Show the source in the UI

Fix the source of the cli blueprint
add ios and android to readme
2026-01-29 06:10:47 +00:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00 · 2026-01-22 15:18:27 -08:00
324 changed files with 23912 additions and 7931 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -17,7 +17,7 @@ on:
    push:
        tags:
            - "[0-9]+.[0-9]+.[0-9]+"
-            - "[0-9]+.[0-9]+.[0-9]+.rc.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"

 concurrency:
  group: ${{ github.ref }}
@@ -29,7 +29,7 @@ jobs:
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
@@ -95,10 +95,25 @@ jobs:
                  cat server/lib/consts.ts
              shell: bash

+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
            - name: Build and push Docker images (Docker Hub - ARM64)
              run: |
                  TAG=${{ env.TAG }}
-                  make build-release-arm tag=$TAG
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash

@@ -152,15 +167,30 @@ jobs:
                  cat server/lib/consts.ts
              shell: bash

+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
            - name: Build and push Docker images (Docker Hub - AMD64)
              run: |
                  TAG=${{ env.TAG }}
-                  make build-release-amd tag=$TAG
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
              shell: bash

-    sign-and-package:
-        name: Sign and Package
+    create-manifest:
+        name: Create Multi-Arch Manifests
        runs-on: [self-hosted, linux, x64, us-east-1]
        needs: [release-arm, release-amd]
        if: >-
@@ -168,6 +198,55 @@ jobs:
                needs.release-arm.result == 'success' &&
                needs.release-amd.result == 'success'
            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
        # Job-level timeout to avoid runaway or stuck runs
        timeout-minutes: 120
        env:
@@ -185,7 +264,7 @@ jobs:
              shell: bash

            - name: Install Go
-              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
              with:
                  go-version: 1.24

@@ -228,7 +307,7 @@ jobs:
                  make go-build-release

            - name: Upload artifacts from /install/bin
-              uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
              with:
                  name: install-bin
                  path: install/bin/
@@ -243,22 +322,96 @@ jobs:
              shell: bash

            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
              shell: bash

-            - name: Copy tag from Docker Hub to GHCR
-              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+            - name: Copy tags from Docker Hub to GHCR
+              # Mirror the already-built images (all architectures) to GHCR so we can sign them
              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
              run: |
                  set -euo pipefail
                  TAG=${{ env.TAG }}
-                  echo "Waiting for multi-arch manifest to be ready..."
+                  MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                  MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+
+                  echo "Waiting for multi-arch manifests to be ready..."
                  sleep 30
-                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
-                  skopeo copy --all --retry-times 3 \
-                    docker://$DOCKERHUB_IMAGE:$TAG \
-                    docker://$GHCR_IMAGE:$TAG
+
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      IS_RC="true"
+                  fi
+
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release detected - copying version-specific tags only"
+
+                      # SQLite OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:$TAG \
+                        docker://$GHCR_IMAGE:$TAG
+
+                      # PostgreSQL OSS
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:postgresql-$TAG \
+                        docker://$GHCR_IMAGE:postgresql-$TAG
+
+                      # SQLite Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-$TAG \
+                        docker://$GHCR_IMAGE:ee-$TAG
+
+                      # PostgreSQL Enterprise
+                      echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG}"
+                      skopeo copy --all --retry-times 3 \
+                        docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG \
+                        docker://$GHCR_IMAGE:ee-postgresql-$TAG
+                  else
+                      echo "Regular release detected - copying all tags (latest, major, minor, full version)"
+
+                      # SQLite OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:$TAG_SUFFIX
+                      done
+
+                      # PostgreSQL OSS - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:postgresql-$TAG_SUFFIX
+                      done
+
+                      # SQLite Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-$TAG_SUFFIX
+                      done
+
+                      # PostgreSQL Enterprise - all tags
+                      for TAG_SUFFIX in "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"; do
+                          echo "Copying ${{ env.DOCKERHUB_IMAGE }}:ee-postgresql-${TAG_SUFFIX} -> ${{ env.GHCR_IMAGE }}:ee-postgresql-${TAG_SUFFIX}"
+                          skopeo copy --all --retry-times 3 \
+                            docker://$DOCKERHUB_IMAGE:ee-postgresql-$TAG_SUFFIX \
+                            docker://$GHCR_IMAGE:ee-postgresql-$TAG_SUFFIX
+                      done
+                  fi
+
+                  echo "All images copied successfully to GHCR!"
              shell: bash

            - name: Login to GitHub Container Registry (for cosign)
@@ -287,45 +440,80 @@ jobs:
                  issuer="https://token.actions.githubusercontent.com"
                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)

-                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
-                    echo "Processing ${IMAGE}:${TAG}"
+                  # Determine if this is an RC release
+                  IS_RC="false"
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      IS_RC="true"
+                  fi

-                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
-                    REF="${IMAGE}@${DIGEST}"
-                    echo "Resolved digest: ${REF}"
+                  # Define image variants to sign
+                  if [ "$IS_RC" = "true" ]; then
+                      echo "RC release - signing version-specific tags only"
+                      IMAGE_TAGS=(
+                          "${TAG}"
+                          "postgresql-${TAG}"
+                          "ee-${TAG}"
+                          "ee-postgresql-${TAG}"
+                      )
+                  else
+                      echo "Regular release - signing all tags"
+                      MAJOR_TAG=$(echo $TAG | cut -d. -f1)
+                      MINOR_TAG=$(echo $TAG | cut -d. -f1,2)
+                      IMAGE_TAGS=(
+                          "latest" "$MAJOR_TAG" "$MINOR_TAG" "$TAG"
+                          "postgresql-latest" "postgresql-$MAJOR_TAG" "postgresql-$MINOR_TAG" "postgresql-$TAG"
+                          "ee-latest" "ee-$MAJOR_TAG" "ee-$MINOR_TAG" "ee-$TAG"
+                          "ee-postgresql-latest" "ee-postgresql-$MAJOR_TAG" "ee-postgresql-$MINOR_TAG" "ee-postgresql-$TAG"
+                      )
+                  fi

-                    echo "==> cosign sign (keyless) --recursive ${REF}"
-                    cosign sign --recursive "${REF}"
+                  # Sign each image variant for both registries
+                  for BASE_IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    for IMAGE_TAG in "${IMAGE_TAGS[@]}"; do
+                      echo "Processing ${BASE_IMAGE}:${IMAGE_TAG}"

-                    echo "==> cosign sign (key) --recursive ${REF}"
-                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+                      DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${IMAGE_TAG} | jq -r '.Digest')"
+                      REF="${BASE_IMAGE}@${DIGEST}"
+                      echo "Resolved digest: ${REF}"

-                    echo "==> cosign verify (public key) ${REF}"
-                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+                      echo "==> cosign sign (keyless) --recursive ${REF}"
+                      cosign sign --recursive "${REF}"

-                    echo "==> cosign verify (keyless policy) ${REF}"
-                    cosign verify \
-                      --certificate-oidc-issuer "${issuer}" \
-                      --certificate-identity-regexp "${id_regex}" \
-                      "${REF}" -o text
+                      echo "==> cosign sign (key) --recursive ${REF}"
+                      cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                      echo "==> cosign verify (public key) ${REF}"
+                      cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                      echo "==> cosign verify (keyless policy) ${REF}"
+                      cosign verify \
+                        --certificate-oidc-issuer "${issuer}" \
+                        --certificate-identity-regexp "${id_regex}" \
+                        "${REF}" -o text
+
+                      echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
+                    done
                  done
+
+                  echo "All images signed and verified successfully!"
              shell: bash

    post-run:
-        needs: [pre-run, release-arm, release-amd, sign-and-package]
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
        if: >-
            ${{
                always() &&
                needs.pre-run.result == 'success' &&
                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
            }}
        runs-on: ubuntu-latest
        permissions: write-all
        steps:
            - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v2
+              uses: aws-actions/configure-aws-credentials@v5
              with:
                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
                  role-duration-seconds: 3600
--- a/.github/workflows/cicd.yml.backup
+++ b/.github/workflows/cicd.yml.backup
@@ -0,0 +1,426 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+# Required secrets:
+# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub
+# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing
+# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+"
+            - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-arm tag=$TAG
+                  else
+                      make build-release-arm tag=$TAG
+                  fi
+                  echo "Built & pushed ARM64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    release-amd:
+        name: Build and Release (AMD64)
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - AMD64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make build-rc-amd tag=$TAG
+                  else
+                      make build-release-amd tag=$TAG
+                  fi
+                  echo "Built & pushed AMD64 images to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}"
+              shell: bash
+
+    create-manifest:
+        name: Create Multi-Arch Manifests
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success'
+            }}
+        timeout-minutes: 30
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Log in to Docker Hub
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: docker.io
+                  username: ${{ secrets.DOCKER_HUB_USERNAME }}
+                  password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Check if release candidate
+              id: check-rc
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [[ "$TAG" == *"-rc."* ]]; then
+                      echo "IS_RC=true" >> $GITHUB_ENV
+                  else
+                      echo "IS_RC=false" >> $GITHUB_ENV
+                  fi
+              shell: bash
+
+            - name: Create multi-arch manifests
+              run: |
+                  TAG=${{ env.TAG }}
+                  if [ "$IS_RC" = "true" ]; then
+                      make create-manifests-rc tag=$TAG
+                  else
+                      make create-manifests tag=$TAG
+                  fi
+                  echo "Created multi-arch manifests for tag: ${TAG}"
+              shell: bash
+
+    sign-and-package:
+        name: Sign and Package
+        runs-on: [self-hosted, linux, x64, us-east-1]
+        needs: [release-arm, release-amd, create-manifest]
+        if: >-
+            ${{
+                needs.release-arm.result == 'success' &&
+                needs.release-amd.result == 'success' &&
+                needs.create-manifest.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Install Go
+              uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+              with:
+                  go-version: 1.24
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Pull latest Gerbil version
+              id: get-gerbil-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name')
+                  echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Pull latest Badger version
+              id: get-badger-tag
+              run: |
+                  LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name')
+                  echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update install/main.go
+              run: |
+                  PANGOLIN_VERSION=${{ env.TAG }}
+                  GERBIL_VERSION=${{ env.LATEST_GERBIL_TAG }}
+                  BADGER_VERSION=${{ env.LATEST_BADGER_TAG }}
+                  sed -i "s/config.PangolinVersion = \".*\"/config.PangolinVersion = \"$PANGOLIN_VERSION\"/" install/main.go
+                  sed -i "s/config.GerbilVersion = \".*\"/config.GerbilVersion = \"$GERBIL_VERSION\"/" install/main.go
+                  sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go
+                  echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION"
+                  cat install/main.go
+              shell: bash
+
+            - name: Build installer
+              working-directory: install
+              run: |
+                  make go-build-release
+
+            - name: Upload artifacts from /install/bin
+              uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+              with:
+                  name: install-bin
+                  path: install/bin/
+
+            - name: Install skopeo + jq
+              # skopeo: copy/inspect images between registries
+              # jq: JSON parsing tool used to extract digest values
+              run: |
+                  sudo apt-get update -y
+                  sudo apt-get install -y skopeo jq
+                  skopeo --version
+              shell: bash
+
+            - name: Login to GHCR
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  mkdir -p "$(dirname "$REGISTRY_AUTH_FILE")"
+                  skopeo login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
+              shell: bash
+
+            - name: Copy tag from Docker Hub to GHCR
+              # Mirror the already-built image (all architectures) to GHCR so we can sign it
+              # Wait a bit for both architectures to be available in Docker Hub manifest
+              env:
+                  REGISTRY_AUTH_FILE: ${{ runner.temp }}/containers/auth.json
+              run: |
+                  set -euo pipefail
+                  TAG=${{ env.TAG }}
+                  echo "Waiting for multi-arch manifest to be ready..."
+                  sleep 30
+                  echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}"
+                  skopeo copy --all --retry-times 3 \
+                    docker://$DOCKERHUB_IMAGE:$TAG \
+                    docker://$GHCR_IMAGE:$TAG
+              shell: bash
+
+            - name: Login to GitHub Container Registry (for cosign)
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install cosign
+              # cosign is used to sign and verify container images (key and keyless)
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Dual-sign and verify (GHCR & Docker Hub)
+              # Sign each image by digest using keyless (OIDC) and key-based signing,
+              # then verify both the public key signature and the keyless OIDC signature.
+              env:
+                  TAG: ${{ env.TAG }}
+                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+                  COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
+                  COSIGN_YES: "true"
+              run: |
+                  set -euo pipefail
+
+                  issuer="https://token.actions.githubusercontent.com"
+                  id_regex="^https://github.com/${{ github.repository }}/.+"  # accept this repo (all workflows/refs)
+
+                  for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do
+                    echo "Processing ${IMAGE}:${TAG}"
+
+                    DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')"
+                    REF="${IMAGE}@${DIGEST}"
+                    echo "Resolved digest: ${REF}"
+
+                    echo "==> cosign sign (keyless) --recursive ${REF}"
+                    cosign sign --recursive "${REF}"
+
+                    echo "==> cosign sign (key) --recursive ${REF}"
+                    cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+
+                    echo "==> cosign verify (public key) ${REF}"
+                    cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+
+                    echo "==> cosign verify (keyless policy) ${REF}"
+                    cosign verify \
+                      --certificate-oidc-issuer "${issuer}" \
+                      --certificate-identity-regexp "${id_regex}" \
+                      "${REF}" -o text
+                  done
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm, release-amd, create-manifest, sign-and-package]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure') &&
+                (needs.release-amd.result == 'success' || needs.release-amd.result == 'skipped' || needs.release-amd.result == 'failure') &&
+                (needs.create-manifest.result == 'success' || needs.create-manifest.result == 'skipped' || needs.create-manifest.result == 'failure') &&
+                (needs.sign-and-package.result == 'success' || needs.sign-and-package.result == 'skipped' || needs.sign-and-package.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v2
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_AMD_RUNNER }}
+                  echo "EC2 instances stopped"
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -24,7 +24,7 @@ jobs:
              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

            - name: Set up Node.js
-              uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+              uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
              with:
                node-version: '22'

--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -45,7 +45,7 @@ jobs:
        run: |
          set -euo pipefail
          skopeo list-tags --retry-times 3 docker://"${SOURCE_IMAGE}" \
-            | jq -r '.Tags[]' | sort -u > src-tags.txt
+            | jq -r '.Tags[]' | grep -v -e '-arm64' -e '-amd64' | sort -u > src-tags.txt
          echo "Found source tags: $(wc -l < src-tags.txt)"
          head -n 20 src-tags.txt || true

--- a/.github/workflows/restart-runners.yml
+++ b/.github/workflows/restart-runners.yml
@@ -14,7 +14,7 @@ jobs:
    permissions: write-all
    steps:
      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          role-duration-seconds: 3600
--- a/.github/workflows/saas.yml
+++ b/.github/workflows/saas.yml
@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries.
+# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events.
+
+permissions:
+  contents: read
+  packages: write      # for GHCR push
+  id-token: write      # for Cosign Keyless (OIDC) Signing
+
+on:
+    push:
+        tags:
+            - "[0-9]+.[0-9]+.[0-9]+-s.[0-9]+"
+
+concurrency:
+  group: ${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+    pre-run:
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Start EC2 instances
+              run: |
+                  aws ec2 start-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances started"
+
+
+    release-arm:
+        name: Build and Release (ARM64)
+        runs-on: [self-hosted, linux, arm64, us-east-1]
+        needs: [pre-run]
+        if: >-
+            ${{
+                needs.pre-run.result == 'success'
+            }}
+        # Job-level timeout to avoid runaway or stuck runs
+        timeout-minutes: 120
+        env:
+          # Target images
+          AWS_IMAGE: ${{ secrets.aws_account_id }}.dkr.ecr.us-east-1.amazonaws.com/${{ github.event.repository.name }}
+
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Monitor storage space
+              run: |
+                  THRESHOLD=75
+                  USED_SPACE=$(df / | grep / | awk '{ print $5 }' | sed 's/%//g')
+                  echo "Used space: $USED_SPACE%"
+                  if [ "$USED_SPACE" -ge "$THRESHOLD" ]; then
+                      echo "Used space is below the threshold of 75% free. Running Docker system prune."
+                      echo y | docker system prune -a
+                  else
+                      echo "Storage space is above the threshold. No action needed."
+                  fi
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.aws_account_id }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Login to Amazon ECR
+              id: login-ecr
+              uses: aws-actions/amazon-ecr-login@v2
+
+            - name: Extract tag name
+              id: get-tag
+              run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+              shell: bash
+
+            - name: Update version in package.json
+              run: |
+                  TAG=${{ env.TAG }}
+                  sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts
+                  cat server/lib/consts.ts
+              shell: bash
+
+            - name: Build and push Docker images (Docker Hub - ARM64)
+              run: |
+                  TAG=${{ env.TAG }}
+                  make build-saas tag=$TAG
+                  echo "Built & pushed ARM64 images to: ${{ env.AWS_IMAGE }}:${TAG}"
+              shell: bash
+
+    post-run:
+        needs: [pre-run, release-arm]
+        if: >-
+            ${{
+                always() &&
+                needs.pre-run.result == 'success' &&
+                (needs.release-arm.result == 'success' || needs.release-arm.result == 'skipped' || needs.release-arm.result == 'failure')
+            }}
+        runs-on: ubuntu-latest
+        permissions: write-all
+        steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v5
+              with:
+                  role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+                  role-duration-seconds: 3600
+                  aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Verify AWS identity
+              run: aws sts get-caller-identity
+
+            - name: Stop EC2 instances
+              run: |
+                  aws ec2 stop-instances --instance-ids ${{ secrets.EC2_INSTANCE_ID_ARM_RUNNER }}
+                  echo "EC2 instances stopped"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Install Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '22'

--- a/.gitignore
+++ b/.gitignore
@@ -50,4 +50,5 @@ dynamic/
 *.mmdb
 scratch/
 tsconfig.json
-hydrateSaas.ts
+hydrateSaas.ts
+CLAUDE.md
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -4,13 +4,13 @@
    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "[jsonc]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.json-language-features"
    },
    "[javascript]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescript]": {
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "vscode.typescript-language-features"
    },
    "[typescriptreact]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
@@ -19,4 +19,4 @@
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "editor.formatOnSave": true
-}
+}
--- a/25
+++ b/25
@@ -1,10 +1,20 @@
 FROM node:24-alpine AS builder

+# OCI Image Labels - Build Args for dynamic values
+ARG VERSION="dev"
+ARG REVISION=""
+ARG CREATED=""
+ARG LICENSE="AGPL-3.0"
+
 WORKDIR /app

 ARG BUILD=oss
 ARG DATABASE=sqlite

+# Derive title and description based on BUILD type
+ARG IMAGE_TITLE="Pangolin"
+ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 RUN apk add --no-cache curl tzdata python3 make g++

 # COPY package.json package-lock.json ./
@@ -67,6 +77,21 @@ COPY ./cli/wrapper.sh /usr/local/bin/pangctl
 RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs

 COPY server/db/names.json ./dist/names.json
+COPY server/db/ios_models.json ./dist/ios_models.json
+COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public

+# OCI Image Labels
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md
+LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.url="https://github.com/fosrl/pangolin" \
+      org.opencontainers.image.documentation="https://docs.pangolin.net" \
+      org.opencontainers.image.vendor="Fossorial" \
+      org.opencontainers.image.licenses="${LICENSE}" \
+      org.opencontainers.image.title="${IMAGE_TITLE}" \
+      org.opencontainers.image.description="${IMAGE_DESCRIPTION}" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${REVISION}" \
+      org.opencontainers.image.created="${CREATED}"
+
 CMD ["npm", "run", "start"]
--- a/399
+++ b/399
@@ -1,8 +1,27 @@
-.PHONY: build build-pg build-release build-release-arm build-release-amd build-arm build-x86 test clean
+.PHONY: build build-pg build-release build-release-arm build-release-amd create-manifests build-arm build-x86 test clean

 major_tag := $(shell echo $(tag) | cut -d. -f1)
 minor_tag := $(shell echo $(tag) | cut -d. -f1,2)

+# OCI label variables
+CREATED := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
+REVISION := $(shell git rev-parse HEAD 2>/dev/null || echo "unknown")
+
+# Common OCI build args for OSS builds
+OCI_ARGS_OSS = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg IMAGE_TITLE="Pangolin" \
+	--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"
+
+# Common OCI build args for Enterprise builds
+OCI_ARGS_EE = --build-arg VERSION=$(tag) \
+	--build-arg REVISION=$(REVISION) \
+	--build-arg CREATED=$(CREATED) \
+	--build-arg LICENSE="Fossorial Commercial" \
+	--build-arg IMAGE_TITLE="Pangolin EE" \
+	--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere"
+
 .PHONY: build-release build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql

 build-release: build-sqlite build-postgresql build-ee-sqlite build-ee-postgresql
@@ -15,6 +34,7 @@ build-sqlite:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$(major_tag) \
@@ -30,6 +50,7 @@ build-postgresql:
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_OSS) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$(major_tag) \
@@ -45,6 +66,7 @@ build-ee-sqlite:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$(major_tag) \
@@ -60,6 +82,7 @@ build-ee-postgresql:
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		$(OCI_ARGS_EE) \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$(major_tag) \
@@ -67,6 +90,18 @@ build-ee-postgresql:
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .

+build-saas:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
+		exit 1; \
+	fi
+	docker buildx build \
+		--build-arg BUILD=saas \
+		--build-arg DATABASE=pg \
+		--platform linux/arm64 \
+		--tag $(AWS_IMAGE):$(tag) \
+		--push .
+
 build-release-arm:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release-arm tag=<tag>"; \
@@ -74,41 +109,65 @@ build-release-arm:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:latest \
-		--tag fosrl/pangolin:$$MAJOR_TAG \
-		--tag fosrl/pangolin:$$MINOR_TAG \
-		--tag fosrl/pangolin:$(tag) \
+		--tag fosrl/pangolin:latest-arm64 \
+		--tag fosrl/pangolin:$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:postgresql-latest \
-		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
-		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
-		--tag fosrl/pangolin:postgresql-$(tag) \
+		--tag fosrl/pangolin:postgresql-latest-arm64 \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:ee-latest \
-		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
-		--tag fosrl/pangolin:ee-$$MINOR_TAG \
-		--tag fosrl/pangolin:ee-$(tag) \
+		--tag fosrl/pangolin:ee-latest-arm64 \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-$(tag)-arm64 \
 		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64 \
-		--tag fosrl/pangolin:ee-postgresql-latest \
-		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
-		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
-		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		--tag fosrl/pangolin:ee-postgresql-latest-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
 		--push .

 build-release-amd:
@@ -118,84 +177,344 @@ build-release-amd:
 	fi
 	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
 	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/amd64 \
+		--tag fosrl/pangolin:latest-amd64 \
+		--tag fosrl/pangolin:$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:postgresql-latest-amd64 \
+		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:postgresql-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-latest-amd64 \
+		--tag fosrl/pangolin:ee-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-latest-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG-amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
+		--push .
+
+create-manifests:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make create-manifests tag=<tag>"; \
+		exit 1; \
+	fi
+	@MAJOR_TAG=$$(echo $(tag) | cut -d. -f1); \
+	MINOR_TAG=$$(echo $(tag) | cut -d. -f1,2); \
+	echo "Creating multi-arch manifests for sqlite (oss)..." && \
+	docker buildx imagetools create \
 		--tag fosrl/pangolin:latest \
 		--tag fosrl/pangolin:$$MAJOR_TAG \
 		--tag fosrl/pangolin:$$MINOR_TAG \
 		--tag fosrl/pangolin:$(tag) \
-		--push . && \
-	docker buildx build \
-		--build-arg BUILD=oss \
-		--build-arg DATABASE=pg \
-		--platform linux/amd64 \
+		fosrl/pangolin:latest-arm64 \
+		fosrl/pangolin:latest-amd64 && \
+	echo "Creating multi-arch manifests for postgresql (oss)..." && \
+	docker buildx imagetools create \
 		--tag fosrl/pangolin:postgresql-latest \
 		--tag fosrl/pangolin:postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push . && \
-	docker buildx build \
-		--build-arg BUILD=enterprise \
-		--build-arg DATABASE=sqlite \
-		--platform linux/amd64 \
+		fosrl/pangolin:postgresql-latest-arm64 \
+		fosrl/pangolin:postgresql-latest-amd64 && \
+	echo "Creating multi-arch manifests for sqlite (enterprise)..." && \
+	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-latest \
 		--tag fosrl/pangolin:ee-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push . && \
-	docker buildx build \
-		--build-arg BUILD=enterprise \
-		--build-arg DATABASE=pg \
-		--platform linux/amd64 \
+		fosrl/pangolin:ee-latest-arm64 \
+		fosrl/pangolin:ee-latest-amd64 && \
+	echo "Creating multi-arch manifests for postgresql (enterprise)..." && \
+	docker buildx imagetools create \
 		--tag fosrl/pangolin:ee-postgresql-latest \
 		--tag fosrl/pangolin:ee-postgresql-$$MAJOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$$MINOR_TAG \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
-		--push .
+		fosrl/pangolin:ee-postgresql-latest-arm64 \
+		fosrl/pangolin:ee-postgresql-latest-amd64 && \
+	echo "All multi-arch manifests created successfully!"

 build-rc:
 	@if [ -z "$(tag)" ]; then \
 		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=oss \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:postgresql-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-$(tag) \
-		--push .
+		--push . && \
 	docker buildx build \
 		--build-arg BUILD=enterprise \
 		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
 		--platform linux/arm64,linux/amd64 \
 		--tag fosrl/pangolin:ee-postgresql-$(tag) \
 		--push .

+build-rc-arm:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-rc-arm tag=<tag>"; \
+		exit 1; \
+	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-$(tag)-arm64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
+		--push .
+
+build-rc-amd:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make build-rc-amd tag=<tag>"; \
+		exit 1; \
+	fi
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=oss \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:postgresql-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-$(tag)-amd64 \
+		--push . && \
+	docker buildx build \
+		--build-arg BUILD=enterprise \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=$(tag) \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg LICENSE="Fossorial Commercial" \
+		--build-arg IMAGE_TITLE="Pangolin EE" \
+		--build-arg IMAGE_DESCRIPTION="Pangolin Enterprise Edition - Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		--tag fosrl/pangolin:ee-postgresql-$(tag)-amd64 \
+		--push .
+
+create-manifests-rc:
+	@if [ -z "$(tag)" ]; then \
+		echo "Error: tag is required. Usage: make create-manifests-rc tag=<tag>"; \
+		exit 1; \
+	fi
+	@echo "Creating multi-arch manifests for RC sqlite (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:$(tag) \
+		fosrl/pangolin:$(tag)-arm64 \
+		fosrl/pangolin:$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC postgresql (oss)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:postgresql-$(tag) \
+		fosrl/pangolin:postgresql-$(tag)-arm64 \
+		fosrl/pangolin:postgresql-$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC sqlite (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-$(tag) \
+		fosrl/pangolin:ee-$(tag)-arm64 \
+		fosrl/pangolin:ee-$(tag)-amd64 && \
+	echo "Creating multi-arch manifests for RC postgresql (enterprise)..." && \
+	docker buildx imagetools create \
+		--tag fosrl/pangolin:ee-postgresql-$(tag) \
+		fosrl/pangolin:ee-postgresql-$(tag)-arm64 \
+		fosrl/pangolin:ee-postgresql-$(tag)-amd64 && \
+	echo "All RC multi-arch manifests created successfully!"
+
 build-arm:
-	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/arm64 \
+		-t fosrl/pangolin:latest .

 build-x86:
-	docker buildx build --platform linux/amd64 -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker buildx build \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		--platform linux/amd64 \
+		-t fosrl/pangolin:latest .

 dev-build-sqlite:
-	docker build --build-arg DATABASE=sqlite -t fosrl/pangolin:latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=sqlite \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:latest .

 dev-build-pg:
-	docker build --build-arg DATABASE=pg -t fosrl/pangolin:postgresql-latest .
+	@CREATED=$$(date -u +"%Y-%m-%dT%H:%M:%SZ"); \
+	REVISION=$$(git rev-parse HEAD 2>/dev/null || echo "unknown"); \
+	docker build \
+		--build-arg DATABASE=pg \
+		--build-arg VERSION=dev \
+		--build-arg REVISION=$$REVISION \
+		--build-arg CREATED=$$CREATED \
+		--build-arg IMAGE_TITLE="Pangolin" \
+		--build-arg IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere" \
+		-t fosrl/pangolin:postgresql-latest .

 test:
 	docker run -it -p 3000:3000 -p 3001:3001 -p 3002:3002 -v ./config:/app/config fosrl/pangolin:latest
--- a/README.md
+++ b/README.md
@@ -35,6 +35,12 @@

 </div>

+<p align="center">
+    <a href="https://docs.pangolin.net/careers/join-us">
+        <img src="https://img.shields.io/badge/🚀_We're_Hiring!-Join_Our_Team-brightgreen?style=for-the-badge" alt="We're Hiring!" />
+    </a>
+</p>
+
 <p align="center">
    <strong>
        Start testing Pangolin at <a href="https://app.pangolin.net/auth/signup">app.pangolin.net</a>
@@ -74,6 +80,8 @@ Download the Pangolin client for your platform:
 - [Mac](https://pangolin.net/downloads/mac)
 - [Windows](https://pangolin.net/downloads/windows)
 - [Linux](https://pangolin.net/downloads/linux)
+- [iOS](https://pangolin.net/downloads/ios)
+- [Android](https://pangolin.net/downloads/android)

 ## Get Started

--- a/blueprint.py
+++ b/blueprint.py
@@ -1,72 +0,0 @@
-import requests
-import yaml
-import json
-import base64
-
-# The file path for the YAML file to be read
-# You can change this to the path of your YAML file
-YAML_FILE_PATH = 'blueprint.yaml'
-
-# The API endpoint and headers from the curl request
-API_URL = 'http://api.pangolin.net/v1/org/test/blueprint'
-HEADERS = {
-    'accept': '*/*',
-    'Authorization': 'Bearer <your_token_here>',
-    'Content-Type': 'application/json'
-}
-
-def convert_and_send(file_path, url, headers):
-    """
-    Reads a YAML file, converts its content to a JSON payload,
-    and sends it via a PUT request to a specified URL.
-    """
-    try:
-        # Read the YAML file content
-        with open(file_path, 'r') as file:
-            yaml_content = file.read()
-
-        # Parse the YAML string to a Python dictionary
-        # This will be used to ensure the YAML is valid before sending
-        parsed_yaml = yaml.safe_load(yaml_content)
-
-        # convert the parsed YAML to a JSON string
-        json_payload = json.dumps(parsed_yaml)
-        print("Converted JSON payload:")
-        print(json_payload)
-
-        # Encode the JSON string to Base64
-        encoded_json = base64.b64encode(json_payload.encode('utf-8')).decode('utf-8')
-
-        # Create the final payload with the base64 encoded data
-        final_payload = {
-            "blueprint": encoded_json
-        }
-
-        print("Sending the following Base64 encoded JSON payload:")
-        print(final_payload)
-        print("-" * 20)
-
-        # Make the PUT request with the base64 encoded payload
-        response = requests.put(url, headers=headers, json=final_payload)
-
-        # Print the API response for debugging
-        print(f"API Response Status Code: {response.status_code}")
-        print("API Response Content:")
-        print(response.text)
-
-        # Raise an exception for bad status codes (4xx or 5xx)
-        response.raise_for_status()
-
-    except FileNotFoundError:
-        print(f"Error: The file '{file_path}' was not found.")
-    except yaml.YAMLError as e:
-        print(f"Error parsing YAML file: {e}")
-    except requests.exceptions.RequestException as e:
-        print(f"An error occurred during the API request: {e}")
-    except Exception as e:
-        print(f"An unexpected error occurred: {e}")
-
-# Run the function
-if __name__ == "__main__":
-    convert_and_send(YAML_FILE_PATH, API_URL, HEADERS)
-
--- a/blueprint.yaml
+++ b/blueprint.yaml
@@ -1,70 +0,0 @@
-client-resources:
-  client-resource-nice-id-uno:
-    name: this is my resource
-    protocol: tcp
-    proxy-port: 3001
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-  client-resource-nice-id-duce:
-    name: this is my resource
-    protocol: udp
-    proxy-port: 3000
-    hostname: localhost
-    internal-port: 3000
-    site: lively-yosemite-toad
-
-proxy-resources:
-  resource-nice-id-uno:
-    name: this is my resource
-    protocol: http
-    full-domain: duce.test.example.com
-    host-header: example.com
-    tls-server-name: example.com
-    # auth:
-      # pincode: 123456
-      # password: sadfasdfadsf
-      # sso-enabled: true
-      # sso-roles:
-      #   - Member
-      # sso-users:
-      #   - owen@pangolin.net
-      # whitelist-users:
-      #   - owen@pangolin.net
-      # auto-login-idp: 1
-    headers:
-      - name: X-Example-Header
-        value: example-value
-      - name: X-Another-Header
-        value: another-value
-    rules:
-      - action: allow
-        match: ip
-        value: 1.1.1.1
-      - action: deny
-        match: cidr 
-        value: 2.2.2.2/32
-      - action: pass
-        match: path
-        value: /admin
-    targets:
-    - site: lively-yosemite-toad
-      path: /path
-      pathMatchType: prefix
-      hostname: localhost
-      method: http
-      port: 8000
-    - site: slim-alpine-chipmunk
-      hostname: localhost
-      path: /yoman
-      pathMatchType: exact
-      method: http
-      port: 8001
-  resource-nice-id-duce:
-    name: this is other resource
-    protocol: tcp
-    proxy-port: 3000
-    targets:
-    - site: lively-yosemite-toad 
-      hostname: localhost
-      port: 3000
--- a/cli/commands/clearLicenseKeys.ts
+++ b/cli/commands/clearLicenseKeys.ts
@@ -0,0 +1,36 @@
+import { CommandModule } from "yargs";
+import { db, licenseKey } from "@server/db";
+import { eq } from "drizzle-orm";
+
+type ClearLicenseKeysArgs = { };
+
+export const clearLicenseKeys: CommandModule<
+    {},
+    ClearLicenseKeysArgs
+> = {
+    command: "clear-license-keys",
+    describe:
+        "Clear all license keys from the database",
+    // no args
+    builder: (yargs) => {
+        return yargs;
+    },
+    handler: async (argv: {}) => {
+        try {
+
+            console.log(`Clearing all license keys from the database`);
+
+            // Delete all license keys
+            const deletedCount = await db
+                .delete(licenseKey)
+                .where(eq(licenseKey.licenseKeyId, licenseKey.licenseKeyId))  .returning();; // delete all
+
+            console.log(`Deleted ${deletedCount.length} license key(s) from the database`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/deleteClient.ts
+++ b/cli/commands/deleteClient.ts
@@ -0,0 +1,123 @@
+import { CommandModule } from "yargs";
+import { db, clients, olms, currentFingerprint, userClients, approvals } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+
+type DeleteClientArgs = {
+    orgId: string;
+    niceId: string;
+};
+
+export const deleteClient: CommandModule<{}, DeleteClientArgs> = {
+    command: "delete-client",
+    describe:
+        "Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.",
+    builder: (yargs) => {
+        return yargs
+            .option("orgId", {
+                type: "string",
+                demandOption: true,
+                describe: "The organization ID"
+            })
+            .option("niceId", {
+                type: "string",
+                demandOption: true,
+                describe: "The client niceId (identifier)"
+            });
+    },
+    handler: async (argv: { orgId: string; niceId: string }) => {
+        try {
+            const { orgId, niceId } = argv;
+
+            console.log(
+                `Deleting client with orgId: ${orgId}, niceId: ${niceId}...`
+            );
+
+            // Find the client
+            const [client] = await db
+                .select()
+                .from(clients)
+                .where(and(eq(clients.orgId, orgId), eq(clients.niceId, niceId)))
+                .limit(1);
+
+            if (!client) {
+                console.error(
+                    `Error: Client with orgId "${orgId}" and niceId "${niceId}" not found.`
+                );
+                process.exit(1);
+            }
+
+            const clientId = client.clientId;
+            console.log(`Found client with clientId: ${clientId}`);
+
+            // Find all OLMs associated with this client
+            const associatedOlms = await db
+                .select()
+                .from(olms)
+                .where(eq(olms.clientId, clientId));
+
+            console.log(`Found ${associatedOlms.length} OLM(s) associated with this client`);
+
+            // Delete in a transaction to ensure atomicity
+            await db.transaction(async (trx) => {
+                // Delete currentFingerprint entries for the associated OLMs
+                // Note: We delete these explicitly before deleting OLMs to ensure
+                // we have control, even though cascade would handle it
+                let fingerprintCount = 0;
+                if (associatedOlms.length > 0) {
+                    const olmIds = associatedOlms.map((olm) => olm.olmId);
+                    const deletedFingerprints = await trx
+                        .delete(currentFingerprint)
+                        .where(inArray(currentFingerprint.olmId, olmIds))
+                        .returning();
+                    fingerprintCount = deletedFingerprints.length;
+                }
+                console.log(`Deleted ${fingerprintCount} current fingerprint(s)`);
+
+                // Delete OLMs
+                // Note: OLMs have onDelete: "set null" for clientId, so we need to delete them explicitly
+                const deletedOlms = await trx
+                    .delete(olms)
+                    .where(eq(olms.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedOlms.length} OLM(s)`);
+
+                // Delete approvals
+                // Note: Approvals have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedApprovals = await trx
+                    .delete(approvals)
+                    .where(eq(approvals.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedApprovals.length} approval(s)`);
+
+                // Delete userClients
+                // Note: userClients have onDelete: "cascade" but we delete explicitly for clarity
+                const deletedUserClients = await trx
+                    .delete(userClients)
+                    .where(eq(userClients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted ${deletedUserClients.length} userClient association(s)`);
+
+                // Finally, delete the client itself
+                const deletedClients = await trx
+                    .delete(clients)
+                    .where(eq(clients.clientId, clientId))
+                    .returning();
+                console.log(`Deleted client: ${deletedClients[0]?.name || niceId}`);
+            });
+
+            console.log("\nClient deletion completed successfully!");
+            console.log("\nSummary:");
+            console.log(`  - Client: ${niceId} (clientId: ${clientId})`);
+            console.log(`  - Olm(s): ${associatedOlms.length}`);
+            console.log(`  - Current fingerprints: deleted`);
+            console.log(`  - Approvals: deleted`);
+            console.log(`  - UserClients: deleted`);
+            console.log(`  - Snapshots: preserved (not deleted)`);
+
+            process.exit(0);
+        } catch (error) {
+            console.error("Error deleting client:", error);
+            process.exit(1);
+        }
+    }
+};
--- a/cli/commands/rotateServerSecret.ts
+++ b/cli/commands/rotateServerSecret.ts
@@ -7,8 +7,8 @@ import fs from "fs";
 import yaml from "js-yaml";

 type RotateServerSecretArgs = {
-    oldSecret: string;
-    newSecret: string;
+    "old-secret": string;
+    "new-secret": string;
    force?: boolean;
 };

@@ -21,12 +21,12 @@ export const rotateServerSecret: CommandModule<
        "Rotate the server secret by decrypting all encrypted values with the old secret and re-encrypting with a new secret",
    builder: (yargs) => {
        return yargs
-            .option("oldSecret", {
+            .option("old-secret", {
                type: "string",
                demandOption: true,
                describe: "The current server secret (for verification)"
            })
-            .option("newSecret", {
+            .option("new-secret", {
                type: "string",
                demandOption: true,
                describe: "The new server secret to use"
@@ -42,8 +42,8 @@ export const rotateServerSecret: CommandModule<
            });
    },
    handler: async (argv: {
-        oldSecret: string;
-        newSecret: string;
+        "old-secret": string;
+        "new-secret": string;
        force?: boolean;
    }) => {
        try {
@@ -73,8 +73,8 @@ export const rotateServerSecret: CommandModule<
            }

            const configSecret = config.server.secret;
-            const oldSecret = argv.oldSecret;
-            const newSecret = argv.newSecret;
+            const oldSecret = argv["old-secret"];
+            const newSecret = argv["new-secret"];
            const force = argv.force || false;

            // Verify that the provided old secret matches the one in config
--- a/cli/index.ts
+++ b/cli/index.ts
@@ -6,6 +6,8 @@ import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
 import { resetUserSecurityKeys } from "@cli/commands/resetUserSecurityKeys";
 import { clearExitNodes } from "./commands/clearExitNodes";
 import { rotateServerSecret } from "./commands/rotateServerSecret";
+import { clearLicenseKeys } from "./commands/clearLicenseKeys";
+import { deleteClient } from "./commands/deleteClient";

 yargs(hideBin(process.argv))
    .scriptName("pangctl")
@@ -13,5 +15,7 @@ yargs(hideBin(process.argv))
    .command(resetUserSecurityKeys)
    .command(clearExitNodes)
    .command(rotateServerSecret)
+    .command(clearLicenseKeys)
+    .command(deleteClient)
    .demandCommand()
    .help().argv;
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -1,27 +1,30 @@
 # To see all available options, please visit the docs:
-# https://docs.pangolin.net/self-host/advanced/config-file
-
-app:
-  dashboard_url: http://localhost:3002
-  log_level: debug
-
-domains:
-  domain1:
-    base_domain: example.com
-
-server:
-  secret: my_secret_key
+# https://docs.pangolin.net/

 gerbil:
-  base_endpoint: example.com
+    start_port: 51820
+    base_endpoint: "{{.DashboardDomain}}"

-orgs:
-  block_size: 24
-  subnet_group: 100.90.137.0/20
+app:
+    dashboard_url: "https://{{.DashboardDomain}}"
+    log_level: "info"
+    telemetry:
+        anonymous_usage: true
+
+domains:
+    domain1:
+        base_domain: "{{.BaseDomain}}"
+
+server:
+    secret: "{{.Secret}}"
+    cors:
+        origins: ["https://{{.DashboardDomain}}"]
+        methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
+        credentials: false

 flags:
-  require_email_verification: false
-  disable_signup_without_invite: true
-  disable_user_create_org: true
-  allow_raw_resources: true
-  enable_integration_api: true
+    require_email_verification: false
+    disable_signup_without_invite: true
+    disable_user_create_org: false
+    allow_raw_resources: true
--- a/config/traefik/dynamic_config.yml
+++ b/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,14 +17,16 @@ http:
        - web
      middlewares:
        - redirect-to-https
+        - badger

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
-      rule: "Host(`{{.DashboardDomain}}`)"
+      rule: "Host(`{{.DashboardDomain}}`) && !PathPrefix(`/api/v1`)"
      service: next-service
-      priority: 10
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -28,9 +34,10 @@ http:
    api-router:
      rule: "Host(`{{.DashboardDomain}}`) && PathPrefix(`/api/v1`)"
      service: api-service
-      priority: 100
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -44,3 +51,12 @@ http:
      loadBalancer:
        servers:
          - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2
--- a/config/traefik/traefik_config.yml
+++ b/config/traefik/traefik_config.yml
@@ -3,32 +3,52 @@ api:
  dashboard: true

 providers:
+  http:
+    endpoint: "http://pangolin:3001/api/v1/traefik-config"
+    pollInterval: "5s"
  file:
-    directory: "/var/dynamic"
-    watch: true
+    filename: "/etc/traefik/dynamic_config.yml"

 experimental:
  plugins:
    badger:
      moduleName: "github.com/fosrl/badger"
-      version: "v1.2.0"
+      version: "{{.BadgerVersion}}"

 log:
-  level: "DEBUG"
+  level: "INFO"
  format: "common"
  maxSize: 100
  maxBackups: 3
  maxAge: 3
  compress: true

+certificatesResolvers:
+  letsencrypt:
+    acme:
+      httpChallenge:
+        entryPoint: web
+      email: "{{.LetsEncryptEmail}}"
+      storage: "/letsencrypt/acme.json"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+
 entryPoints:
  web:
    address: ":80"
  websecure:
-    address: ":9443"
+    address: ":443"
    transport:
      respondingTimeouts:
        readTimeout: "30m"
+    http:
+      tls:
+        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true

 serversTransport:
  insecureSkipVerify: true
+
+ping:
+  entryPoint: "web"
--- a/install/config/crowdsec/dynamic_config.yml
+++ b/install/config/crowdsec/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -63,6 +67,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
+        - badger

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -72,6 +77,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
+        - badger
      tls:
        certResolver: letsencrypt

@@ -83,6 +89,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
+        - badger
      tls:
        certResolver: letsencrypt

@@ -94,6 +101,7 @@ http:
        - websecure
      middlewares:
        - security-headers # Add security headers middleware
+        - badger
      tls:
        certResolver: letsencrypt

--- a/install/config/docker-compose.yml
+++ b/install/config/docker-compose.yml
@@ -1,7 +1,7 @@
 name: pangolin
 services:
  pangolin:
-    image: docker.io/fosrl/pangolin:{{.PangolinVersion}}
+    image: docker.io/fosrl/pangolin:{{if .IsEnterprise}}ee-{{end}}{{.PangolinVersion}}
    container_name: pangolin
    restart: unless-stopped
    volumes:
--- a/install/config/traefik/dynamic_config.yml
+++ b/install/config/traefik/dynamic_config.yml
@@ -1,5 +1,9 @@
 http:
  middlewares:
+    badger:
+      plugin:
+        badger:
+          disableForwardAuth: true
    redirect-to-https:
      redirectScheme:
        scheme: https
@@ -13,6 +17,7 @@ http:
        - web
      middlewares:
        - redirect-to-https
+        - badger

    # Next.js router (handles everything except API and WebSocket paths)
    next-router:
@@ -20,6 +25,8 @@ http:
      service: next-service
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -29,6 +36,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -38,6 +47,8 @@ http:
      service: api-service
      entryPoints:
        - websecure
+      middlewares:
+        - badger
      tls:
        certResolver: letsencrypt

@@ -59,4 +70,4 @@ tcp:
        version: 1
    pp-transport-v2:
      proxyProtocol:
-        version: 2
+        version: 2
--- a/install/config/traefik/traefik_config.yml
+++ b/install/config/traefik/traefik_config.yml
@@ -43,9 +43,12 @@ entryPoints:
    http:
      tls:
        certResolver: "letsencrypt"
+      encodedCharacters:
+        allowEncodedSlash: true
+        allowEncodedQuestionMark: true

 serversTransport:
  insecureSkipVerify: true

 ping:
-  entryPoint: "web"
+  entryPoint: "web"
--- a/install/containers.go
+++ b/install/containers.go
@@ -210,6 +210,47 @@ func isDockerRunning() bool {
 	return true
 }

+func isPodmanRunning() bool {
+	cmd := exec.Command("podman", "info")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
+
+// detectContainerType detects whether the system is currently using Docker or Podman
+// by checking which container runtime is running and has containers
+func detectContainerType() SupportedContainer {
+	// Check if we have running containers with podman
+	if isPodmanRunning() {
+		cmd := exec.Command("podman", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Podman
+		}
+	}
+
+	// Check if we have running containers with docker
+	if isDockerRunning() {
+		cmd := exec.Command("docker", "ps", "-q")
+		output, err := cmd.Output()
+		if err == nil && len(strings.TrimSpace(string(output))) > 0 {
+			return Docker
+		}
+	}
+
+	// If no containers are running, check which one is installed and running
+	if isPodmanRunning() && isPodmanInstalled() {
+		return Podman
+	}
+
+	if isDockerRunning() && isDockerInstalled() {
+		return Docker
+	}
+
+	return Undefined
+}
+
 // executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
 func executeDockerComposeCommandWithArgs(args ...string) error {
 	var cmd *exec.Cmd
--- a/install/crowdsec.go
+++ b/install/crowdsec.go
@@ -93,7 +93,7 @@ func installCrowdsec(config Config) error {

 	if checkIfTextInFile("config/traefik/dynamic_config.yml", "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK") {
 		fmt.Println("Failed to replace bouncer key! Please retrieve the key and replace it in the config/traefik/dynamic_config.yml file using the following command:")
-		fmt.Println("	docker exec crowdsec cscli bouncers add traefik-bouncer")
+		fmt.Printf("	%s exec crowdsec cscli bouncers add traefik-bouncer\n", config.InstallationContainerType)
 	}

 	return nil
@@ -117,7 +117,7 @@ func GetCrowdSecAPIKey(containerType SupportedContainer) (string, error) {
 	}

 	// Execute the command to get the API key
-	cmd := exec.Command("docker", "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
+	cmd := exec.Command(string(containerType), "exec", "crowdsec", "cscli", "bouncers", "add", "traefik-bouncer", "-o", "raw")
 	var out bytes.Buffer
 	cmd.Stdout = &out

--- a/install/go.mod
+++ b/install/go.mod
@@ -3,8 +3,8 @@ module installer
 go 1.24.0

 require (
-	golang.org/x/term v0.38.0
+	golang.org/x/term v0.39.0
 	gopkg.in/yaml.v3 v3.0.1
 )

-require golang.org/x/sys v0.39.0 // indirect
+require golang.org/x/sys v0.40.0 // indirect
--- a/install/go.sum
+++ b/install/go.sum
@@ -1,7 +1,7 @@
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/install/input.go
+++ b/install/input.go
@@ -54,13 +54,31 @@ func readBool(reader *bufio.Reader, prompt string, defaultValue bool) bool {
 	if defaultValue {
 		defaultStr = "yes"
 	}
-	input := readString(reader, prompt+" (yes/no)", defaultStr)
-	return strings.ToLower(input) == "yes"
+	for {
+		input := readString(reader, prompt+" (yes/no)", defaultStr)
+		lower := strings.ToLower(input)
+		if lower == "yes" {
+			return true
+		} else if lower == "no" {
+			return false
+		} else {
+			fmt.Println("Please enter 'yes' or 'no'.")
+		}
+	}
 }

 func readBoolNoDefault(reader *bufio.Reader, prompt string) bool {
-	input := readStringNoDefault(reader, prompt+" (yes/no)")
-	return strings.ToLower(input) == "yes"
+	for {
+		input := readStringNoDefault(reader, prompt+" (yes/no)")
+		lower := strings.ToLower(input)
+		if lower == "yes" {
+			return true
+		} else if lower == "no" {
+			return false
+		} else {
+			fmt.Println("Please enter 'yes' or 'no'.")
+		}
+	}
 }

 func readInt(reader *bufio.Reader, prompt string, defaultValue int) int {
--- a/install/main.go
+++ b/install/main.go
@@ -49,6 +49,7 @@ type Config struct {
 	DoCrowdsecInstall         bool
 	EnableGeoblocking         bool
 	Secret                    string
+	IsEnterprise              bool
 }

 type SupportedContainer string
@@ -179,7 +180,7 @@ func main() {
 					fmt.Println("You can try downloading it manually later if needed.")
 				}
 				// Now you need to update your config file accordingly to enable geoblocking
-				fmt.Println("Please remember to update your config/config.yml file to enable geoblocking! \n")
+				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
 				fmt.Println("Add the following line under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
@@ -228,7 +229,16 @@ func main() {
 					}
 				}

-				config.InstallationContainerType = podmanOrDocker(reader)
+				// Try to detect container type from existing installation
+				detectedType := detectContainerType()
+				if detectedType == Undefined {
+					// If detection fails, prompt the user
+					fmt.Println("Unable to detect container type from existing installation.")
+					config.InstallationContainerType = podmanOrDocker(reader)
+				} else {
+					config.InstallationContainerType = detectedType
+					fmt.Printf("Detected container type: %s\n", config.InstallationContainerType)
+				}

 				config.DoCrowdsecInstall = true
 				err := installCrowdsec(config)
@@ -285,10 +295,10 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 			os.Exit(1)
 		}

-		if err := exec.Command("bash", "-c", "cat /etc/sysctl.conf | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
+		if err := exec.Command("bash", "-c", "cat /etc/sysctl.d/99-podman.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start=' || cat /etc/sysctl.conf 2>/dev/null | grep 'net.ipv4.ip_unprivileged_port_start='").Run(); err != nil {
 			fmt.Println("Would you like to configure ports >= 80 as unprivileged ports? This enables podman containers to listen on low-range ports.")
 			fmt.Println("Pangolin will experience startup issues if this is not configured, because it needs to listen on port 80/443 by default.")
-			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p\". Approve?", true)
+			approved := readBool(reader, "The installer is about to execute \"echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system\". Approve?", true)
 			if approved {
 				if os.Geteuid() != 0 {
 					fmt.Println("You need to run the installer as root for such a configuration.")
@@ -299,8 +309,8 @@ func podmanOrDocker(reader *bufio.Reader) SupportedContainer {
 				// container low-range ports as unprivileged ports.
 				// Linux only.

-				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' >> /etc/sysctl.conf && sysctl -p"); err != nil {
-					fmt.Sprintf("failed to configure unprivileged ports: %v.\n", err)
+				if err := run("bash", "-c", "echo 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-podman.conf && sysctl --system"); err != nil {
+				    fmt.Printf("Error configuring unprivileged ports: %v\n", err)
 					os.Exit(1)
 				}
 			} else {
@@ -339,6 +349,8 @@ func collectUserInput(reader *bufio.Reader) Config {
 	// Basic configuration
 	fmt.Println("\n=== Basic Configuration ===")

+	config.IsEnterprise = readBoolNoDefault(reader, "Do you want to install the Enterprise version of Pangolin? The EE is free for personal use or for businesses making less than 100k USD annually.")
+
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")

 	// Set default dashboard domain after base domain is collected
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Създайте организацията, сайта и ресурсите",
+    "headerAuthCompatibilityInfo": "Активирайте това, за да принудите отговор '401 Неупълномощено', когато липсва токен за автентификация. Това е необходимо за браузъри или специфични HTTP библиотеки, които не изпращат идентификационни данни без сървърно предизвикателство.",
+    "headerAuthCompatibility": "Разширена съвместимост.",
    "setupNewOrg": "Нова организация",
    "setupCreateOrg": "Създаване на организация",
    "setupCreateResources": "Създаване на ресурси",
@@ -33,7 +35,7 @@
    "password": "Парола",
    "confirmPassword": "Потвърждение на паролата",
    "createAccount": "Създаване на профил",
-    "viewSettings": "Преглед на настройките",
+    "viewSettings": "Преглед на настройките.",
    "delete": "Изтриване",
    "name": "Име",
    "online": "На линия",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Сигурни ли сте, че искате да премахнете сайта от организацията?",
    "siteManageSites": "Управление на сайтове",
    "siteDescription": "Създайте и управлявайте сайтове, за да осигурите свързаност със частни мрежи",
+    "sitesBannerTitle": "Свържете се с мрежа.",
+    "sitesBannerDescription": "Сайтът е връзка с отдалечена мрежа, която позволява на Pangolin да предоставя достъп до ресурси, било то публични или частни, на потребители навсякъде. Инсталирайте мрежовия конектор на сайта (Newt) навсякъде, където можете да стартирате бинарен или контейнер, за да създадете връзката.",
+    "sitesBannerButtonText": "Инсталиране на сайт.",
+    "approvalsBannerTitle": "Одобрете или откажете достъп до устройство",
+    "approvalsBannerDescription": "Прегледайте и одобрите или откажете искания за достъп до устройства от потребители. Когато се изисква одобрение на устройства, потребителите трябва да получат администраторско одобрение, преди техните устройства да могат да се свържат с ресурсите на вашата организация.",
+    "approvalsBannerButtonText": "Научете повече",
    "siteCreate": "Създайте сайт",
    "siteCreateDescription2": "Следвайте стъпките по-долу, за да създадете и свържете нов сайт",
    "siteCreateDescription": "Създайте нов сайт, за да започнете да свързвате ресурси",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Определете как искате да се свържете със сайта",
    "siteNewtCredentials": "Пълномощия",
    "siteNewtCredentialsDescription": "Това е как сайтът ще се удостоверява с сървъра",
+    "remoteNodeCredentialsDescription": "Това е начинът, по който отдалеченият възел ще се автентифицира със сървъра.",
    "siteCredentialsSave": "Запазете Пълномощията",
    "siteCredentialsSaveDescription": "Ще можете да виждате това само веднъж. Уверете се да го копирате на сигурно място.",
    "siteInfo": "Информация за сайта",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Моля, изберете ресурс",
    "proxyResourceTitle": "Управление на обществени ресурси",
    "proxyResourceDescription": "Създайте и управлявайте ресурси, които са общодостъпни чрез уеб браузър.",
+    "proxyResourcesBannerTitle": "Публичен достъп чрез уеб.",
+    "proxyResourcesBannerDescription": "Публичните ресурси са HTTPS или TCP/UDP проксита, достъпни за всеки в интернет чрез уеб браузър. За разлика от частните ресурси, те не изискват софтуер от страна на клиента и могат да включват издентити и контексто-осъзнати политики за достъп.",
    "clientResourceTitle": "Управление на частни ресурси",
    "clientResourceDescription": "Създайте и управлявайте ресурси, които са достъпни само чрез свързан клиент.",
+    "privateResourcesBannerTitle": "Достъп до частни ресурси с нулево доверие.",
+    "privateResourcesBannerDescription": "Частните ресурси използват сигурност с нулево доверие, осигурявайки че потребителите и машините могат да имат само достъп до ресурси, които вие изрично предоставяте. Свържете потребителските устройства или машинните клиенти, за да получите достъп до тези ресурси чрез сигурна виртуална частна мрежа.",
    "resourcesSearch": "Търсене на ресурси...",
    "resourceAdd": "Добавете ресурс",
    "resourceErrorDelte": "Грешка при изтриване на ресурс",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "След като се премахне, ресурсът няма повече да бъде достъпен. Всички цели, свързани с ресурса, също ще бъдат премахнати.",
    "resourceQuestionRemove": "Сигурни ли сте, че искате да премахнете ресурса от организацията?",
    "resourceHTTP": "HTTPS ресурс",
-    "resourceHTTPDescription": "Прокси заяви към приложението по HTTPS използвайки поддомейн или базов домейн.",
+    "resourceHTTPDescription": "Прокси заявки чрез HTTPS, използвайки напълно квалифицирано име на домейн.",
    "resourceRaw": "Суров TCP/UDP ресурс",
-    "resourceRawDescription": "Прокси заяви към приложението по TCP/UDP използвайки номер на порт. Това работи само когато сайтовете са свързани към възли.",
+    "resourceRawDescription": "Прокси заявки чрез сурови TCP/UDP, използвайки порт номер.",
    "resourceCreate": "Създайте ресурс",
    "resourceCreateDescription": "Следвайте стъпките по-долу, за да създадете нов ресурс",
    "resourceSeeAll": "Вижте всички ресурси",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Търсене на роли...",
    "accessRolesAdd": "Добавете роля",
    "accessRoleDelete": "Изтриване на роля",
+    "accessApprovalsManage": "Управление на одобрения",
+    "accessApprovalsDescription": "Прегледайте и управлявайте чакащи одобрения за достъп до тази организация",
    "description": "Описание",
    "inviteTitle": "Отворени покани",
    "inviteDescription": "Управлявайте покани за други потребители да се присъединят към организацията",
@@ -419,7 +434,7 @@
    "userErrorExistsDescription": "Този потребител вече е член на организацията.",
    "inviteError": "Неуспешно поканване на потребител",
    "inviteErrorDescription": "Възникна грешка при поканването на потребителя",
-    "userInvited": "Потребителят е поканен",
+    "userInvited": "Потребителят е поканен.",
    "userInvitedDescription": "Потребителят беше успешно поканен.",
    "userErrorCreate": "Неуспешно създаване на потребител",
    "userErrorCreateDescription": "Възникна грешка при създаване на потребителя",
@@ -440,6 +455,18 @@
    "selectDuration": "Изберете продължителност",
    "selectResource": "Изберете Ресурс",
    "filterByResource": "Филтрирай По Ресурс",
+    "selectApprovalState": "Изберете състояние на одобрение",
+    "filterByApprovalState": "Филтрирайте по състояние на одобрение",
+    "approvalListEmpty": "Няма одобрения",
+    "approvalState": "Състояние на одобрение",
+    "approve": "Одобряване",
+    "approved": "Одобрен",
+    "denied": "Отказан",
+    "deniedApproval": "Одобрение е отказано",
+    "all": "Всички",
+    "deny": "Откажете",
+    "viewDetails": "Разгледай подробности",
+    "requestingNewDeviceApproval": "поискана нова устройство",
    "resetFilters": "Нулиране на Филтрите",
    "totalBlocked": "Заявки Блокирани От Pangolin",
    "totalRequests": "Общо Заявки",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Администраторите винаги могат да имат достъп до този ресурс.",
    "resourceUsersRoles": "Контроли за достъп",
    "resourceUsersRolesDescription": "Конфигурирайте кои потребители и роли могат да посещават този ресурс",
-    "resourceUsersRolesSubmit": "Запазете потребители и роли",
+    "resourceUsersRolesSubmit": "Запазване на управлението на достъп.",
    "resourceWhitelistSave": "Успешно запазено",
    "resourceWhitelistSaveDescription": "Настройките на белия списък са запазени",
    "ssoUse": "Използвай платформен SSO",
@@ -719,16 +746,28 @@
    "countries": "Държави",
    "accessRoleCreate": "Създайте роля",
    "accessRoleCreateDescription": "Създайте нова роля за групиране на потребители и управление на техните разрешения.",
+    "accessRoleEdit": "Редактиране на роля",
+    "accessRoleEditDescription": "Редактирайте информацията за ролята.",
    "accessRoleCreateSubmit": "Създайте роля",
    "accessRoleCreated": "Ролята е създадена",
    "accessRoleCreatedDescription": "Ролята беше успешно създадена.",
    "accessRoleErrorCreate": "Неуспешно създаване на роля",
    "accessRoleErrorCreateDescription": "Възникна грешка при създаването на ролята.",
+    "accessRoleUpdateSubmit": "Обновете роля",
+    "accessRoleUpdated": "Ролята е актуализирана",
+    "accessRoleUpdatedDescription": "Ролята беше успешно актуализирана.",
+    "accessApprovalUpdated": "Одобрението е обработено",
+    "accessApprovalApprovedDescription": "Задайте решение на заявка за одобрение да бъде одобрено.",
+    "accessApprovalDeniedDescription": "Задайте решение на заявка за одобрение да бъде отказано.",
+    "accessRoleErrorUpdate": "Неуспешно актуализиране на ролята",
+    "accessRoleErrorUpdateDescription": "Възникна грешка при актуализиране на ролята.",
+    "accessApprovalErrorUpdate": "Неуспешно обработване на одобрение",
+    "accessApprovalErrorUpdateDescription": "Възникна грешка при обработване на одобрението.",
    "accessRoleErrorNewRequired": "Нова роля е необходима",
    "accessRoleErrorRemove": "Неуспешно премахване на роля",
    "accessRoleErrorRemoveDescription": "Възникна грешка при премахването на роля.",
    "accessRoleName": "Име на роля",
-    "accessRoleQuestionRemove": "Ще изтриете ролята {name}. Не можете да отмените това действие.",
+    "accessRoleQuestionRemove": "Ще изтриете ролята `{name}`. Не можете да отмените това действие.",
    "accessRoleRemove": "Премахни роля",
    "accessRoleRemoveDescription": "Премахни роля от организацията",
    "accessRoleRemoveSubmit": "Премахни роля",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Конфигуриране на достъп за организация",
    "idpUpdatedDescription": "Идентификационният доставчик беше актуализиран успешно",
    "redirectUrl": "URL за пренасочване",
+    "orgIdpRedirectUrls": "URL адреси за пренасочване",
    "redirectUrlAbout": "За URL за пренасочване",
    "redirectUrlAboutDescription": "Това е URL адресът, към който потребителите ще бъдат пренасочени след удостоверяване. Трябва да конфигурирате този URL адрес в настройките на доставчика на идентичност.",
    "pangolinAuth": "Authent - Pangolin",
@@ -863,7 +903,7 @@
    "inviteAlready": "Изглежда, че сте били поканени!",
    "inviteAlreadyDescription": "За да приемете поканата, трябва да влезете или да създадете акаунт.",
    "signupQuestion": "Вече имате акаунт?",
-    "login": "Влизане",
+    "login": "Вход",
    "resourceNotFound": "Ресурсът не е намерен",
    "resourceNotFoundDescription": "Ресурсът, който се опитвате да достъпите, не съществува.",
    "pincodeRequirementsLength": "ПИН трябва да бъде точно 6 цифри",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Тази организация изисква да сменяте паролата си на всеки {maxDays} дни.",
    "changePasswordNow": "Сменете паролата сега",
    "pincodeAuth": "Код на удостоверителя",
-    "pincodeSubmit2": "Изпрати код",
+    "pincodeSubmit2": "Изпратете кода",
    "passwordResetSubmit": "Заявка за нулиране",
-    "passwordResetAlreadyHaveCode": "Въведете код за нулиране на парола",
+    "passwordResetAlreadyHaveCode": "Въведете код.",
    "passwordResetSmtpRequired": "Моля, свържете се с вашия администратор",
    "passwordResetSmtpRequiredDescription": "Кодът за нулиране на парола е задължителен за нулиране на паролата ви. Моля, свържете се с вашия администратор за помощ.",
    "passwordBack": "Назад към Парола",
-    "loginBack": "Връщане към вход",
+    "loginBack": "Върнете се на главната страница за вход",
    "signup": "Регистрация",
    "loginStart": "Влезте, за да започнете",
    "idpOidcTokenValidating": "Валидиране на OIDC токен",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Актуализиране на Организационна Потребител",
    "createOrgUser": "Създаване на Организационна Потребител",
    "actionUpdateOrg": "Актуализиране на организацията",
+    "actionRemoveInvitation": "Премахване на поканата.",
    "actionUpdateUser": "Актуализиране на потребител",
    "actionGetUser": "Получаване на потребител",
    "actionGetOrgUser": "Вземете потребител на организация",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Вземете сайт",
    "actionListSites": "Изброяване на сайтове",
    "actionApplyBlueprint": "Приложи Чернова",
+    "actionListBlueprints": "Списък с планове.",
+    "actionGetBlueprint": "Вземи план.",
    "setupToken": "Конфигурация на токен",
    "setupTokenDescription": "Въведете конфигурационния токен от сървърната конзола.",
    "setupTokenRequired": "Необходим е конфигурационен токен",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Актуализиране на IdP организация",
    "actionCreateClient": "Създаване на клиент",
    "actionDeleteClient": "Изтриване на клиент",
+    "actionArchiveClient": "Архивиране на клиента",
+    "actionUnarchiveClient": "Разархивиране на клиента",
+    "actionBlockClient": "Блокиране на клиента",
+    "actionUnblockClient": "Деблокиране на клиента",
    "actionUpdateClient": "Актуализиране на клиент",
    "actionListClients": "Списък с клиенти",
    "actionGetClient": "Получаване на клиент",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Търсене...",
    "create": "Създаване",
    "orgs": "Организации",
-    "loginError": "Възникна грешка при влизане",
-    "loginRequiredForDevice": "Необходим е вход за удостоверяване на вашето устройство.",
+    "loginError": "Възникна неочаквана грешка. Моля, опитайте отново.",
+    "loginRequiredForDevice": "Необходим е вход за вашето устройство.",
    "passwordForgot": "Забравена парола?",
    "otpAuth": "Двуфакторно удостоверяване",
    "otpAuthDescription": "Въведете кода от приложението за удостоверяване или един от вашите резервни кодове за еднократна употреба.",
    "otpAuthSubmit": "Изпрати код",
    "idpContinue": "Или продължете със",
-    "otpAuthBack": "Назад към Вход",
+    "otpAuthBack": "Назад към парола",
    "navbar": "Навигационно меню",
    "navbarDescription": "Главно навигационно меню за приложението",
    "navbarDocsLink": "Документация",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Общ преглед",
    "sidebarHome": "Начало",
    "sidebarSites": "Сайтове",
+    "sidebarApprovals": "Заявки за одобрение",
    "sidebarResources": "Ресурси",
    "sidebarProxyResources": "Публично",
    "sidebarClientResources": "Частно",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Идентификационни доставчици",
    "sidebarLicense": "Лиценз",
    "sidebarClients": "Клиенти",
-    "sidebarUserDevices": "Потребители",
+    "sidebarUserDevices": "Устройства на потребителя",
    "sidebarMachineClients": "Машини",
    "sidebarDomains": "Домейни",
-    "sidebarGeneral": "Общи",
+    "sidebarGeneral": "Управление.",
    "sidebarLogAndAnalytics": "Лог & Анализи",
    "sidebarBluePrints": "Чертежи",
    "sidebarOrganization": "Организация",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Възникна грешка при създаване на админ акаунт.",
    "certificateStatus": "Статус на сертификата",
    "loading": "Зареждане",
+    "loadingAnalytics": "Зареждане на анализи",
    "restart": "Рестарт",
    "domains": "Домейни",
    "domainsDescription": "Създайте и управлявайте наличните домейни в организацията",
@@ -1290,6 +1339,7 @@
    "refreshError": "Неуспешно обновяване на данни",
    "verified": "Потвърдено",
    "pending": "Чакащо",
+    "pendingApproval": "Очаква одобрение",
    "sidebarBilling": "Фактуриране",
    "billing": "Фактуриране",
    "orgBillingDescription": "Управлявайте информацията за плащане и абонаментите",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Настройката на профила завърши успешно! Добре дошли в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Запазване на всички настройки",
+    "saveResourceTargets": "Запазване на целеви ресурси.",
+    "saveResourceHttp": "Запазване на прокси настройките.",
+    "saveProxyProtocol": "Запазване на настройките на прокси протокола.",
    "settingsUpdated": "Настройките са обновени",
-    "settingsUpdatedDescription": "Всички настройки са успешно обновени",
+    "settingsUpdatedDescription": "Настройките са успешно актуализирани.",
    "settingsErrorUpdate": "Неуспешно обновяване на настройките",
    "settingsErrorUpdateDescription": "Възникна грешка при обновяване на настройките",
    "sidebarCollapse": "Свиване",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Ключът за защита е премахнат успешно",
    "securityKeyRemoveError": "Неуспешно премахване на ключ за защита",
    "securityKeyLoadError": "Неуспешно зареждане на ключове за защита",
-    "securityKeyLogin": "Продължете с ключа за сигурност",
+    "securityKeyLogin": "Използвайте ключ за защита",
    "securityKeyAuthError": "Неуспешно удостоверяване с ключ за сигурност",
    "securityKeyRecommendation": "Регистрирайте резервен ключ за безопасност на друго устройство, за да сте сигурни, че винаги ще имате достъп до профила си",
    "registering": "Регистрация...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Съгласен съм с",
        "termsOfService": "условията за ползване",
        "and": "и",
-        "privacyPolicy": "политиката за поверителност"
+        "privacyPolicy": "политика за поверителност."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Дръж ме в течение с новини, актуализации и нови функции чрез имейл."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Добави нова цел",
    "targetsList": "Списък с цели",
    "advancedMode": "Разширен режим",
+    "advancedSettings": "Разширени настройки.",
    "targetErrorDuplicateTargetFound": "Дублирана цел намерена",
    "healthCheckHealthy": "Здрав",
    "healthCheckUnhealthy": "Нездрав",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Интервал за здраве",
    "timeoutSeconds": "Време за изчакване (сек)",
    "timeIsInSeconds": "Времето е в секунди",
+    "requireDeviceApproval": "Изискват одобрение на устройства",
+    "requireDeviceApprovalDescription": "Потребители с тази роля трябва да имат нови устройства одобрени от администратор преди да могат да се свържат и да имат достъп до ресурси.",
    "retryAttempts": "Опити за повторно",
    "expectedResponseCodes": "Очаквани кодове за отговор",
    "expectedResponseCodesDescription": "HTTP статус код, указващ здравословно състояние. Ако бъде оставено празно, между 200-300 се счита за здравословно.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Не са намерени вътрешни ресурси.",
    "resourcesTableDestination": "Дестинация",
    "resourcesTableAlias": "Псевдоним",
+    "resourcesTableAliasAddress": "Адрес на псевдоним.",
+    "resourcesTableAliasAddressInfo": "Този адрес е част от подсистемата на организацията. Използва се за разрешаване на псевдонимни записи чрез вътрешно DNS разрешаване.",
    "resourcesTableClients": "Клиенти",
    "resourcesTableAndOnlyAccessibleInternally": "и са достъпни само вътрешно при свързване с клиент.",
    "resourcesTableNoTargets": "Без цели",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Свойства на ресурса",
    "createInternalResourceDialogName": "Име",
    "createInternalResourceDialogSite": "Сайт",
-    "createInternalResourceDialogSelectSite": "Изберете сайт...",
-    "createInternalResourceDialogSearchSites": "Търсене на сайтове...",
-    "createInternalResourceDialogNoSitesFound": "Не са намерени сайтове.",
+    "selectSite": "Изберете сайт...",
+    "noSitesFound": "Не са намерени сайтове.",
    "createInternalResourceDialogProtocol": "Протокол",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Вътрешният адрес на сайта. Трябва да пада в подмрежата на организацията.",
    "siteNameDescription": "Показваното име на сайта, което може да се промени по-късно.",
    "autoLoginExternalIdp": "Автоматично влизане с Външен IDP",
-    "autoLoginExternalIdpDescription": "Незабавно пренасочете потребителя към външния IDP за удостоверяване.",
+    "autoLoginExternalIdpDescription": "Незабавно пренасочване на потребителя към външния доставчик на идентичност за автентификация.",
    "selectIdp": "Изберете IDP",
    "selectIdpPlaceholder": "Изберете IDP...",
    "selectIdpRequired": "Моля, изберете IDP, когато автоматичното влизане е разрешено.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Не е получен URL за пренасочване от доставчика на идентификационни данни.",
    "autoLoginErrorGeneratingUrl": "Неуспешно генериране на URL за удостоверяване.",
    "remoteExitNodeManageRemoteExitNodes": "Отдалечени възли",
-    "remoteExitNodeDescription": "Самостоятелно хоствайте един или повече отдалечени възли, за да разширите мрежовата свързаност и да намалите зависимостта от облака",
+    "remoteExitNodeDescription": "Хоствайте вашите собствени отдалечени ретранслатори и прокси сървърни възли.",
    "remoteExitNodes": "Възли",
    "searchRemoteExitNodes": "Търсене на възли...",
    "remoteExitNodeAdd": "Добавяне на възел",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Потвърдете изтриването на възела (\"Confirm Delete Site\" match)",
    "remoteExitNodeDelete": "Изтрийте възела (\"Delete Site\" match)",
    "sidebarRemoteExitNodes": "Отдалечени възли",
+    "remoteExitNodeId": "ID.",
+    "remoteExitNodeSecretKey": "Секретен ключ.",
    "remoteExitNodeCreate": {
-        "title": "Създаване на възел",
-        "description": "Създайте нов възел, за да разширите мрежовата свързаност",
+        "title": "Създаване на отдалечен възел.",
+        "description": "Създайте нов самохостнал отдалечен ретранслатор и прокси сървърен възел.",
        "viewAllButton": "Вижте всички възли",
        "strategy": {
            "title": "Стратегия на създаване",
-            "description": "Изберете това, за да конфигурирате ръчно възела или да генерирате нови идентификационни данни.",
+            "description": "Изберете как искате да създадете отдалечения възел.",
            "adopt": {
                "title": "Осиновете възел",
                "description": "Изберете това, ако вече имате кредити за възела."
            },
            "generate": {
                "title": "Генериране на ключове",
-                "description": "Изберете това, ако искате да генерирате нови ключове за възела"
+                "description": "Изберете това, ако искате да генерирате нови ключове за възела."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC доставчик",
    "subnet": "Подмрежа",
    "subnetDescription": "Подмрежата за конфигурацията на мрежата на тази организация.",
-    "authPage": "Страница за удостоверяване",
-    "authPageDescription": "Конфигурирайте страницата за автентикация за организацията",
+    "customDomain": "Персонализиран домейн.",
+    "authPage": "Страници за автентификация.",
+    "authPageDescription": "Задайте персонализиран домейн за страниците за автентификация на организацията.",
    "authPageDomain": "Домен на страницата за удостоверяване",
+    "authPageBranding": "Персонализиран брандинг.",
+    "authPageBrandingDescription": "Конфигурирайте брандинга, който се появява на страниците за автентификация за тази организация.",
+    "authPageBrandingUpdated": "Брандингът на страницата за автентификация е актуализиран успешно.",
+    "authPageBrandingRemoved": "Брандингът на страницата за автентификация е премахнат успешно.",
+    "authPageBrandingRemoveTitle": "Премахване на брандинга на страницата за автентификация.",
+    "authPageBrandingQuestionRemove": "Сигурни ли сте, че искате да премахнете брандинга за страниците за автентификация?",
+    "authPageBrandingDeleteConfirm": "Потвърждение на изтриване на брандинга.",
+    "brandingLogoURL": "URL адрес на логото.",
+    "brandingPrimaryColor": "Основен цвят.",
+    "brandingLogoWidth": "Ширина (px).",
+    "brandingLogoHeight": "Височина (px).",
+    "brandingOrgTitle": "Заглавие за страницата за автентификация на организацията.",
+    "brandingOrgDescription": "{orgName} ще бъде заменено с името на организацията.",
+    "brandingOrgSubtitle": "Подзаглавие за страницата за автентификация на организацията.",
+    "brandingResourceTitle": "Заглавие за страницата за автентификация на ресурса.",
+    "brandingResourceSubtitle": "Подзаглавие за страницата за автентификация на ресурса.",
+    "brandingResourceDescription": "{resourceName} ще бъде заменено с името на организацията.",
+    "saveAuthPageDomain": "Запазване на домейна.",
+    "saveAuthPageBranding": "Запазване на брандинга.",
+    "removeAuthPageBranding": "Премахване на брандинга.",
    "noDomainSet": "Няма зададен домейн",
    "changeDomain": "Смяна на домейн",
    "selectDomain": "Избор на домейн",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Задаване на домейн на страницата за удостоверяване",
    "failedToFetchCertificate": "Неуспех при извличане на сертификат",
    "failedToRestartCertificate": "Неуспех при рестартиране на сертификат",
-    "addDomainToEnableCustomAuthPages": "Добавете домейн за да активирате персонализирани страници за автентикация за организацията",
+    "addDomainToEnableCustomAuthPages": "Потребителите ще имат достъп до страницата за вход на организацията и ще завършат автентификацията на ресурси, като използват този домейн.",
    "selectDomainForOrgAuthPage": "Изберете домейн за страницата за удостоверяване на организацията",
    "domainPickerProvidedDomain": "Предоставен домейн",
    "domainPickerFreeProvidedDomain": "Безплатен предоставен домейн",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" не може да се направи валиден за {domain}.",
    "domainPickerSubdomainSanitized": "Поддомен пречистен",
    "domainPickerSubdomainCorrected": "\"{sub}\" беше коригиран на \"{sanitized}\"",
-    "orgAuthSignInTitle": "Влезте в организацията",
+    "orgAuthSignInTitle": "Вход в организация.",
    "orgAuthChooseIdpDescription": "Изберете своя доставчик на идентичност, за да продължите",
    "orgAuthNoIdpConfigured": "Тази организация няма конфигурирани доставчици на идентичност. Можете да влезете с вашата Pangolin идентичност.",
    "orgAuthSignInWithPangolin": "Впишете се с Pangolin",
+    "orgAuthSignInToOrg": "Влезте в организация",
+    "orgAuthSelectOrgTitle": "Вход в организация.",
+    "orgAuthSelectOrgDescription": "Въведете идентификатора на вашата организация, за да продължите.",
+    "orgAuthOrgIdPlaceholder": "вашата-организация",
+    "orgAuthOrgIdHelp": "Въведете уникалния идентификатор на вашата организация.",
+    "orgAuthSelectOrgHelp": "След като въведете идентификатора на организацията си, ще бъдете насочени към страницата за вход на вашата организация, където можете да използвате SSO или вашите организационни удостоверения.",
+    "orgAuthRememberOrgId": "Запомнете този идентификатор на организацията.",
+    "orgAuthBackToSignIn": "Назад към стандартния вход.",
+    "orgAuthNoAccount": "Нямате профил?",
    "subscriptionRequiredToUse": "Необходим е абонамент, за да използвате тази функция.",
    "idpDisabled": "Доставчиците на идентичност са деактивирани.",
    "orgAuthPageDisabled": "Страницата за удостоверяване на организацията е деактивирана.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Активирайте двуфакторното удостоверяване",
    "completeSecuritySteps": "Завършете стъпките за сигурност",
    "securitySettings": "Настройки за сигурност",
+    "dangerSection": "Зона на опасност.",
+    "dangerSectionDescription": "Премахване на всички данни, свързани с тази организация.",
    "securitySettingsDescription": "Конфигурирайте политики за сигурност за организацията",
    "requireTwoFactorForAllUsers": "Изисквайте двуфакторно удостоверяване за всички потребители",
    "requireTwoFactorDescription": "Когато е активирано, всички вътрешни потребители в организацията трябва да имат активирано двуфакторно удостоверяване, за да имат достъп до организацията.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Това ще засегне всички потребители в организацията",
    "authPageErrorUpdateMessage": "Възникна грешка при актуализирането на настройките на страницата за удостоверяване",
    "authPageErrorUpdate": "Неуспешно актуализиране на страницата за удостоверяване",
-    "authPageUpdated": "Страницата за удостоверяване е актуализирана успешно",
+    "authPageDomainUpdated": "Домейнът на страницата за автентификация е актуализиран успешно.",
    "healthCheckNotAvailable": "Локална",
    "rewritePath": "Пренапиши път",
    "rewritePathDescription": "По избор пренапиши пътя преди пренасочване към целта.",
@@ -1915,8 +2006,15 @@
    "beta": "Бета",
    "manageUserDevices": "Потребителски устройства",
    "manageUserDevicesDescription": "Прегледайте и управлявайте устройства, които потребителите използват за поверително свързване към ресурси",
+    "downloadClientBannerTitle": "Изтеглете Pangolin клиент.",
+    "downloadClientBannerDescription": "Изтеглете Pangolin клиента за вашата система, за да се свържете към мрежата Pangolin и да получите достъп до ресурси частно.",
    "manageMachineClients": "Управлявайте машинни клиенти",
    "manageMachineClientsDescription": "Създавайте и управлявайте клиенти, които сървърите и системите използват за поверително свързване към ресурси",
+    "machineClientsBannerTitle": "Сървъри и автоматизирани системи.",
+    "machineClientsBannerDescription": "Машинните клиенти са за сървъри и автоматизирани системи, които не са свързани с конкретен потребител. Те се автентифицират с ID и секретен ключ и могат да работят с Pangolin CLI, Olm CLI или Olm като контейнер.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI.",
+    "machineClientsBannerOlmCLI": "Olm CLI.",
+    "machineClientsBannerOlmContainer": "Olm Контейнер.",
    "clientsTableUserClients": "Потребител",
    "clientsTableMachineClients": "Машина",
    "licenseTableValidUntil": "Валиден до",
@@ -2060,13 +2158,15 @@
    "request": "Изискване",
    "requests": "Заявки",
    "logs": "Логове",
-    "logsSettingsDescription": "Следете логовете, събрани от тази организация",
+    "logsSettingsDescription": "Мониторинг на събраните от тази организация дневници.",
    "searchLogs": "Търсете в логовете...",
    "action": "Действие",
    "actor": "Извършващ",
    "timestamp": "Отбелязано време",
    "accessLogs": "Достъп до логове",
    "exportCsv": "Експортиране в CSV",
+    "exportError": "Неизвестна грешка при експортиране на CSV.",
+    "exportCsvTooltip": "В рамките на времевия диапазон.",
    "actorId": "ID на извършващия",
    "allowedByRule": "Разрешено от правило",
    "allowedNoAuth": "Разрешено без удостоверение",
@@ -2120,7 +2220,7 @@
    "unverified": "Невалидиран",
    "domainSetting": "Настройки на домейните",
    "domainSettingDescription": "Конфигурирайте настройките за домейна",
-    "preferWildcardCertDescription": "Опит за генериране на универсален сертификат (изисква правилно конфигуриран решавач на сертификати).",
+    "preferWildcardCertDescription": "Опитайте да генерирате универсален сертификат (изисква правилно конфигуриран разрешител на сертификати).",
    "recordName": "Име на запис",
    "auto": "Автоматично",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Кодът трябва да бъде 9 символа (напр. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Невалиден или изтекъл код",
    "deviceCodeVerifyFailed": "Неуспешна проверка на кода на устройството",
+    "deviceCodeValidating": "Валидиране на кода на устройството...",
+    "deviceCodeVerifying": "Проверка на оторизацията на устройството...",
    "signedInAs": "Вписан като",
    "deviceCodeEnterPrompt": "Въведете кода, показан на устройството",
    "continue": "Продължете",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Достъп до всички организации, до които има достъп акаунтът ви",
    "deviceAuthorize": "Разрешете {applicationName}",
    "deviceConnected": "Устройството е свързано!",
-    "deviceAuthorizedMessage": "Устройството е разрешено да има достъп до вашия акаунт.",
+    "deviceAuthorizedMessage": "Устройството е оторизирано да има достъп до акаунта ви. Моля, върнете се към клиентското приложение.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Преглед на устройствата",
    "viewDevicesDescription": "Управлявайте свързаните си устройства",
@@ -2246,6 +2348,7 @@
    "identifier": "Идентификатор",
    "deviceLoginUseDifferentAccount": "Не сте вие? Използвайте друг акаунт.",
    "deviceLoginDeviceRequestingAccessToAccount": "Устройство запитващо достъп до този акаунт.",
+    "loginSelectAuthenticationMethod": "Изберете метод на удостоверяване, за да продължите.",
    "noData": "Няма Данни",
    "machineClients": "Машинни клиенти",
    "install": "Инсталирай",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Неуспешно извличане на подмрежа по подразбиране",
    "setupSubnetAdvanced": "Подмрежа (Разширено)",
    "setupSubnetDescription": "Подмрежата за вътрешната мрежа на тази организация.",
+    "setupUtilitySubnet": "Помощен подсегмент (Напреднало).",
+    "setupUtilitySubnetDescription": "Подсегментът за псевдонимите на тази организация и DNS сървъра.",
    "siteRegenerateAndDisconnect": "Генериране и прекъсване на връзката",
    "siteRegenerateAndDisconnectConfirmation": "Сигурни ли сте, че искате да генерирате нови удостоверителни данни и да прекъснете тази връзка?",
    "siteRegenerateAndDisconnectWarning": "Това ще генерира нови удостоверителни данни и незабавно ще прекъсне връзката. На сайта ще трябва да се рестартира с новите удостоверителни данни.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Това ще генерира нови удостоверителни данни и незабавно ще прекъсне връзката на отдалечения възел. Отдалеченият възел ще трябва да се рестартира с новите удостоверителни данни.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Сигурни ли сте, че искате да генерирате новите удостоверителни данни за този отдалечен възел?",
    "remoteExitNodeRegenerateCredentialsWarning": "Това ще генерира нови удостоверителни данни. Отдалеченият възел ще остане свързан, докато не го рестартирате ръчно и използвате новите удостоверителни данни.",
-    "agent": "Агент"
+    "agent": "Агент",
+    "personalUseOnly": "Само за лична употреба.",
+    "loginPageLicenseWatermark": "Тази инстанция е лицензирана само за лична употреба.",
+    "instanceIsUnlicensed": "Тази инстанция е без лиценз.",
+    "portRestrictions": "Ограничения на портовете.",
+    "allPorts": "Всички.",
+    "custom": "Персонализирано.",
+    "allPortsAllowed": "Всички портове са разрешени.",
+    "allPortsBlocked": "Всички портове са блокирани.",
+    "tcpPortsDescription": "Посочете кои TCP портове са разрешени за този ресурс. Използвайте '*' за всички портове, оставете празно, за да блокирате всички, или въведете списък от отделени с запетая портове и диапазони (например: 80,443, 8000-9000).",
+    "udpPortsDescription": "Посочете кои UDP портове са разрешени за този ресурс. Използвайте '*' за всички портове, оставете празно, за да блокирате всички, или въведете списък от отделени с запетая портове и диапазони (например: 53,123, 500-600).",
+    "organizationLoginPageTitle": "Страница за вход на организацията.",
+    "organizationLoginPageDescription": "Персонализирайте страницата за влизане за тази организация.",
+    "resourceLoginPageTitle": "Страница за вход на ресурса.",
+    "resourceLoginPageDescription": "Персонализирайте страницата за вход за конкретни ресурси.",
+    "enterConfirmation": "Въведете потвърждение.",
+    "blueprintViewDetails": "Подробности.",
+    "defaultIdentityProvider": "По подразбиране доставчик на идентичност.",
+    "defaultIdentityProviderDescription": "Когато е избран основен доставчик на идентичност, потребителят ще бъде автоматично пренасочен към доставчика за удостоверяване.",
+    "editInternalResourceDialogNetworkSettings": "Мрежови настройки.",
+    "editInternalResourceDialogAccessPolicy": "Политика за достъп.",
+    "editInternalResourceDialogAddRoles": "Добавяне на роли.",
+    "editInternalResourceDialogAddUsers": "Добавяне на потребители.",
+    "editInternalResourceDialogAddClients": "Добавяне на клиенти.",
+    "editInternalResourceDialogDestinationLabel": "Дестинация.",
+    "editInternalResourceDialogDestinationDescription": "Посочете адреса дестинация за вътрешния ресурс. Това може да бъде име на хост, IP адрес или CIDR обхват в зависимост от избрания режим. По избор настройте вътрешен DNS алиас за по-лесно идентифициране.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Ограничете достъпа до конкретни TCP/UDP портове или позволете/блокирайте всички портове.",
+    "editInternalResourceDialogTcp": "TCP.",
+    "editInternalResourceDialogUdp": "UDP.",
+    "editInternalResourceDialogIcmp": "ICMP.",
+    "editInternalResourceDialogAccessControl": "Контрол на достъпа.",
+    "editInternalResourceDialogAccessControlDescription": "Контролирайте кои роли, потребители и клиентски машини имат достъп до този ресурс, когато са свързани. Администраторите винаги имат достъп.",
+    "editInternalResourceDialogPortRangeValidationError": "Обхватът на портовете трябва да е \"*\" за всички портове или списък от разделени със запетая портове и диапазони (например: \"80,443,8000-9000\"). Портовете трябва да са между 1 и 65535.",
+    "orgAuthWhatsThis": "Къде мога да намеря идентификатора на организацията си?",
+    "learnMore": "Научете повече.",
+    "backToHome": "Връщане към началната страница.",
+    "needToSignInToOrg": "Трябва ли да използвате доставчика на идентичност на организацията си?",
+    "maintenanceMode": "Режим на поддръжка.",
+    "maintenanceModeDescription": "Показване на страницата за поддръжка на посетители.",
+    "maintenanceModeType": "Тип режим на поддръжка.",
+    "showMaintenancePage": "Показване на страницата за поддръжка на посетители.",
+    "enableMaintenanceMode": "Активиране на режим на поддръжка.",
+    "automatic": "Автоматично.",
+    "automaticModeDescription": "Показване на страницата за поддръжка само когато всички целеви подсистеми са неработоспособни или в лошо състояние. Вашият ресурс продължава да работи нормално, докато поне един целеви подсистемен елемент е в здравия диапазон.",
+    "forced": "Наложително.",
+    "forcedModeDescription": "Винаги показвайте страницата за поддръжка, без значение от състоянието на подсистемите. Използвайте това за планирана поддръжка, когато искате да предотвратите всякакъв достъпен достъп.",
+    "warning:": "Предупреждение:",
+    "forcedeModeWarning": "Целият трафик ще бъде пренасочен към страницата за поддръжка. Вашите подсистемни ресурси няма да получат никакви заявки.",
+    "pageTitle": "Заглавие на страницата.",
+    "pageTitleDescription": "Основното заглавие, показвано на страницата за поддръжка.",
+    "maintenancePageMessage": "Съобщение за поддръжка.",
+    "maintenancePageMessagePlaceholder": "Ще се върнем скоро! Нашият сайт понастоящем е в процес на планирана поддръжка.",
+    "maintenancePageMessageDescription": "Подробно съобщение, обясняващо поддръжката.",
+    "maintenancePageTimeTitle": "Очаквано време за завършване (по избор).",
+    "maintenanceTime": "например, 2 часа, 1 ноември в 17:00.",
+    "maintenanceEstimatedTimeDescription": "Кога очаквате поддръжката да бъде завършена?",
+    "editDomain": "Редактиране на домейна.",
+    "editDomainDescription": "Изберете домейн за вашия ресурс.",
+    "maintenanceModeDisabledTooltip": "Тази функция изисква валиден лиценз за активиране.",
+    "maintenanceScreenTitle": "Услугата временно недостъпна.",
+    "maintenanceScreenMessage": "В момента срещаме технически затруднения. Моля, проверете отново скоро.",
+    "maintenanceScreenEstimatedCompletion": "Прогнозно завършване:",
+    "createInternalResourceDialogDestinationRequired": "Дестинацията е задължителна.",
+    "available": "Налично",
+    "archived": "Архивирано",
+    "noArchivedDevices": "Не са намерени архивирани устройства.",
+    "deviceArchived": "Устройството е архивирано.",
+    "deviceArchivedDescription": "Устройството беше успешно архивирано.",
+    "errorArchivingDevice": "Грешка при архивиране на устройството.",
+    "failedToArchiveDevice": "Неуспех при архивиране на устройството.",
+    "deviceQuestionArchive": "Сигурни ли сте, че искате да архивирате това устройство?",
+    "deviceMessageArchive": "Устройството ще бъде архивирано и премахнато от вашия списък с активни устройства.",
+    "deviceArchiveConfirm": "Архивиране на устройството",
+    "archiveDevice": "Архивиране на устройство",
+    "archive": "Архив",
+    "deviceUnarchived": "Устройството е разархивирано.",
+    "deviceUnarchivedDescription": "Устройството беше успешно разархивирано.",
+    "errorUnarchivingDevice": "Грешка при разархивиране на устройството.",
+    "failedToUnarchiveDevice": "Неуспешно разархивиране на устройството.",
+    "unarchive": "Разархивиране",
+    "archiveClient": "Архивиране на клиента",
+    "archiveClientQuestion": "Сигурни ли сте, че искате да архивирате този клиент?",
+    "archiveClientMessage": "Клиентът ще бъде архивиран и премахнат от вашия списък с активни клиенти.",
+    "archiveClientConfirm": "Архивиране на клиента",
+    "blockClient": "Блокиране на клиента",
+    "blockClientQuestion": "Сигурни ли сте, че искате да блокирате този клиент?",
+    "blockClientMessage": "Устройството ще бъде принудено да прекъсне, ако е в момента свързано. Можете да го отблокирате по-късно.",
+    "blockClientConfirm": "Блокиране на клиента",
+    "active": "Активно",
+    "usernameOrEmail": "Потребителско име или имейл",
+    "selectYourOrganization": "Изберете вашата организация",
+    "signInTo": "Влезте в",
+    "signInWithPassword": "Продължете с парола",
+    "noAuthMethodsAvailable": "Няма налични методи за удостоверяване за тази организация.",
+    "enterPassword": "Въведете вашата парола",
+    "enterMfaCode": "Въведете кода от вашето приложение за удостоверяване",
+    "securityKeyRequired": "Моля, използвайте ключа за сигурност, за да влезете.",
+    "needToUseAnotherAccount": "Трябва ли да използвате различен акаунт?",
+    "loginLegalDisclaimer": "С натискането на бутоните по-долу, потвърждавате, че сте прочели, разбирате и се съгласявате с <termsOfService>Условията за ползване</termsOfService> и <privacyPolicy>Политиката за поверителност</privacyPolicy>.",
+    "termsOfService": "Условия за ползване",
+    "privacyPolicy": "Политика за поверителност",
+    "userNotFoundWithUsername": "Не е намерен потребител с това потребителско име.",
+    "verify": "Потвърждение",
+    "signIn": "Вход",
+    "forgotPassword": "Забравена парола?",
+    "orgSignInTip": "Ако сте влизали преди, можете да въведете вашето потребителско име или имейл по-горе, за да се удостовери с идентификатора на вашата организация. Лесно е!",
+    "continueAnyway": "Продължете въпреки това",
+    "dontShowAgain": "Не показвайте повече",
+    "orgSignInNotice": "Знаете ли?",
+    "signupOrgNotice": "Опитвате се да влезете?",
+    "signupOrgTip": "Опитвате ли се да влезете чрез идентификационния доставчик на вашата организация?",
+    "signupOrgLink": "Влезте или се регистрирайте с вашата организация вместо това.",
+    "verifyEmailLogInWithDifferentAccount": "Използвайте различен акаунт",
+    "logIn": "Вход",
+    "deviceInformation": "Информация за устройството",
+    "deviceInformationDescription": "Информация за устройството и агента",
+    "deviceSecurity": "Защита на устройството.",
+    "deviceSecurityDescription": "Информация за състоянието на защитата на устройството.",
+    "platform": "Платформа",
+    "macosVersion": "Версия на macOS",
+    "windowsVersion": "Версия на Windows",
+    "iosVersion": "Версия на iOS",
+    "androidVersion": "Версия на Android",
+    "osVersion": "Версия на ОС",
+    "kernelVersion": "Версия на ядрото",
+    "deviceModel": "Модел на устройството",
+    "serialNumber": "Сериен номер",
+    "hostname": "Име на хост",
+    "firstSeen": "Видян за първи път",
+    "lastSeen": "Последно видян",
+    "biometricsEnabled": "Активирани биометрични данни.",
+    "diskEncrypted": "Криптиран диск.",
+    "firewallEnabled": "Активирана защитна стена.",
+    "autoUpdatesEnabled": "Активирани автоматични актуализации.",
+    "tpmAvailable": "TPM е на разположение.",
+    "macosSipEnabled": "Protection на системната цялост (SIP).",
+    "macosGatekeeperEnabled": "Gatekeeper.",
+    "macosFirewallStealthMode": "Скрит режим на защитната стена.",
+    "linuxAppArmorEnabled": "AppArmor.",
+    "linuxSELinuxEnabled": "SELinux.",
+    "deviceSettingsDescription": "Разгледайте информация и настройки на устройството",
+    "devicePendingApprovalDescription": "Това устройство чака одобрение",
+    "deviceBlockedDescription": "Това устройство е в момента блокирано. Няма да може да се свърже с никакви ресурси, освен ако не бъде деблокирано.",
+    "unblockClient": "Деблокирайте клиента",
+    "unblockClientDescription": "Устройството е деблокирано",
+    "unarchiveClient": "Разархивиране на клиента",
+    "unarchiveClientDescription": "Устройството е разархивирано",
+    "block": "Блокирането",
+    "unblock": "Деблокиране",
+    "deviceActions": "Действия с устройствата",
+    "deviceActionsDescription": "Управлявайте състоянието и достъпа на устройството",
+    "devicePendingApprovalBannerDescription": "Това устройство чака одобрение. Няма да може да се свърже с ресурси, докато не бъде одобрено.",
+    "connected": "Свързан",
+    "disconnected": "Прекъснат",
+    "approvalsEmptyStateTitle": "Одобрения на устройство не са активирани",
+    "approvalsEmptyStateDescription": "Активирайте одобрения на устройства за роли, така че да изискват администраторско одобрение, преди потребителите да могат да свързват нови устройства.",
+    "approvalsEmptyStateStep1Title": "Отидете на роли",
+    "approvalsEmptyStateStep1Description": "Навигирайте до настройките на ролите на вашата организация, за да конфигурирате одобренията на устройства.",
+    "approvalsEmptyStateStep2Title": "Активирайте одобрения на устройства",
+    "approvalsEmptyStateStep2Description": "Редактирайте ролята и активирайте опцията 'Изискване на одобрения за устройства'. Потребители с тази роля ще трябва администраторско одобрение за нови устройства.",
+    "approvalsEmptyStatePreviewDescription": "Преглед: Когато е активирано, чакащите заявки за устройства ще се появят тук за преглед",
+    "approvalsEmptyStateButtonText": "Управлявайте роли"
 }
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Vytvořte organizaci, stránku a zdroje",
+    "headerAuthCompatibilityInfo": "Povolte toto, aby vyvolalo odpověď 401 Neoprávněné, když chybí autentizační token. Toto je potřeba pro prohlížeče nebo specifické HTTP knihovny, které neposílají přihlašovací údaje bez výzvy serveru.",
+    "headerAuthCompatibility": "Rozšířená kompatibilita",
    "setupNewOrg": "Nová organizace",
    "setupCreateOrg": "Vytvořit organizaci",
    "setupCreateResources": "Vytvořit zdroje",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Jste si jisti, že chcete odstranit tuto stránku z organizace?",
    "siteManageSites": "Správa lokalit",
    "siteDescription": "Vytvořte a spravujte stránky pro povolení připojení k soukromým sítím",
+    "sitesBannerTitle": "Připojit jakoukoli síť",
+    "sitesBannerDescription": "Lokalita je připojení k vzdálené síti, která umožňuje Pangolinu poskytovat přístup k prostředkům, ať už veřejným nebo soukromým, uživatelům kdekoli. Nainstalujte síťový konektor (Newt) kamkoli, kam můžete spustit binární soubor nebo kontejner, aby bylo možné připojení navázat.",
+    "sitesBannerButtonText": "Nainstalovat lokalitu",
+    "approvalsBannerTitle": "Schválit nebo zakázat přístup k zařízení",
+    "approvalsBannerDescription": "Zkontrolovat a schválit nebo zakázat žádosti uživatelů o přístup k zařízení. Pokud jsou vyžadována schválení zařízení, musí být uživatelé oprávněni před tím, než se jejich zařízení mohou připojit k zdrojům vaší organizace.",
+    "approvalsBannerButtonText": "Zjistit více",
    "siteCreate": "Vytvořit lokalitu",
    "siteCreateDescription2": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili novou lokalitu",
    "siteCreateDescription": "Vytvořit nový web pro zahájení připojování zdrojů",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Určete, jak se chcete připojit k webu",
    "siteNewtCredentials": "Pověření",
    "siteNewtCredentialsDescription": "Takto se bude stránka autentizovat se serverem",
+    "remoteNodeCredentialsDescription": "Takto se vzdálený uzel autentizuje s serverem",
    "siteCredentialsSave": "Uložit pověření",
    "siteCredentialsSaveDescription": "Toto nastavení uvidíte pouze jednou. Ujistěte se, že jej zkopírujete na bezpečné místo.",
    "siteInfo": "Údaje o lokalitě",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Zvolte prosím zdroj",
    "proxyResourceTitle": "Spravovat veřejné zdroje",
    "proxyResourceDescription": "Vytváření a správa zdrojů, které jsou veřejně přístupné prostřednictvím webového prohlížeče",
+    "proxyResourcesBannerTitle": "Veřejný přístup založený na webu",
+    "proxyResourcesBannerDescription": "Veřejné prostředky jsou HTTPS nebo TCP/UDP proxy, které jsou přístupné každému na internetu prostřednictvím webového prohlížeče. Na rozdíl od soukromých prostředků nevyžadují software na straně klienta a mohou zahrnovat politiky přístupu orientované na identitu a kontext.",
    "clientResourceTitle": "Spravovat soukromé zdroje",
    "clientResourceDescription": "Vytváření a správa zdrojů, které jsou přístupné pouze prostřednictvím připojeného klienta",
+    "privateResourcesBannerTitle": "Zero-Trust soukromý přístup",
+    "privateResourcesBannerDescription": "Soukromé prostředky používají zero-trust zabezpečení, což zajišťuje, že uživatelé a zařízení mohou získat přístup pouze k prostředkům, k nimž máte explicitní práva. Připojte zařízení uživatele nebo klientské stroje, abyste získali přístup k těmto prostředkům přes zabezpečenou virtuální soukromou síť.",
    "resourcesSearch": "Prohledat zdroje...",
    "resourceAdd": "Přidat zdroj",
    "resourceErrorDelte": "Chyba při odstraňování zdroje",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Jakmile zdroj odstraníte, nebude dostupný. Všechny související služby a cíle budou také odstraněny.",
    "resourceQuestionRemove": "Jste si jisti, že chcete odstranit zdroj z organizace?",
    "resourceHTTP": "Zdroj HTTPS",
-    "resourceHTTPDescription": "Požadavky na proxy pro aplikaci přes HTTPS pomocí subdomény nebo základní domény.",
+    "resourceHTTPDescription": "Proxy požadavky přes HTTPS pomocí plně kvalifikovaného názvu domény.",
    "resourceRaw": "Surový TCP/UDP zdroj",
-    "resourceRawDescription": "Proxy požadavky na aplikaci přes TCP/UDP pomocí čísla portu. To funguje pouze v případě, že jsou stránky připojeny k uzlům.",
+    "resourceRawDescription": "Proxy požadavky přes nezpracovaný TCP/UDP pomocí čísla portu.",
    "resourceCreate": "Vytvořit zdroj",
    "resourceCreateDescription": "Postupujte podle níže uvedených kroků, abyste vytvořili a připojili nový zdroj",
    "resourceSeeAll": "Zobrazit všechny zdroje",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Hledat role...",
    "accessRolesAdd": "Přidat roli",
    "accessRoleDelete": "Odstranit roli",
+    "accessApprovalsManage": "Spravovat schválení",
+    "accessApprovalsDescription": "Zobrazit a spravovat čekající oprávnění pro přístup k této organizaci",
    "description": "L 343, 22.12.2009, s. 1).",
    "inviteTitle": "Otevřít pozvánky",
    "inviteDescription": "Spravovat pozvánky pro ostatní uživatele do organizace",
@@ -440,6 +455,18 @@
    "selectDuration": "Vyberte dobu trvání",
    "selectResource": "Vybrat dokument",
    "filterByResource": "Filtrovat podle zdroje",
+    "selectApprovalState": "Vyberte stát schválení",
+    "filterByApprovalState": "Filtrovat podle státu schválení",
+    "approvalListEmpty": "Žádná schválení",
+    "approvalState": "Země schválení",
+    "approve": "Schválit",
+    "approved": "Schváleno",
+    "denied": "Zamítnuto",
+    "deniedApproval": "Odmítnuto schválení",
+    "all": "Vše",
+    "deny": "Zamítnout",
+    "viewDetails": "Zobrazit detaily",
+    "requestingNewDeviceApproval": "vyžádal si nové zařízení",
    "resetFilters": "Resetovat filtry",
    "totalBlocked": "Požadavky blokovány Pangolinem",
    "totalRequests": "Celkem požadavků",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Administrátoři mají vždy přístup k tomuto zdroji.",
    "resourceUsersRoles": "Kontrola přístupu",
    "resourceUsersRolesDescription": "Nastavení, kteří uživatelé a role mohou navštívit tento zdroj",
-    "resourceUsersRolesSubmit": "Uložit uživatele a role",
+    "resourceUsersRolesSubmit": "Uložit přístupové řízení",
    "resourceWhitelistSave": "Úspěšně uloženo",
    "resourceWhitelistSaveDescription": "Nastavení seznamu povolených položek bylo uloženo",
    "ssoUse": "Použít platformu SSO",
@@ -719,16 +746,28 @@
    "countries": "Země",
    "accessRoleCreate": "Vytvořit roli",
    "accessRoleCreateDescription": "Vytvořte novou roli pro seskupení uživatelů a spravujte jejich oprávnění.",
+    "accessRoleEdit": "Upravit roli",
+    "accessRoleEditDescription": "Upravit informace o roli.",
    "accessRoleCreateSubmit": "Vytvořit roli",
    "accessRoleCreated": "Role vytvořena",
    "accessRoleCreatedDescription": "Role byla úspěšně vytvořena.",
    "accessRoleErrorCreate": "Nepodařilo se vytvořit roli",
    "accessRoleErrorCreateDescription": "Došlo k chybě při vytváření role.",
+    "accessRoleUpdateSubmit": "Aktualizovat roli",
+    "accessRoleUpdated": "Role aktualizována",
+    "accessRoleUpdatedDescription": "Role byla úspěšně aktualizována.",
+    "accessApprovalUpdated": "Zpracovaná schválení",
+    "accessApprovalApprovedDescription": "Nastavit rozhodnutí o schválení žádosti o schválení.",
+    "accessApprovalDeniedDescription": "Nastavit žádost o schválení rozhodnutí o zamítnutí.",
+    "accessRoleErrorUpdate": "Nepodařilo se aktualizovat roli",
+    "accessRoleErrorUpdateDescription": "Došlo k chybě při aktualizaci role.",
+    "accessApprovalErrorUpdate": "Zpracování schválení se nezdařilo",
+    "accessApprovalErrorUpdateDescription": "Při zpracování schválení došlo k chybě.",
    "accessRoleErrorNewRequired": "Je vyžadována nová role",
    "accessRoleErrorRemove": "Nepodařilo se odstranit roli",
    "accessRoleErrorRemoveDescription": "Došlo k chybě při odstraňování role.",
    "accessRoleName": "Název role",
-    "accessRoleQuestionRemove": "Chystáte se odstranit {name} roli. Tuto akci nelze vrátit zpět.",
+    "accessRoleQuestionRemove": "Chystáte se odstranit roli `{name}`. Tuto akci nelze vrátit zpět.",
    "accessRoleRemove": "Odstranit roli",
    "accessRoleRemoveDescription": "Odebrat roli z organizace",
    "accessRoleRemoveSubmit": "Odstranit roli",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Konfigurace přístupu pro organizaci",
    "idpUpdatedDescription": "Poskytovatel identity byl úspěšně aktualizován",
    "redirectUrl": "Přesměrovat URL",
+    "orgIdpRedirectUrls": "Přesměrovat URL",
    "redirectUrlAbout": "O přesměrování URL",
    "redirectUrlAboutDescription": "Toto je URL, na kterou budou uživatelé po ověření přesměrováni. Tuto URL je třeba nastavit v nastavení poskytovatele identity.",
    "pangolinAuth": "Auth - Pangolin",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Ověřovací kód",
    "pincodeSubmit2": "Odeslat kód",
    "passwordResetSubmit": "Žádost o obnovení",
-    "passwordResetAlreadyHaveCode": "Zadejte kód pro obnovení hesla",
+    "passwordResetAlreadyHaveCode": "Zadejte kód",
    "passwordResetSmtpRequired": "Obraťte se na správce",
    "passwordResetSmtpRequiredDescription": "Pro obnovení hesla je vyžadován kód pro obnovení hesla. Kontaktujte prosím svého administrátora.",
    "passwordBack": "Zpět na heslo",
-    "loginBack": "Přejít zpět na přihlášení",
+    "loginBack": "Přejít zpět na hlavní přihlašovací stránku",
    "signup": "Zaregistrovat se",
    "loginStart": "Přihlaste se a začněte",
    "idpOidcTokenValidating": "Ověřování OIDC tokenu",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Aktualizovat Org uživatele",
    "createOrgUser": "Vytvořit Org uživatele",
    "actionUpdateOrg": "Aktualizovat organizaci",
+    "actionRemoveInvitation": "Odstranit pozvání",
    "actionUpdateUser": "Aktualizovat uživatele",
    "actionGetUser": "Získat uživatele",
    "actionGetOrgUser": "Získat uživatele organizace",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Získat web",
    "actionListSites": "Seznam stránek",
    "actionApplyBlueprint": "Použít plán",
+    "actionListBlueprints": "Seznam šablon",
+    "actionGetBlueprint": "Získat šablonu",
    "setupToken": "Nastavit token",
    "setupTokenDescription": "Zadejte nastavovací token z konzole serveru.",
    "setupTokenRequired": "Je vyžadován token nastavení",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Aktualizovat IDP Org",
    "actionCreateClient": "Vytvořit klienta",
    "actionDeleteClient": "Odstranit klienta",
+    "actionArchiveClient": "Archivovat klienta",
+    "actionUnarchiveClient": "Zrušit archiv klienta",
+    "actionBlockClient": "Blokovat klienta",
+    "actionUnblockClient": "Odblokovat klienta",
    "actionUpdateClient": "Aktualizovat klienta",
    "actionListClients": "Seznam klientů",
    "actionGetClient": "Získat klienta",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Hledat...",
    "create": "Vytvořit",
    "orgs": "Organizace",
-    "loginError": "Při přihlášení došlo k chybě",
-    "loginRequiredForDevice": "Pro ověření vašeho zařízení je nutné se přihlásit.",
+    "loginError": "Došlo k neočekávané chybě. Zkuste to prosím znovu.",
+    "loginRequiredForDevice": "Přihlášení je vyžadováno pro vaše zařízení.",
    "passwordForgot": "Zapomněli jste heslo?",
    "otpAuth": "Dvoufaktorové ověření",
    "otpAuthDescription": "Zadejte kód z vaší autentizační aplikace nebo jeden z vlastních záložních kódů.",
    "otpAuthSubmit": "Odeslat kód",
    "idpContinue": "Nebo pokračovat s",
-    "otpAuthBack": "Zpět na přihlášení",
+    "otpAuthBack": "Zpět na heslo",
    "navbar": "Navigation Menu",
    "navbarDescription": "Hlavní navigační menu aplikace",
    "navbarDocsLink": "Dokumentace",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Přehled",
    "sidebarHome": "Domů",
    "sidebarSites": "Stránky",
+    "sidebarApprovals": "Žádosti o schválení",
    "sidebarResources": "Zdroje",
    "sidebarProxyResources": "Veřejnost",
    "sidebarClientResources": "Soukromé",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Poskytovatelé identity",
    "sidebarLicense": "Licence",
    "sidebarClients": "Klienti",
-    "sidebarUserDevices": "Uživatelé",
+    "sidebarUserDevices": "Uživatelská zařízení",
    "sidebarMachineClients": "Stroje a přístroje",
    "sidebarDomains": "Domény",
-    "sidebarGeneral": "Obecná ustanovení",
+    "sidebarGeneral": "Spravovat",
    "sidebarLogAndAnalytics": "Log & Analytics",
    "sidebarBluePrints": "Plány",
    "sidebarOrganization": "Organizace",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Došlo k chybě při vytváření účtu správce serveru.",
    "certificateStatus": "Stav certifikátu",
    "loading": "Načítání",
+    "loadingAnalytics": "Načítání analytiky",
    "restart": "Restartovat",
    "domains": "Domény",
    "domainsDescription": "Vytvořit a spravovat domény dostupné v organizaci",
@@ -1290,6 +1339,7 @@
    "refreshError": "Obnovení dat se nezdařilo",
    "verified": "Ověřeno",
    "pending": "Nevyřízeno",
+    "pendingApproval": "Čeká na schválení",
    "sidebarBilling": "Fakturace",
    "billing": "Fakturace",
    "orgBillingDescription": "Spravovat fakturační informace a předplatné",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Nastavení účtu dokončeno! Vítejte v Pangolinu!",
    "documentation": "Dokumentace",
    "saveAllSettings": "Uložit všechna nastavení",
+    "saveResourceTargets": "Uložit cíle",
+    "saveResourceHttp": "Uložit nastavení proxy",
+    "saveProxyProtocol": "Uložit nastavení proxy protokolu",
    "settingsUpdated": "Nastavení aktualizováno",
-    "settingsUpdatedDescription": "Všechna nastavení byla úspěšně aktualizována",
+    "settingsUpdatedDescription": "Nastavení úspěšně aktualizována",
    "settingsErrorUpdate": "Aktualizace nastavení se nezdařila",
    "settingsErrorUpdateDescription": "Došlo k chybě při aktualizaci nastavení",
    "sidebarCollapse": "Sbalit",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Bezpečnostní klíč byl úspěšně odstraněn",
    "securityKeyRemoveError": "Odstranění bezpečnostního klíče se nezdařilo",
    "securityKeyLoadError": "Nepodařilo se načíst bezpečnostní klíče",
-    "securityKeyLogin": "Pokračovat s bezpečnostním klíčem",
+    "securityKeyLogin": "Použít bezpečnostní klíč",
    "securityKeyAuthError": "Ověření bezpečnostním klíčem se nezdařilo",
    "securityKeyRecommendation": "Registrujte záložní bezpečnostní klíč na jiném zařízení, abyste zajistili, že budete mít vždy přístup ke svému účtu.",
    "registering": "Registrace...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Souhlasím s",
        "termsOfService": "podmínky služby",
        "and": "a",
-        "privacyPolicy": "zásady ochrany osobních údajů"
+        "privacyPolicy": "zásady ochrany osobních údajů."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Udržujte mě ve smyčce s novinkami, aktualizacemi a novými funkcemi e-mailem."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Add New Target",
    "targetsList": "Seznam cílů",
    "advancedMode": "Pokročilý režim",
+    "advancedSettings": "Pokročilá nastavení",
    "targetErrorDuplicateTargetFound": "Byl nalezen duplicitní cíl",
    "healthCheckHealthy": "Zdravé",
    "healthCheckUnhealthy": "Nezdravé",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Interval zdraví",
    "timeoutSeconds": "Časový limit (sek)",
    "timeIsInSeconds": "Čas je v sekundách",
+    "requireDeviceApproval": "Vyžadovat schválení zařízení",
+    "requireDeviceApprovalDescription": "Uživatelé s touto rolí potřebují nová zařízení schválená správcem, než se mohou připojit a přistupovat ke zdrojům.",
    "retryAttempts": "Opakovat pokusy",
    "expectedResponseCodes": "Očekávané kódy odezvy",
    "expectedResponseCodesDescription": "HTTP kód stavu, který označuje zdravý stav. Ponecháte-li prázdné, 200-300 je považováno za zdravé.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Nebyly nalezeny žádné vnitřní zdroje.",
    "resourcesTableDestination": "Místo určení",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adresa aliasu",
+    "resourcesTableAliasAddressInfo": "Tato adresa je součástí subsítě veřejných služeb organizace. Používá se k řešení záznamů aliasů pomocí interního rozlišení DNS.",
    "resourcesTableClients": "Klienti",
    "resourcesTableAndOnlyAccessibleInternally": "a jsou interně přístupné pouze v případě, že jsou propojeni s klientem.",
    "resourcesTableNoTargets": "Žádné cíle",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Vlastnosti zdroje",
    "createInternalResourceDialogName": "Jméno",
    "createInternalResourceDialogSite": "Lokalita",
-    "createInternalResourceDialogSelectSite": "Vybrat lokalitu...",
-    "createInternalResourceDialogSearchSites": "Hledat lokality...",
-    "createInternalResourceDialogNoSitesFound": "Nebyly nalezeny žádné stránky.",
+    "selectSite": "Vybrat lokalitu...",
+    "noSitesFound": "Nebyly nalezeny žádné lokality.",
    "createInternalResourceDialogProtocol": "Protokol",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Interní adresa webu. Musí spadat do podsítě organizace.",
    "siteNameDescription": "Zobrazovaný název stránky, který lze později změnit.",
    "autoLoginExternalIdp": "Automatické přihlášení pomocí externího IDP",
-    "autoLoginExternalIdpDescription": "Okamžitě přesměrujte uživatele na externí IDP k ověření.",
+    "autoLoginExternalIdpDescription": "Ihned přesměrujte uživatele na externího poskytovatele identity pro autentifikaci.",
    "selectIdp": "Vybrat IDP",
    "selectIdpPlaceholder": "Vyberte IDP...",
    "selectIdpRequired": "Prosím vyberte IDP, když je povoleno automatické přihlášení.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Od poskytovatele identity nebyla obdržena žádná adresa URL.",
    "autoLoginErrorGeneratingUrl": "Nepodařilo se vygenerovat ověřovací URL.",
    "remoteExitNodeManageRemoteExitNodes": "Vzdálené uzly",
-    "remoteExitNodeDescription": "Samohostitelská jedna nebo více vzdálených uzlů pro rozšíření připojení k síti a snížení závislosti na cloudu",
+    "remoteExitNodeDescription": "Hostujte vlastní vzdálený relační a proxy server uzly",
    "remoteExitNodes": "Uzly",
    "searchRemoteExitNodes": "Hledat uzly...",
    "remoteExitNodeAdd": "Přidat uzel",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Potvrdit odstranění uzlu",
    "remoteExitNodeDelete": "Odstranit uzel",
    "sidebarRemoteExitNodes": "Vzdálené uzly",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Tajný klíč",
    "remoteExitNodeCreate": {
-        "title": "Vytvořit uzel",
-        "description": "Vytvořit nový uzel pro rozšíření síťového připojení",
+        "title": "Vytvořit vzdálený uzel",
+        "description": "Vytvořte nový vlastní hostovaný vzdálený relační a proxy server uzel",
        "viewAllButton": "Zobrazit všechny uzly",
        "strategy": {
            "title": "Strategie tvorby",
-            "description": "Zvolte pro ruční nastavení uzlu nebo vygenerování nových pověření.",
+            "description": "Vyberte, jak chcete vytvořit vzdálený uzel",
            "adopt": {
                "title": "Přijmout uzel",
                "description": "Zvolte tuto možnost, pokud již máte přihlašovací údaje k uzlu."
            },
            "generate": {
                "title": "Generovat klíče",
-                "description": "Vyberte tuto možnost, pokud chcete vygenerovat nové klíče pro uzel"
+                "description": "Vyberte tuto možnost, pokud chcete vygenerovat nové klíče pro uzel."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Podsíť",
    "subnetDescription": "Podsíť pro konfiguraci sítě této organizace.",
-    "authPage": "Auth stránka",
-    "authPageDescription": "Konfigurace autentizační stránky organizace",
+    "customDomain": "Vlastní doména",
+    "authPage": "Autentizační stránky",
+    "authPageDescription": "Nastavte vlastní doménu pro autentizační stránky organizace",
    "authPageDomain": "Doména ověření stránky",
+    "authPageBranding": "Vlastní branding",
+    "authPageBrandingDescription": "Nastavte branding, který se objeví na autentizačních stránkách této organizace",
+    "authPageBrandingUpdated": "Branding na autentizační stránce úspěšně aktualizován",
+    "authPageBrandingRemoved": "Branding na autentizační stránce úspěšně odstraněn",
+    "authPageBrandingRemoveTitle": "Odstranit branding autentizační stránky",
+    "authPageBrandingQuestionRemove": "Jste si jisti, že chcete odstranit branding autentizačních stránek?",
+    "authPageBrandingDeleteConfirm": "Potvrzení odstranění brandingu",
+    "brandingLogoURL": "URL loga",
+    "brandingPrimaryColor": "Primární barva",
+    "brandingLogoWidth": "Šířka (px)",
+    "brandingLogoHeight": "Výška (px)",
+    "brandingOrgTitle": "Název pro autentizační stránku organizace",
+    "brandingOrgDescription": "{orgName} bude nahrazeno názvem organizace",
+    "brandingOrgSubtitle": "Podtitul pro autentizační stránku organizace",
+    "brandingResourceTitle": "Název pro autentizační stránku prostředku",
+    "brandingResourceSubtitle": "Podtitul pro autentizační stránku prostředku",
+    "brandingResourceDescription": "{resourceName} bude nahrazeno názvem organizace",
+    "saveAuthPageDomain": "Uložit doménu",
+    "saveAuthPageBranding": "Uložit branding",
+    "removeAuthPageBranding": "Odstranit branding",
    "noDomainSet": "Není nastavena žádná doména",
    "changeDomain": "Změnit doménu",
    "selectDomain": "Vybrat doménu",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Nastavit doménu autentické stránky",
    "failedToFetchCertificate": "Nepodařilo se načíst certifikát",
    "failedToRestartCertificate": "Restartování certifikátu se nezdařilo",
-    "addDomainToEnableCustomAuthPages": "Přidat doménu pro povolení vlastních ověřovacích stránek organizace",
+    "addDomainToEnableCustomAuthPages": "Uživatelé budou schopni přistupovat k přihlašovací stránce organizace a dokončit autentifikaci prostředků použitím této domény.",
    "selectDomainForOrgAuthPage": "Vyberte doménu pro ověřovací stránku organizace",
    "domainPickerProvidedDomain": "Poskytnutá doména",
    "domainPickerFreeProvidedDomain": "Zdarma poskytnutá doména",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" nemohl být platný pro {domain}.",
    "domainPickerSubdomainSanitized": "Upravená subdoména",
    "domainPickerSubdomainCorrected": "\"{sub}\" bylo opraveno na \"{sanitized}\"",
-    "orgAuthSignInTitle": "Přihlásit se k organizaci",
+    "orgAuthSignInTitle": "Přihlášení do organizace",
    "orgAuthChooseIdpDescription": "Chcete-li pokračovat, vyberte svého poskytovatele identity",
    "orgAuthNoIdpConfigured": "Tato organizace nemá nakonfigurovány žádné poskytovatele identity. Místo toho se můžete přihlásit s vaší Pangolinovou identitou.",
    "orgAuthSignInWithPangolin": "Přihlásit se pomocí Pangolinu",
+    "orgAuthSignInToOrg": "Přihlásit se do organizace",
+    "orgAuthSelectOrgTitle": "Přihlášení do organizace",
+    "orgAuthSelectOrgDescription": "Zadejte ID vaší organizace pro pokračování",
+    "orgAuthOrgIdPlaceholder": "vaše-organizace",
+    "orgAuthOrgIdHelp": "Zadejte jedinečný identifikátor vaší organizace",
+    "orgAuthSelectOrgHelp": "Po zadání ID vaší organizace budete přesměrováni na přihlašovací stránku vaší organizace, kde můžete použít SSO nebo přihlašovací údaje vaší organizace.",
+    "orgAuthRememberOrgId": "Zapamatujte si toto ID organizace",
+    "orgAuthBackToSignIn": "Zpět ke standardnímu přihlášení",
+    "orgAuthNoAccount": "Nemáte účet?",
    "subscriptionRequiredToUse": "Pro použití této funkce je vyžadováno předplatné.",
    "idpDisabled": "Poskytovatelé identit jsou zakázáni.",
    "orgAuthPageDisabled": "Ověřovací stránka organizace je zakázána.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Povolit dvoufaktorové ověření",
    "completeSecuritySteps": "Dokončit bezpečnostní kroky",
    "securitySettings": "Nastavení zabezpečení",
+    "dangerSection": "Nebezpečná zóna",
+    "dangerSectionDescription": "Trvale smazat všechna data spojená s touto organizací",
    "securitySettingsDescription": "Konfigurace bezpečnostních pravidel organizace",
    "requireTwoFactorForAllUsers": "Vyžadovat dvoufaktorové ověření pro všechny uživatele",
    "requireTwoFactorDescription": "Pokud je povoleno, všichni interní uživatelé v této organizaci musí mít dvoufaktorové ověření povoleno pro přístup k organizaci.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Toto ovlivní všechny uživatele v organizaci",
    "authPageErrorUpdateMessage": "Při aktualizaci nastavení autentizační stránky došlo k chybě",
    "authPageErrorUpdate": "Nelze aktualizovat ověřovací stránku",
-    "authPageUpdated": "Autentizační stránka byla úspěšně aktualizována",
+    "authPageDomainUpdated": "Doména na autentizační stránce úspěšně aktualizována",
    "healthCheckNotAvailable": "Místní",
    "rewritePath": "Přepsat cestu",
    "rewritePathDescription": "Volitelně přepište cestu před odesláním na cíl.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Uživatelská zařízení",
    "manageUserDevicesDescription": "Zobrazit a spravovat zařízení, která používají uživatelé k soukromím připojení k zdrojům",
+    "downloadClientBannerTitle": "Stáhnout klienta Pangolinu",
+    "downloadClientBannerDescription": "Stáhnout klienta Pangolinu do vašeho systému pro připojení k síti Pangolin a zajištění soukromého přístupu k prostředkům.",
    "manageMachineClients": "Správa automatických klientů",
    "manageMachineClientsDescription": "Vytvořte a spravujte klienty, které servery a systémy používají k soukromím připojování k zdrojům",
+    "machineClientsBannerTitle": "Servery & Automatizované systémy",
+    "machineClientsBannerDescription": "Klientské stroje jsou určeny pro servery a automatizované systémy, které nejsou přiřazeny k žádnému specifickému uživateli. Autentizují se pomocí ID a tajemství, a mohou běžet s Pangolin CLI, Olm CLI nebo Olm jako kontejner.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm kontejner",
    "clientsTableUserClients": "Uživatel",
    "clientsTableMachineClients": "Stroj",
    "licenseTableValidUntil": "Platná do",
@@ -2060,13 +2158,15 @@
    "request": "Žádost",
    "requests": "Požadavky",
    "logs": "Logy",
-    "logsSettingsDescription": "Monitorovat logy shromážděné z této orginizace",
+    "logsSettingsDescription": "Sledujte protokoly sbírané z této organizace",
    "searchLogs": "Hledat logy...",
    "action": "Akce",
    "actor": "Aktér",
    "timestamp": "Časové razítko",
    "accessLogs": "Protokoly přístupu",
    "exportCsv": "Exportovat CSV",
+    "exportError": "Neznámá chyba při exportu CSV",
+    "exportCsvTooltip": "V zadaném časovém rozmezí",
    "actorId": "ID aktéra",
    "allowedByRule": "Povoleno pomocí pravidla",
    "allowedNoAuth": "Povoleno bez ověření",
@@ -2120,7 +2220,7 @@
    "unverified": "Neověřeno",
    "domainSetting": "Nastavení domény",
    "domainSettingDescription": "Konfigurace nastavení pro doménu",
-    "preferWildcardCertDescription": "Pokus o vygenerování zástupného certifikátu (vyžaduje správně nakonfigurovaný certifikát).",
+    "preferWildcardCertDescription": "Pokuste se vygenerovat certifikát se zástupným znakem (vyžaduje správně nakonfigurovaný resolver certifikátu).",
    "recordName": "Název záznamu",
    "auto": "Automaticky",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Kód musí být 9 znaků (např. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Neplatný nebo prošlý kód",
    "deviceCodeVerifyFailed": "Ověření kódu zařízení se nezdařilo",
+    "deviceCodeValidating": "Ověřování kódu zařízení...",
+    "deviceCodeVerifying": "Ověřování autorizace zařízení...",
    "signedInAs": "Přihlášen jako",
    "deviceCodeEnterPrompt": "Zadejte kód zobrazený na zařízení",
    "continue": "Pokračovat",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Přístup ke všem organizacím má přístup k vašemu účtu",
    "deviceAuthorize": "Autorizovat {applicationName}",
    "deviceConnected": "Zařízení připojeno!",
-    "deviceAuthorizedMessage": "Zařízení má oprávnění k přístupu k vašemu účtu.",
+    "deviceAuthorizedMessage": "Zařízení má oprávnění k přístupu k vašemu účtu. Vraťte se prosím do klientské aplikace.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Zobrazit zařízení",
    "viewDevicesDescription": "Spravovat připojená zařízení",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Nejste vy? Použijte jiný účet.",
    "deviceLoginDeviceRequestingAccessToAccount": "Zařízení žádá o přístup k tomuto účtu.",
+    "loginSelectAuthenticationMethod": "Chcete-li pokračovat, vyberte metodu ověřování.",
    "noData": "Žádná data",
    "machineClients": "Strojoví klienti",
    "install": "Instalovat",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Nepodařilo se načíst výchozí podsíť",
    "setupSubnetAdvanced": "Podsíť (předplacená)",
    "setupSubnetDescription": "Podsíť pro vnitřní síť této organizace.",
+    "setupUtilitySubnet": "Nástrojový podsíť (Pokročilé)",
+    "setupUtilitySubnetDescription": "Podsíť pro alias adresy a DNS server této organizace.",
    "siteRegenerateAndDisconnect": "Obnovit a odpojit",
    "siteRegenerateAndDisconnectConfirmation": "Opravdu chcete obnovit přihlašovací údaje a odpojit tuto stránku?",
    "siteRegenerateAndDisconnectWarning": "Toto obnoví přihlašovací údaje a okamžitě odpojí stránku. Stránka bude muset být restartována s novými přihlašovacími údaji.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Toto obnoví přihlašovací údaje a okamžitě odpojí vzdálený výstupní uzel. Vzdálený výstupní uzel bude muset být restartován s novými přihlašovacími údaji.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Jste si jisti, že chcete obnovit přihlašovací údaje pro tento vzdálený výstupní uzel?",
    "remoteExitNodeRegenerateCredentialsWarning": "Toto obnoví přihlašovací údaje. Vzdálený výstupní uzel zůstane připojen, dokud jej ručně nerestartujete a nepoužijete nové přihlašovací údaje.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Pouze pro osobní použití",
+    "loginPageLicenseWatermark": "Tato instance je licencována pouze pro osobní použití.",
+    "instanceIsUnlicensed": "Tato instance není licencována.",
+    "portRestrictions": "Omezení portů",
+    "allPorts": "Vše",
+    "custom": "Vlastní",
+    "allPortsAllowed": "Všechny porty povoleny",
+    "allPortsBlocked": "Všechny porty blokovány",
+    "tcpPortsDescription": "Určete, které TCP porty jsou pro tento prostředek povoleny. Použijte „*“ pro všechny porty, nechte prázdné pro zablokování všech, nebo zadejte seznam portů a rozsahů oddělených čárkou (např. 80,443,8000-9000).",
+    "udpPortsDescription": "Určete, které UDP porty jsou pro tento prostředek povoleny. Použijte „*“ pro všechny porty, nechte prázdné pro zablokování všech, nebo zadejte seznam portů a rozsahů oddělených čárkou (např. 53,123,500-600).",
+    "organizationLoginPageTitle": "Přihlašovací stránka organizace",
+    "organizationLoginPageDescription": "Přizpůsobte přihlašovací stránku této organizace",
+    "resourceLoginPageTitle": "Přihlašovací stránka prostředku",
+    "resourceLoginPageDescription": "Přizpůsobte přihlašovací stránku jednotlivých prostředků",
+    "enterConfirmation": "Zadejte potvrzení",
+    "blueprintViewDetails": "Detaily",
+    "defaultIdentityProvider": "Výchozí poskytovatel identity",
+    "defaultIdentityProviderDescription": "Pokud je vybrán výchozí poskytovatel identity, uživatel bude automaticky přesměrován na poskytovatele pro ověření.",
+    "editInternalResourceDialogNetworkSettings": "Nastavení sítě",
+    "editInternalResourceDialogAccessPolicy": "Přístupová politika",
+    "editInternalResourceDialogAddRoles": "Přidat role",
+    "editInternalResourceDialogAddUsers": "Přidat uživatele",
+    "editInternalResourceDialogAddClients": "Přidat klienty",
+    "editInternalResourceDialogDestinationLabel": "Cíl",
+    "editInternalResourceDialogDestinationDescription": "Určete cílovou adresu pro interní prostředek. Může se jednat o hostname, IP adresu, nebo rozsah CIDR v závislosti na vybraném režimu. Volitelně nastavte interní DNS alias pro snazší identifikaci.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Omezte přístup na specifické TCP/UDP porty nebo povolte/blokujte všechny porty.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Řízení přístupu",
+    "editInternalResourceDialogAccessControlDescription": "Kontrolujte, které role, uživatelé a klienti mohou přistupovat k tomuto prostředku, když jsou připojeni. Admini mají vždy přístup.",
+    "editInternalResourceDialogPortRangeValidationError": "Rozsah portů musí být \"*\" pro všechny porty, nebo seznam portů a rozsahů oddělených čárkou (např. \"80,443,8000-9000\"). Porty musí být mezi 1 a 65535.",
+    "orgAuthWhatsThis": "Kde najdu ID mé organizace?",
+    "learnMore": "Zjistit více",
+    "backToHome": "Zpět na domovskou stránku",
+    "needToSignInToOrg": "Potřebujete použít identitního poskytovatele vaší organizace?",
+    "maintenanceMode": "Režim údržby",
+    "maintenanceModeDescription": "Zobrazit stránku údržby návštěvníkům",
+    "maintenanceModeType": "Typ režimu údržby",
+    "showMaintenancePage": "Zobrazit stránku údržby návštěvníkům",
+    "enableMaintenanceMode": "Povolit režim údržby",
+    "automatic": "Automatické",
+    "automaticModeDescription": "Zobrazte stránku údržby pouze, když jsou všechny cílové servery uživatele nebo prostředku nefunkční nebo nezdravé. Vaše prostředky budou nadále fungovat normálně, pokud je alespoň jeden cíl v pořádku.",
+    "forced": "Nucené",
+    "forcedModeDescription": "Vždy zobrazujte stránku údržby bez ohledu na stav backendu. Použijte to pro plánovanou údržbu, když chcete zabránit všem přístupům.",
+    "warning:": "Varování:",
+    "forcedeModeWarning": "Veškerý provoz bude směrován na stránku údržby. Vaše prostředky backendu neobdrží žádné žádosti.",
+    "pageTitle": "Název stránky",
+    "pageTitleDescription": "Hlavní titulek zobrazovaný na stránce údržby",
+    "maintenancePageMessage": "Zpráva údržby",
+    "maintenancePageMessagePlaceholder": "Vrátíme se brzy! Naše stránka právě prochází plánovanou údrbou.",
+    "maintenancePageMessageDescription": "Podrobná zpráva vysvětlující údržbu",
+    "maintenancePageTimeTitle": "Odhadovaný čas dokončení (volitelný)",
+    "maintenanceTime": "např. 2 hodiny, 1. listopadu v 17:00",
+    "maintenanceEstimatedTimeDescription": "Kdy očekáváte, že údržba bude dokončena",
+    "editDomain": "Upravit doménu",
+    "editDomainDescription": "Vyberte doménu pro váš prostředek",
+    "maintenanceModeDisabledTooltip": "Tato funkce vyžaduje platnou licenci, aby ji bylo možné povolit.",
+    "maintenanceScreenTitle": "Služba dočasně nedostupná",
+    "maintenanceScreenMessage": "Momentálně máme technické potíže. Zkontrolujte později.",
+    "maintenanceScreenEstimatedCompletion": "Odhadované dokončení:",
+    "createInternalResourceDialogDestinationRequired": "Cíl je povinný",
+    "available": "Dostupné",
+    "archived": "Archivováno",
+    "noArchivedDevices": "Nebyla nalezena žádná archivovaná zařízení",
+    "deviceArchived": "Zařízení archivováno",
+    "deviceArchivedDescription": "Zařízení bylo úspěšně archivováno.",
+    "errorArchivingDevice": "Chyba při archivaci zařízení",
+    "failedToArchiveDevice": "Archivace zařízení se nezdařila",
+    "deviceQuestionArchive": "Opravdu chcete archivovat toto zařízení?",
+    "deviceMessageArchive": "Zařízení bude archivováno a odebráno ze seznamu aktivních zařízení.",
+    "deviceArchiveConfirm": "Archivovat zařízení",
+    "archiveDevice": "Archivovat zařízení",
+    "archive": "Archiv",
+    "deviceUnarchived": "Zařízení bylo odarchivováno",
+    "deviceUnarchivedDescription": "Zařízení bylo úspěšně odarchivováno.",
+    "errorUnarchivingDevice": "Chyba při odarchivování zařízení",
+    "failedToUnarchiveDevice": "Nepodařilo se odarchivovat zařízení",
+    "unarchive": "Zrušit archiv",
+    "archiveClient": "Archivovat klienta",
+    "archiveClientQuestion": "Jste si jisti, že chcete archivovat tohoto klienta?",
+    "archiveClientMessage": "Klient bude archivován a odstraněn z vašeho aktivního seznamu klientů.",
+    "archiveClientConfirm": "Archivovat klienta",
+    "blockClient": "Blokovat klienta",
+    "blockClientQuestion": "Jste si jisti, že chcete zablokovat tohoto klienta?",
+    "blockClientMessage": "Zařízení bude nuceno odpojit, pokud je připojeno. Zařízení můžete později odblokovat.",
+    "blockClientConfirm": "Blokovat klienta",
+    "active": "Aktivní",
+    "usernameOrEmail": "Uživatelské jméno nebo e-mail",
+    "selectYourOrganization": "Vyberte vaši organizaci",
+    "signInTo": "Přihlásit se do",
+    "signInWithPassword": "Pokračovat s heslem",
+    "noAuthMethodsAvailable": "Pro tuto organizaci nejsou k dispozici žádné metody ověřování.",
+    "enterPassword": "Zadejte své heslo",
+    "enterMfaCode": "Zadejte kód z vaší ověřovací aplikace",
+    "securityKeyRequired": "Pro přihlášení použijte svůj bezpečnostní klíč.",
+    "needToUseAnotherAccount": "Potřebujete použít jiný účet?",
+    "loginLegalDisclaimer": "Kliknutím na tlačítka níže potvrzujete, že jste si přečetli, chápali, a souhlasím s <termsOfService>obchodními podmínkami</termsOfService> a <privacyPolicy>Zásadami ochrany osobních údajů</privacyPolicy>.",
+    "termsOfService": "Podmínky služby",
+    "privacyPolicy": "Ochrana osobních údajů",
+    "userNotFoundWithUsername": "Nebyl nalezen žádný uživatel s tímto uživatelským jménem.",
+    "verify": "Ověřit",
+    "signIn": "Přihlásit se",
+    "forgotPassword": "Zapomněli jste heslo?",
+    "orgSignInTip": "Pokud jste se přihlásili dříve, můžete místo toho zadat své uživatelské jméno nebo e-mail výše pro ověření u poskytovatele identity vaší organizace. Je to jednodušší!",
+    "continueAnyway": "Přesto pokračovat",
+    "dontShowAgain": "Znovu nezobrazovat",
+    "orgSignInNotice": "Věděli jste, že?",
+    "signupOrgNotice": "Chcete se přihlásit?",
+    "signupOrgTip": "Snažíte se přihlásit prostřednictvím poskytovatele identity vaší organizace?",
+    "signupOrgLink": "Namísto toho se přihlaste nebo se zaregistrujte pomocí své organizace",
+    "verifyEmailLogInWithDifferentAccount": "Použít jiný účet",
+    "logIn": "Přihlásit se",
+    "deviceInformation": "Informace o zařízení",
+    "deviceInformationDescription": "Informace o zařízení a agentovi",
+    "deviceSecurity": "Zabezpečení zařízení",
+    "deviceSecurityDescription": "Informace o bezpečnostní pozici zařízení",
+    "platform": "Platforma",
+    "macosVersion": "macOS verze",
+    "windowsVersion": "Verze Windows",
+    "iosVersion": "Verze iOS",
+    "androidVersion": "Verze Androidu",
+    "osVersion": "Verze OS",
+    "kernelVersion": "Verze jádra",
+    "deviceModel": "Model zařízení",
+    "serialNumber": "Pořadové číslo",
+    "hostname": "Hostname",
+    "firstSeen": "První vidění",
+    "lastSeen": "Naposledy viděno",
+    "biometricsEnabled": "Biometrie povolena",
+    "diskEncrypted": "Šifrovaný disk",
+    "firewallEnabled": "Firewall povolen",
+    "autoUpdatesEnabled": "Automatické aktualizace povoleny",
+    "tpmAvailable": "TPM k dispozici",
+    "macosSipEnabled": "Ochrana systémové integrity (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Režim neviditelnosti firewallu",
+    "linuxAppArmorEnabled": "Pancíř aplikace",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Zobrazit informace o zařízení a nastavení",
+    "devicePendingApprovalDescription": "Toto zařízení čeká na schválení",
+    "deviceBlockedDescription": "Toto zařízení je momentálně blokováno. Nebude se moci připojit k žádným zdrojům, dokud nebude odblokováno.",
+    "unblockClient": "Odblokovat klienta",
+    "unblockClientDescription": "Zařízení bylo odblokováno",
+    "unarchiveClient": "Zrušit archiv klienta",
+    "unarchiveClientDescription": "Zařízení bylo odarchivováno",
+    "block": "Blokovat",
+    "unblock": "Odblokovat",
+    "deviceActions": "Akce zařízení",
+    "deviceActionsDescription": "Spravovat stav zařízení a přístup",
+    "devicePendingApprovalBannerDescription": "Toto zařízení čeká na schválení. Nebude se moci připojit ke zdrojům, dokud nebude schváleno.",
+    "connected": "Připojeno",
+    "disconnected": "Odpojeno",
+    "approvalsEmptyStateTitle": "Schvalování zařízení není povoleno",
+    "approvalsEmptyStateDescription": "Povolte oprávnění oprávnění pro role správce před připojením nových zařízení.",
+    "approvalsEmptyStateStep1Title": "Přejít na role",
+    "approvalsEmptyStateStep1Description": "Přejděte do nastavení rolí vaší organizace pro konfiguraci schválení zařízení.",
+    "approvalsEmptyStateStep2Title": "Povolit schválení zařízení",
+    "approvalsEmptyStateStep2Description": "Upravte roli a povolte možnost 'Vyžadovat schválení zařízení'. Uživatelé s touto rolí budou potřebovat schválení pro nová zařízení správce.",
+    "approvalsEmptyStatePreviewDescription": "Náhled: Pokud je povoleno, čekající na zařízení se zde zobrazí žádosti o recenzi",
+    "approvalsEmptyStateButtonText": "Spravovat role"
 }
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -1,8 +1,10 @@
 {
-    "setupCreate": "Organisation, Seite und Ressourcen erstellen",
+    "setupCreate": "Organisation, Standort und Ressourcen erstellen",
+    "headerAuthCompatibilityInfo": "Aktivieren Sie dies, um eine 401 Nicht autorisierte Antwort zu erzwingen, wenn ein Authentifizierungs-Token fehlt. Dies ist erforderlich für Browser oder bestimmte HTTP-Bibliotheken, die keine Anmeldedaten ohne Server-Challenge senden.",
+    "headerAuthCompatibility": "Erweiterte Kompatibilität",
    "setupNewOrg": "Neue Organisation",
    "setupCreateOrg": "Organisation erstellen",
-    "setupCreateResources": "Ressource erstellen",
+    "setupCreateResources": "Ressourcen erstellen",
    "setupOrgName": "Name der Organisation",
    "orgDisplayName": "Dies ist der Anzeigename der Organisation.",
    "orgId": "Organisations-ID",
@@ -45,19 +47,25 @@
    "tunnelType": "Tunneltyp",
    "local": "Lokal",
    "edit": "Bearbeiten",
-    "siteConfirmDelete": "Standort löschen bestätigen",
+    "siteConfirmDelete": "Löschen des Standorts bestätigen",
    "siteDelete": "Standort löschen",
-    "siteMessageRemove": "Sobald die Site entfernt ist, wird sie nicht mehr zugänglich sein. Alle mit der Site verbundenen Ziele werden ebenfalls entfernt.",
-    "siteQuestionRemove": "Sind Sie sicher, dass Sie die Site aus der Organisation entfernen möchten?",
+    "siteMessageRemove": "Sobald der Standort entfernt ist, wird sie nicht mehr zugänglich sein. Alle mit dem Standort verbundenen Ziele werden ebenfalls entfernt.",
+    "siteQuestionRemove": "Sind Sie sicher, dass Sie den Standort aus der Organisation entfernen möchten?",
    "siteManageSites": "Standorte verwalten",
-    "siteDescription": "Erstelle und verwalte Sites, um die Verbindung zu privaten Netzwerken zu ermöglichen",
+    "siteDescription": "Erstellen und Verwalten von Standorten, um die Verbindung zu privaten Netzwerken zu ermöglichen",
+    "sitesBannerTitle": "Verbinde ein beliebiges Netzwerk",
+    "sitesBannerDescription": "Ein Standort ist eine Verbindung zu einem Remote-Netzwerk, die es Pangolin ermöglicht, Zugriff auf öffentliche oder private Ressourcen für Benutzer überall zu gewähren. Installieren Sie den Site Netzwerk Connector (Newt) wo auch immer Sie eine Binärdatei oder einen Container starten können, um die Verbindung herzustellen.",
+    "sitesBannerButtonText": "Standort installieren",
+    "approvalsBannerTitle": "Gerätezugriff genehmigen oder verweigern",
+    "approvalsBannerDescription": "Überprüfen und genehmigen oder verweigern Gerätezugriffsanfragen von Benutzern. Wenn Gerätegenehmigungen erforderlich sind, müssen Benutzer eine Administratorgenehmigung erhalten, bevor ihre Geräte sich mit den Ressourcen Ihrer Organisation verbinden können.",
+    "approvalsBannerButtonText": "Mehr erfahren",
    "siteCreate": "Standort erstellen",
    "siteCreateDescription2": "Folge den nachfolgenden Schritten, um einen neuen Standort zu erstellen und zu verbinden",
-    "siteCreateDescription": "Erstellen Sie eine neue Seite, um Ressourcen zu verbinden",
+    "siteCreateDescription": "Erstellen Sie einen neuen Standort, um Ressourcen zu verbinden",
    "close": "Schließen",
    "siteErrorCreate": "Fehler beim Erstellen des Standortes",
    "siteErrorCreateKeyPair": "Schlüsselpaar oder Standardwerte nicht gefunden",
-    "siteErrorCreateDefaults": "Standardwerte der Site nicht gefunden",
+    "siteErrorCreateDefaults": "Standardwerte des Standortes nicht gefunden",
    "method": "Methode",
    "siteMethodDescription": "So werden Verbindungen freigegeben.",
    "siteLearnNewt": "Wie du Newt auf deinem System installieren kannst",
@@ -67,7 +75,7 @@
    "toggle": "Umschalten",
    "dockerCompose": "Docker Compose",
    "dockerRun": "Docker Run",
-    "siteLearnLocal": "Mehr Infos zu lokalen Sites",
+    "siteLearnLocal": "Mehr Infos zum lokalen Standort",
    "siteConfirmCopy": "Ich habe die Konfiguration kopiert",
    "searchSitesProgress": "Standorte durchsuchen...",
    "siteAdd": "Standort hinzufügen",
@@ -78,7 +86,7 @@
    "operatingSystem": "Betriebssystem",
    "commands": "Befehle",
    "recommended": "Empfohlen",
-    "siteNewtDescription": "Nutze Newt für die beste Benutzererfahrung. Newt verwendet WireGuard as Basis und erlaubt Ihnen, Ihre privaten Ressourcen über ihre LAN-Adresse in Ihrem privaten Netzwerk aus dem Pangolin-Dashboard heraus zu adressieren.",
+    "siteNewtDescription": "Nutze Newt für die beste Benutzererfahrung. Newt verwendet WireGuard als Basis und erlaubt Ihnen, Ihre privaten Ressourcen über ihre LAN-Adresse in Ihrem privaten Netzwerk aus dem Pangolin-Dashboard heraus zu adressieren.",
    "siteRunsInDocker": "Läuft in Docker",
    "siteRunsInShell": "Läuft in der Konsole auf macOS, Linux und Windows",
    "siteErrorDelete": "Fehler beim Löschen des Standortes",
@@ -87,9 +95,9 @@
    "siteUpdated": "Standort aktualisiert",
    "siteUpdatedDescription": "Der Standort wurde aktualisiert.",
    "siteGeneralDescription": "Allgemeine Einstellungen für diesen Standort konfigurieren",
-    "siteSettingDescription": "Einstellungen auf der Seite konfigurieren",
+    "siteSettingDescription": "Standorteinstellungen konfigurieren",
    "siteSetting": "{siteName} Einstellungen",
-    "siteNewtTunnel": "Neue Seite (empfohlen)",
+    "siteNewtTunnel": "Neuer Standort (empfohlen)",
    "siteNewtTunnelDescription": "Einfachster Weg, einen Einstiegspunkt in jedes Netzwerk zu erstellen. Keine zusätzliche Einrichtung.",
    "siteWg": "Einfacher WireGuard Tunnel",
    "siteWgDescription": "Verwende jeden WireGuard-Client, um einen Tunnel einzurichten. Manuelles NAT-Setup erforderlich.",
@@ -97,12 +105,13 @@
    "siteLocalDescription": "Nur lokale Ressourcen. Kein Tunneling.",
    "siteLocalDescriptionSaas": "Nur lokale Ressourcen. Kein Tunneling. Nur für entfernte Knoten verfügbar.",
    "siteSeeAll": "Alle Standorte anzeigen",
-    "siteTunnelDescription": "Legen Sie fest, wie Sie sich mit der Site verbinden möchten",
+    "siteTunnelDescription": "Legen Sie fest, wie Sie sich mit dem Standort verbinden möchten",
    "siteNewtCredentials": "Zugangsdaten",
    "siteNewtCredentialsDescription": "So wird sich die Seite mit dem Server authentifizieren",
+    "remoteNodeCredentialsDescription": "So wird sich der entfernte Node mit dem Server authentifizieren",
    "siteCredentialsSave": "Anmeldedaten speichern",
    "siteCredentialsSaveDescription": "Du kannst das nur einmal sehen. Stelle sicher, dass du es an einen sicheren Ort kopierst.",
-    "siteInfo": "Standort-Informationen",
+    "siteInfo": "Standortinformationen",
    "status": "Status",
    "shareTitle": "Links zum Teilen verwalten",
    "shareDescription": "Erstelle teilbare Links, um temporären oder permanenten Zugriff auf Proxy-Ressourcen zu gewähren",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Bitte wählen Sie eine Ressource",
    "proxyResourceTitle": "Öffentliche Ressourcen verwalten",
    "proxyResourceDescription": "Erstelle und verwalte Ressourcen, die über einen Webbrowser öffentlich zugänglich sind",
+    "proxyResourcesBannerTitle": "Web-basierter öffentlicher Zugang",
+    "proxyResourcesBannerDescription": "Öffentliche Ressourcen sind HTTPS oder TCP/UDP-Proxys, die über einen Webbrowser für jeden zugänglich sind. Im Gegensatz zu privaten Ressourcen benötigen sie keine Client-seitige Software und können Identitäts- und kontextbezogene Zugriffsrichtlinien beinhalten.",
    "clientResourceTitle": "Private Ressourcen verwalten",
    "clientResourceDescription": "Erstelle und verwalte Ressourcen, die nur über einen verbundenen Client zugänglich sind",
+    "privateResourcesBannerTitle": "Zero-Trust Privater Zugang",
+    "privateResourcesBannerDescription": "Private Ressourcen nutzen Zero-Trust und stellen sicher, dass Benutzer und Maschinen nur auf Ressourcen zugreifen können, die Sie explizit gewähren. Verbinden Sie Benutzergeräte oder Maschinen-Clients, um auf diese Ressourcen über ein sicheres virtuelles privates Netzwerk zuzugreifen.",
    "resourcesSearch": "Suche Ressourcen...",
    "resourceAdd": "Ressource hinzufügen",
    "resourceErrorDelte": "Fehler beim Löschen der Ressource",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Einmal entfernt, wird die Ressource nicht mehr zugänglich sein. Alle mit der Ressource verbundenen Ziele werden ebenfalls entfernt.",
    "resourceQuestionRemove": "Sind Sie sicher, dass Sie die Ressource aus der Organisation entfernen möchten?",
    "resourceHTTP": "HTTPS-Ressource",
-    "resourceHTTPDescription": "Proxy-Anfragen an die App über HTTPS unter Verwendung einer Subdomain oder einer Basis-Domain.",
+    "resourceHTTPDescription": "Proxy-Anfragen über HTTPS mit einem voll qualifizierten Domain-Namen.",
    "resourceRaw": "Direkte TCP/UDP Ressource (raw)",
-    "resourceRawDescription": "Proxy-Anfragen an die App über TCP/UDP mit einer Portnummer. Dies funktioniert nur, wenn Sites mit Knoten verbunden sind.",
+    "resourceRawDescription": "Proxy-Anfragen über rohes TCP/UDP mit einer Portnummer.",
    "resourceCreate": "Ressource erstellen",
    "resourceCreateDescription": "Folgen Sie den Schritten unten, um eine neue Ressource zu erstellen",
    "resourceSeeAll": "Alle Ressourcen anzeigen",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Rollen suchen...",
    "accessRolesAdd": "Rolle hinzufügen",
    "accessRoleDelete": "Rolle löschen",
+    "accessApprovalsManage": "Genehmigungen verwalten",
+    "accessApprovalsDescription": "Zeige und verwalte ausstehende Genehmigungen für den Zugriff auf diese Organisation",
    "description": "Beschreibung",
    "inviteTitle": "Einladungen öffnen",
    "inviteDescription": "Einladungen für andere Benutzer verwalten, der Organisation beizutreten",
@@ -440,6 +455,18 @@
    "selectDuration": "Dauer auswählen",
    "selectResource": "Ressource auswählen",
    "filterByResource": "Nach Ressource filtern",
+    "selectApprovalState": "Genehmigungsstatus auswählen",
+    "filterByApprovalState": "Filtern nach Genehmigungsstatus",
+    "approvalListEmpty": "Keine Genehmigungen",
+    "approvalState": "Genehmigungsstatus",
+    "approve": "Bestätigen",
+    "approved": "Genehmigt",
+    "denied": "Verweigert",
+    "deniedApproval": "Genehmigung verweigert",
+    "all": "Alle",
+    "deny": "Leugnen",
+    "viewDetails": "Details anzeigen",
+    "requestingNewDeviceApproval": "hat ein neues Gerät angefordert",
    "resetFilters": "Filter zurücksetzen",
    "totalBlocked": "Anfragen blockiert von Pangolin",
    "totalRequests": "Gesamte Anfragen",
@@ -477,7 +504,7 @@
    "proxyErrorTls": "Ungültiger TLS-Servername. Verwenden Sie das Domain-Namensformat oder speichern Sie leer, um den TLS-Servernamen zu entfernen.",
    "proxyEnableSSL": "SSL aktivieren",
    "proxyEnableSSLDescription": "Aktiviere SSL/TLS-Verschlüsselung für sichere HTTPS-Verbindungen zu den Zielen.",
-    "target": "Target",
+    "target": "Ziel",
    "configureTarget": "Ziele konfigurieren",
    "targetErrorFetch": "Fehler beim Abrufen der Ziele",
    "targetErrorFetchDescription": "Beim Abrufen der Ziele ist ein Fehler aufgetreten",
@@ -501,7 +528,7 @@
    "proxyErrorUpdateDescription": "Beim Aktualisieren der Proxy-Einstellungen ist ein Fehler aufgetreten",
    "targetAddr": "Host",
    "targetPort": "Port",
-    "targetProtocol": "Protokoll",
+    "targetProtocol": "Protokoll des Ziels",
    "targetTlsSettings": "Sicherheitskonfiguration",
    "targetTlsSettingsDescription": "SSL/TLS Einstellungen für die Ressource konfigurieren",
    "targetTlsSettingsAdvanced": "Erweiterte TLS-Einstellungen",
@@ -510,8 +537,8 @@
    "targetTlsSubmit": "Einstellungen speichern",
    "targets": "Ziel-Konfiguration",
    "targetsDescription": "Ziele zur Routenplanung für Backend-Dienste festlegen",
-    "targetStickySessions": "Sticky Sessions aktivieren",
-    "targetStickySessionsDescription": "Verbindungen für die gesamte Sitzung auf demselben Backend-Ziel halten.",
+    "targetStickySessions": "Sitzungspersistenz aktivieren",
+    "targetStickySessionsDescription": "Verbindungen während der gesamten Sitzung auf das gleiche Backend-Ziel leiten",
    "methodSelect": "Methode auswählen",
    "targetSubmit": "Ziel hinzufügen",
    "targetNoOne": "Diese Ressource hat keine Ziele. Fügen Sie ein Ziel hinzu, um zu konfigurieren, wo Anfragen an das Backend gesendet werden sollen.",
@@ -522,8 +549,8 @@
    "targetErrorInvalidIpDescription": "Bitte geben Sie eine gültige IP-Adresse oder einen Hostnamen ein",
    "targetErrorInvalidPort": "Ungültiger Port",
    "targetErrorInvalidPortDescription": "Bitte geben Sie eine gültige Portnummer ein",
-    "targetErrorNoSite": "Keine Site ausgewählt",
-    "targetErrorNoSiteDescription": "Bitte wähle eine Seite für das Ziel aus",
+    "targetErrorNoSite": "Kein Standort ausgewählt",
+    "targetErrorNoSiteDescription": "Bitte wähle einen Standort für das Ziel aus",
    "targetCreated": "Ziel erstellt",
    "targetCreatedDescription": "Ziel wurde erfolgreich erstellt",
    "targetErrorCreate": "Fehler beim Erstellen des Ziels",
@@ -600,7 +627,7 @@
    "none": "Keine",
    "unknown": "Unbekannt",
    "resources": "Ressourcen",
-    "resourcesDescription": "Ressourcen sind Proxies zu Anwendungen, die im privaten Netzwerk ausgeführt werden. Erstellen Sie eine Ressource für jeden HTTP/HTTPS oder rohen TCP/UDP-Dienst in Ihrem privaten Netzwerk. Jede Ressource muss mit einer Website verbunden sein, um eine private, sichere Verbindung durch einen verschlüsselten WireGuard-Tunnel zu aktivieren.",
+    "resourcesDescription": "Ressourcen sind Proxies zu Anwendungen, die im privaten Netzwerk ausgeführt werden. Erstellen Sie eine Ressource für jeden HTTP/HTTPS oder rohen TCP/UDP-Dienst in Ihrem privaten Netzwerk. Jede Ressource muss mit einem Standort verbunden sein, um eine private, sichere Verbindung durch einen verschlüsselten WireGuard-Tunnel zu aktivieren.",
    "resourcesWireGuardConnect": "Sichere Verbindung mit WireGuard-Verschlüsselung",
    "resourcesMultipleAuthenticationMethods": "Mehrere Authentifizierungsmethoden konfigurieren",
    "resourcesUsersRolesAccess": "Benutzer- und rollenbasierte Zugriffskontrolle",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Administratoren haben immer Zugriff auf diese Ressource.",
    "resourceUsersRoles": "Zugriffskontrolle",
    "resourceUsersRolesDescription": "Konfigurieren Sie, welche Benutzer und Rollen diese Ressource besuchen können",
-    "resourceUsersRolesSubmit": "Benutzer & Rollen speichern",
+    "resourceUsersRolesSubmit": "Zugriffskontrollen speichern",
    "resourceWhitelistSave": "Erfolgreich gespeichert",
    "resourceWhitelistSaveDescription": "Whitelist-Einstellungen wurden gespeichert",
    "ssoUse": "Plattform SSO verwenden",
@@ -719,16 +746,28 @@
    "countries": "Länder",
    "accessRoleCreate": "Rolle erstellen",
    "accessRoleCreateDescription": "Erstellen Sie eine neue Rolle, um Benutzer zu gruppieren und ihre Berechtigungen zu verwalten.",
+    "accessRoleEdit": "Rolle bearbeiten",
+    "accessRoleEditDescription": "Rolleninformationen bearbeiten.",
    "accessRoleCreateSubmit": "Rolle erstellen",
    "accessRoleCreated": "Rolle erstellt",
    "accessRoleCreatedDescription": "Die Rolle wurde erfolgreich erstellt.",
    "accessRoleErrorCreate": "Fehler beim Erstellen der Rolle",
    "accessRoleErrorCreateDescription": "Beim Erstellen der Rolle ist ein Fehler aufgetreten.",
+    "accessRoleUpdateSubmit": "Rolle aktualisieren",
+    "accessRoleUpdated": "Rolle aktualisiert",
+    "accessRoleUpdatedDescription": "Die Rolle wurde erfolgreich aktualisiert.",
+    "accessApprovalUpdated": "Genehmigung bearbeitet",
+    "accessApprovalApprovedDescription": "Entscheidung für Genehmigungsanfrage setzen.",
+    "accessApprovalDeniedDescription": "Entscheidung für Genehmigungsanfrage ablehnen.",
+    "accessRoleErrorUpdate": "Fehler beim Aktualisieren der Rolle",
+    "accessRoleErrorUpdateDescription": "Beim Aktualisieren der Rolle ist ein Fehler aufgetreten.",
+    "accessApprovalErrorUpdate": "Genehmigung konnte nicht verarbeitet werden",
+    "accessApprovalErrorUpdateDescription": "Bei der Bearbeitung der Genehmigung ist ein Fehler aufgetreten.",
    "accessRoleErrorNewRequired": "Neue Rolle ist erforderlich",
    "accessRoleErrorRemove": "Fehler beim Entfernen der Rolle",
    "accessRoleErrorRemoveDescription": "Beim Entfernen der Rolle ist ein Fehler aufgetreten.",
    "accessRoleName": "Rollenname",
-    "accessRoleQuestionRemove": "Sie sind dabei, die Rolle {name} zu löschen. Diese Aktion kann nicht rückgängig gemacht werden.",
+    "accessRoleQuestionRemove": "Du bist dabei die Rolle `{name}` zu löschen. Du kannst diese Aktion nicht rückgängig machen.",
    "accessRoleRemove": "Rolle entfernen",
    "accessRoleRemoveDescription": "Eine Rolle aus der Organisation entfernen",
    "accessRoleRemoveSubmit": "Rolle entfernen",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Zugriff für eine Organisation konfigurieren",
    "idpUpdatedDescription": "Identitätsanbieter erfolgreich aktualisiert",
    "redirectUrl": "Weiterleitungs-URL",
+    "orgIdpRedirectUrls": "Umleitungs-URLs",
    "redirectUrlAbout": "Über die Weiterleitungs-URL",
    "redirectUrlAboutDescription": "Dies ist die URL, zu der Benutzer nach der Authentifizierung umgeleitet werden. Sie müssen diese URL in den Einstellungen des Identity Providers konfigurieren.",
    "pangolinAuth": "Authentifizierung - Pangolin",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Diese Organisation erfordert, dass Sie Ihr Passwort alle {maxDays} Tage ändern.",
    "changePasswordNow": "Passwort jetzt ändern",
    "pincodeAuth": "Authentifizierungscode",
-    "pincodeSubmit2": "Code absenden",
+    "pincodeSubmit2": "Code einreichen",
    "passwordResetSubmit": "Zurücksetzung anfordern",
-    "passwordResetAlreadyHaveCode": "Passwort zurücksetzen Code eingeben",
+    "passwordResetAlreadyHaveCode": "Code eingeben",
    "passwordResetSmtpRequired": "Bitte kontaktieren Sie Ihren Administrator",
    "passwordResetSmtpRequiredDescription": "Zum Zurücksetzen Ihres Passworts ist ein Passwort erforderlich. Bitte wenden Sie sich an Ihren Administrator.",
    "passwordBack": "Zurück zum Passwort",
-    "loginBack": "Zurück zur Anmeldung",
+    "loginBack": "Zurück zur Haupt-Login-Seite",
    "signup": "Registrieren",
    "loginStart": "Melden Sie sich an, um zu beginnen",
    "idpOidcTokenValidating": "OIDC-Token wird validiert",
@@ -1004,7 +1044,7 @@
    "supportKeyDescription": "Kaufen Sie einen Unterstützer-Schlüssel, um uns bei der Weiterentwicklung von Pangolin für die Community zu helfen. Ihr Beitrag ermöglicht es uns, mehr Zeit in die Wartung und neue Funktionen für alle zu investieren. Wir werden dies nie für Paywalls nutzen. Dies ist unabhängig von der Commercial Edition.",
    "supportKeyPet": "Sie können auch Ihr eigenes Pangolin-Haustier adoptieren und kennenlernen!",
    "supportKeyPurchase": "Zahlungen werden über GitHub abgewickelt. Danach können Sie Ihren Schlüssel auf",
-    "supportKeyPurchaseLink": "unserer Website",
+    "supportKeyPurchaseLink": "Unserer Website",
    "supportKeyPurchase2": "abrufen und hier einlösen.",
    "supportKeyLearnMore": "Mehr erfahren.",
    "supportKeyOptions": "Bitte wählen Sie die Option, die am besten zu Ihnen passt.",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Org Benutzer aktualisieren",
    "createOrgUser": "Org Benutzer erstellen",
    "actionUpdateOrg": "Organisation aktualisieren",
+    "actionRemoveInvitation": "Einladung entfernen",
    "actionUpdateUser": "Benutzer aktualisieren",
    "actionGetUser": "Benutzer abrufen",
    "actionGetOrgUser": "Organisationsbenutzer abrufen",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Standort abrufen",
    "actionListSites": "Standorte auflisten",
    "actionApplyBlueprint": "Blueprint anwenden",
+    "actionListBlueprints": "Blaupausen anzeigen",
+    "actionGetBlueprint": "Erhalte Blaupause",
    "setupToken": "Setup-Token",
    "setupTokenDescription": "Geben Sie das Setup-Token von der Serverkonsole ein.",
    "setupTokenRequired": "Setup-Token ist erforderlich",
@@ -1104,14 +1147,18 @@
    "actionUpdateIdpOrg": "IDP-Organisation aktualisieren",
    "actionCreateClient": "Client erstellen",
    "actionDeleteClient": "Client löschen",
+    "actionArchiveClient": "Kunde archivieren",
+    "actionUnarchiveClient": "Client dearchivieren",
+    "actionBlockClient": "Klient sperren",
+    "actionUnblockClient": "Client entsperren",
    "actionUpdateClient": "Client aktualisieren",
    "actionListClients": "Clients auflisten",
    "actionGetClient": "Clients abrufen",
-    "actionCreateSiteResource": "Site-Ressource erstellen",
-    "actionDeleteSiteResource": "Site-Ressource löschen",
-    "actionGetSiteResource": "Site-Ressource abrufen",
-    "actionListSiteResources": "Site-Ressourcen auflisten",
-    "actionUpdateSiteResource": "Site-Ressource aktualisieren",
+    "actionCreateSiteResource": "Standort Ressource erstellen",
+    "actionDeleteSiteResource": "Standort Ressource löschen",
+    "actionGetSiteResource": "Standort Ressource abrufen",
+    "actionListSiteResources": "Standort Ressource auflisten",
+    "actionUpdateSiteResource": "Standort Ressource aktualisieren",
    "actionListInvitations": "Einladungen auflisten",
    "actionExportLogs": "Logs exportieren",
    "actionViewLogs": "Logs anzeigen",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Suche...",
    "create": "Erstellen",
    "orgs": "Organisationen",
-    "loginError": "Beim Anmelden ist ein Fehler aufgetreten",
-    "loginRequiredForDevice": "Anmeldung ist erforderlich, um Ihr Gerät zu authentifizieren.",
+    "loginError": "Ein unerwarteter Fehler ist aufgetreten. Bitte versuchen Sie es erneut.",
+    "loginRequiredForDevice": "Anmeldung ist für Ihr Gerät erforderlich.",
    "passwordForgot": "Passwort vergessen?",
    "otpAuth": "Zwei-Faktor-Authentifizierung",
    "otpAuthDescription": "Geben Sie den Code aus Ihrer Authenticator-App oder einen Ihrer einmaligen Backup-Codes ein.",
    "otpAuthSubmit": "Code absenden",
    "idpContinue": "Oder weiter mit",
-    "otpAuthBack": "Zurück zur Anmeldung",
+    "otpAuthBack": "Zurück zum Passwort",
    "navbar": "Navigationsmenü",
    "navbarDescription": "Hauptnavigationsmenü für die Anwendung",
    "navbarDocsLink": "Dokumentation",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Übersicht",
    "sidebarHome": "Zuhause",
    "sidebarSites": "Standorte",
+    "sidebarApprovals": "Genehmigungsanfragen",
    "sidebarResources": "Ressourcen",
    "sidebarProxyResources": "Öffentlich",
    "sidebarClientResources": "Privat",
@@ -1191,15 +1239,15 @@
    "sidebarIdentityProviders": "Identitätsanbieter",
    "sidebarLicense": "Lizenz",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Benutzer",
+    "sidebarUserDevices": "Benutzer-Geräte",
    "sidebarMachineClients": "Maschinen",
    "sidebarDomains": "Domänen",
-    "sidebarGeneral": "Allgemein",
+    "sidebarGeneral": "Verwalten",
    "sidebarLogAndAnalytics": "Log & Analytik",
-    "sidebarBluePrints": "Baupläne",
+    "sidebarBluePrints": "Blaupausen",
    "sidebarOrganization": "Organisation",
    "sidebarLogsAnalytics": "Analytik",
-    "blueprints": "Baupläne",
+    "blueprints": "Blaupausen",
    "blueprintsDescription": "Deklarative Konfigurationen anwenden und vorherige Abläufe anzeigen",
    "blueprintAdd": "Blueprint hinzufügen",
    "blueprintGoBack": "Alle Blueprints ansehen",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Beim Erstellen des Server-Admin-Kontos ist ein Fehler aufgetreten.",
    "certificateStatus": "Zertifikatsstatus",
    "loading": "Laden",
+    "loadingAnalytics": "Analytik wird geladen",
    "restart": "Neustart",
    "domains": "Domänen",
    "domainsDescription": "Erstellen und verwalten der in der Organisation verfügbaren Domänen",
@@ -1290,6 +1339,7 @@
    "refreshError": "Datenaktualisierung fehlgeschlagen",
    "verified": "Verifiziert",
    "pending": "Ausstehend",
+    "pendingApproval": "Ausstehende Genehmigung",
    "sidebarBilling": "Abrechnung",
    "billing": "Abrechnung",
    "orgBillingDescription": "Zahlungsinformationen und Abonnements verwalten",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Kontoeinrichtung abgeschlossen! Willkommen bei Pangolin!",
    "documentation": "Dokumentation",
    "saveAllSettings": "Alle Einstellungen speichern",
+    "saveResourceTargets": "Ziele speichern",
+    "saveResourceHttp": "Proxy-Einstellungen speichern",
+    "saveProxyProtocol": "Proxy-Protokolleinstellungen speichern",
    "settingsUpdated": "Einstellungen aktualisiert",
-    "settingsUpdatedDescription": "Alle Einstellungen wurden erfolgreich aktualisiert",
+    "settingsUpdatedDescription": "Einstellungen erfolgreich aktualisiert",
    "settingsErrorUpdate": "Einstellungen konnten nicht aktualisiert werden",
    "settingsErrorUpdateDescription": "Beim Aktualisieren der Einstellungen ist ein Fehler aufgetreten",
    "sidebarCollapse": "Zusammenklappen",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Sicherheitsschlüssel erfolgreich entfernt",
    "securityKeyRemoveError": "Fehler beim Entfernen des Sicherheitsschlüssels",
    "securityKeyLoadError": "Fehler beim Laden der Sicherheitsschlüssel",
-    "securityKeyLogin": "Mit dem Sicherheitsschlüssel fortfahren",
+    "securityKeyLogin": "Sicherheitsschlüssel verwenden",
    "securityKeyAuthError": "Fehler bei der Authentifizierung mit Sicherheitsschlüssel",
    "securityKeyRecommendation": "Erwägen Sie die Registrierung eines weiteren Sicherheitsschlüssels auf einem anderen Gerät, um sicherzustellen, dass Sie sich nicht aus Ihrem Konto aussperren.",
    "registering": "Registrierung...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Ich stimme den",
        "termsOfService": "Nutzungsbedingungen zu",
        "and": "und",
-        "privacyPolicy": "Datenschutzrichtlinie"
+        "privacyPolicy": "datenschutzrichtlinie."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Halten Sie mich auf dem Laufenden mit Neuigkeiten, Updates und neuen Funktionen per E-Mail."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Neues Ziel hinzufügen",
    "targetsList": "Ziel-Liste",
    "advancedMode": "Erweiterter Modus",
+    "advancedSettings": "Erweiterte Einstellungen",
    "targetErrorDuplicateTargetFound": "Doppeltes Ziel gefunden",
    "healthCheckHealthy": "Gesund",
    "healthCheckUnhealthy": "Ungesund",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Gesunder Intervall",
    "timeoutSeconds": "Timeout (Sek.)",
    "timeIsInSeconds": "Zeit ist in Sekunden",
+    "requireDeviceApproval": "Gerätegenehmigungen erforderlich",
+    "requireDeviceApprovalDescription": "Benutzer mit dieser Rolle benötigen neue Geräte, die von einem Administrator genehmigt wurden, bevor sie sich verbinden und auf Ressourcen zugreifen können.",
    "retryAttempts": "Wiederholungsversuche",
    "expectedResponseCodes": "Erwartete Antwortcodes",
    "expectedResponseCodesDescription": "HTTP-Statuscode, der einen gesunden Zustand anzeigt. Wenn leer gelassen, wird 200-300 als gesund angesehen.",
@@ -1561,7 +1617,7 @@
    "domainPickerNotWorkSelfHosted": "Hinweis: Kostenlose bereitgestellte Domains sind derzeit nicht für selbstgehostete Instanzen verfügbar.",
    "resourceDomain": "Domäne",
    "resourceEditDomain": "Domain bearbeiten",
-    "siteName": "Site-Name",
+    "siteName": "Standortname",
    "proxyPort": "Port",
    "resourcesTableProxyResources": "Öffentlich",
    "resourcesTableClientResources": "Privat",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Keine internen Ressourcen gefunden.",
    "resourcesTableDestination": "Ziel",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias-Adresse",
+    "resourcesTableAliasAddressInfo": "Diese Adresse ist Teil des Utility-Subnetzes der Organisation. Sie wird verwendet, um Alias-Einträge mit interner DNS-Auflösung aufzulösen.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "und sind nur intern zugänglich, wenn mit einem Client verbunden.",
    "resourcesTableNoTargets": "Keine Ziele",
@@ -1582,7 +1640,7 @@
    "editInternalResourceDialogResourceProperties": "Ressourceneigenschaften",
    "editInternalResourceDialogName": "Name",
    "editInternalResourceDialogProtocol": "Protokoll",
-    "editInternalResourceDialogSitePort": "Site-Port",
+    "editInternalResourceDialogSitePort": "Standort Port",
    "editInternalResourceDialogTargetConfiguration": "Zielkonfiguration",
    "editInternalResourceDialogCancel": "Abbrechen",
    "editInternalResourceDialogSaveResource": "Ressource speichern",
@@ -1608,21 +1666,20 @@
    "editInternalResourceDialogDestinationCidrDescription": "Der CIDR-Bereich der Ressource im Netzwerk der Website.",
    "editInternalResourceDialogAlias": "Alias",
    "editInternalResourceDialogAliasDescription": "Ein optionaler interner DNS-Alias für diese Ressource.",
-    "createInternalResourceDialogNoSitesAvailable": "Keine Sites verfügbar",
-    "createInternalResourceDialogNoSitesAvailableDescription": "Sie müssen mindestens eine Newt-Site mit einem konfigurierten Subnetz haben, um interne Ressourcen zu erstellen.",
+    "createInternalResourceDialogNoSitesAvailable": "Kein Standort verfügbar",
+    "createInternalResourceDialogNoSitesAvailableDescription": "Sie müssen mindestens ein Newt-Standort mit einem konfigurierten Subnetz haben, um interne Ressourcen zu erstellen.",
    "createInternalResourceDialogClose": "Schließen",
    "createInternalResourceDialogCreateClientResource": "Private Ressource erstellen",
    "createInternalResourceDialogCreateClientResourceDescription": "Erstelle eine neue Ressource, die nur für Clients zugänglich ist, die mit der Organisation verbunden sind",
    "createInternalResourceDialogResourceProperties": "Ressourceneigenschaften",
    "createInternalResourceDialogName": "Name",
    "createInternalResourceDialogSite": "Standort",
-    "createInternalResourceDialogSelectSite": "Standort auswählen...",
-    "createInternalResourceDialogSearchSites": "Sites durchsuchen...",
-    "createInternalResourceDialogNoSitesFound": "Keine Standorte gefunden.",
+    "selectSite": "Standort auswählen...",
+    "noSitesFound": "Keine Standorte gefunden.",
    "createInternalResourceDialogProtocol": "Protokoll",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
-    "createInternalResourceDialogSitePort": "Site-Port",
+    "createInternalResourceDialogSitePort": "Standort Port",
    "createInternalResourceDialogSitePortDescription": "Verwenden Sie diesen Port, um bei Verbindung mit einem Client auf die Ressource an der Site zuzugreifen.",
    "createInternalResourceDialogTargetConfiguration": "Zielkonfiguration",
    "createInternalResourceDialogDestinationIPDescription": "Die IP-Adresse oder Hostname Adresse der Ressource im Netzwerk der Website.",
@@ -1635,7 +1692,7 @@
    "createInternalResourceDialogFailedToCreateInternalResource": "Interne Ressource konnte nicht erstellt werden",
    "createInternalResourceDialogNameRequired": "Name ist erforderlich",
    "createInternalResourceDialogNameMaxLength": "Der Name darf nicht länger als 255 Zeichen sein",
-    "createInternalResourceDialogPleaseSelectSite": "Bitte wählen Sie eine Site aus",
+    "createInternalResourceDialogPleaseSelectSite": "Bitte wählen Sie einen Standort aus",
    "createInternalResourceDialogProxyPortMin": "Proxy-Port muss mindestens 1 sein",
    "createInternalResourceDialogProxyPortMax": "Proxy-Port muss kleiner als 65536 sein",
    "createInternalResourceDialogInvalidIPAddressFormat": "Ungültiges IP-Adressformat",
@@ -1653,12 +1710,12 @@
    "createInternalResourceDialogAliasDescription": "Ein optionaler interner DNS-Alias für diese Ressource.",
    "siteConfiguration": "Konfiguration",
    "siteAcceptClientConnections": "Clientverbindungen akzeptieren",
-    "siteAcceptClientConnectionsDescription": "Erlaube Benutzer-Geräten und Clients Zugriff auf Ressourcen auf dieser Website. Dies kann später geändert werden.",
-    "siteAddress": "Site-Adresse (Erweitert)",
-    "siteAddressDescription": "Die interne Adresse der Website. Muss in das Subnetz der Organisation fallen.",
-    "siteNameDescription": "Der Anzeigename der Site, der später geändert werden kann.",
+    "siteAcceptClientConnectionsDescription": "Erlaube Benutzer-Geräten und Clients Zugriff auf Ressourcen auf diesem Standort. Dies kann später geändert werden.",
+    "siteAddress": "Standort-Adresse (Erweitert)",
+    "siteAddressDescription": "Die interne Adresse des Standorts. Sie muss im Subnetz der Organisation liegen.",
+    "siteNameDescription": "Der Anzeigename des Standorts, kann später geändert werden",
    "autoLoginExternalIdp": "Automatische Anmeldung mit externem IDP",
-    "autoLoginExternalIdpDescription": "Leiten Sie den Benutzer sofort zur Authentifizierung an den externen IDP weiter.",
+    "autoLoginExternalIdpDescription": "Den Nutzer zur Authentifizierung sofort an den externen Identifikationsanbieter weiterleiten.",
    "selectIdp": "IDP auswählen",
    "selectIdpPlaceholder": "Wählen Sie einen IDP...",
    "selectIdpRequired": "Bitte wählen Sie einen IDP aus, wenn automatische Anmeldung aktiviert ist.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Keine Weiterleitungs-URL vom Identitätsanbieter erhalten.",
    "autoLoginErrorGeneratingUrl": "Fehler beim Generieren der Authentifizierungs-URL.",
    "remoteExitNodeManageRemoteExitNodes": "Entfernte Knoten",
-    "remoteExitNodeDescription": "Self-Hoster einen oder mehrere entfernte Knoten, um die Netzwerkverbindung zu erweitern und die Abhängigkeit von der Cloud zu verringern",
+    "remoteExitNodeDescription": "Hosten Sie selbst Ihr eigenes Relay und ihre Server Nodes",
    "remoteExitNodes": "Knoten",
    "searchRemoteExitNodes": "Knoten suchen...",
    "remoteExitNodeAdd": "Knoten hinzufügen",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Löschknoten bestätigen",
    "remoteExitNodeDelete": "Knoten löschen",
    "sidebarRemoteExitNodes": "Entfernte Knoten",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Geheimnis",
    "remoteExitNodeCreate": {
-        "title": "Knoten erstellen",
-        "description": "Erstelle einen neuen Knoten, um die Netzwerkverbindung zu erweitern",
+        "title": "Erstelle Remote Node",
+        "description": "Erstelle einen neues selbst gehostetes Relay und ihre Proxyserver Nodes",
        "viewAllButton": "Alle Knoten anzeigen",
        "strategy": {
            "title": "Erstellungsstrategie",
-            "description": "Wählen Sie diese Option, um den Knoten manuell zu konfigurieren oder neue Zugangsdaten zu generieren.",
+            "description": "Wählen Sie, wie Sie den entfernten Node erstellen möchten",
            "adopt": {
                "title": "Node übernehmen",
                "description": "Wählen Sie dies, wenn Sie bereits die Anmeldedaten für den Knoten haben."
            },
            "generate": {
                "title": "Schlüssel generieren",
-                "description": "Wählen Sie dies, wenn Sie neue Schlüssel für den Knoten generieren möchten"
+                "description": "Wählen Sie dies, wenn Sie neue Schlüssel für den Node generieren möchten."
            }
        },
        "adopt": {
@@ -1730,7 +1789,7 @@
    "remoteExitNodeSelectionDescription": "Wählen Sie einen Knoten aus, durch den Traffic für diese lokale Seite geleitet werden soll",
    "remoteExitNodeRequired": "Ein Knoten muss für lokale Seiten ausgewählt sein",
    "noRemoteExitNodesAvailable": "Keine Knoten verfügbar",
-    "noRemoteExitNodesAvailableDescription": "Für diese Organisation sind keine Knoten verfügbar. Erstellen Sie zuerst einen Knoten, um lokale Sites zu verwenden.",
+    "noRemoteExitNodesAvailableDescription": "Für diese Organisation sind keine Knoten verfügbar. Erstellen Sie zuerst einen Knoten, um lokale Standorte zu verwenden.",
    "exitNode": "Exit-Node",
    "country": "Land",
    "rulesMatchCountry": "Derzeit basierend auf der Quell-IP",
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Subnetz",
    "subnetDescription": "Das Subnetz für die Netzwerkkonfiguration dieser Organisation.",
-    "authPage": "Auth Seite",
-    "authPageDescription": "Konfigurieren Sie die Authentifizierungsseite für die Organisation",
+    "customDomain": "Eigene Domain",
+    "authPage": "Authentifizierungs-Seiten",
+    "authPageDescription": "Legen Sie eine eigene Domain für die Authentifizierungsseiten der Organisation fest",
    "authPageDomain": "Domain der Auth Seite",
+    "authPageBranding": "Eigenes Branding",
+    "authPageBrandingDescription": "Konfigurieren Sie das Branding, das auf Authentifizierungsseiten für diese Organisation erscheint",
+    "authPageBrandingUpdated": "Branding der Authentifizierungsseiten erfolgreich aktualisiert",
+    "authPageBrandingRemoved": "Branding der Authentifizierungsseiten erfolgreich entfernt",
+    "authPageBrandingRemoveTitle": "Authentifizierungsseiten Branding entfernen",
+    "authPageBrandingQuestionRemove": "Sind Sie sicher, dass Sie das Branding für Authentifizierungsseiten entfernen möchten?",
+    "authPageBrandingDeleteConfirm": "Branding löschen bestätigen",
+    "brandingLogoURL": "Logo URL",
+    "brandingPrimaryColor": "Primär-Farbe",
+    "brandingLogoWidth": "Breite (px)",
+    "brandingLogoHeight": "Höhe (px)",
+    "brandingOrgTitle": "Titel für die Authentifizierungsseite der Organisation",
+    "brandingOrgDescription": "{orgName} wird durch den Namen der Organisation ersetzt",
+    "brandingOrgSubtitle": "Untertitel für die Authentifizierungsseite der Organisation",
+    "brandingResourceTitle": "Titel für die Ressourcen-Authentifizierungsseite",
+    "brandingResourceSubtitle": "Untertitel für Ressourcen-Authentifizierungsseite",
+    "brandingResourceDescription": "{resourceName} wird durch den Namen der Organisation ersetzt",
+    "saveAuthPageDomain": "Domain speichern",
+    "saveAuthPageBranding": "Branding speichern",
+    "removeAuthPageBranding": "Branding entfernen",
    "noDomainSet": "Keine Domain gesetzt",
    "changeDomain": "Domain ändern",
    "selectDomain": "Domain auswählen",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Domain der Auth Seite festlegen",
    "failedToFetchCertificate": "Zertifikat konnte nicht abgerufen werden",
    "failedToRestartCertificate": "Zertifikat konnte nicht neu gestartet werden",
-    "addDomainToEnableCustomAuthPages": "Füge eine Domain hinzu, um benutzerdefinierte Authentifizierungsseiten für die Organisation zu aktivieren",
+    "addDomainToEnableCustomAuthPages": "Benutzer können über diese Domain auf die Login-Seite der Organisation zugreifen und die Ressourcen-Authentifizierung durchführen.",
    "selectDomainForOrgAuthPage": "Wählen Sie eine Domain für die Authentifizierungsseite der Organisation",
    "domainPickerProvidedDomain": "Angegebene Domain",
    "domainPickerFreeProvidedDomain": "Kostenlose Domain",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" konnte nicht für {domain} gültig gemacht werden.",
    "domainPickerSubdomainSanitized": "Subdomain bereinigt",
    "domainPickerSubdomainCorrected": "\"{sub}\" wurde korrigiert zu \"{sanitized}\"",
-    "orgAuthSignInTitle": "In der Organisation anmelden",
+    "orgAuthSignInTitle": "Organisations-Anmeldung",
    "orgAuthChooseIdpDescription": "Wähle deinen Identitätsanbieter um fortzufahren",
    "orgAuthNoIdpConfigured": "Diese Organisation hat keine Identitätsanbieter konfiguriert. Sie können sich stattdessen mit Ihrer Pangolin-Identität anmelden.",
    "orgAuthSignInWithPangolin": "Mit Pangolin anmelden",
+    "orgAuthSignInToOrg": "Bei einer Organisation anmelden",
+    "orgAuthSelectOrgTitle": "Organisations-Anmeldung",
+    "orgAuthSelectOrgDescription": "Geben Sie Ihre Organisations-ID ein, um fortzufahren",
+    "orgAuthOrgIdPlaceholder": "Ihre Organisation",
+    "orgAuthOrgIdHelp": "Geben Sie die eindeutige Kennung Ihrer Organisation ein",
+    "orgAuthSelectOrgHelp": "Nachdem Sie Ihre Organisations-ID eingegeben haben, werden Sie auf die Anmeldeseite Ihrer Organisation gebracht, auf der Sie SSO oder die Zugangsdaten Ihrer Organisation verwenden können.",
+    "orgAuthRememberOrgId": "Diese Organisations-ID merken",
+    "orgAuthBackToSignIn": "Zurück zum Standard Login",
+    "orgAuthNoAccount": "Sie haben noch kein Konto?",
    "subscriptionRequiredToUse": "Um diese Funktion nutzen zu können, ist ein Abonnement erforderlich.",
    "idpDisabled": "Identitätsanbieter sind deaktiviert.",
    "orgAuthPageDisabled": "Organisations-Authentifizierungsseite ist deaktiviert.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Zwei-Faktor-Authentifizierung aktivieren",
    "completeSecuritySteps": "Schließe Sicherheitsschritte ab",
    "securitySettings": "Sicherheitseinstellungen",
+    "dangerSection": "Gefahrenzone",
+    "dangerSectionDescription": "Alle mit dieser Organisation verbundenen Daten dauerhaft löschen",
    "securitySettingsDescription": "Sicherheitsrichtlinien für die Organisation konfigurieren",
    "requireTwoFactorForAllUsers": "Zwei-Faktor-Authentifizierung für alle Benutzer erforderlich",
    "requireTwoFactorDescription": "Wenn aktiviert, müssen alle internen Benutzer in dieser Organisation die Zwei-Faktor-Authentifizierung aktiviert haben, um auf die Organisation zuzugreifen.",
@@ -1887,9 +1978,9 @@
    "securityPolicyChangeWarningText": "Dies betrifft alle Benutzer in der Organisation",
    "authPageErrorUpdateMessage": "Beim Aktualisieren der Auth-Seiten-Einstellungen ist ein Fehler aufgetreten",
    "authPageErrorUpdate": "Auth Seite kann nicht aktualisiert werden",
-    "authPageUpdated": "Auth-Seite erfolgreich aktualisiert",
+    "authPageDomainUpdated": "Domain der Authentifizierungsseite erfolgreich aktualisiert",
    "healthCheckNotAvailable": "Lokal",
-    "rewritePath": "Pfad neu schreiben",
+    "rewritePath": "Pfad umschreiben",
    "rewritePathDescription": "Optional den Pfad umschreiben, bevor er an das Ziel weitergeleitet wird.",
    "continueToApplication": "Weiter zur Anwendung",
    "checkingInvite": "Einladung wird überprüft",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Benutzer-Geräte",
    "manageUserDevicesDescription": "Geräte anschauen und verwalten, die Benutzer für private Verbindungen zu Ressourcen verwenden",
+    "downloadClientBannerTitle": "Pangolin Client herunterladen",
+    "downloadClientBannerDescription": "Laden Sie den Pangolin Client für Ihr System herunter, um sich mit dem Pangolin Netzwerk zu verbinden und privat auf Ressourcen zuzugreifen.",
    "manageMachineClients": "Maschinen-Clients verwalten",
    "manageMachineClientsDescription": "Erstelle und verwalte Clients, die Server und Systeme nutzen, um privat mit Ressourcen zu verbinden",
+    "machineClientsBannerTitle": "Server & Automatisierte Systeme",
+    "machineClientsBannerDescription": "Maschinelle Clients sind für Server und automatisierte Systeme, die nicht einem bestimmten Benutzer zugeordnet sind. Sie authentifizieren sich mit einer ID und einem Geheimnis und können mit Pangolin CLI, Olm CLI oder Olm als Container laufen.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm Container",
    "clientsTableUserClients": "Benutzer",
    "clientsTableMachineClients": "Maschine",
    "licenseTableValidUntil": "Gültig bis",
@@ -1987,7 +2085,7 @@
            "primaryUseQuestion": "Wofür planen Sie in erster Linie Pangolin zu benutzen?",
            "industryQuestion": "Was ist Ihre Branche?",
            "prospectiveUsersQuestion": "Wie viele Interessenten erwarten Sie?",
-            "prospectiveSitesQuestion": "Wie viele potentielle Standorte (Tunnel) erwarten Sie?",
+            "prospectiveSitesQuestion": "Wie viele potenzielle Standorte (Tunnel) erwarten Sie?",
            "companyName": "Firmenname",
            "countryOfResidence": "Land des Wohnsitzes",
            "stateProvinceRegion": "Bundesland / Provinz / Region",
@@ -2035,10 +2133,10 @@
    "pathRewriteModalTitle": "Pfad Rewriting konfigurieren",
    "pathRewriteModalDescription": "Transformieren Sie den übereinstimmenden Pfad bevor Sie zum Ziel weiterleiten.",
    "pathRewriteType": "Rewrite Typ",
-    "pathRewritePrefixOption": "Präfix - Präfix ersetzen",
+    "pathRewritePrefixOption": "Präfix ersetzen",
    "pathRewriteExactOption": "Exakt - Gesamten Pfad ersetzen",
    "pathRewriteRegexOption": "Regex - Musterersetzung",
-    "pathRewriteStripPrefixOption": "Präfix entfernen - Präfix entfernen",
+    "pathRewriteStripPrefixOption": "Präfix entfernen",
    "pathRewriteValue": "Wert umschreiben",
    "pathRewriteRegexPlaceholder": "/neu/$1",
    "pathRewriteDefaultPlaceholder": "/new-path",
@@ -2054,37 +2152,39 @@
    "sidebarEnableEnterpriseLicense": "Enterprise-Lizenz aktivieren",
    "cannotbeUndone": "Dies kann nicht rückgängig gemacht werden.",
    "toConfirm": "bestätigen.",
-    "deleteClientQuestion": "Sind Sie sicher, dass Sie den Client von der Website und der Organisation entfernen möchten?",
-    "clientMessageRemove": "Nach dem Entfernen kann sich der Client nicht mehr mit der Website verbinden.",
+    "deleteClientQuestion": "Sind Sie sicher, dass Sie den Client von dem Standort und der Organisation entfernen möchten?",
+    "clientMessageRemove": "Nach dem Entfernen kann sich der Client nicht mehr mit dem Standort verbinden.",
    "sidebarLogs": "Logs",
    "request": "Anfrage",
    "requests": "Anfragen",
    "logs": "Logs",
-    "logsSettingsDescription": "Aus dieser Orginisierung gesammelte Logs überwachen",
+    "logsSettingsDescription": "Protokolle aus dieser Organisation überwachen",
    "searchLogs": "Logs suchen...",
    "action": "Aktion",
    "actor": "Akteur",
    "timestamp": "Zeitstempel",
    "accessLogs": "Zugriffsprotokolle",
    "exportCsv": "CSV exportieren",
+    "exportError": "Unbekannter Fehler beim Exportieren von CSV",
+    "exportCsvTooltip": "Innerhalb des Zeitraums",
    "actorId": "Akteur-ID",
    "allowedByRule": "Erlaubt durch Regel",
    "allowedNoAuth": "Keine Auth erlaubt",
    "validAccessToken": "Gültiges Zugriffstoken",
-    "validHeaderAuth": "Valid header auth",
-    "validPincode": "Valid Pincode",
+    "validHeaderAuth": "Gültige Header-Authentifizierung",
+    "validPincode": "Gültiger PIN-Code",
    "validPassword": "Gültiges Passwort",
-    "validEmail": "Valid email",
-    "validSSO": "Valid SSO",
+    "validEmail": "Gültige E-Mail-Adresse",
+    "validSSO": "Gültige SSO-Anmeldung",
    "resourceBlocked": "Ressource blockiert",
    "droppedByRule": "Abgelegt durch Regel",
    "noSessions": "Keine Sitzungen",
    "temporaryRequestToken": "Temporäres Anfrage-Token",
-    "noMoreAuthMethods": "No Valid Auth",
+    "noMoreAuthMethods": "Keine gültige Authentifizierungsmethode verfügbar",
    "ip": "IP",
    "reason": "Grund",
    "requestLogs": "Logs anfordern",
-    "requestAnalytics": "Analytik anfordern",
+    "requestAnalytics": "Anfrage-Analyse anzeigen",
    "host": "Host",
    "location": "Standort",
    "actionLogs": "Aktionsprotokolle",
@@ -2094,7 +2194,7 @@
    "logRetention": "Log-Speicherung",
    "logRetentionDescription": "Verwalten, wie lange verschiedene Logs für diese Organisation gespeichert werden oder deaktivieren",
    "requestLogsDescription": "Detaillierte Request-Logs für Ressourcen in dieser Organisation anzeigen",
-    "requestAnalyticsDescription": "Detaillierte Anfrageanalytik für Ressourcen in dieser Organisation anzeigen",
+    "requestAnalyticsDescription": "Detaillierte Anfrage-Analyse für Ressourcen in dieser Organisation anzeigen",
    "logRetentionRequestLabel": "Log-Speicherung anfordern",
    "logRetentionRequestDescription": "Wie lange sollen Request-Logs gespeichert werden",
    "logRetentionAccessLabel": "Zugriffsprotokoll-Speicherung",
@@ -2120,7 +2220,7 @@
    "unverified": "Nicht verifiziert",
    "domainSetting": "Domänen-Einstellungen",
    "domainSettingDescription": "Einstellungen für die Domain konfigurieren",
-    "preferWildcardCertDescription": "Versuch ein Platzhalterzertifikat zu generieren (erfordert einen richtig konfigurierten Zertifikatslöser).",
+    "preferWildcardCertDescription": "Versuch, ein Wildcard Zertifikat zu generieren (erfordert einen richtig konfigurierten Zertifikats-Resolver).",
    "recordName": "Name des Datensatzes",
    "auto": "Auto",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Code muss 9 Zeichen lang sein (z.B. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ungültiger oder abgelaufener Code",
    "deviceCodeVerifyFailed": "Fehler beim Überprüfen des Gerätecodes",
+    "deviceCodeValidating": "Überprüfe Gerätecode...",
+    "deviceCodeVerifying": "Geräteautorisierung wird überprüft...",
    "signedInAs": "Angemeldet als",
    "deviceCodeEnterPrompt": "Geben Sie den auf dem Gerät angezeigten Code ein",
    "continue": "Weiter",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Zugriff auf alle Organisationen, auf die Ihr Konto Zugriff hat",
    "deviceAuthorize": "{applicationName} autorisieren",
    "deviceConnected": "Gerät verbunden!",
-    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen.",
+    "deviceAuthorizedMessage": "Gerät ist berechtigt, auf Ihr Konto zuzugreifen. Bitte kehren Sie zur Client-Anwendung zurück.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Geräte anzeigen",
    "viewDevicesDescription": "Verwalten Sie Ihre verbundenen Geräte",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Nicht du? Verwenden Sie ein anderes Konto.",
    "deviceLoginDeviceRequestingAccessToAccount": "Ein Gerät fordert Zugriff auf dieses Konto an.",
+    "loginSelectAuthenticationMethod": "Wählen Sie eine Authentifizierungsmethode aus, um fortzufahren.",
    "noData": "Keine Daten",
    "machineClients": "Maschinen-Clients",
    "install": "Installieren",
@@ -2255,9 +2358,11 @@
    "setupFailedToFetchSubnet": "Fehler beim Abrufen des Standard-Subnetzes",
    "setupSubnetAdvanced": "Subnetz (Fortgeschritten)",
    "setupSubnetDescription": "Das Subnetz für das interne Netzwerk dieser Organisation.",
+    "setupUtilitySubnet": "Utility Subnetz (Erweitert)",
+    "setupUtilitySubnetDescription": "Das Subnetz für die Alias-Adressen und den DNS-Server dieser Organisation.",
    "siteRegenerateAndDisconnect": "Regenerieren und trennen",
-    "siteRegenerateAndDisconnectConfirmation": "Sind Sie sicher, dass Sie die Anmeldedaten neu generieren und diese Website trennen möchten?",
-    "siteRegenerateAndDisconnectWarning": "Dies wird die Anmeldeinformationen neu generieren und die Website sofort trennen. Die Seite muss mit den neuen Anmeldeinformationen neu gestartet werden.",
+    "siteRegenerateAndDisconnectConfirmation": "Sind Sie sicher, dass Sie die Anmeldedaten neu generieren und diesen Standort trennen möchten?",
+    "siteRegenerateAndDisconnectWarning": "Dies wird die Anmeldeinformationen neu generieren und den Standort sofort trennen. Der Standort muss mit den neuen Anmeldeinformationen neu gestartet werden.",
    "siteRegenerateCredentialsConfirmation": "Sind Sie sicher, dass Sie die Zugangsdaten für diese Seite neu generieren möchten?",
    "siteRegenerateCredentialsWarning": "Dies wird die Anmeldeinformationen neu generieren. Die Seite bleibt verbunden, bis Sie sie manuell neu starten und die neuen Anmeldeinformationen verwenden.",
    "clientRegenerateAndDisconnect": "Regenerieren und trennen",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Dies wird die Anmeldeinformationen neu generieren und den Remote-Exit-Knoten sofort trennen. Der Remote-Exit-Knoten muss mit den neuen Anmeldeinformationen neu gestartet werden.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Sind Sie sicher, dass Sie die Zugangsdaten für diesen Remote-Exit-Knoten neu generieren möchten?",
    "remoteExitNodeRegenerateCredentialsWarning": "Dies wird die Anmeldeinformationen neu generieren. Der Remote-Exit-Knoten bleibt verbunden, bis Sie ihn manuell neu starten und die neuen Anmeldeinformationen verwenden.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Nur für persönliche Nutzung",
+    "loginPageLicenseWatermark": "Diese Instanz ist nur für den persönlichen Gebrauch lizenziert.",
+    "instanceIsUnlicensed": "Diese Instanz ist nicht lizenziert.",
+    "portRestrictions": "Port Einschränkungen",
+    "allPorts": "Alle",
+    "custom": "Benutzerdefiniert",
+    "allPortsAllowed": "Alle Ports erlaubt",
+    "allPortsBlocked": "Alle Ports blockiert",
+    "tcpPortsDescription": "Legen Sie fest, welche TCP-Ports für diese Ressource erlaubt sind. Benutzen Sie '*' für alle Ports, lassen Sie leer um alle zu blockieren, oder geben Sie eine kommaseparierte Liste von Ports und Bereichen ein (z.B. 80,443,8000-9000).",
+    "udpPortsDescription": "Geben Sie an, welche UDP-Ports für diese Ressource erlaubt sind. Benutzen Sie '*' für alle Ports, lassen Sie leer um alle zu blockieren, oder geben Sie eine kommaseparierte Liste von Ports und Bereichen (z.B. 53,123,500-600) ein.",
+    "organizationLoginPageTitle": "Organisations-Anmeldeseite",
+    "organizationLoginPageDescription": "Die Anmeldeseite für diese Organisation anpassen",
+    "resourceLoginPageTitle": "Ressourcen-Anmeldeseite",
+    "resourceLoginPageDescription": "Anpassen der Anmeldeseite für einzelne Ressourcen",
+    "enterConfirmation": "Bestätigung eingeben",
+    "blueprintViewDetails": "Details",
+    "defaultIdentityProvider": "Standard Identitätsanbieter",
+    "defaultIdentityProviderDescription": "Wenn ein Standard-Identity Provider ausgewählt ist, wird der Benutzer zur Authentifizierung automatisch an den Anbieter weitergeleitet.",
+    "editInternalResourceDialogNetworkSettings": "Netzwerkeinstellungen",
+    "editInternalResourceDialogAccessPolicy": "Zugriffsrichtlinie",
+    "editInternalResourceDialogAddRoles": "Rollen hinzufügen",
+    "editInternalResourceDialogAddUsers": "Nutzer hinzufügen",
+    "editInternalResourceDialogAddClients": "Clients hinzufügen",
+    "editInternalResourceDialogDestinationLabel": "Ziel",
+    "editInternalResourceDialogDestinationDescription": "Geben Sie die Zieladresse für die interne Ressource an. Dies kann ein Hostname, eine IP-Adresse oder ein CIDR-Bereich sein, abhängig vom gewählten Modus. Legen Sie optional einen internen DNS-Alias für eine vereinfachte Identifizierung fest.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Den Zugriff auf bestimmte TCP/UDP-Ports beschränken oder alle Ports erlauben/blockieren.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Zugriffskontrolle",
+    "editInternalResourceDialogAccessControlDescription": "Kontrollieren Sie, welche Rollen, Benutzer und Maschinen-Clients Zugriff auf diese Ressource haben, wenn sie verbunden sind. Admins haben immer Zugriff.",
+    "editInternalResourceDialogPortRangeValidationError": "Der Port-Bereich muss \"*\" für alle Ports sein, oder eine kommaseparierte Liste von Ports und Bereichen (z.B. \"80,443.8000-9000\"). Ports müssen zwischen 1 und 65535 liegen.",
+    "orgAuthWhatsThis": "Wo finde ich meine Organisations-ID?",
+    "learnMore": "Mehr erfahren",
+    "backToHome": "Zurück zur Startseite",
+    "needToSignInToOrg": "Benötigen Sie den Identitätsanbieter Ihres Unternehmens?",
+    "maintenanceMode": "Wartungsmodus",
+    "maintenanceModeDescription": "Eine Wartungsseite für Besucher anzeigen",
+    "maintenanceModeType": "Art des Wartungsmodus",
+    "showMaintenancePage": "Eine Wartungsseite für Besucher anzeigen",
+    "enableMaintenanceMode": "Wartungsmodus aktivieren",
+    "automatic": "Automatisch",
+    "automaticModeDescription": " Wartungsseite nur anzeigen, wenn alle Backend-Ziele deaktiviert oder ungesund sind. Deine Ressource funktioniert normal, solange mindestens ein Ziel gesund ist.",
+    "forced": "Erzwungen",
+    "forcedModeDescription": "Immer die Wartungsseite anzeigen, unabhängig von der Gesundheit des Backends. Verwenden Sie diese für geplante Wartung, wenn Sie alle Zugriffe verhindern möchten.",
+    "warning:": "Warnung:",
+    "forcedeModeWarning": "Der gesamte Datenverkehr wird zur Wartungsseite weitergeleitet. Ihre Backend-Ressourcen werden keine Anfragen erhalten.",
+    "pageTitle": "Seitentitel",
+    "pageTitleDescription": "Die Hauptüberschrift auf der Wartungsseite",
+    "maintenancePageMessage": "Wartungsmeldung",
+    "maintenancePageMessagePlaceholder": "Wir sind bald wieder da! Unsere Seite wird derzeit planmäßig gewartet.",
+    "maintenancePageMessageDescription": "Detaillierte Meldung zur Erklärung der Wartung",
+    "maintenancePageTimeTitle": "Geschätzte Abschlusszeit (Optional)",
+    "maintenanceTime": "z.B.: 2 Stunden, Nov 1 um 17:00 Uhr",
+    "maintenanceEstimatedTimeDescription": "Wann Sie den Abschluss der Wartung erwarten",
+    "editDomain": "Domain bearbeiten",
+    "editDomainDescription": "Wählen Sie eine Domain für Ihre Ressource",
+    "maintenanceModeDisabledTooltip": "Diese Funktion erfordert eine gültige Lizenz, um sie zu aktivieren.",
+    "maintenanceScreenTitle": "Dienst vorübergehend nicht verfügbar",
+    "maintenanceScreenMessage": "Wir haben derzeit technische Schwierigkeiten. Bitte schauen Sie bald noch einmal vorbei.",
+    "maintenanceScreenEstimatedCompletion": "Geschätzter Abschluss:",
+    "createInternalResourceDialogDestinationRequired": "Ziel ist erforderlich",
+    "available": "Verfügbar",
+    "archived": "Archiviert",
+    "noArchivedDevices": "Keine archivierten Geräte gefunden",
+    "deviceArchived": "Gerät archiviert",
+    "deviceArchivedDescription": "Das Gerät wurde erfolgreich archiviert.",
+    "errorArchivingDevice": "Fehler beim Archivieren des Geräts",
+    "failedToArchiveDevice": "Archivierung des Geräts fehlgeschlagen",
+    "deviceQuestionArchive": "Sind Sie sicher, dass Sie dieses Gerät archivieren möchten?",
+    "deviceMessageArchive": "Das Gerät wird archiviert und aus Ihrer Liste der aktiven Geräte entfernt.",
+    "deviceArchiveConfirm": "Gerät archivieren",
+    "archiveDevice": "Gerät archivieren",
+    "archive": "Archiv",
+    "deviceUnarchived": "Gerät nicht archiviert",
+    "deviceUnarchivedDescription": "Das Gerät wurde erfolgreich deinstalliert.",
+    "errorUnarchivingDevice": "Fehler beim Entarchivieren des Geräts",
+    "failedToUnarchiveDevice": "Fehler beim Entfernen des Geräts",
+    "unarchive": "Archivieren",
+    "archiveClient": "Kunde archivieren",
+    "archiveClientQuestion": "Sind Sie sicher, dass Sie diesen Client archivieren möchten?",
+    "archiveClientMessage": "Der Client wird archiviert und aus der Liste Ihrer aktiven Clients entfernt.",
+    "archiveClientConfirm": "Kunde archivieren",
+    "blockClient": "Klient sperren",
+    "blockClientQuestion": "Sind Sie sicher, dass Sie diesen Client blockieren möchten?",
+    "blockClientMessage": "Das Gerät wird gezwungen, die Verbindung zu trennen, wenn es gerade verbunden ist. Sie können das Gerät später entsperren.",
+    "blockClientConfirm": "Klient sperren",
+    "active": "Aktiv",
+    "usernameOrEmail": "Benutzername oder E-Mail",
+    "selectYourOrganization": "Wählen Sie Ihre Organisation",
+    "signInTo": "Einloggen in",
+    "signInWithPassword": "Mit Passwort fortfahren",
+    "noAuthMethodsAvailable": "Keine Authentifizierungsmethoden für diese Organisation verfügbar.",
+    "enterPassword": "Geben Sie Ihr Passwort ein",
+    "enterMfaCode": "Geben Sie den Code aus Ihrer Authentifizierungs-App ein",
+    "securityKeyRequired": "Bitte verwenden Sie Ihren Sicherheitsschlüssel zum Anmelden.",
+    "needToUseAnotherAccount": "Benötigen Sie ein anderes Konto?",
+    "loginLegalDisclaimer": "Indem Sie auf die Buttons unten klicken, bestätigen Sie, dass Sie gelesen haben, verstehen, und stimmen den <termsOfService>Nutzungsbedingungen</termsOfService> und <privacyPolicy>Datenschutzrichtlinien</privacyPolicy> zu.",
+    "termsOfService": "Nutzungsbedingungen",
+    "privacyPolicy": "Datenschutzerklärung",
+    "userNotFoundWithUsername": "Kein Benutzer mit diesem Benutzernamen gefunden.",
+    "verify": "Überprüfen",
+    "signIn": "Anmelden",
+    "forgotPassword": "Passwort vergessen?",
+    "orgSignInTip": "Wenn Sie sich vorher angemeldet haben, können Sie Ihren Benutzernamen oder Ihre E-Mail-Adresse eingeben, um sich stattdessen beim Identifikationsprovider Ihrer Organisation zu authentifizieren. Es ist einfacher!",
+    "continueAnyway": "Trotzdem fortfahren",
+    "dontShowAgain": "Nicht mehr anzeigen",
+    "orgSignInNotice": "Wussten Sie schon?",
+    "signupOrgNotice": "Versucht sich anzumelden?",
+    "signupOrgTip": "Versuchen Sie, sich über den Identitätsanbieter Ihrer Organisation anzumelden?",
+    "signupOrgLink": "Melden Sie sich an oder melden Sie sich stattdessen bei Ihrer Organisation an",
+    "verifyEmailLogInWithDifferentAccount": "Anderes Konto verwenden",
+    "logIn": "Anmelden",
+    "deviceInformation": "Geräteinformationen",
+    "deviceInformationDescription": "Informationen über das Gerät und den Agent",
+    "deviceSecurity": "Gerätesicherheit",
+    "deviceSecurityDescription": "Informationen zur Gerätesicherheit",
+    "platform": "Plattform",
+    "macosVersion": "macOS-Version",
+    "windowsVersion": "Windows-Version",
+    "iosVersion": "iOS-Version",
+    "androidVersion": "Android-Version",
+    "osVersion": "OS-Version",
+    "kernelVersion": "Kernel-Version",
+    "deviceModel": "Gerätemodell",
+    "serialNumber": "Seriennummer",
+    "hostname": "Hostname",
+    "firstSeen": "Erster Blick",
+    "lastSeen": "Zuletzt gesehen",
+    "biometricsEnabled": "Biometrie aktiviert",
+    "diskEncrypted": "Festplatte verschlüsselt",
+    "firewallEnabled": "Firewall aktiviert",
+    "autoUpdatesEnabled": "Automatische Updates aktiviert",
+    "tpmAvailable": "TPM verfügbar",
+    "macosSipEnabled": "Schutz der Systemintegrität (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Stealth-Modus",
+    "linuxAppArmorEnabled": "AppRüstung",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Geräteinformationen und -einstellungen anzeigen",
+    "devicePendingApprovalDescription": "Dieses Gerät wartet auf Freigabe",
+    "deviceBlockedDescription": "Dieses Gerät ist derzeit gesperrt. Es kann keine Verbindung zu anderen Ressourcen herstellen, es sei denn, es entsperrt.",
+    "unblockClient": "Client entsperren",
+    "unblockClientDescription": "Das Gerät wurde entsperrt",
+    "unarchiveClient": "Client dearchivieren",
+    "unarchiveClientDescription": "Das Gerät wurde nicht archiviert",
+    "block": "Blockieren",
+    "unblock": "Entsperren",
+    "deviceActions": "Geräte-Aktionen",
+    "deviceActionsDescription": "Gerätestatus und Zugriff verwalten",
+    "devicePendingApprovalBannerDescription": "Dieses Gerät wartet auf Genehmigung. Es kann sich erst mit Ressourcen verbinden.",
+    "connected": "Verbunden",
+    "disconnected": "Verbindung getrennt",
+    "approvalsEmptyStateTitle": "Gerätezulassungen nicht aktiviert",
+    "approvalsEmptyStateDescription": "Aktiviere Gerätegenehmigungen für Rollen, um Administratorgenehmigungen zu benötigen, bevor Benutzer neue Geräte verbinden können.",
+    "approvalsEmptyStateStep1Title": "Gehe zu Rollen",
+    "approvalsEmptyStateStep1Description": "Navigieren Sie zu den Rolleneinstellungen Ihrer Organisation, um die Gerätefreigaben zu konfigurieren.",
+    "approvalsEmptyStateStep2Title": "Gerätegenehmigungen aktivieren",
+    "approvalsEmptyStateStep2Description": "Bearbeite eine Rolle und aktiviere die Option 'Gerätegenehmigung erforderlich'. Benutzer mit dieser Rolle benötigen Administrator-Genehmigung für neue Geräte.",
+    "approvalsEmptyStatePreviewDescription": "Vorschau: Wenn aktiviert, werden ausstehende Geräteanfragen hier zur Überprüfung angezeigt",
+    "approvalsEmptyStateButtonText": "Rollen verwalten"
 }
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Create the organization, site, and resources",
+    "headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
+    "headerAuthCompatibility": "Extended compatibility",
    "setupNewOrg": "New Organization",
    "setupCreateOrg": "Create Organization",
    "setupCreateResources": "Create Resources",
@@ -54,6 +56,9 @@
    "sitesBannerTitle": "Connect Any Network",
    "sitesBannerDescription": "A site is a connection to a remote network that allows Pangolin to provide access to resources, whether public or private, to users anywhere. Install the site network connector (Newt) anywhere you can run a binary or container to establish the connection.",
    "sitesBannerButtonText": "Install Site",
+    "approvalsBannerTitle": "Approve or Deny Device Access",
+    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
+    "approvalsBannerButtonText": "Learn More",
    "siteCreate": "Create Site",
    "siteCreateDescription2": "Follow the steps below to create and connect a new site",
    "siteCreateDescription": "Create a new site to start connecting resources",
@@ -255,6 +260,8 @@
    "accessRolesSearch": "Search roles...",
    "accessRolesAdd": "Add Role",
    "accessRoleDelete": "Delete Role",
+    "accessApprovalsManage": "Manage Approvals",
+    "accessApprovalsDescription": "View and manage pending approvals for access to this organization",
    "description": "Description",
    "inviteTitle": "Open Invitations",
    "inviteDescription": "Manage invitations for other users to join the organization",
@@ -448,6 +455,18 @@
    "selectDuration": "Select duration",
    "selectResource": "Select Resource",
    "filterByResource": "Filter By Resource",
+    "selectApprovalState": "Select Approval State",
+    "filterByApprovalState": "Filter By Approval State",
+    "approvalListEmpty": "No approvals",
+    "approvalState": "Approval State",
+    "approve": "Approve",
+    "approved": "Approved",
+    "denied": "Denied",
+    "deniedApproval": "Denied Approval",
+    "all": "All",
+    "deny": "Deny",
+    "viewDetails": "View Details",
+    "requestingNewDeviceApproval": "requested a new device",
    "resetFilters": "Reset Filters",
    "totalBlocked": "Requests Blocked By Pangolin",
    "totalRequests": "Total Requests",
@@ -727,16 +746,28 @@
    "countries": "Countries",
    "accessRoleCreate": "Create Role",
    "accessRoleCreateDescription": "Create a new role to group users and manage their permissions.",
+    "accessRoleEdit": "Edit Role",
+    "accessRoleEditDescription": "Edit role information.",
    "accessRoleCreateSubmit": "Create Role",
    "accessRoleCreated": "Role created",
    "accessRoleCreatedDescription": "The role has been successfully created.",
    "accessRoleErrorCreate": "Failed to create role",
    "accessRoleErrorCreateDescription": "An error occurred while creating the role.",
+    "accessRoleUpdateSubmit": "Update Role",
+    "accessRoleUpdated": "Role updated",
+    "accessRoleUpdatedDescription": "The role has been successfully updated.",
+    "accessApprovalUpdated": "Approval processed",
+    "accessApprovalApprovedDescription": "Set Approval Request decision to approved.",
+    "accessApprovalDeniedDescription": "Set Approval Request decision to denied.",
+    "accessRoleErrorUpdate": "Failed to update role",
+    "accessRoleErrorUpdateDescription": "An error occurred while updating the role.",
+    "accessApprovalErrorUpdate": "Failed to process approval",
+    "accessApprovalErrorUpdateDescription": "An error occurred while processing the approval.",
    "accessRoleErrorNewRequired": "New role is required",
    "accessRoleErrorRemove": "Failed to remove role",
    "accessRoleErrorRemoveDescription": "An error occurred while removing the role.",
    "accessRoleName": "Role Name",
-    "accessRoleQuestionRemove": "You're about to delete the {name} role. You cannot undo this action.",
+    "accessRoleQuestionRemove": "You're about to delete the `{name}` role. You cannot undo this action.",
    "accessRoleRemove": "Remove Role",
    "accessRoleRemoveDescription": "Remove a role from the organization",
    "accessRoleRemoveSubmit": "Remove Role",
@@ -848,6 +879,7 @@
    "orgPolicyConfig": "Configure access for an organization",
    "idpUpdatedDescription": "Identity provider updated successfully",
    "redirectUrl": "Redirect URL",
+    "orgIdpRedirectUrls": "Redirect URLs",
    "redirectUrlAbout": "About Redirect URL",
    "redirectUrlAboutDescription": "This is the URL to which users will be redirected after authentication. You need to configure this URL in the identity provider's settings.",
    "pangolinAuth": "Auth - Pangolin",
@@ -871,7 +903,7 @@
    "inviteAlready": "Looks like you've been invited!",
    "inviteAlreadyDescription": "To accept the invite, you must log in or create an account.",
    "signupQuestion": "Already have an account?",
-    "login": "Log in",
+    "login": "Log In",
    "resourceNotFound": "Resource Not Found",
    "resourceNotFoundDescription": "The resource you're trying to access does not exist.",
    "pincodeRequirementsLength": "PIN must be exactly 6 digits",
@@ -951,13 +983,13 @@
    "passwordExpiryDescription": "This organization requires you to change your password every {maxDays} days.",
    "changePasswordNow": "Change Password Now",
    "pincodeAuth": "Authenticator Code",
-    "pincodeSubmit2": "Submit Code",
+    "pincodeSubmit2": "Submit code",
    "passwordResetSubmit": "Request Reset",
    "passwordResetAlreadyHaveCode": "Enter Code",
    "passwordResetSmtpRequired": "Please contact your administrator",
    "passwordResetSmtpRequiredDescription": "A password reset code is required to reset your password. Please contact your administrator for assistance.",
    "passwordBack": "Back to Password",
-    "loginBack": "Go back to log in",
+    "loginBack": "Go back to main login page",
    "signup": "Sign up",
    "loginStart": "Log in to get started",
    "idpOidcTokenValidating": "Validating OIDC token",
@@ -1115,6 +1147,10 @@
    "actionUpdateIdpOrg": "Update IDP Org",
    "actionCreateClient": "Create Client",
    "actionDeleteClient": "Delete Client",
+    "actionArchiveClient": "Archive Client",
+    "actionUnarchiveClient": "Unarchive Client",
+    "actionBlockClient": "Block Client",
+    "actionUnblockClient": "Unblock Client",
    "actionUpdateClient": "Update Client",
    "actionListClients": "List Clients",
    "actionGetClient": "Get Client",
@@ -1131,14 +1167,14 @@
    "searchProgress": "Search...",
    "create": "Create",
    "orgs": "Organizations",
-    "loginError": "An error occurred while logging in",
-    "loginRequiredForDevice": "Login is required to authenticate your device.",
+    "loginError": "An unexpected error occurred. Please try again.",
+    "loginRequiredForDevice": "Login is required for your device.",
    "passwordForgot": "Forgot your password?",
    "otpAuth": "Two-Factor Authentication",
    "otpAuthDescription": "Enter the code from your authenticator app or one of your single-use backup codes.",
    "otpAuthSubmit": "Submit Code",
    "idpContinue": "Or continue with",
-    "otpAuthBack": "Back to Log In",
+    "otpAuthBack": "Back to Password",
    "navbar": "Navigation Menu",
    "navbarDescription": "Main navigation menu for the application",
    "navbarDocsLink": "Documentation",
@@ -1186,6 +1222,7 @@
    "sidebarOverview": "Overview",
    "sidebarHome": "Home",
    "sidebarSites": "Sites",
+    "sidebarApprovals": "Approval Requests",
    "sidebarResources": "Resources",
    "sidebarProxyResources": "Public",
    "sidebarClientResources": "Private",
@@ -1202,7 +1239,7 @@
    "sidebarIdentityProviders": "Identity Providers",
    "sidebarLicense": "License",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Users",
+    "sidebarUserDevices": "User Devices",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domains",
    "sidebarGeneral": "Manage",
@@ -1274,6 +1311,7 @@
    "setupErrorCreateAdmin": "An error occurred while creating the server admin account.",
    "certificateStatus": "Certificate Status",
    "loading": "Loading",
+    "loadingAnalytics": "Loading Analytics",
    "restart": "Restart",
    "domains": "Domains",
    "domainsDescription": "Create and manage domains available in the organization",
@@ -1301,6 +1339,7 @@
    "refreshError": "Failed to refresh data",
    "verified": "Verified",
    "pending": "Pending",
+    "pendingApproval": "Pending Approval",
    "sidebarBilling": "Billing",
    "billing": "Billing",
    "orgBillingDescription": "Manage billing information and subscriptions",
@@ -1417,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Security key removed successfully",
    "securityKeyRemoveError": "Failed to remove security key",
    "securityKeyLoadError": "Failed to load security keys",
-    "securityKeyLogin": "Continue with security key",
+    "securityKeyLogin": "Use Security Key",
    "securityKeyAuthError": "Failed to authenticate with security key",
    "securityKeyRecommendation": "Register a backup security key on another device to ensure you always have access to your account.",
    "registering": "Registering...",
@@ -1477,7 +1516,7 @@
        "IAgreeToThe": "I agree to the",
        "termsOfService": "terms of service",
        "and": "and",
-        "privacyPolicy": "privacy policy"
+        "privacyPolicy": "privacy policy."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Keep me in the loop with news, updates, and new features by email."
@@ -1522,6 +1561,7 @@
    "addNewTarget": "Add New Target",
    "targetsList": "Targets List",
    "advancedMode": "Advanced Mode",
+    "advancedSettings": "Advanced Settings",
    "targetErrorDuplicateTargetFound": "Duplicate target found",
    "healthCheckHealthy": "Healthy",
    "healthCheckUnhealthy": "Unhealthy",
@@ -1543,6 +1583,8 @@
    "IntervalSeconds": "Healthy Interval",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Time is in seconds",
+    "requireDeviceApproval": "Require Device Approvals",
+    "requireDeviceApprovalDescription": "Users with this role need new devices approved by an admin before they can connect and access resources.",
    "retryAttempts": "Retry Attempts",
    "expectedResponseCodes": "Expected Response Codes",
    "expectedResponseCodesDescription": "HTTP status code that indicates healthy status. If left blank, 200-300 is considered healthy.",
@@ -1583,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "No internal resources found.",
    "resourcesTableDestination": "Destination",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias Address",
+    "resourcesTableAliasAddressInfo": "This address is part of the organization's utility subnet. It's used to resolve alias records using internal DNS resolution.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "and are only accessible internally when connected with a client.",
    "resourcesTableNoTargets": "No targets",
@@ -2228,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Code must be 9 characters (e.g., A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Invalid or expired code",
    "deviceCodeVerifyFailed": "Failed to verify device code",
+    "deviceCodeValidating": "Validating device code...",
+    "deviceCodeVerifying": "Verifying device authorization...",
    "signedInAs": "Signed in as",
    "deviceCodeEnterPrompt": "Enter the code displayed on the device",
    "continue": "Continue",
@@ -2240,7 +2286,7 @@
    "deviceOrganizationsAccess": "Access to all organizations your account has access to",
    "deviceAuthorize": "Authorize {applicationName}",
    "deviceConnected": "Device Connected!",
-    "deviceAuthorizedMessage": "Device is authorized to access your account.",
+    "deviceAuthorizedMessage": "Device is authorized to access your account. Please return to the client application.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "View Devices",
    "viewDevicesDescription": "Manage your connected devices",
@@ -2302,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Not you? Use a different account.",
    "deviceLoginDeviceRequestingAccessToAccount": "A device is requesting access to this account.",
+    "loginSelectAuthenticationMethod": "Select an authentication method to continue.",
    "noData": "No Data",
    "machineClients": "Machine Clients",
    "install": "Install",
@@ -2346,6 +2393,7 @@
    "enterConfirmation": "Enter confirmation",
    "blueprintViewDetails": "Details",
    "defaultIdentityProvider": "Default Identity Provider",
+    "defaultIdentityProviderDescription": "When a default identity provider is selected, the user will be automatically redirected to the provider for authentication.",
    "editInternalResourceDialogNetworkSettings": "Network Settings",
    "editInternalResourceDialogAccessPolicy": "Access Policy",
    "editInternalResourceDialogAddRoles": "Add Roles",
@@ -2363,5 +2411,131 @@
    "orgAuthWhatsThis": "Where can I find my organization ID?",
    "learnMore": "Learn more",
    "backToHome": "Go back to home",
-    "needToSignInToOrg": "Need to use your organization's identity provider?"
+    "needToSignInToOrg": "Need to use your organization's identity provider?",
+    "maintenanceMode": "Maintenance Mode",
+    "maintenanceModeDescription": "Display a maintenance page to visitors",
+    "maintenanceModeType": "Maintenance Mode Type",
+    "showMaintenancePage": "Show a maintenance page to visitors",
+    "enableMaintenanceMode": "Enable Maintenance Mode",
+    "automatic": "Automatic",
+    "automaticModeDescription": " Show maintenance page only when all backend targets are down or unhealthy. Your resource continues working normally as long as at least one target is healthy.",
+    "forced": "Forced",
+    "forcedModeDescription": "Always show the maintenance page regardless of backend health. Use this for planned maintenance when you want to prevent all access.",
+    "warning:" : "Warning:",
+    "forcedeModeWarning": "All traffic will be directed to the maintenance page. Your backend resources will not receive any requests.",
+    "pageTitle": "Page Title",
+    "pageTitleDescription": "The main heading displayed on the maintenance page",
+    "maintenancePageMessage": "Maintenance Message",
+    "maintenancePageMessagePlaceholder": "We'll be back soon! Our site is currently undergoing scheduled maintenance.",
+    "maintenancePageMessageDescription": "Detailed message explaining the maintenance",
+    "maintenancePageTimeTitle": "Estimated Completion Time (Optional)",
+    "maintenanceTime": "e.g., 2 hours, Nov 1 at 5:00 PM",
+    "maintenanceEstimatedTimeDescription": "When you expect maintenance to be completed",
+    "editDomain": "Edit Domain",
+    "editDomainDescription": "Select a domain for your resource",
+    "maintenanceModeDisabledTooltip": "This feature requires a valid license to enable.",
+    "maintenanceScreenTitle": "Service Temporarily Unavailable",
+    "maintenanceScreenMessage": "We are currently experiencing technical difficulties. Please check back soon.",
+    "maintenanceScreenEstimatedCompletion": "Estimated Completion:",
+    "createInternalResourceDialogDestinationRequired": "Destination is required",
+    "available": "Available",
+    "archived": "Archived",
+    "noArchivedDevices": "No archived devices found",
+    "deviceArchived": "Device archived",
+    "deviceArchivedDescription": "The device has been successfully archived.",
+    "errorArchivingDevice": "Error archiving device",
+    "failedToArchiveDevice": "Failed to archive device",
+    "deviceQuestionArchive": "Are you sure you want to archive this device?",
+    "deviceMessageArchive": "The device will be archived and removed from your active devices list.",
+    "deviceArchiveConfirm": "Archive Device",
+    "archiveDevice": "Archive Device",
+    "archive": "Archive",
+    "deviceUnarchived": "Device unarchived",
+    "deviceUnarchivedDescription": "The device has been successfully unarchived.",
+    "errorUnarchivingDevice": "Error unarchiving device",
+    "failedToUnarchiveDevice": "Failed to unarchive device",
+    "unarchive": "Unarchive",
+    "archiveClient": "Archive Client",
+    "archiveClientQuestion": "Are you sure you want to archive this client?",
+    "archiveClientMessage": "The client will be archived and removed from your active clients list.",
+    "archiveClientConfirm": "Archive Client",
+    "blockClient": "Block Client",
+    "blockClientQuestion": "Are you sure you want to block this client?",
+    "blockClientMessage": "The device will be forced to disconnect if currently connected. You can unblock the device later.",
+    "blockClientConfirm": "Block Client",
+    "active": "Active",
+    "usernameOrEmail": "Username or Email",
+    "selectYourOrganization": "Select your organization",
+    "signInTo": "Log in in to",
+    "signInWithPassword": "Continue with Password",
+    "noAuthMethodsAvailable": "No authentication methods available for this organization.",
+    "enterPassword": "Enter your password",
+    "enterMfaCode": "Enter the code from your authenticator app",
+    "securityKeyRequired": "Please use your security key to sign in.",
+    "needToUseAnotherAccount": "Need to use a different account?",
+    "loginLegalDisclaimer": "By clicking the buttons below, you acknowledge you have read, understand, and agree to the <termsOfService>Terms of Service</termsOfService> and <privacyPolicy>Privacy Policy</privacyPolicy>.",
+    "termsOfService": "Terms of Service",
+    "privacyPolicy": "Privacy Policy",
+    "userNotFoundWithUsername": "No user found with that username.",
+    "verify": "Verify",
+    "signIn": "Sign In",
+    "forgotPassword": "Forgot password?",
+    "orgSignInTip": "If you've logged in before, you can enter your username or email above to authenticate with your organization's identity provider instead. It's easier!",
+    "continueAnyway": "Continue anyway",
+    "dontShowAgain": "Don't show again",
+    "orgSignInNotice": "Did you know?",
+    "signupOrgNotice": "Trying to sign in?",
+    "signupOrgTip": "Are you trying to sign in through your organization's identity provider?",
+    "signupOrgLink": "Sign in or sign up with your organization instead",
+    "verifyEmailLogInWithDifferentAccount": "Use a Different Account",
+    "logIn": "Log In",
+    "deviceInformation": "Device Information",
+    "deviceInformationDescription": "Information about the device and agent",
+    "deviceSecurity": "Device Security",
+    "deviceSecurityDescription": "Device security posture information",
+    "platform": "Platform",
+    "macosVersion": "macOS Version",
+    "windowsVersion": "Windows Version",
+    "iosVersion": "iOS Version",
+    "androidVersion": "Android Version",
+    "osVersion": "OS Version",
+    "kernelVersion": "Kernel Version",
+    "deviceModel": "Device Model",
+    "serialNumber": "Serial Number",
+    "hostname": "Hostname",
+    "firstSeen": "First Seen",
+    "lastSeen": "Last Seen",
+    "biometricsEnabled": "Biometrics Enabled",
+    "diskEncrypted": "Disk Encrypted",
+    "firewallEnabled": "Firewall Enabled",
+    "autoUpdatesEnabled": "Auto Updates Enabled",
+    "tpmAvailable": "TPM Available",
+    "windowsAntivirusEnabled": "Antivirus Enabled",
+    "macosSipEnabled": "System Integrity Protection (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Stealth Mode",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "View device information and settings",
+    "devicePendingApprovalDescription": "This device is waiting for approval",
+    "deviceBlockedDescription": "This device is currently blocked. It won't be able to connect to any resources unless unblocked.",
+    "unblockClient": "Unblock Client",
+    "unblockClientDescription": "The device has been unblocked",
+    "unarchiveClient": "Unarchive Client",
+    "unarchiveClientDescription": "The device has been unarchived",
+    "block": "Block",
+    "unblock": "Unblock",
+    "deviceActions": "Device Actions",
+    "deviceActionsDescription": "Manage device status and access",
+    "devicePendingApprovalBannerDescription": "This device is pending approval. It won't be able to connect to resources until approved.",
+    "connected": "Connected",
+    "disconnected": "Disconnected",
+    "approvalsEmptyStateTitle": "Device Approvals Not Enabled",
+    "approvalsEmptyStateDescription": "Enable device approvals for roles to require admin approval before users can connect new devices.",
+    "approvalsEmptyStateStep1Title": "Go to Roles",
+    "approvalsEmptyStateStep1Description": "Navigate to your organization's roles settings to configure device approvals.",
+    "approvalsEmptyStateStep2Title": "Enable Device Approvals",
+    "approvalsEmptyStateStep2Description": "Edit a role and enable the 'Require Device Approvals' option. Users with this role will need admin approval for new devices.",
+    "approvalsEmptyStatePreviewDescription": "Preview: When enabled, pending device requests will appear here for review",
+    "approvalsEmptyStateButtonText": "Manage Roles"
 }
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Crear la organización, el sitio y los recursos",
+    "headerAuthCompatibilityInfo": "Habilite esto para forzar una respuesta 401 no autorizada cuando falte un token de autenticación. Esto es necesario para navegadores o bibliotecas HTTP específicas que no envían credenciales sin un desafío del servidor.",
+    "headerAuthCompatibility": "Compatibilidad extendida",
    "setupNewOrg": "Nueva organización",
    "setupCreateOrg": "Crear organización",
    "setupCreateResources": "Crear Recursos",
@@ -33,7 +35,7 @@
    "password": "Contraseña",
    "confirmPassword": "Confirmar contraseña",
    "createAccount": "Crear cuenta",
-    "viewSettings": "Ver ajustes",
+    "viewSettings": "Ver configuraciones",
    "delete": "Eliminar",
    "name": "Nombre",
    "online": "En línea",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "¿Está seguro que desea eliminar el sitio de la organización?",
    "siteManageSites": "Administrar Sitios",
    "siteDescription": "Crear y administrar sitios para permitir la conectividad a redes privadas",
+    "sitesBannerTitle": "Conectar cualquier red",
+    "sitesBannerDescription": "Un sitio es una conexión a una red remota que permite a Pangolin proporcionar acceso a recursos, públicos o privados, a usuarios en cualquier lugar. Instale el conector de red del sitio (Newt) en cualquier lugar donde pueda ejecutar un binario o contenedor para establecer la conexión.",
+    "sitesBannerButtonText": "Instalar sitio",
+    "approvalsBannerTitle": "Aprobar o denegar el acceso al dispositivo",
+    "approvalsBannerDescription": "Revisar y aprobar o denegar las solicitudes de acceso al dispositivo de los usuarios. Cuando se requieren aprobaciones de dispositivos, los usuarios deben obtener la aprobación del administrador antes de que sus dispositivos puedan conectarse a los recursos de su organización.",
+    "approvalsBannerButtonText": "Saber más",
    "siteCreate": "Crear sitio",
    "siteCreateDescription2": "Siga los pasos siguientes para crear y conectar un nuevo sitio",
    "siteCreateDescription": "Crear un nuevo sitio para empezar a conectar recursos",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Determina cómo quieres conectarte al sitio",
    "siteNewtCredentials": "Credenciales",
    "siteNewtCredentialsDescription": "Así es como el sitio se autentificará con el servidor",
+    "remoteNodeCredentialsDescription": "Así es como el nodo remoto se autentificará con el servidor",
    "siteCredentialsSave": "Guardar las credenciales",
    "siteCredentialsSaveDescription": "Sólo podrás verlo una vez. Asegúrate de copiarlo a un lugar seguro.",
    "siteInfo": "Información del sitio",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Por favor, seleccione un recurso",
    "proxyResourceTitle": "Administrar recursos públicos",
    "proxyResourceDescription": "Crear y administrar recursos que sean accesibles públicamente a través de un navegador web",
+    "proxyResourcesBannerTitle": "Acceso público basado en web",
+    "proxyResourcesBannerDescription": "Los recursos públicos son proxies HTTPS o TCP/UDP accesibles a cualquiera en Internet a través de un navegador web. A diferencia de los recursos privados, no requieren software del lado del cliente e incluye políticas de acceso basadas en identidad y contexto.",
    "clientResourceTitle": "Administrar recursos privados",
    "clientResourceDescription": "Crear y administrar recursos que sólo son accesibles a través de un cliente conectado",
+    "privateResourcesBannerTitle": "Acceso privado de confianza cero",
+    "privateResourcesBannerDescription": "Los recursos privados usan seguridad de confianza cero, asegurando que usuarios y máquinas solo puedan acceder a los recursos que usted conceda explícitamente. Conecte dispositivos de usuario o clientes de máquinas para acceder a estos recursos a través de una red privada virtual segura.",
    "resourcesSearch": "Buscar recursos...",
    "resourceAdd": "Añadir Recurso",
    "resourceErrorDelte": "Error al eliminar el recurso",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Una vez eliminado, el recurso ya no será accesible. Todos los objetivos asociados con el recurso también serán eliminados.",
    "resourceQuestionRemove": "¿Está seguro que desea eliminar el recurso de la organización?",
    "resourceHTTP": "HTTPS Recurso",
-    "resourceHTTPDescription": "Solicitudes de proxy a la aplicación sobre HTTPS usando un subdominio o dominio base.",
+    "resourceHTTPDescription": "Proxy proporciona solicitudes sobre HTTPS usando un nombre de dominio completamente calificado.",
    "resourceRaw": "Recurso TCP/UDP sin procesar",
-    "resourceRawDescription": "Solicitudes de proxy a la aplicación a través de TCP/UDP usando un número de puerto. Esto solo funciona cuando los sitios están conectados a nodos.",
+    "resourceRawDescription": "Proxy proporciona solicitudes sobre TCP/UDP usando un número de puerto.",
    "resourceCreate": "Crear Recurso",
    "resourceCreateDescription": "Siga los siguientes pasos para crear un nuevo recurso",
    "resourceSeeAll": "Ver todos los recursos",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Buscar roles...",
    "accessRolesAdd": "Añadir rol",
    "accessRoleDelete": "Eliminar rol",
+    "accessApprovalsManage": "Administrar aprobaciones",
+    "accessApprovalsDescription": "Ver y administrar aprobaciones pendientes para el acceso a esta organización",
    "description": "Descripción",
    "inviteTitle": "Invitaciones abiertas",
    "inviteDescription": "Administrar invitaciones para que otros usuarios se unan a la organización",
@@ -440,6 +455,18 @@
    "selectDuration": "Seleccionar duración",
    "selectResource": "Seleccionar Recurso",
    "filterByResource": "Filtrar por Recurso",
+    "selectApprovalState": "Seleccionar Estado de Aprobación",
+    "filterByApprovalState": "Filtrar por estado de aprobación",
+    "approvalListEmpty": "No hay aprobaciones",
+    "approvalState": "Estado de aprobación",
+    "approve": "Aprobar",
+    "approved": "Aprobado",
+    "denied": "Denegado",
+    "deniedApproval": "Aprobación denegada",
+    "all": "Todo",
+    "deny": "Denegar",
+    "viewDetails": "Ver detalles",
+    "requestingNewDeviceApproval": "solicitó un nuevo dispositivo",
    "resetFilters": "Reiniciar filtros",
    "totalBlocked": "Solicitudes bloqueadas por Pangolin",
    "totalRequests": "Solicitudes totales",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Los administradores siempre pueden acceder a este recurso.",
    "resourceUsersRoles": "Controles de acceso",
    "resourceUsersRolesDescription": "Configurar qué usuarios y roles pueden visitar este recurso",
-    "resourceUsersRolesSubmit": "Guardar usuarios y roles",
+    "resourceUsersRolesSubmit": "Guardar controles de acceso",
    "resourceWhitelistSave": "Guardado correctamente",
    "resourceWhitelistSaveDescription": "Se han guardado los ajustes de la lista blanca",
    "ssoUse": "Usar Plataforma SSO",
@@ -719,16 +746,28 @@
    "countries": "Países",
    "accessRoleCreate": "Crear rol",
    "accessRoleCreateDescription": "Crear un nuevo rol para agrupar usuarios y administrar sus permisos.",
+    "accessRoleEdit": "Editar rol",
+    "accessRoleEditDescription": "Editar información de rol.",
    "accessRoleCreateSubmit": "Crear rol",
    "accessRoleCreated": "Rol creado",
    "accessRoleCreatedDescription": "El rol se ha creado correctamente.",
    "accessRoleErrorCreate": "Error al crear el rol",
    "accessRoleErrorCreateDescription": "Se ha producido un error al crear el rol.",
+    "accessRoleUpdateSubmit": "Actualizar rol",
+    "accessRoleUpdated": "Rol actualizado",
+    "accessRoleUpdatedDescription": "El rol se ha actualizado correctamente.",
+    "accessApprovalUpdated": "Aprobación procesada",
+    "accessApprovalApprovedDescription": "Establezca la decisión de Solicitud de Aprobación a aprobar.",
+    "accessApprovalDeniedDescription": "Define la decisión de Solicitud de Aprobación a denegar.",
+    "accessRoleErrorUpdate": "Error al actualizar el rol",
+    "accessRoleErrorUpdateDescription": "Se ha producido un error al actualizar el rol.",
+    "accessApprovalErrorUpdate": "Error al procesar la aprobación",
+    "accessApprovalErrorUpdateDescription": "Se ha producido un error al procesar la aprobación.",
    "accessRoleErrorNewRequired": "Se requiere un nuevo rol",
    "accessRoleErrorRemove": "Error al eliminar el rol",
    "accessRoleErrorRemoveDescription": "Ocurrió un error mientras se eliminaba el rol.",
    "accessRoleName": "Nombre del Rol",
-    "accessRoleQuestionRemove": "Estás a punto de eliminar el rol {name} . No puedes deshacer esta acción.",
+    "accessRoleQuestionRemove": "Estás a punto de eliminar el rol `{name}`. No puedes deshacer esta acción.",
    "accessRoleRemove": "Quitar rol",
    "accessRoleRemoveDescription": "Eliminar un rol de la organización",
    "accessRoleRemoveSubmit": "Quitar rol",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Configurar acceso para una organización",
    "idpUpdatedDescription": "Proveedor de identidad actualizado correctamente",
    "redirectUrl": "URL de redirección",
+    "orgIdpRedirectUrls": "Redirigir URL",
    "redirectUrlAbout": "Acerca de la URL de redirección",
    "redirectUrlAboutDescription": "Esta es la URL a la que los usuarios serán redireccionados después de la autenticación. Necesitas configurar esta URL en la configuración del proveedor de identidad.",
    "pangolinAuth": "Autenticación - Pangolin",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Código de autenticación",
    "pincodeSubmit2": "Enviar código",
    "passwordResetSubmit": "Reiniciar Solicitud",
-    "passwordResetAlreadyHaveCode": "Introduzca el código de restablecimiento de contraseña",
+    "passwordResetAlreadyHaveCode": "Ingresar código",
    "passwordResetSmtpRequired": "Póngase en contacto con su administrador",
    "passwordResetSmtpRequiredDescription": "Se requiere un código de restablecimiento de contraseña para restablecer su contraseña. Póngase en contacto con su administrador para obtener asistencia.",
    "passwordBack": "Volver a la contraseña",
-    "loginBack": "Volver a iniciar sesión",
+    "loginBack": "Volver a la página principal de acceso",
    "signup": "Regístrate",
    "loginStart": "Inicia sesión para empezar",
    "idpOidcTokenValidating": "Validando token OIDC",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Actualizar usuario Org",
    "createOrgUser": "Crear usuario Org",
    "actionUpdateOrg": "Actualizar organización",
+    "actionRemoveInvitation": "Eliminar invitación",
    "actionUpdateUser": "Actualizar usuario",
    "actionGetUser": "Obtener usuario",
    "actionGetOrgUser": "Obtener usuario de la organización",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Obtener sitio",
    "actionListSites": "Listar sitios",
    "actionApplyBlueprint": "Aplicar plano",
+    "actionListBlueprints": "Listar blueprints",
+    "actionGetBlueprint": "Obtener blueprint",
    "setupToken": "Configuración de token",
    "setupTokenDescription": "Ingrese el token de configuración desde la consola del servidor.",
    "setupTokenRequired": "Se requiere el token de configuración",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Actualizar IDP Org",
    "actionCreateClient": "Crear cliente",
    "actionDeleteClient": "Eliminar cliente",
+    "actionArchiveClient": "Archivar cliente",
+    "actionUnarchiveClient": "Desarchivar cliente",
+    "actionBlockClient": "Bloquear cliente",
+    "actionUnblockClient": "Desbloquear cliente",
    "actionUpdateClient": "Actualizar cliente",
    "actionListClients": "Listar clientes",
    "actionGetClient": "Obtener cliente",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Buscar...",
    "create": "Crear",
    "orgs": "Organizaciones",
-    "loginError": "Se ha producido un error al iniciar sesión",
-    "loginRequiredForDevice": "Es necesario iniciar sesión para autenticar tu dispositivo.",
+    "loginError": "Ocurrió un error inesperado. Por favor, inténtelo de nuevo.",
+    "loginRequiredForDevice": "Es necesario iniciar sesión para tu dispositivo.",
    "passwordForgot": "¿Olvidaste tu contraseña?",
    "otpAuth": "Autenticación de dos factores",
    "otpAuthDescription": "Introduzca el código de su aplicación de autenticación o uno de sus códigos de copia de seguridad de un solo uso.",
    "otpAuthSubmit": "Enviar código",
    "idpContinue": "O continuar con",
-    "otpAuthBack": "Volver a iniciar sesión",
+    "otpAuthBack": "Volver a la contraseña",
    "navbar": "Menú de navegación",
    "navbarDescription": "Menú de navegación principal para la aplicación",
    "navbarDocsLink": "Documentación",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Resumen",
    "sidebarHome": "Inicio",
    "sidebarSites": "Sitios",
+    "sidebarApprovals": "Solicitudes de aprobación",
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Proveedores de identidad",
    "sidebarLicense": "Licencia",
    "sidebarClients": "Clientes",
-    "sidebarUserDevices": "Usuarios",
+    "sidebarUserDevices": "Dispositivos de usuario",
    "sidebarMachineClients": "Máquinas",
    "sidebarDomains": "Dominios",
-    "sidebarGeneral": "General",
+    "sidebarGeneral": "Gestionar",
    "sidebarLogAndAnalytics": "Registro y análisis",
    "sidebarBluePrints": "Planos",
    "sidebarOrganization": "Organización",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Se produjo un error al crear la cuenta de administrador del servidor.",
    "certificateStatus": "Estado del certificado",
    "loading": "Cargando",
+    "loadingAnalytics": "Cargando analíticas",
    "restart": "Reiniciar",
    "domains": "Dominios",
    "domainsDescription": "Crear y administrar dominios disponibles en la organización",
@@ -1290,6 +1339,7 @@
    "refreshError": "Error al actualizar datos",
    "verified": "Verificado",
    "pending": "Pendiente",
+    "pendingApproval": "Pendientes de aprobación",
    "sidebarBilling": "Facturación",
    "billing": "Facturación",
    "orgBillingDescription": "Administrar información de facturación y suscripciones",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "¡Configuración de cuenta completada! ¡Bienvenido a Pangolin!",
    "documentation": "Documentación",
    "saveAllSettings": "Guardar todos los ajustes",
+    "saveResourceTargets": "Guardar objetivos",
+    "saveResourceHttp": "Guardar ajustes de proxy",
+    "saveProxyProtocol": "Guardar configuraciones del protocolo de proxy",
    "settingsUpdated": "Ajustes actualizados",
-    "settingsUpdatedDescription": "Todos los ajustes han sido actualizados exitosamente",
+    "settingsUpdatedDescription": "Configuraciones actualizadas correctamente",
    "settingsErrorUpdate": "Error al actualizar ajustes",
    "settingsErrorUpdateDescription": "Ocurrió un error al actualizar ajustes",
    "sidebarCollapse": "Colapsar",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Llave de seguridad eliminada exitosamente",
    "securityKeyRemoveError": "Error al eliminar la llave de seguridad",
    "securityKeyLoadError": "Error al cargar las llaves de seguridad",
-    "securityKeyLogin": "Continuar con clave de seguridad",
+    "securityKeyLogin": "Usar clave de seguridad",
    "securityKeyAuthError": "Error al autenticar con llave de seguridad",
    "securityKeyRecommendation": "Considere registrar otra llave de seguridad en un dispositivo diferente para asegurarse de no quedar bloqueado de su cuenta.",
    "registering": "Registrando...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Estoy de acuerdo con los",
        "termsOfService": "términos del servicio",
        "and": "y",
-        "privacyPolicy": "política de privacidad"
+        "privacyPolicy": "política de privacidad."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Mantenerme en el bucle con noticias, actualizaciones y nuevas características por correo electrónico."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Agregar nuevo destino",
    "targetsList": "Lista de destinos",
    "advancedMode": "Modo avanzado",
+    "advancedSettings": "Configuración avanzada",
    "targetErrorDuplicateTargetFound": "Se encontró un destino duplicado",
    "healthCheckHealthy": "Saludable",
    "healthCheckUnhealthy": "No saludable",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Intervalo Saludable",
    "timeoutSeconds": "Tiempo agotado (seg)",
    "timeIsInSeconds": "El tiempo está en segundos",
+    "requireDeviceApproval": "Requiere aprobaciones del dispositivo",
+    "requireDeviceApprovalDescription": "Los usuarios con este rol necesitan nuevos dispositivos aprobados por un administrador antes de poder conectarse y acceder a los recursos.",
    "retryAttempts": "Intentos de Reintento",
    "expectedResponseCodes": "Códigos de respuesta esperados",
    "expectedResponseCodesDescription": "Código de estado HTTP que indica un estado saludable. Si se deja en blanco, se considera saludable de 200 a 300.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "No se encontraron recursos internos.",
    "resourcesTableDestination": "Destino",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Dirección del alias",
+    "resourcesTableAliasAddressInfo": "Esta dirección es parte de la subred de utilidad de la organización. Se utiliza para resolver registros de alias usando resolución DNS interna.",
    "resourcesTableClients": "Clientes",
    "resourcesTableAndOnlyAccessibleInternally": "y solo son accesibles internamente cuando se conectan con un cliente.",
    "resourcesTableNoTargets": "Sin objetivos",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Propiedades del recurso",
    "createInternalResourceDialogName": "Nombre",
    "createInternalResourceDialogSite": "Sitio",
-    "createInternalResourceDialogSelectSite": "Seleccionar sitio...",
-    "createInternalResourceDialogSearchSites": "Buscar sitios...",
-    "createInternalResourceDialogNoSitesFound": "Sitios no encontrados.",
+    "selectSite": "Seleccionar sitio...",
+    "noSitesFound": "Sitios no encontrados.",
    "createInternalResourceDialogProtocol": "Protocolo",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "La dirección interna del sitio. Debe estar dentro de la subred de la organización.",
    "siteNameDescription": "El nombre mostrado del sitio que se puede cambiar más adelante.",
    "autoLoginExternalIdp": "Inicio de sesión automático con IDP externo",
-    "autoLoginExternalIdpDescription": "Redirigir inmediatamente al usuario al IDP externo para autenticación.",
+    "autoLoginExternalIdpDescription": "Redirigir inmediatamente al usuario al proveedor de identidad externo para autenticación.",
    "selectIdp": "Seleccionar IDP",
    "selectIdpPlaceholder": "Elegir un IDP...",
    "selectIdpRequired": "Por favor seleccione un IDP cuando el inicio de sesión automático esté habilitado.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "No se recibió URL de redirección del proveedor de identidad.",
    "autoLoginErrorGeneratingUrl": "Error al generar URL de autenticación.",
    "remoteExitNodeManageRemoteExitNodes": "Nodos remotos",
-    "remoteExitNodeDescription": "Autoalojar uno o más nodos remotos para extender la conectividad de red y reducir la dependencia de la nube",
+    "remoteExitNodeDescription": "Aloje su propio nodo de retransmisión y proxy server sin depender de terceros.",
    "remoteExitNodes": "Nodos",
    "searchRemoteExitNodes": "Buscar nodos...",
    "remoteExitNodeAdd": "Añadir Nodo",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Confirmar eliminar nodo",
    "remoteExitNodeDelete": "Eliminar Nodo",
    "sidebarRemoteExitNodes": "Nodos remotos",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Secreto",
    "remoteExitNodeCreate": {
-        "title": "Crear Nodo",
-        "description": "Crear un nuevo nodo para extender la conectividad de red",
+        "title": "Crear nodo remoto",
+        "description": "Crea un nuevo nodo de retransmisión y proxy server autogestionado",
        "viewAllButton": "Ver todos los nodos",
        "strategy": {
            "title": "Estrategia de Creación",
-            "description": "Elija esto para configurar manualmente el nodo o generar nuevas credenciales.",
+            "description": "Selecciona cómo quieres crear el nodo remoto",
            "adopt": {
                "title": "Adoptar Nodo",
                "description": "Elija esto si ya tiene las credenciales para el nodo."
            },
            "generate": {
                "title": "Generar Claves",
-                "description": "Elija esto si desea generar nuevas claves para el nodo"
+                "description": "Elija esto si desea generar nuevas claves para el nodo."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Subred",
    "subnetDescription": "La subred para la configuración de red de esta organización.",
-    "authPage": "Página Auth",
-    "authPageDescription": "Configurar la página de autenticación para la organización",
+    "customDomain": "Dominio personalizado",
+    "authPage": "Páginas de autenticación",
+    "authPageDescription": "Establecer un dominio personalizado para las páginas de autenticación de la organización",
    "authPageDomain": "Dominio de la página Auth",
+    "authPageBranding": "Marca personalizada",
+    "authPageBrandingDescription": "Configure la marca que aparece en las páginas de autenticación de esta organización",
+    "authPageBrandingUpdated": "Marca de la página de autenticación actualizada correctamente",
+    "authPageBrandingRemoved": "Marca de la página de autenticación eliminada correctamente",
+    "authPageBrandingRemoveTitle": "Eliminar marca de la página de autenticación",
+    "authPageBrandingQuestionRemove": "¿Está seguro de que desea eliminar la marca de las páginas de autenticación?",
+    "authPageBrandingDeleteConfirm": "Confirmar eliminación de la marca",
+    "brandingLogoURL": "URL del logotipo",
+    "brandingPrimaryColor": "Color primario",
+    "brandingLogoWidth": "Ancho (px)",
+    "brandingLogoHeight": "Altura (px)",
+    "brandingOrgTitle": "Título para la página de autenticación de la organización",
+    "brandingOrgDescription": "{orgName} será reemplazado por el nombre de la organización",
+    "brandingOrgSubtitle": "Subtítulo para la página de autenticación de la organización",
+    "brandingResourceTitle": "Título para la página de autenticación de recursos",
+    "brandingResourceSubtitle": "Subtítulo para la página de autenticación de recursos",
+    "brandingResourceDescription": "{resourceName} será reemplazado por el nombre de la organización",
+    "saveAuthPageDomain": "Guardar dominio",
+    "saveAuthPageBranding": "Guardar marca",
+    "removeAuthPageBranding": "Eliminar marca",
    "noDomainSet": "Ningún dominio establecido",
    "changeDomain": "Cambiar dominio",
    "selectDomain": "Seleccionar dominio",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Establecer dominio Auth Page",
    "failedToFetchCertificate": "Error al obtener el certificado",
    "failedToRestartCertificate": "Error al reiniciar el certificado",
-    "addDomainToEnableCustomAuthPages": "Añadir un dominio para habilitar páginas de autenticación personalizadas para la organización",
+    "addDomainToEnableCustomAuthPages": "Los usuarios podrán acceder a la página de inicio de sesión de la organización y completar la autenticación de recursos utilizando este dominio.",
    "selectDomainForOrgAuthPage": "Seleccione un dominio para la página de autenticación de la organización",
    "domainPickerProvidedDomain": "Dominio proporcionado",
    "domainPickerFreeProvidedDomain": "Dominio proporcionado gratis",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "No se ha podido hacer válido \"{sub}\" para {domain}.",
    "domainPickerSubdomainSanitized": "Subdominio saneado",
    "domainPickerSubdomainCorrected": "\"{sub}\" fue corregido a \"{sanitized}\"",
-    "orgAuthSignInTitle": "Iniciar sesión en la organización",
+    "orgAuthSignInTitle": "Inicio de sesión de organización",
    "orgAuthChooseIdpDescription": "Elige tu proveedor de identidad para continuar",
    "orgAuthNoIdpConfigured": "Esta organización no tiene ningún proveedor de identidad configurado. En su lugar puedes iniciar sesión con tu identidad de Pangolin.",
    "orgAuthSignInWithPangolin": "Iniciar sesión con Pangolin",
+    "orgAuthSignInToOrg": "Iniciar sesión en una organización",
+    "orgAuthSelectOrgTitle": "Inicio de sesión de organización",
+    "orgAuthSelectOrgDescription": "Ingrese el ID de su organización para continuar",
+    "orgAuthOrgIdPlaceholder": "tu-organización",
+    "orgAuthOrgIdHelp": "Ingrese el identificador único de su organización",
+    "orgAuthSelectOrgHelp": "Después de ingresar el ID de su organización, se le llevará a la página de inicio de sesión de su organización donde podrá usar SSO o sus credenciales de organización.",
+    "orgAuthRememberOrgId": "Recordar este ID de organización",
+    "orgAuthBackToSignIn": "Volver a iniciar sesión estándar",
+    "orgAuthNoAccount": "¿No tienes una cuenta?",
    "subscriptionRequiredToUse": "Se requiere una suscripción para utilizar esta función.",
    "idpDisabled": "Los proveedores de identidad están deshabilitados.",
    "orgAuthPageDisabled": "La página de autenticación de la organización está deshabilitada.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Habilitar autenticación de doble factor",
    "completeSecuritySteps": "Pasos de seguridad completos",
    "securitySettings": "Ajustes de seguridad",
+    "dangerSection": "Zona de peligro",
+    "dangerSectionDescription": "Eliminar permanentemente todos los datos asociados con esta organización",
    "securitySettingsDescription": "Configurar políticas de seguridad para la organización",
    "requireTwoFactorForAllUsers": "Requiere autenticación de doble factor para todos los usuarios",
    "requireTwoFactorDescription": "Cuando está activado, todos los usuarios internos de esta organización deben tener habilitada la autenticación de dos factores para acceder a la organización.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Esto afectará a todos los usuarios de la organización",
    "authPageErrorUpdateMessage": "Ocurrió un error mientras se actualizaban los ajustes de la página auth",
    "authPageErrorUpdate": "No se puede actualizar la página de autenticación",
-    "authPageUpdated": "Página auth actualizada correctamente",
+    "authPageDomainUpdated": "Dominio de la página de autenticación actualizado correctamente",
    "healthCheckNotAvailable": "Local",
    "rewritePath": "Reescribir Ruta",
    "rewritePathDescription": "Opcionalmente reescribe la ruta antes de reenviar al destino.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Dispositivos de usuario",
    "manageUserDevicesDescription": "Ver y administrar dispositivos que los usuarios utilizan para conectarse a recursos privados",
+    "downloadClientBannerTitle": "Descargar cliente Pangolin",
+    "downloadClientBannerDescription": "Descargue el cliente Pangolin para su sistema para conectarse a la red Pangolin y acceder a recursos de forma privada.",
    "manageMachineClients": "Administrar clientes de máquinas",
    "manageMachineClientsDescription": "Crear y administrar clientes que servidores y sistemas utilizan para conectarse de forma privada a recursos",
+    "machineClientsBannerTitle": "Servidores y sistemas automatizados",
+    "machineClientsBannerDescription": "Los clientes de máquinas son para servidores y sistemas automatizados que no están asociados con un usuario específico. Se autentican con una ID y un secreto, y pueden ejecutarse con Pangolin CLI, Olm CLI o Olm como un contenedor.",
+    "machineClientsBannerPangolinCLI": "CLI de Pangolin",
+    "machineClientsBannerOlmCLI": "CLI de Olm",
+    "machineClientsBannerOlmContainer": "Contenedor de Olm",
    "clientsTableUserClients": "Usuario",
    "clientsTableMachineClients": "Maquina",
    "licenseTableValidUntil": "Válido hasta",
@@ -2060,13 +2158,15 @@
    "request": "Solicitud",
    "requests": "Solicitudes",
    "logs": "Registros",
-    "logsSettingsDescription": "Monitorear registros recogidos de esta orginización",
+    "logsSettingsDescription": "Monitorear registros recolectados de esta organización",
    "searchLogs": "Buscar registros...",
    "action": "Accin",
    "actor": "Actor",
    "timestamp": "Timestamp",
    "accessLogs": "Registros de acceso",
    "exportCsv": "Exportar CSV",
+    "exportError": "Error desconocido al exportar CSV",
+    "exportCsvTooltip": "Dentro del rango de tiempo",
    "actorId": "ID de Actor",
    "allowedByRule": "Permitido por regla",
    "allowedNoAuth": "No se permite autorización",
@@ -2120,7 +2220,7 @@
    "unverified": "Sin verificar",
    "domainSetting": "Ajustes de dominio",
    "domainSettingDescription": "Configurar ajustes para el dominio",
-    "preferWildcardCertDescription": "Intento de generar un certificado comodín (requiere una resolución de certificados correctamente configurada).",
+    "preferWildcardCertDescription": "Intentar generar un certificado comodín (requiere un resolvedor de certificados configurado correctamente).",
    "recordName": "Nombre del registro",
    "auto": "Auto",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "El código debe tener 9 caracteres (por ejemplo, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Código no válido o caducado",
    "deviceCodeVerifyFailed": "Error al verificar el código del dispositivo",
+    "deviceCodeValidating": "Validando código de dispositivo...",
+    "deviceCodeVerifying": "Verificando autorización del dispositivo...",
    "signedInAs": "Conectado como",
    "deviceCodeEnterPrompt": "Introduzca el código mostrado en el dispositivo",
    "continue": "Continuar",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Acceso a todas las organizaciones a las que su cuenta tiene acceso",
    "deviceAuthorize": "Autorizar a {applicationName}",
    "deviceConnected": "¡Dispositivo conectado!",
-    "deviceAuthorizedMessage": "El dispositivo está autorizado para acceder a su cuenta.",
+    "deviceAuthorizedMessage": "El dispositivo está autorizado para acceder a su cuenta. Por favor, vuelva a la aplicación cliente.",
    "pangolinCloud": "Nube de Pangolin",
    "viewDevices": "Ver dispositivos",
    "viewDevicesDescription": "Administra tus dispositivos conectados",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "¿No tú? Utilice una cuenta diferente.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo está solicitando acceso a esta cuenta.",
+    "loginSelectAuthenticationMethod": "Seleccione un método de autenticación para continuar.",
    "noData": "Sin datos",
    "machineClients": "Clientes de la máquina",
    "install": "Instalar",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "No se pudo obtener la subred por defecto",
    "setupSubnetAdvanced": "Subred (Avanzado)",
    "setupSubnetDescription": "La subred de la red interna de esta organización.",
+    "setupUtilitySubnet": "Subred de utilidad (Avanzado)",
+    "setupUtilitySubnetDescription": "La subred de direcciones alias y el servidor DNS de esta organización.",
    "siteRegenerateAndDisconnect": "Regenerar y desconectar",
    "siteRegenerateAndDisconnectConfirmation": "¿Está seguro que desea regenerar las credenciales y desconectar este sitio?",
    "siteRegenerateAndDisconnectWarning": "Esto regenerará las credenciales y desconectará inmediatamente el sitio. El sitio tendrá que reiniciarse con las nuevas credenciales.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Esto regenerará las credenciales y desconectará inmediatamente el nodo de salida remoto. El nodo de salida remoto tendrá que reiniciarse con las nuevas credenciales.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "¿Estás seguro de que quieres regenerar las credenciales para este nodo de salida remoto?",
    "remoteExitNodeRegenerateCredentialsWarning": "Esto regenerará las credenciales. El nodo de salida remoto permanecerá conectado hasta que lo reinicie manualmente y utilice las nuevas credenciales.",
-    "agent": "Agente"
+    "agent": "Agente",
+    "personalUseOnly": "Solo para uso personal",
+    "loginPageLicenseWatermark": "Esta instancia está licenciada solo para uso personal.",
+    "instanceIsUnlicensed": "Esta instancia no tiene licencia.",
+    "portRestrictions": "Restricciones de puerto",
+    "allPorts": "Todo",
+    "custom": "Personalizado",
+    "allPortsAllowed": "Todos los puertos permitidos",
+    "allPortsBlocked": "Todos los puertos bloqueados",
+    "tcpPortsDescription": "Especifique qué puertos TCP están permitidos para este recurso. Use '*' para todos los puertos, déjelo vacío para bloquear todos, o ingrese una lista separada por comas de puertos y rangos (por ejemplo, 80,443,8000-9000).",
+    "udpPortsDescription": "Especifique qué puertos UDP están permitidos para este recurso. Use '*' para todos los puertos, déjelo vacío para bloquear todos, o ingrese una lista separada por comas de puertos y rangos (por ejemplo, 53,123,500-600).",
+    "organizationLoginPageTitle": "Página de inicio de sesión de la organización",
+    "organizationLoginPageDescription": "Personaliza la página de inicio de sesión para esta organización",
+    "resourceLoginPageTitle": "Página de inicio de sesión de recursos",
+    "resourceLoginPageDescription": "Personaliza la página de inicio de sesión para recursos individuales",
+    "enterConfirmation": "Ingresar confirmación",
+    "blueprintViewDetails": "Detalles",
+    "defaultIdentityProvider": "Proveedor de identidad predeterminado",
+    "defaultIdentityProviderDescription": "Cuando se selecciona un proveedor de identidad por defecto, el usuario será redirigido automáticamente al proveedor de autenticación.",
+    "editInternalResourceDialogNetworkSettings": "Configuración de red",
+    "editInternalResourceDialogAccessPolicy": "Política de acceso",
+    "editInternalResourceDialogAddRoles": "Agregar roles",
+    "editInternalResourceDialogAddUsers": "Agregar usuarios",
+    "editInternalResourceDialogAddClients": "Agregar clientes",
+    "editInternalResourceDialogDestinationLabel": "Destino",
+    "editInternalResourceDialogDestinationDescription": "Especifique la dirección de destino para el recurso interno. Puede ser un nombre de host, dirección IP o rango CIDR dependiendo del modo seleccionado. Opcionalmente establezca un alias DNS interno para una identificación más fácil.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Restringir el acceso a puertos TCP/UDP específicos o permitir/bloquear todos los puertos.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Control de acceso",
+    "editInternalResourceDialogAccessControlDescription": "Controla qué roles, usuarios y clientes de máquinas tienen acceso a este recurso cuando están conectados. Los administradores siempre tienen acceso.",
+    "editInternalResourceDialogPortRangeValidationError": "El rango de puertos debe ser \"*\" para todos los puertos, o una lista separada por comas de puertos y rangos (por ejemplo, \"80,443,8000-9000\"). Los puertos deben estar entre 1 y 65535.",
+    "orgAuthWhatsThis": "¿Dónde puedo encontrar el ID de mi organización?",
+    "learnMore": "Más información",
+    "backToHome": "Volver a inicio",
+    "needToSignInToOrg": "¿Necesita usar el proveedor de identidad de su organización?",
+    "maintenanceMode": "Modo de mantenimiento",
+    "maintenanceModeDescription": "Muestra una página de mantenimiento a los visitantes",
+    "maintenanceModeType": "Tipo de modo de mantenimiento",
+    "showMaintenancePage": "Mostrar página de mantenimiento a los visitantes",
+    "enableMaintenanceMode": "Habilitar modo de mantenimiento",
+    "automatic": "Automático",
+    "automaticModeDescription": "Mostrar página de mantenimiento solo cuando todos los objetivos de backend están caídos o no saludables. Su recurso continúa funcionando normalmente siempre que al menos un objetivo esté saludable.",
+    "forced": "Forzado",
+    "forcedModeDescription": "Mostrar siempre la página de mantenimiento independientemente de la salud del backend. Use esto para mantenimiento planificado cuando desee evitar todo acceso.",
+    "warning:": "Advertencia:",
+    "forcedeModeWarning": "Todo el tráfico será dirigido a la página de mantenimiento. Sus recursos de backend no recibirán solicitudes.",
+    "pageTitle": "Título de la página",
+    "pageTitleDescription": "El encabezado principal visible en la página de mantenimiento",
+    "maintenancePageMessage": "Mensaje de mantenimiento",
+    "maintenancePageMessagePlaceholder": "¡Volveremos pronto! Nuestro sitio está actualmente en mantenimiento programado.",
+    "maintenancePageMessageDescription": "Mensaje detallado explicando el mantenimiento",
+    "maintenancePageTimeTitle": "Tiempo estimado de finalización (Opcional)",
+    "maintenanceTime": "Ej., 2 horas, 1 de noviembre a las 5:00 PM",
+    "maintenanceEstimatedTimeDescription": "Cuando espera que el mantenimiento esté terminado",
+    "editDomain": "Editar dominio",
+    "editDomainDescription": "Seleccione un dominio para su recurso",
+    "maintenanceModeDisabledTooltip": "Esta función requiere una licencia válida para ser habilitada.",
+    "maintenanceScreenTitle": "Servicio temporalmente no disponible",
+    "maintenanceScreenMessage": "Actualmente estamos experimentando dificultades técnicas. Por favor regrese pronto.",
+    "maintenanceScreenEstimatedCompletion": "Estimado completado:",
+    "createInternalResourceDialogDestinationRequired": "Se requiere destino",
+    "available": "Disponible",
+    "archived": "Archivado",
+    "noArchivedDevices": "No se encontraron dispositivos archivados",
+    "deviceArchived": "Dispositivo archivado",
+    "deviceArchivedDescription": "El dispositivo se ha archivado correctamente.",
+    "errorArchivingDevice": "Error al archivar dispositivo",
+    "failedToArchiveDevice": "Error al archivar el dispositivo",
+    "deviceQuestionArchive": "¿Está seguro que desea archivar este dispositivo?",
+    "deviceMessageArchive": "El dispositivo será archivado y eliminado de su lista de dispositivos activos.",
+    "deviceArchiveConfirm": "Archivar dispositivo",
+    "archiveDevice": "Archivar dispositivo",
+    "archive": "Archivar",
+    "deviceUnarchived": "Dispositivo desarchivado",
+    "deviceUnarchivedDescription": "El dispositivo se ha desarchivado correctamente.",
+    "errorUnarchivingDevice": "Error al desarchivar dispositivo",
+    "failedToUnarchiveDevice": "Error al desarchivar el dispositivo",
+    "unarchive": "Desarchivar",
+    "archiveClient": "Archivar cliente",
+    "archiveClientQuestion": "¿Está seguro que desea archivar este cliente?",
+    "archiveClientMessage": "El cliente será archivado y eliminado de su lista de clientes activos.",
+    "archiveClientConfirm": "Archivar cliente",
+    "blockClient": "Bloquear cliente",
+    "blockClientQuestion": "¿Estás seguro de que quieres bloquear a este cliente?",
+    "blockClientMessage": "El dispositivo será forzado a desconectarse si está conectado actualmente. Puede desbloquear el dispositivo más tarde.",
+    "blockClientConfirm": "Bloquear cliente",
+    "active": "Activo",
+    "usernameOrEmail": "Nombre de usuario o email",
+    "selectYourOrganization": "Seleccione su organización",
+    "signInTo": "Iniciar sesión en",
+    "signInWithPassword": "Continuar con la contraseña",
+    "noAuthMethodsAvailable": "No hay métodos de autenticación disponibles para esta organización.",
+    "enterPassword": "Introduzca su contraseña",
+    "enterMfaCode": "Introduzca el código de su aplicación de autenticación",
+    "securityKeyRequired": "Utilice su clave de seguridad para iniciar sesión.",
+    "needToUseAnotherAccount": "¿Necesitas usar una cuenta diferente?",
+    "loginLegalDisclaimer": "Al hacer clic en los botones de abajo, reconoces que has leído, comprendido, y acepta los <termsOfService>Términos de Servicio</termsOfService> y <privacyPolicy>Política de Privacidad</privacyPolicy>.",
+    "termsOfService": "Términos de Servicio",
+    "privacyPolicy": "Política de privacidad",
+    "userNotFoundWithUsername": "Ningún usuario encontrado con ese nombre de usuario.",
+    "verify": "Verificar",
+    "signIn": "Iniciar sesión",
+    "forgotPassword": "¿Olvidaste la contraseña?",
+    "orgSignInTip": "Si has iniciado sesión antes, puedes introducir tu nombre de usuario o correo electrónico arriba para autenticarte con el proveedor de identidad de tu organización. ¡Es más fácil!",
+    "continueAnyway": "Continuar de todos modos",
+    "dontShowAgain": "No volver a mostrar",
+    "orgSignInNotice": "¿Sabía usted?",
+    "signupOrgNotice": "¿Intentando iniciar sesión?",
+    "signupOrgTip": "¿Estás intentando iniciar sesión a través del proveedor de identidad de tu organización?",
+    "signupOrgLink": "Inicia sesión o regístrate con tu organización",
+    "verifyEmailLogInWithDifferentAccount": "Usar una cuenta diferente",
+    "logIn": "Iniciar sesión",
+    "deviceInformation": "Información del dispositivo",
+    "deviceInformationDescription": "Información sobre el dispositivo y el agente",
+    "deviceSecurity": "Seguridad del dispositivo",
+    "deviceSecurityDescription": "Información de postura de seguridad del dispositivo",
+    "platform": "Plataforma",
+    "macosVersion": "versión macOS",
+    "windowsVersion": "Versión de Windows",
+    "iosVersion": "Versión de iOS",
+    "androidVersion": "Versión de Android",
+    "osVersion": "Versión del SO",
+    "kernelVersion": "Versión de Kernel",
+    "deviceModel": "Modelo de dispositivo",
+    "serialNumber": "Número Serial",
+    "hostname": "Hostname",
+    "firstSeen": "Primer detectado",
+    "lastSeen": "Último Visto",
+    "biometricsEnabled": "Biometría habilitada",
+    "diskEncrypted": "Disco cifrado",
+    "firewallEnabled": "Cortafuegos activado",
+    "autoUpdatesEnabled": "Actualizaciones automáticas habilitadas",
+    "tpmAvailable": "TPM disponible",
+    "macosSipEnabled": "Protección de integridad del sistema (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Sigilo Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Ver información y ajustes del dispositivo",
+    "devicePendingApprovalDescription": "Este dispositivo está esperando su aprobación",
+    "deviceBlockedDescription": "Este dispositivo está actualmente bloqueado. No podrá conectarse a ningún recurso a menos que sea desbloqueado.",
+    "unblockClient": "Desbloquear cliente",
+    "unblockClientDescription": "El dispositivo ha sido desbloqueado",
+    "unarchiveClient": "Desarchivar cliente",
+    "unarchiveClientDescription": "El dispositivo ha sido desarchivado",
+    "block": "Bloque",
+    "unblock": "Desbloquear",
+    "deviceActions": "Acciones del dispositivo",
+    "deviceActionsDescription": "Administrar estado y acceso al dispositivo",
+    "devicePendingApprovalBannerDescription": "Este dispositivo está pendiente de aprobación. No podrá conectarse a recursos hasta que sea aprobado.",
+    "connected": "Conectado",
+    "disconnected": "Desconectado",
+    "approvalsEmptyStateTitle": "Aprobaciones de dispositivo no habilitadas",
+    "approvalsEmptyStateDescription": "Habilita las aprobaciones de dispositivos para que los roles requieran aprobación del administrador antes de que los usuarios puedan conectar nuevos dispositivos.",
+    "approvalsEmptyStateStep1Title": "Ir a roles",
+    "approvalsEmptyStateStep1Description": "Navega a la configuración de roles de tu organización para configurar las aprobaciones de dispositivos.",
+    "approvalsEmptyStateStep2Title": "Habilitar aprobaciones de dispositivo",
+    "approvalsEmptyStateStep2Description": "Editar un rol y habilitar la opción 'Requerir aprobaciones de dispositivos'. Los usuarios con este rol necesitarán la aprobación del administrador para nuevos dispositivos.",
+    "approvalsEmptyStatePreviewDescription": "Vista previa: Cuando está habilitado, las solicitudes de dispositivo pendientes aparecerán aquí para su revisión",
+    "approvalsEmptyStateButtonText": "Administrar roles"
 }
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Créer l'organisation, le site et les ressources",
+    "headerAuthCompatibilityInfo": "Activez ceci pour forcer une réponse 401 Unauthorized lorsque le jeton d'authentification est manquant. Cela est nécessaire pour les navigateurs ou les bibliothèques HTTP spécifiques qui n'envoient pas de credentials sans un challenge du serveur.",
+    "headerAuthCompatibility": "Compatibilité étendue",
    "setupNewOrg": "Nouvelle organisation",
    "setupCreateOrg": "Créer une organisation",
    "setupCreateResources": "Créer des ressources",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Êtes-vous sûr de vouloir supprimer ce nœud de l'organisation ?",
    "siteManageSites": "Gérer les nœuds",
    "siteDescription": "Créer et gérer des sites pour activer la connectivité aux réseaux privés",
+    "sitesBannerTitle": "Se connecter à n'importe quel réseau",
+    "sitesBannerDescription": "Un site est une connexion à un réseau distant qui permet à Pangolin de fournir aux utilisateurs l'accès à des ressources, publiques ou privées, n'importe où. Installez le connecteur de réseau du site (Newt) partout où vous pouvez exécuter un binaire ou un conteneur pour établir la connexion.",
+    "sitesBannerButtonText": "Installer le site",
+    "approvalsBannerTitle": "Approuver ou refuser l'accès à l'appareil",
+    "approvalsBannerDescription": "Examinez et approuvez ou refusez les demandes d'accès à l'appareil des utilisateurs. Lorsque les autorisations de l'appareil sont requises, les utilisateurs doivent obtenir l'approbation de l'administrateur avant que leurs appareils puissent se connecter aux ressources de votre organisation.",
+    "approvalsBannerButtonText": "En savoir plus",
    "siteCreate": "Créer un nœud",
    "siteCreateDescription2": "Suivez les étapes ci-dessous pour créer et connecter un nouveau nœud",
    "siteCreateDescription": "Créer un nouveau site pour commencer à connecter des ressources",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Déterminer comment vous voulez vous connecter au site",
    "siteNewtCredentials": "Identifiants",
    "siteNewtCredentialsDescription": "Voici comment le site s'authentifiera avec le serveur",
+    "remoteNodeCredentialsDescription": "Voici comment le nœud distant s'authentifiera avec le serveur",
    "siteCredentialsSave": "Enregistrer les informations d'identification",
    "siteCredentialsSaveDescription": "Vous ne pourrez voir cela qu'une seule fois. Assurez-vous de l'enregistrer dans un endroit sécurisé.",
    "siteInfo": "Informations du nœud",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Veuillez sélectionner une ressource",
    "proxyResourceTitle": "Gérer les ressources publiques",
    "proxyResourceDescription": "Créer et gérer des ressources accessibles au public via un navigateur web",
+    "proxyResourcesBannerTitle": "Accès public basé sur le Web",
+    "proxyResourcesBannerDescription": "Les ressources publiques sont des proxys HTTPS ou TCP/UDP accessibles par tout le monde sur Internet via un navigateur Web. Contrairement aux ressources privées, elles n'exigent pas de logiciel côté client et peuvent inclure des politiques d'accès basées sur l'identité et le contexte.",
    "clientResourceTitle": "Gérer les ressources privées",
    "clientResourceDescription": "Créer et gérer des ressources qui ne sont accessibles que via un client connecté",
+    "privateResourcesBannerTitle": "Accès privé sans confiance",
+    "privateResourcesBannerDescription": "Les ressources privées utilisent la sécurité sans confiance, garantissant que les utilisateurs et les machines ne peuvent accéder qu'aux ressources que vous accordez explicitement. Connectez les appareils utilisateur ou les clients machines à ces ressources via un réseau privé virtuel sécurisé.",
    "resourcesSearch": "Chercher des ressources...",
    "resourceAdd": "Ajouter une ressource",
    "resourceErrorDelte": "Erreur lors de la de suppression de la ressource",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Une fois supprimée, la ressource ne sera plus accessible. Toutes les cibles associées à la ressource seront également supprimées.",
    "resourceQuestionRemove": "Êtes-vous sûr de vouloir retirer la ressource de l'organisation ?",
    "resourceHTTP": "Ressource HTTPS",
-    "resourceHTTPDescription": "Requêtes de proxy à l'application via HTTPS en utilisant un sous-domaine ou un domaine de base.",
+    "resourceHTTPDescription": "Proxy les demandes sur HTTPS en utilisant un nom de domaine entièrement qualifié.",
    "resourceRaw": "Ressource TCP/UDP brute",
-    "resourceRawDescription": "Demandes de proxy à l'application via TCP/UDP en utilisant un numéro de port. Cela ne fonctionne que lorsque les sites sont connectés à des nœuds.",
+    "resourceRawDescription": "Proxy les demandes sur TCP/UDP brut en utilisant un numéro de port.",
    "resourceCreate": "Créer une ressource",
    "resourceCreateDescription": "Suivez les étapes ci-dessous pour créer une nouvelle ressource",
    "resourceSeeAll": "Voir toutes les ressources",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Chercher des rôles...",
    "accessRolesAdd": "Ajouter un rôle",
    "accessRoleDelete": "Supprimer le rôle",
+    "accessApprovalsManage": "Gérer les approbations",
+    "accessApprovalsDescription": "Voir et gérer les approbations en attente pour accéder à cette organisation",
    "description": "Libellé",
    "inviteTitle": "Invitations actives",
    "inviteDescription": "Gérer les invitations des autres utilisateurs à rejoindre l'organisation",
@@ -440,6 +455,18 @@
    "selectDuration": "Sélectionner la durée",
    "selectResource": "Sélectionner une ressource",
    "filterByResource": "Filtrer par ressource",
+    "selectApprovalState": "Sélectionnez l'État d'Approbation",
+    "filterByApprovalState": "Filtrer par État d'Approbation",
+    "approvalListEmpty": "Aucune approbation",
+    "approvalState": "État d'approbation",
+    "approve": "Approuver",
+    "approved": "Approuvé",
+    "denied": "Refusé",
+    "deniedApproval": "Approbation refusée",
+    "all": "Tous",
+    "deny": "Refuser",
+    "viewDetails": "Voir les détails",
+    "requestingNewDeviceApproval": "a demandé un nouvel appareil",
    "resetFilters": "Réinitialiser les filtres",
    "totalBlocked": "Demandes bloquées par le Pangolin",
    "totalRequests": "Total des demandes",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Les administrateurs peuvent toujours accéder à cette ressource.",
    "resourceUsersRoles": "Contrôles d'accès",
    "resourceUsersRolesDescription": "Configurer quels utilisateurs et rôles peuvent visiter cette ressource",
-    "resourceUsersRolesSubmit": "Enregistrer les utilisateurs et les rôles",
+    "resourceUsersRolesSubmit": "Enregistrer les contrôles d'accès",
    "resourceWhitelistSave": "Enregistré avec succès",
    "resourceWhitelistSaveDescription": "Les paramètres de la liste blanche ont été enregistrés",
    "ssoUse": "Utiliser la SSO de la plateforme",
@@ -719,16 +746,28 @@
    "countries": "Pays",
    "accessRoleCreate": "Créer un rôle",
    "accessRoleCreateDescription": "Créer un nouveau rôle pour regrouper les utilisateurs et gérer leurs permissions.",
+    "accessRoleEdit": "Modifier le rôle",
+    "accessRoleEditDescription": "Modifier les informations du rôle.",
    "accessRoleCreateSubmit": "Créer un rôle",
    "accessRoleCreated": "Rôle créé",
    "accessRoleCreatedDescription": "Le rôle a été créé avec succès.",
    "accessRoleErrorCreate": "Échec de la création du rôle",
    "accessRoleErrorCreateDescription": "Une erreur s'est produite lors de la création du rôle.",
+    "accessRoleUpdateSubmit": "Mettre à jour un rôle",
+    "accessRoleUpdated": "Rôle mis à jour",
+    "accessRoleUpdatedDescription": "Le rôle a été mis à jour avec succès.",
+    "accessApprovalUpdated": "Approbation traitée",
+    "accessApprovalApprovedDescription": "Définir la décision de la demande d'approbation à approuver.",
+    "accessApprovalDeniedDescription": "Définir la décision de la demande d'approbation comme refusée.",
+    "accessRoleErrorUpdate": "Impossible de mettre à jour le rôle",
+    "accessRoleErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour du rôle.",
+    "accessApprovalErrorUpdate": "Impossible de traiter l'approbation",
+    "accessApprovalErrorUpdateDescription": "Une erreur s'est produite lors du traitement de l'approbation.",
    "accessRoleErrorNewRequired": "Un nouveau rôle est requis",
    "accessRoleErrorRemove": "Échec de la suppression du rôle",
    "accessRoleErrorRemoveDescription": "Une erreur s'est produite lors de la suppression du rôle.",
    "accessRoleName": "Nom du rôle",
-    "accessRoleQuestionRemove": "Vous êtes sur le point de supprimer le rôle {name}. Cette action est irréversible.",
+    "accessRoleQuestionRemove": "Vous êtes sur le point de supprimer le rôle `{name}`. Vous ne pouvez pas annuler cette action.",
    "accessRoleRemove": "Supprimer le rôle",
    "accessRoleRemoveDescription": "Retirer un rôle de l'organisation",
    "accessRoleRemoveSubmit": "Supprimer le rôle",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Configurer l'accès pour une organisation",
    "idpUpdatedDescription": "Fournisseur d'identité mis à jour avec succès",
    "redirectUrl": "URL de redirection",
+    "orgIdpRedirectUrls": "URL de redirection",
    "redirectUrlAbout": "À propos de l'URL de redirection",
    "redirectUrlAboutDescription": "C'est l'URL vers laquelle les utilisateurs seront redirigés après l'authentification. Vous devez configurer cette URL dans les paramètres du fournisseur d'identité.",
    "pangolinAuth": "Auth - Pangolin",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Code d'authentification",
    "pincodeSubmit2": "Soumettre le code",
    "passwordResetSubmit": "Demander la réinitialisation",
-    "passwordResetAlreadyHaveCode": "Entrez le code de réinitialisation du mot de passe",
+    "passwordResetAlreadyHaveCode": "Entrer le code",
    "passwordResetSmtpRequired": "Veuillez contacter votre administrateur",
    "passwordResetSmtpRequiredDescription": "Un code de réinitialisation du mot de passe est requis pour réinitialiser votre mot de passe. Veuillez contacter votre administrateur pour obtenir de l'aide.",
    "passwordBack": "Retour au mot de passe",
-    "loginBack": "Retour à la connexion",
+    "loginBack": "Revenir à la page de connexion principale",
    "signup": "S'inscrire",
    "loginStart": "Connectez-vous pour commencer",
    "idpOidcTokenValidating": "Validation du jeton OIDC",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Mise à jour de l'utilisateur Org",
    "createOrgUser": "Créer un utilisateur Org",
    "actionUpdateOrg": "Mettre à jour l'organisation",
+    "actionRemoveInvitation": "Supprimer l'invitation",
    "actionUpdateUser": "Mettre à jour l'utilisateur",
    "actionGetUser": "Obtenir l'utilisateur",
    "actionGetOrgUser": "Obtenir l'utilisateur de l'organisation",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Obtenir un site",
    "actionListSites": "Lister les sites",
    "actionApplyBlueprint": "Appliquer la Config",
+    "actionListBlueprints": "Lister les plans",
+    "actionGetBlueprint": "Obtenez un plan",
    "setupToken": "Jeton de configuration",
    "setupTokenDescription": "Entrez le jeton de configuration depuis la console du serveur.",
    "setupTokenRequired": "Le jeton de configuration est requis.",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Mettre à jour une organisation IDP",
    "actionCreateClient": "Créer un client",
    "actionDeleteClient": "Supprimer le client",
+    "actionArchiveClient": "Archiver le client",
+    "actionUnarchiveClient": "Désarchiver le client",
+    "actionBlockClient": "Bloquer le client",
+    "actionUnblockClient": "Débloquer le client",
    "actionUpdateClient": "Mettre à jour le client",
    "actionListClients": "Liste des clients",
    "actionGetClient": "Obtenir le client",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Rechercher...",
    "create": "Créer",
    "orgs": "Organisations",
-    "loginError": "Une erreur s'est produite lors de la connexion",
-    "loginRequiredForDevice": "La connexion est requise pour authentifier votre appareil.",
+    "loginError": "Une erreur inattendue s'est produite. Veuillez réessayer.",
+    "loginRequiredForDevice": "La connexion est requise pour votre appareil.",
    "passwordForgot": "Mot de passe oublié ?",
    "otpAuth": "Authentification à deux facteurs",
    "otpAuthDescription": "Entrez le code de votre application d'authentification ou l'un de vos codes de secours à usage unique.",
    "otpAuthSubmit": "Soumettre le code",
    "idpContinue": "Ou continuer avec",
-    "otpAuthBack": "Retour à la connexion",
+    "otpAuthBack": "Retour au mot de passe",
    "navbar": "Menu de navigation",
    "navbarDescription": "Menu de navigation principal de l'application",
    "navbarDocsLink": "Documentation",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Aperçu",
    "sidebarHome": "Domicile",
    "sidebarSites": "Nœuds",
+    "sidebarApprovals": "Demandes d'approbation",
    "sidebarResources": "Ressource",
    "sidebarProxyResources": "Publique",
    "sidebarClientResources": "Privé",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Fournisseurs d'identité",
    "sidebarLicense": "Licence",
    "sidebarClients": "Clients",
-    "sidebarUserDevices": "Utilisateurs",
+    "sidebarUserDevices": "Périphériques utilisateur",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domaines",
-    "sidebarGeneral": "Généraux",
+    "sidebarGeneral": "Gérer",
    "sidebarLogAndAnalytics": "Journaux & Analytiques",
    "sidebarBluePrints": "Configs",
    "sidebarOrganization": "Organisation",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Une erreur s'est produite lors de la création du compte administrateur du serveur.",
    "certificateStatus": "Statut du certificat",
    "loading": "Chargement",
+    "loadingAnalytics": "Chargement de l'analyse",
    "restart": "Redémarrer",
    "domains": "Domaines",
    "domainsDescription": "Créer et gérer les domaines disponibles dans l'organisation",
@@ -1290,6 +1339,7 @@
    "refreshError": "Échec de l'actualisation des données",
    "verified": "Vérifié",
    "pending": "En attente",
+    "pendingApproval": "En attente d'approbation",
    "sidebarBilling": "Facturation",
    "billing": "Facturation",
    "orgBillingDescription": "Gérer les informations de facturation et les abonnements",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Configuration du compte terminée! Bienvenue chez Pangolin !",
    "documentation": "Documentation",
    "saveAllSettings": "Enregistrer tous les paramètres",
+    "saveResourceTargets": "Enregistrer les cibles",
+    "saveResourceHttp": "Enregistrer les paramètres de proxy",
+    "saveProxyProtocol": "Enregistrer les paramètres du protocole proxy",
    "settingsUpdated": "Paramètres mis à jour",
-    "settingsUpdatedDescription": "Tous les paramètres ont été mis à jour avec succès",
+    "settingsUpdatedDescription": "Paramètres mis à jour avec succès",
    "settingsErrorUpdate": "Échec de la mise à jour des paramètres",
    "settingsErrorUpdateDescription": "Une erreur s'est produite lors de la mise à jour des paramètres",
    "sidebarCollapse": "Réduire",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Clé de sécurité supprimée avec succès",
    "securityKeyRemoveError": "Échec de la suppression de la clé de sécurité",
    "securityKeyLoadError": "Échec du chargement des clés de sécurité",
-    "securityKeyLogin": "Continuer avec une clé de sécurité",
+    "securityKeyLogin": "Utiliser la clé de sécurité",
    "securityKeyAuthError": "Échec de l'authentification avec la clé de sécurité",
    "securityKeyRecommendation": "Envisagez d'enregistrer une autre clé de sécurité sur un appareil différent pour vous assurer de ne pas être bloqué de votre compte.",
    "registering": "Enregistrement...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Je suis d'accord avec",
        "termsOfService": "les conditions d'utilisation",
        "and": "et",
-        "privacyPolicy": "la politique de confidentialité"
+        "privacyPolicy": "politique de confidentialité."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Gardez-moi dans la boucle avec des nouvelles, des mises à jour et de nouvelles fonctionnalités par courriel."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Ajouter une nouvelle cible",
    "targetsList": "Liste des cibles",
    "advancedMode": "Mode Avancé",
+    "advancedSettings": "Paramètres avancés",
    "targetErrorDuplicateTargetFound": "Cible en double trouvée",
    "healthCheckHealthy": "Sain",
    "healthCheckUnhealthy": "En mauvaise santé",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Intervalle sain",
    "timeoutSeconds": "Délai d'attente (sec)",
    "timeIsInSeconds": "Le temps est exprimé en secondes",
+    "requireDeviceApproval": "Exiger les autorisations de l'appareil",
+    "requireDeviceApprovalDescription": "Les utilisateurs ayant ce rôle ont besoin de nouveaux périphériques approuvés par un administrateur avant de pouvoir se connecter et accéder aux ressources.",
    "retryAttempts": "Tentatives de réessai",
    "expectedResponseCodes": "Codes de réponse attendus",
    "expectedResponseCodesDescription": "Code de statut HTTP indiquant un état de santé satisfaisant. Si non renseigné, 200-300 est considéré comme satisfaisant.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Aucune ressource interne trouvée.",
    "resourcesTableDestination": "Destination",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adresse de l'alias",
+    "resourcesTableAliasAddressInfo": "Cette adresse fait partie du sous-réseau utilitaire de l'organisation. Elle est utilisée pour résoudre les enregistrements d'alias en utilisant une résolution DNS interne.",
    "resourcesTableClients": "Clients",
    "resourcesTableAndOnlyAccessibleInternally": "et sont uniquement accessibles en interne lorsqu'elles sont connectées avec un client.",
    "resourcesTableNoTargets": "Aucune cible",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Propriétés de la ressource",
    "createInternalResourceDialogName": "Nom",
    "createInternalResourceDialogSite": "Site",
-    "createInternalResourceDialogSelectSite": "Sélectionner un site...",
-    "createInternalResourceDialogSearchSites": "Rechercher des sites...",
-    "createInternalResourceDialogNoSitesFound": "Aucun site trouvé.",
+    "selectSite": "Sélectionner un site...",
+    "noSitesFound": "Aucun site trouvé.",
    "createInternalResourceDialogProtocol": "Protocole",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "L'adresse interne du site. Doit être dans le sous-réseau de l'organisation.",
    "siteNameDescription": "Le nom d'affichage du site qui peut être modifié plus tard.",
    "autoLoginExternalIdp": "Connexion automatique avec IDP externe",
-    "autoLoginExternalIdpDescription": "Rediriger immédiatement l'utilisateur vers l'IDP externe pour l'authentification.",
+    "autoLoginExternalIdpDescription": "Redirigez immédiatement l'utilisateur vers le fournisseur d'identité externe pour l'authentification.",
    "selectIdp": "Sélectionner l'IDP",
    "selectIdpPlaceholder": "Choisissez un IDP...",
    "selectIdpRequired": "Veuillez sélectionner un IDP lorsque la connexion automatique est activée.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Aucune URL de redirection reçue du fournisseur d'identité.",
    "autoLoginErrorGeneratingUrl": "Échec de la génération de l'URL d'authentification.",
    "remoteExitNodeManageRemoteExitNodes": "Nœuds distants",
-    "remoteExitNodeDescription": "Héberger un ou plusieurs nœuds distants pour étendre la connectivité réseau et réduire la dépendance sur le cloud",
+    "remoteExitNodeDescription": "Hébergez vous-même vos propres nœuds de relais et de serveur proxy distants",
    "remoteExitNodes": "Nœuds",
    "searchRemoteExitNodes": "Rechercher des nœuds...",
    "remoteExitNodeAdd": "Ajouter un noeud",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Confirmer la suppression du noeud",
    "remoteExitNodeDelete": "Supprimer le noeud",
    "sidebarRemoteExitNodes": "Nœuds distants",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Clé secrète",
    "remoteExitNodeCreate": {
-        "title": "Créer un noeud",
-        "description": "Créer un nouveau nœud pour étendre la connectivité réseau",
+        "title": "Créer un nœud distant",
+        "description": "Créez un nouveau nœud de relais et de serveur proxy distant auto-hébergé",
        "viewAllButton": "Voir tous les nœuds",
        "strategy": {
            "title": "Stratégie de création",
-            "description": "Choisissez ceci pour configurer manuellement le noeud ou générer de nouveaux identifiants.",
+            "description": "Sélectionnez comment vous souhaitez créer le nœud distant",
            "adopt": {
                "title": "Adopter un nœud",
                "description": "Choisissez ceci si vous avez déjà les identifiants pour le noeud."
            },
            "generate": {
                "title": "Générer des clés",
-                "description": "Choisissez ceci si vous voulez générer de nouvelles clés pour le noeud"
+                "description": "Choisissez ceci si vous voulez générer de nouvelles clés pour le noeud."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Sous-réseau",
    "subnetDescription": "Le sous-réseau de la configuration réseau de cette organisation.",
-    "authPage": "Page d'authentification",
-    "authPageDescription": "Configurer la page d'authentification de l'organisation",
+    "customDomain": "Domaine personnalisé",
+    "authPage": "Pages d'authentification",
+    "authPageDescription": "Définissez un domaine personnalisé pour les pages d'authentification de l'organisation",
    "authPageDomain": "Domaine de la page d'authentification",
+    "authPageBranding": "Marque personnalisée",
+    "authPageBrandingDescription": "Configurez la marque qui apparaît sur les pages d'authentification pour cette organisation",
+    "authPageBrandingUpdated": "Marque de la page d'authentification mise à jour avec succès",
+    "authPageBrandingRemoved": "Marque de la page d'authentification supprimée avec succès",
+    "authPageBrandingRemoveTitle": "Supprimer la marque de la page d'authentification",
+    "authPageBrandingQuestionRemove": "Êtes-vous sûr de vouloir supprimer la marque des pages d'authentification ?",
+    "authPageBrandingDeleteConfirm": "Confirmer la suppression de la marque",
+    "brandingLogoURL": "URL du logo",
+    "brandingPrimaryColor": "Couleur principale",
+    "brandingLogoWidth": "Largeur (px)",
+    "brandingLogoHeight": "Hauteur (px)",
+    "brandingOrgTitle": "Titre pour la page d'authentification de l'organisation",
+    "brandingOrgDescription": "{orgName} sera remplacé par le nom de l'organisation",
+    "brandingOrgSubtitle": "Sous-titre pour la page d'authentification de l'organisation",
+    "brandingResourceTitle": "Titre pour la page d'authentification de la ressource",
+    "brandingResourceSubtitle": "Sous-titre pour la page d'authentification de la ressource",
+    "brandingResourceDescription": "{resourceName} sera remplacé par le nom de l'organisation",
+    "saveAuthPageDomain": "Enregistrer le domaine",
+    "saveAuthPageBranding": "Enregistrer la marque",
+    "removeAuthPageBranding": "Supprimer la marque",
    "noDomainSet": "Aucun domaine défini",
    "changeDomain": "Changer de domaine",
    "selectDomain": "Sélectionner un domaine",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Définir le domaine de la page d'authentification",
    "failedToFetchCertificate": "Impossible de récupérer le certificat",
    "failedToRestartCertificate": "Échec du redémarrage du certificat",
-    "addDomainToEnableCustomAuthPages": "Ajouter un domaine pour activer les pages d'authentification personnalisées pour l'organisation",
+    "addDomainToEnableCustomAuthPages": "Les utilisateurs pourront accéder à la page de connexion de l'organisation et compléter l'authentification de la ressource en utilisant ce domaine.",
    "selectDomainForOrgAuthPage": "Sélectionnez un domaine pour la page d'authentification de l'organisation",
    "domainPickerProvidedDomain": "Domaine fourni",
    "domainPickerFreeProvidedDomain": "Domaine fourni gratuitement",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "La «{sub}» n'a pas pu être validée pour {domain}.",
    "domainPickerSubdomainSanitized": "Sous-domaine nettoyé",
    "domainPickerSubdomainCorrected": "\"{sub}\" a été corrigé à \"{sanitized}\"",
-    "orgAuthSignInTitle": "Se connecter à l'organisation",
+    "orgAuthSignInTitle": "Connexion à l'organisation",
    "orgAuthChooseIdpDescription": "Choisissez votre fournisseur d'identité pour continuer",
    "orgAuthNoIdpConfigured": "Cette organisation n'a aucun fournisseur d'identité configuré. Vous pouvez vous connecter avec votre identité Pangolin à la place.",
    "orgAuthSignInWithPangolin": "Se connecter avec Pangolin",
+    "orgAuthSignInToOrg": "Se connecter à une organisation",
+    "orgAuthSelectOrgTitle": "Connexion à l'organisation",
+    "orgAuthSelectOrgDescription": "Entrez votre identifiant d'organisation pour continuer",
+    "orgAuthOrgIdPlaceholder": "votre-organisation",
+    "orgAuthOrgIdHelp": "Entrez l'identifiant unique de votre organisation",
+    "orgAuthSelectOrgHelp": "Après avoir entré votre identifiant d'organisation, vous serez dirigé vers la page de connexion de votre organisation où vous pourrez utiliser l'authentification unique (SSO) ou vos identifiants d'organisation.",
+    "orgAuthRememberOrgId": "Mémoriser cet identifiant d'organisation",
+    "orgAuthBackToSignIn": "Retour à la connexion standard",
+    "orgAuthNoAccount": "Vous n'avez pas de compte ?",
    "subscriptionRequiredToUse": "Un abonnement est requis pour utiliser cette fonctionnalité.",
    "idpDisabled": "Les fournisseurs d'identité sont désactivés.",
    "orgAuthPageDisabled": "La page d'authentification de l'organisation est désactivée.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Activer l'authentification à deux facteurs",
    "completeSecuritySteps": "Compléter les étapes de sécurité",
    "securitySettings": "Paramètres de sécurité",
+    "dangerSection": "Zone dangereuse",
+    "dangerSectionDescription": "Supprimez définitivement toutes les données associées à cette organisation",
    "securitySettingsDescription": "Configurer les politiques de sécurité de l'organisation",
    "requireTwoFactorForAllUsers": "Exiger une authentification à deux facteurs pour tous les utilisateurs",
    "requireTwoFactorDescription": "Lorsque cette option est activée, tous les utilisateurs internes de cette organisation doivent avoir l'authentification à deux facteurs pour accéder à l'organisation.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Cela affectera tous les utilisateurs de l'organisation",
    "authPageErrorUpdateMessage": "Une erreur s'est produite lors de la mise à jour de la page d\u000027authentification",
    "authPageErrorUpdate": "Impossible de mettre à jour la page d'authentification",
-    "authPageUpdated": "Page d\u000027authentification mise à jour avec succès",
+    "authPageDomainUpdated": "Domaine de la page d'authentification mis à jour avec succès",
    "healthCheckNotAvailable": "Locale",
    "rewritePath": "Réécrire le chemin",
    "rewritePathDescription": "Réécrivez éventuellement le chemin avant de le transmettre à la cible.",
@@ -1915,8 +2006,15 @@
    "beta": "Bêta",
    "manageUserDevices": "Périphériques utilisateur",
    "manageUserDevicesDescription": "Voir et gérer les appareils que les utilisateurs utilisent pour se connecter en privé aux ressources",
+    "downloadClientBannerTitle": "Télécharger le client Pangolin",
+    "downloadClientBannerDescription": "Téléchargez le client Pangolin pour votre système afin de vous connecter au réseau Pangolin et accéder aux ressources de manière privée.",
    "manageMachineClients": "Gérer les clients de la machine",
    "manageMachineClientsDescription": "Créer et gérer des clients que les serveurs et les systèmes utilisent pour se connecter en privé aux ressources",
+    "machineClientsBannerTitle": "Serveurs & Systèmes automatisés",
+    "machineClientsBannerDescription": "Les clients de machine sont conçus pour les serveurs et les systèmes automatisés qui ne sont pas associés à un utilisateur spécifique. Ils s'authentifient avec un identifiant et une clé secrète, et peuvent être exécutés avec Pangolin CLI, Olm CLI ou Olm en tant que conteneur.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Conteneur Olm",
    "clientsTableUserClients": "Utilisateur",
    "clientsTableMachineClients": "Machine",
    "licenseTableValidUntil": "Valable jusqu'au",
@@ -2060,13 +2158,15 @@
    "request": "Demander",
    "requests": "Requêtes",
    "logs": "Journaux",
-    "logsSettingsDescription": "Surveiller les logs collectés à partir de cette organisation",
+    "logsSettingsDescription": "Surveiller les journaux collectés de cette organisation",
    "searchLogs": "Rechercher dans les journaux...",
    "action": "Action",
    "actor": "Acteur",
    "timestamp": "Horodatage",
    "accessLogs": "Journaux d'accès",
    "exportCsv": "Exporter CSV",
+    "exportError": "Erreur inconnue lors de l'exportation du CSV",
+    "exportCsvTooltip": "Dans la plage de temps",
    "actorId": "ID de l'acteur",
    "allowedByRule": "Autorisé par la règle",
    "allowedNoAuth": "Aucune authentification autorisée",
@@ -2120,7 +2220,7 @@
    "unverified": "Non vérifié",
    "domainSetting": "Paramètres de domaine",
    "domainSettingDescription": "Configurer les paramètres du domaine",
-    "preferWildcardCertDescription": "Tentative de génération d'un certificat générique (nécessite un résolveur de certificat correctement configuré).",
+    "preferWildcardCertDescription": "Tenter de générer un certificat wildcard (requiert un résolveur de certificat correctement configuré).",
    "recordName": "Nom de l'enregistrement",
    "auto": "Automatique",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Le code doit contenir 9 caractères (par exemple, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Code invalide ou expiré",
    "deviceCodeVerifyFailed": "Impossible de vérifier le code de l'appareil",
+    "deviceCodeValidating": "Validation du code de l'appareil...",
+    "deviceCodeVerifying": "Vérification de l'autorisation de l'appareil...",
    "signedInAs": "Connecté en tant que",
    "deviceCodeEnterPrompt": "Entrez le code affiché sur l'appareil",
    "continue": "Continuer",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Accès à toutes les organisations auxquelles votre compte a accès",
    "deviceAuthorize": "Autoriser {applicationName}",
    "deviceConnected": "Appareil connecté !",
-    "deviceAuthorizedMessage": "L'appareil est autorisé à accéder à votre compte.",
+    "deviceAuthorizedMessage": "L'appareil est autorisé à accéder à votre compte. Veuillez retourner à l'application client.",
    "pangolinCloud": "Nuage de Pangolin",
    "viewDevices": "Voir les appareils",
    "viewDevicesDescription": "Gérer vos appareils connectés",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifiant",
    "deviceLoginUseDifferentAccount": "Pas vous ? Utilisez un autre compte.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un appareil demande l'accès à ce compte.",
+    "loginSelectAuthenticationMethod": "Sélectionnez une méthode d'authentification pour continuer.",
    "noData": "Aucune donnée",
    "machineClients": "Clients Machines",
    "install": "Installer",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Impossible de récupérer le sous-réseau par défaut",
    "setupSubnetAdvanced": "Sous-réseau (Avancé)",
    "setupSubnetDescription": "Le sous-réseau du réseau interne de cette organisation.",
+    "setupUtilitySubnet": "Sous-réseau utilitaire (Avancé)",
+    "setupUtilitySubnetDescription": "Le sous-réseau pour les adresses alias de cette organisation et le serveur DNS.",
    "siteRegenerateAndDisconnect": "Régénérer et déconnecter",
    "siteRegenerateAndDisconnectConfirmation": "Êtes-vous sûr de vouloir régénérer les identifiants et déconnecter ce site ?",
    "siteRegenerateAndDisconnectWarning": "Cela va régénérer les identifiants et déconnecter immédiatement le site. Le site devra être redémarré avec les nouveaux identifiants.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Cela va régénérer les identifiants et déconnecter immédiatement le noeud de sortie distant. Le noeud de sortie distant devra être redémarré avec les nouveaux identifiants.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Êtes-vous sûr de vouloir régénérer les informations d'identification pour ce noeud de sortie distant ?",
    "remoteExitNodeRegenerateCredentialsWarning": "Cela va régénérer les identifiants. Le noeud de sortie distant restera connecté jusqu'à ce que vous le redémarriez manuellement et utilisez les nouveaux identifiants.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Pour usage personnel uniquement",
+    "loginPageLicenseWatermark": "Cette instance est sous licence pour un usage personnel uniquement.",
+    "instanceIsUnlicensed": "Cette instance n'est pas sous licence.",
+    "portRestrictions": "Restrictions de port",
+    "allPorts": "Tous",
+    "custom": "Personnalisé",
+    "allPortsAllowed": "Tous les ports autorisés",
+    "allPortsBlocked": "Tous les ports bloqués",
+    "tcpPortsDescription": "Indiquez les ports TCP autorisés pour cette ressource. Utilisez '*' pour tous les ports, laissez vide pour tout bloquer, ou entrez une liste de ports et de plages séparés par des virgules (par exemple, 80,443,8000-9000).",
+    "udpPortsDescription": "Indiquez les ports UDP autorisés pour cette ressource. Utilisez '*' pour tous les ports, laissez vide pour tout bloquer, ou entrez une liste de ports et de plages séparés par des virgules (par exemple, 53,123,500-600).",
+    "organizationLoginPageTitle": "Page de connexion de l'organisation",
+    "organizationLoginPageDescription": "Personnalisez la page de connexion pour cette organisation",
+    "resourceLoginPageTitle": "Page de connexion de la ressource",
+    "resourceLoginPageDescription": "Personnalisez la page de connexion pour les ressources individuelles",
+    "enterConfirmation": "Entrez la confirmation",
+    "blueprintViewDetails": "Détails",
+    "defaultIdentityProvider": "Fournisseur d'identité par défaut",
+    "defaultIdentityProviderDescription": "Lorsqu'un fournisseur d'identité par défaut est sélectionné, l'utilisateur sera automatiquement redirigé vers le fournisseur pour authentification.",
+    "editInternalResourceDialogNetworkSettings": "Paramètres réseau",
+    "editInternalResourceDialogAccessPolicy": "Politique d'accès",
+    "editInternalResourceDialogAddRoles": "Ajouter des rôles",
+    "editInternalResourceDialogAddUsers": "Ajouter des utilisateurs",
+    "editInternalResourceDialogAddClients": "Ajouter des clients",
+    "editInternalResourceDialogDestinationLabel": "Destination",
+    "editInternalResourceDialogDestinationDescription": "Indiquez l'adresse de destination pour la ressource interne. Cela peut être un nom d'hôte, une adresse IP ou une plage CIDR selon le mode sélectionné. Définissez éventuellement un alias DNS interne pour une identification plus facile.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Restreindre l'accès à des ports TCP/UDP spécifiques ou autoriser/bloquer tous les ports.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Contrôle d'accès",
+    "editInternalResourceDialogAccessControlDescription": "Contrôlez quels rôles, utilisateurs et clients de machine ont accès à cette ressource lorsqu'ils sont connectés. Les administrateurs ont toujours accès.",
+    "editInternalResourceDialogPortRangeValidationError": "La plage de ports doit être \"*\" pour tous les ports, ou une liste de ports et de plages séparés par des virgules (par exemple, \"80,443,8000-9000\"). Les ports doivent être compris entre 1 et 65535.",
+    "orgAuthWhatsThis": "Où puis-je trouver mon identifiant d'organisation ?",
+    "learnMore": "En savoir plus",
+    "backToHome": "Retour à l'accueil",
+    "needToSignInToOrg": "Besoin d'utiliser le fournisseur d'identité de votre organisation ?",
+    "maintenanceMode": "Mode de maintenance",
+    "maintenanceModeDescription": "Afficher une page de maintenance aux visiteurs",
+    "maintenanceModeType": "Type de mode de maintenance",
+    "showMaintenancePage": "Afficher une page de maintenance aux visiteurs",
+    "enableMaintenanceMode": "Activer le mode de maintenance",
+    "automatic": "Automatique",
+    "automaticModeDescription": "Afficher la page de maintenance uniquement lorsque toutes les cibles backend sont en panne ou dégradées. Votre ressource continue à fonctionner normalement tant qu'au moins une cible est en bonne santé.",
+    "forced": "Forcé",
+    "forcedModeDescription": "Toujours afficher la page de maintenance indépendamment de l'état des backend. Utilisez ceci pour une maintenance planifiée lorsque vous souhaitez empêcher tout accès.",
+    "warning:": "Attention :",
+    "forcedeModeWarning": "Tout le trafic sera dirigé vers la page de maintenance. Vos ressources backend ne recevront aucune demande.",
+    "pageTitle": "Titre de la page",
+    "pageTitleDescription": "Le titre principal affiché sur la page de maintenance",
+    "maintenancePageMessage": "Message de maintenance",
+    "maintenancePageMessagePlaceholder": "Nous serons bientôt de retour ! Notre site est actuellement en maintenance planifiée.",
+    "maintenancePageMessageDescription": "Message détaillé expliquant la maintenance",
+    "maintenancePageTimeTitle": "Temps d'achèvement estimé (facultatif)",
+    "maintenanceTime": "par exemple, 2 heures, le 1er nov. à 17:00",
+    "maintenanceEstimatedTimeDescription": "Quand vous attendez que la maintenance soit terminée",
+    "editDomain": "Modifier le domaine",
+    "editDomainDescription": "Sélectionnez un domaine pour votre ressource",
+    "maintenanceModeDisabledTooltip": "Cette fonctionnalité nécessite une licence valide pour être activée.",
+    "maintenanceScreenTitle": "Service temporairement indisponible",
+    "maintenanceScreenMessage": "Nous rencontrons actuellement des difficultés techniques. Veuillez vérifier ultérieurement.",
+    "maintenanceScreenEstimatedCompletion": "Achèvement estimé :",
+    "createInternalResourceDialogDestinationRequired": "La destination est requise",
+    "available": "Disponible",
+    "archived": "Archivé",
+    "noArchivedDevices": "Aucun périphérique archivé trouvé",
+    "deviceArchived": "Appareil archivé",
+    "deviceArchivedDescription": "L'appareil a été archivé avec succès.",
+    "errorArchivingDevice": "Erreur lors de l'archivage du périphérique",
+    "failedToArchiveDevice": "Impossible d'archiver l'appareil",
+    "deviceQuestionArchive": "Êtes-vous sûr de vouloir archiver cet appareil ?",
+    "deviceMessageArchive": "Le périphérique sera archivé et retiré de la liste des périphériques actifs.",
+    "deviceArchiveConfirm": "Dispositif d'archivage",
+    "archiveDevice": "Dispositif d'archivage",
+    "archive": "Archive",
+    "deviceUnarchived": "Appareil désarchivé",
+    "deviceUnarchivedDescription": "L'appareil a été désarchivé avec succès.",
+    "errorUnarchivingDevice": "Erreur lors de la désarchivage du périphérique",
+    "failedToUnarchiveDevice": "Échec de la désarchivage de l'appareil",
+    "unarchive": "Désarchiver",
+    "archiveClient": "Archiver le client",
+    "archiveClientQuestion": "Êtes-vous sûr de vouloir archiver ce client?",
+    "archiveClientMessage": "Le client sera archivé et retiré de votre liste de clients actifs.",
+    "archiveClientConfirm": "Archiver le client",
+    "blockClient": "Bloquer le client",
+    "blockClientQuestion": "Êtes-vous sûr de vouloir bloquer ce client?",
+    "blockClientMessage": "L'appareil sera forcé de se déconnecter si vous êtes actuellement connecté. Vous pourrez débloquer l'appareil plus tard.",
+    "blockClientConfirm": "Bloquer le client",
+    "active": "Actif",
+    "usernameOrEmail": "Nom d'utilisateur ou email",
+    "selectYourOrganization": "Sélectionnez votre organisation",
+    "signInTo": "Se connecter à",
+    "signInWithPassword": "Continuer avec le mot de passe",
+    "noAuthMethodsAvailable": "Aucune méthode d'authentification disponible pour cette organisation.",
+    "enterPassword": "Entrez votre mot de passe",
+    "enterMfaCode": "Entrez le code de votre application d'authentification",
+    "securityKeyRequired": "Veuillez utiliser votre clé de sécurité pour vous connecter.",
+    "needToUseAnotherAccount": "Besoin d'un autre compte ?",
+    "loginLegalDisclaimer": "En cliquant sur les boutons ci-dessous, vous reconnaissez avoir lu, compris et accepté les <termsOfService>Conditions d'utilisation</termsOfService> et la <privacyPolicy>Politique de confidentialité</privacyPolicy>.",
+    "termsOfService": "Conditions d'utilisation",
+    "privacyPolicy": "Politique de confidentialité",
+    "userNotFoundWithUsername": "Aucun utilisateur trouvé avec ce nom d'utilisateur.",
+    "verify": "Vérifier",
+    "signIn": "Se connecter",
+    "forgotPassword": "Mot de passe oublié ?",
+    "orgSignInTip": "Si vous vous êtes déjà connecté, vous pouvez entrer votre nom d'utilisateur ou votre e-mail ci-dessus pour vous authentifier auprès du fournisseur d'identité de votre organisation. C'est plus facile !",
+    "continueAnyway": "Continuer quand même",
+    "dontShowAgain": "Ne plus afficher",
+    "orgSignInNotice": "Le saviez-vous ?",
+    "signupOrgNotice": "Vous essayez de vous connecter ?",
+    "signupOrgTip": "Essayez-vous de vous connecter par l'intermédiaire du fournisseur d'identité de votre organisme?",
+    "signupOrgLink": "Connectez-vous ou inscrivez-vous avec votre organisation à la place",
+    "verifyEmailLogInWithDifferentAccount": "Utiliser un compte différent",
+    "logIn": "Se connecter",
+    "deviceInformation": "Informations sur l'appareil",
+    "deviceInformationDescription": "Informations sur l'appareil et l'agent",
+    "deviceSecurity": "Sécurité de l'appareil",
+    "deviceSecurityDescription": "Informations sur la posture de sécurité de l'appareil",
+    "platform": "Plateforme",
+    "macosVersion": "Version macOS",
+    "windowsVersion": "Version de Windows",
+    "iosVersion": "Version iOS",
+    "androidVersion": "Version d'Android",
+    "osVersion": "Version du système d'exploitation",
+    "kernelVersion": "Version du noyau",
+    "deviceModel": "Modèle de l'appareil",
+    "serialNumber": "Numéro de série",
+    "hostname": "Hostname",
+    "firstSeen": "Première vue",
+    "lastSeen": "Dernière vue",
+    "biometricsEnabled": "biométrique activée",
+    "diskEncrypted": "Disque chiffré",
+    "firewallEnabled": "Pare-feu activé",
+    "autoUpdatesEnabled": "Mises à jour automatiques activées",
+    "tpmAvailable": "TPM disponible",
+    "macosSipEnabled": "Protection contre l'intégrité du système (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Mode furtif du pare-feu",
+    "linuxAppArmorEnabled": "Armure d'application",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Afficher les informations et les paramètres de l'appareil",
+    "devicePendingApprovalDescription": "Cet appareil est en attente d'approbation",
+    "deviceBlockedDescription": "Cet appareil est actuellement bloqué. Il ne pourra se connecter à aucune ressource à moins d'être débloqué.",
+    "unblockClient": "Débloquer le client",
+    "unblockClientDescription": "L'appareil a été débloqué",
+    "unarchiveClient": "Désarchiver le client",
+    "unarchiveClientDescription": "L'appareil a été désarchivé",
+    "block": "Bloquer",
+    "unblock": "Débloquer",
+    "deviceActions": "Actions de l'appareil",
+    "deviceActionsDescription": "Gérer le statut et l'accès de l'appareil",
+    "devicePendingApprovalBannerDescription": "Cet appareil est en attente d'approbation. Il ne sera pas en mesure de se connecter aux ressources jusqu'à ce qu'il soit approuvé.",
+    "connected": "Connecté",
+    "disconnected": "Déconnecté",
+    "approvalsEmptyStateTitle": "Approbations de l'appareil non activées",
+    "approvalsEmptyStateDescription": "Activer les autorisations de l'appareil pour les rôles qui nécessitent l'approbation de l'administrateur avant que les utilisateurs puissent connecter de nouveaux appareils.",
+    "approvalsEmptyStateStep1Title": "Aller aux Rôles",
+    "approvalsEmptyStateStep1Description": "Accédez aux paramètres de rôles de votre organisation pour configurer les autorisations de l'appareil.",
+    "approvalsEmptyStateStep2Title": "Activer les autorisations de l'appareil",
+    "approvalsEmptyStateStep2Description": "Modifier un rôle et activer l'option 'Exiger les autorisations de l'appareil'. Les utilisateurs avec ce rôle auront besoin de l'approbation de l'administrateur pour les nouveaux appareils.",
+    "approvalsEmptyStatePreviewDescription": "Aperçu: Lorsque cette option est activée, les demandes de périphérique en attente apparaîtront ici pour vérification",
+    "approvalsEmptyStateButtonText": "Gérer les rôles"
 }
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Creare l'organizzazione, il sito e le risorse",
+    "headerAuthCompatibilityInfo": "Abilita questo per forzare una risposta 401 Unauthorized quando manca un token di autenticazione. Questo è richiesto per browser o librerie HTTP specifiche che non inviano credenziali senza una sfida del server.",
+    "headerAuthCompatibility": "Compatibilità estesa",
    "setupNewOrg": "Nuova Organizzazione",
    "setupCreateOrg": "Crea Organizzazione",
    "setupCreateResources": "Crea Risorse",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Sei sicuro di voler rimuovere il sito dall'organizzazione?",
    "siteManageSites": "Gestisci Siti",
    "siteDescription": "Creare e gestire siti per abilitare la connettività a reti private",
+    "sitesBannerTitle": "Connetti Qualsiasi Rete",
+    "sitesBannerDescription": "Un sito è una connessione a una rete remota che consente a Pangolin di fornire accesso alle risorse, pubbliche o private, agli utenti ovunque. Installa il connettore di rete del sito (Newt) ovunque tu possa eseguire un binario o un container per stabilire la connessione.",
+    "sitesBannerButtonText": "Installa Sito",
+    "approvalsBannerTitle": "Approva o nega l'accesso al dispositivo",
+    "approvalsBannerDescription": "Controlla e approva o nega le richieste di accesso al dispositivo da parte degli utenti. Quando le approvazioni del dispositivo sono richieste, gli utenti devono ottenere l'approvazione dell'amministratore prima che i loro dispositivi possano connettersi alle risorse della vostra organizzazione.",
+    "approvalsBannerButtonText": "Scopri di più",
    "siteCreate": "Crea Sito",
    "siteCreateDescription2": "Segui i passaggi qui sotto per creare e collegare un nuovo sito",
    "siteCreateDescription": "Crea un nuovo sito per iniziare a connettere le risorse",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Determinare come si desidera connettersi al sito",
    "siteNewtCredentials": "Credenziali",
    "siteNewtCredentialsDescription": "Questo è come il sito si autenticerà con il server",
+    "remoteNodeCredentialsDescription": "Questo è come il nodo remoto si autenticherà con il server",
    "siteCredentialsSave": "Salva le credenziali",
    "siteCredentialsSaveDescription": "Potrai vederlo solo una volta. Assicurati di copiarlo in un luogo sicuro.",
    "siteInfo": "Informazioni Sito",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Seleziona una risorsa",
    "proxyResourceTitle": "Gestisci Risorse Pubbliche",
    "proxyResourceDescription": "Creare e gestire risorse accessibili al pubblico tramite un browser web",
+    "proxyResourcesBannerTitle": "Accesso Pubblico Basato sul Web",
+    "proxyResourcesBannerDescription": "Le risorse pubbliche sono proxy HTTPS o TCP/UDP accessibili a chiunque su Internet tramite un browser web. A differenza delle risorse private, non richiedono software lato client e possono includere politiche di accesso basate su identità e contesto.",
    "clientResourceTitle": "Gestisci Risorse Private",
    "clientResourceDescription": "Crea e gestisci risorse accessibili solo tramite un client connesso",
+    "privateResourcesBannerTitle": "Accesso Privato Zero-Trust",
+    "privateResourcesBannerDescription": "Le risorse private utilizzano la sicurezza zero-trust, assicurandosi che gli utenti e le macchine possano accedere solo alle risorse a cui hai concesso esplicitamente l'accesso. Collega i dispositivi utente o i client macchina per accedere a queste risorse tramite una rete privata virtuale sicura.",
    "resourcesSearch": "Cerca risorse...",
    "resourceAdd": "Aggiungi Risorsa",
    "resourceErrorDelte": "Errore nell'eliminare la risorsa",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Una volta rimossa, la risorsa non sarà più accessibile. Tutti gli obiettivi associati alla risorsa saranno rimossi.",
    "resourceQuestionRemove": "Sei sicuro di voler rimuovere la risorsa dall'organizzazione?",
    "resourceHTTP": "Risorsa HTTPS",
-    "resourceHTTPDescription": "Richieste proxy per l'applicazione tramite HTTPS utilizzando un sottodominio o un dominio base.",
+    "resourceHTTPDescription": "Richieste proxy su HTTPS usando un nome di dominio completo.",
    "resourceRaw": "Risorsa Raw TCP/UDP",
-    "resourceRawDescription": "Le richieste proxy all'app tramite TCP/UDP utilizzando un numero di porta. Funziona solo quando i siti sono connessi ai nodi.",
+    "resourceRawDescription": "Richieste proxy su TCP/UDP grezzo utilizzando un numero di porta.",
    "resourceCreate": "Crea Risorsa",
    "resourceCreateDescription": "Segui i passaggi seguenti per creare una nuova risorsa",
    "resourceSeeAll": "Vedi Tutte Le Risorse",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Ricerca ruoli...",
    "accessRolesAdd": "Aggiungi Ruolo",
    "accessRoleDelete": "Elimina Ruolo",
+    "accessApprovalsManage": "Gestisci Approvazioni",
+    "accessApprovalsDescription": "Visualizza e gestisci le approvazioni in attesa per accedere a questa organizzazione",
    "description": "Descrizione",
    "inviteTitle": "Inviti Aperti",
    "inviteDescription": "Gestisci gli inviti per gli altri utenti a unirsi all'organizzazione",
@@ -440,6 +455,18 @@
    "selectDuration": "Seleziona durata",
    "selectResource": "Seleziona Risorsa",
    "filterByResource": "Filtra Per Risorsa",
+    "selectApprovalState": "Seleziona Stato Di Approvazione",
+    "filterByApprovalState": "Filtra Per Stato Di Approvazione",
+    "approvalListEmpty": "Nessuna approvazione",
+    "approvalState": "Stato Di Approvazione",
+    "approve": "Approva",
+    "approved": "Approvato",
+    "denied": "Negato",
+    "deniedApproval": "Omologazione Negata",
+    "all": "Tutti",
+    "deny": "Nega",
+    "viewDetails": "Visualizza Dettagli",
+    "requestingNewDeviceApproval": "ha richiesto un nuovo dispositivo",
    "resetFilters": "Ripristina Filtri",
    "totalBlocked": "Richieste Bloccate Da Pangolino",
    "totalRequests": "Totale Richieste",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Gli amministratori possono sempre accedere a questa risorsa.",
    "resourceUsersRoles": "Controlli di Accesso",
    "resourceUsersRolesDescription": "Configura quali utenti e ruoli possono visitare questa risorsa",
-    "resourceUsersRolesSubmit": "Salva Utenti e Ruoli",
+    "resourceUsersRolesSubmit": "Salva Controlli di Accesso",
    "resourceWhitelistSave": "Salvato con successo",
    "resourceWhitelistSaveDescription": "Le impostazioni della lista autorizzazioni sono state salvate",
    "ssoUse": "Usa SSO della Piattaforma",
@@ -719,16 +746,28 @@
    "countries": "Paesi",
    "accessRoleCreate": "Crea Ruolo",
    "accessRoleCreateDescription": "Crea un nuovo ruolo per raggruppare gli utenti e gestire i loro permessi.",
+    "accessRoleEdit": "Modifica Ruolo",
+    "accessRoleEditDescription": "Modifica informazioni sul ruolo.",
    "accessRoleCreateSubmit": "Crea Ruolo",
    "accessRoleCreated": "Ruolo creato",
    "accessRoleCreatedDescription": "Il ruolo è stato creato con successo.",
    "accessRoleErrorCreate": "Impossibile creare il ruolo",
    "accessRoleErrorCreateDescription": "Si è verificato un errore durante la creazione del ruolo.",
+    "accessRoleUpdateSubmit": "Aggiorna Ruolo",
+    "accessRoleUpdated": "Ruolo aggiornato",
+    "accessRoleUpdatedDescription": "Il ruolo è stato aggiornato con successo.",
+    "accessApprovalUpdated": "Approvazione trattata",
+    "accessApprovalApprovedDescription": "Impostare la decisione di richiesta di approvazione da approvare.",
+    "accessApprovalDeniedDescription": "Imposta la decisione di richiesta di approvazione negata.",
+    "accessRoleErrorUpdate": "Impossibile aggiornare il ruolo",
+    "accessRoleErrorUpdateDescription": "Si è verificato un errore nell'aggiornamento del ruolo.",
+    "accessApprovalErrorUpdate": "Impossibile elaborare l'approvazione",
+    "accessApprovalErrorUpdateDescription": "Si è verificato un errore durante l'elaborazione dell'approvazione.",
    "accessRoleErrorNewRequired": "Nuovo ruolo richiesto",
    "accessRoleErrorRemove": "Impossibile rimuovere il ruolo",
    "accessRoleErrorRemoveDescription": "Si è verificato un errore durante la rimozione del ruolo.",
    "accessRoleName": "Nome Del Ruolo",
-    "accessRoleQuestionRemove": "Stai per eliminare il ruolo {name}. Non puoi annullare questa azione.",
+    "accessRoleQuestionRemove": "Stai per eliminare il ruolo `{name}`. Non puoi annullare questa azione.",
    "accessRoleRemove": "Rimuovi Ruolo",
    "accessRoleRemoveDescription": "Rimuovi un ruolo dall'organizzazione",
    "accessRoleRemoveSubmit": "Rimuovi Ruolo",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Configura l'accesso per un'organizzazione",
    "idpUpdatedDescription": "Provider di identità aggiornato con successo",
    "redirectUrl": "URL di Reindirizzamento",
+    "orgIdpRedirectUrls": "Reindirizza URL",
    "redirectUrlAbout": "Informazioni sull'URL di Reindirizzamento",
    "redirectUrlAboutDescription": "Questo è l'URL a cui gli utenti saranno reindirizzati dopo l'autenticazione. È necessario configurare questo URL nelle impostazioni del provider di identità.",
    "pangolinAuth": "Autenticazione - Pangolina",
@@ -863,7 +903,7 @@
    "inviteAlready": "Sembra che sei stato invitato!",
    "inviteAlreadyDescription": "Per accettare l'invito, devi accedere o creare un account.",
    "signupQuestion": "Hai già un account?",
-    "login": "Accedi",
+    "login": "Log In",
    "resourceNotFound": "Risorsa Non Trovata",
    "resourceNotFoundDescription": "La risorsa che stai cercando di accedere non esiste.",
    "pincodeRequirementsLength": "Il PIN deve essere esattamente di 6 cifre",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Questa organizzazione richiede di cambiare la password ogni {maxDays} giorni.",
    "changePasswordNow": "Cambia Password Ora",
    "pincodeAuth": "Codice Autenticatore",
-    "pincodeSubmit2": "Invia Codice",
+    "pincodeSubmit2": "Invia codice",
    "passwordResetSubmit": "Richiedi Reset",
-    "passwordResetAlreadyHaveCode": "Inserisci Il Codice Di Ripristino Della Password",
+    "passwordResetAlreadyHaveCode": "Inserisci Codice",
    "passwordResetSmtpRequired": "Si prega di contattare l'amministratore",
    "passwordResetSmtpRequiredDescription": "Per reimpostare la password è necessario un codice di reimpostazione della password. Si prega di contattare l'amministratore per assistenza.",
    "passwordBack": "Torna alla Password",
-    "loginBack": "Torna al login",
+    "loginBack": "Torna alla pagina di accesso principale",
    "signup": "Registrati",
    "loginStart": "Accedi per iniziare",
    "idpOidcTokenValidating": "Convalida token OIDC",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Aggiorna Utente Org",
    "createOrgUser": "Crea Utente Org",
    "actionUpdateOrg": "Aggiorna Organizzazione",
+    "actionRemoveInvitation": "Rimuovi Invito",
    "actionUpdateUser": "Aggiorna Utente",
    "actionGetUser": "Ottieni Utente",
    "actionGetOrgUser": "Ottieni Utente Organizzazione",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Ottieni Sito",
    "actionListSites": "Elenca Siti",
    "actionApplyBlueprint": "Applica Progetto",
+    "actionListBlueprints": "Elenco Blueprints",
+    "actionGetBlueprint": "Ottieni Blueprint",
    "setupToken": "Configura Token",
    "setupTokenDescription": "Inserisci il token di configurazione dalla console del server.",
    "setupTokenRequired": "Il token di configurazione è richiesto",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Aggiorna Org IDP",
    "actionCreateClient": "Crea Client",
    "actionDeleteClient": "Elimina Client",
+    "actionArchiveClient": "Archivia Client",
+    "actionUnarchiveClient": "Annulla Archiviazione Client",
+    "actionBlockClient": "Blocca Client",
+    "actionUnblockClient": "Sblocca Client",
    "actionUpdateClient": "Aggiorna Client",
    "actionListClients": "Elenco Clienti",
    "actionGetClient": "Ottieni Client",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Ricerca...",
    "create": "Crea",
    "orgs": "Organizzazioni",
-    "loginError": "Si è verificato un errore durante l'accesso",
-    "loginRequiredForDevice": "È richiesto il login per autenticare il dispositivo.",
+    "loginError": "Si è verificato un errore imprevisto. Riprova.",
+    "loginRequiredForDevice": "Il login è richiesto per il tuo dispositivo.",
    "passwordForgot": "Password dimenticata?",
    "otpAuth": "Autenticazione a Due Fattori",
    "otpAuthDescription": "Inserisci il codice dalla tua app di autenticazione o uno dei tuoi codici di backup monouso.",
    "otpAuthSubmit": "Invia Codice",
    "idpContinue": "O continua con",
-    "otpAuthBack": "Torna al Login",
+    "otpAuthBack": "Torna alla Password",
    "navbar": "Menu di Navigazione",
    "navbarDescription": "Menu di navigazione principale dell'applicazione",
    "navbarDocsLink": "Documentazione",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Panoramica",
    "sidebarHome": "Home",
    "sidebarSites": "Siti",
+    "sidebarApprovals": "Richieste Di Approvazione",
    "sidebarResources": "Risorse",
    "sidebarProxyResources": "Pubblico",
    "sidebarClientResources": "Privato",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Fornitori Di Identità",
    "sidebarLicense": "Licenza",
    "sidebarClients": "Client",
-    "sidebarUserDevices": "Utenti",
+    "sidebarUserDevices": "Dispositivi Utente",
    "sidebarMachineClients": "Macchine",
    "sidebarDomains": "Domini",
-    "sidebarGeneral": "Generale",
+    "sidebarGeneral": "Gestisci",
    "sidebarLogAndAnalytics": "Log & Analytics",
    "sidebarBluePrints": "Progetti",
    "sidebarOrganization": "Organizzazione",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Si è verificato un errore durante la creazione dell'account amministratore del server.",
    "certificateStatus": "Stato del Certificato",
    "loading": "Caricamento",
+    "loadingAnalytics": "Caricamento Delle Analisi",
    "restart": "Riavvia",
    "domains": "Domini",
    "domainsDescription": "Creare e gestire i domini disponibili nell'organizzazione",
@@ -1290,6 +1339,7 @@
    "refreshError": "Impossibile aggiornare i dati",
    "verified": "Verificato",
    "pending": "In attesa",
+    "pendingApproval": "Approvazione In Attesa",
    "sidebarBilling": "Fatturazione",
    "billing": "Fatturazione",
    "orgBillingDescription": "Gestisci le informazioni di fatturazione e gli abbonamenti",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Configurazione dell'account completata! Benvenuto su Pangolin!",
    "documentation": "Documentazione",
    "saveAllSettings": "Salva Tutte le Impostazioni",
+    "saveResourceTargets": "Salva Target",
+    "saveResourceHttp": "Salva Impostazioni Proxy",
+    "saveProxyProtocol": "Salva impostazioni protocollo proxy",
    "settingsUpdated": "Impostazioni aggiornate",
-    "settingsUpdatedDescription": "Tutte le impostazioni sono state aggiornate con successo",
+    "settingsUpdatedDescription": "Impostazioni aggiornate con successo",
    "settingsErrorUpdate": "Impossibile aggiornare le impostazioni",
    "settingsErrorUpdateDescription": "Si è verificato un errore durante l'aggiornamento delle impostazioni",
    "sidebarCollapse": "Comprimi",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Chiave di sicurezza rimossa con successo",
    "securityKeyRemoveError": "Errore durante la rimozione della chiave di sicurezza",
    "securityKeyLoadError": "Errore durante il caricamento delle chiavi di sicurezza",
-    "securityKeyLogin": "Continua con la chiave di sicurezza",
+    "securityKeyLogin": "Usa Chiave Di Sicurezza",
    "securityKeyAuthError": "Errore durante l'autenticazione con chiave di sicurezza",
    "securityKeyRecommendation": "Considera di registrare un'altra chiave di sicurezza su un dispositivo diverso per assicurarti di non rimanere bloccato fuori dal tuo account.",
    "registering": "Registrazione in corso...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Accetto i",
        "termsOfService": "termini di servizio",
        "and": "e",
-        "privacyPolicy": "informativa sulla privacy"
+        "privacyPolicy": "informativa sulla privacy."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Tienimi in loop con notizie, aggiornamenti e nuove funzionalità via e-mail."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Aggiungi Nuovo Target",
    "targetsList": "Elenco dei Target",
    "advancedMode": "Modalità Avanzata",
+    "advancedSettings": "Impostazioni Avanzate",
    "targetErrorDuplicateTargetFound": "Target duplicato trovato",
    "healthCheckHealthy": "Sano",
    "healthCheckUnhealthy": "Non Sano",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Intervallo Sano",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Il tempo è in secondi",
+    "requireDeviceApproval": "Richiede Approvazioni Dispositivo",
+    "requireDeviceApprovalDescription": "Gli utenti con questo ruolo hanno bisogno di nuovi dispositivi approvati da un amministratore prima di poter connettersi e accedere alle risorse.",
    "retryAttempts": "Tentativi di Riprova",
    "expectedResponseCodes": "Codici di Risposta Attesi",
    "expectedResponseCodesDescription": "Codice di stato HTTP che indica lo stato di salute. Se lasciato vuoto, considerato sano è compreso tra 200-300.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Nessuna risorsa interna trovata.",
    "resourcesTableDestination": "Destinazione",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Indirizzo Alias",
+    "resourcesTableAliasAddressInfo": "Questo indirizzo fa parte della subnet di utilità dell'organizzazione. È usato per risolvere i record alias usando la risoluzione DNS interna.",
    "resourcesTableClients": "Client",
    "resourcesTableAndOnlyAccessibleInternally": "e sono accessibili solo internamente quando connessi con un client.",
    "resourcesTableNoTargets": "Nessun obiettivo",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Proprietà della Risorsa",
    "createInternalResourceDialogName": "Nome",
    "createInternalResourceDialogSite": "Sito",
-    "createInternalResourceDialogSelectSite": "Seleziona sito...",
-    "createInternalResourceDialogSearchSites": "Cerca siti...",
-    "createInternalResourceDialogNoSitesFound": "Nessun sito trovato.",
+    "selectSite": "Seleziona sito...",
+    "noSitesFound": "Nessun sito trovato.",
    "createInternalResourceDialogProtocol": "Protocollo",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Nessun URL di reindirizzamento ricevuto dal provider di identità.",
    "autoLoginErrorGeneratingUrl": "Impossibile generare l'URL di autenticazione.",
    "remoteExitNodeManageRemoteExitNodes": "Nodi Remoti",
-    "remoteExitNodeDescription": "Self-host uno o più nodi remoti per estendere la connettività di rete e ridurre la dipendenza dal cloud",
+    "remoteExitNodeDescription": "Ospita in proprio i tuoi nodi server di relay e proxy remoti",
    "remoteExitNodes": "Nodi",
    "searchRemoteExitNodes": "Cerca nodi...",
    "remoteExitNodeAdd": "Aggiungi Nodo",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Conferma Eliminazione Nodo",
    "remoteExitNodeDelete": "Elimina Nodo",
    "sidebarRemoteExitNodes": "Nodi Remoti",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Segreto",
    "remoteExitNodeCreate": {
-        "title": "Crea Nodo",
-        "description": "Crea un nuovo nodo per estendere la connettività di rete",
+        "title": "Crea Nodo Remoto",
+        "description": "Crea un nuovo nodo server proxy e relay remoto ospitato in proprio",
        "viewAllButton": "Visualizza Tutti I Nodi",
        "strategy": {
            "title": "Strategia di Creazione",
-            "description": "Scegli questa opzione per configurare manualmente il nodo o generare nuove credenziali.",
+            "description": "Seleziona come desideri creare il nodo remoto",
            "adopt": {
                "title": "Adotta Nodo",
                "description": "Scegli questo se hai già le credenziali per il nodo."
            },
            "generate": {
                "title": "Genera Chiavi",
-                "description": "Scegli questa opzione se vuoi generare nuove chiavi per il nodo"
+                "description": "Scegli questa opzione se vuoi generare nuove chiavi per il nodo."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Sottorete",
    "subnetDescription": "La sottorete per la configurazione di rete di questa organizzazione.",
-    "authPage": "Pagina Autenticazione",
-    "authPageDescription": "Configura la pagina di autenticazione per l'organizzazione",
+    "customDomain": "Dominio Personalizzato",
+    "authPage": "Pagine di Autenticazione",
+    "authPageDescription": "Imposta un dominio personalizzato per le pagine di autenticazione dell'organizzazione",
    "authPageDomain": "Dominio Pagina Auth",
+    "authPageBranding": "Branding Personalizzato",
+    "authPageBrandingDescription": "Configura il branding che appare sulle pagine di autenticazione per questa organizzazione",
+    "authPageBrandingUpdated": "Branding della pagina di autenticazione aggiornato con successo",
+    "authPageBrandingRemoved": "Branding della pagina di autenticazione rimosso con successo",
+    "authPageBrandingRemoveTitle": "Rimuovere Branding Pagina di Autenticazione",
+    "authPageBrandingQuestionRemove": "Sei sicuro di voler rimuovere il branding per le pagine di autenticazione?",
+    "authPageBrandingDeleteConfirm": "Conferma Eliminazione Branding",
+    "brandingLogoURL": "URL Logo",
+    "brandingPrimaryColor": "Colore Primario",
+    "brandingLogoWidth": "Larghezza (px)",
+    "brandingLogoHeight": "Altezza (px)",
+    "brandingOrgTitle": "Titolo per la Pagina di Autenticazione dell'Organizzazione",
+    "brandingOrgDescription": "{orgName} sarà sostituito con il nome dell'organizzazione",
+    "brandingOrgSubtitle": "Sottotitolo per la Pagina di Autenticazione dell'Organizzazione",
+    "brandingResourceTitle": "Titolo per la Pagina di Autenticazione della Risorsa",
+    "brandingResourceSubtitle": "Sottotitolo per la Pagina di Autenticazione della Risorsa",
+    "brandingResourceDescription": "{resourceName} sarà sostituito con il nome dell'organizzazione",
+    "saveAuthPageDomain": "Salva Dominio",
+    "saveAuthPageBranding": "Salva Branding",
+    "removeAuthPageBranding": "Rimuovi Branding",
    "noDomainSet": "Nessun dominio impostato",
    "changeDomain": "Cambia Dominio",
    "selectDomain": "Seleziona Dominio",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Imposta Dominio Pagina Autenticazione",
    "failedToFetchCertificate": "Recupero del certificato non riuscito",
    "failedToRestartCertificate": "Riavvio del certificato non riuscito",
-    "addDomainToEnableCustomAuthPages": "Aggiungi un dominio per abilitare le pagine di autenticazione personalizzate per l'organizzazione",
+    "addDomainToEnableCustomAuthPages": "Gli utenti potranno accedere alla pagina di accesso dell'organizzazione e completare l'autenticazione delle risorse utilizzando questo dominio.",
    "selectDomainForOrgAuthPage": "Seleziona un dominio per la pagina di autenticazione dell'organizzazione",
    "domainPickerProvidedDomain": "Dominio Fornito",
    "domainPickerFreeProvidedDomain": "Dominio Fornito Gratuito",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" non può essere reso valido per {domain}.",
    "domainPickerSubdomainSanitized": "Sottodominio igienizzato",
    "domainPickerSubdomainCorrected": "\"{sub}\" è stato corretto in \"{sanitized}\"",
-    "orgAuthSignInTitle": "Accedi all'organizzazione",
+    "orgAuthSignInTitle": "Accedi all'Organizzazione",
    "orgAuthChooseIdpDescription": "Scegli il tuo provider di identità per continuare",
    "orgAuthNoIdpConfigured": "Questa organizzazione non ha nessun provider di identità configurato. Puoi accedere con la tua identità Pangolin.",
    "orgAuthSignInWithPangolin": "Accedi con Pangolino",
+    "orgAuthSignInToOrg": "Accedi a un'organizzazione",
+    "orgAuthSelectOrgTitle": "Accesso Organizzazione",
+    "orgAuthSelectOrgDescription": "Inserisci l'ID dell'organizzazione per continuare",
+    "orgAuthOrgIdPlaceholder": "la-tua-organizzazione",
+    "orgAuthOrgIdHelp": "Inserisci l'identificatore univoco della tua organizzazione",
+    "orgAuthSelectOrgHelp": "Dopo aver inserito l'ID dell'organizzazione, verrai indirizzato alla pagina di accesso dell'organizzazione dove puoi usare SSO o le credenziali dell'organizzazione.",
+    "orgAuthRememberOrgId": "Ricorda questo ID organizzazione",
+    "orgAuthBackToSignIn": "Torna alla modalità di accesso standard",
+    "orgAuthNoAccount": "Non hai un account?",
    "subscriptionRequiredToUse": "Per utilizzare questa funzionalità è necessario un abbonamento.",
    "idpDisabled": "I provider di identità sono disabilitati.",
    "orgAuthPageDisabled": "La pagina di autenticazione dell'organizzazione è disabilitata.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Abilita autenticazione a due fattori",
    "completeSecuritySteps": "Passi Di Sicurezza Completa",
    "securitySettings": "Impostazioni Di Sicurezza",
+    "dangerSection": "Zona Pericolosa",
+    "dangerSectionDescription": "Elimina permanentemente tutti i dati associati a questa organizzazione",
    "securitySettingsDescription": "Configura i criteri di sicurezza per l'organizzazione",
    "requireTwoFactorForAllUsers": "Richiede l'autenticazione a due fattori per tutti gli utenti",
    "requireTwoFactorDescription": "Se abilitata, tutti gli utenti interni di questa organizzazione devono avere un'autenticazione a due fattori abilitata per accedere all'organizzazione.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Questo influenzerà tutti gli utenti dell'organizzazione",
    "authPageErrorUpdateMessage": "Si è verificato un errore durante l'aggiornamento delle impostazioni della pagina di autenticazione",
    "authPageErrorUpdate": "Impossibile aggiornare la pagina di autenticazione",
-    "authPageUpdated": "Pagina di autenticazione aggiornata con successo",
+    "authPageDomainUpdated": "Dominio della pagina di autenticazione aggiornato con successo",
    "healthCheckNotAvailable": "Locale",
    "rewritePath": "Riscrivi percorso",
    "rewritePathDescription": "Riscrivi eventualmente il percorso prima di inoltrarlo al target.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Dispositivi Utente",
    "manageUserDevicesDescription": "Visualizza e gestisci i dispositivi che gli utenti utilizzano per connettersi privatamente alle risorse",
+    "downloadClientBannerTitle": "Scarica il Client Pangolin",
+    "downloadClientBannerDescription": "Scarica il client Pangolin per il tuo sistema per connetterti alla rete Pangolin e accedere alle risorse in modo privato.",
    "manageMachineClients": "Gestisci Client Machine",
    "manageMachineClientsDescription": "Creare e gestire client che server e sistemi utilizzano per connettersi privatamente alle risorse",
+    "machineClientsBannerTitle": "Server e Sistemi Automatizzati",
+    "machineClientsBannerDescription": "I client macchina sono destinati ai server e ai sistemi automatizzati che non sono associati a un utente specifico. Si autenticano con un ID e un segreto e possono funzionare con la CLI di Pangolin, la CLI di Olm o Olm come container.",
+    "machineClientsBannerPangolinCLI": "CLI Pangolin",
+    "machineClientsBannerOlmCLI": "CLI Olm",
+    "machineClientsBannerOlmContainer": "Container Olm",
    "clientsTableUserClients": "Utente",
    "clientsTableMachineClients": "Macchina",
    "licenseTableValidUntil": "Valido Fino A",
@@ -2060,13 +2158,15 @@
    "request": "Richiesta",
    "requests": "Richieste",
    "logs": "Registri",
-    "logsSettingsDescription": "Monitora i registri raccolti da questa orginizzazione",
+    "logsSettingsDescription": "Monitora i log raccolti da questa organizzazione",
    "searchLogs": "Cerca registro...",
    "action": "Azione",
    "actor": "Attore",
    "timestamp": "Timestamp",
    "accessLogs": "Log Accesso",
    "exportCsv": "Esporta CSV",
+    "exportError": "Errore sconosciuto durante l'esportazione del CSV",
+    "exportCsvTooltip": "All'interno dell'intervallo di tempo",
    "actorId": "Id Attore",
    "allowedByRule": "Consentito dalla regola",
    "allowedNoAuth": "Non Consentito Auth",
@@ -2120,7 +2220,7 @@
    "unverified": "Non Verificato",
    "domainSetting": "Impostazioni Dominio",
    "domainSettingDescription": "Configura le impostazioni per il dominio",
-    "preferWildcardCertDescription": "Tentativo di generare un certificato jolly (richiede un risolutore di certificati correttamente configurato).",
+    "preferWildcardCertDescription": "Tentativo di generare un certificato wildcard (richiede un resolver di certificato configurato correttamente).",
    "recordName": "Nome Record",
    "auto": "Automatico",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Il codice deve contenere 9 caratteri (es. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Codice non valido o scaduto",
    "deviceCodeVerifyFailed": "Impossibile verificare il codice del dispositivo",
+    "deviceCodeValidating": "Convalida codice dispositivo...",
+    "deviceCodeVerifying": "Verifica autorizzazione dispositivo...",
    "signedInAs": "Accesso come",
    "deviceCodeEnterPrompt": "Inserisci il codice visualizzato sul dispositivo",
    "continue": "Continua",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Accesso a tutte le organizzazioni a cui il tuo account ha accesso",
    "deviceAuthorize": "Autorizza {applicationName}",
    "deviceConnected": "Dispositivo Connesso!",
-    "deviceAuthorizedMessage": "Il dispositivo è autorizzato ad accedere al tuo account.",
+    "deviceAuthorizedMessage": "Il dispositivo è autorizzato ad accedere al tuo account. Ritorna all'applicazione client.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Visualizza Dispositivi",
    "viewDevicesDescription": "Gestisci i tuoi dispositivi connessi",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Non tu? Usa un account diverso.",
    "deviceLoginDeviceRequestingAccessToAccount": "Un dispositivo sta richiedendo l'accesso a questo account.",
+    "loginSelectAuthenticationMethod": "Selezionare un metodo di autenticazione per continuare.",
    "noData": "Nessun Dato",
    "machineClients": "Machine Clients",
    "install": "Installa",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Recupero della sottorete predefinita non riuscito",
    "setupSubnetAdvanced": "Subnet (avanzato)",
    "setupSubnetDescription": "La subnet per la rete interna di questa organizzazione.",
+    "setupUtilitySubnet": "Sottorete di Utilità (Avanzata)",
+    "setupUtilitySubnetDescription": "La sottorete per gli indirizzi alias e il server DNS di questa organizzazione.",
    "siteRegenerateAndDisconnect": "Rigenera e disconnetti",
    "siteRegenerateAndDisconnectConfirmation": "Sei sicuro di voler rigenerare le credenziali e disconnettere questo sito?",
    "siteRegenerateAndDisconnectWarning": "Questo rigenererà le credenziali e disconnetterà immediatamente il sito. Il sito dovrà essere riavviato con le nuove credenziali.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Questo rigenererà le credenziali e disconnetterà immediatamente il nodo di uscita remoto. Il nodo di uscita remoto dovrà essere riavviato con le nuove credenziali.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Sei sicuro di voler rigenerare le credenziali per questo nodo di uscita remoto?",
    "remoteExitNodeRegenerateCredentialsWarning": "Questo rigenererà le credenziali. Il nodo di uscita remoto rimarrà connesso finché non lo riavvierai manualmente e userai le nuove credenziali.",
-    "agent": "Agente"
+    "agent": "Agente",
+    "personalUseOnly": "Solo per uso personale",
+    "loginPageLicenseWatermark": "Questa istanza è concessa in licenza solo per uso personale.",
+    "instanceIsUnlicensed": "Questa istanza non è concessa in licenza.",
+    "portRestrictions": "Restrizioni sulle porte",
+    "allPorts": "Tutti",
+    "custom": "Personalizzato",
+    "allPortsAllowed": "Tutte le porte consentite",
+    "allPortsBlocked": "Tutte le porte bloccate",
+    "tcpPortsDescription": "Specifica quali porte TCP sono consentite per questa risorsa. Usa '*' per tutte le porte, lascia vuoto per bloccare tutto o inserisci un elenco di porte e intervalli separato da virgole (ad es. 80,443,8000-9000).",
+    "udpPortsDescription": "Specifica quali porte UDP sono consentite per questa risorsa. Usa '*' per tutte le porte, lascia vuoto per bloccare tutto o inserisci un elenco di porte e intervalli separato da virgole (ad es. 53,123,500-600).",
+    "organizationLoginPageTitle": "Pagina di Accesso dell'Organizzazione",
+    "organizationLoginPageDescription": "Personalizza la pagina di accesso per questa organizzazione",
+    "resourceLoginPageTitle": "Pagina di Accesso delle Risorse",
+    "resourceLoginPageDescription": "Personalizza la pagina di accesso per risorse individuali",
+    "enterConfirmation": "Inserisci conferma",
+    "blueprintViewDetails": "Dettagli",
+    "defaultIdentityProvider": "Provider di Identità Predefinito",
+    "defaultIdentityProviderDescription": "Quando viene selezionato un provider di identità predefinito, l'utente verrà automaticamente reindirizzato al provider per l'autenticazione.",
+    "editInternalResourceDialogNetworkSettings": "Impostazioni di Rete",
+    "editInternalResourceDialogAccessPolicy": "Politica di Accesso",
+    "editInternalResourceDialogAddRoles": "Aggiungi Ruoli",
+    "editInternalResourceDialogAddUsers": "Aggiungi Utenti",
+    "editInternalResourceDialogAddClients": "Aggiungi Clienti",
+    "editInternalResourceDialogDestinationLabel": "Destinazione",
+    "editInternalResourceDialogDestinationDescription": "Specifica l'indirizzo di destinazione per la risorsa interna. Può essere un hostname, indirizzo IP o un intervallo CIDR a seconda della modalità selezionata. Opzionalmente imposta un alias DNS interno per una più facile identificazione.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Limita l'accesso a porte TCP/UDP specifiche o consenti/blocca tutte le porte.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Controllo Accesso",
+    "editInternalResourceDialogAccessControlDescription": "Controlla quali ruoli, utenti e client macchina hanno accesso a questa risorsa quando connessi. Gli amministratori hanno sempre accesso.",
+    "editInternalResourceDialogPortRangeValidationError": "Il range delle porte deve essere \"*\" per tutte le porte, o un elenco di porte e intervalli separato da virgole (ad es. \"80,443,8000-9000\"). Le porte devono essere tra 1 e 65535.",
+    "orgAuthWhatsThis": "Dove posso trovare l'ID della mia organizzazione?",
+    "learnMore": "Scopri di più",
+    "backToHome": "Torna alla home",
+    "needToSignInToOrg": "Hai bisogno di utilizzare il provider di identità della tua organizzazione?",
+    "maintenanceMode": "Modalità di Manutenzione",
+    "maintenanceModeDescription": "Visualizza una pagina di manutenzione ai visitatori",
+    "maintenanceModeType": "Tipo di Modalità di Manutenzione",
+    "showMaintenancePage": "Mostra una pagina di manutenzione ai visitatori",
+    "enableMaintenanceMode": "Abilita Modalità di Manutenzione",
+    "automatic": "Automatico",
+    "automaticModeDescription": "Mostra pagina di manutenzione solo quando tutti i target del backend sono inattivi o non in salute. La tua risorsa continua a funzionare normalmente finché almeno un target è in salute.",
+    "forced": "Forzato",
+    "forcedModeDescription": "Mostra sempre la pagina di manutenzione indipendentemente dalla salute del backend. Usa questo per la manutenzione programmata quando vuoi impedire tutto l'accesso.",
+    "warning:": "Avviso:",
+    "forcedeModeWarning": "Tutto il traffico verrà indirizzato alla pagina di manutenzione. Le risorse del tuo backend non riceveranno richieste.",
+    "pageTitle": "Titolo Pagina",
+    "pageTitleDescription": "L'intestazione principale visualizzata sulla pagina di manutenzione",
+    "maintenancePageMessage": "Messaggio di Manutenzione",
+    "maintenancePageMessagePlaceholder": "Torneremo presto! Il nostro sito è attualmente in manutenzione programmata.",
+    "maintenancePageMessageDescription": "Messaggio dettagliato che spiega la manutenzione",
+    "maintenancePageTimeTitle": "Tempo di Completamento Stimato (Opzionale)",
+    "maintenanceTime": "es. 2 ore, 1 novembre alle 17:00",
+    "maintenanceEstimatedTimeDescription": "Quando prevedi che la manutenzione sarà completata",
+    "editDomain": "Modifica Dominio",
+    "editDomainDescription": "Seleziona un dominio per la tua risorsa",
+    "maintenanceModeDisabledTooltip": "Questa funzione richiede una licenza valida per essere abilitata.",
+    "maintenanceScreenTitle": "Servizio Temporaneamente Non Disponibile",
+    "maintenanceScreenMessage": "Stiamo attualmente riscontrando difficoltà tecniche. Si prega di ricontrollare a breve.",
+    "maintenanceScreenEstimatedCompletion": "Completamento Stimato:",
+    "createInternalResourceDialogDestinationRequired": "Destinazione richiesta",
+    "available": "Disponibile",
+    "archived": "Archiviato",
+    "noArchivedDevices": "Nessun dispositivo archiviato trovato",
+    "deviceArchived": "Dispositivo archiviato",
+    "deviceArchivedDescription": "Il dispositivo è stato archiviato con successo.",
+    "errorArchivingDevice": "Errore nell'archiviazione del dispositivo",
+    "failedToArchiveDevice": "Impossibile archiviare il dispositivo",
+    "deviceQuestionArchive": "È sicuro di voler archiviare questo dispositivo?",
+    "deviceMessageArchive": "Il dispositivo verrà archiviato e rimosso dalla lista dei dispositivi attivi.",
+    "deviceArchiveConfirm": "Archivia Dispositivo",
+    "archiveDevice": "Archivia Dispositivo",
+    "archive": "Archivio",
+    "deviceUnarchived": "Dispositivo non archiviato",
+    "deviceUnarchivedDescription": "Il dispositivo è stato disarchiviato con successo.",
+    "errorUnarchivingDevice": "Errore nel disarchiviare il dispositivo",
+    "failedToUnarchiveDevice": "Disarchiviazione del dispositivo non riuscita",
+    "unarchive": "Disarchivia",
+    "archiveClient": "Archivia Client",
+    "archiveClientQuestion": "È sicuro di voler archiviare questo client?",
+    "archiveClientMessage": "Il client verrà archiviato e rimosso dalla lista dei client attivi.",
+    "archiveClientConfirm": "Archivia Client",
+    "blockClient": "Blocca Client",
+    "blockClientQuestion": "Sei sicuro di voler bloccare questo client?",
+    "blockClientMessage": "Il dispositivo sarà forzato a disconnettersi se attualmente connesso. Puoi sbloccare il dispositivo più tardi.",
+    "blockClientConfirm": "Blocca Client",
+    "active": "Attivo",
+    "usernameOrEmail": "Nome utente o Email",
+    "selectYourOrganization": "Seleziona la tua organizzazione",
+    "signInTo": "Accedi a",
+    "signInWithPassword": "Continua con la password",
+    "noAuthMethodsAvailable": "Nessun metodo di autenticazione disponibile per questa organizzazione.",
+    "enterPassword": "Inserisci la tua password",
+    "enterMfaCode": "Inserisci il codice dalla tua app di autenticazione",
+    "securityKeyRequired": "Utilizza la tua chiave di sicurezza per accedere.",
+    "needToUseAnotherAccount": "Hai bisogno di utilizzare un account diverso?",
+    "loginLegalDisclaimer": "Facendo clic sui pulsanti qui sotto, si riconosce di aver letto, capire, e accettare i Termini di Servizio <termsOfService></termsOfService> e <privacyPolicy>Privacy Policy</privacyPolicy>.",
+    "termsOfService": "Termini di servizio",
+    "privacyPolicy": "Politica Sulla Privacy",
+    "userNotFoundWithUsername": "Nessun utente trovato con questo nome utente.",
+    "verify": "Verifica",
+    "signIn": "Accedi",
+    "forgotPassword": "Password dimenticata?",
+    "orgSignInTip": "Se hai effettuato l'accesso prima, puoi inserire il tuo nome utente o email qui sopra per autenticarti con il provider di identità della tua organizzazione. È più facile!",
+    "continueAnyway": "Continua comunque",
+    "dontShowAgain": "Non mostrare più",
+    "orgSignInNotice": "Lo sapevate?",
+    "signupOrgNotice": "Cercando di accedere?",
+    "signupOrgTip": "Stai cercando di accedere tramite il provider di identità della tua organizzazione?",
+    "signupOrgLink": "Accedi o registrati con la tua organizzazione",
+    "verifyEmailLogInWithDifferentAccount": "Usa un account diverso",
+    "logIn": "Log In",
+    "deviceInformation": "Informazioni Sul Dispositivo",
+    "deviceInformationDescription": "Informazioni sul dispositivo e sull'agente",
+    "deviceSecurity": "Sicurezza Del Dispositivo",
+    "deviceSecurityDescription": "Informazioni postura sicurezza dispositivo",
+    "platform": "Piattaforma",
+    "macosVersion": "versione macOS",
+    "windowsVersion": "Versione Windows",
+    "iosVersion": "Versione iOS",
+    "androidVersion": "Versione Android",
+    "osVersion": "Versione OS",
+    "kernelVersion": "Versione Del Kernel",
+    "deviceModel": "Modello Di Dispositivo",
+    "serialNumber": "Numero D'Ordine",
+    "hostname": "Hostname",
+    "firstSeen": "Prima Visto",
+    "lastSeen": "Visto L'Ultima",
+    "biometricsEnabled": "Biometria Abilitata",
+    "diskEncrypted": "Cifratura Del Disco",
+    "firewallEnabled": "Firewall Abilitato",
+    "autoUpdatesEnabled": "Aggiornamenti Automatici Abilitati",
+    "tpmAvailable": "TPM Disponibile",
+    "macosSipEnabled": "Protezione Dell'Integrità Del Sistema (Sip)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Furtivo Del Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Visualizza informazioni e impostazioni del dispositivo",
+    "devicePendingApprovalDescription": "Questo dispositivo è in attesa di approvazione",
+    "deviceBlockedDescription": "Questo dispositivo è attualmente bloccato. Non sarà in grado di connettersi a nessuna risorsa a meno che non sia sbloccato.",
+    "unblockClient": "Sblocca Client",
+    "unblockClientDescription": "Il dispositivo è stato sbloccato",
+    "unarchiveClient": "Annulla Archiviazione Client",
+    "unarchiveClientDescription": "Il dispositivo è stato disarchiviato",
+    "block": "Blocca",
+    "unblock": "Sblocca",
+    "deviceActions": "Azioni Dispositivo",
+    "deviceActionsDescription": "Gestisci lo stato del dispositivo e l'accesso",
+    "devicePendingApprovalBannerDescription": "Questo dispositivo è in attesa di approvazione. Non sarà in grado di connettersi alle risorse fino all'approvazione.",
+    "connected": "Connesso",
+    "disconnected": "Disconnesso",
+    "approvalsEmptyStateTitle": "Approvazioni Dispositivo Non Abilitato",
+    "approvalsEmptyStateDescription": "Abilita le approvazioni del dispositivo per i ruoli per richiedere l'approvazione dell'amministratore prima che gli utenti possano collegare nuovi dispositivi.",
+    "approvalsEmptyStateStep1Title": "Vai ai ruoli",
+    "approvalsEmptyStateStep1Description": "Vai alle impostazioni dei ruoli della tua organizzazione per configurare le approvazioni del dispositivo.",
+    "approvalsEmptyStateStep2Title": "Abilita Approvazioni Dispositivo",
+    "approvalsEmptyStateStep2Description": "Modifica un ruolo e abilita l'opzione 'Richiedi l'approvazione del dispositivo'. Gli utenti con questo ruolo avranno bisogno dell'approvazione dell'amministratore per i nuovi dispositivi.",
+    "approvalsEmptyStatePreviewDescription": "Anteprima: quando abilitato, le richieste di dispositivo in attesa appariranno qui per la revisione",
+    "approvalsEmptyStateButtonText": "Gestisci Ruoli"
 }
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "조직, 사이트 및 리소스를 생성합니다.",
+    "headerAuthCompatibilityInfo": "인증 토큰이 없을 때 401 Unauthorized 응답을 강제하도록 설정합니다. 서버 챌린지 없이 자격 증명을 제공하지 않는 브라우저나 특정 HTTP 라이브러리에 필요합니다.",
+    "headerAuthCompatibility": "확장된 호환성",
    "setupNewOrg": "새 조직",
    "setupCreateOrg": "조직 생성",
    "setupCreateResources": "리소스 생성",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "조직에서 사이트를 제거하시겠습니까?",
    "siteManageSites": "사이트 관리",
    "siteDescription": "프라이빗 네트워크로의 연결을 활성화하려면 사이트를 생성하고 관리하세요.",
+    "sitesBannerTitle": "모든 네트워크 연결",
+    "sitesBannerDescription": "사이트는 원격 네트워크와의 연결로 Pangolin이 어디서나 사용자에게 공공 및 개인 리소스에 대한 접근을 제공할 수 있게 해 줍니다. 연결을 설정하려면 바이너리 또는 컨테이너로 실행할 수 있는 어디서든 사이트 네트워크 커넥터(Newt)를 설치하세요.",
+    "sitesBannerButtonText": "사이트 설치",
+    "approvalsBannerTitle": "장치 접근 승인 또는 거부",
+    "approvalsBannerDescription": "사용자의 장치 접근 요청을 검토하고 승인하거나 거부하세요. 장치 승인 요구 시, 관리자의 승인이 필요합니다.",
+    "approvalsBannerButtonText": "자세히 알아보기",
    "siteCreate": "사이트 생성",
    "siteCreateDescription2": "아래 단계를 따라 새 사이트를 생성하고 연결하십시오",
    "siteCreateDescription": "리소스를 연결하기 위해 새 사이트를 생성하세요.",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "사이트에 연결하는 방법을 결정하세요.",
    "siteNewtCredentials": "자격 증명",
    "siteNewtCredentialsDescription": "이것이 사이트가 서버와 인증하는 방법입니다.",
+    "remoteNodeCredentialsDescription": "원격 노드가 서버와 인증하는 방법입니다.",
    "siteCredentialsSave": "자격 증명 저장",
    "siteCredentialsSaveDescription": "이것은 한 번만 볼 수 있습니다. 안전한 장소에 복사해 두세요.",
    "siteInfo": "사이트 정보",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "리소스를 선택하세요",
    "proxyResourceTitle": "공개 리소스 관리",
    "proxyResourceDescription": "웹 브라우저를 통해 공용으로 접근할 수 있는 리소스를 생성하고 관리하세요.",
+    "proxyResourcesBannerTitle": "웹 기반 공공 접근",
+    "proxyResourcesBannerDescription": "공공 자원은 누구나 웹 브라우저를 통해 접근 가능한 HTTPS 또는 TCP/UDP 프록시입니다. 개인 자원과 달리 클라이언트 측 소프트웨어가 필요하지 않으며, 아이덴티티 및 컨텍스트 인지 접근 정책을 포함할 수 있습니다.",
    "clientResourceTitle": "개인 리소스 관리",
    "clientResourceDescription": "연결된 클라이언트를 통해서만 접근할 수 있는 리소스를 생성하고 관리하세요.",
+    "privateResourcesBannerTitle": "제로 트러스트 개인 접근",
+    "privateResourcesBannerDescription": "개인 리소스는 제로 트러스트 보안을 사용하여, 사용자와 장치가 명시적으로 허용된 리소스에만 접근할 수 있도록 보장합니다. 이러한 리소스에 접근하려면 안전한 가상 사설 네트워크를 통해 사용자 장치 또는 머신 클라이언트를 연결하십시오.",
    "resourcesSearch": "리소스 검색...",
    "resourceAdd": "리소스 추가",
    "resourceErrorDelte": "리소스 삭제 중 오류 발생",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "제거되면 리소스에 더 이상 접근할 수 없습니다. 리소스와 연결된 모든 대상도 제거됩니다.",
    "resourceQuestionRemove": "조직에서 리소스를 제거하시겠습니까?",
    "resourceHTTP": "HTTPS 리소스",
-    "resourceHTTPDescription": "서브도메인이나 기본 도메인을 사용하여 HTTPS를 통해 앱에 대한 요청을 프록시합니다.",
+    "resourceHTTPDescription": "완전한 도메인 이름을 사용해 RAW 또는 HTTPS로 프록시 요청을 수행합니다.",
    "resourceRaw": "원시 TCP/UDP 리소스",
-    "resourceRawDescription": "TCP/UDP를 사용하여 포트 번호를 통해 앱에 요청을 프록시합니다. 이 기능은 사이트가 노드에 연결될 때만 작동합니다.",
+    "resourceRawDescription": "포트 번호를 사용하여 RAW TCP/UDP로 요청을 프록시합니다.",
    "resourceCreate": "리소스 생성",
    "resourceCreateDescription": "아래 단계를 따라 새 리소스를 생성하세요.",
    "resourceSeeAll": "모든 리소스 보기",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "역할 검색...",
    "accessRolesAdd": "역할 추가",
    "accessRoleDelete": "역할 삭제",
+    "accessApprovalsManage": "승인 관리",
+    "accessApprovalsDescription": "이 조직의 접근 승인 대기를 보고 관리하세요.",
    "description": "설명",
    "inviteTitle": "열린 초대",
    "inviteDescription": "다른 사용자가 조직에 참여하도록 초대장을 관리합니다.",
@@ -440,6 +455,18 @@
    "selectDuration": "지속 시간 선택",
    "selectResource": "리소스 선택",
    "filterByResource": "리소스별 필터",
+    "selectApprovalState": "승인 상태 선택",
+    "filterByApprovalState": "승인 상태로 필터링",
+    "approvalListEmpty": "승인이 없습니다.",
+    "approvalState": "승인 상태",
+    "approve": "승인",
+    "approved": "승인됨",
+    "denied": "거부됨",
+    "deniedApproval": "승인 거부됨",
+    "all": "모두",
+    "deny": "거부",
+    "viewDetails": "세부 정보 보기",
+    "requestingNewDeviceApproval": "새 장치를 요청함",
    "resetFilters": "필터 재설정",
    "totalBlocked": "Pangolin으로 차단된 요청",
    "totalRequests": "총 요청 수",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "관리자는 항상 이 리소스에 접근할 수 있습니다.",
    "resourceUsersRoles": "접근 제어",
    "resourceUsersRolesDescription": "이 리소스를 방문할 수 있는 사용자 및 역할을 구성하십시오",
-    "resourceUsersRolesSubmit": "사용자 및 역할 저장",
+    "resourceUsersRolesSubmit": "접근 제어 저장",
    "resourceWhitelistSave": "성공적으로 저장되었습니다.",
    "resourceWhitelistSaveDescription": "허용 목록 설정이 저장되었습니다.",
    "ssoUse": "플랫폼 SSO 사용",
@@ -719,16 +746,28 @@
    "countries": "국가",
    "accessRoleCreate": "역할 생성",
    "accessRoleCreateDescription": "사용자를 그룹화하고 권한을 관리하기 위해 새 역할을 생성하세요.",
+    "accessRoleEdit": "역할 편집",
+    "accessRoleEditDescription": "역할 정보 편집.",
    "accessRoleCreateSubmit": "역할 생성",
    "accessRoleCreated": "역할이 생성되었습니다.",
    "accessRoleCreatedDescription": "역할이 성공적으로 생성되었습니다.",
    "accessRoleErrorCreate": "역할 생성 실패",
    "accessRoleErrorCreateDescription": "역할 생성 중 오류가 발생했습니다.",
+    "accessRoleUpdateSubmit": "역할 업데이트",
+    "accessRoleUpdated": "역할 업데이트됨",
+    "accessRoleUpdatedDescription": "역할이 성공적으로 업데이트되었습니다.",
+    "accessApprovalUpdated": "승인 처리됨",
+    "accessApprovalApprovedDescription": "승인 요청을 승인으로 설정.",
+    "accessApprovalDeniedDescription": "승인 요청을 거부로 설정.",
+    "accessRoleErrorUpdate": "역할 업데이트 실패",
+    "accessRoleErrorUpdateDescription": "역할 업데이트 중 오류 발생.",
+    "accessApprovalErrorUpdate": "승인 처리 실패",
+    "accessApprovalErrorUpdateDescription": "승인 처리 중 오류가 발생했습니다.",
    "accessRoleErrorNewRequired": "새 역할이 필요합니다.",
    "accessRoleErrorRemove": "역할 제거에 실패했습니다.",
    "accessRoleErrorRemoveDescription": "역할을 제거하는 동안 오류가 발생했습니다.",
    "accessRoleName": "역할 이름",
-    "accessRoleQuestionRemove": "{name} 역할을 삭제하려고 합니다. 이 작업은 취소할 수 없습니다.",
+    "accessRoleQuestionRemove": "`{name}` 역할을 삭제하려고 합니다. 이 작업은 되돌릴 수 없습니다.",
    "accessRoleRemove": "역할 제거",
    "accessRoleRemoveDescription": "조직에서 역할 제거",
    "accessRoleRemoveSubmit": "역할 제거",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "조직에 대한 접근을 구성하십시오.",
    "idpUpdatedDescription": "아이덴티티 제공자가 성공적으로 업데이트되었습니다",
    "redirectUrl": "리디렉션 URL",
+    "orgIdpRedirectUrls": "리디렉션 URL",
    "redirectUrlAbout": "리디렉션 URL에 대한 정보",
    "redirectUrlAboutDescription": "사용자가 인증 후 리디렉션될 URL입니다. 이 URL을 신원 제공자 설정에서 구성해야 합니다.",
    "pangolinAuth": "인증 - 판골린",
@@ -945,11 +985,11 @@
    "pincodeAuth": "인증 코드",
    "pincodeSubmit2": "코드 제출",
    "passwordResetSubmit": "재설정 요청",
-    "passwordResetAlreadyHaveCode": "비밀번호 초기화 코드를 입력하세요",
+    "passwordResetAlreadyHaveCode": "코드를 입력하십시오.",
    "passwordResetSmtpRequired": "관리자에게 문의하십시오",
    "passwordResetSmtpRequiredDescription": "비밀번호를 재설정하려면 비밀번호 초기화 코드가 필요합니다. 지원을 받으려면 관리자에게 문의하십시오.",
    "passwordBack": "비밀번호로 돌아가기",
-    "loginBack": "로그인으로 돌아가기",
+    "loginBack": "메인 로그인 페이지로 돌아갑니다.",
    "signup": "가입하기",
    "loginStart": "시작하려면 로그인하세요.",
    "idpOidcTokenValidating": "OIDC 토큰 검증 중",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "조직 사용자 업데이트",
    "createOrgUser": "조직 사용자 생성",
    "actionUpdateOrg": "조직 업데이트",
+    "actionRemoveInvitation": "초대 제거",
    "actionUpdateUser": "사용자 업데이트",
    "actionGetUser": "사용자 조회",
    "actionGetOrgUser": "조직 사용자 가져오기",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "사이트 가져오기",
    "actionListSites": "사이트 목록",
    "actionApplyBlueprint": "청사진 적용",
+    "actionListBlueprints": "청사진 목록",
+    "actionGetBlueprint": "청사진 가져오기",
    "setupToken": "설정 토큰",
    "setupTokenDescription": "서버 콘솔에서 설정 토큰 입력.",
    "setupTokenRequired": "설정 토큰이 필요합니다",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "IDP 조직 업데이트",
    "actionCreateClient": "클라이언트 생성",
    "actionDeleteClient": "클라이언트 삭제",
+    "actionArchiveClient": "클라이언트 보관",
+    "actionUnarchiveClient": "클라이언트 보관 취소",
+    "actionBlockClient": "클라이언트 차단",
+    "actionUnblockClient": "클라이언트 차단 해제",
    "actionUpdateClient": "클라이언트 업데이트",
    "actionListClients": "클라이언트 목록",
    "actionGetClient": "클라이언트 가져오기",
@@ -1120,14 +1167,14 @@
    "searchProgress": "검색...",
    "create": "생성",
    "orgs": "조직",
-    "loginError": "로그인 중 오류가 발생했습니다",
-    "loginRequiredForDevice": "장치를 인증하려면 로그인이 필요합니다.",
+    "loginError": "예기치 않은 오류가 발생했습니다. 다시 시도해주세요.",
+    "loginRequiredForDevice": "로그인이 필요합니다.",
    "passwordForgot": "비밀번호를 잊으셨나요?",
    "otpAuth": "이중 인증",
    "otpAuthDescription": "인증 앱에서 코드를 입력하거나 단일 사용 백업 코드 중 하나를 입력하세요.",
    "otpAuthSubmit": "코드 제출",
    "idpContinue": "또는 계속 진행하십시오.",
-    "otpAuthBack": "로그인으로 돌아가기",
+    "otpAuthBack": "비밀번호로 돌아가기",
    "navbar": "탐색 메뉴",
    "navbarDescription": "애플리케이션의 주요 탐색 메뉴",
    "navbarDocsLink": "문서",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "개요",
    "sidebarHome": "홈",
    "sidebarSites": "사이트",
+    "sidebarApprovals": "승인 요청",
    "sidebarResources": "리소스",
    "sidebarProxyResources": "공유",
    "sidebarClientResources": "비공개",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "신원 공급자",
    "sidebarLicense": "라이선스",
    "sidebarClients": "클라이언트",
-    "sidebarUserDevices": "사용자",
+    "sidebarUserDevices": "사용자 장치",
    "sidebarMachineClients": "기계",
    "sidebarDomains": "도메인",
-    "sidebarGeneral": "일반",
+    "sidebarGeneral": "관리",
    "sidebarLogAndAnalytics": "로그 & 통계",
    "sidebarBluePrints": "청사진",
    "sidebarOrganization": "조직",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "서버 관리자 계정을 생성하는 동안 오류가 발생했습니다.",
    "certificateStatus": "인증서 상태",
    "loading": "로딩 중",
+    "loadingAnalytics": "분석 로딩 중",
    "restart": "재시작",
    "domains": "도메인",
    "domainsDescription": "조직에서 사용 가능한 도메인 생성 및 관리",
@@ -1290,6 +1339,7 @@
    "refreshError": "데이터 새로고침 실패",
    "verified": "검증됨",
    "pending": "대기 중",
+    "pendingApproval": "승인 대기 중",
    "sidebarBilling": "청구",
    "billing": "청구",
    "orgBillingDescription": "청구 정보 및 구독을 관리하세요",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "계정 설정이 완료되었습니다! 판골린에 오신 것을 환영합니다!",
    "documentation": "문서",
    "saveAllSettings": "모든 설정 저장",
+    "saveResourceTargets": "대상 저장",
+    "saveResourceHttp": "프록시 설정 저장",
+    "saveProxyProtocol": "프록시 프로토콜 설정 저장",
    "settingsUpdated": "설정이 업데이트되었습니다",
-    "settingsUpdatedDescription": "모든 설정이 성공적으로 업데이트되었습니다",
+    "settingsUpdatedDescription": "설정이 성공적으로 업데이트되었습니다.",
    "settingsErrorUpdate": "설정 업데이트 실패",
    "settingsErrorUpdateDescription": "설정을 업데이트하는 동안 오류가 발생했습니다",
    "sidebarCollapse": "줄이기",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "보안 키가 성공적으로 제거되었습니다",
    "securityKeyRemoveError": "보안 키 제거 실패",
    "securityKeyLoadError": "보안 키를 불러오는 데 실패했습니다",
-    "securityKeyLogin": "보안 키로 계속하기",
+    "securityKeyLogin": "보안 키 사용",
    "securityKeyAuthError": "보안 키를 사용한 인증 실패",
    "securityKeyRecommendation": "항상 계정에 액세스할 수 있도록 다른 장치에 백업 보안 키를 등록하세요.",
    "registering": "등록 중...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "동의합니다",
        "termsOfService": "서비스 약관",
        "and": "및",
-        "privacyPolicy": "개인 정보 보호 정책"
+        "privacyPolicy": "개인 정보 보호 정책."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "이메일을 통해 소식, 업데이트 및 새로운 기능을 받아보세요."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "새 대상 추가",
    "targetsList": "대상 목록",
    "advancedMode": "고급 모드",
+    "advancedSettings": "고급 설정",
    "targetErrorDuplicateTargetFound": "중복 대상 발견",
    "healthCheckHealthy": "정상",
    "healthCheckUnhealthy": "비정상",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "정상 간격",
    "timeoutSeconds": "타임아웃(초)",
    "timeIsInSeconds": "시간은 초 단위입니다",
+    "requireDeviceApproval": "장치 승인 요구",
+    "requireDeviceApprovalDescription": "이 역할을 가진 사용자는 장치가 연결되기 전에 관리자의 승인이 필요합니다.",
    "retryAttempts": "재시도 횟수",
    "expectedResponseCodes": "예상 응답 코드",
    "expectedResponseCodesDescription": "정상 상태를 나타내는 HTTP 상태 코드입니다. 비워 두면 200-300이 정상으로 간주됩니다.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "내부 리소스를 찾을 수 없습니다.",
    "resourcesTableDestination": "대상지",
    "resourcesTableAlias": "별칭",
+    "resourcesTableAliasAddress": "별칭 주소",
+    "resourcesTableAliasAddressInfo": "이 주소는 조직의 유틸리티 서브넷의 일부로, 내부 DNS 해석을 사용하여 별칭 레코드를 해석하는 데 사용됩니다.",
    "resourcesTableClients": "클라이언트",
    "resourcesTableAndOnlyAccessibleInternally": "클라이언트와 연결되었을 때만 내부적으로 접근 가능합니다.",
    "resourcesTableNoTargets": "대상 없음",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "리소스 속성",
    "createInternalResourceDialogName": "이름",
    "createInternalResourceDialogSite": "사이트",
-    "createInternalResourceDialogSelectSite": "사이트 선택...",
-    "createInternalResourceDialogSearchSites": "사이트 검색...",
-    "createInternalResourceDialogNoSitesFound": "사이트를 찾을 수 없습니다.",
+    "selectSite": "사이트 선택...",
+    "noSitesFound": "사이트를 찾을 수 없습니다.",
    "createInternalResourceDialogProtocol": "프로토콜",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "사이트의 내부 주소. 조직의 서브넷 내에 있어야 합니다.",
    "siteNameDescription": "나중에 변경할 수 있는 사이트의 표시 이름입니다.",
    "autoLoginExternalIdp": "외부 IDP로 자동 로그인",
-    "autoLoginExternalIdpDescription": "인증을 위해 외부 IDP로 사용자를 즉시 리디렉션합니다.",
+    "autoLoginExternalIdpDescription": "인증을 위해 사용자를 외부 IDP로 즉시 리디렉션합니다.",
    "selectIdp": "IDP 선택",
    "selectIdpPlaceholder": "IDP 선택...",
    "selectIdpRequired": "자동 로그인이 활성화된 경우 IDP를 선택하십시오.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "ID 공급자로부터 리디렉션 URL을 받지 못했습니다.",
    "autoLoginErrorGeneratingUrl": "인증 URL 생성 실패.",
    "remoteExitNodeManageRemoteExitNodes": "원격 노드",
-    "remoteExitNodeDescription": "하나 이상의 원격 노드를 자체 호스팅하여 네트워크 연결을 확장하고 클라우드에 대한 의존도를 줄입니다.",
+    "remoteExitNodeDescription": "자체 원격 중계 및 프록시 서버 노드를 호스팅하십시오.",
    "remoteExitNodes": "노드",
    "searchRemoteExitNodes": "노드 검색...",
    "remoteExitNodeAdd": "노드 추가",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "노드 삭제 확인",
    "remoteExitNodeDelete": "노드 삭제",
    "sidebarRemoteExitNodes": "원격 노드",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "비밀",
    "remoteExitNodeCreate": {
-        "title": "노드 생성",
-        "description": "네트워크 연결성을 확장하기 위해 새 노드를 생성하세요",
+        "title": "원격 노드 생성",
+        "description": "새로운 자체 호스팅 원격 중계 및 프록시 서버 노드를 생성하십시오.",
        "viewAllButton": "모든 노드 보기",
        "strategy": {
            "title": "생성 전략",
-            "description": "노드를 직접 구성하거나 새 자격 증명을 생성하려면 이것을 선택하세요.",
+            "description": "원격 노드를 생성하는 방법을 선택합니다.",
            "adopt": {
                "title": "노드 채택",
                "description": "이미 노드의 자격 증명이 있는 경우 이것을 선택하세요."
            },
            "generate": {
                "title": "키 생성",
-                "description": "노드에 대한 새 키를 생성하려면 이것을 선택하세요"
+                "description": "노드에 대한 새 키를 생성하려면 이것을 선택하세요."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC 공급자",
    "subnet": "서브넷",
    "subnetDescription": "이 조직의 네트워크 구성에 대한 서브넷입니다.",
+    "customDomain": "사용자 정의 도메인",
    "authPage": "인증 페이지",
-    "authPageDescription": "조직에 대한 인증 페이지를 구성합니다.",
+    "authPageDescription": "조직의 인증 페이지에 대한 사용자 정의 도메인을 설정하세요.",
    "authPageDomain": "인증 페이지 도메인",
+    "authPageBranding": "사용자 정의 브랜딩",
+    "authPageBrandingDescription": "이 조직의 인증 페이지에 표시될 브랜딩을 구성합니다.",
+    "authPageBrandingUpdated": "인증 페이지 브랜딩이 성공적으로 업데이트되었습니다.",
+    "authPageBrandingRemoved": "인증 페이지 브랜딩이 성공적으로 제거되었습니다.",
+    "authPageBrandingRemoveTitle": "인증 페이지 브랜딩 제거",
+    "authPageBrandingQuestionRemove": "인증 페이지의 브랜딩을 제거하시겠습니까?",
+    "authPageBrandingDeleteConfirm": "브랜딩 삭제 확인",
+    "brandingLogoURL": "로고 URL",
+    "brandingPrimaryColor": "기본 색상",
+    "brandingLogoWidth": "너비(px)",
+    "brandingLogoHeight": "높이(px)",
+    "brandingOrgTitle": "조직 인증 페이지의 제목",
+    "brandingOrgDescription": "{orgName}은 조직의 이름으로 대체됩니다.",
+    "brandingOrgSubtitle": "조직 인증 페이지의 부제목",
+    "brandingResourceTitle": "리소스 인증 페이지의 제목",
+    "brandingResourceSubtitle": "리소스 인증 페이지의 부제목",
+    "brandingResourceDescription": "{resourceName} 은 조직의 이름으로 대체됩니다.",
+    "saveAuthPageDomain": "도메인 저장",
+    "saveAuthPageBranding": "브랜딩 저장",
+    "removeAuthPageBranding": "브랜딩 제거",
    "noDomainSet": "도메인 설정 없음",
    "changeDomain": "도메인 변경",
    "selectDomain": "도메인 선택",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "인증 페이지 도메인 설정",
    "failedToFetchCertificate": "인증서 가져오기 실패",
    "failedToRestartCertificate": "인증서 재시작 실패",
-    "addDomainToEnableCustomAuthPages": "조직의 맞춤 인증 페이지를 활성화하려면 도메인을 추가하세요.",
+    "addDomainToEnableCustomAuthPages": "사용자는 이 도메인을 사용하여 조직의 로그인 페이지에 액세스하고 리소스 인증을 완료할 수 있습니다.",
    "selectDomainForOrgAuthPage": "조직 인증 페이지에 대한 도메인을 선택하세요.",
    "domainPickerProvidedDomain": "제공된 도메인",
    "domainPickerFreeProvidedDomain": "무료 제공된 도메인",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\"을(를) {domain}에 대해 유효하게 만들 수 없습니다.",
    "domainPickerSubdomainSanitized": "하위 도메인 정리됨",
    "domainPickerSubdomainCorrected": "\"{sub}\"이(가) \"{sanitized}\"로 수정되었습니다",
-    "orgAuthSignInTitle": "조직에 로그인",
+    "orgAuthSignInTitle": "조직 로그인",
    "orgAuthChooseIdpDescription": "계속하려면 신원 공급자를 선택하세요.",
    "orgAuthNoIdpConfigured": "이 조직은 구성된 신원 공급자가 없습니다. 대신 Pangolin 아이덴티티로 로그인할 수 있습니다.",
    "orgAuthSignInWithPangolin": "Pangolin으로 로그인",
+    "orgAuthSignInToOrg": "조직에 로그인",
+    "orgAuthSelectOrgTitle": "조직 로그인",
+    "orgAuthSelectOrgDescription": "계속하려면 조직 ID를 입력하십시오.",
+    "orgAuthOrgIdPlaceholder": "your-organization",
+    "orgAuthOrgIdHelp": "조직의 고유 식별자를 입력하십시오.",
+    "orgAuthSelectOrgHelp": "조직 ID를 입력하면, SSO 또는 조직 인증 정보를 사용할 수 있는 조직의 로그인 페이지로 이동합니다.",
+    "orgAuthRememberOrgId": "이 조직 ID 기억하기",
+    "orgAuthBackToSignIn": "표준 로그인을 통해 돌아가기",
+    "orgAuthNoAccount": "계정이 없으신가요?",
    "subscriptionRequiredToUse": "이 기능을 사용하려면 구독이 필요합니다.",
    "idpDisabled": "신원 공급자가 비활성화되었습니다.",
    "orgAuthPageDisabled": "조직 인증 페이지가 비활성화되었습니다.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "이중 인증 활성화",
    "completeSecuritySteps": "보안 단계 완료",
    "securitySettings": "보안 설정",
+    "dangerSection": "위험 구역",
+    "dangerSectionDescription": "이 조직에 관련된 모든 데이터를 영구적으로 삭제합니다.",
    "securitySettingsDescription": "조직의 보안 정책을 구성하세요",
    "requireTwoFactorForAllUsers": "모든 사용자에 대해 이중 인증 요구",
    "requireTwoFactorDescription": "활성화되면, 이 조직의 모든 내부 사용자는 조직에 접근하기 위해 이중 인증을 활성화해야 합니다.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "이 작업은 조직의 모든 사용자에게 영향을 미칩니다",
    "authPageErrorUpdateMessage": "인증 페이지 설정을 업데이트하는 동안 오류가 발생했습니다",
    "authPageErrorUpdate": "인증 페이지를 업데이트할 수 없습니다",
-    "authPageUpdated": "인증 페이지가 성공적으로 업데이트되었습니다",
+    "authPageDomainUpdated": "인증 페이지 도메인이 성공적으로 업데이트되었습니다.",
    "healthCheckNotAvailable": "로컬",
    "rewritePath": "경로 재작성",
    "rewritePathDescription": "대상으로 전달하기 전에 경로를 선택적으로 재작성합니다.",
@@ -1915,8 +2006,15 @@
    "beta": "베타",
    "manageUserDevices": "사용자 초대를 제어",
    "manageUserDevicesDescription": "리소스에 개인적으로 연결하기 위해 사용자가 사용하는 장치를 보고 관리하세요",
+    "downloadClientBannerTitle": "Pangolin 클라이언트 다운로드",
+    "downloadClientBannerDescription": "Pangolin 네트워크에 연결하고 리소스를 비공개로 접근하기위해 시스템에 맞는 Pangolin 클라이언트를 다운로드하십시오.",
    "manageMachineClients": "기계 클라이언트 관리",
    "manageMachineClientsDescription": "서버와 시스템이 리소스에 개인적으로 연결하는 데 사용하는 클라이언트를 생성하고 관리하십시오",
+    "machineClientsBannerTitle": "서버 및 자동 시스템",
+    "machineClientsBannerDescription": "머신 클라이언트는 특정 사용자와 연결되지 않은 서버 및 자동화된 시스템을 위한 것입니다. 이들은 ID와 비밀을 통해 인증하며, Pangolin CLI, Olm CLI, 또는 Olm 컨테이너로 실행될 수 있습니다.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm 컨테이너",
    "clientsTableUserClients": "사용자",
    "clientsTableMachineClients": "기계",
    "licenseTableValidUntil": "유효 기한",
@@ -2060,13 +2158,15 @@
    "request": "요청",
    "requests": "요청",
    "logs": "로그",
-    "logsSettingsDescription": "이 조직에서 수집된 로그를 모니터링합니다",
+    "logsSettingsDescription": "이 조직에서 수집된 로그를 모니터링합니다.",
    "searchLogs": "로그 검색...",
    "action": "작업",
    "actor": "행위자",
    "timestamp": "타임스탬프",
    "accessLogs": "접근 로그",
    "exportCsv": "CSV 내보내기",
+    "exportError": "CSV로 내보내는 중 알 수 없는 오류가 발생했습니다.",
+    "exportCsvTooltip": "시간 범위 내",
    "actorId": "행위자 ID",
    "allowedByRule": "룰에 의해 허용됨",
    "allowedNoAuth": "인증 없음 허용됨",
@@ -2120,7 +2220,7 @@
    "unverified": "검증되지 않음",
    "domainSetting": "도메인 설정",
    "domainSettingDescription": "도메인 설정 구성",
-    "preferWildcardCertDescription": "와일드카드 인증서를 생성하려고 시도합니다 (올바르게 구성된 인증서 해결사가 필요합니다).",
+    "preferWildcardCertDescription": "와일드카드 인증서를 생성하려고 시도합니다(적절한 인증서 해결 장치가 필요).",
    "recordName": "레코드 이름",
    "auto": "자동",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "코드는 9자리여야 합니다 (예: A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "무효하거나 만료된 코드",
    "deviceCodeVerifyFailed": "이메일 확인에 실패했습니다:",
+    "deviceCodeValidating": "장치 코드 검증 중...",
+    "deviceCodeVerifying": "장치 권한 검증 중...",
    "signedInAs": "로그인한 사용자",
    "deviceCodeEnterPrompt": "기기에 표시된 코드를 입력하세요",
    "continue": "계속 진행하기",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "계정이 접근할 수 있는 모든 조직에 대한 접근",
    "deviceAuthorize": "{applicationName} 권한 부여",
    "deviceConnected": "장치가 연결되었습니다!",
-    "deviceAuthorizedMessage": "장치가 계정에 액세스할 수 있도록 승인되었습니다.",
+    "deviceAuthorizedMessage": "장치가 계정 접속을 승인받았습니다. 클라이언트 응용프로그램으로 돌아가세요.",
    "pangolinCloud": "판골린 클라우드",
    "viewDevices": "장치 보기",
    "viewDevicesDescription": "연결된 장치를 관리하십시오",
@@ -2246,6 +2348,7 @@
    "identifier": "식별자",
    "deviceLoginUseDifferentAccount": "본인이 아닙니까? 다른 계정을 사용하세요.",
    "deviceLoginDeviceRequestingAccessToAccount": "장치가 이 계정에 접근하려고 합니다.",
+    "loginSelectAuthenticationMethod": "계속하려면 인증 방법을 선택하세요.",
    "noData": "데이터 없음",
    "machineClients": "기계 클라이언트",
    "install": "설치",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "기본값 로드 실패",
    "setupSubnetAdvanced": "서브넷(고급)",
    "setupSubnetDescription": "이 조직의 네트워크 구성에 대한 서브넷입니다.",
+    "setupUtilitySubnet": "유틸리티 서브넷 (고급)",
+    "setupUtilitySubnetDescription": "이 조직의 별칭 주소 및 DNS 서버에 대한 서브넷입니다.",
    "siteRegenerateAndDisconnect": "재생성 및 연결 해제",
    "siteRegenerateAndDisconnectConfirmation": "자격 증명을 재생성하고 이 사이트와의 연결을 해제하시겠습니까?",
    "siteRegenerateAndDisconnectWarning": "이 과정은 자격 증명을 다시 생성하고 사이트와의 연결을 즉시 해제합니다. 사이트는 새 자격 증명으로 다시 시작되어야 합니다.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "이 과정은 자격 증명을 다시 생성하고 원격 종료 노드와의 연결을 즉시 해제합니다. 원격 종료 노드는 새 자격 증명으로 다시 시작되어야 합니다.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "이 원격 종료 노드에 대한 자격 증명을 다시 생성하시겠습니까?",
    "remoteExitNodeRegenerateCredentialsWarning": "이 과정은 자격 증명을 다시 생성합니다. 수동으로 다시 시작하고 새 자격 증명을 사용하기 전까지 원격 종료 노드는 연결된 상태로 유지됩니다.",
-    "agent": "에이전트"
+    "agent": "에이전트",
+    "personalUseOnly": "개인 용도로만 사용",
+    "loginPageLicenseWatermark": "이 인스턴스는 개인 용도로만 라이선스가 부여되었습니다.",
+    "instanceIsUnlicensed": "이 인스턴스에는 라이선스가 없습니다.",
+    "portRestrictions": "포트 제한",
+    "allPorts": "모두",
+    "custom": "사용자 정의",
+    "allPortsAllowed": "모든 포트 허용",
+    "allPortsBlocked": "모든 포트 차단",
+    "tcpPortsDescription": "이 리소스에 허용된 TCP 포트를 지정하세요. 모든 포트에 '*'를 사용하고, 모든 포트를 차단하려면 비워두거나 쉼표로 구분된 포트 및 범위 목록(예: 80,443,8000-9000)을 입력하십시오.",
+    "udpPortsDescription": "이 리소스에 허용된 UDP 포트를 지정하세요. 모든 포트에 '*'를 사용하고, 모든 포트를 차단하려면 비워두거나 쉼표로 구분된 포트 및 범위 목록(예: 53,123,500-600)을 입력하십시오.",
+    "organizationLoginPageTitle": "조직 로그인 페이지",
+    "organizationLoginPageDescription": "이 조직의 로그인 페이지를 사용자 정의합니다.",
+    "resourceLoginPageTitle": "리소스 로그인 페이지",
+    "resourceLoginPageDescription": "각 리소스의 로그인 페이지를 사용자 정의합니다.",
+    "enterConfirmation": "확인 입력",
+    "blueprintViewDetails": "세부 정보",
+    "defaultIdentityProvider": "기본 아이덴티티 공급자",
+    "defaultIdentityProviderDescription": "기본 ID 공급자가 선택되면, 사용자는 인증을 위해 자동으로 해당 공급자로 리디렉션됩니다.",
+    "editInternalResourceDialogNetworkSettings": "네트워크 설정",
+    "editInternalResourceDialogAccessPolicy": "액세스 정책",
+    "editInternalResourceDialogAddRoles": "역할 추가",
+    "editInternalResourceDialogAddUsers": "사용자 추가",
+    "editInternalResourceDialogAddClients": "클라이언트 추가",
+    "editInternalResourceDialogDestinationLabel": "대상지",
+    "editInternalResourceDialogDestinationDescription": "내부 리소스의 목적지 주소를 지정하세요. 선택한 모드에 따라 이 주소는 호스트명, IP 주소, 또는 CIDR 범위가 될 수 있습니다. 더욱 쉽게 식별할 수 있도록 내부 DNS 별칭을 설정할 수 있습니다.",
+    "editInternalResourceDialogPortRestrictionsDescription": "특정 TCP/UDP 포트에 대한 접근을 제한하거나 모든 포트를 허용/차단하십시오.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "액세스 제어",
+    "editInternalResourceDialogAccessControlDescription": "연결 시 이 리소스에 대한 액세스 권한을 가지는 역할, 사용자, 그리고 머신 클라이언트를 제어합니다. 관리자는 항상 접근할 수 있습니다.",
+    "editInternalResourceDialogPortRangeValidationError": "모든 포트에 대해서는 \"*\"로, 아니면 쉼표로 구분된 포트 및 범위 목록(예: \"80,443,8000-9000\")을 설정해야 합니다. 포트는 1에서 65535 사이여야 합니다.",
+    "orgAuthWhatsThis": "조직 ID를 어디에서 찾을 수 있습니까?",
+    "learnMore": "자세히 알아보기",
+    "backToHome": "홈으로 돌아가기",
+    "needToSignInToOrg": "조직의 아이덴티티 공급자를 사용해야 합니까?",
+    "maintenanceMode": "유지보수 모드",
+    "maintenanceModeDescription": "방문자에게 유지보수 페이지 표시",
+    "maintenanceModeType": "유지보수 모드 유형",
+    "showMaintenancePage": "방문자에게 유지보수 페이지 표시",
+    "enableMaintenanceMode": "유지보수 모드 활성화",
+    "automatic": "자동",
+    "automaticModeDescription": "백엔드 타깃이 모두 다운되거나 건강하지 않을 때만 유지보수 페이지를 표시합니다. 적어도 하나의 타깃이 건강한 한 리소스는 정상 작동합니다.",
+    "forced": "강제",
+    "forcedModeDescription": "백엔드 상태와 무관하게 항상 유지보수 페이지를 표시하십시오. 모든 접근을 차단하려는 계획된 유지보수 시 사용하세요.",
+    "warning:": "경고:",
+    "forcedeModeWarning": "모든 트래픽이 유지보수 페이지로 전달됩니다. 백엔드 리소스는 어떠한 요청도 받지 않습니다.",
+    "pageTitle": "페이지 제목",
+    "pageTitleDescription": "유지보수 페이지에 표시될 주요 제목",
+    "maintenancePageMessage": "유지보수 메시지",
+    "maintenancePageMessagePlaceholder": "곧 돌아오겠습니다! 사이트는 현재 예정된 유지보수를 진행 중입니다.",
+    "maintenancePageMessageDescription": "유지보수를 설명하는 상세 메시지",
+    "maintenancePageTimeTitle": "예상 완료 시간(선택 사항)",
+    "maintenanceTime": "예: 2시간, 11월 1일 오후 5시",
+    "maintenanceEstimatedTimeDescription": "유지보수가 완료될 것으로 예상되는 시간",
+    "editDomain": "도메인 수정",
+    "editDomainDescription": "리소스를 위한 도메인을 선택하십시오.",
+    "maintenanceModeDisabledTooltip": "이 기능을 사용하려면 유효한 라이선스가 필요합니다.",
+    "maintenanceScreenTitle": "서비스 일시 중단",
+    "maintenanceScreenMessage": "현재 기술적 문제를 겪고 있습니다. 곧 다시 확인하십시오.",
+    "maintenanceScreenEstimatedCompletion": "예상 완료:",
+    "createInternalResourceDialogDestinationRequired": "목적지가 필요합니다.",
+    "available": "사용 가능",
+    "archived": "보관된",
+    "noArchivedDevices": "보관된 장치가 없습니다.",
+    "deviceArchived": "장치가 보관되었습니다.",
+    "deviceArchivedDescription": "장치가 성공적으로 보관되었습니다.",
+    "errorArchivingDevice": "장치를 보관하는 동안 오류가 발생했습니다.",
+    "failedToArchiveDevice": "장치를 보관하는 데 실패했습니다.",
+    "deviceQuestionArchive": "이 장치를 보관하시겠습니까?",
+    "deviceMessageArchive": "장치가 보관되며 당신의 활성 장치 목록에서 제거됩니다.",
+    "deviceArchiveConfirm": "장치 보관",
+    "archiveDevice": "장치 보관",
+    "archive": "보관",
+    "deviceUnarchived": "장치의 보관이 취소되었습니다.",
+    "deviceUnarchivedDescription": "장치의 보관이 성공적으로 취소되었습니다.",
+    "errorUnarchivingDevice": "장치 보관 해제 중 오류가 발생했습니다.",
+    "failedToUnarchiveDevice": "장치 보관 해제 실패",
+    "unarchive": "보관 해제",
+    "archiveClient": "클라이언트 보관",
+    "archiveClientQuestion": "이 클라이언트를 보관하시겠습니까?",
+    "archiveClientMessage": "클라이언트가 보관되며 당신의 활성 클라이언트 목록에서 제거됩니다.",
+    "archiveClientConfirm": "클라이언트 보관 확인",
+    "blockClient": "클라이언트 차단",
+    "blockClientQuestion": "이 클라이언트를 차단하시겠습니까?",
+    "blockClientMessage": "장치가 현재 연결되어 있는 경우 강제로 연결이 해제됩니다. 이후에도 차단 해제가 가능합니다.",
+    "blockClientConfirm": "클라이언트 차단 확인",
+    "active": "활성",
+    "usernameOrEmail": "사용자 이름 또는 이메일",
+    "selectYourOrganization": "조직 선택",
+    "signInTo": "로그인 중",
+    "signInWithPassword": "비밀번호로 계속",
+    "noAuthMethodsAvailable": "이 조직에는 사용할 수 있는 인증 방법이 없습니다.",
+    "enterPassword": "비밀번호를 입력하세요.",
+    "enterMfaCode": "인증 앱에서 제공한 코드를 입력하세요.",
+    "securityKeyRequired": "보안 키를 사용해 로그인하세요.",
+    "needToUseAnotherAccount": "다른 계정을 사용해야 합니까?",
+    "loginLegalDisclaimer": "아래 버튼을 클릭하여 <termsOfService>서비스 약관</termsOfService>과 <privacyPolicy>개인 정보 보호 정책</privacyPolicy>을 읽고 이해했으며 동의함을 인정합니다.",
+    "termsOfService": "서비스 약관",
+    "privacyPolicy": "개인 정보 보호 정책",
+    "userNotFoundWithUsername": "해당 사용자 이름으로 사용자를 찾지 못했습니다.",
+    "verify": "확인",
+    "signIn": "로그인",
+    "forgotPassword": "비밀번호를 잊으셨나요?",
+    "orgSignInTip": "이전에 로그인한 적이 있다면, 위의 사용자 이름 또는 이메일을 입력하여 조직의 ID 공급자로 인증할 수 있습니다. 더 쉬워요!",
+    "continueAnyway": "계속하기",
+    "dontShowAgain": "다시 보기 않습니다.",
+    "orgSignInNotice": "아셨나요?",
+    "signupOrgNotice": "로그인 중이신가요?",
+    "signupOrgTip": "조직의 ID 공급자를 통해 로그인하려고 하십니까?",
+    "signupOrgLink": "대신 조직을 사용하여 로그인 또는 가입",
+    "verifyEmailLogInWithDifferentAccount": "다른 계정 사용",
+    "logIn": "로그인",
+    "deviceInformation": "장치 정보",
+    "deviceInformationDescription": "장치와 에이전트 정보",
+    "deviceSecurity": "디바이스 보안",
+    "deviceSecurityDescription": "디바이스 보안 상태 정보",
+    "platform": "플랫폼",
+    "macosVersion": "macOS 버전",
+    "windowsVersion": "Windows 버전",
+    "iosVersion": "iOS 버전",
+    "androidVersion": "Android 버전",
+    "osVersion": "OS 버전",
+    "kernelVersion": "커널 버전",
+    "deviceModel": "장치 모델",
+    "serialNumber": "일련 번호",
+    "hostname": "호스트 이름",
+    "firstSeen": "처음 발견됨",
+    "lastSeen": "마지막으로 발견됨",
+    "biometricsEnabled": "생체 인식 활성화",
+    "diskEncrypted": "디스크 암호화됨",
+    "firewallEnabled": "방화벽 활성화",
+    "autoUpdatesEnabled": "자동 업데이트 활성화",
+    "tpmAvailable": "TPM 사용 가능",
+    "macosSipEnabled": "시스템 무결성 보호 (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "방화벽 스텔스 모드",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "장치 정보 및 설정 보기",
+    "devicePendingApprovalDescription": "이 장치는 승인을 기다리고 있습니다.",
+    "deviceBlockedDescription": "이 장치는 현재 차단되었습니다. 차단이 해제되지 않으면 리소스에 연결할 수 없습니다.",
+    "unblockClient": "클라이언트 차단 해제",
+    "unblockClientDescription": "장치가 차단 해제되었습니다.",
+    "unarchiveClient": "클라이언트 보관 취소",
+    "unarchiveClientDescription": "장치가 보관 해제되었습니다.",
+    "block": "차단",
+    "unblock": "차단 해제",
+    "deviceActions": "장치 작업",
+    "deviceActionsDescription": "장치 상태 및 접근 관리",
+    "devicePendingApprovalBannerDescription": "이 장치는 승인 대기 중입니다. 승인될 때까지 리소스에 연결할 수 없습니다.",
+    "connected": "연결됨",
+    "disconnected": "연결 해제됨",
+    "approvalsEmptyStateTitle": "장치 승인 비활성화됨",
+    "approvalsEmptyStateDescription": "사용자가 새 장치를 연결하기 전에 관리자의 승인을 필요로 하도록 역할에 대해 장치 승인을 활성화하세요.",
+    "approvalsEmptyStateStep1Title": "역할로 이동",
+    "approvalsEmptyStateStep1Description": "조직의 역할 설정으로 이동하여 장치 승인을 구성하십시오.",
+    "approvalsEmptyStateStep2Title": "장치 승인 활성화",
+    "approvalsEmptyStateStep2Description": "역할을 편집하고 '장치 승인 요구' 옵션을 활성화하세요. 이 역할을 가진 사용자는 새 장치에 대해 관리자의 승인이 필요합니다.",
+    "approvalsEmptyStatePreviewDescription": "미리 보기: 활성화된 경우, 승인 대기 중인 장치 요청이 검토용으로 여기에 표시됩니다.",
+    "approvalsEmptyStateButtonText": "역할 관리"
 }
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Opprett organisasjonen, nettstedet og ressursene",
+    "headerAuthCompatibilityInfo": "Aktiver dette for å tvinge frem en 401 Uautorisert-respons når en autentiseringstoken mangler. Dette kreves for nettlesere eller spesifikke HTTP-biblioteker som ikke sender legitimasjon uten en serverutfordring.",
+    "headerAuthCompatibility": "Utvidet kompatibilitet",
    "setupNewOrg": "Ny Organisasjon",
    "setupCreateOrg": "Opprett organisasjon",
    "setupCreateResources": "Opprett ressurser",
@@ -33,7 +35,7 @@
    "password": "Passord",
    "confirmPassword": "Bekreft Passord",
    "createAccount": "Opprett Konto",
-    "viewSettings": "Vis Innstillinger",
+    "viewSettings": "Vis innstillinger",
    "delete": "Slett",
    "name": "Navn",
    "online": "Online",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Er du sikker på at du vil fjerne nettstedet fra organisasjonen?",
    "siteManageSites": "Administrer Områder",
    "siteDescription": "Opprette og administrere nettsteder for å aktivere tilkobling til private nettverk",
+    "sitesBannerTitle": "Koble til alle nettverk",
+    "sitesBannerDescription": "Et nettverk er en tilkobling til et eksternt nettverk som tillater Pangolin å gi tilgang til ressurser, enten offentlige eller private, til brukere hvor som helst. Installer nettverkskontaktet (Newt) hvor som helst du kan kjøre en binærfil eller container for å opprette forbindelsen.",
+    "sitesBannerButtonText": "Installer nettsted",
+    "approvalsBannerTitle": "Godkjenn eller avslå tilgang til enhet",
+    "approvalsBannerDescription": "Gjennomgå og godkjenne eller avslå forespørsler om tilgang fra brukere. Når enhetsgodkjenninger er nødvendig, må brukere få admingodkjenning før enhetene kan koble seg til organisasjonens ressurser.",
+    "approvalsBannerButtonText": "Lær mer",
    "siteCreate": "Opprett område",
    "siteCreateDescription2": "Følg trinnene nedenfor for å opprette og koble til et nytt område",
    "siteCreateDescription": "Opprett et nytt nettsted for å koble til ressurser",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Avgjør hvordan du vil koble deg til nettstedet",
    "siteNewtCredentials": "Legitimasjon",
    "siteNewtCredentialsDescription": "Dette er hvordan nettstedet vil godkjenne med serveren",
+    "remoteNodeCredentialsDescription": "Slik vil den eksterne noden autentisere seg med serveren",
    "siteCredentialsSave": "Lagre brukeropplysninger",
    "siteCredentialsSaveDescription": "Du vil kun kunne se dette én gang. Sørg for å kopiere det til et sikkert sted.",
    "siteInfo": "Områdeinformasjon",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Vennligst velg en ressurs",
    "proxyResourceTitle": "Administrere offentlige ressurser",
    "proxyResourceDescription": "Opprett og administrer ressurser som er offentlig tilgjengelige via en nettleser",
+    "proxyResourcesBannerTitle": "Nettbasert offentlig tilgang",
+    "proxyResourcesBannerDescription": "Offentlige ressurser er HTTPS- eller TCP/UDP-proxyer tilgjengelige for alle på internett via en nettleser. I motsetning til private ressurser, krever de ikke klient-basert programvare og kan inkludere identitets- og kontekstbevisste tilgangspolicyer.",
    "clientResourceTitle": "Administrer private ressurser",
    "clientResourceDescription": "Opprette og administrere ressurser som bare er tilgjengelige via en tilkoblet klient",
+    "privateResourcesBannerTitle": "Zero-Trust privat tilgang",
+    "privateResourcesBannerDescription": "Private ressurser bruker Zero-Trust-sikkerhet, og sikrer at brukere og maskiner kun kan få tilgang til ressurser du eksplisitt gir tillatelse til. Koble bruker-enheter eller maskinklienter for å få tilgang til disse ressursene via et sikkert virtuelt privat nettverk.",
    "resourcesSearch": "Søk i ressurser...",
    "resourceAdd": "Legg til ressurs",
    "resourceErrorDelte": "Feil ved sletting av ressurs",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Når den er fjernet, vil ressursen ikke lenger være tilgjengelig. Alle mål knyttet til ressursen vil også bli fjernet.",
    "resourceQuestionRemove": "Er du sikker på at du vil fjerne ressursen fra organisasjonen?",
    "resourceHTTP": "HTTPS-ressurs",
-    "resourceHTTPDescription": "Proxy-forespørsler til appen over HTTPS ved hjelp av et underdomene eller basisdomene.",
+    "resourceHTTPDescription": "Proxy forespørsler over HTTPS ved å bruke et fullstendig kvalifisert domenenavn.",
    "resourceRaw": "Rå TCP/UDP-ressurs",
-    "resourceRawDescription": "Proxy ber om til appen over TCP/UDP med et portnummer. Dette fungerer bare når nettsteder er koblet til noder.",
+    "resourceRawDescription": "Proxy forespørsler over rå TCP/UDP ved å bruke et portnummer.",
    "resourceCreate": "Opprett ressurs",
    "resourceCreateDescription": "Følg trinnene nedenfor for å opprette en ny ressurs",
    "resourceSeeAll": "Se alle ressurser",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Søk etter roller...",
    "accessRolesAdd": "Legg til rolle",
    "accessRoleDelete": "Slett rolle",
+    "accessApprovalsManage": "Behandle godkjenninger",
+    "accessApprovalsDescription": "Se og administrer ventende godkjenninger for tilgang til denne organisasjonen",
    "description": "Beskrivelse",
    "inviteTitle": "Åpne invitasjoner",
    "inviteDescription": "Administrer invitasjoner til andre brukere for å bli med i organisasjonen",
@@ -440,6 +455,18 @@
    "selectDuration": "Velg varighet",
    "selectResource": "Velg ressurs",
    "filterByResource": "Filtrer etter ressurser",
+    "selectApprovalState": "Velg godkjenningsstatus",
+    "filterByApprovalState": "Filtrer etter godkjenningsstatus",
+    "approvalListEmpty": "Ingen godkjenninger",
+    "approvalState": "Godkjennings tilstand",
+    "approve": "Godkjenn",
+    "approved": "Godkjent",
+    "denied": "Avvist",
+    "deniedApproval": "Avslått godkjenning",
+    "all": "Alle",
+    "deny": "Avslå",
+    "viewDetails": "Vis detaljer",
+    "requestingNewDeviceApproval": "forespurt en ny enhet",
    "resetFilters": "Tilbakestill filtre",
    "totalBlocked": "Forespørsler blokkert av Pangolin",
    "totalRequests": "Totalt antall forespørsler",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Administratorer har alltid tilgang til denne ressursen.",
    "resourceUsersRoles": "Tilgangskontroller",
    "resourceUsersRolesDescription": "Konfigurer hvilke brukere og roller som har tilgang til denne ressursen",
-    "resourceUsersRolesSubmit": "Lagre brukere og roller",
+    "resourceUsersRolesSubmit": "Lagre tilgangskontroller",
    "resourceWhitelistSave": "Lagring vellykket",
    "resourceWhitelistSaveDescription": "Hvitlisteinnstillinger er lagret",
    "ssoUse": "Bruk plattform SSO",
@@ -719,16 +746,28 @@
    "countries": "Land",
    "accessRoleCreate": "Opprett rolle",
    "accessRoleCreateDescription": "Opprett en ny rolle for å gruppere brukere og administrere deres tillatelser.",
+    "accessRoleEdit": "Rediger rolle",
+    "accessRoleEditDescription": "Rediger rolleinformasjon.",
    "accessRoleCreateSubmit": "Opprett rolle",
    "accessRoleCreated": "Rolle opprettet",
    "accessRoleCreatedDescription": "Rollen er vellykket opprettet.",
    "accessRoleErrorCreate": "Klarte ikke å opprette rolle",
    "accessRoleErrorCreateDescription": "Det oppstod en feil under opprettelse av rollen.",
+    "accessRoleUpdateSubmit": "Oppdater rolle",
+    "accessRoleUpdated": "Rollen oppdatert",
+    "accessRoleUpdatedDescription": "Rollen har blitt oppdatert.",
+    "accessApprovalUpdated": "Godkjenning behandlet",
+    "accessApprovalApprovedDescription": "Sett godkjenningsforespørsel om å godta.",
+    "accessApprovalDeniedDescription": "Sett godkjenningsforespørsel om å nekte.",
+    "accessRoleErrorUpdate": "Kunne ikke oppdatere rolle",
+    "accessRoleErrorUpdateDescription": "Det oppstod en feil under oppdatering av rollen.",
+    "accessApprovalErrorUpdate": "Kunne ikke behandle godkjenning",
+    "accessApprovalErrorUpdateDescription": "Det oppstod en feil under behandling av godkjenningen.",
    "accessRoleErrorNewRequired": "Ny rolle kreves",
    "accessRoleErrorRemove": "Kunne ikke fjerne rolle",
    "accessRoleErrorRemoveDescription": "Det oppstod en feil under fjerning av rollen.",
    "accessRoleName": "Rollenavn",
-    "accessRoleQuestionRemove": "Du er i ferd med å slette rollen {name}. Du kan ikke angre denne handlingen.",
+    "accessRoleQuestionRemove": "Du er ferd med å slette rollen `{name}. Du kan ikke angre denne handlingen.",
    "accessRoleRemove": "Fjern Rolle",
    "accessRoleRemoveDescription": "Fjern en rolle fra organisasjonen",
    "accessRoleRemoveSubmit": "Fjern Rolle",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Konfigurer tilgang for en organisasjon",
    "idpUpdatedDescription": "Identitetsleverandør vellykket oppdatert",
    "redirectUrl": "Omdirigerings-URL",
+    "orgIdpRedirectUrls": "Omadressere URL'er",
    "redirectUrlAbout": "Om omdirigerings-URL",
    "redirectUrlAboutDescription": "Dette er URLen som brukere vil bli omdirigert etter autentisering. Du må konfigurere denne URLen i identitetsleverandørens innstillinger.",
    "pangolinAuth": "Autentisering - Pangolin",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Denne organisasjonen krever at du bytter passord hver {maxDays} dag.",
    "changePasswordNow": "Bytt passord nå",
    "pincodeAuth": "Autentiseringskode",
-    "pincodeSubmit2": "Send inn kode",
+    "pincodeSubmit2": "Send kode",
    "passwordResetSubmit": "Be om tilbakestilling",
-    "passwordResetAlreadyHaveCode": "Skriv inn tilbakestillingskode for passord",
+    "passwordResetAlreadyHaveCode": "Skriv inn koden",
    "passwordResetSmtpRequired": "Kontakt din administrator",
    "passwordResetSmtpRequiredDescription": "En passord tilbakestillingskode kreves for å tilbakestille passordet. Kontakt systemansvarlig for assistanse.",
    "passwordBack": "Tilbake til passord",
-    "loginBack": "Gå tilbake til innlogging",
+    "loginBack": "Gå tilbake til innloggingssiden for hovedkontoen",
    "signup": "Registrer deg",
    "loginStart": "Logg inn for å komme i gang",
    "idpOidcTokenValidating": "Validerer OIDC-token",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Oppdater org.bruker",
    "createOrgUser": "Opprett Org bruker",
    "actionUpdateOrg": "Oppdater organisasjon",
+    "actionRemoveInvitation": "Fjern invitasjon",
    "actionUpdateUser": "Oppdater bruker",
    "actionGetUser": "Hent bruker",
    "actionGetOrgUser": "Hent organisasjonsbruker",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Hent område",
    "actionListSites": "List opp områder",
    "actionApplyBlueprint": "Bruk blåkopi",
+    "actionListBlueprints": "List opp blåkopier",
+    "actionGetBlueprint": "Hent blåkopi",
    "setupToken": "Oppsetttoken",
    "setupTokenDescription": "Skriv inn oppsetttoken fra serverkonsollen.",
    "setupTokenRequired": "Oppsetttoken er nødvendig",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Oppdater IDP-organisasjon",
    "actionCreateClient": "Opprett Klient",
    "actionDeleteClient": "Slett klient",
+    "actionArchiveClient": "Arkiver klient",
+    "actionUnarchiveClient": "Fjern arkivering klient",
+    "actionBlockClient": "Blokker kunde",
+    "actionUnblockClient": "Avblokker klient",
    "actionUpdateClient": "Oppdater klient",
    "actionListClients": "List klienter",
    "actionGetClient": "Hent klient",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Søker...",
    "create": "Opprett",
    "orgs": "Organisasjoner",
-    "loginError": "En feil oppstod under innlogging",
-    "loginRequiredForDevice": "Innlogging kreves for å godkjenne enheten.",
+    "loginError": "En uventet feil oppstod. Vennligst prøv igjen.",
+    "loginRequiredForDevice": "Innlogging er nødvendig for enheten din.",
    "passwordForgot": "Glemt passordet ditt?",
    "otpAuth": "Tofaktorautentisering",
    "otpAuthDescription": "Skriv inn koden fra autentiseringsappen din eller en av dine engangs reservekoder.",
    "otpAuthSubmit": "Send inn kode",
    "idpContinue": "Eller fortsett med",
-    "otpAuthBack": "Tilbake til innlogging",
+    "otpAuthBack": "Tilbake til passord",
    "navbar": "Navigasjonsmeny",
    "navbarDescription": "Hovednavigasjonsmeny for applikasjonen",
    "navbarDocsLink": "Dokumentasjon",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Oversikt",
    "sidebarHome": "Hjem",
    "sidebarSites": "Områder",
+    "sidebarApprovals": "Godkjenningsforespørsler",
    "sidebarResources": "Ressurser",
    "sidebarProxyResources": "Offentlig",
    "sidebarClientResources": "Privat",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Identitetsleverandører",
    "sidebarLicense": "Lisens",
    "sidebarClients": "Klienter",
-    "sidebarUserDevices": "Brukere",
+    "sidebarUserDevices": "Bruker Enheter",
    "sidebarMachineClients": "Maskiner",
    "sidebarDomains": "Domener",
-    "sidebarGeneral": "Generelt",
+    "sidebarGeneral": "Administrer",
    "sidebarLogAndAnalytics": "Logg og analyser",
    "sidebarBluePrints": "Tegninger",
    "sidebarOrganization": "Organisasjon",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "En feil oppstod under opprettelsen av serveradministratorkontoen.",
    "certificateStatus": "Sertifikatstatus",
    "loading": "Laster inn",
+    "loadingAnalytics": "Laster inn analyser",
    "restart": "Start på nytt",
    "domains": "Domener",
    "domainsDescription": "Opprett og behandle domener som er tilgjengelige i organisasjonen",
@@ -1290,6 +1339,7 @@
    "refreshError": "Klarte ikke å oppdatere data",
    "verified": "Verifisert",
    "pending": "Venter",
+    "pendingApproval": "Venter på godkjenning",
    "sidebarBilling": "Fakturering",
    "billing": "Fakturering",
    "orgBillingDescription": "Administrer faktureringsinformasjon og abonnementer",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Kontooppsett fullført! Velkommen til Pangolin!",
    "documentation": "Dokumentasjon",
    "saveAllSettings": "Lagre alle innstillinger",
+    "saveResourceTargets": "Lagre mål",
+    "saveResourceHttp": "Lagre proxy-innstillinger",
+    "saveProxyProtocol": "Lagre proxy-protokollinnstillinger",
    "settingsUpdated": "Innstillinger oppdatert",
-    "settingsUpdatedDescription": "Alle innstillinger er oppdatert",
+    "settingsUpdatedDescription": "Innstillinger oppdatert vellykket",
    "settingsErrorUpdate": "Klarte ikke å oppdatere innstillinger",
    "settingsErrorUpdateDescription": "En feil oppstod under oppdatering av innstillinger",
    "sidebarCollapse": "Skjul",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Sikkerhetsnøkkel fjernet",
    "securityKeyRemoveError": "Klarte ikke å fjerne sikkerhetsnøkkel",
    "securityKeyLoadError": "Klarte ikke å laste inn sikkerhetsnøkler",
-    "securityKeyLogin": "Fortsett med sikkerhetsnøkkel",
+    "securityKeyLogin": "Bruk sikkerhetsnøkkel",
    "securityKeyAuthError": "Klarte ikke å autentisere med sikkerhetsnøkkel",
    "securityKeyRecommendation": "Registrer en reservesikkerhetsnøkkel på en annen enhet for å sikre at du alltid har tilgang til kontoen din.",
    "registering": "Registrerer...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Jeg godtar",
        "termsOfService": "brukervilkårene",
        "and": "og",
-        "privacyPolicy": "personvernerklæringen"
+        "privacyPolicy": "retningslinjer for personvern"
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Hold meg i løken med nyheter, oppdateringer og nye funksjoner via e-post."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Legg til nytt mål",
    "targetsList": "Liste over mål",
    "advancedMode": "Avansert modus",
+    "advancedSettings": "Avanserte innstillinger",
    "targetErrorDuplicateTargetFound": "Duplikat av mål funnet",
    "healthCheckHealthy": "Sunn",
    "healthCheckUnhealthy": "Usunn",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Sunt intervall",
    "timeoutSeconds": "Tidsavbrudd (sek)",
    "timeIsInSeconds": "Tid er i sekunder",
+    "requireDeviceApproval": "Krev enhetsgodkjenning",
+    "requireDeviceApprovalDescription": "Brukere med denne rollen trenger nye enheter godkjent av en admin før de kan koble seg og få tilgang til ressurser.",
    "retryAttempts": "Forsøk på nytt",
    "expectedResponseCodes": "Forventede svarkoder",
    "expectedResponseCodesDescription": "HTTP-statuskode som indikerer sunn status. Hvis den blir stående tom, regnes 200-300 som sunn.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Ingen interne ressurser funnet.",
    "resourcesTableDestination": "Destinasjon",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias adresse",
+    "resourcesTableAliasAddressInfo": "Denne adressen er en del av organisasjonens undernettverk. Den brukes til å løse aliasposter ved hjelp av intern DNS-oppløsning.",
    "resourcesTableClients": "Klienter",
    "resourcesTableAndOnlyAccessibleInternally": "og er kun tilgjengelig internt når de er koblet til med en klient.",
    "resourcesTableNoTargets": "Ingen mål",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Ressursegenskaper",
    "createInternalResourceDialogName": "Navn",
    "createInternalResourceDialogSite": "Område",
-    "createInternalResourceDialogSelectSite": "Velg område...",
-    "createInternalResourceDialogSearchSites": "Søk i områder...",
-    "createInternalResourceDialogNoSitesFound": "Ingen områder funnet.",
+    "selectSite": "Velg område...",
+    "noSitesFound": "Ingen områder funnet.",
    "createInternalResourceDialogProtocol": "Protokoll",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Den interne adressen til nettstedet. Må falle innenfor organisasjonens undernett.",
    "siteNameDescription": "Visningsnavnet på nettstedet som kan endres senere.",
    "autoLoginExternalIdp": "Automatisk innlogging med ekstern IDP",
-    "autoLoginExternalIdpDescription": "Omdiriger brukeren umiddelbart til den eksterne IDP-en for autentisering.",
+    "autoLoginExternalIdpDescription": "Omdiriger brukeren umiddelbart til den eksterne identitetsleverandøren for autentisering.",
    "selectIdp": "Velg IDP",
    "selectIdpPlaceholder": "Velg en IDP...",
    "selectIdpRequired": "Vennligst velg en IDP når automatisk innlogging er aktivert.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Ingen omdirigerings-URL mottatt fra identitetsleverandøren.",
    "autoLoginErrorGeneratingUrl": "Kunne ikke generere autentiserings-URL.",
    "remoteExitNodeManageRemoteExitNodes": "Eksterne Noder",
-    "remoteExitNodeDescription": "Selvbetjent én eller flere eksterne noder for å utvide nettverkstilkobling og redusere avhengighet på skyen",
+    "remoteExitNodeDescription": "Egendrift din egen eksterne relé- og proxyservernode",
    "remoteExitNodes": "Noder",
    "searchRemoteExitNodes": "Søk noder...",
    "remoteExitNodeAdd": "Legg til Node",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Bekreft sletting av Node",
    "remoteExitNodeDelete": "Slett Node",
    "sidebarRemoteExitNodes": "Eksterne Noder",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Sikkerhetsnøkkel",
    "remoteExitNodeCreate": {
-        "title": "Opprett node",
-        "description": "Opprett en ny node for å utvide nettverkstilkoblingen",
+        "title": "Opprett ekstern node",
+        "description": "Opprett en ny egendrift ekstern relé- og proxyservernode",
        "viewAllButton": "Vis alle koder",
        "strategy": {
            "title": "Opprettelsesstrategi",
-            "description": "Velg denne for manuelt å konfigurere noden eller generere nye legitimasjoner.",
+            "description": "Velg hvordan du vil opprette den eksterne noden",
            "adopt": {
                "title": "Adopter Node",
                "description": "Velg dette hvis du allerede har legitimasjon til noden."
            },
            "generate": {
                "title": "Generer Nøkler",
-                "description": "Velg denne hvis du vil generere nye nøkler for noden"
+                "description": "Velg denne hvis du vil generere nye nøkler for noden."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Subnett",
    "subnetDescription": "Undernettverket for denne organisasjonens nettverkskonfigurasjon.",
-    "authPage": "Autentiseringsside",
-    "authPageDescription": "Konfigurer autoriseringssiden for organisasjonen",
+    "customDomain": "Egendefinert domene",
+    "authPage": "Autentiseringssider",
+    "authPageDescription": "Sett et egendefinert domene for organisasjonens autentiseringssider",
    "authPageDomain": "Autentiseringsside domene",
+    "authPageBranding": "Egendefinert merkevarebygging",
+    "authPageBrandingDescription": "Konfigurer merkevarebyggingen som vises på autentiseringssidene for denne organisasjonen",
+    "authPageBrandingUpdated": "Autentiseringsside-markedsføring oppdatert vellykket",
+    "authPageBrandingRemoved": "Autentiseringsside-markedsføring fjernet vellykket",
+    "authPageBrandingRemoveTitle": "Fjern markedsføring for autentiseringsside",
+    "authPageBrandingQuestionRemove": "Er du sikker på at du vil fjerne merkevarebyggingen for autentiseringssider?",
+    "authPageBrandingDeleteConfirm": "Bekreft sletting av merkevarebygging",
+    "brandingLogoURL": "Logo URL",
+    "brandingPrimaryColor": "Primærfarge",
+    "brandingLogoWidth": "Bredde (px)",
+    "brandingLogoHeight": "Høyde (px)",
+    "brandingOrgTitle": "Tittel for organisasjonens autentiseringsside",
+    "brandingOrgDescription": "{orgName} vil bli erstattet med organisasjonens navn",
+    "brandingOrgSubtitle": "Undertittel for organisasjonens autentiseringsside",
+    "brandingResourceTitle": "Tittel for ressursens autentiseringsside",
+    "brandingResourceSubtitle": "Undertittel for ressursens autentiseringsside",
+    "brandingResourceDescription": "{resourceName} vil bli erstattet med organisasjonens navn",
+    "saveAuthPageDomain": "Lagre domene",
+    "saveAuthPageBranding": "Lagre merkevarebygging",
+    "removeAuthPageBranding": "Fjern merkevarebygging",
    "noDomainSet": "Ingen domene valgt",
    "changeDomain": "Endre domene",
    "selectDomain": "Velg domene",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Angi autoriseringsside domene",
    "failedToFetchCertificate": "Kunne ikke hente sertifikat",
    "failedToRestartCertificate": "Kan ikke starte sertifikat",
-    "addDomainToEnableCustomAuthPages": "Legg til et domene for å aktivere egendefinerte autentiseringssider for organisasjonen",
+    "addDomainToEnableCustomAuthPages": "Brukere vil kunne få tilgang til organisasjonens innloggingsside og fullføre ressursautentisering ved å bruke dette domenet.",
    "selectDomainForOrgAuthPage": "Velg et domene for organisasjonens autentiseringsside",
    "domainPickerProvidedDomain": "Gitt domene",
    "domainPickerFreeProvidedDomain": "Gratis oppgitt domene",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" kunne ikke gjøres gyldig for {domain}.",
    "domainPickerSubdomainSanitized": "Underdomenet som ble sanivert",
    "domainPickerSubdomainCorrected": "\"{sub}\" var korrigert til \"{sanitized}\"",
-    "orgAuthSignInTitle": "Logg inn på organisasjonen",
+    "orgAuthSignInTitle": "Organisasjonsinnlogging",
    "orgAuthChooseIdpDescription": "Velg din identitet leverandør for å fortsette",
    "orgAuthNoIdpConfigured": "Denne organisasjonen har ikke noen identitetstjeneste konfigurert. Du kan i stedet logge inn med Pangolin identiteten din.",
    "orgAuthSignInWithPangolin": "Logg inn med Pangolin",
+    "orgAuthSignInToOrg": "Logg inn på en organisasjon",
+    "orgAuthSelectOrgTitle": "Organisasjonsinnlogging",
+    "orgAuthSelectOrgDescription": "Skriv inn organisasjons-ID-en din for å fortsette",
+    "orgAuthOrgIdPlaceholder": "din-organisasjon",
+    "orgAuthOrgIdHelp": "Skriv inn organisasjonens unike identifikator",
+    "orgAuthSelectOrgHelp": "Etter å ha skrevet inn din organisasjons-ID, blir du videresendt til din organisasjons innloggingsside hvor du kan bruke SSO eller organisasjonens legitimasjon.",
+    "orgAuthRememberOrgId": "Husk denne organisasjons-ID-en",
+    "orgAuthBackToSignIn": "Tilbake til standard innlogging",
+    "orgAuthNoAccount": "Har du ikke konto?",
    "subscriptionRequiredToUse": "Et abonnement er påkrevd for å bruke denne funksjonen.",
    "idpDisabled": "Identitetsleverandører er deaktivert.",
    "orgAuthPageDisabled": "Informasjons-siden for organisasjon er deaktivert.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Aktiver to-faktor autentisering",
    "completeSecuritySteps": "Fullfør sikkerhetstrinnene",
    "securitySettings": "Sikkerhet innstillinger",
+    "dangerSection": "Faresone",
+    "dangerSectionDescription": "Slett permanent alle data tilknyttet denne organisasjonen",
    "securitySettingsDescription": "Konfigurer sikkerhetspolicyer for organisasjonen",
    "requireTwoFactorForAllUsers": "Krev to-faktor autentisering for alle brukere",
    "requireTwoFactorDescription": "Når aktivert må alle interne brukere i denne organisasjonen ha to-faktorautentisering aktivert for å få tilgang til organisasjonen.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Dette vil påvirke alle brukere i organisasjonen",
    "authPageErrorUpdateMessage": "Det oppstod en feil under oppdatering av innstillingene for godkjenningssiden",
    "authPageErrorUpdate": "Kunne ikke oppdatere autoriseringssiden",
-    "authPageUpdated": "Godkjenningsside oppdatert",
+    "authPageDomainUpdated": "Autentiseringsside-domenet ble oppdatert vellykket",
    "healthCheckNotAvailable": "Lokal",
    "rewritePath": "Omskriv sti",
    "rewritePathDescription": "Valgfritt omskrive stien før videresending til målet.",
@@ -1915,8 +2006,15 @@
    "beta": "beta",
    "manageUserDevices": "Bruker Enheter",
    "manageUserDevicesDescription": "Se og administrer enheter som brukere bruker for privat tilkobling til ressurser",
+    "downloadClientBannerTitle": "Last ned Pangolin-klienten",
+    "downloadClientBannerDescription": "Last ned Pangolin-klienten for systemet ditt for å koble til Pangolin-nettverket og få tilgang til ressurser privat.",
    "manageMachineClients": "Administrer maskinneklienter",
    "manageMachineClientsDescription": "Opprett og behandle klienter som servere og systemer bruker for privat tilkobling til ressurser",
+    "machineClientsBannerTitle": "Servere og automatiserte systemer",
+    "machineClientsBannerDescription": "Maskinklienter er for servere og automatiserte systemer som ikke er tilknyttet en spesifikk bruker. De autentiserer med en ID og et hemmelighetsnummer, og kan kjøre med Pangolin CLI, Olm CLI eller Olm som en container.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm Container",
    "clientsTableUserClients": "Bruker",
    "clientsTableMachineClients": "Maskin",
    "licenseTableValidUntil": "Gyldig til",
@@ -2060,13 +2158,15 @@
    "request": "Forespørsel",
    "requests": "Forespørsler",
    "logs": "Logger",
-    "logsSettingsDescription": "Overvåk logger samlet fra denne orginiasjonen",
+    "logsSettingsDescription": "Overvåk logger samlet inn fra denne organisasjonen",
    "searchLogs": "Søk i logger...",
    "action": "Handling",
    "actor": "Aktør",
    "timestamp": "Tidsstempel",
    "accessLogs": "Tilgangslogger (Automatic Translation)",
    "exportCsv": "Eksportere CSV",
+    "exportError": "Ukjent feil ved eksport av CSV",
+    "exportCsvTooltip": "Innenfor tidsramme",
    "actorId": "Skuespiller ID",
    "allowedByRule": "Tillatt etter regel",
    "allowedNoAuth": "Tillatt Ingen Auth",
@@ -2120,7 +2220,7 @@
    "unverified": "Uverifisert",
    "domainSetting": "Domene innstillinger",
    "domainSettingDescription": "Konfigurer innstillinger for domenet",
-    "preferWildcardCertDescription": "Forsøk på å generere et jokertegn (krever en riktig konfigurert sertifikatløsning).",
+    "preferWildcardCertDescription": "Forsøk å generere et jokertegn-sertifikat (krever en riktig konfigurert sertifikatløser).",
    "recordName": "Lagre navn",
    "auto": "Automatisk",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Kode må inneholde 9 tegn (f.eks A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ugyldig eller utløpt kode",
    "deviceCodeVerifyFailed": "Klarte ikke å bekrefte enhetskoden",
+    "deviceCodeValidating": "Validerer enhetskode...",
+    "deviceCodeVerifying": "Bekrefter enhetens godkjennelse...",
    "signedInAs": "Logget inn som",
    "deviceCodeEnterPrompt": "Skriv inn koden som vises på enheten",
    "continue": "Fortsett",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Tilgang til alle organisasjoner din konto har tilgang til",
    "deviceAuthorize": "Autoriser {applicationName}",
    "deviceConnected": "Enhet tilkoblet!",
-    "deviceAuthorizedMessage": "Enhet er autorisert for tilgang til kontoen din.",
+    "deviceAuthorizedMessage": "Enheten er autorisert for tilgang til kontoen. Vennligst gå tilbake til klientapplikasjonen.",
    "pangolinCloud": "Pangolin Sky",
    "viewDevices": "Vis enheter",
    "viewDevicesDescription": "Administrer tilkoblede enheter",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Ikke du? Bruk en annen konto.",
    "deviceLoginDeviceRequestingAccessToAccount": "En enhet ber om tilgang til denne kontoen.",
+    "loginSelectAuthenticationMethod": "Velg en autentiseringsmetode for å fortsette.",
    "noData": "Ingen data",
    "machineClients": "Maskinklienter",
    "install": "Installer",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Kunne ikke hente standard undernett",
    "setupSubnetAdvanced": "Subnet (avansert)",
    "setupSubnetDescription": "Subnet for denne organisasjonens interne nettverk.",
+    "setupUtilitySubnet": "Utility Subnet (Avansert)",
+    "setupUtilitySubnetDescription": "Subnettet for denne organisasjonens aliasadresser og DNS-server.",
    "siteRegenerateAndDisconnect": "Regenerer og koble fra",
    "siteRegenerateAndDisconnectConfirmation": "Er du sikker på at du vil regenerere legitimasjon og koble fra dette nettstedet?",
    "siteRegenerateAndDisconnectWarning": "Dette vil regenerere legitimasjon og umiddelbart koble fra siden. Siden må startes på nytt med de nye legitimasjonene.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Dette vil regenerere innloggingsdetaljene og umiddelbart koble fra den eksterne avkjøringnoden. Ekstern avkjøringsnode må startes på nytt med de nye opplysningene",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Er du sikker på at du vil regenerere innloggingsene for denne eksterne avslutningen?",
    "remoteExitNodeRegenerateCredentialsWarning": "Dette vil regenerere legitimasjon. Ekstern avgang noden vil forbli tilkoblet inntil du manuelt gjenoppstarter den og bruker de nye legitimasjonene.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Kun til personlig bruk",
+    "loginPageLicenseWatermark": "Denne instansen er lisensiert kun for personlig bruk.",
+    "instanceIsUnlicensed": "Denne instansen er ulisensiert.",
+    "portRestrictions": "Portbegrensninger",
+    "allPorts": "Alle",
+    "custom": "Egendefinert",
+    "allPortsAllowed": "Alle porter tillatt",
+    "allPortsBlocked": "Alle porter blokkert",
+    "tcpPortsDescription": "Spesifiser hvilke TCP-porter som er tillatt for denne ressursen. Bruk '*' for alle porter, la stå tomt for å blokkere alle, eller skriv inn en kommaseparert liste over porter og sjikt (f.eks. 80,443,8000-9000).",
+    "udpPortsDescription": "Spesifiser hvilke UDP-porter som er tillatt for denne ressursen. Bruk '*' for alle porter, la stå tomt for å blokkere alle, eller skriv inn en kommaseparert liste over porter og sjikt (f.eks. 53,123,500-600).",
+    "organizationLoginPageTitle": "Organisasjonens innloggingsside",
+    "organizationLoginPageDescription": "Tilpass innloggingssiden for denne organisasjonen",
+    "resourceLoginPageTitle": "Ressursens innloggingsside",
+    "resourceLoginPageDescription": "Tilpass innloggingssiden for individuelle ressurser",
+    "enterConfirmation": "Skriv inn bekreftelse",
+    "blueprintViewDetails": "Detaljer",
+    "defaultIdentityProvider": "Standard identitetsleverandør",
+    "defaultIdentityProviderDescription": "Når en standard identitetsleverandør er valgt, vil brukeren automatisk bli omdirigert til leverandøren for autentisering.",
+    "editInternalResourceDialogNetworkSettings": "Nettverksinnstillinger",
+    "editInternalResourceDialogAccessPolicy": "Tilgangsregler for tilgang",
+    "editInternalResourceDialogAddRoles": "Legg til roller",
+    "editInternalResourceDialogAddUsers": "Legg til brukere",
+    "editInternalResourceDialogAddClients": "Legg til klienter",
+    "editInternalResourceDialogDestinationLabel": "Destinasjon",
+    "editInternalResourceDialogDestinationDescription": "Spesifiser destinasjonsadressen for den interne ressursen. Dette kan være et vertsnavn, IP-adresse eller CIDR-sjikt avhengig av valgt modus. Valgfrie oppsett av intern DNS-alias for enklere identifikasjon.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Begrens tilgang til spesifikke TCP/UDP-porter eller tillate/blokkere alle porter.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Tilgangskontroll",
+    "editInternalResourceDialogAccessControlDescription": "Kontroller hvilke roller, brukere og maskinklienter som har tilgang til denne ressursen når den er koblet til. Administratorer har alltid tilgang.",
+    "editInternalResourceDialogPortRangeValidationError": "Portsjiktet må være \"*\" for alle porter, eller en kommaseparert liste med porter og sjikt (f.eks. \"80,443,8000-9000\"). Porter må være mellom 1 og 65535.",
+    "orgAuthWhatsThis": "Hvor kan jeg finne min organisasjons-ID?",
+    "learnMore": "Lær mer",
+    "backToHome": "Gå tilbake til start",
+    "needToSignInToOrg": "Trenger du å bruke organisasjonens identitetsleverandør?",
+    "maintenanceMode": "Vedlikeholdsmodus",
+    "maintenanceModeDescription": "Vis en vedlikeholdsside til besøkende",
+    "maintenanceModeType": "Vedlikeholdsmodus type",
+    "showMaintenancePage": "Vis en vedlikeholdsside til besøkende",
+    "enableMaintenanceMode": "Aktiver vedlikeholdsmodus",
+    "automatic": "Automatisk",
+    "automaticModeDescription": "Vis vedlikeholdsside kun når alle serverens mål er nede eller usunne. Ressursen din fortsetter å fungere normalt så lenge minst ett mål er sunt.",
+    "forced": "Tvunget",
+    "forcedModeDescription": "Vis alltid vedlikeholdssiden uavhengig av serverens helse. Bruk dette ved planlagt vedlikehold når du vil hindre all tilgang.",
+    "warning:": "Advarsel:",
+    "forcedeModeWarning": "All trafikk vil bli dirigeres til vedlikeholdssiden. Serverens ressurser vil ikke motta noen forespørsler.",
+    "pageTitle": "Sidetittel",
+    "pageTitleDescription": "Hovedoverskriften vist på vedlikeholdssiden",
+    "maintenancePageMessage": "Vedlikeholdsbeskjed",
+    "maintenancePageMessagePlaceholder": "Vi kommer snart tilbake! Vårt nettsted gjennomgår for øyeblikket planlagt vedlikehold.",
+    "maintenancePageMessageDescription": "Detaljert beskjed som forklarer vedlikeholdet",
+    "maintenancePageTimeTitle": "Estimert ferdigstillelsestid (Valgfritt)",
+    "maintenanceTime": "f.eks. 2 timer, 1. november kl. 17:00",
+    "maintenanceEstimatedTimeDescription": "Når du forventer at vedlikeholdet er ferdigstilt",
+    "editDomain": "Rediger domene",
+    "editDomainDescription": "Velg et domene for ressursen din",
+    "maintenanceModeDisabledTooltip": "Denne funksjonen krever en gyldig lisens for å aktiveres.",
+    "maintenanceScreenTitle": "Tjenesten er midlertidig utilgjengelig",
+    "maintenanceScreenMessage": "Vi opplever for øyeblikket tekniske problemer. Vennligst sjekk igjen snart.",
+    "maintenanceScreenEstimatedCompletion": "Estimert ferdigstillelse:",
+    "createInternalResourceDialogDestinationRequired": "Destinasjonen er nødvendig",
+    "available": "Tilgjengelig",
+    "archived": "Arkivert",
+    "noArchivedDevices": "Ingen arkiverte enheter funnet",
+    "deviceArchived": "Enhet arkivert",
+    "deviceArchivedDescription": "Enheten er blitt arkivert.",
+    "errorArchivingDevice": "Feil ved arkivering av enhet",
+    "failedToArchiveDevice": "Kunne ikke arkivere enhet",
+    "deviceQuestionArchive": "Er du sikker på at du vil arkivere denne enheten?",
+    "deviceMessageArchive": "Enheten blir arkivert og fjernet fra listen over aktive enheter.",
+    "deviceArchiveConfirm": "Arkiver enhet",
+    "archiveDevice": "Arkiver enhet",
+    "archive": "Arkiv",
+    "deviceUnarchived": "Enheten er uarkivert",
+    "deviceUnarchivedDescription": "Enheten er blitt avarkivert.",
+    "errorUnarchivingDevice": "Feil ved arkivering av enhet",
+    "failedToUnarchiveDevice": "Kunne ikke fjerne arkivere enheten",
+    "unarchive": "Avarkiver",
+    "archiveClient": "Arkiver klient",
+    "archiveClientQuestion": "Er du sikker på at du vil arkivere denne klienten?",
+    "archiveClientMessage": "Klienten arkiveres og fjernes fra listen over aktive klienter.",
+    "archiveClientConfirm": "Arkiver klient",
+    "blockClient": "Blokker kunde",
+    "blockClientQuestion": "Er du sikker på at du vil blokkere denne klienten?",
+    "blockClientMessage": "Enheten blir tvunget til å koble fra hvis den er koblet til. Du kan fjerne blokkeringen av enheten senere.",
+    "blockClientConfirm": "Blokker kunde",
+    "active": "Aktiv",
+    "usernameOrEmail": "Brukernavn eller e-post",
+    "selectYourOrganization": "Velg din organisasjon",
+    "signInTo": "Logg inn på",
+    "signInWithPassword": "Fortsett med passord",
+    "noAuthMethodsAvailable": "Ingen autentiseringsmetoder er tilgjengelige for denne organisasjonen.",
+    "enterPassword": "Angi ditt passord",
+    "enterMfaCode": "Angi koden fra din autentiseringsapp",
+    "securityKeyRequired": "Vennligst bruk sikkerhetsnøkkelen til å logge på.",
+    "needToUseAnotherAccount": "Trenger du å bruke en annen konto?",
+    "loginLegalDisclaimer": "Ved å klikke på knappene nedenfor, erkjenner du at du har lest, forstår, og godtar <termsOfService>Vilkår for bruk</termsOfService> og <privacyPolicy>for Personvernerklæring</privacyPolicy>.",
+    "termsOfService": "Vilkår for bruk",
+    "privacyPolicy": "Retningslinjer for personvern",
+    "userNotFoundWithUsername": "Ingen bruker med det brukernavnet funnet.",
+    "verify": "Verifiser",
+    "signIn": "Logg inn",
+    "forgotPassword": "Glemt passord?",
+    "orgSignInTip": "Hvis du har logget inn før, kan du skrive inn brukernavnet eller e-postadressen ovenfor for å autentisere med organisasjonens identitetstjeneste i stedet. Det er enklere!",
+    "continueAnyway": "Fortsett likevel",
+    "dontShowAgain": "Ikke vis igjen",
+    "orgSignInNotice": "Visste du?",
+    "signupOrgNotice": "Prøver å logge inn?",
+    "signupOrgTip": "Prøver du å logge inn gjennom din organisasjons identitetsleverandør?",
+    "signupOrgLink": "Logg inn eller registrer deg med organisasjonen din i stedet",
+    "verifyEmailLogInWithDifferentAccount": "Bruk en annen konto",
+    "logIn": "Logg inn",
+    "deviceInformation": "Enhetens informasjon",
+    "deviceInformationDescription": "Informasjon om enheten og agenten",
+    "deviceSecurity": "Enhetens sikkerhet",
+    "deviceSecurityDescription": "Sikkerhetsstillings informasjon om utstyr",
+    "platform": "Plattform",
+    "macosVersion": "macOS versjon",
+    "windowsVersion": "Windows versjon",
+    "iosVersion": "iOS Versjon",
+    "androidVersion": "Android versjon",
+    "osVersion": "OS versjon",
+    "kernelVersion": "Kjerne versjon",
+    "deviceModel": "Enhets modell",
+    "serialNumber": "Serienummer",
+    "hostname": "Hostname",
+    "firstSeen": "Først sett",
+    "lastSeen": "Sist sett",
+    "biometricsEnabled": "Biometri aktivert",
+    "diskEncrypted": "Disk kryptert",
+    "firewallEnabled": "Brannmur aktivert",
+    "autoUpdatesEnabled": "Automatiske oppdateringer aktivert",
+    "tpmAvailable": "TPM tilgjengelig",
+    "macosSipEnabled": "System Integritetsbeskyttelse (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Brannmur Usynlig Modus",
+    "linuxAppArmorEnabled": "Rustning",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Vis enhetsinformasjon og innstillinger",
+    "devicePendingApprovalDescription": "Denne enheten venter på godkjenning",
+    "deviceBlockedDescription": "Denne enheten er blokkert. Det kan ikke kobles til noen ressurser med mindre de ikke blir blokkert.",
+    "unblockClient": "Avblokker klient",
+    "unblockClientDescription": "Enheten har blitt blokkert",
+    "unarchiveClient": "Fjern arkivering klient",
+    "unarchiveClientDescription": "Enheten er arkivert",
+    "block": "Blokker",
+    "unblock": "Avblokker",
+    "deviceActions": "Enhetens handlinger",
+    "deviceActionsDescription": "Administrer enhetsstatus og tilgang",
+    "devicePendingApprovalBannerDescription": "Denne enheten venter på godkjenning. Den kan ikke koble til ressurser før den er godkjent.",
+    "connected": "Tilkoblet",
+    "disconnected": "Frakoblet",
+    "approvalsEmptyStateTitle": "Enhetsgodkjenninger er ikke aktivert",
+    "approvalsEmptyStateDescription": "Aktivere godkjenninger av enheter for at roller må godkjennes av admin før brukere kan koble til nye enheter.",
+    "approvalsEmptyStateStep1Title": "Gå til roller",
+    "approvalsEmptyStateStep1Description": "Naviger til organisasjonens roller innstillinger for å konfigurere enhetsgodkjenninger.",
+    "approvalsEmptyStateStep2Title": "Aktiver enhetsgodkjenninger",
+    "approvalsEmptyStateStep2Description": "Rediger en rolle og aktiver alternativet 'Kreve enhetsgodkjenninger'. Brukere med denne rollen vil trenge administratorgodkjenning for nye enheter.",
+    "approvalsEmptyStatePreviewDescription": "Forhåndsvisning: Når aktivert, ventende enhets forespørsler vil vises her for vurdering",
+    "approvalsEmptyStateButtonText": "Administrer Roller"
 }
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Maak de organisatie, site en bronnen aan",
+    "headerAuthCompatibilityInfo": "Schakel dit in om een 401 Niet Geautoriseerd antwoord af te dwingen wanneer een authenticatietoken ontbreekt. Dit is vereist voor browsers of specifieke HTTP-bibliotheken die geen referenties verzenden zonder een serveruitdaging.",
+    "headerAuthCompatibility": "Uitgebreide compatibiliteit",
    "setupNewOrg": "Nieuwe organisatie",
    "setupCreateOrg": "Nieuwe organisatie aanmaken",
    "setupCreateResources": "Bronnen aanmaken",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Weet u zeker dat u de site wilt verwijderen uit de organisatie?",
    "siteManageSites": "Sites beheren",
    "siteDescription": "Maak en beheer sites om verbinding met privénetwerken in te schakelen",
+    "sitesBannerTitle": "Verbind elk netwerk",
+    "sitesBannerDescription": "Een site is een verbinding met een extern netwerk waarmee Pangolin toegang biedt tot bronnen, zowel openbaar als privé, aan gebruikers overal. Installeer de sitedatacenterconnector (Newt) overal waar je een binaire of container kunt uitvoeren om de verbinding tot stand te brengen.",
+    "sitesBannerButtonText": "Site installeren",
+    "approvalsBannerTitle": "Toegang tot het apparaat goedkeuren of weigeren",
+    "approvalsBannerDescription": "Bekijk en keur toestelverzoeken goed of weiger toegang van gebruikers. Wanneer apparaatgoedkeuringen vereist zijn, moeten gebruikers de goedkeuring van beheerders krijgen voordat hun apparaten verbinding kunnen maken met de bronnen van uw organisatie.",
+    "approvalsBannerButtonText": "Meer informatie",
    "siteCreate": "Site maken",
    "siteCreateDescription2": "Volg de onderstaande stappen om een nieuwe site aan te maken en te verbinden",
    "siteCreateDescription": "Maak een nieuwe site aan om bronnen te verbinden",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Bepaal hoe u verbinding wilt maken met de site",
    "siteNewtCredentials": "Aanmeldgegevens",
    "siteNewtCredentialsDescription": "Dit is hoe de site zich zal verifiëren met de server",
+    "remoteNodeCredentialsDescription": "Dit is hoe de externe node zich bij de server zal authenticeren",
    "siteCredentialsSave": "Sla de aanmeldgegevens op",
    "siteCredentialsSaveDescription": "Je kunt dit slechts één keer zien. Kopieer het naar een beveiligde plek.",
    "siteInfo": "Site informatie",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Selecteer een bron",
    "proxyResourceTitle": "Openbare bronnen beheren",
    "proxyResourceDescription": "Creëer en beheer bronnen die openbaar toegankelijk zijn via een webbrowser",
+    "proxyResourcesBannerTitle": "Webgebaseerde openbare toegang",
+    "proxyResourcesBannerDescription": "Openbare bronnen zijn HTTPS of TCP/UDP-proxies die toegankelijk zijn voor iedereen op het internet via een webbrowser. In tegenstelling tot priv<69><76>bronnen vereisen ze geen client-side software maar kunnen ze identiteits- en context-bewuste toegangsrichtlijnen bevatten.",
    "clientResourceTitle": "Privébronnen beheren",
    "clientResourceDescription": "Creëer en beheer bronnen die alleen toegankelijk zijn via een verbonden client",
+    "privateResourcesBannerTitle": "Zero-Trust Private Access",
+    "privateResourcesBannerDescription": "Privé bronnen maken gebruik van zero-trust-beveiliging, wat ervoor zorgt dat gebruikers en machines alleen toegang kunnen krijgen tot middelen die jij specifiek toestaat. Verbind gebruikersapparaten of machineclients om deze middelen te benaderen via een veilig virtueel priv<69><76>netwerk.",
    "resourcesSearch": "Zoek bronnen...",
    "resourceAdd": "Bron toevoegen",
    "resourceErrorDelte": "Fout bij verwijderen document",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Eenmaal verwijderd, zal het bestand niet langer toegankelijk zijn. Alle doelen die gekoppeld zijn aan het hulpbron, zullen ook verwijderd worden.",
    "resourceQuestionRemove": "Weet u zeker dat u het document van de organisatie wilt verwijderen?",
    "resourceHTTP": "HTTPS bron",
-    "resourceHTTPDescription": "Proxy verzoeken aan de app via HTTPS via een subdomein of basisdomein.",
+    "resourceHTTPDescription": "Proxyverzoeken via HTTPS met een volledig gekwalificeerde domeinnaam.",
    "resourceRaw": "TCP/UDP bron",
-    "resourceRawDescription": "Proxy verzoeken naar de app via TCP/UDP met behulp van een poortnummer. Dit werkt alleen als sites zijn verbonden met nodes.",
+    "resourceRawDescription": "Proxyverzoeken via ruwe TCP/UDP met een poortnummer.",
    "resourceCreate": "Bron maken",
    "resourceCreateDescription": "Volg de onderstaande stappen om een nieuwe bron te maken",
    "resourceSeeAll": "Alle bronnen bekijken",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Rollen zoeken...",
    "accessRolesAdd": "Rol toevoegen",
    "accessRoleDelete": "Verwijder rol",
+    "accessApprovalsManage": "Goedkeuringen beheren",
+    "accessApprovalsDescription": "Bekijk en beheer openstaande goedkeuringen voor toegang tot deze organisatie",
    "description": "Beschrijving",
    "inviteTitle": "Open uitnodigingen",
    "inviteDescription": "Beheer uitnodigingen voor andere gebruikers om deel te nemen aan de organisatie",
@@ -440,6 +455,18 @@
    "selectDuration": "Selecteer duur",
    "selectResource": "Selecteer Document",
    "filterByResource": "Filter op pagina",
+    "selectApprovalState": "Selecteer goedkeuringsstatus",
+    "filterByApprovalState": "Filter op goedkeuringsstatus",
+    "approvalListEmpty": "Geen goedkeuringen",
+    "approvalState": "Goedkeuring status",
+    "approve": "Goedkeuren",
+    "approved": "Goedgekeurd",
+    "denied": "Geweigerd",
+    "deniedApproval": "Geweigerde goedkeuring",
+    "all": "Alles",
+    "deny": "Weigeren",
+    "viewDetails": "Details bekijken",
+    "requestingNewDeviceApproval": "heeft een nieuw apparaat aangevraagd",
    "resetFilters": "Filters resetten",
    "totalBlocked": "Verzoeken geblokkeerd door Pangolin",
    "totalRequests": "Totaal verzoeken",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Beheerders hebben altijd toegang tot deze bron.",
    "resourceUsersRoles": "Toegang Bediening",
    "resourceUsersRolesDescription": "Configureer welke gebruikers en rollen deze pagina kunnen bezoeken",
-    "resourceUsersRolesSubmit": "Gebruikers opslaan & rollen",
+    "resourceUsersRolesSubmit": "Bewaar Toegangsbesturing",
    "resourceWhitelistSave": "Succesvol opgeslagen",
    "resourceWhitelistSaveDescription": "Whitelist instellingen zijn opgeslagen",
    "ssoUse": "Gebruik Platform SSO",
@@ -719,16 +746,28 @@
    "countries": "Landen",
    "accessRoleCreate": "Rol aanmaken",
    "accessRoleCreateDescription": "Maak een nieuwe rol aan om gebruikers te groeperen en hun rechten te beheren.",
+    "accessRoleEdit": "Rol bewerken",
+    "accessRoleEditDescription": "Bewerk rol informatie.",
    "accessRoleCreateSubmit": "Rol aanmaken",
    "accessRoleCreated": "Rol aangemaakt",
    "accessRoleCreatedDescription": "De rol is succesvol aangemaakt.",
    "accessRoleErrorCreate": "Rol aanmaken mislukt",
    "accessRoleErrorCreateDescription": "Fout opgetreden tijdens het aanmaken van de rol.",
+    "accessRoleUpdateSubmit": "Rol bijwerken",
+    "accessRoleUpdated": "Rol bijgewerkt",
+    "accessRoleUpdatedDescription": "De rol is succesvol bijgewerkt.",
+    "accessApprovalUpdated": "Afgewerkt met goedkeuring",
+    "accessApprovalApprovedDescription": "Stel het goedkeuringsverzoek in op goedkeuring.",
+    "accessApprovalDeniedDescription": "Stel de beslissing over het goedkeuringsverzoek in als geweigerd.",
+    "accessRoleErrorUpdate": "Bijwerken van rol mislukt",
+    "accessRoleErrorUpdateDescription": "Fout opgetreden tijdens het bijwerken van de rol.",
+    "accessApprovalErrorUpdate": "Kan goedkeuring niet verwerken",
+    "accessApprovalErrorUpdateDescription": "Er is een fout opgetreden bij het verwerken van de goedkeuring.",
    "accessRoleErrorNewRequired": "Nieuwe rol is vereist",
    "accessRoleErrorRemove": "Rol verwijderen mislukt",
    "accessRoleErrorRemoveDescription": "Er is een fout opgetreden tijdens het verwijderen van de rol.",
    "accessRoleName": "Rol naam",
-    "accessRoleQuestionRemove": "U staat op het punt de {name} rol te verwijderen. U kunt deze actie niet ongedaan maken.",
+    "accessRoleQuestionRemove": "Je staat op het punt de `{name}` rol te verwijderen. Je kunt deze actie niet ongedaan maken.",
    "accessRoleRemove": "Rol verwijderen",
    "accessRoleRemoveDescription": "Verwijder een rol van de organisatie",
    "accessRoleRemoveSubmit": "Rol verwijderen",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Toegang voor een organisatie configureren",
    "idpUpdatedDescription": "Identity provider succesvol bijgewerkt",
    "redirectUrl": "Omleidings URL",
+    "orgIdpRedirectUrls": "URL's omleiden",
    "redirectUrlAbout": "Over omleidings-URL",
    "redirectUrlAboutDescription": "Dit is de URL waarnaar gebruikers worden doorverwezen na verificatie. U moet deze URL configureren in de instellingen van de identiteitsprovider.",
    "pangolinAuth": "Authenticatie - Pangolin",
@@ -863,7 +903,7 @@
    "inviteAlready": "Het lijkt erop dat je bent uitgenodigd!",
    "inviteAlreadyDescription": "Om de uitnodiging te accepteren, moet je inloggen of een account aanmaken.",
    "signupQuestion": "Heeft u al een account?",
-    "login": "Inloggen",
+    "login": "Log in",
    "resourceNotFound": "Bron niet gevonden",
    "resourceNotFoundDescription": "De bron die u probeert te benaderen bestaat niet.",
    "pincodeRequirementsLength": "Pincode moet precies 6 cijfers zijn",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Authenticatiecode",
    "pincodeSubmit2": "Code indienen",
    "passwordResetSubmit": "Opnieuw instellen aanvragen",
-    "passwordResetAlreadyHaveCode": "Herstelcode wachtwoord invoeren",
+    "passwordResetAlreadyHaveCode": "Code invoeren",
    "passwordResetSmtpRequired": "Neem contact op met uw beheerder",
    "passwordResetSmtpRequiredDescription": "Er is een wachtwoord reset code nodig om uw wachtwoord opnieuw in te stellen. Neem contact op met uw beheerder voor hulp.",
    "passwordBack": "Terug naar wachtwoord",
-    "loginBack": "Ga terug naar login",
+    "loginBack": "Ga terug naar de hoofdinlogpagina",
    "signup": "Registreer nu",
    "loginStart": "Log in om te beginnen",
    "idpOidcTokenValidating": "Valideer OIDC-token",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Org gebruiker bijwerken",
    "createOrgUser": "Org gebruiker aanmaken",
    "actionUpdateOrg": "Organisatie bijwerken",
+    "actionRemoveInvitation": "Verwijder uitnodiging",
    "actionUpdateUser": "Gebruiker bijwerken",
    "actionGetUser": "Gebruiker ophalen",
    "actionGetOrgUser": "Krijg organisatie-gebruiker",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Site ophalen",
    "actionListSites": "Sites weergeven",
    "actionApplyBlueprint": "Blauwdruk toepassen",
+    "actionListBlueprints": "Lijst blauwdrukken",
+    "actionGetBlueprint": "Krijg Blauwdruk",
    "setupToken": "Instel Token",
    "setupTokenDescription": "Voer het setup-token in vanaf de serverconsole.",
    "setupTokenRequired": "Setup-token is vereist",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "IDP-org bijwerken",
    "actionCreateClient": "Client aanmaken",
    "actionDeleteClient": "Verwijder klant",
+    "actionArchiveClient": "Archiveer client",
+    "actionUnarchiveClient": "Dearchiveer client",
+    "actionBlockClient": "Blokkeer klant",
+    "actionUnblockClient": "Deblokkeer client",
    "actionUpdateClient": "Klant bijwerken",
    "actionListClients": "Lijst klanten",
    "actionGetClient": "Client ophalen",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Zoeken...",
    "create": "Aanmaken",
    "orgs": "Organisaties",
-    "loginError": "Er is een fout opgetreden tijdens het inloggen",
-    "loginRequiredForDevice": "Inloggen is vereist om je apparaat te verifiëren.",
+    "loginError": "Er is een onverwachte fout opgetreden. Probeer het opnieuw.",
+    "loginRequiredForDevice": "Inloggen is vereist voor je apparaat.",
    "passwordForgot": "Wachtwoord vergeten?",
    "otpAuth": "Tweestapsverificatie verificatie",
    "otpAuthDescription": "Voer de code van je authenticator-app of een van je reservekopiecodes voor het eenmalig gebruik in.",
    "otpAuthSubmit": "Code indienen",
    "idpContinue": "Of ga verder met",
-    "otpAuthBack": "Terug naar inloggen",
+    "otpAuthBack": "Terug naar wachtwoord",
    "navbar": "Navigatiemenu",
    "navbarDescription": "Hoofd navigatie menu voor de applicatie",
    "navbarDocsLink": "Documentatie",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Overzicht.",
    "sidebarHome": "Startpagina",
    "sidebarSites": "Werkruimtes",
+    "sidebarApprovals": "Goedkeuringsverzoeken",
    "sidebarResources": "Bronnen",
    "sidebarProxyResources": "Openbaar",
    "sidebarClientResources": "Privé",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Identiteit aanbieders",
    "sidebarLicense": "Licentie",
    "sidebarClients": "Clienten",
-    "sidebarUserDevices": "Gebruikers",
+    "sidebarUserDevices": "Gebruiker Apparaten",
    "sidebarMachineClients": "Machines",
    "sidebarDomains": "Domeinen",
-    "sidebarGeneral": "Algemeen",
+    "sidebarGeneral": "Beheren",
    "sidebarLogAndAnalytics": "Log & Analytics",
    "sidebarBluePrints": "Blauwdrukken",
    "sidebarOrganization": "Organisatie",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Er is een fout opgetreden bij het maken van het serverbeheerdersaccount.",
    "certificateStatus": "Certificaatstatus",
    "loading": "Bezig met laden",
+    "loadingAnalytics": "Laden van Analytics",
    "restart": "Herstarten",
    "domains": "Domeinen",
    "domainsDescription": "Maak en beheer domeinen die beschikbaar zijn in de organisatie",
@@ -1290,6 +1339,7 @@
    "refreshError": "Het vernieuwen van gegevens is mislukt",
    "verified": "Gecontroleerd",
    "pending": "In afwachting",
+    "pendingApproval": "Wachten op goedkeuring",
    "sidebarBilling": "Facturering",
    "billing": "Facturering",
    "orgBillingDescription": "Beheer factureringsinformatie en abonnementen",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Accountinstelling voltooid! Welkom bij Pangolin!",
    "documentation": "Documentatie",
    "saveAllSettings": "Alle instellingen opslaan",
+    "saveResourceTargets": "Doelstellingen opslaan",
+    "saveResourceHttp": "Proxyinstellingen opslaan",
+    "saveProxyProtocol": "Proxy-protocolinstellingen opslaan",
    "settingsUpdated": "Instellingen bijgewerkt",
-    "settingsUpdatedDescription": "Alle instellingen zijn succesvol bijgewerkt",
+    "settingsUpdatedDescription": "Instellingen succesvol bijgewerkt",
    "settingsErrorUpdate": "Bijwerken van instellingen mislukt",
    "settingsErrorUpdateDescription": "Er is een fout opgetreden bij het bijwerken van instellingen",
    "sidebarCollapse": "Inklappen",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Beveiligingssleutel succesvol verwijderd",
    "securityKeyRemoveError": "Fout bij verwijderen van beveiligingssleutel",
    "securityKeyLoadError": "Fout bij laden van beveiligingssleutels",
-    "securityKeyLogin": "Doorgaan met beveiligingssleutel",
+    "securityKeyLogin": "Gebruik beveiligingssleutel",
    "securityKeyAuthError": "Fout bij authenticatie met beveiligingssleutel",
    "securityKeyRecommendation": "Overweeg om een andere beveiligingssleutel te registreren op een ander apparaat om ervoor te zorgen dat u niet buitengesloten raakt van uw account.",
    "registering": "Registreren...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Ik ga akkoord met de",
        "termsOfService": "servicevoorwaarden",
        "and": "en",
-        "privacyPolicy": "privacybeleid"
+        "privacyPolicy": "privacy beleid"
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Houd me op de hoogte met nieuws, updates en nieuwe functies per e-mail."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Voeg nieuw doelwit toe",
    "targetsList": "Lijst met doelen",
    "advancedMode": "Geavanceerde modus",
+    "advancedSettings": "Geavanceerde instellingen",
    "targetErrorDuplicateTargetFound": "Dubbel doelwit gevonden",
    "healthCheckHealthy": "Gezond",
    "healthCheckUnhealthy": "Ongezond",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Gezonde Interval",
    "timeoutSeconds": "Timeout (sec)",
    "timeIsInSeconds": "Tijd is in seconden",
+    "requireDeviceApproval": "Vereist goedkeuring van apparaat",
+    "requireDeviceApprovalDescription": "Gebruikers met deze rol hebben nieuwe apparaten nodig die door een beheerder zijn goedgekeurd voordat ze verbinding kunnen maken met bronnen en deze kunnen gebruiken.",
    "retryAttempts": "Herhaal Pogingen",
    "expectedResponseCodes": "Verwachte Reactiecodes",
    "expectedResponseCodesDescription": "HTTP-statuscode die gezonde status aangeeft. Indien leeg wordt 200-300 als gezond beschouwd.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Geen interne bronnen gevonden.",
    "resourcesTableDestination": "Bestemming",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Alias adres",
+    "resourcesTableAliasAddressInfo": "Dit adres is onderdeel van het hulpprogramma subnet van de organisatie. Het wordt gebruikt om aliasrecords op te lossen met behulp van interne DNS-resolutie.",
    "resourcesTableClients": "Clienten",
    "resourcesTableAndOnlyAccessibleInternally": "en zijn alleen intern toegankelijk wanneer verbonden met een client.",
    "resourcesTableNoTargets": "Geen doelen",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Bron-eigenschappen",
    "createInternalResourceDialogName": "Naam",
    "createInternalResourceDialogSite": "Site",
-    "createInternalResourceDialogSelectSite": "Selecteer site...",
-    "createInternalResourceDialogSearchSites": "Zoek sites...",
-    "createInternalResourceDialogNoSitesFound": "Geen sites gevonden.",
+    "selectSite": "Selecteer site...",
+    "noSitesFound": "Geen sites gevonden.",
    "createInternalResourceDialogProtocol": "Protocol",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Het interne adres van de site. Moet binnen het subnetwerk van de organisatie vallen.",
    "siteNameDescription": "De weergavenaam van de site die later gewijzigd kan worden.",
    "autoLoginExternalIdp": "Auto Login met Externe IDP",
-    "autoLoginExternalIdpDescription": "De gebruiker onmiddellijk doorsturen naar de externe IDP voor authenticatie.",
+    "autoLoginExternalIdpDescription": "Leidt de gebruiker onmiddellijk door naar de externe identiteitsprovider voor authenticatie.",
    "selectIdp": "Selecteer IDP",
    "selectIdpPlaceholder": "Kies een IDP...",
    "selectIdpRequired": "Selecteer alstublieft een IDP wanneer automatisch inloggen is ingeschakeld.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Geen redirect URL ontvangen van de identity provider.",
    "autoLoginErrorGeneratingUrl": "Genereren van authenticatie-URL mislukt.",
    "remoteExitNodeManageRemoteExitNodes": "Externe knooppunten",
-    "remoteExitNodeDescription": "Zelf host één of meer externe knooppunten om de netwerkverbinding uit te breiden en het vertrouwen in de cloud te verminderen",
+    "remoteExitNodeDescription": "Host je eigen externe relais- en proxyserverknooppunten zelf",
    "remoteExitNodes": "Nodes",
    "searchRemoteExitNodes": "Knooppunten zoeken...",
    "remoteExitNodeAdd": "Voeg node toe",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Bevestig verwijderen node",
    "remoteExitNodeDelete": "Knoop verwijderen",
    "sidebarRemoteExitNodes": "Externe knooppunten",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Geheim",
    "remoteExitNodeCreate": {
-        "title": "Maak node",
-        "description": "Maak een nieuwe node aan om de netwerkverbinding uit te breiden",
+        "title": "Externe knoop aanmaken",
+        "description": "Maak een nieuwe zelf-gehoste externe relais- en proxyservermodule",
        "viewAllButton": "Alle nodes weergeven",
        "strategy": {
            "title": "Creatie Strategie",
-            "description": "Kies dit om handmatig het knooppunt te configureren of nieuwe referenties te genereren.",
+            "description": "Selecteer hoe u de externe knoop wilt aanmaken",
            "adopt": {
                "title": "Adopteer Node",
                "description": "Kies dit als u al de referenties voor deze node heeft"
            },
            "generate": {
                "title": "Genereer Sleutels",
-                "description": "Kies dit als u nieuwe sleutels voor het knooppunt wilt genereren"
+                "description": "Kies dit als u nieuwe sleutels voor het knooppunt wilt genereren."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Subnet",
    "subnetDescription": "Het subnet van de netwerkconfiguratie van deze organisatie.",
-    "authPage": "Authenticatie pagina",
-    "authPageDescription": "De autorisatiepagina voor de organisatie configureren",
+    "customDomain": "Aangepast domein",
+    "authPage": "Authenticatiepagina's",
+    "authPageDescription": "Stel een aangepast domein in voor de authenticatiepagina's van de organisatie",
    "authPageDomain": "Authenticatie pagina domein",
+    "authPageBranding": "Aangepaste branding",
+    "authPageBrandingDescription": "Configureer de branding die op de authenticatiepagina's voor deze organisatie verschijnt",
+    "authPageBrandingUpdated": "Auth-paginamerken succesvol bijgewerkt",
+    "authPageBrandingRemoved": "Configuratie hiervan is succesvol verwijderd.",
+    "authPageBrandingRemoveTitle": "Verwijder Auth-pagina Branding",
+    "authPageBrandingQuestionRemove": "Weet u zeker dat u de branding voor Auth-pagina's wilt verwijderen?",
+    "authPageBrandingDeleteConfirm": "Bevestig verwijder Branding",
+    "brandingLogoURL": "Het logo-URL",
+    "brandingPrimaryColor": "Primaire kleur",
+    "brandingLogoWidth": "Breedte (px)",
+    "brandingLogoHeight": "Hoogte (px)",
+    "brandingOrgTitle": "Titel voor organisatie-authenticatiepagina",
+    "brandingOrgDescription": "{orgName} wordt vervangen door de naam van de organisatie",
+    "brandingOrgSubtitle": "Ondertitel voor organisatie-authenticatiepagina",
+    "brandingResourceTitle": "Titel voor bron-authenticatiepagina",
+    "brandingResourceSubtitle": "Ondertitel voor bron-authenticatiepagina",
+    "brandingResourceDescription": "{resourceName} wordt vervangen door de naam van de organisatie",
+    "saveAuthPageDomain": "Domein opslaan",
+    "saveAuthPageBranding": "Branding opslaan",
+    "removeAuthPageBranding": "Branding verwijderen",
    "noDomainSet": "Geen domein ingesteld",
    "changeDomain": "Domein wijzigen",
    "selectDomain": "Domein selecteren",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Authenticatiepagina domein instellen",
    "failedToFetchCertificate": "Certificaat ophalen mislukt",
    "failedToRestartCertificate": "Kon certificaat niet opnieuw opstarten",
-    "addDomainToEnableCustomAuthPages": "Een domein toevoegen om aangepaste authenticatiepagina's voor de organisatie in te schakelen",
+    "addDomainToEnableCustomAuthPages": "Gebruikers kunnen toegang krijgen tot de inlogpagina van de organisatie en de bronauthenticatie voltooien met dit domein.",
    "selectDomainForOrgAuthPage": "Selecteer een domein voor de authenticatiepagina van de organisatie",
    "domainPickerProvidedDomain": "Opgegeven domein",
    "domainPickerFreeProvidedDomain": "Gratis verstrekt domein",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" kon niet geldig worden gemaakt voor {domain}.",
    "domainPickerSubdomainSanitized": "Subdomein gesaniseerd",
    "domainPickerSubdomainCorrected": "\"{sub}\" was gecorrigeerd op \"{sanitized}\"",
-    "orgAuthSignInTitle": "Log in op de organisatie",
+    "orgAuthSignInTitle": "Organisatie Inloggen",
    "orgAuthChooseIdpDescription": "Kies uw identiteitsprovider om door te gaan",
    "orgAuthNoIdpConfigured": "Deze organisatie heeft geen identiteitsproviders geconfigureerd. Je kunt in plaats daarvan inloggen met je Pangolin-identiteit.",
    "orgAuthSignInWithPangolin": "Log in met Pangolin",
+    "orgAuthSignInToOrg": "Log in bij een organisatie",
+    "orgAuthSelectOrgTitle": "Organisatie Inloggen",
+    "orgAuthSelectOrgDescription": "Voer je organisatie-ID in om verder te gaan",
+    "orgAuthOrgIdPlaceholder": "jouw-organisatie",
+    "orgAuthOrgIdHelp": "Voer de unieke ID van jouw organisatie in",
+    "orgAuthSelectOrgHelp": "Na het invoeren van je organisatie-ID, word je doorgestuurd naar de inlogpagina van je organisatie waar je SSO kunt gebruiken of de gegevens van je organisatie.",
+    "orgAuthRememberOrgId": "Vergeet deze organisatie-ID niet",
+    "orgAuthBackToSignIn": "Terug naar standaard aanmelden",
+    "orgAuthNoAccount": "Nog geen account?",
    "subscriptionRequiredToUse": "Een abonnement is vereist om deze functie te gebruiken.",
    "idpDisabled": "Identiteitsaanbieders zijn uitgeschakeld.",
    "orgAuthPageDisabled": "Pagina voor organisatie-authenticatie is uitgeschakeld.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Tweestapsverificatie inschakelen",
    "completeSecuritySteps": "Voltooi beveiligingsstappen",
    "securitySettings": "Beveiliging instellingen",
+    "dangerSection": "Gevaarlijke zone",
+    "dangerSectionDescription": "Verwijder permanent alle gegevens die aan deze organisatie zijn gekoppeld",
    "securitySettingsDescription": "Beveiligingsbeleid voor de organisatie configureren",
    "requireTwoFactorForAllUsers": "Authenticatie in twee stappen vereist voor alle gebruikers",
    "requireTwoFactorDescription": "Wanneer ingeschakeld, moeten alle interne gebruikers in deze organisatie tweestapsverificatie ingeschakeld hebben om toegang te krijgen tot de organisatie.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Dit heeft invloed op alle gebruikers in de organisatie",
    "authPageErrorUpdateMessage": "Er is een fout opgetreden bij het bijwerken van de instellingen van de auth-pagina",
    "authPageErrorUpdate": "Kan de autorisatiepagina niet bijwerken",
-    "authPageUpdated": "Auth-pagina succesvol bijgewerkt",
+    "authPageDomainUpdated": "Auth-pagina domein succesvol bijgewerkt",
    "healthCheckNotAvailable": "Lokaal",
    "rewritePath": "Herschrijf Pad",
    "rewritePathDescription": "Optioneel het pad herschrijven voordat je het naar het doel doorstuurt.",
@@ -1915,8 +2006,15 @@
    "beta": "Bèta",
    "manageUserDevices": "Gebruiker Apparaten",
    "manageUserDevicesDescription": "Bekijk en beheer apparaten die gebruikers gebruiken om privé verbinding te maken met bronnen",
+    "downloadClientBannerTitle": "Download Pangolin Client",
+    "downloadClientBannerDescription": "Download de Pangolin-client voor je systeem om verbinding te maken met het Pangolin-netwerk en resources privé te benaderen.",
    "manageMachineClients": "Beheer Machine Clients",
    "manageMachineClientsDescription": "Creëer en beheer clients die servers en systemen gebruiken om privé verbinding te maken met bronnen",
+    "machineClientsBannerTitle": "Servers & Geautomatiseerde Systemen",
+    "machineClientsBannerDescription": "Machineclients zijn bedoeld voor servers en geautomatiseerde systemen die niet aan een specifieke gebruiker zijn gekoppeld. Ze verifiëren met een ID en geheim, en kunnen draaien met Pangolin CLI, Olm CLI, of Olm als een container.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm-container",
    "clientsTableUserClients": "Gebruiker",
    "clientsTableMachineClients": "Machine",
    "licenseTableValidUntil": "Geldig tot",
@@ -2060,13 +2158,15 @@
    "request": "Aanvragen",
    "requests": "Verzoeken",
    "logs": "Logboeken",
-    "logsSettingsDescription": "Monitor logs verzameld van deze orginiatie",
+    "logsSettingsDescription": "Controleer logs verzameld van deze organisatie",
    "searchLogs": "Logboeken zoeken...",
    "action": "actie",
    "actor": "Acteur",
    "timestamp": "Artikeldatering",
    "accessLogs": "Toegang tot logboek",
    "exportCsv": "Exporteren als CSV",
+    "exportError": "Onbekende fout bij exporteren naar CSV",
+    "exportCsvTooltip": "Binnen tijdsbereik",
    "actorId": "Acteur ID",
    "allowedByRule": "Toegestaan door regel",
    "allowedNoAuth": "Toegestaan geen authenticatie",
@@ -2120,7 +2220,7 @@
    "unverified": "Ongeverifieerd",
    "domainSetting": "Domein instellingen",
    "domainSettingDescription": "Configureer instellingen voor het domein",
-    "preferWildcardCertDescription": "Poging om een certificaat met een wildcard te genereren (vereist een correct geconfigureerde certificaatresolver).",
+    "preferWildcardCertDescription": "Probeer een wildcardcertificaat te genereren (vereist een correct geconfigureerde certificaatoplosser).",
    "recordName": "Record Naam",
    "auto": "Automatisch",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Code moet 9 tekens bevatten (bijv. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Ongeldige of verlopen code",
    "deviceCodeVerifyFailed": "Apparaatcode verifiëren mislukt",
+    "deviceCodeValidating": "Apparaatcode valideren...",
+    "deviceCodeVerifying": "Apparaatmachtiging verifiëren...",
    "signedInAs": "Ingelogd als",
    "deviceCodeEnterPrompt": "Voer de op het apparaat weergegeven code in",
    "continue": "Doorgaan",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Toegang tot alle organisaties waar uw account toegang tot heeft",
    "deviceAuthorize": "Autoriseer {applicationName}",
    "deviceConnected": "Apparaat verbonden!",
-    "deviceAuthorizedMessage": "Apparaat is gemachtigd om toegang te krijgen tot je account.",
+    "deviceAuthorizedMessage": "Apparaat is gemachtigd om toegang te krijgen tot je account. Ga terug naar de client applicatie.",
    "pangolinCloud": "Pangoline Cloud",
    "viewDevices": "Bekijk apparaten",
    "viewDevicesDescription": "Beheer uw aangesloten apparaten",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Niet u? Gebruik een ander account.",
    "deviceLoginDeviceRequestingAccessToAccount": "Een apparaat vraagt om toegang tot dit account.",
+    "loginSelectAuthenticationMethod": "Selecteer een verificatiemethode om door te gaan.",
    "noData": "Geen gegevens",
    "machineClients": "Machine Clienten",
    "install": "Installeren",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Kan standaard subnet niet ophalen",
    "setupSubnetAdvanced": "Subnet (Geavanceerd)",
    "setupSubnetDescription": "Het subnet van het interne netwerk van deze organisatie.",
+    "setupUtilitySubnet": "Hulpprogrammasubnet (Geavanceerd)",
+    "setupUtilitySubnetDescription": "Het subnet voor de aliasadressen en DNS-server van deze organisatie.",
    "siteRegenerateAndDisconnect": "Hergenereer en verbreek verbinding",
    "siteRegenerateAndDisconnectConfirmation": "Weet u zeker dat u de inloggegevens opnieuw wilt genereren en de verbinding met deze website wilt verbreken?",
    "siteRegenerateAndDisconnectWarning": "Dit zal de inloggegevens opnieuw genereren en onmiddellijk de site ontkoppelen. De site zal opnieuw moeten worden gestart met de nieuwe inloggegevens.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Dit zal de referenties regenereren en onmiddellijk de externe exit node ontkoppelen. Het externe exit node zal opnieuw moeten worden gestart met de nieuwe referenties.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Weet u zeker dat u de referenties voor deze externe exit node opnieuw wilt genereren?",
    "remoteExitNodeRegenerateCredentialsWarning": "Dit zal de referenties opnieuw genereren. De remote exit node zal verbonden blijven totdat u deze handmatig herstart en de nieuwe referenties gebruikt.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Alleen voor persoonlijk gebruik",
+    "loginPageLicenseWatermark": "Deze instantie is alleen gelicentieerd voor persoonlijk gebruik.",
+    "instanceIsUnlicensed": "Deze instantie is niet gelicentieerd.",
+    "portRestrictions": "Poortbeperkingen",
+    "allPorts": "Alles",
+    "custom": "Aangepast",
+    "allPortsAllowed": "Alle poorten toegestaan",
+    "allPortsBlocked": "Alle poorten geblokkeerd",
+    "tcpPortsDescription": "Geef op welke TCP-poorten zijn toegestaan voor deze bron. Gebruik '*' voor alle poorten, laat leeg om alles te blokkeren of voer een komma-gescheiden lijst van poorten en reeksen in (bijv. 80,443,8000-9000).",
+    "udpPortsDescription": "Geef op welke UDP-poorten zijn toegestaan voor deze bron. Gebruik '*' voor alle poorten, laat leeg om alles te blokkeren of voer een komma-gescheiden lijst van poorten en reeksen in (bijv. 53,123,500-600).",
+    "organizationLoginPageTitle": "Organisatie-inlogpagina",
+    "organizationLoginPageDescription": "Pas de inlogpagina voor deze organisatie aan",
+    "resourceLoginPageTitle": "Inlogpagina voor bronnen",
+    "resourceLoginPageDescription": "Pas de inlogpagina aan voor individuele bronnen",
+    "enterConfirmation": "Bevestiging invoeren",
+    "blueprintViewDetails": "Details",
+    "defaultIdentityProvider": "Standaard Identiteitsprovider",
+    "defaultIdentityProviderDescription": "Wanneer een standaard identity provider is geselecteerd, zal de gebruiker automatisch worden doorgestuurd naar de provider voor authenticatie.",
+    "editInternalResourceDialogNetworkSettings": "Netwerkinstellingen",
+    "editInternalResourceDialogAccessPolicy": "Toegangsbeleid",
+    "editInternalResourceDialogAddRoles": "Rollen toevoegen",
+    "editInternalResourceDialogAddUsers": "Gebruikers toevoegen",
+    "editInternalResourceDialogAddClients": "Clienten toevoegen",
+    "editInternalResourceDialogDestinationLabel": "Bestemming",
+    "editInternalResourceDialogDestinationDescription": "Specificeer het bestemmingsadres voor de interne bron. Dit kan een hostnaam, IP-adres of CIDR-bereik zijn, afhankelijk van de geselecteerde modus. Stel optioneel een interne DNS-alias in voor eenvoudigere identificatie.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Beperk toegang tot specifieke TCP/UDP-poorten of sta alle poorten toe/blokkeer.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Toegangs controle",
+    "editInternalResourceDialogAccessControlDescription": "Beheer welke rollen, gebruikers en machineclients toegang hebben tot deze bron wanneer ze zijn verbonden. Beheerders hebben altijd toegang.",
+    "editInternalResourceDialogPortRangeValidationError": "Poortbereik moet \"*\" zijn voor alle poorten, of een komma-gescheiden lijst van poorten en bereiken (bijv. \"80,443,8000-9000\"). Poorten moeten tussen 1 en 65535 zijn.",
+    "orgAuthWhatsThis": "Waar kan ik mijn organisatie-ID vinden?",
+    "learnMore": "Meer informatie",
+    "backToHome": "Ga terug naar startpagina",
+    "needToSignInToOrg": "Moet u de identiteit provider van uw organisatie gebruiken?",
+    "maintenanceMode": "Onderhoudsmodus",
+    "maintenanceModeDescription": "Toon een onderhoudspagina aan bezoekers",
+    "maintenanceModeType": "Type onderhoudsmodus",
+    "showMaintenancePage": "Toon een onderhoudspagina aan bezoekers",
+    "enableMaintenanceMode": "Onderhoudsmodus inschakelen",
+    "automatic": "Automatisch",
+    "automaticModeDescription": " Toon onderhoudspagina alleen wanneer alle back-enddoelen niet beschikbaar zijn of ongezond zijn. Jouw bron blijft normaal functioneren zolang er tenminste één doel gezond is.",
+    "forced": "Geforceerd",
+    "forcedModeDescription": "Toon altijd de onderhoudspagina ongeacht de gezondheid van de backend. Gebruik dit voor gepland onderhoud wanneer je alle toegang wilt voorkomen.",
+    "warning:": "Waarschuwing:",
+    "forcedeModeWarning": "Al het verkeer wordt naar de onderhoudspagina geleid. Jouw back-endbronnen ontvangen geen verzoeken.",
+    "pageTitle": "Paginatitel",
+    "pageTitleDescription": "De hoofdkop die op de onderhoudspagina wordt weergegeven",
+    "maintenancePageMessage": "Onderhoudsbericht",
+    "maintenancePageMessagePlaceholder": "We keren snel terug! Onze site ondergaat momenteel gepland onderhoud.",
+    "maintenancePageMessageDescription": "Gedetailleerd bericht dat het onderhoud uitlegt",
+    "maintenancePageTimeTitle": "Geschatte voltooiingstijd (optioneel)",
+    "maintenanceTime": "bijv. 2 uur, 1 nov om 17:00",
+    "maintenanceEstimatedTimeDescription": "Wanneer u verwacht dat het onderhoud voltooid is",
+    "editDomain": "Domein bewerken",
+    "editDomainDescription": "Selecteer een domein voor jouw hulpbron",
+    "maintenanceModeDisabledTooltip": "Deze functie vereist een geldige licentie om in te schakelen.",
+    "maintenanceScreenTitle": "Dienst tijdelijk niet beschikbaar",
+    "maintenanceScreenMessage": "We hebben momenteel technische problemen. Probeer het later opnieuw.",
+    "maintenanceScreenEstimatedCompletion": "Geschatte voltooiing:",
+    "createInternalResourceDialogDestinationRequired": "Bestemming is vereist",
+    "available": "Beschikbaar",
+    "archived": "Gearchiveerd",
+    "noArchivedDevices": "Geen gearchiveerde apparaten gevonden",
+    "deviceArchived": "Apparaat gearchiveerd",
+    "deviceArchivedDescription": "Het apparaat is met succes gearchiveerd.",
+    "errorArchivingDevice": "Fout bij archiveren apparaat",
+    "failedToArchiveDevice": "Kan apparaat niet archiveren",
+    "deviceQuestionArchive": "Weet u zeker dat u dit apparaat wilt archiveren?",
+    "deviceMessageArchive": "Het apparaat wordt gearchiveerd en verwijderd uit de lijst met actieve apparaten.",
+    "deviceArchiveConfirm": "Archiveer apparaat",
+    "archiveDevice": "Archiveer apparaat",
+    "archive": "Archief",
+    "deviceUnarchived": "Apparaat niet gearchiveerd",
+    "deviceUnarchivedDescription": "Het apparaat is met succes gedearchiveerd.",
+    "errorUnarchivingDevice": "Fout bij dearchiveren van apparaat",
+    "failedToUnarchiveDevice": "Apparaat dearchiveren mislukt",
+    "unarchive": "Dearchiveren",
+    "archiveClient": "Archiveer client",
+    "archiveClientQuestion": "Weet u zeker dat u deze client wilt archiveren?",
+    "archiveClientMessage": "De klant zal worden gearchiveerd en verwijderd uit de lijst met actieve cliënten.",
+    "archiveClientConfirm": "Archiveer client",
+    "blockClient": "Blokkeer klant",
+    "blockClientQuestion": "Weet u zeker dat u deze cliënt wilt blokkeren?",
+    "blockClientMessage": "Het apparaat zal worden gedwongen de verbinding te verbreken als het momenteel is verbonden. U kunt het apparaat later deblokkeren.",
+    "blockClientConfirm": "Blokkeer klant",
+    "active": "actief",
+    "usernameOrEmail": "Gebruikersnaam of e-mailadres",
+    "selectYourOrganization": "Selecteer uw organisatie",
+    "signInTo": "Log in op",
+    "signInWithPassword": "Ga verder met wachtwoord",
+    "noAuthMethodsAvailable": "Geen verificatiemethoden beschikbaar voor deze organisatie.",
+    "enterPassword": "Voer je wachtwoord in",
+    "enterMfaCode": "Voer de code van je authenticator-app in",
+    "securityKeyRequired": "Gebruik uw beveiligingssleutel om in te loggen.",
+    "needToUseAnotherAccount": "Wilt u een ander account gebruiken?",
+    "loginLegalDisclaimer": "Door op de knoppen hieronder te klikken, erken je dat je gelezen en begrepen hebt en ga akkoord met de <termsOfService>Gebruiksvoorwaarden</termsOfService> en <privacyPolicy>Privacybeleid</privacyPolicy>.",
+    "termsOfService": "Algemene gebruiksvoorwaarden",
+    "privacyPolicy": "Privacy Beleid",
+    "userNotFoundWithUsername": "Geen gebruiker gevonden met die gebruikersnaam.",
+    "verify": "Verifiëren",
+    "signIn": "Log in",
+    "forgotPassword": "Wachtwoord vergeten?",
+    "orgSignInTip": "Als u eerder bent ingelogd, kunt u uw gebruikersnaam of e-mail hierboven invoeren om in plaats daarvan te verifiëren met de identiteitsprovider van uw organisatie! Het is makkelijk!",
+    "continueAnyway": "Toch doorgaan",
+    "dontShowAgain": "Niet meer weergeven",
+    "orgSignInNotice": "Wist u dat?",
+    "signupOrgNotice": "Proberen je aan te melden?",
+    "signupOrgTip": "Probeert u zich aan te melden via de identiteitsprovider van uw organisatie?",
+    "signupOrgLink": "Log in of meld je aan bij je organisatie",
+    "verifyEmailLogInWithDifferentAccount": "Gebruik een ander account",
+    "logIn": "Log in",
+    "deviceInformation": "Apparaat informatie",
+    "deviceInformationDescription": "Informatie over het apparaat en de agent",
+    "deviceSecurity": "Apparaat beveiliging",
+    "deviceSecurityDescription": "Apparaat beveiligingsinformatie",
+    "platform": "Platform",
+    "macosVersion": "macOS versie",
+    "windowsVersion": "Windows versie",
+    "iosVersion": "iOS versie",
+    "androidVersion": "Android versie",
+    "osVersion": "OS versie",
+    "kernelVersion": "Kernel versie",
+    "deviceModel": "Apparaat model",
+    "serialNumber": "Serienummer",
+    "hostname": "Hostname",
+    "firstSeen": "Eerst gezien",
+    "lastSeen": "Laatst gezien op",
+    "biometricsEnabled": "Biometrie ingeschakeld",
+    "diskEncrypted": "Schijf versleuteld",
+    "firewallEnabled": "Firewall ingeschakeld",
+    "autoUpdatesEnabled": "Auto Updates Ingeschakeld",
+    "tpmAvailable": "TPM beschikbaar",
+    "macosSipEnabled": "Systeemintegriteitsbescherming (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Firewall Verberg Modus",
+    "linuxAppArmorEnabled": "Appharnas",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Apparaatinformatie en -instellingen bekijken",
+    "devicePendingApprovalDescription": "Dit apparaat wacht op goedkeuring",
+    "deviceBlockedDescription": "Dit apparaat is momenteel geblokkeerd. Het kan geen verbinding maken met bronnen tenzij het wordt gedeblokkeerd.",
+    "unblockClient": "Deblokkeer client",
+    "unblockClientDescription": "Het apparaat is gedeblokkeerd",
+    "unarchiveClient": "Dearchiveer client",
+    "unarchiveClientDescription": "Het apparaat is gedearchiveerd",
+    "block": "Blokkeren",
+    "unblock": "Deblokkeer",
+    "deviceActions": "Apparaat Acties",
+    "deviceActionsDescription": "Apparaatstatus en toegang beheren",
+    "devicePendingApprovalBannerDescription": "Dit apparaat wacht op goedkeuring. Het zal niet in staat zijn verbinding te maken met bronnen totdat het is goedgekeurd.",
+    "connected": "Verbonden",
+    "disconnected": "Losgekoppeld",
+    "approvalsEmptyStateTitle": "Apparaat goedkeuringen niet ingeschakeld",
+    "approvalsEmptyStateDescription": "Apparaatgoedkeuringen voor rollen inschakelen om goedkeuring van de beheerder te vereisen voordat gebruikers nieuwe apparaten kunnen koppelen.",
+    "approvalsEmptyStateStep1Title": "Ga naar rollen",
+    "approvalsEmptyStateStep1Description": "Navigeer naar de rolinstellingen van uw organisatie om apparaatgoedkeuringen te configureren.",
+    "approvalsEmptyStateStep2Title": "Toestel goedkeuringen inschakelen",
+    "approvalsEmptyStateStep2Description": "Bewerk een rol en schakel de optie 'Vereist Apparaat Goedkeuringen' in. Gebruikers met deze rol hebben admin goedkeuring nodig voor nieuwe apparaten.",
+    "approvalsEmptyStatePreviewDescription": "Voorbeeld: Indien ingeschakeld, zullen in afwachting van apparaatverzoeken hier verschijnen om te beoordelen",
+    "approvalsEmptyStateButtonText": "Rollen beheren"
 }
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Utwórz organizację, witrynę i zasoby",
+    "headerAuthCompatibilityInfo": "Włącz to, aby wymusić odpowiedź Unauthorized 401, gdy brakuje tokena uwierzytelniania. Jest to wymagane dla przeglądarek lub określonych bibliotek HTTP, które nie wysyłają poświadczeń bez wyzwania serwera.",
+    "headerAuthCompatibility": "Rozszerzona kompatybilność",
    "setupNewOrg": "Nowa organizacja",
    "setupCreateOrg": "Utwórz organizację",
    "setupCreateResources": "Utwórz Zasoby",
@@ -39,8 +41,8 @@
    "online": "Dostępny",
    "offline": "Offline",
    "site": "Witryna",
-    "dataIn": "Dane w",
-    "dataOut": "Dane niedostępne",
+    "dataIn": "Dane Przychodzące",
+    "dataOut": "Dane Wychodzące",
    "connectionType": "Typ połączenia",
    "tunnelType": "Typ tunelu",
    "local": "Lokalny",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Czy na pewno chcesz usunąć witrynę z organizacji?",
    "siteManageSites": "Zarządzaj stronami",
    "siteDescription": "Tworzenie stron i zarządzanie nimi, aby włączyć połączenia z prywatnymi sieciami",
+    "sitesBannerTitle": "Połącz dowolną sieć",
+    "sitesBannerDescription": "Witryna to połączenie z siecią zdalną, które umożliwia Pangolinowi zapewnienie dostępu do zasobów, publicznych lub prywatnych, użytkownikom w dowolnym miejscu. Zainstaluj łącznik sieci w witrynie (Newt) w dowolnym miejscu, w którym możesz uruchomić binarkę lub kontener, aby ustanowić połączenie.",
+    "sitesBannerButtonText": "Zainstaluj witrynę",
+    "approvalsBannerTitle": "Zatwierdź lub odmów dostępu do urządzenia",
+    "approvalsBannerDescription": "Przejrzyj i zatwierdzaj lub odmawiaj użytkownikom dostępu do urządzenia. Gdy wymagane jest zatwierdzenie urządzenia, użytkownicy muszą uzyskać zatwierdzenie administratora, zanim ich urządzenia będą mogły połączyć się z zasobami Twojej organizacji.",
+    "approvalsBannerButtonText": "Dowiedz się więcej",
    "siteCreate": "Utwórz witrynę",
    "siteCreateDescription2": "Wykonaj poniższe kroki, aby utworzyć i połączyć nową witrynę",
    "siteCreateDescription": "Utwórz nową witrynę, aby rozpocząć łączenie zasobów",
@@ -63,11 +71,11 @@
    "siteLearnNewt": "Dowiedz się, jak zainstalować Newt w systemie",
    "siteSeeConfigOnce": "Możesz zobaczyć konfigurację tylko raz.",
    "siteLoadWGConfig": "Ładowanie konfiguracji WireGuard...",
-    "siteDocker": "Rozwiń o szczegóły wdrożenia dokera",
+    "siteDocker": "Rozwiń o szczegóły wdrożenia Dockera",
    "toggle": "Przełącz",
    "dockerCompose": "Kompozytor dokujący",
    "dockerRun": "Uruchom Docker",
-    "siteLearnLocal": "Lokalne witryny nie tunelowają, dowiedz się więcej",
+    "siteLearnLocal": "Lokalne witryny nie tunelują, dowiedz się więcej",
    "siteConfirmCopy": "Skopiowałem konfigurację",
    "searchSitesProgress": "Szukaj witryn...",
    "siteAdd": "Dodaj witrynę",
@@ -78,9 +86,9 @@
    "operatingSystem": "System operacyjny",
    "commands": "Polecenia",
    "recommended": "Rekomendowane",
-    "siteNewtDescription": "Aby uzyskać najlepsze doświadczenia użytkownika, użyj Newt. Używa WireGuard pod zapleczem i pozwala na przekierowanie twoich prywatnych zasobów przez ich adres LAN w sieci prywatnej z panelu Pangolin.",
-    "siteRunsInDocker": "Uruchamia w Docke'u",
-    "siteRunsInShell": "Uruchamia w skorupce na macOS, Linux i Windows",
+    "siteNewtDescription": "Aby uzyskać najlepsze doświadczenia użytkownika, użyj Newt. Używa wewnętrznie WireGuard i pozwala na przekierowanie twoich prywatnych zasobów przez ich adres LAN w sieci prywatnej z panelu Pangolin.",
+    "siteRunsInDocker": "Uruchamia w Dockerze",
+    "siteRunsInShell": "Uruchamia w powłoce na macOS, Linux i Windows",
    "siteErrorDelete": "Błąd podczas usuwania witryny",
    "siteErrorUpdate": "Nie udało się zaktualizować witryny",
    "siteErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji witryny.",
@@ -90,7 +98,7 @@
    "siteSettingDescription": "Skonfiguruj ustawienia na stronie",
    "siteSetting": "Ustawienia {siteName}",
    "siteNewtTunnel": "Newt Site (Rekomendowane)",
-    "siteNewtTunnelDescription": "Najprostszy sposób na stworzenie punktu wejścia w żadnej sieci. Nie ma dodatkowej konfiguracji.",
+    "siteNewtTunnelDescription": "Najprostszy sposób na stworzenie punktu wejścia w sieci. Nie ma dodatkowej konfiguracji.",
    "siteWg": "Podstawowy WireGuard",
    "siteWgDescription": "Użyj dowolnego klienta WireGuard do utworzenia tunelu. Wymagana jest ręczna konfiguracja NAT.",
    "siteWgDescriptionSaas": "Użyj dowolnego klienta WireGuard do utworzenia tunelu. Wymagana ręczna konfiguracja NAT. DZIAŁA TYLKO NA SAMODZIELNIE HOSTOWANYCH WĘZŁACH",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Określ jak chcesz połączyć się z witryną",
    "siteNewtCredentials": "Dane logowania",
    "siteNewtCredentialsDescription": "Oto jak witryna będzie uwierzytelniać się z serwerem",
+    "remoteNodeCredentialsDescription": "Tak będzie działać uwierzytelnianie z serwerem dla zdalnego węzła",
    "siteCredentialsSave": "Zapisz dane logowania",
    "siteCredentialsSaveDescription": "Możesz to zobaczyć tylko raz. Upewnij się, że skopiuj je do bezpiecznego miejsca.",
    "siteInfo": "Informacje o witrynie",
@@ -146,20 +155,24 @@
    "shareErrorSelectResource": "Wybierz zasób",
    "proxyResourceTitle": "Zarządzaj zasobami publicznymi",
    "proxyResourceDescription": "Twórz i zarządzaj zasobami, które są publicznie dostępne w przeglądarce internetowej",
+    "proxyResourcesBannerTitle": "Publiczny dostęp za pośrednictwem sieci Web",
+    "proxyResourcesBannerDescription": "Zasoby publiczne to proxy HTTPS lub TCP/UDP dostępne dla każdego w internecie za pośrednictwem przeglądarki internetowej. W przeciwieństwie do zasobów prywatnych, nie wymagają oprogramowania po stronie klienta i mogą obejmować polityki dostępu świadome tożsamości i kontekstu.",
    "clientResourceTitle": "Zarządzaj zasobami prywatnymi",
    "clientResourceDescription": "Twórz i zarządzaj zasobami, które są dostępne tylko za pośrednictwem połączonego klienta",
+    "privateResourcesBannerTitle": "Zero zaufania do prywatnego dostępu",
+    "privateResourcesBannerDescription": "Zasoby prywatne korzystają z zabezpieczeń zero-trust, zapewniając dostęp do zasobów użytkownikom i maszynom, którym wyraźnie udzielasz dostępu. Połącz urządzenia użytkowników lub klientów maszyn z tymi zasobami przez bezpieczną prywatną sieć wirtualną.",
    "resourcesSearch": "Szukaj zasobów...",
    "resourceAdd": "Dodaj zasób",
    "resourceErrorDelte": "Błąd podczas usuwania zasobu",
    "authentication": "Uwierzytelnianie",
    "protected": "Chronione",
    "notProtected": "Niechronione",
-    "resourceMessageRemove": "Po usunięciu, zasób nie będzie już dostępny. Wszystkie cele związane z zasobem zostaną również usunięte.",
+    "resourceMessageRemove": "Po usunięciu zasób nie będzie już dostępny. Wszystkie cele związane z zasobem zostaną również usunięte.",
    "resourceQuestionRemove": "Czy na pewno chcesz usunąć zasób z organizacji?",
    "resourceHTTP": "Zasób HTTPS",
-    "resourceHTTPDescription": "Proxy żądania do aplikacji przez HTTPS przy użyciu poddomeny lub domeny bazowej.",
+    "resourceHTTPDescription": "Proxy zapytań przez HTTPS przy użyciu w pełni kwalifikowanej nazwy domeny.",
    "resourceRaw": "Surowy zasób TCP/UDP",
-    "resourceRawDescription": "Proxy żądania do aplikacji przez TCP/UDP przy użyciu numeru portu. Działa to tylko wtedy, gdy witryny są podłączone do węzłów.",
+    "resourceRawDescription": "Proxy zapytań przez surowe TCP/UDP przy użyciu numeru portu.",
    "resourceCreate": "Utwórz zasób",
    "resourceCreateDescription": "Wykonaj poniższe kroki, aby utworzyć nowy zasób",
    "resourceSeeAll": "Zobacz wszystkie zasoby",
@@ -202,7 +215,7 @@
    "general": "Ogólny",
    "generalSettings": "Ustawienia ogólne",
    "proxy": "Serwer pośredniczący",
-    "internal": "Wewętrzny",
+    "internal": "Wewnętrzny",
    "rules": "Regulamin",
    "resourceSettingDescription": "Skonfiguruj ustawienia zasobu",
    "resourceSetting": "Ustawienia {resourceName}",
@@ -215,7 +228,7 @@
    "saveGeneralSettings": "Zapisz ustawienia ogólne",
    "saveSettings": "Zapisz ustawienia",
    "orgDangerZone": "Strefa zagrożenia",
-    "orgDangerZoneDescription": "Po usunięciu tego organa nie ma odwrotu. Upewnij się.",
+    "orgDangerZoneDescription": "Po usunięciu tej organizacji nie ma odwrotu. Upewnij się.",
    "orgDelete": "Usuń organizację",
    "orgDeleteConfirm": "Potwierdź usunięcie organizacji",
    "orgMessageRemove": "Ta akcja jest nieodwracalna i usunie wszystkie powiązane dane.",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Szukaj ról...",
    "accessRolesAdd": "Dodaj rolę",
    "accessRoleDelete": "Usuń rolę",
+    "accessApprovalsManage": "Zarządzaj zatwierdzaniem",
+    "accessApprovalsDescription": "Przeglądaj i zarządzaj oczekującymi zatwierdzeniami dostępu do tej organizacji",
    "description": "Opis",
    "inviteTitle": "Otwórz zaproszenia",
    "inviteDescription": "Zarządzaj zaproszeniami dla innych użytkowników do dołączenia do organizacji",
@@ -322,7 +337,7 @@
    "licenseErrorKeyActivate": "Nie udało się aktywować klucza licencji",
    "licenseErrorKeyActivateDescription": "Wystąpił błąd podczas aktywacji klucza licencyjnego.",
    "licenseAbout": "O licencjonowaniu",
-    "communityEdition": "Edycja Społeczności",
+    "communityEdition": "Edycja Społecznościowa",
    "licenseAboutDescription": "Dotyczy to przedsiębiorstw i przedsiębiorstw, którzy stosują Pangolin w środowisku handlowym. Jeśli używasz Pangolin do użytku osobistego, możesz zignorować tę sekcję.",
    "licenseKeyActivated": "Klucz licencyjny aktywowany",
    "licenseKeyActivatedDescription": "Klucz licencyjny został pomyślnie aktywowany.",
@@ -440,6 +455,18 @@
    "selectDuration": "Wybierz okres",
    "selectResource": "Wybierz zasób",
    "filterByResource": "Filtruj według zasobów",
+    "selectApprovalState": "Wybierz województwo zatwierdzające",
+    "filterByApprovalState": "Filtruj według państwa zatwierdzenia",
+    "approvalListEmpty": "Brak zatwierdzeń",
+    "approvalState": "Państwo zatwierdzające",
+    "approve": "Zatwierdź",
+    "approved": "Zatwierdzone",
+    "denied": "Odmowa",
+    "deniedApproval": "Odrzucono zatwierdzenie",
+    "all": "Wszystko",
+    "deny": "Odmowa",
+    "viewDetails": "Zobacz szczegóły",
+    "requestingNewDeviceApproval": "zażądano nowego urządzenia",
    "resetFilters": "Resetuj filtry",
    "totalBlocked": "Żądania zablokowane przez Pangolina",
    "totalRequests": "Wszystkich Żądań",
@@ -456,7 +483,7 @@
    "idpSelect": "Wybierz dostawcę tożsamości dla użytkownika zewnętrznego",
    "idpNotConfigured": "Nie skonfigurowano żadnych dostawców tożsamości. Skonfiguruj dostawcę tożsamości przed utworzeniem użytkowników zewnętrznych.",
    "usernameUniq": "Musi to odpowiadać unikalnej nazwie użytkownika istniejącej u wybranego dostawcy tożsamości.",
-    "emailOptional": "Email (Opcjonalnie)",
+    "emailOptional": "E-mail (Opcjonalnie)",
    "nameOptional": "Nazwa (Opcjonalnie)",
    "accessControls": "Kontrola dostępu",
    "userDescription2": "Zarządzaj ustawieniami tego użytkownika",
@@ -668,7 +695,7 @@
    "resourceErrorWhitelistSave": "Nie udało się zapisać białej listy",
    "resourceErrorWhitelistSaveDescription": "Wystąpił błąd podczas zapisywania białej listy",
    "resourcePasswordSubmit": "Włącz ochronę hasłem",
-    "resourcePasswordProtection": "Ochrona haseł {status}",
+    "resourcePasswordProtection": "Ochrona hasłem {status}",
    "resourcePasswordRemove": "Hasło zasobu zostało usunięte",
    "resourcePasswordRemoveDescription": "Hasło zasobu zostało pomyślnie usunięte",
    "resourcePasswordSetup": "Ustawiono hasło zasobu",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Administratorzy zawsze mają dostęp do tego zasobu.",
    "resourceUsersRoles": "Kontrola dostępu",
    "resourceUsersRolesDescription": "Skonfiguruj, którzy użytkownicy i role mogą odwiedzać ten zasób",
-    "resourceUsersRolesSubmit": "Zapisz użytkowników i role",
+    "resourceUsersRolesSubmit": "Zapisz kontrole dostępu",
    "resourceWhitelistSave": "Zapisano pomyślnie",
    "resourceWhitelistSaveDescription": "Ustawienia białej listy zostały zapisane",
    "ssoUse": "Użyj platformy SSO",
@@ -719,16 +746,28 @@
    "countries": "Kraje",
    "accessRoleCreate": "Utwórz rolę",
    "accessRoleCreateDescription": "Utwórz nową rolę aby zgrupować użytkowników i zarządzać ich uprawnieniami.",
+    "accessRoleEdit": "Edytuj rolę",
+    "accessRoleEditDescription": "Edytuj informacje o rolach.",
    "accessRoleCreateSubmit": "Utwórz rolę",
    "accessRoleCreated": "Rola utworzona",
    "accessRoleCreatedDescription": "Rola została pomyślnie utworzona.",
    "accessRoleErrorCreate": "Nie udało się utworzyć roli",
    "accessRoleErrorCreateDescription": "Wystąpił błąd podczas tworzenia roli.",
+    "accessRoleUpdateSubmit": "Aktualizuj rolę",
+    "accessRoleUpdated": "Rola zaktualizowana",
+    "accessRoleUpdatedDescription": "Rola została pomyślnie zaktualizowana.",
+    "accessApprovalUpdated": "Zatwierdzenie przetworzone",
+    "accessApprovalApprovedDescription": "Ustaw decyzję o zatwierdzeniu wniosku o zatwierdzenie.",
+    "accessApprovalDeniedDescription": "Ustaw decyzję o odrzuceniu wniosku o zatwierdzenie.",
+    "accessRoleErrorUpdate": "Nie udało się zaktualizować roli",
+    "accessRoleErrorUpdateDescription": "Wystąpił błąd podczas aktualizowania roli.",
+    "accessApprovalErrorUpdate": "Nie udało się przetworzyć zatwierdzenia",
+    "accessApprovalErrorUpdateDescription": "Wystąpił błąd podczas przetwarzania zatwierdzenia.",
    "accessRoleErrorNewRequired": "Nowa rola jest wymagana",
    "accessRoleErrorRemove": "Nie udało się usunąć roli",
    "accessRoleErrorRemoveDescription": "Wystąpił błąd podczas usuwania roli.",
    "accessRoleName": "Nazwa roli",
-    "accessRoleQuestionRemove": "Zamierzasz usunąć rolę {name}. Tej akcji nie można cofnąć.",
+    "accessRoleQuestionRemove": "Zamierzasz usunąć rolę `{name}`. Nie możesz cofnąć tej czynności.",
    "accessRoleRemove": "Usuń rolę",
    "accessRoleRemoveDescription": "Usuń rolę z organizacji",
    "accessRoleRemoveSubmit": "Usuń rolę",
@@ -789,7 +828,7 @@
    "idpTokenUrl": "URL tokena",
    "idpTokenUrlDescription": "URL punktu końcowego tokena OAuth2",
    "idpOidcConfigureAlert": "Ważna informacja",
-    "idpOidcConfigureAlertDescription": "Po utworzeniu dostawcy tożsamości, musisz skonfigurować adres URL wywołania zwrotnego w ustawieniach dostawcy tożsamości. Adres zwrotny zostanie podany po pomyślnym utworzeniu.",
+    "idpOidcConfigureAlertDescription": "Po utworzeniu dostawcy tożsamości musisz skonfigurować adres URL wywołania zwrotnego w ustawieniach dostawcy tożsamości. Adres zwrotny zostanie podany po pomyślnym utworzeniu.",
    "idpToken": "Konfiguracja tokena",
    "idpTokenDescription": "Skonfiguruj jak wydobywać informacje o użytkowniku z tokena ID",
    "idpJmespathAbout": "O JMESPath",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Skonfiguruj dostęp dla organizacji",
    "idpUpdatedDescription": "Dostawca tożsamości został pomyślnie zaktualizowany",
    "redirectUrl": "URL przekierowania",
+    "orgIdpRedirectUrls": "Przekieruj adresy URL",
    "redirectUrlAbout": "O URL przekierowania",
    "redirectUrlAboutDescription": "Jest to adres URL, na który użytkownicy zostaną przekierowani po uwierzytelnieniu. Musisz skonfigurować ten adres URL w ustawieniach dostawcy tożsamości.",
    "pangolinAuth": "Autoryzacja - Pangolin",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Organizacja wymaga zmiany hasła co {maxDays} dni.",
    "changePasswordNow": "Zmień hasło teraz",
    "pincodeAuth": "Kod uwierzytelniający",
-    "pincodeSubmit2": "Wyślij kod",
+    "pincodeSubmit2": "Prześlij kod",
    "passwordResetSubmit": "Zażądaj resetowania",
-    "passwordResetAlreadyHaveCode": "Wprowadź kod resetowania hasła",
+    "passwordResetAlreadyHaveCode": "Wprowadź kod",
    "passwordResetSmtpRequired": "Skontaktuj się z administratorem",
    "passwordResetSmtpRequiredDescription": "Aby zresetować hasło, wymagany jest kod resetowania hasła. Skontaktuj się z administratorem.",
    "passwordBack": "Powrót do hasła",
-    "loginBack": "Wróć do logowania",
+    "loginBack": "Wróć do strony logowania głównego",
    "signup": "Zarejestruj się",
    "loginStart": "Zaloguj się, aby rozpocząć",
    "idpOidcTokenValidating": "Walidacja tokena OIDC",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Aktualizuj użytkownika Org",
    "createOrgUser": "Utwórz użytkownika Org",
    "actionUpdateOrg": "Aktualizuj organizację",
+    "actionRemoveInvitation": "Usuń zaproszenie",
    "actionUpdateUser": "Zaktualizuj użytkownika",
    "actionGetUser": "Pobierz użytkownika",
    "actionGetOrgUser": "Pobierz użytkownika organizacji",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Pobierz witrynę",
    "actionListSites": "Lista witryn",
    "actionApplyBlueprint": "Zastosuj schemat",
+    "actionListBlueprints": "Lista planów",
+    "actionGetBlueprint": "Pobierz plan",
    "setupToken": "Skonfiguruj token",
    "setupTokenDescription": "Wprowadź token konfiguracji z konsoli serwera.",
    "setupTokenRequired": "Wymagany jest token konfiguracji",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Aktualizuj organizację IDP",
    "actionCreateClient": "Utwórz klienta",
    "actionDeleteClient": "Usuń klienta",
+    "actionArchiveClient": "Zarchiwizuj klienta",
+    "actionUnarchiveClient": "Usuń archiwizację klienta",
+    "actionBlockClient": "Zablokuj klienta",
+    "actionUnblockClient": "Odblokuj klienta",
    "actionUpdateClient": "Aktualizuj klienta",
    "actionListClients": "Lista klientów",
    "actionGetClient": "Pobierz klienta",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Szukaj...",
    "create": "Utwórz",
    "orgs": "Organizacje",
-    "loginError": "Wystąpił błąd podczas logowania",
-    "loginRequiredForDevice": "Logowanie jest wymagane do uwierzytelnienia urządzenia.",
+    "loginError": "Wystąpił nieoczekiwany błąd. Spróbuj ponownie.",
+    "loginRequiredForDevice": "Logowanie jest wymagane dla Twojego urządzenia.",
    "passwordForgot": "Zapomniałeś hasła?",
    "otpAuth": "Uwierzytelnianie dwuskładnikowe",
    "otpAuthDescription": "Wprowadź kod z aplikacji uwierzytelniającej lub jeden z jednorazowych kodów zapasowych.",
    "otpAuthSubmit": "Wyślij kod",
    "idpContinue": "Lub kontynuuj z",
-    "otpAuthBack": "Powrót do logowania",
+    "otpAuthBack": "Powrót do hasła",
    "navbar": "Menu nawigacyjne",
    "navbarDescription": "Główne menu nawigacyjne aplikacji",
    "navbarDocsLink": "Dokumentacja",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Przegląd",
    "sidebarHome": "Strona główna",
    "sidebarSites": "Witryny",
+    "sidebarApprovals": "Wnioski o zatwierdzenie",
    "sidebarResources": "Zasoby",
    "sidebarProxyResources": "Publiczne",
    "sidebarClientResources": "Prywatny",
@@ -1190,11 +1238,11 @@
    "sidebarAllUsers": "Wszyscy użytkownicy",
    "sidebarIdentityProviders": "Dostawcy tożsamości",
    "sidebarLicense": "Licencja",
-    "sidebarClients": "Klientami",
-    "sidebarUserDevices": "Użytkownicy",
+    "sidebarClients": "Klienty",
+    "sidebarUserDevices": "Urządzenia użytkownika",
    "sidebarMachineClients": "Maszyny",
    "sidebarDomains": "Domeny",
-    "sidebarGeneral": "Ogólny",
+    "sidebarGeneral": "Zarządzaj",
    "sidebarLogAndAnalytics": "Dziennik & Analityka",
    "sidebarBluePrints": "Schematy",
    "sidebarOrganization": "Organizacja",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Wystąpił błąd podczas tworzenia konta administratora serwera.",
    "certificateStatus": "Status certyfikatu",
    "loading": "Ładowanie",
+    "loadingAnalytics": "Ładowanie Analityki",
    "restart": "Uruchom ponownie",
    "domains": "Domeny",
    "domainsDescription": "Tworzenie domen dostępnych w organizacji i zarządzanie nimi",
@@ -1290,6 +1339,7 @@
    "refreshError": "Nie udało się odświeżyć danych",
    "verified": "Zatwierdzony",
    "pending": "Oczekuje",
+    "pendingApproval": "Oczekujące na zatwierdzenie",
    "sidebarBilling": "Fakturowanie",
    "billing": "Fakturowanie",
    "orgBillingDescription": "Zarządzaj informacjami rozliczeniowymi i subskrypcjami",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Konfiguracja konta zakończona! Witaj w Pangolin!",
    "documentation": "Dokumentacja",
    "saveAllSettings": "Zapisz wszystkie ustawienia",
+    "saveResourceTargets": "Zapisz cele",
+    "saveResourceHttp": "Zapisz ustawienia proxy",
+    "saveProxyProtocol": "Zapisz ustawienia protokołu proxy",
    "settingsUpdated": "Ustawienia zaktualizowane",
-    "settingsUpdatedDescription": "Wszystkie ustawienia zostały pomyślnie zaktualizowane",
+    "settingsUpdatedDescription": "Ustawienia zostały pomyślnie zaktualizowane",
    "settingsErrorUpdate": "Nie udało się zaktualizować ustawień",
    "settingsErrorUpdateDescription": "Wystąpił błąd podczas aktualizacji ustawień",
    "sidebarCollapse": "Zwiń",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Klucz bezpieczeństwa został pomyślnie usunięty",
    "securityKeyRemoveError": "Błąd podczas usuwania klucza bezpieczeństwa",
    "securityKeyLoadError": "Błąd podczas ładowania kluczy bezpieczeństwa",
-    "securityKeyLogin": "Zaloguj się kluczem bezpieczeństwa",
+    "securityKeyLogin": "Użyj klucza bezpieczeństwa",
    "securityKeyAuthError": "Błąd podczas uwierzytelniania kluczem bezpieczeństwa",
    "securityKeyRecommendation": "Rozważ zarejestrowanie innego klucza bezpieczeństwa na innym urządzeniu, aby upewnić się, że nie zostaniesz zablokowany z dostępu do swojego konta.",
    "registering": "Rejestracja...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Zgadzam się z",
        "termsOfService": "warunkami usługi",
        "and": "oraz",
-        "privacyPolicy": "polityką prywatności"
+        "privacyPolicy": "polityka prywatności."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Zachowaj mnie w pętli z wiadomościami, aktualizacjami i nowymi funkcjami przez e-mail."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Dodaj nowy cel",
    "targetsList": "Lista celów",
    "advancedMode": "Tryb zaawansowany",
+    "advancedSettings": "Zaawansowane ustawienia",
    "targetErrorDuplicateTargetFound": "Znaleziono duplikat celu",
    "healthCheckHealthy": "Zdrowy",
    "healthCheckUnhealthy": "Niezdrowy",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Interwał Zdrowy",
    "timeoutSeconds": "Limit czasu (sek)",
    "timeIsInSeconds": "Czas w sekundach",
+    "requireDeviceApproval": "Wymagaj zatwierdzenia urządzenia",
+    "requireDeviceApprovalDescription": "Użytkownicy o tej roli potrzebują nowych urządzeń zatwierdzonych przez administratora, zanim będą mogli połączyć się i uzyskać dostęp do zasobów.",
    "retryAttempts": "Próby Ponowienia",
    "expectedResponseCodes": "Oczekiwane Kody Odpowiedzi",
    "expectedResponseCodesDescription": "Kod statusu HTTP, który wskazuje zdrowy status. Jeśli pozostanie pusty, uznaje się 200-300 za zdrowy.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Nie znaleziono wewnętrznych zasobów.",
    "resourcesTableDestination": "Miejsce docelowe",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Adres aliasu",
+    "resourcesTableAliasAddressInfo": "Ten adres jest częścią podsieci użyteczności organizacji. Jest używany do rozwiązywania rekordów aliasu przy użyciu wewnętrznej rozdzielczości DNS.",
    "resourcesTableClients": "Klientami",
    "resourcesTableAndOnlyAccessibleInternally": "i są dostępne tylko wewnętrznie po połączeniu z klientem.",
    "resourcesTableNoTargets": "Brak celów",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Właściwości zasobów",
    "createInternalResourceDialogName": "Nazwa",
    "createInternalResourceDialogSite": "Witryna",
-    "createInternalResourceDialogSelectSite": "Wybierz stronę...",
-    "createInternalResourceDialogSearchSites": "Szukaj stron...",
-    "createInternalResourceDialogNoSitesFound": "Nie znaleziono stron.",
+    "selectSite": "Wybierz stronę...",
+    "noSitesFound": "Nie znaleziono stron.",
    "createInternalResourceDialogProtocol": "Protokół",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Nie otrzymano URL przekierowania od dostawcy tożsamości.",
    "autoLoginErrorGeneratingUrl": "Nie udało się wygenerować URL uwierzytelniania.",
    "remoteExitNodeManageRemoteExitNodes": "Zdalne węzły",
-    "remoteExitNodeDescription": "Samodzielny host jeden lub więcej węzłów zdalnych, aby rozszerzyć łączność z siecią i zmniejszyć zależność od chmury",
+    "remoteExitNodeDescription": "Hosting własnych zdalnych węzłów przekaźnikowych i serwerów proxy",
    "remoteExitNodes": "Węzły",
    "searchRemoteExitNodes": "Szukaj węzłów...",
    "remoteExitNodeAdd": "Dodaj węzeł",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Potwierdź usunięcie węzła",
    "remoteExitNodeDelete": "Usuń węzeł",
    "sidebarRemoteExitNodes": "Zdalne węzły",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Sekret",
    "remoteExitNodeCreate": {
-        "title": "Utwórz węzeł",
-        "description": "Utwórz nowy węzeł, aby rozszerzyć łączność z siecią",
+        "title": "Utwórz zdalny węzeł",
+        "description": "Utwórz nowy, samodzielnie hostowany węzeł przekaźnika zdalnego i serwera proxy",
        "viewAllButton": "Zobacz wszystkie węzły",
        "strategy": {
            "title": "Strategia Tworzenia",
-            "description": "Wybierz to, aby ręcznie skonfigurować węzeł lub wygenerować nowe poświadczenia.",
+            "description": "Wybierz sposób, w jaki chcesz utworzyć zdalny węzeł",
            "adopt": {
                "title": "Zaadoptuj Węzeł",
                "description": "Wybierz to, jeśli masz już dane logowania dla węzła."
            },
            "generate": {
                "title": "Generuj Klucze",
-                "description": "Wybierz to, jeśli chcesz wygenerować nowe klucze dla węzła"
+                "description": "Wybierz to, jeśli chcesz wygenerować nowe klucze dla węzła."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Podsieć",
    "subnetDescription": "Podsieć dla konfiguracji sieci tej organizacji.",
-    "authPage": "Strona uwierzytelniania",
-    "authPageDescription": "Skonfiguruj stronę uwierzytelniania dla organizacji",
+    "customDomain": "Niestandardowa domena",
+    "authPage": "Strony uwierzytelniania",
+    "authPageDescription": "Ustaw niestandardową domenę dla stron uwierzytelniania organizacji",
    "authPageDomain": "Domena strony uwierzytelniania",
+    "authPageBranding": "Niestandardowy branding",
+    "authPageBrandingDescription": "Konfiguruj branding, który pojawia się na stronach uwierzytelniania dla tej organizacji",
+    "authPageBrandingUpdated": "Branding strony uwierzytelniania został pomyślnie zaktualizowany",
+    "authPageBrandingRemoved": "Marka strony uwierzytelniania została pomyślnie usunięta",
+    "authPageBrandingRemoveTitle": "Usuń markę strony uwierzytelniania",
+    "authPageBrandingQuestionRemove": "Czy na pewno chcesz usunąć branding dla stron uwierzytelniania?",
+    "authPageBrandingDeleteConfirm": "Potwierdź usunięcie brandingu",
+    "brandingLogoURL": "URL logo",
+    "brandingPrimaryColor": "Główny kolor",
+    "brandingLogoWidth": "Szerokość (piksele)",
+    "brandingLogoHeight": "Wysokość (piksele)",
+    "brandingOrgTitle": "Tytuł dla strony uwierzytelniania organizacji",
+    "brandingOrgDescription": "{orgName} zostanie zastąpione nazwą organizacji",
+    "brandingOrgSubtitle": "Podtytuł dla strony uwierzytelniania organizacji",
+    "brandingResourceTitle": "Tytuł dla strony uwierzytelniania zasobu",
+    "brandingResourceSubtitle": "Podtytuł dla strony uwierzytelniania zasobu",
+    "brandingResourceDescription": "{resourceName} zostanie zastąpione nazwą organizacji",
+    "saveAuthPageDomain": "Zapisz domenę",
+    "saveAuthPageBranding": "Zapisz branding",
+    "removeAuthPageBranding": "Usuń branding",
    "noDomainSet": "Nie ustawiono domeny",
    "changeDomain": "Zmień domenę",
    "selectDomain": "Wybierz domenę",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Ustaw domenę strony uwierzytelniania",
    "failedToFetchCertificate": "Nie udało się pobrać certyfikatu",
    "failedToRestartCertificate": "Nie udało się ponownie uruchomić certyfikatu",
-    "addDomainToEnableCustomAuthPages": "Dodaj domenę, aby włączyć niestandardowe strony uwierzytelniania dla organizacji",
+    "addDomainToEnableCustomAuthPages": "Użytkownicy będą mogli uzyskać dostęp do strony logowania organizacji i zakończyć uwierzytelnianie zasobów za pomocą tej domeny.",
    "selectDomainForOrgAuthPage": "Wybierz domenę dla strony uwierzytelniania organizacji",
    "domainPickerProvidedDomain": "Dostarczona domena",
    "domainPickerFreeProvidedDomain": "Darmowa oferowana domena",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" nie może być poprawne dla {domain}.",
    "domainPickerSubdomainSanitized": "Poddomena oczyszczona",
    "domainPickerSubdomainCorrected": "\"{sub}\" został skorygowany do \"{sanitized}\"",
-    "orgAuthSignInTitle": "Zaloguj się do organizacji",
+    "orgAuthSignInTitle": "Logowanie do organizacji",
    "orgAuthChooseIdpDescription": "Wybierz swojego dostawcę tożsamości, aby kontynuować",
    "orgAuthNoIdpConfigured": "Ta organizacja nie ma skonfigurowanych żadnych dostawców tożsamości. Zamiast tego możesz zalogować się za pomocą swojej tożsamości Pangolin.",
    "orgAuthSignInWithPangolin": "Zaloguj się używając Pangolin",
+    "orgAuthSignInToOrg": "Zaloguj się do organizacji",
+    "orgAuthSelectOrgTitle": "Logowanie do organizacji",
+    "orgAuthSelectOrgDescription": "Wprowadź identyfikator organizacji, aby kontynuować",
+    "orgAuthOrgIdPlaceholder": "twoja-organizacja",
+    "orgAuthOrgIdHelp": "Wpisz unikalny identyfikator swojej organizacji",
+    "orgAuthSelectOrgHelp": "Po wpisaniu ID organizacji zostaniesz przeniesiony na stronę logowania organizacji, gdzie możesz użyć SSO lub danych logowania organizacji.",
+    "orgAuthRememberOrgId": "Zapamiętaj ten identyfikator organizacji",
+    "orgAuthBackToSignIn": "Powrót do standardowego logowania",
+    "orgAuthNoAccount": "Nie masz konta?",
    "subscriptionRequiredToUse": "Do korzystania z tej funkcji wymagana jest subskrypcja.",
    "idpDisabled": "Dostawcy tożsamości są wyłączeni",
    "orgAuthPageDisabled": "Strona autoryzacji organizacji jest wyłączona.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Włącz uwierzytelnianie dwuskładnikowe",
    "completeSecuritySteps": "Zakończ kroki bezpieczeństwa",
    "securitySettings": "Ustawienia zabezpieczeń",
+    "dangerSection": "Strefa zagrożenia",
+    "dangerSectionDescription": "Trwale usuń wszystkie dane związane z tą organizacją",
    "securitySettingsDescription": "Skonfiguruj polityki bezpieczeństwa dla organizacji",
    "requireTwoFactorForAllUsers": "Wymagaj uwierzytelniania dwuetapowego dla wszystkich użytkowników",
    "requireTwoFactorDescription": "Po włączeniu wszyscy użytkownicy wewnętrzni w tej organizacji muszą mieć włączone uwierzytelnianie dwuskładnikowe, aby uzyskać dostęp do organizacji.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "To wpłynie na wszystkich użytkowników w organizacji",
    "authPageErrorUpdateMessage": "Wystąpił błąd podczas aktualizacji ustawień strony uwierzytelniania",
    "authPageErrorUpdate": "Nie można zaktualizować strony uwierzytelniania",
-    "authPageUpdated": "Strona uwierzytelniania została pomyślnie zaktualizowana",
+    "authPageDomainUpdated": "Domena strony uwierzytelniania została pomyślnie zaktualizowana",
    "healthCheckNotAvailable": "Lokalny",
    "rewritePath": "Przepis Ścieżki",
    "rewritePathDescription": "Opcjonalnie przepisz ścieżkę przed przesłaniem do celu.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Urządzenia użytkownika",
    "manageUserDevicesDescription": "Przeglądaj i zarządzaj urządzeniami, które użytkownicy używają do prywatnego łączenia się z zasobami",
+    "downloadClientBannerTitle": "Pobierz klienta Pangolin",
+    "downloadClientBannerDescription": "Pobierz klienta Pangolin dla swojego systemu, aby połączyć się z siecią Pangolin i uzyskać dostęp do zasobów prywatnie.",
    "manageMachineClients": "Zarządzaj klientami maszyn",
    "manageMachineClientsDescription": "Tworzenie i zarządzanie klientami, których serwery i systemy używają do prywatnego łączenia się z zasobami",
+    "machineClientsBannerTitle": "Serwery i systemy zautomatyzowane",
+    "machineClientsBannerDescription": "Klienci maszyn służą dla serwerów i systemów zautomatyzowanych, które nie są powiązane z konkretnym użytkownikiem. Uwierzytelniają się za pomocą identyfikatora i sekretu i mogą działać z Pangolin CLI, Olm CLI lub Olm jako kontener.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Kontener Olm",
    "clientsTableUserClients": "Użytkownik",
    "clientsTableMachineClients": "Maszyna",
    "licenseTableValidUntil": "Ważny do",
@@ -2060,13 +2158,15 @@
    "request": "Żądanie",
    "requests": "Żądania",
    "logs": "Logi",
-    "logsSettingsDescription": "Monitoruj logi zebrane z tej orginizacji",
+    "logsSettingsDescription": "Monitorowanie logów zbieranych z tej organizacji",
    "searchLogs": "Szukaj dzienników...",
    "action": "Akcja",
    "actor": "Aktor",
    "timestamp": "Znacznik czasu",
    "accessLogs": "Logi dostępu",
    "exportCsv": "Eksportuj CSV",
+    "exportError": "Nieznany błąd podczas eksportowania CSV",
+    "exportCsvTooltip": "W obrębie zakresu czasowego",
    "actorId": "Identyfikator podmiotu",
    "allowedByRule": "Dozwolone przez regułę",
    "allowedNoAuth": "Dozwolone Brak Auth",
@@ -2120,7 +2220,7 @@
    "unverified": "Niezweryfikowane",
    "domainSetting": "Ustawienia domeny",
    "domainSettingDescription": "Skonfiguruj ustawienia domeny",
-    "preferWildcardCertDescription": "Próba wygenerowania certyfikatu wieloznacznego (wymaga poprawnie skonfigurowanego resolwera certyfikatów).",
+    "preferWildcardCertDescription": "Spróbuj wygenerować certyfikat wieloznaczny (wymaga odpowiednio skonfigurowanego resolvera certyfikatu).",
    "recordName": "Nazwa rekordu",
    "auto": "Auto",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Kod musi mieć 9 znaków (np. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Nieprawidłowy lub wygasły kod",
    "deviceCodeVerifyFailed": "Nie udało się zweryfikować kodu urządzenia",
+    "deviceCodeValidating": "Sprawdzanie kodu urządzenia...",
+    "deviceCodeVerifying": "Weryfikowanie autoryzacji urządzenia...",
    "signedInAs": "Zalogowany jako",
    "deviceCodeEnterPrompt": "Wprowadź kod wyświetlany na urządzeniu",
    "continue": "Kontynuuj",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Dostęp do wszystkich organizacji, do których Twoje konto ma dostęp",
    "deviceAuthorize": "Autoryzuj {applicationName}",
    "deviceConnected": "Urządzenie podłączone!",
-    "deviceAuthorizedMessage": "Urządzenie jest upoważnione do dostępu do Twojego konta.",
+    "deviceAuthorizedMessage": "Urządzenie jest autoryzowane do uzyskania dostępu do Twojego konta. Proszę wróć do aplikacji klienckiej.",
    "pangolinCloud": "Chmura Pangolin",
    "viewDevices": "Zobacz urządzenia",
    "viewDevicesDescription": "Zarządzaj podłączonymi urządzeniami",
@@ -2215,7 +2317,7 @@
    "enableSelected": "Włącz zaznaczone",
    "disableSelected": "Wyłącz zaznaczone",
    "checkSelectedStatus": "Sprawdź status zaznaczonych",
-    "clients": "Klientami",
+    "clients": "Klienty",
    "accessClientSelect": "Wybierz klientów komputera",
    "resourceClientDescription": "Klienci maszynowi, którzy mają dostęp do tego zasobu",
    "regenerate": "Wygeneruj ponownie",
@@ -2244,8 +2346,9 @@
    "niceIdCannotBeEmpty": "Niepoprawny identyfikator nie może być pusty",
    "enterIdentifier": "Wprowadź identyfikator",
    "identifier": "Identifier",
-    "deviceLoginUseDifferentAccount": "To nie? Użyj innego konta.",
+    "deviceLoginUseDifferentAccount": "Nie ty? Użyj innego konta.",
    "deviceLoginDeviceRequestingAccessToAccount": "Urządzenie żąda dostępu do tego konta.",
+    "loginSelectAuthenticationMethod": "Wybierz metodę uwierzytelniania aby kontynuować.",
    "noData": "Brak danych",
    "machineClients": "Klienci maszyn",
    "install": "Zainstaluj",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Nie udało się pobrać domyślnej podsieci",
    "setupSubnetAdvanced": "Podsieć (zaawansowana)",
    "setupSubnetDescription": "Podsieć dla wewnętrznej sieci tej organizacji.",
+    "setupUtilitySubnet": "Podsieć narzędziowa (zaawansowana)",
+    "setupUtilitySubnetDescription": "Podsieć dla aliasów adresów i serwera DNS tej organizacji.",
    "siteRegenerateAndDisconnect": "Wygeneruj ponownie i rozłącz",
    "siteRegenerateAndDisconnectConfirmation": "Czy na pewno chcesz odzyskać dane logowania i odłączyć tę stronę?",
    "siteRegenerateAndDisconnectWarning": "Spowoduje to regenerację poświadczeń i natychmiastowe odłączenie witryny. Strona będzie musiała zostać zrestartowana z nowymi poświadczeniami.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Spowoduje to regenerację danych logowania i natychmiastowe odłączenie zdalnego węzła wyjścia. Węzeł zdalnego wyjścia będzie musiał zostać ponownie uruchomiony z nowymi danymi logowania.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Czy na pewno chcesz wygenerować dane logowania dla tego węzła zdalnego wyjścia?",
    "remoteExitNodeRegenerateCredentialsWarning": "Spowoduje to regenerację poświadczeń. Serwer wyjścia pozostanie podłączony do momentu ręcznego ponownego uruchomienia i użycia nowych poświadczeń.",
-    "agent": "Agent"
+    "agent": "Agent",
+    "personalUseOnly": "Tylko do użytku osobistego",
+    "loginPageLicenseWatermark": "Ta instancja jest licencjonowana tylko do użytku osobistego.",
+    "instanceIsUnlicensed": "Ta instancja nie jest licencjonowana.",
+    "portRestrictions": "Ograniczenia portu",
+    "allPorts": "Wszystko",
+    "custom": "Niestandardowe",
+    "allPortsAllowed": "Wszystkie porty dozwolone",
+    "allPortsBlocked": "Wszystkie porty zablokowane",
+    "tcpPortsDescription": "Określ, które porty TCP są dozwolone dla tego zasobu. Użyj '*' dla wszystkich portów, pozostaw puste, aby zablokować wszystkie lub wpisz listę portów i zakresów oddzielonych przecinkami (np. 80,443,8000-9000).",
+    "udpPortsDescription": "Określ, które porty UDP są dozwolone dla tego zasobu. Użyj '*' dla wszystkich portów, pozostaw puste, aby zablokować wszystkie lub wpisz listę portów i zakresów oddzielonych przecinkami (np. 53,123,500-600).",
+    "organizationLoginPageTitle": "Strona logowania organizacji",
+    "organizationLoginPageDescription": "Dostosuj stronę logowania dla tej organizacji",
+    "resourceLoginPageTitle": "Strona logowania zasobów",
+    "resourceLoginPageDescription": "Dostosuj stronę logowania dla poszczególnych zasobów",
+    "enterConfirmation": "Wprowadź potwierdzenie",
+    "blueprintViewDetails": "Szczegóły",
+    "defaultIdentityProvider": "Domyślny dostawca tożsamości",
+    "defaultIdentityProviderDescription": "Gdy zostanie wybrany domyślny dostawca tożsamości, użytkownik zostanie automatycznie przekierowany do dostawcy w celu uwierzytelnienia.",
+    "editInternalResourceDialogNetworkSettings": "Ustawienia sieci",
+    "editInternalResourceDialogAccessPolicy": "Polityka dostępowa",
+    "editInternalResourceDialogAddRoles": "Dodaj role",
+    "editInternalResourceDialogAddUsers": "Dodaj użytkowników",
+    "editInternalResourceDialogAddClients": "Dodaj klientów",
+    "editInternalResourceDialogDestinationLabel": "Miejsce docelowe",
+    "editInternalResourceDialogDestinationDescription": "Określ adres docelowy dla wewnętrznego zasobu. Może to być nazwa hosta, adres IP lub zakres CIDR, w zależności od wybranego trybu. Opcjonalnie ustaw wewnętrzny alias DNS dla łatwiejszej identyfikacji.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Ogranicz dostęp do konkretnych portów TCP/UDP lub zezwól/zablokuj wszystkie porty.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Kontrola dostępu",
+    "editInternalResourceDialogAccessControlDescription": "Kontroluj, które role, użytkownicy i klienci maszyn mają dostęp do tego zasobu po połączeniu. Administratorzy zawsze mają dostęp.",
+    "editInternalResourceDialogPortRangeValidationError": "Zakres portów musi być \"*\" dla wszystkich portów lub listą portów i zakresów oddzielonych przecinkami (np. \"80,443,8000-9000\"). Porty muszą znajdować się w przedziale od 1 do 65535.",
+    "orgAuthWhatsThis": "Gdzie mogę znaleźć swój identyfikator organizacji?",
+    "learnMore": "Dowiedz się więcej",
+    "backToHome": "Wróć do strony głównej",
+    "needToSignInToOrg": "Czy potrzebujesz użyć dostawcy tożsamości organizacji?",
+    "maintenanceMode": "Tryb konserwacji",
+    "maintenanceModeDescription": "Wyświetl stronę konserwacyjną odwiedzającym",
+    "maintenanceModeType": "Typ trybu konserwacji",
+    "showMaintenancePage": "Pokaż odwiedzającym stronę konserwacji",
+    "enableMaintenanceMode": "Włącz tryb konserwacji",
+    "automatic": "Automatycznie",
+    "automaticModeDescription": "Pokaż stronę konserwacyjną tylko wtedy, gdy wszystkie cele zaplecza są wyłączone lub niezdrowe. Twój zasób działa nadal normalnie, o ile przynajmniej jeden cel jest zdrowy.",
+    "forced": "Wymuszone",
+    "forcedModeDescription": "Zawsze pokazuj stronę konserwacyjną, niezależnie od stanu zdrowia zaplecza. Użyj tego w przypadku planowanej konserwacji, gdy chcesz zapobiec wszelkiemu dostępowi.",
+    "warning:": "Ostrzeżenie:",
+    "forcedeModeWarning": "Cały ruch zostanie skierowany na stronę konserwacyjną. Twoje zasoby zaplecza nie otrzymają żadnych żądań.",
+    "pageTitle": "Tytuł strony",
+    "pageTitleDescription": "Główny nagłówek wyświetlany na stronie konserwacyjnej",
+    "maintenancePageMessage": "Komunikat konserwacyjny",
+    "maintenancePageMessagePlaceholder": "Wrócimy wkrótce! Nasza strona przechodzi obecnie zaplanowaną konserwację.",
+    "maintenancePageMessageDescription": "Szczegółowy komunikat wyjaśniający konserwację",
+    "maintenancePageTimeTitle": "Szacowany czas zakończenia (opcjonalnie)",
+    "maintenanceTime": "np. 2 godziny, 1 listopad o 17:00",
+    "maintenanceEstimatedTimeDescription": "Kiedy oczekujesz zakończenia konserwacji",
+    "editDomain": "Edytuj domenę",
+    "editDomainDescription": "Wybierz domenę dla swojego zasobu",
+    "maintenanceModeDisabledTooltip": "Ta funkcja wymaga ważnej licencji do aktywacji.",
+    "maintenanceScreenTitle": "Usługa chwilowo niedostępna",
+    "maintenanceScreenMessage": "Obecnie doświadczamy problemów technicznych. Proszę sprawdzić ponownie wkrótce.",
+    "maintenanceScreenEstimatedCompletion": "Szacowane zakończenie:",
+    "createInternalResourceDialogDestinationRequired": "Miejsce docelowe jest wymagane",
+    "available": "Dostępny",
+    "archived": "Zarchiwizowane",
+    "noArchivedDevices": "Nie znaleziono zarchiwizowanych urządzeń",
+    "deviceArchived": "Urządzenie zarchiwizowane",
+    "deviceArchivedDescription": "Urządzenie zostało pomyślnie zarchiwizowane.",
+    "errorArchivingDevice": "Błąd podczas archiwizacji urządzenia",
+    "failedToArchiveDevice": "Nie udało się zarchiwizować urządzenia",
+    "deviceQuestionArchive": "Czy na pewno chcesz zarchiwizować to urządzenie?",
+    "deviceMessageArchive": "Urządzenie zostanie zarchiwizowane i usunięte z listy aktywnych urządzeń.",
+    "deviceArchiveConfirm": "Archiwizuj urządzenie",
+    "archiveDevice": "Archiwizuj urządzenie",
+    "archive": "Archiwum",
+    "deviceUnarchived": "Urządzenie niezarchiwizowane",
+    "deviceUnarchivedDescription": "Urządzenie zostało pomyślnie usunięte.",
+    "errorUnarchivingDevice": "Błąd podczas usuwania archiwizacji urządzenia",
+    "failedToUnarchiveDevice": "Nie udało się odarchiwizować urządzenia",
+    "unarchive": "Usuń z archiwum",
+    "archiveClient": "Zarchiwizuj klienta",
+    "archiveClientQuestion": "Czy na pewno chcesz zarchiwizować tego klienta?",
+    "archiveClientMessage": "Klient zostanie zarchiwizowany i usunięty z listy aktywnych klientów.",
+    "archiveClientConfirm": "Zarchiwizuj klienta",
+    "blockClient": "Zablokuj klienta",
+    "blockClientQuestion": "Czy na pewno chcesz zablokować tego klienta?",
+    "blockClientMessage": "Urządzenie zostanie wymuszone do rozłączenia, jeśli jest obecnie podłączone. Możesz odblokować urządzenie później.",
+    "blockClientConfirm": "Zablokuj klienta",
+    "active": "Aktywne",
+    "usernameOrEmail": "Nazwa użytkownika lub e-mail",
+    "selectYourOrganization": "Wybierz swoją organizację",
+    "signInTo": "Zaloguj się do",
+    "signInWithPassword": "Kontynuuj z hasłem",
+    "noAuthMethodsAvailable": "Brak dostępnych metod uwierzytelniania dla tej organizacji.",
+    "enterPassword": "Wprowadź hasło",
+    "enterMfaCode": "Wprowadź kod z aplikacji uwierzytelniającej",
+    "securityKeyRequired": "Aby się zalogować, użyj klucza bezpieczeństwa.",
+    "needToUseAnotherAccount": "Potrzebujesz użyć innego konta?",
+    "loginLegalDisclaimer": "Klikając na przycisk poniżej, potwierdzasz, że przeczytałeś, rozumiesz, i zaakceptuj <termsOfService>Warunki świadczenia usługi</termsOfService> i <privacyPolicy>Polityka prywatności</privacyPolicy>.",
+    "termsOfService": "Warunki korzystania z usługi",
+    "privacyPolicy": "Polityka prywatności",
+    "userNotFoundWithUsername": "Nie znaleziono użytkownika o tej nazwie użytkownika.",
+    "verify": "Weryfikacja",
+    "signIn": "Zaloguj się",
+    "forgotPassword": "Zapomniałeś hasła?",
+    "orgSignInTip": "Jeśli zalogowałeś się wcześniej, możesz wprowadzić nazwę użytkownika lub e-mail powyżej, aby uwierzytelnić się z dostawcą tożsamości organizacji. To łatwiejsze!",
+    "continueAnyway": "Kontynuuj mimo to",
+    "dontShowAgain": "Nie pokazuj ponownie",
+    "orgSignInNotice": "Czy wiedziałeś?",
+    "signupOrgNotice": "Próbujesz się zalogować?",
+    "signupOrgTip": "Czy próbujesz zalogować się za pośrednictwem dostawcy tożsamości organizacji?",
+    "signupOrgLink": "Zamiast tego zaloguj się lub zarejestruj w swojej organizacji",
+    "verifyEmailLogInWithDifferentAccount": "Użyj innego konta",
+    "logIn": "Zaloguj się",
+    "deviceInformation": "Informacje o urządzeniu",
+    "deviceInformationDescription": "Informacje o urządzeniu i agentach",
+    "deviceSecurity": "Bezpieczeństwo urządzenia",
+    "deviceSecurityDescription": "Informacje o bezpieczeństwie urządzenia",
+    "platform": "Platforma",
+    "macosVersion": "Wersja macOS",
+    "windowsVersion": "Wersja Windows",
+    "iosVersion": "Wersja iOS",
+    "androidVersion": "Wersja Androida",
+    "osVersion": "Wersja systemu operacyjnego",
+    "kernelVersion": "Wersja jądra",
+    "deviceModel": "Model urządzenia",
+    "serialNumber": "Numer seryjny",
+    "hostname": "Hostname",
+    "firstSeen": "Widziany po raz pierwszy",
+    "lastSeen": "Ostatnio widziane",
+    "biometricsEnabled": "Biometria włączona",
+    "diskEncrypted": "Dysk zaszyfrowany",
+    "firewallEnabled": "Zapora włączona",
+    "autoUpdatesEnabled": "Automatyczne aktualizacje włączone",
+    "tpmAvailable": "TPM dostępne",
+    "macosSipEnabled": "Ochrona integralności systemu (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Tryb Stealth zapory",
+    "linuxAppArmorEnabled": "Zbroja aplikacji",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Wyświetl informacje o urządzeniu i ustawienia",
+    "devicePendingApprovalDescription": "To urządzenie czeka na zatwierdzenie",
+    "deviceBlockedDescription": "To urządzenie jest obecnie zablokowane. Nie będzie można połączyć się z żadnymi zasobami, chyba że zostanie odblokowane.",
+    "unblockClient": "Odblokuj klienta",
+    "unblockClientDescription": "Urządzenie zostało odblokowane",
+    "unarchiveClient": "Usuń archiwizację klienta",
+    "unarchiveClientDescription": "Urządzenie zostało odarchiwizowane",
+    "block": "Blok",
+    "unblock": "Odblokuj",
+    "deviceActions": "Akcje urządzenia",
+    "deviceActionsDescription": "Zarządzaj stanem urządzenia i dostępem",
+    "devicePendingApprovalBannerDescription": "To urządzenie oczekuje na zatwierdzenie. Nie będzie można połączyć się z zasobami, dopóki nie zostanie zatwierdzone.",
+    "connected": "Połączono",
+    "disconnected": "Rozłączony",
+    "approvalsEmptyStateTitle": "Zatwierdzanie urządzenia nie włączone",
+    "approvalsEmptyStateDescription": "Włącz zatwierdzanie urządzeń dla ról aby wymagać zgody administratora, zanim użytkownicy będą mogli podłączyć nowe urządzenia.",
+    "approvalsEmptyStateStep1Title": "Przejdź do ról",
+    "approvalsEmptyStateStep1Description": "Przejdź do ustawień ról swojej organizacji, aby skonfigurować zatwierdzenia urządzenia.",
+    "approvalsEmptyStateStep2Title": "Włącz zatwierdzanie urządzenia",
+    "approvalsEmptyStateStep2Description": "Edytuj rolę i włącz opcję \"Wymagaj zatwierdzenia urządzenia\". Użytkownicy z tą rolą będą potrzebowali zatwierdzenia administratora dla nowych urządzeń.",
+    "approvalsEmptyStatePreviewDescription": "Podgląd: Gdy włączone, oczekujące prośby o sprawdzenie pojawią się tutaj",
+    "approvalsEmptyStateButtonText": "Zarządzaj rolami"
 }
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Criar a organização, o site e os recursos",
+    "headerAuthCompatibilityInfo": "Habilite isso para forçar uma resposta 401 Unauthorized quando um token de autenticação estiver faltando. Isso é necessário para navegadores ou bibliotecas HTTP específicas que não enviam credenciais sem um desafio do servidor.",
+    "headerAuthCompatibility": "Compatibilidade Estendida",
    "setupNewOrg": "Nova organização",
    "setupCreateOrg": "Criar Organização",
    "setupCreateResources": "Criar recursos",
@@ -33,7 +35,7 @@
    "password": "Palavra-passe",
    "confirmPassword": "Confirmar senha",
    "createAccount": "Criar conta",
-    "viewSettings": "Visualizar configurações",
+    "viewSettings": "Ver Configurações",
    "delete": "apagar",
    "name": "Nome:",
    "online": "Disponível",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Você tem certeza que deseja remover este site da organização?",
    "siteManageSites": "Gerir sites",
    "siteDescription": "Criar e gerenciar sites para ativar a conectividade a redes privadas",
+    "sitesBannerTitle": "Conectar a Qualquer Rede",
+    "sitesBannerDescription": "Um site é uma conexão a uma rede remota que permite ao Pangolin fornecer acesso a recursos, sejam eles públicos ou privados, a usuários em qualquer lugar. Instale o conector de rede do site (Newt) em qualquer lugar onde você possa executar um binário ou contêiner para estabelecer a conexão.",
+    "sitesBannerButtonText": "Instalar Site",
+    "approvalsBannerTitle": "Aprovar ou negar acesso ao dispositivo",
+    "approvalsBannerDescription": "Revisar e aprovar ou negar solicitações de acesso ao dispositivo de usuários. Quando as aprovações do dispositivo são necessárias, os usuários devem obter a aprovação do administrador antes que seus dispositivos possam se conectar aos recursos da sua organização.",
+    "approvalsBannerButtonText": "Saiba mais",
    "siteCreate": "Criar site",
    "siteCreateDescription2": "Siga os passos abaixo para criar e conectar um novo site",
    "siteCreateDescription": "Crie um novo site para começar a conectar os recursos",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Determine como você deseja se conectar ao site",
    "siteNewtCredentials": "Credenciais",
    "siteNewtCredentialsDescription": "É assim que o site se autentica com o servidor",
+    "remoteNodeCredentialsDescription": "É assim que o nó remoto se autenticará com o servidor",
    "siteCredentialsSave": "Salvar as Credenciais",
    "siteCredentialsSaveDescription": "Você só será capaz de ver esta vez. Certifique-se de copiá-lo para um lugar seguro.",
    "siteInfo": "Informações do Site",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Por favor, selecione um recurso",
    "proxyResourceTitle": "Gerenciar Recursos Públicos",
    "proxyResourceDescription": "Criar e gerenciar recursos que são acessíveis publicamente por meio de um navegador da web",
+    "proxyResourcesBannerTitle": "Acesso Público via Web",
+    "proxyResourcesBannerDescription": "Os recursos públicos são proxies HTTPS ou TCP/UDP acessíveis a qualquer pessoa na internet por meio de um navegador web. Ao contrário dos recursos privados, eles não requerem software do lado do cliente e podem incluir políticas de acesso conscientes de identidade e contexto.",
    "clientResourceTitle": "Gerenciar recursos privados",
    "clientResourceDescription": "Criar e gerenciar recursos que só são acessíveis por meio de um cliente conectado",
+    "privateResourcesBannerTitle": "Acesso Privado com Confiança Zero",
+    "privateResourcesBannerDescription": "Os recursos privados usam segurança de zero confiança, garantindo que usuários e máquinas possam acessar apenas os recursos que você concede explicitamente. Conecte dispositivos de usuários ou clientes de máquinas para acessar esses recursos por meio de uma rede privada virtual segura.",
    "resourcesSearch": "Procurar recursos...",
    "resourceAdd": "Adicionar Recurso",
    "resourceErrorDelte": "Erro ao apagar recurso",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Uma vez removido, o recurso não estará mais acessível. Todos os alvos associados ao recurso também serão removidos.",
    "resourceQuestionRemove": "Você tem certeza que deseja remover o recurso da organização?",
    "resourceHTTP": "Recurso HTTPS",
-    "resourceHTTPDescription": "O proxy solicita ao aplicativo via HTTPS usando um subdomínio ou domínio base.",
+    "resourceHTTPDescription": "Proxies requests sobre HTTPS usando um nome de domínio totalmente qualificado.",
    "resourceRaw": "Recurso TCP/UDP bruto",
-    "resourceRawDescription": "O proxy solicita ao aplicativo sobre TCP/UDP usando um número de porta. Isso só funciona quando os sites estão conectados a nós.",
+    "resourceRawDescription": "Proxies solicitações sobre TCP/UDP bruto usando um número de porta.",
    "resourceCreate": "Criar Recurso",
    "resourceCreateDescription": "Siga os passos abaixo para criar um novo recurso",
    "resourceSeeAll": "Ver todos os recursos",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Pesquisar funções...",
    "accessRolesAdd": "Adicionar função",
    "accessRoleDelete": "Excluir Papel",
+    "accessApprovalsManage": "Gerenciar aprovações",
+    "accessApprovalsDescription": "Visualizar e gerenciar aprovações pendentes para acesso a esta organização",
    "description": "Descrição:",
    "inviteTitle": "Convites Abertos",
    "inviteDescription": "Gerenciar convites para outros usuários participarem da organização",
@@ -419,7 +434,7 @@
    "userErrorExistsDescription": "Este utilizador já é membro da organização.",
    "inviteError": "Falha ao convidar utilizador",
    "inviteErrorDescription": "Ocorreu um erro ao convidar o utilizador",
-    "userInvited": "Usuário convidado",
+    "userInvited": "Usuário Convidado",
    "userInvitedDescription": "O utilizador foi convidado com sucesso.",
    "userErrorCreate": "Falha ao criar utilizador",
    "userErrorCreateDescription": "Ocorreu um erro ao criar o utilizador",
@@ -440,6 +455,18 @@
    "selectDuration": "Selecionar duração",
    "selectResource": "Selecionar Recurso",
    "filterByResource": "Filtrar por Recurso",
+    "selectApprovalState": "Selecionar Estado de Aprovação",
+    "filterByApprovalState": "Filtrar por estado de aprovação",
+    "approvalListEmpty": "Sem aprovações",
+    "approvalState": "Estado de aprovação",
+    "approve": "Aprovar",
+    "approved": "Aceito",
+    "denied": "Negado",
+    "deniedApproval": "Aprovação Negada",
+    "all": "Todos",
+    "deny": "Recusar",
+    "viewDetails": "Visualizar Detalhes",
+    "requestingNewDeviceApproval": "solicitou um novo dispositivo",
    "resetFilters": "Redefinir filtros",
    "totalBlocked": "Solicitações bloqueadas pelo Pangolin",
    "totalRequests": "Total de pedidos",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Administradores sempre podem aceder este recurso.",
    "resourceUsersRoles": "Controlos de Acesso",
    "resourceUsersRolesDescription": "Configure quais utilizadores e funções podem visitar este recurso",
-    "resourceUsersRolesSubmit": "Guardar Utilizadores e Funções",
+    "resourceUsersRolesSubmit": "Guardar Controlos de Acesso",
    "resourceWhitelistSave": "Salvo com sucesso",
    "resourceWhitelistSaveDescription": "As configurações da lista permitida foram salvas",
    "ssoUse": "Usar SSO da Plataforma",
@@ -719,16 +746,28 @@
    "countries": "Países",
    "accessRoleCreate": "Criar Função",
    "accessRoleCreateDescription": "Crie uma nova função para agrupar utilizadores e gerir suas permissões.",
+    "accessRoleEdit": "Editar Permissão",
+    "accessRoleEditDescription": "Editar informações do papel.",
    "accessRoleCreateSubmit": "Criar Função",
    "accessRoleCreated": "Função criada",
    "accessRoleCreatedDescription": "A função foi criada com sucesso.",
    "accessRoleErrorCreate": "Falha ao criar função",
    "accessRoleErrorCreateDescription": "Ocorreu um erro ao criar a função.",
+    "accessRoleUpdateSubmit": "Atualizar Função",
+    "accessRoleUpdated": "Função atualizada",
+    "accessRoleUpdatedDescription": "A função foi atualizada com sucesso.",
+    "accessApprovalUpdated": "Aprovação processada",
+    "accessApprovalApprovedDescription": "Definir decisão de solicitação de aprovação para aprovada.",
+    "accessApprovalDeniedDescription": "Definir decisão de solicitação de aprovação para negada.",
+    "accessRoleErrorUpdate": "Falha ao atualizar papel",
+    "accessRoleErrorUpdateDescription": "Ocorreu um erro ao atualizar a função.",
+    "accessApprovalErrorUpdate": "Não foi possível processar a aprovação",
+    "accessApprovalErrorUpdateDescription": "Ocorreu um erro ao processar a aprovação.",
    "accessRoleErrorNewRequired": "Nova função é necessária",
    "accessRoleErrorRemove": "Falha ao remover função",
    "accessRoleErrorRemoveDescription": "Ocorreu um erro ao remover a função.",
    "accessRoleName": "Nome da Função",
-    "accessRoleQuestionRemove": "Você está prestes a apagar a função {name}. Você não pode desfazer esta ação.",
+    "accessRoleQuestionRemove": "Você está prestes a apagar o papel `{name}. Você não pode desfazer esta ação.",
    "accessRoleRemove": "Remover Função",
    "accessRoleRemoveDescription": "Remover uma função da organização",
    "accessRoleRemoveSubmit": "Remover Função",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Configurar acesso para uma organização",
    "idpUpdatedDescription": "Provedor de identidade atualizado com sucesso",
    "redirectUrl": "URL de Redirecionamento",
+    "orgIdpRedirectUrls": "Redirecionar URLs",
    "redirectUrlAbout": "Sobre o URL de Redirecionamento",
    "redirectUrlAboutDescription": "Essa é a URL para a qual os usuários serão redirecionados após a autenticação. Você precisa configurar esta URL nas configurações do provedor de identidade.",
    "pangolinAuth": "Autenticação - Pangolin",
@@ -943,13 +983,13 @@
    "passwordExpiryDescription": "Esta organização exige que você altere sua senha a cada {maxDays} dias.",
    "changePasswordNow": "Alterar a senha agora",
    "pincodeAuth": "Código do Autenticador",
-    "pincodeSubmit2": "Submeter Código",
+    "pincodeSubmit2": "Enviar código",
    "passwordResetSubmit": "Solicitar Redefinição",
-    "passwordResetAlreadyHaveCode": "Digitar Código de Redefinição de Senha",
+    "passwordResetAlreadyHaveCode": "Inserir Código",
    "passwordResetSmtpRequired": "Por favor, contate o administrador",
    "passwordResetSmtpRequiredDescription": "É necessário um código de redefinição de senha para redefinir sua senha. Por favor, contate o administrador para assistência.",
    "passwordBack": "Voltar à Palavra-passe",
-    "loginBack": "Voltar ao início de sessão",
+    "loginBack": "Voltar para a página principal de acesso",
    "signup": "Registar",
    "loginStart": "Inicie sessão para começar",
    "idpOidcTokenValidating": "A validar token OIDC",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Atualizar utilizador Org",
    "createOrgUser": "Criar utilizador Org",
    "actionUpdateOrg": "Atualizar Organização",
+    "actionRemoveInvitation": "Remover Convite",
    "actionUpdateUser": "Atualizar Usuário",
    "actionGetUser": "Obter Usuário",
    "actionGetOrgUser": "Obter Utilizador da Organização",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Obter Site",
    "actionListSites": "Listar Sites",
    "actionApplyBlueprint": "Aplicar Diagrama",
+    "actionListBlueprints": "Listar Modelos",
+    "actionGetBlueprint": "Obter Modelo",
    "setupToken": "Configuração do Token",
    "setupTokenDescription": "Digite o token de configuração do console do servidor.",
    "setupTokenRequired": "Token de configuração é necessário",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Atualizar Organização IDP",
    "actionCreateClient": "Criar Cliente",
    "actionDeleteClient": "Excluir Cliente",
+    "actionArchiveClient": "Arquivar Cliente",
+    "actionUnarchiveClient": "Desarquivar Cliente",
+    "actionBlockClient": "Bloco do Cliente",
+    "actionUnblockClient": "Desbloquear Cliente",
    "actionUpdateClient": "Atualizar Cliente",
    "actionListClients": "Listar Clientes",
    "actionGetClient": "Obter Cliente",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Pesquisar...",
    "create": "Criar",
    "orgs": "Organizações",
-    "loginError": "Ocorreu um erro ao iniciar sessão",
-    "loginRequiredForDevice": "É necessário entrar para autenticar seu dispositivo.",
+    "loginError": "Ocorreu um erro inesperado. Por favor, tente novamente.",
+    "loginRequiredForDevice": "O login é necessário para seu dispositivo.",
    "passwordForgot": "Esqueceu a sua palavra-passe?",
    "otpAuth": "Autenticação de Dois Fatores",
    "otpAuthDescription": "Insira o código da sua aplicação de autenticação ou um dos seus códigos de backup de uso único.",
    "otpAuthSubmit": "Submeter Código",
    "idpContinue": "Ou continuar com",
-    "otpAuthBack": "Voltar ao Início de Sessão",
+    "otpAuthBack": "Voltar à Palavra-passe",
    "navbar": "Menu de Navegação",
    "navbarDescription": "Menu de navegação principal da aplicação",
    "navbarDocsLink": "Documentação",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Geral",
    "sidebarHome": "Residencial",
    "sidebarSites": "sites",
+    "sidebarApprovals": "Solicitações de aprovação",
    "sidebarResources": "Recursos",
    "sidebarProxyResources": "Público",
    "sidebarClientResources": "Privado",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Provedores de identidade",
    "sidebarLicense": "Tipo:",
    "sidebarClients": "Clientes",
-    "sidebarUserDevices": "Utilizadores",
+    "sidebarUserDevices": "Dispositivos do usuário",
    "sidebarMachineClients": "Máquinas",
    "sidebarDomains": "Domínios",
-    "sidebarGeneral": "Gerais",
+    "sidebarGeneral": "Gerir",
    "sidebarLogAndAnalytics": "Registo & Análise",
    "sidebarBluePrints": "Diagramas",
    "sidebarOrganization": "Organização",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Ocorreu um erro ao criar a conta de administrador do servidor.",
    "certificateStatus": "Status do Certificado",
    "loading": "Carregando",
+    "loadingAnalytics": "Carregando Analytics",
    "restart": "Reiniciar",
    "domains": "Domínios",
    "domainsDescription": "Criar e gerenciar domínios disponíveis na organização",
@@ -1290,6 +1339,7 @@
    "refreshError": "Falha ao atualizar dados",
    "verified": "Verificado",
    "pending": "Pendente",
+    "pendingApproval": "Aprovação pendente",
    "sidebarBilling": "Faturamento",
    "billing": "Faturamento",
    "orgBillingDescription": "Gerenciar informações e assinaturas de cobrança",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Configuração da conta concluída! Bem-vindo ao Pangolin!",
    "documentation": "Documentação",
    "saveAllSettings": "Guardar Todas as Configurações",
+    "saveResourceTargets": "Guardar Alvos",
+    "saveResourceHttp": "Guardar Configurações de Proxy",
+    "saveProxyProtocol": "Salvar configurações do protocolo de proxy",
    "settingsUpdated": "Configurações atualizadas",
-    "settingsUpdatedDescription": "Todas as configurações foram atualizadas com sucesso",
+    "settingsUpdatedDescription": "Configurações atualizadas com sucesso",
    "settingsErrorUpdate": "Falha ao atualizar configurações",
    "settingsErrorUpdateDescription": "Ocorreu um erro ao atualizar configurações",
    "sidebarCollapse": "Recolher",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Chave de segurança removida com sucesso",
    "securityKeyRemoveError": "Erro ao remover chave de segurança",
    "securityKeyLoadError": "Erro ao carregar chaves de segurança",
-    "securityKeyLogin": "Continuar com a chave de segurança",
+    "securityKeyLogin": "Usar chave de segurança",
    "securityKeyAuthError": "Erro ao autenticar com chave de segurança",
    "securityKeyRecommendation": "Considere registrar outra chave de segurança em um dispositivo diferente para garantir que você não fique bloqueado da sua conta.",
    "registering": "Registrando...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Concordo com",
        "termsOfService": "os termos de serviço",
        "and": "e",
-        "privacyPolicy": "política de privacidade"
+        "privacyPolicy": "política de privacidade."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Mantenha-me à disposição com notícias, atualizações e novos recursos por e-mail."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Adicionar Novo Alvo",
    "targetsList": "Lista de Alvos",
    "advancedMode": "Modo Avançado",
+    "advancedSettings": "Configurações Avançadas",
    "targetErrorDuplicateTargetFound": "Alvo duplicado encontrado",
    "healthCheckHealthy": "Saudável",
    "healthCheckUnhealthy": "Não Saudável",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Intervalo Saudável",
    "timeoutSeconds": "Tempo limite (seg)",
    "timeIsInSeconds": "O tempo está em segundos",
+    "requireDeviceApproval": "Exigir aprovação do dispositivo",
+    "requireDeviceApprovalDescription": "Usuários com esta função precisam de novos dispositivos aprovados por um administrador antes que eles possam se conectar e acessar recursos.",
    "retryAttempts": "Tentativas de Repetição",
    "expectedResponseCodes": "Códigos de Resposta Esperados",
    "expectedResponseCodesDescription": "Código de status HTTP que indica estado saudável. Se deixado em branco, 200-300 é considerado saudável.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Nenhum recurso interno encontrado.",
    "resourcesTableDestination": "Destino",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Endereço do Pseudônimo",
+    "resourcesTableAliasAddressInfo": "Este endereço faz parte da sub-rede de utilitários da organização. É usado para resolver registros de alias usando resolução de DNS interno.",
    "resourcesTableClients": "Clientes",
    "resourcesTableAndOnlyAccessibleInternally": "e são acessíveis apenas internamente quando conectados com um cliente.",
    "resourcesTableNoTargets": "Nenhum alvo",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Propriedades do Recurso",
    "createInternalResourceDialogName": "Nome",
    "createInternalResourceDialogSite": "Site",
-    "createInternalResourceDialogSelectSite": "Selecionar site...",
-    "createInternalResourceDialogSearchSites": "Procurar sites...",
-    "createInternalResourceDialogNoSitesFound": "Nenhum site encontrado.",
+    "selectSite": "Selecionar site...",
+    "noSitesFound": "Nenhum site encontrado.",
    "createInternalResourceDialogProtocol": "Protocolo",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Endereço interno do site. Deve estar dentro da sub-rede da organização.",
    "siteNameDescription": "O nome de exibição do site que pode ser alterado mais tarde.",
    "autoLoginExternalIdp": "Login Automático com IDP Externo",
-    "autoLoginExternalIdpDescription": "Redirecionar imediatamente o utilizador para o IDP externo para autenticação.",
+    "autoLoginExternalIdpDescription": "Redirecionar imediatamente o usuário para o provedor de identidade externo para autenticação.",
    "selectIdp": "Selecionar IDP",
    "selectIdpPlaceholder": "Escolher um IDP...",
    "selectIdpRequired": "Por favor, selecione um IDP quando o login automático estiver ativado.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Nenhum URL de redirecionamento recebido do provedor de identidade.",
    "autoLoginErrorGeneratingUrl": "Falha ao gerar URL de autenticação.",
    "remoteExitNodeManageRemoteExitNodes": "Nós remotos",
-    "remoteExitNodeDescription": "Auto-hospedar um ou mais nós remotos para estender a conectividade de rede e reduzir a dependência da nuvem",
+    "remoteExitNodeDescription": "Hospede seus próprios nós de retransmissão e proxy servidores remotamente",
    "remoteExitNodes": "Nós",
    "searchRemoteExitNodes": "Buscar nós...",
    "remoteExitNodeAdd": "Adicionar node",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Confirmar exclusão do nó",
    "remoteExitNodeDelete": "Excluir nó",
    "sidebarRemoteExitNodes": "Nós remotos",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Chave Secreta",
    "remoteExitNodeCreate": {
-        "title": "Criar nó",
-        "description": "Crie um novo nó para estender a conectividade de rede",
+        "title": "Criar Nó Remoto",
+        "description": "Crie um novo nó de retransmissão e proxy servidor auto-hospedado",
        "viewAllButton": "Ver Todos os Nós",
        "strategy": {
            "title": "Estratégia de Criação",
-            "description": "Escolha esta opção para configurar o nó manualmente ou gerar novas credenciais.",
+            "description": "Selecione como você deseja criar o nó remoto",
            "adopt": {
                "title": "Adotar Nodo",
                "description": "Escolha isto se você já tem credenciais para o nó."
            },
            "generate": {
                "title": "Gerar Chaves",
-                "description": "Escolha esta opção se você quer gerar novas chaves para o nó"
+                "description": "Escolha esta opção se você quer gerar novas chaves para o nó."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Sub-rede",
    "subnetDescription": "A sub-rede para a configuração de rede dessa organização.",
-    "authPage": "Página de Autenticação",
-    "authPageDescription": "Configurar a página de autenticação para a organização",
+    "customDomain": "Domínio Personalizado",
+    "authPage": "Páginas de Autenticação",
+    "authPageDescription": "Defina um domínio personalizado para as páginas de autenticação da organização",
    "authPageDomain": "Domínio de Página Autenticação",
+    "authPageBranding": "Marcação Personalizada",
+    "authPageBrandingDescription": "Configure a marcação que aparece nas páginas de autenticação para esta organização",
+    "authPageBrandingUpdated": "Marca de Autenticação atualizada com sucesso",
+    "authPageBrandingRemoved": "Marca de Autenticação removida com sucesso",
+    "authPageBrandingRemoveTitle": "Remover Marca de Autenticação",
+    "authPageBrandingQuestionRemove": "Tem certeza de que deseja remover a marcação das Páginas de Autenticação?",
+    "authPageBrandingDeleteConfirm": "Confirmar Exclusão de Marca",
+    "brandingLogoURL": "URL do Logo",
+    "brandingPrimaryColor": "Cor Primária",
+    "brandingLogoWidth": "Largura (px)",
+    "brandingLogoHeight": "Altura (px)",
+    "brandingOrgTitle": "Título para Página de Autenticação da Organização",
+    "brandingOrgDescription": "{orgName} será substituído pelo nome da organização",
+    "brandingOrgSubtitle": "Subtítulo para Página de Autenticação da Organização",
+    "brandingResourceTitle": "Título para Página de Autenticação do Recurso",
+    "brandingResourceSubtitle": "Subtítulo para Página de Autenticação do Recurso",
+    "brandingResourceDescription": "{resourceName} será substituído pelo nome da organização",
+    "saveAuthPageDomain": "Salvar Domínio",
+    "saveAuthPageBranding": "Salvar Marcação",
+    "removeAuthPageBranding": "Remover Marcação",
    "noDomainSet": "Nenhum domínio definido",
    "changeDomain": "Alterar domínio",
    "selectDomain": "Selecionar domínio",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Definir domínio da página de autenticação",
    "failedToFetchCertificate": "Falha ao buscar o certificado",
    "failedToRestartCertificate": "Falha ao reiniciar o certificado",
-    "addDomainToEnableCustomAuthPages": "Adicione um domínio para habilitar páginas de autenticação personalizadas para a organização",
+    "addDomainToEnableCustomAuthPages": "Os usuários poderão acessar a página de login da organização e completar a autenticação do recurso usando este domínio.",
    "selectDomainForOrgAuthPage": "Selecione um domínio para a página de autenticação da organização",
    "domainPickerProvidedDomain": "Domínio fornecido",
    "domainPickerFreeProvidedDomain": "Domínio fornecido grátis",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" não pôde ser válido para {domain}.",
    "domainPickerSubdomainSanitized": "Subdomínio banalizado",
    "domainPickerSubdomainCorrected": "\"{sub}\" foi corrigido para \"{sanitized}\"",
-    "orgAuthSignInTitle": "Fazer login na organização",
+    "orgAuthSignInTitle": "Entrada da Organização",
    "orgAuthChooseIdpDescription": "Escolha o seu provedor de identidade para continuar",
    "orgAuthNoIdpConfigured": "Esta organização não tem nenhum provedor de identidade configurado. Você pode entrar com a identidade do seu Pangolin.",
    "orgAuthSignInWithPangolin": "Entrar com o Pangolin",
+    "orgAuthSignInToOrg": "Fazer login em uma organização",
+    "orgAuthSelectOrgTitle": "Entrada da Organização",
+    "orgAuthSelectOrgDescription": "Digite seu ID da organização para continuar",
+    "orgAuthOrgIdPlaceholder": "sua-organização",
+    "orgAuthOrgIdHelp": "Digite o identificador único da sua organização",
+    "orgAuthSelectOrgHelp": "Após inserir o seu ID da organização, você será redirecionado para a página de entrada da organização onde poderá usar SSO ou as credenciais da organização.",
+    "orgAuthRememberOrgId": "Lembrar este ID da organização",
+    "orgAuthBackToSignIn": "Voltar para entrada padrão",
+    "orgAuthNoAccount": "Não possui uma conta?",
    "subscriptionRequiredToUse": "Uma assinatura é necessária para usar esse recurso.",
    "idpDisabled": "Provedores de identidade estão desabilitados.",
    "orgAuthPageDisabled": "A página de autenticação da organização está desativada.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Ativar autenticação de dois fatores",
    "completeSecuritySteps": "Passos de segurança completos",
    "securitySettings": "Configurações de Segurança",
+    "dangerSection": "Zona de Perigo",
+    "dangerSectionDescription": "Excluir permanentemente todos os dados associados a esta organização",
    "securitySettingsDescription": "Configurar políticas de segurança para a organização",
    "requireTwoFactorForAllUsers": "Exigir autenticação dupla para todos os usuários",
    "requireTwoFactorDescription": "Quando ativado, todos os usuários internos nesta organização devem ter a autenticação de dois fatores ativada para acessar a organização.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Isso afetará todos os usuários da organização",
    "authPageErrorUpdateMessage": "Ocorreu um erro ao atualizar as configurações da página de autenticação",
    "authPageErrorUpdate": "Não é possível atualizar a página de autenticação",
-    "authPageUpdated": "Página de autenticação atualizada com sucesso",
+    "authPageDomainUpdated": "Domínio da Página de Autenticação atualizado com sucesso",
    "healthCheckNotAvailable": "Localização",
    "rewritePath": "Reescrever Caminho",
    "rewritePathDescription": "Opcionalmente reescreva o caminho antes de encaminhar ao destino.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Dispositivos do usuário",
    "manageUserDevicesDescription": "Ver e gerenciar dispositivos que os usuários usam para se conectar de forma privada aos recursos",
+    "downloadClientBannerTitle": "Baixar Cliente Pangolin",
+    "downloadClientBannerDescription": "Baixe o cliente Pangolin para seu sistema e conecte-se à rede Pangolin para acessar recursos de forma privada.",
    "manageMachineClients": "Gerenciar Clientes de Máquina",
    "manageMachineClientsDescription": "Crie e gerencie clientes que servidores e sistemas usam para se conectar de forma privada aos recursos",
+    "machineClientsBannerTitle": "Servidores e Sistemas Automatizados",
+    "machineClientsBannerDescription": "Clientes de máquina são para servidores e sistemas automatizados que não estão associados a um usuário específico. Eles autenticam com um ID e segredo, e podem ser executados com CLI Pangolin, CLI Olm, ou Olm como um contêiner.",
+    "machineClientsBannerPangolinCLI": "CLI de Pangolin",
+    "machineClientsBannerOlmCLI": "CLI Olm",
+    "machineClientsBannerOlmContainer": "Contêiner Olm",
    "clientsTableUserClients": "Utilizador",
    "clientsTableMachineClients": "Máquina",
    "licenseTableValidUntil": "Válido até",
@@ -2060,13 +2158,15 @@
    "request": "Pedir",
    "requests": "Solicitações",
    "logs": "Registros",
-    "logsSettingsDescription": "Monitorar logs coletados desta orginização",
+    "logsSettingsDescription": "Monitore os logs coletados desta organização",
    "searchLogs": "Pesquisar registros...",
    "action": "Acão",
    "actor": "Ator",
    "timestamp": "Timestamp",
    "accessLogs": "Logs de Acesso",
    "exportCsv": "Exportar como CSV",
+    "exportError": "Erro desconhecido ao exportar CSV",
+    "exportCsvTooltip": "Dentro do Intervalo de Tempo",
    "actorId": "ID do ator",
    "allowedByRule": "Permitido por regra",
    "allowedNoAuth": "Não Permitido Nenhuma Autenticação",
@@ -2120,7 +2220,7 @@
    "unverified": "Não verificado",
    "domainSetting": "Configurações do domínio",
    "domainSettingDescription": "Configurar configurações para o domínio",
-    "preferWildcardCertDescription": "Tentativa de gerar um certificado coringa (requer um resolvedor de certificado devidamente configurado).",
+    "preferWildcardCertDescription": "Tente gerar um certificado curingado (requer um resolvedor de certificado configurado corretamente).",
    "recordName": "Nome da gravação",
    "auto": "Automático",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "O código deve ter 9 caracteres (ex.: A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Código inválido ou expirado",
    "deviceCodeVerifyFailed": "Falha ao verificar o código do dispositivo",
+    "deviceCodeValidating": "Validando código do dispositivo...",
+    "deviceCodeVerifying": "Verificando autorização do dispositivo...",
    "signedInAs": "Sessão iniciada como",
    "deviceCodeEnterPrompt": "Digite o código exibido no dispositivo",
    "continue": "Continuar",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Acesso a todas as organizações que sua conta tem acesso a",
    "deviceAuthorize": "Autorizar {applicationName}",
    "deviceConnected": "Dispositivo Conectado!",
-    "deviceAuthorizedMessage": "O dispositivo está autorizado a acessar sua conta.",
+    "deviceAuthorizedMessage": "O dispositivo está autorizado a acessar sua conta. Por favor, retorne ao aplicativo cliente.",
    "pangolinCloud": "Nuvem do Pangolin",
    "viewDevices": "Ver Dispositivos",
    "viewDevicesDescription": "Gerencie seus dispositivos conectados",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Não é você? Use uma conta diferente.",
    "deviceLoginDeviceRequestingAccessToAccount": "Um dispositivo está solicitando acesso a essa conta.",
+    "loginSelectAuthenticationMethod": "Selecione um método de autenticação para continuar.",
    "noData": "Nenhum dado encontrado",
    "machineClients": "Clientes de máquina",
    "install": "Instale",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Falha ao buscar a subrede padrão",
    "setupSubnetAdvanced": "Sub-rede (Avançado)",
    "setupSubnetDescription": "A sub-rede para a rede interna desta organização.",
+    "setupUtilitySubnet": "Sub-rede Utilitária (Avançado)",
+    "setupUtilitySubnetDescription": "A sub-rede para os endereços de alias e servidor DNS desta organização.",
    "siteRegenerateAndDisconnect": "Regerar e Desconectar",
    "siteRegenerateAndDisconnectConfirmation": "Você tem certeza que deseja regenerar as credenciais e desconectar este site?",
    "siteRegenerateAndDisconnectWarning": "Isto irá regenerar as credenciais e desconectar imediatamente o site. O site precisará ser reiniciado com as novas credenciais.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Isto irá regenerar as credenciais e desconectar imediatamente o nó de saída remota. O nó de saída remota precisará ser reiniciado com as novas credenciais.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Você tem certeza que deseja regenerar as credenciais para este nó de saída remota?",
    "remoteExitNodeRegenerateCredentialsWarning": "Isto irá regenerar as credenciais. O nó de saída remota permanecerá conectado até que você o reinicie manualmente e use as novas credenciais.",
-    "agent": "Representante"
+    "agent": "Representante",
+    "personalUseOnly": "Uso Pessoal Apenas",
+    "loginPageLicenseWatermark": "Esta instância está licenciada apenas para uso pessoal.",
+    "instanceIsUnlicensed": "Esta instância não está licenciada.",
+    "portRestrictions": "Restrições de Porta",
+    "allPorts": "Todos",
+    "custom": "Personalizado",
+    "allPortsAllowed": "Todas as Portas Permitidas",
+    "allPortsBlocked": "Todas as Portas Bloqueadas",
+    "tcpPortsDescription": "Especifique quais portas TCP são permitidas para este recurso. Use '*' para todas as portas, deixe vazio para bloquear todas, ou insira uma lista de portas separadas por vírgulas e intervalos (por exemplo, 80,443,8000-9000).",
+    "udpPortsDescription": "Especifique quais portas UDP são permitidas para este recurso. Use '*' para todas as portas, deixe vazio para bloquear todas, ou insira uma lista de portas separadas por vírgulas e intervalos (por exemplo, 53,123,500-600).",
+    "organizationLoginPageTitle": "Página de Login da Organização",
+    "organizationLoginPageDescription": "Personalize a página de login para esta organização",
+    "resourceLoginPageTitle": "Página de Login de Recurso",
+    "resourceLoginPageDescription": "Personalize a página de login para recursos individuais",
+    "enterConfirmation": "Inserir confirmação",
+    "blueprintViewDetails": "Detalhes",
+    "defaultIdentityProvider": "Provedor de Identidade Padrão",
+    "defaultIdentityProviderDescription": "Quando um provedor de identidade padrão for selecionado, o usuário será automaticamente redirecionado para o provedor de autenticação.",
+    "editInternalResourceDialogNetworkSettings": "Configurações de Rede",
+    "editInternalResourceDialogAccessPolicy": "Política de Acesso",
+    "editInternalResourceDialogAddRoles": "Adicionar Funções",
+    "editInternalResourceDialogAddUsers": "Adicionar Usuários",
+    "editInternalResourceDialogAddClients": "Adicionar Clientes",
+    "editInternalResourceDialogDestinationLabel": "Destino",
+    "editInternalResourceDialogDestinationDescription": "Especifique o endereço de destino para o recurso interno. Isso pode ser um nome de host, endereço IP ou intervalo CIDR, dependendo do modo selecionado. Opcionalmente, defina um alias interno de DNS para facilitar a identificação.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Restrinja o acesso a portas TCP/UDP específicas ou permita/bloqueie todas as portas.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Controle de Acesso",
+    "editInternalResourceDialogAccessControlDescription": "Controle quais funções, usuários e clientes de máquina podem acessar este recurso quando conectados. Os administradores sempre têm acesso.",
+    "editInternalResourceDialogPortRangeValidationError": "O intervalo de portas deve ser \"*\" para todas as portas, ou uma lista de portas e intervalos separados por vírgulas (por exemplo, \"80,443,8000-9000\"). As portas devem estar entre 1 e 65535.",
+    "orgAuthWhatsThis": "Onde posso encontrar meu ID da organização?",
+    "learnMore": "Saiba mais",
+    "backToHome": "Voltar para a página inicial",
+    "needToSignInToOrg": "Precisa usar o provedor de identidade da sua organização?",
+    "maintenanceMode": "Modo de Manutenção",
+    "maintenanceModeDescription": "Exibir uma página de manutenção para os visitantes",
+    "maintenanceModeType": "Tipo de Modo de Manutenção",
+    "showMaintenancePage": "Mostrar uma página de manutenção para os visitantes",
+    "enableMaintenanceMode": "Ativar Modo de Manutenção",
+    "automatic": "Automático",
+    "automaticModeDescription": "Exibir página de manutenção apenas quando todos os destinos de back-end estiverem inativos ou não saudáveis. Seu recurso continua funcionando normalmente desde que pelo menos um destino esteja saudável.",
+    "forced": "Forçado",
+    "forcedModeDescription": "Sempre mostre a página de manutenção, independentemente da saúde do backend. Use isso para manutenção planejada quando você deseja impedir todo acesso.",
+    "warning:": "Aviso:",
+    "forcedeModeWarning": "Todo o tráfego será direcionado para a página de manutenção. Seus recursos de back-end não receberão nenhuma solicitação.",
+    "pageTitle": "Título da Página",
+    "pageTitleDescription": "O título principal exibido na página de manutenção",
+    "maintenancePageMessage": "Mensagem de Manutenção",
+    "maintenancePageMessagePlaceholder": "Voltaremos em breve! Nosso site está passando por manutenção programada.",
+    "maintenancePageMessageDescription": "Mensagem detalhada explicando a manutenção",
+    "maintenancePageTimeTitle": "Hora de Conclusão Estimada (Opcional)",
+    "maintenanceTime": "por exemplo, 2 horas, 1 de Nov às 17h00",
+    "maintenanceEstimatedTimeDescription": "Quando você espera que a manutenção seja concluída",
+    "editDomain": "Editar Domínio",
+    "editDomainDescription": "Selecione um domínio para o seu recurso",
+    "maintenanceModeDisabledTooltip": "Este recurso requer uma licença válida para ativar.",
+    "maintenanceScreenTitle": "Serviço Temporariamente Indisponível",
+    "maintenanceScreenMessage": "Estamos enfrentando dificuldades técnicas no momento. Por favor, volte em breve.",
+    "maintenanceScreenEstimatedCompletion": "Conclusão Estimada:",
+    "createInternalResourceDialogDestinationRequired": "Destino é obrigatório",
+    "available": "Disponível",
+    "archived": "Arquivado",
+    "noArchivedDevices": "Nenhum dispositivo arquivado encontrado",
+    "deviceArchived": "Dispositivo arquivado",
+    "deviceArchivedDescription": "O dispositivo foi arquivado com sucesso.",
+    "errorArchivingDevice": "Erro ao arquivar dispositivo",
+    "failedToArchiveDevice": "Falha ao arquivar dispositivo",
+    "deviceQuestionArchive": "Tem certeza que deseja arquivar este dispositivo?",
+    "deviceMessageArchive": "O dispositivo será arquivado e removido da sua lista de dispositivos ativos.",
+    "deviceArchiveConfirm": "Arquivar dispositivo",
+    "archiveDevice": "Arquivar dispositivo",
+    "archive": "Arquivo",
+    "deviceUnarchived": "Dispositivo desarquivado",
+    "deviceUnarchivedDescription": "O dispositivo foi desarquivado com sucesso.",
+    "errorUnarchivingDevice": "Erro ao desarquivar dispositivo",
+    "failedToUnarchiveDevice": "Falha ao desarquivar dispositivo",
+    "unarchive": "Desarquivar",
+    "archiveClient": "Arquivar Cliente",
+    "archiveClientQuestion": "Tem certeza que deseja arquivar este cliente?",
+    "archiveClientMessage": "O cliente será arquivado e removido da sua lista de clientes ativos.",
+    "archiveClientConfirm": "Arquivar Cliente",
+    "blockClient": "Bloco do Cliente",
+    "blockClientQuestion": "Tem certeza que deseja bloquear este cliente?",
+    "blockClientMessage": "O dispositivo será forçado a desconectar se estiver conectado. Você pode desbloquear o dispositivo mais tarde.",
+    "blockClientConfirm": "Bloco do Cliente",
+    "active": "ativo",
+    "usernameOrEmail": "Usuário ou Email",
+    "selectYourOrganization": "Selecione sua organização",
+    "signInTo": "Iniciar sessão em",
+    "signInWithPassword": "Continuar com a senha",
+    "noAuthMethodsAvailable": "Nenhum método de autenticação disponível para esta organização.",
+    "enterPassword": "Digite sua senha",
+    "enterMfaCode": "Insira o código do seu aplicativo autenticador",
+    "securityKeyRequired": "Por favor, utilize sua chave de segurança para entrar.",
+    "needToUseAnotherAccount": "Precisa usar uma conta diferente?",
+    "loginLegalDisclaimer": "Ao clicar nos botões abaixo, você reconhece que leu, entende e concorda com os <termsOfService>Termos de Serviço</termsOfService> e a <privacyPolicy>Política de Privacidade</privacyPolicy>.",
+    "termsOfService": "Termos de Serviço",
+    "privacyPolicy": "Política de Privacidade",
+    "userNotFoundWithUsername": "Nenhum usuário encontrado com este nome de usuário.",
+    "verify": "Verificar",
+    "signIn": "Iniciar sessão",
+    "forgotPassword": "Esqueceu a senha?",
+    "orgSignInTip": "Se você já fez login antes, você pode digitar seu nome de usuário ou e-mail acima para autenticar com o provedor de identidade da sua organização. É mais fácil!",
+    "continueAnyway": "Continuar mesmo assim",
+    "dontShowAgain": "Não mostrar novamente",
+    "orgSignInNotice": "Você sabia?",
+    "signupOrgNotice": "Tentando fazer login?",
+    "signupOrgTip": "Você está tentando entrar através do provedor de identidade da sua organização?",
+    "signupOrgLink": "Faça login ou inscreva-se com sua organização em vez disso",
+    "verifyEmailLogInWithDifferentAccount": "Use uma Conta Diferente",
+    "logIn": "Iniciar sessão",
+    "deviceInformation": "Informações do dispositivo",
+    "deviceInformationDescription": "Informações sobre o dispositivo e o agente",
+    "deviceSecurity": "Segurança do dispositivo",
+    "deviceSecurityDescription": "Informações sobre postagem de segurança",
+    "platform": "Plataforma",
+    "macosVersion": "Versão do macOS",
+    "windowsVersion": "Versão do Windows",
+    "iosVersion": "Versão para iOS",
+    "androidVersion": "Versão do Android",
+    "osVersion": "Versão do SO",
+    "kernelVersion": "Versão do Kernel",
+    "deviceModel": "Modelo do dispositivo",
+    "serialNumber": "Número de Série",
+    "hostname": "Hostname",
+    "firstSeen": "Visto primeiro",
+    "lastSeen": "Visto por último",
+    "biometricsEnabled": "Biometria habilitada",
+    "diskEncrypted": "Disco criptografado",
+    "firewallEnabled": "Firewall habilitado",
+    "autoUpdatesEnabled": "Atualizações Automáticas Habilitadas",
+    "tpmAvailable": "TPM disponível",
+    "macosSipEnabled": "Proteção da Integridade do Sistema (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Modo Furtivo do Firewall",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Ver informações e configurações do dispositivo",
+    "devicePendingApprovalDescription": "Este dispositivo está aguardando aprovação",
+    "deviceBlockedDescription": "Este dispositivo está bloqueado no momento. Ele não será capaz de se conectar a qualquer recurso a menos que seja desbloqueado.",
+    "unblockClient": "Desbloquear Cliente",
+    "unblockClientDescription": "O dispositivo foi desbloqueado",
+    "unarchiveClient": "Desarquivar Cliente",
+    "unarchiveClientDescription": "O dispositivo foi desarquivado",
+    "block": "Bloquear",
+    "unblock": "Desbloquear",
+    "deviceActions": "Ações do dispositivo",
+    "deviceActionsDescription": "Gerenciar status e acesso do dispositivo",
+    "devicePendingApprovalBannerDescription": "Este dispositivo está pendente de aprovação. Não será possível conectar-se a recursos até ser aprovado.",
+    "connected": "Conectado",
+    "disconnected": "Desconectado",
+    "approvalsEmptyStateTitle": "Aprovações do dispositivo não habilitado",
+    "approvalsEmptyStateDescription": "Habilitar aprovações do dispositivo para cargos que exigem aprovação do administrador antes que os usuários possam conectar novos dispositivos.",
+    "approvalsEmptyStateStep1Title": "Ir para Funções",
+    "approvalsEmptyStateStep1Description": "Navegue até as configurações dos papéis da sua organização para configurar as aprovações de dispositivo.",
+    "approvalsEmptyStateStep2Title": "Habilitar Aprovações do Dispositivo",
+    "approvalsEmptyStateStep2Description": "Editar uma função e habilitar a opção 'Exigir aprovação de dispositivos'. Usuários com essa função precisarão de aprovação de administrador para novos dispositivos.",
+    "approvalsEmptyStatePreviewDescription": "Pré-visualização: Quando ativado, solicitações de dispositivo pendentes aparecerão aqui para revisão",
+    "approvalsEmptyStateButtonText": "Gerir Funções"
 }
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Создать организацию, сайт и ресурсы",
+    "headerAuthCompatibilityInfo": "Включите это, чтобы принудительно вернуть ответ 401 Unauthorized, если отсутствует токен аутентификации. Это требуется для браузеров или определенных библиотек HTTP, которые не отправляют учетные данные без запроса сервера.",
+    "headerAuthCompatibility": "Дополнительная совместимость",
    "setupNewOrg": "Новая организация",
    "setupCreateOrg": "Создать организацию",
    "setupCreateResources": "Создать ресурсы",
@@ -33,7 +35,7 @@
    "password": "Пароль",
    "confirmPassword": "Подтвердите пароль",
    "createAccount": "Создать учётную запись",
-    "viewSettings": "Посмотреть настройки",
+    "viewSettings": "Просмотреть настройки",
    "delete": "Удалить",
    "name": "Имя",
    "online": "Онлайн",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Вы уверены, что хотите удалить сайт из организации?",
    "siteManageSites": "Управление сайтами",
    "siteDescription": "Создание и управление сайтами, чтобы включить подключение к приватным сетям",
+    "sitesBannerTitle": "Подключить любую сеть",
+    "sitesBannerDescription": "Сайт — это соединение с удаленной сетью, которое позволяет Pangolin предоставлять доступ к ресурсам, будь они общедоступными или частными, пользователям в любом месте. Установите сетевой коннектор сайта (Newt) там, где можно запустить исполняемый файл или контейнер, чтобы установить соединение.",
+    "sitesBannerButtonText": "Установить сайт",
+    "approvalsBannerTitle": "Одобрить или запретить доступ к устройству",
+    "approvalsBannerDescription": "Просмотрите и подтвердите или отклоните запросы на доступ к устройству от пользователей. Когда требуется подтверждение устройства, пользователи должны получить одобрение администратора, прежде чем их устройства смогут подключиться к ресурсам вашей организации.",
+    "approvalsBannerButtonText": "Узнать больше",
    "siteCreate": "Создать сайт",
    "siteCreateDescription2": "Следуйте инструкциям ниже для создания и подключения нового сайта",
    "siteCreateDescription": "Создайте новый сайт для начала подключения ресурсов",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Определите, как вы хотите подключиться к сайту",
    "siteNewtCredentials": "Полномочия",
    "siteNewtCredentialsDescription": "Вот как сайт будет аутентифицироваться с сервером",
+    "remoteNodeCredentialsDescription": "Так удалённый узел будет выполнять аутентификацию на сервере",
    "siteCredentialsSave": "Сохранить учетные данные",
    "siteCredentialsSaveDescription": "Вы сможете увидеть эти данные только один раз. Обязательно скопируйте их в безопасное место.",
    "siteInfo": "Информация о сайте",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Пожалуйста, выберите ресурс",
    "proxyResourceTitle": "Управление публичными ресурсами",
    "proxyResourceDescription": "Создание и управление ресурсами, которые доступны через веб-браузер",
+    "proxyResourcesBannerTitle": "Общедоступный доступ через веб",
+    "proxyResourcesBannerDescription": "Общедоступные ресурсы — это прокси-по HTTPS или TCP/UDP, доступные любому пользователю в Интернете через веб-браузер. В отличие от частных ресурсов, они не требуют программного обеспечения на стороне клиента и могут включать политики доступа на основе идентификации и контекста.",
    "clientResourceTitle": "Управление приватными ресурсами",
    "clientResourceDescription": "Создание и управление ресурсами, которые доступны только через подключенный клиент",
+    "privateResourcesBannerTitle": "Частный доступ с нулевым доверием",
+    "privateResourcesBannerDescription": "Частные ресурсы используют безопасность с нулевым доверием, обеспечивая доступ пользователей и устройств только к ресурсам, к которым вы явно предоставили доступ. Подключите пользовательские устройства или машинных клиентов, чтобы получить доступ к этим ресурсам через безопасную виртуальную частную сеть.",
    "resourcesSearch": "Поиск ресурсов...",
    "resourceAdd": "Добавить ресурс",
    "resourceErrorDelte": "Ошибка при удалении ресурса",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "После удаления ресурс больше не будет доступен. Все целевые узлы, связанные с ресурсом, также будут удалены.",
    "resourceQuestionRemove": "Вы уверены, что хотите удалить ресурс из организации?",
    "resourceHTTP": "HTTPS-ресурс",
-    "resourceHTTPDescription": "Прокси-запросы к приложению по HTTPS с помощью поддомена или базового домена.",
+    "resourceHTTPDescription": "Проксировать запросы через HTTPS с использованием полного доменного имени.",
    "resourceRaw": "Сырой TCP/UDP-ресурс",
-    "resourceRawDescription": "Прокси запрашивает приложение через TCP/UDP по номеру порта. Это работает только тогда, когда сайты подключены к узлам.",
+    "resourceRawDescription": "Проксировать запросы по сырому TCP/UDP с использованием номера порта.",
    "resourceCreate": "Создание ресурса",
    "resourceCreateDescription": "Следуйте инструкциям ниже для создания нового ресурса",
    "resourceSeeAll": "Посмотреть все ресурсы",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Поиск ролей...",
    "accessRolesAdd": "Добавить роль",
    "accessRoleDelete": "Удалить роль",
+    "accessApprovalsManage": "Управление утверждениями",
+    "accessApprovalsDescription": "Просмотр и управление утверждениями в ожидании доступа к этой организации",
    "description": "Описание",
    "inviteTitle": "Открытые приглашения",
    "inviteDescription": "Управление приглашениями для присоединения других пользователей к организации",
@@ -440,6 +455,18 @@
    "selectDuration": "Укажите срок действия",
    "selectResource": "Выберите ресурс",
    "filterByResource": "Фильтровать по ресурсам",
+    "selectApprovalState": "Выберите состояние одобрения",
+    "filterByApprovalState": "Фильтр по состоянию утверждения",
+    "approvalListEmpty": "Нет утверждений",
+    "approvalState": "Состояние одобрения",
+    "approve": "Одобрить",
+    "approved": "Одобрено",
+    "denied": "Отказано",
+    "deniedApproval": "Отказано в одобрении",
+    "all": "Все",
+    "deny": "Запретить",
+    "viewDetails": "Детали",
+    "requestingNewDeviceApproval": "запросил новое устройство",
    "resetFilters": "Сбросить фильтры",
    "totalBlocked": "Запросы заблокированы Панголином",
    "totalRequests": "Всего запросов",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Администраторы всегда имеют доступ к этому ресурсу.",
    "resourceUsersRoles": "Контроль доступа",
    "resourceUsersRolesDescription": "Выберите пользователей и роли с доступом к этому ресурсу",
-    "resourceUsersRolesSubmit": "Сохранить пользователей и роли",
+    "resourceUsersRolesSubmit": "Сохранить контроль доступа",
    "resourceWhitelistSave": "Успешно сохранено",
    "resourceWhitelistSaveDescription": "Настройки белого списка были сохранены",
    "ssoUse": "Использовать Platform SSO",
@@ -719,16 +746,28 @@
    "countries": "Страны",
    "accessRoleCreate": "Создание роли",
    "accessRoleCreateDescription": "Создайте новую роль для группы пользователей и выдавайте им разрешения.",
+    "accessRoleEdit": "Изменить роль",
+    "accessRoleEditDescription": "Редактировать информацию о роли.",
    "accessRoleCreateSubmit": "Создать роль",
    "accessRoleCreated": "Роль создана",
    "accessRoleCreatedDescription": "Роль была успешно создана.",
    "accessRoleErrorCreate": "Не удалось создать роль",
    "accessRoleErrorCreateDescription": "Произошла ошибка при создании роли.",
+    "accessRoleUpdateSubmit": "Обновить роль",
+    "accessRoleUpdated": "Роль обновлена",
+    "accessRoleUpdatedDescription": "Роль была успешно обновлена.",
+    "accessApprovalUpdated": "Выполнено утверждение",
+    "accessApprovalApprovedDescription": "Принять решение об утверждении запроса.",
+    "accessApprovalDeniedDescription": "Отказано в запросе об утверждении.",
+    "accessRoleErrorUpdate": "Не удалось обновить роль",
+    "accessRoleErrorUpdateDescription": "Произошла ошибка при обновлении роли.",
+    "accessApprovalErrorUpdate": "Не удалось обработать подтверждение",
+    "accessApprovalErrorUpdateDescription": "Произошла ошибка при обработке одобрения.",
    "accessRoleErrorNewRequired": "Новая роль обязательна",
    "accessRoleErrorRemove": "Не удалось удалить роль",
    "accessRoleErrorRemoveDescription": "Произошла ошибка при удалении роли.",
    "accessRoleName": "Название роли",
-    "accessRoleQuestionRemove": "Вы собираетесь удалить роль {name}. Это действие нельзя отменить.",
+    "accessRoleQuestionRemove": "Вы собираетесь удалить `{name}` роль. Это действие нельзя отменить.",
    "accessRoleRemove": "Удалить роль",
    "accessRoleRemoveDescription": "Удалить роль из организации",
    "accessRoleRemoveSubmit": "Удалить роль",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Настроить доступ для организации",
    "idpUpdatedDescription": "Поставщик удостоверений успешно обновлён",
    "redirectUrl": "URL редиректа",
+    "orgIdpRedirectUrls": "Перенаправление URL",
    "redirectUrlAbout": "О редиректе URL",
    "redirectUrlAboutDescription": "Это URL, на который пользователи будут перенаправлены после аутентификации. Вам нужно настроить этот URL в настройках провайдера.",
    "pangolinAuth": "Аутентификация - Pangolin",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Код аутентификатора",
    "pincodeSubmit2": "Отправить код",
    "passwordResetSubmit": "Запросить сброс",
-    "passwordResetAlreadyHaveCode": "Введите код сброса пароля",
+    "passwordResetAlreadyHaveCode": "Введите код",
    "passwordResetSmtpRequired": "Пожалуйста, обратитесь к администратору",
    "passwordResetSmtpRequiredDescription": "Для сброса пароля необходим код сброса пароля. Обратитесь к администратору за помощью.",
    "passwordBack": "Назад к паролю",
-    "loginBack": "Вернуться к входу",
+    "loginBack": "Вернуться на главную страницу входа",
    "signup": "Регистрация",
    "loginStart": "Войдите для начала работы",
    "idpOidcTokenValidating": "Проверка OIDC токена",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Обновить пользователя Org",
    "createOrgUser": "Создать пользователя Org",
    "actionUpdateOrg": "Обновить организацию",
+    "actionRemoveInvitation": "Удалить приглашение",
    "actionUpdateUser": "Обновить пользователя",
    "actionGetUser": "Получить пользователя",
    "actionGetOrgUser": "Получить пользователя организации",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Получить сайт",
    "actionListSites": "Список сайтов",
    "actionApplyBlueprint": "Применить чертёж",
+    "actionListBlueprints": "Список чертежей",
+    "actionGetBlueprint": "Получить чертёж",
    "setupToken": "Код настройки",
    "setupTokenDescription": "Введите токен настройки из консоли сервера.",
    "setupTokenRequired": "Токен настройки обязателен",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Обновить организацию IDP",
    "actionCreateClient": "Создать Клиента",
    "actionDeleteClient": "Удалить Клиента",
+    "actionArchiveClient": "Архивировать клиента",
+    "actionUnarchiveClient": "Разархивировать клиента",
+    "actionBlockClient": "Блокировать клиента",
+    "actionUnblockClient": "Разблокировать клиента",
    "actionUpdateClient": "Обновить Клиента",
    "actionListClients": "Список Клиентов",
    "actionGetClient": "Получить Клиента",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Поиск...",
    "create": "Создать",
    "orgs": "Организации",
-    "loginError": "Произошла ошибка при входе",
-    "loginRequiredForDevice": "Для аутентификации устройства необходимо войти в систему.",
+    "loginError": "Произошла непредвиденная ошибка. Пожалуйста, попробуйте еще раз.",
+    "loginRequiredForDevice": "Логин необходим для вашего устройства.",
    "passwordForgot": "Забыли пароль?",
    "otpAuth": "Двухфакторная аутентификация",
    "otpAuthDescription": "Введите код из вашего приложения-аутентификатора или один из ваших одноразовых резервных кодов.",
    "otpAuthSubmit": "Отправить код",
    "idpContinue": "Или продолжить с",
-    "otpAuthBack": "Вернуться к входу",
+    "otpAuthBack": "Назад к паролю",
    "navbar": "Навигационное меню",
    "navbarDescription": "Главное навигационное меню приложения",
    "navbarDocsLink": "Документация",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Обзор",
    "sidebarHome": "Главная",
    "sidebarSites": "Сайты",
+    "sidebarApprovals": "Запросы на утверждение",
    "sidebarResources": "Ресурсы",
    "sidebarProxyResources": "Публичный",
    "sidebarClientResources": "Приватный",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Поставщики удостоверений",
    "sidebarLicense": "Лицензия",
    "sidebarClients": "Клиенты",
-    "sidebarUserDevices": "Пользователи",
+    "sidebarUserDevices": "Устройства пользователя",
    "sidebarMachineClients": "Машины",
    "sidebarDomains": "Домены",
-    "sidebarGeneral": "Общие",
+    "sidebarGeneral": "Управление",
    "sidebarLogAndAnalytics": "Журнал и аналитика",
    "sidebarBluePrints": "Чертежи",
    "sidebarOrganization": "Организация",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Произошла ошибка при создании учётной записи администратора сервера.",
    "certificateStatus": "Статус сертификата",
    "loading": "Загрузка",
+    "loadingAnalytics": "Загрузка аналитики",
    "restart": "Перезагрузка",
    "domains": "Домены",
    "domainsDescription": "Создание и управление доменами, доступными в организации",
@@ -1290,6 +1339,7 @@
    "refreshError": "Не удалось обновить данные",
    "verified": "Подтверждено",
    "pending": "В ожидании",
+    "pendingApproval": "Ожидает утверждения",
    "sidebarBilling": "Выставление счетов",
    "billing": "Выставление счетов",
    "orgBillingDescription": "Управление платежной информацией и подписками",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Настройка аккаунта завершена! Добро пожаловать в Pangolin!",
    "documentation": "Документация",
    "saveAllSettings": "Сохранить все настройки",
+    "saveResourceTargets": "Сохранить цели",
+    "saveResourceHttp": "Сохранить настройки прокси",
+    "saveProxyProtocol": "Сохранить настройки прокси-протокола",
    "settingsUpdated": "Настройки обновлены",
-    "settingsUpdatedDescription": "Все настройки успешно обновлены",
+    "settingsUpdatedDescription": "Настройки успешно обновлены",
    "settingsErrorUpdate": "Не удалось обновить настройки",
    "settingsErrorUpdateDescription": "Произошла ошибка при обновлении настроек",
    "sidebarCollapse": "Свернуть",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Ключ безопасности успешно удален",
    "securityKeyRemoveError": "Не удалось удалить ключ безопасности",
    "securityKeyLoadError": "Не удалось загрузить ключи безопасности",
-    "securityKeyLogin": "Продолжить с ключом безопасности",
+    "securityKeyLogin": "Использовать ключ безопасности",
    "securityKeyAuthError": "Не удалось аутентифицироваться с ключом безопасности",
    "securityKeyRecommendation": "Зарегистрируйте резервный ключ безопасности на другом устройстве, чтобы всегда иметь доступ к вашему аккаунту.",
    "registering": "Регистрация...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Я согласен с",
        "termsOfService": "условия использования",
        "and": "и",
-        "privacyPolicy": "политика конфиденциальности"
+        "privacyPolicy": "политика конфиденциальности."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Держите меня в цикле с новостями, обновлениями и новыми функциями по электронной почте."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Добавить новую цель",
    "targetsList": "Список целей",
    "advancedMode": "Расширенный режим",
+    "advancedSettings": "Расширенные настройки",
    "targetErrorDuplicateTargetFound": "Обнаружена дублирующаяся цель",
    "healthCheckHealthy": "Здоровый",
    "healthCheckUnhealthy": "Нездоровый",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Интервал здоровых состояний",
    "timeoutSeconds": "Таймаут (сек)",
    "timeIsInSeconds": "Время указано в секундах",
+    "requireDeviceApproval": "Требовать подтверждения устройства",
+    "requireDeviceApprovalDescription": "Пользователям с этой ролью нужны новые устройства, одобренные администратором, прежде чем они смогут подключаться и получать доступ к ресурсам.",
    "retryAttempts": "Количество попыток повторного запроса",
    "expectedResponseCodes": "Ожидаемые коды ответов",
    "expectedResponseCodesDescription": "HTTP-код состояния, указывающий на здоровое состояние. Если оставить пустым, 200-300 считается здоровым.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Внутренних ресурсов не найдено.",
    "resourcesTableDestination": "Пункт назначения",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "Псевдоним адреса",
+    "resourcesTableAliasAddressInfo": "Этот адрес является частью вспомогательной подсети организации. Он используется для разрешения псевдонимов с использованием внутреннего разрешения DNS.",
    "resourcesTableClients": "Клиенты",
    "resourcesTableAndOnlyAccessibleInternally": "и доступны только внутренне при подключении с клиентом.",
    "resourcesTableNoTargets": "Нет ярлыков",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Свойства ресурса",
    "createInternalResourceDialogName": "Имя",
    "createInternalResourceDialogSite": "Сайт",
-    "createInternalResourceDialogSelectSite": "Выберите сайт...",
-    "createInternalResourceDialogSearchSites": "Поиск сайтов...",
-    "createInternalResourceDialogNoSitesFound": "Сайты не найдены.",
+    "selectSite": "Выберите сайт...",
+    "noSitesFound": "Сайты не найдены.",
    "createInternalResourceDialogProtocol": "Протокол",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Внутренний адрес сайта. Должен находиться в подсети организации.",
    "siteNameDescription": "Отображаемое имя сайта, которое может быть изменено позже.",
    "autoLoginExternalIdp": "Автоматический вход с внешним провайдером",
-    "autoLoginExternalIdpDescription": "Немедленно перенаправьте пользователя к внешнему провайдеру для аутентификации.",
+    "autoLoginExternalIdpDescription": "Немедленно перенаправьте пользователя к внешнему поставщику удостоверений для аутентификации.",
    "selectIdp": "Выберите провайдера",
    "selectIdpPlaceholder": "Выберите провайдера...",
    "selectIdpRequired": "Пожалуйста, выберите провайдера, когда автоматический вход включен.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "URL-адрес перенаправления не получен от провайдера удостоверения.",
    "autoLoginErrorGeneratingUrl": "Не удалось сгенерировать URL-адрес аутентификации.",
    "remoteExitNodeManageRemoteExitNodes": "Удаленные узлы",
-    "remoteExitNodeDescription": "Самохост-один или несколько удаленных узлов для расширения сетевого соединения и уменьшения зависимости от облака",
+    "remoteExitNodeDescription": "Самостоятельно размещайте свои удаленные ретрансляторы и узлы прокси-сервера",
    "remoteExitNodes": "Узлы",
    "searchRemoteExitNodes": "Поиск узлов...",
    "remoteExitNodeAdd": "Добавить узел",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Подтвердите удаление узла",
    "remoteExitNodeDelete": "Удалить узел",
    "sidebarRemoteExitNodes": "Удаленные узлы",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "Секретный ключ",
    "remoteExitNodeCreate": {
-        "title": "Создать узел",
-        "description": "Создать новый узел для расширения сетевого подключения",
+        "title": "Создать удалённый узел",
+        "description": "Создайте новый самостоятельный удалённый ретранслятор и узел прокси-сервера",
        "viewAllButton": "Все узлы",
        "strategy": {
            "title": "Стратегия создания",
-            "description": "Выберите эту опцию для настройки узла или создания новых учетных данных.",
+            "description": "Выберите способ создания удалённого узла",
            "adopt": {
                "title": "Принять узел",
                "description": "Выберите это, если у вас уже есть учетные данные для узла."
            },
            "generate": {
                "title": "Сгенерировать ключи",
-                "description": "Выберите это, если вы хотите создать новые ключи для узла"
+                "description": "Выберите это, если вы хотите создать новые ключи для узла."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "Подсеть",
    "subnetDescription": "Подсеть для конфигурации сети этой организации.",
-    "authPage": "Страница авторизации",
-    "authPageDescription": "Настроить страницу авторизации для организации",
+    "customDomain": "Пользовательский домен",
+    "authPage": "Страницы аутентификации",
+    "authPageDescription": "Установите пользовательский домен для страниц аутентификации организации",
    "authPageDomain": "Домен страницы авторизации",
+    "authPageBranding": "Пользовательское брендирование",
+    "authPageBrandingDescription": "Настройте брендирование, отображаемое на страницах аутентификации для этой организации",
+    "authPageBrandingUpdated": "Брендирование страницы аутентификации успешно обновлено",
+    "authPageBrandingRemoved": "Брендирование страницы аутентификации успешно удалено",
+    "authPageBrandingRemoveTitle": "Удалить брендирование страницы аутентификации",
+    "authPageBrandingQuestionRemove": "Вы уверены, что хотите удалить брендирование для страниц аутентификации?",
+    "authPageBrandingDeleteConfirm": "Подтвердить удаление брендирования",
+    "brandingLogoURL": "URL логотипа",
+    "brandingPrimaryColor": "Основной цвет",
+    "brandingLogoWidth": "Ширина (px)",
+    "brandingLogoHeight": "Высота (px)",
+    "brandingOrgTitle": "Заголовок для страницы аутентификации организации",
+    "brandingOrgDescription": "{orgName} будет заменен названием организации",
+    "brandingOrgSubtitle": "Подзаголовок страницы аутентификации организации",
+    "brandingResourceTitle": "Заголовок для страницы аутентификации ресурса",
+    "brandingResourceSubtitle": "Подзаголовок страницы аутентификации ресурса",
+    "brandingResourceDescription": "{resourceName} будет заменено на имя организации",
+    "saveAuthPageDomain": "Сохранить домен",
+    "saveAuthPageBranding": "Сохранить брендирование",
+    "removeAuthPageBranding": "Удалить брендирование",
    "noDomainSet": "Домен не установлен",
    "changeDomain": "Изменить домен",
    "selectDomain": "Выберите домен",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Установить домен страницы авторизации",
    "failedToFetchCertificate": "Не удалось получить сертификат",
    "failedToRestartCertificate": "Не удалось перезапустить сертификат",
-    "addDomainToEnableCustomAuthPages": "Добавить домен для включения пользовательских страниц аутентификации для организации",
+    "addDomainToEnableCustomAuthPages": "Пользователи смогут получить доступ к странице входа в систему организации и завершить аутентификацию ресурса, используя этот домен.",
    "selectDomainForOrgAuthPage": "Выберите домен для страницы аутентификации организации",
    "domainPickerProvidedDomain": "Домен предоставлен",
    "domainPickerFreeProvidedDomain": "Бесплатный домен",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" не может быть действительным для {domain}.",
    "domainPickerSubdomainSanitized": "Субдомен очищен",
    "domainPickerSubdomainCorrected": "\"{sub}\" был исправлен на \"{sanitized}\"",
-    "orgAuthSignInTitle": "Войти в организацию",
+    "orgAuthSignInTitle": "Вход в организацию",
    "orgAuthChooseIdpDescription": "Выберите своего поставщика удостоверений личности для продолжения",
    "orgAuthNoIdpConfigured": "Эта организация не имеет настроенных поставщиков идентификационных данных. Вместо этого вы можете войти в свой Pangolin.",
    "orgAuthSignInWithPangolin": "Войти через Pangolin",
+    "orgAuthSignInToOrg": "Войти в организацию",
+    "orgAuthSelectOrgTitle": "Вход в организацию",
+    "orgAuthSelectOrgDescription": "Введите ID вашей организации, чтобы продолжить",
+    "orgAuthOrgIdPlaceholder": "ваша-организация",
+    "orgAuthOrgIdHelp": "Введите уникальный идентификатор вашей организации",
+    "orgAuthSelectOrgHelp": "После ввода ID вашей организации вы попадете на страницу входа в вашу организацию, где сможете использовать SSO или учетные данные вашей организации.",
+    "orgAuthRememberOrgId": "Запомнить этот ID организации",
+    "orgAuthBackToSignIn": "Вернуться к стандартному входу",
+    "orgAuthNoAccount": "Нет учётной записи?",
    "subscriptionRequiredToUse": "Для использования этой функции требуется подписка.",
    "idpDisabled": "Провайдеры идентификации отключены.",
    "orgAuthPageDisabled": "Страница авторизации организации отключена.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "Включить двухфакторную аутентификацию",
    "completeSecuritySteps": "Пройти шаги безопасности",
    "securitySettings": "Настройки безопасности",
+    "dangerSection": "Опасная зона",
+    "dangerSectionDescription": "Навсегда удалить все данные, связанные с этой организацией",
    "securitySettingsDescription": "Настройка политик безопасности для организации",
    "requireTwoFactorForAllUsers": "Требовать двухфакторную аутентификацию для всех пользователей",
    "requireTwoFactorDescription": "Когда включено, все внутренние пользователи в этой организации должны иметь двухфакторную аутентификацию для доступа к организации.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Это повлияет на всех пользователей организации",
    "authPageErrorUpdateMessage": "Произошла ошибка при обновлении настроек страницы авторизации",
    "authPageErrorUpdate": "Не удалось обновить страницу авторизации",
-    "authPageUpdated": "Страница авторизации успешно обновлена",
+    "authPageDomainUpdated": "Домен страницы аутентификации успешно обновлён",
    "healthCheckNotAvailable": "Локальный",
    "rewritePath": "Переписать путь",
    "rewritePathDescription": "При необходимости, измените путь перед пересылкой к целевому адресу.",
@@ -1915,8 +2006,15 @@
    "beta": "Бета",
    "manageUserDevices": "Устройства пользователя",
    "manageUserDevicesDescription": "Просмотр и управление устройствами, которые пользователи используют для приватного подключения к ресурсам",
+    "downloadClientBannerTitle": "Скачать клиент Pangolin",
+    "downloadClientBannerDescription": "Загрузите клиент Pangolin для вашей системы, чтобы подключиться к сети Pangolin и получить доступ к ресурсам в частном порядке.",
    "manageMachineClients": "Управление машинными клиентами",
    "manageMachineClientsDescription": "Создание и управление клиентами, которые используют серверы и системы для частного подключения к ресурсам",
+    "machineClientsBannerTitle": "Серверы и автоматизированные системы",
+    "machineClientsBannerDescription": "Клиенты для машин предназначены для серверов и автоматизированных систем, которые не связаны с конкретным пользователем. Они аутентифицируются по ID и секрету и могут работать с Pangolin CLI, Olm CLI или Olm как с контейнером.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm как контейнер",
    "clientsTableUserClients": "Пользователь",
    "clientsTableMachineClients": "Машина",
    "licenseTableValidUntil": "Действителен до",
@@ -2060,13 +2158,15 @@
    "request": "Запросить",
    "requests": "Запросы",
    "logs": "Логи",
-    "logsSettingsDescription": "Отслеживать журналы, собранные в этой организации",
+    "logsSettingsDescription": "Мониторинг журналов, собранных от этой организации",
    "searchLogs": "Поиск журналов...",
    "action": "Действие",
    "actor": "Актер",
    "timestamp": "Отметка времени",
    "accessLogs": "Журналы доступа",
    "exportCsv": "Экспорт CSV",
+    "exportError": "Неизвестная ошибка при экспорте CSV",
+    "exportCsvTooltip": "В пределах диапазона времени",
    "actorId": "ID актера",
    "allowedByRule": "Разрешено правилом",
    "allowedNoAuth": "Разрешено без авторизации",
@@ -2120,7 +2220,7 @@
    "unverified": "Не подтверждено",
    "domainSetting": "Настройки домена",
    "domainSettingDescription": "Настройка параметров домена",
-    "preferWildcardCertDescription": "Попытка создания шаблона сертификата (требуется должным образом сконфигурированный резолвер сертификата).",
+    "preferWildcardCertDescription": "Попытка создать сертификат с подстановочными знаками (требуется правильно настроенное средство разрешения сертификатов).",
    "recordName": "Имя записи",
    "auto": "Авто",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Код должен быть 9 символов (например, A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Неверный или просроченный код",
    "deviceCodeVerifyFailed": "Не удалось проверить код устройства",
+    "deviceCodeValidating": "Проверка кода устройства...",
+    "deviceCodeVerifying": "Проверка авторизации устройства...",
    "signedInAs": "Вы вошли как",
    "deviceCodeEnterPrompt": "Введите код, отображаемый на устройстве",
    "continue": "Продолжить",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Доступ ко всем организациям, к которым ваш аккаунт имеет доступ",
    "deviceAuthorize": "Авторизовать {applicationName}",
    "deviceConnected": "Устройство подключено!",
-    "deviceAuthorizedMessage": "Устройство авторизовано для доступа к вашей учетной записи.",
+    "deviceAuthorizedMessage": "Устройство авторизовано для доступа к вашей учетной записи. Вернитесь в клиентское приложение.",
    "pangolinCloud": "Облако Панголина",
    "viewDevices": "Просмотр устройств",
    "viewDevicesDescription": "Управление подключенными устройствами",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "Не вы? Используйте другую учетную запись.",
    "deviceLoginDeviceRequestingAccessToAccount": "Устройство запрашивает доступ к этой учетной записи.",
+    "loginSelectAuthenticationMethod": "Выберите метод аутентификации для продолжения.",
    "noData": "Нет данных",
    "machineClients": "Машинные клиенты",
    "install": "Установить",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Не удалось получить подсеть по умолчанию",
    "setupSubnetAdvanced": "Подсеть (Дополнительно)",
    "setupSubnetDescription": "Подсеть для внутренней сети этой организации.",
+    "setupUtilitySubnet": "Утилита подсети (расширенная)",
+    "setupUtilitySubnetDescription": "Подсеть для адресов псевдонимов этой организации и DNS-сервера.",
    "siteRegenerateAndDisconnect": "Сгенерировать и отключить",
    "siteRegenerateAndDisconnectConfirmation": "Вы уверены, что хотите сгенерировать учетные данные и отключить этот сайт?",
    "siteRegenerateAndDisconnectWarning": "Это позволит восстановить учетные данные и немедленно отключить сайт. Сайт будет перезапущен с новыми учетными данными.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Это позволит восстановить учётные данные и немедленно отключить удаленный узел выхода. Удаленный узел выхода должен быть перезапущен с новыми учетными данными.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Вы уверены, что хотите восстановить учетные данные для этого удаленного выхода узла?",
    "remoteExitNodeRegenerateCredentialsWarning": "Это позволит восстановить учетные данные. Удалённый узел останется подключенным, пока вы не перезапустите его вручную и воспользуетесь новыми учетными данными.",
-    "agent": "Агент"
+    "agent": "Агент",
+    "personalUseOnly": "Только для личного использования",
+    "loginPageLicenseWatermark": "Это экземпляр лицензирован только для личного использования.",
+    "instanceIsUnlicensed": "Этот экземпляр не лицензирован.",
+    "portRestrictions": "Ограничения портов",
+    "allPorts": "Все",
+    "custom": "Пользовательский",
+    "allPortsAllowed": "Все порты разрешены",
+    "allPortsBlocked": "Все порты заблокированы",
+    "tcpPortsDescription": "Укажите, какие TCP-порты разрешены для этого ресурса. Используйте '*' для всех портов, оставьте пустым, чтобы заблокировать все, или введите список портов и диапазонов через запятую (например, 80,443,8000-9000).",
+    "udpPortsDescription": "Укажите, какие UDP-порты разрешены для этого ресурса. Используйте '*' для всех портов, оставьте пустым, чтобы заблокировать все, или введите список портов и диапазонов через запятую (например, 53,123,500-600).",
+    "organizationLoginPageTitle": "Страница входа в систему организации",
+    "organizationLoginPageDescription": "Настройте страницу входа для этой организации",
+    "resourceLoginPageTitle": "Страница входа в систему ресурса",
+    "resourceLoginPageDescription": "Настройте страницу входа для отдельных ресурсов",
+    "enterConfirmation": "Введите подтверждение",
+    "blueprintViewDetails": "Подробности",
+    "defaultIdentityProvider": "Поставщик удостоверений по умолчанию",
+    "defaultIdentityProviderDescription": "Когда выбран поставщик идентификации по умолчанию, пользователь будет автоматически перенаправлен на провайдер для аутентификации.",
+    "editInternalResourceDialogNetworkSettings": "Настройки сети",
+    "editInternalResourceDialogAccessPolicy": "Политика доступа",
+    "editInternalResourceDialogAddRoles": "Добавить роли",
+    "editInternalResourceDialogAddUsers": "Добавить пользователей",
+    "editInternalResourceDialogAddClients": "Добавить клиентов",
+    "editInternalResourceDialogDestinationLabel": "Пункт назначения",
+    "editInternalResourceDialogDestinationDescription": "Укажите адрес назначения для внутреннего ресурса. Это может быть имя хоста, IP-адрес или диапазон CIDR в зависимости от выбранного режима. При необходимости установите внутренний DNS-алиас для облегчения идентификации.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Ограничьте доступ к определенным TCP/UDP-портам или разрешите/заблокируйте все порты.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Контроль доступа",
+    "editInternalResourceDialogAccessControlDescription": "Контролируйте, какие роли, пользователи и машинные клиенты имеют доступ к этому ресурсу при подключении. Администраторы всегда имеют доступ.",
+    "editInternalResourceDialogPortRangeValidationError": "Диапазон портов должен быть \"*\" для всех портов или списком портов и диапазонов через запятую (например, \"80,443,8000-9000\"). Порты должны находиться в диапазоне от 1 до 65535.",
+    "orgAuthWhatsThis": "Где я могу найти ID моей организации?",
+    "learnMore": "Узнать больше",
+    "backToHome": "Вернуться домой",
+    "needToSignInToOrg": "Нужно использовать провайдера идентификаций вашей организации?",
+    "maintenanceMode": "Режим обслуживания",
+    "maintenanceModeDescription": "Показать страницу обслуживания посетителям",
+    "maintenanceModeType": "Тип режима обслуживания",
+    "showMaintenancePage": "Показать страницу обслуживания посетителям",
+    "enableMaintenanceMode": "Включить режим обслуживания",
+    "automatic": "Автоматический",
+    "automaticModeDescription": "Показывать страницу обслуживания только когда все цели бэкэнда недоступны или неисправны. Ваш ресурс продолжит работать нормально, пока хотя бы одна цель здорова.",
+    "forced": "Принудительно",
+    "forcedModeDescription": "Всегда показывать страницу обслуживания независимо от состояния бэкэнда. Используйте это для планового обслуживания, когда хотите предотвратить всех доступ.",
+    "warning:": "Предупреждение:",
+    "forcedeModeWarning": "Весь трафик будет направлен на страницу обслуживания. Ваши бекэнд ресурсы не будут получать никакие запросы.",
+    "pageTitle": "Заголовок страницы",
+    "pageTitleDescription": "Основной заголовок, отображаемый на странице обслуживания",
+    "maintenancePageMessage": "Сообщение об обслуживании",
+    "maintenancePageMessagePlaceholder": "Мы скоро вернемся! Наш сайт в настоящее время проходит плановое техническое обслуживание.",
+    "maintenancePageMessageDescription": "Подробное сообщение, объясняющее обслуживание",
+    "maintenancePageTimeTitle": "Предполагаемое время завершения (необязательно)",
+    "maintenanceTime": "например, 2 часа, 1 ноября в 5:00 вечера",
+    "maintenanceEstimatedTimeDescription": "Когда вы ожидаете завершения обслуживания",
+    "editDomain": "Редактировать домен",
+    "editDomainDescription": "Выберите домен для вашего ресурса",
+    "maintenanceModeDisabledTooltip": "Для использования этой функции требуется действующая лицензия.",
+    "maintenanceScreenTitle": "Сервис временно недоступен",
+    "maintenanceScreenMessage": "В настоящее время мы испытываем технические трудности. Пожалуйста, зайдите позже.",
+    "maintenanceScreenEstimatedCompletion": "Предполагаемое завершение:",
+    "createInternalResourceDialogDestinationRequired": "Укажите адрес назначения. Это может быть имя хоста или IP-адрес.",
+    "available": "Доступно",
+    "archived": "Архивировано",
+    "noArchivedDevices": "Архивные устройства не найдены",
+    "deviceArchived": "Устройство архивировано",
+    "deviceArchivedDescription": "Устройство успешно архивировано.",
+    "errorArchivingDevice": "Ошибка архивирования устройства",
+    "failedToArchiveDevice": "Не удалось архивировать устройство",
+    "deviceQuestionArchive": "Вы уверены, что хотите архивировать это устройство?",
+    "deviceMessageArchive": "Устройство будет архивировано и удалено из вашего списка активных устройств.",
+    "deviceArchiveConfirm": "Архивировать устройство",
+    "archiveDevice": "Архивировать устройство",
+    "archive": "Архивировать",
+    "deviceUnarchived": "Устройство разархивировано",
+    "deviceUnarchivedDescription": "Устройство было успешно разархивировано.",
+    "errorUnarchivingDevice": "Ошибка разархивирования устройства",
+    "failedToUnarchiveDevice": "Не удалось распаковать устройство",
+    "unarchive": "Разархивировать",
+    "archiveClient": "Архивировать клиента",
+    "archiveClientQuestion": "Вы уверены, что хотите архивировать этого клиента?",
+    "archiveClientMessage": "Клиент будет архивирован и удален из вашего активного списка клиентов.",
+    "archiveClientConfirm": "Архивировать клиента",
+    "blockClient": "Блокировать клиента",
+    "blockClientQuestion": "Вы уверены, что хотите заблокировать этого клиента?",
+    "blockClientMessage": "Устройство будет вынуждено отключиться, если подключено в данный момент. Вы можете разблокировать устройство позже.",
+    "blockClientConfirm": "Блокировать клиента",
+    "active": "Активный",
+    "usernameOrEmail": "Имя пользователя или Email",
+    "selectYourOrganization": "Выберите вашу организацию",
+    "signInTo": "Войти в",
+    "signInWithPassword": "Продолжить с паролем",
+    "noAuthMethodsAvailable": "Методы аутентификации для этой организации недоступны.",
+    "enterPassword": "Введите ваш пароль",
+    "enterMfaCode": "Введите код из вашего приложения-аутентификатора",
+    "securityKeyRequired": "Пожалуйста, используйте ваш защитный ключ для входа.",
+    "needToUseAnotherAccount": "Нужно использовать другой аккаунт?",
+    "loginLegalDisclaimer": "Нажимая на кнопки ниже, вы подтверждаете, что прочитали, поняли и согласны с <termsOfService>Условиями использования</termsOfService> и <privacyPolicy>Политикой конфиденциальности</privacyPolicy>.",
+    "termsOfService": "Условия предоставления услуг",
+    "privacyPolicy": "Политика конфиденциальности",
+    "userNotFoundWithUsername": "Пользователь с таким именем пользователя не найден.",
+    "verify": "Подтвердить",
+    "signIn": "Войти",
+    "forgotPassword": "Забыли пароль?",
+    "orgSignInTip": "Если вы вошли в систему ранее, вы можете ввести имя пользователя или адрес электронной почты, чтобы войти в систему с поставщиком идентификации вашей организации. Это проще!",
+    "continueAnyway": "Все равно продолжить",
+    "dontShowAgain": "Больше не показывать",
+    "orgSignInNotice": "Знаете ли вы?",
+    "signupOrgNotice": "Пытаетесь войти?",
+    "signupOrgTip": "Вы пытаетесь войти через оператора идентификации вашей организации?",
+    "signupOrgLink": "Войдите или зарегистрируйтесь через вашу организацию",
+    "verifyEmailLogInWithDifferentAccount": "Использовать другую учетную запись",
+    "logIn": "Войти",
+    "deviceInformation": "Информация об устройстве",
+    "deviceInformationDescription": "Информация о устройстве и агенте",
+    "deviceSecurity": "Безопасность устройства",
+    "deviceSecurityDescription": "Информация о позе безопасности устройства",
+    "platform": "Платформа",
+    "macosVersion": "Версия macOS",
+    "windowsVersion": "Версия Windows",
+    "iosVersion": "Версия iOS",
+    "androidVersion": "Версия Android",
+    "osVersion": "Версия ОС",
+    "kernelVersion": "Версия ядра",
+    "deviceModel": "Модель устройства",
+    "serialNumber": "Серийный номер",
+    "hostname": "Hostname",
+    "firstSeen": "Первый раз виден",
+    "lastSeen": "Последнее посещение",
+    "biometricsEnabled": "Включены биометрические данные",
+    "diskEncrypted": "Диск зашифрован",
+    "firewallEnabled": "Брандмауэр включен",
+    "autoUpdatesEnabled": "Автоматические обновления включены",
+    "tpmAvailable": "Доступно TPM",
+    "macosSipEnabled": "Защита целостности системы (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Стилс-режим брандмауэра",
+    "linuxAppArmorEnabled": "Броня",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Просмотр информации и настроек устройства",
+    "devicePendingApprovalDescription": "Это устройство ожидает одобрения",
+    "deviceBlockedDescription": "Это устройство заблокировано. Оно не сможет подключаться к ресурсам, если не разблокировано.",
+    "unblockClient": "Разблокировать клиента",
+    "unblockClientDescription": "Устройство разблокировано",
+    "unarchiveClient": "Разархивировать клиента",
+    "unarchiveClientDescription": "Устройство было разархивировано",
+    "block": "Блок",
+    "unblock": "Разблокировать",
+    "deviceActions": "Действия устройства",
+    "deviceActionsDescription": "Управление статусом устройства и доступом",
+    "devicePendingApprovalBannerDescription": "Это устройство ожидает одобрения. Он не сможет подключиться к ресурсам до утверждения.",
+    "connected": "Подключено",
+    "disconnected": "Отключено",
+    "approvalsEmptyStateTitle": "Утверждения устройства не включены",
+    "approvalsEmptyStateDescription": "Включите одобрение ролей для того, чтобы пользователи могли подключать новые устройства.",
+    "approvalsEmptyStateStep1Title": "Перейти к ролям",
+    "approvalsEmptyStateStep1Description": "Перейдите в настройки ролей вашей организации для настройки утверждений устройств.",
+    "approvalsEmptyStateStep2Title": "Включить утверждения устройства",
+    "approvalsEmptyStateStep2Description": "Редактировать роль и включить опцию 'Требовать утверждения устройств'. Пользователям с этой ролью потребуется подтверждение администратора для новых устройств.",
+    "approvalsEmptyStatePreviewDescription": "Предпросмотр: Если включено, ожидающие запросы на устройство появятся здесь для проверки",
+    "approvalsEmptyStateButtonText": "Управление ролями"
 }
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "Organizasyonu, siteyi ve kaynakları oluşturun",
+    "headerAuthCompatibilityInfo": "Kimlik doğrulama belirteci eksik olduğunda 401 Yetkisiz yanıtı zorlamak için bunu etkinleştirin. Bu, sunucu sorunu olmadan kimlik bilgilerini göndermeyen tarayıcılar veya belirli HTTP kütüphaneleri için gereklidir.",
+    "headerAuthCompatibility": "Genişletilmiş Uyumluluk",
    "setupNewOrg": "Yeni Organizasyon",
    "setupCreateOrg": "Organizasyon Oluştur",
    "setupCreateResources": "Kaynaklar Oluştur",
@@ -33,7 +35,7 @@
    "password": "Şifre",
    "confirmPassword": "Şifreyi Onayla",
    "createAccount": "Hesap Oluştur",
-    "viewSettings": "Ayarları görüntüle",
+    "viewSettings": "Ayarları Görüntüle",
    "delete": "Sil",
    "name": "Ad",
    "online": "Çevrimiçi",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "Siteyi organizasyondan kaldırmak istediğinizden emin misiniz?",
    "siteManageSites": "Siteleri Yönet",
    "siteDescription": "Özel ağlara erişimi etkinleştirmek için siteler oluşturun ve yönetin",
+    "sitesBannerTitle": "Herhangi Bir Ağa Bağlan",
+    "sitesBannerDescription": "Bir site, Pangolin'in kullanıcılara, halka açık veya özel kaynaklara, her yerden erişim sağlamak için uzak bir ağa bağlantı sunmasıdır. Site ağı bağlantısını (Newt) çalıştırabileceğiniz her yere kurarak bağlantıyı kurunuz.",
+    "sitesBannerButtonText": "Site Kur",
+    "approvalsBannerTitle": "Cihaz Erişimini Onayla veya Reddet",
+    "approvalsBannerDescription": "Kullanıcılardan gelen cihaz erişim isteklerini gözden geçirin ve onaylayın veya reddedin. Cihaz onaylarının gerekli olduğu durumlarda, kullanıcıların cihazlarının kuruluşunuzun kaynaklarına bağlanabilmesi için yönetici onayı alması gerekecektir.",
+    "approvalsBannerButtonText": "Daha fazla bilgi",
    "siteCreate": "Site Oluştur",
    "siteCreateDescription2": "Yeni bir site oluşturup bağlanmak için aşağıdaki adımları izleyin",
    "siteCreateDescription": "Kaynaklarınızı bağlamaya başlamak için yeni bir site oluşturun",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "Sitenize nasıl bağlanmak istediğinizi belirleyin",
    "siteNewtCredentials": "Kimlik Bilgileri",
    "siteNewtCredentialsDescription": "Bu, sitenin sunucu ile kimlik doğrulaması yapacağı yöntemdir",
+    "remoteNodeCredentialsDescription": "Uzak düğümün sunucu ile kimliği nasıl doğrulayacağı budur",
    "siteCredentialsSave": "Kimlik Bilgilerinizi Kaydedin",
    "siteCredentialsSaveDescription": "Yalnızca bir kez görebileceksiniz. Güvenli bir yere kopyaladığınızdan emin olun.",
    "siteInfo": "Site Bilgilendirmesi",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "Lütfen bir kaynak seçin",
    "proxyResourceTitle": "Herkese Açık Kaynakları Yönet",
    "proxyResourceDescription": "Bir web tarayıcısı aracılığıyla kamuya açık kaynaklar oluşturun ve yönetin",
+    "proxyResourcesBannerTitle": "Web Tabanlı Genel Erişim",
+    "proxyResourcesBannerDescription": "Genel kaynaklar, web tarayıcısı aracılığıyla herkesin internette erişebileceği HTTPS veya TCP/UDP proxy'leridir. Özel kaynakların aksine, istemci tarafı yazılıma ihtiyaç duymazlar ve kimlik ve bağlam farkındalığı erişim politikalarını içerebilirler.",
    "clientResourceTitle": "Özel Kaynakları Yönet",
    "clientResourceDescription": "Sadece bağlı bir istemci aracılığıyla erişilebilen kaynakları oluşturun ve yönetin",
+    "privateResourcesBannerTitle": "Sıfır Güven Özel Erişim",
+    "privateResourcesBannerDescription": "Özel kaynaklar sıfır güven güvenliği kullanır, kullanıcılar ve makinelerin yalnızca açıkça izin verdiğiniz kaynaklara erişmesini sağlar. Bu kaynaklara güvenli bir sanal özel ağ üzerinden erişmek için kullanıcı cihazlarını veya makine müşterilerini bağlayın.",
    "resourcesSearch": "Kaynakları ara...",
    "resourceAdd": "Kaynak Ekle",
    "resourceErrorDelte": "Kaynak silinirken hata",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "Kaldırıldıktan sonra kaynak artık erişilebilir olmayacaktır. Kaynakla ilişkili tüm hedefler de kaldırılacaktır.",
    "resourceQuestionRemove": "Kaynağı organizasyondan kaldırmak istediğinizden emin misiniz?",
    "resourceHTTP": "HTTPS Kaynağı",
-    "resourceHTTPDescription": "Bir alt alan adı veya temel alan adı kullanarak uygulamanıza HTTPS üzerinden vekil istek gönderin.",
+    "resourceHTTPDescription": "Tam nitelikli bir etki alanı adı kullanarak HTTPS üzerinden proxy isteklerini yönlendirin.",
    "resourceRaw": "Ham TCP/UDP Kaynağı",
-    "resourceRawDescription": "Uygulamanıza TCP/UDP üzerinden port numarası ile vekil istek gönderin.",
+    "resourceRawDescription": "Port numarası kullanarak ham TCP/UDP üzerinden proxy isteklerini yönlendirin.",
    "resourceCreate": "Kaynak Oluştur",
    "resourceCreateDescription": "Yeni bir kaynak oluşturmak için aşağıdaki adımları izleyin",
    "resourceSeeAll": "Tüm Kaynakları Gör",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "Rolleri ara...",
    "accessRolesAdd": "Rol Ekle",
    "accessRoleDelete": "Rolü Sil",
+    "accessApprovalsManage": "Onayları Yönet",
+    "accessApprovalsDescription": "Bu kuruluşa erişim için bekleyen onayları görüntüleyin ve yönetin",
    "description": "Açıklama",
    "inviteTitle": "Açık Davetiyeler",
    "inviteDescription": "Organizasyona katılmak için diğer kullanıcılar için davetleri yönetin",
@@ -440,6 +455,18 @@
    "selectDuration": "Süreyi seçin",
    "selectResource": "Kaynak Seçin",
    "filterByResource": "Kaynağa Göre Filtrele",
+    "selectApprovalState": "Onay Durumunu Seçin",
+    "filterByApprovalState": "Onay Durumuna Göre Filtrele",
+    "approvalListEmpty": "Onay yok",
+    "approvalState": "Onay Durumu",
+    "approve": "Onayla",
+    "approved": "Onaylandı",
+    "denied": "Reddedildi",
+    "deniedApproval": "Reddedilen Onay",
+    "all": "Tümü",
+    "deny": "Reddet",
+    "viewDetails": "Ayrıntıları Gör",
+    "requestingNewDeviceApproval": "yeni bir cihaz talep etti",
    "resetFilters": "Filtreleri Sıfırla",
    "totalBlocked": "Pangolin Tarafından Engellenen İstekler",
    "totalRequests": "Toplam İstekler",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "Yöneticiler her zaman bu kaynağa erişebilir.",
    "resourceUsersRoles": "Erişim Kontrolleri",
    "resourceUsersRolesDescription": "Bu kaynağı kimlerin ziyaret edebileceği kullanıcıları ve rolleri yapılandırın",
-    "resourceUsersRolesSubmit": "Kullanıcıları ve Rolleri Kaydet",
+    "resourceUsersRolesSubmit": "Erişim Kontrollerini Kaydet",
    "resourceWhitelistSave": "Başarıyla kaydedildi",
    "resourceWhitelistSaveDescription": "Beyaz liste ayarları kaydedildi",
    "ssoUse": "Platform SSO'sunu Kullanın",
@@ -719,11 +746,23 @@
    "countries": "Ülkeler",
    "accessRoleCreate": "Rol Oluştur",
    "accessRoleCreateDescription": "Kullanıcıları gruplamak ve izinlerini yönetmek için yeni bir rol oluşturun.",
+    "accessRoleEdit": "Rol Düzenle",
+    "accessRoleEditDescription": "Rol bilgilerini düzenleyin.",
    "accessRoleCreateSubmit": "Rol Oluştur",
    "accessRoleCreated": "Rol oluşturuldu",
    "accessRoleCreatedDescription": "Rol başarıyla oluşturuldu.",
    "accessRoleErrorCreate": "Rol oluşturulamadı",
    "accessRoleErrorCreateDescription": "Rol oluşturulurken bir hata oluştu.",
+    "accessRoleUpdateSubmit": "Rolü Güncelle",
+    "accessRoleUpdated": "Rol güncellendi",
+    "accessRoleUpdatedDescription": "Rol başarıyla güncellendi.",
+    "accessApprovalUpdated": "Onay işlendi",
+    "accessApprovalApprovedDescription": "Onay İsteği kararını onaylandı olarak ayarlayın.",
+    "accessApprovalDeniedDescription": "Onay İsteği kararını reddedildi olarak ayarlayın.",
+    "accessRoleErrorUpdate": "Rol güncellenemedi",
+    "accessRoleErrorUpdateDescription": "Rol güncellenirken bir hata oluştu.",
+    "accessApprovalErrorUpdate": "Onay işlenemedi",
+    "accessApprovalErrorUpdateDescription": "Onay işlenirken bir hata oluştu.",
    "accessRoleErrorNewRequired": "Yeni rol gerekli",
    "accessRoleErrorRemove": "Rol kaldırılamadı",
    "accessRoleErrorRemoveDescription": "Rol kaldırılırken bir hata oluştu.",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "Bir kuruluş için erişimi yapılandırın",
    "idpUpdatedDescription": "Kimlik sağlayıcı başarıyla güncellendi",
    "redirectUrl": "Yönlendirme URL'si",
+    "orgIdpRedirectUrls": "Yönlendirme URL'leri",
    "redirectUrlAbout": "Yönlendirme URL'si Hakkında",
    "redirectUrlAboutDescription": "Bu, kimlik doğrulamasından sonra kullanıcıların yönlendirileceği URL'dir. Bu URL'yi kimlik sağlayıcınızın ayarlarında yapılandırmanız gerekir.",
    "pangolinAuth": "Yetkilendirme - Pangolin",
@@ -863,7 +903,7 @@
    "inviteAlready": "Davetiye gönderilmiş gibi görünüyor!",
    "inviteAlreadyDescription": "Daveti kabul etmek için giriş yapmalı veya bir hesap oluşturmalısınız.",
    "signupQuestion": "Zaten bir hesabınız var mı?",
-    "login": "Giriş yap",
+    "login": "Giriş Yap",
    "resourceNotFound": "No resources found",
    "resourceNotFoundDescription": "Erişmeye çalıştığınız kaynak mevcut değil.",
    "pincodeRequirementsLength": "PIN kesinlikle 6 haneli olmalıdır",
@@ -945,11 +985,11 @@
    "pincodeAuth": "Kimlik Doğrulama Kodu",
    "pincodeSubmit2": "Kodu Gönder",
    "passwordResetSubmit": "Sıfırlama İsteği",
-    "passwordResetAlreadyHaveCode": "Parola Sıfırlama Kodunu Giriniz",
+    "passwordResetAlreadyHaveCode": "Kodu Girin",
    "passwordResetSmtpRequired": "Yönetici ile iletişime geçin",
    "passwordResetSmtpRequiredDescription": "Parolanızı sıfırlamak için bir parola sıfırlama kodu gereklidir. Yardım için yönetici ile iletişime geçin.",
    "passwordBack": "Şifreye Geri Dön",
-    "loginBack": "Girişe geri dön",
+    "loginBack": "Ana oturum açma sayfasına geri dön",
    "signup": "Kaydol",
    "loginStart": "Başlamak için giriş yapın",
    "idpOidcTokenValidating": "OIDC token'ı doğrulanıyor",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "Organizasyon Kullanıcısını Güncelle",
    "createOrgUser": "Organizasyon Kullanıcısı Oluştur",
    "actionUpdateOrg": "Kuruluşu Güncelle",
+    "actionRemoveInvitation": "Daveti Kaldır",
    "actionUpdateUser": "Kullanıcıyı Güncelle",
    "actionGetUser": "Kullanıcıyı Getir",
    "actionGetOrgUser": "Kuruluş Kullanıcısını Al",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "Siteyi Al",
    "actionListSites": "Siteleri Listele",
    "actionApplyBlueprint": "Planı Uygula",
+    "actionListBlueprints": "Plan Listesini Görüntüle",
+    "actionGetBlueprint": "Planı Elde Et",
    "setupToken": "Kurulum Simgesi",
    "setupTokenDescription": "Sunucu konsolundan kurulum simgesini girin.",
    "setupTokenRequired": "Kurulum simgesi gerekli",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "Kimlik Sağlayıcı Organizasyonu Güncelle",
    "actionCreateClient": "Müşteri Oluştur",
    "actionDeleteClient": "Müşteri Sil",
+    "actionArchiveClient": "İstemci Arşivle",
+    "actionUnarchiveClient": "İstemci Arşivini Kaldır",
+    "actionBlockClient": "İstemci Engelle",
+    "actionUnblockClient": "İstemci Engelini Kaldır",
    "actionUpdateClient": "Müşteri Güncelle",
    "actionListClients": "Müşterileri Listele",
    "actionGetClient": "Müşteriyi Al",
@@ -1120,14 +1167,14 @@
    "searchProgress": "Ara...",
    "create": "Oluştur",
    "orgs": "Organizasyonlar",
-    "loginError": "Giriş yaparken bir hata oluştu",
-    "loginRequiredForDevice": "Cihazınızı kimlik doğrulamak için giriş yapılması gereklidir.",
+    "loginError": "Beklenmeyen bir hata oluştu. Lütfen tekrar deneyin.",
+    "loginRequiredForDevice": "Cihazınız için oturum açmanız gerekiyor.",
    "passwordForgot": "Şifrenizi mi unuttunuz?",
    "otpAuth": "İki Faktörlü Kimlik Doğrulama",
    "otpAuthDescription": "Authenticator uygulamanızdan veya tek kullanımlık yedek kodlarınızdan birini girin.",
    "otpAuthSubmit": "Kodu Gönder",
    "idpContinue": "Veya devam et:",
-    "otpAuthBack": "Girişe Dön",
+    "otpAuthBack": "Şifreye Geri Dön",
    "navbar": "Navigasyon Menüsü",
    "navbarDescription": "Uygulamanın ana navigasyon menüsü",
    "navbarDocsLink": "Dokümantasyon",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "Genel Bakış",
    "sidebarHome": "Ana Sayfa",
    "sidebarSites": "Siteler",
+    "sidebarApprovals": "Onay Talepleri",
    "sidebarResources": "Kaynaklar",
    "sidebarProxyResources": "Herkese Açık",
    "sidebarClientResources": "Özel",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "Kimlik Sağlayıcılar",
    "sidebarLicense": "Lisans",
    "sidebarClients": "İstemciler",
-    "sidebarUserDevices": "Kullanıcılar",
+    "sidebarUserDevices": "Kullanıcı Cihazları",
    "sidebarMachineClients": "Makineler",
    "sidebarDomains": "Alan Adları",
-    "sidebarGeneral": "Genel",
+    "sidebarGeneral": "Yönet",
    "sidebarLogAndAnalytics": "Kayıt & Analiz",
    "sidebarBluePrints": "Planlar",
    "sidebarOrganization": "Organizasyon",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "Sunucu yönetici hesabı oluşturulurken bir hata oluştu.",
    "certificateStatus": "Sertifika Durumu",
    "loading": "Yükleniyor",
+    "loadingAnalytics": "Analiz Yükleniyor",
    "restart": "Yeniden Başlat",
    "domains": "Alan Adları",
    "domainsDescription": "Organizasyonda kullanılabilir alan adlarını oluşturun ve yönetin",
@@ -1290,6 +1339,7 @@
    "refreshError": "Veriler yenilenemedi",
    "verified": "Doğrulandı",
    "pending": "Beklemede",
+    "pendingApproval": "Bekleyen Onay",
    "sidebarBilling": "Faturalama",
    "billing": "Faturalama",
    "orgBillingDescription": "Fatura bilgilerinizi ve aboneliklerinizi yönetin",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "Hesap kurulumu tamamlandı! Pangolin'e hoş geldiniz!",
    "documentation": "Dokümantasyon",
    "saveAllSettings": "Tüm Ayarları Kaydet",
+    "saveResourceTargets": "Hedefleri Kaydet",
+    "saveResourceHttp": "Proxy Ayarlarını Kaydet",
+    "saveProxyProtocol": "Proxy protokol ayarlarını kaydet",
    "settingsUpdated": "Ayarlar güncellendi",
-    "settingsUpdatedDescription": "Tüm ayarlar başarıyla güncellendi",
+    "settingsUpdatedDescription": "Ayarlar başarıyla güncellendi",
    "settingsErrorUpdate": "Ayarlar güncellenemedi",
    "settingsErrorUpdateDescription": "Ayarları güncellerken bir hata oluştu",
    "sidebarCollapse": "Daralt",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "Güvenlik anahtarı başarıyla kaldırıldı",
    "securityKeyRemoveError": "Güvenlik anahtarı kaldırılırken hata oluştu",
    "securityKeyLoadError": "Güvenlik anahtarları yüklenirken hata oluştu",
-    "securityKeyLogin": "Güvenlik anahtarı ile devam edin",
+    "securityKeyLogin": "Güvenlik Anahtarı Kullan",
    "securityKeyAuthError": "Güvenlik anahtarı ile kimlik doğrulama başarısız oldu",
    "securityKeyRecommendation": "Hesabınızdan kilitlenmediğinizden emin olmak için farklı bir cihazda başka bir güvenlik anahtarı kaydetmeyi düşünün.",
    "registering": "Kaydediliyor...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "Kabul ediyorum",
        "termsOfService": "hizmet şartları",
        "and": "ve",
-        "privacyPolicy": "gizlilik politikası"
+        "privacyPolicy": "gizlilik politikası."
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "Bana e-posta yoluyla haberler, güncellemeler ve yeni özellikler hakkında bilgi verin."
@@ -1508,6 +1561,7 @@
    "addNewTarget": "Yeni Hedef Ekle",
    "targetsList": "Hedefler Listesi",
    "advancedMode": "Gelişmiş Mod",
+    "advancedSettings": "Gelişmiş Ayarlar",
    "targetErrorDuplicateTargetFound": "Yinelenen hedef bulundu",
    "healthCheckHealthy": "Sağlıklı",
    "healthCheckUnhealthy": "Sağlıksız",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "Sağlıklı Aralık",
    "timeoutSeconds": "Zaman Aşımı (saniye)",
    "timeIsInSeconds": "Zaman saniye cinsindendir",
+    "requireDeviceApproval": "Cihaz Onaylarını Gerektir",
+    "requireDeviceApprovalDescription": "Bu role sahip kullanıcıların yeni cihazlarının bağlanabilmesi ve kaynaklara erişebilmesi için bir yönetici tarafından onaylanması gerekiyor.",
    "retryAttempts": "Tekrar Deneme Girişimleri",
    "expectedResponseCodes": "Beklenen Yanıt Kodları",
    "expectedResponseCodesDescription": "Sağlıklı durumu gösteren HTTP durum kodu. Boş bırakılırsa, 200-300 arası sağlıklı kabul edilir.",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "Hiçbir dahili kaynak bulunamadı.",
    "resourcesTableDestination": "Hedef",
    "resourcesTableAlias": "Takma Ad",
+    "resourcesTableAliasAddress": "Alias Adresi",
+    "resourcesTableAliasAddressInfo": "Bu adres, kuruluşun yardımcı ağ alt bantının bir parçasıdır. Alias kayıtlarını çözümlemek için dahili DNS çözümlemesi kullanılır.",
    "resourcesTableClients": "İstemciler",
    "resourcesTableAndOnlyAccessibleInternally": "veyalnızca bir istemci ile bağlandığında dahili olarak erişilebilir.",
    "resourcesTableNoTargets": "Hedef yok",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "Kaynak Özellikleri",
    "createInternalResourceDialogName": "Ad",
    "createInternalResourceDialogSite": "Site",
-    "createInternalResourceDialogSelectSite": "Site seç...",
-    "createInternalResourceDialogSearchSites": "Siteleri ara...",
-    "createInternalResourceDialogNoSitesFound": "Site bulunamadı.",
+    "selectSite": "Site seç...",
+    "noSitesFound": "Site bulunamadı.",
    "createInternalResourceDialogProtocol": "Protokol",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "Site için dahili adres. Organizasyon alt ağı içinde olmalıdır.",
    "siteNameDescription": "Sonradan değiştirilebilecek sitenin görünen adı.",
    "autoLoginExternalIdp": "Harici IDP ile Otomatik Giriş",
-    "autoLoginExternalIdpDescription": "Kullanıcıyı kimlik doğrulama için otomatik olarak harici IDP'ye yönlendirin.",
+    "autoLoginExternalIdpDescription": "Kullanıcıyı kimlik doğrulama için hemen harici kimlik sağlayıcısına yönlendirin.",
    "selectIdp": "IDP Seç",
    "selectIdpPlaceholder": "IDP seçin...",
    "selectIdpRequired": "Otomatik giriş etkinleştirildiğinde lütfen bir IDP seçin.",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "Kimlik sağlayıcıdan yönlendirme URL'si alınamadı.",
    "autoLoginErrorGeneratingUrl": "Kimlik doğrulama URL'si oluşturulamadı.",
    "remoteExitNodeManageRemoteExitNodes": "Uzak Düğümler",
-    "remoteExitNodeDescription": "Ağ bağlantınızı genişletmek ve buluta bağlı kalmayı azaltmak için bir veya daha fazla uzak düğüm barındırın",
+    "remoteExitNodeDescription": "Kendi uzaktan yönetilen ileti ve ara sunucu düğümlerinizi barındırın",
    "remoteExitNodes": "Düğümler",
    "searchRemoteExitNodes": "Düğüm ara...",
    "remoteExitNodeAdd": "Düğüm Ekle",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "Düğüm Silmeyi Onayla",
    "remoteExitNodeDelete": "Düğümü Sil",
    "sidebarRemoteExitNodes": "Uzak Düğümler",
+    "remoteExitNodeId": "Kimlik",
+    "remoteExitNodeSecretKey": "Gizli",
    "remoteExitNodeCreate": {
-        "title": "Düğüm Oluştur",
-        "description": "Ağ bağlantınızı genişletmek için yeni bir düğüm oluşturun",
+        "title": "Uzak Düğüm Oluştur",
+        "description": "Yeni bir kendine misafir uzaktan ileti ve ara sunucu düğümü oluşturun",
        "viewAllButton": "Tüm Düğümleri Gör",
        "strategy": {
            "title": "Oluşturma Stratejisi",
-            "description": "Düğümünüzü manuel olarak yapılandırmak veya yeni kimlik bilgileri oluşturmak için bunu seçin.",
+            "description": "Uzak düğümü nasıl oluşturmak istediğinizi seçin",
            "adopt": {
                "title": "Düğüm Benimse",
                "description": "Zaten düğüm için kimlik bilgilerine sahipseniz bunu seçin."
            },
            "generate": {
                "title": "Anahtarları Oluştur",
-                "description": "Düğüm için yeni anahtarlar oluşturmak istiyorsanız bunu seçin"
+                "description": "Düğüm için yeni anahtarlar oluşturmak istiyorsanız bunu seçin."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC sağlayıcısı",
    "subnet": "Alt ağ",
    "subnetDescription": "Bu organizasyonun ağ yapılandırması için alt ağ.",
-    "authPage": "Yetkilendirme Sayfası",
-    "authPageDescription": "Kuruluşunuz için yetkilendirme sayfasını yapılandırın",
+    "customDomain": "Özel Alan",
+    "authPage": "Kimlik Sayfaları",
+    "authPageDescription": "Kuruluşun kimlik doğrulama sayfaları için özel bir alan belirleyin",
    "authPageDomain": "Yetkilendirme Sayfası Alanı",
+    "authPageBranding": "Özel Marka",
+    "authPageBrandingDescription": "Bu kuruluşa ait kimlik doğrulama sayfalarında görünecek markayı yapılandırın",
+    "authPageBrandingUpdated": "Kimlik doğrulama sayfası marka güncellemesi başarıyla tamamlandı",
+    "authPageBrandingRemoved": "Kimlik doğrulama sayfası marka kaldırıldı",
+    "authPageBrandingRemoveTitle": "Kimlik Doğrulama Sayfası Markası Kaldır",
+    "authPageBrandingQuestionRemove": "Kimlik Sayfaları için markayı kaldırmak istediğinizden emin misiniz?",
+    "authPageBrandingDeleteConfirm": "Markayı Silmeyi Onayla",
+    "brandingLogoURL": "Logo URL",
+    "brandingPrimaryColor": "Ana Renk",
+    "brandingLogoWidth": "Genişlik (px)",
+    "brandingLogoHeight": "Yükseklik (px)",
+    "brandingOrgTitle": "Kuruluş Kimlik Sayfası için Başlık",
+    "brandingOrgDescription": "{orgName} kuruluş adı ile değiştirilecek",
+    "brandingOrgSubtitle": "Kuruluş Kimlik Sayfası için Alt Başlık",
+    "brandingResourceTitle": "Kaynak Yetkilendirme Sayfası için Başlık",
+    "brandingResourceSubtitle": "Kaynak Yetkilendirme Sayfası için Alt Başlık",
+    "brandingResourceDescription": "{resourceName} organizasyon adıyla değiştirilecek",
+    "saveAuthPageDomain": "Alan Adını Kaydet",
+    "saveAuthPageBranding": "Markayı Kaydet",
+    "removeAuthPageBranding": "Markayı Kaldır",
    "noDomainSet": "Alan belirlenmedi",
    "changeDomain": "Alanı Değiştir",
    "selectDomain": "Alan Seçin",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "Yetkilendirme Sayfası Alanını Ayarla",
    "failedToFetchCertificate": "Sertifika getirilemedi",
    "failedToRestartCertificate": "Sertifika yeniden başlatılamadı",
-    "addDomainToEnableCustomAuthPages": "Kuruluşunuz için özel kimlik doğrulama sayfalarını etkinleştirmek için bir alan ekleyin",
+    "addDomainToEnableCustomAuthPages": "Kullanıcılar, bu alanı kullanarak kuruluşun giriş sayfasına erişebilir ve kaynak kimlik doğrulamasını tamamlayabilir.",
    "selectDomainForOrgAuthPage": "Kuruluşun kimlik doğrulama sayfası için bir alan seçin",
    "domainPickerProvidedDomain": "Sağlanan Alan Adı",
    "domainPickerFreeProvidedDomain": "Ücretsiz Sağlanan Alan Adı",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" {domain} için geçerli yapılamadı.",
    "domainPickerSubdomainSanitized": "Alt alan adı temizlendi",
    "domainPickerSubdomainCorrected": "\"{sub}\" \"{sanitized}\" olarak düzeltildi",
-    "orgAuthSignInTitle": "Kuruluşunuza giriş yapın",
+    "orgAuthSignInTitle": "Kuruluş Giriş",
    "orgAuthChooseIdpDescription": "Devam etmek için kimlik sağlayıcınızı seçin",
    "orgAuthNoIdpConfigured": "Bu kuruluşta yapılandırılmış kimlik sağlayıcı yok. Bunun yerine Pangolin kimliğinizle giriş yapabilirsiniz.",
    "orgAuthSignInWithPangolin": "Pangolin ile Giriş Yap",
+    "orgAuthSignInToOrg": "Bir kuruluşa giriş yapın",
+    "orgAuthSelectOrgTitle": "Kuruluş Giriş",
+    "orgAuthSelectOrgDescription": "Devam etmek için kuruluş kimliğinizi girin",
+    "orgAuthOrgIdPlaceholder": "kuruluşunuz",
+    "orgAuthOrgIdHelp": "Kuruluşunuzun benzersiz tanımlayıcısını girin",
+    "orgAuthSelectOrgHelp": "Kuruluş kimliğinizi girdikten sonra, SSO veya kuruluş kimlik bilgilerinizi kullanabileceğiniz kuruluş giriş sayfanıza yönlendirileceksiniz.",
+    "orgAuthRememberOrgId": "Bu kuruluş kimliğini hatırla",
+    "orgAuthBackToSignIn": "Standart girişe geri dön",
+    "orgAuthNoAccount": "Hesabınız yok mu?",
    "subscriptionRequiredToUse": "Bu özelliği kullanmak için abonelik gerekmektedir.",
    "idpDisabled": "Kimlik sağlayıcılar devre dışı bırakılmıştır.",
    "orgAuthPageDisabled": "Kuruluş kimlik doğrulama sayfası devre dışı bırakılmıştır.",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "İki faktörlü kimlik doğrulamayı etkinleştir",
    "completeSecuritySteps": "Güvenlik Adımlarını Tamamla",
    "securitySettings": "Güvenlik Ayarları",
+    "dangerSection": "Tehlike Alanı",
+    "dangerSectionDescription": "Bu organizasyonla ilişkili tüm verileri kalıcı olarak silin",
    "securitySettingsDescription": "Kuruluşunuz için güvenlik politikalarını yapılandırın",
    "requireTwoFactorForAllUsers": "Tüm Kullanıcılar için İki Faktörlü Kimlik Doğrulama Gerektir",
    "requireTwoFactorDescription": "Etkinleştirildiğinde, bu kuruluştaki tüm dahili kullanıcıların, kuruluşa erişmek için iki faktörlü kimlik doğrulama etkinleştirilmiş olmalıdır.",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "Bu, organizasyondaki tüm kullanıcıları etkileyecektir",
    "authPageErrorUpdateMessage": "Kimlik doğrulama sayfası ayarları güncellenirken bir hata oluştu.",
    "authPageErrorUpdate": "Kimlik doğrulama sayfası güncellenemedi",
-    "authPageUpdated": "Kimlik doğrulama sayfası başarıyla güncellendi",
+    "authPageDomainUpdated": "Kimlik doğrulama sayfası alanı başarıyla güncellendi",
    "healthCheckNotAvailable": "Yerel",
    "rewritePath": "Yolu Yeniden Yaz",
    "rewritePathDescription": "Seçenek olarak hedefe iletmeden önce yolu yeniden yazın.",
@@ -1915,8 +2006,15 @@
    "beta": "Beta",
    "manageUserDevices": "Kullanıcı Cihazları",
    "manageUserDevicesDescription": "Kullanıcıların kaynaklara özel olarak bağlanmak için kullandığı cihazları görüntüleyin ve yönetin",
+    "downloadClientBannerTitle": "Pangolin İstemcisini İndir",
+    "downloadClientBannerDescription": "Sisteminize Pangolin istemcisini indirerek Pangolin ağına bağlanın ve kaynaklara özel olarak erişim sağlayın.",
    "manageMachineClients": "Makine İstemcilerini Yönetin",
    "manageMachineClientsDescription": "Sunucuların ve sistemlerin kaynaklara özel olarak bağlanmak için kullandığı istemcileri oluşturun ve yönetin",
+    "machineClientsBannerTitle": "Sunucular ve Otomatik Sistemler",
+    "machineClientsBannerDescription": "Makine müşterileri, belirli bir kullanıcı ile ilişkilendirilmemiş sunucular ve otomatik sistemler içindir. Kimlik ve şifreyle doğrulama yaparlar ve Pangolin CLI, Olm CLI veya Olm'yi bir konteyner olarak çalıştırabilirler.",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm Konteyner",
    "clientsTableUserClients": "Kullanıcı",
    "clientsTableMachineClients": "Makine",
    "licenseTableValidUntil": "Geçerli İki Tarih Kadar",
@@ -2060,13 +2158,15 @@
    "request": "İstek",
    "requests": "İstekler",
    "logs": "Günlükler",
-    "logsSettingsDescription": "Bu organizasyondan toplanan günlükleri izleyin",
+    "logsSettingsDescription": "Bu kuruluştan toplanan günlükleri izleyin",
    "searchLogs": "Günlüklerde ara...",
    "action": "Eylem",
    "actor": "Aktör",
    "timestamp": "Zaman damgası",
    "accessLogs": "Erişim Günlükleri",
    "exportCsv": "CSV Dışa Aktar",
+    "exportError": "CSV dışa aktarılırken bilinmeyen hata",
+    "exportCsvTooltip": "Zaman Aralığında",
    "actorId": "Aktör Kimliği",
    "allowedByRule": "Kurallara Göre İzin Verildi",
    "allowedNoAuth": "Kimlik Doğrulama Yok İzin Verildi",
@@ -2120,7 +2220,7 @@
    "unverified": "Doğrulanmadı",
    "domainSetting": "Alan Adı Ayarları",
    "domainSettingDescription": "Alan adı için ayarları yapılandırın",
-    "preferWildcardCertDescription": "Joker sertifika üretmeye çalışın (doğru yapılandırılmış bir sertifika çözücü gereklidir).",
+    "preferWildcardCertDescription": "Joker karakter sertifikası oluşturmayı deneyin (doğru yapılandırılmış bir sertifika çözümleyici gerektirir).",
    "recordName": "Kayıt Adı",
    "auto": "Otomatik",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "Kod 9 karakter olmalı (ör. A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "Geçersiz veya süresi dolmuş kod",
    "deviceCodeVerifyFailed": "Cihaz kodu doğrulanamadı",
+    "deviceCodeValidating": "Cihaz kodu doğrulanıyor...",
+    "deviceCodeVerifying": "Cihaz yetkilendirme doğrulanıyor...",
    "signedInAs": "Olarak giriş yapıldı",
    "deviceCodeEnterPrompt": "Cihazda gösterilen kodu girin",
    "continue": "Devam Et",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "Hesabınızın erişim hakkına sahip olduğu tüm organizasyonlara erişim",
    "deviceAuthorize": "{uygulamaAdi} yetkilendir",
    "deviceConnected": "Cihaz Bağlandı!",
-    "deviceAuthorizedMessage": "Cihazınız, hesabınıza erişim izni almıştır.",
+    "deviceAuthorizedMessage": "Cihaz hesabınıza erişim yetkisine sahiptir. Lütfen istemci uygulamasına geri dönün.",
    "pangolinCloud": "Pangolin Cloud",
    "viewDevices": "Cihazları Görüntüle",
    "viewDevicesDescription": "Bağlantılı cihazlarınızı yönetin",
@@ -2246,6 +2348,7 @@
    "identifier": "Tanımlayıcı",
    "deviceLoginUseDifferentAccount": "Siz değil misiniz? Farklı bir hesap kullanın.",
    "deviceLoginDeviceRequestingAccessToAccount": "Bir cihaz bu hesaba erişim talep ediyor.",
+    "loginSelectAuthenticationMethod": "Devam etmek için bir kimlik doğrulama yöntemi seçin.",
    "noData": "Veri Yok",
    "machineClients": "Makine İstemcileri",
    "install": "Yükle",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "Varsayılan alt ağ alınamadı",
    "setupSubnetAdvanced": "Alt Ağ (Gelişmiş)",
    "setupSubnetDescription": "Bu organizasyonun dahili ağı için alt ağ.",
+    "setupUtilitySubnet": "Yardımcı Alt Ağ (Gelişmiş)",
+    "setupUtilitySubnetDescription": "Bu kuruluşun alias adresleri ve DNS sunucusu için alt ağ.",
    "siteRegenerateAndDisconnect": "Yeniden Oluştur ve Bağlantıyı Kes",
    "siteRegenerateAndDisconnectConfirmation": "Kimlik bilgilerini yeniden oluşturmak ve bu sitenin bağlantısını kesmek istediğinizden emin misiniz?",
    "siteRegenerateAndDisconnectWarning": "Bu, kimlik bilgilerini yeniden oluşturacak ve sitenin bağlantısını anında kesecektir. Site yeni kimlik bilgilerle yeniden başlatılmalıdır.",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "Bu, kimlik bilgilerini yeniden oluşturacak ve hemen uzak çıkış düğümünün bağlantısını kesecek. Uzak çıkış düğümü, yeni kimlik bilgileri ile yeniden başlatılmalıdır.",
    "remoteExitNodeRegenerateCredentialsConfirmation": "Bu uzak çıkış düğümü için kimlik bilgilerini yeniden oluşturmak istediğinizden emin misiniz?",
    "remoteExitNodeRegenerateCredentialsWarning": "Bu, kimlik bilgilerini yeniden oluşturacak. Uzak çıkış düğümü, manuel olarak yeniden başlatılana ve yeni kimlik bilgiler kullanılana kadar bağlı kalacak.",
-    "agent": "Aracı"
+    "agent": "Aracı",
+    "personalUseOnly": "Sadece Kişisel Kullanım",
+    "loginPageLicenseWatermark": "Bu örnek yalnızca kişisel kullanım için lisanslıdır.",
+    "instanceIsUnlicensed": "Bu örnek lisanssızdır.",
+    "portRestrictions": "Port Kısıtlamaları",
+    "allPorts": "Tümü",
+    "custom": "Özel",
+    "allPortsAllowed": "Tüm Portlar İzinli",
+    "allPortsBlocked": "Tüm Portlar Engelli",
+    "tcpPortsDescription": "Bu kaynak için izin verilen TCP portlarını belirtin. Tüm portlar için '*' kullanın, hepsini engellemek için boş bırakın veya virgülle ayrılmış port ve aralık listesi girin (ör. 80,443,8000-9000).",
+    "udpPortsDescription": "Bu kaynak için izin verilen UDP portlarını belirtin. Tüm portlar için '*' kullanın, hepsini engellemek için boş bırakın veya virgülle ayrılmış port ve aralık listesi girin (ör. 53,123,500-600).",
+    "organizationLoginPageTitle": "Kuruluş Giriş Sayfası",
+    "organizationLoginPageDescription": "Bu kuruluş için giriş sayfasını özelleştirin",
+    "resourceLoginPageTitle": "Kaynak Giriş Sayfası",
+    "resourceLoginPageDescription": "Bağımsız kaynaklar için giriş sayfasını özelleştirin",
+    "enterConfirmation": "Onayı girin",
+    "blueprintViewDetails": "Detaylar",
+    "defaultIdentityProvider": "Varsayılan Kimlik Sağlayıcı",
+    "defaultIdentityProviderDescription": "Varsayılan bir kimlik sağlayıcı seçildiğinde, kullanıcı kimlik doğrulaması için otomatik olarak sağlayıcıya yönlendirilecektir.",
+    "editInternalResourceDialogNetworkSettings": "Ağ Ayarları",
+    "editInternalResourceDialogAccessPolicy": "Erişim Politikası",
+    "editInternalResourceDialogAddRoles": "Roller Ekle",
+    "editInternalResourceDialogAddUsers": "Kullanıcılar Ekle",
+    "editInternalResourceDialogAddClients": "Müşteriler Ekle",
+    "editInternalResourceDialogDestinationLabel": "Hedef",
+    "editInternalResourceDialogDestinationDescription": "Dahili kaynak için hedef adresi belirtin. Seçilen moda bağlı olarak bu bir ana bilgisayar adı, IP adresi veya CIDR aralığı olabilir. Daha kolay tanımlama için isteğe bağlı olarak dahili bir DNS takma adı ayarlayın.",
+    "editInternalResourceDialogPortRestrictionsDescription": "Belirtilen TCP/UDP portlarına erişimi kısıtlayın veya tüm portlara izin/engelleme verin.",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "Erişim Kontrolü",
+    "editInternalResourceDialogAccessControlDescription": "Bağlandığında bu kaynağa erişimi olan roller, kullanıcılar ve makine müşterilerini kontrol edin. Yöneticiler her zaman erişime sahiptir.",
+    "editInternalResourceDialogPortRangeValidationError": "Port aralığı, tüm portlar için \"*\" veya virgülle ayrılmış bir port ve aralık listesi olmalıdır (ör. \"80,443,8000-9000\"). Portlar 1 ile 65535 arasında olmalıdır.",
+    "orgAuthWhatsThis": "Kuruluş kimliğimi nerede bulabilirim?",
+    "learnMore": "Daha fazla bilgi",
+    "backToHome": "Ana sayfaya geri dön",
+    "needToSignInToOrg": "Kuruluşunuzun kimlik sağlayıcısını kullanmanız mı gerekiyor?",
+    "maintenanceMode": "Bakım Modu",
+    "maintenanceModeDescription": "Ziyaretçilere bir bakım sayfası gösterin",
+    "maintenanceModeType": "Bakım Modu Türü",
+    "showMaintenancePage": "Ziyaretçilere bir bakım sayfası gösterin",
+    "enableMaintenanceMode": "Bakım Modunu Etkinleştir",
+    "automatic": "Otomatik",
+    "automaticModeDescription": "Tüm arka uç hedefleri kapalı veya sağlıksız olduğunda yalnızca bakım sayfasını gösterin. Sağlıklı en az bir hedef olduğu sürece kaynağınız normal şekilde çalışmaya devam eder.",
+    "forced": "Zorunlu",
+    "forcedModeDescription": "Arka plan sağlığına bakılmaksızın her zaman bakım sayfasını gösterin. Tüm erişimi engellemek istediğiniz planlı bakım için bunu kullanın.",
+    "warning:": "Uyarı:",
+    "forcedeModeWarning": "Tüm trafik bakım sayfasına yönlendirilecek. Arka plan kaynaklarınız herhangi bir isteği almayacaktır.",
+    "pageTitle": "Sayfa Başlığı",
+    "pageTitleDescription": "Bakım sayfasında gösterilen ana başlık",
+    "maintenancePageMessage": "Bakım Mesajı",
+    "maintenancePageMessagePlaceholder": "Yakında geri döneceğiz! Sitemiz şu anda planlı bakım altındadır.",
+    "maintenancePageMessageDescription": "Bakımın detaylarını açıklayan mesaj",
+    "maintenancePageTimeTitle": "Tahmini Tamamlanma Süresi (İsteğe Bağlı)",
+    "maintenanceTime": "ör. 2 saat, 1 Kasım saat 17:00",
+    "maintenanceEstimatedTimeDescription": "Bakımın ne zaman tamamlanmasını bekliyorsunuz",
+    "editDomain": "Alan Adını Düzenle",
+    "editDomainDescription": "Kaynak için bir alan adı seçin",
+    "maintenanceModeDisabledTooltip": "Bu özelliği etkinleştirmek için geçerli bir lisans gereklidir.",
+    "maintenanceScreenTitle": "Servis Geçici Olarak Kullanılamıyor",
+    "maintenanceScreenMessage": "Şu anda teknik zorluklar yaşıyoruz. Lütfen yakında tekrar kontrol edin.",
+    "maintenanceScreenEstimatedCompletion": "Tahmini Tamamlama:",
+    "createInternalResourceDialogDestinationRequired": "Hedef gereklidir",
+    "available": "Mevcut",
+    "archived": "Arşivlenmiş",
+    "noArchivedDevices": "Arşivlenmiş cihaz bulunamadı",
+    "deviceArchived": "Cihaz arşivlendi",
+    "deviceArchivedDescription": "Cihaz başarıyla arşivlendi.",
+    "errorArchivingDevice": "Cihaz arşivleme hatası",
+    "failedToArchiveDevice": "Cihaz arşivlenemedi",
+    "deviceQuestionArchive": "Bu cihazı arşivlemek istediğinizden emin misiniz?",
+    "deviceMessageArchive": "Cihaz arşivlenecek ve aktif cihazlar listenizden kaldırılacak.",
+    "deviceArchiveConfirm": "Cihaz Arşivle",
+    "archiveDevice": "Cihaz Arşivle",
+    "archive": "Arşivle",
+    "deviceUnarchived": "Cihaz arşivden çıkarıldı",
+    "deviceUnarchivedDescription": "Cihaz başarıyla arşivden çıkarıldı.",
+    "errorUnarchivingDevice": "Cihaz arşivden çıkartılamadı",
+    "failedToUnarchiveDevice": "Cihaz arşivden çıkarılamadı",
+    "unarchive": "Arşivden Çıkart",
+    "archiveClient": "İstemci Arşivle",
+    "archiveClientQuestion": "Bu istemciyi arşivlemek istediğinizden emin misiniz?",
+    "archiveClientMessage": "İstemci arşivlenecek ve aktif istemciler listenizden çıkarılacak.",
+    "archiveClientConfirm": "İstemci Arşivle",
+    "blockClient": "İstemci Engelle",
+    "blockClientQuestion": "Bu istemciyi engellemek istediğinizden emin misiniz?",
+    "blockClientMessage": "Cihaz şu anda bağlıysa bağlantısı kesilecek. Cihazı daha sonra engelini kaldırabilirsiniz.",
+    "blockClientConfirm": "İstemci Engelle",
+    "active": "Aktif",
+    "usernameOrEmail": "Kullanıcı adı veya E-posta",
+    "selectYourOrganization": "Kuruluşunuzu seçin",
+    "signInTo": "Giriş yapın",
+    "signInWithPassword": "Şifre ile Devam Et",
+    "noAuthMethodsAvailable": "Bu kuruluş için kullanılabilir kimlik doğrulama yöntemleri yok.",
+    "enterPassword": "Şifrenizi girin",
+    "enterMfaCode": "Authenticator uygulamanızdan kodu girin",
+    "securityKeyRequired": "Giriş yapmak için güvenlik anahtarınızı kullanın.",
+    "needToUseAnotherAccount": "Farklı bir hesap kullanmanız mı gerekiyor?",
+    "loginLegalDisclaimer": "Aşağıdaki butonlara tıklayarak, <termsOfService>Hizmet Şartları</termsOfService> ve <privacyPolicy>Gizlilik Politikası</privacyPolicy> metinlerini okuduğunuzu ve anladığınızı kabul etmektesiniz.",
+    "termsOfService": "Hizmet Şartları",
+    "privacyPolicy": "Gizlilik Politikası",
+    "userNotFoundWithUsername": "Bu kullanıcı adıyla eşleşen kullanıcı bulunamadı.",
+    "verify": "Doğrula",
+    "signIn": "Giriş Yap",
+    "forgotPassword": "Şifreni mi unuttun?",
+    "orgSignInTip": "Daha önce giriş yaptıysanız, yukarıda kullanıcı adınızı veya e-posta adresinizi girerek kuruluşunuzun kimlik sağlayıcısıyla kimlik doğrulaması yapabilirsiniz. Daha kolay!",
+    "continueAnyway": "Yine de devam et",
+    "dontShowAgain": "Tekrar gösterme",
+    "orgSignInNotice": "Biliyor muydunuz?",
+    "signupOrgNotice": "Giriş yapmaya mı çalışıyorsunuz?",
+    "signupOrgTip": "Kuruluşunuzun kimlik sağlayıcısı aracılığıyla giriş yapmaya mı çalışıyorsunuz?",
+    "signupOrgLink": "Bunun yerine kuruluşunuzla giriş yapın veya kaydolun",
+    "verifyEmailLogInWithDifferentAccount": "Farklı Bir Hesap Kullan",
+    "logIn": "Giriş Yap",
+    "deviceInformation": "Cihaz Bilgisi",
+    "deviceInformationDescription": "Cihaz ve temsilci hakkında bilgi",
+    "deviceSecurity": "Cihaz Güvenliği",
+    "deviceSecurityDescription": "Cihaz güvenliği durumu bilgisi",
+    "platform": "Platform",
+    "macosVersion": "macOS Sürümü",
+    "windowsVersion": "Windows Sürümü",
+    "iosVersion": "iOS Sürümü",
+    "androidVersion": "Android Sürümü",
+    "osVersion": "İşletim Sistemi Sürümü",
+    "kernelVersion": "Çekirdek Sürümü",
+    "deviceModel": "Cihaz Modeli",
+    "serialNumber": "Seri Numarası",
+    "hostname": "Ana Makine Adı",
+    "firstSeen": "İlk Görüldü",
+    "lastSeen": "Son Görüldü",
+    "biometricsEnabled": "Biyometri Etkin",
+    "diskEncrypted": "Disk Şifrelenmiş",
+    "firewallEnabled": "Güvenlik Duvarı Etkin",
+    "autoUpdatesEnabled": "Otomatik Güncellemeler Etkin",
+    "tpmAvailable": "TPM Mevcut",
+    "macosSipEnabled": "Sistem Bütünlüğü Koruması (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "Güvenlik Duvarı Gizlilik Modu",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "Cihaz bilgilerini ve ayarlarını görüntüleyin",
+    "devicePendingApprovalDescription": "Bu cihaz onay bekliyor",
+    "deviceBlockedDescription": "Bu cihaz şu anda engellidir. Engeli kaldırılmadığı sürece hiçbir kaynağa bağlanamayacaktır.",
+    "unblockClient": "İstemci Engeli Kaldır",
+    "unblockClientDescription": "Cihazın engeli kaldırıldı",
+    "unarchiveClient": "İstemci Arşivini Kaldır",
+    "unarchiveClientDescription": "Cihaz arşivden çıkarıldı",
+    "block": "Engelle",
+    "unblock": "Engelini Kaldır",
+    "deviceActions": "Cihaz İşlemleri",
+    "deviceActionsDescription": "Cihaz durumu ve erişimini yönetin",
+    "devicePendingApprovalBannerDescription": "Bu cihaz onay bekliyor. Onaylanana kadar kaynaklara bağlanamayacak.",
+    "connected": "Bağlandı",
+    "disconnected": "Bağlantı Kesildi",
+    "approvalsEmptyStateTitle": "Cihaz Onayları Etkin Değil",
+    "approvalsEmptyStateDescription": "Kullanıcıların yeni cihazlara bağlanabilmeleri için yönetici onayı gerektiren rol cihaz onaylarını etkinleştirin.",
+    "approvalsEmptyStateStep1Title": "Rollere Git",
+    "approvalsEmptyStateStep1Description": "Cihaz onaylarını yapılandırmak için kuruluşunuzun rol ayarlarına gidin.",
+    "approvalsEmptyStateStep2Title": "Cihaz Onaylarını Etkinleştir",
+    "approvalsEmptyStateStep2Description": "Bir rolü düzenleyin ve 'Cihaz Onaylarını Gerektir' seçeneğini etkinleştirin. Bu role sahip kullanıcıların yeni cihazlar için yönetici onayına ihtiyacı olacaktır.",
+    "approvalsEmptyStatePreviewDescription": "Önizleme: Etkinleştirildiğinde, bekleyen cihaz talepleri incelenmek üzere burada görünecektir.",
+    "approvalsEmptyStateButtonText": "Rolleri Yönet"
 }
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -1,5 +1,7 @@
 {
    "setupCreate": "创建组织、站点和资源",
+    "headerAuthCompatibilityInfo": "启用此功能以在身份验证令牌缺失时强制返回401未授权响应。对于不在没有服务器挑战的情况下不发送凭证的浏览器或特定HTTP库，这是必需的。",
+    "headerAuthCompatibility": "扩展兼容性",
    "setupNewOrg": "新建组织",
    "setupCreateOrg": "创建组织",
    "setupCreateResources": "创建资源",
@@ -51,6 +53,12 @@
    "siteQuestionRemove": "您确定要从组织中删除该站点吗？",
    "siteManageSites": "管理站点",
    "siteDescription": "创建和管理站点，启用与私人网络的连接",
+    "sitesBannerTitle": "连接任何网络",
+    "sitesBannerDescription": "站点是连接到远程网络的链接，允许Pangolin为用户提供资源访问，无论是公共还是私人。可以在任何可以运行二进制文件或容器的地方安装站点网络连接器（Newt）以建立连接。",
+    "sitesBannerButtonText": "安装站点",
+    "approvalsBannerTitle": "批准或拒绝设备访问",
+    "approvalsBannerDescription": "审核、批准或拒绝用户的设备访问请求。 当需要设备批准时，用户必须先获得管理员批准，然后他们的设备才能连接到您的组织资源。",
+    "approvalsBannerButtonText": "了解更多",
    "siteCreate": "创建站点",
    "siteCreateDescription2": "按照下面的步骤创建和连接一个新站点",
    "siteCreateDescription": "创建一个新站点开始连接资源",
@@ -100,6 +108,7 @@
    "siteTunnelDescription": "确定如何连接到站点",
    "siteNewtCredentials": "全权证书",
    "siteNewtCredentialsDescription": "站点如何通过服务器进行身份验证",
+    "remoteNodeCredentialsDescription": "这是远程节点如何与服务器进行身份验证",
    "siteCredentialsSave": "保存证书",
    "siteCredentialsSaveDescription": "您只能看到一次。请确保将其复制并保存到一个安全的地方。",
    "siteInfo": "站点信息",
@@ -146,8 +155,12 @@
    "shareErrorSelectResource": "请选择一个资源",
    "proxyResourceTitle": "管理公共资源",
    "proxyResourceDescription": "创建和管理可通过 Web 浏览器公开访问的资源",
+    "proxyResourcesBannerTitle": "基于Web的公共访问",
+    "proxyResourcesBannerDescription": "公共资源是可以通过网络浏览器在互联网上任何人访问的HTTPS或TCP/UDP代理。与私人资源不同，它们不需要客户端软件，并且可以包含身份和上下文感知访问策略。",
    "clientResourceTitle": "管理私有资源",
    "clientResourceDescription": "创建和管理只能通过连接客户端访问的资源",
+    "privateResourcesBannerTitle": "零信任的私人访问",
+    "privateResourcesBannerDescription": "私人资源使用零信任安全性，确保只允许明确授予的用户和机器访问资源。可以连接用户设备或机器客户端，通过安全的虚拟专用网络访问这些资源。",
    "resourcesSearch": "搜索资源...",
    "resourceAdd": "添加资源",
    "resourceErrorDelte": "删除资源时出错",
@@ -157,9 +170,9 @@
    "resourceMessageRemove": "一旦删除，资源将不再可访问。与该资源相关的所有目标也将被删除。",
    "resourceQuestionRemove": "您确定要从组织中删除资源吗？",
    "resourceHTTP": "HTTPS 资源",
-    "resourceHTTPDescription": "使用子域或基础域通过 HTTPS 请求此应用的代理请求。",
+    "resourceHTTPDescription": "通过使用完全限定的域名的HTTPS代理请求。",
    "resourceRaw": "TCP/UDP 资源",
-    "resourceRawDescription": "通过 TCP/UDP 使用端口号对应用程序的代理请求。只有当站点连接到节点时才能生效。",
+    "resourceRawDescription": "通过使用端口号的原始TCP/UDP代理请求。",
    "resourceCreate": "创建资源",
    "resourceCreateDescription": "按照下面的步骤创建新资源",
    "resourceSeeAll": "查看所有资源",
@@ -247,6 +260,8 @@
    "accessRolesSearch": "搜索角色...",
    "accessRolesAdd": "添加角色",
    "accessRoleDelete": "删除角色",
+    "accessApprovalsManage": "管理批准",
+    "accessApprovalsDescription": "查看和管理待审批的组织访问权限",
    "description": "描述",
    "inviteTitle": "打开邀请",
    "inviteDescription": "管理其他用户加入机构的邀请",
@@ -440,6 +455,18 @@
    "selectDuration": "选择持续时间",
    "selectResource": "选择资源",
    "filterByResource": "按资源过滤",
+    "selectApprovalState": "选择审批状态",
+    "filterByApprovalState": "按批准状态过滤",
+    "approvalListEmpty": "无批准",
+    "approvalState": "审批状态",
+    "approve": "批准",
+    "approved": "已批准",
+    "denied": "被拒绝",
+    "deniedApproval": "拒绝批准",
+    "all": "所有",
+    "deny": "拒绝",
+    "viewDetails": "查看详情",
+    "requestingNewDeviceApproval": "请求了一个新设备",
    "resetFilters": "重置过滤器",
    "totalBlocked": "被Pangolin阻止的请求",
    "totalRequests": "总请求",
@@ -687,7 +714,7 @@
    "resourceRoleDescription": "管理员总是可以访问此资源。",
    "resourceUsersRoles": "访问控制",
    "resourceUsersRolesDescription": "配置用户和角色可以访问此资源",
-    "resourceUsersRolesSubmit": "保存用户和角色",
+    "resourceUsersRolesSubmit": "保存访问控制",
    "resourceWhitelistSave": "保存成功",
    "resourceWhitelistSaveDescription": "白名单设置已保存",
    "ssoUse": "使用平台 SSO",
@@ -719,16 +746,28 @@
    "countries": "国家",
    "accessRoleCreate": "创建角色",
    "accessRoleCreateDescription": "创建一个新角色来分组用户并管理他们的权限。",
+    "accessRoleEdit": "编辑角色",
+    "accessRoleEditDescription": "编辑角色信息。",
    "accessRoleCreateSubmit": "创建角色",
    "accessRoleCreated": "角色已创建",
    "accessRoleCreatedDescription": "角色已成功创建。",
    "accessRoleErrorCreate": "创建角色失败",
    "accessRoleErrorCreateDescription": "创建角色时出错。",
+    "accessRoleUpdateSubmit": "更新角色",
+    "accessRoleUpdated": "角色已更新",
+    "accessRoleUpdatedDescription": "角色已成功更新。",
+    "accessApprovalUpdated": "审批已处理",
+    "accessApprovalApprovedDescription": "将审批请求决定设置为已批准。",
+    "accessApprovalDeniedDescription": "设置审批请求决定被拒绝。",
+    "accessRoleErrorUpdate": "更新角色失败",
+    "accessRoleErrorUpdateDescription": "更新角色时出错。",
+    "accessApprovalErrorUpdate": "处理审核失败",
+    "accessApprovalErrorUpdateDescription": "处理批准时出错。",
    "accessRoleErrorNewRequired": "需要新角色",
    "accessRoleErrorRemove": "删除角色失败",
    "accessRoleErrorRemoveDescription": "删除角色时出错。",
    "accessRoleName": "角色名称",
-    "accessRoleQuestionRemove": "您即将删除 {name} 角色。 此操作无法撤销。",
+    "accessRoleQuestionRemove": "您即将删除 `{name}` 角色。此操作无法撤销。",
    "accessRoleRemove": "删除角色",
    "accessRoleRemoveDescription": "从组织中删除角色",
    "accessRoleRemoveSubmit": "删除角色",
@@ -840,6 +879,7 @@
    "orgPolicyConfig": "配置组织访问权限",
    "idpUpdatedDescription": "身份提供商更新成功",
    "redirectUrl": "重定向网址",
+    "orgIdpRedirectUrls": "重定向URL",
    "redirectUrlAbout": "关于重定向网址",
    "redirectUrlAboutDescription": "这是用户在验证后将被重定向到的URL。您需要在身份提供者的设置中配置此URL。",
    "pangolinAuth": "认证 - Pangolin",
@@ -945,11 +985,11 @@
    "pincodeAuth": "验证器代码",
    "pincodeSubmit2": "提交代码",
    "passwordResetSubmit": "请求重置",
-    "passwordResetAlreadyHaveCode": "输入密码重置码",
+    "passwordResetAlreadyHaveCode": "输入代码",
    "passwordResetSmtpRequired": "请联系您的管理员",
    "passwordResetSmtpRequiredDescription": "需要密码重置密码。请联系您的管理员寻求帮助。",
    "passwordBack": "回到密码",
-    "loginBack": "返回登录",
+    "loginBack": "返回主登录页面",
    "signup": "注册",
    "loginStart": "登录以开始",
    "idpOidcTokenValidating": "正在验证 OIDC 令牌",
@@ -1035,6 +1075,7 @@
    "updateOrgUser": "更新组织用户",
    "createOrgUser": "创建组织用户",
    "actionUpdateOrg": "更新组织",
+    "actionRemoveInvitation": "移除邀请",
    "actionUpdateUser": "更新用户",
    "actionGetUser": "获取用户",
    "actionGetOrgUser": "获取组织用户",
@@ -1044,6 +1085,8 @@
    "actionGetSite": "获取站点",
    "actionListSites": "站点列表",
    "actionApplyBlueprint": "应用蓝图",
+    "actionListBlueprints": "列表蓝图",
+    "actionGetBlueprint": "获取蓝图",
    "setupToken": "设置令牌",
    "setupTokenDescription": "从服务器控制台输入设置令牌。",
    "setupTokenRequired": "需要设置令牌",
@@ -1104,6 +1147,10 @@
    "actionUpdateIdpOrg": "更新 IDP组织",
    "actionCreateClient": "创建客户端",
    "actionDeleteClient": "删除客户端",
+    "actionArchiveClient": "归档客户端",
+    "actionUnarchiveClient": "取消归档客户端",
+    "actionBlockClient": "屏蔽客户端",
+    "actionUnblockClient": "解除屏蔽客户端",
    "actionUpdateClient": "更新客户端",
    "actionListClients": "列出客户端",
    "actionGetClient": "获取客户端",
@@ -1120,14 +1167,14 @@
    "searchProgress": "搜索中...",
    "create": "创建",
    "orgs": "组织",
-    "loginError": "登录时出错",
-    "loginRequiredForDevice": "需要登录才能验证您的设备。",
+    "loginError": "发生意外错误。请重试。",
+    "loginRequiredForDevice": "您的设备需要登录。",
    "passwordForgot": "忘记密码？",
    "otpAuth": "两步验证",
    "otpAuthDescription": "从您的身份验证程序中输入代码或您的单次备份代码。",
    "otpAuthSubmit": "提交代码",
    "idpContinue": "或者继续",
-    "otpAuthBack": "返回登录",
+    "otpAuthBack": "回到密码",
    "navbar": "导航菜单",
    "navbarDescription": "应用程序的主导航菜单",
    "navbarDocsLink": "文件",
@@ -1175,6 +1222,7 @@
    "sidebarOverview": "概览",
    "sidebarHome": "首页",
    "sidebarSites": "站点",
+    "sidebarApprovals": "审批请求",
    "sidebarResources": "资源",
    "sidebarProxyResources": "公开的",
    "sidebarClientResources": "非公开的",
@@ -1191,10 +1239,10 @@
    "sidebarIdentityProviders": "身份提供商",
    "sidebarLicense": "证书",
    "sidebarClients": "客户端",
-    "sidebarUserDevices": "用户",
+    "sidebarUserDevices": "用户设备",
    "sidebarMachineClients": "机",
    "sidebarDomains": "域",
-    "sidebarGeneral": "概览",
+    "sidebarGeneral": "管理",
    "sidebarLogAndAnalytics": "日志与分析",
    "sidebarBluePrints": "蓝图",
    "sidebarOrganization": "组织",
@@ -1263,6 +1311,7 @@
    "setupErrorCreateAdmin": "创建服务器管理员账户时发生错误。",
    "certificateStatus": "证书状态",
    "loading": "加载中",
+    "loadingAnalytics": "加载分析",
    "restart": "重启",
    "domains": "域",
    "domainsDescription": "创建和管理组织中可用的域",
@@ -1290,6 +1339,7 @@
    "refreshError": "刷新数据失败",
    "verified": "已验证",
    "pending": "待定",
+    "pendingApproval": "等待批准",
    "sidebarBilling": "计费",
    "billing": "计费",
    "orgBillingDescription": "管理账单信息和订阅",
@@ -1308,8 +1358,11 @@
    "accountSetupSuccess": "账号设置完成！欢迎来到 Pangolin！",
    "documentation": "文档",
    "saveAllSettings": "保存所有设置",
+    "saveResourceTargets": "保存目标",
+    "saveResourceHttp": "保存代理设置",
+    "saveProxyProtocol": "保存代理协议设置",
    "settingsUpdated": "设置已更新",
-    "settingsUpdatedDescription": "所有设置已成功更新",
+    "settingsUpdatedDescription": "设置更新成功",
    "settingsErrorUpdate": "设置更新失败",
    "settingsErrorUpdateDescription": "更新设置时发生错误",
    "sidebarCollapse": "折叠",
@@ -1403,7 +1456,7 @@
    "securityKeyRemoveSuccess": "安全密钥删除成功",
    "securityKeyRemoveError": "删除安全密钥失败",
    "securityKeyLoadError": "加载安全密钥失败",
-    "securityKeyLogin": "使用安全密钥继续",
+    "securityKeyLogin": "使用安全密钥",
    "securityKeyAuthError": "使用安全密钥认证失败",
    "securityKeyRecommendation": "考虑在其他设备上注册另一个安全密钥，以确保不会被锁定在您的账户之外。",
    "registering": "注册中...",
@@ -1463,7 +1516,7 @@
        "IAgreeToThe": "我同意",
        "termsOfService": "服务条款",
        "and": "和",
-        "privacyPolicy": "隐私政策"
+        "privacyPolicy": "隐私政策。"
    },
    "signUpMarketing": {
        "keepMeInTheLoop": "通过电子邮件让我在循环中保持新闻、更新和新功能。"
@@ -1508,6 +1561,7 @@
    "addNewTarget": "添加新目标",
    "targetsList": "目标列表",
    "advancedMode": "高级模式",
+    "advancedSettings": "高级设置",
    "targetErrorDuplicateTargetFound": "找到重复的目标",
    "healthCheckHealthy": "正常",
    "healthCheckUnhealthy": "不正常",
@@ -1529,6 +1583,8 @@
    "IntervalSeconds": "正常间隔",
    "timeoutSeconds": "超时(秒)",
    "timeIsInSeconds": "时间以秒为单位",
+    "requireDeviceApproval": "需要设备批准",
+    "requireDeviceApprovalDescription": "具有此角色的用户需要管理员批准的新设备才能连接和访问资源。",
    "retryAttempts": "重试次数",
    "expectedResponseCodes": "期望响应代码",
    "expectedResponseCodesDescription": "HTTP 状态码表示健康状态。如留空，200-300 被视为健康。",
@@ -1569,6 +1625,8 @@
    "resourcesTableNoInternalResourcesFound": "未找到内部资源。",
    "resourcesTableDestination": "目标",
    "resourcesTableAlias": "Alias",
+    "resourcesTableAliasAddress": "别名地址",
+    "resourcesTableAliasAddressInfo": "此地址是组织实用子网的一部分。它用来使用内部DNS解析来解析别名记录。",
    "resourcesTableClients": "客户端",
    "resourcesTableAndOnlyAccessibleInternally": "且仅在与客户端连接时可内部访问。",
    "resourcesTableNoTargets": "没有目标",
@@ -1616,9 +1674,8 @@
    "createInternalResourceDialogResourceProperties": "资源属性",
    "createInternalResourceDialogName": "名称",
    "createInternalResourceDialogSite": "站点",
-    "createInternalResourceDialogSelectSite": "选择站点...",
-    "createInternalResourceDialogSearchSites": "搜索站点...",
-    "createInternalResourceDialogNoSitesFound": "未找到站点。",
+    "selectSite": "选择站点...",
+    "noSitesFound": "未找到站点。",
    "createInternalResourceDialogProtocol": "协议",
    "createInternalResourceDialogTcp": "TCP",
    "createInternalResourceDialogUdp": "UDP",
@@ -1658,7 +1715,7 @@
    "siteAddressDescription": "站点的内部地址。必须属于组织的子网。",
    "siteNameDescription": "可以稍后更改的站点显示名称。",
    "autoLoginExternalIdp": "自动使用外部IDP登录",
-    "autoLoginExternalIdpDescription": "立即将用户重定向到外部IDP进行身份验证。",
+    "autoLoginExternalIdpDescription": "立即重定向用户到外部身份提供商进行身份验证。",
    "selectIdp": "选择IDP",
    "selectIdpPlaceholder": "选择一个IDP...",
    "selectIdpRequired": "在启用自动登录时，请选择一个IDP。",
@@ -1670,7 +1727,7 @@
    "autoLoginErrorNoRedirectUrl": "未从身份提供商收到重定向URL。",
    "autoLoginErrorGeneratingUrl": "生成身份验证URL失败。",
    "remoteExitNodeManageRemoteExitNodes": "远程节点",
-    "remoteExitNodeDescription": "自我主机一个或多个远程节点来扩展网络连接并减少对云的依赖性",
+    "remoteExitNodeDescription": "自托管您的远程中继和代理服务器节点",
    "remoteExitNodes": "节点",
    "searchRemoteExitNodes": "搜索节点...",
    "remoteExitNodeAdd": "添加节点",
@@ -1680,20 +1737,22 @@
    "remoteExitNodeConfirmDelete": "确认删除节点",
    "remoteExitNodeDelete": "删除节点",
    "sidebarRemoteExitNodes": "远程节点",
+    "remoteExitNodeId": "ID",
+    "remoteExitNodeSecretKey": "密钥",
    "remoteExitNodeCreate": {
-        "title": "创建节点",
-        "description": "创建一个新节点来扩展网络连接",
+        "title": "创建远程节点",
+        "description": "创建一个新的自托管远程中继和代理服务器节点",
        "viewAllButton": "查看所有节点",
        "strategy": {
            "title": "创建策略",
-            "description": "选择此选项以手动配置节点或生成新凭据。",
+            "description": "选择您想如何创建远程节点",
            "adopt": {
                "title": "采纳节点",
                "description": "如果您已经拥有该节点的凭据，请选择此项。"
            },
            "generate": {
                "title": "生成密钥",
-                "description": "如果您想为节点生成新密钥，请选择此选项"
+                "description": "如果您想为节点生成新密钥，请选择此选项."
            }
        },
        "adopt": {
@@ -1806,9 +1865,30 @@
    "idpAzureDescription": "Microsoft Azure OAuth2/OIDC provider",
    "subnet": "子网",
    "subnetDescription": "此组织网络配置的子网。",
-    "authPage": "认证页面",
-    "authPageDescription": "配置组织认证页面",
+    "customDomain": "自定义域",
+    "authPage": "身份验证页面",
+    "authPageDescription": "为组织的身份验证页面设置自定义域",
    "authPageDomain": "认证页面域",
+    "authPageBranding": "自定义品牌",
+    "authPageBrandingDescription": "配置此组织身份验证页面的品牌",
+    "authPageBrandingUpdated": "授权页面品牌更新成功",
+    "authPageBrandingRemoved": "成功移除授权页面品牌",
+    "authPageBrandingRemoveTitle": "移除授权页面品牌",
+    "authPageBrandingQuestionRemove": "您确定要移除授权页面的品牌吗？",
+    "authPageBrandingDeleteConfirm": "确认删除品牌",
+    "brandingLogoURL": "Logo URL",
+    "brandingPrimaryColor": "主要颜色",
+    "brandingLogoWidth": "宽度（px）",
+    "brandingLogoHeight": "高度（px）",
+    "brandingOrgTitle": "组织授权页面标题",
+    "brandingOrgDescription": "{orgName}将替换为组织名称",
+    "brandingOrgSubtitle": "组织授权页面副标题",
+    "brandingResourceTitle": "资源授权页面标题",
+    "brandingResourceSubtitle": "资源授权页面副标题",
+    "brandingResourceDescription": "{resourceName}  将替换为组织名称",
+    "saveAuthPageDomain": "保存域",
+    "saveAuthPageBranding": "保存品牌",
+    "removeAuthPageBranding": "移除品牌",
    "noDomainSet": "没有域设置",
    "changeDomain": "更改域",
    "selectDomain": "选择域",
@@ -1817,7 +1897,7 @@
    "setAuthPageDomain": "设置认证页面域",
    "failedToFetchCertificate": "获取证书失败",
    "failedToRestartCertificate": "重新启动证书失败",
-    "addDomainToEnableCustomAuthPages": "添加域名以启用组织自定义认证页面",
+    "addDomainToEnableCustomAuthPages": "用户将能够使用该域访问组织的登录页面并完成资源身份验证。",
    "selectDomainForOrgAuthPage": "选择组织认证页面的域",
    "domainPickerProvidedDomain": "提供的域",
    "domainPickerFreeProvidedDomain": "免费提供的域",
@@ -1832,10 +1912,19 @@
    "domainPickerInvalidSubdomainCannotMakeValid": "\"{sub}\" 无法为 {domain} 变为有效。",
    "domainPickerSubdomainSanitized": "子域已净化",
    "domainPickerSubdomainCorrected": "\"{sub}\" 已被更正为 \"{sanitized}\"",
-    "orgAuthSignInTitle": "登录到组织",
+    "orgAuthSignInTitle": "组织登录",
    "orgAuthChooseIdpDescription": "选择您的身份提供商以继续",
    "orgAuthNoIdpConfigured": "此机构没有配置任何身份提供者。您可以使用您的 Pangolin 身份登录。",
    "orgAuthSignInWithPangolin": "使用 Pangolin 登录",
+    "orgAuthSignInToOrg": "登录到组织",
+    "orgAuthSelectOrgTitle": "组织登录",
+    "orgAuthSelectOrgDescription": "输入您的组织ID以继续",
+    "orgAuthOrgIdPlaceholder": "您的组织",
+    "orgAuthOrgIdHelp": "输入您组织的唯一标识符",
+    "orgAuthSelectOrgHelp": "输入您的组织ID后，您将跳转到组织的登录页面，您可以使用SSO或组织凭据。",
+    "orgAuthRememberOrgId": "记住这个组织ID",
+    "orgAuthBackToSignIn": "返回标准登录",
+    "orgAuthNoAccount": "没有账户？",
    "subscriptionRequiredToUse": "需要订阅才能使用此功能。",
    "idpDisabled": "身份提供者已禁用。",
    "orgAuthPageDisabled": "组织认证页面已禁用。",
@@ -1850,6 +1939,8 @@
    "enableTwoFactorAuthentication": "启用两步验证",
    "completeSecuritySteps": "完成安全步骤",
    "securitySettings": "安全设置",
+    "dangerSection": "危险区域",
+    "dangerSectionDescription": "永久删除与此组织相关的所有数据",
    "securitySettingsDescription": "配置组织安全策略",
    "requireTwoFactorForAllUsers": "所有用户需要两步验证",
    "requireTwoFactorDescription": "如果启用，此组织的所有内部用户必须启用双重身份验证才能访问组织。",
@@ -1887,7 +1978,7 @@
    "securityPolicyChangeWarningText": "这将影响组织中的所有用户",
    "authPageErrorUpdateMessage": "更新身份验证页面设置时出错",
    "authPageErrorUpdate": "无法更新认证页面",
-    "authPageUpdated": "身份验证页面更新成功",
+    "authPageDomainUpdated": "授权页面域更新成功",
    "healthCheckNotAvailable": "本地的",
    "rewritePath": "重写路径",
    "rewritePathDescription": "在转发到目标之前，可以选择重写路径。",
@@ -1915,8 +2006,15 @@
    "beta": "测试版",
    "manageUserDevices": "用户设备",
    "manageUserDevicesDescription": "查看和管理用户用来私下连接到资源的设备",
+    "downloadClientBannerTitle": "下载Pangolin客户端",
+    "downloadClientBannerDescription": "下载适用于您系统的Pangolin客户端以连接到Pangolin网络并私下访问资源。",
    "manageMachineClients": "管理机器客户端",
    "manageMachineClientsDescription": "创建和管理服务器和系统用于私密连接到资源的客户端",
+    "machineClientsBannerTitle": "服务器与自动化系统",
+    "machineClientsBannerDescription": "机器客户端适用于不与特定用户关联的服务器与自动化系统。它们使用ID和密钥进行身份验证，并可以与Pangolin CLI、Olm CLI或作为容器运行。",
+    "machineClientsBannerPangolinCLI": "Pangolin CLI",
+    "machineClientsBannerOlmCLI": "Olm CLI",
+    "machineClientsBannerOlmContainer": "Olm 容器",
    "clientsTableUserClients": "用户",
    "clientsTableMachineClients": "机",
    "licenseTableValidUntil": "有效期至",
@@ -2060,13 +2158,15 @@
    "request": "请求",
    "requests": "请求",
    "logs": "日志",
-    "logsSettingsDescription": "监视从此orginization中收集的日志",
+    "logsSettingsDescription": "监控从此组织收集的日志",
    "searchLogs": "搜索日志...",
    "action": "行 动",
    "actor": "执行者",
    "timestamp": "时间戳",
    "accessLogs": "访问日志",
    "exportCsv": "导出CSV",
+    "exportError": "导出CSV时发生未知错误",
+    "exportCsvTooltip": "在时间范围内",
    "actorId": "执行者ID",
    "allowedByRule": "根据规则允许",
    "allowedNoAuth": "无认证",
@@ -2120,7 +2220,7 @@
    "unverified": "未验证",
    "domainSetting": "域设置",
    "domainSettingDescription": "配置域设置",
-    "preferWildcardCertDescription": "尝试生成通配符证书(需要正确配置的证书解析器)。",
+    "preferWildcardCertDescription": "尝试生成通配符证书（需要正确配置的证书解析器）。",
    "recordName": "记录名称",
    "auto": "自动操作",
    "TTL": "TTL",
@@ -2172,6 +2272,8 @@
    "deviceCodeInvalidFormat": "代码必须是9个字符(如A1AJ-N5JD)",
    "deviceCodeInvalidOrExpired": "无效或过期的代码",
    "deviceCodeVerifyFailed": "验证设备代码失败",
+    "deviceCodeValidating": "正在验证设备代码...",
+    "deviceCodeVerifying": "正在验证设备授权...",
    "signedInAs": "登录为",
    "deviceCodeEnterPrompt": "输入设备上显示的代码",
    "continue": "继续",
@@ -2184,7 +2286,7 @@
    "deviceOrganizationsAccess": "访问您的帐户拥有访问权限的所有组织",
    "deviceAuthorize": "授权{applicationName}",
    "deviceConnected": "设备已连接！",
-    "deviceAuthorizedMessage": "设备被授权访问您的帐户。",
+    "deviceAuthorizedMessage": "设备被授权访问您的帐户。请返回客户端应用程序。",
    "pangolinCloud": "邦戈林云",
    "viewDevices": "查看设备",
    "viewDevicesDescription": "管理您已连接的设备",
@@ -2246,6 +2348,7 @@
    "identifier": "Identifier",
    "deviceLoginUseDifferentAccount": "不是你？使用一个不同的帐户。",
    "deviceLoginDeviceRequestingAccessToAccount": "设备正在请求访问此帐户。",
+    "loginSelectAuthenticationMethod": "选择要继续的身份验证方法。",
    "noData": "无数据",
    "machineClients": "机器客户端",
    "install": "安装",
@@ -2255,6 +2358,8 @@
    "setupFailedToFetchSubnet": "获取默认子网失败",
    "setupSubnetAdvanced": "子网 (高级)",
    "setupSubnetDescription": "该组织内部网络的子网。",
+    "setupUtilitySubnet": "实用子网（高级）",
+    "setupUtilitySubnetDescription": "此组织的别名地址和DNS服务器的子网。",
    "siteRegenerateAndDisconnect": "重新生成和断开",
    "siteRegenerateAndDisconnectConfirmation": "您确定要重新生成凭据并断开此站点连接吗？",
    "siteRegenerateAndDisconnectWarning": "这将重新生成凭据并立即断开站点。该站点将需要重新启动新凭据。",
@@ -2270,5 +2375,166 @@
    "remoteExitNodeRegenerateAndDisconnectWarning": "这将重新生成凭据并立即断开远程退出节点。远程退出节点将需要用新的凭据重启。",
    "remoteExitNodeRegenerateCredentialsConfirmation": "您确定要重新生成此远程退出节点的凭据吗？",
    "remoteExitNodeRegenerateCredentialsWarning": "这将重新生成凭据。远程退出节点将保持连接，直到您手动重启它并使用新凭据。",
-    "agent": "代理"
+    "agent": "代理",
+    "personalUseOnly": "仅供个人使用",
+    "loginPageLicenseWatermark": "此实例仅限于个人使用许可。",
+    "instanceIsUnlicensed": "此实例未获得许可。",
+    "portRestrictions": "端口限制",
+    "allPorts": "所有",
+    "custom": "自定义",
+    "allPortsAllowed": "所有端口均允许",
+    "allPortsBlocked": "所有端口均阻止",
+    "tcpPortsDescription": "指定允许此资源使用的TCP端口。使用'*'表示所有端口，留空表示阻止所有端口，或输入用逗号分隔的端口和范围列表（例如：80,443,8000-9000）。",
+    "udpPortsDescription": "指定允许此资源使用的UDP端口。使用'*'表示所有端口，留空表示阻止所有端口，或输入用逗号分隔的端口和范围列表（例如：53,123,500-600）。",
+    "organizationLoginPageTitle": "组织登录页面",
+    "organizationLoginPageDescription": "自定义此组织的登录页面",
+    "resourceLoginPageTitle": "资源登录页面",
+    "resourceLoginPageDescription": "自定义个别资源的登录页面",
+    "enterConfirmation": "输入确认",
+    "blueprintViewDetails": "详细信息",
+    "defaultIdentityProvider": "默认身份提供商",
+    "defaultIdentityProviderDescription": "当选择默认身份提供商时，用户将自动重定向到提供商进行身份验证。",
+    "editInternalResourceDialogNetworkSettings": "网络设置",
+    "editInternalResourceDialogAccessPolicy": "访问策略",
+    "editInternalResourceDialogAddRoles": "添加角色",
+    "editInternalResourceDialogAddUsers": "添加用户",
+    "editInternalResourceDialogAddClients": "添加客户端",
+    "editInternalResourceDialogDestinationLabel": "目标",
+    "editInternalResourceDialogDestinationDescription": "指定内部资源的目标地址。根据选择的模式，这可以是主机名、IP地址或CIDR范围。可选的，设置一个内部DNS别名以便于识别。",
+    "editInternalResourceDialogPortRestrictionsDescription": "限制访问特定的TCP/UDP端口或允许/阻止所有端口。",
+    "editInternalResourceDialogTcp": "TCP",
+    "editInternalResourceDialogUdp": "UDP",
+    "editInternalResourceDialogIcmp": "ICMP",
+    "editInternalResourceDialogAccessControl": "访问控制",
+    "editInternalResourceDialogAccessControlDescription": "控制当连接到此资源时，哪些角色、用户和机器客户端可以访问。管理员始终具有访问权。",
+    "editInternalResourceDialogPortRangeValidationError": "端口范围必须为\"*\"表示所有端口，或一个用逗号分隔的端口和范围列表（例如：\"80,443,8000-9000\"）。端口必须在1到65535之间。",
+    "orgAuthWhatsThis": "我的组织ID在哪里可以找到？",
+    "learnMore": "了解更多",
+    "backToHome": "返回首页",
+    "needToSignInToOrg": "需要使用您组织的身份提供商吗？",
+    "maintenanceMode": "维护模式",
+    "maintenanceModeDescription": "向访客显示维护页面",
+    "maintenanceModeType": "维护模式类型",
+    "showMaintenancePage": "只在所有后端目标都故障或不健康时显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
+    "enableMaintenanceMode": "启用维护模式",
+    "automatic": "自动",
+    "automaticModeDescription": "如果所有后端目标都故障或不健康，则仅显示维护页面。只要至少一个目标健康，您的资源将正常工作。",
+    "forced": "强制",
+    "forcedModeDescription": "无论后端健康如何，都始终显示维护页面。用于计划维护时希望阻止所有访问。",
+    "warning:": "警告：",
+    "forcedeModeWarning": "所有流量将被引导到维护页面。您的后端资源不会收到任何请求。",
+    "pageTitle": "页面标题",
+    "pageTitleDescription": "维护页面显示的主标题",
+    "maintenancePageMessage": "维护信息",
+    "maintenancePageMessagePlaceholder": "我们很快回来！ 我们的网站目前正在进行计划中的维护。",
+    "maintenancePageMessageDescription": "详细说明维护的消息",
+    "maintenancePageTimeTitle": "预计完成时间（可选）",
+    "maintenanceTime": "例如，2小时，11月1日下午5:00",
+    "maintenanceEstimatedTimeDescription": "您期望维护完成的时间",
+    "editDomain": "编辑域名",
+    "editDomainDescription": "选择您资源的域",
+    "maintenanceModeDisabledTooltip": "启用此功能需要有效的许可证。",
+    "maintenanceScreenTitle": "服务暂时不可用",
+    "maintenanceScreenMessage": "我们目前遇到技术问题。 请稍后再回来查看。",
+    "maintenanceScreenEstimatedCompletion": "预计完成时间：",
+    "createInternalResourceDialogDestinationRequired": "需要目标地址",
+    "available": "可用",
+    "archived": "已存档",
+    "noArchivedDevices": "未找到存档设备",
+    "deviceArchived": "设备已存档",
+    "deviceArchivedDescription": "设备已成功归档。",
+    "errorArchivingDevice": "错误存档设备",
+    "failedToArchiveDevice": "归档设备失败",
+    "deviceQuestionArchive": "您确定要存档此设备吗？",
+    "deviceMessageArchive": "设备将被存档并从活动设备列表中删除。",
+    "deviceArchiveConfirm": "归档设备",
+    "archiveDevice": "归档设备",
+    "archive": "存档",
+    "deviceUnarchived": "设备未存档",
+    "deviceUnarchivedDescription": "设备已成功解除归档。",
+    "errorUnarchivingDevice": "卸载设备时出错",
+    "failedToUnarchiveDevice": "取消归档设备失败",
+    "unarchive": "取消存档",
+    "archiveClient": "归档客户端",
+    "archiveClientQuestion": "您确定要存档此客户端吗？",
+    "archiveClientMessage": "客户端将被存档并从您活跃的客户端列表中删除。",
+    "archiveClientConfirm": "归档客户端",
+    "blockClient": "屏蔽客户端",
+    "blockClientQuestion": "您确定要屏蔽此客户端？",
+    "blockClientMessage": "如果当前连接，设备将被迫断开连接。您可以稍后取消屏蔽设备。",
+    "blockClientConfirm": "屏蔽客户端",
+    "active": "已启用",
+    "usernameOrEmail": "用户名或电子邮件",
+    "selectYourOrganization": "选择您的组织",
+    "signInTo": "登录到",
+    "signInWithPassword": "使用密码继续",
+    "noAuthMethodsAvailable": "该组织没有可用的身份验证方法。",
+    "enterPassword": "输入您的密码",
+    "enterMfaCode": "从您的身份验证程序中输入代码",
+    "securityKeyRequired": "请使用您的安全密钥登录。",
+    "needToUseAnotherAccount": "需要使用不同的帐户？",
+    "loginLegalDisclaimer": "点击下面的按钮，您确认您已经阅读了，理解， 并同意 <termsOfService>服务条款</termsOfService> 和 <privacyPolicy>隐私政策</privacyPolicy>。",
+    "termsOfService": "服务条款",
+    "privacyPolicy": "隐私政策",
+    "userNotFoundWithUsername": "找不到该用户名。",
+    "verify": "验证",
+    "signIn": "登录",
+    "forgotPassword": "忘记密码？",
+    "orgSignInTip": "如果您以前已经登录，您可以在上面输入您的用户名或电子邮件来验证您的组织身份提供者。这很容易！",
+    "continueAnyway": "仍然继续",
+    "dontShowAgain": "不再显示",
+    "orgSignInNotice": "您知道吗？",
+    "signupOrgNotice": "试图登录？",
+    "signupOrgTip": "您是否试图通过您的组织的身份提供者登录？",
+    "signupOrgLink": "使用您的组织登录或注册",
+    "verifyEmailLogInWithDifferentAccount": "使用不同的帐户",
+    "logIn": "登录",
+    "deviceInformation": "设备信息",
+    "deviceInformationDescription": "关于设备和代理的信息",
+    "deviceSecurity": "设备安全",
+    "deviceSecurityDescription": "设备安全态势信息",
+    "platform": "平台",
+    "macosVersion": "macOS 版本",
+    "windowsVersion": "Windows 版本",
+    "iosVersion": "iOS 版本",
+    "androidVersion": "Android 版本",
+    "osVersion": "操作系统版本",
+    "kernelVersion": "内核版本",
+    "deviceModel": "设备模型",
+    "serialNumber": "序列号",
+    "hostname": "Hostname",
+    "firstSeen": "第一次查看",
+    "lastSeen": "上次查看时间",
+    "biometricsEnabled": "生物计已启用",
+    "diskEncrypted": "磁盘加密",
+    "firewallEnabled": "防火墙已启用",
+    "autoUpdatesEnabled": "启用自动更新",
+    "tpmAvailable": "TPM 可用",
+    "macosSipEnabled": "系统完整性保护 (SIP)",
+    "macosGatekeeperEnabled": "Gatekeeper",
+    "macosFirewallStealthMode": "防火墙隐形模式",
+    "linuxAppArmorEnabled": "AppArmor",
+    "linuxSELinuxEnabled": "SELinux",
+    "deviceSettingsDescription": "查看设备信息和设置",
+    "devicePendingApprovalDescription": "此设备正在等待批准",
+    "deviceBlockedDescription": "此设备目前已被屏蔽。除非解除屏蔽，否则无法连接到任何资源。",
+    "unblockClient": "解除屏蔽客户端",
+    "unblockClientDescription": "设备已解除阻止",
+    "unarchiveClient": "取消归档客户端",
+    "unarchiveClientDescription": "设备已被取消存档",
+    "block": "封禁",
+    "unblock": "取消屏蔽",
+    "deviceActions": "设备操作",
+    "deviceActionsDescription": "管理设备状态和访问权限",
+    "devicePendingApprovalBannerDescription": "此设备正在等待批准。在批准之前，它将无法连接到资源。",
+    "connected": "已连接",
+    "disconnected": "断开连接",
+    "approvalsEmptyStateTitle": "设备批准未启用",
+    "approvalsEmptyStateDescription": "在用户连接新设备之前，允许设备批准角色，需要管理员批准。",
+    "approvalsEmptyStateStep1Title": "转到角色",
+    "approvalsEmptyStateStep1Description": "导航到您组织的角色设置来配置设备批准。",
+    "approvalsEmptyStateStep2Title": "启用设备批准",
+    "approvalsEmptyStateStep2Description": "编辑角色并启用“需要设备审批”选项。具有此角色的用户需要管理员批准新设备。",
+    "approvalsEmptyStatePreviewDescription": "预览：如果启用，待处理设备请求将出现在这里供审核",
+    "approvalsEmptyStateButtonText": "管理角色"
 }
--- a/messages/zh-TW.json
+++ b/messages/zh-TW.json
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
    "version": "0.0.0",
    "private": true,
    "type": "module",
-    "description": "Tunneled Reverse Proxy Management Server with Identity and Access Control and Dashboard UI",
+    "description": "Identity-aware VPN and proxy for remote access to anything, anywhere and Dashboard UI",
    "homepage": "https://github.com/fosrl/pangolin",
    "repository": {
        "type": "git",
@@ -33,9 +33,9 @@
        "format": "prettier --write ."
    },
    "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.2.0",
-        "@aws-sdk/client-s3": "3.955.0",
-        "@faker-js/faker": "10.1.0",
+        "@asteasolutions/zod-to-openapi": "8.4.0",
+        "@aws-sdk/client-s3": "3.971.0",
+        "@faker-js/faker": "10.2.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
        "@monaco-editor/react": "4.7.0",
@@ -92,7 +92,7 @@
        "http-errors": "2.0.1",
        "i": "0.3.7",
        "input-otp": "1.4.2",
-        "ioredis": "5.8.2",
+        "ioredis": "5.9.2",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
@@ -100,7 +100,7 @@
        "maxmind": "5.0.1",
        "moment": "2.30.1",
        "next": "15.5.9",
-        "next-intl": "4.6.1",
+        "next-intl": "4.7.0",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
@@ -109,21 +109,21 @@
        "npm": "11.7.0",
        "nprogress": "0.2.0",
        "oslo": "1.2.1",
-        "pg": "8.16.3",
-        "posthog-node": "5.17.4",
+        "pg": "8.17.1",
+        "posthog-node": "5.23.0",
        "qrcode.react": "4.2.0",
        "react": "19.2.3",
        "react-day-picker": "9.13.0",
        "react-dom": "19.2.3",
        "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.68.0",
+        "react-hook-form": "7.71.1",
        "react-icons": "5.5.0",
        "rebuild": "0.1.2",
        "recharts": "2.15.4",
        "reodotdev": "1.0.0",
-        "resend": "6.6.0",
+        "resend": "6.8.0",
        "semver": "7.7.3",
-        "stripe": "20.1.0",
+        "stripe": "20.2.0",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.4.0",
        "topojson-client": "3.1.0",
@@ -133,10 +133,10 @@
        "visionscarto-world-atlas": "1.0.0",
        "winston": "3.19.0",
        "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.3",
+        "ws": "8.19.0",
        "yaml": "2.8.2",
        "yargs": "18.0.0",
-        "zod": "4.2.1",
+        "zod": "4.3.5",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
@@ -170,12 +170,12 @@
        "esbuild": "0.27.2",
        "esbuild-node-externals": "1.20.1",
        "postcss": "8.5.6",
-        "prettier": "3.7.4",
-        "react-email": "5.0.7",
+        "prettier": "3.8.0",
+        "react-email": "5.2.5",
        "tailwindcss": "4.1.18",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
        "typescript": "5.9.3",
-        "typescript-eslint": "8.49.0"
+        "typescript-eslint": "8.53.1"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -78,6 +78,10 @@ export enum ActionsEnum {
    updateSiteResource = "updateSiteResource",
    createClient = "createClient",
    deleteClient = "deleteClient",
+    archiveClient = "archiveClient",
+    unarchiveClient = "unarchiveClient",
+    blockClient = "blockClient",
+    unblockClient = "unblockClient",
    updateClient = "updateClient",
    listClients = "listClients",
    getClient = "getClient",
@@ -125,7 +129,9 @@ export enum ActionsEnum {
    getBlueprint = "getBlueprint",
    applyBlueprint = "applyBlueprint",
    viewLogs = "viewLogs",
-    exportLogs = "exportLogs"
+    exportLogs = "exportLogs",
+    listApprovals = "listApprovals",
+    updateApprovals = "updateApprovals"
 }

 export async function checkUserActionPermission(
--- a/server/db/asns.ts
+++ b/server/db/asns.ts
@@ -68,7 +68,7 @@ export const MAJOR_ASNS = [
        code: "AS36351",
        asn: 36351
    },
-    
+
    // CDNs
    {
        name: "Cloudflare",
@@ -90,7 +90,7 @@ export const MAJOR_ASNS = [
        code: "AS16625",
        asn: 16625
    },
-    
+
    // Mobile Carriers - US
    {
        name: "T-Mobile USA",
@@ -117,7 +117,7 @@ export const MAJOR_ASNS = [
        code: "AS6430",
        asn: 6430
    },
-    
+
    // Mobile Carriers - Europe
    {
        name: "Vodafone UK",
@@ -144,7 +144,7 @@ export const MAJOR_ASNS = [
        code: "AS12430",
        asn: 12430
    },
-    
+
    // Mobile Carriers - Asia
    {
        name: "NTT DoCoMo (Japan)",
@@ -176,7 +176,7 @@ export const MAJOR_ASNS = [
        code: "AS9808",
        asn: 9808
    },
-    
+
    // Major US ISPs
    {
        name: "AT&T Services",
@@ -208,7 +208,7 @@ export const MAJOR_ASNS = [
        code: "AS209",
        asn: 209
    },
-    
+
    // Major European ISPs
    {
        name: "Deutsche Telekom",
@@ -235,7 +235,7 @@ export const MAJOR_ASNS = [
        code: "AS12956",
        asn: 12956
    },
-    
+
    // Major Asian ISPs
    {
        name: "China Telecom",
@@ -262,7 +262,7 @@ export const MAJOR_ASNS = [
        code: "AS55836",
        asn: 55836
    },
-    
+
    // VPN/Proxy Providers
    {
        name: "Private Internet Access",
@@ -279,7 +279,7 @@ export const MAJOR_ASNS = [
        code: "AS213281",
        asn: 213281
    },
-    
+
    // Social Media / Major Tech
    {
        name: "Facebook/Meta",
@@ -301,7 +301,7 @@ export const MAJOR_ASNS = [
        code: "AS2906",
        asn: 2906
    },
-    
+
    // Academic/Research
    {
        name: "MIT",
--- a/server/db/ios_models.json
+++ b/server/db/ios_models.json
@@ -0,0 +1,150 @@
+{
+  "iPad1,1": "iPad",
+  "iPad2,1": "iPad 2",
+  "iPad2,2": "iPad 2",
+  "iPad2,3": "iPad 2",
+  "iPad2,4": "iPad 2",
+  "iPad3,1": "iPad 3rd Gen",
+  "iPad3,3": "iPad 3rd Gen",
+  "iPad3,2": "iPad 3rd Gen",
+  "iPad3,4": "iPad 4th Gen",
+  "iPad3,5": "iPad 4th Gen",
+  "iPad3,6": "iPad 4th Gen",
+  "iPad6,11": "iPad 9.7 5th Gen",
+  "iPad6,12": "iPad 9.7 5th Gen",
+  "iPad7,5": "iPad 9.7 6th Gen",
+  "iPad7,6": "iPad 9.7 6th Gen",
+  "iPad7,11": "iPad 10.2 7th Gen",
+  "iPad7,12": "iPad 10.2 7th Gen",
+  "iPad11,6": "iPad 10.2 8th Gen",
+  "iPad11,7": "iPad 10.2 8th Gen",
+  "iPad12,1": "iPad 10.2 9th Gen",
+  "iPad12,2": "iPad 10.2 9th Gen",
+  "iPad13,18": "iPad 10.9 10th Gen",
+  "iPad13,19": "iPad 10.9 10th Gen",
+  "iPad4,1": "iPad Air",
+  "iPad4,2": "iPad Air",
+  "iPad4,3": "iPad Air",
+  "iPad5,3": "iPad Air 2",
+  "iPad5,4": "iPad Air 2",
+  "iPad11,3": "iPad Air 3rd Gen",
+  "iPad11,4": "iPad Air 3rd Gen",
+  "iPad13,1": "iPad Air 4th Gen",
+  "iPad13,2": "iPad Air 4th Gen",
+  "iPad13,16": "iPad Air 5th Gen",
+  "iPad13,17": "iPad Air 5th Gen",
+  "iPad14,8": "iPad Air M2 11",
+  "iPad14,9": "iPad Air M2 11",
+  "iPad14,10": "iPad Air M2 13",
+  "iPad14,11": "iPad Air M2 13",
+  "iPad2,5": "iPad mini",
+  "iPad2,6": "iPad mini",
+  "iPad2,7": "iPad mini",
+  "iPad4,4": "iPad mini 2",
+  "iPad4,5": "iPad mini 2",
+  "iPad4,6": "iPad mini 2",
+  "iPad4,7": "iPad mini 3",
+  "iPad4,8": "iPad mini 3",
+  "iPad4,9": "iPad mini 3",
+  "iPad5,1": "iPad mini 4",
+  "iPad5,2": "iPad mini 4",
+  "iPad11,1": "iPad mini 5th Gen",
+  "iPad11,2": "iPad mini 5th Gen",
+  "iPad14,1": "iPad mini 6th Gen",
+  "iPad14,2": "iPad mini 6th Gen",
+  "iPad6,7": "iPad Pro 12.9",
+  "iPad6,8": "iPad Pro 12.9",
+  "iPad6,3": "iPad Pro 9.7",
+  "iPad6,4": "iPad Pro 9.7",
+  "iPad7,3": "iPad Pro 10.5",
+  "iPad7,4": "iPad Pro 10.5",
+  "iPad7,1": "iPad Pro 12.9",
+  "iPad7,2": "iPad Pro 12.9",
+  "iPad8,1": "iPad Pro 11",
+  "iPad8,2": "iPad Pro 11",
+  "iPad8,3": "iPad Pro 11",
+  "iPad8,4": "iPad Pro 11",
+  "iPad8,5": "iPad Pro 12.9",
+  "iPad8,6": "iPad Pro 12.9",
+  "iPad8,7": "iPad Pro 12.9",
+  "iPad8,8": "iPad Pro 12.9",
+  "iPad8,9": "iPad Pro 11",
+  "iPad8,10": "iPad Pro 11",
+  "iPad8,11": "iPad Pro 12.9",
+  "iPad8,12": "iPad Pro 12.9",
+  "iPad13,4": "iPad Pro 11",
+  "iPad13,5": "iPad Pro 11",
+  "iPad13,6": "iPad Pro 11",
+  "iPad13,7": "iPad Pro 11",
+  "iPad13,8": "iPad Pro 12.9",
+  "iPad13,9": "iPad Pro 12.9",
+  "iPad13,10": "iPad Pro 12.9",
+  "iPad13,11": "iPad Pro 12.9",
+  "iPad14,3": "iPad Pro 11",
+  "iPad14,4": "iPad Pro 11",
+  "iPad14,5": "iPad Pro 12.9",
+  "iPad14,6": "iPad Pro 12.9",
+  "iPad16,3": "iPad Pro M4 11",
+  "iPad16,4": "iPad Pro M4 11",
+  "iPad16,5": "iPad Pro M4 13",
+  "iPad16,6": "iPad Pro M4 13",
+  "iPhone1,1": "iPhone",
+  "iPhone1,2": "iPhone 3G",
+  "iPhone2,1": "iPhone 3GS",
+  "iPhone3,1": "iPhone 4",
+  "iPhone3,2": "iPhone 4",
+  "iPhone3,3": "iPhone 4",
+  "iPhone4,1": "iPhone 4S",
+  "iPhone5,1": "iPhone 5",
+  "iPhone5,2": "iPhone 5",
+  "iPhone5,3": "iPhone 5c",
+  "iPhone5,4": "iPhone 5c",
+  "iPhone6,1": "iPhone 5s",
+  "iPhone6,2": "iPhone 5s",
+  "iPhone7,2": "iPhone 6",
+  "iPhone7,1": "iPhone 6 Plus",
+  "iPhone8,1": "iPhone 6s",
+  "iPhone8,2": "iPhone 6s Plus",
+  "iPhone8,4": "iPhone SE",
+  "iPhone9,1": "iPhone 7",
+  "iPhone9,3": "iPhone 7",
+  "iPhone9,2": "iPhone 7 Plus",
+  "iPhone9,4": "iPhone 7 Plus",
+  "iPhone10,1": "iPhone 8",
+  "iPhone10,4": "iPhone 8",
+  "iPhone10,2": "iPhone 8 Plus",
+  "iPhone10,5": "iPhone 8 Plus",
+  "iPhone10,3": "iPhone X",
+  "iPhone10,6": "iPhone X",
+  "iPhone11,2": "iPhone Xs",
+  "iPhone11,6": "iPhone Xs Max",
+  "iPhone11,8": "iPhone XR",
+  "iPhone12,1": "iPhone 11",
+  "iPhone12,3": "iPhone 11 Pro",
+  "iPhone12,5": "iPhone 11 Pro Max",
+  "iPhone12,8": "iPhone SE",
+  "iPhone13,1": "iPhone 12 mini",
+  "iPhone13,2": "iPhone 12",
+  "iPhone13,3": "iPhone 12 Pro",
+  "iPhone13,4": "iPhone 12 Pro Max",
+  "iPhone14,4": "iPhone 13 mini",
+  "iPhone14,5": "iPhone 13",
+  "iPhone14,2": "iPhone 13 Pro",
+  "iPhone14,3": "iPhone 13 Pro Max",
+  "iPhone14,6": "iPhone SE",
+  "iPhone14,7": "iPhone 14",
+  "iPhone14,8": "iPhone 14 Plus",
+  "iPhone15,2": "iPhone 14 Pro",
+  "iPhone15,3": "iPhone 14 Pro Max",
+  "iPhone15,4": "iPhone 15",
+  "iPhone15,5": "iPhone 15 Plus",
+  "iPhone16,1": "iPhone 15 Pro",
+  "iPhone16,2": "iPhone 15 Pro Max",
+  "iPod1,1": "iPod touch Original",
+  "iPod2,1": "iPod touch 2nd",
+  "iPod3,1": "iPod touch 3rd Gen",
+  "iPod4,1": "iPod touch 4th",
+  "iPod5,1": "iPod touch 5th",
+  "iPod7,1": "iPod touch 6th Gen",
+  "iPod9,1": "iPod touch 7th Gen"
+}
--- a/server/db/mac_models.json
+++ b/server/db/mac_models.json
@@ -0,0 +1,201 @@
+{
+  "PowerMac4,4": "eMac",
+  "PowerMac6,4": "eMac",
+  "PowerBook2,1": "iBook",
+  "PowerBook2,2": "iBook",
+  "PowerBook4,1": "iBook",
+  "PowerBook4,2": "iBook",
+  "PowerBook4,3": "iBook",
+  "PowerBook6,3": "iBook",
+  "PowerBook6,5": "iBook",
+  "PowerBook6,7": "iBook",
+  "iMac,1": "iMac",
+  "PowerMac2,1": "iMac",
+  "PowerMac2,2": "iMac",
+  "PowerMac4,1": "iMac",
+  "PowerMac4,2": "iMac",
+  "PowerMac4,5": "iMac",
+  "PowerMac6,1": "iMac",
+  "PowerMac6,3*": "iMac",
+  "PowerMac6,3": "iMac",
+  "PowerMac8,1": "iMac",
+  "PowerMac8,2": "iMac",
+  "PowerMac12,1": "iMac",
+  "iMac4,1": "iMac",
+  "iMac4,2": "iMac",
+  "iMac5,2": "iMac",
+  "iMac5,1": "iMac",
+  "iMac6,1": "iMac",
+  "iMac7,1": "iMac",
+  "iMac8,1": "iMac",
+  "iMac9,1": "iMac",
+  "iMac10,1": "iMac",
+  "iMac11,1": "iMac",
+  "iMac11,2": "iMac",
+  "iMac11,3": "iMac",
+  "iMac12,1": "iMac",
+  "iMac12,2": "iMac",
+  "iMac13,1": "iMac",
+  "iMac13,2": "iMac",
+  "iMac14,1": "iMac",
+  "iMac14,3": "iMac",
+  "iMac14,2": "iMac",
+  "iMac14,4": "iMac",
+  "iMac15,1": "iMac",
+  "iMac16,1": "iMac",
+  "iMac16,2": "iMac",
+  "iMac17,1": "iMac",
+  "iMac18,1": "iMac",
+  "iMac18,2": "iMac",
+  "iMac18,3": "iMac",
+  "iMac19,2": "iMac",
+  "iMac19,1": "iMac",
+  "iMac20,1": "iMac",
+  "iMac20,2": "iMac",
+  "iMac21,2": "iMac",
+  "iMac21,1": "iMac",
+  "iMacPro1,1": "iMac Pro",
+  "PowerMac10,1": "Mac mini",
+  "PowerMac10,2": "Mac mini",
+  "Macmini1,1": "Mac mini",
+  "Macmini2,1": "Mac mini",
+  "Macmini3,1": "Mac mini",
+  "Macmini4,1": "Mac mini",
+  "Macmini5,1": "Mac mini",
+  "Macmini5,2": "Mac mini",
+  "Macmini5,3": "Mac mini",
+  "Macmini6,1": "Mac mini",
+  "Macmini6,2": "Mac mini",
+  "Macmini7,1": "Mac mini",
+  "Macmini8,1": "Mac mini",
+  "ADP3,2": "Mac mini",
+  "Macmini9,1": "Mac mini",
+  "Mac14,3": "Mac mini",
+  "Mac14,12": "Mac mini",
+  "MacPro1,1*": "Mac Pro",
+  "MacPro2,1": "Mac Pro",
+  "MacPro3,1": "Mac Pro",
+  "MacPro4,1": "Mac Pro",
+  "MacPro5,1": "Mac Pro",
+  "MacPro6,1": "Mac Pro",
+  "MacPro7,1": "Mac Pro",
+  "N/A*": "Power Macintosh",
+  "PowerMac1,1": "Power Macintosh",
+  "PowerMac3,1": "Power Macintosh",
+  "PowerMac3,3": "Power Macintosh",
+  "PowerMac3,4": "Power Macintosh",
+  "PowerMac3,5": "Power Macintosh",
+  "PowerMac3,6": "Power Macintosh",
+  "Mac13,1": "Mac Studio",
+  "Mac13,2": "Mac Studio",
+  "MacBook1,1": "MacBook",
+  "MacBook2,1": "MacBook",
+  "MacBook3,1": "MacBook",
+  "MacBook4,1": "MacBook",
+  "MacBook5,1": "MacBook",
+  "MacBook5,2": "MacBook",
+  "MacBook6,1": "MacBook",
+  "MacBook7,1": "MacBook",
+  "MacBook8,1": "MacBook",
+  "MacBook9,1": "MacBook",
+  "MacBook10,1": "MacBook",
+  "MacBookAir1,1": "MacBook Air",
+  "MacBookAir2,1": "MacBook Air",
+  "MacBookAir3,1": "MacBook Air",
+  "MacBookAir3,2": "MacBook Air",
+  "MacBookAir4,1": "MacBook Air",
+  "MacBookAir4,2": "MacBook Air",
+  "MacBookAir5,1": "MacBook Air",
+  "MacBookAir5,2": "MacBook Air",
+  "MacBookAir6,1": "MacBook Air",
+  "MacBookAir6,2": "MacBook Air",
+  "MacBookAir7,1": "MacBook Air",
+  "MacBookAir7,2": "MacBook Air",
+  "MacBookAir8,1": "MacBook Air",
+  "MacBookAir8,2": "MacBook Air",
+  "MacBookAir9,1": "MacBook Air",
+  "MacBookAir10,1": "MacBook Air",
+  "Mac14,2": "MacBook Air",
+  "MacBookPro1,1": "MacBook Pro",
+  "MacBookPro1,2": "MacBook Pro",
+  "MacBookPro2,2": "MacBook Pro",
+  "MacBookPro2,1": "MacBook Pro",
+  "MacBookPro3,1": "MacBook Pro",
+  "MacBookPro4,1": "MacBook Pro",
+  "MacBookPro5,1": "MacBook Pro",
+  "MacBookPro5,2": "MacBook Pro",
+  "MacBookPro5,5": "MacBook Pro",
+  "MacBookPro5,4": "MacBook Pro",
+  "MacBookPro5,3": "MacBook Pro",
+  "MacBookPro7,1": "MacBook Pro",
+  "MacBookPro6,2": "MacBook Pro",
+  "MacBookPro6,1": "MacBook Pro",
+  "MacBookPro8,1": "MacBook Pro",
+  "MacBookPro8,2": "MacBook Pro",
+  "MacBookPro8,3": "MacBook Pro",
+  "MacBookPro9,2": "MacBook Pro",
+  "MacBookPro9,1": "MacBook Pro",
+  "MacBookPro10,1": "MacBook Pro",
+  "MacBookPro10,2": "MacBook Pro",
+  "MacBookPro11,1": "MacBook Pro",
+  "MacBookPro11,2": "MacBook Pro",
+  "MacBookPro11,3": "MacBook Pro",
+  "MacBookPro12,1": "MacBook Pro",
+  "MacBookPro11,4": "MacBook Pro",
+  "MacBookPro11,5": "MacBook Pro",
+  "MacBookPro13,1": "MacBook Pro",
+  "MacBookPro13,2": "MacBook Pro",
+  "MacBookPro13,3": "MacBook Pro",
+  "MacBookPro14,1": "MacBook Pro",
+  "MacBookPro14,2": "MacBook Pro",
+  "MacBookPro14,3": "MacBook Pro",
+  "MacBookPro15,2": "MacBook Pro",
+  "MacBookPro15,1": "MacBook Pro",
+  "MacBookPro15,3": "MacBook Pro",
+  "MacBookPro15,4": "MacBook Pro",
+  "MacBookPro16,1": "MacBook Pro",
+  "MacBookPro16,3": "MacBook Pro",
+  "MacBookPro16,2": "MacBook Pro",
+  "MacBookPro16,4": "MacBook Pro",
+  "MacBookPro17,1": "MacBook Pro",
+  "MacBookPro18,3": "MacBook Pro",
+  "MacBookPro18,4": "MacBook Pro",
+  "MacBookPro18,1": "MacBook Pro",
+  "MacBookPro18,2": "MacBook Pro",
+  "Mac14,7": "MacBook Pro",
+  "Mac14,9": "MacBook Pro",
+  "Mac14,5": "MacBook Pro",
+  "Mac14,10": "MacBook Pro",
+  "Mac14,6": "MacBook Pro",
+  "PowerMac1,2": "Power Macintosh",
+  "PowerMac5,1": "Power Macintosh",
+  "PowerMac7,2": "Power Macintosh",
+  "PowerMac7,3": "Power Macintosh",
+  "PowerMac9,1": "Power Macintosh",
+  "PowerMac11,2": "Power Macintosh",
+  "PowerBook1,1": "PowerBook",
+  "PowerBook3,1": "PowerBook",
+  "PowerBook3,2": "PowerBook",
+  "PowerBook3,3": "PowerBook",
+  "PowerBook3,4": "PowerBook",
+  "PowerBook3,5": "PowerBook",
+  "PowerBook6,1": "PowerBook",
+  "PowerBook5,1": "PowerBook",
+  "PowerBook6,2": "PowerBook",
+  "PowerBook5,2": "PowerBook",
+  "PowerBook5,3": "PowerBook",
+  "PowerBook6,4": "PowerBook",
+  "PowerBook5,4": "PowerBook",
+  "PowerBook5,5": "PowerBook",
+  "PowerBook6,8": "PowerBook",
+  "PowerBook5,6": "PowerBook",
+  "PowerBook5,7": "PowerBook",
+  "PowerBook5,8": "PowerBook",
+  "PowerBook5,9": "PowerBook",
+  "RackMac1,1": "Xserve",
+  "RackMac1,2": "Xserve",
+  "RackMac3,1": "Xserve",
+  "Xserve1,1": "Xserve",
+  "Xserve2,1": "Xserve",
+  "Xserve3,1": "Xserve"
+}
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -16,6 +16,24 @@ if (!dev) {
 }
 export const names = JSON.parse(readFileSync(file, "utf-8"));

+// Load iOS and Mac model mappings
+let iosModelsFile: string;
+let macModelsFile: string;
+if (!dev) {
+    iosModelsFile = join(__DIRNAME, "ios_models.json");
+    macModelsFile = join(__DIRNAME, "mac_models.json");
+} else {
+    iosModelsFile = join("server/db/ios_models.json");
+    macModelsFile = join("server/db/mac_models.json");
+}
+
+const iosModels: Record<string, string> = JSON.parse(
+    readFileSync(iosModelsFile, "utf-8")
+);
+const macModels: Record<string, string> = JSON.parse(
+    readFileSync(macModelsFile, "utf-8")
+);
+
 export async function getUniqueClientName(orgId: string): Promise<string> {
    let loops = 0;
    while (true) {
@@ -159,3 +177,29 @@ export function generateName(): string {
    // clean out any non-alphanumeric characters except for dashes
    return name.replace(/[^a-z0-9-]/g, "");
 }
+
+export function getMacDeviceName(macIdentifier?: string | null): string | null {
+    if (macIdentifier && macModels[macIdentifier]) {
+        return macModels[macIdentifier];
+    }
+    return null;
+}
+
+export function getIosDeviceName(iosIdentifier?: string | null): string | null {
+    if (iosIdentifier && iosModels[iosIdentifier]) {
+        return iosModels[iosIdentifier];
+    }
+    return null;
+}
+
+export function getUserDeviceName(
+    model: string | null,
+    fallBack: string | null
+): string {
+    return (
+        getMacDeviceName(model) ||
+        getIosDeviceName(model) ||
+        fallBack ||
+        "Unknown Device"
+    );
+}
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -10,7 +10,15 @@ import {
    index
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
-import { domains, orgs, targets, users, exitNodes, sessions } from "./schema";
+import {
+    domains,
+    orgs,
+    targets,
+    users,
+    exitNodes,
+    sessions,
+    clients
+} from "./schema";

 export const certificates = pgTable("certificates", {
    certId: serial("certId").primaryKey(),
@@ -206,7 +214,7 @@ export const loginPageOrg = pgTable("loginPageOrg", {

 export const loginPageBranding = pgTable("loginPageBranding", {
    loginPageBrandingId: serial("loginPageBrandingId").primaryKey(),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -289,6 +297,33 @@ export const accessAuditLog = pgTable(
    ]
 );

+export const approvals = pgTable("approvals", {
+    approvalId: serial("approvalId").primaryKey(),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // clients reference user devices (in this case)
+    userId: varchar("userId")
+        .references(() => users.userId, {
+            // optionally tied to a user and in this case delete when the user deletes
+            onDelete: "cascade"
+        })
+        .notNull(),
+    decision: varchar("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: varchar("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -132,7 +132,17 @@ export const resources = pgTable("resources", {
    }),
    headers: text("headers"), // comma-separated list of headers to add to the request
    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
-    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
+
+    maintenanceModeEnabled: boolean("maintenanceModeEnabled")
+        .notNull()
+        .default(false),
+    maintenanceModeType: text("maintenanceModeType", {
+        enum: ["forced", "automatic"]
+    }).default("forced"), // "forced" = always show, "automatic" = only when down
+    maintenanceTitle: text("maintenanceTitle"),
+    maintenanceMessage: text("maintenanceMessage"),
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
 });

 export const targets = pgTable("targets", {
@@ -215,8 +225,8 @@ export const siteResources = pgTable("siteResources", {
    enabled: boolean("enabled").notNull().default(true),
    alias: varchar("alias"),
    aliasAddress: varchar("aliasAddress"),
-    tcpPortRangeString: varchar("tcpPortRangeString"),
-    udpPortRangeString: varchar("udpPortRangeString"),
+    tcpPortRangeString: varchar("tcpPortRangeString").notNull().default("*"),
+    udpPortRangeString: varchar("udpPortRangeString").notNull().default("*"),
    disableIcmp: boolean("disableIcmp").notNull().default(false)
 });

@@ -355,7 +365,8 @@ export const roles = pgTable("roles", {
        .notNull(),
    isAdmin: boolean("isAdmin"),
    name: varchar("name").notNull(),
-    description: varchar("description")
+    description: varchar("description"),
+    requireDeviceApproval: boolean("requireDeviceApproval").default(false)
 });

 export const roleActions = pgTable("roleActions", {
@@ -456,6 +467,23 @@ export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
    headerAuthHash: varchar("headerAuthHash").notNull()
 });

+export const resourceHeaderAuthExtendedCompatibility = pgTable(
+    "resourceHeaderAuthExtendedCompatibility",
+    {
+        headerAuthExtendedCompatibilityId: serial(
+            "headerAuthExtendedCompatibilityId"
+        ).primaryKey(),
+        resourceId: integer("resourceId")
+            .notNull()
+            .references(() => resources.resourceId, { onDelete: "cascade" }),
+        extendedCompatibilityIsActivated: boolean(
+            "extendedCompatibilityIsActivated"
+        )
+            .notNull()
+            .default(true)
+    }
+);
+
 export const resourceAccessToken = pgTable("resourceAccessToken", {
    accessTokenId: varchar("accessTokenId").primaryKey(),
    orgId: varchar("orgId")
@@ -564,7 +592,8 @@ export const idp = pgTable("idp", {
    type: varchar("type").notNull(),
    defaultRoleMapping: varchar("defaultRoleMapping"),
    defaultOrgMapping: varchar("defaultOrgMapping"),
-    autoProvision: boolean("autoProvision").notNull().default(false)
+    autoProvision: boolean("autoProvision").notNull().default(false),
+    tags: text("tags")
 });

 export const idpOidcConfig = pgTable("idpOidcConfig", {
@@ -661,7 +690,12 @@ export const clients = pgTable("clients", {
    online: boolean("online").notNull().default(false),
    // endpoint: varchar("endpoint"),
    lastHolePunch: integer("lastHolePunch"),
-    maxConnections: integer("maxConnections")
+    maxConnections: integer("maxConnections"),
+    archived: boolean("archived").notNull().default(false),
+    blocked: boolean("blocked").notNull().default(false),
+    approvalState: varchar("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });

 export const clientSitesAssociationsCache = pgTable(
@@ -685,6 +719,16 @@ export const clientSiteResourcesAssociationsCache = pgTable(
    }
 );

+export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
+    snapshotId: serial("snapshotId").primaryKey(),
+
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }),
+
+    collectedAt: integer("collectedAt").notNull()
+});
+
 export const olms = pgTable("olms", {
    olmId: varchar("id").primaryKey(),
    secretHash: varchar("secretHash").notNull(),
@@ -699,7 +743,118 @@ export const olms = pgTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
-    })
+    }),
+    archived: boolean("archived").notNull().default(false)
+});
+
+export const currentFingerprint = pgTable("currentFingerprint", {
+    fingerprintId: serial("id").primaryKey(),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+    lastCollectedAt: integer("lastCollectedAt").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: varchar("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
+    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
+    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
+    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
+    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
+    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled").notNull().default(false)
+});
+
+export const fingerprintSnapshots = pgTable("fingerprintSnapshots", {
+    snapshotId: serial("id").primaryKey(),
+
+    fingerprintId: integer("fingerprintId").references(
+        () => currentFingerprint.fingerprintId,
+        {
+            onDelete: "set null"
+        }
+    ),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: varchar("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: boolean("biometricsEnabled").notNull().default(false),
+    diskEncrypted: boolean("diskEncrypted").notNull().default(false),
+    firewallEnabled: boolean("firewallEnabled").notNull().default(false),
+    autoUpdatesEnabled: boolean("autoUpdatesEnabled").notNull().default(false),
+    tpmAvailable: boolean("tpmAvailable").notNull().default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: boolean("windowsAntivirusEnabled")
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: boolean("macosSipEnabled").notNull().default(false),
+    macosGatekeeperEnabled: boolean("macosGatekeeperEnabled")
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: boolean("macosFirewallStealthMode")
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: boolean("linuxAppArmorEnabled")
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: boolean("linuxSELinuxEnabled")
+        .notNull()
+        .default(false),
+
+    hash: text("hash").notNull(),
+    collectedAt: integer("collectedAt").notNull()
 });

 export const olmSessions = pgTable("clientSession", {
@@ -856,6 +1011,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
--- a/server/db/queries/verifySessionQueries.ts
+++ b/server/db/queries/verifySessionQueries.ts
@@ -1,4 +1,4 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db";
+import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
 import {
    Resource,
    ResourcePassword,
@@ -14,7 +14,9 @@ import {
    sessions,
    userOrgs,
    userResources,
-    users
+    users,
+    ResourceHeaderAuthExtendedCompatibility,
+    resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
 import { and, eq } from "drizzle-orm";

@@ -23,6 +25,7 @@ export type ResourceWithAuth = {
    pincode: ResourcePincode | null;
    password: ResourcePassword | null;
    headerAuth: ResourceHeaderAuth | null;
+    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
    org: Org;
 };

@@ -52,6 +55,13 @@ export async function getResourceByDomain(
            resourceHeaderAuth,
            eq(resourceHeaderAuth.resourceId, resources.resourceId)
        )
+        .leftJoin(
+            resourceHeaderAuthExtendedCompatibility,
+            eq(
+                resourceHeaderAuthExtendedCompatibility.resourceId,
+                resources.resourceId
+            )
+        )
        .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
        .where(eq(resources.fullDomain, domain))
        .limit(1);
@@ -65,6 +75,8 @@ export async function getResourceByDomain(
        pincode: result.resourcePincode,
        password: result.resourcePassword,
        headerAuth: result.resourceHeaderAuth,
+        headerAuthExtendedCompatibility:
+            result.resourceHeaderAuthExtendedCompatibility,
        org: result.orgs
    };
 }
@@ -96,9 +108,17 @@ export async function getUserSessionWithUser(
 */
 export async function getUserOrgRole(userId: string, orgId: string) {
    const userOrgRole = await db
-        .select()
+        .select({
+            userId: userOrgs.userId,
+            orgId: userOrgs.orgId,
+            roleId: userOrgs.roleId,
+            isOwner: userOrgs.isOwner,
+            autoProvisioned: userOrgs.autoProvisioned,
+            roleName: roles.name
+        })
        .from(userOrgs)
        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
        .limit(1);

    return userOrgRole.length > 0 ? userOrgRole[0] : null;
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -6,7 +6,7 @@ import {
    sqliteTable,
    text
 } from "drizzle-orm/sqlite-core";
-import { domains, exitNodes, orgs, sessions, users } from "./schema";
+import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";

 export const certificates = sqliteTable("certificates", {
    certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -206,7 +206,7 @@ export const loginPageBranding = sqliteTable("loginPageBranding", {
    loginPageBrandingId: integer("loginPageBrandingId").primaryKey({
        autoIncrement: true
    }),
-    logoUrl: text("logoUrl").notNull(),
+    logoUrl: text("logoUrl"),
    logoWidth: integer("logoWidth").notNull(),
    logoHeight: integer("logoHeight").notNull(),
    primaryColor: text("primaryColor"),
@@ -289,6 +289,31 @@ export const accessAuditLog = sqliteTable(
    ]
 );

+export const approvals = sqliteTable("approvals", {
+    approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
+    timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    clientId: integer("clientId").references(() => clients.clientId, {
+        onDelete: "cascade"
+    }), // olms reference user devices clients
+    userId: text("userId").references(() => users.userId, {
+        // optionally tied to a user and in this case delete when the user deletes
+        onDelete: "cascade"
+    }),
+    decision: text("decision")
+        .$type<"approved" | "denied" | "pending">()
+        .default("pending")
+        .notNull(),
+    type: text("type")
+        .$type<"user_device" /*| 'proxy' // for later */>()
+        .notNull()
+});
+
+export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
 export type Certificate = InferSelectModel<typeof certificates>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -150,7 +150,19 @@ export const resources = sqliteTable("resources", {
    proxyProtocol: integer("proxyProtocol", { mode: "boolean" })
        .notNull()
        .default(false),
-    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1),
+
+    maintenanceModeEnabled: integer("maintenanceModeEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    maintenanceModeType: text("maintenanceModeType", {
+        enum: ["forced", "automatic"]
+    }).default("forced"), // "forced" = always show, "automatic" = only when down
+    maintenanceTitle: text("maintenanceTitle"),
+    maintenanceMessage: text("maintenanceMessage"),
+    maintenanceEstimatedTime: text("maintenanceEstimatedTime")
 });

 export const targets = sqliteTable("targets", {
@@ -241,9 +253,11 @@ export const siteResources = sqliteTable("siteResources", {
    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
    alias: text("alias"),
    aliasAddress: text("aliasAddress"),
-    tcpPortRangeString: text("tcpPortRangeString"),
-    udpPortRangeString: text("udpPortRangeString"),
+    tcpPortRangeString: text("tcpPortRangeString").notNull().default("*"),
+    udpPortRangeString: text("udpPortRangeString").notNull().default("*"),
    disableIcmp: integer("disableIcmp", { mode: "boolean" })
+        .notNull()
+        .default(false)
 });

 export const clientSiteResources = sqliteTable("clientSiteResources", {
@@ -371,7 +385,12 @@ export const clients = sqliteTable("clients", {
    type: text("type").notNull(), // "olm"
    online: integer("online", { mode: "boolean" }).notNull().default(false),
    // endpoint: text("endpoint"),
-    lastHolePunch: integer("lastHolePunch")
+    lastHolePunch: integer("lastHolePunch"),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false),
+    blocked: integer("blocked", { mode: "boolean" }).notNull().default(false),
+    approvalState: text("approvalState").$type<
+        "pending" | "approved" | "denied"
+    >()
 });

 export const clientSitesAssociationsCache = sqliteTable(
@@ -411,7 +430,160 @@ export const olms = sqliteTable("olms", {
    userId: text("userId").references(() => users.userId, {
        // optionally tied to a user and in this case delete when the user deletes
        onDelete: "cascade"
+    }),
+    archived: integer("archived", { mode: "boolean" }).notNull().default(false)
+});
+
+export const currentFingerprint = sqliteTable("currentFingerprint", {
+    fingerprintId: integer("id").primaryKey({ autoIncrement: true }),
+
+    olmId: text("olmId")
+        .references(() => olms.olmId, { onDelete: "cascade" })
+        .notNull(),
+
+    firstSeen: integer("firstSeen").notNull(),
+    lastSeen: integer("lastSeen").notNull(),
+    lastCollectedAt: integer("lastCollectedAt").notNull(),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: text("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
+        .notNull()
+        .default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
+        mode: "boolean"
    })
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false)
+});
+
+export const fingerprintSnapshots = sqliteTable("fingerprintSnapshots", {
+    snapshotId: integer("id").primaryKey({ autoIncrement: true }),
+
+    fingerprintId: integer("fingerprintId").references(
+        () => currentFingerprint.fingerprintId,
+        {
+            onDelete: "set null"
+        }
+    ),
+
+    username: text("username"),
+    hostname: text("hostname"),
+    platform: text("platform"),
+    osVersion: text("osVersion"),
+    kernelVersion: text("kernelVersion"),
+    arch: text("arch"),
+    deviceModel: text("deviceModel"),
+    serialNumber: text("serialNumber"),
+    platformFingerprint: text("platformFingerprint"),
+
+    // Platform-agnostic checks
+
+    biometricsEnabled: integer("biometricsEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    diskEncrypted: integer("diskEncrypted", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    firewallEnabled: integer("firewallEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    autoUpdatesEnabled: integer("autoUpdatesEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tpmAvailable: integer("tpmAvailable", { mode: "boolean" })
+        .notNull()
+        .default(false),
+
+    // Windows-specific posture check information
+
+    windowsAntivirusEnabled: integer("windowsAntivirusEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // macOS-specific posture check information
+
+    macosSipEnabled: integer("macosSipEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    macosGatekeeperEnabled: integer("macosGatekeeperEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+    macosFirewallStealthMode: integer("macosFirewallStealthMode", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    // Linux-specific posture check information
+
+    linuxAppArmorEnabled: integer("linuxAppArmorEnabled", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    linuxSELinuxEnabled: integer("linuxSELinuxEnabled", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false),
+
+    hash: text("hash").notNull(),
+    collectedAt: integer("collectedAt").notNull()
 });

 export const twoFactorBackupCodes = sqliteTable("twoFactorBackupCodes", {
@@ -503,7 +675,10 @@ export const roles = sqliteTable("roles", {
        .notNull(),
    isAdmin: integer("isAdmin", { mode: "boolean" }),
    name: text("name").notNull(),
-    description: text("description")
+    description: text("description"),
+    requireDeviceApproval: integer("requireDeviceApproval", {
+        mode: "boolean"
+    }).default(false)
 });

 export const roleActions = sqliteTable("roleActions", {
@@ -628,6 +803,26 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
    headerAuthHash: text("headerAuthHash").notNull()
 });

+export const resourceHeaderAuthExtendedCompatibility = sqliteTable(
+    "resourceHeaderAuthExtendedCompatibility",
+    {
+        headerAuthExtendedCompatibilityId: integer(
+            "headerAuthExtendedCompatibilityId"
+        ).primaryKey({
+            autoIncrement: true
+        }),
+        resourceId: integer("resourceId")
+            .notNull()
+            .references(() => resources.resourceId, { onDelete: "cascade" }),
+        extendedCompatibilityIsActivated: integer(
+            "extendedCompatibilityIsActivated",
+            { mode: "boolean" }
+        )
+            .notNull()
+            .default(true)
+    }
+);
+
 export const resourceAccessToken = sqliteTable("resourceAccessToken", {
    accessTokenId: text("accessTokenId").primaryKey(),
    orgId: text("orgId")
@@ -742,7 +937,8 @@ export const idp = sqliteTable("idp", {
        mode: "boolean"
    })
        .notNull()
-        .default(false)
+        .default(false),
+    tags: text("tags")
 });

 // Identity Provider OAuth Configuration
@@ -913,6 +1109,9 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
 export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
+export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<
+    typeof resourceHeaderAuthExtendedCompatibility
+>;
 export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
 export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
 export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
--- a/server/lib/blueprints/MaintenanceSchema.ts
+++ b/server/lib/blueprints/MaintenanceSchema.ts
@@ -0,0 +1,3 @@
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({});
--- a/server/lib/blueprints/applyBlueprint.ts
+++ b/server/lib/blueprints/applyBlueprint.ts
@@ -1,4 +1,14 @@
-import { db, newts, blueprints, Blueprint, Site, siteResources, roleSiteResources, userSiteResources, clientSiteResources } from "@server/db";
+import {
+    db,
+    newts,
+    blueprints,
+    Blueprint,
+    Site,
+    siteResources,
+    roleSiteResources,
+    userSiteResources,
+    clientSiteResources
+} from "@server/db";
 import { Config, ConfigSchema } from "./types";
 import { ProxyResourcesResults, updateProxyResources } from "./proxyResources";
 import { fromError } from "zod-validation-error";
@@ -126,7 +136,7 @@ export async function applyBlueprint({
                        )
                        .then((rows) => rows.map((row) => row.roleId));

-                    const existingUserIds= await trx
+                    const existingUserIds = await trx
                        .select()
                        .from(userSiteResources)
                        .where(
@@ -134,7 +144,8 @@ export async function applyBlueprint({
                                userSiteResources.siteResourceId,
                                result.oldSiteResource.siteResourceId
                            )
-                        ).then((rows) => rows.map((row) => row.userId));
+                        )
+                        .then((rows) => rows.map((row) => row.userId));

                    const existingClientIds = await trx
                        .select()
@@ -144,13 +155,19 @@ export async function applyBlueprint({
                                clientSiteResources.siteResourceId,
                                result.oldSiteResource.siteResourceId
                            )
-                        ).then((rows) => rows.map((row) => row.clientId));
+                        )
+                        .then((rows) => rows.map((row) => row.clientId));

                    // delete the existing site resource
                    await trx
                        .delete(siteResources)
                        .where(
-                            and(eq(siteResources.siteResourceId, result.oldSiteResource.siteResourceId))
+                            and(
+                                eq(
+                                    siteResources.siteResourceId,
+                                    result.oldSiteResource.siteResourceId
+                                )
+                            )
                        );

                    await rebuildClientAssociationsFromSiteResource(
@@ -161,7 +178,7 @@ export async function applyBlueprint({
                    const [insertedSiteResource] = await trx
                        .insert(siteResources)
                        .values({
-                            ...result.newSiteResource,
+                            ...result.newSiteResource
                        })
                        .returning();

@@ -172,18 +189,20 @@ export async function applyBlueprint({

                    if (existingRoleIds.length > 0) {
                        await trx.insert(roleSiteResources).values(
-                           existingRoleIds.map((roleId) => ({
+                            existingRoleIds.map((roleId) => ({
                                roleId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                            }))
                        );
                    }

                    if (existingUserIds.length > 0) {
                        await trx.insert(userSiteResources).values(
-                           existingUserIds.map((userId) => ({
+                            existingUserIds.map((userId) => ({
                                userId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                            }))
                        );
                    }
@@ -192,7 +211,8 @@ export async function applyBlueprint({
                        await trx.insert(clientSiteResources).values(
                            existingClientIds.map((clientId) => ({
                                clientId,
-                                siteResourceId: insertedSiteResource!.siteResourceId
+                                siteResourceId:
+                                    insertedSiteResource!.siteResourceId
                            }))
                        );
                    }
@@ -201,7 +221,6 @@ export async function applyBlueprint({
                        insertedSiteResource,
                        trx
                    );
-
                } else {
                    const [newSite] = await trx
                        .select()
--- a/server/lib/blueprints/applyNewtDockerBlueprint.ts
+++ b/server/lib/blueprints/applyNewtDockerBlueprint.ts
@@ -36,7 +36,9 @@ export async function applyNewtDockerBlueprint(

        if (
            isEmptyObject(blueprint["proxy-resources"]) &&
-            isEmptyObject(blueprint["client-resources"])
+            isEmptyObject(blueprint["client-resources"]) &&
+            isEmptyObject(blueprint["public-resources"]) &&
+            isEmptyObject(blueprint["private-resources"])
        ) {
            return;
        }
--- a/server/lib/blueprints/parseDockerContainers.ts
+++ b/server/lib/blueprints/parseDockerContainers.ts
@@ -54,10 +54,14 @@ function getContainerPort(container: Container): number | null {
 export function processContainerLabels(containers: Container[]): {
    "proxy-resources": { [key: string]: ResourceConfig };
    "client-resources": { [key: string]: ResourceConfig };
+    "public-resources": { [key: string]: ResourceConfig };
+    "private-resources": { [key: string]: ResourceConfig };
 } {
    const result = {
        "proxy-resources": {} as { [key: string]: ResourceConfig },
-        "client-resources": {} as { [key: string]: ResourceConfig }
+        "client-resources": {} as { [key: string]: ResourceConfig },
+        "public-resources": {} as { [key: string]: ResourceConfig },
+        "private-resources": {} as { [key: string]: ResourceConfig }
    };

    // Process each container
@@ -68,8 +72,10 @@ export function processContainerLabels(containers: Container[]): {

        const proxyResourceLabels: DockerLabels = {};
        const clientResourceLabels: DockerLabels = {};
+        const publicResourceLabels: DockerLabels = {};
+        const privateResourceLabels: DockerLabels = {};

-        // Filter and separate proxy-resources and client-resources labels
+        // Filter and separate proxy-resources, client-resources, public-resources, and private-resources labels
        Object.entries(container.labels).forEach(([key, value]) => {
            if (key.startsWith("pangolin.proxy-resources.")) {
                // remove the pangolin.proxy- prefix to get "resources.xxx"
@@ -79,6 +85,14 @@ export function processContainerLabels(containers: Container[]): {
                // remove the pangolin.client- prefix to get "resources.xxx"
                const strippedKey = key.replace("pangolin.client-", "");
                clientResourceLabels[strippedKey] = value;
+            } else if (key.startsWith("pangolin.public-resources.")) {
+                // remove the pangolin.public- prefix to get "resources.xxx"
+                const strippedKey = key.replace("pangolin.public-", "");
+                publicResourceLabels[strippedKey] = value;
+            } else if (key.startsWith("pangolin.private-resources.")) {
+                // remove the pangolin.private- prefix to get "resources.xxx"
+                const strippedKey = key.replace("pangolin.private-", "");
+                privateResourceLabels[strippedKey] = value;
            }
        });

@@ -99,6 +113,24 @@ export function processContainerLabels(containers: Container[]): {
                result["client-resources"]
            );
        }
+
+        // Process public resources (alias for proxy resources)
+        if (Object.keys(publicResourceLabels).length > 0) {
+            processResourceLabels(
+                publicResourceLabels,
+                container,
+                result["public-resources"]
+            );
+        }
+
+        // Process private resources (alias for client resources)
+        if (Object.keys(privateResourceLabels).length > 0) {
+            processResourceLabels(
+                privateResourceLabels,
+                container,
+                result["private-resources"]
+            );
+        }
    });

    return result;
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -3,6 +3,7 @@ import {
    orgDomains,
    Resource,
    resourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
    resourcePincode,
    resourceRules,
    resourceWhitelist,
@@ -30,7 +31,8 @@ import { pickPort } from "@server/routers/target/helpers";
 import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
-import { get } from "http";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import { build } from "@server/build";

 export type ProxyResourcesResults = {
    proxyResource: Resource;
@@ -209,6 +211,12 @@ export async function updateProxyResources(
                resource = existingResource;
            } else {
                // Update existing resource
+
+                const isLicensed = await isLicensedOrSubscribed(orgId);
+                if (!isLicensed) {
+                    resourceData.maintenance = undefined;
+                }
+
                [resource] = await trx
                    .update(resources)
                    .set({
@@ -233,7 +241,14 @@ export async function updateProxyResources(
                            : false,
                        headers: headers || null,
                        applyRules:
-                            resourceData.rules && resourceData.rules.length > 0
+                            resourceData.rules && resourceData.rules.length > 0,
+                        maintenanceModeEnabled:
+                            resourceData.maintenance?.enabled,
+                        maintenanceModeType: resourceData.maintenance?.type,
+                        maintenanceTitle: resourceData.maintenance?.title,
+                        maintenanceMessage: resourceData.maintenance?.message,
+                        maintenanceEstimatedTime:
+                            resourceData.maintenance?.["estimated-time"]
                    })
                    .where(
                        eq(resources.resourceId, existingResource.resourceId)
@@ -287,21 +302,47 @@ export async function updateProxyResources(
                            existingResource.resourceId
                        )
                    );
+
+                await trx
+                    .delete(resourceHeaderAuthExtendedCompatibility)
+                    .where(
+                        eq(
+                            resourceHeaderAuthExtendedCompatibility.resourceId,
+                            existingResource.resourceId
+                        )
+                    );
+
                if (resourceData.auth?.["basic-auth"]) {
                    const headerAuthUser =
                        resourceData.auth?.["basic-auth"]?.user;
                    const headerAuthPassword =
                        resourceData.auth?.["basic-auth"]?.password;
-                    if (headerAuthUser && headerAuthPassword) {
+                    const headerAuthExtendedCompatibility =
+                        resourceData.auth?.["basic-auth"]
+                            ?.extendedCompatibility;
+                    if (
+                        headerAuthUser &&
+                        headerAuthPassword &&
+                        headerAuthExtendedCompatibility !== null
+                    ) {
                        const headerAuthHash = await hashPassword(
                            Buffer.from(
                                `${headerAuthUser}:${headerAuthPassword}`
                            ).toString("base64")
                        );
-                        await trx.insert(resourceHeaderAuth).values({
-                            resourceId: existingResource.resourceId,
-                            headerAuthHash
-                        });
+                        await Promise.all([
+                            trx.insert(resourceHeaderAuth).values({
+                                resourceId: existingResource.resourceId,
+                                headerAuthHash
+                            }),
+                            trx
+                                .insert(resourceHeaderAuthExtendedCompatibility)
+                                .values({
+                                    resourceId: existingResource.resourceId,
+                                    extendedCompatibilityIsActivated:
+                                        headerAuthExtendedCompatibility
+                                })
+                        ]);
                    }
                }

@@ -542,13 +583,15 @@ export async function updateProxyResources(

            // Sync rules
            for (const [index, rule] of resourceData.rules?.entries() || []) {
+                const intendedPriority = rule.priority ?? index + 1;
                const existingRule = existingRules[index];
                if (existingRule) {
                    if (
                        existingRule.action !== getRuleAction(rule.action) ||
                        existingRule.match !== rule.match.toUpperCase() ||
                        existingRule.value !==
-                            getRuleValue(rule.match.toUpperCase(), rule.value)
+                        getRuleValue(rule.match.toUpperCase(), rule.value) ||
+                        existingRule.priority !== intendedPriority
                    ) {
                        validateRule(rule);
                        await trx
@@ -559,7 +602,8 @@ export async function updateProxyResources(
                                value: getRuleValue(
                                    rule.match.toUpperCase(),
                                    rule.value
-                                )
+                                ),
+                                priority: intendedPriority
                            })
                            .where(
                                eq(resourceRules.ruleId, existingRule.ruleId)
@@ -575,7 +619,7 @@ export async function updateProxyResources(
                            rule.match.toUpperCase(),
                            rule.value
                        ),
-                        priority: index + 1 // start priorities at 1
+                        priority: intendedPriority
                    });
                }
            }
@@ -604,6 +648,11 @@ export async function updateProxyResources(
                );
            }

+            const isLicensed = await isLicensedOrSubscribed(orgId);
+            if (!isLicensed) {
+                resourceData.maintenance = undefined;
+            }
+
            // Create new resource
            const [newResource] = await trx
                .insert(resources)
@@ -625,7 +674,13 @@ export async function updateProxyResources(
                    ssl: resourceSsl,
                    headers: headers || null,
                    applyRules:
-                        resourceData.rules && resourceData.rules.length > 0
+                        resourceData.rules && resourceData.rules.length > 0,
+                    maintenanceModeEnabled: resourceData.maintenance?.enabled,
+                    maintenanceModeType: resourceData.maintenance?.type,
+                    maintenanceTitle: resourceData.maintenance?.title,
+                    maintenanceMessage: resourceData.maintenance?.message,
+                    maintenanceEstimatedTime:
+                        resourceData.maintenance?.["estimated-time"]
                })
                .returning();

@@ -656,18 +711,33 @@ export async function updateProxyResources(
                const headerAuthUser = resourceData.auth?.["basic-auth"]?.user;
                const headerAuthPassword =
                    resourceData.auth?.["basic-auth"]?.password;
+                const headerAuthExtendedCompatibility =
+                    resourceData.auth?.["basic-auth"]?.extendedCompatibility;

-                if (headerAuthUser && headerAuthPassword) {
+                if (
+                    headerAuthUser &&
+                    headerAuthPassword &&
+                    headerAuthExtendedCompatibility !== null
+                ) {
                    const headerAuthHash = await hashPassword(
                        Buffer.from(
                            `${headerAuthUser}:${headerAuthPassword}`
                        ).toString("base64")
                    );

-                    await trx.insert(resourceHeaderAuth).values({
-                        resourceId: newResource.resourceId,
-                        headerAuthHash
-                    });
+                    await Promise.all([
+                        trx.insert(resourceHeaderAuth).values({
+                            resourceId: newResource.resourceId,
+                            headerAuthHash
+                        }),
+                        trx
+                            .insert(resourceHeaderAuthExtendedCompatibility)
+                            .values({
+                                resourceId: newResource.resourceId,
+                                extendedCompatibilityIsActivated:
+                                    headerAuthExtendedCompatibility
+                            })
+                    ]);
                }
            }

@@ -734,7 +804,7 @@ export async function updateProxyResources(
                    action: getRuleAction(rule.action),
                    match: rule.match.toUpperCase(),
                    value: getRuleValue(rule.match.toUpperCase(), rule.value),
-                    priority: index + 1 // start priorities at 1
+                    priority: rule.priority ?? index + 1
                });
            }

--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
+import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -56,7 +57,8 @@ export const AuthSchema = z.object({
    "basic-auth": z
        .object({
            user: z.string().min(1),
-            password: z.string().min(1)
+            password: z.string().min(1),
+            extendedCompatibility: z.boolean().default(true)
        })
        .optional(),
    "sso-enabled": z.boolean().optional().default(false),
@@ -76,7 +78,8 @@ export const RuleSchema = z
    .object({
        action: z.enum(["allow", "deny", "pass"]),
        match: z.enum(["cidr", "path", "ip", "country", "asn"]),
-        value: z.string()
+        value: z.string(),
+        priority: z.int().optional()
    })
    .refine(
        (rule) => {
@@ -109,32 +112,30 @@ export const RuleSchema = z
    .refine(
        (rule) => {
            if (rule.match === "country") {
-                // Check if it's a valid 2-letter country code
-                return /^[A-Z]{2}$/.test(rule.value);
+                // Check if it's a valid 2-letter country code or "ALL"
+                return /^[A-Z]{2}$/.test(rule.value) || rule.value === "ALL";
            }
            return true;
        },
        {
            path: ["value"],
            message:
-                "Value must be a 2-letter country code when match is 'country'"
+                "Value must be a 2-letter country code or 'ALL' when match is 'country'"
        }
    )
    .refine(
        (rule) => {
            if (rule.match === "asn") {
-                // Check if it's either AS<number> format or just a number
+                // Check if it's either AS<number> format or "ALL"
                const asNumberPattern = /^AS\d+$/i;
-                const isASFormat = asNumberPattern.test(rule.value);
-                const isNumeric = /^\d+$/.test(rule.value);
-                return isASFormat || isNumeric;
+                return asNumberPattern.test(rule.value) || rule.value === "ALL";
            }
            return true;
        },
        {
            path: ["value"],
            message:
-                "Value must be either 'AS<number>' format or a number when match is 'asn'"
+                "Value must be 'AS<number>' format or 'ALL' when match is 'asn'"
        }
    );

@@ -157,7 +158,8 @@ export const ResourceSchema = z
        "host-header": z.string().optional(),
        "tls-server-name": z.string().optional(),
        headers: z.array(HeaderSchema).optional(),
-        rules: z.array(RuleSchema).optional()
+        rules: z.array(RuleSchema).optional(),
+        maintenance: MaintenanceSchema.optional()
    })
    .refine(
        (resource) => {
@@ -267,6 +269,39 @@ export const ResourceSchema = z
            path: ["auth"],
            error: "When protocol is 'tcp' or 'udp', 'auth' must not be provided"
        }
+    )
+    .refine(
+        (resource) => {
+            // Skip validation for targets-only resources
+            if (isTargetsOnlyResource(resource)) {
+                return true;
+            }
+            // Skip validation if no rules are defined
+            if (!resource.rules || resource.rules.length === 0) return true;
+
+            const finalPriorities: number[] = [];
+            let priorityCounter = 1;
+
+            // Gather priorities, assigning auto-priorities where needed
+            // following the logic from the backend implementation where
+            // empty priorities are auto-assigned a value of 1 + index of rule
+            for (const rule of resource.rules) {
+                if (rule.priority !== undefined) {
+                    finalPriorities.push(rule.priority);
+                } else {
+                    finalPriorities.push(priorityCounter);
+                }
+                priorityCounter++;
+            }
+
+            // Validate for duplicate priorities
+            return finalPriorities.length === new Set(finalPriorities).size;
+        },
+        {
+            path: ["rules"],
+            message:
+                "Rules have conflicting or invalid priorities (must be unique, including auto-assigned ones)"
+        }
    );

 export function isTargetsOnlyResource(resource: any): boolean {
@@ -289,8 +324,8 @@ export const ClientResourceSchema = z
        alias: z
            .string()
            .regex(
-                /^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
-                "Alias must be a fully qualified domain name (e.g., example.com)"
+                /^(?:[a-zA-Z0-9*?](?:[a-zA-Z0-9*?-]{0,61}[a-zA-Z0-9*?])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$/,
+                "Alias must be a fully qualified domain name with optional wildcards (e.g., example.com, *.example.com, host-0?.example.internal)"
            )
            .optional(),
        roles: z
--- a/server/lib/cache.ts
+++ b/server/lib/cache.ts
@@ -1,5 +1,20 @@
 import NodeCache from "node-cache";
+import logger from "@server/logger";

-export const cache = new NodeCache({ stdTTL: 3600, checkperiod: 120 });
+// Create cache with maxKeys limit to prevent memory leaks
+// With ~10k requests/day and 5min TTL, 10k keys should be more than sufficient
+export const cache = new NodeCache({
+    stdTTL: 3600,
+    checkperiod: 120,
+    maxKeys: 10000
+});
+
+// Log cache statistics periodically for monitoring
+setInterval(() => {
+    const stats = cache.getStats();
+    logger.debug(
+        `Cache stats - Keys: ${stats.keys}, Hits: ${stats.hits}, Misses: ${stats.misses}, Hit rate: ${stats.hits > 0 ? ((stats.hits / (stats.hits + stats.misses)) * 100).toFixed(2) : 0}%`
+    );
+}, 300000); // Every 5 minutes

 export default cache;
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -1,21 +1,25 @@
+import { listExitNodes } from "#dynamic/lib/exitNodes";
+import { build } from "@server/build";
 import {
+    approvals,
    clients,
    db,
    olms,
    orgs,
    roleClients,
    roles,
+    Transaction,
    userClients,
-    userOrgs,
-    Transaction
+    userOrgs
 } from "@server/db";
-import { eq, and, notInArray } from "drizzle-orm";
-import { listExitNodes } from "#dynamic/lib/exitNodes";
-import { getNextAvailableClientSubnet } from "@server/lib/ip";
-import logger from "@server/logger";
-import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
-import { sendTerminateClient } from "@server/routers/client/terminate";
 import { getUniqueClientName } from "@server/db/names";
+import { getNextAvailableClientSubnet } from "@server/lib/ip";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
+import logger from "@server/logger";
+import { sendTerminateClient } from "@server/routers/client/terminate";
+import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
+import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
+import { OlmErrorCodes } from "@server/routers/olm/error";

 export async function calculateUserClientsForOrgs(
    userId: string,
@@ -38,13 +42,15 @@ export async function calculateUserClientsForOrgs(
        const allUserOrgs = await transaction
            .select()
            .from(userOrgs)
+            .innerJoin(roles, eq(roles.roleId, userOrgs.roleId))
            .where(eq(userOrgs.userId, userId));

-        const userOrgIds = allUserOrgs.map((uo) => uo.orgId);
+        const userOrgIds = allUserOrgs.map(({ userOrgs: uo }) => uo.orgId);

        // For each OLM, ensure there's a client in each org the user is in
        for (const olm of userOlms) {
-            for (const userOrg of allUserOrgs) {
+            for (const userRoleOrg of allUserOrgs) {
+                const { userOrgs: userOrg, roles: role } = userRoleOrg;
                const orgId = userOrg.orgId;

                const [org] = await transaction
@@ -182,21 +188,46 @@ export async function calculateUserClientsForOrgs(

                const niceId = await getUniqueClientName(orgId);

+                const isOrgLicensed = await isLicensedOrSubscribed(
+                    userOrg.orgId
+                );
+                const requireApproval =
+                    build !== "oss" &&
+                    isOrgLicensed &&
+                    role.requireDeviceApproval;
+
+                const newClientData: InferInsertModel<typeof clients> = {
+                    userId,
+                    orgId: userOrg.orgId,
+                    exitNodeId: randomExitNode.exitNodeId,
+                    name: olm.name || "User Client",
+                    subnet: updatedSubnet,
+                    olmId: olm.olmId,
+                    type: "olm",
+                    niceId,
+                    approvalState: requireApproval ? "pending" : null
+                };
+
                // Create the client
                const [newClient] = await transaction
                    .insert(clients)
-                    .values({
-                        userId,
-                        orgId: userOrg.orgId,
-                        exitNodeId: randomExitNode.exitNodeId,
-                        name: olm.name || "User Client",
-                        subnet: updatedSubnet,
-                        olmId: olm.olmId,
-                        type: "olm",
-                        niceId
-                    })
+                    .values(newClientData)
                    .returning();

+                // create approval request
+                if (requireApproval) {
+                    await transaction
+                        .insert(approvals)
+                        .values({
+                            timestamp: Math.floor(new Date().getTime() / 1000),
+                            orgId: userOrg.orgId,
+                            clientId: newClient.clientId,
+                            userId,
+                            type: "user_device"
+                        })
+                        .returning();
+                }
+
                await rebuildClientAssociationsFromClient(
                    newClient,
                    transaction
@@ -275,6 +306,7 @@ async function cleanupOrphanedClients(
            if (deletedClient.olmId) {
                await sendTerminateClient(
                    deletedClient.clientId,
+                    OlmErrorCodes.TERMINATED_DELETED,
                    deletedClient.olmId
                );
            }
--- a/server/lib/cleanupLogs.ts
+++ b/server/lib/cleanupLogs.ts
@@ -3,6 +3,7 @@ import { cleanUpOldLogs as cleanUpOldAccessLogs } from "#dynamic/lib/logAccessAu
 import { cleanUpOldLogs as cleanUpOldActionLogs } from "#dynamic/middlewares/logActionAudit";
 import { cleanUpOldLogs as cleanUpOldRequestLogs } from "@server/routers/badger/logRequestAudit";
 import { gt, or } from "drizzle-orm";
+import { cleanUpOldFingerprintSnapshots } from "@server/routers/olm/fingerprintingUtils";

 export function initLogCleanupInterval() {
    return setInterval(
@@ -26,6 +27,7 @@ export function initLogCleanupInterval() {
                    )
                );

+            // TODO: handle when there are multiple nodes doing this clearing using redis
            for (const org of orgsToClean) {
                const {
                    orgId,
@@ -55,6 +57,8 @@ export function initLogCleanupInterval() {
                    );
                }
            }
+
+            await cleanUpOldFingerprintSnapshots(365);
        },
        3 * 60 * 60 * 1000
    ); // every 3 hours
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -84,6 +84,10 @@ export class Config {
            ?.disable_basic_wireguard_sites
            ? "true"
            : "false";
+        process.env.FLAGS_DISABLE_PRODUCT_HELP_BANNERS = parsedConfig.flags
+            ?.disable_product_help_banners
+            ? "true"
+            : "false";

        process.env.PRODUCT_UPDATES_NOTIFICATION_ENABLED = parsedConfig.app
            .notifications.product_updates
--- a/server/lib/consts.ts
+++ b/server/lib/consts.ts
@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";

 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.13.1";
+export const APP_VERSION = "1.15.0";

 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);
--- a/server/lib/ip.ts
+++ b/server/lib/ip.ts
@@ -4,6 +4,7 @@ import { and, eq, isNotNull } from "drizzle-orm";
 import config from "@server/lib/config";
 import z from "zod";
 import logger from "@server/logger";
+import semver from "semver";

 interface IPRange {
    start: bigint;
@@ -318,10 +319,7 @@ export function doCidrsOverlap(cidr1: string, cidr2: string): boolean {
    const range2 = cidrToRange(cidr2);

    // Overlap if the ranges intersect
-    return (
-        range1.start <= range2.end &&
-        range2.start <= range1.end
-    );
+    return range1.start <= range2.end && range2.start <= range1.end;
 }

 export async function getNextAvailableClientSubnet(
@@ -686,3 +684,35 @@ export function parsePortRangeString(

    return result;
 }
+
+export function stripPortFromHost(ip: string, badgerVersion?: string): string {
+    const isNewerBadger =
+        badgerVersion &&
+        semver.valid(badgerVersion) &&
+        semver.gte(badgerVersion, "1.3.1");
+
+    if (isNewerBadger) {
+        return ip;
+    }
+
+    if (ip.startsWith("[") && ip.includes("]")) {
+        // if brackets are found, extract the IPv6 address from between the brackets
+        const ipv6Match = ip.match(/\[(.*?)\]/);
+        if (ipv6Match) {
+            return ipv6Match[1];
+        }
+    }
+
+    // Check if it looks like IPv4 (contains dots and matches IPv4 pattern)
+    // IPv4 format: x.x.x.x where x is 0-255
+    const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}/;
+    if (ipv4Pattern.test(ip)) {
+        const lastColonIndex = ip.lastIndexOf(":");
+        if (lastColonIndex !== -1) {
+            return ip.substring(0, lastColonIndex);
+        }
+    }
+
+    // Return as is
+    return ip;
+}
--- a/server/lib/isLicencedOrSubscribed.ts
+++ b/server/lib/isLicencedOrSubscribed.ts
@@ -0,0 +1,3 @@
+export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
+    return false;
+}
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -330,7 +330,8 @@ export const configSchema = z
                enable_integration_api: z.boolean().optional(),
                disable_local_sites: z.boolean().optional(),
                disable_basic_wireguard_sites: z.boolean().optional(),
-                disable_config_managed_domains: z.boolean().optional()
+                disable_config_managed_domains: z.boolean().optional(),
+                disable_product_help_banners: z.boolean().optional()
            })
            .optional(),
        dns: z
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -19,24 +19,33 @@ import { sanitize, validatePathRewriteConfig } from "./utils";
 const redirectHttpsMiddlewareName = "redirect-to-https";
 const badgerMiddlewareName = "badger";

+// Define extended target type with site information
+type TargetWithSite = Target & {
+    resourceId: number;
+    targetId: number;
+    ip: string | null;
+    method: string | null;
+    port: number | null;
+    internalPort: number | null;
+    enabled: boolean;
+    health: string | null;
+    site: {
+        siteId: number;
+        type: string;
+        subnet: string | null;
+        exitNodeId: number | null;
+        online: boolean;
+    };
+};
+
 export async function getTraefikConfig(
    exitNodeId: number,
    siteTypes: string[],
-    filterOutNamespaceDomains = false,
-    generateLoginPageRouters = false,
-    allowRawResources = true
+    filterOutNamespaceDomains = false, // UNUSED BUT USED IN PRIVATE
+    generateLoginPageRouters = false, // UNUSED BUT USED IN PRIVATE
+    allowRawResources = true,
+    allowMaintenancePage = true, // UNUSED BUT USED IN PRIVATE
 ): Promise<any> {
-    // Define extended target type with site information
-    type TargetWithSite = Target & {
-        site: {
-            siteId: number;
-            type: string;
-            subnet: string | null;
-            exitNodeId: number | null;
-            online: boolean;
-        };
-    };
-
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
    const resourcesWithTargetsAndSites = await db
@@ -59,6 +68,7 @@ export async function getTraefikConfig(
            headers: resources.headers,
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
+
            // Target fields
            targetId: targets.targetId,
            targetEnabled: targets.enabled,
@@ -103,10 +113,6 @@ export async function getTraefikConfig(
                        eq(sites.type, "local")
                    )
                ),
-                or(
-                    ne(targetHealthCheck.hcHealth, "unhealthy"), // Exclude unhealthy targets
-                    isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
-                ),
                inArray(sites.type, siteTypes),
                allowRawResources
                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
@@ -184,7 +190,6 @@ export async function getTraefikConfig(
            });
        }

-        // Add target with its associated site data
        resourcesMap.get(key).targets.push({
            resourceId: row.resourceId,
            targetId: row.targetId,
@@ -193,6 +198,7 @@ export async function getTraefikConfig(
            port: row.port,
            internalPort: row.internalPort,
            enabled: row.targetEnabled,
+            health: row.hcHealth,
            site: {
                siteId: row.siteId,
                type: row.siteType,
@@ -222,7 +228,7 @@ export async function getTraefikConfig(

    // get the key and the resource
    for (const [key, resource] of resourcesMap.entries()) {
-        const targets = resource.targets;
+        const targets = resource.targets as TargetWithSite[];

        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
@@ -470,17 +476,21 @@ export async function getTraefikConfig(
                        // RECEIVE BANDWIDTH ENDPOINT.

                        // TODO: HOW TO HANDLE ^^^^^^ BETTER
-                        const anySitesOnline = (
-                            targets as TargetWithSite[]
-                        ).some((target: TargetWithSite) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );

                        return (
-                            (targets as TargetWithSite[])
-                                .filter((target: TargetWithSite) => {
+                            targets
+                                .filter((target) => {
                                    if (!target.enabled) {
                                        return false;
                                    }

+                                    if (target.health == "unhealthy") {
+                                        return false;
+                                    }
+
                                    // If any sites are online, exclude offline sites
                                    if (anySitesOnline && !target.site.online) {
                                        return false;
@@ -508,7 +518,7 @@ export async function getTraefikConfig(
                                    }
                                    return true;
                                })
-                                .map((target: TargetWithSite) => {
+                                .map((target) => {
                                    if (
                                        target.site.type === "local" ||
                                        target.site.type === "wireguard"
@@ -594,12 +604,12 @@ export async function getTraefikConfig(
                loadBalancer: {
                    servers: (() => {
                        // Check if any sites are online
-                        const anySitesOnline = (
-                            targets as TargetWithSite[]
-                        ).some((target: TargetWithSite) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );

-                        return (targets as TargetWithSite[])
-                            .filter((target: TargetWithSite) => {
+                        return targets
+                            .filter((target) => {
                                if (!target.enabled) {
                                    return false;
                                }
@@ -626,7 +636,7 @@ export async function getTraefikConfig(
                                }
                                return true;
                            })
-                            .map((target: TargetWithSite) => {
+                            .map((target) => {
                                if (
                                    target.site.type === "local" ||
                                    target.site.type === "wireguard"
--- a/server/middlewares/integration/index.ts
+++ b/server/middlewares/integration/index.ts
@@ -13,3 +13,4 @@ export * from "./verifyApiKeyIsRoot";
 export * from "./verifyApiKeyApiKeyAccess";
 export * from "./verifyApiKeyClientAccess";
 export * from "./verifyApiKeySiteResourceAccess";
+export * from "./verifyApiKeyIdpAccess";
--- a/server/middlewares/integration/verifyApiKeyIdpAccess.ts
+++ b/server/middlewares/integration/verifyApiKeyIdpAccess.ts
@@ -0,0 +1,88 @@
+import { Request, Response, NextFunction } from "express";
+import { db } from "@server/db";
+import { idp, idpOrg, apiKeyOrg } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import createHttpError from "http-errors";
+import HttpCode from "@server/types/HttpCode";
+
+export async function verifyApiKeyIdpAccess(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const apiKey = req.apiKey;
+        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
+        const orgId = req.params.orgId;
+
+        if (!apiKey) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Key not authenticated")
+            );
+        }
+
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
+        if (!idpId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
+            );
+        }
+
+        if (apiKey.isRoot) {
+            // Root keys can access any IDP in any org
+            return next();
+        }
+
+        const [idpRes] = await db
+            .select()
+            .from(idp)
+            .innerJoin(idpOrg, eq(idp.idpId, idpOrg.idpId))
+            .where(and(eq(idp.idpId, idpId), eq(idpOrg.orgId, orgId)))
+            .limit(1);
+
+        if (!idpRes || !idpRes.idp || !idpRes.idpOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `IdP with ID ${idpId} not found for organization ${orgId}`
+                )
+            );
+        }
+
+        if (!req.apiKeyOrg) {
+            const apiKeyOrgRes = await db
+                .select()
+                .from(apiKeyOrg)
+                .where(
+                    and(
+                        eq(apiKeyOrg.apiKeyId, apiKey.apiKeyId),
+                        eq(apiKeyOrg.orgId, idpRes.idpOrg.orgId)
+                    )
+                );
+            req.apiKeyOrg = apiKeyOrgRes[0];
+        }
+
+        if (!req.apiKeyOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Key does not have access to this organization"
+                )
+            );
+        }
+
+        return next();
+    } catch (error) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Error verifying IDP access"
+            )
+        );
+    }
+}
--- a/server/private/lib/blueprints/MaintenanceSchema.ts
+++ b/server/private/lib/blueprints/MaintenanceSchema.ts
@@ -0,0 +1,22 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { z } from "zod";
+
+export const MaintenanceSchema = z.object({
+    enabled: z.boolean().optional(),
+    type: z.enum(["forced", "automatic"]).optional(),
+    title: z.string().max(255).nullable().optional(),
+    message: z.string().max(2000).nullable().optional(),
+    "estimated-time": z.string().max(100).nullable().optional()
+});
--- a/server/private/lib/checkOrgAccessPolicy.ts
+++ b/server/private/lib/checkOrgAccessPolicy.ts
@@ -23,10 +23,10 @@ import {
 } from "@server/lib/checkOrgAccessPolicy";
 import { UserType } from "@server/types/UserTypes";

-export async function enforceResourceSessionLength(
+export function enforceResourceSessionLength(
    resourceSession: ResourceSession,
    org: Org
-): Promise<{ valid: boolean; error?: string }> {
+): { valid: boolean; error?: string } {
    if (org.maxSessionLengthHours) {
        const sessionIssuedAt = resourceSession.issuedAt; // may be null
        const maxSessionLengthHours = org.maxSessionLengthHours;
--- a/server/private/lib/config.ts
+++ b/server/private/lib/config.ts
@@ -139,6 +139,10 @@ export class PrivateConfig {
            process.env.USE_PANGOLIN_DNS =
                this.rawPrivateConfig.flags.use_pangolin_dns.toString();
        }
+        if (this.rawPrivateConfig.flags.use_org_only_idp) {
+            process.env.USE_ORG_ONLY_IDP =
+                this.rawPrivateConfig.flags.use_org_only_idp.toString();
+        }
    }

    public getRawPrivateConfig() {
--- a/server/private/lib/exitNodes/exitNodeComms.ts
+++ b/server/private/lib/exitNodes/exitNodeComms.ts
@@ -50,10 +50,14 @@ export async function sendToExitNode(
            );
        }

-        return sendToClient(remoteExitNode.remoteExitNodeId, {
-            type: request.remoteType,
-            data: request.data
-        });
+        return sendToClient(
+            remoteExitNode.remoteExitNodeId,
+            {
+                type: request.remoteType,
+                data: request.data
+            },
+            { incrementConfigVersion: true }
+        );
    } else {
        let hostname = exitNode.reachableAt;

--- a/server/private/lib/exitNodes/exitNodes.ts
+++ b/server/private/lib/exitNodes/exitNodes.ts
@@ -288,7 +288,7 @@ export function selectBestExitNode(
    const validNodes = pingResults.filter((n) => !n.error && n.weight > 0);

    if (validNodes.length === 0) {
-        logger.error("No valid exit nodes available");
+        logger.debug("No valid exit nodes available");
        return null;
    }

--- a/server/private/lib/isLicencedOrSubscribed.ts
+++ b/server/private/lib/isLicencedOrSubscribed.ts
@@ -0,0 +1,30 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { build } from "@server/build";
+import license from "#private/license/license";
+import { getOrgTierData } from "#private/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+
+export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
+    if (build === "enterprise") {
+        return await license.isUnlocked();
+    }
+
+    if (build === "saas") {
+        const { tier } = await getOrgTierData(orgId);
+        return tier === TierId.STANDARD;
+    }
+
+    return false;
+}
--- a/server/private/lib/lock.ts
+++ b/server/private/lib/lock.ts
@@ -24,7 +24,9 @@ export class LockManager {
     */
    async acquireLock(
        lockKey: string,
-        ttlMs: number = 30000
+        ttlMs: number = 30000,
+        maxRetries: number = 3,
+        retryDelayMs: number = 100
    ): Promise<boolean> {
        if (!redis || !redis.status || redis.status !== "ready") {
            return true;
@@ -35,49 +37,67 @@ export class LockManager {
        }:${Date.now()}`;
        const redisKey = `lock:${lockKey}`;

-        try {
-            // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
-            // This is atomic and handles both setting and expiration
-            const result = await redis.set(
-                redisKey,
-                lockValue,
-                "PX",
-                ttlMs,
-                "NX"
-            );
-
-            if (result === "OK") {
-                logger.debug(
-                    `Lock acquired: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
+        for (let attempt = 0; attempt < maxRetries; attempt++) {
+            try {
+                // Use SET with NX (only set if not exists) and PX (expire in milliseconds)
+                // This is atomic and handles both setting and expiration
+                const result = await redis.set(
+                    redisKey,
+                    lockValue,
+                    "PX",
+                    ttlMs,
+                    "NX"
                );
-                return true;
-            }

-            // Check if the existing lock is from this worker (reentrant behavior)
-            const existingValue = await redis.get(redisKey);
-            if (
-                existingValue &&
-                existingValue.startsWith(
-                    `${config.getRawConfig().gerbil.exit_node_name}:`
-                )
-            ) {
-                // Extend the lock TTL since it's the same worker
-                await redis.pexpire(redisKey, ttlMs);
-                logger.debug(
-                    `Lock extended: ${lockKey} by ${
-                        config.getRawConfig().gerbil.exit_node_name
-                    }`
-                );
-                return true;
-            }
+                if (result === "OK") {
+                    logger.debug(
+                        `Lock acquired: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }

-            return false;
-        } catch (error) {
-            logger.error(`Failed to acquire lock ${lockKey}:`, error);
-            return false;
+                // Check if the existing lock is from this worker (reentrant behavior)
+                const existingValue = await redis.get(redisKey);
+                if (
+                    existingValue &&
+                    existingValue.startsWith(
+                        `${config.getRawConfig().gerbil.exit_node_name}:`
+                    )
+                ) {
+                    // Extend the lock TTL since it's the same worker
+                    await redis.pexpire(redisKey, ttlMs);
+                    logger.debug(
+                        `Lock extended: ${lockKey} by ${
+                            config.getRawConfig().gerbil.exit_node_name
+                        }`
+                    );
+                    return true;
+                }
+
+                // If this isn't our last attempt, wait before retrying with exponential backoff
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    logger.debug(
+                        `Lock ${lockKey} not available, retrying in ${delay}ms (attempt ${attempt + 1}/${maxRetries})`
+                    );
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            } catch (error) {
+                logger.error(`Failed to acquire lock ${lockKey} (attempt ${attempt + 1}/${maxRetries}):`, error);
+                // On error, still retry if we have attempts left
+                if (attempt < maxRetries - 1) {
+                    const delay = retryDelayMs * Math.pow(2, attempt);
+                    await new Promise((resolve) => setTimeout(resolve, delay));
+                }
+            }
        }
+
+        logger.debug(
+            `Failed to acquire lock ${lockKey} after ${maxRetries} attempts`
+        );
+        return false;
    }

    /**
--- a/server/private/lib/logAccessAudit.ts
+++ b/server/private/lib/logAccessAudit.ts
@@ -17,6 +17,7 @@ import logger from "@server/logger";
 import { and, eq, lt } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
+import { stripPortFromHost } from "@server/lib/ip";

 async function getAccessDays(orgId: string): Promise<number> {
    // check cache first
@@ -116,19 +117,7 @@ export async function logAccessAudit(data: {
        }

        const clientIp = data.requestIp
-            ? (() => {
-                  if (
-                      data.requestIp.startsWith("[") &&
-                      data.requestIp.includes("]")
-                  ) {
-                      // if brackets are found, extract the IPv6 address from between the brackets
-                      const ipv6Match = data.requestIp.match(/\[(.*?)\]/);
-                      if (ipv6Match) {
-                          return ipv6Match[1];
-                      }
-                  }
-                  return data.requestIp;
-              })()
+            ? stripPortFromHost(data.requestIp)
            : undefined;

        const countryCode = data.requestIp
@@ -161,8 +150,11 @@ async function getCountryCodeFromIp(ip: string): Promise<string | undefined> {

    if (!cachedCountryCode) {
        cachedCountryCode = await getCountryCodeForIp(ip); // do it locally
-        // Cache for longer since IP geolocation doesn't change frequently
-        cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
+        // Only cache successful lookups to avoid filling cache with undefined values
+        if (cachedCountryCode) {
+            // Cache for longer since IP geolocation doesn't change frequently
+            cache.set(geoIpCacheKey, cachedCountryCode, 300); // 5 minutes
+        }
    }

    return cachedCountryCode;
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -83,7 +83,8 @@ export const privateConfigSchema = z.object({
    flags: z
        .object({
            enable_redis: z.boolean().optional().default(false),
-            use_pangolin_dns: z.boolean().optional().default(false)
+            use_pangolin_dns: z.boolean().optional().default(false),
+            use_org_only_idp: z.boolean().optional().default(false)
        })
        .optional()
        .prefault({}),
--- a/server/private/lib/redis.ts
+++ b/server/private/lib/redis.ts
@@ -573,6 +573,20 @@ class RedisManager {
        }
    }

+    public async incr(key: string): Promise<number> {
+        if (!this.isRedisEnabled() || !this.writeClient) return 0;
+
+        try {
+            return await this.executeWithRetry(
+                () => this.writeClient!.incr(key),
+                "Redis INCR"
+            );
+        } catch (error) {
+            logger.error("Redis INCR error:", error);
+            return 0;
+        }
+    }
+
    public async sadd(key: string, member: string): Promise<boolean> {
        if (!this.isRedisEnabled() || !this.writeClient) return false;

--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -47,24 +47,33 @@ const redirectHttpsMiddlewareName = "redirect-to-https";
 const redirectToRootMiddlewareName = "redirect-to-root";
 const badgerMiddlewareName = "badger";

+// Define extended target type with site information
+type TargetWithSite = Target & {
+    resourceId: number;
+    targetId: number;
+    ip: string | null;
+    method: string | null;
+    port: number | null;
+    internalPort: number | null;
+    enabled: boolean;
+    health: string | null;
+    site: {
+        siteId: number;
+        type: string;
+        subnet: string | null;
+        exitNodeId: number | null;
+        online: boolean;
+    };
+};
+
 export async function getTraefikConfig(
    exitNodeId: number,
    siteTypes: string[],
    filterOutNamespaceDomains = false,
    generateLoginPageRouters = false,
-    allowRawResources = true
+    allowRawResources = true,
+    allowMaintenancePage = true
 ): Promise<any> {
-    // Define extended target type with site information
-    type TargetWithSite = Target & {
-        site: {
-            siteId: number;
-            type: string;
-            subnet: string | null;
-            exitNodeId: number | null;
-            online: boolean;
-        };
-    };
-
    // Get resources with their targets and sites in a single optimized query
    // Start from sites on this exit node, then join to targets and resources
    const resourcesWithTargetsAndSites = await db
@@ -87,6 +96,13 @@ export async function getTraefikConfig(
            headers: resources.headers,
            proxyProtocol: resources.proxyProtocol,
            proxyProtocolVersion: resources.proxyProtocolVersion,
+
+            maintenanceModeEnabled: resources.maintenanceModeEnabled,
+            maintenanceModeType: resources.maintenanceModeType,
+            maintenanceTitle: resources.maintenanceTitle,
+            maintenanceMessage: resources.maintenanceMessage,
+            maintenanceEstimatedTime: resources.maintenanceEstimatedTime,
+
            // Target fields
            targetId: targets.targetId,
            targetEnabled: targets.enabled,
@@ -140,10 +156,6 @@ export async function getTraefikConfig(
                        sql`(${build != "saas" ? 1 : 0} = 1)` // Dont allow undefined local sites in cloud
                    )
                ),
-                or(
-                    ne(targetHealthCheck.hcHealth, "unhealthy"), // Exclude unhealthy targets
-                    isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
-                ),
                inArray(sites.type, siteTypes),
                allowRawResources
                    ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
@@ -220,7 +232,13 @@ export async function getTraefikConfig(
                rewritePathType: row.rewritePathType,
                priority: priority, // may be null, we fallback later
                domainCertResolver: row.domainCertResolver,
-                preferWildcardCert: row.preferWildcardCert
+                preferWildcardCert: row.preferWildcardCert,
+
+                maintenanceModeEnabled: row.maintenanceModeEnabled,
+                maintenanceModeType: row.maintenanceModeType,
+                maintenanceTitle: row.maintenanceTitle,
+                maintenanceMessage: row.maintenanceMessage,
+                maintenanceEstimatedTime: row.maintenanceEstimatedTime
            });
        }

@@ -233,6 +251,7 @@ export async function getTraefikConfig(
            port: row.port,
            internalPort: row.internalPort,
            enabled: row.targetEnabled,
+            health: row.hcHealth,
            site: {
                siteId: row.siteId,
                type: row.siteType,
@@ -278,7 +297,7 @@ export async function getTraefikConfig(

    // get the key and the resource
    for (const [key, resource] of resourcesMap.entries()) {
-        const targets = resource.targets;
+        const targets = resource.targets as TargetWithSite[];

        const routerName = `${key}-${resource.name}-router`;
        const serviceName = `${key}-${resource.name}-service`;
@@ -308,20 +327,37 @@ export async function getTraefikConfig(
                config_output.http.services = {};
            }

-            const domainParts = fullDomain.split(".");
-            let wildCard;
-            if (domainParts.length <= 2) {
-                wildCard = `*.${domainParts.join(".")}`;
+            const additionalMiddlewares =
+                config.getRawConfig().traefik.additional_middlewares || [];
+
+            const routerMiddlewares = [
+                badgerMiddlewareName,
+                ...additionalMiddlewares
+            ];
+
+            let rule = `Host(\`${fullDomain}\`)`;
+
+            // priority logic
+            let priority: number;
+            if (resource.priority && resource.priority != 100) {
+                priority = resource.priority;
            } else {
-                wildCard = `*.${domainParts.slice(1).join(".")}`;
+                priority = 100;
+                if (resource.path && resource.pathMatchType) {
+                    priority += 10;
+                    if (resource.pathMatchType === "exact") {
+                        priority += 5;
+                    } else if (resource.pathMatchType === "prefix") {
+                        priority += 3;
+                    } else if (resource.pathMatchType === "regex") {
+                        priority += 2;
+                    }
+                    if (resource.path === "/") {
+                        priority = 1; // lowest for catch-all
+                    }
+                }
            }

-            if (!resource.subdomain) {
-                wildCard = resource.fullDomain;
-            }
-
-            const configDomain = config.getDomain(resource.domainId);
-
            let tls = {};
            if (!privateConfig.getRawPrivateConfig().flags.use_pangolin_dns) {
                const domainParts = fullDomain.split(".");
@@ -387,13 +423,117 @@ export async function getTraefikConfig(
                }
            }

-            const additionalMiddlewares =
-                config.getRawConfig().traefik.additional_middlewares || [];
+            if (resource.ssl) {
+                config_output.http.routers![routerName + "-redirect"] = {
+                    entryPoints: [
+                        config.getRawConfig().traefik.http_entrypoint
+                    ],
+                    middlewares: [redirectHttpsMiddlewareName],
+                    service: serviceName,
+                    rule: rule,
+                    priority: priority
+                };
+            }

-            const routerMiddlewares = [
-                badgerMiddlewareName,
-                ...additionalMiddlewares
-            ];
+            const availableServers = targets.filter((target) => {
+                if (!target.enabled) return false;
+
+                if (!target.site.online) return false;
+
+                if (target.health == "unhealthy") return false;
+
+                return true;
+            });
+
+            const hasHealthyServers = availableServers.length > 0;
+
+            let showMaintenancePage = false;
+            if (resource.maintenanceModeEnabled) {
+                if (resource.maintenanceModeType === "forced") {
+                    showMaintenancePage = true;
+                    // logger.debug(
+                    //     `Resource ${resource.name} (${fullDomain}) is in FORCED maintenance mode`
+                    // );
+                } else if (resource.maintenanceModeType === "automatic") {
+                    showMaintenancePage = !hasHealthyServers;
+                    // if (showMaintenancePage) {
+                    //     logger.warn(
+                    //         `Resource ${resource.name} (${fullDomain}) has no healthy servers - showing maintenance page (AUTOMATIC mode)`
+                    //     );
+                    // }
+                }
+            }
+
+            if (showMaintenancePage && allowMaintenancePage) {
+                const maintenanceServiceName = `${key}-maintenance-service`;
+                const maintenanceRouterName = `${key}-maintenance-router`;
+                const rewriteMiddlewareName = `${key}-maintenance-rewrite`;
+
+                const entrypointHttp =
+                    config.getRawConfig().traefik.http_entrypoint;
+                const entrypointHttps =
+                    config.getRawConfig().traefik.https_entrypoint;
+
+                const fullDomain = resource.fullDomain;
+                const domainParts = fullDomain.split(".");
+                const wildCard = resource.subdomain
+                    ? `*.${domainParts.slice(1).join(".")}`
+                    : fullDomain;
+
+                const maintenancePort = config.getRawConfig().server.next_port;
+                const maintenanceHost =
+                    config.getRawConfig().server.internal_hostname;
+
+                config_output.http.services[maintenanceServiceName] = {
+                    loadBalancer: {
+                        servers: [
+                            {
+                                url: `http://${maintenanceHost}:${maintenancePort}`
+                            }
+                        ],
+                        passHostHeader: true
+                    }
+                };
+
+                // middleware to rewrite path to /maintenance-screen
+                if (!config_output.http.middlewares) {
+                    config_output.http.middlewares = {};
+                }
+
+                config_output.http.middlewares[rewriteMiddlewareName] = {
+                    replacePathRegex: {
+                        regex: "^/(.*)",
+                        replacement: "/maintenance-screen"
+                    }
+                };
+
+                config_output.http.routers[maintenanceRouterName] = {
+                    entryPoints: [
+                        resource.ssl ? entrypointHttps : entrypointHttp
+                    ],
+                    service: maintenanceServiceName,
+                    middlewares: [rewriteMiddlewareName],
+                    rule: rule,
+                    priority: 2000,
+                    ...(resource.ssl ? { tls } : {})
+                };
+
+                // Router to allow Next.js assets to load without rewrite
+                config_output.http.routers[`${maintenanceRouterName}-assets`] =
+                    {
+                        entryPoints: [
+                            resource.ssl ? entrypointHttps : entrypointHttp
+                        ],
+                        service: maintenanceServiceName,
+                        rule: `Host(\`${fullDomain}\`) && (PathPrefix(\`/_next\`) || PathRegexp(\`^/__nextjs*\`))`,
+                        priority: 2001,
+                        ...(resource.ssl ? { tls } : {})
+                    };
+
+                // logger.info(`Maintenance mode active for ${fullDomain}`);
+
+                continue;
+            }

            // Handle path rewriting middleware
            if (
@@ -485,29 +625,6 @@ export async function getTraefikConfig(
                }
            }

-            let rule = `Host(\`${fullDomain}\`)`;
-
-            // priority logic
-            let priority: number;
-            if (resource.priority && resource.priority != 100) {
-                priority = resource.priority;
-            } else {
-                priority = 100;
-                if (resource.path && resource.pathMatchType) {
-                    priority += 10;
-                    if (resource.pathMatchType === "exact") {
-                        priority += 5;
-                    } else if (resource.pathMatchType === "prefix") {
-                        priority += 3;
-                    } else if (resource.pathMatchType === "regex") {
-                        priority += 2;
-                    }
-                    if (resource.path === "/") {
-                        priority = 1; // lowest for catch-all
-                    }
-                }
-            }
-
            if (resource.path && resource.pathMatchType) {
                //priority += 1;
                // add path to rule based on match type
@@ -538,18 +655,6 @@ export async function getTraefikConfig(
                ...(resource.ssl ? { tls } : {})
            };

-            if (resource.ssl) {
-                config_output.http.routers![routerName + "-redirect"] = {
-                    entryPoints: [
-                        config.getRawConfig().traefik.http_entrypoint
-                    ],
-                    middlewares: [redirectHttpsMiddlewareName],
-                    service: serviceName,
-                    rule: rule,
-                    priority: priority
-                };
-            }
-
            config_output.http.services![serviceName] = {
                loadBalancer: {
                    servers: (() => {
@@ -559,17 +664,21 @@ export async function getTraefikConfig(
                        // RECEIVE BANDWIDTH ENDPOINT.

                        // TODO: HOW TO HANDLE ^^^^^^ BETTER
-                        const anySitesOnline = (
-                            targets as TargetWithSite[]
-                        ).some((target: TargetWithSite) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );

                        return (
-                            (targets as TargetWithSite[])
-                                .filter((target: TargetWithSite) => {
+                            targets
+                                .filter((target) => {
                                    if (!target.enabled) {
                                        return false;
                                    }

+                                    if (target.health == "unhealthy") {
+                                        return false;
+                                    }
+
                                    // If any sites are online, exclude offline sites
                                    if (anySitesOnline && !target.site.online) {
                                        return false;
@@ -597,7 +706,7 @@ export async function getTraefikConfig(
                                    }
                                    return true;
                                })
-                                .map((target: TargetWithSite) => {
+                                .map((target) => {
                                    if (
                                        target.site.type === "local" ||
                                        target.site.type === "wireguard"
@@ -683,12 +792,12 @@ export async function getTraefikConfig(
                loadBalancer: {
                    servers: (() => {
                        // Check if any sites are online
-                        const anySitesOnline = (
-                            targets as TargetWithSite[]
-                        ).some((target: TargetWithSite) => target.site.online);
+                        const anySitesOnline = targets.some(
+                            (target) => target.site.online
+                        );

-                        return (targets as TargetWithSite[])
-                            .filter((target: TargetWithSite) => {
+                        return targets
+                            .filter((target) => {
                                if (!target.enabled) {
                                    return false;
                                }
@@ -715,7 +824,7 @@ export async function getTraefikConfig(
                                }
                                return true;
                            })
-                            .map((target: TargetWithSite) => {
+                            .map((target) => {
                                if (
                                    target.site.type === "local" ||
                                    target.site.type === "wireguard"
--- a/server/private/middlewares/verifySubscription.ts
+++ b/server/private/middlewares/verifySubscription.ts
@@ -27,7 +27,18 @@ export async function verifyValidSubscription(
            return next();
        }

-        const tier = await getOrgTierData(req.params.orgId);
+        const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
+
+        if (!orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Organization ID is required to verify subscription"
+                )
+            );
+        }
+
+        const tier = await getOrgTierData(orgId);

        if (!tier.active) {
            return next(
--- a/server/private/routers/approvals/countApprovals.ts
+++ b/server/private/routers/approvals/countApprovals.ts
@@ -0,0 +1,110 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import type { Request, Response, NextFunction } from "express";
+import { approvals, db, type Approval } from "@server/db";
+import { eq, sql, and } from "drizzle-orm";
+import response from "@server/lib/response";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const querySchema = z.strictObject({
+    approvalState: z
+        .enum(["pending", "approved", "denied", "all"])
+        .optional()
+        .default("all")
+        .catch("all")
+});
+
+export type CountApprovalsResponse = {
+    count: number;
+};
+
+export async function countApprovals(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+
+        const { approvalState } = parsedQuery.data;
+        const { orgId } = parsedParams.data;
+
+        let state: Array<Approval["decision"]> = [];
+        switch (approvalState) {
+            case "pending":
+                state = ["pending"];
+                break;
+            case "approved":
+                state = ["approved"];
+                break;
+            case "denied":
+                state = ["denied"];
+                break;
+            default:
+                state = ["approved", "denied", "pending"];
+        }
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(approvals)
+            .where(
+                and(
+                    eq(approvals.orgId, orgId),
+                    sql`${approvals.decision} in ${state}`
+                )
+            );
+
+        return response<CountApprovalsResponse>(res, {
+            data: {
+                count
+            },
+            success: true,
+            error: false,
+            message: "Approval count retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/private/routers/approvals/index.ts
+++ b/server/private/routers/approvals/index.ts
@@ -0,0 +1,16 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./listApprovals";
+export * from "./processPendingApproval";
+export * from "./countApprovals";
--- a/server/private/routers/approvals/listApprovals.ts
+++ b/server/private/routers/approvals/listApprovals.ts
@@ -0,0 +1,269 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import type { Request, Response, NextFunction } from "express";
+import { build } from "@server/build";
+import { getOrgTierData } from "@server/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+import {
+    approvals,
+    clients,
+    db,
+    users,
+    olms,
+    currentFingerprint,
+    type Approval
+} from "@server/db";
+import { eq, isNull, sql, not, and, desc } from "drizzle-orm";
+import response from "@server/lib/response";
+import { getUserDeviceName } from "@server/db/names";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const querySchema = z.strictObject({
+    limit: z
+        .string()
+        .optional()
+        .default("1000")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    offset: z
+        .string()
+        .optional()
+        .default("0")
+        .transform(Number)
+        .pipe(z.int().nonnegative()),
+    approvalState: z
+        .enum(["pending", "approved", "denied", "all"])
+        .optional()
+        .default("all")
+        .catch("all"),
+    clientId: z
+        .string()
+        .optional()
+        .transform((val) => (val ? Number(val) : undefined))
+        .pipe(z.number().int().positive().optional())
+});
+
+async function queryApprovals(
+    orgId: string,
+    limit: number,
+    offset: number,
+    approvalState: z.infer<typeof querySchema>["approvalState"],
+    clientId?: number
+) {
+    let state: Array<Approval["decision"]> = [];
+    switch (approvalState) {
+        case "pending":
+            state = ["pending"];
+            break;
+        case "approved":
+            state = ["approved"];
+            break;
+        case "denied":
+            state = ["denied"];
+            break;
+        default:
+            state = ["approved", "denied", "pending"];
+    }
+
+    const res = await db
+        .select({
+            approvalId: approvals.approvalId,
+            orgId: approvals.orgId,
+            clientId: approvals.clientId,
+            decision: approvals.decision,
+            type: approvals.type,
+            user: {
+                name: users.name,
+                userId: users.userId,
+                username: users.username,
+                email: users.email
+            },
+            clientName: clients.name,
+            niceId: clients.niceId,
+            deviceModel: currentFingerprint.deviceModel,
+            fingerprintPlatform: currentFingerprint.platform,
+            fingerprintOsVersion: currentFingerprint.osVersion,
+            fingerprintKernelVersion: currentFingerprint.kernelVersion,
+            fingerprintArch: currentFingerprint.arch,
+            fingerprintSerialNumber: currentFingerprint.serialNumber,
+            fingerprintUsername: currentFingerprint.username,
+            fingerprintHostname: currentFingerprint.hostname
+        })
+        .from(approvals)
+        .innerJoin(users, and(eq(approvals.userId, users.userId)))
+        .leftJoin(
+            clients,
+            and(
+                eq(approvals.clientId, clients.clientId),
+                not(isNull(clients.userId)) // only user devices
+            )
+        )
+        .leftJoin(olms, eq(clients.clientId, olms.clientId))
+        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId))
+        .where(
+            and(
+                eq(approvals.orgId, orgId),
+                sql`${approvals.decision} in ${state}`,
+                ...(clientId ? [eq(approvals.clientId, clientId)] : [])
+            )
+        )
+        .orderBy(
+            sql`CASE ${approvals.decision} WHEN 'pending' THEN 0 ELSE 1 END`,
+            desc(approvals.timestamp)
+        )
+        .limit(limit)
+        .offset(offset);
+
+    // Process results to format device names and build fingerprint objects
+    return res.map((approval) => {
+        const model = approval.deviceModel || null;
+        const deviceName = approval.clientName
+            ? getUserDeviceName(model, approval.clientName)
+            : null;
+
+        // Build fingerprint object if any fingerprint data exists
+        const hasFingerprintData =
+            approval.fingerprintPlatform ||
+            approval.fingerprintOsVersion ||
+            approval.fingerprintKernelVersion ||
+            approval.fingerprintArch ||
+            approval.fingerprintSerialNumber ||
+            approval.fingerprintUsername ||
+            approval.fingerprintHostname ||
+            approval.deviceModel;
+
+        const fingerprint = hasFingerprintData
+            ? {
+                platform: approval.fingerprintPlatform || null,
+                osVersion: approval.fingerprintOsVersion || null,
+                kernelVersion: approval.fingerprintKernelVersion || null,
+                arch: approval.fingerprintArch || null,
+                deviceModel: approval.deviceModel || null,
+                serialNumber: approval.fingerprintSerialNumber || null,
+                username: approval.fingerprintUsername || null,
+                hostname: approval.fingerprintHostname || null
+            }
+            : null;
+
+        const {
+            clientName,
+            deviceModel,
+            fingerprintPlatform,
+            fingerprintOsVersion,
+            fingerprintKernelVersion,
+            fingerprintArch,
+            fingerprintSerialNumber,
+            fingerprintUsername,
+            fingerprintHostname,
+            ...rest
+        } = approval;
+
+        return {
+            ...rest,
+            deviceName,
+            fingerprint,
+            niceId: approval.niceId || null
+        };
+    });
+}
+
+export type ListApprovalsResponse = {
+    approvals: NonNullable<Awaited<ReturnType<typeof queryApprovals>>>;
+    pagination: { total: number; limit: number; offset: number };
+};
+
+export async function listApprovals(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedQuery = querySchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error).toString()
+                )
+            );
+        }
+        const { limit, offset, approvalState, clientId } = parsedQuery.data;
+
+        const { orgId } = parsedParams.data;
+
+        if (build === "saas") {
+            const { tier } = await getOrgTierData(orgId);
+            const subscribed = tier === TierId.STANDARD;
+            if (!subscribed) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "This organization's current plan does not support this feature."
+                    )
+                );
+            }
+        }
+
+        const approvalsList = await queryApprovals(
+            orgId.toString(),
+            limit,
+            offset,
+            approvalState,
+            clientId
+        );
+
+        const [{ count }] = await db
+            .select({ count: sql<number>`count(*)` })
+            .from(approvals);
+
+        return response<ListApprovalsResponse>(res, {
+            data: {
+                approvals: approvalsList,
+                pagination: {
+                    total: count,
+                    limit,
+                    offset
+                }
+            },
+            success: true,
+            error: false,
+            message: "Approvals retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/private/routers/approvals/processPendingApproval.ts
+++ b/server/private/routers/approvals/processPendingApproval.ts
@@ -0,0 +1,142 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import logger from "@server/logger";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+import { build } from "@server/build";
+import { approvals, clients, db, orgs, type Approval } from "@server/db";
+import { getOrgTierData } from "@server/lib/billing";
+import { TierId } from "@server/lib/billing/tiers";
+import response from "@server/lib/response";
+import { and, eq, type InferInsertModel } from "drizzle-orm";
+import type { NextFunction, Request, Response } from "express";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string(),
+    approvalId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+const bodySchema = z.strictObject({
+    decision: z.enum(["approved", "denied"])
+});
+
+export type ProcessApprovalResponse = Approval;
+
+export async function processPendingApproval(
+    req: Request,
+    res: Response,
+    next: NextFunction
+) {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId, approvalId } = parsedParams.data;
+
+        if (build === "saas") {
+            const { tier } = await getOrgTierData(orgId);
+            const subscribed = tier === TierId.STANDARD;
+            if (!subscribed) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "This organization's current plan does not support this feature."
+                    )
+                );
+            }
+        }
+
+        const updateData = parsedBody.data;
+
+        const approval = await db
+            .select()
+            .from(approvals)
+            .where(
+                and(
+                    eq(approvals.approvalId, approvalId),
+                    eq(approvals.decision, "pending")
+                )
+            )
+            .innerJoin(orgs, eq(approvals.orgId, approvals.orgId))
+            .limit(1);
+
+        if (approval.length === 0) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Pending Approval with ID ${approvalId} not found`
+                )
+            );
+        }
+
+        const [updatedApproval] = await db
+            .update(approvals)
+            .set(updateData)
+            .where(eq(approvals.approvalId, approvalId))
+            .returning();
+
+        // Update user device approval state too
+        if (
+            updatedApproval.type === "user_device" &&
+            updatedApproval.clientId
+        ) {
+            const updateDataBody: Partial<InferInsertModel<typeof clients>> = {
+                approvalState: updateData.decision
+            };
+
+            if (updateData.decision === "denied") {
+                updateDataBody.blocked = true;
+            }
+
+            await db
+                .update(clients)
+                .set(updateDataBody)
+                .where(eq(clients.clientId, updatedApproval.clientId));
+        }
+
+        return response(res, {
+            data: updatedApproval,
+            success: true,
+            error: false,
+            message: "Approval updated successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -24,6 +24,7 @@ import * as generateLicense from "./generatedLicense";
 import * as logs from "#private/routers/auditLogs";
 import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
+import * as approval from "#private/routers/approvals";

 import {
    verifyOrgAccess,
@@ -311,6 +312,31 @@ authenticated.get(
    loginPage.getLoginPage
 );

+authenticated.get(
+    "/org/:orgId/approvals",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listApprovals),
+    logActionAudit(ActionsEnum.listApprovals),
+    approval.listApprovals
+);
+
+authenticated.get(
+    "/org/:orgId/approvals/count",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listApprovals),
+    approval.countApprovals
+);
+
+authenticated.put(
+    "/org/:orgId/approvals/:approvalId",
+    verifyValidLicense,
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.updateApprovals),
+    logActionAudit(ActionsEnum.updateApprovals),
+    approval.processPendingApproval
+);
+
 authenticated.get(
    "/org/:orgId/login-page-branding",
    verifyValidLicense,
@@ -436,18 +462,18 @@ authenticated.get(

 authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
+    verifyClientAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription,
-    verifyClientAccess,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateClientSecret
 );

 authenticated.post(
    "/re-key/:siteId/regenerate-site-secret",
+    verifySiteAccess, // this is first to set the org id
    verifyValidLicense,
    verifyValidSubscription,
-    verifySiteAccess,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateSiteSecret
 );
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -36,8 +36,11 @@ import {
    LoginPage,
    resourceHeaderAuth,
    ResourceHeaderAuth,
+    resourceHeaderAuthExtendedCompatibility,
+    ResourceHeaderAuthExtendedCompatibility,
    orgs,
-    requestAuditLog
+    requestAuditLog,
+    Org
 } from "@server/db";
 import {
    resources,
@@ -77,6 +80,7 @@ import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
 import semver from "semver";
 import { maxmindAsnLookup } from "@server/db/maxmindAsn";
+import { checkOrgAccessPolicy } from "@server/lib/checkOrgAccessPolicy";

 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z.strictObject({
@@ -92,6 +96,12 @@ const getUserOrgRoleParamsSchema = z.strictObject({
    orgId: z.string().min(1, "Organization ID is required")
 });

+const getUserOrgSessionVerifySchema = z.strictObject({
+    userId: z.string().min(1, "User ID is required"),
+    orgId: z.string().min(1, "Organization ID is required"),
+    sessionId: z.string().min(1, "Session ID is required")
+});
+
 const getRoleResourceAccessParamsSchema = z.strictObject({
    roleId: z
        .string()
@@ -175,6 +185,8 @@ export type ResourceWithAuth = {
    pincode: ResourcePincode | null;
    password: ResourcePassword | null;
    headerAuth: ResourceHeaderAuth | null;
+    headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
+    org: Org
 };

 export type UserSessionWithUser = {
@@ -235,7 +247,8 @@ hybridRouter.get(
                ["newt", "local", "wireguard"], // Allow them to use all the site types
                true, // But don't allow domain namespace resources
                false, // Dont include login pages,
-                true // allow raw resources
+                true, // allow raw resources
+                false // dont generate maintenance page
            );

            return response(res, {
@@ -498,6 +511,14 @@ hybridRouter.get(
                    resourceHeaderAuth,
                    eq(resourceHeaderAuth.resourceId, resources.resourceId)
                )
+                .leftJoin(
+                    resourceHeaderAuthExtendedCompatibility,
+                    eq(
+                        resourceHeaderAuthExtendedCompatibility.resourceId,
+                        resources.resourceId
+                    )
+                )
+                .innerJoin(orgs, eq(orgs.orgId, resources.orgId))
                .where(eq(resources.fullDomain, domain))
                .limit(1);

@@ -530,7 +551,10 @@ hybridRouter.get(
                resource: result.resources,
                pincode: result.resourcePincode,
                password: result.resourcePassword,
-                headerAuth: result.resourceHeaderAuth
+                headerAuth: result.resourceHeaderAuth,
+                headerAuthExtendedCompatibility:
+                    result.resourceHeaderAuthExtendedCompatibility,
+                org: result.orgs
            };

            return response<ResourceWithAuth>(res, {
@@ -594,6 +618,16 @@ hybridRouter.get(
                )
                .limit(1);

+            if (!result) {
+                return response<LoginPage | null>(res, {
+                    data: null,
+                    success: true,
+                    error: false,
+                    message: "Login page not found",
+                    status: HttpCode.OK
+                });
+            }
+
            if (
                await checkExitNodeOrg(
                    remoteExitNode.exitNodeId,
@@ -609,16 +643,6 @@ hybridRouter.get(
                );
            }

-            if (!result) {
-                return response<LoginPage | null>(res, {
-                    data: null,
-                    success: true,
-                    error: false,
-                    message: "Login page not found",
-                    status: HttpCode.OK
-                });
-            }
-
            return response<LoginPage>(res, {
                data: result.loginPage,
                success: true,
@@ -810,6 +834,69 @@ hybridRouter.get(
    }
 );

+// Get user organization role
+hybridRouter.get(
+    "/user/:userId/org/:orgId/session/:sessionId/verify",
+    async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const parsedParams = getUserOrgSessionVerifySchema.safeParse(
+                req.params
+            );
+            if (!parsedParams.success) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        fromError(parsedParams.error).toString()
+                    )
+                );
+            }
+
+            const { userId, orgId, sessionId } = parsedParams.data;
+            const remoteExitNode = req.remoteExitNode;
+
+            if (!remoteExitNode || !remoteExitNode.exitNodeId) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Remote exit node not found"
+                    )
+                );
+            }
+
+            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
+                return next(
+                    createHttpError(
+                        HttpCode.UNAUTHORIZED,
+                        "User is not authorized to access this organization"
+                    )
+                );
+            }
+
+            const accessPolicy = await checkOrgAccessPolicy({
+                orgId,
+                userId,
+                sessionId
+            });
+
+            return response(res, {
+                data: accessPolicy,
+                success: true,
+                error: false,
+                message: "User org access policy retrieved successfully",
+                status: HttpCode.OK
+            });
+        } catch (error) {
+            logger.error(error);
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to get user org role"
+                )
+            );
+        }
+    }
+);
+
 // Check if role has access to resource
 hybridRouter.get(
    "/role/:roleId/resource/:resourceId/access",
--- a/server/private/routers/integration.ts
+++ b/server/private/routers/integration.ts
@@ -18,7 +18,8 @@ import * as logs from "#private/routers/auditLogs";
 import {
    verifyApiKeyHasAction,
    verifyApiKeyIsRoot,
-    verifyApiKeyOrgAccess
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess
 } from "@server/middlewares";
 import {
    verifyValidSubscription,
@@ -31,6 +32,8 @@ import {
    authenticated as a
 } from "@server/routers/integration";
 import { logActionAudit } from "#private/middlewares";
+import config from "#private/lib/config";
+import { build } from "@server/build";

 export const unauthenticated = ua;
 export const authenticated = a;
@@ -88,3 +91,49 @@ authenticated.get(
    logActionAudit(ActionsEnum.exportLogs),
    logs.exportAccessAuditLogs
 );
+
+authenticated.put(
+    "/org/:orgId/idp/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.createIdp),
+    logActionAudit(ActionsEnum.createIdp),
+    orgIdp.createOrgOidcIdp
+);
+
+authenticated.post(
+    "/org/:orgId/idp/:idpId/oidc",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.updateIdp),
+    logActionAudit(ActionsEnum.updateIdp),
+    orgIdp.updateOrgOidcIdp
+);
+
+authenticated.delete(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.deleteIdp),
+    logActionAudit(ActionsEnum.deleteIdp),
+    orgIdp.deleteOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp/:idpId",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyIdpAccess,
+    verifyApiKeyHasAction(ActionsEnum.getIdp),
+    orgIdp.getOrgIdp
+);
+
+authenticated.get(
+    "/org/:orgId/idp",
+    verifyValidLicense,
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listIdps),
+    orgIdp.listOrgIdps
+);
--- a/server/private/routers/internal.ts
+++ b/server/private/routers/internal.ts
@@ -16,6 +16,7 @@ import * as auth from "#private/routers/auth";
 import * as orgIdp from "#private/routers/orgIdp";
 import * as billing from "#private/routers/billing";
 import * as license from "#private/routers/license";
+import * as resource from "#private/routers/resource";

 import { verifySessionUserMiddleware } from "@server/middlewares";

@@ -37,3 +38,5 @@ internalRouter.post(
 );

 internalRouter.get(`/license/status`, license.getLicenseStatus);
+
+internalRouter.get("/maintenance/info", resource.getMaintenanceInfo);
--- a/server/private/routers/loginPage/getLoginPageBranding.ts
+++ b/server/private/routers/loginPage/getLoginPageBranding.ts
@@ -29,11 +29,9 @@ import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";

-const paramsSchema = z
-    .object({
-        orgId: z.string()
-    })
-    .strict();
+const paramsSchema = z.strictObject({
+    orgId: z.string()
+});

 export async function getLoginPageBranding(
    req: Request,
--- a/server/private/routers/loginPage/loadLoginPage.ts
+++ b/server/private/routers/loginPage/loadLoginPage.ts
@@ -40,6 +40,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
                eq(loginPage.loginPageId, loginPageOrg.loginPageId)
            )
            .limit(1);
+
+        if (!res) {
+            return null;
+        }
+
        return {
            ...res.loginPage,
            orgId: res.loginPageOrg.orgId
@@ -65,6 +70,11 @@ async function query(orgId: string | undefined, fullDomain: string) {
            )
        )
        .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
    return {
        ...res,
        orgId: orgLink.orgId
--- a/server/private/routers/loginPage/loadLoginPageBranding.ts
+++ b/server/private/routers/loginPage/loadLoginPageBranding.ts
@@ -48,6 +48,11 @@ async function query(orgId: string) {
            )
        )
        .limit(1);
+
+    if (!res) {
+        return null;
+    }
+
    return {
        ...res,
        orgId: orgLink.orgs.orgId,
--- a/server/private/routers/loginPage/upsertLoginPageBranding.ts
+++ b/server/private/routers/loginPage/upsertLoginPageBranding.ts
@@ -28,13 +28,36 @@ import { eq, InferInsertModel } from "drizzle-orm";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
+import config from "@server/private/lib/config";

 const paramsSchema = z.strictObject({
    orgId: z.string()
 });

 const bodySchema = z.strictObject({
-    logoUrl: z.url(),
+    logoUrl: z
+        .union([
+            z.string().length(0),
+            z.url().refine(
+                async (url) => {
+                    try {
+                        const response = await fetch(url);
+                        return (
+                            response.status === 200 &&
+                            (
+                                response.headers.get("content-type") ?? ""
+                            ).startsWith("image/")
+                        );
+                    } catch (error) {
+                        return false;
+                    }
+                },
+                {
+                    error: "Invalid logo URL, must be a valid image URL"
+                }
+            )
+        ])
+        .optional(),
    logoWidth: z.coerce.number<number>().min(1),
    logoHeight: z.coerce.number<number>().min(1),
    resourceTitle: z.string(),
@@ -94,8 +117,14 @@ export async function upsertLoginPageBranding(
            typeof loginPageBranding
        >;

-        if (build !== "saas") {
-            // org branding settings are only considered in the saas build
+        if ((updateData.logoUrl ?? "").trim().length === 0) {
+            updateData.logoUrl = undefined;
+        }
+
+        if (
+            build !== "saas" &&
+            !config.getRawPrivateConfig().flags.use_org_only_idp
+        ) {
            const { orgTitle, orgSubtitle, ...rest } = updateData;
            updateData = rest;
        }
--- a/Show More
+++ b/Show More