-herd thundering herd	2026-03-24 20:29:01 -07:00
Owen	dfd604c781	Fix import problems	2026-03-24 20:27:34 -07:00
Owen	38d30b0214	Add license script	2026-03-24 18:13:57 -07:00
Owen	c96c5e8ae8	Cache token for thundering hurd	2026-03-24 18:12:51 -07:00
Owen	6f71e9f0f2	Clean up	2026-03-24 17:55:14 -07:00
Owen	d17ec6dc1f	Try to solve th problem	2026-03-24 17:39:43 -07:00
Owen Schwartz	c36a019f5d	Merge pull request #2709 from fosrl/pool-update Update pool and disable idp	2026-03-24 16:48:28 -07:00
Owen	cf2dfdea5b	Add better pooling controls	2026-03-24 16:38:50 -07:00
Owen	985e1bb9ab	Disable everything if not paid	2026-03-24 16:38:46 -07:00
Owen	fff38aac85	Add ssh access log	2026-03-24 16:26:56 -07:00
Owen	5a2a97b23a	Add better pooling controls	2026-03-24 16:12:13 -07:00
Owen	5b894e8682	Disable everything if not paid	2026-03-24 16:01:54 -07:00
Owen Schwartz	19f8c1772f	Merge pull request #2698 from fosrl/msg-opt Improve proxy list message size	2026-03-23 16:05:24 -07:00
Owen	37d331e813	Update version	2026-03-23 16:05:05 -07:00
Owen	c660df55cd	Merge branch 'dev' into msg-opt	2026-03-23 16:00:50 -07:00
Owen Schwartz	7c8b865379	Merge pull request #2695 from noe-charmet/redis-password-env Allow setting Redis password from env	2026-03-23 12:02:45 -07:00
Noe Charmet	3cca0c09c0	Allow setting Redis password from env	2026-03-23 11:18:55 +01:00
Owen Schwartz	85335bfecc	Merge pull request #2685 from fosrl/dev 1.16.2-s.16	2026-03-21 10:47:18 -07:00
Owen	7c2b4f422a	Merge branch 'main' into dev	2026-03-21 10:45:13 -07:00
Owen	ad2a0ae127	Use the log database in hybrid as well	2026-03-21 10:42:31 -07:00
miloschwartz	6c2c620c99	set cache ttl and default ttl	2026-03-20 17:52:07 -07:00
miloschwartz	f643abf19a	dont show create org for oidc users	2026-03-20 16:04:00 -07:00
Owen Schwartz	a1729033cf	Merge pull request #2682 from fosrl/dev Fix offline issue	2026-03-20 15:31:38 -07:00
Owen	7311766512	Fix offline issue	2026-03-20 15:30:41 -07:00
Owen Schwartz	17105f3a51	Merge pull request #2681 from fosrl/dev Extend santize into hybrid	2026-03-20 14:33:23 -07:00
Owen	edcfbd26e4	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-03-20 14:31:27 -07:00
Owen	0c4d9ea164	Extend santize into hybrid	2026-03-20 14:31:12 -07:00
Owen Schwartz	a5a5224f5c	Merge pull request #2680 from fosrl/dev Translation updates	2026-03-20 13:52:11 -07:00
Owen Schwartz	8773f7c0a7	Merge pull request #2679 from fosrl/crowdin_dev New Crowdin updates	2026-03-20 13:51:16 -07:00
Owen Schwartz	f385bc2d22	Merge pull request #2678 from fosrl/dev 1.16.2-s.14	2026-03-20 11:25:03 -07:00
Owen Schwartz	a8c9d2e7e6	New translations en-us.json (Spanish)	2026-03-20 11:16:17 -07:00
Owen Schwartz	db3f90318b	New translations en-us.json (Norwegian Bokmal)	2026-03-20 11:16:15 -07:00
Owen Schwartz	2d4d0df5ca	New translations en-us.json (Chinese Simplified)	2026-03-20 11:16:14 -07:00
Owen Schwartz	569ebc671d	New translations en-us.json (Turkish)	2026-03-20 11:16:12 -07:00
Owen Schwartz	8c8e4e6233	New translations en-us.json (Russian)	2026-03-20 11:16:11 -07:00
Owen Schwartz	c7901ef74b	New translations en-us.json (Portuguese)	2026-03-20 11:16:09 -07:00
Owen Schwartz	be3bd72c1b	New translations en-us.json (Polish)	2026-03-20 11:16:08 -07:00
Owen Schwartz	73d1f9288d	New translations en-us.json (Dutch)	2026-03-20 11:16:06 -07:00
Owen Schwartz	fb7e9f6898	New translations en-us.json (Korean)	2026-03-20 11:16:05 -07:00
Owen Schwartz	38e4b3077f	New translations en-us.json (Italian)	2026-03-20 11:16:03 -07:00
Owen Schwartz	312cdc563b	New translations en-us.json (German)	2026-03-20 11:16:02 -07:00
Owen Schwartz	48ff6dd705	New translations en-us.json (Czech)	2026-03-20 11:16:01 -07:00
Owen Schwartz	695e831090	New translations en-us.json (Bulgarian)	2026-03-20 11:15:59 -07:00
Owen Schwartz	046b431bb8	New translations en-us.json (French)	2026-03-20 11:15:58 -07:00
Owen	ce2704fc1a	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-03-20 11:04:45 -07:00
Owen Schwartz	7e89b36188	Merge pull request #2677 from fosrl/crowdin_dev New Crowdin updates	2026-03-20 11:04:37 -07:00
Owen	222dd6bba3	Santize inserts	2026-03-20 10:27:18 -07:00
Owen Schwartz	ca9ab65228	New translations en-us.json (Spanish)	2026-03-19 21:38:08 -07:00
Owen Schwartz	ee4e8f7029	New translations en-us.json (Norwegian Bokmal)	2026-03-19 21:38:07 -07:00
Owen Schwartz	f86a1eb32b	New translations en-us.json (Chinese Simplified)	2026-03-19 21:38:06 -07:00
Owen Schwartz	ffd648ed74	New translations en-us.json (Turkish)	2026-03-19 21:38:05 -07:00
Owen Schwartz	b2b72169fd	New translations en-us.json (Russian)	2026-03-19 21:38:03 -07:00
Owen Schwartz	76746fb6e1	New translations en-us.json (Portuguese)	2026-03-19 21:38:02 -07:00
Owen Schwartz	6258787c73	New translations en-us.json (Polish)	2026-03-19 21:38:00 -07:00
Owen Schwartz	720080e487	New translations en-us.json (Dutch)	2026-03-19 21:37:59 -07:00
Owen Schwartz	46ad1317e4	New translations en-us.json (Korean)	2026-03-19 21:37:58 -07:00
Owen Schwartz	cd28720e46	New translations en-us.json (Italian)	2026-03-19 21:37:56 -07:00
Owen Schwartz	38af02ad3c	New translations en-us.json (German)	2026-03-19 21:37:55 -07:00
Owen Schwartz	5eed547f91	New translations en-us.json (Czech)	2026-03-19 21:37:54 -07:00
Owen Schwartz	d363ee02ed	New translations en-us.json (Bulgarian)	2026-03-19 21:37:53 -07:00
Owen Schwartz	594ee31f43	New translations en-us.json (French)	2026-03-19 21:37:51 -07:00
Owen	56e25d01ae	Fix spelling mistake	2026-03-19 20:54:05 -07:00
Owen Schwartz	d9766b0f99	New translations en-us.json (Spanish)	2026-03-19 14:39:09 -07:00
Owen Schwartz	eeaa1d56ad	New translations en-us.json (Norwegian Bokmal)	2026-03-19 14:39:07 -07:00
Owen Schwartz	e7f5bc585c	New translations en-us.json (Chinese Simplified)	2026-03-19 14:39:06 -07:00
Owen Schwartz	4f26fb7750	New translations en-us.json (Turkish)	2026-03-19 14:39:04 -07:00
Owen Schwartz	cdbc190bfc	New translations en-us.json (Russian)	2026-03-19 14:39:03 -07:00
Owen Schwartz	1b1f9ab4cf	New translations en-us.json (Portuguese)	2026-03-19 14:39:02 -07:00
Owen Schwartz	2efe6cfdb3	New translations en-us.json (Polish)	2026-03-19 14:39:00 -07:00
Owen Schwartz	517c607ecf	New translations en-us.json (Dutch)	2026-03-19 14:38:59 -07:00
Owen Schwartz	802e8f7a22	New translations en-us.json (Korean)	2026-03-19 14:38:57 -07:00
Owen Schwartz	c7cfe2efcb	New translations en-us.json (Italian)	2026-03-19 14:38:56 -07:00
Owen Schwartz	ae1f36f39a	New translations en-us.json (German)	2026-03-19 14:38:54 -07:00
Owen Schwartz	a479ef28ac	New translations en-us.json (Czech)	2026-03-19 14:38:53 -07:00
Owen Schwartz	ce2cf50b5a	New translations en-us.json (Bulgarian)	2026-03-19 14:38:52 -07:00
Owen Schwartz	f48d01acde	New translations en-us.json (French)	2026-03-19 14:38:50 -07:00
Owen	991fed93ee	Add warning when creating resource with provided	2026-03-19 14:26:14 -07:00
Owen	26ab63d0e4	Adjust remote node language	2026-03-19 12:10:58 -07:00
Owen Schwartz	4843268537	Merge pull request #2552 from huzky-v/feat-add-bandwidth-reset-api feat: Adding an organization sites bandwidth reset API	2026-03-18 16:17:43 -07:00
Owen Schwartz	f60ae13e4e	Merge pull request #2668 from LaurenceJJones/docs/improve-cloud-messaging chore(readme): Reorder and promote cloud	2026-03-18 15:32:53 -07:00
Owen Schwartz	e72697f8b8	Merge pull request #2669 from fosrl/dependabot/npm_and_yarn/multi-577d045ab6 Bump fast-xml-parser and @aws-sdk/xml-builder	2026-03-18 15:30:46 -07:00
dependabot[bot]	0c3dc1ad14	Bump fast-xml-parser and @aws-sdk/xml-builder Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) and [@aws-sdk/xml-builder](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages-internal/xml-builder). These dependencies needed to be updated together. Updates `fast-xml-parser` from 5.4.1 to 5.5.6 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.1...v5.5.6) Updates `@aws-sdk/xml-builder` from 3.972.10 to 3.972.12 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages-internal/xml-builder/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/HEAD/packages-internal/xml-builder) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.5.6 dependency-type: indirect - dependency-name: "@aws-sdk/xml-builder" dependency-version: 3.972.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 22:30:09 +00:00
Owen Schwartz	840fe86f78	Merge pull request #2633 from fosrl/dependabot/npm_and_yarn/eslint-10.0.3 Bump eslint from 9.39.2 to 10.0.3	2026-03-18 15:28:51 -07:00
Owen Schwartz	e079927a5b	Merge pull request #2579 from fosrl/dependabot/github_actions/actions/setup-go-6.3.0 Bump actions/setup-go from 6.2.0 to 6.3.0	2026-03-18 15:28:26 -07:00
dependabot[bot]	63379964fa	Bump eslint from 9.39.2 to 10.0.3 Bumps [eslint](https://github.com/eslint/eslint) from 9.39.2 to 10.0.3. - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](https://github.com/eslint/eslint/compare/v9.39.2...v10.0.3) --- updated-dependencies: - dependency-name: eslint dependency-version: 10.0.3 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 22:28:22 +00:00
Owen Schwartz	0cfaf6ed7f	Merge pull request #2580 from fosrl/dependabot/github_actions/actions/upload-artifact-7.0.0 Bump actions/upload-artifact from 6.0.0 to 7.0.0	2026-03-18 15:28:12 -07:00
Owen Schwartz	043ee9e9d2	Merge pull request #2620 from fosrl/dependabot/github_actions/actions/setup-node-6.3.0 Bump actions/setup-node from 6.2.0 to 6.3.0	2026-03-18 15:27:52 -07:00
Owen Schwartz	b63e3e5888	Merge pull request #2621 from fosrl/dependabot/github_actions/docker/login-action-4.0.0 Bump docker/login-action from 3.7.0 to 4.0.0	2026-03-18 15:27:26 -07:00
Owen Schwartz	4f82470506	Merge pull request #2629 from fosrl/dependabot/npm_and_yarn/prod-minor-updates-47a8475ba0 Bump the prod-minor-updates group across 1 directory with 3 updates	2026-03-18 15:26:14 -07:00
Owen Schwartz	40e21b6f28	Merge pull request #2641 from fosrl/dependabot/go_modules/install/minor-updates-a98db8910e Bump golang.org/x/term from 0.40.0 to 0.41.0 in /install in the minor-updates group	2026-03-18 15:25:44 -07:00
Owen Schwartz	67fab1928d	Merge pull request #2656 from fosrl/dependabot/github_actions/sigstore/cosign-installer-4.1.0 Bump sigstore/cosign-installer from 4.0.0 to 4.1.0	2026-03-18 15:25:31 -07:00
Owen Schwartz	eb98374566	Merge pull request #2666 from fosrl/dependabot/npm_and_yarn/dev-patch-updates-6a5ea32984 Bump the dev-patch-updates group across 1 directory with 5 updates	2026-03-18 15:25:14 -07:00
Laurence	6c83e78256	chore(readme): Reorder and promote cloud Simply moving the items around and improve the messaging around the cloud	2026-03-18 16:06:50 +00:00
dependabot[bot]	0908f0f057	Bump the prod-minor-updates group across 1 directory with 3 updates Bumps the prod-minor-updates group with 3 updates in the / directory: [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3), [@simplewebauthn/browser](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/browser) and [@simplewebauthn/server](https://github.com/MasterKale/SimpleWebAuthn/tree/HEAD/packages/server). Updates `@aws-sdk/client-s3` from 3.1004.0 to 3.1006.0 - [Release notes](https://github.com/aws/aws-sdk-js-v3/releases) - [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1006.0/clients/client-s3) Updates `@simplewebauthn/browser` from 13.2.2 to 13.3.0 - [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases) - [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md) - [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.3.0/packages/browser) Updates `@simplewebauthn/server` from 13.2.3 to 13.3.0 - [Release notes](https://github.com/MasterKale/SimpleWebAuthn/releases) - [Changelog](https://github.com/MasterKale/SimpleWebAuthn/blob/master/CHANGELOG.md) - [Commits](https://github.com/MasterKale/SimpleWebAuthn/commits/v13.3.0/packages/server) --- updated-dependencies: - dependency-name: "@aws-sdk/client-s3" dependency-version: 3.1006.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@simplewebauthn/browser" dependency-version: 13.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates - dependency-name: "@simplewebauthn/server" dependency-version: 13.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: prod-minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 01:37:21 +00:00
dependabot[bot]	2785449c7a	Bump the dev-patch-updates group across 1 directory with 5 updates Bumps the dev-patch-updates group with 5 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [@react-email/preview-server](https://github.com/resend/react-email/tree/HEAD/packages/preview-server) \| `5.2.8` \| `5.2.10` \| \| [drizzle-kit](https://github.com/drizzle-team/drizzle-orm) \| `0.31.9` \| `0.31.10` \| \| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) \| `16.1.6` \| `16.1.7` \| \| [postcss](https://github.com/postcss/postcss) \| `8.5.6` \| `8.5.8` \| \| [react-email](https://github.com/resend/react-email/tree/HEAD/packages/react-email) \| `5.2.8` \| `5.2.10` \| Updates `@react-email/preview-server` from 5.2.8 to 5.2.10 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/preview-server/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/@react-email/preview-server@5.2.10/packages/preview-server) Updates `drizzle-kit` from 0.31.9 to 0.31.10 - [Release notes](https://github.com/drizzle-team/drizzle-orm/releases) - [Commits](https://github.com/drizzle-team/drizzle-orm/compare/drizzle-kit@0.31.9...drizzle-kit@0.31.10) Updates `eslint-config-next` from 16.1.6 to 16.1.7 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](https://github.com/vercel/next.js/commits/v16.1.7/packages/eslint-config-next) Updates `postcss` from 8.5.6 to 8.5.8 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8) Updates `react-email` from 5.2.8 to 5.2.10 - [Release notes](https://github.com/resend/react-email/releases) - [Changelog](https://github.com/resend/react-email/blob/canary/packages/react-email/CHANGELOG.md) - [Commits](https://github.com/resend/react-email/commits/react-email@5.2.10/packages/react-email) --- updated-dependencies: - dependency-name: "@react-email/preview-server" dependency-version: 5.2.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: drizzle-kit dependency-version: 0.31.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: eslint-config-next dependency-version: 16.1.7 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: postcss dependency-version: 8.5.8 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates - dependency-name: react-email dependency-version: 5.2.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: dev-patch-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 01:36:08 +00:00
dependabot[bot]	d2419ba572	Bump golang.org/x/term in /install in the minor-updates group Bumps the minor-updates group in /install with 1 update: [golang.org/x/term](https://github.com/golang/term). Updates `golang.org/x/term` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/term/compare/v0.40.0...v0.41.0) --- updated-dependencies: - dependency-name: golang.org/x/term dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-updates ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 01:34:08 +00:00
Owen Schwartz	aed86ce4ba	Merge pull request #2663 from fosrl/dev change route name	2026-03-16 20:03:56 -07:00
dependabot[bot]	10349932f4	Bump sigstore/cosign-installer from 4.0.0 to 4.1.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](`faadad0cce...ba7bc0a3fe`) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-16 01:35:18 +00:00
dependabot[bot]	2e2684c695	Bump docker/login-action from 3.7.0 to 4.0.0 Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](`c94ce9fb46...b45d80f862`) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-09 01:36:08 +00:00
dependabot[bot]	7e2fd8f49d	Bump actions/setup-node from 6.2.0 to 6.3.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](`6044e13b5d...53b83947a5`) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-09 01:36:02 +00:00
Owen	b01fcc70fe	Fix ts and add note about ipv4	2026-03-03 14:45:18 -08:00
Owen	35fed74e49	Merge branch 'dev' into msg-opt	2026-03-02 18:52:35 -08:00
Owen	6cf1b9b010	Support improved targets msg v2	2026-03-02 18:51:48 -08:00
Owen	dae169540b	Fix defaults for orgs	2026-03-02 16:49:17 -08:00
dependabot[bot]	a060c8029f	Bump actions/upload-artifact from 6.0.0 to 7.0.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](`b7c566a772...bbbca2ddaa`) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-02 01:36:11 +00:00
dependabot[bot]	aca9d1e070	Bump actions/setup-go from 6.2.0 to 6.3.0 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](`7a3fe6cf4c...4b73464bb3`) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-02 01:36:05 +00:00
Jacky Fong	5c4de03588	add reset bandwidth api for site Change endpoint update to reset all site in the organization move the logic to organization move the permission to organization	2026-02-28 15:47:03 +08:00