Add button to rebuid cache

patch rebuild sites

server/integrationApiServer.ts

@@ -152,17 +152,11 @@ function getOpenApiDocumentation() {
 
             if (!hasExistingResponses) {
                 def.route.responses = {
-                    "200": {
-                        description: "Successful response",
+                    "*": {
+                        description: "",
                         content: {
                             "application/json": {
-                                schema: z.object({
-                                    data: z.unknown().nullable(),
-                                    success: z.boolean(),
-                                    error: z.boolean(),
-                                    message: z.string(),
-                                    status: z.number()
-                                })
+                                schema: z.object({})
                             }
                         }
                     }

server/lib/ip.ts

@@ -873,13 +873,7 @@ export const portRangeStringSchema = z
             message:
                 'Port range must be "*" for all ports, or a comma-separated list of ports and ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535, and ranges must have start <= end.'
         }
-    )
-    .openapi({
-        type: "string",
-        description:
-            'Port range string. Use "*" for all ports, a comma-separated list of ports, or ranges (e.g., "80,443,8000-9000"). Ports must be between 1 and 65535.',
-        example: "80,443,8000-9000"
-    });
+    );
 
 /**
  * Parses a port range string into an array of port range objects

server/lib/openapi/createApiResponseSchema.ts

@@ -1,11 +0,0 @@
-import { z } from "zod";
-
-export function createApiResponseSchema<T extends z.ZodTypeAny>(dataSchema: T) {
-    return z.object({
-        data: dataSchema.nullable(),
-        success: z.boolean(),
-        error: z.boolean(),
-        message: z.string(),
-        status: z.number()
-    });
-}

server/lib/rebuildClientAssociations.ts

@@ -18,7 +18,7 @@ import {
     userOrgRoles,
     userSiteResources
 } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { and, count, eq, inArray, ne } from "drizzle-orm";
 
 import { deletePeer as newtDeletePeer } from "@server/routers/newt/peers";
 import {
@@ -39,6 +39,11 @@ import {
     removePeerData,
     removeTargets as removeSubnetProxyTargets
 } from "@server/routers/client/targets";
+import { lockManager } from "#dynamic/lib/lock";
+
+// TTL for rebuild-association locks. These functions can fan out into many
+// peer/proxy updates, so give them a generous window.
+const REBUILD_ASSOCIATIONS_LOCK_TTL_MS = 120000;
 
 export async function getClientSiteResourceAccess(
     siteResource: SiteResource,
@@ -161,6 +166,23 @@ export async function rebuildClientAssociationsFromSiteResource(
         pubKey: string | null;
         subnet: string | null;
     }[];
+}> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:site-resource:${siteResource.siteResourceId}`,
+        () => rebuildClientAssociationsFromSiteResourceImpl(siteResource, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromSiteResourceImpl(
+    siteResource: SiteResource,
+    trx: Transaction | typeof db = db
+): Promise<{
+    mergedAllClients: {
+        clientId: number;
+        pubKey: string | null;
+        subnet: string | null;
+    }[];
 }> {
     logger.debug(
         `rebuildClientAssociations: [rebuildClientAssociationsFromSiteResource] START siteResourceId=${siteResource.siteResourceId} networkId=${siteResource.networkId} orgId=${siteResource.orgId}`
@@ -539,6 +561,29 @@ async function handleMessagesForSiteClients(
         }
     }
 
+    // get the number of sites on each of these clients so we can log it and make decisions about whether to send messages based on it
+    const clientSiteCounts: Record<number, number> = {};
+    if (clientsToProcess.size > 0) {
+        const clientIdsToProcess = Array.from(clientsToProcess.keys());
+        const siteCounts = await trx
+            .select({
+                clientId: clientSitesAssociationsCache.clientId,
+                siteCount: count(clientSitesAssociationsCache.siteId)
+            })
+            .from(clientSitesAssociationsCache)
+            .where(
+                inArray(
+                    clientSitesAssociationsCache.clientId,
+                    clientIdsToProcess
+                )
+            )
+            .groupBy(clientSitesAssociationsCache.clientId);
+
+        for (const row of siteCounts) {
+            clientSiteCounts[row.clientId] = Number(row.siteCount);
+        }
+    }
+
     for (const client of clientsToProcess.values()) {
         // UPDATE THE NEWT
         if (!client.subnet || !client.pubKey) {
@@ -582,7 +627,14 @@ async function handleMessagesForSiteClients(
         }
 
         if (isAdd) {
-            // TODO: if we are in jit mode here should we really be sending this?
+            if (clientSiteCounts[client.clientId] > 250) {
+                // skip adding the peer if we have more than 250 sites because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${clientSiteCounts[client.clientId]} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
             await initPeerAddHandshake(
                 // this will kick off the add peer process for the client
                 client.clientId,
@@ -600,9 +652,24 @@ async function handleMessagesForSiteClients(
         exitNodeJobs.push(updateClientSiteDestinations(client, trx));
     }
 
-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs); // do the servers first to make sure they are ready?
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for site ${site.siteId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for site ${site.siteId}:`,
+            error
+        );
+    });
 }
 
 interface PeerDestination {
@@ -885,6 +952,17 @@ async function handleSubnetProxyTargetUpdates(
 export async function rebuildClientAssociationsFromClient(
     client: Client,
     trx: Transaction | typeof db = db
+): Promise<void> {
+    return await lockManager.withLock(
+        `rebuild-client-associations:client:${client.clientId}`,
+        () => rebuildClientAssociationsFromClientImpl(client, trx),
+        REBUILD_ASSOCIATIONS_LOCK_TTL_MS
+    );
+}
+
+async function rebuildClientAssociationsFromClientImpl(
+    client: Client,
+    trx: Transaction | typeof db = db
 ): Promise<void> {
     let newSiteResourceIds: number[] = [];
 
@@ -1157,6 +1235,12 @@ async function handleMessagesForClientSites(
     const olmJobs: Promise<any>[] = [];
     const exitNodeJobs: Promise<any>[] = [];
 
+    const totalSitesOnClient = await trx
+        .select({ count: count(clientSitesAssociationsCache.siteId) })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId))
+        .then((rows) => Number(rows[0].count));
+
     for (const siteData of sitesData) {
         const site = siteData.sites;
         const exitNode = siteData.exitNodes;
@@ -1217,7 +1301,14 @@ async function handleMessagesForClientSites(
                 continue;
             }
 
-            // TODO: if we are in jit mode here should we really be sending this?
+            if (totalSitesOnClient > 250) {
+                // skip adding the site if we have more than 250 because we are in jit mode anyway
+                logger.info(
+                    `rebuildClientAssociations: Client ${client.clientId} has ${totalSitesOnClient} sites so skipping adding peer to newt and olm because it is likely in jit mode`
+                );
+                continue;
+            }
+
             await initPeerAddHandshake(
                 // this will kick off the add peer process for the client
                 client.clientId,
@@ -1245,9 +1336,24 @@ async function handleMessagesForClientSites(
         );
     }
 
-    await Promise.all(exitNodeJobs);
-    await Promise.all(newtJobs);
-    await Promise.all(olmJobs);
+    Promise.all(exitNodeJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating client site destinations for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(newtJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Newt peers for client ${client.clientId}:`,
+            error
+        );
+    });
+    Promise.all(olmJobs).catch((error) => {
+        logger.error(
+            `rebuildClientAssociations: Error updating Olm peers for client ${client.clientId}:`,
+            error
+        );
+    });
 }
 
 async function handleMessagesForClientResources(
@@ -1528,3 +1634,195 @@ async function handleMessagesForClientResources(
 
     await Promise.all([...proxyJobs, ...olmJobs]);
 }
+
+export type ClientAssociationsCacheVerification = {
+    clientId: number;
+    consistent: boolean;
+    // What permissions say the cache should contain
+    expectedSiteResourceIds: number[];
+    expectedSiteIds: number[];
+    // What the cache currently contains
+    actualSiteResourceIds: number[];
+    actualSiteIds: number[];
+    // Diff
+    missingSiteResourceIds: number[]; // present in expected, missing from cache
+    extraSiteResourceIds: number[]; // present in cache, not in expected
+    missingSiteIds: number[];
+    extraSiteIds: number[];
+};
+
+// verifyClientAssociationsCache walks the same permission-derivation logic as
+// rebuildClientAssociationsFromClient but does NOT modify the database. It
+// returns the expected vs actual cache contents and a boolean indicating
+// whether the cache is in sync with what permissions imply.
+export async function verifyClientAssociationsCache(
+    client: Client,
+    trx: Transaction | typeof db = db
+): Promise<ClientAssociationsCacheVerification> {
+    let newSiteResourceIds: number[] = [];
+
+    // 1. Direct client associations
+    const directSiteResources = await trx
+        .select({ siteResourceId: clientSiteResources.siteResourceId })
+        .from(clientSiteResources)
+        .innerJoin(
+            siteResources,
+            eq(siteResources.siteResourceId, clientSiteResources.siteResourceId)
+        )
+        .where(
+            and(
+                eq(clientSiteResources.clientId, client.clientId),
+                eq(siteResources.orgId, client.orgId)
+            )
+        );
+
+    newSiteResourceIds.push(
+        ...directSiteResources.map((r) => r.siteResourceId)
+    );
+
+    // 2. User-based and role-based access (if client has a userId)
+    if (client.userId) {
+        const userSiteResourceIds = await trx
+            .select({ siteResourceId: userSiteResources.siteResourceId })
+            .from(userSiteResources)
+            .innerJoin(
+                siteResources,
+                eq(
+                    siteResources.siteResourceId,
+                    userSiteResources.siteResourceId
+                )
+            )
+            .where(
+                and(
+                    eq(userSiteResources.userId, client.userId),
+                    eq(siteResources.orgId, client.orgId)
+                )
+            );
+
+        newSiteResourceIds.push(
+            ...userSiteResourceIds.map((r) => r.siteResourceId)
+        );
+
+        const roleIds = await trx
+            .select({ roleId: userOrgRoles.roleId })
+            .from(userOrgRoles)
+            .where(
+                and(
+                    eq(userOrgRoles.userId, client.userId),
+                    eq(userOrgRoles.orgId, client.orgId)
+                )
+            )
+            .then((rows) => rows.map((row) => row.roleId));
+
+        if (roleIds.length > 0) {
+            const roleSiteResourceIds = await trx
+                .select({ siteResourceId: roleSiteResources.siteResourceId })
+                .from(roleSiteResources)
+                .innerJoin(
+                    siteResources,
+                    eq(
+                        siteResources.siteResourceId,
+                        roleSiteResources.siteResourceId
+                    )
+                )
+                .where(
+                    and(
+                        inArray(roleSiteResources.roleId, roleIds),
+                        eq(siteResources.orgId, client.orgId)
+                    )
+                );
+
+            newSiteResourceIds.push(
+                ...roleSiteResourceIds.map((r) => r.siteResourceId)
+            );
+        }
+    }
+
+    newSiteResourceIds = Array.from(new Set(newSiteResourceIds));
+
+    const newSiteResources =
+        newSiteResourceIds.length > 0
+            ? await trx
+                  .select()
+                  .from(siteResources)
+                  .where(
+                      inArray(siteResources.siteResourceId, newSiteResourceIds)
+                  )
+            : [];
+
+    const networkIds = Array.from(
+        new Set(
+            newSiteResources
+                .map((sr) => sr.networkId)
+                .filter((id): id is number => id !== null)
+        )
+    );
+    const newSiteIds =
+        networkIds.length > 0
+            ? await trx
+                  .select({ siteId: siteNetworks.siteId })
+                  .from(siteNetworks)
+                  .where(inArray(siteNetworks.networkId, networkIds))
+                  .then((rows) =>
+                      Array.from(new Set(rows.map((r) => r.siteId)))
+                  )
+            : [];
+
+    // Read the existing cache state
+    const existingResourceAssociations = await trx
+        .select({
+            siteResourceId: clientSiteResourcesAssociationsCache.siteResourceId
+        })
+        .from(clientSiteResourcesAssociationsCache)
+        .where(
+            eq(clientSiteResourcesAssociationsCache.clientId, client.clientId)
+        );
+    const existingSiteResourceIds = existingResourceAssociations.map(
+        (r) => r.siteResourceId
+    );
+
+    const existingSiteAssociations = await trx
+        .select({ siteId: clientSitesAssociationsCache.siteId })
+        .from(clientSitesAssociationsCache)
+        .where(eq(clientSitesAssociationsCache.clientId, client.clientId));
+    const existingSiteIds = existingSiteAssociations.map((s) => s.siteId);
+
+    const expectedSiteResourceSet = new Set(newSiteResourceIds);
+    const actualSiteResourceSet = new Set(existingSiteResourceIds);
+    const expectedSiteSet = new Set(newSiteIds);
+    const actualSiteSet = new Set(existingSiteIds);
+
+    const missingSiteResourceIds = newSiteResourceIds.filter(
+        (id) => !actualSiteResourceSet.has(id)
+    );
+    const extraSiteResourceIds = existingSiteResourceIds.filter(
+        (id) => !expectedSiteResourceSet.has(id)
+    );
+    const missingSiteIds = newSiteIds.filter((id) => !actualSiteSet.has(id));
+    const extraSiteIds = existingSiteIds.filter(
+        (id) => !expectedSiteSet.has(id)
+    );
+
+    const consistent =
+        missingSiteResourceIds.length === 0 &&
+        extraSiteResourceIds.length === 0 &&
+        missingSiteIds.length === 0 &&
+        extraSiteIds.length === 0;
+
+    return {
+        clientId: client.clientId,
+        consistent,
+        expectedSiteResourceIds: Array.from(expectedSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        expectedSiteIds: Array.from(expectedSiteSet).sort((a, b) => a - b),
+        actualSiteResourceIds: Array.from(actualSiteResourceSet).sort(
+            (a, b) => a - b
+        ),
+        actualSiteIds: Array.from(actualSiteSet).sort((a, b) => a - b),
+        missingSiteResourceIds: missingSiteResourceIds.sort((a, b) => a - b),
+        extraSiteResourceIds: extraSiteResourceIds.sort((a, b) => a - b),
+        missingSiteIds: missingSiteIds.sort((a, b) => a - b),
+        extraSiteIds: extraSiteIds.sort((a, b) => a - b)
+    };
+}

server/private/routers/alertRule/createAlertRule.ts

@@ -202,22 +202,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createAlertRule(

server/private/routers/alertRule/deleteAlertRule.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteAlertRule(

server/private/routers/alertRule/getAlertRule.ts

@@ -49,22 +49,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getAlertRule(

server/private/routers/alertRule/listAlertRules.ts

@@ -95,22 +95,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listAlertRules(

server/private/routers/alertRule/updateAlertRule.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import {
     alertRules,
@@ -149,10 +148,6 @@ const bodySchema = z
 export type UpdateAlertRuleResponse = {
     alertRuleId: number;
 };
-const UpdateAlertRuleResponseDataSchema = z.object({
-    alertRuleId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -169,16 +164,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateAlertRuleResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateAlertRule(

server/private/routers/approvals/processPendingApproval.ts

@@ -24,7 +24,7 @@ import type { NextFunction, Request, Response } from "express";
 
 const paramsSchema = z.strictObject({
     orgId: z.string(),
-    approvalId: z.coerce.number().int().positive()
+    approvalId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const bodySchema = z.strictObject({

server/private/routers/auditLogs/exportAccessAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryAccessAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryAccessAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportAccessAuditLogs(

server/private/routers/auditLogs/exportActionAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryActionAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryActionAuditLogsQuery,
         params: queryActionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportActionAuditLogs(

server/private/routers/auditLogs/exportConnectionAuditLog.ts

@@ -18,7 +18,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryConnectionAuditLogsParams,
@@ -38,22 +37,7 @@ registry.registerPath({
         query: queryConnectionAuditLogsQuery,
         params: queryConnectionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportConnectionAuditLogs(

server/private/routers/auditLogs/queryAccessAuditLog.ts

@@ -324,22 +324,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryAccessAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryAccessAuditLogs(

server/private/routers/auditLogs/queryActionAuditLog.ts

@@ -165,22 +165,7 @@ registry.registerPath({
         query: queryActionAuditLogsQuery,
         params: queryActionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryActionAuditLogs(

server/private/routers/auditLogs/queryConnectionAuditLog.ts

@@ -439,22 +439,7 @@ registry.registerPath({
         query: queryConnectionAuditLogsQuery,
         params: queryConnectionAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function queryConnectionAuditLogs(

server/private/routers/billing/getOrgUsage.ts

@@ -39,22 +39,7 @@ const getOrgSchema = z.strictObject({
 //     request: {
 //         params: getOrgSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function getOrgUsage(

server/private/routers/certificates/getCertificate.ts

@@ -115,22 +115,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getCertificate(

server/private/routers/certificates/restartCertificate.ts

@@ -25,7 +25,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const restartCertificateParamsSchema = z.strictObject({
-    certId: z.coerce.number().int().positive(),
+    certId: z.string().transform(stoi).pipe(z.int().positive()),
     orgId: z.string()
 });
 
@@ -36,26 +36,11 @@ registry.registerPath({
     tags: ["Certificate"],
     request: {
         params: z.object({
-            certId: z.coerce.number().int().positive(),
+            certId: z.string().transform(stoi).pipe(z.int().positive()),
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function restartCertificate(

server/private/routers/domain/checkDomainNamespaceAvailability.ts

@@ -42,22 +42,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function checkDomainNamespaceAvailability(

server/private/routers/domain/listDomainNamespaces.ts

@@ -25,7 +25,6 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.strictObject({});
 
@@ -66,20 +65,6 @@ export type ListDomainNamespacesResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListDomainNamespacesResponseDataSchema = z.object({
-    domainNamespaces: z.array(
-        z.object({
-            domainNamespaceId: z.string(),
-            domainId: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/domains/namepaces",
@@ -88,18 +73,7 @@ registry.registerPath({
     request: {
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListDomainNamespacesResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listDomainNamespaces(

server/private/routers/eventStreamingDestination/createEventStreamingDestination.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import { logStreamingManager } from "#private/lib/logStreaming";
@@ -43,10 +42,6 @@ const bodySchema = z.strictObject({
 export type CreateEventStreamingDestinationResponse = {
     destinationId: number;
 };
-const CreateEventStreamingDestinationResponseDataSchema = z.object({
-    destinationId: z.number()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -63,16 +58,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateEventStreamingDestinationResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createEventStreamingDestination(

server/private/routers/eventStreamingDestination/deleteEventStreamingDestination.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteEventStreamingDestination(

server/private/routers/eventStreamingDestination/listEventStreamingDestinations.ts

@@ -24,7 +24,6 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { eq, sql } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.strictObject({
     orgId: z.string().nonempty()
@@ -68,31 +67,6 @@ export type ListEventStreamingDestinationsResponse = {
     };
 };
 
-const ListEventStreamingDestinationsResponseDataSchema = z.object({
-    destinations: z.array(
-        z.object({
-            destinationId: z.number(),
-            orgId: z.string(),
-            type: z.string(),
-            config: z.string(),
-            enabled: z.boolean(),
-            lastError: z.string().nullable(),
-            lastErrorAt: z.number().nullable(),
-            createdAt: z.number(),
-            updatedAt: z.number(),
-            sendConnectionLogs: z.boolean(),
-            sendRequestLogs: z.boolean(),
-            sendActionLogs: z.boolean(),
-            sendAccessLogs: z.boolean()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 async function query(orgId: string, limit: number, offset: number) {
     const res = await db
         .select()
@@ -114,18 +88,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListEventStreamingDestinationsResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listEventStreamingDestinations(

server/private/routers/eventStreamingDestination/updateEventStreamingDestination.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { eventStreamingDestinations } from "@server/db";
 import response from "@server/lib/response";
@@ -46,10 +45,6 @@ const bodySchema = z.strictObject({
 export type UpdateEventStreamingDestinationResponse = {
     destinationId: number;
 };
-const UpdateEventStreamingDestinationResponseDataSchema = z.object({
-    destinationId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -66,16 +61,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateEventStreamingDestinationResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateEventStreamingDestination(

server/private/routers/external.ts

@@ -31,6 +31,7 @@ import * as siteProvisioning from "#private/routers/siteProvisioning";
 import * as eventStreamingDestination from "#private/routers/eventStreamingDestination";
 import * as alertRule from "#private/routers/alertRule";
 import * as healthChecks from "#private/routers/healthChecks";
+import * as client from "@server/routers/client";
 
 import {
     verifyOrgAccess,
@@ -775,3 +776,15 @@ authenticated.get(
     verifyUserHasAction(ActionsEnum.getTarget),
     healthChecks.getHealthCheckStatusHistory
 );
+
+authenticated.get(
+    "/client/:clientId/verify-associations-cache",
+    verifyClientAccess,
+    client.verifyClientAssociationsCache
+);
+
+authenticated.post(
+    "/client/:clientId/rebuild-associations-cache",
+    verifyClientAccess,
+    client.rebuildClientAssociationsCacheRoute
+);

server/private/routers/healthChecks/createHealthCheck.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, targetHealthCheck, newts, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -53,10 +52,6 @@ const bodySchema = z.strictObject({
 export type CreateHealthCheckResponse = {
     targetHealthCheckId: number;
 };
-const CreateHealthCheckResponseDataSchema = z.object({
-    targetHealthCheckId: z.number()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -73,16 +68,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateHealthCheckResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createHealthCheck(

server/private/routers/healthChecks/deleteHealthCheck.ts

@@ -41,22 +41,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteHealthCheck(

server/private/routers/healthChecks/listHealthChecks.ts

@@ -68,22 +68,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listHealthChecks(

server/private/routers/healthChecks/updateHealthCheck.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, targetHealthCheck, newts, sites } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -82,29 +81,6 @@ export type UpdateHealthCheckResponse = {
     hcHealthyThreshold: number | null;
     hcUnhealthyThreshold: number | null;
 };
-const UpdateHealthCheckResponseDataSchema = z.object({
-    targetHealthCheckId: z.number(),
-    name: z.string().nullable(),
-    siteId: z.number().nullable(),
-    hcEnabled: z.boolean(),
-    hcHealth: z.string().nullable(),
-    hcMode: z.string().nullable(),
-    hcHostname: z.string().nullable(),
-    hcPort: z.number().nullable(),
-    hcPath: z.string().nullable(),
-    hcScheme: z.string().nullable(),
-    hcMethod: z.string().nullable(),
-    hcInterval: z.number().nullable(),
-    hcUnhealthyInterval: z.number().nullable(),
-    hcTimeout: z.number().nullable(),
-    hcHeaders: z.string().nullable(),
-    hcFollowRedirects: z.boolean().nullable(),
-    hcStatus: z.number().nullable(),
-    hcTlsServerName: z.string().nullable(),
-    hcHealthyThreshold: z.number().nullable(),
-    hcUnhealthyThreshold: z.number().nullable()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -121,16 +97,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateHealthCheckResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateHealthCheck(

server/private/routers/loginPage/upsertLoginPageBranding.ts

@@ -26,7 +26,6 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, InferInsertModel } from "drizzle-orm";
 import { build } from "@server/build";
-import { validateLocalPath } from "@app/lib/validateLocalPath";
 import config from "#private/lib/config";
 
 const paramsSchema = z.strictObject({
@@ -34,79 +33,7 @@ const paramsSchema = z.strictObject({
 });
 
 const bodySchema = z.strictObject({
-    logoUrl: z
-        .union([
-            z.literal(""),
-            z
-                .string()
-                .superRefine(async (urlOrPath, ctx) => {
-                    const parseResult = z.url().safeParse(urlOrPath);
-                    if (!parseResult.success) {
-                        if (build !== "enterprise") {
-                            ctx.addIssue({
-                                code: "custom",
-                                message: "Must be a valid URL"
-                            });
-                            return;
-                        } else {
-                            try {
-                                validateLocalPath(urlOrPath);
-                            } catch (error) {
-                                ctx.addIssue({
-                                    code: "custom",
-                                    message: "Must be either a valid image URL or a valid pathname starting with `/` and not containing query parameters, `..` or `*`"
-                                });
-                            } finally {
-                                return;
-                            }
-                        }
-                    }
-
-                    try {
-                        const response = await fetch(urlOrPath, {
-                            method: "HEAD"
-                        }).catch(() => {
-                            // If HEAD fails (CORS or method not allowed), try GET
-                            return fetch(urlOrPath, { method: "GET" });
-                        });
-
-                        if (response.status !== 200) {
-                            ctx.addIssue({
-                                code: "custom",
-                                message: `Failed to load image. Please check that the URL is accessible.`
-                            });
-                            return;
-                        }
-
-                        const contentType =
-                            response.headers.get("content-type") ?? "";
-                        if (!contentType.startsWith("image/")) {
-                            ctx.addIssue({
-                                code: "custom",
-                                message: `URL does not point to an image. Please provide a URL to an image file (e.g., .png, .jpg, .svg).`
-                            });
-                            return;
-                        }
-                    } catch (error) {
-                        let errorMessage =
-                            "Unable to verify image URL. Please check that the URL is accessible and points to an image file.";
-
-                        if (error instanceof TypeError && error.message.includes("fetch")) {
-                            errorMessage =
-                                "Network error: Unable to reach the URL. Please check your internet connection and verify the URL is correct.";
-                        } else if (error instanceof Error) {
-                            errorMessage = `Error verifying URL: ${error.message}`;
-                        }
-
-                        ctx.addIssue({
-                            code: "custom",
-                            message: errorMessage
-                        });
-                    }
-                })
-        ])
-        .transform((val) => (val === "" ? null : val))
-        .nullish(),
+    logoUrl: z.string().optional(),
     logoWidth: z.coerce.number<number>().min(1),
     logoHeight: z.coerce.number<number>().min(1),
     resourceTitle: z.string(),

server/private/routers/orgIdp/createOrgOidcIdp.ts

@@ -63,22 +63,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOrgOidcIdp(

server/private/routers/orgIdp/deleteOrgIdp.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteOrgIdp(

server/private/routers/orgIdp/getOrgIdp.ts

@@ -56,22 +56,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getOrgIdp(

server/private/routers/orgIdp/listOrgIdps.ts

@@ -72,22 +72,7 @@ registry.registerPath({
         query: querySchema,
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listOrgIdps(

server/private/routers/orgIdp/updateOrgOidcIdp.ts

@@ -13,7 +13,6 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, idpOrg } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -55,10 +54,6 @@ const bodySchema = z.strictObject({
 export type UpdateOrgIdpResponse = {
     idpId: number;
 };
-const UpdateOrgIdpResponseDataSchema = z.object({
-    idpId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -75,16 +70,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateOrgIdpResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateOrgOidcIdp(

server/private/routers/re-key/reGenerateClientSecret.ts

@@ -28,7 +28,7 @@ import { OlmErrorCodes, sendOlmError } from "@server/routers/olm/error";
 import { sendTerminateClient } from "@server/routers/client/terminate";
 
 const reGenerateSecretParamsSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const reGenerateSecretBodySchema = z.strictObject({

server/private/routers/re-key/reGenerateSiteSecret.ts

@@ -27,7 +27,7 @@ import { getAllowedIps } from "@server/routers/target/helpers";
 import { disconnectClient, sendToClient } from "#private/routers/ws";
 
 const updateSiteParamsSchema = z.strictObject({
-    siteId: z.coerce.number().int().positive()
+    siteId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const updateSiteBodySchema = z.strictObject({

server/private/routers/ssh/signSshKey.ts

@@ -19,6 +19,7 @@ import {
     logsDb,
     newts,
     roles,
+    roleSiteResources,
     roundTripMessageTracker,
     siteResources,
     siteNetworks,
@@ -92,22 +93,7 @@ export type SignSshKeyResponse = {
 //             }
 //         }
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function signSshKey(
@@ -376,9 +362,26 @@ export async function signSshKey(
         }
 
         const roleRows = await db
-            .select()
+            .select({
+                sshSudoCommands: roles.sshSudoCommands,
+                sshUnixGroups: roles.sshUnixGroups,
+                sshCreateHomeDir: roles.sshCreateHomeDir,
+                sshSudoMode: roles.sshSudoMode
+            })
             .from(roles)
-            .where(inArray(roles.roleId, roleIds));
+            .innerJoin(
+                roleSiteResources,
+                eq(roleSiteResources.roleId, roles.roleId)
+            )
+            .where(
+                and(
+                    inArray(roles.roleId, roleIds),
+                    eq(
+                        roleSiteResources.siteResourceId,
+                        resource.siteResourceId
+                    )
+                )
+            );
 
         const parsedSudoCommands: string[] = [];
         const parsedGroupsSet = new Set<string>();
@@ -394,13 +397,17 @@ export async function signSshKey(
             }
             try {
                 const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
-                if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g));
+                if (Array.isArray(grps))
+                    grps.forEach((g: string) => parsedGroupsSet.add(g));
             } catch {
                 // skip
             }
             if (roleRow?.sshCreateHomeDir === true) homedir = true;
             const m = roleRow?.sshSudoMode ?? "none";
-            if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) {
+            if (
+                sudoModeOrder[m as keyof typeof sudoModeOrder] >
+                sudoModeOrder[sudoMode]
+            ) {
                 sudoMode = m as "none" | "commands" | "full";
             }
         }

server/private/routers/user/addUserRole.ts

@@ -27,7 +27,7 @@ import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAs
 
 const addUserRoleParamsSchema = z.strictObject({
     userId: z.string(),
-    roleId: z.coerce.number()
+    roleId: z.string().transform(stoi).pipe(z.number())
 });
 
 registry.registerPath({
@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: addUserRoleParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function addUserRole(

server/private/routers/user/removeUserRole.ts

@@ -27,7 +27,7 @@ import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAs
 
 const removeUserRoleParamsSchema = z.strictObject({
     userId: z.string(),
-    roleId: z.coerce.number()
+    roleId: z.string().transform(stoi).pipe(z.number())
 });
 
 registry.registerPath({
@@ -39,22 +39,7 @@ registry.registerPath({
     request: {
         params: removeUserRoleParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function removeUserRole(

server/routers/accessToken/deleteAccessToken.ts

@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: deleteAccessTokenParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteAccessToken(

server/routers/accessToken/generateAccessToken.ts

@@ -31,7 +31,7 @@ export const generateAccessTokenBodySchema = z.strictObject({
 });
 
 export const generateAccssTokenParamsSchema = z.strictObject({
-    resourceId: z.coerce.number().int().positive()
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 export type GenerateAccessTokenResponse = Omit<
@@ -54,22 +54,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function generateAccessToken(

server/routers/accessToken/listAccessTokens.ts

@@ -129,22 +129,7 @@ registry.registerPath({
         }),
         query: listAccessTokensSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 registry.registerPath({
@@ -158,22 +143,7 @@ registry.registerPath({
         }),
         query: listAccessTokensSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listAccessTokens(

server/routers/apiKeys/createOrgApiKey.ts

@@ -2,7 +2,6 @@ import { NextFunction, Request, Response } from "express";
 import { db } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { apiKeyOrg, apiKeys } from "@server/db";
 import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
@@ -33,14 +32,6 @@ export type CreateOrgApiKeyResponse = {
     lastChars: string;
     createdAt: string;
 };
-const CreateOrgApiKeyResponseDataSchema = z.object({
-    apiKeyId: z.string(),
-    name: z.string(),
-    apiKey: z.string(),
-    lastChars: z.string(),
-    createdAt: z.string()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -57,16 +48,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateOrgApiKeyResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOrgApiKey(

server/routers/apiKeys/deleteApiKey.ts

@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteApiKey(

server/routers/apiKeys/listApiKeyActions.ts

@@ -9,7 +9,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.object({
     apiKeyId: z.string().nonempty()
@@ -45,19 +44,6 @@ export type ListApiKeyActionsResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListApiKeyActionsResponseDataSchema = z.object({
-    actions: z.array(
-        z.object({
-            actionId: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/api-key/{apiKeyId}/actions",
@@ -67,18 +53,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListApiKeyActionsResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listApiKeyActions(

server/routers/apiKeys/listOrgApiKeys.ts

@@ -9,7 +9,6 @@ import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const querySchema = z.object({
     limit: z
@@ -49,23 +48,6 @@ export type ListOrgApiKeysResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListOrgApiKeysResponseDataSchema = z.object({
-    apiKeys: z.array(
-        z.object({
-            apiKeyId: z.string(),
-            orgId: z.string(),
-            lastChars: z.string(),
-            createdAt: z.string(),
-            name: z.string()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/api-keys",
@@ -75,18 +57,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListOrgApiKeysResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listOrgApiKeys(

server/routers/apiKeys/setApiKeyActions.ts

@@ -36,22 +36,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function setApiKeyActions(

server/routers/auditLogs/exportRequestAuditLog.ts

@@ -5,7 +5,6 @@ import { OpenAPITags } from "@server/openApi";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { fromError } from "zod-validation-error";
-import { z } from "zod";
 import logger from "@server/logger";
 import {
     queryAccessAuditLogsQuery,
@@ -29,22 +28,7 @@ registry.registerPath({
         }),
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function exportRequestAuditLogs(

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -156,22 +156,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export type QueryRequestAnalyticsResponse = Awaited<ReturnType<typeof query>>;

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -227,22 +227,7 @@ registry.registerPath({
         query: queryAccessAuditLogsQuery,
         params: queryRequestAuditLogsParams
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 async function queryUniqueFilterAttributes(

server/routers/auth/checkResourceSession.ts

@@ -9,7 +9,7 @@ import logger from "@server/logger";
 
 export const params = z.strictObject({
     token: z.string(),
-    resourceId: z.coerce.number().int().positive()
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 export type CheckResourceSessionParams = z.infer<typeof params>;

server/routers/auth/lookupUser.ts

@@ -51,22 +51,7 @@ export type LookupUserResponse = {
 //     request: {
 //         body: lookupBodySchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function lookupUser(

server/routers/blueprints/applyJSONBlueprint.ts

@@ -31,22 +31,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function applyJSONBlueprint(

server/routers/blueprints/applyYAMLBlueprint.ts

@@ -54,22 +54,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function applyYAMLBlueprint(

server/routers/blueprints/getBlueprint.ts

@@ -7,12 +7,13 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
+import stoi from "@server/lib/stoi";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { BlueprintData } from "./types";
 
 const getBlueprintSchema = z.strictObject({
-    blueprintId: z.coerce.number().int().positive(),
+    blueprintId: z.string().transform(stoi).pipe(z.int().positive()),
     orgId: z.string()
 });
 
@@ -56,22 +57,7 @@ registry.registerPath({
     request: {
         params: getBlueprintSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getBlueprint(

server/routers/blueprints/listBlueprints.ts

@@ -74,22 +74,7 @@ registry.registerPath({
         }),
         query: listBluePrintsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listBlueprints(

server/routers/client/archiveClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const archiveClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: archiveClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function archiveClient(

server/routers/client/blockClient.ts

@@ -13,7 +13,7 @@ import { sendTerminateClient } from "./terminate";
 import { OlmErrorCodes } from "../olm/error";
 
 const blockClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -24,22 +24,7 @@ registry.registerPath({
     request: {
         params: blockClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function blockClient(

server/routers/client/createClient.ts

@@ -59,22 +59,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createClient(

server/routers/client/createUserClient.ts

@@ -60,22 +60,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createUserClient(

server/routers/client/deleteClient.ts

@@ -14,7 +14,7 @@ import { sendTerminateClient } from "./terminate";
 import { OlmErrorCodes } from "../olm/error";
 
 const deleteClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -25,22 +25,7 @@ registry.registerPath({
     request: {
         params: deleteClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteClient(

server/routers/client/getClient.ts

@@ -253,22 +253,7 @@ registry.registerPath({
             niceId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 registry.registerPath({
@@ -281,22 +266,7 @@ registry.registerPath({
             clientId: z.number()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getClient(

server/routers/client/index.ts

@@ -10,3 +10,5 @@ export * from "./listUserDevices";
 export * from "./updateClient";
 export * from "./getClient";
 export * from "./createUserClient";
+export * from "./verifyClientAssociationsCache";
+export * from "./rebuildClientAssociationsCacheRoute";

server/routers/client/listClients.ts

@@ -186,22 +186,7 @@ registry.registerPath({
         query: listClientsSchema,
         params: listClientsParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listClients(

server/routers/client/listUserDevices.ts

@@ -213,22 +213,7 @@ registry.registerPath({
         query: listUserDevicesSchema,
         params: listUserDevicesParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listUserDevices(

server/routers/client/pickClientDefaults.ts

@@ -6,7 +6,6 @@ import logger from "@server/logger";
 import { generateId } from "@server/auth/sessions/app";
 import { getNextAvailableClientSubnet } from "@server/lib/ip";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
@@ -15,12 +14,6 @@ export type PickClientDefaultsResponse = {
     olmSecret: string;
     subnet: string;
 };
-const PickClientDefaultsResponseDataSchema = z.object({
-    olmId: z.string(),
-    olmSecret: z.string(),
-    subnet: z.string()
-});
-
 
 const pickClientDefaultsSchema = z.strictObject({
     orgId: z.string()
@@ -34,16 +27,7 @@ registry.registerPath({
     request: {
         params: pickClientDefaultsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(PickClientDefaultsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function pickClientDefaults(

server/routers/client/rebuildClientAssociationsCacheRoute.ts

@@ -0,0 +1,81 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const paramsSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "post",
+    path: "/client/{clientId}/rebuild-associations-cache",
+    description:
+        "Rebuild the client's site/site-resource association cache based on current permissions.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function rebuildClientAssociationsCacheRoute(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        await rebuildClientAssociationsFromClient(client);
+
+        return response(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Client association cache rebuilt successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to rebuild client association cache"
+            )
+        );
+    }
+}

server/routers/client/unarchiveClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const unarchiveClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: unarchiveClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function unarchiveClient(

server/routers/client/unblockClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const unblockClientSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -22,22 +22,7 @@ registry.registerPath({
     request: {
         params: unblockClientSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function unblockClient(

server/routers/client/updateClient.ts

@@ -11,7 +11,7 @@ import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
 const updateClientParamsSchema = z.strictObject({
-    clientId: z.coerce.number().int().positive()
+    clientId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 const updateClientSchema = z.strictObject({
@@ -36,22 +36,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateClient(

server/routers/client/verifyClientAssociationsCache.ts

@@ -0,0 +1,83 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db } from "@server/db";
+import { clients } from "@server/db";
+import { eq } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { verifyClientAssociationsCache as verifyClientAssociationsCacheLib } from "@server/lib/rebuildClientAssociations";
+
+const paramsSchema = z.strictObject({
+    clientId: z.string().transform(Number).pipe(z.int().positive())
+});
+
+registry.registerPath({
+    method: "get",
+    path: "/client/{clientId}/verify-associations-cache",
+    description:
+        "Read-only check of whether the client's site/site-resource association cache matches what the current permissions imply.",
+    tags: [OpenAPITags.Client],
+    request: {
+        params: paramsSchema
+    },
+    responses: {}
+});
+
+export async function verifyClientAssociationsCache(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { clientId } = parsedParams.data;
+
+        const [client] = await db
+            .select()
+            .from(clients)
+            .where(eq(clients.clientId, clientId))
+            .limit(1);
+
+        if (!client) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Client with ID ${clientId} not found`
+                )
+            );
+        }
+
+        const report = await verifyClientAssociationsCacheLib(client);
+
+        return response(res, {
+            data: report,
+            success: true,
+            error: false,
+            message: report.consistent
+                ? "Client association cache is consistent"
+                : "Client association cache is INCONSISTENT",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to verify client association cache"
+            )
+        );
+    }
+}

server/routers/domain/getDNSRecords.ts

@@ -37,22 +37,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getDNSRecords(

server/routers/domain/getDomain.ts

@@ -39,22 +39,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getDomain(

server/routers/domain/listDomains.ts

@@ -9,7 +9,6 @@ import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const listDomainsParamsSchema = z.strictObject({
     orgId: z.string()
@@ -57,28 +56,6 @@ export type ListDomainsResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListDomainsResponseDataSchema = z.object({
-    domains: z.array(
-        z.object({
-            domainId: z.string(),
-            baseDomain: z.string(),
-            verified: z.boolean(),
-            type: z.string().nullable(),
-            failed: z.boolean(),
-            tries: z.number(),
-            configManaged: z.boolean(),
-            certResolver: z.string().nullable(),
-            preferWildcardCert: z.boolean().nullable(),
-            errorMessage: z.string().nullable()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/org/{orgId}/domains",
@@ -90,16 +67,7 @@ registry.registerPath({
         }),
         query: listDomainsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(ListDomainsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listDomains(

server/routers/domain/updateDomain.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db, domains, orgDomains } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -25,12 +24,6 @@ export type UpdateDomainResponse = {
     certResolver: string | null;
     preferWildcardCert: boolean | null;
 };
-const UpdateDomainResponseDataSchema = z.object({
-    domainId: z.string(),
-    certResolver: z.string().nullable(),
-    preferWildcardCert: z.boolean().nullable()
-});
-
 
 registry.registerPath({
     method: "patch",
@@ -43,16 +36,7 @@ registry.registerPath({
             orgId: z.string()
         })
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateDomainResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateOrgDomain(

server/routers/idp/createIdpOrgPolicy.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -23,8 +22,6 @@ const bodySchema = z.strictObject({
 });
 
 export type CreateIdpOrgPolicyResponse = {};
-const CreateIdpOrgPolicyResponseDataSchema = z.object({});
-
 
 registry.registerPath({
     method: "put",
@@ -41,16 +38,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateIdpOrgPolicyResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createIdpOrgPolicy(

server/routers/idp/createOidcIdp.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -34,11 +33,6 @@ export type CreateIdpResponse = {
     idpId: number;
     redirectUrl: string;
 };
-const CreateIdpResponseDataSchema = z.object({
-    idpId: z.number(),
-    redirectUrl: z.string()
-});
-
 
 registry.registerPath({
     method: "put",
@@ -54,16 +48,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(CreateIdpResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOidcIdp(

server/routers/idp/deleteIdp.ts

@@ -25,22 +25,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteIdp(

server/routers/idp/deleteIdpOrgPolicy.ts

@@ -23,22 +23,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteIdpOrgPolicy(

server/routers/idp/getIdp.ts

@@ -38,22 +38,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getIdp(

server/routers/idp/listIdpOrgPolicies.ts

@@ -9,7 +9,6 @@ import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const paramsSchema = z.object({
     idpId: z.coerce.number<number>()
@@ -45,21 +44,6 @@ export type ListIdpOrgPoliciesResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListIdpOrgPoliciesResponseDataSchema = z.object({
-    policies: z.array(
-        z.object({
-            idpId: z.number(),
-            orgId: z.string(),
-            assignDefaultOrgRoleId: z.number().nullable()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/idp/{idpId}/org",
@@ -69,18 +53,7 @@ registry.registerPath({
         params: paramsSchema,
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(
-                        ListIdpOrgPoliciesResponseDataSchema
-                    )
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listIdpOrgPolicies(

server/routers/idp/listIdps.ts

@@ -9,7 +9,6 @@ import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const querySchema = z.strictObject({
     limit: z
@@ -55,25 +54,6 @@ export type ListIdpsResponse = {
     };
 };
 
-const ListIdpsResponseDataSchema = z.object({
-    idps: z.array(
-        z.object({
-            idpId: z.number(),
-            name: z.string(),
-            type: z.string(),
-            variant: z.string().nullable(),
-            orgCount: z.number(),
-            autoProvision: z.boolean().nullable(),
-            tags: z.string().nullable()
-        })
-    ),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 registry.registerPath({
     method: "get",
     path: "/idp",
@@ -82,16 +62,7 @@ registry.registerPath({
     request: {
         query: querySchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(ListIdpsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function listIdps(

server/routers/idp/updateIdpOrgPolicy.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -22,8 +21,6 @@ const bodySchema = z.strictObject({
 });
 
 export type UpdateIdpOrgPolicyResponse = {};
-const UpdateIdpOrgPolicyResponseDataSchema = z.object({});
-
 
 registry.registerPath({
     method: "post",
@@ -40,16 +37,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateIdpOrgPolicyResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateIdpOrgPolicy(

server/routers/idp/updateOidcIdp.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -39,10 +38,6 @@ const bodySchema = z.strictObject({
 export type UpdateIdpResponse = {
     idpId: number;
 };
-const UpdateIdpResponseDataSchema = z.object({
-    idpId: z.number()
-});
-
 
 registry.registerPath({
     method: "post",
@@ -59,16 +54,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(UpdateIdpResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateOidcIdp(

server/routers/olm/createUserOlm.ts

@@ -43,22 +43,7 @@ export type CreateOlmResponse = {
 //         },
 //         params: paramsSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function createUserOlm(

server/routers/olm/deleteUserOlm.ts

@@ -28,22 +28,7 @@ const paramsSchema = z
 //     request: {
 //         params: paramsSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function deleteUserOlm(

server/routers/olm/getUserOlm.ts

@@ -30,22 +30,7 @@ const querySchema = z.object({
 //     request: {
 //         params: paramsSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export async function getUserOlm(

server/routers/olm/listUserOlms.ts

@@ -41,22 +41,7 @@ const paramsSchema = z
 //         query: querySchema,
 //         params: paramsSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 export type ListUserOlmsResponse = {

server/routers/org/checkOrgUserAccess.ts

@@ -83,22 +83,7 @@ registry.registerPath({
     request: {
         params: paramsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function checkOrgUserAccess(

server/routers/org/createOrg.ts

@@ -74,22 +74,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function createOrg(

server/routers/org/deleteOrg.ts

@@ -24,22 +24,7 @@ registry.registerPath({
     request: {
         params: deleteOrgSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function deleteOrg(

server/routers/org/getOrg.ts

@@ -1,6 +1,5 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 import { db } from "@server/db";
 import { Org, orgs } from "@server/db";
 import { eq } from "drizzle-orm";
@@ -18,10 +17,6 @@ const getOrgSchema = z.strictObject({
 export type GetOrgResponse = {
     org: Org;
 };
-const GetOrgResponseDataSchema = z.object({
-    org: z.object({}).passthrough()
-});
-
 
 registry.registerPath({
     method: "get",
@@ -31,16 +26,7 @@ registry.registerPath({
     request: {
         params: getOrgSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(GetOrgResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function getOrg(

server/routers/org/listOrgs.ts

@@ -9,7 +9,6 @@ import { sql, inArray, eq } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { createApiResponseSchema } from "@server/lib/openapi/createApiResponseSchema";
 
 const listOrgsSchema = z.object({
     limit: z
@@ -34,16 +33,7 @@ registry.registerPath({
     request: {
         query: listOrgsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: createApiResponseSchema(ListOrgsResponseDataSchema)
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export type ListOrgsResponse = {
@@ -51,15 +41,6 @@ export type ListOrgsResponse = {
     pagination: { total: number; limit: number; offset: number };
 };
 
-const ListOrgsResponseDataSchema = z.object({
-    orgs: z.array(z.object({}).passthrough()),
-    pagination: z.object({
-        total: z.number(),
-        limit: z.number(),
-        offset: z.number()
-    })
-});
-
 export async function listOrgs(
     req: Request,
     res: Response,

server/routers/org/listUserOrgs.ts

@@ -37,22 +37,7 @@ const listOrgsSchema = z.object({
 //     request: {
 //         query: listOrgsSchema
 //     },
-// responses: {
-// 200: {
-// description: "Successful response",
-// content: {
-// "application/json": {
-// schema: z.object({
-// data: z.unknown().nullable(),
-// success: z.boolean(),
-// error: z.boolean(),
-// message: z.string(),
-// status: z.number()
-// })
-// }
-// }
-// }
-// }
+//     responses: {}
 // });
 
 type ResponseOrg = Org & {

server/routers/org/resetOrgBandwidth.ts

@@ -21,22 +21,7 @@ registry.registerPath({
     request: {
         params: resetOrgBandwidthParamsSchema
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function resetOrgBandwidth(

server/routers/org/updateOrg.ts

@@ -61,22 +61,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function updateOrg(

server/routers/resource/addEmailToResourceWhitelist.ts

@@ -22,7 +22,7 @@ const addEmailToResourceWhitelistBodySchema = z.strictObject({
 });
 
 const addEmailToResourceWhitelistParamsSchema = z.strictObject({
-    resourceId: z.coerce.number().int().positive()
+    resourceId: z.string().transform(Number).pipe(z.int().positive())
 });
 
 registry.registerPath({
@@ -40,22 +40,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function addEmailToResourceWhitelist(

server/routers/resource/addRoleToResource.ts

@@ -40,22 +40,7 @@ registry.registerPath({
             }
         }
     },
-    responses: {
-        200: {
-            description: "Successful response",
-            content: {
-                "application/json": {
-                    schema: z.object({
-                        data: z.unknown().nullable(),
-                        success: z.boolean(),
-                        error: z.boolean(),
-                        message: z.string(),
-                        status: z.number()
-                    })
-                }
-            }
-        }
-    }
+    responses: {}
 });
 
 export async function addRoleToResource(