fix policy check on olm register

fix wrong redirect url when idp login with custom auth domain
Show the source in the UI
2026-01-29 06:10:47 +00:00 · 2026-01-22 16:28:15 -08:00 · 2026-01-22 15:46:48 -08:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00
42 changed files with 232 additions and 270 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -442,7 +442,7 @@ jobs:

                  # Determine if this is an RC release
                  IS_RC="false"
-                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                  if [[ "$TAG" == *"-rc."* ]]; then
                      IS_RC="true"
                  fi

--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,13 +4,13 @@
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "[jsonc]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.json-language-features"
    },
    "[javascript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescript]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.typescript-language-features"
    },
    "[typescriptreact]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
@@ -19,4 +19,4 @@
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "editor.formatOnSave": true
-}
+}
--- a/README.md
+++ b/README.md
@@ -35,6 +35,12 @@

 </div>

+<p align="center">
+    <a href="https://docs.pangolin.net/careers/join-us">
+        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
+    </a>
+</p>
+
 <p align="center">
    <strong>
        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
@@ -74,6 +80,8 @@ Download the Pangolin client for your platform:
 - [Mac](https://pangolin.net/downloads/mac)
 - [Windows](https://pangolin.net/downloads/windows)
 - [Linux](https://pangolin.net/downloads/linux)
+- [iOS](https://pangolin.net/downloads/ios)
+- [Android](https://pangolin.net/downloads/android)

 ## Get Started

--- a/blueprint.py
+++ b/blueprint.py
@@ -1,72 +0,0 @@
-import requests
-import yaml
-import json
-import base64
-
-# The file path for the YAML file to be read
-# You can change this to the path of your YAML file
-YAML_FILE_PATH = 'blueprint.yaml'
-
-# The API endpoint and headers from the curl request
-API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
-HEADERS = {
-    'accept': '*/*',
-    'Authorization': 'Bearer <your_token_here>',
-    'Content-Type': 'application/json'
-}
-
-def convert_and_send(file_path, url, headers):
-    """
-    Reads a YAML file, converts its content to a JSON payload,
-    and sends it via a PUT request to a specified URL.
-    """
-    try:
-        # Read the YAML file content
-        with open(file_path, 'r') as file:
-            yaml_content = file.read()
-
-        # Parse the YAML string to a Python dictionary
-        # This will be used to ensure the YAML is valid before sending
-        parsed_yaml = yaml.safe_load(yaml_content)
-
-        # convert the parsed YAML to a JSON string
-        json_payload = json.dumps(parsed_yaml)
-        print("Converted JSON payload:")
-        print(json_payload)
-
-        # Encode the JSON string to Base64
-        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
-
-        # Create the final payload with the base64 encoded data
-        final_payload = {
-            "blueprint": encoded_json
-        }
-
-        print("Sending the following Base64 encoded JSON payload:")
-        print(final_payload)
-        print("-" * 20)
-
-        # Make the PUT request with the base64 encoded payload
-        response = requests.put(url, headers=headers, json=final_payload)
-
-        # Print the API response for debugging
-        print(f"API Response Status Code: {response.status_code}")
-        print("API Response Content:")
-        print(response.text)
-
-        # Raise an exception for bad status codes (4xx or 5xx)
-        response.raise_for_status()
-
-    except FileNotFoundError:
-        print(f"Error: The file '{file_path}' was not found.")
-    except yaml.YAMLError as e:
-        print(f"Error parsing YAML file: {e}")
-    except requests.exceptions.RequestException as e:
-        print(f"An error occurred during the API request: {e}")
-    except Exception as e:
-        print(f"An unexpected error occurred: {e}")
-
-# Run the function
-if __name__ == "__main__":
-    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
-
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -1,70 +0,0 @@
-client-resources:
-  client-resource-nice-id-uno:
-    name: this is my resource
-    protocol: tcp
-    proxy-port: 3001
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-  client-resource-nice-id-duce:
-    name: this is my resource
-    protocol: udp
-    proxy-port: 3000
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-
-proxy-resources:
-  resource-nice-id-uno:
-    name: this is my resource
-    protocol: http
-    full-domain: duce.test.example.com
-    host-header: example.com
-    tls-server-name: example.com
-    # auth:
-      # pincode: 123456
-      # password: sadfasdfadsf
-      # sso-enabled: true
-      # sso-roles:
-      #   - Member
-      # sso-users:
-      #   - owen@pangolin.net
-      # whitelist-users:
-      #   - owen@pangolin.net
-      # auto-login-idp: 1
-    headers:
-      - name: X-Example-Header
-        value: example-value
-      - name: X-Another-Header
-        value: another-value
-    rules:
-      - action: allow
-        match: ip
-        value: 1.1.1.1
-      - action: deny
-        match: cidr 
-        value: 2.2.2.2/32
-      - action: pass
-        match: path
-        value: /admin
-    targets:
-    - site: lively-yosemite-toad
-      path: /path
-      pathMatchType: prefix
-      hostname: localhost
-      method: http
-      port: 8000
-    - site: slim-alpine-chipmunk
-      hostname: localhost
-      path: /yoman
-      pathMatchType: exact
-      method: http
-      port: 8001
-  resource-nice-id-duce:
-    name: this is other resource
-    protocol: tcp
-    proxy-port: 3000
-    targets:
-    - site: lively-yosemite-toad 
-      hostname: localhost
-      port: 3000
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Активирана защитна стена.",
    "autoUpdatesEnabled": "Активирани автоматични актуализации.",
    "tpmAvailable": "TPM е на разположение.",
-    "windowsDefenderEnabled": "Windows Defender е активиран.",
    "macosSipEnabled": "Protection на системната цялост (SIP).",
    "macosGatekeeperEnabled": "Gatekeeper.",
    "macosFirewallStealthMode": "Скрит режим на защитната стена.",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Firewall povolen",
    "autoUpdatesEnabled": "Automatické aktualizace povoleny",
    "tpmAvailable": "TPM k dispozici",
-    "windowsDefenderEnabled": "Okna byla povolena",
    "macosSipEnabled": "Ochrana systémové integrity (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Režim neviditelnosti firewallu",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Firewall aktiviert",
    "autoUpdatesEnabled": "Automatische Updates aktiviert",
    "tpmAvailable": "TPM verfügbar",
-    "windowsDefenderEnabled": "Windows Defender aktiviert",
    "macosSipEnabled": "Schutz der Systemintegrität (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Firewall Stealth-Modus",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2510,7 +2510,7 @@
    "firewallEnabled": "Firewall Enabled",
    "autoUpdatesEnabled": "Auto Updates Enabled",
    "tpmAvailable": "TPM Available",
-    "windowsDefenderEnabled": "Windows Defender Enabled",
+    "windowsAntivirusEnabled": "Antivirus Enabled",
    "macosSipEnabled": "System Integrity Protection (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Firewall Stealth Mode",
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Cortafuegos activado",
    "autoUpdatesEnabled": "Actualizaciones automáticas habilitadas",
    "tpmAvailable": "TPM disponible",
-    "windowsDefenderEnabled": "Windows Defender activado",
    "macosSipEnabled": "Protección de integridad del sistema (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Modo Sigilo Firewall",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Pare-feu activé",
    "autoUpdatesEnabled": "Mises à jour automatiques activées",
    "tpmAvailable": "TPM disponible",
-    "windowsDefenderEnabled": "Windows Defender activé",
    "macosSipEnabled": "Protection contre l'intégrité du système (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Mode furtif du pare-feu",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Firewall Abilitato",
    "autoUpdatesEnabled": "Aggiornamenti Automatici Abilitati",
    "tpmAvailable": "TPM Disponibile",
-    "windowsDefenderEnabled": "Windows Defender Abilitato",
    "macosSipEnabled": "Protezione Dell'Integrità Del Sistema (Sip)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Modo Furtivo Del Firewall",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "방화벽 활성화",
    "autoUpdatesEnabled": "자동 업데이트 활성화",
    "tpmAvailable": "TPM 사용 가능",
-    "windowsDefenderEnabled": "Windows Defender 활성화",
    "macosSipEnabled": "시스템 무결성 보호 (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "방화벽 스텔스 모드",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Brannmur aktivert",
    "autoUpdatesEnabled": "Automatiske oppdateringer aktivert",
    "tpmAvailable": "TPM tilgjengelig",
-    "windowsDefenderEnabled": "Windows svarer aktivert",
    "macosSipEnabled": "System Integritetsbeskyttelse (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Brannmur Usynlig Modus",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Firewall ingeschakeld",
    "autoUpdatesEnabled": "Auto Updates Ingeschakeld",
    "tpmAvailable": "TPM beschikbaar",
-    "windowsDefenderEnabled": "Windows Verdediger ingeschakeld",
    "macosSipEnabled": "Systeemintegriteitsbescherming (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Firewall Verberg Modus",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Zapora włączona",
    "autoUpdatesEnabled": "Automatyczne aktualizacje włączone",
    "tpmAvailable": "TPM dostępne",
-    "windowsDefenderEnabled": "Obrońca Windows włączony",
    "macosSipEnabled": "Ochrona integralności systemu (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Tryb Stealth zapory",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Firewall habilitado",
    "autoUpdatesEnabled": "Atualizações Automáticas Habilitadas",
    "tpmAvailable": "TPM disponível",
-    "windowsDefenderEnabled": "Defensor do Windows habilitado",
    "macosSipEnabled": "Proteção da Integridade do Sistema (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Modo Furtivo do Firewall",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Брандмауэр включен",
    "autoUpdatesEnabled": "Автоматические обновления включены",
    "tpmAvailable": "Доступно TPM",
-    "windowsDefenderEnabled": "Защитник Windows включен",
    "macosSipEnabled": "Защита целостности системы (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Стилс-режим брандмауэра",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "Güvenlik Duvarı Etkin",
    "autoUpdatesEnabled": "Otomatik Güncellemeler Etkin",
    "tpmAvailable": "TPM Mevcut",
-    "windowsDefenderEnabled": "Windows Defender Etkin",
    "macosSipEnabled": "Sistem Bütünlüğü Koruması (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "Güvenlik Duvarı Gizlilik Modu",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -2510,7 +2510,6 @@
    "firewallEnabled": "防火墙已启用",
    "autoUpdatesEnabled": "启用自动更新",
    "tpmAvailable": "TPM 可用",
-    "windowsDefenderEnabled": "Windows Defender 已启用",
    "macosSipEnabled": "系统完整性保护 (SIP)",
    "macosGatekeeperEnabled": "Gatekeeper",
    "macosFirewallStealthMode": "防火墙隐形模式",
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -778,7 +778,7 @@ export const currentFingerprint = pgTable("currentFingerprint", {

    // Windows-specific posture check information

-    windowsDefenderEnabled: boolean("windowsDefenderEnabled")
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
        .notNull()
        .default(false),

@@ -830,7 +830,7 @@ export const fingerprintSnapshots = pgTable("fingerprintSnapshots", {

    // Windows-specific posture check information

-    windowsDefenderEnabled: boolean("windowsDefenderEnabled")
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
        .notNull()
        .default(false),

--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -475,7 +475,7 @@ export const currentFingerprint = sqliteTable("currentFingerprint", {

    // Windows-specific posture check information

-    windowsDefenderEnabled: integer("windowsDefenderEnabled", {
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
        mode: "boolean"
    })
        .notNull()
@@ -549,7 +549,7 @@ export const fingerprintSnapshots = sqliteTable("fingerprintSnapshots", {

    // Windows-specific posture check information

-    windowsDefenderEnabled: integer("windowsDefenderEnabled", {
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
        mode: "boolean"
    })
        .notNull()
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -31,7 +31,7 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import { isLicensedOrSubscribed } from "../isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { build } from "@server/build";

 export type ProxyResourcesResults = {
@@ -213,11 +213,7 @@ export async function updateProxyResources(
                // Update existing resource

                const isLicensed = await isLicensedOrSubscribed(orgId);
-                if (build == "enterprise" && !isLicensed) {
-                    logger.warn(
-                        "Server is not licensed! Clearing set maintenance screen values"
-                    );
-                    // null the maintenance mode fields if not licensed
+                if (!isLicensed) {
                    resourceData.maintenance = undefined;
                }

@@ -594,7 +590,7 @@ export async function updateProxyResources(
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
                        existingRule.value !==
-                            getRuleValue(rule.match.toUpperCase(), rule.value) ||
+                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
                        existingRule.priority !== intendedPriority
                    ) {
                        validateRule(rule);
@@ -653,11 +649,7 @@ export async function updateProxyResources(
            }

            const isLicensed = await isLicensedOrSubscribed(orgId);
-            if (build == "enterprise" && !isLicensed) {
-                logger.warn(
-                    "Server is not licensed! Clearing set maintenance screen values"
-                );
-                // null the maintenance mode fields if not licensed
+            if (!isLicensed) {
                resourceData.maintenance = undefined;
            }

--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -14,7 +14,7 @@ import {
 } from "@server/db";
 import { getUniqueClientName } from "@server/db/names";
 import { getNextAvailableClientSubnet } from "@server/lib/ip";
-import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import logger from "@server/logger";
 import { sendTerminateClient } from "@server/routers/client/terminate";
 import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
--- a/server/lib/isLicencedOrSubscribed.ts
+++ b/server/lib/isLicencedOrSubscribed.ts
@@ -1,17 +1,3 @@
-import { build } from "@server/build";
-import license from "#dynamic/license/license";
-import { getOrgTierData } from "#dynamic/lib/billing";
-import { TierId } from "@server/lib/billing/tiers";
-
 export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
-    if (build === "enterprise") {
-        return await license.isUnlocked();
-    }
-
-    if (build === "saas") {
-        const { tier } = await getOrgTierData(orgId);
-        return tier === TierId.STANDARD;
-    }
-
-    return true;
-}
+    return false;
+}
--- a/server/private/lib/isLicencedOrSubscribed.ts
+++ b/server/private/lib/isLicencedOrSubscribed.ts
@@ -0,0 +1,30 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { build } from "@server/build";
+import license from "#private/license/license";
+import { getOrgTierData } from "#private/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+
+export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
+    if (build === "enterprise") {
+        return await license.isUnlocked();
+    }
+
+    if (build === "saas") {
+        const { tier } = await getOrgTierData(orgId);
+        return tier === TierId.STANDARD;
+    }
+
+    return false;
+}
--- a/server/routers/blueprints/applyYAMLBlueprint.ts
+++ b/server/routers/blueprints/applyYAMLBlueprint.ts
@@ -26,7 +26,8 @@ const applyBlueprintSchema = z
                        message: `Invalid YAML: ${error instanceof Error ? error.message : "Unknown error"}`
                    });
                }
-            })
+            }),
+        source: z.enum(["API", "UI", "CLI"]).optional()
    })
    .strict();

@@ -84,7 +85,7 @@ export async function applyYAMLBlueprint(
            );
        }

-        const { blueprint: contents, name } = parsedBody.data;
+        const { blueprint: contents, name, source = "UI" } = parsedBody.data;

        logger.debug(`Received blueprint:`, contents);

@@ -107,7 +108,7 @@ export async function applyYAMLBlueprint(
            blueprint = await applyBlueprint({
                orgId,
                name,
-                source: "UI",
+                source,
                configData: parsedConfig
            });
        } catch (err) {
--- a/server/routers/blueprints/types.ts
+++ b/server/routers/blueprints/types.ts
@@ -1,6 +1,6 @@
 import type { Blueprint } from "@server/db";

-export type BlueprintSource = "API" | "UI" | "NEWT";
+export type BlueprintSource = "API" | "UI" | "NEWT" | "CLI";

 export type BlueprintData = Omit<Blueprint, "source"> & {
    source: BlueprintSource;
--- a/server/routers/client/getClient.ts
+++ b/server/routers/client/getClient.ts
@@ -12,6 +12,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { getUserDeviceName } from "@server/db/names";
 import { build } from "@server/build";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";

 const getClientSchema = z.strictObject({
    clientId: z
@@ -58,7 +59,7 @@ type PostureData = {
    firewallEnabled?: boolean | null;
    autoUpdatesEnabled?: boolean | null;
    tpmAvailable?: boolean | null;
-    windowsDefenderEnabled?: boolean | null;
+    windowsAntivirusEnabled?: boolean | null;
    macosSipEnabled?: boolean | null;
    macosGatekeeperEnabled?: boolean | null;
    macosFirewallStealthMode?: boolean | null;
@@ -75,78 +76,123 @@ function getPlatformPostureData(
    const normalizedPlatform = platform?.toLowerCase() || "unknown";
    const posture: PostureData = {};

-    // Windows: Hard drive encryption, Firewall, Auto updates, TPM availability, Windows Defender
+    // Windows: Hard drive encryption, Firewall, Auto updates, TPM availability, Windows Antivirus status
    if (normalizedPlatform === "windows") {
-        if (fingerprint.diskEncrypted !== null && fingerprint.diskEncrypted !== undefined) {
+        if (
+            fingerprint.diskEncrypted !== null &&
+            fingerprint.diskEncrypted !== undefined
+        ) {
            posture.diskEncrypted = fingerprint.diskEncrypted;
        }
-        if (fingerprint.firewallEnabled !== null && fingerprint.firewallEnabled !== undefined) {
+        if (
+            fingerprint.firewallEnabled !== null &&
+            fingerprint.firewallEnabled !== undefined
+        ) {
            posture.firewallEnabled = fingerprint.firewallEnabled;
        }
-        if (fingerprint.autoUpdatesEnabled !== null && fingerprint.autoUpdatesEnabled !== undefined) {
-            posture.autoUpdatesEnabled = fingerprint.autoUpdatesEnabled;
-        }
-        if (fingerprint.tpmAvailable !== null && fingerprint.tpmAvailable !== undefined) {
+        if (
+            fingerprint.tpmAvailable !== null &&
+            fingerprint.tpmAvailable !== undefined
+        ) {
            posture.tpmAvailable = fingerprint.tpmAvailable;
        }
-        if (fingerprint.windowsDefenderEnabled !== null && fingerprint.windowsDefenderEnabled !== undefined) {
-            posture.windowsDefenderEnabled = fingerprint.windowsDefenderEnabled;
+        if (
+            fingerprint.windowsAntivirusEnabled !== null &&
+            fingerprint.windowsAntivirusEnabled !== undefined
+        ) {
+            posture.windowsAntivirusEnabled =
+                fingerprint.windowsAntivirusEnabled;
        }
    }
    // macOS: Hard drive encryption, Biometric configuration, Firewall, System Integrity Protection (SIP), Gatekeeper, Firewall stealth mode
    else if (normalizedPlatform === "macos") {
-        if (fingerprint.diskEncrypted !== null && fingerprint.diskEncrypted !== undefined) {
+        if (
+            fingerprint.diskEncrypted !== null &&
+            fingerprint.diskEncrypted !== undefined
+        ) {
            posture.diskEncrypted = fingerprint.diskEncrypted;
        }
-        if (fingerprint.biometricsEnabled !== null && fingerprint.biometricsEnabled !== undefined) {
+        if (
+            fingerprint.biometricsEnabled !== null &&
+            fingerprint.biometricsEnabled !== undefined
+        ) {
            posture.biometricsEnabled = fingerprint.biometricsEnabled;
        }
-        if (fingerprint.firewallEnabled !== null && fingerprint.firewallEnabled !== undefined) {
+        if (
+            fingerprint.firewallEnabled !== null &&
+            fingerprint.firewallEnabled !== undefined
+        ) {
            posture.firewallEnabled = fingerprint.firewallEnabled;
        }
-        if (fingerprint.macosSipEnabled !== null && fingerprint.macosSipEnabled !== undefined) {
+        if (
+            fingerprint.macosSipEnabled !== null &&
+            fingerprint.macosSipEnabled !== undefined
+        ) {
            posture.macosSipEnabled = fingerprint.macosSipEnabled;
        }
-        if (fingerprint.macosGatekeeperEnabled !== null && fingerprint.macosGatekeeperEnabled !== undefined) {
+        if (
+            fingerprint.macosGatekeeperEnabled !== null &&
+            fingerprint.macosGatekeeperEnabled !== undefined
+        ) {
            posture.macosGatekeeperEnabled = fingerprint.macosGatekeeperEnabled;
        }
-        if (fingerprint.macosFirewallStealthMode !== null && fingerprint.macosFirewallStealthMode !== undefined) {
-            posture.macosFirewallStealthMode = fingerprint.macosFirewallStealthMode;
+        if (
+            fingerprint.macosFirewallStealthMode !== null &&
+            fingerprint.macosFirewallStealthMode !== undefined
+        ) {
+            posture.macosFirewallStealthMode =
+                fingerprint.macosFirewallStealthMode;
        }
-        if (fingerprint.autoUpdatesEnabled !== null && fingerprint.autoUpdatesEnabled !== undefined) {
+        if (
+            fingerprint.autoUpdatesEnabled !== null &&
+            fingerprint.autoUpdatesEnabled !== undefined
+        ) {
            posture.autoUpdatesEnabled = fingerprint.autoUpdatesEnabled;
        }
    }
    // Linux: Hard drive encryption, Firewall, AppArmor, SELinux, TPM availability
    else if (normalizedPlatform === "linux") {
-        if (fingerprint.diskEncrypted !== null && fingerprint.diskEncrypted !== undefined) {
+        if (
+            fingerprint.diskEncrypted !== null &&
+            fingerprint.diskEncrypted !== undefined
+        ) {
            posture.diskEncrypted = fingerprint.diskEncrypted;
        }
-        if (fingerprint.firewallEnabled !== null && fingerprint.firewallEnabled !== undefined) {
+        if (
+            fingerprint.firewallEnabled !== null &&
+            fingerprint.firewallEnabled !== undefined
+        ) {
            posture.firewallEnabled = fingerprint.firewallEnabled;
        }
-        if (fingerprint.linuxAppArmorEnabled !== null && fingerprint.linuxAppArmorEnabled !== undefined) {
+        if (
+            fingerprint.linuxAppArmorEnabled !== null &&
+            fingerprint.linuxAppArmorEnabled !== undefined
+        ) {
            posture.linuxAppArmorEnabled = fingerprint.linuxAppArmorEnabled;
        }
-        if (fingerprint.linuxSELinuxEnabled !== null && fingerprint.linuxSELinuxEnabled !== undefined) {
+        if (
+            fingerprint.linuxSELinuxEnabled !== null &&
+            fingerprint.linuxSELinuxEnabled !== undefined
+        ) {
            posture.linuxSELinuxEnabled = fingerprint.linuxSELinuxEnabled;
        }
-        if (fingerprint.tpmAvailable !== null && fingerprint.tpmAvailable !== undefined) {
+        if (
+            fingerprint.tpmAvailable !== null &&
+            fingerprint.tpmAvailable !== undefined
+        ) {
            posture.tpmAvailable = fingerprint.tpmAvailable;
        }
    }
    // iOS: Biometric configuration
    else if (normalizedPlatform === "ios") {
-        if (fingerprint.biometricsEnabled !== null && fingerprint.biometricsEnabled !== undefined) {
-            posture.biometricsEnabled = fingerprint.biometricsEnabled;
-        }
+        // none supported yet
    }
    // Android: Screen lock, Biometric configuration, Hard drive encryption
    else if (normalizedPlatform === "android") {
-        if (fingerprint.biometricsEnabled !== null && fingerprint.biometricsEnabled !== undefined) {
-            posture.biometricsEnabled = fingerprint.biometricsEnabled;
-        }
-        if (fingerprint.diskEncrypted !== null && fingerprint.diskEncrypted !== undefined) {
+        if (
+            fingerprint.diskEncrypted !== null &&
+            fingerprint.diskEncrypted !== undefined
+        ) {
            posture.diskEncrypted = fingerprint.diskEncrypted;
        }
    }
@@ -243,23 +289,27 @@ export async function getClient(
        // Build fingerprint data if available
        const fingerprintData = client.currentFingerprint
            ? {
-                username: client.currentFingerprint.username || null,
-                hostname: client.currentFingerprint.hostname || null,
-                platform: client.currentFingerprint.platform || null,
-                osVersion: client.currentFingerprint.osVersion || null,
-                kernelVersion:
-                    client.currentFingerprint.kernelVersion || null,
-                arch: client.currentFingerprint.arch || null,
-                deviceModel: client.currentFingerprint.deviceModel || null,
-                serialNumber: client.currentFingerprint.serialNumber || null,
-                firstSeen: client.currentFingerprint.firstSeen || null,
-                lastSeen: client.currentFingerprint.lastSeen || null
-            }
+                  username: client.currentFingerprint.username || null,
+                  hostname: client.currentFingerprint.hostname || null,
+                  platform: client.currentFingerprint.platform || null,
+                  osVersion: client.currentFingerprint.osVersion || null,
+                  kernelVersion:
+                      client.currentFingerprint.kernelVersion || null,
+                  arch: client.currentFingerprint.arch || null,
+                  deviceModel: client.currentFingerprint.deviceModel || null,
+                  serialNumber: client.currentFingerprint.serialNumber || null,
+                  firstSeen: client.currentFingerprint.firstSeen || null,
+                  lastSeen: client.currentFingerprint.lastSeen || null
+              }
            : null;

        // Build posture data if available (platform-specific)
+        // Only return posture data if org is licensed/subscribed
        let postureData: PostureData | null = null;
-        if (build !== "oss") {
+        const isOrgLicensed = await isLicensedOrSubscribed(
+            client.clients.orgId
+        );
+        if (isOrgLicensed) {
            postureData = getPlatformPostureData(
                client.currentFingerprint?.platform || null,
                client.currentFingerprint
--- a/server/routers/olm/fingerprintingUtils.ts
+++ b/server/routers/olm/fingerprintingUtils.ts
@@ -22,7 +22,7 @@ function fingerprintSnapshotHash(fingerprint: any, postures: any): string {
        autoUpdatesEnabled: postures.autoUpdatesEnabled ?? false,
        tpmAvailable: postures.tpmAvailable ?? false,

-        windowsDefenderEnabled: postures.windowsDefenderEnabled ?? false,
+        windowsAntivirusEnabled: postures.windowsAntivirusEnabled ?? false,

        macosSipEnabled: postures.macosSipEnabled ?? false,
        macosGatekeeperEnabled: postures.macosGatekeeperEnabled ?? false,
@@ -87,7 +87,7 @@ export async function handleFingerprintInsertion(
                autoUpdatesEnabled: postures.autoUpdatesEnabled,
                tpmAvailable: postures.tpmAvailable,

-                windowsDefenderEnabled: postures.windowsDefenderEnabled,
+                windowsAntivirusEnabled: postures.windowsAntivirusEnabled,

                macosSipEnabled: postures.macosSipEnabled,
                macosGatekeeperEnabled: postures.macosGatekeeperEnabled,
@@ -117,7 +117,7 @@ export async function handleFingerprintInsertion(
            autoUpdatesEnabled: postures.autoUpdatesEnabled,
            tpmAvailable: postures.tpmAvailable,

-            windowsDefenderEnabled: postures.windowsDefenderEnabled,
+            windowsAntivirusEnabled: postures.windowsAntivirusEnabled,

            macosSipEnabled: postures.macosSipEnabled,
            macosGatekeeperEnabled: postures.macosGatekeeperEnabled,
@@ -162,7 +162,7 @@ export async function handleFingerprintInsertion(
            autoUpdatesEnabled: postures.autoUpdatesEnabled,
            tpmAvailable: postures.tpmAvailable,

-            windowsDefenderEnabled: postures.windowsDefenderEnabled,
+            windowsAntivirusEnabled: postures.windowsAntivirusEnabled,

            macosSipEnabled: postures.macosSipEnabled,
            macosGatekeeperEnabled: postures.macosGatekeeperEnabled,
@@ -197,7 +197,7 @@ export async function handleFingerprintInsertion(
                autoUpdatesEnabled: postures.autoUpdatesEnabled,
                tpmAvailable: postures.tpmAvailable,

-                windowsDefenderEnabled: postures.windowsDefenderEnabled,
+                windowsAntivirusEnabled: postures.windowsAntivirusEnabled,

                macosSipEnabled: postures.macosSipEnabled,
                macosGatekeeperEnabled: postures.macosGatekeeperEnabled,
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -46,6 +46,12 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        return;
    }

+    logger.debug("Handling fingerprint insertion for olm register...", {
+        olmId: olm.olmId,
+        fingerprint,
+        postures
+    });
+
    await handleFingerprintInsertion(olm, fingerprint, postures);

    if (
@@ -143,7 +149,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            return;
        }

-        if (!policyCheck.policies?.passwordAge?.compliant === false) {
+        if (policyCheck.policies?.passwordAge?.compliant === false) {
            logger.warn(
                `Olm user ${olm.userId} has non-compliant password age for org ${orgId}`
            );
@@ -153,7 +159,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
            );
            return;
        } else if (
-            !policyCheck.policies?.maxSessionLength?.compliant === false
+            policyCheck.policies?.maxSessionLength?.compliant === false
        ) {
            logger.warn(
                `Olm user ${olm.userId} has non-compliant session length for org ${orgId}`
--- a/server/routers/org/updateOrg.ts
+++ b/server/routers/org/updateOrg.ts
@@ -13,7 +13,7 @@ import { build } from "@server/build";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { cache } from "@server/lib/cache";
-import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";

 const updateOrgParamsSchema = z.strictObject({
    orgId: z.string()
@@ -89,7 +89,7 @@ export async function updateOrg(
        const { orgId } = parsedParams.data;

        const isLicensed = await isLicensedOrSubscribed(orgId);
-        if (build == "enterprise" && !isLicensed) {
+        if (!isLicensed) {
            parsedBody.data.requireTwoFactor = undefined;
            parsedBody.data.maxSessionLengthHours = undefined;
            parsedBody.data.passwordExpiryDays = undefined;
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -23,7 +23,7 @@ import { OpenAPITags } from "@server/openApi";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
 import { validateAndConstructDomain } from "@server/lib/domainUtils";
 import { build } from "@server/build";
-import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";

 const updateResourceParamsSchema = z.strictObject({
    resourceId: z.string().transform(Number).pipe(z.int().positive())
@@ -342,11 +342,7 @@ async function updateHttpResource(
    }

    const isLicensed = await isLicensedOrSubscribed(resource.orgId);
-    if (build == "enterprise" && !isLicensed) {
-        logger.warn(
-            "Server is not licensed! Clearing set maintenance screen values"
-        );
-        // null the maintenance mode fields if not licensed
+    if (!isLicensed) {
        updateData.maintenanceModeEnabled = undefined;
        updateData.maintenanceModeType = undefined;
        updateData.maintenanceTitle = undefined;
--- a/server/routers/role/createRole.ts
+++ b/server/routers/role/createRole.ts
@@ -11,7 +11,7 @@ import { ActionsEnum } from "@server/auth/actions";
 import { eq, and } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
 import { build } from "@server/build";
-import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";

 const createRoleParamsSchema = z.strictObject({
    orgId: z.string()
@@ -101,7 +101,7 @@ export async function createRole(
        }

        const isLicensed = await isLicensedOrSubscribed(orgId);
-        if (build === "oss" || !isLicensed) {
+        if (!isLicensed) {
            roleData.requireDeviceApproval = undefined;
        }

--- a/server/routers/role/updateRole.ts
+++ b/server/routers/role/updateRole.ts
@@ -8,8 +8,7 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { build } from "@server/build";
-import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { OpenAPITags, registry } from "@server/openApi";

 const updateRoleParamsSchema = z.strictObject({
@@ -112,7 +111,7 @@ export async function updateRole(
        }

        const isLicensed = await isLicensedOrSubscribed(orgId);
-        if (build === "oss" || !isLicensed) {
+        if (!isLicensed) {
            updateData.requireDeviceApproval = undefined;
        }

--- a/server/setup/scriptsPg/1.15.0.ts
+++ b/server/setup/scriptsPg/1.15.0.ts
@@ -49,7 +49,7 @@ export default async function migration() {
               	"firewallEnabled" boolean DEFAULT false NOT NULL,
               	"autoUpdatesEnabled" boolean DEFAULT false NOT NULL,
               	"tpmAvailable" boolean DEFAULT false NOT NULL,
-               	"windowsDefenderEnabled" boolean DEFAULT false NOT NULL,
+               	"windowsAntivirusEnabled" boolean DEFAULT false NOT NULL,
               	"macosSipEnabled" boolean DEFAULT false NOT NULL,
               	"macosGatekeeperEnabled" boolean DEFAULT false NOT NULL,
               	"macosFirewallStealthMode" boolean DEFAULT false NOT NULL,
@@ -75,7 +75,7 @@ export default async function migration() {
               	"firewallEnabled" boolean DEFAULT false NOT NULL,
               	"autoUpdatesEnabled" boolean DEFAULT false NOT NULL,
               	"tpmAvailable" boolean DEFAULT false NOT NULL,
-               	"windowsDefenderEnabled" boolean DEFAULT false NOT NULL,
+               	"windowsAntivirusEnabled" boolean DEFAULT false NOT NULL,
               	"macosSipEnabled" boolean DEFAULT false NOT NULL,
               	"macosGatekeeperEnabled" boolean DEFAULT false NOT NULL,
               	"macosFirewallStealthMode" boolean DEFAULT false NOT NULL,
--- a/server/setup/scriptsSqlite/1.15.0.ts
+++ b/server/setup/scriptsSqlite/1.15.0.ts
@@ -53,7 +53,7 @@ CREATE TABLE 'currentFingerprint' (
 	'firewallEnabled' integer DEFAULT false NOT NULL,
 	'autoUpdatesEnabled' integer DEFAULT false NOT NULL,
 	'tpmAvailable' integer DEFAULT false NOT NULL,
-	'windowsDefenderEnabled' integer DEFAULT false NOT NULL,
+	'windowsAntivirusEnabled' integer DEFAULT false NOT NULL,
 	'macosSipEnabled' integer DEFAULT false NOT NULL,
 	'macosGatekeeperEnabled' integer DEFAULT false NOT NULL,
 	'macosFirewallStealthMode' integer DEFAULT false NOT NULL,
@@ -83,7 +83,7 @@ CREATE TABLE 'fingerprintSnapshots' (
 	'firewallEnabled' integer DEFAULT false NOT NULL,
 	'autoUpdatesEnabled' integer DEFAULT false NOT NULL,
 	'tpmAvailable' integer DEFAULT false NOT NULL,
-	'windowsDefenderEnabled' integer DEFAULT false NOT NULL,
+	'windowsAntivirusEnabled' integer DEFAULT false NOT NULL,
 	'macosSipEnabled' integer DEFAULT false NOT NULL,
 	'macosGatekeeperEnabled' integer DEFAULT false NOT NULL,
 	'macosFirewallStealthMode' integer DEFAULT false NOT NULL,
--- a/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
@@ -656,17 +656,17 @@ export default function GeneralPage() {
                                            </InfoSection>
                                        )}

-                                    {client.posture.windowsDefenderEnabled !== null &&
-                                        client.posture.windowsDefenderEnabled !== undefined && (
+                                    {client.posture.windowsAntivirusEnabled !== null &&
+                                        client.posture.windowsAntivirusEnabled !== undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
-                                                    {t("windowsDefenderEnabled")}
+                                                    {t("windowsAntivirusEnabled")}
                                                </InfoSectionTitle>
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .windowsDefenderEnabled
+                                                                  .windowsAntivirusEnabled
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
--- a/src/components/BlueprintDetailsForm.tsx
+++ b/src/components/BlueprintDetailsForm.tsx
@@ -110,6 +110,15 @@ export default function BlueprintDetailsForm({
                                            Dashboard
                                        </Badge>
                                    )}{" "}
+                                    {blueprint.source === "CLI" && (
+                                        <Badge
+                                            variant="secondary"
+                                            className="inline-flex items-center gap-1 "
+                                        >
+                                            <Terminal className="w-3 h-3 flex-none" />
+                                            CLI
+                                        </Badge>
+                                    )}{" "}
                                </InfoSectionContent>
                            </InfoSection>
                            <InfoSection>
--- a/src/components/BlueprintsTable.tsx
+++ b/src/components/BlueprintsTable.tsx
@@ -128,6 +128,19 @@ export default function BlueprintsTable({ blueprints, orgId }: Props) {
                            </Badge>
                        );
                    }
+                    case "CLI": {
+                        return (
+                            <Badge
+                                variant="secondary"
+                                className="inline-flex items-center gap-1"
+                            >
+                                <span className="inline-flex items-center gap-1 ">
+                                    <Terminal className="w-3 h-3" />
+                                    CLI
+                                </span>
+                            </Badge>
+                        );
+                    }
                }
            }
        },
--- a/src/components/ClientDownloadBanner.tsx
+++ b/src/components/ClientDownloadBanner.tsx
@@ -4,6 +4,7 @@ import React from "react";
 import { Button } from "@app/components/ui/button";
 import { Download } from "lucide-react";
 import { FaApple, FaWindows, FaLinux } from "react-icons/fa";
+import { SiAndroid } from "react-icons/si";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
 import DismissableBanner from "./DismissableBanner";
@@ -61,6 +62,34 @@ export const ClientDownloadBanner = () => {
                    Linux
                </Button>
            </Link>
+            <Link
+                href="https://pangolin.net/downloads/ios"
+                target="_blank"
+                rel="noopener noreferrer"
+            >
+                <Button
+                    variant="outline"
+                    size="sm"
+                    className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                >
+                    <FaApple className="w-4 h-4" />
+                    iOS
+                </Button>
+            </Link>
+            <Link
+                href="https://pangolin.net/downloads/android"
+                target="_blank"
+                rel="noopener noreferrer"
+            >
+                <Button
+                    variant="outline"
+                    size="sm"
+                    className="gap-2 hover:bg-primary/10 hover:border-primary/50 transition-colors"
+                >
+                    <SiAndroid className="w-4 h-4" />
+                    Android
+                </Button>
+            </Link>
        </DismissableBanner>
    );
 };
--- a/src/components/LoginOrgSelector.tsx
+++ b/src/components/LoginOrgSelector.tsx
@@ -143,7 +143,6 @@ export default function LoginOrgSelector({
                                <IdpLoginButtons
                                    idps={idps}
                                    redirect={redirect}
-                                    orgId={org.orgId}
                                />
                            </div>
                        </div>
Author	SHA1	Message	Date
miloschwartz	efcf46ce8a	fix policy check on olm register	2026-01-22 16:28:15 -08:00
miloschwartz	2085715965	fix wrong redirect url when idp login with custom auth domain	2026-01-22 15:46:48 -08:00
Owen	d227db7b7b	Show the source in the UI	2026-01-22 15:18:27 -08:00
Owen	2af67ad355	Fix the source of the cli blueprint	2026-01-22 15:18:27 -08:00
miloschwartz	f100854423	add ios and android to readme	2026-01-22 15:18:27 -08:00
miloschwartz	92331d7a33	clean up paid features check	2026-01-22 15:18:27 -08:00
Owen	9a5bcb9099	Hiring	2026-01-22 15:18:27 -08:00
miloschwartz	8eb6bb2a95	dont include posture in repsonse if not licensed or subscribed	2026-01-22 15:18:27 -08:00
miloschwartz	2aa65ccab3	add mobile links to download banner	2026-01-22 15:18:27 -08:00
miloschwartz	be1577a3e7	remove biometric support from ios	2026-01-22 15:18:27 -08:00
miloschwartz	c8e1b3bf29	rename windowsDefenderEnabled	2026-01-22 15:18:27 -08:00
Owen	e17b986628	Dont show bio info on android	2026-01-22 15:18:27 -08:00
Owen	0a7564acb6	Fix not detecting rc release in sign and package	2026-01-21 16:14:00 -08:00