Support pin,pass,whitelist correctly on login

Resource rules go first
Overriding is working
2026-06-02 21:49:53 +00:00 · 2026-06-01 21:34:39 -07:00 · 2026-06-01 21:02:59 -07:00 · 2026-06-01 20:54:37 -07:00 · 2026-06-01 20:33:37 -07:00 · 2026-06-01 17:49:09 -07:00
426 changed files with 35547 additions and 11312 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -34,3 +34,4 @@ build.ts
 tsconfig.json
 Dockerfile*
 drizzle.config.ts
+allowedDevOrigins.json
--- a/.github/ISSUE_TEMPLATE/1.bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1.bug_report.yml
@@ -14,12 +14,13 @@ body:
          label: Environment
          description: Please fill out the relevant details below for your environment.
          value: |
-              - OS Type & Version: (e.g., Ubuntu 22.04)
+              - OS Type & Version:
              - Pangolin Version:
+              - Edition (Community or Enterprise):
              - Gerbil Version:
              - Traefik Version:
              - Newt Version:
-              - Olm Version: (if applicable)
+              - Client Version:
      validations:
          required: true

--- a/.gitignore
+++ b/.gitignore
@@ -17,9 +17,9 @@ yarn-error.log*
 *.tsbuildinfo
 next-env.d.ts
 *.db
-*.sqlite
+*.sqlite*
 !Dockerfile.sqlite
-*.sqlite3
+*.sqlite3*
 *.log
 .machinelogs*.json
 *-audit.json
@@ -54,3 +54,5 @@ hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
 server/setup/migrations.ts
+solo.yml
+allowedDevOrigins.json
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ the docs to illustrate some basic ideas.

 ## Licensing

-Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl.html). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).
+Pangolin is dual licensed under the AGPL-3 and the [Fossorial Commercial License](https://pangolin.net/fcl). For inquiries about commercial licensing, please contact us at [contact@pangolin.net](mailto:contact@pangolin.net).

 ## Contributions

--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -1,54 +1,47 @@
 api:
  insecure: true
  dashboard: true
-
 providers:
  http:
-    endpoint: "http://pangolin:3001/api/v1/traefik-config"
-    pollInterval: "5s"
+    endpoint: http://pangolin:3001/api/v1/traefik-config
+    pollInterval: 5s
  file:
-    filename: "/etc/traefik/dynamic_config.yml"
-
+    filename: /etc/traefik/dynamic_config.yml
 experimental:
  plugins:
    badger:
-      moduleName: "github.com/fosrl/badger"
-      version: "{{.BadgerVersion}}"
-
+      moduleName: github.com/fosrl/badger
+      version: v1.4.1
 log:
-  level: "INFO"
-  format: "common"
+  level: INFO
+  format: common
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true
-
 certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
-      email: "{{.LetsEncryptEmail}}"
-      storage: "/letsencrypt/acme.json"
-      caServer: "https://acme-v02.api.letsencrypt.org/directory"
-
+      email: '{{.LetsEncryptEmail}}'
+      storage: /letsencrypt/acme.json
+      caServer: https://acme-v02.api.letsencrypt.org/directory
 entryPoints:
  web:
-    address: ":80"
+    address: ':80'
  websecure:
-    address: ":443"
+    address: ':443'
    transport:
      respondingTimeouts:
-        readTimeout: "30m"
+        readTimeout: 30m
    http:
      tls:
-        certResolver: "letsencrypt"
+        certResolver: letsencrypt
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true
-
 serversTransport:
  insecureSkipVerify: true
-
 ping:
-  entryPoint: "web"
+  entryPoint: web
--- a/install/config/config.yml
+++ b/install/config/config.yml
@@ -37,3 +37,8 @@ flags:
    disable_signup_without_invite: true
    disable_user_create_org: false
    allow_raw_resources: true
+
+{{if .IsPostgreSQL}}
+postgres:
+  connection_string: postgresql://pangolin:{{.IsPostgreSQLPass}}@postgres:5432/pangolin
+{{end}}
--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,7 +1,7 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{if .IsPostgreSQL}}postgresql-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    deploy:
@@ -10,6 +10,20 @@ services:
          memory: 1g
        reservations:
          memory: 256m
+{{if or .IsPostgreSQL .IsRedis}}
+    depends_on:
+    {{if .IsPostgreSQL}}
+      postgres:
+        condition: service_healthy
+    {{end}}
+    {{if .IsRedis}}
+      redis:
+        condition: service_healthy
+    {{end}}
+    networks:
+      - default
+      - backend
+{{end}}
    volumes:
      - ./config:/app/config
    healthcheck:
@@ -60,8 +74,56 @@ services:
      - ./config/letsencrypt:/letsencrypt # Volume to store the Let's Encrypt certificates
      - ./config/traefik/logs:/var/log/traefik # Volume to store Traefik logs

+{{if .IsPostgreSQL}}
+  postgres:
+    image: postgres:18
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: pangolin
+      POSTGRES_PASSWORD: {{.IsPostgreSQLPass}}
+      POSTGRES_DB: pangolin
+    volumes:
+      - ./postgres18:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U pangolin"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - backend
+{{end}}
+
+{{if .IsRedis}}
+  redis:
+    image: redis:8-trixie
+    container_name: redis
+    restart: unless-stopped
+    command: >
+      redis-server
+      --save 3600 1000
+      --appendonly yes
+      --requirepass {{.IsRedisPass}}
+    volumes:
+      - ./redis8:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "-a", "{{.IsRedisPass}}", "ping"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
+      start_period: 10s
+    networks:
+      - backend
+{{end}}
+
 networks:
  default:
    driver: bridge
-    name: pangolin
+    name: pangolin_frontend
 {{if .EnableIPv6}}    enable_ipv6: true{{end}}
+{{if or .IsPostgreSQL .IsRedis}}
+  backend:
+    driver: bridge
+    name: pangolin_backend
+    internal: true
+{{end}}
--- a/install/config/privateConfig.yml
+++ b/install/config/privateConfig.yml
@@ -0,0 +1,6 @@
+{{if .IsRedis}}
+redis:
+  host: "redis"
+  port: 6379
+  password: "{{.IsRedisPass}}"
+{{end}}
--- a/install/main.go
+++ b/install/main.go
@@ -55,8 +55,12 @@ type Config struct {
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
 	EnableMaxMind             bool
-    Secret                    string
+	Secret                    string
 	IsEnterprise              bool
+    IsPostgreSQL              bool
+	IsPostgreSQLPass          string
+    IsRedis                   bool
+	IsRedisPass               string
 }

 type SupportedContainer string
@@ -131,7 +135,7 @@ func main() {
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
-        
+
 		fmt.Println("\n=== Starting installation ===")

 		if readBool("Would you like to install and start the containers?", true) {
@@ -205,10 +209,10 @@ func main() {
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
 				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
-                fmt.Println("Add the following lines under the 'server' section:")
+				fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
 				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
-            }
+			}
 		}
 	}

@@ -486,6 +490,17 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Basic Configuration ===")

 	config.IsEnterprise = readBoolNoDefault("Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+    if config.IsEnterprise {
+        config.IsRedis = readBool("Do you want to run the Redis containers locally? Required for HA.")
+        if config.IsRedis {
+            config.IsRedisPass = readPassword("Enter a unique password for the Redis service.")
+        }
+    }
+
+    config.IsPostgreSQL = readBool("Do you want to run the PostgreSQL containers locally? Otherwise, default to the local SQLite database only.", false)
+	if config.IsPostgreSQL {
+		config.IsPostgreSQLPass = readPassword("Enter a unique password for the PostgreSQL pangolin user.")
+	}

 	config.BaseDomain = readString("Enter your base domain (no subdomain e.g. example.com)", "")

@@ -530,7 +545,7 @@ func collectUserInput() Config {

 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
 	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)
-    
+
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
 		os.Exit(1)
@@ -793,7 +808,7 @@ func downloadMaxMindDatabase() error {
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
 		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
 	}
-    
+
 	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
 		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
@@ -801,7 +816,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
 		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
 	}
-    
+
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
 		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
@@ -809,7 +824,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
 		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
 	}
-    
+
 	// Clean up the downloaded files
 	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
 		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
@@ -817,7 +832,7 @@ func downloadMaxMindDatabase() error {
 	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
 		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
 	}
-    
+
 	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Метод",
    "editInternalResourceDialogEnableSsl": "Активирайте TLS",
    "editInternalResourceDialogEnableSslDescription": "Активирайте SSL/TLS криптиране за сигурни HTTPS връзки към целта.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Метод",
    "createInternalResourceDialogScheme": "Метод",
    "createInternalResourceDialogEnableSsl": "Активирайте TLS",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schéma",
    "editInternalResourceDialogEnableSsl": "Povolit SSL",
    "editInternalResourceDialogEnableSslDescription": "Povolit šifrování SSL/TLS pro zabezpečené HTTPS připojení k cíli.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schéma",
    "createInternalResourceDialogScheme": "Schéma",
    "createInternalResourceDialogEnableSsl": "Povolit SSL",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
    "editInternalResourceDialogEnableSsl": "TLS aktivieren",
    "editInternalResourceDialogEnableSslDescription": "SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zum Ziel aktivieren.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
    "createInternalResourceDialogEnableSsl": "TLS aktivieren",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -176,6 +176,7 @@
    "shareErrorCreateDescription": "An error occurred while creating the share link",
    "shareCreateDescription": "Anyone with this link can access the resource",
    "shareTitleOptional": "Title (optional)",
+    "sharePathOptional": "Path (optional)",
    "expireIn": "Expire In",
    "neverExpire": "Never expire",
    "shareExpireDescription": "Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource.",
@@ -208,11 +209,33 @@
    "resourcesSearch": "Search resources...",
    "resourceAdd": "Add Resource",
    "resourceErrorDelte": "Error deleting resource",
+    "resourcePoliciesTitle": "Manage Resource Policies",
+    "resourcePoliciesAttachedResourcesColumnTitle": "Attached resources",
+    "resourcePoliciesAttachedResources": "{count} resource(s)",
+    "resourcePoliciesAttachedResourcesEmpty": "no resources",
+    "resourcePoliciesDescription": "Create and manage authentication policies to control access to your resources",
+    "resourcePoliciesSearch": "Search policies...",
+    "resourcePoliciesAdd": "Add Policy",
+    "resourcePoliciesDefaultBadgeText": "Default policy",
+    "resourcePoliciesCreate": "Create Resource Policy",
+    "resourcePoliciesCreateDescription": "Follow the steps below to create a new policy",
+    "resourcePolicyName": "Policy Name",
+    "resourcePolicyNameDescription": "Give this policy a name to identify it across your resources",
+    "resourcePolicyNamePlaceholder": "e.g. Internal Access Policy",
+    "resourcePoliciesSeeAll": "See All Policies",
+    "resourcePolicyAuthMethodAdd": "Add Authentication Method",
+    "resourcePolicyOtpEmailAdd": "Add OTP emails",
+    "resourcePolicyRulesAdd": "Add Rules",
+    "resourcePolicyAuthMethodsDescription": "Allow access to resources via additional auth methods",
+    "resourcePolicyUsersRolesDescription": "Configure which users and roles can visit associated resources",
+    "rulesResourcePolicyDescription": "Configure rules to control access resources associated to this policy",
    "authentication": "Authentication",
    "protected": "Protected",
    "notProtected": "Not Protected",
    "resourceMessageRemove": "Once removed, the resource will no longer be accessible. All targets associated with the resource will also be removed.",
    "resourceQuestionRemove": "Are you sure you want to remove the resource from the organization?",
+    "resourcePolicyMessageRemove": "Once removed, the resource policy will no longer be accessible. All resources associated with the resource will be unlinked and left without authentication.",
+    "resourcePolicyQuestionRemove": "Are you sure you want to remove the resource policy from the organization?",
    "resourceHTTP": "HTTPS Resource",
    "resourceHTTPDescription": "Proxy requests over HTTPS using a fully qualified domain name.",
    "resourceRaw": "Raw TCP/UDP Resource",
@@ -220,8 +243,9 @@
    "resourceRawDescriptionCloud": "Proxy requests over raw TCP/UDP using a port number. Requires sites to connect to a remote node.",
    "resourceCreate": "Create Resource",
    "resourceCreateDescription": "Follow the steps below to create a new resource",
+    "resourceCreateGeneralDescription": "Configure the basic resource settings including the name and the type",
    "resourceSeeAll": "See All Resources",
-    "resourceInfo": "Resource Information",
+    "resourceCreateGeneral": "General",
    "resourceNameDescription": "This is the display name for the resource.",
    "siteSelect": "Select site",
    "siteSearch": "Search site",
@@ -231,12 +255,15 @@
    "noCountryFound": "No country found.",
    "siteSelectionDescription": "This site will provide connectivity to the target.",
    "resourceType": "Resource Type",
-    "resourceTypeDescription": "Determine how to access the resource",
+    "resourceTypeDescription": "This controls the resource protocol and how it will be rendered in the browser. This can’t be changed later.",
+    "resourceDomainDescription": "The resource will be served at this fully qualified domain name.",
    "resourceHTTPSSettings": "HTTPS Settings",
    "resourceHTTPSSettingsDescription": "Configure how the resource will be accessed over HTTPS",
+    "resourcePortDescription": "The external port on the Pangolin instance or node where the resource will be accessible.",
    "domainType": "Domain Type",
    "subdomain": "Subdomain",
    "baseDomain": "Base Domain",
+    "configure": "Configure",
    "subdomnainDescription": "The subdomain where the resource will be accessible.",
    "resourceRawSettings": "TCP/UDP Settings",
    "resourceRawSettingsDescription": "Configure how the resource will be accessed over TCP/UDP",
@@ -253,8 +280,27 @@
    "resourceLearnRaw": "Learn how to configure TCP/UDP resources",
    "resourceBack": "Back to Resources",
    "resourceGoTo": "Go to Resource",
+    "resourcePolicyDelete": "Delete Resource Policy",
+    "resourcePolicyDeleteConfirm": "Confirm Delete Resource Policy",
    "resourceDelete": "Delete Resource",
    "resourceDeleteConfirm": "Confirm Delete Resource",
+    "labelDelete": "Delete Label",
+    "labelAdd": "Add Label",
+    "labelCreateSuccessMessage": "Label Created Successfully",
+    "labelEditSuccessMessage": "Label Modified Successfully",
+    "labelNameField": "Label Name",
+    "labelColorField": "Label Color",
+    "labelPlaceholder": "Ex: homelab",
+    "labelCreate": "Create Label",
+    "createLabelDialogTitle": "Create Label",
+    "createLabelDialogDescription": "Create a new label that can be attached to this organization",
+    "labelEdit": "Edit Label",
+    "editLabelDialogTitle": "Update Label",
+    "editLabelDialogDescription": "Edit a new label that can be attached to this organization",
+    "labelDeleteConfirm": "Confirm Delete Label",
+    "labelErrorDelete": "Failed to delete label",
+    "labelMessageRemove": "This action is permanent. All sites, resources, and clients tagged with this label will be untagged.",
+    "labelQuestionRemove": "Are you sure you want to remove the label from the organization?",
    "visibility": "Visibility",
    "enabled": "Enabled",
    "disabled": "Disabled",
@@ -265,6 +311,8 @@
    "rules": "Rules",
    "resourceSettingDescription": "Configure the settings on the resource",
    "resourceSetting": "{resourceName} Settings",
+    "resourcePolicySettingDescription": "Configure the settings on the resource policy",
+    "resourcePolicySetting": "{policyName} Settings",
    "alwaysAllow": "Bypass Auth",
    "alwaysDeny": "Block Access",
    "passToAuth": "Pass to Auth",
@@ -747,6 +795,16 @@
    "rulesNoOne": "No rules. Add a rule using the form.",
    "rulesOrder": "Rules are evaluated by priority in ascending order.",
    "rulesSubmit": "Save Rules",
+    "policyErrorCreate": "Error creating policy",
+    "policyErrorCreateDescription": "An error occurred when creating the policy",
+    "policyErrorCreateMessageDescription": "An unexpected error occurred",
+    "policyErrorUpdate": "Error updating policy",
+    "policyErrorUpdateDescription": "An error occurred when updating the policy",
+    "policyErrorUpdateMessageDescription": "An unexpected error occurred",
+    "policyCreatedSuccess": "Resource policy succesfully created",
+    "policyUpdatedSuccess": "Resource policy succesfully updated",
+    "authMethodsSave": "Save auth methods",
+    "rulesSave": "Save Rules",
    "resourceErrorCreate": "Error creating resource",
    "resourceErrorCreateDescription": "An error occurred when creating the resource",
    "resourceErrorCreateMessage": "Error creating resource:",
@@ -810,6 +868,17 @@
    "pincodeAdd": "Add PIN Code",
    "pincodeRemove": "Remove PIN Code",
    "resourceAuthMethods": "Authentication Methods",
+    "resourcePolicyAuthMethodsEmpty": "No authentication method",
+    "resourcePolicyOtpEmpty": "No one time password",
+    "resourcePolicyReadOnly": "This policy is Read only",
+    "resourcePolicyReadOnlyDescription": "This resource policy is shared accross multiple resources, you cannot edit it on this page.",
+    "editSharedPolicy": "Edit Shared Policy",
+    "resourcePolicyTypeSave": "Save Resource type",
+    "resourcePolicySelect": "Select resource policy",
+    "resourcePolicySelectError": "Select a resource policy",
+    "resourcePolicyNotFound": "Policy not found",
+    "resourcePolicySearch": "Search policies",
+    "resourcePolicyRulesEmpty": "No authentication rules",
    "resourceAuthMethodsDescriptions": "Allow access to the resource via additional auth methods",
    "resourceAuthSettingsSave": "Saved successfully",
    "resourceAuthSettingsSaveDescription": "Authentication settings have been saved",
@@ -845,6 +914,12 @@
    "resourcePincodeSetupTitle": "Set Pincode",
    "resourcePincodeSetupTitleDescription": "Set a pincode to protect this resource",
    "resourceRoleDescription": "Admins can always access this resource.",
+    "resourcePolicySelectTitle": "Resource Access Policy",
+    "resourcePolicySelectDescription": "Select the resource policy type for authentication",
+    "resourcePolicyInline": "Inline Resource Policy",
+    "resourcePolicyInlineDescription": "Access Policy scoped to only this resource",
+    "resourcePolicyShared": "Shared Resource Policy",
+    "resourcePolicySharedDescription": "This resource uses a shared policy. Policy-level settings (auth methods, email whitelist) are locked. You can add resource-specific rules, roles, and users below.",
    "resourceUsersRoles": "Access Controls",
    "resourceUsersRolesDescription": "Configure which users and roles can visit this resource",
    "resourceUsersRolesSubmit": "Save Access Controls",
@@ -1140,6 +1215,18 @@
    "idpErrorConnectingTo": "There was a problem connecting to {name}. Please contact your administrator.",
    "idpErrorNotFound": "IdP not found",
    "inviteInvalid": "Invalid Invite",
+    "labels": "Labels",
+    "orgLabelsDescription": "Manage labels in this organization.",
+    "addLabels": "Add labels",
+    "siteLabelsTab": "Labels",
+    "siteLabelsDescription": "Manage labels associated with this site.",
+    "labelsNotFound": "Labels not found",
+    "labelSearch": "Search labels",
+    "accessLabelFilterCount": "{count, plural, one {# label} other {# labels}}",
+    "labelOverflowCount": "+{count, plural, one {# label} other {# labels}}",
+    "accessLabelFilterClear": "Clear label filters",
+    "selectColor": "Select color",
+    "createNewLabel": "Create new org label \"{label}\"",
    "inviteInvalidDescription": "The invite link is invalid.",
    "inviteErrorWrongUser": "Invite is not for this user",
    "inviteErrorUserNotExists": "User does not exist. Please create an account first.",
@@ -1374,6 +1461,8 @@
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
+    "sidebarPolicies": "Policies",
+    "sidebarResourcePolicies": "Resources",
    "sidebarAccessControl": "Access Control",
    "sidebarLogsAndAnalytics": "Logs & Analytics",
    "sidebarTeam": "Team",
@@ -1557,7 +1646,8 @@
    "standaloneHcFilterSiteIdFallback": "Site {id}",
    "standaloneHcFilterResourceIdFallback": "Resource {id}",
    "blueprints": "Blueprints",
-    "blueprintsDescription": "Apply declarative configurations and view previous runs",
+    "blueprintsLog": "Blueprints Log",
+    "blueprintsDescription": "View past blueprint applications and their results",
    "blueprintAdd": "Add Blueprint",
    "blueprintGoBack": "See all Blueprints",
    "blueprintCreate": "Create Blueprint",
@@ -1575,7 +1665,17 @@
    "contents": "Contents",
    "parsedContents": "Parsed Contents (Read Only)",
    "enableDockerSocket": "Enable Docker Blueprint",
-    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to Newt. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "enableDockerSocketDescription": "Enable Docker Socket label scraping for blueprint labels. Socket path must be provided to the site connector. Read about how this works in <docsLink>the documentation</docsLink>.",
+    "newtAutoUpdate": "Enable Site Auto-Update",
+    "newtAutoUpdateDescription": "When enabled, site connectors will automatically update to the latest version when a new release is available.",
+    "siteAutoUpdate": "Site Auto-Update",
+    "siteAutoUpdateLabel": "Enable Auto-Update",
+    "siteAutoUpdateDescription": "Control whether this site's connector automatically downloads the latest version.",
+    "siteAutoUpdateOrgDefault": "Organization default: {state}",
+    "siteAutoUpdateOverriding": "Overriding organization setting",
+    "siteAutoUpdateResetToOrg": "Reset to Organization Default",
+    "siteAutoUpdateEnabled": "enabled",
+    "siteAutoUpdateDisabled": "disabled",
    "viewDockerContainers": "View Docker Containers",
    "containersIn": "Containers in {siteName}",
    "selectContainerDescription": "Select any container to use as a hostname for this target. Click a port to use a port.",
@@ -1620,6 +1720,7 @@
    "certificateStatus": "Certificate",
    "certificateStatusAutoRefreshHint": "Status refreshes automatically.",
    "loading": "Loading",
+    "loadingEllipsis": "Loading...",
    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
@@ -1846,6 +1947,7 @@
    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
    "billingCurrentKeys": "Current Keys",
    "billingModifyCurrentPlan": "Modify Current Plan",
+    "billingManageLicenseSubscriptionDescription": "Manage your subscription for paid self-hosted license keys and download invoices.",
    "billingConfirmUpgrade": "Confirm Upgrade",
    "billingConfirmDowngrade": "Confirm Downgrade",
    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
@@ -1943,7 +2045,36 @@
    "timeIsInSeconds": "Time is in seconds",
    "requireDeviceApproval": "Require Device Approvals",
    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
-    "sshAccess": "SSH Access",
+    "sshSettings": "SSH Settings",
+    "rdpSettings": "RDP Settings",
+    "vncSettings": "VNC Settings",
+    "sshServer": "SSH Server",
+    "rdpServer": "RDP Server",
+    "vncServer": "VNC Server",
+    "sshServerDescription": "Set up the authentication method, daemon location, and server destination",
+    "rdpServerDescription": "Configure the destination and port of the RDP server",
+    "vncServerDescription": "Configure the destination and port of the VNC server",
+    "sshServerMode": "Mode",
+    "sshServerModeStandard": "Standard SSH Server",
+    "sshServerModePangolin": "Pangolin SSH",
+    "sshServerModeStandardDescription": "Routes commands over network to an SSH server such as OpenSSH.",
+    "sshServerModeNative": "Native SSH Server",
+    "sshServerModeNativeDescription": "Executes commands directly on the host via the Site Connector. No network config required.",
+    "sshAuthenticationMethod": "Authentication Method",
+    "sshAuthMethodManual": "Manual Authentication",
+    "sshAuthMethodManualDescription": "Requires existing host credentials. Bypasses automatic provisioning.",
+    "sshAuthMethodAutomated": "Automated Provisioning",
+    "sshAuthMethodAutomatedDescription": "Automatically creates users, groups, and sudo permissions on host.",
+    "sshAuthDaemonLocation": "Auth Daemon Location",
+    "sshDaemonLocationSiteDescription": "Executes locally on the machine hosting the site connector.",
+    "sshDaemonLocationRemote": "On Remote Host",
+    "sshDaemonLocationRemoteDescription": "Executes on a separate target machine on the same network.",
+    "sshDaemonDisclaimer": "Ensure your target host is properly configured to run the auth daemon before completing this setup, or provisioning will fail.",
+    "sshDaemonPort": "Daemon Port",
+    "sshServerDestination": "Server Destination",
+    "sshServerDestinationDescription": "Configure the destination and port of the SSH server",
+    "destination": "Destination",
+    "bgTargetMultiSiteDisclaimer": "Selecting multiple sites enables resilient routing and failover for high availability.",
    "roleAllowSsh": "Allow SSH",
    "roleAllowSshAllow": "Allow",
    "roleAllowSshDisallow": "Disallow",
@@ -2049,6 +2180,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Scheme",
    "editInternalResourceDialogEnableSsl": "Enable TLS",
    "editInternalResourceDialogEnableSslDescription": "Enable SSL/TLS encryption for secure HTTPS connections to the destination.",
@@ -2098,6 +2230,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Scheme",
    "createInternalResourceDialogScheme": "Scheme",
    "createInternalResourceDialogEnableSsl": "Enable TLS",
@@ -2937,7 +3070,7 @@
    "learnMore": "Learn more",
    "backToHome": "Go back to home",
    "needToSignInToOrg": "Need to use your organization's identity provider?",
-    "maintenanceMode": "Maintenance Mode",
+    "maintenanceMode": "Maintenance Page",
    "maintenanceModeDescription": "Display a maintenance page to visitors",
    "maintenanceModeType": "Maintenance Mode Type",
    "showMaintenancePage": "Show a maintenance page to visitors",
@@ -2967,6 +3100,7 @@
    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
    "createInternalResourceDialogDestinationRequired": "Destination is required",
    "available": "Available",
+    "disabledResourceDescription": "When disabled, the resource will be inaccessible by everyone.",
    "archived": "Archived",
    "noArchivedDevices": "No archived devices found",
    "deviceArchived": "Device archived",
@@ -3296,5 +3430,8 @@
    "memberPortalResourceDisabled": "Resource Disabled",
    "memberPortalShowingResources": "Showing {start}-{end} of {total} resources",
    "memberPortalPrevious": "Previous",
-    "memberPortalNext": "Next"
+    "memberPortalNext": "Next",
+    "httpSettings": "HTTP Settings",
+    "tcpSettings": "TCP Settings",
+    "udpSettings": "UDP Settings"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
    "editInternalResourceDialogEnableSsl": "Activar TLS",
    "editInternalResourceDialogEnableSslDescription": "Habilitar cifrado SSL/TLS para conexiones HTTPS seguras al destino.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
    "createInternalResourceDialogEnableSsl": "Activar TLS",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Méthode HTTP",
    "editInternalResourceDialogEnableSsl": "Activer TLS",
    "editInternalResourceDialogEnableSslDescription": "Activer le cryptage SSL/TLS pour des connexions HTTPS sécurisées vers la destination.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Méthode HTTP",
    "createInternalResourceDialogScheme": "Méthode HTTP",
    "createInternalResourceDialogEnableSsl": "Activer TLS",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Metodo HTTP",
    "editInternalResourceDialogEnableSsl": "Abilitare TLS",
    "editInternalResourceDialogEnableSslDescription": "Abilita la crittografia SSL/TLS per connessioni HTTPS sicure alla destinazione.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Metodo HTTP",
    "createInternalResourceDialogScheme": "Metodo HTTP",
    "createInternalResourceDialogEnableSsl": "Abilitare TLS",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "스킴",
    "editInternalResourceDialogEnableSsl": "TLS 활성화",
    "editInternalResourceDialogEnableSslDescription": "목적지로의 안전한 HTTPS 연결을 위한 SSL/TLS 암호화 활성화.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "스킴",
    "createInternalResourceDialogScheme": "스킴",
    "createInternalResourceDialogEnableSsl": "TLS 활성화",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Skjema",
    "editInternalResourceDialogEnableSsl": "Aktiver TLS",
    "editInternalResourceDialogEnableSslDescription": "Aktiver SSL/TLS-kryptering for sikre HTTPS-tilkoblinger til destinasjonen.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Skjema",
    "createInternalResourceDialogScheme": "Skjema",
    "createInternalResourceDialogEnableSsl": "Aktiver TLS",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schema",
    "editInternalResourceDialogEnableSsl": "TLS inschakelen",
    "editInternalResourceDialogEnableSslDescription": "Schakel SSL/TLS-encryptie in voor beveiligde HTTPS-verbindingen met de bestemming.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schema",
    "createInternalResourceDialogScheme": "Schema",
    "createInternalResourceDialogEnableSsl": "TLS inschakelen",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Schemat",
    "editInternalResourceDialogEnableSsl": "Włącz TLS",
    "editInternalResourceDialogEnableSslDescription": "Włącz szyfrowanie SSL/TLS dla bezpiecznych połączeń HTTPS z miejscem docelowym.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Schemat",
    "createInternalResourceDialogScheme": "Schemat",
    "createInternalResourceDialogEnableSsl": "Włącz TLS",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Esquema",
    "editInternalResourceDialogEnableSsl": "Ativar TLS",
    "editInternalResourceDialogEnableSslDescription": "Ativar criptografia SSL/TLS para conexões HTTPS seguras com o destino.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Esquema",
    "createInternalResourceDialogScheme": "Esquema",
    "createInternalResourceDialogEnableSsl": "Ativar TLS",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "СИДР",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Схема",
    "editInternalResourceDialogEnableSsl": "Включить TLS",
    "editInternalResourceDialogEnableSslDescription": "Включите шифрование SSL/TLS для защищенных HTTPS соединений с конечной точкой.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "СИДР",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Схема",
    "createInternalResourceDialogScheme": "Схема",
    "createInternalResourceDialogEnableSsl": "Включить TLS",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "Şema",
    "editInternalResourceDialogEnableSsl": "TLS Etkinleştir",
    "editInternalResourceDialogEnableSslDescription": "Hedefe güvenli HTTPS bağlantıları için SSL/TLS şifrelemeyi etkinleştirin.",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "Şema",
    "createInternalResourceDialogScheme": "Şema",
    "createInternalResourceDialogEnableSsl": "TLS'yi Etkinleştir",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2049,6 +2049,7 @@
    "editInternalResourceDialogModeCidr": "CIDR",
    "editInternalResourceDialogModeHttp": "HTTP",
    "editInternalResourceDialogModeHttps": "HTTPS",
+    "editInternalResourceDialogModeSsh": "SSH",
    "editInternalResourceDialogScheme": "方案",
    "editInternalResourceDialogEnableSsl": "启用 TLS",
    "editInternalResourceDialogEnableSslDescription": "为目标的安全 HTTPS 连接启用 SSL/TLS 加密。",
@@ -2098,6 +2099,7 @@
    "createInternalResourceDialogModeCidr": "CIDR",
    "createInternalResourceDialogModeHttp": "HTTP",
    "createInternalResourceDialogModeHttps": "HTTPS",
+    "createInternalResourceDialogModeSsh": "SSH",
    "scheme": "方案",
    "createInternalResourceDialogScheme": "方案",
    "createInternalResourceDialogEnableSsl": "启用 TLS",
--- a/next.config.ts
+++ b/next.config.ts
@@ -1,12 +1,42 @@
 import type { NextConfig } from "next";
 import createNextIntlPlugin from "next-intl/plugin";
+import fs from "fs";
+import path from "path";

 const withNextIntl = createNextIntlPlugin();
+// read allowedDevOrigins.json if it exists
+let allowedDevOrigins: string[] = [];
+const allowedDevOriginsPath = path.join(
+    process.cwd(),
+    "allowedDevOrigins.json"
+);
+if (fs.existsSync(allowedDevOriginsPath)) {
+    try {
+        const data = fs.readFileSync(allowedDevOriginsPath, "utf-8");
+        allowedDevOrigins = JSON.parse(data);
+    } catch {}
+}

 const nextConfig: NextConfig = {
    reactStrictMode: false,
    reactCompiler: true,
-    output: "standalone"
+    transpilePackages: ["@novnc/novnc"],
+    output: "standalone",
+    allowedDevOrigins,
+    async redirects() {
+        return [
+            {
+                source: "/:orgId/settings/resources/proxy/:path*",
+                destination: "/:orgId/settings/resources/public/:path*",
+                permanent: true
+            },
+            {
+                source: "/:orgId/settings/resources/client/:path*",
+                destination: "/:orgId/settings/resources/private/:path*",
+                permanent: true
+            }
+        ];
+    }
 };

 export default withNextIntl(nextConfig);
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -33,12 +33,14 @@
    },
    "dependencies": {
        "@asteasolutions/zod-to-openapi": "8.5.0",
-        "@aws-sdk/client-s3": "3.1047.0",
-        "@faker-js/faker": "10.4.0",
+        "@devolutions/iron-remote-desktop": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-0.0.0.tgz",
+        "@devolutions/iron-remote-desktop-rdp": "https://static.pangolin.net/packages/devolutions-iron-remote-desktop-rdp-0.0.0.tgz",
+        "@aws-sdk/client-s3": "3.1056.0",
        "@headlessui/react": "2.2.10",
-        "@hookform/resolvers": "5.2.2",
+        "@hookform/resolvers": "5.4.0",
        "@monaco-editor/react": "4.7.0",
        "@node-rs/argon2": "2.0.2",
+        "@novnc/novnc": "^1.7.0",
        "@oslojs/crypto": "1.0.1",
        "@oslojs/encoding": "1.1.0",
        "@radix-ui/react-avatar": "1.1.11",
@@ -68,6 +70,9 @@
        "@tailwindcss/forms": "0.5.11",
        "@tanstack/react-query": "5.100.14",
        "@tanstack/react-table": "8.21.3",
+        "@xterm/addon-fit": "^0.11.0",
+        "@xterm/addon-web-links": "^0.12.0",
+        "@xterm/xterm": "^6.0.0",
        "arctic": "3.7.0",
        "axios": "1.16.1",
        "better-sqlite3": "11.9.1",
@@ -83,37 +88,37 @@
        "express": "5.2.1",
        "express-rate-limit": "8.5.2",
        "glob": "13.0.6",
-        "helmet": "8.1.0",
+        "helmet": "8.2.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.10.1",
+        "ioredis": "5.11.0",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
+        "lucide-react": "1.17.0",
        "maxmind": "5.0.6",
        "moment": "2.30.1",
        "next": "16.2.6",
-        "next-intl": "4.12.0",
+        "next-intl": "4.13.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
        "nodemailer": "8.0.9",
        "oslo": "1.2.1",
-        "pg": "8.20.0",
-        "posthog-node": "5.34.1",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
        "qrcode.react": "4.2.0",
        "react": "19.2.6",
        "react-day-picker": "9.14.0",
        "react-dom": "19.2.6",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.75.0",
+        "react-hook-form": "7.76.1",
        "react-icons": "5.6.0",
        "recharts": "3.8.1",
        "reodotdev": "1.1.0",
        "semver": "7.8.1",
        "sshpk": "1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "22.2.0",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.6.0",
        "topojson-client": "3.1.0",
@@ -124,18 +129,18 @@
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.20.1",
+        "ws": "8.21.0",
        "yaml": "2.9.0",
        "yargs": "18.0.0",
        "zod": "4.4.3",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.66.0",
+        "@dotenvx/dotenvx": "1.69.1",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/ui": "^6.1.4",
+        "@react-email/ui": "^6.5.0",
        "@tailwindcss/postcss": "4.3.0",
-        "@tanstack/react-query-devtools": "5.100.10",
+        "@tanstack/react-query-devtools": "5.100.14",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
@@ -146,11 +151,11 @@
        "@types/jmespath": "0.15.2",
        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.8.0",
+        "@types/node": "25.9.1",
        "@types/nodemailer": "8.0.0",
        "@types/nprogress": "0.2.3",
        "@types/pg": "8.20.0",
-        "@types/react": "19.2.14",
+        "@types/react": "19.2.15",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
        "@types/sshpk": "1.17.4",
@@ -162,20 +167,20 @@
        "drizzle-kit": "0.31.10",
        "esbuild": "0.28.0",
        "esbuild-node-externals": "1.22.0",
-        "eslint": "10.3.0",
+        "eslint": "10.4.0",
        "eslint-config-next": "16.2.6",
-        "postcss": "8.5.14",
+        "postcss": "8.5.15",
        "prettier": "3.8.3",
-        "react-email": "6.1.4",
+        "react-email": "6.5.0",
        "tailwindcss": "4.3.0",
        "tsc-alias": "1.8.17",
-        "tsx": "4.22.0",
+        "tsx": "4.22.3",
        "typescript": "6.0.3",
-        "typescript-eslint": "8.59.3"
+        "typescript-eslint": "8.60.0"
    },
    "overrides": {
        "esbuild": "0.28.0",
        "dompurify": "3.4.0",
-        "postcss": "8.5.14"
+        "postcss": "8.5.15"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -5,6 +5,7 @@ import { and, eq, inArray } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import logger from "@server/logger";

 export enum ActionsEnum {
    createOrgUser = "createOrgUser",
@@ -148,11 +149,36 @@ export enum ActionsEnum {
    updateAlertRule = "updateAlertRule",
    deleteAlertRule = "deleteAlertRule",
    listAlertRules = "listAlertRules",
+    listOrgLabels = "listOrgLabels",
+    createOrgLabel = "createOrgLabel",
+    updateOrgLabel = "updateOrgLabel",
+    deleteOrgLabel = "deleteOrgLabel",
+    attachLabelToItem = "attachLabelToItem",
+    detachLabelFromItem = "detachLabelFromItem",
    getAlertRule = "getAlertRule",
    createHealthCheck = "createHealthCheck",
    updateHealthCheck = "updateHealthCheck",
    deleteHealthCheck = "deleteHealthCheck",
-    listHealthChecks = "listHealthChecks"
+    listHealthChecks = "listHealthChecks",
+    createBrowserGatewayTarget = "createBrowserGatewayTarget",
+    updateBrowserGatewayTarget = "updateBrowserGatewayTarget",
+    deleteBrowserGatewayTarget = "deleteBrowserGatewayTarget",
+    getBrowserGatewayTarget = "getBrowserGatewayTarget",
+    listBrowserGatewayTargets = "listBrowserGatewayTargets",
+    listResourcePolicies = "listResourcePolicies",
+    getResourcePolicy = "getResourcePolicy",
+    createResourcePolicy = "createResourcePolicy",
+    updateResourcePolicy = "updateResourcePolicy",
+    deleteResourcePolicy = "deleteResourcePolicy",
+    listResourcePolicyRoles = "listResourcePolicyRoles",
+    setResourcePolicyRoles = "setResourcePolicyRoles",
+    listResourcePolicyUsers = "listResourcePolicyUsers",
+    setResourcePolicyUsers = "setResourcePolicyUsers",
+    setResourcePolicyPassword = "setResourcePolicyPassword",
+    setResourcePolicyPincode = "setResourcePolicyPincode",
+    setResourcePolicyHeaderAuth = "setResourcePolicyHeaderAuth",
+    setResourcePolicyWhitelist = "setResourcePolicyWhitelist",
+    setResourcePolicyRules = "setResourcePolicyRules"
 }

 export async function checkUserActionPermission(
@@ -185,6 +211,23 @@ export async function checkUserActionPermission(
            }
        }

+        // If no direct permission, check role-based permission (any of user's roles)
+        const roleActionPermission = await db
+            .select()
+            .from(roleActions)
+            .where(
+                and(
+                    eq(roleActions.actionId, actionId),
+                    inArray(roleActions.roleId, userOrgRoleIds),
+                    eq(roleActions.orgId, req.userOrgId!)
+                )
+            )
+            .limit(1);
+
+        if (roleActionPermission.length > 0) {
+            return true;
+        }
+
        // Check if the user has direct permission for the action in the current org
        const userActionPermission = await db
            .select()
@@ -202,20 +245,7 @@ export async function checkUserActionPermission(
            return true;
        }

-        // If no direct permission, check role-based permission (any of user's roles)
-        const roleActionPermission = await db
-            .select()
-            .from(roleActions)
-            .where(
-                and(
-                    eq(roleActions.actionId, actionId),
-                    inArray(roleActions.roleId, userOrgRoleIds),
-                    eq(roleActions.orgId, req.userOrgId!)
-                )
-            )
-            .limit(1);
-
-        return roleActionPermission.length > 0;
+        return false;
    } catch (error) {
        console.error("Error checking user action permission:", error);
        throw createHttpError(
--- a/server/auth/sessions/resource.ts
+++ b/server/auth/sessions/resource.ts
@@ -19,6 +19,9 @@ export async function createResourceSession(opts: {
    userSessionId?: string | null;
    whitelistId?: number | null;
    accessTokenId?: string | null;
+    policyPasswordId?: number | null;
+    policyPincodeId?: number | null;
+    policyWhitelistId?: number | null;
    doNotExtend?: boolean;
    expiresAt?: number | null;
    sessionLength?: number | null;
@@ -28,7 +31,10 @@ export async function createResourceSession(opts: {
        !opts.pincodeId &&
        !opts.whitelistId &&
        !opts.accessTokenId &&
-        !opts.userSessionId
+        !opts.userSessionId &&
+        !opts.policyPasswordId &&
+        !opts.policyPincodeId &&
+        !opts.policyWhitelistId
    ) {
        throw new Error("Auth method must be provided");
    }
@@ -49,6 +55,9 @@ export async function createResourceSession(opts: {
        whitelistId: opts.whitelistId || null,
        doNotExtend: opts.doNotExtend || false,
        accessTokenId: opts.accessTokenId || null,
+        policyPasswordId: opts.policyPasswordId || null,
+        policyPincodeId: opts.policyPincodeId || null,
+        policyWhitelistId: opts.policyWhitelistId || null,
        isRequestToken: opts.isRequestToken || false,
        userSessionId: opts.userSessionId || null,
        issuedAt: new Date().getTime()
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,12 @@
 import { join } from "path";
 import { readFileSync } from "fs";
-import { clients, db, resources, siteResources } from "@server/db";
+import {
+    clients,
+    db,
+    resourcePolicies,
+    resources,
+    siteResources
+} from "@server/db";
 import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
@@ -107,6 +113,35 @@ export async function getUniqueResourceName(orgId: string): Promise<string> {
    }
 }

+export async function getUniqueResourcePolicyName(
+    orgId: string
+): Promise<string> {
+    let loops = 0;
+    while (true) {
+        if (loops > 100) {
+            throw new Error("Could not generate a unique name");
+        }
+
+        const name = generateName();
+        const policyCount = await db
+            .select({
+                niceId: resourcePolicies.niceId,
+                orgId: resourcePolicies.orgId
+            })
+            .from(resourcePolicies)
+            .where(
+                and(
+                    eq(resourcePolicies.niceId, name),
+                    eq(resourcePolicies.orgId, orgId)
+                )
+            );
+        if (policyCount.length === 0) {
+            return name;
+        }
+        loops++;
+    }
+}
+
 export async function getUniqueSiteResourceName(
    orgId: string
 ): Promise<string> {
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -580,6 +580,24 @@ export const trialNotifications = pgTable("trialNotifications", {
    sentAt: bigint("sentAt", { mode: "number" }).notNull()
 });

+export const browserGatewayTarget = pgTable("browserGatewayTarget", {
+    browserGatewayTargetId: serial("browserGatewayTargetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: varchar("authToken").notNull(),
+    type: varchar("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: varchar("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +645,6 @@ export type AlertEmailRecipients = InferSelectModel<
 >;
 export type AlertWebhookActions = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -65,7 +65,12 @@ export const orgs = pgTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: boolean("isBillingOrg"),
-    billingOrgId: varchar("billingOrgId")
+    billingOrgId: varchar("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: boolean(
+        "settingsEnableGlobalNewtAutoUpdate"
+    )
+        .notNull()
+        .default(false)
 });

 export const orgDomains = pgTable("orgDomains", {
@@ -103,6 +108,10 @@ export const sites = pgTable("sites", {
    lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
    listenPort: integer("listenPort"),
    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    autoUpdateEnabled: boolean("autoUpdateEnabled").notNull().default(false),
+    autoUpdateOverrideOrg: boolean("autoUpdateOverrideOrg")
+        .notNull()
+        .default(false),
    status: varchar("status")
        .$type<"pending" | "approved">()
        .default("approved")
@@ -110,6 +119,16 @@ export const sites = pgTable("sites", {

 export const resources = pgTable("resources", {
    resourceId: serial("resourceId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: varchar("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -129,8 +148,6 @@ export const resources = pgTable("resources", {
    ssl: boolean("ssl").notNull().default(false),
    blockAccess: boolean("blockAccess").notNull().default(false),
    sso: boolean("sso").notNull().default(true),
-    http: boolean("http").notNull().default(true),
-    protocol: varchar("protocol").notNull(),
    proxyPort: integer("proxyPort"),
    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
        .notNull()
@@ -147,7 +164,6 @@ export const resources = pgTable("resources", {
    headers: text("headers"), // comma-separated list of headers to add to the request
    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
        .notNull()
        .default(false),
@@ -159,9 +175,100 @@ export const resources = pgTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: varchar("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: boolean("wildcard").notNull().default(false)
+    wildcard: boolean("wildcard").notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: varchar("authDaemonMode", { length: 32 })
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = pgTable("labels", {
+    labelId: serial("labelId").primaryKey(),
+    name: varchar("name").notNull(),
+    color: varchar("color").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = pgTable(
+    "siteLabels",
+    {
+        siteLabelId: serial("siteLabelId").primaryKey(),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = pgTable(
+    "resourceLabels",
+    {
+        resourceLabelId: serial("resourceLabelId").primaryKey(),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = pgTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: serial("siteResourceLabelId").primaryKey(),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = pgTable(
+    "clientLabels",
+    {
+        clientLabelId: serial("clientLabelId").primaryKey(),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = pgTable("targets", {
    targetId: serial("targetId").primaryKey(),
    resourceId: integer("resourceId")
@@ -196,9 +303,11 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: varchar("name"),
    hcEnabled: boolean("hcEnabled").notNull().default(false),
    hcPath: varchar("hcPath"),
@@ -254,11 +363,11 @@ export const siteResources = pgTable("siteResources", {
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
    ssl: boolean("ssl").notNull().default(false),
-    mode: varchar("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: varchar("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: varchar("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: varchar("destination").notNull(), // ip, cidr, hostname; validate against the mode
+    destination: varchar("destination"), // ip, cidr, hostname; validate against the mode
    enabled: boolean("enabled").notNull().default(true),
    alias: varchar("alias"),
    aliasAddress: varchar("aliasAddress"),
@@ -266,8 +375,11 @@ export const siteResources = pgTable("siteResources", {
    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
    disableIcmp: boolean("disableIcmp").notNull().default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: varchar("pamMode", { length: 32 })
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: varchar("authDaemonMode", { length: 32 })
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: varchar("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -521,6 +633,38 @@ export const userResources = pgTable("userResources", {
        .references(() => resources.resourceId, { onDelete: "cascade" })
 });

+export const rolePolicies = pgTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = pgTable("userPolicies", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = pgTable("resourcePolicyWhitelist", {
+    whitelistId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const userInvites = pgTable("userInvites", {
    inviteId: varchar("inviteId").primaryKey(),
    orgId: varchar("orgId")
@@ -586,6 +730,40 @@ export const resourceHeaderAuthExtendedCompatibility = pgTable(
    }
 );

+export const resourcePolicyPincode = pgTable("resourcePolicyPincode", {
+    pincodeId: serial("pincodeId").primaryKey(),
+    pincodeHash: varchar("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = pgTable("resourcePolicyPassword", {
+    passwordId: serial("passwordId").primaryKey(),
+    passwordHash: varchar("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = pgTable("resourcePolicyHeaderAuth", {
+    headerAuthId: serial("headerAuthId").primaryKey(),
+    headerAuthHash: varchar("headerAuthHash").notNull(),
+    extendedCompatibility: boolean("extendedCompatibility")
+        .notNull()
+        .default(true),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
    accessTokenId: varchar("accessTokenId").primaryKey(),
    orgId: varchar("orgId")
@@ -594,6 +772,7 @@ export const resourceAccessToken = pgTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: varchar("path"),
    tokenHash: varchar("tokenHash").notNull(),
    sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
    expiresAt: bigint("expiresAt", { mode: "number" }),
@@ -641,6 +820,24 @@ export const resourceSessions = pgTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: bigint("issuedAt", { mode: "number" })
 });

@@ -679,6 +876,43 @@ export const resourceRules = pgTable("resourceRules", {
    value: varchar("value").notNull()
 });

+export const resourcePolicyRules = pgTable("resourcePolicyRules", {
+    ruleId: serial("ruleId").primaryKey(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: boolean("enabled").notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: varchar("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: varchar("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: varchar("value").notNull()
+});
+
+export const resourcePolicies = pgTable("resourcePolicies", {
+    resourcePolicyId: serial("resourcePolicyId").primaryKey(),
+    sso: boolean("sso").notNull().default(true),
+    applyRules: boolean("applyRules").notNull().default(false),
+    scope: varchar("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    niceId: text("niceId").notNull(),
+    name: varchar("name").notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = pgTable("supporterKey", {
    keyId: serial("keyId").primaryKey(),
    key: varchar("key").notNull(),
@@ -1097,19 +1331,30 @@ export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
    complete: boolean("complete").notNull().default(false)
 });

-export const statusHistory = pgTable("statusHistory", {
-    id: serial("id").primaryKey(),
-    entityType: varchar("entityType").notNull(),
-    entityId: integer("entityId").notNull(),
-    orgId: varchar("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: varchar("status").notNull(),
-    timestamp: integer("timestamp").notNull(),
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = pgTable(
+    "statusHistory",
+    {
+        id: serial("id").primaryKey(),
+        entityType: varchar("entityType").notNull(),
+        entityId: integer("entityId").notNull(),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: varchar("status").notNull(),
+        timestamp: integer("timestamp").notNull()
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1179,3 +1424,7 @@ export type RoundTripMessageTracker = InferSelectModel<
 >;
 export type Network = InferSelectModel<typeof networks>;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -17,10 +17,13 @@ import {
    resourceHeaderAuth,
    ResourceHeaderAuth,
    resourceRules,
+    resourcePolicyRules,
    resources,
    roleResources,
+    rolePolicies,
    sessions,
    userResources,
+    userPolicies,
    users,
    ResourceHeaderAuthExtendedCompatibility,
    resourceHeaderAuthExtendedCompatibility
@@ -154,58 +157,126 @@ export async function getRoleName(roleId: number): Promise<string | null> {
 }

 /**
- * Check if role has access to resource
+ * Check if role has access to resource (direct or via resource policy)
 */
 export async function getRoleResourceAccess(
    resourceId: number,
    roleIds: number[]
 ) {
-    const roleResourceAccess = await db
-        .select()
-        .from(roleResources)
-        .where(
-            and(
-                eq(roleResources.resourceId, resourceId),
-                inArray(roleResources.roleId, roleIds)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(roleResources)
+            .where(
+                and(
+                    eq(roleResources.resourceId, resourceId),
+                    inArray(roleResources.roleId, roleIds)
+                )
+            ),
+        db
+            .select({
+                roleId: rolePolicies.roleId,
+                resourcePolicyId: rolePolicies.resourcePolicyId
+            })
+            .from(rolePolicies)
+            .innerJoin(
+                resources,
+                eq(resources.resourcePolicyId, rolePolicies.resourcePolicyId)
            )
-        );
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    inArray(rolePolicies.roleId, roleIds)
+                )
+            )
+    ]);

-    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
+    const combined = [...direct, ...viaPolicies];
+    return combined.length > 0 ? combined : null;
 }

 /**
- * Check if user has direct access to resource
+ * Check if user has access to resource (direct or via resource policy)
 */
 export async function getUserResourceAccess(
    userId: string,
    resourceId: number
 ) {
-    const userResourceAccess = await db
-        .select()
-        .from(userResources)
-        .where(
-            and(
-                eq(userResources.userId, userId),
-                eq(userResources.resourceId, resourceId)
+    const [direct, viaPolicies] = await Promise.all([
+        db
+            .select()
+            .from(userResources)
+            .where(
+                and(
+                    eq(userResources.userId, userId),
+                    eq(userResources.resourceId, resourceId)
+                )
            )
-        )
-        .limit(1);
+            .limit(1),
+        db
+            .select({
+                userId: userPolicies.userId,
+                resourcePolicyId: userPolicies.resourcePolicyId
+            })
+            .from(userPolicies)
+            .innerJoin(
+                resources,
+                eq(resources.resourcePolicyId, userPolicies.resourcePolicyId)
+            )
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(userPolicies.userId, userId)
+                )
+            )
+            .limit(1)
+    ]);

-    return userResourceAccess.length > 0 ? userResourceAccess[0] : null;
+    return direct[0] ?? viaPolicies[0] ?? null;
 }

 /**
- * Get resource rules for a given resource
+ * Get resource rules for a given resource (direct and via resource policy)
 */
 export async function getResourceRules(
    resourceId: number
 ): Promise<ResourceRule[]> {
-    const rules = await db
-        .select()
-        .from(resourceRules)
-        .where(eq(resourceRules.resourceId, resourceId));
+    const [directRules, policyRules] = await Promise.all([
+        db
+            .select()
+            .from(resourceRules)
+            .where(eq(resourceRules.resourceId, resourceId)),
+        db
+            .select({
+                ruleId: resourcePolicyRules.ruleId,
+                resourceId: sql<number>`${resourceId}`,
+                enabled: resourcePolicyRules.enabled,
+                priority: resourcePolicyRules.priority,
+                action: resourcePolicyRules.action,
+                match: resourcePolicyRules.match,
+                value: resourcePolicyRules.value
+            })
+            .from(resourcePolicyRules)
+            .innerJoin(
+                resources,
+                eq(
+                    resources.resourcePolicyId,
+                    resourcePolicyRules.resourcePolicyId
+                )
+            )
+            .where(eq(resources.resourceId, resourceId))
+    ]);

-    return rules;
+    const maxDirectPriority = directRules.reduce(
+        (max, r) => Math.max(max, r.priority),
+        0
+    );
+    const offsetPolicyRules = policyRules.map((r) => ({
+        ...r,
+        priority: maxDirectPriority + r.priority
+    }));
+
+    return [...directRules, ...offsetPolicyRules] as ResourceRule[];
 }

 /**
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -588,6 +588,26 @@ export const trialNotifications = sqliteTable("trialNotifications", {
    sentAt: integer("sentAt").notNull()
 });

+export const browserGatewayTarget = sqliteTable("browserGatewayTarget", {
+    browserGatewayTargetId: integer("browserGatewayTargetId").primaryKey({
+        autoIncrement: true
+    }),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    authToken: text("authToken").notNull(),
+    type: text("type").notNull(), // "ssh", "rdp", "vnc"
+    destination: text("destination").notNull(),
+    destinationPort: integer("destinationPort").notNull()
+});
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -627,3 +647,6 @@ export type AlertEmailAction = InferSelectModel<typeof alertEmailActions>;
 export type AlertEmailRecipient = InferSelectModel<typeof alertEmailRecipients>;
 export type AlertWebhookAction = InferSelectModel<typeof alertWebhookActions>;
 export type TrialNotification = InferSelectModel<typeof trialNotifications>;
+export type BrowserGatewayTarget = InferSelectModel<
+    typeof browserGatewayTarget
+>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -62,7 +62,13 @@ export const orgs = sqliteTable("orgs", {
    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
-    billingOrgId: text("billingOrgId")
+    billingOrgId: text("billingOrgId"),
+    settingsEnableGlobalNewtAutoUpdate: integer(
+        "settingsEnableGlobalNewtAutoUpdate",
+        { mode: "boolean" }
+    )
+        .notNull()
+        .default(false)
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -116,11 +122,29 @@ export const sites = sqliteTable("sites", {
    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
        .notNull()
        .default(true),
+    autoUpdateEnabled: integer("autoUpdateEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdateOverrideOrg: integer("autoUpdateOverrideOrg", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
    status: text("status").$type<"pending" | "approved">().default("approved")
 });

 export const resources = sqliteTable("resources", {
    resourceId: integer("resourceId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        { onDelete: "set null" }
+    ),
+    defaultResourcePolicyId: integer("defaultResourcePolicyId").references(
+        () => resourcePolicies.resourcePolicyId,
+        {
+            onDelete: "restrict"
+        }
+    ),
    resourceGuid: text("resourceGuid", { length: 36 })
        .unique()
        .notNull()
@@ -142,8 +166,6 @@ export const resources = sqliteTable("resources", {
        .notNull()
        .default(false),
    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
-    http: integer("http", { mode: "boolean" }).notNull().default(true),
-    protocol: text("protocol").notNull(),
    proxyPort: integer("proxyPort"),
    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
        .notNull()
@@ -166,7 +188,6 @@ export const resources = sqliteTable("resources", {
        .notNull()
        .default(false),
    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
-
    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
        mode: "boolean"
    })
@@ -180,9 +201,106 @@ export const resources = sqliteTable("resources", {
    maintenanceEstimatedTime: text("maintenanceEstimatedTime"),
    postAuthPath: text("postAuthPath"),
    health: text("health").default("unknown"), // "healthy", "unhealthy", "unknown"
-    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false)
+    wildcard: integer("wildcard", { mode: "boolean" }).notNull().default(false),
+    mode: text("mode").default("http").notNull(), // rdp, ssh, http, vnc
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
+    authDaemonMode: text("authDaemonMode")
+        .$type<"site" | "remote" | "native">()
+        .default("site"),
+    authDaemonPort: integer("authDaemonPort").default(22123)
 });

+export const labels = sqliteTable("labels", {
+    labelId: integer("labelId").primaryKey({ autoIncrement: true }),
+    name: text("name").notNull(),
+    color: text("color").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const siteLabels = sqliteTable(
+    "siteLabels",
+    {
+        siteLabelId: integer("siteLabelId").primaryKey({ autoIncrement: true }),
+        siteId: integer("siteId")
+            .references(() => sites.siteId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_label_uniq").on(t.siteId, t.labelId)]
+);
+
+export const resourceLabels = sqliteTable(
+    "resourceLabels",
+    {
+        resourceLabelId: integer("resourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        resourceId: integer("resourceId")
+            .references(() => resources.resourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("resource_label_uniq").on(t.resourceId, t.labelId)]
+);
+
+export const siteResourceLabels = sqliteTable(
+    "siteResourceLabels",
+    {
+        siteResourceLabelId: integer("siteResourceLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        siteResourceId: integer("siteResourceId")
+            .references(() => siteResources.siteResourceId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("site_resource_label_uniq").on(t.siteResourceId, t.labelId)]
+);
+
+export const clientLabels = sqliteTable(
+    "clientLabels",
+    {
+        clientLabelId: integer("clientLabelId").primaryKey({
+            autoIncrement: true
+        }),
+        clientId: integer("clientId")
+            .references(() => clients.clientId, {
+                onDelete: "cascade"
+            })
+            .notNull(),
+        labelId: integer("labelId")
+            .references(() => labels.labelId, {
+                onDelete: "cascade"
+            })
+            .notNull()
+    },
+    (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
+);
+
 export const targets = sqliteTable("targets", {
    targetId: integer("targetId").primaryKey({ autoIncrement: true }),
    resourceId: integer("resourceId")
@@ -219,9 +337,11 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
            onDelete: "cascade"
        })
        .notNull(),
-    siteId: integer("siteId").references(() => sites.siteId, {
-        onDelete: "cascade"
-    }).notNull(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
    name: text("name"),
    hcEnabled: integer("hcEnabled", { mode: "boolean" })
        .notNull()
@@ -281,11 +401,11 @@ export const siteResources = sqliteTable("siteResources", {
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
    ssl: integer("ssl", { mode: "boolean" }).notNull().default(false),
-    mode: text("mode").$type<"host" | "cidr" | "http">().notNull(), // "host" | "cidr" | "http"
+    mode: text("mode").$type<"host" | "cidr" | "http" | "ssh">().notNull(), // "host" | "cidr" | "http"
    scheme: text("scheme").$type<"http" | "https">(), // only for when we are doing https or http mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
-    destination: text("destination").notNull(), // ip, cidr, hostname
+    destination: text("destination"), // ip, cidr, hostname
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    alias: text("alias"),
    aliasAddress: text("aliasAddress"),
@@ -295,8 +415,11 @@ export const siteResources = sqliteTable("siteResources", {
        .notNull()
        .default(false),
    authDaemonPort: integer("authDaemonPort").default(22123),
+    pamMode: text("pamMode")
+        .$type<"passthrough" | "push">()
+        .default("passthrough"),
    authDaemonMode: text("authDaemonMode")
-        .$type<"site" | "remote">()
+        .$type<"site" | "remote" | "native">()
        .default("site"),
    domainId: text("domainId").references(() => domains.domainId, {
        onDelete: "set null"
@@ -909,6 +1032,47 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
    headerAuthHash: text("headerAuthHash").notNull()
 });

+export const resourcePolicyPincode = sqliteTable("resourcePolicyPincode", {
+    pincodeId: integer("pincodeId").primaryKey({ autoIncrement: true }),
+    pincodeHash: text("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyPassword = sqliteTable("resourcePolicyPassword", {
+    passwordId: integer("passwordId").primaryKey({ autoIncrement: true }),
+    passwordHash: text("passwordHash").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyHeaderAuth = sqliteTable(
+    "resourcePolicyHeaderAuth",
+    {
+        headerAuthId: integer("headerAuthId").primaryKey({
+            autoIncrement: true
+        }),
+        headerAuthHash: text("headerAuthHash").notNull(),
+        extendedCompatibility: integer("extendedCompatibility", {
+            mode: "boolean"
+        })
+            .notNull()
+            .default(true),
+        resourcePolicyId: integer("resourcePolicyId")
+            .notNull()
+            .references(() => resourcePolicies.resourcePolicyId, {
+                onDelete: "cascade"
+            })
+    }
+);
+
 export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
    "resourceHeaderAuthExtendedCompatibility",
    {
@@ -937,6 +1101,7 @@ export const resourceAccessToken = sqliteTable("resourceAccessToken", {
    resourceId: integer("resourceId")
        .notNull()
        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    path: text("path"),
    tokenHash: text("tokenHash").notNull(),
    sessionLength: integer("sessionLength").notNull(),
    expiresAt: integer("expiresAt"),
@@ -983,6 +1148,24 @@ export const resourceSessions = sqliteTable("resourceSessions", {
            onDelete: "cascade"
        }
    ),
+    policyPasswordId: integer("policyPasswordId").references(
+        () => resourcePolicyPassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyPincodeId: integer("policyPincodeId").references(
+        () => resourcePolicyPincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    policyWhitelistId: integer("policyWhitelistId").references(
+        () => resourcePolicyWhiteList.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
    issuedAt: integer("issuedAt")
 });

@@ -1023,6 +1206,77 @@ export const resourceRules = sqliteTable("resourceRules", {
    value: text("value").notNull()
 });

+export const rolePolicies = sqliteTable("rolePolicies", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const userPolicies = sqliteTable("userPolicies", {
+    userId: text("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyWhiteList = sqliteTable("resourcePolicyWhitelist", {
+    whitelistId: integer("id").primaryKey({ autoIncrement: true }),
+    email: text("email").notNull(),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        })
+});
+
+export const resourcePolicyRules = sqliteTable("resourcePolicyRules", {
+    ruleId: integer("ruleId").primaryKey({ autoIncrement: true }),
+    resourcePolicyId: integer("resourcePolicyId")
+        .notNull()
+        .references(() => resourcePolicies.resourcePolicyId, {
+            onDelete: "cascade"
+        }),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: text("action").$type<"ACCEPT" | "DROP" | "PASS">().notNull(),
+    match: text("match").$type<"CIDR" | "PATH" | "IP">().notNull(),
+    value: text("value").notNull()
+});
+
+export const resourcePolicies = sqliteTable("resourcePolicies", {
+    resourcePolicyId: integer("resourcePolicyId").primaryKey(),
+    sso: integer("sso", { mode: "boolean" }).notNull().default(true),
+    applyRules: integer("applyRules", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    scope: text("scope")
+        .$type<"global" | "resource">()
+        .notNull()
+        .default("global"),
+    emailWhitelistEnabled: integer("emailWhitelistEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    niceId: text("niceId").notNull(),
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "set null"
+    }),
+    name: text("name").notNull(),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
 export const supporterKey = sqliteTable("supporterKey", {
    keyId: integer("keyId").primaryKey({ autoIncrement: true }),
    key: text("key").notNull(),
@@ -1196,19 +1450,30 @@ export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
 });

-export const statusHistory = sqliteTable("statusHistory", {
-    id: integer("id").primaryKey({ autoIncrement: true }),
-    entityType: text("entityType").notNull(), // "site" | "healthCheck"
-    entityId: integer("entityId").notNull(),  // siteId or targetHealthCheckId
-    orgId: text("orgId")
-        .notNull()
-        .references(() => orgs.orgId, { onDelete: "cascade" }),
-    status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
-    timestamp: integer("timestamp").notNull(), // unix epoch seconds
-}, (table) => [
-    index("idx_statusHistory_entity").on(table.entityType, table.entityId, table.timestamp),
-    index("idx_statusHistory_org_timestamp").on(table.orgId, table.timestamp),
-]);
+export const statusHistory = sqliteTable(
+    "statusHistory",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        entityType: text("entityType").notNull(), // "site" | "healthCheck"
+        entityId: integer("entityId").notNull(), // siteId or targetHealthCheckId
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        status: text("status").notNull(), // "online"/"offline" for sites; "healthy"/"unhealthy"/"unknown" for healthChecks
+        timestamp: integer("timestamp").notNull() // unix epoch seconds
+    },
+    (table) => [
+        index("idx_statusHistory_entity").on(
+            table.entityType,
+            table.entityId,
+            table.timestamp
+        ),
+        index("idx_statusHistory_org_timestamp").on(
+            table.orgId,
+            table.timestamp
+        )
+    ]
+);

 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
@@ -1278,3 +1543,7 @@ export type RoundTripMessageTracker = InferSelectModel<
    typeof roundTripMessageTracker
 >;
 export type StatusHistory = InferSelectModel<typeof statusHistory>;
+export type Label = InferSelectModel<typeof labels>;
+export type ResourcePolicy = InferSelectModel<typeof resourcePolicies>;
+export type RolePolicy = InferSelectModel<typeof rolePolicies>;
+export type UserPolicy = InferSelectModel<typeof userPolicies>;
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -152,11 +152,17 @@ function getOpenApiDocumentation() {

            if (!hasExistingResponses) {
                def.route.responses = {
-                    "*": {
-                        description: "",
+                    "200": {
+                        description: "Successful response",
                        content: {
                            "application/json": {
-                                schema: z.object({})
+                                schema: z.object({
+                                    data: z.unknown().nullable(),
+                                    success: z.boolean(),
+                                    error: z.boolean(),
+                                    message: z.string(),
+                                    status: z.number()
+                                })
                            }
                        }
                    }
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -24,10 +24,14 @@ export enum TierFeature {
    DomainNamespaces = "domainNamespaces", // handle downgrade by removing custom domain namespaces
    StandaloneHealthChecks = "standaloneHealthChecks",
    AlertingRules = "alertingRules",
-    WildcardSubdomain = "wildcardSubdomain"
+    WildcardSubdomain = "wildcardSubdomain",
+    Labels = "labels",
+    NewtAutoUpdate = "newtAutoUpdate",
+    ResourcePolicies = "resourcePolicies"
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
+    [TierFeature.Labels]: ["tier2", "tier3", "enterprise"],
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.LoginPageDomain]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
@@ -66,5 +70,7 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.StandaloneHealthChecks]: ["tier3", "enterprise"],
    [TierFeature.AlertingRules]: ["tier3", "enterprise"],
-    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"]
+    [TierFeature.WildcardSubdomain]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.NewtAutoUpdate]: ["tier1", "tier2", "tier3", "enterprise"],
+    [TierFeature.ResourcePolicies]: ["tier3", "enterprise"]
 };
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -16,14 +16,13 @@ import logger from "@server/logger";
 import { sites } from "@server/db";
 import { eq, and, isNotNull } from "drizzle-orm";
 import { addTargets as addProxyTargets } from "@server/routers/newt/targets";
-import { addTargets as addClientTargets } from "@server/routers/client/targets";
 import {
    ClientResourcesResults,
    updateClientResources
 } from "./clientResources";
 import { BlueprintSource } from "@server/routers/blueprints/types";
 import { stringify as stringifyYaml } from "yaml";
-import { faker } from "@faker-js/faker";
+import { generateName } from "@server/db/names";
 import { handleMessagingForUpdatedSiteResource } from "@server/routers/siteResource";
 import { rebuildClientAssociationsFromSiteResource } from "../rebuildClientAssociations";

@@ -106,7 +105,7 @@ export async function applyBlueprint({
                            site.newt.newtId,
                            [target],
                            matchingHealthcheck ? [matchingHealthcheck] : [],
-                            result.proxyResource.protocol,
+                            result.proxyResource.mode === "udp" ? "udp" : "tcp",
                            site.newt.version
                        );
                    }
@@ -291,9 +290,7 @@ export async function applyBlueprint({
            .insert(blueprints)
            .values({
                orgId,
-                name:
-                    name ??
-                    `${faker.word.adjective()}-${faker.word.adjective()}-${faker.word.noun()}`,
+                name: name ?? generateName(),
                contents: stringifyYaml(configData),
                createdAt: Math.floor(Date.now() / 1000),
                succeeded: blueprintSucceeded,
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -1,10 +1,56 @@
 import { sendToClient } from "#dynamic/routers/ws";
 import { processContainerLabels } from "./parseDockerContainers";
 import { applyBlueprint } from "./applyBlueprint";
+import { PrivateResourceSchema, PublicResourceSchema } from "./types";
 import { db, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import logger from "@server/logger";

+type BlueprintResult = ReturnType<typeof processContainerLabels>;
+
+function filterInvalidResources(blueprint: BlueprintResult): {
+    skippedCount: number;
+    skippedKeys: string[];
+} {
+    const skippedKeys: string[] = [];
+
+    for (const section of ["proxy-resources", "public-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PublicResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    for (const section of ["client-resources", "private-resources"] as const) {
+        const resources = blueprint[section];
+        for (const [key, value] of Object.entries(resources)) {
+            const result = PrivateResourceSchema.safeParse(value);
+            if (!result.success) {
+                const errors = result.error.issues
+                    .map((i) => `${i.path.join(".")}: ${i.message}`)
+                    .join("; ");
+                logger.warn(
+                    `Skipping invalid Docker ${section} "${key}": ${errors}`
+                );
+                delete resources[key];
+                skippedKeys.push(`${section}.${key}`);
+            }
+        }
+    }
+
+    return { skippedCount: skippedKeys.length, skippedKeys };
+}
+
 export async function applyNewtDockerBlueprint(
    siteId: number,
    newtId: string,
@@ -21,17 +67,24 @@ export async function applyNewtDockerBlueprint(
        return;
    }

-    // logger.debug(`Applying Docker blueprint to site: ${siteId}`);
-    // logger.debug(`Containers: ${JSON.stringify(containers, null, 2)}`);
+    let skippedCount = 0;
+    let skippedKeys: string[] = [];

    try {
        const blueprint = processContainerLabels(containers);

-        logger.debug(`Received Docker blueprint: ${JSON.stringify(blueprint)}`);
+        logger.debug(
+            `Received Docker blueprint with ${Object.keys(blueprint["proxy-resources"]).length} proxy, ${Object.keys(blueprint["client-resources"]).length} client resource(s)`
+        );

-        // make sure this is not an empty object
-        if (isEmptyObject(blueprint)) {
-            return;
+        const filterResult = filterInvalidResources(blueprint);
+        skippedCount = filterResult.skippedCount;
+        skippedKeys = filterResult.skippedKeys;
+
+        if (skippedCount > 0) {
+            logger.warn(
+                `Filtered ${skippedCount} invalid resource(s) from Docker blueprint: ${skippedKeys.join(", ")}`
+            );
        }

        if (
@@ -40,6 +93,15 @@ export async function applyNewtDockerBlueprint(
            isEmptyObject(blueprint["public-resources"]) &&
            isEmptyObject(blueprint["private-resources"])
        ) {
+            if (skippedCount > 0) {
+                await sendToClient(newtId, {
+                    type: "newt/blueprint/results",
+                    data: {
+                        success: false,
+                        message: `All resources were invalid and skipped: ${skippedKeys.join(", ")}`
+                    }
+                });
+            }
            return;
        }

@@ -66,7 +128,10 @@ export async function applyNewtDockerBlueprint(
        type: "newt/blueprint/results",
        data: {
            success: true,
-            message: "Config updated successfully"
+            message:
+                skippedCount > 0
+                    ? `Config updated successfully. Skipped ${skippedCount} invalid resource(s): ${skippedKeys.join(", ")}`
+                    : "Config updated successfully"
        }
    });
 }
--- a/server/lib/blueprints/clientResources.ts
+++ b/server/lib/blueprints/clientResources.ts
@@ -3,6 +3,7 @@ import {
    clientSiteResources,
    domains,
    orgDomains,
+    roleActions,
    roles,
    roleSiteResources,
    Site,
@@ -19,6 +20,7 @@ import { sites } from "@server/db";
 import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";

@@ -225,7 +227,11 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .where(
                    eq(
@@ -332,8 +338,7 @@ export async function updateClientResources(
            }

            if (resourceData.roles.length > 0) {
-                // Re-add specified roles but we need to get the roleIds from the role name in the array
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -343,7 +348,28 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
@@ -360,8 +386,14 @@ export async function updateClientResources(
            });
        } else {
            let aliasAddress: string | null = null;
+            let releaseAliasLock: (() => Promise<void>) | null = null;
            if (resourceData.mode === "host" || resourceData.mode === "http") {
-                aliasAddress = await getNextAvailableAliasAddress(orgId, trx);
+                const { value, release } = await getNextAvailableAliasAddress(
+                    orgId,
+                    trx
+                );
+                aliasAddress = value;
+                releaseAliasLock = release;
            }

            let domainInfo:
@@ -415,10 +447,16 @@ export async function updateClientResources(
                            : resourceData["udp-ports"],
                    fullDomain: resourceData["full-domain"] || null,
                    subdomain: domainInfo ? domainInfo.subdomain : null,
-                    domainId: domainInfo ? domainInfo.domainId : null
+                    domainId: domainInfo ? domainInfo.domainId : null,
+                    pamMode: resourceData["auth-daemon"]?.pam || "passthrough",
+                    authDaemonMode:
+                        resourceData["auth-daemon"]?.mode || "native",
+                    authDaemonPort: resourceData["auth-daemon"]?.port || 22123
                })
                .returning();

+            await releaseAliasLock?.();
+
            const siteResourceId = newResource.siteResourceId;

            for (const site of allSites) {
@@ -444,8 +482,7 @@ export async function updateClientResources(
            });

            if (resourceData.roles.length > 0) {
-                // get roleIds from role names
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                    .select()
                    .from(roles)
                    .where(
@@ -455,7 +492,28 @@ export async function updateClientResources(
                        )
                    );

-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);

                await trx
                    .insert(roleSiteResources)
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -161,11 +161,34 @@ export const HeaderSchema = z.object({
    value: z.string().min(1)
 });

+export const AuthDaemonSchema = z
+    .object({
+        pam: z.enum(["passthrough", "push"]).optional().default("passthrough"),
+        mode: z.enum(["site", "remote", "native"]).optional().default("site"),
+        port: z.int().min(1).max(65535).optional()
+    })
+    .refine(
+        (data) => {
+            if (data.mode === "remote") {
+                return data.port !== undefined;
+            }
+            return true;
+        },
+        {
+            path: ["port"],
+            message: "port is required when auth-daemon mode is 'remote'"
+        }
+    );
+
 // Schema for individual resource
-export const ResourceSchema = z
+export const PublicResourceSchema = z
    .object({
        name: z.string().optional(),
-        protocol: z.enum(["http", "tcp", "udp"]).optional(),
+        protocol: z
+            .enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"])
+            .optional(), // this was the old one and is now DEPRECATED in favor of the mode
+        mode: z.enum(["http", "tcp", "udp", "ssh", "rdp", "vnc"]).optional(),
+        policy: z.string().optional(),
        ssl: z.boolean().optional(),
        scheme: z.enum(["http", "https"]).optional(),
        "full-domain": z.string().optional(),
@@ -177,7 +200,8 @@ export const ResourceSchema = z
        "tls-server-name": z.string().optional(),
        headers: z.array(HeaderSchema).optional(),
        rules: z.array(RuleSchema).optional(),
-        maintenance: MaintenanceSchema.optional()
+        maintenance: MaintenanceSchema.optional(),
+        "auth-daemon": AuthDaemonSchema.optional()
    })
    .refine(
        (resource) => {
@@ -185,9 +209,10 @@ export const ResourceSchema = z
                return true;
            }

-            // Otherwise, require name and protocol for full resource definition
+            // Otherwise, require name and protocol/mode for full resource definition
            return (
-                resource.name !== undefined && resource.protocol !== undefined
+                resource.name !== undefined &&
+                (resource.mode !== undefined || resource.protocol !== undefined)
            );
        },
        {
@@ -201,8 +226,8 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, all targets must have method field
-            if (resource.protocol === "http") {
+            // If protocol/mode is http, all targets must have method field
+            if ((resource.mode ?? resource.protocol) === "http") {
                return resource.targets.every(
                    (target) => target == null || target.method !== undefined
                );
@@ -220,8 +245,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, no target should have method field
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, no target should have method field
+            const effectiveProtocol1 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol1 === "tcp" || effectiveProtocol1 === "udp") {
                return resource.targets.every(
                    (target) => target == null || target.method === undefined
                );
@@ -239,8 +265,8 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is http, it must have a full-domain
-            if (resource.protocol === "http") {
+            // If protocol/mode is http, it must have a full-domain
+            if ((resource.mode ?? resource.protocol) === "http") {
                return (
                    resource["full-domain"] !== undefined &&
                    resource["full-domain"].length > 0
@@ -259,8 +285,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must have both proxy-port
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must have both proxy-port
+            const effectiveProtocol2 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol2 === "tcp" || effectiveProtocol2 === "udp") {
                return resource["proxy-port"] !== undefined;
            }
            return true;
@@ -277,8 +304,9 @@ export const ResourceSchema = z
                return true;
            }

-            // If protocol is tcp or udp, it must not have auth
-            if (resource.protocol === "tcp" || resource.protocol === "udp") {
+            // If protocol/mode is tcp or udp, it must not have auth
+            const effectiveProtocol3 = resource.mode ?? resource.protocol;
+            if (effectiveProtocol3 === "tcp" || effectiveProtocol3 === "udp") {
                return resource.auth === undefined;
            }
            return true;
@@ -349,22 +377,29 @@ export const ResourceSchema = z
            message:
                'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
        }
-    );
+    )
+    .transform((resource) => {
+        // Normalize: prefer mode, fall back to protocol for backwards compatibility
+        if (resource.mode === undefined && resource.protocol !== undefined) {
+            resource.mode = resource.protocol;
+        }
+        return resource;
+    });

 export function isTargetsOnlyResource(resource: any): boolean {
    return Object.keys(resource).length === 1 && resource.targets;
 }

-export const ClientResourceSchema = z
+export const PrivateResourceSchema = z
    .object({
        name: z.string().min(1).max(255),
-        mode: z.enum(["host", "cidr", "http"]),
+        mode: z.enum(["host", "cidr", "http", "ssh"]),
        site: z.string().optional(), // DEPRECATED IN FAVOR OF sites
        sites: z.array(z.string()).optional().default([]),
        // protocol: z.enum(["tcp", "udp"]).optional(),
        // proxyPort: z.int().positive().optional(),
        "destination-port": z.int().positive().optional(),
-        destination: z.string().min(1),
+        destination: z.string().min(1).optional(),
        // enabled: z.boolean().default(true),
        "tcp-ports": portRangeStringSchema.optional().default("*"),
        "udp-ports": portRangeStringSchema.optional().default("*"),
@@ -387,11 +422,31 @@ export const ClientResourceSchema = z
                error: "Admin role cannot be included in roles"
            }),
        users: z.array(z.string()).optional().default([]),
-        machines: z.array(z.string()).optional().default([])
+        machines: z.array(z.string()).optional().default([]),
+        "auth-daemon": AuthDaemonSchema.optional()
    })
+    .refine(
+        (data) => {
+            // destination is optional only for ssh+native; required for everything else
+            const isNativeSSH =
+                data.mode === "ssh" &&
+                (data["auth-daemon"] === undefined ||
+                    data["auth-daemon"].mode === "native");
+            if (!isNativeSSH && !data.destination) {
+                return false;
+            }
+            return true;
+        },
+        {
+            path: ["destination"],
+            message:
+                "destination is required unless mode is 'ssh' with auth-daemon mode 'native'"
+        }
+    )
    .refine(
        (data) => {
            if (data.mode === "host") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid IP address using zod (v4 or v6)
                const isValidIP = z
                    .union([z.ipv4(), z.ipv6()])
@@ -419,6 +474,7 @@ export const ClientResourceSchema = z
    .refine(
        (data) => {
            if (data.mode === "cidr") {
+                if (!data.destination) return true; // caught by the destination-required refine
                // Check if it's a valid CIDR (v4 or v6)
                const isValidCIDR = z
                    .union([z.cidrv4(), z.cidrv6()])
@@ -436,19 +492,19 @@ export const ClientResourceSchema = z
 export const ConfigSchema = z
    .object({
        "proxy-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "public-resources": z
-            .record(z.string(), ResourceSchema)
+            .record(z.string(), PublicResourceSchema)
            .optional()
            .prefault({}),
        "client-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
        "private-resources": z
-            .record(z.string(), ClientResourceSchema)
+            .record(z.string(), PrivateResourceSchema)
            .optional()
            .prefault({}),
        sites: z.record(z.string(), SiteSchema).optional().prefault({})
@@ -473,10 +529,13 @@ export const ConfigSchema = z
        }

        return data as {
-            "proxy-resources": Record<string, z.infer<typeof ResourceSchema>>;
+            "proxy-resources": Record<
+                string,
+                z.infer<typeof PublicResourceSchema>
+            >;
            "client-resources": Record<
                string,
-                z.infer<typeof ClientResourceSchema>
+                z.infer<typeof PrivateResourceSchema>
            >;
            sites: Record<string, z.infer<typeof SiteSchema>>;
        };
@@ -615,5 +674,5 @@ export const ConfigSchema = z
 // Type inference from the schema
 export type Site = z.infer<typeof SiteSchema>;
 export type Target = z.infer<typeof TargetSchema>;
-export type Resource = z.infer<typeof ResourceSchema>;
+export type Resource = z.infer<typeof PublicResourceSchema>;
 export type Config = z.infer<typeof ConfigSchema>;
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -154,8 +154,19 @@ class AdaptiveCache {
    keys(): string[] {
        return localCache.keys();
    }
+
+    /**
+     * Get keys with a specific prefix
+     * @param prefix - Key prefix to match
+     * @returns Array of matching keys
+     */
+    async keysWithPrefix(prefix: string): Promise<string[]> {
+        const allKeys = localCache.keys();
+        return allKeys.filter((key) => key.startsWith(prefix));
+    }
 }

 // Export singleton instance
 export const cache = new AdaptiveCache();
+export const regionalCache = cache; // Alias for compatability with the private version
 export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -331,16 +331,8 @@ export async function calculateUserClientsForOrgs(
                    ];

                // Get next available subnet
-                const newSubnet = await getNextAvailableClientSubnet(
-                    orgId,
-                    transaction
-                );
-                if (!newSubnet) {
-                    logger.warn(
-                        `Skipping org ${orgId} for OLM ${olm.olmId} (user ${userId}): no available subnet found`
-                    );
-                    continue;
-                }
+                const { value: newSubnet, release: releaseSubnetLock } =
+                    await getNextAvailableClientSubnet(orgId, transaction);

                const subnet = newSubnet.split("/")[0];
                const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`;
@@ -370,6 +362,7 @@ export async function calculateUserClientsForOrgs(
                    .insert(clients)
                    .values(newClientData)
                    .returning();
+                await releaseSubnetLock();
                existingClientCache.set(
                    getOrgOlmKey(orgId, olm.olmId),
                    newClient
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.18.4";
+export const APP_VERSION = "1.19.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -327,127 +327,145 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
 export async function getNextAvailableClientSubnet(
    orgId: string,
    transaction: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `client-subnet-allocation:${orgId}`,
-        async () => {
-            const [org] = await transaction
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `client-subnet-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await transaction
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            const existingAddressesSites = await transaction
-                .select({
-                    address: sites.address
-                })
-                .from(sites)
-                .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
-
-            const existingAddressesClients = await transaction
-                .select({
-                    address: clients.subnet
-                })
-                .from(clients)
-                .where(
-                    and(isNotNull(clients.subnet), eq(clients.orgId, orgId))
-                );
-
-            const addresses = [
-                ...existingAddressesSites.map(
-                    (site) => `${site.address?.split("/")[0]}/32`
-                ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
-                ...existingAddressesClients.map(
-                    (client) => `${client.address.split("/")}/32`
-                )
-            ].filter((address) => address !== null) as string[];
-
-            const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        const existingAddressesSites = await transaction
+            .select({
+                address: sites.address
+            })
+            .from(sites)
+            .where(and(isNotNull(sites.address), eq(sites.orgId, orgId)));
+
+        const existingAddressesClients = await transaction
+            .select({
+                address: clients.subnet
+            })
+            .from(clients)
+            .where(and(isNotNull(clients.subnet), eq(clients.orgId, orgId)));
+
+        const addresses = [
+            ...existingAddressesSites.map(
+                (site) => `${site.address?.split("/")[0]}/32`
+            ), // we are overriding the 32 so that we pick individual addresses in the subnet of the org for the site and the client even though they are stored with the /block_size of the org
+            ...existingAddressesClients.map(
+                (client) => `${client.address.split("/")[0]}/32`
+            )
+        ].filter((address) => address !== null) as string[];
+
+        const subnet = findNextAvailableCidr(addresses, 32, org.subnet); // pick the sites address in the org
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export async function getNextAvailableAliasAddress(
    orgId: string,
    trx: Transaction | typeof db = db
-): Promise<string> {
-    return await lockManager.withLock(
-        `alias-address-allocation:${orgId}`,
-        async () => {
-            const [org] = await trx
-                .select()
-                .from(orgs)
-                .where(eq(orgs.orgId, orgId));
+): Promise<{ value: string; release: () => Promise<void> }> {
+    const lockKey = `alias-address-allocation:${orgId}`;
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);

-            if (!org) {
-                throw new Error(`Organization with ID ${orgId} not found`);
-            }
+    try {
+        const [org] = await trx
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));

-            if (!org.subnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no subnet defined`
-                );
-            }
-
-            if (!org.utilitySubnet) {
-                throw new Error(
-                    `Organization with ID ${orgId} has no utility subnet defined`
-                );
-            }
-
-            const existingAddresses = await trx
-                .select({
-                    aliasAddress: siteResources.aliasAddress
-                })
-                .from(siteResources)
-                .where(
-                    and(
-                        isNotNull(siteResources.aliasAddress),
-                        eq(siteResources.orgId, orgId)
-                    )
-                );
-
-            const addresses = [
-                ...existingAddresses.map(
-                    (site) => `${site.aliasAddress?.split("/")[0]}/32`
-                ),
-                // reserve a /29 for the dns server and other stuff
-                `${org.utilitySubnet.split("/")[0]}/29`
-            ].filter((address) => address !== null) as string[];
-
-            let subnet = findNextAvailableCidr(
-                addresses,
-                32,
-                org.utilitySubnet
-            );
-            if (!subnet) {
-                throw new Error("No available subnets remaining in space");
-            }
-
-            // remove the cidr
-            subnet = subnet.split("/")[0];
-
-            return subnet;
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
-    );
+
+        if (!org.subnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no subnet defined`
+            );
+        }
+
+        if (!org.utilitySubnet) {
+            throw new Error(
+                `Organization with ID ${orgId} has no utility subnet defined`
+            );
+        }
+
+        const existingAddresses = await trx
+            .select({
+                aliasAddress: siteResources.aliasAddress
+            })
+            .from(siteResources)
+            .where(
+                and(
+                    isNotNull(siteResources.aliasAddress),
+                    eq(siteResources.orgId, orgId)
+                )
+            );
+
+        const addresses = [
+            ...existingAddresses.map(
+                (site) => `${site.aliasAddress?.split("/")[0]}/32`
+            ),
+            // reserve a /29 for the dns server and other stuff
+            `${org.utilitySubnet.split("/")[0]}/29`
+        ].filter((address) => address !== null) as string[];
+
+        let subnet = findNextAvailableCidr(addresses, 32, org.utilitySubnet);
+        if (!subnet) {
+            throw new Error("No available subnets remaining in space");
+        }
+
+        // remove the cidr
+        subnet = subnet.split("/")[0];
+
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

-export async function getNextAvailableOrgSubnet(): Promise<string> {
-    return await lockManager.withLock("org-subnet-allocation", async () => {
+export async function getNextAvailableOrgSubnet(): Promise<{
+    value: string;
+    release: () => Promise<void>;
+}> {
+    const lockKey = "org-subnet-allocation";
+    const acquired = await lockManager.acquireLockWithRetry(lockKey, 6000);
+    if (!acquired) {
+        throw new Error(`Failed to acquire lock: ${lockKey}`);
+    }
+    const release = () => lockManager.releaseLock(lockKey);
+
+    try {
        const existingAddresses = await db
            .select({
                subnet: orgs.subnet
@@ -466,8 +484,11 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
            throw new Error("No available subnets remaining in space");
        }

-        return subnet;
-    });
+        return { value: subnet, release };
+    } catch (e) {
+        await release();
+        throw e;
+    }
 }

 export function generateRemoteSubnets(
@@ -475,6 +496,8 @@ export function generateRemoteSubnets(
 ): string[] {
    const remoteSubnets = allSiteResources
        .filter((sr) => {
+            if (!sr.destination) return false;
+
            if (sr.mode === "cidr") {
                // check if its a valid CIDR using zod
                const cidrSchema = z.union([z.cidrv4(), z.cidrv6()]);
@@ -496,7 +519,7 @@ export function generateRemoteSubnets(
            }
            return ""; // This should never be reached due to filtering, but satisfies TypeScript
        })
-        .filter((subnet) => subnet !== ""); // Remove empty strings just to be safe
+        .filter((subnet): subnet is string => subnet !== "" && subnet !== null); // Remove invalid values just to be safe
    // remove duplicates
    return Array.from(new Set(remoteSubnets));
 }
@@ -581,7 +604,7 @@ export function generateSubnetProxyTargets(
                targets.push({
                    sourcePrefix: clientPrefix,
                    destPrefix: `${siteResource.aliasAddress}/32`,
-                    rewriteTo: destination,
+                    rewriteTo: destination!,
                    portRange,
                    disableIcmp
                });
@@ -589,7 +612,7 @@ export function generateSubnetProxyTargets(
        } else if (siteResource.mode == "cidr") {
            targets.push({
                sourcePrefix: clientPrefix,
-                destPrefix: siteResource.destination,
+                destPrefix: siteResource.destination!,
                portRange,
                disableIcmp
            });
@@ -671,7 +694,7 @@ export async function generateSubnetProxyTargetV2(
            targets.push({
                sourcePrefixes: [],
                destPrefix: `${siteResource.aliasAddress}/32`,
-                rewriteTo: destination,
+                rewriteTo: destination!,
                portRange,
                disableIcmp,
                resourceId: siteResource.siteResourceId
@@ -680,7 +703,7 @@ export async function generateSubnetProxyTargetV2(
    } else if (siteResource.mode == "cidr") {
        targets.push({
            sourcePrefixes: [],
-            destPrefix: siteResource.destination,
+            destPrefix: siteResource.destination!,
            portRange,
            disableIcmp,
            resourceId: siteResource.siteResourceId
@@ -738,7 +761,7 @@ export async function generateSubnetProxyTargetV2(
            protocol: siteResource.ssl ? "https" : "http",
            httpTargets: [
                {
-                    destAddr: siteResource.destination,
+                    destAddr: siteResource.destination!,
                    destPort: siteResource.destinationPort,
                    scheme: siteResource.scheme
                }
@@ -873,7 +896,13 @@ export const portRangeStringSchema = z
            message:
                'Port range must be "*" for all ports, or a comma-separated list of ports and ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535, and ranges must have start <= end.'
        }
-    );
+    )
+    .openapi({
+        type: "string",
+        description:
+            'Port range string. Use "*" for all ports, a comma-separated list of ports, or ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535.',
+        example: "80,443,8000-9000"
+    });

 /**
 * Parses a port range string into an array of port range objects
--- a/server/lib/openapi/createApiResponseSchema.ts
+++ b/server/lib/openapi/createApiResponseSchema.ts
@@ -0,0 +1,11 @@
+import { z } from "zod";
+
+export function createApiResponseSchema<T extends z.ZodTypeAny>(dataSchema: T) {
+    return z.object({
+        data: dataSchema.nullable(),
+        success: z.boolean(),
+        error: z.boolean(),
+        message: z.string(),
+        status: z.number()
+    });
+}
--- a/server/lib/rebuildClientAssociations.ts
+++ b/server/lib/rebuildClientAssociations.ts
@@ -890,6 +890,9 @@ async function handleSubnetProxyTargetUpdates(
                }

                for (const client of removedClients) {
+                    if (!siteResource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
@@ -1563,6 +1566,9 @@ async function handleMessagesForClientResources(
                }

                try {
+                    if (!resource.destination) {
+                        continue;
+                    }
                    // Check if this client still has access to another resource
                    // on this specific site with the same destination. We scope
                    // by siteId (via siteNetworks) rather than networkId because
--- a/server/lib/statusHistory.ts
+++ b/server/lib/statusHistory.ts
@@ -1,7 +1,7 @@
 import { z } from "zod";
 import { db, logsDb, statusHistory } from "@server/db";
 import { and, eq, gte, asc } from "drizzle-orm";
-import cache from "@server/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";

 const STATUS_HISTORY_CACHE_TTL = 60; // seconds

@@ -66,7 +66,7 @@ export async function invalidateStatusHistoryCache(
    entityId: number
 ): Promise<void> {
    const prefix = `statusHistory:${entityType}:${entityId}:`;
-    const keys = cache.keys().filter((k) => k.startsWith(prefix));
+    const keys = await cache.keysWithPrefix(prefix);
    if (keys.length > 0) {
        await cache.del(keys);
    }
--- a/server/lib/telemetry.ts
+++ b/server/lib/telemetry.ts
@@ -2,7 +2,14 @@ import { PostHog } from "posthog-node";
 import config from "./config";
 import { getHostMeta } from "./hostMeta";
 import logger from "@server/logger";
-import { alertRules, apiKeys, blueprints, db, roles, siteResources } from "@server/db";
+import {
+    alertRules,
+    apiKeys,
+    blueprints,
+    db,
+    roles,
+    siteResources
+} from "@server/db";
 import { sites, users, orgs, resources, clients, idp } from "@server/db";
 import { eq, count, notInArray, and, isNotNull, isNull } from "drizzle-orm";
 import { APP_VERSION } from "./consts";
@@ -143,8 +150,7 @@ class TelemetryClient {
                .select({
                    name: resources.name,
                    sso: resources.sso,
-                    protocol: resources.protocol,
-                    http: resources.http
+                    mode: resources.mode
                })
                .from(resources);

@@ -311,7 +317,7 @@ class TelemetryClient {
                        (r) => r.sso
                    ).length,
                    num_resources_non_http: stats.resources.filter(
-                        (r) => !r.http
+                        (r) => r.mode !== "http"
                    ).length,
                    num_newt_sites: stats.sites.filter((s) => s.type === "newt")
                        .length,
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -520,7 +520,8 @@ export class TraefikConfigManager {
                build != "oss", // generate the login pages on the cloud and hybrid,
                build == "saas"
                    ? false
-                    : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
+                    : config.getRawConfig().traefik.allow_raw_resources, // dont allow raw resources on saas otherwise use config
+                build != "oss" // generate browser gateway targets on cloud and enterprise
            );

            const domains = new Set<string>();
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -55,9 +55,7 @@ export async function getTraefikConfig(
            resourceName: resources.name,
            fullDomain: resources.fullDomain,
            ssl: resources.ssl,
-            http: resources.http,
            proxyPort: resources.proxyPort,
-            protocol: resources.protocol,
            subdomain: resources.subdomain,
            domainId: resources.domainId,
            enabled: resources.enabled,
@@ -68,6 +66,7 @@ export async function getTraefikConfig(
            headers: resources.headers,
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
+            mode: resources.mode,

            // Target fields
            targetId: targets.targetId,
@@ -115,8 +114,8 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
-                    : eq(resources.http, true)
+                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
+                    : eq(resources.mode, "http")
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -166,9 +165,8 @@ export async function getTraefikConfig(
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
-                http: row.http,
+                mode: row.mode,
                proxyPort: row.proxyPort,
-                protocol: row.protocol,
                subdomain: row.subdomain,
                domainId: row.domainId,
                enabled: row.enabled,
@@ -580,7 +578,7 @@ export async function getTraefikConfig(
                continue;
            }

-            const protocol = resource.protocol.toLowerCase();
+            const protocol = resource.mode === "udp" ? "udp" : "tcp"; // all of the other ones are tcp
            const port = resource.proxyPort;

            if (!port) {
--- a/server/lib/validators.test.ts
+++ b/server/lib/validators.test.ts
@@ -244,4 +244,5 @@ try {
    runTests();
 } catch (error) {
    console.error("Test failed:", error);
+    process.exit(1);
 }
--- a/server/middlewares/index.ts
+++ b/server/middlewares/index.ts
@@ -28,7 +28,9 @@ export * from "./verifyApiKeyAccess";
 export * from "./verifySiteProvisioningKeyAccess";
 export * from "./verifyDomainAccess";
 export * from "./verifyUserIsOrgOwner";
+export * from "./verifyUserFromResourceSession";
 export * from "./verifySiteResourceAccess";
 export * from "./logActionAudit";
 export * from "./verifyOlmAccess";
 export * from "./verifyLimits";
+export * from "./verifyResourcePolicyAccess";
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -16,3 +16,4 @@ export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
 export * from "./verifyApiKeyIdpAccess";
 export * from "./verifyApiKeyDomainAccess";
+export * from "./verifyApiKeyResourcePolicyAccess";
--- a/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyResourcePolicyAccess.ts
@@ -0,0 +1,92 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, apiKeyOrg } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const apiKey = req.apiKey;
+    const resourcePolicyId =
+        req.params.resourcePolicyId ||
+        req.body.resourcePolicyId ||
+        req.query.resourcePolicyId;
+
+    if (!apiKey) {
+        return next(
+            createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+        );
+    }
+
+    try {
+        // Retrieve the resource policy
+        const [policy] = await db
+            .select()
+            .from(resourcePolicies)
+            .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+            .limit(1);
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyId} not found`
+                )
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any resource policy in any org
+            return next();
+        }
+
+        if (!policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    `Resource policy with ID ${resourcePolicyId} does not have an organization ID`
+                )
+            );
+        }
+
+        // Verify that the API key is linked to the resource policy's organization
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgResult = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+
+            if (apiKeyOrgResult.length > 0) {
+                req.apiKeyOrg = apiKeyOrgResult[0];
+            }
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/middlewares/verifyResourcePolicyAccess.ts
+++ b/server/middlewares/verifyResourcePolicyAccess.ts
@@ -0,0 +1,127 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourcePolicies, userOrgs } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+
+export async function verifyResourcePolicyAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    const userId = req.user!.userId;
+    const resourcePolicyIdStr =
+        req.params?.resourcePolicyId ||
+        req.body?.resourcePolicyId ||
+        req.query?.resourcePolicyId;
+    const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
+    const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
+
+    try {
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        let policy: typeof resourcePolicies.$inferSelect | null = null;
+
+        if (orgId && niceId) {
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(
+                    and(
+                        eq(resourcePolicies.niceId, niceId),
+                        eq(resourcePolicies.orgId, orgId)
+                    )
+                )
+                .limit(1);
+            policy = policyRes ?? null;
+        } else {
+            const resourcePolicyId = parseInt(resourcePolicyIdStr);
+            if (isNaN(resourcePolicyId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid resource policy ID"
+                    )
+                );
+            }
+            const [policyRes] = await db
+                .select()
+                .from(resourcePolicies)
+                .where(eq(resourcePolicies.resourcePolicyId, resourcePolicyId))
+                .limit(1);
+            policy = policyRes ?? null;
+        }
+
+        if (!policy) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource policy with ID ${resourcePolicyIdStr ?? niceId} not found`
+                )
+            );
+        }
+
+        if (!req.userOrg) {
+            const userOrgRes = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, userId),
+                        eq(userOrgs.orgId, policy.orgId)
+                    )
+                )
+                .limit(1);
+            req.userOrg = userOrgRes[0];
+        }
+
+        if (!req.userOrg || req.userOrg.orgId !== policy.orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        if (req.orgPolicyAllowed === undefined && req.userOrg.orgId) {
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: req.userOrg.orgId,
+                userId,
+                session: req.session
+            });
+            req.orgPolicyAllowed = policyCheck.allowed;
+            if (!policyCheck.allowed || policyCheck.error) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Failed organization access policy check: " +
+                            (policyCheck.error || "Unknown error")
+                    )
+                );
+            }
+        }
+
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            policy.orgId
+        );
+        req.userOrgId = policy.orgId;
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying resource policy access"
+            )
+        );
+    }
+}
--- a/server/middlewares/verifyUserCanSetUserOrgRoles.ts
+++ b/server/middlewares/verifyUserCanSetUserOrgRoles.ts
@@ -38,7 +38,7 @@ export function verifyUserCanSetUserOrgRoles() {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
-                    "User does not have permission perform this action"
+                    "User does not have permission to set user organization roles"
                )
            );
        } catch (error) {
--- a/server/middlewares/verifyUserFromResourceSession.ts
+++ b/server/middlewares/verifyUserFromResourceSession.ts
@@ -0,0 +1,102 @@
+import { Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { resourceSessions, users } from "@server/db";
+import { eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getUserSessionWithUser } from "@server/db/queries/verifySessionQueries";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";
+import config from "@server/lib/config";
+import logger from "@server/logger";
+
+export const verifyUserFromResourceSessionMiddleware = async (
+    req: any,
+    res: Response,
+    next: NextFunction
+) => {
+    if (!req.user) {
+        const sessionCookieName =
+            config.getRawConfig().server.session_cookie_name;
+
+        // Collect all resource session cookies (format: {name}[_s].{timestamp}=token)
+        const cookieHeader: string | undefined = req.headers.cookie;
+        const candidates: { timestamp: number; token: string }[] = [];
+
+        if (cookieHeader) {
+            for (const part of cookieHeader.split(";")) {
+                const trimmed = part.trim();
+                const eqIdx = trimmed.indexOf("=");
+                if (eqIdx === -1) continue;
+
+                const cookieName = trimmed.slice(0, eqIdx).trim();
+                const cookieValue = trimmed.slice(eqIdx + 1).trim();
+
+                // Match both secure (_s.timestamp) and non-secure (.timestamp) variants
+                const securePrefix = `${sessionCookieName}_s.`;
+                const httpPrefix = `${sessionCookieName}.`;
+
+                let timestampStr: string | null = null;
+                if (cookieName.startsWith(securePrefix)) {
+                    timestampStr = cookieName.slice(securePrefix.length);
+                } else if (cookieName.startsWith(httpPrefix)) {
+                    timestampStr = cookieName.slice(httpPrefix.length);
+                }
+
+                if (timestampStr !== null && /^\d+$/.test(timestampStr)) {
+                    candidates.push({
+                        timestamp: parseInt(timestampStr, 10),
+                        token: cookieValue
+                    });
+                }
+            }
+        }
+
+        // Pick the most recently issued session (highest timestamp)
+        candidates.sort((a, b) => b.timestamp - a.timestamp);
+        const best = candidates[0];
+
+        if (best) {
+            try {
+                const sessionId = encodeHexLowerCase(
+                    sha256(new TextEncoder().encode(best.token))
+                );
+
+                const [resourceSession] = await db
+                    .select()
+                    .from(resourceSessions)
+                    .where(eq(resourceSessions.sessionId, sessionId))
+                    .limit(1);
+
+                if (resourceSession && Date.now() < resourceSession.expiresAt) {
+                    if (resourceSession.userSessionId) {
+                        const result = await getUserSessionWithUser(
+                            resourceSession.userSessionId
+                        );
+
+                        if (result?.user && result?.session) {
+                            req.user = result.user;
+                            req.session = result.session;
+                        }
+                    }
+                }
+            } catch (e) {
+                logger.error(
+                    "verifyUserFromResourceSessionMiddleware: failed to validate resource session",
+                    e
+                );
+            }
+        }
+    }
+
+    // Populate userOrgRoleIds if an orgId is available in route params
+    if (req.user && req.params?.orgId && !req.userOrgRoleIds) {
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.user.userId,
+            req.params.orgId
+        );
+    }
+
+    next();
+};
--- a/server/openApi.ts
+++ b/server/openApi.ts
@@ -7,6 +7,7 @@ export enum OpenAPITags {
    Org = "Organization",
    PublicResource = "Public Resource",
    PrivateResource = "Private Resource",
+    Policy = "Policy",
    Role = "Role",
    User = "User",
    Invitation = "User Invitation",
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -780,9 +780,9 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
            }
        }

-        logger.debug(
-            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
-        );
+        // logger.debug(
+        //     `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
+        // );

        for (const domain of allDomains) {
            try {
--- a/server/private/lib/cache.ts
+++ b/server/private/lib/cache.ts
@@ -13,7 +13,7 @@

 import NodeCache from "node-cache";
 import logger from "@server/logger";
-import { redisManager } from "@server/private/lib/redis";
+import { redisManager, regionalRedisManager } from "@server/private/lib/redis";

 // Create local cache with maxKeys limit to prevent memory leaks
 // With ~10k requests/day and 5min TTL, 10k keys should be more than sufficient
@@ -298,3 +298,147 @@ class AdaptiveCache {
 // Export singleton instance
 export const cache = new AdaptiveCache();
 export default cache;
+
+/**
+ * Regional adaptive cache backed by the in-cluster Redis instance.
+ * Falls back to a local NodeCache when the regional Redis is unavailable.
+ * Use this for data that is regional in nature (e.g. status history) so
+ * reads are served from the same cluster the user is hitting.
+ */
+const regionalLocalCache = new NodeCache({
+    stdTTL: 3600,
+    checkperiod: 120,
+    maxKeys: 10000
+});
+
+class RegionalAdaptiveCache {
+    private useRedis(): boolean {
+        return (
+            regionalRedisManager.isRedisEnabled() &&
+            regionalRedisManager.getHealthStatus().isHealthy
+        );
+    }
+
+    async set(key: string, value: any, ttl?: number): Promise<boolean> {
+        const effectiveTtl = ttl === 0 ? undefined : ttl;
+        const redisTtl = ttl === 0 ? undefined : (ttl ?? 3600);
+
+        if (this.useRedis()) {
+            try {
+                const serialized = JSON.stringify(value);
+                const success = await regionalRedisManager.set(
+                    key,
+                    serialized,
+                    redisTtl
+                );
+                if (success) {
+                    logger.debug(`[regional] Set key in Redis: ${key}`);
+                    return true;
+                }
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis set error for key ${key}:`,
+                    error
+                );
+            }
+        }
+
+        const success = regionalLocalCache.set(key, value, effectiveTtl || 0);
+        if (success) logger.debug(`[regional] Set key in local cache: ${key}`);
+        return success;
+    }
+
+    async get<T = any>(key: string): Promise<T | undefined> {
+        if (this.useRedis()) {
+            try {
+                const value = await regionalRedisManager.get(key);
+                if (value !== null) {
+                    logger.debug(`[regional] Cache hit in Redis: ${key}`);
+                    return JSON.parse(value) as T;
+                }
+                logger.debug(`[regional] Cache miss in Redis: ${key}`);
+                return undefined;
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis get error for key ${key}:`,
+                    error
+                );
+            }
+        }
+
+        const value = regionalLocalCache.get<T>(key);
+        if (value !== undefined) {
+            logger.debug(`[regional] Cache hit in local cache: ${key}`);
+        } else {
+            logger.debug(`[regional] Cache miss in local cache: ${key}`);
+        }
+        return value;
+    }
+
+    async del(key: string | string[]): Promise<number> {
+        const keys = Array.isArray(key) ? key : [key];
+        let deletedCount = 0;
+
+        if (this.useRedis()) {
+            try {
+                for (const k of keys) {
+                    const success = await regionalRedisManager.del(k);
+                    if (success) {
+                        deletedCount++;
+                        logger.debug(`[regional] Deleted key from Redis: ${k}`);
+                    }
+                }
+                if (deletedCount === keys.length) return deletedCount;
+                deletedCount = 0;
+            } catch (error) {
+                logger.error(`[regional] Redis del error:`, error);
+                deletedCount = 0;
+            }
+        }
+
+        for (const k of keys) {
+            const count = regionalLocalCache.del(k);
+            if (count > 0) {
+                deletedCount++;
+                logger.debug(`[regional] Deleted key from local cache: ${k}`);
+            }
+        }
+        return deletedCount;
+    }
+
+    async has(key: string): Promise<boolean> {
+        if (this.useRedis()) {
+            try {
+                const value = await regionalRedisManager.get(key);
+                return value !== null;
+            } catch (error) {
+                logger.error(
+                    `[regional] Redis has error for key ${key}:`,
+                    error
+                );
+            }
+        }
+        return regionalLocalCache.has(key);
+    }
+
+    /**
+     * Returns keys matching the given prefix from whichever backend is active.
+     * Redis uses a KEYS scan; local cache filters in-memory keys.
+     */
+    async keysWithPrefix(prefix: string): Promise<string[]> {
+        if (this.useRedis()) {
+            try {
+                return await regionalRedisManager.keys(`${prefix}*`);
+            } catch (error) {
+                logger.error(`[regional] Redis keys error:`, error);
+            }
+        }
+        return regionalLocalCache.keys().filter((k) => k.startsWith(prefix));
+    }
+
+    getCurrentBackend(): "redis" | "local" {
+        return this.useRedis() ? "redis" : "local";
+    }
+}
+
+export const regionalCache = new RegionalAdaptiveCache();
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -36,8 +36,6 @@ export async function getValidCertificatesForDomains(
    domains: Set<string>,
    useCache: boolean = true
 ): Promise<Array<CertificateResult>> {
-
-
    const finalResults: CertificateResult[] = [];
    const domainsToQuery = new Set<string>();

@@ -49,7 +47,26 @@ export async function getValidCertificatesForDomains(
            if (cachedCert) {
                finalResults.push(cachedCert); // Valid cache hit
            } else {
-                domainsToQuery.add(domain); // Cache miss or expired
+                // Also check for a wildcard cache entry covering this domain's parent
+                const parts = domain.split(".");
+                let wildcardHit = false;
+                if (parts.length > 1) {
+                    const parentDomain = parts.slice(1).join(".");
+                    const wildcardCacheKey = `cert:*.${parentDomain}`;
+                    const cachedWildcard =
+                        await cache.get<CertificateResult>(wildcardCacheKey);
+                    if (cachedWildcard) {
+                        // Re-stamp queriedDomain so callers see the originally requested domain
+                        finalResults.push({
+                            ...cachedWildcard,
+                            queriedDomain: domain
+                        });
+                        wildcardHit = true;
+                    }
+                }
+                if (!wildcardHit) {
+                    domainsToQuery.add(domain); // Cache miss or expired
+                }
            }
        }
    } else {
@@ -59,7 +76,10 @@ export async function getValidCertificatesForDomains(

    // 2. If all domains were resolved from the cache, return early
    if (domainsToQuery.size === 0) {
-        const decryptedResults = decryptFinalResults(finalResults, config.getRawConfig().server.secret!);
+        const decryptedResults = decryptFinalResults(
+            finalResults,
+            config.getRawConfig().server.secret!
+        );
        return decryptedResults;
    }

@@ -78,7 +98,8 @@ export async function getValidCertificatesForDomains(
    const parentDomainsArray = Array.from(parentDomainsToQuery);

    // Build wildcard variants: for each parent domain "example.com", also query "*.example.com"
-    const wildcardPrefixedArray = build != "saas" ? parentDomainsArray.map((d) => `*.${d}`) : [];
+    const wildcardPrefixedArray =
+        build != "saas" ? parentDomainsArray.map((d) => `*.${d}`) : [];

    // 4. Build and execute a single, efficient Drizzle query
    // This query fetches all potential exact and wildcard matches in one database round-trip.
@@ -172,11 +193,24 @@ export async function getValidCertificatesForDomains(
            if (useCache) {
                const cacheKey = `cert:${domain}`;
                await cache.set(cacheKey, resultCert, 180);
+
+                // Also cache wildcard certs under a pattern key so other subdomains
+                // can find them without a DB round-trip
+                if (resultCert.wildcard) {
+                    const normalizedCertDomain = normalizeWildcardDomain(
+                        resultCert.domain
+                    );
+                    const wildcardCacheKey = `cert:*.${normalizedCertDomain}`;
+                    await cache.set(wildcardCacheKey, resultCert, 180);
+                }
            }
        }
    }

-    const decryptedResults = decryptFinalResults(finalResults, config.getRawConfig().server.secret!);
+    const decryptedResults = decryptFinalResults(
+        finalResults,
+        config.getRawConfig().server.secret!
+    );
    return decryptedResults;
 }

--- a/server/private/lib/logStreaming/index.ts
+++ b/server/private/lib/logStreaming/index.ts
@@ -24,7 +24,8 @@ import { LogStreamingManager } from "./LogStreamingManager";
 */
 export const logStreamingManager = new LogStreamingManager();

-if (build != "saas") { // this is handled separately in the saas build, so we don't want to start it here
+if (build !== "saas") {
+    // this is handled separately in the saas build, so we don't want to start it here
    logStreamingManager.start();
 }

--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -73,6 +73,25 @@ export const privateConfigSchema = z
                    .object({
                        rejectUnauthorized: z.boolean().optional().default(true)
                    })
+                    .optional(),
+                regional_redis: z
+                    .object({
+                        host: z.string(),
+                        port: portSchema,
+                        password: z
+                            .string()
+                            .optional()
+                            .transform(getEnvOrYaml("REGIONAL_REDIS_PASSWORD")),
+                        db: z.int().nonnegative().optional().default(0),
+                        tls: z
+                            .object({
+                                rejectUnauthorized: z
+                                    .boolean()
+                                    .optional()
+                                    .default(true)
+                            })
+                            .optional()
+                    })
                    .optional()
            })
            .optional(),
--- a/server/private/lib/redis.ts
+++ b/server/private/lib/redis.ts
@@ -109,14 +109,14 @@ class RedisManager {
            password: redisConfig.password,
            db: redisConfig.db
        };
-        
+
        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
        if (redisConfig.tls) {
            opts.tls = {
                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
            };
        }
-        
+
        return opts;
    }

@@ -135,14 +135,14 @@ class RedisManager {
            password: replica.password,
            db: replica.db || redisConfig.db
        };
-        
+
        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
        if (redisConfig.tls) {
            opts.tls = {
                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
            };
        }
-        
+
        return opts;
    }

@@ -855,3 +855,163 @@ class RedisManager {
 export const redisManager = new RedisManager();
 export const redis = redisManager.getClient();
 export default redisManager;
+
+/**
+ * Lightweight Redis manager for the regional (in-cluster) Redis instance.
+ * Connects only when `redis.regional_redis` is present in the private config
+ * and `flags.enable_redis` is true. No pub/sub — designed for low-latency
+ * caching of regionally-scoped data.
+ */
+class RegionalRedisManager {
+    private writeClient: Redis | null = null;
+    private readClient: Redis | null = null;
+    private isEnabled: boolean = false;
+    private isHealthy: boolean = false;
+    private connectionTimeout: number = 5000;
+    private commandTimeout: number = 5000;
+
+    constructor() {
+        if (build === "oss") return;
+
+        const cfg = privateConfig.getRawPrivateConfig();
+        if (!cfg.flags.enable_redis || !cfg.redis?.regional_redis) return;
+
+        this.isEnabled = true;
+        this.initializeClients();
+    }
+
+    private getConfig(): RedisOptions {
+        const r = privateConfig.getRawPrivateConfig().redis!.regional_redis!;
+        const opts: RedisOptions = {
+            host: r.host,
+            port: r.port,
+            password: r.password,
+            db: r.db
+        };
+        if (r.tls) {
+            opts.tls = { rejectUnauthorized: r.tls.rejectUnauthorized ?? true };
+        }
+        return opts;
+    }
+
+    private initializeClients(): void {
+        const cfg = this.getConfig();
+        const baseOpts = {
+            ...cfg,
+            enableReadyCheck: false,
+            maxRetriesPerRequest: 3,
+            keepAlive: 10000,
+            connectTimeout: this.connectionTimeout,
+            commandTimeout: this.commandTimeout
+        };
+
+        try {
+            this.writeClient = new Redis(baseOpts);
+            // redis-1 (replica) handles reads; fall back to primary if not resolvable
+            this.readClient = new Redis({
+                ...baseOpts,
+                host: cfg.host!.replace(/^(.*?)(\.\S+)$/, (_, h, rest) => {
+                    // Derive replica hostname from the headless service pattern:
+                    // redis.redis.svc.cluster.local -> redis-1.redis-headless.redis.svc.cluster.local
+                    // If it doesn't look like a k8s service, just use the same host
+                    return h + rest;
+                })
+            });
+
+            // For simplicity use same host for both; callers can always read from primary
+            // The real replica routing is handled by the StatefulSet headless service
+            this.readClient = this.writeClient;
+
+            this.writeClient.on("ready", () => {
+                logger.info("Regional Redis client ready");
+                this.isHealthy = true;
+            });
+            this.writeClient.on("error", (err) => {
+                logger.error("Regional Redis client error:", err);
+                this.isHealthy = false;
+            });
+            this.writeClient.on("reconnecting", () => {
+                logger.info("Regional Redis client reconnecting...");
+                this.isHealthy = false;
+            });
+
+            logger.info("Regional Redis client initialized");
+        } catch (error) {
+            logger.error("Failed to initialize regional Redis client:", error);
+            this.isEnabled = false;
+        }
+    }
+
+    public isRedisEnabled(): boolean {
+        return this.isEnabled && this.writeClient !== null && this.isHealthy;
+    }
+
+    public getHealthStatus() {
+        return { isEnabled: this.isEnabled, isHealthy: this.isHealthy };
+    }
+
+    public async set(
+        key: string,
+        value: string,
+        ttl?: number
+    ): Promise<boolean> {
+        if (!this.isRedisEnabled() || !this.writeClient) return false;
+        try {
+            if (ttl) {
+                await this.writeClient.setex(key, ttl, value);
+            } else {
+                await this.writeClient.set(key, value);
+            }
+            return true;
+        } catch (error) {
+            logger.error("Regional Redis SET error:", error);
+            return false;
+        }
+    }
+
+    public async get(key: string): Promise<string | null> {
+        if (!this.isRedisEnabled() || !this.readClient) return null;
+        try {
+            return await this.readClient.get(key);
+        } catch (error) {
+            logger.error("Regional Redis GET error:", error);
+            return null;
+        }
+    }
+
+    public async del(key: string): Promise<boolean> {
+        if (!this.isRedisEnabled() || !this.writeClient) return false;
+        try {
+            await this.writeClient.del(key);
+            return true;
+        } catch (error) {
+            logger.error("Regional Redis DEL error:", error);
+            return false;
+        }
+    }
+
+    public async keys(pattern: string): Promise<string[]> {
+        if (!this.isRedisEnabled() || !this.readClient) return [];
+        try {
+            return await this.readClient.keys(pattern);
+        } catch (error) {
+            logger.error("Regional Redis KEYS error:", error);
+            return [];
+        }
+    }
+
+    public async disconnect(): Promise<void> {
+        try {
+            if (this.writeClient) {
+                await this.writeClient.quit();
+                this.writeClient = null;
+            }
+            this.readClient = null;
+            logger.info("Regional Redis client disconnected");
+        } catch (error) {
+            logger.error("Error disconnecting regional Redis client:", error);
+        }
+    }
+}
+
+export const regionalRedisManager = new RegionalRedisManager();
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -12,6 +12,7 @@
 */

 import {
+    browserGatewayTarget,
    certificates,
    db,
    domainNamespaces,
@@ -84,7 +85,8 @@ export async function getTraefikConfig(
    filterOutNamespaceDomains = false,
    generateLoginPageRouters = false,
    allowRawResources = true,
-    allowMaintenancePage = true
+    allowMaintenancePage = true,
+    allowBrowserGatewayResources = true
 ): Promise<any> {
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
@@ -95,9 +97,7 @@ export async function getTraefikConfig(
            resourceName: resources.name,
            fullDomain: resources.fullDomain,
            ssl: resources.ssl,
-            http: resources.http,
            proxyPort: resources.proxyPort,
-            protocol: resources.protocol,
            subdomain: resources.subdomain,
            domainId: resources.domainId,
            enabled: resources.enabled,
@@ -109,6 +109,7 @@ export async function getTraefikConfig(
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
            wildcard: resources.wildcard,
+            mode: resources.mode,

            maintenanceModeEnabled: resources.maintenanceModeEnabled,
            maintenanceModeType: resources.maintenanceModeType,
@@ -171,8 +172,8 @@ export async function getTraefikConfig(
                ),
                inArray(sites.type, siteTypes),
                allowRawResources
-                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
-                    : eq(resources.http, true)
+                    ? inArray(resources.mode, ["http", "udp", "tcp"]) // allow all three
+                    : eq(resources.mode, "http")
            )
        )
        .orderBy(desc(targets.priority), targets.targetId); // stable ordering
@@ -226,9 +227,8 @@ export async function getTraefikConfig(
                key: key,
                fullDomain: row.fullDomain,
                ssl: row.ssl,
-                http: row.http,
                proxyPort: row.proxyPort,
-                protocol: row.protocol,
+                mode: row.mode,
                subdomain: row.subdomain,
                domainId: row.domainId,
                enabled: row.enabled,
@@ -277,10 +277,138 @@ export async function getTraefikConfig(
        });
    });

+    // Group browser gateway targets by resource
+    type BrowserGatewayResourceEntry = {
+        resourceId: number;
+        name: string;
+        fullDomain: string | null;
+        ssl: boolean | null;
+        subdomain: string | null;
+        domainId: string | null;
+        enabled: boolean | null;
+        wildcard: boolean | null;
+        domainCertResolver: string | null;
+        preferWildcardCert: boolean | null;
+        maintenanceModeEnabled: boolean | null;
+        maintenanceModeType: string | null;
+        maintenanceTitle: string | null;
+        maintenanceMessage: string | null;
+        maintenanceEstimatedTime: string | null;
+        targets: {
+            browserGatewayTargetId: number;
+            bgType: string;
+            siteId: number;
+            siteType: string;
+            siteOnline: boolean | null;
+            subnet: string | null;
+            siteExitNodeId: number | null;
+        }[];
+    };
+    const browserGatewayResourcesMap = new Map<
+        number,
+        BrowserGatewayResourceEntry
+    >();
+
+    if (allowBrowserGatewayResources) {
+        // Query browser gateway targets for this exit node
+        const browserGatewayRows = await db
+            .select({
+                // Resource fields
+                resourceId: resources.resourceId,
+                resourceName: resources.name,
+                fullDomain: resources.fullDomain,
+                ssl: resources.ssl,
+                subdomain: resources.subdomain,
+                domainId: resources.domainId,
+                enabled: resources.enabled,
+                wildcard: resources.wildcard,
+                domainCertResolver: domains.certResolver,
+                preferWildcardCert: domains.preferWildcardCert,
+                domainNamespaceId: domainNamespaces.domainNamespaceId,
+                // Maintenance fields
+                maintenanceModeEnabled: resources.maintenanceModeEnabled,
+                maintenanceModeType: resources.maintenanceModeType,
+                maintenanceTitle: resources.maintenanceTitle,
+                maintenanceMessage: resources.maintenanceMessage,
+                maintenanceEstimatedTime: resources.maintenanceEstimatedTime,
+                // Browser gateway target fields
+                browserGatewayTargetId:
+                    browserGatewayTarget.browserGatewayTargetId,
+                bgType: browserGatewayTarget.type,
+                // Site fields
+                siteId: sites.siteId,
+                siteType: sites.type,
+                siteOnline: sites.online,
+                subnet: sites.subnet,
+                siteExitNodeId: sites.exitNodeId
+            })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .innerJoin(
+                resources,
+                eq(resources.resourceId, browserGatewayTarget.resourceId)
+            )
+            .leftJoin(domains, eq(domains.domainId, resources.domainId))
+            .leftJoin(
+                domainNamespaces,
+                eq(domainNamespaces.domainId, resources.domainId)
+            )
+            .where(
+                and(
+                    eq(resources.enabled, true),
+                    or(
+                        eq(sites.exitNodeId, exitNodeId),
+                        and(
+                            isNull(sites.exitNodeId),
+                            sql`(${siteTypes.includes("local") ? 1 : 0} = 1)`,
+                            eq(sites.type, "local"),
+                            sql`(${build != "saas" ? 1 : 0} = 1)`
+                        )
+                    ),
+                    inArray(sites.type, siteTypes)
+                )
+            );
+
+        for (const row of browserGatewayRows) {
+            if (filterOutNamespaceDomains && row.domainNamespaceId) {
+                continue;
+            }
+            if (!browserGatewayResourcesMap.has(row.resourceId)) {
+                browserGatewayResourcesMap.set(row.resourceId, {
+                    resourceId: row.resourceId,
+                    name: sanitize(row.resourceName) || "",
+                    fullDomain: row.fullDomain,
+                    ssl: row.ssl,
+                    subdomain: row.subdomain,
+                    domainId: row.domainId,
+                    enabled: row.enabled,
+                    wildcard: row.wildcard,
+                    domainCertResolver: row.domainCertResolver,
+                    preferWildcardCert: row.preferWildcardCert,
+                    maintenanceModeEnabled: row.maintenanceModeEnabled,
+                    maintenanceModeType: row.maintenanceModeType,
+                    maintenanceTitle: row.maintenanceTitle,
+                    maintenanceMessage: row.maintenanceMessage,
+                    maintenanceEstimatedTime: row.maintenanceEstimatedTime,
+                    targets: []
+                });
+            }
+            browserGatewayResourcesMap.get(row.resourceId)!.targets.push({
+                browserGatewayTargetId: row.browserGatewayTargetId,
+                bgType: row.bgType,
+                siteId: row.siteId,
+                siteType: row.siteType,
+                siteOnline: row.siteOnline,
+                subnet: row.subnet,
+                siteExitNodeId: row.siteExitNodeId
+            });
+        }
+    }
+
    let siteResourcesWithFullDomain: {
        siteResourceId: number;
        fullDomain: string | null;
-        mode: "http" | "host" | "cidr";
+        mode: "http" | "host" | "cidr" | "ssh";
    }[] = [];
    if (build == "enterprise") {
        // we dont want to do this on the cloud
@@ -324,6 +452,12 @@ export async function getTraefikConfig(
                domains.add(sr.fullDomain);
            }
        }
+        // Include browser gateway resource domains
+        for (const bgResource of browserGatewayResourcesMap.values()) {
+            if (bgResource.enabled && bgResource.ssl && bgResource.fullDomain) {
+                domains.add(bgResource.fullDomain);
+            }
+        }
        // get the valid certs for these domains
        validCerts = await getValidCertificatesForDomains(domains, true); // we are caching here because this is called often
        // logger.debug(`Valid certs for domains: ${JSON.stringify(validCerts)}`);
@@ -589,7 +723,7 @@ export async function getTraefikConfig(
                            resource.ssl ? entrypointHttps : entrypointHttp
                        ],
                        service: maintenanceServiceName,
-                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                        rule: `${rule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`)) `,
                        priority: 2001,
                        ...(resource.ssl ? { tls } : {})
                    };
@@ -830,7 +964,7 @@ export async function getTraefikConfig(
                continue;
            }

-            const protocol = resource.protocol.toLowerCase();
+            const protocol = resource.mode == "udp" ? "udp" : "tcp";
            const port = resource.proxyPort;

            if (!port) {
@@ -925,6 +1059,267 @@ export async function getTraefikConfig(
        }
    }

+    if (allowBrowserGatewayResources) {
+        // Generate Traefik config for browser gateway resources
+        const browserGatewayPort = 39999;
+        for (const [, bgResource] of browserGatewayResourcesMap.entries()) {
+            if (!bgResource.enabled) continue;
+            if (!bgResource.domainId) continue;
+            if (!bgResource.fullDomain) continue;
+
+            if (!config_output.http.routers) config_output.http.routers = {};
+            if (!config_output.http.services) config_output.http.services = {};
+
+            const fullDomain = bgResource.fullDomain;
+            const additionalMiddlewares =
+                config.getRawConfig().traefik.additional_middlewares || [];
+            const routerMiddlewares = [
+                badgerMiddlewareName,
+                ...additionalMiddlewares
+            ];
+
+            const hostRule = `Host(\`${fullDomain}\`)`;
+
+            // Build TLS config
+            let tls = {};
+            if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
+                const domainParts = fullDomain.split(".");
+                let wildCard: string;
+                if (domainParts.length <= 2) {
+                    wildCard = `*.${domainParts.join(".")}`;
+                } else {
+                    wildCard = `*.${domainParts.slice(1).join(".")}`;
+                }
+                if (!bgResource.subdomain) {
+                    wildCard = fullDomain;
+                }
+
+                const globalDefaultResolver =
+                    config.getRawConfig().traefik.cert_resolver;
+                const globalDefaultPreferWildcard =
+                    config.getRawConfig().traefik.prefer_wildcard_cert;
+                const resolverName = bgResource.domainCertResolver
+                    ? bgResource.domainCertResolver.trim()
+                    : globalDefaultResolver;
+                const preferWildcard =
+                    bgResource.preferWildcardCert !== undefined &&
+                    bgResource.preferWildcardCert !== null
+                        ? bgResource.preferWildcardCert
+                        : globalDefaultPreferWildcard;
+
+                tls = {
+                    certResolver: resolverName,
+                    ...(preferWildcard ? { domains: [{ main: wildCard }] } : {})
+                };
+            } else {
+                const matchingCert = validCerts.find(
+                    (cert) => cert.queriedDomain === fullDomain
+                );
+                if (!matchingCert) {
+                    logger.debug(
+                        `No matching certificate found for browser gateway domain: ${fullDomain}`
+                    );
+                    continue;
+                }
+            }
+
+            const bgUiServiceName = `bg-r${bgResource.resourceId}-ui-service`;
+
+            if (bgResource.ssl) {
+                const redirectRouterName = `bg-r${bgResource.resourceId}-redirect`;
+                config_output.http.routers![redirectRouterName] = {
+                    entryPoints: [
+                        config.getRawConfig().traefik.http_entrypoint
+                    ],
+                    middlewares: [redirectHttpsMiddlewareName],
+                    service: bgUiServiceName,
+                    rule: hostRule,
+                    priority: 100
+                };
+            }
+
+            // Collect online sites for this resource (for any type)
+            const anySiteOnline = bgResource.targets.some((t) => t.siteOnline);
+
+            // Maintenance page logic for browser gateway resources
+            let showBgMaintenancePage = false;
+            if (bgResource.maintenanceModeEnabled) {
+                if (bgResource.maintenanceModeType === "forced") {
+                    showBgMaintenancePage = true;
+                } else if (bgResource.maintenanceModeType === "automatic") {
+                    showBgMaintenancePage = !anySiteOnline;
+                }
+            }
+
+            if (showBgMaintenancePage && allowMaintenancePage) {
+                const bgMaintenanceServiceName = `bg-r${bgResource.resourceId}-maintenance-service`;
+                const bgMaintenanceRouterName = `bg-r${bgResource.resourceId}-maintenance-router`;
+                const bgRewriteMiddlewareName = `bg-r${bgResource.resourceId}-maintenance-rewrite`;
+
+                const entrypointHttp =
+                    config.getRawConfig().traefik.http_entrypoint;
+                const entrypointHttps =
+                    config.getRawConfig().traefik.https_entrypoint;
+
+                const maintenancePort = config.getRawConfig().server.next_port;
+                const maintenanceHost =
+                    config.getRawConfig().server.internal_hostname;
+
+                if (!config_output.http.services)
+                    config_output.http.services = {};
+                if (!config_output.http.middlewares)
+                    config_output.http.middlewares = {};
+                if (!config_output.http.routers)
+                    config_output.http.routers = {};
+
+                config_output.http.services![bgMaintenanceServiceName] = {
+                    loadBalancer: {
+                        servers: [
+                            {
+                                url: `http://${maintenanceHost}:${maintenancePort}`
+                            }
+                        ],
+                        passHostHeader: true
+                    }
+                };
+
+                config_output.http.middlewares![bgRewriteMiddlewareName] = {
+                    replacePathRegex: {
+                        regex: "^/(.*)",
+                        replacement: "/maintenance-screen"
+                    }
+                };
+
+                config_output.http.routers![bgMaintenanceRouterName] = {
+                    entryPoints: [
+                        bgResource.ssl ? entrypointHttps : entrypointHttp
+                    ],
+                    service: bgMaintenanceServiceName,
+                    middlewares: [bgRewriteMiddlewareName],
+                    rule: hostRule,
+                    priority: 2000,
+                    ...(bgResource.ssl ? { tls } : {})
+                };
+
+                config_output.http.routers![
+                    `${bgMaintenanceRouterName}-assets`
+                ] = {
+                    entryPoints: [
+                        bgResource.ssl ? entrypointHttps : entrypointHttp
+                    ],
+                    service: bgMaintenanceServiceName,
+                    rule: `${hostRule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
+                    priority: 2001,
+                    ...(bgResource.ssl ? { tls } : {})
+                };
+
+                continue;
+            }
+
+            // Group targets by type and generate per-type websocket routers and services
+            const typeMap = new Map<string, typeof bgResource.targets>();
+            for (const t of bgResource.targets) {
+                if (!typeMap.has(t.bgType)) typeMap.set(t.bgType, []);
+                typeMap.get(t.bgType)!.push(t);
+            }
+
+            for (const [bgType, typedTargets] of typeMap.entries()) {
+                const bgKey = `bg-r${bgResource.resourceId}-${bgType}`;
+                const bgRouterName = `${bgKey}-router`;
+                const bgServiceName = `${bgKey}-service`;
+                const bgRule = `${hostRule} && PathPrefix(\`/gateway/${bgType}\`)`;
+
+                const servers = typedTargets
+                    .filter((t) => {
+                        if (!t.siteOnline && anySiteOnline) return false;
+                        if (t.siteType === "newt") return !!t.subnet;
+                        return false; // browser gateway only supported on newt sites
+                    })
+                    .map((t) => ({
+                        url: `http://${t.subnet!.split("/")[0]}:${browserGatewayPort}`
+                    }))
+                    .filter(
+                        (v, i, a) => a.findIndex((u) => u.url === v.url) === i
+                    );
+
+                config_output.http.routers![bgRouterName] = {
+                    entryPoints: [
+                        bgResource.ssl
+                            ? config.getRawConfig().traefik.https_entrypoint
+                            : config.getRawConfig().traefik.http_entrypoint
+                    ],
+                    middlewares: routerMiddlewares,
+                    service: bgServiceName,
+                    rule: bgRule,
+                    priority: 110, // highest - websocket path takes precedence
+                    ...(bgResource.ssl ? { tls } : {})
+                };
+
+                config_output.http.services![bgServiceName] = {
+                    loadBalancer: {
+                        servers
+                    }
+                };
+            }
+
+            // UI: serve the browser gateway page from the internal pangolin instance.
+            // The primary type is used for the path rewrite (e.g. /rdp), mirroring
+            // how the maintenance page rewrites everything to /maintenance-screen.
+            const primaryType = typeMap.keys().next().value as string;
+            const internalHost = config.getRawConfig().server.internal_hostname;
+            const internalPort = config.getRawConfig().server.next_port;
+            const uiRewriteMiddlewareName = `bg-r${bgResource.resourceId}-ui-rewrite`;
+            const entrypoint = bgResource.ssl
+                ? config.getRawConfig().traefik.https_entrypoint
+                : config.getRawConfig().traefik.http_entrypoint;
+
+            if (!config_output.http.middlewares) {
+                config_output.http.middlewares = {};
+            }
+
+            config_output.http.middlewares![uiRewriteMiddlewareName] = {
+                replacePathRegex: {
+                    regex: "^/(.*)",
+                    replacement: `/${primaryType}`
+                }
+            };
+
+            config_output.http.services![bgUiServiceName] = {
+                loadBalancer: {
+                    servers: [
+                        {
+                            url: `http://${internalHost}:${internalPort}`
+                        }
+                    ]
+                }
+            };
+
+            // Assets router at higher priority so /_next files load without rewrite
+            config_output.http.routers![
+                `bg-r${bgResource.resourceId}-assets-router`
+            ] = {
+                entryPoints: [entrypoint],
+                middlewares: routerMiddlewares,
+                service: bgUiServiceName,
+                rule: `${hostRule} && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
+                priority: 101,
+                ...(bgResource.ssl ? { tls } : {})
+            };
+
+            // Catch-all router rewrites everything on the domain to /{primaryType}
+            config_output.http.routers![
+                `bg-r${bgResource.resourceId}-ui-router`
+            ] = {
+                entryPoints: [entrypoint],
+                middlewares: [...routerMiddlewares, uiRewriteMiddlewareName],
+                service: bgUiServiceName,
+                rule: hostRule,
+                priority: 100,
+                ...(bgResource.ssl ? { tls } : {})
+            };
+        }
+    }
+
    // Add Traefik routes for siteResource aliases (HTTP mode + SSL) so that
    // Traefik generates TLS certificates for those domains even when no
    // matching resource exists yet.
@@ -1040,7 +1435,7 @@ export async function getTraefikConfig(
            config_output.http.routers[`${siteResourceRouterName}-assets`] = {
                entryPoints: [config.getRawConfig().traefik.https_entrypoint],
                service: siteResourceServiceName,
-                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                priority: 101,
                tls
            };
@@ -1143,7 +1538,7 @@ export async function getTraefikConfig(
                        config.getRawConfig().traefik.https_entrypoint
                    ],
                    service: "landing-service",
-                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`))`,
+                    rule: `Host(\`${fullDomain}\`) && (PathRegexp(\`^/auth/resource/[^/]+$\`) || PathRegexp(\`^/auth/idp/[0-9]+/oidc/callback\`) || PathPrefix(\`/_next\`) || Path(\`/auth/org\`) || PathRegexp(\`^/__nextjs*\`) || Path(\`/favicon.ico\`))`,
                    priority: 203,
                    tls: tls
                };
--- a/server/private/middlewares/verifySubscription.ts
+++ b/server/private/middlewares/verifySubscription.ts
@@ -25,7 +25,7 @@ export function verifyValidSubscription(tiers: Tier[]) {
        next: NextFunction
    ): Promise<any> {
        try {
-            if (build != "saas") {
+            if (build !== "saas") {
                return next();
            }

--- a/server/private/routers/alertRule/createAlertRule.ts
+++ b/server/private/routers/alertRule/createAlertRule.ts
@@ -202,7 +202,22 @@ registry.registerPath({
            }
        }
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function createAlertRule(
--- a/server/private/routers/alertRule/deleteAlertRule.ts
+++ b/server/private/routers/alertRule/deleteAlertRule.ts
@@ -38,7 +38,22 @@ registry.registerPath({
    request: {
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function deleteAlertRule(
--- a/server/private/routers/alertRule/getAlertRule.ts
+++ b/server/private/routers/alertRule/getAlertRule.ts
@@ -49,7 +49,22 @@ registry.registerPath({
    request: {
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function getAlertRule(
--- a/server/private/routers/alertRule/listAlertRules.ts
+++ b/server/private/routers/alertRule/listAlertRules.ts
@@ -95,7 +95,22 @@ registry.registerPath({
        query: querySchema,
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function listAlertRules(
--- a/server/private/routers/alertRule/updateAlertRule.ts
+++ b/server/private/routers/alertRule/updateAlertRule.ts
@@ -13,6 +13,7 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import {
    alertRules,
@@ -148,6 +149,10 @@ const bodySchema = z
 export type UpdateAlertRuleResponse = {
    alertRuleId: number;
 };
+const UpdateAlertRuleResponseDataSchema = z.object({
+    alertRuleId: z.number()
+});
+

 registry.registerPath({
    method: "post",
@@ -164,7 +169,16 @@ registry.registerPath({
            }
        }
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(UpdateAlertRuleResponseDataSchema)
+                }
+            }
+        }
+    }
 });

 export async function updateAlertRule(
--- a/server/private/routers/approvals/processPendingApproval.ts
+++ b/server/private/routers/approvals/processPendingApproval.ts
@@ -24,7 +24,7 @@ import type { NextFunction, Request, Response } from "express";

 const paramsSchema = z.strictObject({
    orgId: z.string(),
-    approvalId: z.string().transform(Number).pipe(z.int().positive())
+    approvalId: z.coerce.number().int().positive()
 });

 const bodySchema = z.strictObject({
--- a/server/private/routers/auditLogs/exportAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/exportAccessAuditLog.ts
@@ -18,6 +18,7 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
+import { z } from "zod";
 import logger from "@server/logger";
 import {
    queryAccessAuditLogsParams,
@@ -37,7 +38,22 @@ registry.registerPath({
        query: queryAccessAuditLogsQuery,
        params: queryAccessAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function exportAccessAuditLogs(
--- a/server/private/routers/auditLogs/exportActionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportActionAuditLog.ts
@@ -18,6 +18,7 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
+import { z } from "zod";
 import logger from "@server/logger";
 import {
    queryActionAuditLogsParams,
@@ -37,7 +38,22 @@ registry.registerPath({
        query: queryActionAuditLogsQuery,
        params: queryActionAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function exportActionAuditLogs(
--- a/server/private/routers/auditLogs/exportConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/exportConnectionAuditLog.ts
@@ -18,6 +18,7 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
+import { z } from "zod";
 import logger from "@server/logger";
 import {
    queryConnectionAuditLogsParams,
@@ -37,7 +38,22 @@ registry.registerPath({
        query: queryConnectionAuditLogsQuery,
        params: queryConnectionAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function exportConnectionAuditLogs(
--- a/server/private/routers/auditLogs/queryAccessAuditLog.ts
+++ b/server/private/routers/auditLogs/queryAccessAuditLog.ts
@@ -93,6 +93,20 @@ export const queryAccessAuditLogsCombined = queryAccessAuditLogsQuery.merge(
 );
 type Q = z.infer<typeof queryAccessAuditLogsCombined>;

+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
    return and(
        gt(accessAuditLog.timestamp, data.timeStart),
@@ -308,7 +322,7 @@ async function queryUniqueFilterAttributes(
        actors: uniqueActors
            .map((row) => row.actor)
            .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
        locations: uniqueLocations
            .map((row) => row.locations)
            .filter((location): location is string => location !== null)
@@ -324,7 +338,22 @@ registry.registerPath({
        query: queryAccessAuditLogsQuery,
        params: queryAccessAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function queryAccessAuditLogs(
--- a/server/private/routers/auditLogs/queryActionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryActionAuditLog.ts
@@ -165,7 +165,22 @@ registry.registerPath({
        query: queryActionAuditLogsQuery,
        params: queryActionAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function queryActionAuditLogs(
--- a/server/private/routers/auditLogs/queryConnectionAuditLog.ts
+++ b/server/private/routers/auditLogs/queryConnectionAuditLog.ts
@@ -107,6 +107,20 @@ export const queryConnectionAuditLogsCombined =
    queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
 type Q = z.infer<typeof queryConnectionAuditLogsCombined>;

+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
    return and(
        gt(connectionAuditLog.startedAt, data.timeStart),
@@ -425,7 +439,7 @@ async function queryUniqueFilterAttributes(
            .map((row) => row.destAddr)
            .filter((addr): addr is string => addr !== null),
        clients: clientsWithNames,
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
        users: usersWithEmails
    };
 }
@@ -439,7 +453,22 @@ registry.registerPath({
        query: queryConnectionAuditLogsQuery,
        params: queryConnectionAuditLogsParams
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function queryConnectionAuditLogs(
--- a/server/private/routers/billing/getOrgUsage.ts
+++ b/server/private/routers/billing/getOrgUsage.ts
@@ -39,7 +39,22 @@ const getOrgSchema = z.strictObject({
 //     request: {
 //         params: getOrgSchema
 //     },
-//     responses: {}
+// responses: {
+// 200: {
+// description: "Successful response",
+// content: {
+// "application/json": {
+// schema: z.object({
+// data: z.unknown().nullable(),
+// success: z.boolean(),
+// error: z.boolean(),
+// message: z.string(),
+// status: z.number()
+// })
+// }
+// }
+// }
+// }
 // });

 export async function getOrgUsage(
--- a/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/createBrowserGatewayTarget.ts
@@ -0,0 +1,187 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { encrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+import { generateId } from "@server/auth/sessions/app";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive(),
+    type: z.enum(["ssh", "rdp", "vnc"]),
+    destination: z.string().nonempty(),
+    destinationPort: z.number().int().min(1).max(65535)
+});
+
+export type CreateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-target",
+    description: "Create a browser gateway target for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function createBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(and(eq(sites.siteId, siteId), eq(sites.orgId, orgId)))
+            .limit(1);
+
+        if (!site) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Site with ID ${siteId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const plainToken = generateId(48);
+        const encryptedToken = encrypt(
+            plainToken,
+            config.getRawConfig().server.secret!
+        );
+
+        const [record] = await db
+            .insert(browserGatewayTarget)
+            .values({
+                resourceId,
+                siteId,
+                type,
+                destination,
+                destinationPort,
+                authToken: encryptedToken
+            })
+            .returning();
+
+        if (site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, siteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [record],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(
+            `Created browser gateway target ${record.browserGatewayTargetId} for resource ${resourceId}`
+        );
+
+        return response<CreateBrowserGatewayTargetResponse>(res, {
+            data: record,
+            success: true,
+            error: false,
+            message: "Browser gateway target created successfully",
+            status: HttpCode.CREATED
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to create browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/deleteBrowserGatewayTarget.ts
@@ -0,0 +1,130 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db, newts, sites } from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { removeBrowserGatewayTarget } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+registry.registerPath({
+    method: "delete",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Delete a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function deleteBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        await db
+            .delete(browserGatewayTarget)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            );
+
+        if (existing.site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, existing.bgt.siteId))
+                .limit(1);
+
+            if (newt) {
+                await removeBrowserGatewayTarget(
+                    newt.newtId,
+                    browserGatewayTargetId,
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Deleted browser gateway target ${browserGatewayTargetId}`);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Browser gateway target deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to delete browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserGatewayTarget.ts
@@ -0,0 +1,109 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+export type GetBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Get a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function getBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const [result] = await db
+            .select({ bgt: browserGatewayTarget })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!result) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        return response<GetBrowserGatewayTargetResponse>(res, {
+            data: result.bgt,
+            success: true,
+            error: false,
+            message: "Browser gateway target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to retrieve browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
+++ b/server/private/routers/browserGatewayTarget/getBrowserTarget.ts
@@ -0,0 +1,112 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { browserGatewayTarget, db } from "@server/db";
+import { resources, targets } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { decrypt } from "@server/lib/crypto";
+import config from "@server/lib/config";
+import { GetBrowserTargetResponse } from "@server/routers/browserGatewayTarget";
+
+const getBrowserTargetSchema = z
+    .object({
+        fullDomain: z.string().min(1, "fullDomain is required")
+    })
+    .strict();
+
+export async function getBrowserTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsed = getBrowserTargetSchema.safeParse(req.query);
+        if (!parsed.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsed.error).toString()
+                )
+            );
+        }
+
+        const { fullDomain } = parsed.data;
+
+        logger.info(`Retrieving browser target for domain: ${fullDomain}`);
+
+        const [browserTarget] = await db
+            .select({
+                destination: browserGatewayTarget.destination,
+                destinationPort: browserGatewayTarget.destinationPort,
+                authToken: browserGatewayTarget.authToken,
+                resourceId: resources.resourceId,
+                niceId: resources.niceId,
+                orgId: resources.orgId,
+                pamMode: resources.pamMode,
+                authDaemonMode: resources.authDaemonMode
+            })
+            .from(browserGatewayTarget)
+            .innerJoin(
+                resources,
+                eq(browserGatewayTarget.resourceId, resources.resourceId)
+            )
+            .where(eq(resources.fullDomain, fullDomain))
+            .limit(1);
+
+        const decryptedAuthToken = decrypt(
+            browserTarget.authToken,
+            config.getRawConfig().server.secret!
+        );
+
+        if (!browserTarget) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "No resource found for this domain"
+                )
+            );
+        }
+
+        return response<GetBrowserTargetResponse>(res, {
+            data: {
+                ip: browserTarget.destination,
+                port: browserTarget.destinationPort,
+                authToken: decryptedAuthToken,
+                pamMode: browserTarget.pamMode,
+                authDaemonMode: browserTarget.authDaemonMode,
+                orgId: browserTarget.orgId,
+                resourceId: browserTarget.resourceId,
+                niceId: browserTarget.niceId
+            },
+            success: true,
+            error: false,
+            message: "Browser target retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred while retrieving the browser target"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/index.ts
+++ b/server/private/routers/browserGatewayTarget/index.ts
@@ -0,0 +1,19 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./createBrowserGatewayTarget";
+export * from "./updateBrowserGatewayTarget";
+export * from "./deleteBrowserGatewayTarget";
+export * from "./getBrowserGatewayTarget";
+export * from "./listBrowserGatewayTargets";
+export * from "./getBrowserTarget";
--- a/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
+++ b/server/private/routers/browserGatewayTarget/listBrowserGatewayTargets.ts
@@ -0,0 +1,159 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    resources,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive())
+});
+
+const querySchema = z.object({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.number().int().positive()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.number().int().nonnegative())
+});
+
+export type ListBrowserGatewayTargetsResponse = {
+    targets: BrowserGatewayTarget[];
+    total: number;
+    limit: number;
+    offset: number;
+};
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/resource/{resourceId}/browser-gateway-targets",
+    description: "List browser gateway targets for a resource.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        query: querySchema
+    },
+    responses: {}
+});
+
+export async function listBrowserGatewayTargets(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, resourceId } = parsedParams.data;
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { limit, offset } = parsedQuery.data;
+
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(
+                and(
+                    eq(resources.resourceId, resourceId),
+                    eq(resources.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!resource) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Resource with ID ${resourceId} not found in organization ${orgId}`
+                )
+            );
+        }
+
+        const rows = await db
+            .select({
+                browserGatewayTargetId:
+                    browserGatewayTarget.browserGatewayTargetId,
+                resourceId: browserGatewayTarget.resourceId,
+                siteId: browserGatewayTarget.siteId,
+                authToken: browserGatewayTarget.authToken,
+                type: browserGatewayTarget.type,
+                destination: browserGatewayTarget.destination,
+                destinationPort: browserGatewayTarget.destinationPort,
+                siteName: sites.name
+            })
+            .from(browserGatewayTarget)
+            .leftJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(eq(browserGatewayTarget.resourceId, resourceId))
+            .limit(limit)
+            .offset(offset);
+
+        return response<ListBrowserGatewayTargetsResponse>(res, {
+            data: {
+                targets: rows as any,
+                total: rows.length,
+                limit,
+                offset
+            },
+            success: true,
+            error: false,
+            message: "Browser gateway targets retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to list browser gateway targets"
+            )
+        );
+    }
+}
--- a/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
+++ b/server/private/routers/browserGatewayTarget/updateBrowserGatewayTarget.ts
@@ -0,0 +1,180 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import {
+    browserGatewayTarget,
+    BrowserGatewayTarget,
+    db,
+    newts,
+    sites
+} from "@server/db";
+import { eq, and } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendBrowserGatewayTargets } from "@server/routers/newt/targets";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty(),
+    browserGatewayTargetId: z
+        .string()
+        .transform(Number)
+        .pipe(z.number().int().positive())
+});
+
+const bodySchema = z.strictObject({
+    siteId: z.number().int().positive().optional(),
+    type: z.enum(["ssh", "rdp", "vnc"]).optional(),
+    destination: z.string().nonempty().optional(),
+    destinationPort: z.number().int().min(1).max(65535).optional()
+});
+
+export type UpdateBrowserGatewayTargetResponse = BrowserGatewayTarget;
+
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/browser-gateway-target/{browserGatewayTargetId}",
+    description: "Update a browser gateway target.",
+    tags: [OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
+
+export async function updateBrowserGatewayTarget(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { orgId, browserGatewayTargetId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { siteId, type, destination, destinationPort } = parsedBody.data;
+
+        const [existing] = await db
+            .select({ bgt: browserGatewayTarget, site: sites })
+            .from(browserGatewayTarget)
+            .innerJoin(sites, eq(sites.siteId, browserGatewayTarget.siteId))
+            .where(
+                and(
+                    eq(
+                        browserGatewayTarget.browserGatewayTargetId,
+                        browserGatewayTargetId
+                    ),
+                    eq(sites.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!existing) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Browser gateway target with ID ${browserGatewayTargetId} not found`
+                )
+            );
+        }
+
+        const updateValues: Partial<BrowserGatewayTarget> = {};
+        if (siteId !== undefined) updateValues.siteId = siteId;
+        if (type !== undefined) updateValues.type = type;
+        if (destination !== undefined) updateValues.destination = destination;
+        if (destinationPort !== undefined)
+            updateValues.destinationPort = destinationPort;
+
+        const [updated] = await db
+            .update(browserGatewayTarget)
+            .set(updateValues)
+            .where(
+                eq(
+                    browserGatewayTarget.browserGatewayTargetId,
+                    browserGatewayTargetId
+                )
+            )
+            .returning();
+
+        const targetSiteId = siteId ?? existing.bgt.siteId;
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, targetSiteId))
+            .limit(1);
+
+        if (site && site.type === "newt") {
+            const [newt] = await db
+                .select()
+                .from(newts)
+                .where(eq(newts.siteId, targetSiteId))
+                .limit(1);
+
+            if (newt) {
+                await sendBrowserGatewayTargets(
+                    newt.newtId,
+                    [updated],
+                    newt.version
+                );
+            }
+        }
+
+        logger.info(`Updated browser gateway target ${browserGatewayTargetId}`);
+
+        return response<UpdateBrowserGatewayTargetResponse>(res, {
+            data: updated,
+            success: true,
+            error: false,
+            message: "Browser gateway target updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to update browser gateway target"
+            )
+        );
+    }
+}
--- a/server/private/routers/certificates/getCertificate.ts
+++ b/server/private/routers/certificates/getCertificate.ts
@@ -115,7 +115,22 @@ registry.registerPath({
            orgId: z.string()
        })
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function getCertificate(
--- a/server/private/routers/certificates/restartCertificate.ts
+++ b/server/private/routers/certificates/restartCertificate.ts
@@ -25,7 +25,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";

 const restartCertificateParamsSchema = z.strictObject({
-    certId: z.string().transform(stoi).pipe(z.int().positive()),
+    certId: z.coerce.number().int().positive(),
    orgId: z.string()
 });

@@ -36,11 +36,26 @@ registry.registerPath({
    tags: ["Certificate"],
    request: {
        params: z.object({
-            certId: z.string().transform(stoi).pipe(z.int().positive()),
+            certId: z.coerce.number().int().positive(),
            orgId: z.string()
        })
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function restartCertificate(
--- a/server/private/routers/domain/checkDomainNamespaceAvailability.ts
+++ b/server/private/routers/domain/checkDomainNamespaceAvailability.ts
@@ -42,7 +42,22 @@ registry.registerPath({
        params: paramsSchema,
        query: querySchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function checkDomainNamespaceAvailability(
--- a/server/private/routers/domain/listDomainNamespaces.ts
+++ b/server/private/routers/domain/listDomainNamespaces.ts
@@ -25,6 +25,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";

 const paramsSchema = z.strictObject({});

@@ -65,6 +66,20 @@ export type ListDomainNamespacesResponse = {
    pagination: { total: number; limit: number; offset: number };
 };

+const ListDomainNamespacesResponseDataSchema = z.object({
+    domainNamespaces: z.array(
+        z.object({
+            domainNamespaceId: z.string(),
+            domainId: z.string()
+        })
+    ),
+    pagination: z.object({
+        total: z.number(),
+        limit: z.number(),
+        offset: z.number()
+    })
+});
+
 registry.registerPath({
    method: "get",
    path: "/domains/namepaces",
@@ -73,7 +88,18 @@ registry.registerPath({
    request: {
        query: querySchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(
+                        ListDomainNamespacesResponseDataSchema
+                    )
+                }
+            }
+        }
+    }
 });

 export async function listDomainNamespaces(
--- a/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts
@@ -13,6 +13,7 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import { logStreamingManager } from "#private/lib/logStreaming";
@@ -42,6 +43,10 @@ const bodySchema = z.strictObject({
 export type CreateEventStreamingDestinationResponse = {
    destinationId: number;
 };
+const CreateEventStreamingDestinationResponseDataSchema = z.object({
+    destinationId: z.number()
+});
+

 registry.registerPath({
    method: "put",
@@ -58,7 +63,16 @@ registry.registerPath({
            }
        }
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(CreateEventStreamingDestinationResponseDataSchema)
+                }
+            }
+        }
+    }
 });

 export async function createEventStreamingDestination(
--- a/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts
@@ -38,7 +38,22 @@ registry.registerPath({
    request: {
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function deleteEventStreamingDestination(
--- a/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
+++ b/server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts
@@ -24,6 +24,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -67,6 +68,31 @@ export type ListEventStreamingDestinationsResponse = {
    };
 };

+const ListEventStreamingDestinationsResponseDataSchema = z.object({
+    destinations: z.array(
+        z.object({
+            destinationId: z.number(),
+            orgId: z.string(),
+            type: z.string(),
+            config: z.string(),
+            enabled: z.boolean(),
+            lastError: z.string().nullable(),
+            lastErrorAt: z.number().nullable(),
+            createdAt: z.number(),
+            updatedAt: z.number(),
+            sendConnectionLogs: z.boolean(),
+            sendRequestLogs: z.boolean(),
+            sendActionLogs: z.boolean(),
+            sendAccessLogs: z.boolean()
+        })
+    ),
+    pagination: z.object({
+        total: z.number(),
+        limit: z.number(),
+        offset: z.number()
+    })
+});
+
 async function query(orgId: string, limit: number, offset: number) {
    const res = await db
        .select()
@@ -88,7 +114,18 @@ registry.registerPath({
        query: querySchema,
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(
+                        ListEventStreamingDestinationsResponseDataSchema
+                    )
+                }
+            }
+        }
+    }
 });

 export async function listEventStreamingDestinations(
--- a/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
+++ b/server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts
@@ -13,6 +13,7 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import response from "@server/lib/response";
@@ -45,6 +46,10 @@ const bodySchema = z.strictObject({
 export type UpdateEventStreamingDestinationResponse = {
    destinationId: number;
 };
+const UpdateEventStreamingDestinationResponseDataSchema = z.object({
+    destinationId: z.number()
+});
+

 registry.registerPath({
    method: "post",
@@ -61,7 +66,16 @@ registry.registerPath({
            }
        }
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(UpdateEventStreamingDestinationResponseDataSchema)
+                }
+            }
+        }
+    }
 });

 export async function updateEventStreamingDestination(
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -31,7 +31,11 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as browserGatewayTarget from "#private/routers/browserGatewayTarget";
+import * as labels from "#private/routers/labels";
 import * as client from "@server/routers/client";
+import * as resource from "#private/routers/resource";
+import * as policy from "#private/routers/policy";

 import {
    verifyOrgAccess,
@@ -45,7 +49,8 @@ import {
    verifyUserCanSetUserOrgRoles,
    verifySiteProvisioningKeyAccess,
    verifyIsLoggedInUser,
-    verifyAdmin
+    verifyAdmin,
+    verifyResourcePolicyAccess
 } from "@server/middlewares";
 import { ActionsEnum } from "@server/auth/actions";
 import {
@@ -383,6 +388,39 @@ authenticated.get(
    approval.countApprovals
 );

+authenticated.delete(
+    "/resource-policy/:resourcePolicyId",
+    verifyResourcePolicyAccess,
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.deleteResourcePolicy),
+    logActionAudit(ActionsEnum.deleteResourcePolicy),
+    policy.deleteResourcePolicy
+);
+
+authenticated.get(
+    "/org/:orgId/resource-policies",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.listResourcePolicies),
+    logActionAudit(ActionsEnum.listResourcePolicies),
+    policy.listResourcePolicies
+);
+
+authenticated.post(
+    "/org/:orgId/resource-policy",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.resourcePolicies),
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createResourcePolicy),
+    logActionAudit(ActionsEnum.createResourcePolicy),
+    policy.createResourcePolicy
+);
+
 authenticated.put(
    "/org/:orgId/approvals/:approvalId",
    verifyValidLicense,
@@ -733,6 +771,59 @@ authenticated.get(
    alertRule.getAlertRule
 );

+authenticated.get(
+    "/org/:orgId/labels",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.listOrgLabels),
+    labels.listOrgLabels
+);
+
+authenticated.post(
+    "/org/:orgId/labels",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.createOrgLabel),
+    labels.createOrgLabel
+);
+
+authenticated.patch(
+    "/org/:orgId/label/:labelId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.updateOrgLabel),
+    labels.updateOrgLabel
+);
+
+authenticated.delete(
+    "/org/:orgId/label/:labelId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteOrgLabel),
+    labels.deleteOrgLabel
+);
+
+authenticated.put(
+    "/org/:orgId/label/:labelId/attach",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.attachLabelToItem),
+    labels.attachLabelToItem
+);
+
+authenticated.put(
+    "/org/:orgId/label/:labelId/detach",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyValidSubscription(tierMatrix.labels),
+    verifyUserHasAction(ActionsEnum.detachLabelFromItem),
+    labels.detachLabelFromItem
+);
+
 authenticated.get(
    "/org/:orgId/health-checks",
    verifyValidLicense,
@@ -788,3 +879,48 @@ authenticated.post(
    verifyClientAccess,
    client.rebuildClientAssociationsCacheRoute
 );
+
+authenticated.put(
+    "/org/:orgId/resource/:resourceId/browser-gateway-target",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.createBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.createBrowserGatewayTarget),
+    browserGatewayTarget.createBrowserGatewayTarget
+);
+
+authenticated.get(
+    "/org/:orgId/resource/:resourceId/browser-gateway-targets",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listBrowserGatewayTargets),
+    browserGatewayTarget.listBrowserGatewayTargets
+);
+
+authenticated.get(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.getBrowserGatewayTarget),
+    browserGatewayTarget.getBrowserGatewayTarget
+);
+
+authenticated.post(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyLimits,
+    verifyUserHasAction(ActionsEnum.updateBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.updateBrowserGatewayTarget),
+    browserGatewayTarget.updateBrowserGatewayTarget
+);
+
+authenticated.delete(
+    "/org/:orgId/browser-gateway-target/:browserGatewayTargetId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.deleteBrowserGatewayTarget),
+    logActionAudit(ActionsEnum.deleteBrowserGatewayTarget),
+    browserGatewayTarget.deleteBrowserGatewayTarget
+);
--- a/server/private/routers/healthChecks/createHealthCheck.ts
+++ b/server/private/routers/healthChecks/createHealthCheck.ts
@@ -13,6 +13,7 @@

 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
+import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, targetHealthCheck, newts, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -52,6 +53,10 @@ const bodySchema = z.strictObject({
 export type CreateHealthCheckResponse = {
    targetHealthCheckId: number;
 };
+const CreateHealthCheckResponseDataSchema = z.object({
+    targetHealthCheckId: z.number()
+});
+

 registry.registerPath({
    method: "put",
@@ -68,7 +73,16 @@ registry.registerPath({
            }
        }
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: createApiResponseSchema(CreateHealthCheckResponseDataSchema)
+                }
+            }
+        }
+    }
 });

 export async function createHealthCheck(
--- a/server/private/routers/healthChecks/deleteHealthCheck.ts
+++ b/server/private/routers/healthChecks/deleteHealthCheck.ts
@@ -41,7 +41,22 @@ registry.registerPath({
    request: {
        params: paramsSchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function deleteHealthCheck(
--- a/server/private/routers/healthChecks/listHealthChecks.ts
+++ b/server/private/routers/healthChecks/listHealthChecks.ts
@@ -68,7 +68,22 @@ registry.registerPath({
        params: paramsSchema,
        query: querySchema
    },
-    responses: {}
+    responses: {
+        200: {
+            description: "Successful response",
+            content: {
+                "application/json": {
+                    schema: z.object({
+                        data: z.unknown().nullable(),
+                        success: z.boolean(),
+                        error: z.boolean(),
+                        message: z.string(),
+                        status: z.number()
+                    })
+                }
+            }
+        }
+    }
 });

 export async function listHealthChecks(
--- a/Show More
+++ b/Show More