Merge branch 'dev' into msg-delivery

feat: device approvals

.github/workflows/cicd.yml

@@ -329,20 +329,89 @@ jobs:
                   skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
               shell: bash
 
-            - name: Copy tag from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+            - name: Copy tags from Docker Hub to GHCR
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
               # Wait a bit for both architectures to be available in Docker Hub manifest
               env:
                   REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
               run: |
                   set -euo pipefail
                   TAG=${{ env.TAG }}
-                  echo "Waiting for multi-arch manifest to be ready..."
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                  
+                  echo "Waiting for multi-arch manifests to be ready..."
                   sleep 30
-                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
-                  skopeo copy --all --retry-times 3 \
-                    docker://$DOCKERHUB_IMAGE:$TAG \
-                    docker://$GHCR_IMAGE:$TAG
+                  
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
+                  
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release detected - copying version-specific tags only"
+                      
+                      # SQLite OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:$TAG \
+                        docker://$GHCR_IMAGE:$TAG
+                      
+                      # PostgreSQL OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
+                        docker://$GHCR_IMAGE:postgresql-$TAG
+                      
+                      # SQLite Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
+                        docker://$GHCR_IMAGE:ee-$TAG
+                      
+                      # PostgreSQL Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
+                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
+                  else
+                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
+                      
+                      # SQLite OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
+                      done
+                      
+                      # SQLite Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
+                      done
+                      
+                      # PostgreSQL Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
+                      done
+                  fi
+                  
+                  echo "All images copied successfully to GHCR!"
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
@@ -371,28 +440,62 @@ jobs:
                   issuer="https://token.actions.githubusercontent.com"
                   id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
 
-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
-                    echo "Processing ${IMAGE}:${TAG}"
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if echo "$TAG" | grep -qE "rc[0-9]+$"; then
+                      IS_RC="true"
+                  fi
 
-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
-                    REF="${IMAGE}@${DIGEST}"
-                    echo "Resolved digest: ${REF}"
+                  # Define image variants to sign
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release - signing version-specific tags only"
+                      IMAGE_TAGS=(
+                          "${TAG}"
+                          "postgresql-${TAG}"
+                          "ee-${TAG}"
+                          "ee-postgresql-${TAG}"
+                      )
+                  else
+                      echo "Regular release - signing all tags"
+                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                      IMAGE_TAGS=(
+                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
+                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
+                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
+                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
+                      )
+                  fi
 
-                    echo "==> cosign sign (keyless) --recursive ${REF}"
-                    cosign sign --recursive "${REF}"
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"
 
-                    echo "==> cosign sign (key) --recursive ${REF}"
-                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${BASE_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"
 
-                    echo "==> cosign verify (public key) ${REF}"
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"
 
-                    echo "==> cosign verify (keyless policy) ${REF}"
-                    cosign verify \
-                      --certificate-oidc-issuer "${issuer}" \
-                      --certificate-identity-regexp "${id_regex}" \
-                      "${REF}" -o text
+                      echo "==> cosign sign (key) --recursive ${REF}"
+                      cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                      echo "==> cosign verify (public key) ${REF}"
+                      cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                      echo "==> cosign verify (keyless policy) ${REF}"
+                      cosign verify \
+                        --certificate-oidc-issuer "${issuer}" \
+                        --certificate-identity-regexp "${id_regex}" \
+                        "${REF}" -o text
+                      
+                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                    done
                   done
+                  
+                  echo "All images signed and verified successfully!"
               shell: bash
 
     post-run:

.github/workflows/cicd.yml.backup

@@ -0,0 +1,426 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Install Go
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+              shell: bash
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Waiting for multi-arch manifest to be ready..."
+                  sleep 30
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"

.github/workflows/saas.yml

@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"

.gitignore

@@ -50,4 +50,5 @@ dynamic/
 *.mmdb
 scratch/
 tsconfig.json
-hydrateSaas.ts
+hydrateSaas.ts
+CLAUDE.md

Dockerfile

@@ -1,10 +1,20 @@
 FROM node:24-alpine AS builder
 
+# OCI Image Labels - Build Args for dynamic values
+ARG VERSION="dev"
+ARG REVISION=""
+ARG CREATED=""
+ARG LICENSE="AGPL-3.0"
+
 WORKDIR /app
 
 ARG BUILD=oss
 ARG DATABASE=sqlite
 
+# Derive title and description based on BUILD type
+ARG IMAGE_TITLE="Pangolin"
+ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 RUN apk add --no-cache curl tzdata python3 make g++
 
 # COPY package.json package-lock.json ./
@@ -69,4 +79,17 @@ RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
 COPY server/db/names.json ./dist/names.json
 COPY public ./public
 
+# OCI Image Labels
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.documentation="https://docs.pangolin.net" \
+      org.opencontainers.image.vendor="Fossorial" \
+      org.opencontainers.image.licenses="${LICENSE}" \
+      org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${REVISION}" \
+      org.opencontainers.image.created="${CREATED}"
+
 CMD ["npm", "run", "start"]

Makefile

@@ -3,6 +3,25 @@
 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)
 
+# OCI label variables
+CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
+
+# Common OCI build args for OSS builds
+OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg IMAGE_TITLE="Pangolin" \
+	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+# Common OCI build args for Enterprise builds
+OCI_ARGS_EE = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg LICENSE="Fossorial Commercial" \
+	--build-arg IMAGE_TITLE="Pangolin EE" \
+	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
 
 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
@@ -15,6 +34,7 @@ build-sqlite:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
@@ -30,6 +50,7 @@ build-postgresql:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
@@ -45,6 +66,7 @@ build-ee-sqlite:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
@@ -60,6 +82,7 @@ build-ee-postgresql:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -67,6 +90,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
 
+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag) \
+		--push .
+
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
@@ -74,9 +109,16 @@ build-release-arm:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:latest-arm64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
@@ -86,6 +128,11 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-latest-arm64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
@@ -95,6 +142,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-latest-arm64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
@@ -104,6 +157,12 @@ build-release-arm:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
@@ -118,9 +177,16 @@ build-release-amd:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:latest-amd64 \
 		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
@@ -130,6 +196,11 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest-amd64 \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
@@ -139,6 +210,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-latest-amd64 \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
@@ -148,6 +225,12 @@ build-release-amd:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
@@ -201,27 +284,51 @@ build-rc:
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .
@@ -231,27 +338,51 @@ build-rc-arm:
 		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .
@@ -261,27 +392,51 @@ build-rc-amd:
 		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag)-amd64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
 		--push .
@@ -314,16 +469,52 @@ create-manifests-rc:
 	echo "All RC multi-arch manifests created successfully!"
 
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		-t fosrl/pangolin:latest .
 
 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		-t fosrl/pangolin:latest .
 
 dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:latest .
 
 dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:postgresql-latest .
 
 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest

config/traefik/dynamic_config.yml

@@ -1,5 +1,9 @@
 http:
   middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
     redirect-to-https:
       redirectScheme:
         scheme: https
@@ -13,6 +17,7 @@ http:
         - web
       middlewares:
         - redirect-to-https
+        - badger
 
     # Next.js router (handles everything except API and WebSocket paths)
     next-router:
@@ -21,6 +26,8 @@ http:
       priority: 10
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 
@@ -31,6 +38,8 @@ http:
       priority: 100
       entryPoints:
         - websecure
+      middlewares:
+        - badger
       tls:
         certResolver: letsencrypt
 

install/config/traefik/traefik_config.yml

@@ -43,9 +43,12 @@ entryPoints:
     http:
       tls:
         certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true
 
 serversTransport:
   insecureSkipVerify: true
 
 ping:
-  entryPoint: "web"
+  entryPoint: "web"

install/main.go

@@ -340,7 +340,7 @@ func collectUserInput(reader *bufio.Reader) Config {
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")
 
-	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for persoal use or for businesses making less than 100k USD annually.")
+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
 
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 

messages/bg-BG.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Свържете се с мрежа.",
     "sitesBannerDescription": "Сайтът е връзка с отдалечена мрежа, която позволява на Pangolin да предоставя достъп до ресурси, било то публични или частни, на потребители навсякъде. Инсталирайте мрежовия конектор на сайта (Newt) навсякъде, където можете да стартирате бинарен или контейнер, за да създадете връзката.",
     "sitesBannerButtonText": "Инсталиране на сайт.",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Създайте сайт",
     "siteCreateDescription2": "Следвайте стъпките по-долу, за да създадете и свържете нов сайт",
     "siteCreateDescription": "Създайте нов сайт, за да започнете да свързвате ресурси",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Търсене на роли...",
     "accessRolesAdd": "Добавете роля",
     "accessRoleDelete": "Изтриване на роля",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Описание",
     "inviteTitle": "Отворени покани",
     "inviteDescription": "Управлявайте покани за други потребители да се присъединят към организацията",
@@ -455,18 +450,6 @@
     "selectDuration": "Изберете продължителност",
     "selectResource": "Изберете Ресурс",
     "filterByResource": "Филтрирай По Ресурс",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Нулиране на Филтрите",
     "totalBlocked": "Заявки Блокирани От Pangolin",
     "totalRequests": "Общо Заявки",
@@ -746,28 +729,16 @@
     "countries": "Държави",
     "accessRoleCreate": "Създайте роля",
     "accessRoleCreateDescription": "Създайте нова роля за групиране на потребители и управление на техните разрешения.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Създайте роля",
     "accessRoleCreated": "Ролята е създадена",
     "accessRoleCreatedDescription": "Ролята беше успешно създадена.",
     "accessRoleErrorCreate": "Неуспешно създаване на роля",
     "accessRoleErrorCreateDescription": "Възникна грешка при създаването на ролята.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Нова роля е необходима",
     "accessRoleErrorRemove": "Неуспешно премахване на роля",
     "accessRoleErrorRemoveDescription": "Възникна грешка при премахването на роля.",
     "accessRoleName": "Име на роля",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Ще изтриете ролята {name}. Не можете да отмените това действие.",
     "accessRoleRemove": "Премахни роля",
     "accessRoleRemoveDescription": "Премахни роля от организацията",
     "accessRoleRemoveSubmit": "Премахни роля",
@@ -903,7 +874,7 @@
     "inviteAlready": "Изглежда, че сте били поканени!",
     "inviteAlreadyDescription": "За да приемете поканата, трябва да влезете или да създадете акаунт.",
     "signupQuestion": "Вече имате акаунт?",
-    "login": "Log In",
+    "login": "Влизане",
     "resourceNotFound": "Ресурсът не е намерен",
     "resourceNotFoundDescription": "Ресурсът, който се опитвате да достъпите, не съществува.",
     "pincodeRequirementsLength": "ПИН трябва да бъде точно 6 цифри",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Тази организация изисква да сменяте паролата си на всеки {maxDays} дни.",
     "changePasswordNow": "Сменете паролата сега",
     "pincodeAuth": "Код на удостоверителя",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Изпрати код",
     "passwordResetSubmit": "Заявка за нулиране",
     "passwordResetAlreadyHaveCode": "Въведете код.",
     "passwordResetSmtpRequired": "Моля, свържете се с вашия администратор",
     "passwordResetSmtpRequiredDescription": "Кодът за нулиране на парола е задължителен за нулиране на паролата ви. Моля, свържете се с вашия администратор за помощ.",
     "passwordBack": "Назад към Парола",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Връщане към вход",
     "signup": "Регистрация",
     "loginStart": "Влезте, за да започнете",
     "idpOidcTokenValidating": "Валидиране на OIDC токен",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Актуализиране на IdP организация",
     "actionCreateClient": "Създаване на клиент",
     "actionDeleteClient": "Изтриване на клиент",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Актуализиране на клиент",
     "actionListClients": "Списък с клиенти",
     "actionGetClient": "Получаване на клиент",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Търсене...",
     "create": "Създаване",
     "orgs": "Организации",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Възникна грешка при влизане",
+    "loginRequiredForDevice": "Необходим е вход за удостоверяване на вашето устройство.",
     "passwordForgot": "Забравена парола?",
     "otpAuth": "Двуфакторно удостоверяване",
     "otpAuthDescription": "Въведете кода от приложението за удостоверяване или един от вашите резервни кодове за еднократна употреба.",
     "otpAuthSubmit": "Изпрати код",
     "idpContinue": "Или продължете със",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Назад към Вход",
     "navbar": "Навигационно меню",
     "navbarDescription": "Главно навигационно меню за приложението",
     "navbarDocsLink": "Документация",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Общ преглед",
     "sidebarHome": "Начало",
     "sidebarSites": "Сайтове",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Ресурси",
     "sidebarProxyResources": "Публично",
     "sidebarClientResources": "Частно",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Идентификационни доставчици",
     "sidebarLicense": "Лиценз",
     "sidebarClients": "Клиенти",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Потребители",
     "sidebarMachineClients": "Машини",
     "sidebarDomains": "Домейни",
     "sidebarGeneral": "Управление.",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Възникна грешка при създаване на админ акаунт.",
     "certificateStatus": "Статус на сертификата",
     "loading": "Зареждане",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Рестарт",
     "domains": "Домейни",
     "domainsDescription": "Създайте и управлявайте наличните домейни в организацията",
@@ -1339,7 +1304,6 @@
     "refreshError": "Неуспешно обновяване на данни",
     "verified": "Потвърдено",
     "pending": "Чакащо",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Фактуриране",
     "billing": "Фактуриране",
     "orgBillingDescription": "Управлявайте информацията за плащане и абонаментите",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Ключът за защита е премахнат успешно",
     "securityKeyRemoveError": "Неуспешно премахване на ключ за защита",
     "securityKeyLoadError": "Неуспешно зареждане на ключове за защита",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Продължете с ключа за сигурност",
     "securityKeyAuthError": "Неуспешно удостоверяване с ключ за сигурност",
     "securityKeyRecommendation": "Регистрирайте резервен ключ за безопасност на друго устройство, за да сте сигурни, че винаги ще имате достъп до профила си",
     "registering": "Регистрация...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Интервал за здраве",
     "timeoutSeconds": "Време за изчакване (сек)",
     "timeIsInSeconds": "Времето е в секунди",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Опити за повторно",
     "expectedResponseCodes": "Очаквани кодове за отговор",
     "expectedResponseCodesDescription": "HTTP статус код, указващ здравословно състояние. Ако бъде оставено празно, между 200-300 се счита за здравословно.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
     "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
     "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Влезте в организация.",
     "orgAuthSelectOrgTitle": "Вход в организация.",
     "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
     "orgAuthOrgIdPlaceholder": "вашата-организация",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Кодът трябва да бъде 9 символа (напр. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Невалиден или изтекъл код",
     "deviceCodeVerifyFailed": "Неуспешна проверка на кода на устройството",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Вписан като",
     "deviceCodeEnterPrompt": "Въведете кода, показан на устройството",
     "continue": "Продължете",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Достъп до всички организации, до които има достъп акаунтът ви",
     "deviceAuthorize": "Разрешете {applicationName}",
     "deviceConnected": "Устройството е свързано!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Устройството е разрешено да има достъп до вашия акаунт.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "Преглед на устройствата",
     "viewDevicesDescription": "Управлявайте свързаните си устройства",
@@ -2346,7 +2306,6 @@
     "identifier": "Идентификатор",
     "deviceLoginUseDifferentAccount": "Не сте вие? Използвайте друг акаунт.",
     "deviceLoginDeviceRequestingAccessToAccount": "Устройство запитващо достъп до този акаунт.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Няма Данни",
     "machineClients": "Машинни клиенти",
     "install": "Инсталирай",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Услугата временно недостъпна.",
     "maintenanceScreenMessage": "В момента срещаме технически затруднения. Моля, проверете отново скоро.",
     "maintenanceScreenEstimatedCompletion": "Прогнозно завършване:",
-    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна.",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна."
 }

messages/cs-CZ.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Připojit jakoukoli síť",
     "sitesBannerDescription": "Lokalita je připojení k vzdálené síti, která umožňuje Pangolinu poskytovat přístup k prostředkům, ať už veřejným nebo soukromým, uživatelům kdekoli. Nainstalujte síťový konektor (Newt) kamkoli, kam můžete spustit binární soubor nebo kontejner, aby bylo možné připojení navázat.",
     "sitesBannerButtonText": "Nainstalovat lokalitu",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Vytvořit lokalitu",
     "siteCreateDescription2": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili novou lokalitu",
     "siteCreateDescription": "Vytvořit nový web pro zahájení připojování zdrojů",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Hledat role...",
     "accessRolesAdd": "Přidat roli",
     "accessRoleDelete": "Odstranit roli",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "L 343, 22.12.2009, s. 1).",
     "inviteTitle": "Otevřít pozvánky",
     "inviteDescription": "Spravovat pozvánky pro ostatní uživatele do organizace",
@@ -455,18 +450,6 @@
     "selectDuration": "Vyberte dobu trvání",
     "selectResource": "Vybrat dokument",
     "filterByResource": "Filtrovat podle zdroje",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Resetovat filtry",
     "totalBlocked": "Požadavky blokovány Pangolinem",
     "totalRequests": "Celkem požadavků",
@@ -746,28 +729,16 @@
     "countries": "Země",
     "accessRoleCreate": "Vytvořit roli",
     "accessRoleCreateDescription": "Vytvořte novou roli pro seskupení uživatelů a spravujte jejich oprávnění.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Vytvořit roli",
     "accessRoleCreated": "Role vytvořena",
     "accessRoleCreatedDescription": "Role byla úspěšně vytvořena.",
     "accessRoleErrorCreate": "Nepodařilo se vytvořit roli",
     "accessRoleErrorCreateDescription": "Došlo k chybě při vytváření role.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Je vyžadována nová role",
     "accessRoleErrorRemove": "Nepodařilo se odstranit roli",
     "accessRoleErrorRemoveDescription": "Došlo k chybě při odstraňování role.",
     "accessRoleName": "Název role",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Chystáte se odstranit {name} roli. Tuto akci nelze vrátit zpět.",
     "accessRoleRemove": "Odstranit roli",
     "accessRoleRemoveDescription": "Odebrat roli z organizace",
     "accessRoleRemoveSubmit": "Odstranit roli",
@@ -903,7 +874,7 @@
     "inviteAlready": "Vypadá to, že jste byli pozváni!",
     "inviteAlreadyDescription": "Chcete-li přijmout pozvánku, musíte se přihlásit nebo vytvořit účet.",
     "signupQuestion": "Již máte účet?",
-    "login": "Log In",
+    "login": "Přihlásit se",
     "resourceNotFound": "Zdroj nebyl nalezen",
     "resourceNotFoundDescription": "Dokument, ke kterému se snažíte přistupovat, neexistuje.",
     "pincodeRequirementsLength": "PIN musí být přesně 6 číslic",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Tato organizace vyžaduje změnu hesla každých {maxDays} dní.",
     "changePasswordNow": "Změnit heslo",
     "pincodeAuth": "Ověřovací kód",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Odeslat kód",
     "passwordResetSubmit": "Žádost o obnovení",
     "passwordResetAlreadyHaveCode": "Zadejte kód",
     "passwordResetSmtpRequired": "Obraťte se na správce",
     "passwordResetSmtpRequiredDescription": "Pro obnovení hesla je vyžadován kód pro obnovení hesla. Kontaktujte prosím svého administrátora.",
     "passwordBack": "Zpět na heslo",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Přejít zpět na přihlášení",
     "signup": "Zaregistrovat se",
     "loginStart": "Přihlaste se a začněte",
     "idpOidcTokenValidating": "Ověřování OIDC tokenu",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Aktualizovat IDP Org",
     "actionCreateClient": "Vytvořit klienta",
     "actionDeleteClient": "Odstranit klienta",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Aktualizovat klienta",
     "actionListClients": "Seznam klientů",
     "actionGetClient": "Získat klienta",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Hledat...",
     "create": "Vytvořit",
     "orgs": "Organizace",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Při přihlášení došlo k chybě",
+    "loginRequiredForDevice": "Pro ověření vašeho zařízení je nutné se přihlásit.",
     "passwordForgot": "Zapomněli jste heslo?",
     "otpAuth": "Dvoufaktorové ověření",
     "otpAuthDescription": "Zadejte kód z vaší autentizační aplikace nebo jeden z vlastních záložních kódů.",
     "otpAuthSubmit": "Odeslat kód",
     "idpContinue": "Nebo pokračovat s",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Zpět na přihlášení",
     "navbar": "Navigation Menu",
     "navbarDescription": "Hlavní navigační menu aplikace",
     "navbarDocsLink": "Dokumentace",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Přehled",
     "sidebarHome": "Domů",
     "sidebarSites": "Stránky",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Zdroje",
     "sidebarProxyResources": "Veřejnost",
     "sidebarClientResources": "Soukromé",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Poskytovatelé identity",
     "sidebarLicense": "Licence",
     "sidebarClients": "Klienti",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Uživatelé",
     "sidebarMachineClients": "Stroje a přístroje",
     "sidebarDomains": "Domény",
     "sidebarGeneral": "Spravovat",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Došlo k chybě při vytváření účtu správce serveru.",
     "certificateStatus": "Stav certifikátu",
     "loading": "Načítání",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Restartovat",
     "domains": "Domény",
     "domainsDescription": "Vytvořit a spravovat domény dostupné v organizaci",
@@ -1339,7 +1304,6 @@
     "refreshError": "Obnovení dat se nezdařilo",
     "verified": "Ověřeno",
     "pending": "Nevyřízeno",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Fakturace",
     "billing": "Fakturace",
     "orgBillingDescription": "Spravovat fakturační informace a předplatné",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Bezpečnostní klíč byl úspěšně odstraněn",
     "securityKeyRemoveError": "Odstranění bezpečnostního klíče se nezdařilo",
     "securityKeyLoadError": "Nepodařilo se načíst bezpečnostní klíče",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Pokračovat s bezpečnostním klíčem",
     "securityKeyAuthError": "Ověření bezpečnostním klíčem se nezdařilo",
     "securityKeyRecommendation": "Registrujte záložní bezpečnostní klíč na jiném zařízení, abyste zajistili, že budete mít vždy přístup ke svému účtu.",
     "registering": "Registrace...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Interval zdraví",
     "timeoutSeconds": "Časový limit (sek)",
     "timeIsInSeconds": "Čas je v sekundách",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Opakovat pokusy",
     "expectedResponseCodes": "Očekávané kódy odezvy",
     "expectedResponseCodesDescription": "HTTP kód stavu, který označuje zdravý stav. Ponecháte-li prázdné, 200-300 je považováno za zdravé.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
     "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
     "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Přihlaste se do organizace",
     "orgAuthSelectOrgTitle": "Přihlášení do organizace",
     "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
     "orgAuthOrgIdPlaceholder": "vaše-organizace",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Kód musí být 9 znaků (např. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Neplatný nebo prošlý kód",
     "deviceCodeVerifyFailed": "Ověření kódu zařízení se nezdařilo",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Přihlášen jako",
     "deviceCodeEnterPrompt": "Zadejte kód zobrazený na zařízení",
     "continue": "Pokračovat",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Přístup ke všem organizacím má přístup k vašemu účtu",
     "deviceAuthorize": "Autorizovat {applicationName}",
     "deviceConnected": "Zařízení připojeno!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Zařízení má oprávnění k přístupu k vašemu účtu.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "Zobrazit zařízení",
     "viewDevicesDescription": "Spravovat připojená zařízení",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Nejste vy? Použijte jiný účet.",
     "deviceLoginDeviceRequestingAccessToAccount": "Zařízení žádá o přístup k tomuto účtu.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Žádná data",
     "machineClients": "Strojoví klienti",
     "install": "Instalovat",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Služba dočasně nedostupná",
     "maintenanceScreenMessage": "Momentálně máme technické potíže. Zkontrolujte později.",
     "maintenanceScreenEstimatedCompletion": "Odhadované dokončení:",
-    "createInternalResourceDialogDestinationRequired": "Cíl je povinný",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Cíl je povinný"
 }

messages/de-DE.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Verbinde ein beliebiges Netzwerk",
     "sitesBannerDescription": "Ein Standort ist eine Verbindung zu einem Remote-Netzwerk, die es Pangolin ermöglicht, Zugriff auf öffentliche oder private Ressourcen für Benutzer überall zu gewähren. Installieren Sie den Site Netzwerk Connector (Newt) wo auch immer Sie eine Binärdatei oder einen Container starten können, um die Verbindung herzustellen.",
     "sitesBannerButtonText": "Standort installieren",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Standort erstellen",
     "siteCreateDescription2": "Folge den nachfolgenden Schritten, um einen neuen Standort zu erstellen und zu verbinden",
     "siteCreateDescription": "Erstellen Sie einen neuen Standort, um Ressourcen zu verbinden",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Rollen suchen...",
     "accessRolesAdd": "Rolle hinzufügen",
     "accessRoleDelete": "Rolle löschen",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Beschreibung",
     "inviteTitle": "Einladungen öffnen",
     "inviteDescription": "Einladungen für andere Benutzer verwalten, der Organisation beizutreten",
@@ -455,18 +450,6 @@
     "selectDuration": "Dauer auswählen",
     "selectResource": "Ressource auswählen",
     "filterByResource": "Nach Ressource filtern",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Filter zurücksetzen",
     "totalBlocked": "Anfragen blockiert von Pangolin",
     "totalRequests": "Gesamte Anfragen",
@@ -746,28 +729,16 @@
     "countries": "Länder",
     "accessRoleCreate": "Rolle erstellen",
     "accessRoleCreateDescription": "Erstellen Sie eine neue Rolle, um Benutzer zu gruppieren und ihre Berechtigungen zu verwalten.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Rolle erstellen",
     "accessRoleCreated": "Rolle erstellt",
     "accessRoleCreatedDescription": "Die Rolle wurde erfolgreich erstellt.",
     "accessRoleErrorCreate": "Fehler beim Erstellen der Rolle",
     "accessRoleErrorCreateDescription": "Beim Erstellen der Rolle ist ein Fehler aufgetreten.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Neue Rolle ist erforderlich",
     "accessRoleErrorRemove": "Fehler beim Entfernen der Rolle",
     "accessRoleErrorRemoveDescription": "Beim Entfernen der Rolle ist ein Fehler aufgetreten.",
     "accessRoleName": "Rollenname",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Sie sind dabei, die Rolle {name} zu löschen. Diese Aktion kann nicht rückgängig gemacht werden.",
     "accessRoleRemove": "Rolle entfernen",
     "accessRoleRemoveDescription": "Eine Rolle aus der Organisation entfernen",
     "accessRoleRemoveSubmit": "Rolle entfernen",
@@ -903,7 +874,7 @@
     "inviteAlready": "Sieht aus, als wären Sie eingeladen worden!",
     "inviteAlreadyDescription": "Um die Einladung anzunehmen, müssen Sie sich einloggen oder ein Konto erstellen.",
     "signupQuestion": "Haben Sie bereits ein Konto?",
-    "login": "Log In",
+    "login": "Anmelden",
     "resourceNotFound": "Ressource nicht gefunden",
     "resourceNotFoundDescription": "Die Ressource, auf die Sie zugreifen möchten, existiert nicht.",
     "pincodeRequirementsLength": "PIN muss genau 6 Ziffern lang sein",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Diese Organisation erfordert, dass Sie Ihr Passwort alle {maxDays} Tage ändern.",
     "changePasswordNow": "Passwort jetzt ändern",
     "pincodeAuth": "Authentifizierungscode",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Code absenden",
     "passwordResetSubmit": "Zurücksetzung anfordern",
     "passwordResetAlreadyHaveCode": "Code eingeben",
     "passwordResetSmtpRequired": "Bitte kontaktieren Sie Ihren Administrator",
     "passwordResetSmtpRequiredDescription": "Zum Zurücksetzen Ihres Passworts ist ein Passwort erforderlich. Bitte wenden Sie sich an Ihren Administrator.",
     "passwordBack": "Zurück zum Passwort",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Zurück zur Anmeldung",
     "signup": "Registrieren",
     "loginStart": "Melden Sie sich an, um zu beginnen",
     "idpOidcTokenValidating": "OIDC-Token wird validiert",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "IDP-Organisation aktualisieren",
     "actionCreateClient": "Client erstellen",
     "actionDeleteClient": "Client löschen",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Client aktualisieren",
     "actionListClients": "Clients auflisten",
     "actionGetClient": "Clients abrufen",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Suche...",
     "create": "Erstellen",
     "orgs": "Organisationen",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Anmeldung ist für Ihr Gerät erforderlich.",
+    "loginError": "Beim Anmelden ist ein Fehler aufgetreten",
+    "loginRequiredForDevice": "Zur Authentifizierung Ihres Geräts ist eine Anmeldung erforderlich",
     "passwordForgot": "Passwort vergessen?",
     "otpAuth": "Zwei-Faktor-Authentifizierung",
     "otpAuthDescription": "Geben Sie den Code aus Ihrer Authenticator-App oder einen Ihrer einmaligen Backup-Codes ein.",
     "otpAuthSubmit": "Code absenden",
     "idpContinue": "Oder weiter mit",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Zurück zur Anmeldung",
     "navbar": "Navigationsmenü",
     "navbarDescription": "Hauptnavigationsmenü für die Anwendung",
     "navbarDocsLink": "Dokumentation",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Übersicht",
     "sidebarHome": "Zuhause",
     "sidebarSites": "Standorte",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Ressourcen",
     "sidebarProxyResources": "Öffentlich",
     "sidebarClientResources": "Privat",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Identitätsanbieter",
     "sidebarLicense": "Lizenz",
     "sidebarClients": "Clients",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Benutzergeräte",
     "sidebarMachineClients": "Maschinen",
     "sidebarDomains": "Domänen",
     "sidebarGeneral": "Verwalten",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Beim Erstellen des Server-Admin-Kontos ist ein Fehler aufgetreten.",
     "certificateStatus": "Zertifikatsstatus",
     "loading": "Laden",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Neustart",
     "domains": "Domänen",
     "domainsDescription": "Erstellen und verwalten der in der Organisation verfügbaren Domänen",
@@ -1339,7 +1304,6 @@
     "refreshError": "Datenaktualisierung fehlgeschlagen",
     "verified": "Verifiziert",
     "pending": "Ausstehend",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Abrechnung",
     "billing": "Abrechnung",
     "orgBillingDescription": "Zahlungsinformationen und Abonnements verwalten",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Sicherheitsschlüssel erfolgreich entfernt",
     "securityKeyRemoveError": "Fehler beim Entfernen des Sicherheitsschlüssels",
     "securityKeyLoadError": "Fehler beim Laden der Sicherheitsschlüssel",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Mit dem Sicherheitsschlüssel fortfahren",
     "securityKeyAuthError": "Fehler bei der Authentifizierung mit Sicherheitsschlüssel",
     "securityKeyRecommendation": "Erwägen Sie die Registrierung eines weiteren Sicherheitsschlüssels auf einem anderen Gerät, um sicherzustellen, dass Sie sich nicht aus Ihrem Konto aussperren.",
     "registering": "Registrierung...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Gesunder Intervall",
     "timeoutSeconds": "Timeout (Sek.)",
     "timeIsInSeconds": "Zeit ist in Sekunden",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Wiederholungsversuche",
     "expectedResponseCodes": "Erwartete Antwortcodes",
     "expectedResponseCodesDescription": "HTTP-Statuscode, der einen gesunden Zustand anzeigt. Wenn leer gelassen, wird 200-300 als gesund angesehen.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Wähle deinen Identitätsanbieter um fortzufahren",
     "orgAuthNoIdpConfigured": "Diese Organisation hat keine Identitätsanbieter konfiguriert. Sie können sich stattdessen mit Ihrer Pangolin-Identität anmelden.",
     "orgAuthSignInWithPangolin": "Mit Pangolin anmelden",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Bei einer Organisation anmelden",
     "orgAuthSelectOrgTitle": "Organisations-Anmeldung",
     "orgAuthSelectOrgDescription": "Geben Sie Ihre Organisations-ID ein, um fortzufahren",
     "orgAuthOrgIdPlaceholder": "Ihre Organisation",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Code muss 9 Zeichen lang sein (z.B. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Ungültiger oder abgelaufener Code",
     "deviceCodeVerifyFailed": "Fehler beim Überprüfen des Gerätecodes",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Angemeldet als",
     "deviceCodeEnterPrompt": "Geben Sie den auf dem Gerät angezeigten Code ein",
     "continue": "Weiter",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Zugriff auf alle Organisationen, auf die Ihr Konto Zugriff hat",
     "deviceAuthorize": "{applicationName} autorisieren",
     "deviceConnected": "Gerät verbunden!",
-    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen. Bitte kehren Sie zur Client-Anwendung zurück.",
+    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "Geräte anzeigen",
     "viewDevicesDescription": "Verwalten Sie Ihre verbundenen Geräte",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Nicht du? Verwenden Sie ein anderes Konto.",
     "deviceLoginDeviceRequestingAccessToAccount": "Ein Gerät fordert Zugriff auf dieses Konto an.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Keine Daten",
     "machineClients": "Maschinen-Clients",
     "install": "Installieren",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Dienst vorübergehend nicht verfügbar",
     "maintenanceScreenMessage": "Wir haben derzeit technische Schwierigkeiten. Bitte schauen Sie bald noch einmal vorbei.",
     "maintenanceScreenEstimatedCompletion": "Geschätzter Abschluss:",
-    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich",
-    "available": "Verfügbar",
-    "archived": "Archiviert",
-    "noArchivedDevices": "Keine archivierten Geräte gefunden",
-    "deviceArchived": "Gerät archiviert",
-    "deviceArchivedDescription": "Das Gerät wurde erfolgreich archiviert.",
-    "errorArchivingDevice": "Fehler beim Archivieren des Geräts",
-    "failedToArchiveDevice": "Archivierung des Geräts fehlgeschlagen",
-    "deviceQuestionArchive": "Sind Sie sicher, dass Sie dieses Gerät archivieren möchten?",
-    "deviceMessageArchive": "Das Gerät wird archiviert und aus Ihrer Liste der aktiven Geräte entfernt.",
-    "deviceArchiveConfirm": "Gerät archivieren",
-    "archiveDevice": "Gerät archivieren",
-    "archive": "Archiv",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich"
 }

messages/en-US.json

@@ -257,6 +257,8 @@
     "accessRolesSearch": "Search roles...",
     "accessRolesAdd": "Add Role",
     "accessRoleDelete": "Delete Role",
+    "accessApprovalsManage": "Manage Approvals",
+    "accessApprovalsDescription": "Manage approval requests in the organization",
     "description": "Description",
     "inviteTitle": "Open Invitations",
     "inviteDescription": "Manage invitations for other users to join the organization",
@@ -450,6 +452,18 @@
     "selectDuration": "Select duration",
     "selectResource": "Select Resource",
     "filterByResource": "Filter By Resource",
+    "selectApprovalState": "Select Approval State",
+    "filterByApprovalState": "Filter By Approval State",
+    "approvalListEmpty": "No approvals",
+    "approvalState": "Approval State",
+    "approve": "Approve",
+    "approved": "Approved",
+    "denied": "Denied",
+    "deniedApproval": "Denied Approval",
+    "all": "All",
+    "deny": "Deny",
+    "viewDetails": "View Details",
+    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Reset Filters",
     "totalBlocked": "Requests Blocked By Pangolin",
     "totalRequests": "Total Requests",
@@ -729,16 +743,28 @@
     "countries": "Countries",
     "accessRoleCreate": "Create Role",
     "accessRoleCreateDescription": "Create a new role to group users and manage their permissions.",
+    "accessRoleEdit": "Edit Role",
+    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Create Role",
     "accessRoleCreated": "Role created",
     "accessRoleCreatedDescription": "The role has been successfully created.",
     "accessRoleErrorCreate": "Failed to create role",
     "accessRoleErrorCreateDescription": "An error occurred while creating the role.",
+    "accessRoleUpdateSubmit": "Update Role",
+    "accessRoleUpdated": "Role updated",
+    "accessRoleUpdatedDescription": "The role has been successfully updated.",
+    "accessApprovalUpdated": "Approval processed",
+    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
+    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
+    "accessRoleErrorUpdate": "Failed to update role",
+    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
+    "accessApprovalErrorUpdate": "Failed to process approval",
+    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "New role is required",
     "accessRoleErrorRemove": "Failed to remove role",
     "accessRoleErrorRemoveDescription": "An error occurred while removing the role.",
     "accessRoleName": "Role Name",
-    "accessRoleQuestionRemove": "You're about to delete the {name} role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
     "accessRoleRemove": "Remove Role",
     "accessRoleRemoveDescription": "Remove a role from the organization",
     "accessRoleRemoveSubmit": "Remove Role",
@@ -874,7 +900,7 @@
     "inviteAlready": "Looks like you've been invited!",
     "inviteAlreadyDescription": "To accept the invite, you must log in or create an account.",
     "signupQuestion": "Already have an account?",
-    "login": "Log in",
+    "login": "Log In",
     "resourceNotFound": "Resource Not Found",
     "resourceNotFoundDescription": "The resource you're trying to access does not exist.",
     "pincodeRequirementsLength": "PIN must be exactly 6 digits",
@@ -954,13 +980,13 @@
     "passwordExpiryDescription": "This organization requires you to change your password every {maxDays} days.",
     "changePasswordNow": "Change Password Now",
     "pincodeAuth": "Authenticator Code",
-    "pincodeSubmit2": "Submit Code",
+    "pincodeSubmit2": "Submit code",
     "passwordResetSubmit": "Request Reset",
     "passwordResetAlreadyHaveCode": "Enter Code",
     "passwordResetSmtpRequired": "Please contact your administrator",
     "passwordResetSmtpRequiredDescription": "A password reset code is required to reset your password. Please contact your administrator for assistance.",
     "passwordBack": "Back to Password",
-    "loginBack": "Go back to log in",
+    "loginBack": "Go back to main login page",
     "signup": "Sign up",
     "loginStart": "Log in to get started",
     "idpOidcTokenValidating": "Validating OIDC token",
@@ -1118,6 +1144,10 @@
     "actionUpdateIdpOrg": "Update IDP Org",
     "actionCreateClient": "Create Client",
     "actionDeleteClient": "Delete Client",
+    "actionArchiveClient": "Archive Client",
+    "actionUnarchiveClient": "Unarchive Client",
+    "actionBlockClient": "Block Client",
+    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Update Client",
     "actionListClients": "List Clients",
     "actionGetClient": "Get Client",
@@ -1134,14 +1164,14 @@
     "searchProgress": "Search...",
     "create": "Create",
     "orgs": "Organizations",
-    "loginError": "An error occurred while logging in",
-    "loginRequiredForDevice": "Login is required to authenticate your device.",
+    "loginError": "An unexpected error occurred. Please try again.",
+    "loginRequiredForDevice": "Login is required for your device.",
     "passwordForgot": "Forgot your password?",
     "otpAuth": "Two-Factor Authentication",
     "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
     "otpAuthSubmit": "Submit Code",
     "idpContinue": "Or continue with",
-    "otpAuthBack": "Back to Log In",
+    "otpAuthBack": "Back to Password",
     "navbar": "Navigation Menu",
     "navbarDescription": "Main navigation menu for the application",
     "navbarDocsLink": "Documentation",
@@ -1189,6 +1219,7 @@
     "sidebarOverview": "Overview",
     "sidebarHome": "Home",
     "sidebarSites": "Sites",
+    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Resources",
     "sidebarProxyResources": "Public",
     "sidebarClientResources": "Private",
@@ -1205,7 +1236,7 @@
     "sidebarIdentityProviders": "Identity Providers",
     "sidebarLicense": "License",
     "sidebarClients": "Clients",
-    "sidebarUserDevices": "Users",
+    "sidebarUserDevices": "User Devices",
     "sidebarMachineClients": "Machines",
     "sidebarDomains": "Domains",
     "sidebarGeneral": "Manage",
@@ -1304,6 +1335,7 @@
     "refreshError": "Failed to refresh data",
     "verified": "Verified",
     "pending": "Pending",
+    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Billing",
     "billing": "Billing",
     "orgBillingDescription": "Manage billing information and subscriptions",
@@ -1420,7 +1452,7 @@
     "securityKeyRemoveSuccess": "Security key removed successfully",
     "securityKeyRemoveError": "Failed to remove security key",
     "securityKeyLoadError": "Failed to load security keys",
-    "securityKeyLogin": "Continue with security key",
+    "securityKeyLogin": "Use Security Key",
     "securityKeyAuthError": "Failed to authenticate with security key",
     "securityKeyRecommendation": "Register a backup security key on another device to ensure you always have access to your account.",
     "registering": "Registering...",
@@ -1547,6 +1579,8 @@
     "IntervalSeconds": "Healthy Interval",
     "timeoutSeconds": "Timeout (sec)",
     "timeIsInSeconds": "Time is in seconds",
+    "requireDeviceApproval": "Require Device Approvals",
+    "requireDeviceApprovalDescription": "Users with this role need their devices approved by an admin before they can access resources",
     "retryAttempts": "Retry Attempts",
     "expectedResponseCodes": "Expected Response Codes",
     "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -2232,6 +2266,8 @@
     "deviceCodeInvalidFormat": "Code must be 9 characters (e.g., A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Invalid or expired code",
     "deviceCodeVerifyFailed": "Failed to verify device code",
+    "deviceCodeValidating": "Validating device code...",
+    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Signed in as",
     "deviceCodeEnterPrompt": "Enter the code displayed on the device",
     "continue": "Continue",
@@ -2244,7 +2280,7 @@
     "deviceOrganizationsAccess": "Access to all organizations your account has access to",
     "deviceAuthorize": "Authorize {applicationName}",
     "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "View Devices",
     "viewDevicesDescription": "Manage your connected devices",
@@ -2306,6 +2342,7 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Not you? Use a different account.",
     "deviceLoginDeviceRequestingAccessToAccount": "A device is requesting access to this account.",
+    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "No Data",
     "machineClients": "Machine Clients",
     "install": "Install",
@@ -2394,5 +2431,56 @@
     "maintenanceScreenTitle": "Service Temporarily Unavailable",
     "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
     "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
-    "createInternalResourceDialogDestinationRequired": "Destination is required"
+    "createInternalResourceDialogDestinationRequired": "Destination is required",
+    "available": "Available",
+    "archived": "Archived",
+    "noArchivedDevices": "No archived devices found",
+    "deviceArchived": "Device archived",
+    "deviceArchivedDescription": "The device has been successfully archived.",
+    "errorArchivingDevice": "Error archiving device",
+    "failedToArchiveDevice": "Failed to archive device",
+    "deviceQuestionArchive": "Are you sure you want to archive this device?",
+    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
+    "deviceArchiveConfirm": "Archive Device",
+    "archiveDevice": "Archive Device",
+    "archive": "Archive",
+    "deviceUnarchived": "Device unarchived",
+    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
+    "errorUnarchivingDevice": "Error unarchiving device",
+    "failedToUnarchiveDevice": "Failed to unarchive device",
+    "unarchive": "Unarchive",
+    "archiveClient": "Archive Client",
+    "archiveClientQuestion": "Are you sure you want to archive this client?",
+    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
+    "archiveClientConfirm": "Archive Client",
+    "blockClient": "Block Client",
+    "blockClientQuestion": "Are you sure you want to block this client?",
+    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
+    "blockClientConfirm": "Block Client",
+    "active": "Active",
+    "usernameOrEmail": "Username or Email",
+    "selectYourOrganization": "Select your organization",
+    "signInTo": "Log in in to",
+    "signInWithPassword": "Continue with Password",
+    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
+    "enterPassword": "Enter your password",
+    "enterMfaCode": "Enter the code from your authenticator app",
+    "securityKeyRequired": "Please use your security key to sign in.",
+    "needToUseAnotherAccount": "Need to use a different account?",
+    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
+    "termsOfService": "Terms of Service",
+    "privacyPolicy": "Privacy Policy",
+    "userNotFoundWithUsername": "No user found with that username.",
+    "verify": "Verify",
+    "signIn": "Sign In",
+    "forgotPassword": "Forgot password?",
+    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
+    "continueAnyway": "Continue anyway",
+    "dontShowAgain": "Don't show again",
+    "orgSignInNotice": "Did you know?",
+    "signupOrgNotice": "Trying to sign in?",
+    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
+    "signupOrgLink": "Sign in or sign up with your organization instead",
+    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
+    "logIn": "Log In"
 }

messages/es-ES.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Conectar cualquier red",
     "sitesBannerDescription": "Un sitio es una conexión a una red remota que permite a Pangolin proporcionar acceso a recursos, públicos o privados, a usuarios en cualquier lugar. Instale el conector de red del sitio (Newt) en cualquier lugar donde pueda ejecutar un binario o contenedor para establecer la conexión.",
     "sitesBannerButtonText": "Instalar sitio",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Crear sitio",
     "siteCreateDescription2": "Siga los pasos siguientes para crear y conectar un nuevo sitio",
     "siteCreateDescription": "Crear un nuevo sitio para empezar a conectar recursos",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Buscar roles...",
     "accessRolesAdd": "Añadir rol",
     "accessRoleDelete": "Eliminar rol",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Descripción",
     "inviteTitle": "Invitaciones abiertas",
     "inviteDescription": "Administrar invitaciones para que otros usuarios se unan a la organización",
@@ -455,18 +450,6 @@
     "selectDuration": "Seleccionar duración",
     "selectResource": "Seleccionar Recurso",
     "filterByResource": "Filtrar por Recurso",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Reiniciar filtros",
     "totalBlocked": "Solicitudes bloqueadas por Pangolin",
     "totalRequests": "Solicitudes totales",
@@ -746,28 +729,16 @@
     "countries": "Países",
     "accessRoleCreate": "Crear rol",
     "accessRoleCreateDescription": "Crear un nuevo rol para agrupar usuarios y administrar sus permisos.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Crear rol",
     "accessRoleCreated": "Rol creado",
     "accessRoleCreatedDescription": "El rol se ha creado correctamente.",
     "accessRoleErrorCreate": "Error al crear el rol",
     "accessRoleErrorCreateDescription": "Se ha producido un error al crear el rol.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Se requiere un nuevo rol",
     "accessRoleErrorRemove": "Error al eliminar el rol",
     "accessRoleErrorRemoveDescription": "Ocurrió un error mientras se eliminaba el rol.",
     "accessRoleName": "Nombre del Rol",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Estás a punto de eliminar el rol {name} . No puedes deshacer esta acción.",
     "accessRoleRemove": "Quitar rol",
     "accessRoleRemoveDescription": "Eliminar un rol de la organización",
     "accessRoleRemoveSubmit": "Quitar rol",
@@ -903,7 +874,7 @@
     "inviteAlready": "¡Parece que has sido invitado!",
     "inviteAlreadyDescription": "Para aceptar la invitación, debes iniciar sesión o crear una cuenta.",
     "signupQuestion": "¿Ya tienes una cuenta?",
-    "login": "Log In",
+    "login": "Iniciar sesión",
     "resourceNotFound": "Recurso no encontrado",
     "resourceNotFoundDescription": "El recurso al que intentas acceder no existe.",
     "pincodeRequirementsLength": "El PIN debe tener exactamente 6 dígitos",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Esta organización requiere que cambies tu contraseña cada {maxDays} días.",
     "changePasswordNow": "Cambiar Contraseña Ahora",
     "pincodeAuth": "Código de autenticación",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Enviar código",
     "passwordResetSubmit": "Reiniciar Solicitud",
     "passwordResetAlreadyHaveCode": "Ingresar código",
     "passwordResetSmtpRequired": "Póngase en contacto con su administrador",
     "passwordResetSmtpRequiredDescription": "Se requiere un código de restablecimiento de contraseña para restablecer su contraseña. Póngase en contacto con su administrador para obtener asistencia.",
     "passwordBack": "Volver a la contraseña",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Volver a iniciar sesión",
     "signup": "Regístrate",
     "loginStart": "Inicia sesión para empezar",
     "idpOidcTokenValidating": "Validando token OIDC",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Actualizar IDP Org",
     "actionCreateClient": "Crear cliente",
     "actionDeleteClient": "Eliminar cliente",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Actualizar cliente",
     "actionListClients": "Listar clientes",
     "actionGetClient": "Obtener cliente",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Buscar...",
     "create": "Crear",
     "orgs": "Organizaciones",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Se ha producido un error al iniciar sesión",
+    "loginRequiredForDevice": "Es necesario iniciar sesión para autenticar tu dispositivo.",
     "passwordForgot": "¿Olvidaste tu contraseña?",
     "otpAuth": "Autenticación de dos factores",
     "otpAuthDescription": "Introduzca el código de su aplicación de autenticación o uno de sus códigos de copia de seguridad de un solo uso.",
     "otpAuthSubmit": "Enviar código",
     "idpContinue": "O continuar con",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Volver a iniciar sesión",
     "navbar": "Menú de navegación",
     "navbarDescription": "Menú de navegación principal para la aplicación",
     "navbarDocsLink": "Documentación",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Resumen",
     "sidebarHome": "Inicio",
     "sidebarSites": "Sitios",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Recursos",
     "sidebarProxyResources": "Público",
     "sidebarClientResources": "Privado",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Proveedores de identidad",
     "sidebarLicense": "Licencia",
     "sidebarClients": "Clientes",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Usuarios",
     "sidebarMachineClients": "Máquinas",
     "sidebarDomains": "Dominios",
     "sidebarGeneral": "Gestionar",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Se produjo un error al crear la cuenta de administrador del servidor.",
     "certificateStatus": "Estado del certificado",
     "loading": "Cargando",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Reiniciar",
     "domains": "Dominios",
     "domainsDescription": "Crear y administrar dominios disponibles en la organización",
@@ -1339,7 +1304,6 @@
     "refreshError": "Error al actualizar datos",
     "verified": "Verificado",
     "pending": "Pendiente",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Facturación",
     "billing": "Facturación",
     "orgBillingDescription": "Administrar información de facturación y suscripciones",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Llave de seguridad eliminada exitosamente",
     "securityKeyRemoveError": "Error al eliminar la llave de seguridad",
     "securityKeyLoadError": "Error al cargar las llaves de seguridad",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Continuar con clave de seguridad",
     "securityKeyAuthError": "Error al autenticar con llave de seguridad",
     "securityKeyRecommendation": "Considere registrar otra llave de seguridad en un dispositivo diferente para asegurarse de no quedar bloqueado de su cuenta.",
     "registering": "Registrando...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Intervalo Saludable",
     "timeoutSeconds": "Tiempo agotado (seg)",
     "timeIsInSeconds": "El tiempo está en segundos",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Intentos de Reintento",
     "expectedResponseCodes": "Códigos de respuesta esperados",
     "expectedResponseCodesDescription": "Código de estado HTTP que indica un estado saludable. Si se deja en blanco, se considera saludable de 200 a 300.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Elige tu proveedor de identidad para continuar",
     "orgAuthNoIdpConfigured": "Esta organización no tiene ningún proveedor de identidad configurado. En su lugar puedes iniciar sesión con tu identidad de Pangolin.",
     "orgAuthSignInWithPangolin": "Iniciar sesión con Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Iniciar sesión en una organización",
     "orgAuthSelectOrgTitle": "Inicio de sesión de organización",
     "orgAuthSelectOrgDescription": "Ingrese el ID de su organización para continuar",
     "orgAuthOrgIdPlaceholder": "tu-organización",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "El código debe tener 9 caracteres (por ejemplo, A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Código no válido o caducado",
     "deviceCodeVerifyFailed": "Error al verificar el código del dispositivo",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Conectado como",
     "deviceCodeEnterPrompt": "Introduzca el código mostrado en el dispositivo",
     "continue": "Continuar",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Acceso a todas las organizaciones a las que su cuenta tiene acceso",
     "deviceAuthorize": "Autorizar a {applicationName}",
     "deviceConnected": "¡Dispositivo conectado!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "El dispositivo está autorizado para acceder a su cuenta.",
     "pangolinCloud": "Nube de Pangolin",
     "viewDevices": "Ver dispositivos",
     "viewDevicesDescription": "Administra tus dispositivos conectados",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "¿No tú? Utilice una cuenta diferente.",
     "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo está solicitando acceso a esta cuenta.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Sin datos",
     "machineClients": "Clientes de la máquina",
     "install": "Instalar",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Servicio temporalmente no disponible",
     "maintenanceScreenMessage": "Actualmente estamos experimentando dificultades técnicas. Por favor regrese pronto.",
     "maintenanceScreenEstimatedCompletion": "Estimado completado:",
-    "createInternalResourceDialogDestinationRequired": "Se requiere destino",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Se requiere destino"
 }

messages/fr-FR.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Se connecter à n'importe quel réseau",
     "sitesBannerDescription": "Un site est une connexion à un réseau distant qui permet à Pangolin de fournir aux utilisateurs l'accès à des ressources, publiques ou privées, n'importe où. Installez le connecteur de réseau du site (Newt) partout où vous pouvez exécuter un binaire ou un conteneur pour établir la connexion.",
     "sitesBannerButtonText": "Installer le site",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Créer un nœud",
     "siteCreateDescription2": "Suivez les étapes ci-dessous pour créer et connecter un nouveau nœud",
     "siteCreateDescription": "Créer un nouveau site pour commencer à connecter des ressources",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Chercher des rôles...",
     "accessRolesAdd": "Ajouter un rôle",
     "accessRoleDelete": "Supprimer le rôle",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Libellé",
     "inviteTitle": "Invitations actives",
     "inviteDescription": "Gérer les invitations des autres utilisateurs à rejoindre l'organisation",
@@ -455,18 +450,6 @@
     "selectDuration": "Sélectionner la durée",
     "selectResource": "Sélectionner une ressource",
     "filterByResource": "Filtrer par ressource",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Réinitialiser les filtres",
     "totalBlocked": "Demandes bloquées par le Pangolin",
     "totalRequests": "Total des demandes",
@@ -746,28 +729,16 @@
     "countries": "Pays",
     "accessRoleCreate": "Créer un rôle",
     "accessRoleCreateDescription": "Créer un nouveau rôle pour regrouper les utilisateurs et gérer leurs permissions.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Créer un rôle",
     "accessRoleCreated": "Rôle créé",
     "accessRoleCreatedDescription": "Le rôle a été créé avec succès.",
     "accessRoleErrorCreate": "Échec de la création du rôle",
     "accessRoleErrorCreateDescription": "Une erreur s'est produite lors de la création du rôle.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Un nouveau rôle est requis",
     "accessRoleErrorRemove": "Échec de la suppression du rôle",
     "accessRoleErrorRemoveDescription": "Une erreur s'est produite lors de la suppression du rôle.",
     "accessRoleName": "Nom du rôle",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Vous êtes sur le point de supprimer le rôle {name}. Cette action est irréversible.",
     "accessRoleRemove": "Supprimer le rôle",
     "accessRoleRemoveDescription": "Retirer un rôle de l'organisation",
     "accessRoleRemoveSubmit": "Supprimer le rôle",
@@ -903,7 +874,7 @@
     "inviteAlready": "On dirait que vous avez été invité !",
     "inviteAlreadyDescription": "Pour accepter l'invitation, vous devez vous connecter ou créer un compte.",
     "signupQuestion": "Vous avez déjà un compte ?",
-    "login": "Log In",
+    "login": "Se connecter",
     "resourceNotFound": "Ressource introuvable",
     "resourceNotFoundDescription": "La ressource que vous essayez d'accéder n'existe pas.",
     "pincodeRequirementsLength": "Le code PIN doit comporter exactement 6 chiffres",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Cette organisation vous demande de changer votre mot de passe tous les {maxDays} jours.",
     "changePasswordNow": "Changer le mot de passe maintenant",
     "pincodeAuth": "Code d'authentification",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Soumettre le code",
     "passwordResetSubmit": "Demander la réinitialisation",
     "passwordResetAlreadyHaveCode": "Entrer le code",
     "passwordResetSmtpRequired": "Veuillez contacter votre administrateur",
     "passwordResetSmtpRequiredDescription": "Un code de réinitialisation du mot de passe est requis pour réinitialiser votre mot de passe. Veuillez contacter votre administrateur pour obtenir de l'aide.",
     "passwordBack": "Retour au mot de passe",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Retour à la connexion",
     "signup": "S'inscrire",
     "loginStart": "Connectez-vous pour commencer",
     "idpOidcTokenValidating": "Validation du jeton OIDC",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Mettre à jour une organisation IDP",
     "actionCreateClient": "Créer un client",
     "actionDeleteClient": "Supprimer le client",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Mettre à jour le client",
     "actionListClients": "Liste des clients",
     "actionGetClient": "Obtenir le client",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Rechercher...",
     "create": "Créer",
     "orgs": "Organisations",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Une erreur s'est produite lors de la connexion",
+    "loginRequiredForDevice": "La connexion est requise pour authentifier votre appareil.",
     "passwordForgot": "Mot de passe oublié ?",
     "otpAuth": "Authentification à deux facteurs",
     "otpAuthDescription": "Entrez le code de votre application d'authentification ou l'un de vos codes de secours à usage unique.",
     "otpAuthSubmit": "Soumettre le code",
     "idpContinue": "Ou continuer avec",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Retour à la connexion",
     "navbar": "Menu de navigation",
     "navbarDescription": "Menu de navigation principal de l'application",
     "navbarDocsLink": "Documentation",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Aperçu",
     "sidebarHome": "Domicile",
     "sidebarSites": "Nœuds",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Ressource",
     "sidebarProxyResources": "Publique",
     "sidebarClientResources": "Privé",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Fournisseurs d'identité",
     "sidebarLicense": "Licence",
     "sidebarClients": "Clients",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Utilisateurs",
     "sidebarMachineClients": "Machines",
     "sidebarDomains": "Domaines",
     "sidebarGeneral": "Gérer",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Une erreur s'est produite lors de la création du compte administrateur du serveur.",
     "certificateStatus": "Statut du certificat",
     "loading": "Chargement",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Redémarrer",
     "domains": "Domaines",
     "domainsDescription": "Créer et gérer les domaines disponibles dans l'organisation",
@@ -1339,7 +1304,6 @@
     "refreshError": "Échec de l'actualisation des données",
     "verified": "Vérifié",
     "pending": "En attente",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Facturation",
     "billing": "Facturation",
     "orgBillingDescription": "Gérer les informations de facturation et les abonnements",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Clé de sécurité supprimée avec succès",
     "securityKeyRemoveError": "Échec de la suppression de la clé de sécurité",
     "securityKeyLoadError": "Échec du chargement des clés de sécurité",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Continuer avec une clé de sécurité",
     "securityKeyAuthError": "Échec de l'authentification avec la clé de sécurité",
     "securityKeyRecommendation": "Envisagez d'enregistrer une autre clé de sécurité sur un appareil différent pour vous assurer de ne pas être bloqué de votre compte.",
     "registering": "Enregistrement...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Intervalle sain",
     "timeoutSeconds": "Délai d'attente (sec)",
     "timeIsInSeconds": "Le temps est exprimé en secondes",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Tentatives de réessai",
     "expectedResponseCodes": "Codes de réponse attendus",
     "expectedResponseCodesDescription": "Code de statut HTTP indiquant un état de santé satisfaisant. Si non renseigné, 200-300 est considéré comme satisfaisant.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
     "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
     "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Connectez-vous à une organisation",
     "orgAuthSelectOrgTitle": "Connexion à l'organisation",
     "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
     "orgAuthOrgIdPlaceholder": "votre-organisation",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Le code doit contenir 9 caractères (par exemple, A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Code invalide ou expiré",
     "deviceCodeVerifyFailed": "Impossible de vérifier le code de l'appareil",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Connecté en tant que",
     "deviceCodeEnterPrompt": "Entrez le code affiché sur l'appareil",
     "continue": "Continuer",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Accès à toutes les organisations auxquelles votre compte a accès",
     "deviceAuthorize": "Autoriser {applicationName}",
     "deviceConnected": "Appareil connecté !",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "L'appareil est autorisé à accéder à votre compte.",
     "pangolinCloud": "Nuage de Pangolin",
     "viewDevices": "Voir les appareils",
     "viewDevicesDescription": "Gérer vos appareils connectés",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifiant",
     "deviceLoginUseDifferentAccount": "Pas vous ? Utilisez un autre compte.",
     "deviceLoginDeviceRequestingAccessToAccount": "Un appareil demande l'accès à ce compte.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Aucune donnée",
     "machineClients": "Clients Machines",
     "install": "Installer",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Service temporairement indisponible",
     "maintenanceScreenMessage": "Nous rencontrons actuellement des difficultés techniques. Veuillez vérifier ultérieurement.",
     "maintenanceScreenEstimatedCompletion": "Achèvement estimé :",
-    "createInternalResourceDialogDestinationRequired": "La destination est requise",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "La destination est requise"
 }

messages/it-IT.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Connetti Qualsiasi Rete",
     "sitesBannerDescription": "Un sito è una connessione a una rete remota che consente a Pangolin di fornire accesso alle risorse, pubbliche o private, agli utenti ovunque. Installa il connettore di rete del sito (Newt) ovunque tu possa eseguire un binario o un container per stabilire la connessione.",
     "sitesBannerButtonText": "Installa Sito",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Crea Sito",
     "siteCreateDescription2": "Segui i passaggi qui sotto per creare e collegare un nuovo sito",
     "siteCreateDescription": "Crea un nuovo sito per iniziare a connettere le risorse",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Ricerca ruoli...",
     "accessRolesAdd": "Aggiungi Ruolo",
     "accessRoleDelete": "Elimina Ruolo",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Descrizione",
     "inviteTitle": "Inviti Aperti",
     "inviteDescription": "Gestisci gli inviti per gli altri utenti a unirsi all'organizzazione",
@@ -455,18 +450,6 @@
     "selectDuration": "Seleziona durata",
     "selectResource": "Seleziona Risorsa",
     "filterByResource": "Filtra Per Risorsa",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Ripristina Filtri",
     "totalBlocked": "Richieste Bloccate Da Pangolino",
     "totalRequests": "Totale Richieste",
@@ -746,28 +729,16 @@
     "countries": "Paesi",
     "accessRoleCreate": "Crea Ruolo",
     "accessRoleCreateDescription": "Crea un nuovo ruolo per raggruppare gli utenti e gestire i loro permessi.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Crea Ruolo",
     "accessRoleCreated": "Ruolo creato",
     "accessRoleCreatedDescription": "Il ruolo è stato creato con successo.",
     "accessRoleErrorCreate": "Impossibile creare il ruolo",
     "accessRoleErrorCreateDescription": "Si è verificato un errore durante la creazione del ruolo.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Nuovo ruolo richiesto",
     "accessRoleErrorRemove": "Impossibile rimuovere il ruolo",
     "accessRoleErrorRemoveDescription": "Si è verificato un errore durante la rimozione del ruolo.",
     "accessRoleName": "Nome Del Ruolo",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Stai per eliminare il ruolo {name}. Non puoi annullare questa azione.",
     "accessRoleRemove": "Rimuovi Ruolo",
     "accessRoleRemoveDescription": "Rimuovi un ruolo dall'organizzazione",
     "accessRoleRemoveSubmit": "Rimuovi Ruolo",
@@ -903,7 +874,7 @@
     "inviteAlready": "Sembra che sei stato invitato!",
     "inviteAlreadyDescription": "Per accettare l'invito, devi accedere o creare un account.",
     "signupQuestion": "Hai già un account?",
-    "login": "Log In",
+    "login": "Accedi",
     "resourceNotFound": "Risorsa Non Trovata",
     "resourceNotFoundDescription": "La risorsa che stai cercando di accedere non esiste.",
     "pincodeRequirementsLength": "Il PIN deve essere esattamente di 6 cifre",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Questa organizzazione richiede di cambiare la password ogni {maxDays} giorni.",
     "changePasswordNow": "Cambia Password Ora",
     "pincodeAuth": "Codice Autenticatore",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Invia Codice",
     "passwordResetSubmit": "Richiedi Reset",
     "passwordResetAlreadyHaveCode": "Inserisci Codice",
     "passwordResetSmtpRequired": "Si prega di contattare l'amministratore",
     "passwordResetSmtpRequiredDescription": "Per reimpostare la password è necessario un codice di reimpostazione della password. Si prega di contattare l'amministratore per assistenza.",
     "passwordBack": "Torna alla Password",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Torna al login",
     "signup": "Registrati",
     "loginStart": "Accedi per iniziare",
     "idpOidcTokenValidating": "Convalida token OIDC",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Aggiorna Org IDP",
     "actionCreateClient": "Crea Client",
     "actionDeleteClient": "Elimina Client",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Aggiorna Client",
     "actionListClients": "Elenco Clienti",
     "actionGetClient": "Ottieni Client",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Ricerca...",
     "create": "Crea",
     "orgs": "Organizzazioni",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Si è verificato un errore durante l'accesso",
+    "loginRequiredForDevice": "È richiesto il login per autenticare il dispositivo.",
     "passwordForgot": "Password dimenticata?",
     "otpAuth": "Autenticazione a Due Fattori",
     "otpAuthDescription": "Inserisci il codice dalla tua app di autenticazione o uno dei tuoi codici di backup monouso.",
     "otpAuthSubmit": "Invia Codice",
     "idpContinue": "O continua con",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Torna al Login",
     "navbar": "Menu di Navigazione",
     "navbarDescription": "Menu di navigazione principale dell'applicazione",
     "navbarDocsLink": "Documentazione",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Panoramica",
     "sidebarHome": "Home",
     "sidebarSites": "Siti",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Risorse",
     "sidebarProxyResources": "Pubblico",
     "sidebarClientResources": "Privato",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Fornitori Di Identità",
     "sidebarLicense": "Licenza",
     "sidebarClients": "Client",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Utenti",
     "sidebarMachineClients": "Macchine",
     "sidebarDomains": "Domini",
     "sidebarGeneral": "Gestisci",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Si è verificato un errore durante la creazione dell'account amministratore del server.",
     "certificateStatus": "Stato del Certificato",
     "loading": "Caricamento",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Riavvia",
     "domains": "Domini",
     "domainsDescription": "Creare e gestire i domini disponibili nell'organizzazione",
@@ -1339,7 +1304,6 @@
     "refreshError": "Impossibile aggiornare i dati",
     "verified": "Verificato",
     "pending": "In attesa",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Fatturazione",
     "billing": "Fatturazione",
     "orgBillingDescription": "Gestisci le informazioni di fatturazione e gli abbonamenti",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Chiave di sicurezza rimossa con successo",
     "securityKeyRemoveError": "Errore durante la rimozione della chiave di sicurezza",
     "securityKeyLoadError": "Errore durante il caricamento delle chiavi di sicurezza",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Continua con la chiave di sicurezza",
     "securityKeyAuthError": "Errore durante l'autenticazione con chiave di sicurezza",
     "securityKeyRecommendation": "Considera di registrare un'altra chiave di sicurezza su un dispositivo diverso per assicurarti di non rimanere bloccato fuori dal tuo account.",
     "registering": "Registrazione in corso...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Intervallo Sano",
     "timeoutSeconds": "Timeout (sec)",
     "timeIsInSeconds": "Il tempo è in secondi",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Tentativi di Riprova",
     "expectedResponseCodes": "Codici di Risposta Attesi",
     "expectedResponseCodesDescription": "Codice di stato HTTP che indica lo stato di salute. Se lasciato vuoto, considerato sano è compreso tra 200-300.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Scegli il tuo provider di identità per continuare",
     "orgAuthNoIdpConfigured": "Questa organizzazione non ha nessun provider di identità configurato. Puoi accedere con la tua identità Pangolin.",
     "orgAuthSignInWithPangolin": "Accedi con Pangolino",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Accedi a un'organizzazione",
     "orgAuthSelectOrgTitle": "Accesso Organizzazione",
     "orgAuthSelectOrgDescription": "Inserisci l'ID dell'organizzazione per continuare",
     "orgAuthOrgIdPlaceholder": "la-tua-organizzazione",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Il codice deve contenere 9 caratteri (es. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Codice non valido o scaduto",
     "deviceCodeVerifyFailed": "Impossibile verificare il codice del dispositivo",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Accesso come",
     "deviceCodeEnterPrompt": "Inserisci il codice visualizzato sul dispositivo",
     "continue": "Continua",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Accesso a tutte le organizzazioni a cui il tuo account ha accesso",
     "deviceAuthorize": "Autorizza {applicationName}",
     "deviceConnected": "Dispositivo Connesso!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Il dispositivo è autorizzato ad accedere al tuo account.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "Visualizza Dispositivi",
     "viewDevicesDescription": "Gestisci i tuoi dispositivi connessi",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Non tu? Usa un account diverso.",
     "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo sta richiedendo l'accesso a questo account.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Nessun Dato",
     "machineClients": "Machine Clients",
     "install": "Installa",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Servizio Temporaneamente Non Disponibile",
     "maintenanceScreenMessage": "Stiamo attualmente riscontrando difficoltà tecniche. Si prega di ricontrollare a breve.",
     "maintenanceScreenEstimatedCompletion": "Completamento Stimato:",
-    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta"
 }

messages/ko-KR.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "모든 네트워크 연결",
     "sitesBannerDescription": "사이트는 원격 네트워크와의 연결로 Pangolin이 어디서나 사용자에게 공공 및 개인 리소스에 대한 접근을 제공할 수 있게 해 줍니다. 연결을 설정하려면 바이너리 또는 컨테이너로 실행할 수 있는 어디서든 사이트 네트워크 커넥터(Newt)를 설치하세요.",
     "sitesBannerButtonText": "사이트 설치",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "사이트 생성",
     "siteCreateDescription2": "아래 단계를 따라 새 사이트를 생성하고 연결하십시오",
     "siteCreateDescription": "리소스를 연결하기 위해 새 사이트를 생성하세요.",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "역할 검색...",
     "accessRolesAdd": "역할 추가",
     "accessRoleDelete": "역할 삭제",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "설명",
     "inviteTitle": "열린 초대",
     "inviteDescription": "다른 사용자가 조직에 참여하도록 초대장을 관리합니다.",
@@ -455,18 +450,6 @@
     "selectDuration": "지속 시간 선택",
     "selectResource": "리소스 선택",
     "filterByResource": "리소스별 필터",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "필터 재설정",
     "totalBlocked": "Pangolin으로 차단된 요청",
     "totalRequests": "총 요청 수",
@@ -746,28 +729,16 @@
     "countries": "국가",
     "accessRoleCreate": "역할 생성",
     "accessRoleCreateDescription": "사용자를 그룹화하고 권한을 관리하기 위해 새 역할을 생성하세요.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "역할 생성",
     "accessRoleCreated": "역할이 생성되었습니다.",
     "accessRoleCreatedDescription": "역할이 성공적으로 생성되었습니다.",
     "accessRoleErrorCreate": "역할 생성 실패",
     "accessRoleErrorCreateDescription": "역할 생성 중 오류가 발생했습니다.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "새 역할이 필요합니다.",
     "accessRoleErrorRemove": "역할 제거에 실패했습니다.",
     "accessRoleErrorRemoveDescription": "역할을 제거하는 동안 오류가 발생했습니다.",
     "accessRoleName": "역할 이름",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "{name} 역할을 삭제하려고 합니다. 이 작업은 취소할 수 없습니다.",
     "accessRoleRemove": "역할 제거",
     "accessRoleRemoveDescription": "조직에서 역할 제거",
     "accessRoleRemoveSubmit": "역할 제거",
@@ -903,7 +874,7 @@
     "inviteAlready": "초대받은 것 같습니다!",
     "inviteAlreadyDescription": "초대를 수락하려면 로그인하거나 계정을 생성해야 합니다.",
     "signupQuestion": "이미 계정이 있습니까?",
-    "login": "Log In",
+    "login": "로그인",
     "resourceNotFound": "리소스를 찾을 수 없습니다",
     "resourceNotFoundDescription": "접근하려는 리소스가 존재하지 않습니다.",
     "pincodeRequirementsLength": "PIN은 정확히 6자리여야 합니다",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "이 조직은 {maxDays}일마다 비밀번호 변경을 요구합니다.",
     "changePasswordNow": "지금 비밀번호 변경",
     "pincodeAuth": "인증 코드",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "코드 제출",
     "passwordResetSubmit": "재설정 요청",
     "passwordResetAlreadyHaveCode": "코드를 입력하십시오.",
     "passwordResetSmtpRequired": "관리자에게 문의하십시오",
     "passwordResetSmtpRequiredDescription": "비밀번호를 재설정하려면 비밀번호 초기화 코드가 필요합니다. 지원을 받으려면 관리자에게 문의하십시오.",
     "passwordBack": "비밀번호로 돌아가기",
-    "loginBack": "Go back to main login page",
+    "loginBack": "로그인으로 돌아가기",
     "signup": "가입하기",
     "loginStart": "시작하려면 로그인하세요.",
     "idpOidcTokenValidating": "OIDC 토큰 검증 중",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "IDP 조직 업데이트",
     "actionCreateClient": "클라이언트 생성",
     "actionDeleteClient": "클라이언트 삭제",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "클라이언트 업데이트",
     "actionListClients": "클라이언트 목록",
     "actionGetClient": "클라이언트 가져오기",
@@ -1167,14 +1134,14 @@
     "searchProgress": "검색...",
     "create": "생성",
     "orgs": "조직",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "로그인 중 오류가 발생했습니다",
+    "loginRequiredForDevice": "장치를 인증하려면 로그인이 필요합니다.",
     "passwordForgot": "비밀번호를 잊으셨나요?",
     "otpAuth": "이중 인증",
     "otpAuthDescription": "인증 앱에서 코드를 입력하거나 단일 사용 백업 코드 중 하나를 입력하세요.",
     "otpAuthSubmit": "코드 제출",
     "idpContinue": "또는 계속 진행하십시오.",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "로그인으로 돌아가기",
     "navbar": "탐색 메뉴",
     "navbarDescription": "애플리케이션의 주요 탐색 메뉴",
     "navbarDocsLink": "문서",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "개요",
     "sidebarHome": "홈",
     "sidebarSites": "사이트",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "리소스",
     "sidebarProxyResources": "공유",
     "sidebarClientResources": "비공개",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "신원 공급자",
     "sidebarLicense": "라이선스",
     "sidebarClients": "클라이언트",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "사용자",
     "sidebarMachineClients": "기계",
     "sidebarDomains": "도메인",
     "sidebarGeneral": "관리",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "서버 관리자 계정을 생성하는 동안 오류가 발생했습니다.",
     "certificateStatus": "인증서 상태",
     "loading": "로딩 중",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "재시작",
     "domains": "도메인",
     "domainsDescription": "조직에서 사용 가능한 도메인 생성 및 관리",
@@ -1339,7 +1304,6 @@
     "refreshError": "데이터 새로고침 실패",
     "verified": "검증됨",
     "pending": "대기 중",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "청구",
     "billing": "청구",
     "orgBillingDescription": "청구 정보 및 구독을 관리하세요",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "보안 키가 성공적으로 제거되었습니다",
     "securityKeyRemoveError": "보안 키 제거 실패",
     "securityKeyLoadError": "보안 키를 불러오는 데 실패했습니다",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "보안 키로 계속하기",
     "securityKeyAuthError": "보안 키를 사용한 인증 실패",
     "securityKeyRecommendation": "항상 계정에 액세스할 수 있도록 다른 장치에 백업 보안 키를 등록하세요.",
     "registering": "등록 중...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "정상 간격",
     "timeoutSeconds": "타임아웃(초)",
     "timeIsInSeconds": "시간은 초 단위입니다",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "재시도 횟수",
     "expectedResponseCodes": "예상 응답 코드",
     "expectedResponseCodesDescription": "정상 상태를 나타내는 HTTP 상태 코드입니다. 비워 두면 200-300이 정상으로 간주됩니다.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
     "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
     "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "조직에 로그인합니다.",
     "orgAuthSelectOrgTitle": "조직 로그인",
     "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
     "orgAuthOrgIdPlaceholder": "your-organization",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "코드는 9자리여야 합니다 (예: A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "무효하거나 만료된 코드",
     "deviceCodeVerifyFailed": "이메일 확인에 실패했습니다:",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "로그인한 사용자",
     "deviceCodeEnterPrompt": "기기에 표시된 코드를 입력하세요",
     "continue": "계속 진행하기",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "계정이 접근할 수 있는 모든 조직에 대한 접근",
     "deviceAuthorize": "{applicationName} 권한 부여",
     "deviceConnected": "장치가 연결되었습니다!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "장치가 계정에 액세스할 수 있도록 승인되었습니다.",
     "pangolinCloud": "판골린 클라우드",
     "viewDevices": "장치 보기",
     "viewDevicesDescription": "연결된 장치를 관리하십시오",
@@ -2346,7 +2306,6 @@
     "identifier": "식별자",
     "deviceLoginUseDifferentAccount": "본인이 아닙니까? 다른 계정을 사용하세요.",
     "deviceLoginDeviceRequestingAccessToAccount": "장치가 이 계정에 접근하려고 합니다.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "데이터 없음",
     "machineClients": "기계 클라이언트",
     "install": "설치",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "서비스 일시 중단",
     "maintenanceScreenMessage": "현재 기술적 문제를 겪고 있습니다. 곧 다시 확인하십시오.",
     "maintenanceScreenEstimatedCompletion": "예상 완료:",
-    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다.",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다."
 }

messages/nb-NO.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Koble til alle nettverk",
     "sitesBannerDescription": "Et nettverk er en tilkobling til et eksternt nettverk som tillater Pangolin å gi tilgang til ressurser, enten offentlige eller private, til brukere hvor som helst. Installer nettverkskontaktet (Newt) hvor som helst du kan kjøre en binærfil eller container for å opprette forbindelsen.",
     "sitesBannerButtonText": "Installer nettsted",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Opprett område",
     "siteCreateDescription2": "Følg trinnene nedenfor for å opprette og koble til et nytt område",
     "siteCreateDescription": "Opprett et nytt nettsted for å koble til ressurser",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Søk etter roller...",
     "accessRolesAdd": "Legg til rolle",
     "accessRoleDelete": "Slett rolle",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Beskrivelse",
     "inviteTitle": "Åpne invitasjoner",
     "inviteDescription": "Administrer invitasjoner til andre brukere for å bli med i organisasjonen",
@@ -455,18 +450,6 @@
     "selectDuration": "Velg varighet",
     "selectResource": "Velg ressurs",
     "filterByResource": "Filtrer etter ressurser",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Tilbakestill filtre",
     "totalBlocked": "Forespørsler blokkert av Pangolin",
     "totalRequests": "Totalt antall forespørsler",
@@ -746,28 +729,16 @@
     "countries": "Land",
     "accessRoleCreate": "Opprett rolle",
     "accessRoleCreateDescription": "Opprett en ny rolle for å gruppere brukere og administrere deres tillatelser.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Opprett rolle",
     "accessRoleCreated": "Rolle opprettet",
     "accessRoleCreatedDescription": "Rollen er vellykket opprettet.",
     "accessRoleErrorCreate": "Klarte ikke å opprette rolle",
     "accessRoleErrorCreateDescription": "Det oppstod en feil under opprettelse av rollen.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Ny rolle kreves",
     "accessRoleErrorRemove": "Kunne ikke fjerne rolle",
     "accessRoleErrorRemoveDescription": "Det oppstod en feil under fjerning av rollen.",
     "accessRoleName": "Rollenavn",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Du er i ferd med å slette rollen {name}. Du kan ikke angre denne handlingen.",
     "accessRoleRemove": "Fjern Rolle",
     "accessRoleRemoveDescription": "Fjern en rolle fra organisasjonen",
     "accessRoleRemoveSubmit": "Fjern Rolle",
@@ -903,7 +874,7 @@
     "inviteAlready": "Ser ut til at du har blitt invitert!",
     "inviteAlreadyDescription": "For å godta invitasjonen, må du logge inn eller opprette en konto.",
     "signupQuestion": "Har du allerede en konto?",
-    "login": "Log In",
+    "login": "Logg inn",
     "resourceNotFound": "Ressurs ikke funnet",
     "resourceNotFoundDescription": "Ressursen du prøver å få tilgang til eksisterer ikke.",
     "pincodeRequirementsLength": "PIN må være nøyaktig 6 siffer",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Denne organisasjonen krever at du bytter passord hver {maxDays} dag.",
     "changePasswordNow": "Bytt passord nå",
     "pincodeAuth": "Autentiseringskode",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Send inn kode",
     "passwordResetSubmit": "Be om tilbakestilling",
     "passwordResetAlreadyHaveCode": "Skriv inn koden",
     "passwordResetSmtpRequired": "Kontakt din administrator",
     "passwordResetSmtpRequiredDescription": "En passord tilbakestillingskode kreves for å tilbakestille passordet. Kontakt systemansvarlig for assistanse.",
     "passwordBack": "Tilbake til passord",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Gå tilbake til innlogging",
     "signup": "Registrer deg",
     "loginStart": "Logg inn for å komme i gang",
     "idpOidcTokenValidating": "Validerer OIDC-token",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Oppdater IDP-organisasjon",
     "actionCreateClient": "Opprett Klient",
     "actionDeleteClient": "Slett klient",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Oppdater klient",
     "actionListClients": "List klienter",
     "actionGetClient": "Hent klient",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Søker...",
     "create": "Opprett",
     "orgs": "Organisasjoner",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "En feil oppstod under innlogging",
+    "loginRequiredForDevice": "Innlogging kreves for å godkjenne enheten.",
     "passwordForgot": "Glemt passordet ditt?",
     "otpAuth": "Tofaktorautentisering",
     "otpAuthDescription": "Skriv inn koden fra autentiseringsappen din eller en av dine engangs reservekoder.",
     "otpAuthSubmit": "Send inn kode",
     "idpContinue": "Eller fortsett med",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Tilbake til innlogging",
     "navbar": "Navigasjonsmeny",
     "navbarDescription": "Hovednavigasjonsmeny for applikasjonen",
     "navbarDocsLink": "Dokumentasjon",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Oversikt",
     "sidebarHome": "Hjem",
     "sidebarSites": "Områder",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Ressurser",
     "sidebarProxyResources": "Offentlig",
     "sidebarClientResources": "Privat",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Identitetsleverandører",
     "sidebarLicense": "Lisens",
     "sidebarClients": "Klienter",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Brukere",
     "sidebarMachineClients": "Maskiner",
     "sidebarDomains": "Domener",
     "sidebarGeneral": "Administrer",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "En feil oppstod under opprettelsen av serveradministratorkontoen.",
     "certificateStatus": "Sertifikatstatus",
     "loading": "Laster inn",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Start på nytt",
     "domains": "Domener",
     "domainsDescription": "Opprett og behandle domener som er tilgjengelige i organisasjonen",
@@ -1339,7 +1304,6 @@
     "refreshError": "Klarte ikke å oppdatere data",
     "verified": "Verifisert",
     "pending": "Venter",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Fakturering",
     "billing": "Fakturering",
     "orgBillingDescription": "Administrer faktureringsinformasjon og abonnementer",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Sikkerhetsnøkkel fjernet",
     "securityKeyRemoveError": "Klarte ikke å fjerne sikkerhetsnøkkel",
     "securityKeyLoadError": "Klarte ikke å laste inn sikkerhetsnøkler",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Fortsett med sikkerhetsnøkkel",
     "securityKeyAuthError": "Klarte ikke å autentisere med sikkerhetsnøkkel",
     "securityKeyRecommendation": "Registrer en reservesikkerhetsnøkkel på en annen enhet for å sikre at du alltid har tilgang til kontoen din.",
     "registering": "Registrerer...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Sunt intervall",
     "timeoutSeconds": "Tidsavbrudd (sek)",
     "timeIsInSeconds": "Tid er i sekunder",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Forsøk på nytt",
     "expectedResponseCodes": "Forventede svarkoder",
     "expectedResponseCodesDescription": "HTTP-statuskode som indikerer sunn status. Hvis den blir stående tom, regnes 200-300 som sunn.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Velg din identitet leverandør for å fortsette",
     "orgAuthNoIdpConfigured": "Denne organisasjonen har ikke noen identitetstjeneste konfigurert. Du kan i stedet logge inn med Pangolin identiteten din.",
     "orgAuthSignInWithPangolin": "Logg inn med Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Logg inn på en organisasjon",
     "orgAuthSelectOrgTitle": "Organisasjonsinnlogging",
     "orgAuthSelectOrgDescription": "Skriv inn organisasjons-ID-en din for å fortsette",
     "orgAuthOrgIdPlaceholder": "din-organisasjon",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Kode må inneholde 9 tegn (f.eks A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Ugyldig eller utløpt kode",
     "deviceCodeVerifyFailed": "Klarte ikke å bekrefte enhetskoden",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Logget inn som",
     "deviceCodeEnterPrompt": "Skriv inn koden som vises på enheten",
     "continue": "Fortsett",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Tilgang til alle organisasjoner din konto har tilgang til",
     "deviceAuthorize": "Autoriser {applicationName}",
     "deviceConnected": "Enhet tilkoblet!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Enhet er autorisert for tilgang til kontoen din.",
     "pangolinCloud": "Pangolin Sky",
     "viewDevices": "Vis enheter",
     "viewDevicesDescription": "Administrer tilkoblede enheter",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Ikke du? Bruk en annen konto.",
     "deviceLoginDeviceRequestingAccessToAccount": "En enhet ber om tilgang til denne kontoen.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Ingen data",
     "machineClients": "Maskinklienter",
     "install": "Installer",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Tjenesten er midlertidig utilgjengelig",
     "maintenanceScreenMessage": "Vi opplever for øyeblikket tekniske problemer. Vennligst sjekk igjen snart.",
     "maintenanceScreenEstimatedCompletion": "Estimert ferdigstillelse:",
-    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig"
 }

messages/nl-NL.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Verbind elk netwerk",
     "sitesBannerDescription": "Een site is een verbinding met een extern netwerk waarmee Pangolin toegang biedt tot bronnen, zowel openbaar als privé, aan gebruikers overal. Installeer de sitedatacenterconnector (Newt) overal waar je een binaire of container kunt uitvoeren om de verbinding tot stand te brengen.",
     "sitesBannerButtonText": "Site installeren",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Site maken",
     "siteCreateDescription2": "Volg de onderstaande stappen om een nieuwe site aan te maken en te verbinden",
     "siteCreateDescription": "Maak een nieuwe site aan om bronnen te verbinden",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Rollen zoeken...",
     "accessRolesAdd": "Rol toevoegen",
     "accessRoleDelete": "Verwijder rol",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Beschrijving",
     "inviteTitle": "Open uitnodigingen",
     "inviteDescription": "Beheer uitnodigingen voor andere gebruikers om deel te nemen aan de organisatie",
@@ -455,18 +450,6 @@
     "selectDuration": "Selecteer duur",
     "selectResource": "Selecteer Document",
     "filterByResource": "Filter op pagina",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Filters resetten",
     "totalBlocked": "Verzoeken geblokkeerd door Pangolin",
     "totalRequests": "Totaal verzoeken",
@@ -746,28 +729,16 @@
     "countries": "Landen",
     "accessRoleCreate": "Rol aanmaken",
     "accessRoleCreateDescription": "Maak een nieuwe rol aan om gebruikers te groeperen en hun rechten te beheren.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Rol aanmaken",
     "accessRoleCreated": "Rol aangemaakt",
     "accessRoleCreatedDescription": "De rol is succesvol aangemaakt.",
     "accessRoleErrorCreate": "Rol aanmaken mislukt",
     "accessRoleErrorCreateDescription": "Fout opgetreden tijdens het aanmaken van de rol.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Nieuwe rol is vereist",
     "accessRoleErrorRemove": "Rol verwijderen mislukt",
     "accessRoleErrorRemoveDescription": "Er is een fout opgetreden tijdens het verwijderen van de rol.",
     "accessRoleName": "Rol naam",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "U staat op het punt de {name} rol te verwijderen. U kunt deze actie niet ongedaan maken.",
     "accessRoleRemove": "Rol verwijderen",
     "accessRoleRemoveDescription": "Verwijder een rol van de organisatie",
     "accessRoleRemoveSubmit": "Rol verwijderen",
@@ -903,7 +874,7 @@
     "inviteAlready": "Het lijkt erop dat je bent uitgenodigd!",
     "inviteAlreadyDescription": "Om de uitnodiging te accepteren, moet je inloggen of een account aanmaken.",
     "signupQuestion": "Heeft u al een account?",
-    "login": "Log In",
+    "login": "Inloggen",
     "resourceNotFound": "Bron niet gevonden",
     "resourceNotFoundDescription": "De bron die u probeert te benaderen bestaat niet.",
     "pincodeRequirementsLength": "Pincode moet precies 6 cijfers zijn",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Deze organisatie vereist dat u om de {maxDays} dagen uw wachtwoord wijzigt.",
     "changePasswordNow": "Wijzig wachtwoord nu",
     "pincodeAuth": "Authenticatiecode",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Code indienen",
     "passwordResetSubmit": "Opnieuw instellen aanvragen",
     "passwordResetAlreadyHaveCode": "Code invoeren",
     "passwordResetSmtpRequired": "Neem contact op met uw beheerder",
     "passwordResetSmtpRequiredDescription": "Er is een wachtwoord reset code nodig om uw wachtwoord opnieuw in te stellen. Neem contact op met uw beheerder voor hulp.",
     "passwordBack": "Terug naar wachtwoord",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Ga terug naar login",
     "signup": "Registreer nu",
     "loginStart": "Log in om te beginnen",
     "idpOidcTokenValidating": "Valideer OIDC-token",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "IDP-org bijwerken",
     "actionCreateClient": "Client aanmaken",
     "actionDeleteClient": "Verwijder klant",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Klant bijwerken",
     "actionListClients": "Lijst klanten",
     "actionGetClient": "Client ophalen",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Zoeken...",
     "create": "Aanmaken",
     "orgs": "Organisaties",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Er is een fout opgetreden tijdens het inloggen",
+    "loginRequiredForDevice": "Inloggen is vereist om je apparaat te verifiëren.",
     "passwordForgot": "Wachtwoord vergeten?",
     "otpAuth": "Tweestapsverificatie verificatie",
     "otpAuthDescription": "Voer de code van je authenticator-app of een van je reservekopiecodes voor het eenmalig gebruik in.",
     "otpAuthSubmit": "Code indienen",
     "idpContinue": "Of ga verder met",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Terug naar inloggen",
     "navbar": "Navigatiemenu",
     "navbarDescription": "Hoofd navigatie menu voor de applicatie",
     "navbarDocsLink": "Documentatie",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Overzicht.",
     "sidebarHome": "Startpagina",
     "sidebarSites": "Werkruimtes",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Bronnen",
     "sidebarProxyResources": "Openbaar",
     "sidebarClientResources": "Privé",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Identiteit aanbieders",
     "sidebarLicense": "Licentie",
     "sidebarClients": "Clienten",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Gebruikers",
     "sidebarMachineClients": "Machines",
     "sidebarDomains": "Domeinen",
     "sidebarGeneral": "Beheren",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Er is een fout opgetreden bij het maken van het serverbeheerdersaccount.",
     "certificateStatus": "Certificaatstatus",
     "loading": "Bezig met laden",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Herstarten",
     "domains": "Domeinen",
     "domainsDescription": "Maak en beheer domeinen die beschikbaar zijn in de organisatie",
@@ -1339,7 +1304,6 @@
     "refreshError": "Het vernieuwen van gegevens is mislukt",
     "verified": "Gecontroleerd",
     "pending": "In afwachting",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Facturering",
     "billing": "Facturering",
     "orgBillingDescription": "Beheer factureringsinformatie en abonnementen",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Beveiligingssleutel succesvol verwijderd",
     "securityKeyRemoveError": "Fout bij verwijderen van beveiligingssleutel",
     "securityKeyLoadError": "Fout bij laden van beveiligingssleutels",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Doorgaan met beveiligingssleutel",
     "securityKeyAuthError": "Fout bij authenticatie met beveiligingssleutel",
     "securityKeyRecommendation": "Overweeg om een andere beveiligingssleutel te registreren op een ander apparaat om ervoor te zorgen dat u niet buitengesloten raakt van uw account.",
     "registering": "Registreren...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Gezonde Interval",
     "timeoutSeconds": "Timeout (sec)",
     "timeIsInSeconds": "Tijd is in seconden",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Herhaal Pogingen",
     "expectedResponseCodes": "Verwachte Reactiecodes",
     "expectedResponseCodesDescription": "HTTP-statuscode die gezonde status aangeeft. Indien leeg wordt 200-300 als gezond beschouwd.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
     "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
     "orgAuthSignInWithPangolin": "Log in met Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Meld u aan bij een organisatie",
     "orgAuthSelectOrgTitle": "Organisatie Inloggen",
     "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
     "orgAuthOrgIdPlaceholder": "jouw-organisatie",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Code moet 9 tekens bevatten (bijv. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Ongeldige of verlopen code",
     "deviceCodeVerifyFailed": "Apparaatcode verifiëren mislukt",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Ingelogd als",
     "deviceCodeEnterPrompt": "Voer de op het apparaat weergegeven code in",
     "continue": "Doorgaan",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Toegang tot alle organisaties waar uw account toegang tot heeft",
     "deviceAuthorize": "Autoriseer {applicationName}",
     "deviceConnected": "Apparaat verbonden!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Apparaat is gemachtigd om toegang te krijgen tot je account.",
     "pangolinCloud": "Pangoline Cloud",
     "viewDevices": "Bekijk apparaten",
     "viewDevicesDescription": "Beheer uw aangesloten apparaten",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Niet u? Gebruik een ander account.",
     "deviceLoginDeviceRequestingAccessToAccount": "Een apparaat vraagt om toegang tot dit account.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Geen gegevens",
     "machineClients": "Machine Clienten",
     "install": "Installeren",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Dienst tijdelijk niet beschikbaar",
     "maintenanceScreenMessage": "We hebben momenteel technische problemen. Probeer het later opnieuw.",
     "maintenanceScreenEstimatedCompletion": "Geschatte voltooiing:",
-    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist"
 }

messages/pl-PL.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Połącz dowolną sieć",
     "sitesBannerDescription": "Witryna to połączenie z siecią zdalną, które umożliwia Pangolinowi zapewnienie dostępu do zasobów, publicznych lub prywatnych, użytkownikom w dowolnym miejscu. Zainstaluj łącznik sieci w witrynie (Newt) w dowolnym miejscu, w którym możesz uruchomić binarkę lub kontener, aby ustanowić połączenie.",
     "sitesBannerButtonText": "Zainstaluj witrynę",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Utwórz witrynę",
     "siteCreateDescription2": "Wykonaj poniższe kroki, aby utworzyć i połączyć nową witrynę",
     "siteCreateDescription": "Utwórz nową witrynę, aby rozpocząć łączenie zasobów",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Szukaj ról...",
     "accessRolesAdd": "Dodaj rolę",
     "accessRoleDelete": "Usuń rolę",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Opis",
     "inviteTitle": "Otwórz zaproszenia",
     "inviteDescription": "Zarządzaj zaproszeniami dla innych użytkowników do dołączenia do organizacji",
@@ -455,18 +450,6 @@
     "selectDuration": "Wybierz okres",
     "selectResource": "Wybierz zasób",
     "filterByResource": "Filtruj według zasobów",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Resetuj filtry",
     "totalBlocked": "Żądania zablokowane przez Pangolina",
     "totalRequests": "Wszystkich Żądań",
@@ -746,28 +729,16 @@
     "countries": "Kraje",
     "accessRoleCreate": "Utwórz rolę",
     "accessRoleCreateDescription": "Utwórz nową rolę aby zgrupować użytkowników i zarządzać ich uprawnieniami.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Utwórz rolę",
     "accessRoleCreated": "Rola utworzona",
     "accessRoleCreatedDescription": "Rola została pomyślnie utworzona.",
     "accessRoleErrorCreate": "Nie udało się utworzyć roli",
     "accessRoleErrorCreateDescription": "Wystąpił błąd podczas tworzenia roli.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Nowa rola jest wymagana",
     "accessRoleErrorRemove": "Nie udało się usunąć roli",
     "accessRoleErrorRemoveDescription": "Wystąpił błąd podczas usuwania roli.",
     "accessRoleName": "Nazwa roli",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Zamierzasz usunąć rolę {name}. Tej akcji nie można cofnąć.",
     "accessRoleRemove": "Usuń rolę",
     "accessRoleRemoveDescription": "Usuń rolę z organizacji",
     "accessRoleRemoveSubmit": "Usuń rolę",
@@ -903,7 +874,7 @@
     "inviteAlready": "Wygląda na to, że zostałeś już zaproszony!",
     "inviteAlreadyDescription": "Aby zaakceptować zaproszenie, musisz się zalogować lub utworzyć konto.",
     "signupQuestion": "Masz już konto?",
-    "login": "Log In",
+    "login": "Zaloguj się",
     "resourceNotFound": "Nie znaleziono zasobu",
     "resourceNotFoundDescription": "Zasób, do którego próbujesz uzyskać dostęp, nie istnieje.",
     "pincodeRequirementsLength": "PIN musi składać się dokładnie z 6 cyfr",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Organizacja wymaga zmiany hasła co {maxDays} dni.",
     "changePasswordNow": "Zmień hasło teraz",
     "pincodeAuth": "Kod uwierzytelniający",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Wyślij kod",
     "passwordResetSubmit": "Zażądaj resetowania",
     "passwordResetAlreadyHaveCode": "Wprowadź kod",
     "passwordResetSmtpRequired": "Skontaktuj się z administratorem",
     "passwordResetSmtpRequiredDescription": "Aby zresetować hasło, wymagany jest kod resetowania hasła. Skontaktuj się z administratorem.",
     "passwordBack": "Powrót do hasła",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Wróć do logowania",
     "signup": "Zarejestruj się",
     "loginStart": "Zaloguj się, aby rozpocząć",
     "idpOidcTokenValidating": "Walidacja tokena OIDC",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Aktualizuj organizację IDP",
     "actionCreateClient": "Utwórz klienta",
     "actionDeleteClient": "Usuń klienta",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Aktualizuj klienta",
     "actionListClients": "Lista klientów",
     "actionGetClient": "Pobierz klienta",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Szukaj...",
     "create": "Utwórz",
     "orgs": "Organizacje",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Wystąpił błąd podczas logowania",
+    "loginRequiredForDevice": "Logowanie jest wymagane do uwierzytelnienia urządzenia.",
     "passwordForgot": "Zapomniałeś hasła?",
     "otpAuth": "Uwierzytelnianie dwuskładnikowe",
     "otpAuthDescription": "Wprowadź kod z aplikacji uwierzytelniającej lub jeden z jednorazowych kodów zapasowych.",
     "otpAuthSubmit": "Wyślij kod",
     "idpContinue": "Lub kontynuuj z",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Powrót do logowania",
     "navbar": "Menu nawigacyjne",
     "navbarDescription": "Główne menu nawigacyjne aplikacji",
     "navbarDocsLink": "Dokumentacja",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Przegląd",
     "sidebarHome": "Strona główna",
     "sidebarSites": "Witryny",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Zasoby",
     "sidebarProxyResources": "Publiczne",
     "sidebarClientResources": "Prywatny",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Dostawcy tożsamości",
     "sidebarLicense": "Licencja",
     "sidebarClients": "Klienty",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Użytkownicy",
     "sidebarMachineClients": "Maszyny",
     "sidebarDomains": "Domeny",
     "sidebarGeneral": "Zarządzaj",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Wystąpił błąd podczas tworzenia konta administratora serwera.",
     "certificateStatus": "Status certyfikatu",
     "loading": "Ładowanie",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Uruchom ponownie",
     "domains": "Domeny",
     "domainsDescription": "Tworzenie domen dostępnych w organizacji i zarządzanie nimi",
@@ -1339,7 +1304,6 @@
     "refreshError": "Nie udało się odświeżyć danych",
     "verified": "Zatwierdzony",
     "pending": "Oczekuje",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Fakturowanie",
     "billing": "Fakturowanie",
     "orgBillingDescription": "Zarządzaj informacjami rozliczeniowymi i subskrypcjami",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Klucz bezpieczeństwa został pomyślnie usunięty",
     "securityKeyRemoveError": "Błąd podczas usuwania klucza bezpieczeństwa",
     "securityKeyLoadError": "Błąd podczas ładowania kluczy bezpieczeństwa",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Zaloguj się kluczem bezpieczeństwa",
     "securityKeyAuthError": "Błąd podczas uwierzytelniania kluczem bezpieczeństwa",
     "securityKeyRecommendation": "Rozważ zarejestrowanie innego klucza bezpieczeństwa na innym urządzeniu, aby upewnić się, że nie zostaniesz zablokowany z dostępu do swojego konta.",
     "registering": "Rejestracja...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Interwał Zdrowy",
     "timeoutSeconds": "Limit czasu (sek)",
     "timeIsInSeconds": "Czas w sekundach",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Próby Ponowienia",
     "expectedResponseCodes": "Oczekiwane Kody Odpowiedzi",
     "expectedResponseCodesDescription": "Kod statusu HTTP, który wskazuje zdrowy status. Jeśli pozostanie pusty, uznaje się 200-300 za zdrowy.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Wybierz swojego dostawcę tożsamości, aby kontynuować",
     "orgAuthNoIdpConfigured": "Ta organizacja nie ma skonfigurowanych żadnych dostawców tożsamości. Zamiast tego możesz zalogować się za pomocą swojej tożsamości Pangolin.",
     "orgAuthSignInWithPangolin": "Zaloguj się używając Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Zaloguj się do organizacji",
     "orgAuthSelectOrgTitle": "Logowanie do organizacji",
     "orgAuthSelectOrgDescription": "Wprowadź identyfikator organizacji, aby kontynuować",
     "orgAuthOrgIdPlaceholder": "twoja-organizacja",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Kod musi mieć 9 znaków (np. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Nieprawidłowy lub wygasły kod",
     "deviceCodeVerifyFailed": "Nie udało się zweryfikować kodu urządzenia",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Zalogowany jako",
     "deviceCodeEnterPrompt": "Wprowadź kod wyświetlany na urządzeniu",
     "continue": "Kontynuuj",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Dostęp do wszystkich organizacji, do których Twoje konto ma dostęp",
     "deviceAuthorize": "Autoryzuj {applicationName}",
     "deviceConnected": "Urządzenie podłączone!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Urządzenie jest upoważnione do dostępu do Twojego konta.",
     "pangolinCloud": "Chmura Pangolin",
     "viewDevices": "Zobacz urządzenia",
     "viewDevicesDescription": "Zarządzaj podłączonymi urządzeniami",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Nie ty? Użyj innego konta.",
     "deviceLoginDeviceRequestingAccessToAccount": "Urządzenie żąda dostępu do tego konta.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Brak danych",
     "machineClients": "Klienci maszyn",
     "install": "Zainstaluj",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Usługa chwilowo niedostępna",
     "maintenanceScreenMessage": "Obecnie doświadczamy problemów technicznych. Proszę sprawdzić ponownie wkrótce.",
     "maintenanceScreenEstimatedCompletion": "Szacowane zakończenie:",
-    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane"
 }

messages/pt-PT.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Conectar a Qualquer Rede",
     "sitesBannerDescription": "Um site é uma conexão a uma rede remota que permite ao Pangolin fornecer acesso a recursos, sejam eles públicos ou privados, a usuários em qualquer lugar. Instale o conector de rede do site (Newt) em qualquer lugar onde você possa executar um binário ou contêiner para estabelecer a conexão.",
     "sitesBannerButtonText": "Instalar Site",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Criar site",
     "siteCreateDescription2": "Siga os passos abaixo para criar e conectar um novo site",
     "siteCreateDescription": "Crie um novo site para começar a conectar os recursos",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Pesquisar funções...",
     "accessRolesAdd": "Adicionar função",
     "accessRoleDelete": "Excluir Papel",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Descrição:",
     "inviteTitle": "Convites Abertos",
     "inviteDescription": "Gerenciar convites para outros usuários participarem da organização",
@@ -455,18 +450,6 @@
     "selectDuration": "Selecionar duração",
     "selectResource": "Selecionar Recurso",
     "filterByResource": "Filtrar por Recurso",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Redefinir filtros",
     "totalBlocked": "Solicitações bloqueadas pelo Pangolin",
     "totalRequests": "Total de pedidos",
@@ -746,28 +729,16 @@
     "countries": "Países",
     "accessRoleCreate": "Criar Função",
     "accessRoleCreateDescription": "Crie uma nova função para agrupar utilizadores e gerir suas permissões.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Criar Função",
     "accessRoleCreated": "Função criada",
     "accessRoleCreatedDescription": "A função foi criada com sucesso.",
     "accessRoleErrorCreate": "Falha ao criar função",
     "accessRoleErrorCreateDescription": "Ocorreu um erro ao criar a função.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Nova função é necessária",
     "accessRoleErrorRemove": "Falha ao remover função",
     "accessRoleErrorRemoveDescription": "Ocorreu um erro ao remover a função.",
     "accessRoleName": "Nome da Função",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Você está prestes a apagar a função {name}. Você não pode desfazer esta ação.",
     "accessRoleRemove": "Remover Função",
     "accessRoleRemoveDescription": "Remover uma função da organização",
     "accessRoleRemoveSubmit": "Remover Função",
@@ -903,7 +874,7 @@
     "inviteAlready": "Parece que já foi convidado!",
     "inviteAlreadyDescription": "Para aceitar o convite, deve iniciar sessão ou criar uma conta.",
     "signupQuestion": "Já tem uma conta?",
-    "login": "Log In",
+    "login": "Iniciar sessão",
     "resourceNotFound": "Recurso Não Encontrado",
     "resourceNotFoundDescription": "O recurso que está a tentar aceder não existe.",
     "pincodeRequirementsLength": "O PIN deve ter exatamente 6 dígitos",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Esta organização exige que você altere sua senha a cada {maxDays} dias.",
     "changePasswordNow": "Alterar a senha agora",
     "pincodeAuth": "Código do Autenticador",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Submeter Código",
     "passwordResetSubmit": "Solicitar Redefinição",
     "passwordResetAlreadyHaveCode": "Inserir Código",
     "passwordResetSmtpRequired": "Por favor, contate o administrador",
     "passwordResetSmtpRequiredDescription": "É necessário um código de redefinição de senha para redefinir sua senha. Por favor, contate o administrador para assistência.",
     "passwordBack": "Voltar à Palavra-passe",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Voltar ao início de sessão",
     "signup": "Registar",
     "loginStart": "Inicie sessão para começar",
     "idpOidcTokenValidating": "A validar token OIDC",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Atualizar Organização IDP",
     "actionCreateClient": "Criar Cliente",
     "actionDeleteClient": "Excluir Cliente",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Atualizar Cliente",
     "actionListClients": "Listar Clientes",
     "actionGetClient": "Obter Cliente",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Pesquisar...",
     "create": "Criar",
     "orgs": "Organizações",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Ocorreu um erro ao iniciar sessão",
+    "loginRequiredForDevice": "É necessário entrar para autenticar seu dispositivo.",
     "passwordForgot": "Esqueceu a sua palavra-passe?",
     "otpAuth": "Autenticação de Dois Fatores",
     "otpAuthDescription": "Insira o código da sua aplicação de autenticação ou um dos seus códigos de backup de uso único.",
     "otpAuthSubmit": "Submeter Código",
     "idpContinue": "Ou continuar com",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Voltar ao Início de Sessão",
     "navbar": "Menu de Navegação",
     "navbarDescription": "Menu de navegação principal da aplicação",
     "navbarDocsLink": "Documentação",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Geral",
     "sidebarHome": "Residencial",
     "sidebarSites": "sites",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Recursos",
     "sidebarProxyResources": "Público",
     "sidebarClientResources": "Privado",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Provedores de identidade",
     "sidebarLicense": "Tipo:",
     "sidebarClients": "Clientes",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Utilizadores",
     "sidebarMachineClients": "Máquinas",
     "sidebarDomains": "Domínios",
     "sidebarGeneral": "Gerir",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Ocorreu um erro ao criar a conta de administrador do servidor.",
     "certificateStatus": "Status do Certificado",
     "loading": "Carregando",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Reiniciar",
     "domains": "Domínios",
     "domainsDescription": "Criar e gerenciar domínios disponíveis na organização",
@@ -1339,7 +1304,6 @@
     "refreshError": "Falha ao atualizar dados",
     "verified": "Verificado",
     "pending": "Pendente",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Faturamento",
     "billing": "Faturamento",
     "orgBillingDescription": "Gerenciar informações e assinaturas de cobrança",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Chave de segurança removida com sucesso",
     "securityKeyRemoveError": "Erro ao remover chave de segurança",
     "securityKeyLoadError": "Erro ao carregar chaves de segurança",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Continuar com a chave de segurança",
     "securityKeyAuthError": "Erro ao autenticar com chave de segurança",
     "securityKeyRecommendation": "Considere registrar outra chave de segurança em um dispositivo diferente para garantir que você não fique bloqueado da sua conta.",
     "registering": "Registrando...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Intervalo Saudável",
     "timeoutSeconds": "Tempo limite (seg)",
     "timeIsInSeconds": "O tempo está em segundos",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Tentativas de Repetição",
     "expectedResponseCodes": "Códigos de Resposta Esperados",
     "expectedResponseCodesDescription": "Código de status HTTP que indica estado saudável. Se deixado em branco, 200-300 é considerado saudável.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
     "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
     "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Entrar em uma organização",
     "orgAuthSelectOrgTitle": "Entrada da Organização",
     "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
     "orgAuthOrgIdPlaceholder": "sua-organização",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "O código deve ter 9 caracteres (ex.: A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Código inválido ou expirado",
     "deviceCodeVerifyFailed": "Falha ao verificar o código do dispositivo",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Sessão iniciada como",
     "deviceCodeEnterPrompt": "Digite o código exibido no dispositivo",
     "continue": "Continuar",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Acesso a todas as organizações que sua conta tem acesso a",
     "deviceAuthorize": "Autorizar {applicationName}",
     "deviceConnected": "Dispositivo Conectado!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "O dispositivo está autorizado a acessar sua conta.",
     "pangolinCloud": "Nuvem do Pangolin",
     "viewDevices": "Ver Dispositivos",
     "viewDevicesDescription": "Gerencie seus dispositivos conectados",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Não é você? Use uma conta diferente.",
     "deviceLoginDeviceRequestingAccessToAccount": "Um dispositivo está solicitando acesso a essa conta.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Nenhum dado encontrado",
     "machineClients": "Clientes de máquina",
     "install": "Instale",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Serviço Temporariamente Indisponível",
     "maintenanceScreenMessage": "Estamos enfrentando dificuldades técnicas no momento. Por favor, volte em breve.",
     "maintenanceScreenEstimatedCompletion": "Conclusão Estimada:",
-    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório"
 }

messages/ru-RU.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Подключить любую сеть",
     "sitesBannerDescription": "Сайт — это соединение с удаленной сетью, которое позволяет Pangolin предоставлять доступ к ресурсам, будь они общедоступными или частными, пользователям в любом месте. Установите сетевой коннектор сайта (Newt) там, где можно запустить исполняемый файл или контейнер, чтобы установить соединение.",
     "sitesBannerButtonText": "Установить сайт",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Создать сайт",
     "siteCreateDescription2": "Следуйте инструкциям ниже для создания и подключения нового сайта",
     "siteCreateDescription": "Создайте новый сайт для начала подключения ресурсов",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Поиск ролей...",
     "accessRolesAdd": "Добавить роль",
     "accessRoleDelete": "Удалить роль",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Описание",
     "inviteTitle": "Открытые приглашения",
     "inviteDescription": "Управление приглашениями для присоединения других пользователей к организации",
@@ -455,18 +450,6 @@
     "selectDuration": "Укажите срок действия",
     "selectResource": "Выберите ресурс",
     "filterByResource": "Фильтровать по ресурсам",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Сбросить фильтры",
     "totalBlocked": "Запросы заблокированы Панголином",
     "totalRequests": "Всего запросов",
@@ -746,28 +729,16 @@
     "countries": "Страны",
     "accessRoleCreate": "Создание роли",
     "accessRoleCreateDescription": "Создайте новую роль для группы пользователей и выдавайте им разрешения.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Создать роль",
     "accessRoleCreated": "Роль создана",
     "accessRoleCreatedDescription": "Роль была успешно создана.",
     "accessRoleErrorCreate": "Не удалось создать роль",
     "accessRoleErrorCreateDescription": "Произошла ошибка при создании роли.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Новая роль обязательна",
     "accessRoleErrorRemove": "Не удалось удалить роль",
     "accessRoleErrorRemoveDescription": "Произошла ошибка при удалении роли.",
     "accessRoleName": "Название роли",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "Вы собираетесь удалить роль {name}. Это действие нельзя отменить.",
     "accessRoleRemove": "Удалить роль",
     "accessRoleRemoveDescription": "Удалить роль из организации",
     "accessRoleRemoveSubmit": "Удалить роль",
@@ -903,7 +874,7 @@
     "inviteAlready": "Похоже, вы были приглашены!",
     "inviteAlreadyDescription": "Чтобы принять приглашение, вы должны войти или создать учётную запись.",
     "signupQuestion": "Уже есть учётная запись?",
-    "login": "Log In",
+    "login": "Войти",
     "resourceNotFound": "Ресурс не найден",
     "resourceNotFoundDescription": "Ресурс, к которому вы пытаетесь получить доступ, не существует.",
     "pincodeRequirementsLength": "PIN должен состоять ровно из 6 цифр",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Эта организация требует смены пароля каждые {maxDays} дней.",
     "changePasswordNow": "Изменить пароль сейчас",
     "pincodeAuth": "Код аутентификатора",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Отправить код",
     "passwordResetSubmit": "Запросить сброс",
     "passwordResetAlreadyHaveCode": "Введите код",
     "passwordResetSmtpRequired": "Пожалуйста, обратитесь к администратору",
     "passwordResetSmtpRequiredDescription": "Для сброса пароля необходим код сброса пароля. Обратитесь к администратору за помощью.",
     "passwordBack": "Назад к паролю",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Вернуться к входу",
     "signup": "Регистрация",
     "loginStart": "Войдите для начала работы",
     "idpOidcTokenValidating": "Проверка OIDC токена",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Обновить организацию IDP",
     "actionCreateClient": "Создать Клиента",
     "actionDeleteClient": "Удалить Клиента",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Обновить Клиента",
     "actionListClients": "Список Клиентов",
     "actionGetClient": "Получить Клиента",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Поиск...",
     "create": "Создать",
     "orgs": "Организации",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Произошла ошибка при входе",
+    "loginRequiredForDevice": "Для аутентификации устройства необходимо войти в систему.",
     "passwordForgot": "Забыли пароль?",
     "otpAuth": "Двухфакторная аутентификация",
     "otpAuthDescription": "Введите код из вашего приложения-аутентификатора или один из ваших одноразовых резервных кодов.",
     "otpAuthSubmit": "Отправить код",
     "idpContinue": "Или продолжить с",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Вернуться к входу",
     "navbar": "Навигационное меню",
     "navbarDescription": "Главное навигационное меню приложения",
     "navbarDocsLink": "Документация",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Обзор",
     "sidebarHome": "Главная",
     "sidebarSites": "Сайты",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Ресурсы",
     "sidebarProxyResources": "Публичный",
     "sidebarClientResources": "Приватный",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Поставщики удостоверений",
     "sidebarLicense": "Лицензия",
     "sidebarClients": "Клиенты",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Пользователи",
     "sidebarMachineClients": "Машины",
     "sidebarDomains": "Домены",
     "sidebarGeneral": "Управление",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Произошла ошибка при создании учётной записи администратора сервера.",
     "certificateStatus": "Статус сертификата",
     "loading": "Загрузка",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Перезагрузка",
     "domains": "Домены",
     "domainsDescription": "Создание и управление доменами, доступными в организации",
@@ -1339,7 +1304,6 @@
     "refreshError": "Не удалось обновить данные",
     "verified": "Подтверждено",
     "pending": "В ожидании",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Выставление счетов",
     "billing": "Выставление счетов",
     "orgBillingDescription": "Управление платежной информацией и подписками",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Ключ безопасности успешно удален",
     "securityKeyRemoveError": "Не удалось удалить ключ безопасности",
     "securityKeyLoadError": "Не удалось загрузить ключи безопасности",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Продолжить с ключом безопасности",
     "securityKeyAuthError": "Не удалось аутентифицироваться с ключом безопасности",
     "securityKeyRecommendation": "Зарегистрируйте резервный ключ безопасности на другом устройстве, чтобы всегда иметь доступ к вашему аккаунту.",
     "registering": "Регистрация...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Интервал здоровых состояний",
     "timeoutSeconds": "Таймаут (сек)",
     "timeIsInSeconds": "Время указано в секундах",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Количество попыток повторного запроса",
     "expectedResponseCodes": "Ожидаемые коды ответов",
     "expectedResponseCodesDescription": "HTTP-код состояния, указывающий на здоровое состояние. Если оставить пустым, 200-300 считается здоровым.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
     "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
     "orgAuthSignInWithPangolin": "Войти через Pangolin",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Войдите в организацию",
     "orgAuthSelectOrgTitle": "Вход в организацию",
     "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
     "orgAuthOrgIdPlaceholder": "ваша-организация",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Код должен быть 9 символов (например, A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Неверный или просроченный код",
     "deviceCodeVerifyFailed": "Не удалось проверить код устройства",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Вы вошли как",
     "deviceCodeEnterPrompt": "Введите код, отображаемый на устройстве",
     "continue": "Продолжить",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Доступ ко всем организациям, к которым ваш аккаунт имеет доступ",
     "deviceAuthorize": "Авторизовать {applicationName}",
     "deviceConnected": "Устройство подключено!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Устройство авторизовано для доступа к вашей учетной записи.",
     "pangolinCloud": "Облако Панголина",
     "viewDevices": "Просмотр устройств",
     "viewDevicesDescription": "Управление подключенными устройствами",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "Не вы? Используйте другую учетную запись.",
     "deviceLoginDeviceRequestingAccessToAccount": "Устройство запрашивает доступ к этой учетной записи.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Нет данных",
     "machineClients": "Машинные клиенты",
     "install": "Установить",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Сервис временно недоступен",
     "maintenanceScreenMessage": "В настоящее время мы испытываем технические трудности. Пожалуйста, зайдите позже.",
     "maintenanceScreenEstimatedCompletion": "Предполагаемое завершение:",
-    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес.",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес."
 }

messages/tr-TR.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "Herhangi Bir Ağa Bağlan",
     "sitesBannerDescription": "Bir site, Pangolin'in kullanıcılara, halka açık veya özel kaynaklara, her yerden erişim sağlamak için uzak bir ağa bağlantı sunmasıdır. Site ağı bağlantısını (Newt) çalıştırabileceğiniz her yere kurarak bağlantıyı kurunuz.",
     "sitesBannerButtonText": "Site Kur",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "Site Oluştur",
     "siteCreateDescription2": "Yeni bir site oluşturup bağlanmak için aşağıdaki adımları izleyin",
     "siteCreateDescription": "Kaynaklarınızı bağlamaya başlamak için yeni bir site oluşturun",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "Rolleri ara...",
     "accessRolesAdd": "Rol Ekle",
     "accessRoleDelete": "Rolü Sil",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "Açıklama",
     "inviteTitle": "Açık Davetiyeler",
     "inviteDescription": "Organizasyona katılmak için diğer kullanıcılar için davetleri yönetin",
@@ -455,18 +450,6 @@
     "selectDuration": "Süreyi seçin",
     "selectResource": "Kaynak Seçin",
     "filterByResource": "Kaynağa Göre Filtrele",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "Filtreleri Sıfırla",
     "totalBlocked": "Pangolin Tarafından Engellenen İstekler",
     "totalRequests": "Toplam İstekler",
@@ -746,28 +729,16 @@
     "countries": "Ülkeler",
     "accessRoleCreate": "Rol Oluştur",
     "accessRoleCreateDescription": "Kullanıcıları gruplamak ve izinlerini yönetmek için yeni bir rol oluşturun.",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "Rol Oluştur",
     "accessRoleCreated": "Rol oluşturuldu",
     "accessRoleCreatedDescription": "Rol başarıyla oluşturuldu.",
     "accessRoleErrorCreate": "Rol oluşturulamadı",
     "accessRoleErrorCreateDescription": "Rol oluşturulurken bir hata oluştu.",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "Yeni rol gerekli",
     "accessRoleErrorRemove": "Rol kaldırılamadı",
     "accessRoleErrorRemoveDescription": "Rol kaldırılırken bir hata oluştu.",
     "accessRoleName": "Rol Adı",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "{name} rolünü silmek üzeresiniz. Bu eylemi geri alamazsınız.",
     "accessRoleRemove": "Rolü Kaldır",
     "accessRoleRemoveDescription": "Kuruluştan bir rol kaldır",
     "accessRoleRemoveSubmit": "Rolü Kaldır",
@@ -903,7 +874,7 @@
     "inviteAlready": "Davetiye gönderilmiş gibi görünüyor!",
     "inviteAlreadyDescription": "Daveti kabul etmek için giriş yapmalı veya bir hesap oluşturmalısınız.",
     "signupQuestion": "Zaten bir hesabınız var mı?",
-    "login": "Log In",
+    "login": "Giriş yap",
     "resourceNotFound": "No resources found",
     "resourceNotFoundDescription": "Erişmeye çalıştığınız kaynak mevcut değil.",
     "pincodeRequirementsLength": "PIN kesinlikle 6 haneli olmalıdır",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "Bu kuruluş, parolanızı {maxDays} günde bir değiştirmenizi gerektirir.",
     "changePasswordNow": "Şifrenizi Şimdi Değiştirin",
     "pincodeAuth": "Kimlik Doğrulama Kodu",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "Kodu Gönder",
     "passwordResetSubmit": "Sıfırlama İsteği",
     "passwordResetAlreadyHaveCode": "Kodu Girin",
     "passwordResetSmtpRequired": "Yönetici ile iletişime geçin",
     "passwordResetSmtpRequiredDescription": "Parolanızı sıfırlamak için bir parola sıfırlama kodu gereklidir. Yardım için yönetici ile iletişime geçin.",
     "passwordBack": "Şifreye Geri Dön",
-    "loginBack": "Go back to main login page",
+    "loginBack": "Girişe geri dön",
     "signup": "Kaydol",
     "loginStart": "Başlamak için giriş yapın",
     "idpOidcTokenValidating": "OIDC token'ı doğrulanıyor",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "Kimlik Sağlayıcı Organizasyonu Güncelle",
     "actionCreateClient": "Müşteri Oluştur",
     "actionDeleteClient": "Müşteri Sil",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "Müşteri Güncelle",
     "actionListClients": "Müşterileri Listele",
     "actionGetClient": "Müşteriyi Al",
@@ -1167,14 +1134,14 @@
     "searchProgress": "Ara...",
     "create": "Oluştur",
     "orgs": "Organizasyonlar",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "Giriş yaparken bir hata oluştu",
+    "loginRequiredForDevice": "Cihazınızı kimlik doğrulamak için giriş yapılması gereklidir.",
     "passwordForgot": "Şifrenizi mi unuttunuz?",
     "otpAuth": "İki Faktörlü Kimlik Doğrulama",
     "otpAuthDescription": "Authenticator uygulamanızdan veya tek kullanımlık yedek kodlarınızdan birini girin.",
     "otpAuthSubmit": "Kodu Gönder",
     "idpContinue": "Veya devam et:",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "Girişe Dön",
     "navbar": "Navigasyon Menüsü",
     "navbarDescription": "Uygulamanın ana navigasyon menüsü",
     "navbarDocsLink": "Dokümantasyon",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "Genel Bakış",
     "sidebarHome": "Ana Sayfa",
     "sidebarSites": "Siteler",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "Kaynaklar",
     "sidebarProxyResources": "Herkese Açık",
     "sidebarClientResources": "Özel",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
     "sidebarLicense": "Lisans",
     "sidebarClients": "İstemciler",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "Kullanıcılar",
     "sidebarMachineClients": "Makineler",
     "sidebarDomains": "Alan Adları",
     "sidebarGeneral": "Yönet",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "Sunucu yönetici hesabı oluşturulurken bir hata oluştu.",
     "certificateStatus": "Sertifika Durumu",
     "loading": "Yükleniyor",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "Yeniden Başlat",
     "domains": "Alan Adları",
     "domainsDescription": "Organizasyonda kullanılabilir alan adlarını oluşturun ve yönetin",
@@ -1339,7 +1304,6 @@
     "refreshError": "Veriler yenilenemedi",
     "verified": "Doğrulandı",
     "pending": "Beklemede",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "Faturalama",
     "billing": "Faturalama",
     "orgBillingDescription": "Fatura bilgilerinizi ve aboneliklerinizi yönetin",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "Güvenlik anahtarı başarıyla kaldırıldı",
     "securityKeyRemoveError": "Güvenlik anahtarı kaldırılırken hata oluştu",
     "securityKeyLoadError": "Güvenlik anahtarları yüklenirken hata oluştu",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "Güvenlik anahtarı ile devam edin",
     "securityKeyAuthError": "Güvenlik anahtarı ile kimlik doğrulama başarısız oldu",
     "securityKeyRecommendation": "Hesabınızdan kilitlenmediğinizden emin olmak için farklı bir cihazda başka bir güvenlik anahtarı kaydetmeyi düşünün.",
     "registering": "Kaydediliyor...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "Sağlıklı Aralık",
     "timeoutSeconds": "Zaman Aşımı (saniye)",
     "timeIsInSeconds": "Zaman saniye cinsindendir",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "Tekrar Deneme Girişimleri",
     "expectedResponseCodes": "Beklenen Yanıt Kodları",
     "expectedResponseCodesDescription": "Sağlıklı durumu gösteren HTTP durum kodu. Boş bırakılırsa, 200-300 arası sağlıklı kabul edilir.",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "Devam etmek için kimlik sağlayıcınızı seçin",
     "orgAuthNoIdpConfigured": "Bu kuruluşta yapılandırılmış kimlik sağlayıcı yok. Bunun yerine Pangolin kimliğinizle giriş yapabilirsiniz.",
     "orgAuthSignInWithPangolin": "Pangolin ile Giriş Yap",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "Bir kuruluşa giriş yapın",
     "orgAuthSelectOrgTitle": "Kuruluş Giriş",
     "orgAuthSelectOrgDescription": "Devam etmek için kuruluş kimliğinizi girin",
     "orgAuthOrgIdPlaceholder": "kuruluşunuz",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "Kod 9 karakter olmalı (ör. A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "Geçersiz veya süresi dolmuş kod",
     "deviceCodeVerifyFailed": "Cihaz kodu doğrulanamadı",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "Olarak giriş yapıldı",
     "deviceCodeEnterPrompt": "Cihazda gösterilen kodu girin",
     "continue": "Devam Et",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "Hesabınızın erişim hakkına sahip olduğu tüm organizasyonlara erişim",
     "deviceAuthorize": "{uygulamaAdi} yetkilendir",
     "deviceConnected": "Cihaz Bağlandı!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "Cihazınız, hesabınıza erişim izni almıştır.",
     "pangolinCloud": "Pangolin Cloud",
     "viewDevices": "Cihazları Görüntüle",
     "viewDevicesDescription": "Bağlantılı cihazlarınızı yönetin",
@@ -2346,7 +2306,6 @@
     "identifier": "Tanımlayıcı",
     "deviceLoginUseDifferentAccount": "Siz değil misiniz? Farklı bir hesap kullanın.",
     "deviceLoginDeviceRequestingAccessToAccount": "Bir cihaz bu hesaba erişim talep ediyor.",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "Veri Yok",
     "machineClients": "Makine İstemcileri",
     "install": "Yükle",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "Servis Geçici Olarak Kullanılamıyor",
     "maintenanceScreenMessage": "Şu anda teknik zorluklar yaşıyoruz. Lütfen yakında tekrar kontrol edin.",
     "maintenanceScreenEstimatedCompletion": "Tahmini Tamamlama:",
-    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir"
 }

messages/zh-CN.json

@@ -56,9 +56,6 @@
     "sitesBannerTitle": "连接任何网络",
     "sitesBannerDescription": "站点是连接到远程网络的链接，允许Pangolin为用户提供资源访问，无论是公共还是私人。可以在任何可以运行二进制文件或容器的地方安装站点网络连接器（Newt）以建立连接。",
     "sitesBannerButtonText": "安装站点",
-    "approvalsBannerTitle": "Approve or Deny Device Access",
-    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
-    "approvalsBannerButtonText": "Learn More",
     "siteCreate": "创建站点",
     "siteCreateDescription2": "按照下面的步骤创建和连接一个新站点",
     "siteCreateDescription": "创建一个新站点开始连接资源",
@@ -260,8 +257,6 @@
     "accessRolesSearch": "搜索角色...",
     "accessRolesAdd": "添加角色",
     "accessRoleDelete": "删除角色",
-    "accessApprovalsManage": "Manage Approvals",
-    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
     "description": "描述",
     "inviteTitle": "打开邀请",
     "inviteDescription": "管理其他用户加入机构的邀请",
@@ -455,18 +450,6 @@
     "selectDuration": "选择持续时间",
     "selectResource": "选择资源",
     "filterByResource": "按资源过滤",
-    "selectApprovalState": "Select Approval State",
-    "filterByApprovalState": "Filter By Approval State",
-    "approvalListEmpty": "No approvals",
-    "approvalState": "Approval State",
-    "approve": "Approve",
-    "approved": "Approved",
-    "denied": "Denied",
-    "deniedApproval": "Denied Approval",
-    "all": "All",
-    "deny": "Deny",
-    "viewDetails": "View Details",
-    "requestingNewDeviceApproval": "requested a new device",
     "resetFilters": "重置过滤器",
     "totalBlocked": "被Pangolin阻止的请求",
     "totalRequests": "总请求",
@@ -746,28 +729,16 @@
     "countries": "国家",
     "accessRoleCreate": "创建角色",
     "accessRoleCreateDescription": "创建一个新角色来分组用户并管理他们的权限。",
-    "accessRoleEdit": "Edit Role",
-    "accessRoleEditDescription": "Edit role information.",
     "accessRoleCreateSubmit": "创建角色",
     "accessRoleCreated": "角色已创建",
     "accessRoleCreatedDescription": "角色已成功创建。",
     "accessRoleErrorCreate": "创建角色失败",
     "accessRoleErrorCreateDescription": "创建角色时出错。",
-    "accessRoleUpdateSubmit": "Update Role",
-    "accessRoleUpdated": "Role updated",
-    "accessRoleUpdatedDescription": "The role has been successfully updated.",
-    "accessApprovalUpdated": "Approval processed",
-    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
-    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
-    "accessRoleErrorUpdate": "Failed to update role",
-    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
-    "accessApprovalErrorUpdate": "Failed to process approval",
-    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
     "accessRoleErrorNewRequired": "需要新角色",
     "accessRoleErrorRemove": "删除角色失败",
     "accessRoleErrorRemoveDescription": "删除角色时出错。",
     "accessRoleName": "角色名称",
-    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "您即将删除 {name} 角色。 此操作无法撤销。",
     "accessRoleRemove": "删除角色",
     "accessRoleRemoveDescription": "从组织中删除角色",
     "accessRoleRemoveSubmit": "删除角色",
@@ -903,7 +874,7 @@
     "inviteAlready": "看起来您已被邀请！",
     "inviteAlreadyDescription": "要接受邀请，您必须登录或创建一个帐户。",
     "signupQuestion": "已经有一个帐户？",
-    "login": "Log In",
+    "login": "登录",
     "resourceNotFound": "找不到资源",
     "resourceNotFoundDescription": "您要访问的资源不存在。",
     "pincodeRequirementsLength": "PIN码必须是6位数字",
@@ -983,13 +954,13 @@
     "passwordExpiryDescription": "该机构要求您每 {maxDays} 天更改一次密码。",
     "changePasswordNow": "现在更改密码",
     "pincodeAuth": "验证器代码",
-    "pincodeSubmit2": "Submit code",
+    "pincodeSubmit2": "提交代码",
     "passwordResetSubmit": "请求重置",
     "passwordResetAlreadyHaveCode": "输入代码",
     "passwordResetSmtpRequired": "请联系您的管理员",
     "passwordResetSmtpRequiredDescription": "需要密码重置密码。请联系您的管理员寻求帮助。",
     "passwordBack": "回到密码",
-    "loginBack": "Go back to main login page",
+    "loginBack": "返回登录",
     "signup": "注册",
     "loginStart": "登录以开始",
     "idpOidcTokenValidating": "正在验证 OIDC 令牌",
@@ -1147,10 +1118,6 @@
     "actionUpdateIdpOrg": "更新 IDP组织",
     "actionCreateClient": "创建客户端",
     "actionDeleteClient": "删除客户端",
-    "actionArchiveClient": "Archive Client",
-    "actionUnarchiveClient": "Unarchive Client",
-    "actionBlockClient": "Block Client",
-    "actionUnblockClient": "Unblock Client",
     "actionUpdateClient": "更新客户端",
     "actionListClients": "列出客户端",
     "actionGetClient": "获取客户端",
@@ -1167,14 +1134,14 @@
     "searchProgress": "搜索中...",
     "create": "创建",
     "orgs": "组织",
-    "loginError": "An unexpected error occurred. Please try again.",
-    "loginRequiredForDevice": "Login is required for your device.",
+    "loginError": "登录时出错",
+    "loginRequiredForDevice": "需要登录才能验证您的设备。",
     "passwordForgot": "忘记密码？",
     "otpAuth": "两步验证",
     "otpAuthDescription": "从您的身份验证程序中输入代码或您的单次备份代码。",
     "otpAuthSubmit": "提交代码",
     "idpContinue": "或者继续",
-    "otpAuthBack": "Back to Password",
+    "otpAuthBack": "返回登录",
     "navbar": "导航菜单",
     "navbarDescription": "应用程序的主导航菜单",
     "navbarDocsLink": "文件",
@@ -1222,7 +1189,6 @@
     "sidebarOverview": "概览",
     "sidebarHome": "首页",
     "sidebarSites": "站点",
-    "sidebarApprovals": "Approval Requests",
     "sidebarResources": "资源",
     "sidebarProxyResources": "公开的",
     "sidebarClientResources": "非公开的",
@@ -1239,7 +1205,7 @@
     "sidebarIdentityProviders": "身份提供商",
     "sidebarLicense": "证书",
     "sidebarClients": "客户端",
-    "sidebarUserDevices": "User Devices",
+    "sidebarUserDevices": "用户",
     "sidebarMachineClients": "机",
     "sidebarDomains": "域",
     "sidebarGeneral": "管理",
@@ -1311,7 +1277,6 @@
     "setupErrorCreateAdmin": "创建服务器管理员账户时发生错误。",
     "certificateStatus": "证书状态",
     "loading": "加载中",
-    "loadingAnalytics": "Loading Analytics",
     "restart": "重启",
     "domains": "域",
     "domainsDescription": "创建和管理组织中可用的域",
@@ -1339,7 +1304,6 @@
     "refreshError": "刷新数据失败",
     "verified": "已验证",
     "pending": "待定",
-    "pendingApproval": "Pending Approval",
     "sidebarBilling": "计费",
     "billing": "计费",
     "orgBillingDescription": "管理账单信息和订阅",
@@ -1456,7 +1420,7 @@
     "securityKeyRemoveSuccess": "安全密钥删除成功",
     "securityKeyRemoveError": "删除安全密钥失败",
     "securityKeyLoadError": "加载安全密钥失败",
-    "securityKeyLogin": "Use Security Key",
+    "securityKeyLogin": "使用安全密钥继续",
     "securityKeyAuthError": "使用安全密钥认证失败",
     "securityKeyRecommendation": "考虑在其他设备上注册另一个安全密钥，以确保不会被锁定在您的账户之外。",
     "registering": "注册中...",
@@ -1583,8 +1547,6 @@
     "IntervalSeconds": "正常间隔",
     "timeoutSeconds": "超时(秒)",
     "timeIsInSeconds": "时间以秒为单位",
-    "requireDeviceApproval": "Require Device Approvals",
-    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
     "retryAttempts": "重试次数",
     "expectedResponseCodes": "期望响应代码",
     "expectedResponseCodesDescription": "HTTP 状态码表示健康状态。如留空，200-300 被视为健康。",
@@ -1914,7 +1876,7 @@
     "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
     "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
     "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
-    "orgAuthSignInToOrg": "Sign in to an organization",
+    "orgAuthSignInToOrg": "登录到一个组织",
     "orgAuthSelectOrgTitle": "组织登录",
     "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
     "orgAuthOrgIdPlaceholder": "您的组织",
@@ -2270,8 +2232,6 @@
     "deviceCodeInvalidFormat": "代码必须是9个字符(如A1AJ-N5JD)",
     "deviceCodeInvalidOrExpired": "无效或过期的代码",
     "deviceCodeVerifyFailed": "验证设备代码失败",
-    "deviceCodeValidating": "Validating device code...",
-    "deviceCodeVerifying": "Verifying device authorization...",
     "signedInAs": "登录为",
     "deviceCodeEnterPrompt": "输入设备上显示的代码",
     "continue": "继续",
@@ -2284,7 +2244,7 @@
     "deviceOrganizationsAccess": "访问您的帐户拥有访问权限的所有组织",
     "deviceAuthorize": "授权{applicationName}",
     "deviceConnected": "设备已连接！",
-    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
+    "deviceAuthorizedMessage": "设备被授权访问您的帐户。",
     "pangolinCloud": "邦戈林云",
     "viewDevices": "查看设备",
     "viewDevicesDescription": "管理您已连接的设备",
@@ -2346,7 +2306,6 @@
     "identifier": "Identifier",
     "deviceLoginUseDifferentAccount": "不是你？使用一个不同的帐户。",
     "deviceLoginDeviceRequestingAccessToAccount": "设备正在请求访问此帐户。",
-    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
     "noData": "无数据",
     "machineClients": "机器客户端",
     "install": "安装",
@@ -2435,92 +2394,5 @@
     "maintenanceScreenTitle": "服务暂时不可用",
     "maintenanceScreenMessage": "我们目前遇到技术问题。 请稍后再回来查看。",
     "maintenanceScreenEstimatedCompletion": "预计完成时间：",
-    "createInternalResourceDialogDestinationRequired": "需要目标地址",
-    "available": "Available",
-    "archived": "Archived",
-    "noArchivedDevices": "No archived devices found",
-    "deviceArchived": "Device archived",
-    "deviceArchivedDescription": "The device has been successfully archived.",
-    "errorArchivingDevice": "Error archiving device",
-    "failedToArchiveDevice": "Failed to archive device",
-    "deviceQuestionArchive": "Are you sure you want to archive this device?",
-    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
-    "deviceArchiveConfirm": "Archive Device",
-    "archiveDevice": "Archive Device",
-    "archive": "Archive",
-    "deviceUnarchived": "Device unarchived",
-    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
-    "errorUnarchivingDevice": "Error unarchiving device",
-    "failedToUnarchiveDevice": "Failed to unarchive device",
-    "unarchive": "Unarchive",
-    "archiveClient": "Archive Client",
-    "archiveClientQuestion": "Are you sure you want to archive this client?",
-    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
-    "archiveClientConfirm": "Archive Client",
-    "blockClient": "Block Client",
-    "blockClientQuestion": "Are you sure you want to block this client?",
-    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
-    "blockClientConfirm": "Block Client",
-    "active": "Active",
-    "usernameOrEmail": "Username or Email",
-    "selectYourOrganization": "Select your organization",
-    "signInTo": "Log in in to",
-    "signInWithPassword": "Continue with Password",
-    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
-    "enterPassword": "Enter your password",
-    "enterMfaCode": "Enter the code from your authenticator app",
-    "securityKeyRequired": "Please use your security key to sign in.",
-    "needToUseAnotherAccount": "Need to use a different account?",
-    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
-    "termsOfService": "Terms of Service",
-    "privacyPolicy": "Privacy Policy",
-    "userNotFoundWithUsername": "No user found with that username.",
-    "verify": "Verify",
-    "signIn": "Sign In",
-    "forgotPassword": "Forgot password?",
-    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
-    "continueAnyway": "Continue anyway",
-    "dontShowAgain": "Don't show again",
-    "orgSignInNotice": "Did you know?",
-    "signupOrgNotice": "Trying to sign in?",
-    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
-    "signupOrgLink": "Sign in or sign up with your organization instead",
-    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
-    "logIn": "Log In",
-    "deviceInformation": "Device Information",
-    "deviceInformationDescription": "Information about the device and agent",
-    "platform": "Platform",
-    "macosVersion": "macOS Version",
-    "windowsVersion": "Windows Version",
-    "iosVersion": "iOS Version",
-    "androidVersion": "Android Version",
-    "osVersion": "OS Version",
-    "kernelVersion": "Kernel Version",
-    "deviceModel": "Device Model",
-    "serialNumber": "Serial Number",
-    "hostname": "Hostname",
-    "firstSeen": "First Seen",
-    "lastSeen": "Last Seen",
-    "deviceSettingsDescription": "View device information and settings",
-    "devicePendingApprovalDescription": "This device is waiting for approval",
-    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
-    "unblockClient": "Unblock Client",
-    "unblockClientDescription": "The device has been unblocked",
-    "unarchiveClient": "Unarchive Client",
-    "unarchiveClientDescription": "The device has been unarchived",
-    "block": "Block",
-    "unblock": "Unblock",
-    "deviceActions": "Device Actions",
-    "deviceActionsDescription": "Manage device status and access",
-    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
-    "connected": "Connected",
-    "disconnected": "Disconnected",
-    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
-    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
-    "approvalsEmptyStateStep1Title": "Go to Roles",
-    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
-    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
-    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
-    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
-    "approvalsEmptyStateButtonText": "Manage Roles"
+    "createInternalResourceDialogDestinationRequired": "需要目标地址"
 }

package.json

@@ -3,7 +3,7 @@
     "version": "0.0.0",
     "private": true,
     "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
     "homepage": "https://github.com/fosrl/pangolin",
     "repository": {
         "type": "git",

server/auth/actions.ts

@@ -78,6 +78,10 @@ export enum ActionsEnum {
     updateSiteResource = "updateSiteResource",
     createClient = "createClient",
     deleteClient = "deleteClient",
+    archiveClient = "archiveClient",
+    unarchiveClient = "unarchiveClient",
+    blockClient = "blockClient",
+    unblockClient = "unblockClient",
     updateClient = "updateClient",
     listClients = "listClients",
     getClient = "getClient",
@@ -125,7 +129,9 @@ export enum ActionsEnum {
     getBlueprint = "getBlueprint",
     applyBlueprint = "applyBlueprint",
     viewLogs = "viewLogs",
-    exportLogs = "exportLogs"
+    exportLogs = "exportLogs",
+    listApprovals = "listApprovals",
+    updateApprovals = "updateApprovals"
 }
 
 export async function checkUserActionPermission(

server/db/ios_models.json

@@ -0,0 +1,150 @@
+{
+  "iPad1,1": "iPad",
+  "iPad2,1": "iPad 2",
+  "iPad2,2": "iPad 2",
+  "iPad2,3": "iPad 2",
+  "iPad2,4": "iPad 2",
+  "iPad3,1": "iPad 3rd Gen",
+  "iPad3,3": "iPad 3rd Gen",
+  "iPad3,2": "iPad 3rd Gen",
+  "iPad3,4": "iPad 4th Gen",
+  "iPad3,5": "iPad 4th Gen",
+  "iPad3,6": "iPad 4th Gen",
+  "iPad6,11": "iPad 9.7 5th Gen",
+  "iPad6,12": "iPad 9.7 5th Gen",
+  "iPad7,5": "iPad 9.7 6th Gen",
+  "iPad7,6": "iPad 9.7 6th Gen",
+  "iPad7,11": "iPad 10.2 7th Gen",
+  "iPad7,12": "iPad 10.2 7th Gen",
+  "iPad11,6": "iPad 10.2 8th Gen",
+  "iPad11,7": "iPad 10.2 8th Gen",
+  "iPad12,1": "iPad 10.2 9th Gen",
+  "iPad12,2": "iPad 10.2 9th Gen",
+  "iPad13,18": "iPad 10.9 10th Gen",
+  "iPad13,19": "iPad 10.9 10th Gen",
+  "iPad4,1": "iPad Air",
+  "iPad4,2": "iPad Air",
+  "iPad4,3": "iPad Air",
+  "iPad5,3": "iPad Air 2",
+  "iPad5,4": "iPad Air 2",
+  "iPad11,3": "iPad Air 3rd Gen",
+  "iPad11,4": "iPad Air 3rd Gen",
+  "iPad13,1": "iPad Air 4th Gen",
+  "iPad13,2": "iPad Air 4th Gen",
+  "iPad13,16": "iPad Air 5th Gen",
+  "iPad13,17": "iPad Air 5th Gen",
+  "iPad14,8": "iPad Air M2 11",
+  "iPad14,9": "iPad Air M2 11",
+  "iPad14,10": "iPad Air M2 13",
+  "iPad14,11": "iPad Air M2 13",
+  "iPad2,5": "iPad mini",
+  "iPad2,6": "iPad mini",
+  "iPad2,7": "iPad mini",
+  "iPad4,4": "iPad mini 2",
+  "iPad4,5": "iPad mini 2",
+  "iPad4,6": "iPad mini 2",
+  "iPad4,7": "iPad mini 3",
+  "iPad4,8": "iPad mini 3",
+  "iPad4,9": "iPad mini 3",
+  "iPad5,1": "iPad mini 4",
+  "iPad5,2": "iPad mini 4",
+  "iPad11,1": "iPad mini 5th Gen",
+  "iPad11,2": "iPad mini 5th Gen",
+  "iPad14,1": "iPad mini 6th Gen",
+  "iPad14,2": "iPad mini 6th Gen",
+  "iPad6,7": "iPad Pro 12.9",
+  "iPad6,8": "iPad Pro 12.9",
+  "iPad6,3": "iPad Pro 9.7",
+  "iPad6,4": "iPad Pro 9.7",
+  "iPad7,3": "iPad Pro 10.5",
+  "iPad7,4": "iPad Pro 10.5",
+  "iPad7,1": "iPad Pro 12.9",
+  "iPad7,2": "iPad Pro 12.9",
+  "iPad8,1": "iPad Pro 11",
+  "iPad8,2": "iPad Pro 11",
+  "iPad8,3": "iPad Pro 11",
+  "iPad8,4": "iPad Pro 11",
+  "iPad8,5": "iPad Pro 12.9",
+  "iPad8,6": "iPad Pro 12.9",
+  "iPad8,7": "iPad Pro 12.9",
+  "iPad8,8": "iPad Pro 12.9",
+  "iPad8,9": "iPad Pro 11",
+  "iPad8,10": "iPad Pro 11",
+  "iPad8,11": "iPad Pro 12.9",
+  "iPad8,12": "iPad Pro 12.9",
+  "iPad13,4": "iPad Pro 11",
+  "iPad13,5": "iPad Pro 11",
+  "iPad13,6": "iPad Pro 11",
+  "iPad13,7": "iPad Pro 11",
+  "iPad13,8": "iPad Pro 12.9",
+  "iPad13,9": "iPad Pro 12.9",
+  "iPad13,10": "iPad Pro 12.9",
+  "iPad13,11": "iPad Pro 12.9",
+  "iPad14,3": "iPad Pro 11",
+  "iPad14,4": "iPad Pro 11",
+  "iPad14,5": "iPad Pro 12.9",
+  "iPad14,6": "iPad Pro 12.9",
+  "iPad16,3": "iPad Pro M4 11",
+  "iPad16,4": "iPad Pro M4 11",
+  "iPad16,5": "iPad Pro M4 13",
+  "iPad16,6": "iPad Pro M4 13",
+  "iPhone1,1": "iPhone",
+  "iPhone1,2": "iPhone 3G",
+  "iPhone2,1": "iPhone 3GS",
+  "iPhone3,1": "iPhone 4",
+  "iPhone3,2": "iPhone 4",
+  "iPhone3,3": "iPhone 4",
+  "iPhone4,1": "iPhone 4S",
+  "iPhone5,1": "iPhone 5",
+  "iPhone5,2": "iPhone 5",
+  "iPhone5,3": "iPhone 5c",
+  "iPhone5,4": "iPhone 5c",
+  "iPhone6,1": "iPhone 5s",
+  "iPhone6,2": "iPhone 5s",
+  "iPhone7,2": "iPhone 6",
+  "iPhone7,1": "iPhone 6 Plus",
+  "iPhone8,1": "iPhone 6s",
+  "iPhone8,2": "iPhone 6s Plus",
+  "iPhone8,4": "iPhone SE",
+  "iPhone9,1": "iPhone 7",
+  "iPhone9,3": "iPhone 7",
+  "iPhone9,2": "iPhone 7 Plus",
+  "iPhone9,4": "iPhone 7 Plus",
+  "iPhone10,1": "iPhone 8",
+  "iPhone10,4": "iPhone 8",
+  "iPhone10,2": "iPhone 8 Plus",
+  "iPhone10,5": "iPhone 8 Plus",
+  "iPhone10,3": "iPhone X",
+  "iPhone10,6": "iPhone X",
+  "iPhone11,2": "iPhone Xs",
+  "iPhone11,6": "iPhone Xs Max",
+  "iPhone11,8": "iPhone XR",
+  "iPhone12,1": "iPhone 11",
+  "iPhone12,3": "iPhone 11 Pro",
+  "iPhone12,5": "iPhone 11 Pro Max",
+  "iPhone12,8": "iPhone SE",
+  "iPhone13,1": "iPhone 12 mini",
+  "iPhone13,2": "iPhone 12",
+  "iPhone13,3": "iPhone 12 Pro",
+  "iPhone13,4": "iPhone 12 Pro Max",
+  "iPhone14,4": "iPhone 13 mini",
+  "iPhone14,5": "iPhone 13",
+  "iPhone14,2": "iPhone 13 Pro",
+  "iPhone14,3": "iPhone 13 Pro Max",
+  "iPhone14,6": "iPhone SE",
+  "iPhone14,7": "iPhone 14",
+  "iPhone14,8": "iPhone 14 Plus",
+  "iPhone15,2": "iPhone 14 Pro",
+  "iPhone15,3": "iPhone 14 Pro Max",
+  "iPhone15,4": "iPhone 15",
+  "iPhone15,5": "iPhone 15 Plus",
+  "iPhone16,1": "iPhone 15 Pro",
+  "iPhone16,2": "iPhone 15 Pro Max",
+  "iPod1,1": "iPod touch Original",
+  "iPod2,1": "iPod touch 2nd",
+  "iPod3,1": "iPod touch 3rd Gen",
+  "iPod4,1": "iPod touch 4th",
+  "iPod5,1": "iPod touch 5th",
+  "iPod7,1": "iPod touch 6th Gen",
+  "iPod9,1": "iPod touch 7th Gen"
+}

server/db/mac_models.json

@@ -0,0 +1,201 @@
+{
+  "PowerMac4,4": "eMac",
+  "PowerMac6,4": "eMac",
+  "PowerBook2,1": "iBook",
+  "PowerBook2,2": "iBook",
+  "PowerBook4,1": "iBook",
+  "PowerBook4,2": "iBook",
+  "PowerBook4,3": "iBook",
+  "PowerBook6,3": "iBook",
+  "PowerBook6,5": "iBook",
+  "PowerBook6,7": "iBook",
+  "iMac,1": "iMac",
+  "PowerMac2,1": "iMac",
+  "PowerMac2,2": "iMac",
+  "PowerMac4,1": "iMac",
+  "PowerMac4,2": "iMac",
+  "PowerMac4,5": "iMac",
+  "PowerMac6,1": "iMac",
+  "PowerMac6,3*": "iMac",
+  "PowerMac6,3": "iMac",
+  "PowerMac8,1": "iMac",
+  "PowerMac8,2": "iMac",
+  "PowerMac12,1": "iMac",
+  "iMac4,1": "iMac",
+  "iMac4,2": "iMac",
+  "iMac5,2": "iMac",
+  "iMac5,1": "iMac",
+  "iMac6,1": "iMac",
+  "iMac7,1": "iMac",
+  "iMac8,1": "iMac",
+  "iMac9,1": "iMac",
+  "iMac10,1": "iMac",
+  "iMac11,1": "iMac",
+  "iMac11,2": "iMac",
+  "iMac11,3": "iMac",
+  "iMac12,1": "iMac",
+  "iMac12,2": "iMac",
+  "iMac13,1": "iMac",
+  "iMac13,2": "iMac",
+  "iMac14,1": "iMac",
+  "iMac14,3": "iMac",
+  "iMac14,2": "iMac",
+  "iMac14,4": "iMac",
+  "iMac15,1": "iMac",
+  "iMac16,1": "iMac",
+  "iMac16,2": "iMac",
+  "iMac17,1": "iMac",
+  "iMac18,1": "iMac",
+  "iMac18,2": "iMac",
+  "iMac18,3": "iMac",
+  "iMac19,2": "iMac",
+  "iMac19,1": "iMac",
+  "iMac20,1": "iMac",
+  "iMac20,2": "iMac",
+  "iMac21,2": "iMac",
+  "iMac21,1": "iMac",
+  "iMacPro1,1": "iMac Pro",
+  "PowerMac10,1": "Mac mini",
+  "PowerMac10,2": "Mac mini",
+  "Macmini1,1": "Mac mini",
+  "Macmini2,1": "Mac mini",
+  "Macmini3,1": "Mac mini",
+  "Macmini4,1": "Mac mini",
+  "Macmini5,1": "Mac mini",
+  "Macmini5,2": "Mac mini",
+  "Macmini5,3": "Mac mini",
+  "Macmini6,1": "Mac mini",
+  "Macmini6,2": "Mac mini",
+  "Macmini7,1": "Mac mini",
+  "Macmini8,1": "Mac mini",
+  "ADP3,2": "Mac mini",
+  "Macmini9,1": "Mac mini",
+  "Mac14,3": "Mac mini",
+  "Mac14,12": "Mac mini",
+  "MacPro1,1*": "Mac Pro",
+  "MacPro2,1": "Mac Pro",
+  "MacPro3,1": "Mac Pro",
+  "MacPro4,1": "Mac Pro",
+  "MacPro5,1": "Mac Pro",
+  "MacPro6,1": "Mac Pro",
+  "MacPro7,1": "Mac Pro",
+  "N/A*": "Power Macintosh",
+  "PowerMac1,1": "Power Macintosh",
+  "PowerMac3,1": "Power Macintosh",
+  "PowerMac3,3": "Power Macintosh",
+  "PowerMac3,4": "Power Macintosh",
+  "PowerMac3,5": "Power Macintosh",
+  "PowerMac3,6": "Power Macintosh",
+  "Mac13,1": "Mac Studio",
+  "Mac13,2": "Mac Studio",
+  "MacBook1,1": "MacBook",
+  "MacBook2,1": "MacBook",
+  "MacBook3,1": "MacBook",
+  "MacBook4,1": "MacBook",
+  "MacBook5,1": "MacBook",
+  "MacBook5,2": "MacBook",
+  "MacBook6,1": "MacBook",
+  "MacBook7,1": "MacBook",
+  "MacBook8,1": "MacBook",
+  "MacBook9,1": "MacBook",
+  "MacBook10,1": "MacBook",
+  "MacBookAir1,1": "MacBook Air",
+  "MacBookAir2,1": "MacBook Air",
+  "MacBookAir3,1": "MacBook Air",
+  "MacBookAir3,2": "MacBook Air",
+  "MacBookAir4,1": "MacBook Air",
+  "MacBookAir4,2": "MacBook Air",
+  "MacBookAir5,1": "MacBook Air",
+  "MacBookAir5,2": "MacBook Air",
+  "MacBookAir6,1": "MacBook Air",
+  "MacBookAir6,2": "MacBook Air",
+  "MacBookAir7,1": "MacBook Air",
+  "MacBookAir7,2": "MacBook Air",
+  "MacBookAir8,1": "MacBook Air",
+  "MacBookAir8,2": "MacBook Air",
+  "MacBookAir9,1": "MacBook Air",
+  "MacBookAir10,1": "MacBook Air",
+  "Mac14,2": "MacBook Air",
+  "MacBookPro1,1": "MacBook Pro",
+  "MacBookPro1,2": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
+  "MacBookPro4,1": "MacBook Pro",
+  "MacBookPro5,1": "MacBook Pro",
+  "MacBookPro5,2": "MacBook Pro",
+  "MacBookPro5,5": "MacBook Pro",
+  "MacBookPro5,4": "MacBook Pro",
+  "MacBookPro5,3": "MacBook Pro",
+  "MacBookPro7,1": "MacBook Pro",
+  "MacBookPro6,2": "MacBook Pro",
+  "MacBookPro6,1": "MacBook Pro",
+  "MacBookPro8,1": "MacBook Pro",
+  "MacBookPro8,2": "MacBook Pro",
+  "MacBookPro8,3": "MacBook Pro",
+  "MacBookPro9,2": "MacBook Pro",
+  "MacBookPro9,1": "MacBook Pro",
+  "MacBookPro10,1": "MacBook Pro",
+  "MacBookPro10,2": "MacBook Pro",
+  "MacBookPro11,1": "MacBook Pro",
+  "MacBookPro11,2": "MacBook Pro",
+  "MacBookPro11,3": "MacBook Pro",
+  "MacBookPro12,1": "MacBook Pro",
+  "MacBookPro11,4": "MacBook Pro",
+  "MacBookPro11,5": "MacBook Pro",
+  "MacBookPro13,1": "MacBook Pro",
+  "MacBookPro13,2": "MacBook Pro",
+  "MacBookPro13,3": "MacBook Pro",
+  "MacBookPro14,1": "MacBook Pro",
+  "MacBookPro14,2": "MacBook Pro",
+  "MacBookPro14,3": "MacBook Pro",
+  "MacBookPro15,2": "MacBook Pro",
+  "MacBookPro15,1": "MacBook Pro",
+  "MacBookPro15,3": "MacBook Pro",
+  "MacBookPro15,4": "MacBook Pro",
+  "MacBookPro16,1": "MacBook Pro",
+  "MacBookPro16,3": "MacBook Pro",
+  "MacBookPro16,2": "MacBook Pro",
+  "MacBookPro16,4": "MacBook Pro",
+  "MacBookPro17,1": "MacBook Pro",
+  "MacBookPro18,3": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
+  "MacBookPro18,1": "MacBook Pro",
+  "MacBookPro18,2": "MacBook Pro",
+  "Mac14,7": "MacBook Pro",
+  "Mac14,9": "MacBook Pro",
+  "Mac14,5": "MacBook Pro",
+  "Mac14,10": "MacBook Pro",
+  "Mac14,6": "MacBook Pro",
+  "PowerMac1,2": "Power Macintosh",
+  "PowerMac5,1": "Power Macintosh",
+  "PowerMac7,2": "Power Macintosh",
+  "PowerMac7,3": "Power Macintosh",
+  "PowerMac9,1": "Power Macintosh",
+  "PowerMac11,2": "Power Macintosh",
+  "PowerBook1,1": "PowerBook",
+  "PowerBook3,1": "PowerBook",
+  "PowerBook3,2": "PowerBook",
+  "PowerBook3,3": "PowerBook",
+  "PowerBook3,4": "PowerBook",
+  "PowerBook3,5": "PowerBook",
+  "PowerBook6,1": "PowerBook",
+  "PowerBook5,1": "PowerBook",
+  "PowerBook6,2": "PowerBook",
+  "PowerBook5,2": "PowerBook",
+  "PowerBook5,3": "PowerBook",
+  "PowerBook6,4": "PowerBook",
+  "PowerBook5,4": "PowerBook",
+  "PowerBook5,5": "PowerBook",
+  "PowerBook6,8": "PowerBook",
+  "PowerBook5,6": "PowerBook",
+  "PowerBook5,7": "PowerBook",
+  "PowerBook5,8": "PowerBook",
+  "PowerBook5,9": "PowerBook",
+  "RackMac1,1": "Xserve",
+  "RackMac1,2": "Xserve",
+  "RackMac3,1": "Xserve",
+  "Xserve1,1": "Xserve",
+  "Xserve2,1": "Xserve",
+  "Xserve3,1": "Xserve"
+}

server/db/names.ts

@@ -16,6 +16,24 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));
 
+// Load iOS and Mac model mappings
+let iosModelsFile: string;
+let macModelsFile: string;
+if (!dev) {
+    iosModelsFile = join(__DIRNAME, "ios_models.json");
+    macModelsFile = join(__DIRNAME, "mac_models.json");
+} else {
+    iosModelsFile = join("server/db/ios_models.json");
+    macModelsFile = join("server/db/mac_models.json");
+}
+
+const iosModels: Record<string, string> = JSON.parse(
+    readFileSync(iosModelsFile, "utf-8")
+);
+const macModels: Record<string, string> = JSON.parse(
+    readFileSync(macModelsFile, "utf-8")
+);
+
 export async function getUniqueClientName(orgId: string): Promise<string> {
     let loops = 0;
     while (true) {
@@ -159,3 +177,29 @@ export function generateName(): string {
     // clean out any non-alphanumeric characters except for dashes
     return name.replace(/[^a-z0-9-]/g, "");
 }
+
+export function getMacDeviceName(macIdentifier?: string | null): string | null {
+    if (macIdentifier && macModels[macIdentifier]) {
+        return macModels[macIdentifier];
+    }
+    return null;
+}
+
+export function getIosDeviceName(iosIdentifier?: string | null): string | null {
+    if (iosIdentifier && iosModels[iosIdentifier]) {
+        return iosModels[iosIdentifier];
+    }
+    return null;
+}
+
+export function getUserDeviceName(
+    model: string | null,
+    fallBack: string | null
+): string {
+    return (
+        getMacDeviceName(model) ||
+        getIosDeviceName(model) ||
+        fallBack ||
+        "Unknown Device"
+    );
+}

server/db/pg/schema/privateSchema.ts

@@ -10,7 +10,15 @@ import {
     index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
-import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import {
+    domains,
+    orgs,
+    targets,
+    users,
+    exitNodes,
+    sessions,
+    clients
+} from "./schema";
 
 export const certificates = pgTable("certificates", {
     certId: serial("certId").primaryKey(),
@@ -289,6 +297,33 @@ export const accessAuditLog = pgTable(
     ]
 );
 
+export const approvals = pgTable("approvals", {
+    approvalId: serial("approvalId").primaryKey(),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // clients reference user devices (in this case)
+    userId: varchar("userId")
+        .references(() => users.userId, {
+            // optionally tied to a user and in this case delete when the user deletes
+            onDelete: "cascade"
+        })
+        .notNull(),
+    decision: varchar("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: varchar("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;

server/db/pg/schema/schema.ts

@@ -365,7 +365,8 @@ export const roles = pgTable("roles", {
         .notNull(),
     isAdmin: boolean("isAdmin"),
     name: varchar("name").notNull(),
-    description: varchar("description")
+    description: varchar("description"),
+    requireDeviceApproval: boolean("requireDeviceApproval").default(false)
 });
 
 export const roleActions = pgTable("roleActions", {
@@ -591,7 +592,8 @@ export const idp = pgTable("idp", {
     type: varchar("type").notNull(),
     defaultRoleMapping: varchar("defaultRoleMapping"),
     defaultOrgMapping: varchar("defaultOrgMapping"),
-    autoProvision: boolean("autoProvision").notNull().default(false)
+    autoProvision: boolean("autoProvision").notNull().default(false),
+    tags: text("tags")
 });
 
 export const idpOidcConfig = pgTable("idpOidcConfig", {
@@ -688,7 +690,12 @@ export const clients = pgTable("clients", {
     online: boolean("online").notNull().default(false),
     // endpoint: varchar("endpoint"),
     lastHolePunch: integer("lastHolePunch"),
-    maxConnections: integer("maxConnections")
+    maxConnections: integer("maxConnections"),
+    archived: boolean("archived").notNull().default(false),
+    blocked: boolean("blocked").notNull().default(false),
+    approvalState: varchar("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });
 
 export const clientSitesAssociationsCache = pgTable(
@@ -712,6 +719,49 @@ export const clientSiteResourcesAssociationsCache = pgTable(
     }
 );
 
+export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
+    snapshotId: serial("snapshotId").primaryKey(),
+
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
+    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
+    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
+    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
+    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
+
+    // Windows-specific posture check information
+
+    windowsDefenderEnabled: boolean("windowsDefenderEnabled")
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
+    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled")
+        .notNull()
+        .default(false),
+
+    collectedAt: integer("collectedAt").notNull()
+});
+
 export const olms = pgTable("olms", {
     olmId: varchar("id").primaryKey(),
     secretHash: varchar("secretHash").notNull(),
@@ -726,7 +776,29 @@ export const olms = pgTable("olms", {
     userId: text("userId").references(() => users.userId, {
         // optionally tied to a user and in this case delete when the user deletes
         onDelete: "cascade"
-    })
+    }),
+    archived: boolean("archived").notNull().default(false)
+});
+
+export const fingerprints = pgTable("fingerprints", {
+    fingerprintId: serial("id").primaryKey(),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"), // macos | windows | linux | ios | android | unknown
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: varchar("platformFingerprint")
 });
 
 export const olmSessions = pgTable("clientSession", {

server/db/queries/verifySessionQueries.ts

@@ -1,4 +1,4 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -108,9 +108,17 @@ export async function getUserSessionWithUser(
  */
 export async function getUserOrgRole(userId: string, orgId: string) {
     const userOrgRole = await db
-        .select()
+        .select({
+            userId: userOrgs.userId,
+            orgId: userOrgs.orgId,
+            roleId: userOrgs.roleId,
+            isOwner: userOrgs.isOwner,
+            autoProvisioned: userOrgs.autoProvisioned,
+            roleName: roles.name
+        })
         .from(userOrgs)
         .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
         .limit(1);
 
     return userOrgRole.length > 0 ? userOrgRole[0] : null;

server/db/sqlite/schema/privateSchema.ts

@@ -6,7 +6,7 @@ import {
     sqliteTable,
     text
 } from "drizzle-orm/sqlite-core";
-import { domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -289,6 +289,31 @@ export const accessAuditLog = sqliteTable(
     ]
 );
 
+export const approvals = sqliteTable("approvals", {
+    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // olms reference user devices clients
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    decision: text("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: text("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;

server/db/sqlite/schema/schema.ts

@@ -255,7 +255,9 @@ export const siteResources = sqliteTable("siteResources", {
     aliasAddress: text("aliasAddress"),
     tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
     udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
-    disableIcmp: integer("disableIcmp", { mode: "boolean" }).notNull().default(false)
+    disableIcmp: integer("disableIcmp", { mode: "boolean" })
+        .notNull()
+        .default(false)
 });
 
 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -383,7 +385,12 @@ export const clients = sqliteTable("clients", {
     type: text("type").notNull(), // "olm"
     online: integer("online", { mode: "boolean" }).notNull().default(false),
     // endpoint: text("endpoint"),
-    lastHolePunch: integer("lastHolePunch")
+    lastHolePunch: integer("lastHolePunch"),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false),
+    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false),
+    approvalState: text("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });
 
 export const clientSitesAssociationsCache = sqliteTable(
@@ -409,6 +416,69 @@ export const clientSiteResourcesAssociationsCache = sqliteTable(
     }
 );
 
+export const clientPostureSnapshots = sqliteTable("clientPostureSnapshots", {
+    snapshotId: integer("snapshotId").primaryKey({ autoIncrement: true }),
+
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
+        .notNull()
+        .default(false),
+
+    // Windows-specific posture check information
+
+    windowsDefenderEnabled: integer("windowsDefenderEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    collectedAt: integer("collectedAt").notNull()
+});
+
 export const olms = sqliteTable("olms", {
     olmId: text("id").primaryKey(),
     secretHash: text("secretHash").notNull(),
@@ -423,7 +493,29 @@ export const olms = sqliteTable("olms", {
     userId: text("userId").references(() => users.userId, {
         // optionally tied to a user and in this case delete when the user deletes
         onDelete: "cascade"
-    })
+    }),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
+});
+
+export const fingerprints = sqliteTable("fingerprints", {
+    fingerprintId: integer("id").primaryKey({ autoIncrement: true }),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"), // macos | windows | linux | ios | android | unknown
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: text("platformFingerprint")
 });
 
 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
@@ -515,7 +607,10 @@ export const roles = sqliteTable("roles", {
         .notNull(),
     isAdmin: integer("isAdmin", { mode: "boolean" }),
     name: text("name").notNull(),
-    description: text("description")
+    description: text("description"),
+    requireDeviceApproval: integer("requireDeviceApproval", {
+        mode: "boolean"
+    }).default(false)
 });
 
 export const roleActions = sqliteTable("roleActions", {
@@ -774,7 +869,8 @@ export const idp = sqliteTable("idp", {
         mode: "boolean"
     })
         .notNull()
-        .default(false)
+        .default(false),
+    tags: text("tags")
 });
 
 // Identity Provider OAuth Configuration

server/lib/blueprints/types.ts

@@ -290,8 +290,8 @@ export const ClientResourceSchema = z
         alias: z
             .string()
             .regex(
-                /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
-                "Alias must be a fully qualified domain name (e.g., example.com)"
+                /^(?:[a-zA-Z0-9*?](?:[a-zA-Z0-9*?-]{0,61}[a-zA-Z0-9*?])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
+                "Alias must be a fully qualified domain name with optional wildcards (e.g., example.com, *.example.com, host-0?.example.internal)"
             )
             .optional(),
         roles: z

server/lib/calculateUserClientsForOrgs.ts

@@ -1,21 +1,24 @@
+import { listExitNodes } from "#dynamic/lib/exitNodes";
+import { build } from "@server/build";
 import {
+    approvals,
     clients,
     db,
     olms,
     orgs,
     roleClients,
     roles,
+    Transaction,
     userClients,
-    userOrgs,
-    Transaction
+    userOrgs
 } from "@server/db";
-import { eq, and, notInArray } from "drizzle-orm";
-import { listExitNodes } from "#dynamic/lib/exitNodes";
-import { getNextAvailableClientSubnet } from "@server/lib/ip";
-import logger from "@server/logger";
-import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
-import { sendTerminateClient } from "@server/routers/client/terminate";
 import { getUniqueClientName } from "@server/db/names";
+import { getNextAvailableClientSubnet } from "@server/lib/ip";
+import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
+import logger from "@server/logger";
+import { sendTerminateClient } from "@server/routers/client/terminate";
+import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
+import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
 
 export async function calculateUserClientsForOrgs(
     userId: string,
@@ -38,13 +41,15 @@ export async function calculateUserClientsForOrgs(
         const allUserOrgs = await transaction
             .select()
             .from(userOrgs)
+            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
             .where(eq(userOrgs.userId, userId));
 
-        const userOrgIds = allUserOrgs.map((uo) => uo.orgId);
+        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);
 
         // For each OLM, ensure there's a client in each org the user is in
         for (const olm of userOlms) {
-            for (const userOrg of allUserOrgs) {
+            for (const userRoleOrg of allUserOrgs) {
+                const { userOrgs: userOrg, roles: role } = userRoleOrg;
                 const orgId = userOrg.orgId;
 
                 const [org] = await transaction
@@ -182,21 +187,46 @@ export async function calculateUserClientsForOrgs(
 
                 const niceId = await getUniqueClientName(orgId);
 
+                const isOrgLicensed = await isLicensedOrSubscribed(
+                    userOrg.orgId
+                );
+                const requireApproval =
+                    build !== "oss" &&
+                    isOrgLicensed &&
+                    role.requireDeviceApproval;
+
+                const newClientData: InferInsertModel<typeof clients> = {
+                    userId,
+                    orgId: userOrg.orgId,
+                    exitNodeId: randomExitNode.exitNodeId,
+                    name: olm.name || "User Client",
+                    subnet: updatedSubnet,
+                    olmId: olm.olmId,
+                    type: "olm",
+                    niceId,
+                    approvalState: requireApproval ? "pending" : null
+                };
+
                 // Create the client
                 const [newClient] = await transaction
                     .insert(clients)
-                    .values({
-                        userId,
-                        orgId: userOrg.orgId,
-                        exitNodeId: randomExitNode.exitNodeId,
-                        name: olm.name || "User Client",
-                        subnet: updatedSubnet,
-                        olmId: olm.olmId,
-                        type: "olm",
-                        niceId
-                    })
+                    .values(newClientData)
                     .returning();
 
+                // create approval request
+                if (requireApproval) {
+                    await transaction
+                        .insert(approvals)
+                        .values({
+                            timestamp: Math.floor(new Date().getTime() / 1000),
+                            orgId: userOrg.orgId,
+                            clientId: newClient.clientId,
+                            userId,
+                            type: "user_device"
+                        })
+                        .returning();
+                }
+
                 await rebuildClientAssociationsFromClient(
                     newClient,
                     transaction

server/lib/cleanupLogs.ts

@@ -26,6 +26,7 @@ export function initLogCleanupInterval() {
                     )
                 );
 
+            // TODO: handle when there are multiple nodes doing this clearing using redis
             for (const org of orgsToClean) {
                 const {
                     orgId,

server/middlewares/integration/index.ts

@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
+export * from "./verifyApiKeyIdpAccess";

server/middlewares/integration/verifyApiKeyIdpAccess.ts

@@ -0,0 +1,88 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { idp, idpOrg, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyIdpAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!idpId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any IDP in any org
+            return next();
+        }
+
+        const [idpRes] = await db
+            .select()
+            .from(idp)
+            .innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
+            .where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
+            .limit(1);
+
+        if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `IdP with ID ${idpId} not found for organization ${orgId}`
+                )
+            );
+        }
+
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
+                    )
+                );
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying IDP access"
+            )
+        );
+    }
+}

server/private/lib/config.ts

@@ -139,6 +139,10 @@ export class PrivateConfig {
             process.env.USE_PANGOLIN_DNS =
                 this.rawPrivateConfig.flags.use_pangolin_dns.toString();
         }
+        if (this.rawPrivateConfig.flags.use_org_only_idp) {
+            process.env.USE_ORG_ONLY_IDP =
+                this.rawPrivateConfig.flags.use_org_only_idp.toString();
+        }
     }
 
     public getRawPrivateConfig() {

server/private/lib/exitNodes/exitNodeComms.ts

@@ -50,10 +50,14 @@ export async function sendToExitNode(
             );
         }
 
-        return sendToClient(remoteExitNode.remoteExitNodeId, {
-            type: request.remoteType,
-            data: request.data
-        });
+        return sendToClient(
+            remoteExitNode.remoteExitNodeId,
+            {
+                type: request.remoteType,
+                data: request.data
+            },
+            { incrementConfigVersion: true }
+        );
     } else {
         let hostname = exitNode.reachableAt;
 

server/private/lib/exitNodes/exitNodes.ts

@@ -288,7 +288,7 @@ export function selectBestExitNode(
     const validNodes = pingResults.filter((n) => !n.error && n.weight > 0);
 
     if (validNodes.length === 0) {
-        logger.error("No valid exit nodes available");
+        logger.debug("No valid exit nodes available");
         return null;
     }
 

server/private/lib/lock.ts

@@ -24,7 +24,9 @@ export class LockManager {
      */
     async acquireLock(
         lockKey: string,
-        ttlMs: number = 30000
+        ttlMs: number = 30000,
+        maxRetries: number = 3,
+        retryDelayMs: number = 100
     ): Promise<boolean> {
         if (!redis || !redis.status || redis.status !== "ready") {
             return true;
@@ -35,49 +37,67 @@ export class LockManager {
         }:${Date.now()}`;
         const redisKey = `lock:${lockKey}`;
 
-        try {
-            // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
-            // This is atomic and handles both setting and expiration
-            const result = await redis.set(
-                redisKey,
-                lockValue,
-                "PX",
-                ttlMs,
-                "NX"
-            );
-
-            if (result === "OK") {
-                logger.debug(
-                    `Lock acquired: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
+        for (let attempt = 0; attempt < maxRetries; attempt++) {
+            try {
+                // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
+                // This is atomic and handles both setting and expiration
+                const result = await redis.set(
+                    redisKey,
+                    lockValue,
+                    "PX",
+                    ttlMs,
+                    "NX"
                 );
-                return true;
-            }
 
-            // Check if the existing lock is from this worker (reentrant behavior)
-            const existingValue = await redis.get(redisKey);
-            if (
-                existingValue &&
-                existingValue.startsWith(
-                    `${config.getRawConfig().gerbil.exit_node_name}:`
-                )
-            ) {
-                // Extend the lock TTL since it's the same worker
-                await redis.pexpire(redisKey, ttlMs);
-                logger.debug(
-                    `Lock extended: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
-                );
-                return true;
-            }
+                if (result === "OK") {
+                    logger.debug(
+                        `Lock acquired: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
 
-            return false;
-        } catch (error) {
-            logger.error(`Failed to acquire lock ${lockKey}:`, error);
-            return false;
+                // Check if the existing lock is from this worker (reentrant behavior)
+                const existingValue = await redis.get(redisKey);
+                if (
+                    existingValue &&
+                    existingValue.startsWith(
+                        `${config.getRawConfig().gerbil.exit_node_name}:`
+                    )
+                ) {
+                    // Extend the lock TTL since it's the same worker
+                    await redis.pexpire(redisKey, ttlMs);
+                    logger.debug(
+                        `Lock extended: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
+
+                // If this isn't our last attempt, wait before retrying with exponential backoff
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    logger.debug(
+                        `Lock ${lockKey} not available, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`
+                    );
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            } catch (error) {
+                logger.error(`Failed to acquire lock ${lockKey} (attempt ${attempt + 1}/${maxRetries}):`, error);
+                // On error, still retry if we have attempts left
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            }
         }
+
+        logger.debug(
+            `Failed to acquire lock ${lockKey} after ${maxRetries} attempts`
+        );
+        return false;
     }
 
     /**

server/private/lib/readConfigFile.ts

@@ -83,7 +83,8 @@ export const privateConfigSchema = z.object({
     flags: z
         .object({
             enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false)
+            use_pangolin_dns: z.boolean().optional().default(false),
+            use_org_only_idp: z.boolean().optional().default(false)
         })
         .optional()
         .prefault({}),

server/private/lib/redis.ts

@@ -573,6 +573,20 @@ class RedisManager {
         }
     }
 
+    public async incr(key: string): Promise<number> {
+        if (!this.isRedisEnabled() || !this.writeClient) return 0;
+
+        try {
+            return await this.executeWithRetry(
+                () => this.writeClient!.incr(key),
+                "Redis INCR"
+            );
+        } catch (error) {
+            logger.error("Redis INCR error:", error);
+            return 0;
+        }
+    }
+
     public async sadd(key: string, member: string): Promise<boolean> {
         if (!this.isRedisEnabled() || !this.writeClient) return false;
 

server/private/lib/traefik/getTraefikConfig.ts

@@ -456,11 +456,11 @@ export async function getTraefikConfig(
                     // );
                 } else if (resource.maintenanceModeType === "automatic") {
                     showMaintenancePage = !hasHealthyServers;
-                    if (showMaintenancePage) {
-                        logger.warn(
-                            `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
-                        );
-                    }
+                    // if (showMaintenancePage) {
+                    //     logger.warn(
+                    //         `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
+                    //     );
+                    // }
                 }
             }
 

server/private/middlewares/verifySubscription.ts

@@ -27,7 +27,18 @@ export async function verifyValidSubscription(
             return next();
         }
 
-        const tier = await getOrgTierData(req.params.orgId);
+        const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Organization ID is required to verify subscription"
+                )
+            );
+        }
+
+        const tier = await getOrgTierData(orgId);
 
         if (!tier.active) {
             return next(

server/private/routers/approvals/index.ts

@@ -0,0 +1,15 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./listApprovals";
+export * from "./processPendingApproval";

server/private/routers/approvals/listApprovals.ts

@@ -0,0 +1,188 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import type { Request, Response, NextFunction } from "express";
+import { build } from "@server/build";
+import { getOrgTierData } from "@server/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+import { approvals, clients, db, users, type Approval } from "@server/db";
+import { eq, isNull, sql, not, and, desc } from "drizzle-orm";
+import response from "@server/lib/response";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const querySchema = z.strictObject({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    approvalState: z
+        .enum(["pending", "approved", "denied", "all"])
+        .optional()
+        .default("all")
+        .catch("all")
+});
+
+async function queryApprovals(
+    orgId: string,
+    limit: number,
+    offset: number,
+    approvalState: z.infer<typeof querySchema>["approvalState"]
+) {
+    let state: Array<Approval["decision"]> = [];
+    switch (approvalState) {
+        case "pending":
+            state = ["pending"];
+            break;
+        case "approved":
+            state = ["approved"];
+            break;
+        case "denied":
+            state = ["denied"];
+            break;
+        default:
+            state = ["approved", "denied", "pending"];
+    }
+
+    const res = await db
+        .select({
+            approvalId: approvals.approvalId,
+            orgId: approvals.orgId,
+            clientId: approvals.clientId,
+            decision: approvals.decision,
+            type: approvals.type,
+            user: {
+                name: users.name,
+                userId: users.userId,
+                username: users.username
+            }
+        })
+        .from(approvals)
+        .innerJoin(users, and(eq(approvals.userId, users.userId)))
+        .leftJoin(
+            clients,
+            and(
+                eq(approvals.clientId, clients.clientId),
+                not(isNull(clients.userId)) // only user devices
+            )
+        )
+        .where(
+            and(
+                eq(approvals.orgId, orgId),
+                sql`${approvals.decision} in ${state}`
+            )
+        )
+        .orderBy(
+            sql`CASE ${approvals.decision} WHEN 'pending' THEN 0 ELSE 1 END`,
+            desc(approvals.timestamp)
+        )
+        .limit(limit)
+        .offset(offset);
+    return res;
+}
+
+export type ListApprovalsResponse = {
+    approvals: NonNullable<Awaited<ReturnType<typeof queryApprovals>>>;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listApprovals(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+        const { limit, offset, approvalState } = parsedQuery.data;
+
+        const { orgId } = parsedParams.data;
+
+        if (build === "saas") {
+            const { tier } = await getOrgTierData(orgId);
+            const subscribed = tier === TierId.STANDARD;
+            if (!subscribed) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "This organization's current plan does not support this feature."
+                    )
+                );
+            }
+        }
+
+        const approvalsList = await queryApprovals(
+            orgId.toString(),
+            limit,
+            offset,
+            approvalState
+        );
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(approvals);
+
+        return response<ListApprovalsResponse>(res, {
+            data: {
+                approvals: approvalsList,
+                pagination: {
+                    total: count,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Approvals retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/approvals/processPendingApproval.ts

@@ -0,0 +1,142 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import { build } from "@server/build";
+import { approvals, clients, db, orgs, type Approval } from "@server/db";
+import { getOrgTierData } from "@server/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+import response from "@server/lib/response";
+import { and, eq, type InferInsertModel } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string(),
+    approvalId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const bodySchema = z.strictObject({
+    decision: z.enum(["approved", "denied"])
+});
+
+export type ProcessApprovalResponse = Approval;
+
+export async function processPendingApproval(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId, approvalId } = parsedParams.data;
+
+        if (build === "saas") {
+            const { tier } = await getOrgTierData(orgId);
+            const subscribed = tier === TierId.STANDARD;
+            if (!subscribed) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "This organization's current plan does not support this feature."
+                    )
+                );
+            }
+        }
+
+        const updateData = parsedBody.data;
+
+        const approval = await db
+            .select()
+            .from(approvals)
+            .where(
+                and(
+                    eq(approvals.approvalId, approvalId),
+                    eq(approvals.decision, "pending")
+                )
+            )
+            .innerJoin(orgs, eq(approvals.orgId, approvals.orgId))
+            .limit(1);
+
+        if (approval.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Pending Approval with ID ${approvalId} not found`
+                )
+            );
+        }
+
+        const [updatedApproval] = await db
+            .update(approvals)
+            .set(updateData)
+            .where(eq(approvals.approvalId, approvalId))
+            .returning();
+
+        // Update user device approval state too
+        if (
+            updatedApproval.type === "user_device" &&
+            updatedApproval.clientId
+        ) {
+            const updateDataBody: Partial<InferInsertModel<typeof clients>> = {
+                approvalState: updateData.decision
+            };
+
+            if (updateData.decision === "denied") {
+                updateDataBody.blocked = true;
+            }
+
+            await db
+                .update(clients)
+                .set(updateDataBody)
+                .where(eq(clients.clientId, updatedApproval.clientId));
+        }
+
+        return response(res, {
+            data: updatedApproval,
+            success: true,
+            error: false,
+            message: "Approval updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/private/routers/external.ts

@@ -24,6 +24,7 @@ import * as generateLicense from "./generatedLicense";
 import * as logs from "#private/routers/auditLogs";
 import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
+import * as approval from "#private/routers/approvals";
 
 import {
     verifyOrgAccess,
@@ -311,6 +312,24 @@ authenticated.get(
     loginPage.getLoginPage
 );
 
+authenticated.get(
+    "/org/:orgId/approvals",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listApprovals),
+    logActionAudit(ActionsEnum.listApprovals),
+    approval.listApprovals
+);
+
+authenticated.put(
+    "/org/:orgId/approvals/:approvalId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.updateApprovals),
+    logActionAudit(ActionsEnum.updateApprovals),
+    approval.processPendingApproval
+);
+
 authenticated.get(
     "/org/:orgId/login-page-branding",
     verifyValidLicense,
@@ -436,18 +455,18 @@ authenticated.get(
 
 authenticated.post(
     "/re-key/:clientId/regenerate-client-secret",
+    verifyClientAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifyClientAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateClientSecret
 );
 
 authenticated.post(
     "/re-key/:siteId/regenerate-site-secret",
+    verifySiteAccess, // this is first to set the org id
     verifyValidLicense,
     verifyValidSubscription,
-    verifySiteAccess,
     verifyUserHasAction(ActionsEnum.reGenerateSecret),
     reKey.reGenerateSiteSecret
 );

server/private/routers/integration.ts

@@ -18,7 +18,8 @@ import * as logs from "#private/routers/auditLogs";
 import {
     verifyApiKeyHasAction,
     verifyApiKeyIsRoot,
-    verifyApiKeyOrgAccess
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess
 } from "@server/middlewares";
 import {
     verifyValidSubscription,
@@ -31,6 +32,8 @@ import {
     authenticated as a
 } from "@server/routers/integration";
 import { logActionAudit } from "#private/middlewares";
+import config from "#private/lib/config";
+import { build } from "@server/build";
 
 export const unauthenticated = ua;
 export const authenticated = a;
@@ -88,3 +91,49 @@ authenticated.get(
     logActionAudit(ActionsEnum.exportLogs),
     logs.exportAccessAuditLogs
 );
+
+authenticated.put(
+    "/org/:orgId/idp/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createIdp),
+    logActionAudit(ActionsEnum.createIdp),
+    orgIdp.createOrgOidcIdp
+);
+
+authenticated.post(
+    "/org/:orgId/idp/:idpId/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateIdp),
+    logActionAudit(ActionsEnum.updateIdp),
+    orgIdp.updateOrgOidcIdp
+);
+
+authenticated.delete(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
+    logActionAudit(ActionsEnum.deleteIdp),
+    orgIdp.deleteOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.getIdp),
+    orgIdp.getOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    orgIdp.listOrgIdps
+);

server/private/routers/loginPage/getLoginPageBranding.ts

@@ -29,11 +29,9 @@ import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
 
-const paramsSchema = z
-    .object({
-        orgId: z.string()
-    })
-    .strict();
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
 
 export async function getLoginPageBranding(
     req: Request,

server/private/routers/loginPage/upsertLoginPageBranding.ts

@@ -28,6 +28,7 @@ import { eq, InferInsertModel } from "drizzle-orm";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
+import config from "@server/private/lib/config";
 
 const paramsSchema = z.strictObject({
     orgId: z.string()
@@ -94,8 +95,10 @@ export async function upsertLoginPageBranding(
             typeof loginPageBranding
         >;
 
-        if (build !== "saas") {
-            // org branding settings are only considered in the saas build
+        if (
+            build !== "saas" &&
+            !config.getRawPrivateConfig().flags.use_org_only_idp
+        ) {
             const { orgTitle, orgSubtitle, ...rest } = updateData;
             updateData = rest;
         }

server/private/routers/orgIdp/createOrgOidcIdp.ts

@@ -43,25 +43,27 @@ const bodySchema = z.strictObject({
     scopes: z.string().nonempty(),
     autoProvision: z.boolean().optional(),
     variant: z.enum(["oidc", "google", "azure"]).optional().default("oidc"),
-    roleMapping: z.string().optional()
+    roleMapping: z.string().optional(),
+    tags: z.string().optional()
 });
 
-// registry.registerPath({
-//     method: "put",
-//     path: "/idp/oidc",
-//     description: "Create an OIDC IdP.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         body: {
-//             content: {
-//                 "application/json": {
-//                     schema: bodySchema
-//                 }
-//             }
-//         }
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "put",
+    path: "/org/{orgId}/idp/oidc",
+    description: "Create an OIDC IdP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
 
 export async function createOrgOidcIdp(
     req: Request,
@@ -103,7 +105,8 @@ export async function createOrgOidcIdp(
             name,
             autoProvision,
             variant,
-            roleMapping
+            roleMapping,
+            tags
         } = parsedBody.data;
 
         if (build === "saas") {
@@ -131,7 +134,8 @@ export async function createOrgOidcIdp(
                 .values({
                     name,
                     autoProvision,
-                    type: "oidc"
+                    type: "oidc",
+                    tags
                 })
                 .returning();
 

server/private/routers/orgIdp/deleteOrgIdp.ts

@@ -32,9 +32,9 @@ const paramsSchema = z
 
 registry.registerPath({
     method: "delete",
-    path: "/idp/{idpId}",
-    description: "Delete IDP.",
-    tags: [OpenAPITags.Idp],
+    path: "/org/{orgId}/idp/{idpId}",
+    description: "Delete IDP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
     request: {
         params: paramsSchema
     },

server/private/routers/orgIdp/getOrgIdp.ts

@@ -48,16 +48,16 @@ async function query(idpId: number, orgId: string) {
     return res;
 }
 
-// registry.registerPath({
-//     method: "get",
-//     path: "/idp/{idpId}",
-//     description: "Get an IDP by its IDP ID.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         params: paramsSchema
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "get",
+    path: "/org/:orgId/idp/:idpId",
+    description: "Get an IDP by its IDP ID for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
 
 export async function getOrgIdp(
     req: Request,

server/private/routers/orgIdp/listOrgIdps.ts

@@ -50,7 +50,8 @@ async function query(orgId: string, limit: number, offset: number) {
             orgId: idpOrg.orgId,
             name: idp.name,
             type: idp.type,
-            variant: idpOidcConfig.variant
+            variant: idpOidcConfig.variant,
+            tags: idp.tags
         })
         .from(idpOrg)
         .where(eq(idpOrg.orgId, orgId))
@@ -62,16 +63,17 @@ async function query(orgId: string, limit: number, offset: number) {
     return res;
 }
 
-// registry.registerPath({
-//     method: "get",
-//     path: "/idp",
-//     description: "List all IDP in the system.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         query: querySchema
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/idp",
+    description: "List all IDP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        query: querySchema,
+        params: paramsSchema
+    },
+    responses: {}
+});
 
 export async function listOrgIdps(
     req: Request,

server/private/routers/orgIdp/updateOrgOidcIdp.ts

@@ -46,30 +46,31 @@ const bodySchema = z.strictObject({
     namePath: z.string().optional(),
     scopes: z.string().optional(),
     autoProvision: z.boolean().optional(),
-    roleMapping: z.string().optional()
+    roleMapping: z.string().optional(),
+    tags: z.string().optional()
 });
 
 export type UpdateOrgIdpResponse = {
     idpId: number;
 };
 
-// registry.registerPath({
-//     method: "post",
-//     path: "/idp/{idpId}/oidc",
-//     description: "Update an OIDC IdP.",
-//     tags: [OpenAPITags.Idp],
-//     request: {
-//         params: paramsSchema,
-//         body: {
-//             content: {
-//                 "application/json": {
-//                     schema: bodySchema
-//                 }
-//             }
-//         }
-//     },
-//     responses: {}
-// });
+registry.registerPath({
+    method: "post",
+    path: "/org/{orgId}/idp/{idpId}/oidc",
+    description: "Update an OIDC IdP for a specific organization.",
+    tags: [OpenAPITags.Idp, OpenAPITags.Org],
+    request: {
+        params: paramsSchema,
+        body: {
+            content: {
+                "application/json": {
+                    schema: bodySchema
+                }
+            }
+        }
+    },
+    responses: {}
+});
 
 export async function updateOrgOidcIdp(
     req: Request,
@@ -109,7 +110,8 @@ export async function updateOrgOidcIdp(
             namePath,
             name,
             autoProvision,
-            roleMapping
+            roleMapping,
+            tags
         } = parsedBody.data;
 
         if (build === "saas") {
@@ -167,7 +169,8 @@ export async function updateOrgOidcIdp(
         await db.transaction(async (trx) => {
             const idpData = {
                 name,
-                autoProvision
+                autoProvision,
+                tags
             };
 
             // only update if at least one key is not undefined

server/private/routers/ws/ws.ts

@@ -43,7 +43,8 @@ import {
     WSMessage,
     TokenPayload,
     WebSocketRequest,
-    RedisMessage
+    RedisMessage,
+    SendMessageOptions
 } from "@server/routers/ws";
 import { validateSessionToken } from "@server/auth/sessions/app";
 
@@ -118,12 +119,21 @@ const processMessage = async (
             if (response.broadcast) {
                 await broadcastToAllExcept(
                     response.message,
-                    response.excludeSender ? clientId : undefined
+                    response.excludeSender ? clientId : undefined,
+                    response.options
                 );
             } else if (response.targetClientId) {
-                await sendToClient(response.targetClientId, response.message);
+                await sendToClient(
+                    response.targetClientId,
+                    response.message,
+                    response.options
+                );
             } else {
-                ws.send(JSON.stringify(response.message));
+                await sendToClient(
+                    clientId,
+                    response.message,
+                    response.options
+                );
             }
         }
     } catch (error) {
@@ -172,6 +182,9 @@ const REDIS_CHANNEL = "websocket_messages";
 // Client tracking map (local to this node)
 const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
 
+// Config version tracking map (local to this node, resets on server restart)
+const clientConfigVersions: Map<string, number> = new Map();
+
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
 
@@ -182,6 +195,8 @@ const getClientMapKey = (clientId: string) => clientId;
 const getConnectionsKey = (clientId: string) => `ws:connections:${clientId}`;
 const getNodeConnectionsKey = (nodeId: string, clientId: string) =>
     `ws:node:${nodeId}:${clientId}`;
+const getConfigVersionKey = (clientId: string) =>
+    `ws:configVersion:${clientId}`;
 
 // Initialize Redis subscription for cross-node messaging
 const initializeRedisSubscription = async (): Promise<void> => {
@@ -304,6 +319,45 @@ const addClient = async (
     existingClients.push(ws);
     connectedClients.set(mapKey, existingClients);
 
+    // Get or initialize config version
+    let configVersion = 0;
+
+    // Check Redis first if enabled
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const redisVersion = await redisManager.get(getConfigVersionKey(clientId));
+            if (redisVersion !== null) {
+                configVersion = parseInt(redisVersion, 10);
+                // Sync to local cache
+                clientConfigVersions.set(clientId, configVersion);
+            } else if (!clientConfigVersions.has(clientId)) {
+                // No version in Redis or local cache, initialize to 0
+                await redisManager.set(getConfigVersionKey(clientId), "0");
+                clientConfigVersions.set(clientId, 0);
+            } else {
+                // Use local cache version and sync to Redis
+                configVersion = clientConfigVersions.get(clientId) || 0;
+                await redisManager.set(getConfigVersionKey(clientId), configVersion.toString());
+            }
+        } catch (error) {
+            logger.error("Failed to get/set config version in Redis:", error);
+            // Fall back to local cache
+            if (!clientConfigVersions.has(clientId)) {
+                clientConfigVersions.set(clientId, 0);
+            }
+            configVersion = clientConfigVersions.get(clientId) || 0;
+        }
+    } else {
+        // Redis not enabled, use local cache only
+        if (!clientConfigVersions.has(clientId)) {
+            clientConfigVersions.set(clientId, 0);
+        }
+        configVersion = clientConfigVersions.get(clientId) || 0;
+    }
+
+    // Set config version on websocket
+    ws.configVersion = configVersion;
+
     // Add to Redis tracking if enabled
     if (redisManager.isRedisEnabled()) {
         try {
@@ -322,7 +376,7 @@ const addClient = async (
     }
 
     logger.info(
-        `Client added to tracking - ${clientType.toUpperCase()} ID: ${clientId}, Connection ID: ${connectionId}, Total connections: ${existingClients.length}`
+        `Client added to tracking - ${clientType.toUpperCase()} ID: ${clientId}, Connection ID: ${connectionId}, Total connections: ${existingClients.length}, Config version: ${configVersion}`
     );
 };
 
@@ -377,53 +431,133 @@ const removeClient = async (
     }
 };
 
+// Helper to get the current config version for a client
+const getClientConfigVersion = async (clientId: string): Promise<number | undefined> => {
+    // Try Redis first if available
+    if (redisManager.isRedisEnabled()) {
+        try {
+            const redisVersion = await redisManager.get(
+                getConfigVersionKey(clientId)
+            );
+            if (redisVersion !== null) {
+                const version = parseInt(redisVersion, 10);
+                // Sync local cache with Redis
+                clientConfigVersions.set(clientId, version);
+                return version;
+            }
+        } catch (error) {
+            logger.error("Failed to get config version from Redis:", error);
+        }
+    }
+
+    // Fall back to local cache
+    return clientConfigVersions.get(clientId);
+};
+
+// Helper to increment and get the new config version for a client
+const incrementClientConfigVersion = async (
+    clientId: string
+): Promise<number> => {
+    let newVersion: number;
+
+    if (redisManager.isRedisEnabled()) {
+        try {
+            // Use Redis INCR for atomic increment across nodes
+            newVersion = await redisManager.incr(getConfigVersionKey(clientId));
+            // Sync local cache
+            clientConfigVersions.set(clientId, newVersion);
+            return newVersion;
+        } catch (error) {
+            logger.error("Failed to increment config version in Redis:", error);
+            // Fall through to local increment
+        }
+    }
+
+    // Local increment
+    const currentVersion = clientConfigVersions.get(clientId) || 0;
+    newVersion = currentVersion + 1;
+    clientConfigVersions.set(clientId, newVersion);
+    return newVersion;
+};
+
 // Local message sending (within this node)
 const sendToClientLocal = async (
     clientId: string,
-    message: WSMessage
+    message: WSMessage,
+    options: SendMessageOptions = {}
 ): Promise<boolean> => {
     const mapKey = getClientMapKey(clientId);
     const clients = connectedClients.get(mapKey);
     if (!clients || clients.length === 0) {
         return false;
     }
-    const messageString = JSON.stringify(message);
+
+    // Handle config version
+    let configVersion = await getClientConfigVersion(clientId);
+
+    // Add config version to message
+    const messageWithVersion = {
+        ...message,
+        configVersion
+    };
+
+    const messageString = JSON.stringify(messageWithVersion);
     clients.forEach((client) => {
         if (client.readyState === WebSocket.OPEN) {
             client.send(messageString);
         }
     });
 
-    logger.debug(
-        `sendToClient: Message type ${message.type} sent to clientId ${clientId}`
-    );
-
     return true;
 };
 
 const broadcastToAllExceptLocal = async (
     message: WSMessage,
-    excludeClientId?: string
+    excludeClientId?: string,
+    options: SendMessageOptions = {}
 ): Promise<void> => {
-    connectedClients.forEach((clients, mapKey) => {
+    for (const [mapKey, clients] of connectedClients.entries()) {
         const [type, id] = mapKey.split(":");
-        if (!(excludeClientId && id === excludeClientId)) {
+        const clientId = mapKey; // mapKey is the clientId
+        if (!(excludeClientId && clientId === excludeClientId)) {
+            // Handle config version per client
+            let configVersion = await getClientConfigVersion(clientId);
+            if (options.incrementConfigVersion) {
+                configVersion = await incrementClientConfigVersion(clientId);
+            }
+
+            // Add config version to message
+            const messageWithVersion = {
+                ...message,
+                configVersion
+            };
+
             clients.forEach((client) => {
                 if (client.readyState === WebSocket.OPEN) {
-                    client.send(JSON.stringify(message));
+                    client.send(JSON.stringify(messageWithVersion));
                 }
             });
         }
-    });
+    }
 };
 
 // Cross-node message sending (via Redis)
 const sendToClient = async (
     clientId: string,
-    message: WSMessage
+    message: WSMessage,
+    options: SendMessageOptions = {}
 ): Promise<boolean> => {
+    let configVersion = await getClientConfigVersion(clientId);
+    if (options.incrementConfigVersion) {
+        configVersion = await incrementClientConfigVersion(clientId);
+    }
+
+    logger.debug(
+        `sendToClient: Message type ${message.type} sent to clientId ${clientId} (new configVersion: ${configVersion})`
+    );
+
     // Try to send locally first
-    const localSent = await sendToClientLocal(clientId, message);
+    const localSent = await sendToClientLocal(clientId, message, options);
 
     // Only send via Redis if the client is not connected locally and Redis is enabled
     if (!localSent && redisManager.isRedisEnabled()) {
@@ -431,7 +565,10 @@ const sendToClient = async (
             const redisMessage: RedisMessage = {
                 type: "direct",
                 targetClientId: clientId,
-                message,
+                message: {
+                    ...message,
+                    configVersion
+                },
                 fromNodeId: NODE_ID
             };
 
@@ -458,19 +595,22 @@ const sendToClient = async (
 
 const broadcastToAllExcept = async (
     message: WSMessage,
-    excludeClientId?: string
+    excludeClientId?: string,
+    options: SendMessageOptions = {}
 ): Promise<void> => {
     // Broadcast locally
-    await broadcastToAllExceptLocal(message, excludeClientId);
+    await broadcastToAllExceptLocal(message, excludeClientId, options);
 
     // If Redis is enabled, also broadcast via Redis pub/sub to other nodes
+    // Note: For broadcasts, we include the options so remote nodes can handle versioning
     if (redisManager.isRedisEnabled()) {
         try {
             const redisMessage: RedisMessage = {
                 type: "broadcast",
                 excludeClientId,
                 message,
-                fromNodeId: NODE_ID
+                fromNodeId: NODE_ID,
+                options
             };
 
             await redisManager.publish(
@@ -936,5 +1076,6 @@ export {
     getActiveNodes,
     disconnectClient,
     NODE_ID,
-    cleanup
+    cleanup,
+    getClientConfigVersion
 };

server/routers/auth/index.ts

@@ -17,3 +17,4 @@ export * from "./securityKey";
 export * from "./startDeviceWebAuth";
 export * from "./verifyDeviceWebAuth";
 export * from "./pollDeviceWebAuth";
+export * from "./lookupUser";

server/routers/auth/lookupUser.ts

@@ -0,0 +1,224 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import {
+    users,
+    userOrgs,
+    orgs,
+    idpOrg,
+    idp,
+    idpOidcConfig
+} from "@server/db";
+import { eq, or, sql, and, isNotNull, inArray } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { UserType } from "@server/types/UserTypes";
+
+const lookupBodySchema = z.strictObject({
+    identifier: z.string().min(1).toLowerCase()
+});
+
+export type LookupUserResponse = {
+    found: boolean;
+    identifier: string;
+    accounts: Array<{
+        userId: string;
+        email: string | null;
+        username: string;
+        hasInternalAuth: boolean;
+        orgs: Array<{
+            orgId: string;
+            orgName: string;
+            idps: Array<{
+                idpId: number;
+                name: string;
+                variant: string | null;
+            }>;
+            hasInternalAuth: boolean;
+        }>;
+    }>;
+};
+
+// registry.registerPath({
+//     method: "post",
+//     path: "/auth/lookup-user",
+//     description: "Lookup user accounts by username or email and return available authentication methods.",
+//     tags: [OpenAPITags.Auth],
+//     request: {
+//         body: lookupBodySchema
+//     },
+//     responses: {}
+// });
+
+export async function lookupUser(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedBody = lookupBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { identifier } = parsedBody.data;
+
+        // Query users matching identifier (case-insensitive)
+        // Match by username OR email
+        const matchingUsers = await db
+            .select({
+                userId: users.userId,
+                email: users.email,
+                username: users.username,
+                type: users.type,
+                passwordHash: users.passwordHash,
+                idpId: users.idpId
+            })
+            .from(users)
+            .where(
+                or(
+                    sql`LOWER(${users.username}) = ${identifier}`,
+                    sql`LOWER(${users.email}) = ${identifier}`
+                )
+            );
+
+        if (!matchingUsers || matchingUsers.length === 0) {
+            return response<LookupUserResponse>(res, {
+                data: {
+                    found: false,
+                    identifier,
+                    accounts: []
+                },
+                success: true,
+                error: false,
+                message: "No accounts found",
+                status: HttpCode.OK
+            });
+        }
+
+        // Get unique user IDs
+        const userIds = [...new Set(matchingUsers.map((u) => u.userId))];
+
+        // Get all org memberships for these users
+        const orgMemberships = await db
+            .select({
+                userId: userOrgs.userId,
+                orgId: userOrgs.orgId,
+                orgName: orgs.name
+            })
+            .from(userOrgs)
+            .innerJoin(orgs, eq(orgs.orgId, userOrgs.orgId))
+            .where(inArray(userOrgs.userId, userIds));
+
+        // Get unique org IDs
+        const orgIds = [...new Set(orgMemberships.map((m) => m.orgId))];
+
+        // Get all IdPs for these orgs
+        const orgIdps =
+            orgIds.length > 0
+                ? await db
+                      .select({
+                          orgId: idpOrg.orgId,
+                          idpId: idp.idpId,
+                          idpName: idp.name,
+                          variant: idpOidcConfig.variant
+                      })
+                      .from(idpOrg)
+                      .innerJoin(idp, eq(idp.idpId, idpOrg.idpId))
+                      .innerJoin(
+                          idpOidcConfig,
+                          eq(idpOidcConfig.idpId, idp.idpId)
+                      )
+                      .where(inArray(idpOrg.orgId, orgIds))
+                : [];
+
+        // Build response structure
+        const accounts: LookupUserResponse["accounts"] = [];
+
+        for (const user of matchingUsers) {
+            const hasInternalAuth =
+                user.type === UserType.Internal && user.passwordHash !== null;
+
+            // Get orgs for this user
+            const userOrgMemberships = orgMemberships.filter(
+                (m) => m.userId === user.userId
+            );
+
+            // Deduplicate orgs (user might have multiple memberships in same org)
+            const uniqueOrgs = new Map<string, typeof userOrgMemberships[0]>();
+            for (const membership of userOrgMemberships) {
+                if (!uniqueOrgs.has(membership.orgId)) {
+                    uniqueOrgs.set(membership.orgId, membership);
+                }
+            }
+
+            const orgsData = Array.from(uniqueOrgs.values()).map((membership) => {
+                // Get IdPs for this org where the user (with the exact identifier) is authenticated via that IdP
+                // Only show IdPs where the user's idpId matches
+                // Internal users don't have an idpId, so they won't see any IdPs
+                const orgIdpsList = orgIdps
+                    .filter((idp) => {
+                        if (idp.orgId !== membership.orgId) {
+                            return false;
+                        }
+                        // Only show IdPs where the user (with exact identifier) is authenticated via that IdP
+                        // This means user.idpId must match idp.idpId
+                        if (user.idpId !== null && user.idpId === idp.idpId) {
+                            return true;
+                        }
+                        return false;
+                    })
+                    .map((idp) => ({
+                        idpId: idp.idpId,
+                        name: idp.idpName,
+                        variant: idp.variant
+                    }));
+
+                // Check if user has internal auth for this org
+                // User has internal auth if they have an internal account type
+                const orgHasInternalAuth = hasInternalAuth;
+
+                return {
+                    orgId: membership.orgId,
+                    orgName: membership.orgName,
+                    idps: orgIdpsList,
+                    hasInternalAuth: orgHasInternalAuth
+                };
+            });
+
+            accounts.push({
+                userId: user.userId,
+                email: user.email,
+                username: user.username,
+                hasInternalAuth,
+                orgs: orgsData
+            });
+        }
+
+        return response<LookupUserResponse>(res, {
+            data: {
+                found: true,
+                identifier,
+                accounts
+            },
+            success: true,
+            error: false,
+            message: "User lookup completed",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}

server/routers/auth/verifyDeviceWebAuth.ts

@@ -10,6 +10,7 @@ import { eq, and, gt } from "drizzle-orm";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
 import { unauthorized } from "@server/auth/unauthorizedResponse";
+import { getIosDeviceName, getMacDeviceName } from "@server/db/names";
 
 const bodySchema = z
     .object({
@@ -120,6 +121,11 @@ export async function verifyDeviceWebAuth(
             );
         }
 
+        const deviceName =
+            getMacDeviceName(deviceCode.deviceName) ||
+            getIosDeviceName(deviceCode.deviceName) ||
+            deviceCode.deviceName;
+
         // If verify is false, just return metadata without verifying
         if (!verify) {
             return response<VerifyDeviceWebAuthResponse>(res, {
@@ -129,7 +135,7 @@ export async function verifyDeviceWebAuth(
                     metadata: {
                         ip: deviceCode.ip,
                         city: deviceCode.city,
-                        deviceName: deviceCode.deviceName,
+                        deviceName: deviceName,
                         applicationName: deviceCode.applicationName,
                         createdAt: deviceCode.createdAt
                     }

server/routers/badger/logRequestAudit.ts

@@ -49,27 +49,43 @@ const auditLogBuffer: Array<{
 
 const BATCH_SIZE = 100; // Write to DB every 100 logs
 const BATCH_INTERVAL_MS = 5000; // Or every 5 seconds, whichever comes first
+const MAX_BUFFER_SIZE = 10000; // Prevent unbounded memory growth
 let flushTimer: NodeJS.Timeout | null = null;
+let isFlushInProgress = false;
 
 /**
  * Flush buffered logs to database
  */
 async function flushAuditLogs() {
-    if (auditLogBuffer.length === 0) {
+    if (auditLogBuffer.length === 0 || isFlushInProgress) {
         return;
     }
 
+    isFlushInProgress = true;
+
     // Take all current logs and clear buffer
     const logsToWrite = auditLogBuffer.splice(0, auditLogBuffer.length);
 
     try {
-        // Batch insert all logs at once
-        await db.insert(requestAuditLog).values(logsToWrite);
+        // Batch insert logs in groups of 25 to avoid overwhelming the database
+        const BATCH_DB_SIZE = 25;
+        for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
+            const batch = logsToWrite.slice(i, i + BATCH_DB_SIZE);
+            await db.insert(requestAuditLog).values(batch);
+        }
         logger.debug(`Flushed ${logsToWrite.length} audit logs to database`);
     } catch (error) {
         logger.error("Error flushing audit logs:", error);
         // On error, we lose these logs - consider a fallback strategy if needed
         // (e.g., write to file, or put back in buffer with retry limit)
+    } finally {
+        isFlushInProgress = false;
+        // If buffer filled up while we were flushing, flush again
+        if (auditLogBuffer.length >= BATCH_SIZE) {
+            flushAuditLogs().catch((err) =>
+                logger.error("Error in follow-up flush:", err)
+            );
+        }
     }
 }
 
@@ -95,6 +111,10 @@ export async function shutdownAuditLogger() {
         clearTimeout(flushTimer);
         flushTimer = null;
     }
+    // Force flush even if one is in progress by waiting and retrying
+    while (isFlushInProgress) {
+        await new Promise((resolve) => setTimeout(resolve, 100));
+    }
     await flushAuditLogs();
 }
 
@@ -212,6 +232,14 @@ export async function logRequestAudit(
             ? stripPortFromHost(body.requestIp)
             : undefined;
 
+        // Prevent unbounded buffer growth - drop oldest entries if buffer is too large
+        if (auditLogBuffer.length >= MAX_BUFFER_SIZE) {
+            const dropped = auditLogBuffer.splice(0, BATCH_SIZE);
+            logger.warn(
+                `Audit log buffer exceeded max size (${MAX_BUFFER_SIZE}), dropped ${dropped.length} oldest entries`
+            );
+        }
+
         // Add to buffer instead of writing directly to DB
         auditLogBuffer.push({
             timestamp,

server/routers/badger/verifySession.ts

@@ -942,7 +942,7 @@ async function isUserAllowedToAccessResource(
             username: user.username,
             email: user.email,
             name: user.name,
-            role: user.role
+            role: userOrgRole.roleName
         };
     }
 
@@ -956,7 +956,7 @@ async function isUserAllowedToAccessResource(
             username: user.username,
             email: user.email,
             name: user.name,
-            role: user.role
+            role: userOrgRole.roleName
         };
     }
 
@@ -1035,14 +1035,25 @@ export function isPathAllowed(pattern: string, path: string): boolean {
     logger.debug(`Normalized pattern parts: [${patternParts.join(", ")}]`);
     logger.debug(`Normalized path parts: [${pathParts.join(", ")}]`);
 
+    // Maximum recursion depth to prevent stack overflow and memory issues
+    const MAX_RECURSION_DEPTH = 100;
+
     // Recursive function to try different wildcard matches
-    function matchSegments(patternIndex: number, pathIndex: number): boolean {
-        const indent = "  ".repeat(pathIndex); // Indent based on recursion depth
+    function matchSegments(patternIndex: number, pathIndex: number, depth: number = 0): boolean {
+        // Check recursion depth limit
+        if (depth > MAX_RECURSION_DEPTH) {
+            logger.warn(
+                `Path matching exceeded maximum recursion depth (${MAX_RECURSION_DEPTH}) for pattern "${pattern}" and path "${path}"`
+            );
+            return false;
+        }
+
+        const indent = "  ".repeat(depth); // Indent based on recursion depth
         const currentPatternPart = patternParts[patternIndex];
         const currentPathPart = pathParts[pathIndex];
 
         logger.debug(
-            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"})`
+            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"}) [depth=${depth}]`
         );
 
         // If we've consumed all pattern parts, we should have consumed all path parts
@@ -1075,7 +1086,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             logger.debug(
                 `${indent}Trying to skip wildcard (consume 0 segments)`
             );
-            if (matchSegments(patternIndex + 1, pathIndex)) {
+            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
                 logger.debug(
                     `${indent}Successfully matched by skipping wildcard`
                 );
@@ -1086,7 +1097,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             logger.debug(
                 `${indent}Trying to consume segment "${currentPathPart}" for wildcard`
             );
-            if (matchSegments(patternIndex, pathIndex + 1)) {
+            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
                 logger.debug(
                     `${indent}Successfully matched by consuming segment for wildcard`
                 );
@@ -1114,7 +1125,7 @@ export function isPathAllowed(pattern: string, path: string): boolean {
                 logger.debug(
                     `${indent}Segment with wildcard matches: "${currentPatternPart}" matches "${currentPathPart}"`
                 );
-                return matchSegments(patternIndex + 1, pathIndex + 1);
+                return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
             }
 
             logger.debug(
@@ -1135,10 +1146,10 @@ export function isPathAllowed(pattern: string, path: string): boolean {
             `${indent}Segments match: "${currentPatternPart}" = "${currentPathPart}"`
         );
         // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1);
+        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
     }
 
-    const result = matchSegments(0, 0);
+    const result = matchSegments(0, 0, 0);
     logger.debug(`Final result: ${result}`);
     return result;
 }

server/routers/client/archiveClient.ts

@@ -0,0 +1,105 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { sendTerminateClient } from "./terminate";
+
+const archiveClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/archive",
+    description: "Archive a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: archiveClientSchema
+    },
+    responses: {}
+});
+
+export async function archiveClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = archiveClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (client.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is already archived`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            // Archive the client
+            await trx
+                .update(clients)
+                .set({ archived: true })
+                .where(eq(clients.clientId, clientId));
+
+            // Rebuild associations to clean up related data
+            await rebuildClientAssociationsFromClient(client, trx);
+
+            // Send terminate signal if there's an associated OLM
+            if (client.olmId) {
+                await sendTerminateClient(client.clientId, client.olmId);
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client archived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to archive client"
+            )
+        );
+    }
+}

server/routers/client/blockClient.ts

@@ -0,0 +1,101 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { sendTerminateClient } from "./terminate";
+
+const blockClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/block",
+    description: "Block a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: blockClientSchema
+    },
+    responses: {}
+});
+
+export async function blockClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = blockClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (client.blocked) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is already blocked`
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            // Block the client
+            await trx
+                .update(clients)
+                .set({ blocked: true, approvalState: "denied" })
+                .where(eq(clients.clientId, clientId));
+
+            // Send terminate signal if there's an associated OLM and it's connected
+            if (client.olmId && client.online) {
+                await sendTerminateClient(client.clientId, client.olmId);
+            }
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client blocked successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to block client"
+            )
+        );
+    }
+}

server/routers/client/deleteClient.ts

@@ -60,11 +60,12 @@ export async function deleteClient(
             );
         }
 
+        // Only allow deletion of machine clients (clients without userId)
         if (client.userId) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
-                    `Cannot delete a user client with this endpoint`
+                    `Cannot delete a user client. User clients must be archived instead.`
                 )
             );
         }

server/routers/client/getClient.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db, olms } from "@server/db";
-import { clients } from "@server/db";
+import { clients, fingerprints } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -10,6 +10,7 @@ import logger from "@server/logger";
 import stoi from "@server/lib/stoi";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
+import { getUserDeviceName } from "@server/db/names";
 
 const getClientSchema = z.strictObject({
     clientId: z
@@ -29,6 +30,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .from(clients)
             .where(eq(clients.clientId, clientId))
             .leftJoin(olms, eq(clients.clientId, olms.clientId))
+            .leftJoin(fingerprints, eq(olms.olmId, fingerprints.olmId))
             .limit(1);
         return res;
     } else if (niceId && orgId) {
@@ -37,6 +39,7 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
             .from(clients)
             .where(and(eq(clients.niceId, niceId), eq(clients.orgId, orgId)))
             .leftJoin(olms, eq(clients.clientId, olms.clientId))
+            .leftJoin(fingerprints, eq(olms.olmId, fingerprints.olmId))
             .limit(1);
         return res;
     }
@@ -105,8 +108,16 @@ export async function getClient(
             );
         }
 
+        // Replace name with device name if OLM exists
+        let clientName = client.clients.name;
+        if (client.olms) {
+            const model = client.fingerprints?.deviceModel || null;
+            clientName = getUserDeviceName(model, client.clients.name);
+        }
+
         const data: GetClientResponse = {
             ...client.clients,
+            name: clientName,
             olmId: client.olms ? client.olms.olmId : null
         };
 

server/routers/client/index.ts

@@ -1,6 +1,10 @@
 export * from "./pickClientDefaults";
 export * from "./createClient";
 export * from "./deleteClient";
+export * from "./archiveClient";
+export * from "./unarchiveClient";
+export * from "./blockClient";
+export * from "./unblockClient";
 export * from "./listClients";
 export * from "./updateClient";
 export * from "./getClient";

server/routers/client/listClients.ts

@@ -5,7 +5,8 @@ import {
     roleClients,
     sites,
     userClients,
-    clientSitesAssociationsCache
+    clientSitesAssociationsCache,
+    fingerprints
 } from "@server/db";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -27,6 +28,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import NodeCache from "node-cache";
 import semver from "semver";
+import { getUserDeviceName } from "@server/db/names";
 
 const olmVersionCache = new NodeCache({ stdTTL: 3600 });
 
@@ -136,12 +138,18 @@ function queryClients(
             username: users.username,
             userEmail: users.email,
             niceId: clients.niceId,
-            agent: olms.agent
+            agent: olms.agent,
+            approvalState: clients.approvalState,
+            olmArchived: olms.archived,
+            archived: clients.archived,
+            blocked: clients.blocked,
+            deviceModel: fingerprints.deviceModel
         })
         .from(clients)
         .leftJoin(orgs, eq(clients.orgId, orgs.orgId))
         .leftJoin(olms, eq(clients.clientId, olms.clientId))
         .leftJoin(users, eq(clients.userId, users.userId))
+        .leftJoin(fingerprints, eq(olms.olmId, fingerprints.olmId))
         .where(and(...conditions));
 }
 
@@ -160,21 +168,22 @@ async function getSiteAssociations(clientIds: number[]) {
         .where(inArray(clientSitesAssociationsCache.clientId, clientIds));
 }
 
-type OlmWithUpdateAvailable = Awaited<ReturnType<typeof queryClients>>[0] & {
+type ClientWithSites = Omit<
+    Awaited<ReturnType<typeof queryClients>>[0],
+    "deviceModel"
+> & {
+    sites: Array<{
+        siteId: number;
+        siteName: string | null;
+        siteNiceId: string | null;
+    }>;
     olmUpdateAvailable?: boolean;
 };
 
+type OlmWithUpdateAvailable = ClientWithSites;
+
 export type ListClientsResponse = {
-    clients: Array<
-        Awaited<ReturnType<typeof queryClients>>[0] & {
-            sites: Array<{
-                siteId: number;
-                siteName: string | null;
-                siteNiceId: string | null;
-            }>;
-            olmUpdateAvailable?: boolean;
-        }
-    >;
+    clients: Array<ClientWithSites>;
     pagination: { total: number; limit: number; offset: number };
 };
 
@@ -304,11 +313,17 @@ export async function listClients(
             >
         );
 
-        // Merge clients with their site associations
-        const clientsWithSites = clientsList.map((client) => ({
-            ...client,
-            sites: sitesByClient[client.clientId] || []
-        }));
+        // Merge clients with their site associations and replace name with device name
+        const clientsWithSites = clientsList.map((client) => {
+            const model = client.deviceModel || null;
+            const newName = getUserDeviceName(model, client.name);
+            const { deviceModel, ...clientWithoutDeviceModel } = client;
+            return {
+                ...clientWithoutDeviceModel,
+                name: newName,
+                sites: sitesByClient[client.clientId] || []
+            };
+        });
 
         const latestOlVersionPromise = getLatestOlmVersion();
 
@@ -347,7 +362,7 @@ export async function listClients(
 
         return response<ListClientsResponse>(res, {
             data: {
-                clients: clientsWithSites,
+                clients: olmsWithUpdates,
                 pagination: {
                     total: totalCount,
                     limit,

server/routers/client/targets.ts

@@ -28,7 +28,7 @@ export async function addTargets(newtId: string, targets: SubnetProxyTarget[]) {
         await sendToClient(newtId, {
             type: `newt/wg/targets/add`,
             data: batches[i]
-        });
+        }, { incrementConfigVersion: true });
     }
 }
 
@@ -44,7 +44,7 @@ export async function removeTargets(
         await sendToClient(newtId, {
             type: `newt/wg/targets/remove`,
             data: batches[i]
-        });
+        },{ incrementConfigVersion: true });
     }
 }
 
@@ -69,7 +69,7 @@ export async function updateTargets(
                 oldTargets: oldBatches[i] || [],
                 newTargets: newBatches[i] || []
             }
-        }).catch((error) => {
+        }, { incrementConfigVersion: true }).catch((error) => {
             logger.warn(`Error sending message:`, error);
         });
     }
@@ -101,7 +101,7 @@ export async function addPeerData(
             remoteSubnets: remoteSubnets,
             aliases: aliases
         }
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -132,7 +132,7 @@ export async function removePeerData(
             remoteSubnets: remoteSubnets,
             aliases: aliases
         }
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }
@@ -173,7 +173,7 @@ export async function updatePeerData(
             ...remoteSubnets,
             ...aliases
         }
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 }

server/routers/client/unarchiveClient.ts

@@ -0,0 +1,93 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const unarchiveClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/unarchive",
+    description: "Unarchive a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: unarchiveClientSchema
+    },
+    responses: {}
+});
+
+export async function unarchiveClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = unarchiveClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (!client.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is not archived`
+                )
+            );
+        }
+
+        // Unarchive the client
+        await db
+            .update(clients)
+            .set({ archived: false })
+            .where(eq(clients.clientId, clientId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client unarchived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unarchive client"
+            )
+        );
+    }
+}

server/routers/client/unblockClient.ts

@@ -0,0 +1,93 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const unblockClientSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/unblock",
+    description: "Unblock a client by its client ID.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: unblockClientSchema
+    },
+    responses: {}
+});
+
+export async function unblockClient(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = unblockClientSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        // Check if client exists
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        if (!client.blocked) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Client with ID ${clientId} is not blocked`
+                )
+            );
+        }
+
+        // Unblock the client
+        await db
+            .update(clients)
+            .set({ blocked: false, approvalState: null })
+            .where(eq(clients.clientId, clientId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client unblocked successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unblock client"
+            )
+        );
+    }
+}

server/routers/external.ts

@@ -174,6 +174,38 @@ authenticated.delete(
     client.deleteClient
 );
 
+authenticated.post(
+    "/client/:clientId/archive",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.archiveClient),
+    logActionAudit(ActionsEnum.archiveClient),
+    client.archiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/unarchive",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.unarchiveClient),
+    logActionAudit(ActionsEnum.unarchiveClient),
+    client.unarchiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/block",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.blockClient),
+    logActionAudit(ActionsEnum.blockClient),
+    client.blockClient
+);
+
+authenticated.post(
+    "/client/:clientId/unblock",
+    verifyClientAccess,
+    verifyUserHasAction(ActionsEnum.unblockClient),
+    logActionAudit(ActionsEnum.unblockClient),
+    client.unblockClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyClientAccess, // this will check if the user has access to the client
@@ -554,6 +586,14 @@ authenticated.get(
     verifyUserHasAction(ActionsEnum.listRoles),
     role.listRoles
 );
+
+authenticated.post(
+    "/org/:orgId/role/:roleId",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.updateRole),
+    logActionAudit(ActionsEnum.updateRole),
+    role.updateRole
+);
 // authenticated.get(
 //     "/role/:roleId",
 //     verifyRoleAccess,
@@ -808,11 +848,18 @@ authenticated.put("/user/:userId/olm", verifyIsLoggedInUser, olm.createUserOlm);
 
 authenticated.get("/user/:userId/olms", verifyIsLoggedInUser, olm.listUserOlms);
 
-authenticated.delete(
-    "/user/:userId/olm/:olmId",
+authenticated.post(
+    "/user/:userId/olm/:olmId/archive",
     verifyIsLoggedInUser,
     verifyOlmAccess,
-    olm.deleteUserOlm
+    olm.archiveUserOlm
+);
+
+authenticated.post(
+    "/user/:userId/olm/:olmId/unarchive",
+    verifyIsLoggedInUser,
+    verifyOlmAccess,
+    olm.unarchiveUserOlm
 );
 
 authenticated.get(
@@ -822,6 +869,12 @@ authenticated.get(
     olm.getUserOlm
 );
 
+authenticated.post(
+    "/user/:userId/olm/recover",
+    verifyIsLoggedInUser,
+    olm.recoverOlmWithFingerprint
+);
+
 authenticated.put(
     "/idp/oidc",
     verifyUserIsServerAdmin,
@@ -1068,6 +1121,21 @@ authRouter.post(
     auth.login
 );
 authRouter.post("/logout", auth.logout);
+authRouter.post(
+    "/lookup-user",
+    rateLimit({
+        windowMs: 15 * 60 * 1000,
+        max: 15,
+        keyGenerator: (req) =>
+            `lookupUser:${req.body.identifier || ipKeyGenerator(req.ip || "")}`,
+        handler: (req, res, next) => {
+            const message = `You can only lookup users ${15} times every ${15} minutes. Please try again later.`;
+            return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));
+        },
+        store: createStore()
+    }),
+    auth.lookupUser
+);
 authRouter.post(
     "/newt/get-token",
     rateLimit({

server/routers/idp/createOidcIdp.ts

@@ -24,7 +24,8 @@ const bodySchema = z.strictObject({
     emailPath: z.string().optional(),
     namePath: z.string().optional(),
     scopes: z.string().nonempty(),
-    autoProvision: z.boolean().optional()
+    autoProvision: z.boolean().optional(),
+    tags: z.string().optional()
 });
 
 export type CreateIdpResponse = {
@@ -75,7 +76,8 @@ export async function createOidcIdp(
             emailPath,
             namePath,
             name,
-            autoProvision
+            autoProvision,
+            tags
         } = parsedBody.data;
 
         const key = config.getRawConfig().server.secret!;
@@ -90,7 +92,8 @@ export async function createOidcIdp(
                 .values({
                     name,
                     autoProvision,
-                    type: "oidc"
+                    type: "oidc",
+                    tags
                 })
                 .returning();
 

server/routers/idp/listIdps.ts

@@ -33,7 +33,8 @@ async function query(limit: number, offset: number) {
             type: idp.type,
             variant: idpOidcConfig.variant,
             orgCount: sql<number>`count(${idpOrg.orgId})`,
-            autoProvision: idp.autoProvision
+            autoProvision: idp.autoProvision,
+            tags: idp.tags
         })
         .from(idp)
         .leftJoin(idpOrg, sql`${idp.idpId} = ${idpOrg.idpId}`)

server/routers/idp/updateOidcIdp.ts

@@ -30,7 +30,8 @@ const bodySchema = z.strictObject({
     scopes: z.string().optional(),
     autoProvision: z.boolean().optional(),
     defaultRoleMapping: z.string().optional(),
-    defaultOrgMapping: z.string().optional()
+    defaultOrgMapping: z.string().optional(),
+    tags: z.string().optional()
 });
 
 export type UpdateIdpResponse = {
@@ -94,7 +95,8 @@ export async function updateOidcIdp(
             name,
             autoProvision,
             defaultRoleMapping,
-            defaultOrgMapping
+            defaultOrgMapping,
+            tags
         } = parsedBody.data;
 
         // Check if IDP exists and is of type OIDC
@@ -127,7 +129,8 @@ export async function updateOidcIdp(
                 name,
                 autoProvision,
                 defaultRoleMapping,
-                defaultOrgMapping
+                defaultOrgMapping,
+                tags
             };
 
             // only update if at least one key is not undefined

server/routers/integration.ts

@@ -467,6 +467,14 @@ authenticated.put(
     role.createRole
 );
 
+authenticated.post(
+    "/org/:orgId/role/:roleId",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateRole),
+    logActionAudit(ActionsEnum.updateRole),
+    role.updateRole
+);
+
 authenticated.get(
     "/org/:orgId/roles",
     verifyApiKeyOrgAccess,
@@ -751,9 +759,10 @@ authenticated.post(
 );
 
 authenticated.get(
-    "/idp",
-    verifyApiKeyIsRoot,
-    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    "/idp", // no guards on this because anyone can list idps for login purposes
+    // we do the same for the external api
+    // verifyApiKeyIsRoot,
+    // verifyApiKeyHasAction(ActionsEnum.listIdps),
     idp.listIdps
 );
 
@@ -842,6 +851,38 @@ authenticated.delete(
     client.deleteClient
 );
 
+authenticated.post(
+    "/client/:clientId/archive",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.archiveClient),
+    logActionAudit(ActionsEnum.archiveClient),
+    client.archiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/unarchive",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.unarchiveClient),
+    logActionAudit(ActionsEnum.unarchiveClient),
+    client.unarchiveClient
+);
+
+authenticated.post(
+    "/client/:clientId/block",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.blockClient),
+    logActionAudit(ActionsEnum.blockClient),
+    client.blockClient
+);
+
+authenticated.post(
+    "/client/:clientId/unblock",
+    verifyApiKeyClientAccess,
+    verifyApiKeyHasAction(ActionsEnum.unblockClient),
+    logActionAudit(ActionsEnum.unblockClient),
+    client.unblockClient
+);
+
 authenticated.post(
     "/client/:clientId",
     verifyApiKeyClientAccess,

server/routers/newt/buildConfiguration.ts

@@ -0,0 +1,278 @@
+import { clients, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, ExitNode, resources, Site, siteResources, targetHealthCheck, targets } from "@server/db";
+import logger from "@server/logger";
+import { initPeerAddHandshake, updatePeer } from "../olm/peers";
+import { eq, and } from "drizzle-orm";
+import config from "@server/lib/config";
+import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
+
+export async function buildClientConfigurationForNewtClient(
+    site: Site,
+    exitNode?: ExitNode
+) {
+    const siteId = site.siteId;
+
+    // Get all clients connected to this site
+    const clientsRes = await db
+        .select()
+        .from(clients)
+        .innerJoin(
+            clientSitesAssociationsCache,
+            eq(clients.clientId, clientSitesAssociationsCache.clientId)
+        )
+        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+
+    let peers: Array<{
+        publicKey: string;
+        allowedIps: string[];
+        endpoint?: string;
+    }> = [];
+
+    if (site.publicKey && site.endpoint && exitNode) {
+        // Prepare peers data for the response
+        peers = await Promise.all(
+            clientsRes
+                .filter((client) => {
+                    if (!client.clients.pubKey) {
+                        logger.warn(
+                            `Client ${client.clients.clientId} has no public key, skipping`
+                        );
+                        return false;
+                    }
+                    if (!client.clients.subnet) {
+                        logger.warn(
+                            `Client ${client.clients.clientId} has no subnet, skipping`
+                        );
+                        return false;
+                    }
+                    return true;
+                })
+                .map(async (client) => {
+                    // Add or update this peer on the olm if it is connected
+
+                    // const allSiteResources = await db // only get the site resources that this client has access to
+                    //     .select()
+                    //     .from(siteResources)
+                    //     .innerJoin(
+                    //         clientSiteResourcesAssociationsCache,
+                    //         eq(
+                    //             siteResources.siteResourceId,
+                    //             clientSiteResourcesAssociationsCache.siteResourceId
+                    //         )
+                    //     )
+                    //     .where(
+                    //         and(
+                    //             eq(siteResources.siteId, site.siteId),
+                    //             eq(
+                    //                 clientSiteResourcesAssociationsCache.clientId,
+                    //                 client.clients.clientId
+                    //             )
+                    //         )
+                    //     );
+
+                    // update the peer info on the olm
+                    // if the peer has not been added yet this will be a no-op
+                    await updatePeer(client.clients.clientId, {
+                        siteId: site.siteId,
+                        endpoint: site.endpoint!,
+                        relayEndpoint: `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`,
+                        publicKey: site.publicKey!,
+                        serverIP: site.address,
+                        serverPort: site.listenPort
+                        // remoteSubnets: generateRemoteSubnets(
+                        //     allSiteResources.map(
+                        //         ({ siteResources }) => siteResources
+                        //     )
+                        // ),
+                        // aliases: generateAliasConfig(
+                        //     allSiteResources.map(
+                        //         ({ siteResources }) => siteResources
+                        //     )
+                        // )
+                    });
+
+                    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
+                    // if it has already been added this will be a no-op
+                    await initPeerAddHandshake(
+                        // this will kick off the add peer process for the client
+                        client.clients.clientId,
+                        {
+                            siteId,
+                            exitNode: {
+                                publicKey: exitNode.publicKey,
+                                endpoint: exitNode.endpoint
+                            }
+                        }
+                    );
+
+                    return {
+                        publicKey: client.clients.pubKey!,
+                        allowedIps: [
+                            `${client.clients.subnet.split("/")[0]}/32`
+                        ], // we want to only allow from that client
+                        endpoint: client.clientSitesAssociationsCache.isRelayed
+                            ? ""
+                            : client.clientSitesAssociationsCache.endpoint! // if its relayed it should be localhost
+                    };
+                })
+        );
+    }
+
+    // Filter out any null values from peers that didn't have an olm
+    const validPeers = peers.filter((peer) => peer !== null);
+
+    // Get all enabled site resources for this site
+    const allSiteResources = await db
+        .select()
+        .from(siteResources)
+        .where(eq(siteResources.siteId, siteId));
+
+    const targetsToSend: SubnetProxyTarget[] = [];
+
+    for (const resource of allSiteResources) {
+        // Get clients associated with this specific resource
+        const resourceClients = await db
+            .select({
+                clientId: clients.clientId,
+                pubKey: clients.pubKey,
+                subnet: clients.subnet
+            })
+            .from(clients)
+            .innerJoin(
+                clientSiteResourcesAssociationsCache,
+                eq(
+                    clients.clientId,
+                    clientSiteResourcesAssociationsCache.clientId
+                )
+            )
+            .where(
+                eq(
+                    clientSiteResourcesAssociationsCache.siteResourceId,
+                    resource.siteResourceId
+                )
+            );
+
+        const resourceTargets = generateSubnetProxyTargets(
+            resource,
+            resourceClients
+        );
+
+        targetsToSend.push(...resourceTargets);
+    }
+
+    return {
+        peers: validPeers,
+        targets: targetsToSend
+    };
+}
+
+export async function buildTargetConfigurationForNewtClient(siteId: number) {
+    // Get all enabled targets with their resource protocol information
+    const allTargets = await db
+        .select({
+            resourceId: targets.resourceId,
+            targetId: targets.targetId,
+            ip: targets.ip,
+            method: targets.method,
+            port: targets.port,
+            internalPort: targets.internalPort,
+            enabled: targets.enabled,
+            protocol: resources.protocol,
+            hcEnabled: targetHealthCheck.hcEnabled,
+            hcPath: targetHealthCheck.hcPath,
+            hcScheme: targetHealthCheck.hcScheme,
+            hcMode: targetHealthCheck.hcMode,
+            hcHostname: targetHealthCheck.hcHostname,
+            hcPort: targetHealthCheck.hcPort,
+            hcInterval: targetHealthCheck.hcInterval,
+            hcUnhealthyInterval: targetHealthCheck.hcUnhealthyInterval,
+            hcTimeout: targetHealthCheck.hcTimeout,
+            hcHeaders: targetHealthCheck.hcHeaders,
+            hcMethod: targetHealthCheck.hcMethod,
+            hcTlsServerName: targetHealthCheck.hcTlsServerName
+        })
+        .from(targets)
+        .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
+        .leftJoin(
+            targetHealthCheck,
+            eq(targets.targetId, targetHealthCheck.targetId)
+        )
+        .where(and(eq(targets.siteId, siteId), eq(targets.enabled, true)));
+
+    const { tcpTargets, udpTargets } = allTargets.reduce(
+        (acc, target) => {
+            // Filter out invalid targets
+            if (!target.internalPort || !target.ip || !target.port) {
+                return acc;
+            }
+
+            // Format target into string
+            const formattedTarget = `${target.internalPort}:${target.ip}:${target.port}`;
+
+            // Add to the appropriate protocol array
+            if (target.protocol === "tcp") {
+                acc.tcpTargets.push(formattedTarget);
+            } else {
+                acc.udpTargets.push(formattedTarget);
+            }
+
+            return acc;
+        },
+        { tcpTargets: [] as string[], udpTargets: [] as string[] }
+    );
+
+    const healthCheckTargets = allTargets.map((target) => {
+        // make sure the stuff is defined
+        if (
+            !target.hcPath ||
+            !target.hcHostname ||
+            !target.hcPort ||
+            !target.hcInterval ||
+            !target.hcMethod
+        ) {
+            logger.debug(
+                `Skipping target ${target.targetId} due to missing health check fields`
+            );
+            return null; // Skip targets with missing health check fields
+        }
+
+        // parse headers
+        const hcHeadersParse = target.hcHeaders
+            ? JSON.parse(target.hcHeaders)
+            : null;
+        const hcHeadersSend: { [key: string]: string } = {};
+        if (hcHeadersParse) {
+            hcHeadersParse.forEach(
+                (header: { name: string; value: string }) => {
+                    hcHeadersSend[header.name] = header.value;
+                }
+            );
+        }
+
+        return {
+            id: target.targetId,
+            hcEnabled: target.hcEnabled,
+            hcPath: target.hcPath,
+            hcScheme: target.hcScheme,
+            hcMode: target.hcMode,
+            hcHostname: target.hcHostname,
+            hcPort: target.hcPort,
+            hcInterval: target.hcInterval, // in seconds
+            hcUnhealthyInterval: target.hcUnhealthyInterval, // in seconds
+            hcTimeout: target.hcTimeout, // in seconds
+            hcHeaders: hcHeadersSend,
+            hcMethod: target.hcMethod,
+            hcTlsServerName: target.hcTlsServerName
+        };
+    });
+
+    // Filter out any null values from health check targets
+    const validHealthCheckTargets = healthCheckTargets.filter(
+        (target) => target !== null
+    );
+
+    return {
+        validHealthCheckTargets,
+        tcpTargets,
+        udpTargets
+    };
+}

server/routers/newt/handleGetConfigMessage.ts

@@ -2,19 +2,10 @@ import { z } from "zod";
 import { MessageHandler } from "@server/routers/ws";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import {
-    db,
-    ExitNode,
-    exitNodes,
-    siteResources,
-    clientSiteResourcesAssociationsCache
-} from "@server/db";
-import { clients, clientSitesAssociationsCache, Newt, sites } from "@server/db";
+import { db, ExitNode, exitNodes, Newt, sites } from "@server/db";
 import { eq } from "drizzle-orm";
-import { initPeerAddHandshake, updatePeer } from "../olm/peers";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
-import { generateSubnetProxyTargets, SubnetProxyTarget } from "@server/lib/ip";
-import config from "@server/lib/config";
+import { buildClientConfigurationForNewtClient } from "./buildConfiguration";
 
 const inputSchema = z.object({
     publicKey: z.string(),
@@ -130,167 +121,18 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
         }
     }
 
-    // Get all clients connected to this site
-    const clientsRes = await db
-        .select()
-        .from(clients)
-        .innerJoin(
-            clientSitesAssociationsCache,
-            eq(clients.clientId, clientSitesAssociationsCache.clientId)
-        )
-        .where(eq(clientSitesAssociationsCache.siteId, siteId));
+    const { peers, targets } = await buildClientConfigurationForNewtClient(
+        site,
+        exitNode
+    );
 
-    let peers: Array<{
-        publicKey: string;
-        allowedIps: string[];
-        endpoint?: string;
-    }> = [];
-
-    if (site.publicKey && site.endpoint && exitNode) {
-        // Prepare peers data for the response
-        peers = await Promise.all(
-            clientsRes
-                .filter((client) => {
-                    if (!client.clients.pubKey) {
-                        logger.warn(
-                            `Client ${client.clients.clientId} has no public key, skipping`
-                        );
-                        return false;
-                    }
-                    if (!client.clients.subnet) {
-                        logger.warn(
-                            `Client ${client.clients.clientId} has no subnet, skipping`
-                        );
-                        return false;
-                    }
-                    return true;
-                })
-                .map(async (client) => {
-                    // Add or update this peer on the olm if it is connected
-
-                    // const allSiteResources = await db // only get the site resources that this client has access to
-                    //     .select()
-                    //     .from(siteResources)
-                    //     .innerJoin(
-                    //         clientSiteResourcesAssociationsCache,
-                    //         eq(
-                    //             siteResources.siteResourceId,
-                    //             clientSiteResourcesAssociationsCache.siteResourceId
-                    //         )
-                    //     )
-                    //     .where(
-                    //         and(
-                    //             eq(siteResources.siteId, site.siteId),
-                    //             eq(
-                    //                 clientSiteResourcesAssociationsCache.clientId,
-                    //                 client.clients.clientId
-                    //             )
-                    //         )
-                    //     );
-
-                    // update the peer info on the olm
-                    // if the peer has not been added yet this will be a no-op
-                    await updatePeer(client.clients.clientId, {
-                        siteId: site.siteId,
-                        endpoint: site.endpoint!,
-                        relayEndpoint: `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`,
-                        publicKey: site.publicKey!,
-                        serverIP: site.address,
-                        serverPort: site.listenPort
-                        // remoteSubnets: generateRemoteSubnets(
-                        //     allSiteResources.map(
-                        //         ({ siteResources }) => siteResources
-                        //     )
-                        // ),
-                        // aliases: generateAliasConfig(
-                        //     allSiteResources.map(
-                        //         ({ siteResources }) => siteResources
-                        //     )
-                        // )
-                    });
-
-                    // also trigger the peer add handshake in case the peer was not already added to the olm and we need to hole punch
-                    // if it has already been added this will be a no-op
-                    await initPeerAddHandshake(
-                        // this will kick off the add peer process for the client
-                        client.clients.clientId,
-                        {
-                            siteId,
-                            exitNode: {
-                                publicKey: exitNode.publicKey,
-                                endpoint: exitNode.endpoint
-                            }
-                        }
-                    );
-
-                    return {
-                        publicKey: client.clients.pubKey!,
-                        allowedIps: [
-                            `${client.clients.subnet.split("/")[0]}/32`
-                        ], // we want to only allow from that client
-                        endpoint: client.clientSitesAssociationsCache.isRelayed
-                            ? ""
-                            : client.clientSitesAssociationsCache.endpoint! // if its relayed it should be localhost
-                    };
-                })
-        );
-    }
-
-    // Filter out any null values from peers that didn't have an olm
-    const validPeers = peers.filter((peer) => peer !== null);
-
-    // Get all enabled site resources for this site
-    const allSiteResources = await db
-        .select()
-        .from(siteResources)
-        .where(eq(siteResources.siteId, siteId));
-
-    const targetsToSend: SubnetProxyTarget[] = [];
-
-    for (const resource of allSiteResources) {
-        // Get clients associated with this specific resource
-        const resourceClients = await db
-            .select({
-                clientId: clients.clientId,
-                pubKey: clients.pubKey,
-                subnet: clients.subnet
-            })
-            .from(clients)
-            .innerJoin(
-                clientSiteResourcesAssociationsCache,
-                eq(
-                    clients.clientId,
-                    clientSiteResourcesAssociationsCache.clientId
-                )
-            )
-            .where(
-                eq(
-                    clientSiteResourcesAssociationsCache.siteResourceId,
-                    resource.siteResourceId
-                )
-            );
-
-        const resourceTargets = generateSubnetProxyTargets(
-            resource,
-            resourceClients
-        );
-
-        targetsToSend.push(...resourceTargets);
-    }
-
-    // Build the configuration response
-    const configResponse = {
-        ipAddress: site.address,
-        peers: validPeers,
-        targets: targetsToSend
-    };
-
-    logger.debug("Sending config: ", configResponse);
     return {
         message: {
             type: "newt/wg/receive-config",
             data: {
-                ...configResponse
+                ipAddress: site.address,
+                peers,
+                targets
             }
         },
         broadcast: false,

server/routers/newt/handleNewtPingMessage.ts

@@ -0,0 +1,163 @@
+import { db, sites } from "@server/db";
+import { disconnectClient, getClientConfigVersion } from "#dynamic/routers/ws";
+import { MessageHandler } from "@server/routers/ws";
+import { clients, Newt } from "@server/db";
+import { eq, lt, isNull, and, or } from "drizzle-orm";
+import logger from "@server/logger";
+import { validateSessionToken } from "@server/auth/sessions/app";
+import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { sendTerminateClient } from "../client/terminate";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { sendNewtSyncMessage } from "./sync";
+
+// Track if the offline checker interval is running
+// let offlineCheckerInterval: NodeJS.Timeout | null = null;
+// const OFFLINE_CHECK_INTERVAL = 30 * 1000; // Check every 30 seconds
+// const OFFLINE_THRESHOLD_MS = 2 * 60 * 1000; // 2 minutes
+
+/**
+ * Starts the background interval that checks for clients that haven't pinged recently
+ * and marks them as offline
+ */
+// export const startNewtOfflineChecker = (): void => {
+//     if (offlineCheckerInterval) {
+//         return; // Already running
+//     }
+
+//     offlineCheckerInterval = setInterval(async () => {
+//         try {
+//             const twoMinutesAgo = Math.floor(
+//                 (Date.now() - OFFLINE_THRESHOLD_MS) / 1000
+//             );
+
+//             // TODO: WE NEED TO MAKE SURE THIS WORKS WITH DISTRIBUTED NODES ALL DOING THE SAME THING
+
+//             // Find clients that haven't pinged in the last 2 minutes and mark them as offline
+//             const offlineClients = await db
+//                 .update(clients)
+//                 .set({ online: false })
+//                 .where(
+//                     and(
+//                         eq(clients.online, true),
+//                         or(
+//                             lt(clients.lastPing, twoMinutesAgo),
+//                             isNull(clients.lastPing)
+//                         )
+//                     )
+//                 )
+//                 .returning();
+
+//             for (const offlineClient of offlineClients) {
+//                 logger.info(
+//                     `Kicking offline newt client ${offlineClient.clientId} due to inactivity`
+//                 );
+
+//                 if (!offlineClient.newtId) {
+//                     logger.warn(
+//                         `Offline client ${offlineClient.clientId} has no newtId, cannot disconnect`
+//                     );
+//                     continue;
+//                 }
+
+//                 // Send a disconnect message to the client if connected
+//                 try {
+//                     await sendTerminateClient(
+//                         offlineClient.clientId,
+//                         offlineClient.newtId
+//                     ); // terminate first
+//                     // wait a moment to ensure the message is sent
+//                     await new Promise((resolve) => setTimeout(resolve, 1000));
+//                     await disconnectClient(offlineClient.newtId);
+//                 } catch (error) {
+//                     logger.error(
+//                         `Error sending disconnect to offline newt ${offlineClient.clientId}`,
+//                         { error }
+//                     );
+//                 }
+//             }
+//         } catch (error) {
+//             logger.error("Error in offline checker interval", { error });
+//         }
+//     }, OFFLINE_CHECK_INTERVAL);
+
+//     logger.debug("Started offline checker interval");
+// };
+
+/**
+ * Stops the background interval that checks for offline clients
+ */
+// export const stopNewtOfflineChecker = (): void => {
+//     if (offlineCheckerInterval) {
+//         clearInterval(offlineCheckerInterval);
+//         offlineCheckerInterval = null;
+//         logger.info("Stopped offline checker interval");
+//     }
+// };
+
+/**
+ * Handles ping messages from clients and responds with pong
+ */
+export const handleNewtPingMessage: MessageHandler = async (context) => {
+    const { message, client: c, sendToClient } = context;
+    const newt = c as Newt;
+
+    if (!newt) {
+        logger.warn("Newt ping message: Newt not found");
+        return;
+    }
+
+    if (!newt.siteId) {
+        logger.warn("Newt ping message: has no site ID");
+        return;
+    }
+
+    // get the version
+    const configVersion = await getClientConfigVersion(newt.newtId);
+
+    if (message.configVersion && configVersion != null && configVersion != message.configVersion) {
+        logger.warn(
+            `Newt ping with outdated config version: ${message.configVersion} (current: ${configVersion})`
+        );
+
+        // get the site
+        const [site] = await db
+            .select()
+            .from(sites)
+            .where(eq(sites.siteId, newt.siteId))
+            .limit(1);
+
+        if (!site) {
+            logger.warn(
+                `Newt ping message: site with ID ${newt.siteId} not found`
+            );
+            return;
+        }
+
+        await sendNewtSyncMessage(newt, site);
+    }
+
+    // try {
+    //     // Update the client's last ping timestamp
+    //     await db
+    //         .update(clients)
+    //         .set({
+    //             lastPing: Math.floor(Date.now() / 1000),
+    //             online: true
+    //         })
+    //         .where(eq(clients.clientId, newt.clientId));
+    // } catch (error) {
+    //     logger.error("Error handling ping message", { error });
+    // }
+
+    return {
+        message: {
+            type: "pong",
+            data: {
+                timestamp: new Date().toISOString()
+            }
+        },
+        broadcast: false,
+        excludeSender: false
+    };
+};

server/routers/newt/handleNewtRegisterMessage.ts

@@ -18,6 +18,7 @@ import {
 } from "#dynamic/lib/exitNodes";
 import { fetchContainers } from "./dockerSocket";
 import { lockManager } from "#dynamic/lib/lock";
+import { buildTargetConfigurationForNewtClient } from "./buildConfiguration";
 
 export type ExitNodePingResult = {
     exitNodeId: number;
@@ -233,109 +234,8 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
             .where(eq(newts.newtId, newt.newtId));
     }
 
-    // Get all enabled targets with their resource protocol information
-    const allTargets = await db
-        .select({
-            resourceId: targets.resourceId,
-            targetId: targets.targetId,
-            ip: targets.ip,
-            method: targets.method,
-            port: targets.port,
-            internalPort: targets.internalPort,
-            enabled: targets.enabled,
-            protocol: resources.protocol,
-            hcEnabled: targetHealthCheck.hcEnabled,
-            hcPath: targetHealthCheck.hcPath,
-            hcScheme: targetHealthCheck.hcScheme,
-            hcMode: targetHealthCheck.hcMode,
-            hcHostname: targetHealthCheck.hcHostname,
-            hcPort: targetHealthCheck.hcPort,
-            hcInterval: targetHealthCheck.hcInterval,
-            hcUnhealthyInterval: targetHealthCheck.hcUnhealthyInterval,
-            hcTimeout: targetHealthCheck.hcTimeout,
-            hcHeaders: targetHealthCheck.hcHeaders,
-            hcMethod: targetHealthCheck.hcMethod,
-            hcTlsServerName: targetHealthCheck.hcTlsServerName
-        })
-        .from(targets)
-        .innerJoin(resources, eq(targets.resourceId, resources.resourceId))
-        .leftJoin(
-            targetHealthCheck,
-            eq(targets.targetId, targetHealthCheck.targetId)
-        )
-        .where(and(eq(targets.siteId, siteId), eq(targets.enabled, true)));
-
-    const { tcpTargets, udpTargets } = allTargets.reduce(
-        (acc, target) => {
-            // Filter out invalid targets
-            if (!target.internalPort || !target.ip || !target.port) {
-                return acc;
-            }
-
-            // Format target into string
-            const formattedTarget = `${target.internalPort}:${target.ip}:${target.port}`;
-
-            // Add to the appropriate protocol array
-            if (target.protocol === "tcp") {
-                acc.tcpTargets.push(formattedTarget);
-            } else {
-                acc.udpTargets.push(formattedTarget);
-            }
-
-            return acc;
-        },
-        { tcpTargets: [] as string[], udpTargets: [] as string[] }
-    );
-
-    const healthCheckTargets = allTargets.map((target) => {
-        // make sure the stuff is defined
-        if (
-            !target.hcPath ||
-            !target.hcHostname ||
-            !target.hcPort ||
-            !target.hcInterval ||
-            !target.hcMethod
-        ) {
-            logger.debug(
-                `Skipping target ${target.targetId} due to missing health check fields`
-            );
-            return null; // Skip targets with missing health check fields
-        }
-
-        // parse headers
-        const hcHeadersParse = target.hcHeaders
-            ? JSON.parse(target.hcHeaders)
-            : null;
-        const hcHeadersSend: { [key: string]: string } = {};
-        if (hcHeadersParse) {
-            hcHeadersParse.forEach(
-                (header: { name: string; value: string }) => {
-                    hcHeadersSend[header.name] = header.value;
-                }
-            );
-        }
-
-        return {
-            id: target.targetId,
-            hcEnabled: target.hcEnabled,
-            hcPath: target.hcPath,
-            hcScheme: target.hcScheme,
-            hcMode: target.hcMode,
-            hcHostname: target.hcHostname,
-            hcPort: target.hcPort,
-            hcInterval: target.hcInterval, // in seconds
-            hcUnhealthyInterval: target.hcUnhealthyInterval, // in seconds
-            hcTimeout: target.hcTimeout, // in seconds
-            hcHeaders: hcHeadersSend,
-            hcMethod: target.hcMethod,
-            hcTlsServerName: target.hcTlsServerName
-        };
-    });
-
-    // Filter out any null values from health check targets
-    const validHealthCheckTargets = healthCheckTargets.filter(
-        (target) => target !== null
-    );
+    const { tcpTargets, udpTargets, validHealthCheckTargets } =
+        await buildTargetConfigurationForNewtClient(siteId);
 
     logger.debug(
         `Sending health check targets to newt ${newt.newtId}: ${JSON.stringify(validHealthCheckTargets)}`

server/routers/newt/index.ts

@@ -6,3 +6,4 @@ export * from "./handleGetConfigMessage";
 export * from "./handleSocketMessages";
 export * from "./handleNewtPingRequestMessage";
 export * from "./handleApplyBlueprintMessage";
+export * from "./handleNewtPingMessage";

server/routers/newt/peers.ts

@@ -39,7 +39,7 @@ export async function addPeer(
     await sendToClient(newtId, {
         type: "newt/wg/peer/add",
         data: peer
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -81,7 +81,7 @@ export async function deletePeer(
         data: {
             publicKey
         }
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -128,7 +128,7 @@ export async function updatePeer(
             publicKey,
             ...peer
         }
-    }).catch((error) => {
+    }, { incrementConfigVersion: true }).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 

server/routers/newt/sync.ts

@@ -0,0 +1,41 @@
+import { ExitNode, exitNodes, Newt, Site, db } from "@server/db";
+import { eq } from "drizzle-orm";
+import { sendToClient } from "#dynamic/routers/ws";
+import logger from "@server/logger";
+import {
+    buildClientConfigurationForNewtClient,
+    buildTargetConfigurationForNewtClient
+} from "./buildConfiguration";
+
+export async function sendNewtSyncMessage(newt: Newt, site: Site) {
+    const { tcpTargets, udpTargets, validHealthCheckTargets } =
+        await buildTargetConfigurationForNewtClient(site.siteId);
+
+    let exitNode: ExitNode | undefined;
+    if (site.exitNodeId) {
+        [exitNode] = await db
+            .select()
+            .from(exitNodes)
+            .where(eq(exitNodes.exitNodeId, site.exitNodeId))
+            .limit(1);
+    }
+    const { peers, targets } = await buildClientConfigurationForNewtClient(
+        site,
+        exitNode
+    );
+
+    await sendToClient(newt.newtId, {
+        type: "newt/sync",
+        data: {
+            proxyTargets: {
+                udp: udpTargets,
+                tcp: tcpTargets
+            },
+            healthCheckTargets: validHealthCheckTargets,
+            peers: peers,
+            clientTargets: targets
+        }
+    }).catch((error) => {
+        logger.warn(`Error sending newt sync message:`, error);
+    });
+}

server/routers/newt/targets.ts

@@ -22,7 +22,7 @@ export async function addTargets(
         data: {
             targets: payloadTargets
         }
-    });
+    }, { incrementConfigVersion: true });
 
     // Create a map for quick lookup
     const healthCheckMap = new Map<number, TargetHealthCheck>();
@@ -103,7 +103,7 @@ export async function addTargets(
         data: {
             targets: validHealthCheckTargets
         }
-    });
+    }, { incrementConfigVersion: true });
 }
 
 export async function removeTargets(
@@ -124,7 +124,7 @@ export async function removeTargets(
         data: {
             targets: payloadTargets
         }
-    });
+    }, { incrementConfigVersion: true });
 
     const healthCheckTargets = targets.map((target) => {
         return target.targetId;
@@ -135,5 +135,5 @@ export async function removeTargets(
         data: {
             ids: healthCheckTargets
         }
-    });
+    }, { incrementConfigVersion: true });
 }

server/routers/olm/archiveUserOlm.ts

@@ -0,0 +1,81 @@
+import { NextFunction, Request, Response } from "express";
+import { db } from "@server/db";
+import { olms, clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+import { sendTerminateClient } from "../client/terminate";
+
+const paramsSchema = z
+    .object({
+        userId: z.string(),
+        olmId: z.string()
+    })
+    .strict();
+
+export async function archiveUserOlm(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { olmId } = parsedParams.data;
+
+        // Archive the OLM and disconnect associated clients in a transaction
+        await db.transaction(async (trx) => {
+            // Find all clients associated with this OLM
+            const associatedClients = await trx
+                .select()
+                .from(clients)
+                .where(eq(clients.olmId, olmId));
+
+            // Disconnect clients from the OLM (set olmId to null)
+            for (const client of associatedClients) {
+                await trx
+                    .update(clients)
+                    .set({ olmId: null })
+                    .where(eq(clients.clientId, client.clientId));
+
+                await rebuildClientAssociationsFromClient(client, trx);
+                await sendTerminateClient(client.clientId, olmId);
+            }
+
+            // Archive the OLM (set archived to true)
+            await trx
+                .update(olms)
+                .set({ archived: true })
+                .where(eq(olms.olmId, olmId));
+        });
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Device archived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to archive device"
+            )
+        );
+    }
+}

server/routers/olm/buildConfiguration.ts

@@ -0,0 +1,145 @@
+import { Client, clientSiteResourcesAssociationsCache, clientSitesAssociationsCache, db, exitNodes, siteResources, sites } from "@server/db";
+import { generateAliasConfig, generateRemoteSubnets } from "@server/lib/ip";
+import logger from "@server/logger";
+import { and, eq } from "drizzle-orm";
+import { addPeer, deletePeer } from "../newt/peers";
+import config from "@server/lib/config";
+
+export async function buildSiteConfigurationForOlmClient(
+    client: Client,
+    publicKey: string | null,
+    relay: boolean
+) {
+    const siteConfigurations = [];
+
+    // Get all sites data
+    const sitesData = await db
+        .select()
+        .from(sites)
+        .innerJoin(
+            clientSitesAssociationsCache,
+            eq(sites.siteId, clientSitesAssociationsCache.siteId)
+        )
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+
+    // Process each site
+    for (const {
+        sites: site,
+        clientSitesAssociationsCache: association
+    } of sitesData) {
+        if (!site.exitNodeId) {
+            logger.warn(
+                `Site ${site.siteId} does not have exit node, skipping`
+            );
+            continue;
+        }
+
+        // Validate endpoint and hole punch status
+        if (!site.endpoint) {
+            logger.warn(
+                `In olm register: site ${site.siteId} has no endpoint, skipping`
+            );
+            continue;
+        }
+
+        // if (site.lastHolePunch && now - site.lastHolePunch > 6 && relay) {
+        //     logger.warn(
+        //         `Site ${site.siteId} last hole punch is too old, skipping`
+        //     );
+        //     continue;
+        // }
+
+        // If public key changed, delete old peer from this site
+        if (client.pubKey && client.pubKey != publicKey) {
+            logger.info(
+                `Public key mismatch. Deleting old peer from site ${site.siteId}...`
+            );
+            await deletePeer(site.siteId, client.pubKey!);
+        }
+
+        if (!site.subnet) {
+            logger.warn(`Site ${site.siteId} has no subnet, skipping`);
+            continue;
+        }
+
+        const [clientSite] = await db
+            .select()
+            .from(clientSitesAssociationsCache)
+            .where(
+                and(
+                    eq(clientSitesAssociationsCache.clientId, client.clientId),
+                    eq(clientSitesAssociationsCache.siteId, site.siteId)
+                )
+            )
+            .limit(1);
+
+        // Add the peer to the exit node for this site
+        if (clientSite.endpoint && publicKey) {
+            logger.info(
+                `Adding peer ${publicKey} to site ${site.siteId} with endpoint ${clientSite.endpoint}`
+            );
+            await addPeer(site.siteId, {
+                publicKey: publicKey,
+                allowedIps: [`${client.subnet.split("/")[0]}/32`], // we want to only allow from that client
+                endpoint: relay ? "" : clientSite.endpoint
+            });
+        } else {
+            logger.warn(
+                `Client ${client.clientId} has no endpoint, skipping peer addition`
+            );
+        }
+
+        let relayEndpoint: string | undefined = undefined;
+        if (relay) {
+            const [exitNode] = await db
+                .select()
+                .from(exitNodes)
+                .where(eq(exitNodes.exitNodeId, site.exitNodeId))
+                .limit(1);
+            if (!exitNode) {
+                logger.warn(`Exit node not found for site ${site.siteId}`);
+                continue;
+            }
+            relayEndpoint = `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`;
+        }
+
+        const allSiteResources = await db // only get the site resources that this client has access to
+            .select()
+            .from(siteResources)
+            .innerJoin(
+                clientSiteResourcesAssociationsCache,
+                eq(
+                    siteResources.siteResourceId,
+                    clientSiteResourcesAssociationsCache.siteResourceId
+                )
+            )
+            .where(
+                and(
+                    eq(siteResources.siteId, site.siteId),
+                    eq(
+                        clientSiteResourcesAssociationsCache.clientId,
+                        client.clientId
+                    )
+                )
+            );
+
+        // Add site configuration to the array
+        siteConfigurations.push({
+            siteId: site.siteId,
+            name: site.name,
+            // relayEndpoint: relayEndpoint, // this can be undefined now if not relayed // lets not do this for now because it would conflict with the hole punch testing
+            endpoint: site.endpoint,
+            publicKey: site.publicKey,
+            serverIP: site.address,
+            serverPort: site.listenPort,
+            remoteSubnets: generateRemoteSubnets(
+                allSiteResources.map(({ siteResources }) => siteResources)
+            ),
+            aliases: generateAliasConfig(
+                allSiteResources.map(({ siteResources }) => siteResources)
+            )
+        });
+    }
+
+    return siteConfigurations;
+}

server/routers/olm/getUserOlm.ts

@@ -1,6 +1,6 @@
 import { NextFunction, Request, Response } from "express";
 import { db } from "@server/db";
-import { olms } from "@server/db";
+import { olms, clients, fingerprints } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -9,6 +9,7 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import { getUserDeviceName } from "@server/db/names";
 
 const paramsSchema = z
     .object({
@@ -17,6 +18,10 @@ const paramsSchema = z
     })
     .strict();
 
+const querySchema = z.object({
+    orgId: z.string().optional()
+});
+
 // registry.registerPath({
 //     method: "get",
 //     path: "/user/{userId}/olm/{olmId}",
@@ -44,15 +49,64 @@ export async function getUserOlm(
             );
         }
 
-        const { olmId, userId } = parsedParams.data;
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
 
-        const [olm] = await db
+        const { olmId, userId } = parsedParams.data;
+        const { orgId } = parsedQuery.data;
+
+        const [result] = await db
             .select()
             .from(olms)
-            .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)));
+            .where(and(eq(olms.userId, userId), eq(olms.olmId, olmId)))
+            .leftJoin(fingerprints, eq(olms.olmId, fingerprints.olmId))
+            .limit(1);
+
+        if (!result || !result.olms) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "Olm not found"
+                )
+            );
+        }
+
+        const olm = result.olms;
+
+        // If orgId is provided and olm has a clientId, fetch the client to check blocked status
+        let blocked: boolean | undefined;
+        if (orgId && olm.clientId) {
+            const [client] = await db
+                .select({ blocked: clients.blocked })
+                .from(clients)
+                .where(
+                    and(
+                        eq(clients.clientId, olm.clientId),
+                        eq(clients.orgId, orgId)
+                    )
+                )
+                .limit(1);
+
+            blocked = client?.blocked ?? false;
+        }
+
+        // Replace name with device name
+        const model = result.fingerprints?.deviceModel || null;
+        const newName = getUserDeviceName(model, olm.name);
+
+        const responseData = blocked !== undefined 
+            ? { ...olm, name: newName, blocked }
+            : { ...olm, name: newName };
 
         return response(res, {
-            data: olm,
+            data: responseData,
             success: true,
             error: false,
             message: "Successfully retrieved olm",

server/routers/olm/handleOlmPingMessage.ts

@@ -1,7 +1,7 @@
-import { db } from "@server/db";
-import { disconnectClient } from "#dynamic/routers/ws";
+import { disconnectClient, getClientConfigVersion } from "#dynamic/routers/ws";
+import { clientPostureSnapshots, db, fingerprints } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { clients, Olm } from "@server/db";
+import { clients, olms, Olm } from "@server/db";
 import { eq, lt, isNull, and, or } from "drizzle-orm";
 import logger from "@server/logger";
 import { validateSessionToken } from "@server/auth/sessions/app";
@@ -9,6 +9,7 @@ import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { sendTerminateClient } from "../client/terminate";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { sendOlmSyncMessage } from "./sync";
 
 // Track if the offline checker interval is running
 let offlineCheckerInterval: NodeJS.Timeout | null = null;
@@ -101,79 +102,178 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
     const { message, client: c, sendToClient } = context;
     const olm = c as Olm;
 
-    const { userToken } = message.data;
+    const { userToken, fingerprint, postures } = message.data;
 
     if (!olm) {
         logger.warn("Olm not found");
         return;
     }
 
-    if (olm.userId) {
-        // we need to check a user token to make sure its still valid
-        const { session: userSession, user } =
-            await validateSessionToken(userToken);
-        if (!userSession || !user) {
-            logger.warn("Invalid user session for olm ping");
-            return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
-        }
-        if (user.userId !== olm.userId) {
-            logger.warn("User ID mismatch for olm ping");
-            return;
-        }
-
-        // get the client
-        const [client] = await db
-            .select()
-            .from(clients)
-            .where(
-                and(
-                    eq(clients.olmId, olm.olmId),
-                    eq(clients.userId, olm.userId)
-                )
-            )
-            .limit(1);
-
-        if (!client) {
-            logger.warn("Client not found for olm ping");
-            return;
-        }
-
-        const sessionId = encodeHexLowerCase(
-            sha256(new TextEncoder().encode(userToken))
-        );
-
-        const policyCheck = await checkOrgAccessPolicy({
-            orgId: client.orgId,
-            userId: olm.userId,
-            sessionId // this is the user token passed in the message
-        });
-
-        if (!policyCheck.allowed) {
-            logger.warn(
-                `Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
-            );
-            return;
-        }
-    }
-
     if (!olm.clientId) {
         logger.warn("Olm has no client ID!");
         return;
     }
 
     try {
+        // get the client
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, olm.clientId))
+            .limit(1);
+
+        if (!client) {
+            logger.warn("Client not found for olm ping");
+            return;
+        }
+
+        if (client.blocked) {
+            // NOTE: by returning we dont update the lastPing, so the offline checker will eventually disconnect them
+            logger.debug(
+                `Blocked client ${client.clientId} attempted olm ping`
+            );
+            return;
+        }
+
+        if (olm.userId) {
+            // we need to check a user token to make sure its still valid
+            const { session: userSession, user } =
+                await validateSessionToken(userToken);
+            if (!userSession || !user) {
+                logger.warn("Invalid user session for olm ping");
+                return; // by returning here we just ignore the ping and the setInterval will force it to disconnect
+            }
+            if (user.userId !== olm.userId) {
+                logger.warn("User ID mismatch for olm ping");
+                return;
+            }
+            if (user.userId !== client.userId) {
+                logger.warn("Client user ID mismatch for olm ping");
+                return;
+            }
+
+            const sessionId = encodeHexLowerCase(
+                sha256(new TextEncoder().encode(userToken))
+            );
+
+            const policyCheck = await checkOrgAccessPolicy({
+                orgId: client.orgId,
+                userId: olm.userId,
+                sessionId // this is the user token passed in the message
+            });
+
+            if (!policyCheck.allowed) {
+                logger.warn(
+                    `Olm user ${olm.userId} does not pass access policies for org ${client.orgId}: ${policyCheck.error}`
+                );
+                return;
+            }
+        }
+
+        // get the version
+        logger.debug(`handleOlmPingMessage: About to get config version for olmId: ${olm.olmId}`);
+        const configVersion = await getClientConfigVersion(olm.olmId);
+        logger.debug(`handleOlmPingMessage: Got config version: ${configVersion} (type: ${typeof configVersion})`);
+
+        if (configVersion == null || configVersion === undefined) {
+            logger.debug(`handleOlmPingMessage: could not get config version from server for olmId: ${olm.olmId}`)
+        }
+
+        if (message.configVersion != null && configVersion != null && configVersion != message.configVersion) {
+            logger.debug(
+                `handleOlmPingMessage: Olm ping with outdated config version: ${message.configVersion} (current: ${configVersion})`
+            );
+            await sendOlmSyncMessage(olm, client);
+        }
+
         // Update the client's last ping timestamp
         await db
             .update(clients)
             .set({
                 lastPing: Math.floor(Date.now() / 1000),
-                online: true
+                online: true,
+                archived: false
             })
             .where(eq(clients.clientId, olm.clientId));
+
+        if (olm.archived) {
+            await db
+                .update(olms)
+                .set({ archived: false })
+                .where(eq(olms.olmId, olm.olmId));
+        }
     } catch (error) {
         logger.error("Error handling ping message", { error });
     }
 
+    const now = Math.floor(Date.now() / 1000);
+
+    if (fingerprint && olm.olmId) {
+        const [existingFingerprint] = await db
+            .select()
+            .from(fingerprints)
+            .where(eq(fingerprints.olmId, olm.olmId))
+            .limit(1);
+
+        if (!existingFingerprint) {
+            await db.insert(fingerprints).values({
+                olmId: olm.olmId,
+                firstSeen: now,
+                lastSeen: now,
+
+                username: fingerprint.username,
+                hostname: fingerprint.hostname,
+                platform: fingerprint.platform,
+                osVersion: fingerprint.osVersion,
+                kernelVersion: fingerprint.kernelVersion,
+                arch: fingerprint.arch,
+                deviceModel: fingerprint.deviceModel,
+                serialNumber: fingerprint.serialNumber,
+                platformFingerprint: fingerprint.platformFingerprint
+            });
+        } else {
+            await db
+                .update(fingerprints)
+                .set({
+                    lastSeen: now,
+
+                    username: fingerprint.username,
+                    hostname: fingerprint.hostname,
+                    platform: fingerprint.platform,
+                    osVersion: fingerprint.osVersion,
+                    kernelVersion: fingerprint.kernelVersion,
+                    arch: fingerprint.arch,
+                    deviceModel: fingerprint.deviceModel,
+                    serialNumber: fingerprint.serialNumber,
+                    platformFingerprint: fingerprint.platformFingerprint
+                })
+                .where(eq(fingerprints.olmId, olm.olmId));
+        }
+    }
+
+    if (postures && olm.clientId) {
+        await db.insert(clientPostureSnapshots).values({
+            clientId: olm.clientId,
+
+            biometricsEnabled: postures?.biometricsEnabled,
+            diskEncrypted: postures?.diskEncrypted,
+            firewallEnabled: postures?.firewallEnabled,
+            autoUpdatesEnabled: postures?.autoUpdatesEnabled,
+            tpmAvailable: postures?.tpmAvailable,
+
+            windowsDefenderEnabled: postures?.windowsDefenderEnabled,
+
+            macosSipEnabled: postures?.macosSipEnabled,
+            macosGatekeeperEnabled: postures?.macosGatekeeperEnabled,
+            macosFirewallStealthMode: postures?.macosFirewallStealthMode,
+
+            linuxAppArmorEnabled: postures?.linuxAppArmorEnabled,
+            linuxSELinuxEnabled: postures?.linuxSELinuxEnabled,
+
+            collectedAt: now
+        });
+    }
+
     return {
         message: {
             type: "pong",

server/routers/olm/handleOlmRegisterMessage.ts

@@ -1,6 +1,9 @@
 import {
+    Client,
+    clientPostureSnapshots,
     clientSiteResourcesAssociationsCache,
     db,
+    fingerprints,
     orgs,
     siteResources
 } from "@server/db";
@@ -13,7 +16,7 @@ import {
     olms,
     sites
 } from "@server/db";
-import { and, eq, inArray, isNull } from "drizzle-orm";
+import { and, count, eq, inArray, isNull } from "drizzle-orm";
 import { addPeer, deletePeer } from "../newt/peers";
 import logger from "@server/logger";
 import { generateAliasConfig } from "@server/lib/ip";
@@ -23,6 +26,7 @@ import { validateSessionToken } from "@server/auth/sessions/app";
 import config from "@server/lib/config";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
 
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     logger.info("Handling register olm message!");
@@ -36,8 +40,16 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         return;
     }
 
-    const { publicKey, relay, olmVersion, olmAgent, orgId, userToken } =
-        message.data;
+    const {
+        publicKey,
+        relay,
+        olmVersion,
+        olmAgent,
+        orgId,
+        userToken,
+        fingerprint,
+        postures
+    } = message.data;
 
     if (!olm.clientId) {
         logger.warn("Olm client ID not found");
@@ -55,6 +67,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         return;
     }
 
+    if (client.blocked) {
+        logger.debug(`Client ${client.clientId} is blocked. Ignoring register.`);
+        return;
+    }
+
     const [org] = await db
         .select()
         .from(orgs)
@@ -112,18 +129,20 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
 
     if (
         (olmVersion && olm.version !== olmVersion) ||
-        (olmAgent && olm.agent !== olmAgent)
+        (olmAgent && olm.agent !== olmAgent) ||
+        olm.archived
     ) {
         await db
             .update(olms)
             .set({
                 version: olmVersion,
-                agent: olmAgent
+                agent: olmAgent,
+                archived: false
             })
             .where(eq(olms.olmId, olm.olmId));
     }
 
-    if (client.pubKey !== publicKey) {
+    if (client.pubKey !== publicKey || client.archived) {
         logger.info(
             "Public key mismatch. Updating public key and clearing session info..."
         );
@@ -131,7 +150,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         await db
             .update(clients)
             .set({
-                pubKey: publicKey
+                pubKey: publicKey,
+                archived: false,
             })
             .where(eq(clients.clientId, client.clientId));
 
@@ -145,8 +165,8 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     }
 
     // Get all sites data
-    const sitesData = await db
-        .select()
+    const sitesCountResult = await db
+        .select({ count: count() })
         .from(sites)
         .innerJoin(
             clientSitesAssociationsCache,
@@ -154,138 +174,93 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         )
         .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
 
+    // Extract the count value from the result array
+    const sitesCount =
+        sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
+
     // Prepare an array to store site configurations
-    const siteConfigurations = [];
-    logger.debug(
-        `Found ${sitesData.length} sites for client ${client.clientId}`
-    );
+    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
 
     // this prevents us from accepting a register from an olm that has not hole punched yet.
     // the olm will pump the register so we can keep checking
     // TODO: I still think there is a better way to do this rather than locking it out here but ???
-    if (now - (client.lastHolePunch || 0) > 5 && sitesData.length > 0) {
+    if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
         logger.warn(
             "Client last hole punch is too old and we have sites to send; skipping this register"
         );
         return;
     }
 
-    // Process each site
-    for (const {
-        sites: site,
-        clientSitesAssociationsCache: association
-    } of sitesData) {
-        if (!site.exitNodeId) {
-            logger.warn(
-                `Site ${site.siteId} does not have exit node, skipping`
-            );
-            continue;
-        }
+    // NOTE: its important that the client here is the old client and the public key is the new key
+    const siteConfigurations = await buildSiteConfigurationForOlmClient(
+        client,
+        publicKey,
+        relay
+    );
 
-        // Validate endpoint and hole punch status
-        if (!site.endpoint) {
-            logger.warn(
-                `In olm register: site ${site.siteId} has no endpoint, skipping`
-            );
-            continue;
-        }
-
-        // if (site.lastHolePunch && now - site.lastHolePunch > 6 && relay) {
-        //     logger.warn(
-        //         `Site ${site.siteId} last hole punch is too old, skipping`
-        //     );
-        //     continue;
-        // }
-
-        // If public key changed, delete old peer from this site
-        if (client.pubKey && client.pubKey != publicKey) {
-            logger.info(
-                `Public key mismatch. Deleting old peer from site ${site.siteId}...`
-            );
-            await deletePeer(site.siteId, client.pubKey!);
-        }
-
-        if (!site.subnet) {
-            logger.warn(`Site ${site.siteId} has no subnet, skipping`);
-            continue;
-        }
-
-        const [clientSite] = await db
+    if (fingerprint) {
+        const [existingFingerprint] = await db
             .select()
-            .from(clientSitesAssociationsCache)
-            .where(
-                and(
-                    eq(clientSitesAssociationsCache.clientId, client.clientId),
-                    eq(clientSitesAssociationsCache.siteId, site.siteId)
-                )
-            )
+            .from(fingerprints)
+            .where(eq(fingerprints.olmId, olm.olmId))
             .limit(1);
 
-        // Add the peer to the exit node for this site
-        if (clientSite.endpoint) {
-            logger.info(
-                `Adding peer ${publicKey} to site ${site.siteId} with endpoint ${clientSite.endpoint}`
-            );
-            await addPeer(site.siteId, {
-                publicKey: publicKey,
-                allowedIps: [`${client.subnet.split("/")[0]}/32`], // we want to only allow from that client
-                endpoint: relay ? "" : clientSite.endpoint
+        if (!existingFingerprint) {
+            await db.insert(fingerprints).values({
+                olmId: olm.olmId,
+                firstSeen: now,
+                lastSeen: now,
+
+                username: fingerprint.username,
+                hostname: fingerprint.hostname,
+                platform: fingerprint.platform,
+                osVersion: fingerprint.osVersion,
+                kernelVersion: fingerprint.kernelVersion,
+                arch: fingerprint.arch,
+                deviceModel: fingerprint.deviceModel,
+                serialNumber: fingerprint.serialNumber,
+                platformFingerprint: fingerprint.platformFingerprint
             });
         } else {
-            logger.warn(
-                `Client ${client.clientId} has no endpoint, skipping peer addition`
-            );
+            await db
+                .update(fingerprints)
+                .set({
+                    lastSeen: now,
+
+                    username: fingerprint.username,
+                    hostname: fingerprint.hostname,
+                    platform: fingerprint.platform,
+                    osVersion: fingerprint.osVersion,
+                    kernelVersion: fingerprint.kernelVersion,
+                    arch: fingerprint.arch,
+                    deviceModel: fingerprint.deviceModel,
+                    serialNumber: fingerprint.serialNumber,
+                    platformFingerprint: fingerprint.platformFingerprint
+                })
+                .where(eq(fingerprints.olmId, olm.olmId));
         }
+    }
 
-        let relayEndpoint: string | undefined = undefined;
-        if (relay) {
-            const [exitNode] = await db
-                .select()
-                .from(exitNodes)
-                .where(eq(exitNodes.exitNodeId, site.exitNodeId))
-                .limit(1);
-            if (!exitNode) {
-                logger.warn(`Exit node not found for site ${site.siteId}`);
-                continue;
-            }
-            relayEndpoint = `${exitNode.endpoint}:${config.getRawConfig().gerbil.clients_start_port}`;
-        }
+    if (postures && olm.clientId) {
+        await db.insert(clientPostureSnapshots).values({
+            clientId: olm.clientId,
 
-        const allSiteResources = await db // only get the site resources that this client has access to
-            .select()
-            .from(siteResources)
-            .innerJoin(
-                clientSiteResourcesAssociationsCache,
-                eq(
-                    siteResources.siteResourceId,
-                    clientSiteResourcesAssociationsCache.siteResourceId
-                )
-            )
-            .where(
-                and(
-                    eq(siteResources.siteId, site.siteId),
-                    eq(
-                        clientSiteResourcesAssociationsCache.clientId,
-                        client.clientId
-                    )
-                )
-            );
+            biometricsEnabled: postures?.biometricsEnabled,
+            diskEncrypted: postures?.diskEncrypted,
+            firewallEnabled: postures?.firewallEnabled,
+            autoUpdatesEnabled: postures?.autoUpdatesEnabled,
+            tpmAvailable: postures?.tpmAvailable,
 
-        // Add site configuration to the array
-        siteConfigurations.push({
-            siteId: site.siteId,
-            name: site.name,
-            // relayEndpoint: relayEndpoint, // this can be undefined now if not relayed // lets not do this for now because it would conflict with the hole punch testing
-            endpoint: site.endpoint,
-            publicKey: site.publicKey,
-            serverIP: site.address,
-            serverPort: site.listenPort,
-            remoteSubnets: generateRemoteSubnets(
-                allSiteResources.map(({ siteResources }) => siteResources)
-            ),
-            aliases: generateAliasConfig(
-                allSiteResources.map(({ siteResources }) => siteResources)
-            )
+            windowsDefenderEnabled: postures?.windowsDefenderEnabled,
+
+            macosSipEnabled: postures?.macosSipEnabled,
+            macosGatekeeperEnabled: postures?.macosGatekeeperEnabled,
+            macosFirewallStealthMode: postures?.macosFirewallStealthMode,
+
+            linuxAppArmorEnabled: postures?.linuxAppArmorEnabled,
+            linuxSELinuxEnabled: postures?.linuxSELinuxEnabled,
+
+            collectedAt: now
         });
     }
 

server/routers/olm/index.ts

@@ -3,9 +3,10 @@ export * from "./getOlmToken";
 export * from "./createUserOlm";
 export * from "./handleOlmRelayMessage";
 export * from "./handleOlmPingMessage";
-export * from "./deleteUserOlm";
+export * from "./archiveUserOlm";
+export * from "./unarchiveUserOlm";
 export * from "./listUserOlms";
-export * from "./deleteUserOlm";
 export * from "./getUserOlm";
 export * from "./handleOlmServerPeerAddMessage";
 export * from "./handleOlmUnRelayMessage";
+export * from "./recoverOlmWithFingerprint";

server/routers/olm/listUserOlms.ts

@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { db } from "@server/db";
+import { db, fingerprints } from "@server/db";
 import { olms } from "@server/db";
 import { eq, count, desc } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
@@ -9,6 +9,7 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import { getUserDeviceName } from "@server/db/names";
 
 const querySchema = z.object({
     limit: z
@@ -51,6 +52,7 @@ export type ListUserOlmsResponse = {
         name: string | null;
         clientId: number | null;
         userId: string | null;
+        archived: boolean;
     }>;
     pagination: {
         total: number;
@@ -89,7 +91,7 @@ export async function listUserOlms(
 
         const { userId } = parsedParams.data;
 
-        // Get total count
+        // Get total count (including archived OLMs)
         const [totalCountResult] = await db
             .select({ count: count() })
             .from(olms)
@@ -97,22 +99,31 @@ export async function listUserOlms(
 
         const total = totalCountResult?.count || 0;
 
-        // Get OLMs for the current user
-        const userOlms = await db
-            .select({
-                olmId: olms.olmId,
-                dateCreated: olms.dateCreated,
-                version: olms.version,
-                name: olms.name,
-                clientId: olms.clientId,
-                userId: olms.userId
-            })
+        // Get OLMs for the current user (including archived OLMs)
+        const list = await db
+            .select()
             .from(olms)
             .where(eq(olms.userId, userId))
+            .leftJoin(fingerprints, eq(olms.olmId, fingerprints.olmId))
             .orderBy(desc(olms.dateCreated))
             .limit(limit)
             .offset(offset);
 
+        const userOlms = list.map((item) => {
+            const model = item.fingerprints?.deviceModel || null;
+            const newName = getUserDeviceName(model, item.olms.name);
+
+            return {
+                olmId: item.olms.olmId,
+                dateCreated: item.olms.dateCreated,
+                version: item.olms.version,
+                name: newName,
+                clientId: item.olms.clientId,
+                userId: item.olms.userId,
+                archived: item.olms.archived
+            };
+        });
+
         return response<ListUserOlmsResponse>(res, {
             data: {
                 olms: userOlms,

server/routers/olm/peers.ts

@@ -32,20 +32,24 @@ export async function addPeer(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: "olm/wg/peer/add",
-        data: {
-            siteId: peer.siteId,
-            name: peer.name,
-            publicKey: peer.publicKey,
-            endpoint: peer.endpoint,
-            relayEndpoint: peer.relayEndpoint,
-            serverIP: peer.serverIP,
-            serverPort: peer.serverPort,
-            remoteSubnets: peer.remoteSubnets, // optional, comma-separated list of subnets that this site can access
-            aliases: peer.aliases
-        }
-    }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: "olm/wg/peer/add",
+            data: {
+                siteId: peer.siteId,
+                name: peer.name,
+                publicKey: peer.publicKey,
+                endpoint: peer.endpoint,
+                relayEndpoint: peer.relayEndpoint,
+                serverIP: peer.serverIP,
+                serverPort: peer.serverPort,
+                remoteSubnets: peer.remoteSubnets, // optional, comma-separated list of subnets that this site can access
+                aliases: peer.aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -70,13 +74,17 @@ export async function deletePeer(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: "olm/wg/peer/remove",
-        data: {
-            publicKey,
-            siteId: siteId
-        }
-    }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: "olm/wg/peer/remove",
+            data: {
+                publicKey,
+                siteId: siteId
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -109,19 +117,23 @@ export async function updatePeer(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: "olm/wg/peer/update",
-        data: {
-            siteId: peer.siteId,
-            publicKey: peer.publicKey,
-            endpoint: peer.endpoint,
-            relayEndpoint: peer.relayEndpoint,
-            serverIP: peer.serverIP,
-            serverPort: peer.serverPort,
-            remoteSubnets: peer.remoteSubnets,
-            aliases: peer.aliases
-        }
-    }).catch((error) => {
+    await sendToClient(
+        olmId,
+        {
+            type: "olm/wg/peer/update",
+            data: {
+                siteId: peer.siteId,
+                publicKey: peer.publicKey,
+                endpoint: peer.endpoint,
+                relayEndpoint: peer.relayEndpoint,
+                serverIP: peer.serverIP,
+                serverPort: peer.serverPort,
+                remoteSubnets: peer.remoteSubnets,
+                aliases: peer.aliases
+            }
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -151,17 +163,21 @@ export async function initPeerAddHandshake(
         olmId = olm.olmId;
     }
 
-    await sendToClient(olmId, {
-        type: "olm/wg/peer/holepunch/site/add",
-        data: {
-            siteId: peer.siteId,
-            exitNode: {
-                publicKey: peer.exitNode.publicKey,
-                relayPort: config.getRawConfig().gerbil.clients_start_port,
-                endpoint: peer.exitNode.endpoint
+    await sendToClient(
+        olmId,
+        {
+            type: "olm/wg/peer/holepunch/site/add",
+            data: {
+                siteId: peer.siteId,
+                exitNode: {
+                    publicKey: peer.exitNode.publicKey,
+                    relayPort: config.getRawConfig().gerbil.clients_start_port,
+                    endpoint: peer.exitNode.endpoint
+                }
             }
-        }
-    }).catch((error) => {
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 

server/routers/olm/recoverOlmWithFingerprint.ts

@@ -0,0 +1,120 @@
+import { db, fingerprints, olms } from "@server/db";
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import { and, eq } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import response from "@server/lib/response";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import { generateId } from "@server/auth/sessions/app";
+import { hashPassword } from "@server/auth/password";
+
+const paramsSchema = z
+    .object({
+        userId: z.string()
+    })
+    .strict();
+
+const bodySchema = z
+    .object({
+        platformFingerprint: z.string()
+    })
+    .strict();
+
+export async function recoverOlmWithFingerprint(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { userId } = parsedParams.data;
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { platformFingerprint } = parsedBody.data;
+
+        const result = await db
+            .select({
+                olm: olms,
+                fingerprint: fingerprints
+            })
+            .from(olms)
+            .innerJoin(fingerprints, eq(fingerprints.olmId, olms.olmId))
+            .where(
+                and(
+                    eq(olms.userId, userId),
+                    eq(olms.archived, false),
+                    eq(fingerprints.platformFingerprint, platformFingerprint)
+                )
+            )
+            .orderBy(fingerprints.lastSeen);
+
+        if (!result || result.length == 0) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "corresponding olm with this fingerprint not found"
+                )
+            );
+        }
+
+        if (result.length > 1) {
+            return next(
+                createHttpError(
+                    HttpCode.CONFLICT,
+                    "multiple matching fingerprints found, not resetting secrets"
+                )
+            );
+        }
+
+        const [{ olm: foundOlm }] = result;
+
+        const newSecret = generateId(48);
+        const newSecretHash = await hashPassword(newSecret);
+
+        await db
+            .update(olms)
+            .set({
+                secretHash: newSecretHash
+            })
+            .where(eq(olms.olmId, foundOlm.olmId));
+
+        return response(res, {
+            data: {
+                olmId: foundOlm.olmId,
+                secret: newSecret
+            },
+            success: true,
+            error: false,
+            message: "Successfully retrieved olm",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to recover olm using provided fingerprint input"
+            )
+        );
+    }
+}

server/routers/olm/sync.ts

@@ -0,0 +1,80 @@
+import { Client, db, exitNodes, Olm, sites, clientSitesAssociationsCache } from "@server/db";
+import { buildSiteConfigurationForOlmClient } from "./buildConfiguration";
+import { sendToClient } from "#dynamic/routers/ws";
+import logger from "@server/logger";
+import { eq, inArray } from "drizzle-orm";
+import config from "@server/lib/config";
+
+export async function sendOlmSyncMessage(olm: Olm, client: Client) {
+    // NOTE: WE ARE HARDCODING THE RELAY PARAMETER TO FALSE HERE BUT IN THE REGISTER MESSAGE ITS DEFINED BY THE CLIENT
+    const siteConfigurations = await buildSiteConfigurationForOlmClient(
+        client,
+        client.pubKey,
+        false
+    );
+
+    // Get all exit nodes from sites where the client has peers
+    const clientSites = await db
+        .select()
+        .from(clientSitesAssociationsCache)
+        .innerJoin(
+            sites,
+            eq(sites.siteId, clientSitesAssociationsCache.siteId)
+        )
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+
+    // Extract unique exit node IDs
+    const exitNodeIds = Array.from(
+        new Set(
+            clientSites
+                .map(({ sites: site }) => site.exitNodeId)
+                .filter((id): id is number => id !== null)
+        )
+    );
+
+    let exitNodesData: {
+        publicKey: string;
+        relayPort: number;
+        endpoint: string;
+        siteIds: number[];
+    }[] = [];
+
+    if (exitNodeIds.length > 0) {
+        const allExitNodes = await db
+            .select()
+            .from(exitNodes)
+            .where(inArray(exitNodes.exitNodeId, exitNodeIds));
+
+        // Map exitNodeId to siteIds
+        const exitNodeIdToSiteIds: Record<number, number[]> = {};
+        for (const { sites: site } of clientSites) {
+            if (site.exitNodeId !== null) {
+                if (!exitNodeIdToSiteIds[site.exitNodeId]) {
+                    exitNodeIdToSiteIds[site.exitNodeId] = [];
+                }
+                exitNodeIdToSiteIds[site.exitNodeId].push(site.siteId);
+            }
+        }
+
+        exitNodesData = allExitNodes.map((exitNode) => {
+            return {
+                publicKey: exitNode.publicKey,
+                relayPort: config.getRawConfig().gerbil.clients_start_port,
+                endpoint: exitNode.endpoint,
+                siteIds: exitNodeIdToSiteIds[exitNode.exitNodeId] ?? []
+            };
+        });
+    }
+
+    logger.debug("sendOlmSyncMessage: sending sync message")
+
+    await sendToClient(olm.olmId, {
+        type: "olm/sync",
+        data: {
+            sites: siteConfigurations,
+            exitNodes: exitNodesData
+        }
+    }).catch((error) => {
+        logger.warn(`Error sending olm sync message:`, error);
+    });
+}

server/routers/olm/unarchiveUserOlm.ts

@@ -0,0 +1,84 @@
+import { NextFunction, Request, Response } from "express";
+import { db } from "@server/db";
+import { olms } from "@server/db";
+import { eq } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import response from "@server/lib/response";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import logger from "@server/logger";
+
+const paramsSchema = z
+    .object({
+        userId: z.string(),
+        olmId: z.string()
+    })
+    .strict();
+
+export async function unarchiveUserOlm(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { olmId } = parsedParams.data;
+
+        // Check if OLM exists and is archived
+        const [olm] = await db
+            .select()
+            .from(olms)
+            .where(eq(olms.olmId, olmId))
+            .limit(1);
+
+        if (!olm) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `OLM with ID ${olmId} not found`
+                )
+            );
+        }
+
+        if (!olm.archived) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `OLM with ID ${olmId} is not archived`
+                )
+            );
+        }
+
+        // Unarchive the OLM (set archived to false)
+        await db
+            .update(olms)
+            .set({ archived: false })
+            .where(eq(olms.olmId, olmId));
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Device unarchived successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to unarchive device"
+            )
+        );
+    }
+}

server/routers/role/createRole.ts

@@ -10,6 +10,8 @@ import { fromError } from "zod-validation-error";
 import { ActionsEnum } from "@server/auth/actions";
 import { eq, and } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
+import { build } from "@server/build";
+import { isLicensedOrSubscribed } from "@server/lib/isLicencedOrSubscribed";
 
 const createRoleParamsSchema = z.strictObject({
     orgId: z.string()
@@ -17,7 +19,8 @@ const createRoleParamsSchema = z.strictObject({
 
 const createRoleSchema = z.strictObject({
     name: z.string().min(1).max(255),
-    description: z.string().optional()
+    description: z.string().optional(),
+    requireDeviceApproval: z.boolean().optional()
 });
 
 export const defaultRoleAllowedActions: ActionsEnum[] = [
@@ -97,6 +100,11 @@ export async function createRole(
             );
         }
 
+        const isLicensed = await isLicensedOrSubscribed(orgId);
+        if (build === "oss" || !isLicensed) {
+            roleData.requireDeviceApproval = undefined;
+        }
+
         await db.transaction(async (trx) => {
             const newRole = await trx
                 .insert(roles)

server/routers/role/listRoles.ts

@@ -1,15 +1,13 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { roles, orgs } from "@server/db";
+import { db, orgs, roles } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { sql, eq } from "drizzle-orm";
 import logger from "@server/logger";
-import { fromError } from "zod-validation-error";
-import stoi from "@server/lib/stoi";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import { eq, sql } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
 
 const listRolesParamsSchema = z.strictObject({
     orgId: z.string()
@@ -38,7 +36,8 @@ async function queryRoles(orgId: string, limit: number, offset: number) {
             isAdmin: roles.isAdmin,
             name: roles.name,
             description: roles.description,
-            orgName: orgs.name
+            orgName: orgs.name,
+            requireDeviceApproval: roles.requireDeviceApproval
         })
         .from(roles)
         .leftJoin(orgs, eq(roles.orgId, orgs.orgId))