From b64e2e11db5073e4dad5f1d95ceb597552c4389c Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 12:20:22 -0500
Subject: [PATCH 001/154] Try to remove deadlocks on client updates

---
 .../newt/handleReceiveBandwidthMessage.ts     | 104 +++++++++++++-----
 1 file changed, 79 insertions(+), 25 deletions(-)

diff --git a/server/routers/newt/handleReceiveBandwidthMessage.ts b/server/routers/newt/handleReceiveBandwidthMessage.ts
index 3d060a0c..eb930e68 100644
--- a/server/routers/newt/handleReceiveBandwidthMessage.ts
+++ b/server/routers/newt/handleReceiveBandwidthMessage.ts
@@ -1,7 +1,7 @@
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Newt } from "@server/db";
-import { eq } from "drizzle-orm";
+import { clients } from "@server/db";
+import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 
 interface PeerBandwidth {
@@ -10,13 +10,57 @@ interface PeerBandwidth {
     bytesOut: number;
 }
 
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
 export const handleReceiveBandwidthMessage: MessageHandler = async (
     context
 ) => {
-    const { message, client, sendToClient } = context;
+    const { message } = context;
 
     if (!message.data.bandwidthData) {
         logger.warn("No bandwidth data provided");
+        return;
     }
 
     const bandwidthData: PeerBandwidth[] = message.data.bandwidthData;
@@ -25,30 +69,40 @@ export const handleReceiveBandwidthMessage: MessageHandler = async (
         throw new Error("Invalid bandwidth data");
     }
 
-    await db.transaction(async (trx) => {
-        for (const peer of bandwidthData) {
-            const { publicKey, bytesIn, bytesOut } = peer;
+    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
+    // This is critical for preventing deadlocks when multiple instances update the same clients
+    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
+        a.publicKey.localeCompare(b.publicKey)
+    );
 
-            // Find the client by public key
-            const [client] = await trx
-                .select()
-                .from(clients)
-                .where(eq(clients.pubKey, publicKey))
-                .limit(1);
+    const currentTime = new Date().toISOString();
 
-            if (!client) {
-                continue;
-            }
+    // Update each client individually with retry logic
+    // This reduces transaction scope and allows retries per-client
+    for (const peer of sortedBandwidthData) {
+        const { publicKey, bytesIn, bytesOut } = peer;
 
-            // Update the client's bandwidth usage
-            await trx
-                .update(clients)
-                .set({
-                    megabytesOut: (client.megabytesIn || 0) + bytesIn,
-                    megabytesIn: (client.megabytesOut || 0) + bytesOut,
-                    lastBandwidthUpdate: new Date().toISOString()
-                })
-                .where(eq(clients.clientId, client.clientId));
+        try {
+            await withDeadlockRetry(async () => {
+                // Use atomic SQL increment to avoid SELECT then UPDATE pattern
+                // This eliminates the need to read the current value first
+                await db
+                    .update(clients)
+                    .set({
+                        // Note: bytesIn from peer goes to megabytesOut (data sent to client)
+                        // and bytesOut from peer goes to megabytesIn (data received from client)
+                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime
+                    })
+                    .where(eq(clients.pubKey, publicKey));
+            }, `update client bandwidth ${publicKey}`);
+        } catch (error) {
+            logger.error(
+                `Failed to update bandwidth for client ${publicKey}:`,
+                error
+            );
+            // Continue with other clients even if one fails
         }
-    });
+    }
 };

From c5ece144d0da460bd67ef466b3c3a1e5f35f6977 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 12:25:11 -0500
Subject: [PATCH 002/154] Attempt to fix loginPageOrg undefined error

---
 server/private/routers/hybrid.ts              | 20 +++++++++----------
 .../routers/loginPage/loadLoginPage.ts        | 10 ++++++++++
 .../loginPage/loadLoginPageBranding.ts        |  5 +++++
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index bbc0e0c8..a398dfe6 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -618,6 +618,16 @@ hybridRouter.get(
                 )
                 .limit(1);
 
+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
             if (
                 await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
@@ -633,16 +643,6 @@ hybridRouter.get(
                 );
             }
 
-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
             return response<LoginPage>(res, {
                 data: result.loginPage,
                 success: true,
diff --git a/server/private/routers/loginPage/loadLoginPage.ts b/server/private/routers/loginPage/loadLoginPage.ts
index 1b10e205..7a631c8a 100644
--- a/server/private/routers/loginPage/loadLoginPage.ts
+++ b/server/private/routers/loginPage/loadLoginPage.ts
@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                 eq(loginPage.loginPageId, loginPageOrg.loginPageId)
             )
             .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
         return {
             ...res.loginPage,
             orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgId
diff --git a/server/private/routers/loginPage/loadLoginPageBranding.ts b/server/private/routers/loginPage/loadLoginPageBranding.ts
index 823f75a6..1197bb10 100644
--- a/server/private/routers/loginPage/loadLoginPageBranding.ts
+++ b/server/private/routers/loginPage/loadLoginPageBranding.ts
@@ -48,6 +48,11 @@ async function query(orgId: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgs.orgId,

From 9fba9bd6b7301679e775375d524c02cceb60a22b Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Wed, 24 Dec 2025 15:53:08 -0500
Subject: [PATCH 003/154] ui enhancements

---
 messages/en-US.json                           |  2 +-
 server/routers/client/getClient.ts            |  2 +-
 .../settings/(private)/idp/create/page.tsx    |  2 +-
 .../[orgId]/settings/(private)/idp/page.tsx   | 34 +-------
 .../resources/proxy/[niceId]/proxy/page.tsx   |  2 +-
 src/app/globals.css                           | 12 +++
 src/app/layout.tsx                            |  4 +-
 src/components/Layout.tsx                     |  4 +-
 src/components/LayoutMobileMenu.tsx           |  2 +-
 src/components/ProxyResourcesTable.tsx        |  2 +-
 src/components/ViewportHeightFix.tsx          | 79 +++++++++++++++++++
 src/components/ui/button.tsx                  | 43 +++++-----
 src/components/ui/checkbox.tsx                | 16 ++--
 13 files changed, 131 insertions(+), 73 deletions(-)
 create mode 100644 src/components/ViewportHeightFix.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 57821a6d..8b04e4ea 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "I agree to the",
         "termsOfService": "terms of service",
         "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
diff --git a/server/routers/client/getClient.ts b/server/routers/client/getClient.ts
index cfb2652b..f054ce80 100644
--- a/server/routers/client/getClient.ts
+++ b/server/routers/client/getClient.ts
@@ -36,7 +36,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .select()
             .from(clients)
             .where(and(eq(clients.niceId, niceId), eq(clients.orgId, orgId)))
-            .leftJoin(olms, eq(olms.clientId, olms.clientId))
+            .leftJoin(olms, eq(clients.clientId, olms.clientId))
             .limit(1);
         return res;
     }
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 786c8635..f6260073 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -285,7 +285,7 @@ export default function Page() {
                 <Button
                     variant="outline"
                     onClick={() => {
-                        router.push("/admin/idp");
+                        router.push(`/${params.orgId}/settings/idp`);
                     }}
                 >
                     {t("idpSeeAll")}
diff --git a/src/app/[orgId]/settings/(private)/idp/page.tsx b/src/app/[orgId]/settings/(private)/idp/page.tsx
index 01845b18..f8d888c0 100644
--- a/src/app/[orgId]/settings/(private)/idp/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/page.tsx
@@ -1,17 +1,10 @@
-import { internal, priv } from "@app/lib/api";
+import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import IdpTable, { IdpRow } from "@app/components/private/OrgIdpTable";
 import { getTranslations } from "next-intl/server";
-import { Alert, AlertDescription } from "@app/components/ui/alert";
-import { cache } from "react";
-import {
-    GetOrgSubscriptionResponse,
-    GetOrgTierResponse
-} from "@server/routers/billing/types";
-import { TierId } from "@server/lib/billing/tiers";
-import { build } from "@server/build";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 
 type OrgIdpPageProps = {
     params: Promise<{ orgId: string }>;
@@ -35,21 +28,6 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
 
     const t = await getTranslations();
 
-    let subscriptionStatus: GetOrgTierResponse | null = null;
-    try {
-        const getSubscription = cache(() =>
-            priv.get<AxiosResponse<GetOrgTierResponse>>(
-                `/org/${params.orgId}/billing/tier`
-            )
-        );
-        const subRes = await getSubscription();
-        subscriptionStatus = subRes.data.data;
-    } catch {}
-    const subscribed =
-        build === "enterprise"
-            ? true
-            : subscriptionStatus?.tier === TierId.STANDARD;
-
     return (
         <>
             <SettingsSectionTitle
@@ -57,13 +35,7 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
                 description={t("idpManageDescription")}
             />
 
-            {build === "saas" && !subscribed ? (
-                <Alert variant="info" className="mb-6">
-                    <AlertDescription>
-                        {t("idpDisabled")} {t("subscriptionRequiredToUse")}
-                    </AlertDescription>
-                </Alert>
-            ) : null}
+            <PaidFeaturesAlert />
 
             <IdpTable idps={idps} orgId={params.orgId} />
         </>
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 18e4e6b5..fd4eb33a 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -338,7 +338,7 @@ function ProxyResourceTargetsForm({
                                 <div
                                     className={`flex items-center gap-2 ${status === "healthy" ? "text-green-500" : status === "unhealthy" ? "text-destructive" : ""}`}
                                 >
-                                    <Settings className="h-3 w-3" />
+                                    <Settings className="h-4 w-4 text-foreground" />
                                     {getStatusText(status)}
                                 </div>
                             </Button>
diff --git a/src/app/globals.css b/src/app/globals.css
index 70c614c0..731e1bff 100644
--- a/src/app/globals.css
+++ b/src/app/globals.css
@@ -178,4 +178,16 @@ p {
     .animate-dot-pulse {
         animation: dot-pulse 1.4s ease-in-out infinite;
     }
+
+    /* Use JavaScript-set viewport height for mobile to handle keyboard properly */
+    .h-screen-safe {
+        height: 100vh; /* Default for desktop and fallback */
+    }
+
+    /* Only apply custom viewport height on mobile */
+    @media (max-width: 767px) {
+        .h-screen-safe {
+            height: var(--vh, 100vh); /* Use CSS variable set by ViewportHeightFix on mobile */
+        }
+    }
 }
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index e76a5d2f..203dd778 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -22,6 +22,7 @@ import { TopLoader } from "@app/components/Toploader";
 import Script from "next/script";
 import { TanstackQueryProvider } from "@app/components/TanstackQueryProvider";
 import { TailwindIndicator } from "@app/components/TailwindIndicator";
+import { ViewportHeightFix } from "@app/components/ViewportHeightFix";
 
 export const metadata: Metadata = {
     title: `Dashboard - ${process.env.BRANDING_APP_NAME || "Pangolin"}`,
@@ -77,7 +78,7 @@ export default async function RootLayout({
 
     return (
         <html suppressHydrationWarning lang={locale}>
-            <body className={`${font.className} h-screen overflow-hidden`}>
+            <body className={`${font.className} h-screen-safe overflow-hidden`}>
                 <TopLoader />
                 {build === "saas" && (
                     <Script
@@ -86,6 +87,7 @@ export default async function RootLayout({
                         strategy="afterInteractive"
                     />
                 )}
+                <ViewportHeightFix />
                 <NextIntlClientProvider>
                     <ThemeProvider
                         attribute="class"
diff --git a/src/components/Layout.tsx b/src/components/Layout.tsx
index 71dff6bf..a7704c8f 100644
--- a/src/components/Layout.tsx
+++ b/src/components/Layout.tsx
@@ -37,7 +37,7 @@ export async function Layout({
         (sidebarStateCookie !== "expanded" && defaultSidebarCollapsed);
 
     return (
-        <div className="flex h-screen overflow-hidden">
+        <div className="flex h-screen-safe overflow-hidden">
             {/* Desktop Sidebar */}
             {showSidebar && (
                 <LayoutSidebar
@@ -75,7 +75,7 @@ export async function Layout({
                     <div
                         className={cn(
                             "container mx-auto max-w-12xl mb-12",
-                            showHeader && "pt-16 md:pt-16" // Add top padding on mobile and desktop to account for fixed header
+                            showHeader && "md:pt-16" // Add top padding only on desktop to account for fixed header
                         )}
                     >
                         {children}
diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index a7588f35..2b5fb320 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -48,7 +48,7 @@ export function LayoutMobileMenu({
     const t = useTranslations();
 
     return (
-        <div className="shrink-0 md:hidden fixed top-0 left-0 right-0 z-50 bg-card border-b border-border">
+        <div className="shrink-0 md:hidden sticky top-0 z-50">
             <div className="h-16 flex items-center px-2">
                 <div className="flex items-center gap-4">
                     {showSidebar && (
diff --git a/src/components/ProxyResourcesTable.tsx b/src/components/ProxyResourcesTable.tsx
index bd4bb4e1..69b180c4 100644
--- a/src/components/ProxyResourcesTable.tsx
+++ b/src/components/ProxyResourcesTable.tsx
@@ -198,7 +198,7 @@ export default function ProxyResourcesTable({
 
         if (!targets || targets.length === 0) {
             return (
-                <div className="flex items-center gap-2">
+                <div id="LOOK_FOR_ME" className="flex items-center gap-2">
                     <StatusIcon status="unknown" />
                     <span className="text-sm">
                         {t("resourcesTableNoTargets")}
diff --git a/src/components/ViewportHeightFix.tsx b/src/components/ViewportHeightFix.tsx
new file mode 100644
index 00000000..340bbcbb
--- /dev/null
+++ b/src/components/ViewportHeightFix.tsx
@@ -0,0 +1,79 @@
+"use client";
+
+import { useEffect } from "react";
+
+/**
+ * Fixes mobile viewport height issues when keyboard opens/closes
+ * by setting a CSS variable with a stable viewport height
+ * Only applies on mobile devices (< 768px, matching Tailwind's md breakpoint)
+ */
+export function ViewportHeightFix() {
+    useEffect(() => {
+        // Check if we're on mobile (md breakpoint is typically 768px)
+        const isMobile = () => window.innerWidth < 768;
+        
+        // On desktop, don't set --vh at all, let CSS use 100vh directly
+        if (!isMobile()) {
+            // Remove --vh if it was set, so CSS falls back to 100vh
+            document.documentElement.style.removeProperty("--vh");
+            return;
+        }
+
+        // Mobile-specific logic
+        let maxHeight = window.innerHeight;
+        let resizeTimer: NodeJS.Timeout;
+
+        // Set the viewport height as a CSS variable
+        const setViewportHeight = (height: number) => {
+            document.documentElement.style.setProperty("--vh", `${height}px`);
+        };
+
+        // Set initial value
+        setViewportHeight(maxHeight);
+
+        const handleResize = () => {
+            // If we switched to desktop, remove --vh and stop
+            if (!isMobile()) {
+                document.documentElement.style.removeProperty("--vh");
+                return;
+            }
+
+            clearTimeout(resizeTimer);
+            resizeTimer = setTimeout(() => {
+                const currentHeight = window.innerHeight;
+
+                // Track the maximum height we've seen (when keyboard is closed)
+                if (currentHeight > maxHeight) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // If current height is close to max, update max (keyboard closed)
+                else if (currentHeight >= maxHeight * 0.9) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // Otherwise, keep using the max height (keyboard is open)
+            }, 100);
+        };
+
+        const handleOrientationChange = () => {
+            // Reset on orientation change
+            setTimeout(() => {
+                maxHeight = window.innerHeight;
+                setViewportHeight(maxHeight);
+            }, 150);
+        };
+
+        window.addEventListener("resize", handleResize);
+        window.addEventListener("orientationchange", handleOrientationChange);
+
+        return () => {
+            window.removeEventListener("resize", handleResize);
+            window.removeEventListener("orientationchange", handleOrientationChange);
+            clearTimeout(resizeTimer);
+        };
+    }, []);
+
+    return null;
+}
+
diff --git a/src/components/ui/button.tsx b/src/components/ui/button.tsx
index 9f32e9ce..aca27270 100644
--- a/src/components/ui/button.tsx
+++ b/src/components/ui/button.tsx
@@ -73,35 +73,30 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
             >
                 {asChild ? (
                     props.children
-                ) : (
+                ) : loading ? (
                     <span className="relative inline-flex items-center justify-center">
-                        <span
-                            className={cn(
-                                "inline-flex items-center justify-center",
-                                loading && "opacity-0"
-                            )}
-                        >
+                        <span className="inline-flex items-center justify-center opacity-0">
                             {props.children}
                         </span>
-                        {loading && (
-                            <span className="absolute inset-0 flex items-center justify-center">
-                                <span className="flex items-center gap-1">
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "0ms" }} 
-                                    />
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "200ms" }} 
-                                    />
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "400ms" }} 
-                                    />
-                                </span>
+                        <span className="absolute inset-0 flex items-center justify-center">
+                            <span className="flex items-center gap-1.5">
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "0ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "200ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "400ms" }}
+                                />
                             </span>
-                        )}
+                        </span>
                     </span>
+                ) : (
+                    props.children
                 )}
             </Comp>
         );
diff --git a/src/components/ui/checkbox.tsx b/src/components/ui/checkbox.tsx
index ab68e1bf..85825dc1 100644
--- a/src/components/ui/checkbox.tsx
+++ b/src/components/ui/checkbox.tsx
@@ -14,13 +14,13 @@ const checkboxVariants = cva(
         variants: {
             variant: {
                 outlinePrimary:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outline:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
                 outlinePrimarySquare:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outlineSquare:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
             }
         },
         defaultVariants: {
@@ -30,8 +30,7 @@ const checkboxVariants = cva(
 );
 
 interface CheckboxProps
-    extends
-        React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
+    extends React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
         VariantProps<typeof checkboxVariants> {}
 
 const Checkbox = React.forwardRef<
@@ -50,9 +49,8 @@ const Checkbox = React.forwardRef<
 ));
 Checkbox.displayName = CheckboxPrimitive.Root.displayName;
 
-interface CheckboxWithLabelProps extends React.ComponentPropsWithoutRef<
-    typeof Checkbox
-> {
+interface CheckboxWithLabelProps
+    extends React.ComponentPropsWithoutRef<typeof Checkbox> {
     label: string;
 }
 

From 5b9b53245885379dbd846a4f2662afb54ba61f81 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:54 -0500
Subject: [PATCH 004/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 00f2238e..1758aa4f 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

From 808fd856d1b706183e70cbb0cf4a64a24c2e18bf Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:55 -0500
Subject: [PATCH 005/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 877b2250..9248f6e2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

From a67f88381f2fbed3d289393c240ce83e8d6117f5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:57 -0500
Subject: [PATCH 006/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 32629d71..330e63ab 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

From 3eed6364044cf24085eba7192e70103fe8ad865e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:58 -0500
Subject: [PATCH 007/154] New translations en-us.json (German)

---
 messages/de-DE.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 4a25cc43..02052495 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

From 0f90e2a30f3b1ab5e5cd53ac9026f95116c7054b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:59 -0500
Subject: [PATCH 008/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 48eccb2c..d6869131 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

From 00d9482a996033df9ced1f1a1722ca72bf248423 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:01 -0500
Subject: [PATCH 009/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index c8f2ed50..e4232a28 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

From a96ad6bd07b1a53978bd75db2d99a6ed2acf88e3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:02 -0500
Subject: [PATCH 010/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index cf59e0b7..18dbc7a5 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

From d5558f55ed3753074b5e76ef53680de118b8bb01 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:03 -0500
Subject: [PATCH 011/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index e907ea55..1be773f9 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

From 8c62d9fe78d2ec28578ea5f38ffced1d5f6fff58 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:04 -0500
Subject: [PATCH 012/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index f20191dd..3ee3ed92 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

From bfbfbe8b117a633fc52846ed51129500d43e17a9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:06 -0500
Subject: [PATCH 013/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 7ea25778..4ad10ee8 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

From 09733137037705fa13197e40bdc894e408fa27f0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:07 -0500
Subject: [PATCH 014/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 0c923286..af425c9f 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

From 93843ed733d8d489af752ae6865388250deb30f9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:08 -0500
Subject: [PATCH 015/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 953a292e..7c592249 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

From 1c7fb476b068d496364a46b7ae29584b0908aa3d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:10 -0500
Subject: [PATCH 016/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 6fbe819c..6940645a 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

From 818aca9ec887dea715059e4d39fd10bc6afd4b7b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:28 -0500
Subject: [PATCH 017/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 1758aa4f..2ccf0e0a 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",

From 13f0fb25daf40908fa4d565afd3968e599ff126e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:30 -0500
Subject: [PATCH 018/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 9248f6e2..618c88d2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",

From 6c0d5835571ee4bbae950d660474c996a284695c Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:31 -0500
Subject: [PATCH 019/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 330e63ab..7989b799 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",

From d7a44e75899685d19f5c196c82eb66f42a7bcb09 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:33 -0500
Subject: [PATCH 020/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index d6869131..c50452f6 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",

From bf3a1e20fc29dda3186208539702cd7c2558f5f0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:35 -0500
Subject: [PATCH 021/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index e4232a28..c58bc856 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",

From 653127a0f7910612489315cb7f07b86aa0a37b00 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:36 -0500
Subject: [PATCH 022/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 18dbc7a5..518dc1e7 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",

From 4b6ace80d30ed38100c065bd0d56e29e895b8b7e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:37 -0500
Subject: [PATCH 023/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 1be773f9..5e28017f 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",

From 164ab26069496f0e951e89a36a276356ab3d04dc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:39 -0500
Subject: [PATCH 024/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3ee3ed92..3a25fe2d 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",

From 7345cc81c1d50630c56502ec93031f39d4c65282 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:40 -0500
Subject: [PATCH 025/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 4ad10ee8..f2d75098 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",

From 440bff57d0f0ea3a4a945317f8358e238e5f4825 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:41 -0500
Subject: [PATCH 026/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index af425c9f..0559fba0 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",

From e23711bcce33197eb8ca97a47b641bf2ec4dcf8d Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:42 -0500
Subject: [PATCH 027/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 7c592249..f24ce24f 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",

From 831c63104894290257cd5a3c2f4bf14e8a4f4ea0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:44 -0500
Subject: [PATCH 028/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 6940645a..0caffa72 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",

From 32054dc4f64bf3eb1182a2a9dabf85414b7f84a3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:45 -0500
Subject: [PATCH 029/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 0bb4b398..e6d732ff 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

From 6280a68d512edfeae3f6013e79578ed7d2e07e14 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:22 -0500
Subject: [PATCH 030/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 2ccf0e0a..8e16b4d3 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "política de privacidad"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."

From d04936917260c2847ec455b6a2ede6ce90ca3cfa Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:24 -0500
Subject: [PATCH 031/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 618c88d2..c3f6755e 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "политиката за поверителност"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."

From ee1eca9e66455885f04e97bea398315fdfa04514 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:25 -0500
Subject: [PATCH 032/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 7989b799..6d3ca4a7 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "zásady ochrany osobních údajů"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."

From e41a5ad6b000d0a9b1f564e5ac08756588e13780 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:26 -0500
Subject: [PATCH 033/154] New translations en-us.json (German)

---
 messages/de-DE.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 02052495..3e9c48bf 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "Datenschutzrichtlinie"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."

From 1721cce040e1a46409b3313ef95fda3e711ddc74 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:28 -0500
Subject: [PATCH 034/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index c50452f6..c9c3dc5a 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "informativa sulla privacy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."

From ec6bcd41b0ccf1016518e3be6105e308c020bdaf Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:29 -0500
Subject: [PATCH 035/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index c58bc856..7c0cf028 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "개인 정보 보호 정책"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."

From 657bc9cdf0d47fbf34ca3f199105db5079991f48 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:30 -0500
Subject: [PATCH 036/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 518dc1e7..0c6b003d 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ik ga akkoord met de",
         "termsOfService": "servicevoorwaarden",
         "and": "en",
-        "privacyPolicy": "privacybeleid"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."

From 52b1164e58ecc3de524026271780dc53a0cf0c81 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:32 -0500
Subject: [PATCH 037/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 5e28017f..81af7362 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "polityką prywatności"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."

From 00cdd5833e00ea6bae6a3b4c702fc29a7ff1a953 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:33 -0500
Subject: [PATCH 038/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3a25fe2d..2156cde6 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "política de privacidade"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."

From 2c3fa54933145ea58cffddbc8e2e7a51b67aca27 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:34 -0500
Subject: [PATCH 039/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index f2d75098..ad34890e 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "политика конфиденциальности"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."

From 358e25b7c2ee9c33e4cc74e71199f506febd12e3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:36 -0500
Subject: [PATCH 040/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 0559fba0..03f8b12d 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "gizlilik politikası"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."

From bfae7150760bf04542f139299611386462fc8dce Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:37 -0500
Subject: [PATCH 041/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index f24ce24f..3fe5f0a7 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "隐私政策"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"

From a548f61ea6c331b53ada11dc031c615fde1768fc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:38 -0500
Subject: [PATCH 042/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 0caffa72..00881d9c 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "personvernerklæringen"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."

From f82cacac6d31df6f269e9b58046dbbcb9d7f2eb1 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:39 -0500
Subject: [PATCH 043/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index e6d732ff..cf686fee 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "la politique de confidentialité"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."

From 99ded7454eb7a3353068cd6fb8b3a0f255630d95 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:06 -0500
Subject: [PATCH 044/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 8e16b4d3..78336315 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Redirigir URL",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "política de privacidad."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

From 1f138ab68c1dcb75b25eb3b391c87bf7c4c6e5f5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:07 -0500
Subject: [PATCH 045/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index c3f6755e..f85b6c9e 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL адреси за пренасочване",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "политика за поверителност."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

From 99e2fcb2e86cfb95dfec67bac04c55dfe073f8cc Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:09 -0500
Subject: [PATCH 046/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 6d3ca4a7..50330652 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Přesměrovat URL",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "zásady ochrany osobních údajů."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

From 88aba4e169021a6d8db06a1853077429c5a5a66a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:10 -0500
Subject: [PATCH 047/154] New translations en-us.json (German)

---
 messages/de-DE.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 3e9c48bf..f9878faa 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Umleitungs-URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "datenschutzrichtlinie."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

From bfd14b87bdadcb60e92bde3ca85be05f322bfaf5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:11 -0500
Subject: [PATCH 048/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index c9c3dc5a..2ca14b0d 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Reindirizza URL",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "informativa sulla privacy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

From 853d416b2f6be3534819cd6ac0593055c86473d8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:13 -0500
Subject: [PATCH 049/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 7c0cf028..83d8ae36 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "리디렉션 URL",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "개인 정보 보호 정책."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

From 87135c90bdb926ef2a4dcc7b1fc64f7b43195786 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:14 -0500
Subject: [PATCH 050/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 0c6b003d..5057a53b 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL's omleiden",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ik ga akkoord met de",
         "termsOfService": "servicevoorwaarden",
         "and": "en",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "privacy beleid"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

From 4b9539cc6d3bd9e8564d346b4ff9ff91534a1390 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:15 -0500
Subject: [PATCH 051/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 81af7362..e01d64ca 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Przekieruj adresy URL",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "polityka prywatności."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

From 4df4cafd70c0585d8837a2adb331d469bb1bc311 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:16 -0500
Subject: [PATCH 052/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 2156cde6..2f4b5e79 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Redirecionar URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "política de privacidade."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

From 03a326c8416563338e5ea47825fe80a3225ac7c0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:18 -0500
Subject: [PATCH 053/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index ad34890e..f93b599a 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Перенаправление URL",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "политика конфиденциальности."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

From f62b88b9306dd762955a7fa7516fc93a068098e9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:19 -0500
Subject: [PATCH 054/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 03f8b12d..bbc6bbdf 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Yönlendirme URL'leri",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "gizlilik politikası."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

From 7ef86c57073735329b3cd5271409746d2752c6e2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:20 -0500
Subject: [PATCH 055/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 3fe5f0a7..6b487f8f 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "重定向URL",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "隐私政策。"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

From 0c3ce7836c5b1fec2c9a92f0116773ad5b7a1f77 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:22 -0500
Subject: [PATCH 056/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 00881d9c..94b51c65 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Omadressere URL'er",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "retningslinjer for personvern"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

From 982c692c40ff46776e0dcb4f0914b1c194f168cf Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:23 -0500
Subject: [PATCH 057/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index cf686fee..2447dd93 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL de redirection",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "politique de confidentialité."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

From 9759e86921e64e0f9536ff0bdf977a3f4703c2b3 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 12:35:03 -0500
Subject: [PATCH 058/154] add stripPortFromHost and reuse everywhere

---
 server/lib/ip.ts                          | 33 ++++++++++++++++++++++
 server/private/lib/logAccessAudit.ts      | 15 ++--------
 server/routers/auth/pollDeviceWebAuth.ts  | 27 ++----------------
 server/routers/auth/startDeviceWebAuth.ts | 27 ++----------------
 server/routers/badger/exchangeSession.ts  | 22 ++-------------
 server/routers/badger/logRequestAudit.ts  | 22 ++-------------
 server/routers/badger/verifySession.ts    | 34 ++---------------------
 7 files changed, 45 insertions(+), 135 deletions(-)

diff --git a/server/lib/ip.ts b/server/lib/ip.ts
index 280939f2..21ec78c1 100644
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -4,6 +4,7 @@ import { and, eq, isNotNull } from "drizzle-orm";
 import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
+import semver from "semver";
 
 interface IPRange {
     start: bigint;
@@ -683,3 +684,35 @@ export function parsePortRangeString(
 
     return result;
 }
+
+export function stripPortFromHost(ip: string, badgerVersion?: string): string {
+    const isNewerBadger =
+        badgerVersion &&
+        semver.valid(badgerVersion) &&
+        semver.gte(badgerVersion, "1.3.1");
+
+    if (isNewerBadger) {
+        return ip;
+    }
+
+    if (ip.startsWith("[") && ip.includes("]")) {
+        // if brackets are found, extract the IPv6 address from between the brackets
+        const ipv6Match = ip.match(/\[(.*?)\]/);
+        if (ipv6Match) {
+            return ipv6Match[1];
+        }
+    }
+
+    // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
+    // IPv4 format: x.x.x.x where x is 0-255
+    const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
+    if (ipv4Pattern.test(ip)) {
+        const lastColonIndex = ip.lastIndexOf(":");
+        if (lastColonIndex !== -1) {
+            return ip.substring(0, lastColonIndex);
+        }
+    }
+
+    // Return as is
+    return ip;
+}
diff --git a/server/private/lib/logAccessAudit.ts b/server/private/lib/logAccessAudit.ts
index 5c423c60..33dcaf1f 100644
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -17,6 +17,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 async function getAccessDays(orgId: string): Promise<number> {
     // check cache first
@@ -116,19 +117,7 @@ export async function logAccessAudit(data: {
         }
 
         const clientIp = data.requestIp
-            ? (() => {
-                  if (
-                      data.requestIp.startsWith("[") &&
-                      data.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = data.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-                  return data.requestIp;
-              })()
+            ? stripPortFromHost(data.requestIp)
             : undefined;
 
         const countryCode = data.requestIp
diff --git a/server/routers/auth/pollDeviceWebAuth.ts b/server/routers/auth/pollDeviceWebAuth.ts
index a5c71362..30d7183e 100644
--- a/server/routers/auth/pollDeviceWebAuth.ts
+++ b/server/routers/auth/pollDeviceWebAuth.ts
@@ -10,6 +10,7 @@ import { eq, and, gt } from "drizzle-orm";
 import { createSession, generateSessionToken } from "@server/auth/sessions/app";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const paramsSchema = z.object({
     code: z.string().min(1, "Code is required")
@@ -27,30 +28,6 @@ export type PollDeviceWebAuthResponse = {
     token?: string;
 };
 
-// Helper function to extract IP from request (same as in startDeviceWebAuth)
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip || req.socket.remoteAddress;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 export async function pollDeviceWebAuth(
     req: Request,
     res: Response,
@@ -70,7 +47,7 @@ export async function pollDeviceWebAuth(
     try {
         const { code } = parsedParams.data;
         const now = Date.now();
-        const requestIp = extractIpFromRequest(req);
+        const requestIp = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Hash the code before querying
         const hashedCode = hashDeviceCode(code);
diff --git a/server/routers/auth/startDeviceWebAuth.ts b/server/routers/auth/startDeviceWebAuth.ts
index 85fb5262..e28e750c 100644
--- a/server/routers/auth/startDeviceWebAuth.ts
+++ b/server/routers/auth/startDeviceWebAuth.ts
@@ -12,6 +12,7 @@ import { TimeSpan } from "oslo";
 import { maxmindLookup } from "@server/db/maxmind";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const bodySchema = z
     .object({
@@ -39,30 +40,6 @@ function hashDeviceCode(code: string): string {
     return encodeHexLowerCase(sha256(new TextEncoder().encode(code)));
 }
 
-// Helper function to extract IP from request
-function extractIpFromRequest(req: Request): string | undefined {
-    const ip = req.ip;
-    if (!ip) {
-        return undefined;
-    }
-
-    // Handle IPv6 format [::1] or IPv4 format
-    if (ip.startsWith("[") && ip.includes("]")) {
-        const ipv6Match = ip.match(/\[(.*?)\]/);
-        if (ipv6Match) {
-            return ipv6Match[1];
-        }
-    }
-
-    // Handle IPv4 with port (split at last colon)
-    const lastColonIndex = ip.lastIndexOf(":");
-    if (lastColonIndex !== -1) {
-        return ip.substring(0, lastColonIndex);
-    }
-
-    return ip;
-}
-
 // Helper function to get city from IP (if available)
 async function getCityFromIp(ip: string): Promise<string | undefined> {
     try {
@@ -112,7 +89,7 @@ export async function startDeviceWebAuth(
         const hashedCode = hashDeviceCode(code);
 
         // Extract IP from request
-        const ip = extractIpFromRequest(req);
+        const ip = req.ip ? stripPortFromHost(req.ip) : undefined;
 
         // Get city (optional, may return undefined)
         const city = ip ? await getCityFromIp(ip) : undefined;
diff --git a/server/routers/badger/exchangeSession.ts b/server/routers/badger/exchangeSession.ts
index 4017cfea..bde5518b 100644
--- a/server/routers/badger/exchangeSession.ts
+++ b/server/routers/badger/exchangeSession.ts
@@ -19,6 +19,7 @@ import {
 import { SESSION_COOKIE_EXPIRES as RESOURCE_SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/resource";
 import config from "@server/lib/config";
 import { response } from "@server/lib/response";
+import { stripPortFromHost } from "@server/lib/ip";
 
 const exchangeSessionBodySchema = z.object({
     requestToken: z.string(),
@@ -62,26 +63,7 @@ export async function exchangeSession(
             cleanHost = cleanHost.slice(0, -1 * matched.length);
         }
 
-        const clientIp = requestIp
-            ? (() => {
-                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
-                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
-                  if (ipv4Pattern.test(requestIp)) {
-                      const lastColonIndex = requestIp.lastIndexOf(":");
-                      if (lastColonIndex !== -1) {
-                          return requestIp.substring(0, lastColonIndex);
-                      }
-                  }
-
-                  return requestIp;
-              })()
-            : undefined;
+        const clientIp = requestIp ? stripPortFromHost(requestIp) : undefined;
 
         const [resource] = await db
             .select()
diff --git a/server/routers/badger/logRequestAudit.ts b/server/routers/badger/logRequestAudit.ts
index 80e3f419..aade2f98 100644
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -3,6 +3,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";
 
 /**
 
@@ -208,26 +209,7 @@ export async function logRequestAudit(
         }
 
         const clientIp = body.requestIp
-            ? (() => {
-                  if (
-                      body.requestIp.startsWith("[") &&
-                      body.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = body.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // ivp4
-                  // split at last colon
-                  const lastColonIndex = body.requestIp.lastIndexOf(":");
-                  if (lastColonIndex !== -1) {
-                      return body.requestIp.substring(0, lastColonIndex);
-                  }
-                  return body.requestIp;
-              })()
+            ? stripPortFromHost(body.requestIp)
             : undefined;
 
         // Add to buffer instead of writing directly to DB
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index ca7c913e..0da83c03 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -21,7 +21,7 @@ import {
     resourceSessions
 } from "@server/db";
 import config from "@server/lib/config";
-import { isIpInCidr } from "@server/lib/ip";
+import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -110,37 +110,7 @@ export async function verifyResourceSession(
         const clientHeaderAuth = extractBasicAuth(headers);
 
         const clientIp = requestIp
-            ? (() => {
-                  const isNewerBadger =
-                      badgerVersion &&
-                      semver.valid(badgerVersion) &&
-                      semver.gte(badgerVersion, "1.3.1");
-
-                  if (isNewerBadger) {
-                      return requestIp;
-                  }
-
-                  if (requestIp.startsWith("[") && requestIp.includes("]")) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-
-                  // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
-                  // IPv4 format: x.x.x.x where x is 0-255
-                  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
-                  if (ipv4Pattern.test(requestIp)) {
-                      const lastColonIndex = requestIp.lastIndexOf(":");
-                      if (lastColonIndex !== -1) {
-                          return requestIp.substring(0, lastColonIndex);
-                      }
-                  }
-
-                  // Return as is
-                  return requestIp;
-              })()
+            ? stripPortFromHost(requestIp, badgerVersion)
             : undefined;
 
         logger.debug("Client IP:", { clientIp });

From d6e0024c961777884de6be298b65ebd6dde60dc7 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 12:51:38 -0500
Subject: [PATCH 059/154] improved button loading animation

---
 src/app/globals.css          | 17 +++++++++++++++++
 src/components/ui/button.tsx | 31 ++++++++++++++++++++++++++-----
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/src/app/globals.css b/src/app/globals.css
index bd5860a6..70c614c0 100644
--- a/src/app/globals.css
+++ b/src/app/globals.css
@@ -162,3 +162,20 @@ p {
 #nprogress .bar {
     background: var(--color-primary) !important;
 }
+
+@keyframes dot-pulse {
+    0%, 80%, 100% {
+        opacity: 0.3;
+        transform: scale(0.8);
+    }
+    40% {
+        opacity: 1;
+        transform: scale(1);
+    }
+}
+
+@layer utilities {
+    .animate-dot-pulse {
+        animation: dot-pulse 1.4s ease-in-out infinite;
+    }
+}
diff --git a/src/components/ui/button.tsx b/src/components/ui/button.tsx
index f530ace1..9f32e9ce 100644
--- a/src/components/ui/button.tsx
+++ b/src/components/ui/button.tsx
@@ -3,7 +3,6 @@ import { Slot } from "@radix-ui/react-slot";
 import { cva, type VariantProps } from "class-variance-authority";
 
 import { cn } from "@app/lib/cn";
-import { Loader2 } from "lucide-react";
 
 const buttonVariants = cva(
     "cursor-pointer inline-flex items-center justify-center whitespace-nowrap text-sm font-medium ring-offset-background transition-colors focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-0 disabled:pointer-events-none disabled:opacity-50",
@@ -75,12 +74,34 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
                 {asChild ? (
                     props.children
                 ) : (
-                    <>
+                    <span className="relative inline-flex items-center justify-center">
+                        <span
+                            className={cn(
+                                "inline-flex items-center justify-center",
+                                loading && "opacity-0"
+                            )}
+                        >
+                            {props.children}
+                        </span>
                         {loading && (
-                            <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                            <span className="absolute inset-0 flex items-center justify-center">
+                                <span className="flex items-center gap-1">
+                                    <span 
+                                        className="h-1 w-1 bg-current animate-dot-pulse" 
+                                        style={{ animationDelay: "0ms" }} 
+                                    />
+                                    <span 
+                                        className="h-1 w-1 bg-current animate-dot-pulse" 
+                                        style={{ animationDelay: "200ms" }} 
+                                    />
+                                    <span 
+                                        className="h-1 w-1 bg-current animate-dot-pulse" 
+                                        style={{ animationDelay: "400ms" }} 
+                                    />
+                                </span>
+                            </span>
                         )}
-                        {props.children}
-                    </>
+                    </span>
                 )}
             </Comp>
         );

From 8732e5004704e1355d0981aa06d7a5a9929c8c14 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 13:33:24 -0500
Subject: [PATCH 060/154] add flag to disable product help banners

---
 server/lib/config.ts                 | 4 ++++
 server/lib/readConfigFile.ts         | 3 ++-
 src/components/DismissableBanner.tsx | 9 ++++++++-
 src/lib/pullEnv.ts                   | 6 +++++-
 src/lib/types/env.ts                 | 1 +
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/server/lib/config.ts b/server/lib/config.ts
index 405db2d1..d3931ec3 100644
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -84,6 +84,10 @@ export class Config {
             ?.disable_basic_wireguard_sites
             ? "true"
             : "false";
+        process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS = parsedConfig.flags
+            ?.disable_product_help_banners
+            ? "true"
+            : "false";
 
         process.env.PRODUCT_UPDATES_NOTIFICATION_ENABLED = parsedConfig.app
             .notifications.product_updates
diff --git a/server/lib/readConfigFile.ts b/server/lib/readConfigFile.ts
index da567820..90ebdc89 100644
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -330,7 +330,8 @@ export const configSchema = z
                 enable_integration_api: z.boolean().optional(),
                 disable_local_sites: z.boolean().optional(),
                 disable_basic_wireguard_sites: z.boolean().optional(),
-                disable_config_managed_domains: z.boolean().optional()
+                disable_config_managed_domains: z.boolean().optional(),
+                disable_product_help_banners: z.boolean().optional()
             })
             .optional(),
         dns: z
diff --git a/src/components/DismissableBanner.tsx b/src/components/DismissableBanner.tsx
index 9d8b246e..c4230c54 100644
--- a/src/components/DismissableBanner.tsx
+++ b/src/components/DismissableBanner.tsx
@@ -1,9 +1,10 @@
 "use client";
 
-import React, { useState, useEffect, type ReactNode } from "react";
+import React, { useState, useEffect, type ReactNode, useEffectEvent } from "react";
 import { Card, CardContent } from "@app/components/ui/card";
 import { X } from "lucide-react";
 import { useTranslations } from "next-intl";
+import { useEnvContext } from "@app/hooks/useEnvContext";
 
 type DismissableBannerProps = {
     storageKey: string;
@@ -25,6 +26,12 @@ export const DismissableBanner = ({
     const [isDismissed, setIsDismissed] = useState(true);
     const t = useTranslations();
 
+    const { env } = useEnvContext();
+
+    if (env.flags.disableProductHelpBanners) {
+        return null;
+    }
+
     useEffect(() => {
         const dismissedData = localStorage.getItem(storageKey);
         if (dismissedData) {
diff --git a/src/lib/pullEnv.ts b/src/lib/pullEnv.ts
index dbe47bd5..ed0057de 100644
--- a/src/lib/pullEnv.ts
+++ b/src/lib/pullEnv.ts
@@ -59,7 +59,11 @@ export function pullEnv(): Env {
             hideSupporterKey:
                 process.env.HIDE_SUPPORTER_KEY === "true" ? true : false,
             usePangolinDns:
-                process.env.USE_PANGOLIN_DNS === "true" ? true : false
+                process.env.USE_PANGOLIN_DNS === "true" ? true : false,
+            disableProductHelpBanners:
+                process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS === "true"
+                    ? true
+                    : false
         },
 
         branding: {
diff --git a/src/lib/types/env.ts b/src/lib/types/env.ts
index e40ac5d3..1f54f680 100644
--- a/src/lib/types/env.ts
+++ b/src/lib/types/env.ts
@@ -33,6 +33,7 @@ export type Env = {
         disableBasicWireguardSites: boolean;
         hideSupporterKey: boolean;
         usePangolinDns: boolean;
+        disableProductHelpBanners: boolean;
     };
     branding: {
         appName?: string;

From 768b9ffd091b70037f05c6db129ccc6a9fba9e50 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 13:37:48 -0500
Subject: [PATCH 061/154] fix server admin spacing on mobile sidebar

---
 src/components/LayoutMobileMenu.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index 7c4da0bc..7c491d40 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -83,7 +83,7 @@ export function LayoutMobileMenu({
                                         <div className="px-3">
                                             {!isAdminPage &&
                                                 user.serverAdmin && (
-                                                    <div className="pb-3">
+                                                    <div className="py-2">
                                                         <Link
                                                             href="/admin"
                                                             className={cn(

From 5a30f036fffa25be5efb862d08bf947815c367da Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 13:41:11 -0500
Subject: [PATCH 062/154] fade mobile footer

---
 src/components/LayoutMobileMenu.tsx | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index 7c491d40..f6898c0b 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -72,7 +72,7 @@ export function LayoutMobileMenu({
                                     <SheetDescription className="sr-only">
                                         {t("navbarDescription")}
                                     </SheetDescription>
-                                    <div className="flex-1 overflow-y-auto">
+                                    <div className="flex-1 overflow-y-auto relative">
                                         <div className="px-3">
                                             <OrgSelector
                                                 orgId={orgId}
@@ -113,6 +113,7 @@ export function LayoutMobileMenu({
                                                 }
                                             />
                                         </div>
+                                        <div className="sticky bottom-0 left-0 right-0 h-8 pointer-events-none bg-gradient-to-t from-card to-transparent" />
                                     </div>
                                     <div className="px-3 pt-3 pb-3 space-y-4 border-t shrink-0">
                                         <SupporterStatus />

From 2f561b56043af3fc5e3d0574ac5b4540652f4602 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 13:57:44 -0500
Subject: [PATCH 063/154] adjustments to mobile header css closes #1930

---
 src/components/Layout.tsx           | 2 +-
 src/components/LayoutMobileMenu.tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/components/Layout.tsx b/src/components/Layout.tsx
index 3523dbd7..71dff6bf 100644
--- a/src/components/Layout.tsx
+++ b/src/components/Layout.tsx
@@ -75,7 +75,7 @@ export async function Layout({
                     <div
                         className={cn(
                             "container mx-auto max-w-12xl mb-12",
-                            showHeader && "md:pt-16" // Add top padding only on desktop to account for fixed header
+                            showHeader && "pt-16 md:pt-16" // Add top padding on mobile and desktop to account for fixed header
                         )}
                     >
                         {children}
diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index f6898c0b..a7588f35 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -48,7 +48,7 @@ export function LayoutMobileMenu({
     const t = useTranslations();
 
     return (
-        <div className="shrink-0 md:hidden">
+        <div className="shrink-0 md:hidden fixed top-0 left-0 right-0 z-50 bg-card border-b border-border">
             <div className="h-16 flex items-center px-2">
                 <div className="flex items-center gap-4">
                     {showSidebar && (

From db43cf1b302ad411b6f94b1f69a7b2c0728696c0 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 23 Dec 2025 14:58:58 -0500
Subject: [PATCH 064/154] add sticky actions col to org idp table

---
 src/components/private/OrgIdpDataTable.tsx | 2 ++
 src/components/private/OrgIdpTable.tsx     | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/components/private/OrgIdpDataTable.tsx b/src/components/private/OrgIdpDataTable.tsx
index a7dc1850..9a45f49e 100644
--- a/src/components/private/OrgIdpDataTable.tsx
+++ b/src/components/private/OrgIdpDataTable.tsx
@@ -27,6 +27,8 @@ export function IdpDataTable<TData, TValue>({
             searchColumn="name"
             addButtonText={t("idpAdd")}
             onAdd={onAdd}
+            enableColumnVisibility={true}
+            stickyRightColumn="actions"
         />
     );
 }
diff --git a/src/components/private/OrgIdpTable.tsx b/src/components/private/OrgIdpTable.tsx
index f5fdfe40..387fd3c7 100644
--- a/src/components/private/OrgIdpTable.tsx
+++ b/src/components/private/OrgIdpTable.tsx
@@ -118,6 +118,7 @@ export default function IdpTable({ idps, orgId }: Props) {
         },
         {
             id: "actions",
+            enableHiding: false,
             header: () => <span className="p-3">{t("actions")}</span>,
             cell: ({ row }) => {
                 const siteRow = row.original;

From a01c06bbc7e22b0261dbc1e3dd62117b263d002d Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 10:47:01 -0500
Subject: [PATCH 065/154] Respect http status for url & maintenance mode

Fixes #2164
---
 .../resources/proxy/[niceId]/general/page.tsx   | 17 ++++++++++++++---
 src/components/ResourceInfoBox.tsx              | 12 ++++++------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx
index 7cf9339b..d8f050d3 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx
@@ -164,6 +164,10 @@ function MaintenanceSectionForm({
         return isEnterpriseNotLicensed || isSaasNotSubscribed;
     };
 
+    if (!resource.http) {
+        return null;
+    }
+
     return (
         <SettingsSection>
             <SettingsSectionHeader>
@@ -437,9 +441,16 @@ export default function GeneralForm() {
     );
 
     const resourceFullDomainName = useMemo(() => {
-        const url = new URL(resourceFullDomain);
-        return url.hostname;
-    }, [resourceFullDomain]);
+        if (!resource.fullDomain) {
+            return "";
+        }
+        try {
+            const url = new URL(resourceFullDomain);
+            return url.hostname;
+        } catch {
+            return "";
+        }
+    }, [resourceFullDomain, resource.fullDomain]);
 
     const [selectedDomain, setSelectedDomain] = useState<{
         domainId: string;
diff --git a/src/components/ResourceInfoBox.tsx b/src/components/ResourceInfoBox.tsx
index 6ef7521f..187edb5b 100644
--- a/src/components/ResourceInfoBox.tsx
+++ b/src/components/ResourceInfoBox.tsx
@@ -32,12 +32,6 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                 <InfoSections
                     cols={resource.http && env.flags.usePangolinDns ? 5 : 4}
                 >
-                    <InfoSection>
-                        <InfoSectionTitle>URL</InfoSectionTitle>
-                        <InfoSectionContent>
-                            <CopyToClipboard text={fullUrl} isLink={true} />
-                        </InfoSectionContent>
-                    </InfoSection>
                     <InfoSection>
                         <InfoSectionTitle>{t("identifier")}</InfoSectionTitle>
                         <InfoSectionContent>
@@ -46,6 +40,12 @@ export default function ResourceInfoBox({}: ResourceInfoBoxType) {
                     </InfoSection>
                     {resource.http ? (
                         <>
+                            <InfoSection>
+                                <InfoSectionTitle>URL</InfoSectionTitle>
+                                <InfoSectionContent>
+                                    <CopyToClipboard text={fullUrl} isLink={true} />
+                                </InfoSectionContent>
+                            </InfoSection>
                             <InfoSection>
                                 <InfoSectionTitle>
                                     {t("authentication")}

From dccf101554d3d56197c30e917619c9b501d77dca Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 10:49:18 -0500
Subject: [PATCH 066/154] Allow all in country in blueprints

Fixes #2163
---
 server/lib/blueprints/types.ts | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts
index cbd2553f..650d5b18 100644
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -111,32 +111,30 @@ export const RuleSchema = z
     .refine(
         (rule) => {
             if (rule.match === "country") {
-                // Check if it's a valid 2-letter country code
-                return /^[A-Z]{2}$/.test(rule.value);
+                // Check if it's a valid 2-letter country code or "ALL"
+                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be a 2-letter country code when match is 'country'"
+                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
         }
     )
     .refine(
         (rule) => {
             if (rule.match === "asn") {
-                // Check if it's either AS<number> format or just a number
+                // Check if it's either AS<number> format or "ALL"
                 const asNumberPattern = /^AS\d+$/i;
-                const isASFormat = asNumberPattern.test(rule.value);
-                const isNumeric = /^\d+$/.test(rule.value);
-                return isASFormat || isNumeric;
+                return asNumberPattern.test(rule.value) || rule.value === "ALL";
             }
             return true;
         },
         {
             path: ["value"],
             message:
-                "Value must be either 'AS<number>' format or a number when match is 'asn'"
+                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
         }
     );
 

From 81a9a9426446a31185f14a1644f4b2c76b4698ae Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 12:20:22 -0500
Subject: [PATCH 067/154] Try to remove deadlocks on client updates

---
 .../newt/handleReceiveBandwidthMessage.ts     | 104 +++++++++++++-----
 1 file changed, 79 insertions(+), 25 deletions(-)

diff --git a/server/routers/newt/handleReceiveBandwidthMessage.ts b/server/routers/newt/handleReceiveBandwidthMessage.ts
index 3d060a0c..eb930e68 100644
--- a/server/routers/newt/handleReceiveBandwidthMessage.ts
+++ b/server/routers/newt/handleReceiveBandwidthMessage.ts
@@ -1,7 +1,7 @@
 import { db } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Newt } from "@server/db";
-import { eq } from "drizzle-orm";
+import { clients } from "@server/db";
+import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 
 interface PeerBandwidth {
@@ -10,13 +10,57 @@ interface PeerBandwidth {
     bytesOut: number;
 }
 
+// Retry configuration for deadlock handling
+const MAX_RETRIES = 3;
+const BASE_DELAY_MS = 50;
+
+/**
+ * Check if an error is a deadlock error
+ */
+function isDeadlockError(error: any): boolean {
+    return (
+        error?.code === "40P01" ||
+        error?.cause?.code === "40P01" ||
+        (error?.message && error.message.includes("deadlock"))
+    );
+}
+
+/**
+ * Execute a function with retry logic for deadlock handling
+ */
+async function withDeadlockRetry<T>(
+    operation: () => Promise<T>,
+    context: string
+): Promise<T> {
+    let attempt = 0;
+    while (true) {
+        try {
+            return await operation();
+        } catch (error: any) {
+            if (isDeadlockError(error) && attempt < MAX_RETRIES) {
+                attempt++;
+                const baseDelay = Math.pow(2, attempt - 1) * BASE_DELAY_MS;
+                const jitter = Math.random() * baseDelay;
+                const delay = baseDelay + jitter;
+                logger.warn(
+                    `Deadlock detected in ${context}, retrying attempt ${attempt}/${MAX_RETRIES} after ${delay.toFixed(0)}ms`
+                );
+                await new Promise((resolve) => setTimeout(resolve, delay));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+
 export const handleReceiveBandwidthMessage: MessageHandler = async (
     context
 ) => {
-    const { message, client, sendToClient } = context;
+    const { message } = context;
 
     if (!message.data.bandwidthData) {
         logger.warn("No bandwidth data provided");
+        return;
     }
 
     const bandwidthData: PeerBandwidth[] = message.data.bandwidthData;
@@ -25,30 +69,40 @@ export const handleReceiveBandwidthMessage: MessageHandler = async (
         throw new Error("Invalid bandwidth data");
     }
 
-    await db.transaction(async (trx) => {
-        for (const peer of bandwidthData) {
-            const { publicKey, bytesIn, bytesOut } = peer;
+    // Sort bandwidth data by publicKey to ensure consistent lock ordering across all instances
+    // This is critical for preventing deadlocks when multiple instances update the same clients
+    const sortedBandwidthData = [...bandwidthData].sort((a, b) =>
+        a.publicKey.localeCompare(b.publicKey)
+    );
 
-            // Find the client by public key
-            const [client] = await trx
-                .select()
-                .from(clients)
-                .where(eq(clients.pubKey, publicKey))
-                .limit(1);
+    const currentTime = new Date().toISOString();
 
-            if (!client) {
-                continue;
-            }
+    // Update each client individually with retry logic
+    // This reduces transaction scope and allows retries per-client
+    for (const peer of sortedBandwidthData) {
+        const { publicKey, bytesIn, bytesOut } = peer;
 
-            // Update the client's bandwidth usage
-            await trx
-                .update(clients)
-                .set({
-                    megabytesOut: (client.megabytesIn || 0) + bytesIn,
-                    megabytesIn: (client.megabytesOut || 0) + bytesOut,
-                    lastBandwidthUpdate: new Date().toISOString()
-                })
-                .where(eq(clients.clientId, client.clientId));
+        try {
+            await withDeadlockRetry(async () => {
+                // Use atomic SQL increment to avoid SELECT then UPDATE pattern
+                // This eliminates the need to read the current value first
+                await db
+                    .update(clients)
+                    .set({
+                        // Note: bytesIn from peer goes to megabytesOut (data sent to client)
+                        // and bytesOut from peer goes to megabytesIn (data received from client)
+                        megabytesOut: sql`COALESCE(${clients.megabytesOut}, 0) + ${bytesIn}`,
+                        megabytesIn: sql`COALESCE(${clients.megabytesIn}, 0) + ${bytesOut}`,
+                        lastBandwidthUpdate: currentTime
+                    })
+                    .where(eq(clients.pubKey, publicKey));
+            }, `update client bandwidth ${publicKey}`);
+        } catch (error) {
+            logger.error(
+                `Failed to update bandwidth for client ${publicKey}:`,
+                error
+            );
+            // Continue with other clients even if one fails
         }
-    });
+    }
 };

From 284cccbe17ebc0fa6fe6e29696db83f5aa016972 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 24 Dec 2025 12:25:11 -0500
Subject: [PATCH 068/154] Attempt to fix loginPageOrg undefined error

---
 server/private/routers/hybrid.ts              | 20 +++++++++----------
 .../routers/loginPage/loadLoginPage.ts        | 10 ++++++++++
 .../loginPage/loadLoginPageBranding.ts        |  5 +++++
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index bbc0e0c8..a398dfe6 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -618,6 +618,16 @@ hybridRouter.get(
                 )
                 .limit(1);
 
+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
             if (
                 await checkExitNodeOrg(
                     remoteExitNode.exitNodeId,
@@ -633,16 +643,6 @@ hybridRouter.get(
                 );
             }
 
-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
             return response<LoginPage>(res, {
                 data: result.loginPage,
                 success: true,
diff --git a/server/private/routers/loginPage/loadLoginPage.ts b/server/private/routers/loginPage/loadLoginPage.ts
index 1b10e205..7a631c8a 100644
--- a/server/private/routers/loginPage/loadLoginPage.ts
+++ b/server/private/routers/loginPage/loadLoginPage.ts
@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                 eq(loginPage.loginPageId, loginPageOrg.loginPageId)
             )
             .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
         return {
             ...res.loginPage,
             orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgId
diff --git a/server/private/routers/loginPage/loadLoginPageBranding.ts b/server/private/routers/loginPage/loadLoginPageBranding.ts
index 823f75a6..1197bb10 100644
--- a/server/private/routers/loginPage/loadLoginPageBranding.ts
+++ b/server/private/routers/loginPage/loadLoginPageBranding.ts
@@ -48,6 +48,11 @@ async function query(orgId: string) {
             )
         )
         .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
     return {
         ...res,
         orgId: orgLink.orgs.orgId,

From c0c0d48edf7f0b3c6d05a94f2b6e3eb04a7e1900 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Wed, 24 Dec 2025 15:53:08 -0500
Subject: [PATCH 069/154] ui enhancements

---
 messages/en-US.json                           |  2 +-
 server/routers/client/getClient.ts            |  2 +-
 .../settings/(private)/idp/create/page.tsx    |  2 +-
 .../[orgId]/settings/(private)/idp/page.tsx   | 34 +-------
 .../resources/proxy/[niceId]/proxy/page.tsx   |  2 +-
 src/app/globals.css                           | 12 +++
 src/app/layout.tsx                            |  4 +-
 src/components/Layout.tsx                     |  4 +-
 src/components/LayoutMobileMenu.tsx           |  2 +-
 src/components/ProxyResourcesTable.tsx        |  2 +-
 src/components/ViewportHeightFix.tsx          | 79 +++++++++++++++++++
 src/components/ui/button.tsx                  | 43 +++++-----
 src/components/ui/checkbox.tsx                | 16 ++--
 13 files changed, 131 insertions(+), 73 deletions(-)
 create mode 100644 src/components/ViewportHeightFix.tsx

diff --git a/messages/en-US.json b/messages/en-US.json
index 57821a6d..8b04e4ea 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "I agree to the",
         "termsOfService": "terms of service",
         "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
diff --git a/server/routers/client/getClient.ts b/server/routers/client/getClient.ts
index cfb2652b..f054ce80 100644
--- a/server/routers/client/getClient.ts
+++ b/server/routers/client/getClient.ts
@@ -36,7 +36,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .select()
             .from(clients)
             .where(and(eq(clients.niceId, niceId), eq(clients.orgId, orgId)))
-            .leftJoin(olms, eq(olms.clientId, olms.clientId))
+            .leftJoin(olms, eq(clients.clientId, olms.clientId))
             .limit(1);
         return res;
     }
diff --git a/src/app/[orgId]/settings/(private)/idp/create/page.tsx b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
index 786c8635..f6260073 100644
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -285,7 +285,7 @@ export default function Page() {
                 <Button
                     variant="outline"
                     onClick={() => {
-                        router.push("/admin/idp");
+                        router.push(`/${params.orgId}/settings/idp`);
                     }}
                 >
                     {t("idpSeeAll")}
diff --git a/src/app/[orgId]/settings/(private)/idp/page.tsx b/src/app/[orgId]/settings/(private)/idp/page.tsx
index 01845b18..f8d888c0 100644
--- a/src/app/[orgId]/settings/(private)/idp/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/page.tsx
@@ -1,17 +1,10 @@
-import { internal, priv } from "@app/lib/api";
+import { internal } from "@app/lib/api";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import IdpTable, { IdpRow } from "@app/components/private/OrgIdpTable";
 import { getTranslations } from "next-intl/server";
-import { Alert, AlertDescription } from "@app/components/ui/alert";
-import { cache } from "react";
-import {
-    GetOrgSubscriptionResponse,
-    GetOrgTierResponse
-} from "@server/routers/billing/types";
-import { TierId } from "@server/lib/billing/tiers";
-import { build } from "@server/build";
+import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 
 type OrgIdpPageProps = {
     params: Promise<{ orgId: string }>;
@@ -35,21 +28,6 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
 
     const t = await getTranslations();
 
-    let subscriptionStatus: GetOrgTierResponse | null = null;
-    try {
-        const getSubscription = cache(() =>
-            priv.get<AxiosResponse<GetOrgTierResponse>>(
-                `/org/${params.orgId}/billing/tier`
-            )
-        );
-        const subRes = await getSubscription();
-        subscriptionStatus = subRes.data.data;
-    } catch {}
-    const subscribed =
-        build === "enterprise"
-            ? true
-            : subscriptionStatus?.tier === TierId.STANDARD;
-
     return (
         <>
             <SettingsSectionTitle
@@ -57,13 +35,7 @@ export default async function OrgIdpPage(props: OrgIdpPageProps) {
                 description={t("idpManageDescription")}
             />
 
-            {build === "saas" && !subscribed ? (
-                <Alert variant="info" className="mb-6">
-                    <AlertDescription>
-                        {t("idpDisabled")} {t("subscriptionRequiredToUse")}
-                    </AlertDescription>
-                </Alert>
-            ) : null}
+            <PaidFeaturesAlert />
 
             <IdpTable idps={idps} orgId={params.orgId} />
         </>
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
index 18e4e6b5..fd4eb33a 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx
@@ -338,7 +338,7 @@ function ProxyResourceTargetsForm({
                                 <div
                                     className={`flex items-center gap-2 ${status === "healthy" ? "text-green-500" : status === "unhealthy" ? "text-destructive" : ""}`}
                                 >
-                                    <Settings className="h-3 w-3" />
+                                    <Settings className="h-4 w-4 text-foreground" />
                                     {getStatusText(status)}
                                 </div>
                             </Button>
diff --git a/src/app/globals.css b/src/app/globals.css
index 70c614c0..731e1bff 100644
--- a/src/app/globals.css
+++ b/src/app/globals.css
@@ -178,4 +178,16 @@ p {
     .animate-dot-pulse {
         animation: dot-pulse 1.4s ease-in-out infinite;
     }
+
+    /* Use JavaScript-set viewport height for mobile to handle keyboard properly */
+    .h-screen-safe {
+        height: 100vh; /* Default for desktop and fallback */
+    }
+
+    /* Only apply custom viewport height on mobile */
+    @media (max-width: 767px) {
+        .h-screen-safe {
+            height: var(--vh, 100vh); /* Use CSS variable set by ViewportHeightFix on mobile */
+        }
+    }
 }
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index e76a5d2f..203dd778 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -22,6 +22,7 @@ import { TopLoader } from "@app/components/Toploader";
 import Script from "next/script";
 import { TanstackQueryProvider } from "@app/components/TanstackQueryProvider";
 import { TailwindIndicator } from "@app/components/TailwindIndicator";
+import { ViewportHeightFix } from "@app/components/ViewportHeightFix";
 
 export const metadata: Metadata = {
     title: `Dashboard - ${process.env.BRANDING_APP_NAME || "Pangolin"}`,
@@ -77,7 +78,7 @@ export default async function RootLayout({
 
     return (
         <html suppressHydrationWarning lang={locale}>
-            <body className={`${font.className} h-screen overflow-hidden`}>
+            <body className={`${font.className} h-screen-safe overflow-hidden`}>
                 <TopLoader />
                 {build === "saas" && (
                     <Script
@@ -86,6 +87,7 @@ export default async function RootLayout({
                         strategy="afterInteractive"
                     />
                 )}
+                <ViewportHeightFix />
                 <NextIntlClientProvider>
                     <ThemeProvider
                         attribute="class"
diff --git a/src/components/Layout.tsx b/src/components/Layout.tsx
index 71dff6bf..a7704c8f 100644
--- a/src/components/Layout.tsx
+++ b/src/components/Layout.tsx
@@ -37,7 +37,7 @@ export async function Layout({
         (sidebarStateCookie !== "expanded" && defaultSidebarCollapsed);
 
     return (
-        <div className="flex h-screen overflow-hidden">
+        <div className="flex h-screen-safe overflow-hidden">
             {/* Desktop Sidebar */}
             {showSidebar && (
                 <LayoutSidebar
@@ -75,7 +75,7 @@ export async function Layout({
                     <div
                         className={cn(
                             "container mx-auto max-w-12xl mb-12",
-                            showHeader && "pt-16 md:pt-16" // Add top padding on mobile and desktop to account for fixed header
+                            showHeader && "md:pt-16" // Add top padding only on desktop to account for fixed header
                         )}
                     >
                         {children}
diff --git a/src/components/LayoutMobileMenu.tsx b/src/components/LayoutMobileMenu.tsx
index a7588f35..2b5fb320 100644
--- a/src/components/LayoutMobileMenu.tsx
+++ b/src/components/LayoutMobileMenu.tsx
@@ -48,7 +48,7 @@ export function LayoutMobileMenu({
     const t = useTranslations();
 
     return (
-        <div className="shrink-0 md:hidden fixed top-0 left-0 right-0 z-50 bg-card border-b border-border">
+        <div className="shrink-0 md:hidden sticky top-0 z-50">
             <div className="h-16 flex items-center px-2">
                 <div className="flex items-center gap-4">
                     {showSidebar && (
diff --git a/src/components/ProxyResourcesTable.tsx b/src/components/ProxyResourcesTable.tsx
index bd4bb4e1..69b180c4 100644
--- a/src/components/ProxyResourcesTable.tsx
+++ b/src/components/ProxyResourcesTable.tsx
@@ -198,7 +198,7 @@ export default function ProxyResourcesTable({
 
         if (!targets || targets.length === 0) {
             return (
-                <div className="flex items-center gap-2">
+                <div id="LOOK_FOR_ME" className="flex items-center gap-2">
                     <StatusIcon status="unknown" />
                     <span className="text-sm">
                         {t("resourcesTableNoTargets")}
diff --git a/src/components/ViewportHeightFix.tsx b/src/components/ViewportHeightFix.tsx
new file mode 100644
index 00000000..340bbcbb
--- /dev/null
+++ b/src/components/ViewportHeightFix.tsx
@@ -0,0 +1,79 @@
+"use client";
+
+import { useEffect } from "react";
+
+/**
+ * Fixes mobile viewport height issues when keyboard opens/closes
+ * by setting a CSS variable with a stable viewport height
+ * Only applies on mobile devices (< 768px, matching Tailwind's md breakpoint)
+ */
+export function ViewportHeightFix() {
+    useEffect(() => {
+        // Check if we're on mobile (md breakpoint is typically 768px)
+        const isMobile = () => window.innerWidth < 768;
+        
+        // On desktop, don't set --vh at all, let CSS use 100vh directly
+        if (!isMobile()) {
+            // Remove --vh if it was set, so CSS falls back to 100vh
+            document.documentElement.style.removeProperty("--vh");
+            return;
+        }
+
+        // Mobile-specific logic
+        let maxHeight = window.innerHeight;
+        let resizeTimer: NodeJS.Timeout;
+
+        // Set the viewport height as a CSS variable
+        const setViewportHeight = (height: number) => {
+            document.documentElement.style.setProperty("--vh", `${height}px`);
+        };
+
+        // Set initial value
+        setViewportHeight(maxHeight);
+
+        const handleResize = () => {
+            // If we switched to desktop, remove --vh and stop
+            if (!isMobile()) {
+                document.documentElement.style.removeProperty("--vh");
+                return;
+            }
+
+            clearTimeout(resizeTimer);
+            resizeTimer = setTimeout(() => {
+                const currentHeight = window.innerHeight;
+
+                // Track the maximum height we've seen (when keyboard is closed)
+                if (currentHeight > maxHeight) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // If current height is close to max, update max (keyboard closed)
+                else if (currentHeight >= maxHeight * 0.9) {
+                    maxHeight = currentHeight;
+                    setViewportHeight(maxHeight);
+                }
+                // Otherwise, keep using the max height (keyboard is open)
+            }, 100);
+        };
+
+        const handleOrientationChange = () => {
+            // Reset on orientation change
+            setTimeout(() => {
+                maxHeight = window.innerHeight;
+                setViewportHeight(maxHeight);
+            }, 150);
+        };
+
+        window.addEventListener("resize", handleResize);
+        window.addEventListener("orientationchange", handleOrientationChange);
+
+        return () => {
+            window.removeEventListener("resize", handleResize);
+            window.removeEventListener("orientationchange", handleOrientationChange);
+            clearTimeout(resizeTimer);
+        };
+    }, []);
+
+    return null;
+}
+
diff --git a/src/components/ui/button.tsx b/src/components/ui/button.tsx
index 9f32e9ce..aca27270 100644
--- a/src/components/ui/button.tsx
+++ b/src/components/ui/button.tsx
@@ -73,35 +73,30 @@ const Button = React.forwardRef<HTMLButtonElement, ButtonProps>(
             >
                 {asChild ? (
                     props.children
-                ) : (
+                ) : loading ? (
                     <span className="relative inline-flex items-center justify-center">
-                        <span
-                            className={cn(
-                                "inline-flex items-center justify-center",
-                                loading && "opacity-0"
-                            )}
-                        >
+                        <span className="inline-flex items-center justify-center opacity-0">
                             {props.children}
                         </span>
-                        {loading && (
-                            <span className="absolute inset-0 flex items-center justify-center">
-                                <span className="flex items-center gap-1">
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "0ms" }} 
-                                    />
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "200ms" }} 
-                                    />
-                                    <span 
-                                        className="h-1 w-1 bg-current animate-dot-pulse" 
-                                        style={{ animationDelay: "400ms" }} 
-                                    />
-                                </span>
+                        <span className="absolute inset-0 flex items-center justify-center">
+                            <span className="flex items-center gap-1.5">
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "0ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "200ms" }}
+                                />
+                                <span
+                                    className="h-1 w-1 bg-current animate-dot-pulse"
+                                    style={{ animationDelay: "400ms" }}
+                                />
                             </span>
-                        )}
+                        </span>
                     </span>
+                ) : (
+                    props.children
                 )}
             </Comp>
         );
diff --git a/src/components/ui/checkbox.tsx b/src/components/ui/checkbox.tsx
index ab68e1bf..85825dc1 100644
--- a/src/components/ui/checkbox.tsx
+++ b/src/components/ui/checkbox.tsx
@@ -14,13 +14,13 @@ const checkboxVariants = cva(
         variants: {
             variant: {
                 outlinePrimary:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outline:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground",
                 outlinePrimarySquare:
-                    "border rounded-[5px] border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
                 outlineSquare:
-                    "border rounded-[5px] border-input data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
+                    "border rounded-[5px] border-input data-[state=checked]:border-primary data-[state=checked]:bg-muted data-[state=checked]:text-accent-foreground"
             }
         },
         defaultVariants: {
@@ -30,8 +30,7 @@ const checkboxVariants = cva(
 );
 
 interface CheckboxProps
-    extends
-        React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
+    extends React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>,
         VariantProps<typeof checkboxVariants> {}
 
 const Checkbox = React.forwardRef<
@@ -50,9 +49,8 @@ const Checkbox = React.forwardRef<
 ));
 Checkbox.displayName = CheckboxPrimitive.Root.displayName;
 
-interface CheckboxWithLabelProps extends React.ComponentPropsWithoutRef<
-    typeof Checkbox
-> {
+interface CheckboxWithLabelProps
+    extends React.ComponentPropsWithoutRef<typeof Checkbox> {
     label: string;
 }
 

From 37e6f320fe654ac6abe3abfd5afd405db3abb595 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:54 -0500
Subject: [PATCH 070/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 00f2238e..1758aa4f 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

From 9ea7431b7317cd536e1c7fec2e66b360bb30fb89 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:55 -0500
Subject: [PATCH 071/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 877b2250..9248f6e2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

From a8265a5286c71a429fef15a7ca53ab345183fd5e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:57 -0500
Subject: [PATCH 072/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 32629d71..330e63ab 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

From 2362a9b4dd86f93bc72eb3d88f6d81e10b2ea96b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:58 -0500
Subject: [PATCH 073/154] New translations en-us.json (German)

---
 messages/de-DE.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 4a25cc43..02052495 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

From d49720703f02f1961f341a6c0728893d2403b741 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:22:59 -0500
Subject: [PATCH 074/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index 48eccb2c..d6869131 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

From d9d8d85f6ece57b01d88ce3ac10cd55e6a94bc60 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:01 -0500
Subject: [PATCH 075/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index c8f2ed50..e4232a28 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

From 8164d5c1ad773bf64048fa94f01168d683727972 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:02 -0500
Subject: [PATCH 076/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index cf59e0b7..18dbc7a5 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

From c92f2cd4baec04ec75eeebb20217240cde3ed628 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:03 -0500
Subject: [PATCH 077/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index e907ea55..1be773f9 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

From 2996dfb33a83d328cdd48aad4b877b158c8f68ee Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:04 -0500
Subject: [PATCH 078/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index f20191dd..3ee3ed92 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

From 6f0268f6c02cc48708e5c295d64520f58cc9e08b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:06 -0500
Subject: [PATCH 079/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 7ea25778..4ad10ee8 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

From 5fd216adc210363f251571a4e5fbaabc65a397ad Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:07 -0500
Subject: [PATCH 080/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 0c923286..af425c9f 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

From 67dc10dfe9693c1087a2fc6212a1348a3af3f247 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:08 -0500
Subject: [PATCH 081/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 953a292e..7c592249 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

From f13ddde9888586cfe9a629cf7dfa618d1a1df42a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 18:23:10 -0500
Subject: [PATCH 082/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 6fbe819c..6940645a 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2349,6 +2349,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

From 16ba56af84ea811a124330e0b9600f933b7728e4 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:28 -0500
Subject: [PATCH 083/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 1758aa4f..2ccf0e0a 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",

From ea72279080be0fe5f26df8414a02fdedf9b55972 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:30 -0500
Subject: [PATCH 084/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 9248f6e2..618c88d2 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",

From f32e31c73dffe96fd61d26a20ade31f0db57da78 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:31 -0500
Subject: [PATCH 085/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 330e63ab..7989b799 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",

From 476281db2bf3cbb986d98924dcde37bca5445401 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:33 -0500
Subject: [PATCH 086/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index d6869131..c50452f6 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",

From 61dfa00222106d0d20e64e923f78e314d3870663 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:35 -0500
Subject: [PATCH 087/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index e4232a28..c58bc856 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",

From 74e6d39c24cbe02964909ba67d537a0e93f13109 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:36 -0500
Subject: [PATCH 088/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 18dbc7a5..518dc1e7 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",

From 96a9bdb700d73741fb2d3107bafa116cce1fff4a Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:37 -0500
Subject: [PATCH 089/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 1be773f9..5e28017f 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",

From b0be82be86dcd0924ff912e1adaf7c68434d3e4b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:39 -0500
Subject: [PATCH 090/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3ee3ed92..3a25fe2d 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",

From 55f5a4175216a54d14a5070595363e1add4079d9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:40 -0500
Subject: [PATCH 091/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index 4ad10ee8..f2d75098 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",

From c0e503b31f32df3b6b1839599e8e74b27a59d838 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:41 -0500
Subject: [PATCH 092/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index af425c9f..0559fba0 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",

From ea7a6188106f47e6985d7c10710af055bd19c29c Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:42 -0500
Subject: [PATCH 093/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 7c592249..f24ce24f 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",

From 46aaadb76aa058bf51e59667e99e7c060a333c5b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:44 -0500
Subject: [PATCH 094/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 6940645a..0caffa72 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",

From 258d1d82f34d604b2cbf3b5cef7c53108f2b23c5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Mon, 22 Dec 2025 22:59:45 -0500
Subject: [PATCH 095/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index 0bb4b398..e6d732ff 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -2349,6 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

From 2766758c66670315e2ab4f25b252bbb1cb48b129 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:22 -0500
Subject: [PATCH 096/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 2ccf0e0a..8e16b4d3 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "política de privacidad"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."

From 998c1f52cab578d60d2d764da97221220f941435 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:24 -0500
Subject: [PATCH 097/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index 618c88d2..c3f6755e 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "политиката за поверителност"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."

From dc84935ee69050849085efaa99ff99d3f25e3d78 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:25 -0500
Subject: [PATCH 098/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 7989b799..6d3ca4a7 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "zásady ochrany osobních údajů"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."

From 307209e73f11735392c4b97b8ad2506105e4ffc8 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:26 -0500
Subject: [PATCH 099/154] New translations en-us.json (German)

---
 messages/de-DE.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 02052495..3e9c48bf 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -850,6 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1479,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "Datenschutzrichtlinie"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."

From e4c369deece0dda0b4e127a9f6419b01a608ada3 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:28 -0500
Subject: [PATCH 100/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index c50452f6..c9c3dc5a 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "informativa sulla privacy"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."

From 626d5df67eba5726551453bf4ff5f6e2001b5b47 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:29 -0500
Subject: [PATCH 101/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index c58bc856..7c0cf028 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "개인 정보 보호 정책"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."

From 4d1a7ed69b127886e8a2197f730b14adda8a9430 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:30 -0500
Subject: [PATCH 102/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 518dc1e7..0c6b003d 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ik ga akkoord met de",
         "termsOfService": "servicevoorwaarden",
         "and": "en",
-        "privacyPolicy": "privacybeleid"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."

From c7737c444f4cfc9e9a7e6115761db95dfdc52840 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:32 -0500
Subject: [PATCH 103/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 5e28017f..81af7362 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "polityką prywatności"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."

From 2500f99722747b62e65f207c2b30fc6c4192aae2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:33 -0500
Subject: [PATCH 104/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 3a25fe2d..2156cde6 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "política de privacidade"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."

From 848fca7e1b0f7f439d1bb08d5d335901049cd207 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:34 -0500
Subject: [PATCH 105/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index f2d75098..ad34890e 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "политика конфиденциальности"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."

From 0dd3c84b24a9a72d1880264f899631861fc28af6 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:36 -0500
Subject: [PATCH 106/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 0559fba0..03f8b12d 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "gizlilik politikası"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."

From bb47ca3d2ec5676373e6672cc7cc2de991991211 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:37 -0500
Subject: [PATCH 107/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index f24ce24f..3fe5f0a7 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "隐私政策"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"

From 37082ae436c2d1c7ff90ed97cd7c0d8277366c9e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:38 -0500
Subject: [PATCH 108/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 0caffa72..00881d9c 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "personvernerklæringen"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."

From fd1cb6ca2392b9287d13c735edcd2dfc48ef2f1e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 15:56:39 -0500
Subject: [PATCH 109/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index e6d732ff..cf686fee 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "la politique de confidentialité"
+        "privacyPolicy": "privacy policy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."

From 956aa645199c2a61e9c2ad02e65dafed8df7ab29 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:06 -0500
Subject: [PATCH 110/154] New translations en-us.json (Spanish)

---
 messages/es-ES.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/es-ES.json b/messages/es-ES.json
index 8e16b4d3..78336315 100644
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurar acceso para una organización",
     "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
     "redirectUrl": "URL de redirección",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Redirigir URL",
     "redirectUrlAbout": "Acerca de la URL de redirección",
     "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
     "pangolinAuth": "Autenticación - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Estoy de acuerdo con los",
         "termsOfService": "términos del servicio",
         "and": "y",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "política de privacidad."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Ingresar confirmación",
     "blueprintViewDetails": "Detalles",
     "defaultIdentityProvider": "Proveedor de identidad predeterminado",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
     "editInternalResourceDialogNetworkSettings": "Configuración de red",
     "editInternalResourceDialogAccessPolicy": "Política de acceso",
     "editInternalResourceDialogAddRoles": "Agregar roles",

From 8d60a87aa105bf901c62fde117eaaa923bf5cf87 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:07 -0500
Subject: [PATCH 111/154] New translations en-us.json (Bulgarian)

---
 messages/bg-BG.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/bg-BG.json b/messages/bg-BG.json
index c3f6755e..f85b6c9e 100644
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Конфигуриране на достъп за организация",
     "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
     "redirectUrl": "URL за пренасочване",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL адреси за пренасочване",
     "redirectUrlAbout": "За URL за пренасочване",
     "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
     "pangolinAuth": "Authent - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Съгласен съм с",
         "termsOfService": "условията за ползване",
         "and": "и",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "политика за поверителност."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Въведете потвърждение.",
     "blueprintViewDetails": "Подробности.",
     "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
     "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
     "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
     "editInternalResourceDialogAddRoles": "Добавяне на роли.",

From fcbea08c87856fe0c14d928767c0532483063d44 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:09 -0500
Subject: [PATCH 112/154] New translations en-us.json (Czech)

---
 messages/cs-CZ.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/cs-CZ.json b/messages/cs-CZ.json
index 6d3ca4a7..50330652 100644
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
     "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
     "redirectUrl": "Přesměrovat URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Přesměrovat URL",
     "redirectUrlAbout": "O přesměrování URL",
     "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Souhlasím s",
         "termsOfService": "podmínky služby",
         "and": "a",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "zásady ochrany osobních údajů."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Zadejte potvrzení",
     "blueprintViewDetails": "Detaily",
     "defaultIdentityProvider": "Výchozí poskytovatel identity",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
     "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
     "editInternalResourceDialogAccessPolicy": "Přístupová politika",
     "editInternalResourceDialogAddRoles": "Přidat role",

From 51dc1450d3a86089f64a212d3d67028cba1deb81 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:10 -0500
Subject: [PATCH 113/154] New translations en-us.json (German)

---
 messages/de-DE.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/de-DE.json b/messages/de-DE.json
index 3e9c48bf..f9878faa 100644
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
     "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
     "redirectUrl": "Weiterleitungs-URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Umleitungs-URLs",
     "redirectUrlAbout": "Über die Weiterleitungs-URL",
     "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
     "pangolinAuth": "Authentifizierung - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ich stimme den",
         "termsOfService": "Nutzungsbedingungen zu",
         "and": "und",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "datenschutzrichtlinie."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Bestätigung eingeben",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standard Identitätsanbieter",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
     "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
     "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
     "editInternalResourceDialogAddRoles": "Rollen hinzufügen",

From 31bc6d5773b44f3958755cfcd63f37a42d447e36 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:11 -0500
Subject: [PATCH 114/154] New translations en-us.json (Italian)

---
 messages/it-IT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/it-IT.json b/messages/it-IT.json
index c9c3dc5a..2ca14b0d 100644
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
     "idpUpdatedDescription": "Provider di identità aggiornato con successo",
     "redirectUrl": "URL di Reindirizzamento",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Reindirizza URL",
     "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
     "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
     "pangolinAuth": "Autenticazione - Pangolina",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Accetto i",
         "termsOfService": "termini di servizio",
         "and": "e",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "informativa sulla privacy."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Inserisci conferma",
     "blueprintViewDetails": "Dettagli",
     "defaultIdentityProvider": "Provider di Identità Predefinito",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
     "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
     "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
     "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",

From f75b9c6c863252dabacdddf9d8c1e43d0f19016e Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:13 -0500
Subject: [PATCH 115/154] New translations en-us.json (Korean)

---
 messages/ko-KR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ko-KR.json b/messages/ko-KR.json
index 7c0cf028..83d8ae36 100644
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
     "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
     "redirectUrl": "리디렉션 URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "리디렉션 URL",
     "redirectUrlAbout": "리디렉션 URL에 대한 정보",
     "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
     "pangolinAuth": "인증 - 판골린",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "동의합니다",
         "termsOfService": "서비스 약관",
         "and": "및",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "개인 정보 보호 정책."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "확인 입력",
     "blueprintViewDetails": "세부 정보",
     "defaultIdentityProvider": "기본 아이덴티티 공급자",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
     "editInternalResourceDialogNetworkSettings": "네트워크 설정",
     "editInternalResourceDialogAccessPolicy": "액세스 정책",
     "editInternalResourceDialogAddRoles": "역할 추가",

From 00f84c9d8ea839278c1173b58d435db68189bc65 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:14 -0500
Subject: [PATCH 116/154] New translations en-us.json (Dutch)

---
 messages/nl-NL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nl-NL.json b/messages/nl-NL.json
index 0c6b003d..5057a53b 100644
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Toegang voor een organisatie configureren",
     "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
     "redirectUrl": "Omleidings URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL's omleiden",
     "redirectUrlAbout": "Over omleidings-URL",
     "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
     "pangolinAuth": "Authenticatie - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Ik ga akkoord met de",
         "termsOfService": "servicevoorwaarden",
         "and": "en",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "privacy beleid"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Bevestiging invoeren",
     "blueprintViewDetails": "Details",
     "defaultIdentityProvider": "Standaard Identiteitsprovider",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
     "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
     "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
     "editInternalResourceDialogAddRoles": "Rollen toevoegen",

From f1f7e438b4b805569a823de2a4a8ea7c2ebadbc9 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:15 -0500
Subject: [PATCH 117/154] New translations en-us.json (Polish)

---
 messages/pl-PL.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pl-PL.json b/messages/pl-PL.json
index 81af7362..e01d64ca 100644
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
     "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
     "redirectUrl": "URL przekierowania",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Przekieruj adresy URL",
     "redirectUrlAbout": "O URL przekierowania",
     "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
     "pangolinAuth": "Autoryzacja - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Zgadzam się z",
         "termsOfService": "warunkami usługi",
         "and": "oraz",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "polityka prywatności."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Wprowadź potwierdzenie",
     "blueprintViewDetails": "Szczegóły",
     "defaultIdentityProvider": "Domyślny dostawca tożsamości",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
     "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
     "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
     "editInternalResourceDialogAddRoles": "Dodaj role",

From 481beff0287cbd70e8ffa5ead554a0e3b335d51b Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:16 -0500
Subject: [PATCH 118/154] New translations en-us.json (Portuguese)

---
 messages/pt-PT.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/pt-PT.json b/messages/pt-PT.json
index 2156cde6..2f4b5e79 100644
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurar acesso para uma organização",
     "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
     "redirectUrl": "URL de Redirecionamento",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Redirecionar URLs",
     "redirectUrlAbout": "Sobre o URL de Redirecionamento",
     "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
     "pangolinAuth": "Autenticação - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Concordo com",
         "termsOfService": "os termos de serviço",
         "and": "e",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "política de privacidade."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Inserir confirmação",
     "blueprintViewDetails": "Detalhes",
     "defaultIdentityProvider": "Provedor de Identidade Padrão",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
     "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
     "editInternalResourceDialogAccessPolicy": "Política de Acesso",
     "editInternalResourceDialogAddRoles": "Adicionar Funções",

From 493a5ad02ab951711227577a8bb6be4ef2902848 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:18 -0500
Subject: [PATCH 119/154] New translations en-us.json (Russian)

---
 messages/ru-RU.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/ru-RU.json b/messages/ru-RU.json
index ad34890e..f93b599a 100644
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Настроить доступ для организации",
     "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
     "redirectUrl": "URL редиректа",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Перенаправление URL",
     "redirectUrlAbout": "О редиректе URL",
     "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
     "pangolinAuth": "Аутентификация - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Я согласен с",
         "termsOfService": "условия использования",
         "and": "и",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "политика конфиденциальности."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Введите подтверждение",
     "blueprintViewDetails": "Подробности",
     "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
     "editInternalResourceDialogNetworkSettings": "Настройки сети",
     "editInternalResourceDialogAccessPolicy": "Политика доступа",
     "editInternalResourceDialogAddRoles": "Добавить роли",

From d14dfbf360cec7f28c1886770da0da0323a606f2 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:19 -0500
Subject: [PATCH 120/154] New translations en-us.json (Turkish)

---
 messages/tr-TR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/tr-TR.json b/messages/tr-TR.json
index 03f8b12d..bbc6bbdf 100644
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
     "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
     "redirectUrl": "Yönlendirme URL'si",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Yönlendirme URL'leri",
     "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
     "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
     "pangolinAuth": "Yetkilendirme - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Kabul ediyorum",
         "termsOfService": "hizmet şartları",
         "and": "ve",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "gizlilik politikası."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Onayı girin",
     "blueprintViewDetails": "Detaylar",
     "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
     "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
     "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
     "editInternalResourceDialogAddRoles": "Roller Ekle",

From 5eb4691973fddb191ea16f7a7e276325447624c0 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:20 -0500
Subject: [PATCH 121/154] New translations en-us.json (Chinese Simplified)

---
 messages/zh-CN.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/zh-CN.json b/messages/zh-CN.json
index 3fe5f0a7..6b487f8f 100644
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "配置组织访问权限",
     "idpUpdatedDescription": "身份提供商更新成功",
     "redirectUrl": "重定向网址",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "重定向URL",
     "redirectUrlAbout": "关于重定向网址",
     "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
     "pangolinAuth": "认证 - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "我同意",
         "termsOfService": "服务条款",
         "and": "和",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "隐私政策。"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "输入确认",
     "blueprintViewDetails": "详细信息",
     "defaultIdentityProvider": "默认身份提供商",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
     "editInternalResourceDialogNetworkSettings": "网络设置",
     "editInternalResourceDialogAccessPolicy": "访问策略",
     "editInternalResourceDialogAddRoles": "添加角色",

From 4183067c772d0d88433b402c0c0394217ddaf1fa Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:22 -0500
Subject: [PATCH 122/154] New translations en-us.json (Norwegian Bokmal)

---
 messages/nb-NO.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/nb-NO.json b/messages/nb-NO.json
index 00881d9c..94b51c65 100644
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
     "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
     "redirectUrl": "Omdirigerings-URL",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "Omadressere URL'er",
     "redirectUrlAbout": "Om omdirigerings-URL",
     "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
     "pangolinAuth": "Autentisering - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Jeg godtar",
         "termsOfService": "brukervilkårene",
         "and": "og",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "retningslinjer for personvern"
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Skriv inn bekreftelse",
     "blueprintViewDetails": "Detaljer",
     "defaultIdentityProvider": "Standard identitetsleverandør",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
     "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
     "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
     "editInternalResourceDialogAddRoles": "Legg til roller",

From 2ca400ab16d69087671d931717380ed1ef4a88b5 Mon Sep 17 00:00:00 2001
From: Owen Schwartz <owen@txv.io>
Date: Wed, 24 Dec 2025 16:09:23 -0500
Subject: [PATCH 123/154] New translations en-us.json (French)

---
 messages/fr-FR.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/messages/fr-FR.json b/messages/fr-FR.json
index cf686fee..2447dd93 100644
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -850,7 +850,7 @@
     "orgPolicyConfig": "Configurer l'accès pour une organisation",
     "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
     "redirectUrl": "URL de redirection",
-    "orgIdpRedirectUrls": "Redirect URLs",
+    "orgIdpRedirectUrls": "URL de redirection",
     "redirectUrlAbout": "À propos de l'URL de redirection",
     "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
     "pangolinAuth": "Auth - Pangolin",
@@ -1480,7 +1480,7 @@
         "IAgreeToThe": "Je suis d'accord avec",
         "termsOfService": "les conditions d'utilisation",
         "and": "et",
-        "privacyPolicy": "privacy policy."
+        "privacyPolicy": "politique de confidentialité."
     },
     "signUpMarketing": {
         "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."
@@ -2350,7 +2350,7 @@
     "enterConfirmation": "Entrez la confirmation",
     "blueprintViewDetails": "Détails",
     "defaultIdentityProvider": "Fournisseur d'identité par défaut",
-    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
+    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
     "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
     "editInternalResourceDialogAccessPolicy": "Politique d'accès",
     "editInternalResourceDialogAddRoles": "Ajouter des rôles",

From 9d849a0ceddad28fa3018332a990851157741eda Mon Sep 17 00:00:00 2001
From: ruxenburg <113439172+ruxenburg@users.noreply.github.com>
Date: Sat, 27 Dec 2025 03:20:09 +0100
Subject: [PATCH 124/154] Fix confirm delete button to require confirmation
 text before enabling it.

---
 src/components/ConfirmDeleteDialog.tsx | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/components/ConfirmDeleteDialog.tsx b/src/components/ConfirmDeleteDialog.tsx
index 86b25bb2..0c5d5107 100644
--- a/src/components/ConfirmDeleteDialog.tsx
+++ b/src/components/ConfirmDeleteDialog.tsx
@@ -63,6 +63,9 @@ export default function ConfirmDeleteDialog({
         }
     });
 
+    const confirmText = form.watch("string");
+    const isConfirmed = confirmText === string;
+
     async function onSubmit() {
         try {
             await onConfirm();
@@ -139,7 +142,8 @@ export default function ConfirmDeleteDialog({
                             type="submit"
                             form="confirm-delete-form"
                             loading={loading}
-                            disabled={loading}
+                            disabled={loading || !isConfirmed}
+                            className={!isConfirmed && !loading ? "opacity-50 cursor-not-allowed" : ""}
                         >
                             {buttonText}
                         </Button>

From 9467e6c0325fc416275db741f62ac7d47dc22685 Mon Sep 17 00:00:00 2001
From: ruxenburg <113439172+ruxenburg@users.noreply.github.com>
Date: Sat, 27 Dec 2025 03:39:22 +0100
Subject: [PATCH 125/154] improve delete confirmation logic

---
 src/components/ConfirmDeleteDialog.tsx | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/components/ConfirmDeleteDialog.tsx b/src/components/ConfirmDeleteDialog.tsx
index 0c5d5107..4c5c6ad6 100644
--- a/src/components/ConfirmDeleteDialog.tsx
+++ b/src/components/ConfirmDeleteDialog.tsx
@@ -63,8 +63,7 @@ export default function ConfirmDeleteDialog({
         }
     });
 
-    const confirmText = form.watch("string");
-    const isConfirmed = confirmText === string;
+    const isConfirmed = form.watch("string") === string;
 
     async function onSubmit() {
         try {
@@ -143,7 +142,7 @@ export default function ConfirmDeleteDialog({
                             form="confirm-delete-form"
                             loading={loading}
                             disabled={loading || !isConfirmed}
-                            className={!isConfirmed && !loading ? "opacity-50 cursor-not-allowed" : ""}
+                            className={!isConfirmed && !loading ? "opacity-50" : ""}
                         >
                             {buttonText}
                         </Button>

From a499ebc158fd3fa0f1f8d1bfd9665562cd010661 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Mon, 29 Dec 2025 10:17:26 -0500
Subject: [PATCH 126/154] add badger to dyn config example

---
 config/traefik/dynamic_config.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/config/traefik/dynamic_config.yml b/config/traefik/dynamic_config.yml
index 8465a9cf..c098ee4f 100644
--- a/config/traefik/dynamic_config.yml
+++ b/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
   middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
     redirect-to-https:
       redirectScheme:
         scheme: https
@@ -13,6 +17,7 @@ http:
         - web
       middlewares:
         - redirect-to-https
+        - badger
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
@@ -21,6 +26,8 @@ http:
       priority: 10
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -31,6 +38,8 @@ http:
       priority: 100
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 

From 0eb39abdb45ebba2385a3c1adf1aa723916e78ed Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 29 Dec 2025 10:22:06 -0500
Subject: [PATCH 127/154] Set hc to unknown when changing to local site

Fixes #2181
---
 server/routers/target/updateTarget.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/routers/target/updateTarget.ts b/server/routers/target/updateTarget.ts
index b00340ee..c5321e98 100644
--- a/server/routers/target/updateTarget.ts
+++ b/server/routers/target/updateTarget.ts
@@ -213,9 +213,11 @@ export async function updateTarget(
 
         // When health check is disabled, reset hcHealth to "unknown"
         // to prevent previously unhealthy targets from being excluded
+        // Also when the site is not a newt, set hcHealth to "unknown"
         const hcHealthValue =
             parsedBody.data.hcEnabled === false ||
-            parsedBody.data.hcEnabled === null
+            parsedBody.data.hcEnabled === null ||
+            site.type !== "newt"
                 ? "unknown"
                 : undefined;
 

From 87807e22e0f23aa8f539762a65e7a465d5e2f85a Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 29 Dec 2025 10:48:39 -0500
Subject: [PATCH 128/154] Add encoded chars to default traefik config

Closes #2176
---
 install/config/traefik/traefik_config.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/install/config/traefik/traefik_config.yml b/install/config/traefik/traefik_config.yml
index a9693ce6..0709b461 100644
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -43,9 +43,12 @@ entryPoints:
     http:
       tls:
         certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
 
 ping:
-  entryPoint: "web"
\ No newline at end of file
+  entryPoint: "web"

From 8a08bdf9f06b6efa60c31684d930ad4470b23476 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 29 Dec 2025 12:29:27 -0500
Subject: [PATCH 129/154] Add OCI labels

Fixes #2170
---
 Dockerfile   |  23 ++++++
 Makefile     | 193 +++++++++++++++++++++++++++++++++++++++++++++++++--
 package.json |   2 +-
 3 files changed, 210 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c59490b6..3d0a0f68 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,20 @@
 FROM node:24-alpine AS builder
 
+# OCI Image Labels - Build Args for dynamic values
+ARG VERSION="dev"
+ARG REVISION=""
+ARG CREATED=""
+ARG LICENSE="AGPL-3.0"
+
 WORKDIR /app
 
 ARG BUILD=oss
 ARG DATABASE=sqlite
 
+# Derive title and description based on BUILD type
+ARG IMAGE_TITLE="Pangolin"
+ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 RUN apk add --no-cache curl tzdata python3 make g++
 
 # COPY package.json package-lock.json ./
@@ -69,4 +79,17 @@ RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 COPY server/db/names.json ./dist/names.json
 COPY public ./public
 
+# OCI Image Labels
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.documentation="https://docs.pangolin.net" \
+      org.opencontainers.image.vendor="Fossorial" \
+      org.opencontainers.image.licenses="${LICENSE}" \
+      org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${REVISION}" \
+      org.opencontainers.image.created="${CREATED}"
+
 CMD ["npm", "run", "start"]
diff --git a/Makefile b/Makefile
index ae31f50c..13dc601f 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,25 @@
 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
 
+# OCI label variables
+CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
+
+# Common OCI build args for OSS builds
+OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg IMAGE_TITLE="Pangolin" \
+	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+# Common OCI build args for Enterprise builds
+OCI_ARGS_EE = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg LICENSE="Fossorial Commercial" \
+	--build-arg IMAGE_TITLE="Pangolin EE" \
+	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
 
 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
@@ -15,6 +34,7 @@ build-sqlite:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
@@ -30,6 +50,7 @@ build-postgresql:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
@@ -45,6 +66,7 @@ build-ee-sqlite:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
@@ -60,6 +82,7 @@ build-ee-postgresql:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -74,9 +97,16 @@ build-release-arm:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:latest-arm64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
@@ -86,6 +116,11 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-latest-arm64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
@@ -95,6 +130,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-latest-arm64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
@@ -104,6 +145,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
@@ -118,9 +165,16 @@ build-release-amd:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:latest-amd64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
@@ -130,6 +184,11 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
@@ -139,6 +198,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest-amd64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
@@ -148,6 +213,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
@@ -201,27 +272,51 @@ build-rc:
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
@@ -231,27 +326,51 @@ build-rc-arm:
 		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
@@ -261,27 +380,51 @@ build-rc-amd:
 		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
@@ -314,16 +457,52 @@ create-manifests-rc:
 	echo "All RC multi-arch manifests created successfully!"
 
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		-t fosrl/pangolin:latest .
 
 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		-t fosrl/pangolin:latest .
 
 dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:latest .
 
 dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:postgresql-latest .
 
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest
diff --git a/package.json b/package.json
index af6a8dde..9d8c409b 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
     "version": "0.0.0",
     "private": true,
     "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
     "homepage": "https://github.com/fosrl/pangolin",
     "repository": {
         "type": "git",

From 6660c850f3b24b9b2466f1450143c92852e0ab2b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 31 Dec 2025 10:31:40 -0500
Subject: [PATCH 130/154] Try to bound logs

Ref #2120
---
 server/routers/badger/logRequestAudit.ts | 34 +++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/server/routers/badger/logRequestAudit.ts b/server/routers/badger/logRequestAudit.ts
index aade2f98..026ee4bb 100644
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -49,27 +49,43 @@ const auditLogBuffer: Array<{
 
 const BATCH_SIZE = 100; // Write to DB every 100 logs
 const BATCH_INTERVAL_MS = 5000; // Or every 5 seconds, whichever comes first
+const MAX_BUFFER_SIZE = 10000; // Prevent unbounded memory growth
 let flushTimer: NodeJS.Timeout | null = null;
+let isFlushInProgress = false;
 
 /**
  * Flush buffered logs to database
  */
 async function flushAuditLogs() {
-    if (auditLogBuffer.length === 0) {
+    if (auditLogBuffer.length === 0 || isFlushInProgress) {
         return;
     }
 
+    isFlushInProgress = true;
+
     // Take all current logs and clear buffer
     const logsToWrite = auditLogBuffer.splice(0, auditLogBuffer.length);
 
     try {
-        // Batch insert all logs at once
-        await db.insert(requestAuditLog).values(logsToWrite);
+        // Batch insert logs in groups of 25 to avoid overwhelming the database
+        const BATCH_DB_SIZE = 25;
+        for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
+            const batch = logsToWrite.slice(i, i + BATCH_DB_SIZE);
+            await db.insert(requestAuditLog).values(batch);
+        }
         logger.debug(`Flushed ${logsToWrite.length} audit logs to database`);
     } catch (error) {
         logger.error("Error flushing audit logs:", error);
         // On error, we lose these logs - consider a fallback strategy if needed
         // (e.g., write to file, or put back in buffer with retry limit)
+    } finally {
+        isFlushInProgress = false;
+        // If buffer filled up while we were flushing, flush again
+        if (auditLogBuffer.length >= BATCH_SIZE) {
+            flushAuditLogs().catch((err) =>
+                logger.error("Error in follow-up flush:", err)
+            );
+        }
     }
 }
 
@@ -95,6 +111,10 @@ export async function shutdownAuditLogger() {
         clearTimeout(flushTimer);
         flushTimer = null;
     }
+    // Force flush even if one is in progress by waiting and retrying
+    while (isFlushInProgress) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+    }
     await flushAuditLogs();
 }
 
@@ -212,6 +232,14 @@ export async function logRequestAudit(
             ? stripPortFromHost(body.requestIp)
             : undefined;
 
+        // Prevent unbounded buffer growth - drop oldest entries if buffer is too large
+        if (auditLogBuffer.length >= MAX_BUFFER_SIZE) {
+            const dropped = auditLogBuffer.splice(0, BATCH_SIZE);
+            logger.warn(
+                `Audit log buffer exceeded max size (${MAX_BUFFER_SIZE}), dropped ${dropped.length} oldest entries`
+            );
+        }
+
         // Add to buffer instead of writing directly to DB
         auditLogBuffer.push({
             timestamp,

From f7fcde8312063c534345f9674a8018867dbbe287 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Wed, 31 Dec 2025 10:40:16 -0500
Subject: [PATCH 131/154] Add max recursion depth to matchSegments

---
 server/routers/badger/verifySession.ts | 27 ++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index 0da83c03..8dee788a 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -1035,14 +1035,25 @@ export function isPathAllowed(pattern: string, path: string): boolean {
     logger.debug(`Normalized pattern parts: [${patternParts.join(", ")}]`);
     logger.debug(`Normalized path parts: [${pathParts.join(", ")}]`);
 
+    // Maximum recursion depth to prevent stack overflow and memory issues
+    const MAX_RECURSION_DEPTH = 100;
+
     // Recursive function to try different wildcard matches
-    function matchSegments(patternIndex: number, pathIndex: number): boolean {
-        const indent = "  ".repeat(pathIndex); // Indent based on recursion depth
+    function matchSegments(patternIndex: number, pathIndex: number, depth: number = 0): boolean {
+        // Check recursion depth limit
+        if (depth > MAX_RECURSION_DEPTH) {
+            logger.warn(
+                `Path matching exceeded maximum recursion depth (${MAX_RECURSION_DEPTH}) for pattern "${pattern}" and path "${path}"`
+            );
+            return false;
+        }
+
+        const indent = "  ".repeat(depth); // Indent based on recursion depth
         const currentPatternPart = patternParts[patternIndex];
         const currentPathPart = pathParts[pathIndex];
 
         logger.debug(
-            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"})`
+            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"}) [depth=${depth}]`
         );
 
         // If we've consumed all pattern parts, we should have consumed all path parts
@@ -1075,7 +1086,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             logger.debug(
                 `${indent}Trying to skip wildcard (consume 0 segments)`
             );
-            if (matchSegments(patternIndex + 1, pathIndex)) {
+            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
                 logger.debug(
                     `${indent}Successfully matched by skipping wildcard`
                 );
@@ -1086,7 +1097,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             logger.debug(
                 `${indent}Trying to consume segment "${currentPathPart}" for wildcard`
             );
-            if (matchSegments(patternIndex, pathIndex + 1)) {
+            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
                 logger.debug(
                     `${indent}Successfully matched by consuming segment for wildcard`
                 );
@@ -1114,7 +1125,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
                 logger.debug(
                     `${indent}Segment with wildcard matches: "${currentPatternPart}" matches "${currentPathPart}"`
                 );
-                return matchSegments(patternIndex + 1, pathIndex + 1);
+                return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
             }
 
             logger.debug(
@@ -1135,10 +1146,10 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             `${indent}Segments match: "${currentPatternPart}" = "${currentPathPart}"`
         );
         // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1);
+        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
     }
 
-    const result = matchSegments(0, 0);
+    const result = matchSegments(0, 0, 0);
     logger.debug(`Final result: ${result}`);
     return result;
 }

From 9ed9472c017fcc610d0967c617f20ec9d5e0cf19 Mon Sep 17 00:00:00 2001
From: Jack Myers <jmyers@jackmyers.one>
Date: Fri, 2 Jan 2026 15:53:01 +0800
Subject: [PATCH 132/154] Fix spelling mistake in installer version prompt

---
 install/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/main.go b/install/main.go
index de001df2..a231da2d 100644
--- a/install/main.go
+++ b/install/main.go
@@ -340,7 +340,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
 
-	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for persoal use or for businesses making less than 100k USD annually.")
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
 
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 

From a6db4f20add9d05cf362092235fd34ed594527b2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 10:33:50 -0500
Subject: [PATCH 133/154] Expand where org id is pulled for subscription

---
 server/private/middlewares/verifySubscription.ts | 13 ++++++++++++-
 server/private/routers/external.ts               |  4 ++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/server/private/middlewares/verifySubscription.ts b/server/private/middlewares/verifySubscription.ts
index 5249c026..8cda737e 100644
--- a/server/private/middlewares/verifySubscription.ts
+++ b/server/private/middlewares/verifySubscription.ts
@@ -27,7 +27,18 @@ export async function verifyValidSubscription(
             return next();
         }
 
-        const tier = await getOrgTierData(req.params.orgId);
+        const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Organization ID is required to verify subscription"
+                )
+            );
+        }
+
+        const tier = await getOrgTierData(orgId);
 
         if (!tier.active) {
             return next(
diff --git a/server/private/routers/external.ts b/server/private/routers/external.ts
index d9608e21..97c6db9f 100644
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -436,18 +436,18 @@ authenticated.get(
 
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
+    verifyClientAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifyClientAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateClientSecret
 );
 
 authenticated.post(
     "/re-key/:siteId/regenerate-site-secret",
+    verifySiteAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifySiteAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateSiteSecret
 );

From d333cb5199a6dbccc82c68b35770598b575b7780 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 29 Dec 2025 10:48:39 -0500
Subject: [PATCH 134/154] Add encoded chars to default traefik config

Closes #2176
---
 install/config/traefik/traefik_config.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/install/config/traefik/traefik_config.yml b/install/config/traefik/traefik_config.yml
index a9693ce6..0709b461 100644
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -43,9 +43,12 @@ entryPoints:
     http:
       tls:
         certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
 
 ping:
-  entryPoint: "web"
\ No newline at end of file
+  entryPoint: "web"

From e42a732e93e424ac80c6535aafc324731c39d074 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 11:16:30 -0500
Subject: [PATCH 135/154] Add saas workflow

---
 .github/workflows/saas.yml | 124 +++++++++++++++++++++++++++++++++++++
 Makefile                   |  12 ++++
 2 files changed, 136 insertions(+)
 create mode 100644 .github/workflows/saas.yml

diff --git a/.github/workflows/saas.yml b/.github/workflows/saas.yml
new file mode 100644
index 00000000..28d29293
--- /dev/null
+++ b/.github/workflows/saas.yml
@@ -0,0 +1,124 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"
diff --git a/Makefile b/Makefile
index ae31f50c..5df500c4 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 
+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag)
+		--push .
+
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \

From 24e8455c7339ad6bce317aeee8830b02b4289b37 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 11:20:25 -0500
Subject: [PATCH 136/154] Remove aws cli call

---
 .github/workflows/saas.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/saas.yml b/.github/workflows/saas.yml
index 28d29293..98b43953 100644
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -75,9 +75,6 @@ jobs:
                   role-duration-seconds: 3600
                   aws-region: ${{ secrets.AWS_REGION }}
 
-            - name: Verify AWS identity
-              run: aws sts get-caller-identity
-
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

From 1e0b1a360730aeaf6e680cf71c884f1da8095da3 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 11:23:10 -0500
Subject: [PATCH 137/154] Add missing \

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 5df500c4..1e96de75 100644
--- a/Makefile
+++ b/Makefile
@@ -76,7 +76,7 @@ build-saas:
 		--build-arg BUILD=saas \
 		--build-arg DATABASE=pg \
 		--platform linux/arm64 \
-		--tag $(AWS_IMAGE):$(tag)
+		--tag $(AWS_IMAGE):$(tag) \
 		--push .
 
 build-release-arm:

From 20088ef82b028997b013aa2a5e309a614936dd4f Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 11:31:29 -0500
Subject: [PATCH 138/154] Log in to ecr

---
 .github/workflows/saas.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/saas.yml b/.github/workflows/saas.yml
index 98b43953..0c36de25 100644
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -75,6 +75,10 @@ jobs:
                   role-duration-seconds: 3600
                   aws-region: ${{ secrets.AWS_REGION }}
 
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
             - name: Extract tag name
               id: get-tag
               run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

From 53e7b9960537d5e9d0c3cdec87f459685693d525 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 21:24:46 -0500
Subject: [PATCH 139/154] Quiet up logs

---
 server/private/lib/traefik/getTraefikConfig.ts | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts
index 18410e62..f0343c5d 100644
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -456,11 +456,11 @@ export async function getTraefikConfig(
                     // );
                 } else if (resource.maintenanceModeType === "automatic") {
                     showMaintenancePage = !hasHealthyServers;
-                    if (showMaintenancePage) {
-                        logger.warn(
-                            `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
-                        );
-                    }
+                    // if (showMaintenancePage) {
+                    //     logger.warn(
+                    //         `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
+                    //     );
+                    // }
                 }
             }
 

From 9ec94441f30f451c9f96814f3538b85ef73b11e0 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 5 Jan 2026 21:46:38 -0500
Subject: [PATCH 140/154] Try to open apps

---
 messages/en-US.json                        |  2 +-
 src/app/auth/login/device/success/page.tsx | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 8b04e4ea..b7ff25dd 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2244,7 +2244,7 @@
     "deviceOrganizationsAccess": "Access to all organizations your account has access to",
     "deviceAuthorize": "Authorize {applicationName}",
     "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "View Devices",
     "viewDevicesDescription": "Manage your connected devices",
diff --git a/src/app/auth/login/device/success/page.tsx b/src/app/auth/login/device/success/page.tsx
index f725a867..49261cb6 100644
--- a/src/app/auth/login/device/success/page.tsx
+++ b/src/app/auth/login/device/success/page.tsx
@@ -7,6 +7,7 @@ import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { CheckCircle2 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
+import { useEffect } from "react";
 
 export default function DeviceAuthSuccessPage() {
     const { env } = useEnvContext();
@@ -20,6 +21,29 @@ export default function DeviceAuthSuccessPage() {
         ? env.branding.logo?.authPage?.height || 58
         : 58;
 
+    useEffect(() => {
+        // Detect if we're on iOS or Android
+        const userAgent = navigator.userAgent || navigator.vendor || (window as any).opera;
+        const isIOS = /iPad|iPhone|iPod/.test(userAgent) && !(window as any).MSStream;
+        const isAndroid = /android/i.test(userAgent);
+
+        if (isIOS || isAndroid) {
+            // Wait 500ms then attempt to open the app
+            setTimeout(() => {
+                // Try to open the app using deep link
+                window.location.href = "pangolin://";
+
+                setTimeout(() => {
+                    if (isIOS) {
+                        window.location.href = "https://apps.apple.com/app/pangolin/net.pangolin.Pangolin.PangoliniOS";
+                    } else if (isAndroid) {
+                        window.location.href = "https://play.google.com/store/apps/details?id=net.pangolin.Pangolin";
+                    }
+                }, 2000);
+            }, 500);
+        }
+    }, []);
+
     return (
         <>
             <Card>

From 168ce549f7a0099ee4fa3bf985b5ff1e2a838620 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Tue, 6 Jan 2026 13:20:09 -0500
Subject: [PATCH 141/154] remove guards form list idp for integration api

---
 server/routers/integration.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 4250458a..9db5fe71 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -751,9 +751,10 @@ authenticated.post(
 );
 
 authenticated.get(
-    "/idp",
-    verifyApiKeyIsRoot,
-    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    "/idp", // no guards on this because anyone can list idps for login purposes
+    // we do the same for the external api
+    // verifyApiKeyIsRoot,
+    // verifyApiKeyHasAction(ActionsEnum.listIdps),
     idp.listIdps
 );
 

From 57681dcd3d6e405ba378e11419481687a98147f5 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Wed, 7 Jan 2026 12:06:50 -0800
Subject: [PATCH 142/154] remove artificial delay

---
 src/components/DeviceLoginForm.tsx | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/components/DeviceLoginForm.tsx b/src/components/DeviceLoginForm.tsx
index 1eeeb5ae..777c1c03 100644
--- a/src/components/DeviceLoginForm.tsx
+++ b/src/components/DeviceLoginForm.tsx
@@ -85,8 +85,6 @@ export default function DeviceLoginForm({
                 data.code = data.code.slice(0, 4) + "-" + data.code.slice(4);
             }
 
-            await new Promise((resolve) => setTimeout(resolve, 300));
-
             // First check - get metadata
             const res = await api.post(
                 "/device-web-auth/verify?forceLogin=true",
@@ -117,8 +115,6 @@ export default function DeviceLoginForm({
         setLoading(true);
 
         try {
-            await new Promise((resolve) => setTimeout(resolve, 300));
-
             // Final verify
             await api.post("/device-web-auth/verify", {
                 code: code,

From 2810632f4afa25d02e5057d123b8a0694436b176 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Wed, 7 Jan 2026 20:40:59 -0800
Subject: [PATCH 143/154] add flag to enable org only idp in ee

---
 server/private/lib/config.ts                  |  4 ++
 server/private/lib/readConfigFile.ts          |  3 +-
 .../loginPage/upsertLoginPageBranding.ts      |  7 +++-
 .../[orgId]/settings/(private)/idp/layout.tsx | 18 ++++++++
 src/app/[orgId]/settings/layout.tsx           |  2 +-
 .../proxy/[niceId]/authentication/page.tsx    |  9 ++--
 src/app/admin/layout.tsx                      |  5 ++-
 src/app/auth/login/page.tsx                   |  4 +-
 src/app/auth/org/[orgId]/page.tsx             | 41 +++++++++----------
 src/app/auth/org/page.tsx                     |  6 +--
 src/app/auth/resource/[resourceGuid]/page.tsx |  2 +-
 src/app/navigation.tsx                        | 27 ++++++------
 src/components/AuthPageBrandingForm.tsx       |  6 ++-
 src/lib/pullEnv.ts                            |  4 +-
 src/lib/queries.ts                            | 15 ++++++-
 src/lib/types/env.ts                          |  1 +
 16 files changed, 101 insertions(+), 53 deletions(-)
 create mode 100644 src/app/[orgId]/settings/(private)/idp/layout.tsx

diff --git a/server/private/lib/config.ts b/server/private/lib/config.ts
index 97baf1e0..ae9ca5c7 100644
--- a/server/private/lib/config.ts
+++ b/server/private/lib/config.ts
@@ -139,6 +139,10 @@ export class PrivateConfig {
             process.env.USE_PANGOLIN_DNS =
                 this.rawPrivateConfig.flags.use_pangolin_dns.toString();
         }
+        if (this.rawPrivateConfig.flags.use_org_only_idp) {
+            process.env.USE_ORG_ONLY_IDP =
+                this.rawPrivateConfig.flags.use_org_only_idp.toString();
+        }
     }
 
     public getRawPrivateConfig() {
diff --git a/server/private/lib/readConfigFile.ts b/server/private/lib/readConfigFile.ts
index c986e62d..374dee7c 100644
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -83,7 +83,8 @@ export const privateConfigSchema = z.object({
     flags: z
         .object({
             enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false)
+            use_pangolin_dns: z.boolean().optional().default(false),
+            use_org_only_idp: z.boolean().optional().default(false)
         })
         .optional()
         .prefault({}),
diff --git a/server/private/routers/loginPage/upsertLoginPageBranding.ts b/server/private/routers/loginPage/upsertLoginPageBranding.ts
index f9f9d08c..4e2b666b 100644
--- a/server/private/routers/loginPage/upsertLoginPageBranding.ts
+++ b/server/private/routers/loginPage/upsertLoginPageBranding.ts
@@ -28,6 +28,7 @@ import { eq, InferInsertModel } from "drizzle-orm";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
+import config from "@server/private/lib/config";
 
 const paramsSchema = z.strictObject({
     orgId: z.string()
@@ -94,8 +95,10 @@ export async function upsertLoginPageBranding(
             typeof loginPageBranding
         >;
 
-        if (build !== "saas") {
-            // org branding settings are only considered in the saas build
+        if (
+            build !== "saas" &&
+            !config.getRawPrivateConfig().flags.use_org_only_idp
+        ) {
             const { orgTitle, orgSubtitle, ...rest } = updateData;
             updateData = rest;
         }
diff --git a/src/app/[orgId]/settings/(private)/idp/layout.tsx b/src/app/[orgId]/settings/(private)/idp/layout.tsx
new file mode 100644
index 00000000..dcb73afb
--- /dev/null
+++ b/src/app/[orgId]/settings/(private)/idp/layout.tsx
@@ -0,0 +1,18 @@
+import { pullEnv } from "@app/lib/pullEnv";
+import { build } from "@server/build";
+import { redirect } from "next/navigation";
+
+interface LayoutProps {
+    children: React.ReactNode;
+    params: Promise<{}>;
+}
+
+export default async function Layout(props: LayoutProps) {
+    const env = pullEnv();
+
+    if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
+        redirect("/");
+    }
+
+    return props.children;
+}
diff --git a/src/app/[orgId]/settings/layout.tsx b/src/app/[orgId]/settings/layout.tsx
index 8f44c23c..34ed3ac2 100644
--- a/src/app/[orgId]/settings/layout.tsx
+++ b/src/app/[orgId]/settings/layout.tsx
@@ -82,7 +82,7 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
             <Layout
                 orgId={params.orgId}
                 orgs={orgs}
-                navItems={orgNavSections()}
+                navItems={orgNavSections(env)}
             >
                 {children}
             </Layout>
diff --git a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
index 968b2700..f021076f 100644
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
@@ -36,8 +36,8 @@ import {
 import type { ResourceContextType } from "@app/contexts/resourceContext";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useOrgContext } from "@app/hooks/useOrgContext";
+import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { useResourceContext } from "@app/hooks/useResourceContext";
-import { useSubscriptionStatusContext } from "@app/hooks/useSubscriptionStatusContext";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { orgQueries, resourceQueries } from "@app/lib/queries";
@@ -95,7 +95,7 @@ export default function ResourceAuthenticationPage() {
     const router = useRouter();
     const t = useTranslations();
 
-    const subscription = useSubscriptionStatusContext();
+    const { isPaidUser } = usePaidStatus();
 
     const queryClient = useQueryClient();
     const { data: resourceRoles = [], isLoading: isLoadingResourceRoles } =
@@ -129,7 +129,8 @@ export default function ResourceAuthenticationPage() {
     );
     const { data: orgIdps = [], isLoading: isLoadingOrgIdps } = useQuery(
         orgQueries.identityProviders({
-            orgId: org.org.orgId
+            orgId: org.org.orgId,
+            useOrgOnlyIdp: env.flags.useOrgOnlyIdp
         })
     );
 
@@ -159,7 +160,7 @@ export default function ResourceAuthenticationPage() {
 
     const allIdps = useMemo(() => {
         if (build === "saas") {
-            if (subscription?.subscribed) {
+            if (isPaidUser) {
                 return orgIdps.map((idp) => ({
                     id: idp.idpId,
                     text: idp.name
diff --git a/src/app/admin/layout.tsx b/src/app/admin/layout.tsx
index 060f18ac..44d85b99 100644
--- a/src/app/admin/layout.tsx
+++ b/src/app/admin/layout.tsx
@@ -11,6 +11,7 @@ import { AxiosResponse } from "axios";
 import { authCookieHeader } from "@app/lib/api/cookies";
 import { Layout } from "@app/components/Layout";
 import { adminNavSections } from "../navigation";
+import { pullEnv } from "@app/lib/pullEnv";
 
 export const dynamic = "force-dynamic";
 
@@ -27,6 +28,8 @@ export default async function AdminLayout(props: LayoutProps) {
     const getUser = cache(verifySession);
     const user = await getUser();
 
+    const env = pullEnv();
+
     if (!user || !user.serverAdmin) {
         redirect(`/`);
     }
@@ -48,7 +51,7 @@ export default async function AdminLayout(props: LayoutProps) {
 
     return (
         <UserProvider user={user}>
-            <Layout orgs={orgs} navItems={adminNavSections}>
+            <Layout orgs={orgs} navItems={adminNavSections(env)}>
                 {props.children}
             </Layout>
         </UserProvider>
diff --git a/src/app/auth/login/page.tsx b/src/app/auth/login/page.tsx
index bd6327fd..fb327af5 100644
--- a/src/app/auth/login/page.tsx
+++ b/src/app/auth/login/page.tsx
@@ -70,7 +70,7 @@ export default async function Page(props: {
     }
 
     let loginIdps: LoginFormIDP[] = [];
-    if (build !== "saas") {
+    if (build === "oss" || !env.flags.useOrgOnlyIdp) {
         const idpsRes = await cache(
             async () => await priv.get<AxiosResponse<ListIdpsResponse>>("/idp")
         )();
@@ -121,7 +121,7 @@ export default async function Page(props: {
                 </p>
             )}
 
-            {!isInvite && build === "saas" ? (
+            {!isInvite && (build === "saas" || env.flags.useOrgOnlyIdp) ? (
                 <div className="text-center text-muted-foreground mt-12 flex flex-col items-center">
                     <span>{t("needToSignInToOrg")}</span>
                     <Link
diff --git a/src/app/auth/org/[orgId]/page.tsx b/src/app/auth/org/[orgId]/page.tsx
index 1958a388..73e5f39b 100644
--- a/src/app/auth/org/[orgId]/page.tsx
+++ b/src/app/auth/org/[orgId]/page.tsx
@@ -11,6 +11,7 @@ import {
 } from "@server/routers/loginPage/types";
 import { redirect } from "next/navigation";
 import OrgLoginPage from "@app/components/OrgLoginPage";
+import { pullEnv } from "@app/lib/pullEnv";
 
 export const dynamic = "force-dynamic";
 
@@ -21,7 +22,9 @@ export default async function OrgAuthPage(props: {
     const searchParams = await props.searchParams;
     const params = await props.params;
 
-    if (build !== "saas") {
+    const env = pullEnv();
+
+    if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
         const queryString = new URLSearchParams(searchParams as any).toString();
         redirect(`/auth/login${queryString ? `?${queryString}` : ""}`);
     }
@@ -50,29 +53,25 @@ export default async function OrgAuthPage(props: {
     } catch (e) {}
 
     let loginIdps: LoginFormIDP[] = [];
-    if (build === "saas") {
-        const idpsRes = await priv.get<AxiosResponse<ListOrgIdpsResponse>>(
-            `/org/${orgId}/idp`
-        );
+    const idpsRes = await priv.get<AxiosResponse<ListOrgIdpsResponse>>(
+        `/org/${orgId}/idp`
+    );
 
-        loginIdps = idpsRes.data.data.idps.map((idp) => ({
-            idpId: idp.idpId,
-            name: idp.name,
-            variant: idp.variant
-        })) as LoginFormIDP[];
-    }
+    loginIdps = idpsRes.data.data.idps.map((idp) => ({
+        idpId: idp.idpId,
+        name: idp.name,
+        variant: idp.variant
+    })) as LoginFormIDP[];
 
     let branding: LoadLoginPageBrandingResponse | null = null;
-    if (build === "saas") {
-        try {
-            const res = await priv.get<
-                AxiosResponse<LoadLoginPageBrandingResponse>
-            >(`/login-page-branding?orgId=${orgId}`);
-            if (res.status === 200) {
-                branding = res.data.data;
-            }
-        } catch (error) {}
-    }
+    try {
+        const res = await priv.get<
+            AxiosResponse<LoadLoginPageBrandingResponse>
+        >(`/login-page-branding?orgId=${orgId}`);
+        if (res.status === 200) {
+            branding = res.data.data;
+        }
+    } catch (error) {}
 
     return (
         <OrgLoginPage
diff --git a/src/app/auth/org/page.tsx b/src/app/auth/org/page.tsx
index aee0ec40..8dd9c4a2 100644
--- a/src/app/auth/org/page.tsx
+++ b/src/app/auth/org/page.tsx
@@ -33,12 +33,12 @@ export default async function OrgAuthPage(props: {
     const forceLoginParam = searchParams.forceLogin;
     const forceLogin = forceLoginParam === "true";
 
-    if (build !== "saas") {
+    const env = pullEnv();
+
+    if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
         redirect("/");
     }
 
-    const env = pullEnv();
-
     const authHeader = await authCookieHeader();
 
     if (searchParams.token) {
diff --git a/src/app/auth/resource/[resourceGuid]/page.tsx b/src/app/auth/resource/[resourceGuid]/page.tsx
index e6d87075..e2e0330c 100644
--- a/src/app/auth/resource/[resourceGuid]/page.tsx
+++ b/src/app/auth/resource/[resourceGuid]/page.tsx
@@ -204,7 +204,7 @@ export default async function ResourceAuthPage(props: {
     }
 
     let loginIdps: LoginFormIDP[] = [];
-    if (build === "saas") {
+    if (build === "saas" || env.flags.useOrgOnlyIdp) {
         if (subscribed) {
             const idpsRes = await cache(
                 async () =>
diff --git a/src/app/navigation.tsx b/src/app/navigation.tsx
index 54576c0c..345b5a4c 100644
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -1,4 +1,5 @@
 import { SidebarNavItem } from "@app/components/SidebarNav";
+import { Env } from "@app/lib/types/env";
 import { build } from "@server/build";
 import {
     Settings,
@@ -39,7 +40,7 @@ export const orgLangingNavItems: SidebarNavItem[] = [
     }
 ];
 
-export const orgNavSections = (): SidebarNavSection[] => [
+export const orgNavSections = (env?: Env): SidebarNavSection[] => [
     {
         heading: "sidebarGeneral",
         items: [
@@ -92,8 +93,7 @@ export const orgNavSections = (): SidebarNavSection[] => [
                       {
                           title: "sidebarRemoteExitNodes",
                           href: "/{orgId}/settings/remote-exit-nodes",
-                          icon: <Server className="size-4 flex-none" />,
-                          showEE: true
+                          icon: <Server className="size-4 flex-none" />
                       }
                   ]
                 : [])
@@ -123,13 +123,12 @@ export const orgNavSections = (): SidebarNavSection[] => [
                 href: "/{orgId}/settings/access/roles",
                 icon: <Users className="size-4 flex-none" />
             },
-            ...(build == "saas"
+            ...(build == "saas" || env?.flags.useOrgOnlyIdp
                 ? [
                       {
                           title: "sidebarIdentityProviders",
                           href: "/{orgId}/settings/idp",
-                          icon: <Fingerprint className="size-4 flex-none" />,
-                          showEE: true
+                          icon: <Fingerprint className="size-4 flex-none" />
                       }
                   ]
                 : []),
@@ -228,7 +227,7 @@ export const orgNavSections = (): SidebarNavSection[] => [
     }
 ];
 
-export const adminNavSections: SidebarNavSection[] = [
+export const adminNavSections = (env?: Env): SidebarNavSection[] => [
     {
         heading: "sidebarAdmin",
         items: [
@@ -242,11 +241,15 @@ export const adminNavSections: SidebarNavSection[] = [
                 href: "/admin/api-keys",
                 icon: <KeyRound className="size-4 flex-none" />
             },
-            {
-                title: "sidebarIdentityProviders",
-                href: "/admin/idp",
-                icon: <Fingerprint className="size-4 flex-none" />
-            },
+            ...(build === "oss" || !env?.flags.useOrgOnlyIdp
+                ? [
+                      {
+                          title: "sidebarIdentityProviders",
+                          href: "/admin/idp",
+                          icon: <Fingerprint className="size-4 flex-none" />
+                      }
+                  ]
+                : []),
             ...(build == "enterprise"
                 ? [
                       {
diff --git a/src/components/AuthPageBrandingForm.tsx b/src/components/AuthPageBrandingForm.tsx
index 67e2232f..119a39cb 100644
--- a/src/components/AuthPageBrandingForm.tsx
+++ b/src/components/AuthPageBrandingForm.tsx
@@ -118,6 +118,7 @@ export default function AuthPageBrandingForm({
         const brandingData = form.getValues();
 
         if (!isValid || !isPaidUser) return;
+
         try {
             const updateRes = await api.put(
                 `/org/${orgId}/login-page-branding`,
@@ -289,7 +290,8 @@ export default function AuthPageBrandingForm({
                                     </div>
                                 </div>
 
-                                {build === "saas" && (
+                                {build === "saas" ||
+                                env.env.flags.useOrgOnlyIdp ? (
                                     <>
                                         <div className="mt-3 mb-6">
                                             <SettingsSectionTitle>
@@ -343,7 +345,7 @@ export default function AuthPageBrandingForm({
                                             />
                                         </div>
                                     </>
-                                )}
+                                ) : null}
 
                                 <div className="mt-3 mb-6">
                                     <SettingsSectionTitle>
diff --git a/src/lib/pullEnv.ts b/src/lib/pullEnv.ts
index ed0057de..319e08f0 100644
--- a/src/lib/pullEnv.ts
+++ b/src/lib/pullEnv.ts
@@ -63,7 +63,9 @@ export function pullEnv(): Env {
             disableProductHelpBanners:
                 process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS === "true"
                     ? true
-                    : false
+                    : false,
+            useOrgOnlyIdp:
+                process.env.USE_ORG_ONLY_IDP === "true" ? true : false
         },
 
         branding: {
diff --git a/src/lib/queries.ts b/src/lib/queries.ts
index 5ea3c2f2..2034bba8 100644
--- a/src/lib/queries.ts
+++ b/src/lib/queries.ts
@@ -157,7 +157,13 @@ export const orgQueries = {
                 return res.data.data.domains;
             }
         }),
-    identityProviders: ({ orgId }: { orgId: string }) =>
+    identityProviders: ({
+        orgId,
+        useOrgOnlyIdp
+    }: {
+        orgId: string;
+        useOrgOnlyIdp?: boolean;
+    }) =>
         queryOptions({
             queryKey: ["ORG", orgId, "IDPS"] as const,
             queryFn: async ({ signal, meta }) => {
@@ -165,7 +171,12 @@ export const orgQueries = {
                     AxiosResponse<{
                         idps: { idpId: number; name: string }[];
                     }>
-                >(build === "saas" ? `/org/${orgId}/idp` : "/idp", { signal });
+                >(
+                    build === "saas" || useOrgOnlyIdp
+                        ? `/org/${orgId}/idp`
+                        : "/idp",
+                    { signal }
+                );
                 return res.data.data.idps;
             }
         })
diff --git a/src/lib/types/env.ts b/src/lib/types/env.ts
index 1f54f680..f99e1994 100644
--- a/src/lib/types/env.ts
+++ b/src/lib/types/env.ts
@@ -34,6 +34,7 @@ export type Env = {
         hideSupporterKey: boolean;
         usePangolinDns: boolean;
         disableProductHelpBanners: boolean;
+        useOrgOnlyIdp: boolean;
     };
     branding: {
         appName?: string;

From 4c8d2266ec949d452e4bfc9481f3ef5af75662c0 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 9 Jan 2026 14:41:22 -0800
Subject: [PATCH 144/154] clean up login page

---
 messages/en-US.json                   |  4 +--
 server/routers/auth/index.ts          |  2 +-
 src/app/auth/layout.tsx               | 22 +------------
 src/app/auth/login/page.tsx           | 33 +++----------------
 src/components/DashboardLoginForm.tsx | 47 ++++++++++++++++++++++++++-
 src/components/LoginForm.tsx          |  9 -----
 6 files changed, 54 insertions(+), 63 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 8b04e4ea..db649cdd 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1135,7 +1135,7 @@
     "create": "Create",
     "orgs": "Organizations",
     "loginError": "An error occurred while logging in",
-    "loginRequiredForDevice": "Login is required to authenticate your device.",
+    "loginRequiredForDevice": "Login is required for your device.",
     "passwordForgot": "Forgot your password?",
     "otpAuth": "Two-Factor Authentication",
     "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
@@ -1876,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Choose your identity provider to continue",
     "orgAuthNoIdpConfigured": "This organization doesn't have any identity providers configured. You can log in with your Pangolin identity instead.",
     "orgAuthSignInWithPangolin": "Sign in with Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Use organization's identity provider",
     "orgAuthSelectOrgTitle": "Organization Sign In",
     "orgAuthSelectOrgDescription": "Enter your organization ID to continue",
     "orgAuthOrgIdPlaceholder": "your-organization",
diff --git a/server/routers/auth/index.ts b/server/routers/auth/index.ts
index 22040614..4600a4cc 100644
--- a/server/routers/auth/index.ts
+++ b/server/routers/auth/index.ts
@@ -16,4 +16,4 @@ export * from "./checkResourceSession";
 export * from "./securityKey";
 export * from "./startDeviceWebAuth";
 export * from "./verifyDeviceWebAuth";
-export * from "./pollDeviceWebAuth";
+export * from "./pollDeviceWebAuth";
\ No newline at end of file
diff --git a/src/app/auth/layout.tsx b/src/app/auth/layout.tsx
index 6a72006b..fae271f5 100644
--- a/src/app/auth/layout.tsx
+++ b/src/app/auth/layout.tsx
@@ -44,7 +44,7 @@ export default async function AuthLayout({ children }: AuthLayoutProps) {
 
     return (
         <div className="h-full flex flex-col">
-            <div className="flex justify-end items-center p-3 space-x-2">
+            <div className="hidden md:flex justify-end items-center p-3 space-x-2">
                 <ThemeSwitcher />
             </div>
 
@@ -127,26 +127,6 @@ export default async function AuthLayout({ children }: AuthLayoutProps) {
                                 </a>
                             </>
                         )}
-                        <Separator orientation="vertical" />
-                        <a
-                            href="https://docs.pangolin.net"
-                            target="_blank"
-                            rel="noopener noreferrer"
-                            aria-label="Built by Fossorial"
-                            className="flex items-center space-x-2 whitespace-nowrap"
-                        >
-                            <span>{t("docs")}</span>
-                        </a>
-                        <Separator orientation="vertical" />
-                        <a
-                            href="https://github.com/fosrl/pangolin"
-                            target="_blank"
-                            rel="noopener noreferrer"
-                            aria-label="GitHub"
-                            className="flex items-center space-x-2 whitespace-nowrap"
-                        >
-                            <span>{t("github")}</span>
-                        </a>
                     </div>
                 </footer>
             )}
diff --git a/src/app/auth/login/page.tsx b/src/app/auth/login/page.tsx
index fb327af5..0c9faafc 100644
--- a/src/app/auth/login/page.tsx
+++ b/src/app/auth/login/page.tsx
@@ -103,6 +103,10 @@ export default async function Page(props: {
                 redirect={redirectUrl}
                 idps={loginIdps}
                 forceLogin={forceLogin}
+                showOrgLogin={
+                    !isInvite && (build === "saas" || env.flags.useOrgOnlyIdp)
+                }
+                searchParams={searchParams}
             />
 
             {(!signUpDisabled || isInvite) && (
@@ -120,35 +124,6 @@ export default async function Page(props: {
                     </Link>
                 </p>
             )}
-
-            {!isInvite && (build === "saas" || env.flags.useOrgOnlyIdp) ? (
-                <div className="text-center text-muted-foreground mt-12 flex flex-col items-center">
-                    <span>{t("needToSignInToOrg")}</span>
-                    <Link
-                        href={`/auth/org${buildQueryString(searchParams)}`}
-                        className="underline"
-                    >
-                        {t("orgAuthSignInToOrg")}
-                    </Link>
-                </div>
-            ) : null}
         </>
     );
 }
-
-function buildQueryString(searchParams: {
-    [key: string]: string | string[] | undefined;
-}): string {
-    const params = new URLSearchParams();
-    const redirect = searchParams.redirect;
-    const forceLogin = searchParams.forceLogin;
-
-    if (redirect && typeof redirect === "string") {
-        params.set("redirect", redirect);
-    }
-    if (forceLogin && typeof forceLogin === "string") {
-        params.set("forceLogin", forceLogin);
-    }
-    const queryString = params.toString();
-    return queryString ? `?${queryString}` : "";
-}
diff --git a/src/components/DashboardLoginForm.tsx b/src/components/DashboardLoginForm.tsx
index ccb5c497..5082f00d 100644
--- a/src/components/DashboardLoginForm.tsx
+++ b/src/components/DashboardLoginForm.tsx
@@ -17,17 +17,26 @@ import { cleanRedirect } from "@app/lib/cleanRedirect";
 import BrandingLogo from "@app/components/BrandingLogo";
 import { useTranslations } from "next-intl";
 import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
+import Link from "next/link";
+import { Button } from "./ui/button";
+import { ArrowRight } from "lucide-react";
 
 type DashboardLoginFormProps = {
     redirect?: string;
     idps?: LoginFormIDP[];
     forceLogin?: boolean;
+    showOrgLogin?: boolean;
+    searchParams?: {
+        [key: string]: string | string[] | undefined;
+    };
 };
 
 export default function DashboardLoginForm({
     redirect,
     idps,
-    forceLogin
+    forceLogin,
+    showOrgLogin,
+    searchParams
 }: DashboardLoginFormProps) {
     const router = useRouter();
     const { env } = useEnvContext();
@@ -35,6 +44,9 @@ export default function DashboardLoginForm({
     const { isUnlocked } = useLicenseStatusContext();
 
     function getSubtitle() {
+        if (forceLogin) {
+            return t("loginRequiredForDevice");
+        }
         if (isUnlocked() && env.branding?.loginPage?.subtitleText) {
             return env.branding.loginPage.subtitleText;
         }
@@ -57,6 +69,22 @@ export default function DashboardLoginForm({
                 <div className="text-center space-y-1 pt-3">
                     <p className="text-muted-foreground">{getSubtitle()}</p>
                 </div>
+                {showOrgLogin && (
+                    <div className="space-y-2 mt-4">
+                        <Link
+                            href={`/auth/org${buildQueryString(searchParams || {})}`}
+                            className="underline"
+                        >
+                            <Button
+                                variant="secondary"
+                                className="w-full gap-2"
+                            >
+                                {t("orgAuthSignInToOrg")}
+                                <ArrowRight className="h-4 w-4" />
+                            </Button>
+                        </Link>
+                    </div>
+                )}
             </CardHeader>
             <CardContent className="pt-6">
                 <LoginForm
@@ -76,3 +104,20 @@ export default function DashboardLoginForm({
         </Card>
     );
 }
+
+function buildQueryString(searchParams: {
+    [key: string]: string | string[] | undefined;
+}): string {
+    const params = new URLSearchParams();
+    const redirect = searchParams.redirect;
+    const forceLogin = searchParams.forceLogin;
+
+    if (redirect && typeof redirect === "string") {
+        params.set("redirect", redirect);
+    }
+    if (forceLogin && typeof forceLogin === "string") {
+        params.set("forceLogin", forceLogin);
+    }
+    const queryString = params.toString();
+    return queryString ? `?${queryString}` : "";
+}
diff --git a/src/components/LoginForm.tsx b/src/components/LoginForm.tsx
index ce1f4dcb..49bcc69b 100644
--- a/src/components/LoginForm.tsx
+++ b/src/components/LoginForm.tsx
@@ -409,15 +409,6 @@ export default function LoginForm({
 
     return (
         <div className="space-y-4">
-            {forceLogin && (
-                <Alert variant="neutral">
-                    <AlertDescription className="flex items-center gap-2">
-                        <LockIcon className="w-4 h-4" />
-                        {t("loginRequiredForDevice")}
-                    </AlertDescription>
-                </Alert>
-            )}
-
             {showSecurityKeyPrompt && (
                 <Alert>
                     <FingerprintIcon className="w-5 h-5 mr-2" />

From 2ba49e84bbbb7de29a37515eb1a36efbfc90f60f Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Fri, 9 Jan 2026 18:00:00 -0800
Subject: [PATCH 145/154] add archive device instead of delete

---
 messages/en-US.json                  |  14 +-
 server/db/pg/schema/schema.ts        |   3 +-
 server/db/sqlite/schema/schema.ts    |   3 +-
 server/routers/external.ts           |   6 +-
 server/routers/olm/archiveUserOlm.ts |  93 ++++++++++
 server/routers/olm/index.ts          |   3 +-
 server/routers/olm/listUserOlms.ts   |   8 +-
 src/components/ViewDevicesDialog.tsx | 256 +++++++++++++++++++--------
 8 files changed, 300 insertions(+), 86 deletions(-)
 create mode 100644 server/routers/olm/archiveUserOlm.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index db649cdd..35b7e925 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2394,5 +2394,17 @@
     "maintenanceScreenTitle": "Service Temporarily Unavailable",
     "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
     "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
-    "createInternalResourceDialogDestinationRequired": "Destination is required"
+    "createInternalResourceDialogDestinationRequired": "Destination is required",
+    "available": "Available",
+    "archived": "Archived",
+    "noArchivedDevices": "No archived devices found",
+    "deviceArchived": "Device archived",
+    "deviceArchivedDescription": "The device has been successfully archived.",
+    "errorArchivingDevice": "Error archiving device",
+    "failedToArchiveDevice": "Failed to archive device",
+    "deviceQuestionArchive": "Are you sure you want to archive this device?",
+    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
+    "deviceArchiveConfirm": "Archive Device",
+    "archiveDevice": "Archive Device",
+    "archive": "Archive"
 }
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index e49ed352..571877cf 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -726,7 +726,8 @@ export const olms = pgTable("olms", {
     userId: text("userId").references(() => users.userId, {
         // optionally tied to a user and in this case delete when the user deletes
         onDelete: "cascade"
-    })
+    }),
+    archived: boolean("archived").notNull().default(false)
 });
 
 export const olmSessions = pgTable("clientSession", {
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 5f60b23e..69647229 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -423,7 +423,8 @@ export const olms = sqliteTable("olms", {
     userId: text("userId").references(() => users.userId, {
         // optionally tied to a user and in this case delete when the user deletes
         onDelete: "cascade"
-    })
+    }),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
 });
 
 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
diff --git a/server/routers/external.ts b/server/routers/external.ts
index cb5328ab..71ea8ef1 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -808,11 +808,11 @@ authenticated.put("/user/:userId/olm", verifyIsLoggedInUser, olm.createUserOlm);
 
 authenticated.get("/user/:userId/olms", verifyIsLoggedInUser, olm.listUserOlms);
 
-authenticated.delete(
-    "/user/:userId/olm/:olmId",
+authenticated.post(
+    "/user/:userId/olm/:olmId/archive",
     verifyIsLoggedInUser,
     verifyOlmAccess,
-    olm.deleteUserOlm
+    olm.archiveUserOlm
 );
 
 authenticated.get(
diff --git a/server/routers/olm/archiveUserOlm.ts b/server/routers/olm/archiveUserOlm.ts
new file mode 100644
index 00000000..9664552f
--- /dev/null
+++ b/server/routers/olm/archiveUserOlm.ts
@@ -0,0 +1,93 @@
+import { NextFunction, Request, Response } from "express";
+import { db } from "@server/db";
+import { olms, clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { sendTerminateClient } from "../client/terminate";
+
+const paramsSchema = z
+    .object({
+        userId: z.string(),
+        olmId: z.string()
+    })
+    .strict();
+
+// registry.registerPath({
+//     method: "post",
+//     path: "/user/{userId}/olm/{olmId}/archive",
+//     description: "Archive an olm for a user.",
+//     tags: [OpenAPITags.User, OpenAPITags.Client],
+//     request: {
+//         params: paramsSchema
+//     },
+//     responses: {}
+// });
+
+export async function archiveUserOlm(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { olmId } = parsedParams.data;
+
+        // Archive the OLM and disconnect associated clients in a transaction
+        await db.transaction(async (trx) => {
+            // Find all clients associated with this OLM
+            const associatedClients = await trx
+                .select()
+                .from(clients)
+                .where(eq(clients.olmId, olmId));
+
+            // Disconnect clients from the OLM (set olmId to null)
+            for (const client of associatedClients) {
+                await trx
+                    .update(clients)
+                    .set({ olmId: null })
+                    .where(eq(clients.clientId, client.clientId));
+
+                await rebuildClientAssociationsFromClient(client, trx);
+                await sendTerminateClient(client.clientId, olmId);
+            }
+
+            // Archive the OLM (set archived to true)
+            await trx
+                .update(olms)
+                .set({ archived: true })
+                .where(eq(olms.olmId, olmId));
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Device archived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to archive device"
+            )
+        );
+    }
+}
diff --git a/server/routers/olm/index.ts b/server/routers/olm/index.ts
index 594ef9cb..4b75bdfc 100644
--- a/server/routers/olm/index.ts
+++ b/server/routers/olm/index.ts
@@ -3,9 +3,8 @@ export * from "./getOlmToken";
 export * from "./createUserOlm";
 export * from "./handleOlmRelayMessage";
 export * from "./handleOlmPingMessage";
-export * from "./deleteUserOlm";
+export * from "./archiveUserOlm";
 export * from "./listUserOlms";
-export * from "./deleteUserOlm";
 export * from "./getUserOlm";
 export * from "./handleOlmServerPeerAddMessage";
 export * from "./handleOlmUnRelayMessage";
diff --git a/server/routers/olm/listUserOlms.ts b/server/routers/olm/listUserOlms.ts
index 2756c917..16585e9f 100644
--- a/server/routers/olm/listUserOlms.ts
+++ b/server/routers/olm/listUserOlms.ts
@@ -51,6 +51,7 @@ export type ListUserOlmsResponse = {
         name: string | null;
         clientId: number | null;
         userId: string | null;
+        archived: boolean;
     }>;
     pagination: {
         total: number;
@@ -89,7 +90,7 @@ export async function listUserOlms(
 
         const { userId } = parsedParams.data;
 
-        // Get total count
+        // Get total count (including archived OLMs)
         const [totalCountResult] = await db
             .select({ count: count() })
             .from(olms)
@@ -97,7 +98,7 @@ export async function listUserOlms(
 
         const total = totalCountResult?.count || 0;
 
-        // Get OLMs for the current user
+        // Get OLMs for the current user (including archived OLMs)
         const userOlms = await db
             .select({
                 olmId: olms.olmId,
@@ -105,7 +106,8 @@ export async function listUserOlms(
                 version: olms.version,
                 name: olms.name,
                 clientId: olms.clientId,
-                userId: olms.userId
+                userId: olms.userId,
+                archived: olms.archived
             })
             .from(olms)
             .where(eq(olms.userId, userId))
diff --git a/src/components/ViewDevicesDialog.tsx b/src/components/ViewDevicesDialog.tsx
index 70c55ded..86417694 100644
--- a/src/components/ViewDevicesDialog.tsx
+++ b/src/components/ViewDevicesDialog.tsx
@@ -27,6 +27,7 @@ import {
     TableHeader,
     TableRow
 } from "@app/components/ui/table";
+import { Tabs, TabsList, TabsTrigger, TabsContent } from "@app/components/ui/tabs";
 import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { Loader2, RefreshCw } from "lucide-react";
 import moment from "moment";
@@ -44,6 +45,7 @@ type Device = {
     name: string | null;
     clientId: number | null;
     userId: string | null;
+    archived: boolean;
 };
 
 export default function ViewDevicesDialog({
@@ -57,8 +59,9 @@ export default function ViewDevicesDialog({
 
     const [devices, setDevices] = useState<Device[]>([]);
     const [loading, setLoading] = useState(false);
-    const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [isArchiveModalOpen, setIsArchiveModalOpen] = useState(false);
     const [selectedDevice, setSelectedDevice] = useState<Device | null>(null);
+    const [activeTab, setActiveTab] = useState<"available" | "archived">("available");
 
     const fetchDevices = async () => {
         setLoading(true);
@@ -90,26 +93,31 @@ export default function ViewDevicesDialog({
         }
     }, [open]);
 
-    const deleteDevice = async (olmId: string) => {
+    const archiveDevice = async (olmId: string) => {
         try {
-            await api.delete(`/user/${user?.userId}/olm/${olmId}`);
+            await api.post(`/user/${user?.userId}/olm/${olmId}/archive`);
             toast({
-                title: t("deviceDeleted") || "Device deleted",
+                title: t("deviceArchived") || "Device archived",
                 description:
-                    t("deviceDeletedDescription") ||
-                    "The device has been successfully deleted."
+                    t("deviceArchivedDescription") ||
+                    "The device has been successfully archived."
             });
-            setDevices(devices.filter((d) => d.olmId !== olmId));
-            setIsDeleteModalOpen(false);
+            // Update the device's archived status in the local state
+            setDevices(
+                devices.map((d) =>
+                    d.olmId === olmId ? { ...d, archived: true } : d
+                )
+            );
+            setIsArchiveModalOpen(false);
             setSelectedDevice(null);
         } catch (error: any) {
-            console.error("Error deleting device:", error);
+            console.error("Error archiving device:", error);
             toast({
                 variant: "destructive",
-                title: t("errorDeletingDevice") || "Error deleting device",
+                title: t("errorArchivingDevice"),
                 description: formatAxiosError(
                     error,
-                    t("failedToDeleteDevice") || "Failed to delete device"
+                    t("failedToArchiveDevice")
                 )
             });
         }
@@ -118,7 +126,7 @@ export default function ViewDevicesDialog({
     function reset() {
         setDevices([]);
         setSelectedDevice(null);
-        setIsDeleteModalOpen(false);
+        setIsArchiveModalOpen(false);
     }
 
     return (
@@ -147,61 +155,159 @@ export default function ViewDevicesDialog({
                             <div className="flex items-center justify-center py-8">
                                 <Loader2 className="h-6 w-6 animate-spin" />
                             </div>
-                        ) : devices.length === 0 ? (
-                            <div className="text-center py-8 text-muted-foreground">
-                                {t("noDevices") || "No devices found"}
-                            </div>
                         ) : (
-                            <div className="rounded-md border">
-                                <Table>
-                                    <TableHeader>
-                                        <TableRow>
-                                            <TableHead className="pl-3">
-                                                {t("name") || "Name"}
-                                            </TableHead>
-                                            <TableHead>
-                                                {t("dateCreated") ||
-                                                    "Date Created"}
-                                            </TableHead>
-                                            <TableHead>
-                                                {t("actions") || "Actions"}
-                                            </TableHead>
-                                        </TableRow>
-                                    </TableHeader>
-                                    <TableBody>
-                                        {devices.map((device) => (
-                                            <TableRow key={device.olmId}>
-                                                <TableCell className="font-medium">
-                                                    {device.name ||
-                                                        t("unnamedDevice") ||
-                                                        "Unnamed Device"}
-                                                </TableCell>
-                                                <TableCell>
-                                                    {moment(
-                                                        device.dateCreated
-                                                    ).format("lll")}
-                                                </TableCell>
-                                                <TableCell>
-                                                    <Button
-                                                        variant="outline"
-                                                        onClick={() => {
-                                                            setSelectedDevice(
-                                                                device
-                                                            );
-                                                            setIsDeleteModalOpen(
-                                                                true
-                                                            );
-                                                        }}
-                                                    >
-                                                        {t("delete") ||
-                                                            "Delete"}
-                                                    </Button>
-                                                </TableCell>
-                                            </TableRow>
-                                        ))}
-                                    </TableBody>
-                                </Table>
-                            </div>
+                            <Tabs
+                                value={activeTab}
+                                onValueChange={(value) =>
+                                    setActiveTab(value as "available" | "archived")
+                                }
+                                className="w-full"
+                            >
+                                <TabsList className="grid w-full grid-cols-2">
+                                    <TabsTrigger value="available">
+                                        {t("available") || "Available"} (
+                                        {
+                                            devices.filter(
+                                                (d) => !d.archived
+                                            ).length
+                                        }
+                                        )
+                                    </TabsTrigger>
+                                    <TabsTrigger value="archived">
+                                        {t("archived") || "Archived"} (
+                                        {
+                                            devices.filter(
+                                                (d) => d.archived
+                                            ).length
+                                        }
+                                        )
+                                    </TabsTrigger>
+                                </TabsList>
+                                <TabsContent value="available" className="mt-4">
+                                    {devices.filter((d) => !d.archived)
+                                        .length === 0 ? (
+                                        <div className="text-center py-8 text-muted-foreground">
+                                            {t("noDevices") ||
+                                                "No devices found"}
+                                        </div>
+                                    ) : (
+                                        <div className="rounded-md border">
+                                            <Table>
+                                                <TableHeader>
+                                                    <TableRow>
+                                                        <TableHead className="pl-3">
+                                                        {t("name") || "Name"}
+                                                        </TableHead>
+                                                        <TableHead>
+                                                            {t("dateCreated") ||
+                                                                "Date Created"}
+                                                        </TableHead>
+                                                        <TableHead>
+                                                            {t("actions") ||
+                                                                "Actions"}
+                                                        </TableHead>
+                                                    </TableRow>
+                                                </TableHeader>
+                                                <TableBody>
+                                                    {devices
+                                                        .filter(
+                                                            (d) => !d.archived
+                                                        )
+                                                        .map((device) => (
+                                                            <TableRow
+                                                                key={device.olmId}
+                                                            >
+                                                                <TableCell className="font-medium">
+                                                                    {device.name ||
+                                                                        t(
+                                                                            "unnamedDevice"
+                                                                        ) ||
+                                                                        "Unnamed Device"}
+                                                                </TableCell>
+                                                                <TableCell>
+                                                                    {moment(
+                                                                        device.dateCreated
+                                                                    ).format(
+                                                                        "lll"
+                                                                    )}
+                                                                </TableCell>
+                                                                <TableCell>
+                                                                    <Button
+                                                                        variant="outline"
+                                                                        onClick={() => {
+                                                                            setSelectedDevice(
+                                                                                device
+                                                                            );
+                                                                            setIsArchiveModalOpen(
+                                                                                true
+                                                                            );
+                                                                        }}
+                                                                    >
+                                                                        {t(
+                                                                            "archive"
+                                                                        ) ||
+                                                                            "Archive"}
+                                                                    </Button>
+                                                                </TableCell>
+                                                            </TableRow>
+                                                        ))}
+                                                </TableBody>
+                                            </Table>
+                                        </div>
+                                    )}
+                                </TabsContent>
+                                <TabsContent value="archived" className="mt-4">
+                                    {devices.filter((d) => d.archived)
+                                        .length === 0 ? (
+                                        <div className="text-center py-8 text-muted-foreground">
+                                            {t("noArchivedDevices") ||
+                                                "No archived devices found"}
+                                        </div>
+                                    ) : (
+                                        <div className="rounded-md border">
+                                            <Table>
+                                                <TableHeader>
+                                                    <TableRow>
+                                                        <TableHead className="pl-3">
+                                                        {t("name") || "Name"}
+                                                        </TableHead>
+                                                        <TableHead>
+                                                            {t("dateCreated") ||
+                                                                "Date Created"}
+                                                        </TableHead>
+                                                    </TableRow>
+                                                </TableHeader>
+                                                <TableBody>
+                                                    {devices
+                                                        .filter(
+                                                            (d) => d.archived
+                                                        )
+                                                        .map((device) => (
+                                                            <TableRow
+                                                                key={device.olmId}
+                                                            >
+                                                                <TableCell className="font-medium">
+                                                                    {device.name ||
+                                                                        t(
+                                                                            "unnamedDevice"
+                                                                        ) ||
+                                                                        "Unnamed Device"}
+                                                                </TableCell>
+                                                                <TableCell>
+                                                                    {moment(
+                                                                        device.dateCreated
+                                                                    ).format(
+                                                                        "lll"
+                                                                    )}
+                                                                </TableCell>
+                                                            </TableRow>
+                                                        ))}
+                                                </TableBody>
+                                            </Table>
+                                        </div>
+                                    )}
+                                </TabsContent>
+                            </Tabs>
                         )}
                     </CredenzaBody>
                     <CredenzaFooter>
@@ -216,9 +322,9 @@ export default function ViewDevicesDialog({
 
             {selectedDevice && (
                 <ConfirmDeleteDialog
-                    open={isDeleteModalOpen}
+                    open={isArchiveModalOpen}
                     setOpen={(val) => {
-                        setIsDeleteModalOpen(val);
+                        setIsArchiveModalOpen(val);
                         if (!val) {
                             setSelectedDevice(null);
                         }
@@ -226,19 +332,19 @@ export default function ViewDevicesDialog({
                     dialog={
                         <div className="space-y-2">
                             <p>
-                                {t("deviceQuestionRemove") ||
-                                    "Are you sure you want to delete this device?"}
+                                {t("deviceQuestionArchive") ||
+                                    "Are you sure you want to archive this device?"}
                             </p>
                             <p>
-                                {t("deviceMessageRemove") ||
-                                    "This action cannot be undone."}
+                                {t("deviceMessageArchive") ||
+                                    "The device will be archived and removed from your active devices list."}
                             </p>
                         </div>
                     }
-                    buttonText={t("deviceDeleteConfirm") || "Delete Device"}
-                    onConfirm={async () => deleteDevice(selectedDevice.olmId)}
+                    buttonText={t("deviceArchiveConfirm") || "Archive Device"}
+                    onConfirm={async () => archiveDevice(selectedDevice.olmId)}
                     string={selectedDevice.name || selectedDevice.olmId}
-                    title={t("deleteDevice") || "Delete Device"}
+                    title={t("archiveDevice") || "Archive Device"}
                 />
             )}
         </>

From 192702daf9fa2506e19f6efea645aff957c451b2 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 11 Jan 2026 10:39:18 -0800
Subject: [PATCH 146/154] Quiet log

---
 server/private/lib/exitNodes/exitNodes.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/private/lib/exitNodes/exitNodes.ts b/server/private/lib/exitNodes/exitNodes.ts
index 556fdcf7..97c89614 100644
--- a/server/private/lib/exitNodes/exitNodes.ts
+++ b/server/private/lib/exitNodes/exitNodes.ts
@@ -288,7 +288,7 @@ export function selectBestExitNode(
     const validNodes = pingResults.filter((n) => !n.error && n.weight > 0);
 
     if (validNodes.length === 0) {
-        logger.error("No valid exit nodes available");
+        logger.debug("No valid exit nodes available");
         return null;
     }
 

From 78b00a18cc6e451efa3300bbbf60a2301381fee6 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 11 Jan 2026 10:39:28 -0800
Subject: [PATCH 147/154] Add retry to aquire

---
 server/private/lib/lock.ts | 100 ++++++++++++++++++++++---------------
 1 file changed, 60 insertions(+), 40 deletions(-)

diff --git a/server/private/lib/lock.ts b/server/private/lib/lock.ts
index 08496f65..7e68565e 100644
--- a/server/private/lib/lock.ts
+++ b/server/private/lib/lock.ts
@@ -24,7 +24,9 @@ export class LockManager {
      */
     async acquireLock(
         lockKey: string,
-        ttlMs: number = 30000
+        ttlMs: number = 30000,
+        maxRetries: number = 3,
+        retryDelayMs: number = 100
     ): Promise<boolean> {
         if (!redis || !redis.status || redis.status !== "ready") {
             return true;
@@ -35,49 +37,67 @@ export class LockManager {
         }:${Date.now()}`;
         const redisKey = `lock:${lockKey}`;
 
-        try {
-            // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
-            // This is atomic and handles both setting and expiration
-            const result = await redis.set(
-                redisKey,
-                lockValue,
-                "PX",
-                ttlMs,
-                "NX"
-            );
-
-            if (result === "OK") {
-                logger.debug(
-                    `Lock acquired: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
+        for (let attempt = 0; attempt < maxRetries; attempt++) {
+            try {
+                // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
+                // This is atomic and handles both setting and expiration
+                const result = await redis.set(
+                    redisKey,
+                    lockValue,
+                    "PX",
+                    ttlMs,
+                    "NX"
                 );
-                return true;
-            }
 
-            // Check if the existing lock is from this worker (reentrant behavior)
-            const existingValue = await redis.get(redisKey);
-            if (
-                existingValue &&
-                existingValue.startsWith(
-                    `${config.getRawConfig().gerbil.exit_node_name}:`
-                )
-            ) {
-                // Extend the lock TTL since it's the same worker
-                await redis.pexpire(redisKey, ttlMs);
-                logger.debug(
-                    `Lock extended: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
-                );
-                return true;
-            }
+                if (result === "OK") {
+                    logger.debug(
+                        `Lock acquired: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
 
-            return false;
-        } catch (error) {
-            logger.error(`Failed to acquire lock ${lockKey}:`, error);
-            return false;
+                // Check if the existing lock is from this worker (reentrant behavior)
+                const existingValue = await redis.get(redisKey);
+                if (
+                    existingValue &&
+                    existingValue.startsWith(
+                        `${config.getRawConfig().gerbil.exit_node_name}:`
+                    )
+                ) {
+                    // Extend the lock TTL since it's the same worker
+                    await redis.pexpire(redisKey, ttlMs);
+                    logger.debug(
+                        `Lock extended: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
+
+                // If this isn't our last attempt, wait before retrying with exponential backoff
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    logger.debug(
+                        `Lock ${lockKey} not available, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`
+                    );
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            } catch (error) {
+                logger.error(`Failed to acquire lock ${lockKey} (attempt ${attempt + 1}/${maxRetries}):`, error);
+                // On error, still retry if we have attempts left
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            }
         }
+
+        logger.debug(
+            `Failed to acquire lock ${lockKey} after ${maxRetries} attempts`
+        );
+        return false;
     }
 
     /**

From 89682a2ee453904125ad0ada2c2d440dc01e572b Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 11 Jan 2026 10:39:39 -0800
Subject: [PATCH 148/154] Try to intent:// into android app from tab

---
 src/app/auth/login/device/success/page.tsx | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/app/auth/login/device/success/page.tsx b/src/app/auth/login/device/success/page.tsx
index 49261cb6..6ee49587 100644
--- a/src/app/auth/login/device/success/page.tsx
+++ b/src/app/auth/login/device/success/page.tsx
@@ -27,18 +27,21 @@ export default function DeviceAuthSuccessPage() {
         const isIOS = /iPad|iPhone|iPod/.test(userAgent) && !(window as any).MSStream;
         const isAndroid = /android/i.test(userAgent);
 
-        if (isIOS || isAndroid) {
+        if (isAndroid) {
+            // For Android Chrome Custom Tabs, use intent:// scheme which works more reliably
+            // This explicitly tells Chrome to send an intent to the app, which will bring
+            // SignInCodeActivity back to the foreground (it has launchMode="singleTop")
+            setTimeout(() => {
+                window.location.href = "intent://auth-success#Intent;scheme=pangolin;package=net.pangolin.Pangolin;end";
+            }, 500);
+        } else if (isIOS) {
             // Wait 500ms then attempt to open the app
             setTimeout(() => {
                 // Try to open the app using deep link
                 window.location.href = "pangolin://";
 
                 setTimeout(() => {
-                    if (isIOS) {
-                        window.location.href = "https://apps.apple.com/app/pangolin/net.pangolin.Pangolin.PangoliniOS";
-                    } else if (isAndroid) {
-                        window.location.href = "https://play.google.com/store/apps/details?id=net.pangolin.Pangolin";
-                    }
+                    window.location.href = "https://apps.apple.com/app/pangolin/net.pangolin.Pangolin.PangoliniOS";
                 }, 2000);
             }, 500);
         }
@@ -79,4 +82,4 @@ export default function DeviceAuthSuccessPage() {
             </p>
         </>
     );
-}
+}
\ No newline at end of file

From 0a537c6830fd6c019d4f5b1a21558d557add6231 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Sun, 11 Jan 2026 10:44:32 -0800
Subject: [PATCH 149/154] add org only idp to integration api

---
 server/middlewares/integration/index.ts       |  1 +
 .../integration/verifyApiKeyIdpAccess.ts      | 88 +++++++++++++++++++
 server/private/routers/integration.ts         | 51 ++++++++++-
 .../routers/orgIdp/createOrgOidcIdp.ts        | 33 +++----
 server/private/routers/orgIdp/deleteOrgIdp.ts |  6 +-
 server/private/routers/orgIdp/getOrgIdp.ts    | 20 ++---
 server/private/routers/orgIdp/listOrgIdps.ts  | 21 ++---
 .../routers/orgIdp/updateOrgOidcIdp.ts        | 34 +++----
 src/components/PermissionsSelectBox.tsx       | 31 ++++---
 9 files changed, 216 insertions(+), 69 deletions(-)
 create mode 100644 server/middlewares/integration/verifyApiKeyIdpAccess.ts

diff --git a/server/middlewares/integration/index.ts b/server/middlewares/integration/index.ts
index 2e2e8ff0..56575191 100644
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
+export * from "./verifyApiKeyIdpAccess";
diff --git a/server/middlewares/integration/verifyApiKeyIdpAccess.ts b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
new file mode 100644
index 00000000..99b7e76b
--- /dev/null
+++ b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
@@ -0,0 +1,88 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { idp, idpOrg, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyIdpAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!idpId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any IDP in any org
+            return next();
+        }
+
+        const [idpRes] = await db
+            .select()
+            .from(idp)
+            .innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
+            .where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
+            .limit(1);
+
+        if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `IdP with ID ${idpId} not found for organization ${orgId}`
+                )
+            );
+        }
+
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
+                    )
+                );
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying IDP access"
+            )
+        );
+    }
+}
diff --git a/server/private/routers/integration.ts b/server/private/routers/integration.ts
index 9eefff8f..25861a54 100644
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -18,7 +18,8 @@ import * as logs from "#private/routers/auditLogs";
 import {
     verifyApiKeyHasAction,
     verifyApiKeyIsRoot,
-    verifyApiKeyOrgAccess
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess
 } from "@server/middlewares";
 import {
     verifyValidSubscription,
@@ -31,6 +32,8 @@ import {
     authenticated as a
 } from "@server/routers/integration";
 import { logActionAudit } from "#private/middlewares";
+import config from "#private/lib/config";
+import { build } from "@server/build";
 
 export const unauthenticated = ua;
 export const authenticated = a;
@@ -88,3 +91,49 @@ authenticated.get(
     logActionAudit(ActionsEnum.exportLogs),
     logs.exportAccessAuditLogs
 );
+
+authenticated.put(
+    "/org/:orgId/idp/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createIdp),
+    logActionAudit(ActionsEnum.createIdp),
+    orgIdp.createOrgOidcIdp
+);
+
+authenticated.post(
+    "/org/:orgId/idp/:idpId/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateIdp),
+    logActionAudit(ActionsEnum.updateIdp),
+    orgIdp.updateOrgOidcIdp
+);
+
+authenticated.delete(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
+    logActionAudit(ActionsEnum.deleteIdp),
+    orgIdp.deleteOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.getIdp),
+    orgIdp.getOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    orgIdp.listOrgIdps
+);
diff --git a/server/private/routers/orgIdp/createOrgOidcIdp.ts b/server/private/routers/orgIdp/createOrgOidcIdp.ts
index 709f6167..36a5487e 100644
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -46,22 +46,23 @@ const bodySchema = z.strictObject({
     roleMapping: z.string().optional()
 });
 
-// registry.registerPath({
-//     method: "put",
-//     path: "/idp/oidc",
-//     description: "Create an OIDC IdP.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         body: {
-//             content: {
-//                 "application/json": {
-//                     schema: bodySchema
-//                 }
-//             }
-//         }
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/idp/oidc",
+    description: "Create an OIDC IdP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
 
 export async function createOrgOidcIdp(
     req: Request,
diff --git a/server/private/routers/orgIdp/deleteOrgIdp.ts b/server/private/routers/orgIdp/deleteOrgIdp.ts
index 721b91cb..176f4238 100644
--- a/server/private/routers/orgIdp/deleteOrgIdp.ts
+++ b/server/private/routers/orgIdp/deleteOrgIdp.ts
@@ -32,9 +32,9 @@ const paramsSchema = z
 
 registry.registerPath({
     method: "delete",
-    path: "/idp/{idpId}",
-    description: "Delete IDP.",
-    tags: [OpenAPITags.Idp],
+    path: "/org/{orgId}/idp/{idpId}",
+    description: "Delete IDP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
     request: {
         params: paramsSchema
     },
diff --git a/server/private/routers/orgIdp/getOrgIdp.ts b/server/private/routers/orgIdp/getOrgIdp.ts
index 01ddc0f7..dd987c44 100644
--- a/server/private/routers/orgIdp/getOrgIdp.ts
+++ b/server/private/routers/orgIdp/getOrgIdp.ts
@@ -48,16 +48,16 @@ async function query(idpId: number, orgId: string) {
     return res;
 }
 
-// registry.registerPath({
-//     method: "get",
-//     path: "/idp/{idpId}",
-//     description: "Get an IDP by its IDP ID.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         params: paramsSchema
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "get",
+    path: "/org/:orgId/idp/:idpId",
+    description: "Get an IDP by its IDP ID for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
 
 export async function getOrgIdp(
     req: Request,
diff --git a/server/private/routers/orgIdp/listOrgIdps.ts b/server/private/routers/orgIdp/listOrgIdps.ts
index 36cbc627..61049c49 100644
--- a/server/private/routers/orgIdp/listOrgIdps.ts
+++ b/server/private/routers/orgIdp/listOrgIdps.ts
@@ -62,16 +62,17 @@ async function query(orgId: string, limit: number, offset: number) {
     return res;
 }
 
-// registry.registerPath({
-//     method: "get",
-//     path: "/idp",
-//     description: "List all IDP in the system.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         query: querySchema
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/idp",
+    description: "List all IDP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        query: querySchema,
+        params: paramsSchema
+    },
+    responses: {}
+});
 
 export async function listOrgIdps(
     req: Request,
diff --git a/server/private/routers/orgIdp/updateOrgOidcIdp.ts b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
index f29e4fc2..6474abda 100644
--- a/server/private/routers/orgIdp/updateOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
@@ -53,23 +53,23 @@ export type UpdateOrgIdpResponse = {
     idpId: number;
 };
 
-// registry.registerPath({
-//     method: "post",
-//     path: "/idp/{idpId}/oidc",
-//     description: "Update an OIDC IdP.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         params: paramsSchema,
-//         body: {
-//             content: {
-//                 "application/json": {
-//                     schema: bodySchema
-//                 }
-//             }
-//         }
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/idp/{idpId}/oidc",
+    description: "Update an OIDC IdP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
 
 export async function updateOrgOidcIdp(
     req: Request,
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 9cfe2aaf..a5cfad7b 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -114,6 +114,16 @@ function getActionsCategories(root: boolean) {
         }
     };
 
+    if (root || build === "saas" || env.flags.useOrgOnlyIdp) {
+        actionsByCategory["Identity Provider (IDP)"] = {
+            [t("actionCreateIdp")]: "createIdp",
+            [t("actionUpdateIdp")]: "updateIdp",
+            [t("actionDeleteIdp")]: "deleteIdp",
+            [t("actionListIdps")]: "listIdps",
+            [t("actionGetIdp")]: "getIdp"
+        };
+    }
+
     if (root) {
         actionsByCategory["Organization"] = {
             [t("actionListOrgs")]: "listOrgs",
@@ -128,24 +138,21 @@ function getActionsCategories(root: boolean) {
             ...actionsByCategory["Organization"]
         };
 
-        actionsByCategory["Identity Provider (IDP)"] = {
-            [t("actionCreateIdp")]: "createIdp",
-            [t("actionUpdateIdp")]: "updateIdp",
-            [t("actionDeleteIdp")]: "deleteIdp",
-            [t("actionListIdps")]: "listIdps",
-            [t("actionGetIdp")]: "getIdp",
-            [t("actionCreateIdpOrg")]: "createIdpOrg",
-            [t("actionDeleteIdpOrg")]: "deleteIdpOrg",
-            [t("actionListIdpOrgs")]: "listIdpOrgs",
-            [t("actionUpdateIdpOrg")]: "updateIdpOrg"
-        };
+        actionsByCategory["Identity Provider (IDP)"][t("actionCreateIdpOrg")] =
+            "createIdpOrg";
+        actionsByCategory["Identity Provider (IDP)"][t("actionDeleteIdpOrg")] =
+            "deleteIdpOrg";
+        actionsByCategory["Identity Provider (IDP)"][t("actionListIdpOrgs")] =
+            "listIdpOrgs";
+        actionsByCategory["Identity Provider (IDP)"][t("actionUpdateIdpOrg")] =
+            "updateIdpOrg";
 
         actionsByCategory["User"] = {
             [t("actionUpdateUser")]: "updateUser",
             [t("actionGetUser")]: "getUser"
         };
 
-        if (build == "saas") {
+        if (build === "saas") {
             actionsByCategory["SAAS"] = {
                 ["Send Usage Notification Email"]: "sendUsageNotification"
             };

From 69dbd20ea5ed86bc421779d9b8ae444ba9246baa Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 11 Jan 2026 13:39:46 -0800
Subject: [PATCH 150/154] Use same regex for blueprint aliases

Closes #2218
Fixes #2216
---
 server/lib/blueprints/types.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/lib/blueprints/types.ts b/server/lib/blueprints/types.ts
index 650d5b18..cba9bfa7 100644
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -290,8 +290,8 @@ export const ClientResourceSchema = z
         alias: z
             .string()
             .regex(
-                /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
-                "Alias must be a fully qualified domain name (e.g., example.com)"
+                /^(?:[a-zA-Z0-9*?](?:[a-zA-Z0-9*?-]{0,61}[a-zA-Z0-9*?])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
+                "Alias must be a fully qualified domain name with optional wildcards (e.g., example.com, *.example.com, host-0?.example.internal)"
             )
             .optional(),
         roles: z

From 29a683a815a5dea53d7b7f06b3db1608f4ed61a7 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 11 Jan 2026 14:19:38 -0800
Subject: [PATCH 151/154] Copy all tags to github reg

---
 .github/workflows/cicd.yml        | 149 +++++++++--
 .github/workflows/cicd.yml.backup | 426 ++++++++++++++++++++++++++++++
 2 files changed, 552 insertions(+), 23 deletions(-)
 create mode 100644 .github/workflows/cicd.yml.backup

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 09e406ad..38f55482 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -329,20 +329,89 @@ jobs:
                   skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
               shell: bash
 
-            - name: Copy tag from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+            - name: Copy tags from Docker Hub to GHCR
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
               # Wait a bit for both architectures to be available in Docker Hub manifest
               env:
                   REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
                   set -euo pipefail
                   TAG=${{ env.TAG }}
-                  echo "Waiting for multi-arch manifest to be ready..."
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                  
+                  echo "Waiting for multi-arch manifests to be ready..."
                   sleep 30
-                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
-                  skopeo copy --all --retry-times 3 \
-                    docker://$DOCKERHUB_IMAGE:$TAG \
-                    docker://$GHCR_IMAGE:$TAG
+                  
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
+                  
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release detected - copying version-specific tags only"
+                      
+                      # SQLite OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:$TAG \
+                        docker://$GHCR_IMAGE:$TAG
+                      
+                      # PostgreSQL OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
+                        docker://$GHCR_IMAGE:postgresql-$TAG
+                      
+                      # SQLite Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
+                        docker://$GHCR_IMAGE:ee-$TAG
+                      
+                      # PostgreSQL Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
+                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
+                  else
+                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
+                      
+                      # SQLite OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
+                      done
+                      
+                      # SQLite Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
+                      done
+                  fi
+                  
+                  echo "All images copied successfully to GHCR!"
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
@@ -371,28 +440,62 @@ jobs:
                   issuer="https://token.actions.githubusercontent.com"
                   id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
 
-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
-                    echo "Processing ${IMAGE}:${TAG}"
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
 
-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
-                    REF="${IMAGE}@${DIGEST}"
-                    echo "Resolved digest: ${REF}"
+                  # Define image variants to sign
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release - signing version-specific tags only"
+                      IMAGE_TAGS=(
+                          "${TAG}"
+                          "postgresql-${TAG}"
+                          "ee-${TAG}"
+                          "ee-postgresql-${TAG}"
+                      )
+                  else
+                      echo "Regular release - signing all tags"
+                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                      IMAGE_TAGS=(
+                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
+                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
+                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
+                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
+                      )
+                  fi
 
-                    echo "==> cosign sign (keyless) --recursive ${REF}"
-                    cosign sign --recursive "${REF}"
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
 
-                    echo "==> cosign sign (key) --recursive ${REF}"
-                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${BASE_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"
 
-                    echo "==> cosign verify (public key) ${REF}"
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"
 
-                    echo "==> cosign verify (keyless policy) ${REF}"
-                    cosign verify \
-                      --certificate-oidc-issuer "${issuer}" \
-                      --certificate-identity-regexp "${id_regex}" \
-                      "${REF}" -o text
+                      echo "==> cosign sign (key) --recursive ${REF}"
+                      cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                      echo "==> cosign verify (public key) ${REF}"
+                      cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                      echo "==> cosign verify (keyless policy) ${REF}"
+                      cosign verify \
+                        --certificate-oidc-issuer "${issuer}" \
+                        --certificate-identity-regexp "${id_regex}" \
+                        "${REF}" -o text
+                      
+                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                    done
                   done
+                  
+                  echo "All images signed and verified successfully!"
               shell: bash
 
     post-run:
diff --git a/.github/workflows/cicd.yml.backup b/.github/workflows/cicd.yml.backup
new file mode 100644
index 00000000..09e406ad
--- /dev/null
+++ b/.github/workflows/cicd.yml.backup
@@ -0,0 +1,426 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Install Go
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+              shell: bash
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Waiting for multi-arch manifest to be ready..."
+                  sleep 30
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"

From b941b5571fd79bc8fed4b4fe86e9ad6dec4f504a Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Mon, 12 Jan 2026 15:52:06 -0800
Subject: [PATCH 152/154] add archive to org clients and add unarchive

---
 messages/en-US.json                           |  14 +-
 server/auth/actions.ts                        |   2 +
 server/db/pg/schema/schema.ts                 |   3 +-
 server/db/sqlite/schema/schema.ts             |   3 +-
 server/routers/client/archiveClient.ts        | 105 +++++++++++
 server/routers/client/deleteClient.ts         |   3 +-
 server/routers/client/index.ts                |   2 +
 server/routers/client/listClients.ts          |   4 +-
 server/routers/client/unarchiveClient.ts      |  93 ++++++++++
 server/routers/external.ts                    |  23 +++
 server/routers/integration.ts                 |  16 ++
 server/routers/olm/archiveUserOlm.ts          |  12 --
 server/routers/olm/handleOlmPingMessage.ts    |  15 +-
 server/routers/olm/index.ts                   |   1 +
 server/routers/olm/unarchiveUserOlm.ts        |  84 +++++++++
 .../[orgId]/settings/clients/machine/page.tsx |   3 +-
 .../[orgId]/settings/clients/user/page.tsx    |   3 +-
 src/components/MachineClientsTable.tsx        |  95 +++++++++-
 src/components/PermissionsSelectBox.tsx       |   2 +
 src/components/UserDevicesTable.tsx           | 110 +++++++++--
 src/components/ViewDevicesDialog.tsx          | 132 ++++++++-----
 src/components/ui/data-table.tsx              | 175 +++++++++++++++++-
 22 files changed, 800 insertions(+), 100 deletions(-)
 create mode 100644 server/routers/client/archiveClient.ts
 create mode 100644 server/routers/client/unarchiveClient.ts
 create mode 100644 server/routers/olm/unarchiveUserOlm.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index 2aa312b7..0ddd883c 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1118,6 +1118,8 @@
     "actionUpdateIdpOrg": "Update IDP Org",
     "actionCreateClient": "Create Client",
     "actionDeleteClient": "Delete Client",
+    "actionArchiveClient": "Archive Client",
+    "actionUnarchiveClient": "Unarchive Client",
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
@@ -2406,5 +2408,15 @@
     "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
     "deviceArchiveConfirm": "Archive Device",
     "archiveDevice": "Archive Device",
-    "archive": "Archive"
+    "archive": "Archive",
+    "deviceUnarchived": "Device unarchived",
+    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
+    "errorUnarchivingDevice": "Error unarchiving device",
+    "failedToUnarchiveDevice": "Failed to unarchive device",
+    "unarchive": "Unarchive",
+    "archiveClient": "Archive Client",
+    "archiveClientQuestion": "Are you sure you want to archive this client?",
+    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
+    "archiveClientConfirm": "Archive Client",
+    "active": "Active"
 }
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index 71017f8d..e0f86244 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -78,6 +78,8 @@ export enum ActionsEnum {
     updateSiteResource = "updateSiteResource",
     createClient = "createClient",
     deleteClient = "deleteClient",
+    archiveClient = "archiveClient",
+    unarchiveClient = "unarchiveClient",
     updateClient = "updateClient",
     listClients = "listClients",
     getClient = "getClient",
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index 571877cf..b5ae30c6 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -688,7 +688,8 @@ export const clients = pgTable("clients", {
     online: boolean("online").notNull().default(false),
     // endpoint: varchar("endpoint"),
     lastHolePunch: integer("lastHolePunch"),
-    maxConnections: integer("maxConnections")
+    maxConnections: integer("maxConnections"),
+    archived: boolean("archived").notNull().default(false)
 });
 
 export const clientSitesAssociationsCache = pgTable(
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 69647229..9d84d6b5 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -383,7 +383,8 @@ export const clients = sqliteTable("clients", {
     type: text("type").notNull(), // "olm"
     online: integer("online", { mode: "boolean" }).notNull().default(false),
     // endpoint: text("endpoint"),
-    lastHolePunch: integer("lastHolePunch")
+    lastHolePunch: integer("lastHolePunch"),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
 });
 
 export const clientSitesAssociationsCache = sqliteTable(
diff --git a/server/routers/client/archiveClient.ts b/server/routers/client/archiveClient.ts
new file mode 100644
index 00000000..330f6ed8
--- /dev/null
+++ b/server/routers/client/archiveClient.ts
@@ -0,0 +1,105 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { sendTerminateClient } from "./terminate";
+
+const archiveClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/archive",
+    description: "Archive a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: archiveClientSchema
+    },
+    responses: {}
+});
+
+export async function archiveClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = archiveClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (client.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is already archived`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            // Archive the client
+            await trx
+                .update(clients)
+                .set({ archived: true })
+                .where(eq(clients.clientId, clientId));
+
+            // Rebuild associations to clean up related data
+            await rebuildClientAssociationsFromClient(client, trx);
+
+            // Send terminate signal if there's an associated OLM
+            if (client.olmId) {
+                await sendTerminateClient(client.clientId, client.olmId);
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client archived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to archive client"
+            )
+        );
+    }
+}
diff --git a/server/routers/client/deleteClient.ts b/server/routers/client/deleteClient.ts
index 775708ce..a16a2996 100644
--- a/server/routers/client/deleteClient.ts
+++ b/server/routers/client/deleteClient.ts
@@ -60,11 +60,12 @@ export async function deleteClient(
             );
         }
 
+        // Only allow deletion of machine clients (clients without userId)
         if (client.userId) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
-                    `Cannot delete a user client with this endpoint`
+                    `Cannot delete a user client. User clients must be archived instead.`
                 )
             );
         }
diff --git a/server/routers/client/index.ts b/server/routers/client/index.ts
index 8e88c11e..72d64de2 100644
--- a/server/routers/client/index.ts
+++ b/server/routers/client/index.ts
@@ -1,6 +1,8 @@
 export * from "./pickClientDefaults";
 export * from "./createClient";
 export * from "./deleteClient";
+export * from "./archiveClient";
+export * from "./unarchiveClient";
 export * from "./listClients";
 export * from "./updateClient";
 export * from "./getClient";
diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts
index 36e61c9d..41e995f4 100644
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -136,7 +136,9 @@ function queryClients(
             username: users.username,
             userEmail: users.email,
             niceId: clients.niceId,
-            agent: olms.agent
+            agent: olms.agent,
+            olmArchived: olms.archived,
+            archived: clients.archived
         })
         .from(clients)
         .leftJoin(orgs, eq(clients.orgId, orgs.orgId))
diff --git a/server/routers/client/unarchiveClient.ts b/server/routers/client/unarchiveClient.ts
new file mode 100644
index 00000000..62c5c17c
--- /dev/null
+++ b/server/routers/client/unarchiveClient.ts
@@ -0,0 +1,93 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const unarchiveClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/unarchive",
+    description: "Unarchive a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: unarchiveClientSchema
+    },
+    responses: {}
+});
+
+export async function unarchiveClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = unarchiveClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (!client.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is not archived`
+                )
+            );
+        }
+
+        // Unarchive the client
+        await db
+            .update(clients)
+            .set({ archived: false })
+            .where(eq(clients.clientId, clientId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client unarchived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unarchive client"
+            )
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 71ea8ef1..564a7531 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -174,6 +174,22 @@ authenticated.delete(
     client.deleteClient
 );
 
+authenticated.post(
+    "/client/:clientId/archive",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.archiveClient),
+    logActionAudit(ActionsEnum.archiveClient),
+    client.archiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/unarchive",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.unarchiveClient),
+    logActionAudit(ActionsEnum.unarchiveClient),
+    client.unarchiveClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyClientAccess, // this will check if the user has access to the client
@@ -815,6 +831,13 @@ authenticated.post(
     olm.archiveUserOlm
 );
 
+authenticated.post(
+    "/user/:userId/olm/:olmId/unarchive",
+    verifyIsLoggedInUser,
+    verifyOlmAccess,
+    olm.unarchiveUserOlm
+);
+
 authenticated.get(
     "/user/:userId/olm/:olmId",
     verifyIsLoggedInUser,
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 9db5fe71..6de01843 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -843,6 +843,22 @@ authenticated.delete(
     client.deleteClient
 );
 
+authenticated.post(
+    "/client/:clientId/archive",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.archiveClient),
+    logActionAudit(ActionsEnum.archiveClient),
+    client.archiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/unarchive",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.unarchiveClient),
+    logActionAudit(ActionsEnum.unarchiveClient),
+    client.unarchiveClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyApiKeyClientAccess,
diff --git a/server/routers/olm/archiveUserOlm.ts b/server/routers/olm/archiveUserOlm.ts
index 9664552f..46abd1a1 100644
--- a/server/routers/olm/archiveUserOlm.ts
+++ b/server/routers/olm/archiveUserOlm.ts
@@ -8,7 +8,6 @@ import response from "@server/lib/response";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
-import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
 import { sendTerminateClient } from "../client/terminate";
 
@@ -19,17 +18,6 @@ const paramsSchema = z
     })
     .strict();
 
-// registry.registerPath({
-//     method: "post",
-//     path: "/user/{userId}/olm/{olmId}/archive",
-//     description: "Archive an olm for a user.",
-//     tags: [OpenAPITags.User, OpenAPITags.Client],
-//     request: {
-//         params: paramsSchema
-//     },
-//     responses: {}
-// });
-
 export async function archiveUserOlm(
     req: Request,
     res: Response,
diff --git a/server/routers/olm/handleOlmPingMessage.ts b/server/routers/olm/handleOlmPingMessage.ts
index 0fa490c8..36ca0001 100644
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -1,7 +1,7 @@
 import { db } from "@server/db";
 import { disconnectClient } from "#dynamic/routers/ws";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Olm } from "@server/db";
+import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
@@ -108,6 +108,8 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
         return;
     }
 
+    let client: (typeof clients.$inferSelect) | undefined;
+
     if (olm.userId) {
         // we need to check a user token to make sure its still valid
         const { session: userSession, user } =
@@ -122,7 +124,7 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
         }
 
         // get the client
-        const [client] = await db
+        const [userClient] = await db
             .select()
             .from(clients)
             .where(
@@ -133,11 +135,13 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             )
             .limit(1);
 
-        if (!client) {
+        if (!userClient) {
             logger.warn("Client not found for olm ping");
             return;
         }
 
+        client = userClient;
+
         const sessionId = encodeHexLowerCase(
             sha256(new TextEncoder().encode(userToken))
         );
@@ -167,9 +171,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             .update(clients)
             .set({
                 lastPing: Math.floor(Date.now() / 1000),
-                online: true
+                online: true,
+                archived: false
             })
             .where(eq(clients.clientId, olm.clientId));
+
+        await db.update(olms).set({ archived: false }).where(eq(olms.olmId, olm.olmId));
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
diff --git a/server/routers/olm/index.ts b/server/routers/olm/index.ts
index 4b75bdfc..6957c18b 100644
--- a/server/routers/olm/index.ts
+++ b/server/routers/olm/index.ts
@@ -4,6 +4,7 @@ export * from "./createUserOlm";
 export * from "./handleOlmRelayMessage";
 export * from "./handleOlmPingMessage";
 export * from "./archiveUserOlm";
+export * from "./unarchiveUserOlm";
 export * from "./listUserOlms";
 export * from "./getUserOlm";
 export * from "./handleOlmServerPeerAddMessage";
diff --git a/server/routers/olm/unarchiveUserOlm.ts b/server/routers/olm/unarchiveUserOlm.ts
new file mode 100644
index 00000000..28d540b8
--- /dev/null
+++ b/server/routers/olm/unarchiveUserOlm.ts
@@ -0,0 +1,84 @@
+import { NextFunction, Request, Response } from "express";
+import { db } from "@server/db";
+import { olms } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+
+const paramsSchema = z
+    .object({
+        userId: z.string(),
+        olmId: z.string()
+    })
+    .strict();
+
+export async function unarchiveUserOlm(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { olmId } = parsedParams.data;
+
+        // Check if OLM exists and is archived
+        const [olm] = await db
+            .select()
+            .from(olms)
+            .where(eq(olms.olmId, olmId))
+            .limit(1);
+
+        if (!olm) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `OLM with ID ${olmId} not found`
+                )
+            );
+        }
+
+        if (!olm.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `OLM with ID ${olmId} is not archived`
+                )
+            );
+        }
+
+        // Unarchive the OLM (set archived to false)
+        await db
+            .update(olms)
+            .set({ archived: false })
+            .where(eq(olms.olmId, olmId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Device unarchived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unarchive device"
+            )
+        );
+    }
+}
diff --git a/src/app/[orgId]/settings/clients/machine/page.tsx b/src/app/[orgId]/settings/clients/machine/page.tsx
index f2618bc2..88508475 100644
--- a/src/app/[orgId]/settings/clients/machine/page.tsx
+++ b/src/app/[orgId]/settings/clients/machine/page.tsx
@@ -59,7 +59,8 @@ export default async function ClientsPage(props: ClientsPageProps) {
             username: client.username,
             userEmail: client.userEmail,
             niceId: client.niceId,
-            agent: client.agent
+            agent: client.agent,
+            archived: client.archived || false
         };
     };
 
diff --git a/src/app/[orgId]/settings/clients/user/page.tsx b/src/app/[orgId]/settings/clients/user/page.tsx
index 28288fd2..52e5963f 100644
--- a/src/app/[orgId]/settings/clients/user/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/page.tsx
@@ -55,7 +55,8 @@ export default async function ClientsPage(props: ClientsPageProps) {
             username: client.username,
             userEmail: client.userEmail,
             niceId: client.niceId,
-            agent: client.agent
+            agent: client.agent,
+            archived: client.archived || false
         };
     };
 
diff --git a/src/components/MachineClientsTable.tsx b/src/components/MachineClientsTable.tsx
index 67ed2e08..71c4ea7b 100644
--- a/src/components/MachineClientsTable.tsx
+++ b/src/components/MachineClientsTable.tsx
@@ -42,6 +42,7 @@ export type ClientRow = {
     userEmail: string | null;
     niceId: string;
     agent: string | null;
+    archived?: boolean;
 };
 
 type ClientTableProps = {
@@ -103,6 +104,40 @@ export default function MachineClientsTable({
             });
     };
 
+    const archiveClient = (clientId: number) => {
+        api.post(`/client/${clientId}/archive`)
+            .catch((e) => {
+                console.error("Error archiving client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error archiving client",
+                    description: formatAxiosError(e, "Error archiving client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
+    const unarchiveClient = (clientId: number) => {
+        api.post(`/client/${clientId}/unarchive`)
+            .catch((e) => {
+                console.error("Error unarchiving client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error unarchiving client",
+                    description: formatAxiosError(e, "Error unarchiving client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
     // Check if there are any rows without userIds in the current view's data
     const hasRowsWithoutUserId = useMemo(() => {
         return machineClients.some((client) => !client.userId) ?? false;
@@ -128,6 +163,19 @@ export default function MachineClientsTable({
                             <ArrowUpDown className="ml-2 h-4 w-4" />
                         </Button>
                     );
+                },
+                cell: ({ row }) => {
+                    const r = row.original;
+                    return (
+                        <div className="flex items-center gap-2">
+                            <span>{r.name}</span>
+                            {r.archived && (
+                                <Badge variant="secondary">
+                                    {t("archived")}
+                                </Badge>
+                            )}
+                        </div>
+                    );
                 }
             },
             {
@@ -307,14 +355,19 @@ export default function MachineClientsTable({
                                     </Button>
                                 </DropdownMenuTrigger>
                                 <DropdownMenuContent align="end">
-                                    {/* <Link */}
-                                    {/*     className="block w-full" */}
-                                    {/*     href={`/${clientRow.orgId}/settings/sites/${clientRow.nice}`} */}
-                                    {/* > */}
-                                    {/*     <DropdownMenuItem> */}
-                                    {/*         View settings */}
-                                    {/*     </DropdownMenuItem> */}
-                                    {/* </Link> */}
+                                    <DropdownMenuItem
+                                        onClick={() => {
+                                            if (clientRow.archived) {
+                                                unarchiveClient(clientRow.id);
+                                            } else {
+                                                archiveClient(clientRow.id);
+                                            }
+                                        }}
+                                    >
+                                        <span>
+                                            {clientRow.archived ? "Unarchive" : "Archive"}
+                                        </span>
+                                    </DropdownMenuItem>
                                     <DropdownMenuItem
                                         onClick={() => {
                                             setSelectedClient(clientRow);
@@ -383,6 +436,32 @@ export default function MachineClientsTable({
                 columnVisibility={defaultMachineColumnVisibility}
                 stickyLeftColumn="name"
                 stickyRightColumn="actions"
+                filters={[
+                    {
+                        id: "status",
+                        label: t("status") || "Status",
+                        multiSelect: true,
+                        displayMode: "calculated",
+                        options: [
+                            {
+                                id: "active",
+                                label: t("active") || "Active",
+                                value: false
+                            },
+                            {
+                                id: "archived",
+                                label: t("archived") || "Archived",
+                                value: true
+                            }
+                        ],
+                        filterFn: (row: ClientRow, selectedValues: (string | number | boolean)[]) => {
+                            if (selectedValues.length === 0) return true;
+                            const rowArchived = row.archived || false;
+                            return selectedValues.includes(rowArchived);
+                        },
+                        defaultValues: [false] // Default to showing active clients
+                    }
+                ]}
             />
         </>
     );
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index a5cfad7b..1b13066d 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -103,6 +103,8 @@ function getActionsCategories(root: boolean) {
         Client: {
             [t("actionCreateClient")]: "createClient",
             [t("actionDeleteClient")]: "deleteClient",
+            [t("actionArchiveClient")]: "archiveClient",
+            [t("actionUnarchiveClient")]: "unarchiveClient",
             [t("actionUpdateClient")]: "updateClient",
             [t("actionListClients")]: "listClients",
             [t("actionGetClient")]: "getClient"
diff --git a/src/components/UserDevicesTable.tsx b/src/components/UserDevicesTable.tsx
index e413207a..c68c6821 100644
--- a/src/components/UserDevicesTable.tsx
+++ b/src/components/UserDevicesTable.tsx
@@ -43,6 +43,7 @@ export type ClientRow = {
     userEmail: string | null;
     niceId: string;
     agent: string | null;
+    archived?: boolean;
 };
 
 type ClientTableProps = {
@@ -99,6 +100,40 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
             });
     };
 
+    const archiveClient = (clientId: number) => {
+        api.post(`/client/${clientId}/archive`)
+            .catch((e) => {
+                console.error("Error archiving client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error archiving client",
+                    description: formatAxiosError(e, "Error archiving client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
+    const unarchiveClient = (clientId: number) => {
+        api.post(`/client/${clientId}/unarchive`)
+            .catch((e) => {
+                console.error("Error unarchiving client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error unarchiving client",
+                    description: formatAxiosError(e, "Error unarchiving client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
     // Check if there are any rows without userIds in the current view's data
     const hasRowsWithoutUserId = useMemo(() => {
         return userClients.some((client) => !client.userId);
@@ -124,6 +159,19 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                             <ArrowUpDown className="ml-2 h-4 w-4" />
                         </Button>
                     );
+                },
+                cell: ({ row }) => {
+                    const r = row.original;
+                    return (
+                        <div className="flex items-center gap-2">
+                            <span>{r.name}</span>
+                            {r.archived && (
+                                <Badge variant="secondary">
+                                    {t("archived")}
+                                </Badge>
+                            )}
+                        </div>
+                    );
                 }
             },
             {
@@ -348,7 +396,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
             header: () => <span className="p-3"></span>,
             cell: ({ row }) => {
                 const clientRow = row.original;
-                return !clientRow.userId ? (
+                return (
                     <div className="flex items-center gap-2 justify-end">
                         <DropdownMenu>
                             <DropdownMenuTrigger asChild>
@@ -358,34 +406,40 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                                 </Button>
                             </DropdownMenuTrigger>
                             <DropdownMenuContent align="end">
-                                {/* <Link */}
-                                {/*     className="block w-full" */}
-                                {/*     href={`/${clientRow.orgId}/settings/sites/${clientRow.nice}`} */}
-                                {/* > */}
-                                {/*     <DropdownMenuItem> */}
-                                {/*         View settings */}
-                                {/*     </DropdownMenuItem> */}
-                                {/* </Link> */}
                                 <DropdownMenuItem
                                     onClick={() => {
-                                        setSelectedClient(clientRow);
-                                        setIsDeleteModalOpen(true);
+                                        if (clientRow.archived) {
+                                            unarchiveClient(clientRow.id);
+                                        } else {
+                                            archiveClient(clientRow.id);
+                                        }
                                     }}
                                 >
-                                    <span className="text-red-500">Delete</span>
+                                    <span>{clientRow.archived ? "Unarchive" : "Archive"}</span>
                                 </DropdownMenuItem>
+                                {!clientRow.userId && (
+                                    // Machine client - also show delete option
+                                    <DropdownMenuItem
+                                        onClick={() => {
+                                            setSelectedClient(clientRow);
+                                            setIsDeleteModalOpen(true);
+                                        }}
+                                    >
+                                        <span className="text-red-500">Delete</span>
+                                    </DropdownMenuItem>
+                                )}
                             </DropdownMenuContent>
                         </DropdownMenu>
                         <Link
                             href={`/${clientRow.orgId}/settings/clients/${clientRow.id}`}
                         >
                             <Button variant={"outline"}>
-                                Edit
+                                View
                                 <ArrowRight className="ml-2 w-4 h-4" />
                             </Button>
                         </Link>
                     </div>
-                ) : null;
+                );
             }
         });
 
@@ -394,7 +448,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
 
     return (
         <>
-            {selectedClient && (
+            {selectedClient && !selectedClient.userId && (
                 <ConfirmDeleteDialog
                     open={isDeleteModalOpen}
                     setOpen={(val) => {
@@ -429,6 +483,32 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                 columnVisibility={defaultUserColumnVisibility}
                 stickyLeftColumn="name"
                 stickyRightColumn="actions"
+                filters={[
+                    {
+                        id: "status",
+                        label: t("status") || "Status",
+                        multiSelect: true,
+                        displayMode: "calculated",
+                        options: [
+                            {
+                                id: "active",
+                                label: t("active") || "Active",
+                                value: false
+                            },
+                            {
+                                id: "archived",
+                                label: t("archived") || "Archived",
+                                value: true
+                            }
+                        ],
+                        filterFn: (row: ClientRow, selectedValues: (string | number | boolean)[]) => {
+                            if (selectedValues.length === 0) return true;
+                            const rowArchived = row.archived || false;
+                            return selectedValues.includes(rowArchived);
+                        },
+                        defaultValues: [false] // Default to showing active clients
+                    }
+                ]}
             />
         </>
     );
diff --git a/src/components/ViewDevicesDialog.tsx b/src/components/ViewDevicesDialog.tsx
index 86417694..a54a71fd 100644
--- a/src/components/ViewDevicesDialog.tsx
+++ b/src/components/ViewDevicesDialog.tsx
@@ -123,6 +123,34 @@ export default function ViewDevicesDialog({
         }
     };
 
+    const unarchiveDevice = async (olmId: string) => {
+        try {
+            await api.post(`/user/${user?.userId}/olm/${olmId}/unarchive`);
+            toast({
+                title: t("deviceUnarchived") || "Device unarchived",
+                description:
+                    t("deviceUnarchivedDescription") ||
+                    "The device has been successfully unarchived."
+            });
+            // Update the device's archived status in the local state
+            setDevices(
+                devices.map((d) =>
+                    d.olmId === olmId ? { ...d, archived: false } : d
+                )
+            );
+        } catch (error: any) {
+            console.error("Error unarchiving device:", error);
+            toast({
+                variant: "destructive",
+                title: t("errorUnarchivingDevice") || "Error unarchiving device",
+                description: formatAxiosError(
+                    error,
+                    t("failedToUnarchiveDevice") || "Failed to unarchive device"
+                )
+            });
+        }
+    };
+
     function reset() {
         setDevices([]);
         setSelectedDevice(null);
@@ -186,29 +214,29 @@ export default function ViewDevicesDialog({
                                 <TabsContent value="available" className="mt-4">
                                     {devices.filter((d) => !d.archived)
                                         .length === 0 ? (
-                                        <div className="text-center py-8 text-muted-foreground">
+                            <div className="text-center py-8 text-muted-foreground">
                                             {t("noDevices") ||
                                                 "No devices found"}
-                                        </div>
-                                    ) : (
-                                        <div className="rounded-md border">
-                                            <Table>
-                                                <TableHeader>
-                                                    <TableRow>
-                                                        <TableHead className="pl-3">
-                                                        {t("name") || "Name"}
-                                                        </TableHead>
-                                                        <TableHead>
-                                                            {t("dateCreated") ||
-                                                                "Date Created"}
-                                                        </TableHead>
-                                                        <TableHead>
+                            </div>
+                        ) : (
+                            <div className="rounded-md border">
+                                <Table>
+                                    <TableHeader>
+                                        <TableRow>
+                                            <TableHead className="pl-3">
+                                                {t("name") || "Name"}
+                                            </TableHead>
+                                            <TableHead>
+                                                {t("dateCreated") ||
+                                                    "Date Created"}
+                                            </TableHead>
+                                            <TableHead>
                                                             {t("actions") ||
                                                                 "Actions"}
-                                                        </TableHead>
-                                                    </TableRow>
-                                                </TableHeader>
-                                                <TableBody>
+                                            </TableHead>
+                                        </TableRow>
+                                    </TableHeader>
+                                    <TableBody>
                                                     {devices
                                                         .filter(
                                                             (d) => !d.archived
@@ -217,43 +245,43 @@ export default function ViewDevicesDialog({
                                                             <TableRow
                                                                 key={device.olmId}
                                                             >
-                                                                <TableCell className="font-medium">
-                                                                    {device.name ||
+                                                <TableCell className="font-medium">
+                                                    {device.name ||
                                                                         t(
                                                                             "unnamedDevice"
                                                                         ) ||
-                                                                        "Unnamed Device"}
-                                                                </TableCell>
-                                                                <TableCell>
-                                                                    {moment(
-                                                                        device.dateCreated
+                                                        "Unnamed Device"}
+                                                </TableCell>
+                                                <TableCell>
+                                                    {moment(
+                                                        device.dateCreated
                                                                     ).format(
                                                                         "lll"
                                                                     )}
-                                                                </TableCell>
-                                                                <TableCell>
-                                                                    <Button
-                                                                        variant="outline"
-                                                                        onClick={() => {
-                                                                            setSelectedDevice(
-                                                                                device
-                                                                            );
+                                                </TableCell>
+                                                <TableCell>
+                                                    <Button
+                                                        variant="outline"
+                                                        onClick={() => {
+                                                            setSelectedDevice(
+                                                                device
+                                                            );
                                                                             setIsArchiveModalOpen(
-                                                                                true
-                                                                            );
-                                                                        }}
-                                                                    >
+                                                                true
+                                                            );
+                                                        }}
+                                                    >
                                                                         {t(
                                                                             "archive"
                                                                         ) ||
                                                                             "Archive"}
-                                                                    </Button>
-                                                                </TableCell>
-                                                            </TableRow>
-                                                        ))}
-                                                </TableBody>
-                                            </Table>
-                                        </div>
+                                                    </Button>
+                                                </TableCell>
+                                            </TableRow>
+                                        ))}
+                                    </TableBody>
+                                </Table>
+                            </div>
                                     )}
                                 </TabsContent>
                                 <TabsContent value="archived" className="mt-4">
@@ -275,6 +303,10 @@ export default function ViewDevicesDialog({
                                                             {t("dateCreated") ||
                                                                 "Date Created"}
                                                         </TableHead>
+                                                        <TableHead>
+                                                            {t("actions") ||
+                                                                "Actions"}
+                                                        </TableHead>
                                                     </TableRow>
                                                 </TableHeader>
                                                 <TableBody>
@@ -300,6 +332,16 @@ export default function ViewDevicesDialog({
                                                                         "lll"
                                                                     )}
                                                                 </TableCell>
+                                                                <TableCell>
+                                                                    <Button
+                                                                        variant="outline"
+                                                                        onClick={() => {
+                                                                            unarchiveDevice(device.olmId);
+                                                                        }}
+                                                                    >
+                                                                        {t("unarchive") || "Unarchive"}
+                                                                    </Button>
+                                                                </TableCell>
                                                             </TableRow>
                                                         ))}
                                                 </TableBody>
diff --git a/src/components/ui/data-table.tsx b/src/components/ui/data-table.tsx
index d6339081..af61bb53 100644
--- a/src/components/ui/data-table.tsx
+++ b/src/components/ui/data-table.tsx
@@ -33,7 +33,7 @@ import { Button } from "@app/components/ui/button";
 import { useEffect, useMemo, useRef, useState } from "react";
 import { Input } from "@app/components/ui/input";
 import { DataTablePagination } from "@app/components/DataTablePagination";
-import { Plus, Search, RefreshCw, Columns } from "lucide-react";
+import { Plus, Search, RefreshCw, Columns, Filter } from "lucide-react";
 import {
     Card,
     CardContent,
@@ -140,6 +140,22 @@ type TabFilter = {
     filterFn: (row: any) => boolean;
 };
 
+type FilterOption = {
+    id: string;
+    label: string;
+    value: string | number | boolean;
+};
+
+type DataTableFilter = {
+    id: string;
+    label: string;
+    options: FilterOption[];
+    multiSelect?: boolean;
+    filterFn: (row: any, selectedValues: (string | number | boolean)[]) => boolean;
+    defaultValues?: (string | number | boolean)[];
+    displayMode?: "label" | "calculated"; // How to display the filter button text
+};
+
 type DataTableProps<TData, TValue> = {
     columns: ExtendedColumnDef<TData, TValue>[];
     data: TData[];
@@ -156,6 +172,8 @@ type DataTableProps<TData, TValue> = {
     };
     tabs?: TabFilter[];
     defaultTab?: string;
+    filters?: DataTableFilter[];
+    filterDisplayMode?: "label" | "calculated"; // Global filter display mode (can be overridden per filter)
     persistPageSize?: boolean | string;
     defaultPageSize?: number;
     columnVisibility?: Record<string, boolean>;
@@ -178,6 +196,8 @@ export function DataTable<TData, TValue>({
     defaultSort,
     tabs,
     defaultTab,
+    filters,
+    filterDisplayMode = "label",
     persistPageSize = false,
     defaultPageSize = 20,
     columnVisibility: defaultColumnVisibility,
@@ -235,6 +255,15 @@ export function DataTable<TData, TValue>({
     const [activeTab, setActiveTab] = useState<string>(
         defaultTab || tabs?.[0]?.id || ""
     );
+    const [activeFilters, setActiveFilters] = useState<Record<string, (string | number | boolean)[]>>(
+        () => {
+            const initial: Record<string, (string | number | boolean)[]> = {};
+            filters?.forEach((filter) => {
+                initial[filter.id] = filter.defaultValues || [];
+            });
+            return initial;
+        }
+    );
 
     // Track initial values to avoid storing defaults on first render
     const initialPageSize = useRef(pageSize);
@@ -242,19 +271,32 @@ export function DataTable<TData, TValue>({
     const hasUserChangedPageSize = useRef(false);
     const hasUserChangedColumnVisibility = useRef(false);
 
-    // Apply tab filter to data
+    // Apply tab and custom filters to data
     const filteredData = useMemo(() => {
-        if (!tabs || activeTab === "") {
-            return data;
+        let result = data;
+
+        // Apply tab filter
+        if (tabs && activeTab !== "") {
+            const activeTabFilter = tabs.find((tab) => tab.id === activeTab);
+            if (activeTabFilter) {
+                result = result.filter(activeTabFilter.filterFn);
+            }
         }
 
-        const activeTabFilter = tabs.find((tab) => tab.id === activeTab);
-        if (!activeTabFilter) {
-            return data;
+        // Apply custom filters
+        if (filters && filters.length > 0) {
+            filters.forEach((filter) => {
+                const selectedValues = activeFilters[filter.id] || [];
+                if (selectedValues.length > 0) {
+                    result = result.filter((row) =>
+                        filter.filterFn(row, selectedValues)
+                    );
+                }
+            });
         }
 
-        return data.filter(activeTabFilter.filterFn);
-    }, [data, tabs, activeTab]);
+        return result;
+    }, [data, tabs, activeTab, filters, activeFilters]);
 
     const table = useReactTable({
         data: filteredData,
@@ -318,6 +360,64 @@ export function DataTable<TData, TValue>({
         setPagination((prev) => ({ ...prev, pageIndex: 0 }));
     };
 
+    const handleFilterChange = (
+        filterId: string,
+        optionValue: string | number | boolean,
+        checked: boolean
+    ) => {
+        setActiveFilters((prev) => {
+            const currentValues = prev[filterId] || [];
+            const filter = filters?.find((f) => f.id === filterId);
+            
+            if (!filter) return prev;
+
+            let newValues: (string | number | boolean)[];
+            
+            if (filter.multiSelect) {
+                // Multi-select: add or remove the value
+                if (checked) {
+                    newValues = [...currentValues, optionValue];
+                } else {
+                    newValues = currentValues.filter((v) => v !== optionValue);
+                }
+            } else {
+                // Single-select: replace the value
+                newValues = checked ? [optionValue] : [];
+            }
+
+            return {
+                ...prev,
+                [filterId]: newValues
+            };
+        });
+        // Reset to first page when changing filters
+        setPagination((prev) => ({ ...prev, pageIndex: 0 }));
+    };
+
+    // Calculate display text for a filter based on selected values
+    const getFilterDisplayText = (filter: DataTableFilter): string => {
+        const selectedValues = activeFilters[filter.id] || [];
+        
+        if (selectedValues.length === 0) {
+            return filter.label;
+        }
+
+        const selectedOptions = filter.options.filter((option) =>
+            selectedValues.includes(option.value)
+        );
+
+        if (selectedOptions.length === 0) {
+            return filter.label;
+        }
+
+        if (selectedOptions.length === 1) {
+            return selectedOptions[0].label;
+        }
+
+        // Multiple selections: always join with "and"
+        return selectedOptions.map((opt) => opt.label).join(" and ");
+    };
+
     // Enhanced pagination component that updates our local state
     const handlePageSizeChange = (newPageSize: number) => {
         hasUserChangedPageSize.current = true;
@@ -387,6 +487,63 @@ export function DataTable<TData, TValue>({
                             />
                             <Search className="h-4 w-4 absolute left-2 top-1/2 transform -translate-y-1/2 text-muted-foreground" />
                         </div>
+                        {filters && filters.length > 0 && (
+                            <div className="flex gap-2">
+                                {filters.map((filter) => {
+                                    const selectedValues = activeFilters[filter.id] || [];
+                                    const hasActiveFilters = selectedValues.length > 0;
+                                    const displayMode = filter.displayMode || filterDisplayMode;
+                                    const displayText = displayMode === "calculated" 
+                                        ? getFilterDisplayText(filter)
+                                        : filter.label;
+                                    
+                                    return (
+                                        <DropdownMenu key={filter.id}>
+                                            <DropdownMenuTrigger asChild>
+                                                <Button
+                                                    variant={"outline"}
+                                                    size="sm"
+                                                    className="h-9"
+                                                >
+                                                    <Filter className="h-4 w-4 mr-2" />
+                                                    {displayText}
+                                                    {displayMode === "label" && hasActiveFilters && (
+                                                        <span className="ml-2 bg-muted text-foreground rounded-full px-2 py-0.5 text-xs">
+                                                            {selectedValues.length}
+                                                        </span>
+                                                    )}
+                                                </Button>
+                                            </DropdownMenuTrigger>
+                                            <DropdownMenuContent align="start" className="w-48">
+                                                <DropdownMenuLabel>
+                                                    {filter.label}
+                                                </DropdownMenuLabel>
+                                                <DropdownMenuSeparator />
+                                                {filter.options.map((option) => {
+                                                    const isChecked = selectedValues.includes(option.value);
+                                                    return (
+                                                        <DropdownMenuCheckboxItem
+                                                            key={option.id}
+                                                            checked={isChecked}
+                                                            onCheckedChange={(checked) =>
+                                                                handleFilterChange(
+                                                                    filter.id,
+                                                                    option.value,
+                                                                    checked
+                                                                )
+                                                            }
+                                                            onSelect={(e) => e.preventDefault()}
+                                                        >
+                                                            {option.label}
+                                                        </DropdownMenuCheckboxItem>
+                                                    );
+                                                })}
+                                            </DropdownMenuContent>
+                                        </DropdownMenu>
+                                    );
+                                })}
+                            </div>
+                        )}
                         {tabs && tabs.length > 0 && (
                             <Tabs
                                 value={activeTab}

From 673cd0fcd13c1184dd34551ce1109ddd30f8e489 Mon Sep 17 00:00:00 2001
From: miloschwartz <mschwartz10612@gmail.com>
Date: Mon, 12 Jan 2026 20:37:53 -0800
Subject: [PATCH 153/154] add block client

---
 messages/en-US.json                           |   6 ++
 server/auth/actions.ts                        |   2 +
 server/db/pg/schema/schema.ts                 |   3 +-
 server/db/sqlite/schema/schema.ts             |   3 +-
 server/routers/client/blockClient.ts          | 101 ++++++++++++++++++
 server/routers/client/index.ts                |   2 +
 server/routers/client/listClients.ts          |   3 +-
 server/routers/client/unblockClient.ts        |  93 ++++++++++++++++
 server/routers/external.ts                    |  16 +++
 server/routers/integration.ts                 |  16 +++
 .../[orgId]/settings/clients/machine/page.tsx |   3 +-
 .../[orgId]/settings/clients/user/page.tsx    |   3 +-
 src/components/MachineClientsTable.tsx        | 101 +++++++++++++++++-
 src/components/PermissionsSelectBox.tsx       |   2 +
 src/components/UserDevicesTable.tsx           |  99 ++++++++++++++++-
 15 files changed, 438 insertions(+), 15 deletions(-)
 create mode 100644 server/routers/client/blockClient.ts
 create mode 100644 server/routers/client/unblockClient.ts

diff --git a/messages/en-US.json b/messages/en-US.json
index 0ddd883c..12e4f63f 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1120,6 +1120,8 @@
     "actionDeleteClient": "Delete Client",
     "actionArchiveClient": "Archive Client",
     "actionUnarchiveClient": "Unarchive Client",
+    "actionBlockClient": "Block Client",
+    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
@@ -2418,5 +2420,9 @@
     "archiveClientQuestion": "Are you sure you want to archive this client?",
     "archiveClientMessage": "The client will be archived and removed from your active clients list.",
     "archiveClientConfirm": "Archive Client",
+    "blockClient": "Block Client",
+    "blockClientQuestion": "Are you sure you want to block this client?",
+    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
+    "blockClientConfirm": "Block Client",
     "active": "Active"
 }
diff --git a/server/auth/actions.ts b/server/auth/actions.ts
index e0f86244..ea3ab6d1 100644
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -80,6 +80,8 @@ export enum ActionsEnum {
     deleteClient = "deleteClient",
     archiveClient = "archiveClient",
     unarchiveClient = "unarchiveClient",
+    blockClient = "blockClient",
+    unblockClient = "unblockClient",
     updateClient = "updateClient",
     listClients = "listClients",
     getClient = "getClient",
diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index b5ae30c6..a0b1e3be 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -689,7 +689,8 @@ export const clients = pgTable("clients", {
     // endpoint: varchar("endpoint"),
     lastHolePunch: integer("lastHolePunch"),
     maxConnections: integer("maxConnections"),
-    archived: boolean("archived").notNull().default(false)
+    archived: boolean("archived").notNull().default(false),
+    blocked: boolean("blocked").notNull().default(false)
 });
 
 export const clientSitesAssociationsCache = pgTable(
diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 9d84d6b5..84211a1e 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -384,7 +384,8 @@ export const clients = sqliteTable("clients", {
     online: integer("online", { mode: "boolean" }).notNull().default(false),
     // endpoint: text("endpoint"),
     lastHolePunch: integer("lastHolePunch"),
-    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false),
+    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false)
 });
 
 export const clientSitesAssociationsCache = sqliteTable(
diff --git a/server/routers/client/blockClient.ts b/server/routers/client/blockClient.ts
new file mode 100644
index 00000000..e1a00ff6
--- /dev/null
+++ b/server/routers/client/blockClient.ts
@@ -0,0 +1,101 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendTerminateClient } from "./terminate";
+
+const blockClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/block",
+    description: "Block a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: blockClientSchema
+    },
+    responses: {}
+});
+
+export async function blockClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = blockClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (client.blocked) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is already blocked`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            // Block the client
+            await trx
+                .update(clients)
+                .set({ blocked: true })
+                .where(eq(clients.clientId, clientId));
+
+            // Send terminate signal if there's an associated OLM and it's connected
+            if (client.olmId && client.online) {
+                await sendTerminateClient(client.clientId, client.olmId);
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client blocked successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to block client"
+            )
+        );
+    }
+}
diff --git a/server/routers/client/index.ts b/server/routers/client/index.ts
index 72d64de2..34614cc8 100644
--- a/server/routers/client/index.ts
+++ b/server/routers/client/index.ts
@@ -3,6 +3,8 @@ export * from "./createClient";
 export * from "./deleteClient";
 export * from "./archiveClient";
 export * from "./unarchiveClient";
+export * from "./blockClient";
+export * from "./unblockClient";
 export * from "./listClients";
 export * from "./updateClient";
 export * from "./getClient";
diff --git a/server/routers/client/listClients.ts b/server/routers/client/listClients.ts
index 41e995f4..18bc3e38 100644
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -138,7 +138,8 @@ function queryClients(
             niceId: clients.niceId,
             agent: olms.agent,
             olmArchived: olms.archived,
-            archived: clients.archived
+            archived: clients.archived,
+            blocked: clients.blocked
         })
         .from(clients)
         .leftJoin(orgs, eq(clients.orgId, orgs.orgId))
diff --git a/server/routers/client/unblockClient.ts b/server/routers/client/unblockClient.ts
new file mode 100644
index 00000000..82b608a2
--- /dev/null
+++ b/server/routers/client/unblockClient.ts
@@ -0,0 +1,93 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const unblockClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/unblock",
+    description: "Unblock a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: unblockClientSchema
+    },
+    responses: {}
+});
+
+export async function unblockClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = unblockClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (!client.blocked) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is not blocked`
+                )
+            );
+        }
+
+        // Unblock the client
+        await db
+            .update(clients)
+            .set({ blocked: false })
+            .where(eq(clients.clientId, clientId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client unblocked successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unblock client"
+            )
+        );
+    }
+}
diff --git a/server/routers/external.ts b/server/routers/external.ts
index 564a7531..9b6490a5 100644
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -190,6 +190,22 @@ authenticated.post(
     client.unarchiveClient
 );
 
+authenticated.post(
+    "/client/:clientId/block",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.blockClient),
+    logActionAudit(ActionsEnum.blockClient),
+    client.blockClient
+);
+
+authenticated.post(
+    "/client/:clientId/unblock",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.unblockClient),
+    logActionAudit(ActionsEnum.unblockClient),
+    client.unblockClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyClientAccess, // this will check if the user has access to the client
diff --git a/server/routers/integration.ts b/server/routers/integration.ts
index 6de01843..3373285b 100644
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -859,6 +859,22 @@ authenticated.post(
     client.unarchiveClient
 );
 
+authenticated.post(
+    "/client/:clientId/block",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.blockClient),
+    logActionAudit(ActionsEnum.blockClient),
+    client.blockClient
+);
+
+authenticated.post(
+    "/client/:clientId/unblock",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.unblockClient),
+    logActionAudit(ActionsEnum.unblockClient),
+    client.unblockClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyApiKeyClientAccess,
diff --git a/src/app/[orgId]/settings/clients/machine/page.tsx b/src/app/[orgId]/settings/clients/machine/page.tsx
index 88508475..6c39041c 100644
--- a/src/app/[orgId]/settings/clients/machine/page.tsx
+++ b/src/app/[orgId]/settings/clients/machine/page.tsx
@@ -60,7 +60,8 @@ export default async function ClientsPage(props: ClientsPageProps) {
             userEmail: client.userEmail,
             niceId: client.niceId,
             agent: client.agent,
-            archived: client.archived || false
+            archived: client.archived || false,
+            blocked: client.blocked || false
         };
     };
 
diff --git a/src/app/[orgId]/settings/clients/user/page.tsx b/src/app/[orgId]/settings/clients/user/page.tsx
index 52e5963f..79f9d800 100644
--- a/src/app/[orgId]/settings/clients/user/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/page.tsx
@@ -56,7 +56,8 @@ export default async function ClientsPage(props: ClientsPageProps) {
             userEmail: client.userEmail,
             niceId: client.niceId,
             agent: client.agent,
-            archived: client.archived || false
+            archived: client.archived || false,
+            blocked: client.blocked || false
         };
     };
 
diff --git a/src/components/MachineClientsTable.tsx b/src/components/MachineClientsTable.tsx
index 71c4ea7b..85d09664 100644
--- a/src/components/MachineClientsTable.tsx
+++ b/src/components/MachineClientsTable.tsx
@@ -17,7 +17,8 @@ import {
     ArrowRight,
     ArrowUpDown,
     ArrowUpRight,
-    MoreHorizontal
+    MoreHorizontal,
+    CircleSlash
 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
@@ -43,6 +44,7 @@ export type ClientRow = {
     niceId: string;
     agent: string | null;
     archived?: boolean;
+    blocked?: boolean;
 };
 
 type ClientTableProps = {
@@ -59,6 +61,7 @@ export default function MachineClientsTable({
     const t = useTranslations();
 
     const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [isBlockModalOpen, setIsBlockModalOpen] = useState(false);
     const [selectedClient, setSelectedClient] = useState<ClientRow | null>(
         null
     );
@@ -138,6 +141,42 @@ export default function MachineClientsTable({
             });
     };
 
+    const blockClient = (clientId: number) => {
+        api.post(`/client/${clientId}/block`)
+            .catch((e) => {
+                console.error("Error blocking client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error blocking client",
+                    description: formatAxiosError(e, "Error blocking client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                    setIsBlockModalOpen(false);
+                    setSelectedClient(null);
+                });
+            });
+    };
+
+    const unblockClient = (clientId: number) => {
+        api.post(`/client/${clientId}/unblock`)
+            .catch((e) => {
+                console.error("Error unblocking client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error unblocking client",
+                    description: formatAxiosError(e, "Error unblocking client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
     // Check if there are any rows without userIds in the current view's data
     const hasRowsWithoutUserId = useMemo(() => {
         return machineClients.some((client) => !client.userId) ?? false;
@@ -174,6 +213,12 @@ export default function MachineClientsTable({
                                     {t("archived")}
                                 </Badge>
                             )}
+                            {r.blocked && (
+                                <Badge variant="destructive" className="flex items-center gap-1">
+                                    <CircleSlash className="h-3 w-3" />
+                                    {t("blocked")}
+                                </Badge>
+                            )}
                         </div>
                     );
                 }
@@ -368,6 +413,20 @@ export default function MachineClientsTable({
                                             {clientRow.archived ? "Unarchive" : "Archive"}
                                         </span>
                                     </DropdownMenuItem>
+                                    <DropdownMenuItem
+                                        onClick={() => {
+                                            if (clientRow.blocked) {
+                                                unblockClient(clientRow.id);
+                                            } else {
+                                                setSelectedClient(clientRow);
+                                                setIsBlockModalOpen(true);
+                                            }
+                                        }}
+                                    >
+                                        <span>
+                                            {clientRow.blocked ? "Unblock" : "Block"}
+                                        </span>
+                                    </DropdownMenuItem>
                                     <DropdownMenuItem
                                         onClick={() => {
                                             setSelectedClient(clientRow);
@@ -418,6 +477,27 @@ export default function MachineClientsTable({
                     title="Delete Client"
                 />
             )}
+            {selectedClient && (
+                <ConfirmDeleteDialog
+                    open={isBlockModalOpen}
+                    setOpen={(val) => {
+                        setIsBlockModalOpen(val);
+                        if (!val) {
+                            setSelectedClient(null);
+                        }
+                    }}
+                    dialog={
+                        <div className="space-y-2">
+                            <p>{t("blockClientQuestion")}</p>
+                            <p>{t("blockClientMessage")}</p>
+                        </div>
+                    }
+                    buttonText={t("blockClientConfirm")}
+                    onConfirm={async () => blockClient(selectedClient!.id)}
+                    string={selectedClient.name}
+                    title={t("blockClient")}
+                />
+            )}
 
             <DataTable
                 columns={columns}
@@ -446,20 +526,31 @@ export default function MachineClientsTable({
                             {
                                 id: "active",
                                 label: t("active") || "Active",
-                                value: false
+                                value: "active"
                             },
                             {
                                 id: "archived",
                                 label: t("archived") || "Archived",
-                                value: true
+                                value: "archived"
+                            },
+                            {
+                                id: "blocked",
+                                label: t("blocked") || "Blocked",
+                                value: "blocked"
                             }
                         ],
                         filterFn: (row: ClientRow, selectedValues: (string | number | boolean)[]) => {
                             if (selectedValues.length === 0) return true;
                             const rowArchived = row.archived || false;
-                            return selectedValues.includes(rowArchived);
+                            const rowBlocked = row.blocked || false;
+                            const isActive = !rowArchived && !rowBlocked;
+                            
+                            if (selectedValues.includes("active") && isActive) return true;
+                            if (selectedValues.includes("archived") && rowArchived) return true;
+                            if (selectedValues.includes("blocked") && rowBlocked) return true;
+                            return false;
                         },
-                        defaultValues: [false] // Default to showing active clients
+                        defaultValues: ["active"] // Default to showing active clients
                     }
                 ]}
             />
diff --git a/src/components/PermissionsSelectBox.tsx b/src/components/PermissionsSelectBox.tsx
index 1b13066d..73f8a212 100644
--- a/src/components/PermissionsSelectBox.tsx
+++ b/src/components/PermissionsSelectBox.tsx
@@ -105,6 +105,8 @@ function getActionsCategories(root: boolean) {
             [t("actionDeleteClient")]: "deleteClient",
             [t("actionArchiveClient")]: "archiveClient",
             [t("actionUnarchiveClient")]: "unarchiveClient",
+            [t("actionBlockClient")]: "blockClient",
+            [t("actionUnblockClient")]: "unblockClient",
             [t("actionUpdateClient")]: "updateClient",
             [t("actionListClients")]: "listClients",
             [t("actionGetClient")]: "getClient"
diff --git a/src/components/UserDevicesTable.tsx b/src/components/UserDevicesTable.tsx
index c68c6821..14d12373 100644
--- a/src/components/UserDevicesTable.tsx
+++ b/src/components/UserDevicesTable.tsx
@@ -17,7 +17,8 @@ import {
     ArrowRight,
     ArrowUpDown,
     ArrowUpRight,
-    MoreHorizontal
+    MoreHorizontal,
+    CircleSlash
 } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
@@ -44,6 +45,7 @@ export type ClientRow = {
     niceId: string;
     agent: string | null;
     archived?: boolean;
+    blocked?: boolean;
 };
 
 type ClientTableProps = {
@@ -56,6 +58,7 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
     const t = useTranslations();
 
     const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+    const [isBlockModalOpen, setIsBlockModalOpen] = useState(false);
     const [selectedClient, setSelectedClient] = useState<ClientRow | null>(
         null
     );
@@ -134,6 +137,42 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
             });
     };
 
+    const blockClient = (clientId: number) => {
+        api.post(`/client/${clientId}/block`)
+            .catch((e) => {
+                console.error("Error blocking client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error blocking client",
+                    description: formatAxiosError(e, "Error blocking client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                    setIsBlockModalOpen(false);
+                    setSelectedClient(null);
+                });
+            });
+    };
+
+    const unblockClient = (clientId: number) => {
+        api.post(`/client/${clientId}/unblock`)
+            .catch((e) => {
+                console.error("Error unblocking client", e);
+                toast({
+                    variant: "destructive",
+                    title: "Error unblocking client",
+                    description: formatAxiosError(e, "Error unblocking client")
+                });
+            })
+            .then(() => {
+                startTransition(() => {
+                    router.refresh();
+                });
+            });
+    };
+
     // Check if there are any rows without userIds in the current view's data
     const hasRowsWithoutUserId = useMemo(() => {
         return userClients.some((client) => !client.userId);
@@ -170,6 +209,12 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                                     {t("archived")}
                                 </Badge>
                             )}
+                            {r.blocked && (
+                                <Badge variant="destructive" className="flex items-center gap-1">
+                                    <CircleSlash className="h-3 w-3" />
+                                    {t("blocked")}
+                                </Badge>
+                            )}
                         </div>
                     );
                 }
@@ -417,6 +462,18 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                                 >
                                     <span>{clientRow.archived ? "Unarchive" : "Archive"}</span>
                                 </DropdownMenuItem>
+                                <DropdownMenuItem
+                                    onClick={() => {
+                                        if (clientRow.blocked) {
+                                            unblockClient(clientRow.id);
+                                        } else {
+                                            setSelectedClient(clientRow);
+                                            setIsBlockModalOpen(true);
+                                        }
+                                    }}
+                                >
+                                    <span>{clientRow.blocked ? "Unblock" : "Block"}</span>
+                                </DropdownMenuItem>
                                 {!clientRow.userId && (
                                     // Machine client - also show delete option
                                     <DropdownMenuItem
@@ -467,6 +524,27 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                     title="Delete Client"
                 />
             )}
+            {selectedClient && (
+                <ConfirmDeleteDialog
+                    open={isBlockModalOpen}
+                    setOpen={(val) => {
+                        setIsBlockModalOpen(val);
+                        if (!val) {
+                            setSelectedClient(null);
+                        }
+                    }}
+                    dialog={
+                        <div className="space-y-2">
+                            <p>{t("blockClientQuestion")}</p>
+                            <p>{t("blockClientMessage")}</p>
+                        </div>
+                    }
+                    buttonText={t("blockClientConfirm")}
+                    onConfirm={async () => blockClient(selectedClient!.id)}
+                    string={selectedClient.name}
+                    title={t("blockClient")}
+                />
+            )}
 
             <ClientDownloadBanner />
 
@@ -493,20 +571,31 @@ export default function UserDevicesTable({ userClients }: ClientTableProps) {
                             {
                                 id: "active",
                                 label: t("active") || "Active",
-                                value: false
+                                value: "active"
                             },
                             {
                                 id: "archived",
                                 label: t("archived") || "Archived",
-                                value: true
+                                value: "archived"
+                            },
+                            {
+                                id: "blocked",
+                                label: t("blocked") || "Blocked",
+                                value: "blocked"
                             }
                         ],
                         filterFn: (row: ClientRow, selectedValues: (string | number | boolean)[]) => {
                             if (selectedValues.length === 0) return true;
                             const rowArchived = row.archived || false;
-                            return selectedValues.includes(rowArchived);
+                            const rowBlocked = row.blocked || false;
+                            const isActive = !rowArchived && !rowBlocked;
+                            
+                            if (selectedValues.includes("active") && isActive) return true;
+                            if (selectedValues.includes("archived") && rowArchived) return true;
+                            if (selectedValues.includes("blocked") && rowBlocked) return true;
+                            return false;
                         },
-                        defaultValues: [false] // Default to showing active clients
+                        defaultValues: ["active"] // Default to showing active clients
                     }
                 ]}
             />

From 552adf320055d2620fff61af7b610662affc7001 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Mon, 12 Jan 2026 21:14:18 -0800
Subject: [PATCH 154/154] Properly handle blocked devices

---
 server/routers/olm/handleOlmPingMessage.ts    | 113 +++++++++---------
 .../routers/olm/handleOlmRegisterMessage.ts   |  16 ++-
 2 files changed, 71 insertions(+), 58 deletions(-)

diff --git a/server/routers/olm/handleOlmPingMessage.ts b/server/routers/olm/handleOlmPingMessage.ts
index 36ca0001..9361193d 100644
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -108,65 +108,65 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
         return;
     }
 
-    let client: (typeof clients.$inferSelect) | undefined;
-
-    if (olm.userId) {
-        // we need to check a user token to make sure its still valid
-        const { session: userSession, user } =
-            await validateSessionToken(userToken);
-        if (!userSession || !user) {
-            logger.warn("Invalid user session for olm ping");
-            return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
-        }
-        if (user.userId !== olm.userId) {
-            logger.warn("User ID mismatch for olm ping");
-            return;
-        }
-
-        // get the client
-        const [userClient] = await db
-            .select()
-            .from(clients)
-            .where(
-                and(
-                    eq(clients.olmId, olm.olmId),
-                    eq(clients.userId, olm.userId)
-                )
-            )
-            .limit(1);
-
-        if (!userClient) {
-            logger.warn("Client not found for olm ping");
-            return;
-        }
-
-        client = userClient;
-
-        const sessionId = encodeHexLowerCase(
-            sha256(new TextEncoder().encode(userToken))
-        );
-
-        const policyCheck = await checkOrgAccessPolicy({
-            orgId: client.orgId,
-            userId: olm.userId,
-            sessionId // this is the user token passed in the message
-        });
-
-        if (!policyCheck.allowed) {
-            logger.warn(
-                `Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
-            );
-            return;
-        }
-    }
-
     if (!olm.clientId) {
         logger.warn("Olm has no client ID!");
         return;
     }
 
     try {
-        // Update the client's last ping timestamp
+        // get the client
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, olm.clientId))
+            .limit(1);
+
+        if (!client) {
+            logger.warn("Client not found for olm ping");
+            return;
+        }
+
+        if (client.blocked) {
+            // NOTE: by returning we dont update the lastPing, so the offline checker will eventually disconnect them
+            logger.debug(`Blocked client ${client.clientId} attempted olm ping`);
+            return;
+        }
+
+        if (olm.userId) {
+            // we need to check a user token to make sure its still valid
+            const { session: userSession, user } =
+                await validateSessionToken(userToken);
+            if (!userSession || !user) {
+                logger.warn("Invalid user session for olm ping");
+                return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
+            }
+            if (user.userId !== olm.userId) {
+                logger.warn("User ID mismatch for olm ping");
+                return;
+            }
+            if (user.userId !== client.userId) {
+                logger.warn("Client user ID mismatch for olm ping");
+                return;
+            }
+
+            const sessionId = encodeHexLowerCase(
+                sha256(new TextEncoder().encode(userToken))
+            );
+
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: client.orgId,
+                userId: olm.userId,
+                sessionId // this is the user token passed in the message
+            });
+
+            if (!policyCheck.allowed) {
+                logger.warn(
+                    `Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
+                );
+                return;
+            }
+        }
+
         await db
             .update(clients)
             .set({
@@ -176,7 +176,12 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
             })
             .where(eq(clients.clientId, olm.clientId));
 
-        await db.update(olms).set({ archived: false }).where(eq(olms.olmId, olm.olmId));
+        if (olm.archived) {
+            await db
+                .update(olms)
+                .set({ archived: false })
+                .where(eq(olms.olmId, olm.olmId));
+        }
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
diff --git a/server/routers/olm/handleOlmRegisterMessage.ts b/server/routers/olm/handleOlmRegisterMessage.ts
index 0f71ee8b..3334101e 100644
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -55,6 +55,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         return;
     }
 
+    if (client.blocked) {
+        logger.debug(`Client ${client.clientId} is blocked. Ignoring register.`);
+        return;
+    }
+
     const [org] = await db
         .select()
         .from(orgs)
@@ -112,18 +117,20 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
 
     if (
         (olmVersion && olm.version !== olmVersion) ||
-        (olmAgent && olm.agent !== olmAgent)
+        (olmAgent && olm.agent !== olmAgent) ||
+        olm.archived
     ) {
         await db
             .update(olms)
             .set({
                 version: olmVersion,
-                agent: olmAgent
+                agent: olmAgent,
+                archived: false
             })
             .where(eq(olms.olmId, olm.olmId));
     }
 
-    if (client.pubKey !== publicKey) {
+    if (client.pubKey !== publicKey || client.archived) {
         logger.info(
             "Public key mismatch. Updating public key and clearing session info..."
         );
@@ -131,7 +138,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         await db
             .update(clients)
             .set({
-                pubKey: publicKey
+                pubKey: publicKey,
+                archived: false,
             })
             .where(eq(clients.clientId, client.clientId));