use pricing matrix in existing usePaidStatus funcitons

Add pricing matrix
add rest of tier types
2026-05-05 03:54:22 +00:00 · 2026-02-09 18:17:18 -08:00 · 2026-02-09 18:04:37 -08:00 · 2026-02-09 17:52:28 -08:00 · 2026-02-09 17:42:45 -08:00 · 2026-02-09 17:23:48 -08:00
110 changed files with 2464 additions and 2557 deletions
--- a/docker-compose.pgr.yml
+++ b/docker-compose.pgr.yml
@@ -7,8 +7,8 @@ services:
      POSTGRES_DB: postgres # Default database name
      POSTGRES_USER: postgres # Default user
      POSTGRES_PASSWORD: password # Default password (change for production!)
-    volumes:
+    # volumes:
-      - ./config/postgres:/var/lib/postgresql/data
+    #   - ./config/postgres:/var/lib/postgresql/data
    ports:
      - "5432:5432" # Map host port 5432 to container port 5432
    restart: no
--- a/drizzle.config.ts
+++ b/drizzle.config.ts
@@ -0,0 +1,14 @@
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 const schema = [path.join("server", "db", "pg", "schema")];
 export default defineConfig({
    dialect: "postgresql",
    schema: schema,
    out: path.join("server", "migrations"),
    verbose: true,
    dbCredentials: {
        url: process.env.DATABASE_URL as string
    }
 });
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -55,7 +55,7 @@
    "siteDescription": "Create and manage sites to enable connectivity to private networks",
    "sitesBannerTitle": "Connect Any Network",
    "sitesBannerDescription": "A site is a connection to a remote network that allows Pangolin to provide access to resources, whether public or private, to users anywhere. Install the site network connector (Newt) anywhere you can run a binary or container to establish the connection.",
-    "sitesBannerButtonText": "Install Site",
+    "sitesBannerButtonText": "Install Site Connector",
    "approvalsBannerTitle": "Approve or Deny Device Access",
    "approvalsBannerDescription": "Review and approve or deny device access requests from users. When device approvals are required, users must get admin approval before their devices can connect to your organization's resources.",
    "approvalsBannerButtonText": "Learn More",
@@ -79,8 +79,8 @@
    "siteConfirmCopy": "I have copied the config",
    "searchSitesProgress": "Search sites...",
    "siteAdd": "Add Site",
-    "siteInstallNewt": "Install Newt",
+    "siteInstallNewt": "Install Site",
-    "siteInstallNewtDescription": "Get Newt running on your system",
+    "siteInstallNewtDescription": "Install the site connector for your system",
    "WgConfiguration": "WireGuard Configuration",
    "WgConfigurationDescription": "Use the following configuration to connect to the network",
    "operatingSystem": "Operating System",
@@ -1404,10 +1404,10 @@
    "billingUsageLimitsOverview": "Usage Limits Overview",
    "billingMonitorUsage": "Monitor your usage against configured limits. If you need limits increased please contact us support@pangolin.net.",
    "billingDataUsage": "Data Usage",
-    "billingOnlineTime": "Site Online Time",
+    "billingSites": "Sites",
-    "billingUsers": "Active Users",
+    "billingUsers": "Users",
-    "billingDomains": "Active Domains",
+    "billingDomains": "Domains",
-    "billingRemoteExitNodes": "Active Self-hosted Nodes",
+    "billingRemoteExitNodes": "Remote Nodes",
    "billingNoLimitConfigured": "No limit configured",
    "billingEstimatedPeriod": "Estimated Billing Period",
    "billingIncludedUsage": "Included Usage",
@@ -1432,10 +1432,10 @@
    "billingFailedToGetPortalUrl": "Failed to get portal URL",
    "billingPortalError": "Portal Error",
    "billingDataUsageInfo": "You're charged for all data transferred through your secure tunnels when connected to the cloud. This includes both incoming and outgoing traffic across all your sites. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Data is not charged when using nodes.",
-    "billingOnlineTimeInfo": "You're charged based on how long your sites stay connected to the cloud. For example, 44,640 minutes equals one site running 24/7 for a full month. When you reach your limit, your sites will disconnect until you upgrade your plan or reduce usage. Time is not charged when using nodes.",
+    "billingSInfo": "How many sites you can use",
-    "billingUsersInfo": "You're charged for each user in the organization. Billing is calculated daily based on the number of active user accounts in your org.",
+    "billingUsersInfo": "How many users you can use",
-    "billingDomainInfo": "You're charged for each domain in the organization. Billing is calculated daily based on the number of active domain accounts in your org.",
+    "billingDomainInfo": "How many domains you can use",
-    "billingRemoteExitNodesInfo": "You're charged for each managed Node in the organization. Billing is calculated daily based on the number of active managed Nodes in your org.",
+    "billingRemoteExitNodesInfo": "How many remote nodes you can use",
    "billingLicenseKeys": "License Keys",
    "billingLicenseKeysDescription": "Manage your license key subscriptions",
    "billingLicenseSubscription": "License Subscription",
@@ -1444,7 +1444,6 @@
    "billingQuantity": "Quantity",
    "billingTotal": "total",
    "billingModifyLicenses": "Modify License Subscription",
    "billingPricingCalculatorLink": "View Pricing Calculator",
    "domainNotFound": "Domain Not Found",
    "domainNotFoundDescription": "This resource is disabled because the domain no longer exists our system. Please set a new domain for this resource.",
    "failed": "Failed",
@@ -1521,6 +1520,27 @@
    "resourcePortRequired": "Port number is required for non-HTTP resources",
    "resourcePortNotAllowed": "Port number should not be set for HTTP resources",
    "billingPricingCalculatorLink": "Pricing Calculator",
    "billingYourPlan": "Your Plan",
    "billingViewOrModifyPlan": "View or modify your current plan",
    "billingViewPlanDetails": "View Plan Details",
    "billingUsageAndLimits": "Usage and Limits",
    "billingViewUsageAndLimits": "View your plan's limits and current usage",
    "billingCurrentUsage": "Current Usage",
    "billingMaximumLimits": "Maximum Limits",
    "billingRemoteNodes": "Remote Nodes",
    "billingUnlimited": "Unlimited",
    "billingPaidLicenseKeys": "Paid License Keys",
    "billingManageLicenseSubscription": "Manage your subscription for paid self-hosted license keys",
    "billingCurrentKeys": "Current Keys",
    "billingModifyCurrentPlan": "Modify Current Plan",
    "billingConfirmUpgrade": "Confirm Upgrade",
    "billingConfirmDowngrade": "Confirm Downgrade",
    "billingConfirmUpgradeDescription": "You are about to upgrade your plan. Review the new limits and pricing below.",
    "billingConfirmDowngradeDescription": "You are about to downgrade your plan. Review the new limits and pricing below.",
    "billingPlanIncludes": "Plan Includes",
    "billingProcessing": "Processing...",
    "billingConfirmUpgradeButton": "Confirm Upgrade",
    "billingConfirmDowngradeButton": "Confirm Downgrade",
    "signUpTerms": {
        "IAgreeToThe": "I agree to the",
        "termsOfService": "terms of service",
@@ -1545,8 +1565,8 @@
    "addressDescription": "The internal address of the client. Must fall within the organization's subnet.",
    "selectSites": "Select sites",
    "sitesDescription": "The client will have connectivity to the selected sites",
-    "clientInstallOlm": "Install Olm",
+    "clientInstallOlm": "Install Machine Client",
-    "clientInstallOlmDescription": "Get Olm running on your system",
+    "clientInstallOlmDescription": "Install the machine client for your system",
    "clientOlmCredentials": "Credentials",
    "clientOlmCredentialsDescription": "This is how the client will authenticate with the server",
    "olmEndpoint": "Endpoint",
@@ -2247,6 +2267,7 @@
    "actionLogsDescription": "View a history of actions performed in this organization",
    "accessLogsDescription": "View access auth requests for resources in this organization",
    "licenseRequiredToUse": "An Enterprise license is required to use this feature.",
    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature.",
    "certResolver": "Certificate Resolver",
    "certResolverDescription": "Select the certificate resolver to use for this resource.",
    "selectCertResolver": "Select Certificate Resolver",
--- a/package.json
+++ b/package.json
@@ -14,10 +14,12 @@
        "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
        "dev:check": "npx tsc --noEmit && npm run format:check",
        "dev:setup": "cp config/config.example.yml config/config.yml && npm run set:oss && npm run set:sqlite && npm run db:generate && npm run db:sqlite:push",
-        "db:generate": "drizzle-kit generate --config=./drizzle.config.ts",
+        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
-        "db:studio": "drizzle-kit studio --config=./drizzle.config.ts",
+        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
        "db:clear-migrations": "rm -rf server/migrations",
        "set:oss": "echo 'export const build = \"oss\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.oss.json tsconfig.json",
        "set:saas": "echo 'export const build = \"saas\" as \"saas\" | \"enterprise\" | \"oss\";' > server/build.ts && cp tsconfig.saas.json tsconfig.json",
--- a/server/db/pg/schema/privateSchema.ts
+++ b/server/db/pg/schema/privateSchema.ts
@@ -82,11 +82,14 @@ export const subscriptions = pgTable("subscriptions", {
    canceledAt: bigint("canceledAt", { mode: "number" }),
    createdAt: bigint("createdAt", { mode: "number" }).notNull(),
    updatedAt: bigint("updatedAt", { mode: "number" }),
-    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" })
+    version: integer("version"),
    billingCycleAnchor: bigint("billingCycleAnchor", { mode: "number" }),
    type: varchar("type", { length: 50 }) // tier1, tier2, tier3, or license
 });
 export const subscriptionItems = pgTable("subscriptionItems", {
    subscriptionItemId: serial("subscriptionItemId").primaryKey(),
    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
    subscriptionId: varchar("subscriptionId", { length: 255 })
        .notNull()
        .references(() => subscriptions.subscriptionId, {
@@ -94,6 +97,7 @@ export const subscriptionItems = pgTable("subscriptionItems", {
        }),
    planId: varchar("planId", { length: 255 }).notNull(),
    priceId: varchar("priceId", { length: 255 }),
    featureId: varchar("featureId", { length: 255 }),
    meterId: varchar("meterId", { length: 255 }),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
--- a/server/db/sqlite/schema/privateSchema.ts
+++ b/server/db/sqlite/schema/privateSchema.ts
@@ -70,7 +70,9 @@ export const subscriptions = sqliteTable("subscriptions", {
    canceledAt: integer("canceledAt"),
    createdAt: integer("createdAt").notNull(),
    updatedAt: integer("updatedAt"),
-    billingCycleAnchor: integer("billingCycleAnchor")
+    version: integer("version"),
    billingCycleAnchor: integer("billingCycleAnchor"),
    type: text("type") // tier1, tier2, tier3, or license
 });
 export const subscriptionItems = sqliteTable("subscriptionItems", {
@@ -84,6 +86,7 @@ export const subscriptionItems = sqliteTable("subscriptionItems", {
        }),
    planId: text("planId").notNull(),
    priceId: text("priceId"),
    featureId: text("featureId"),
    meterId: text("meterId"),
    unitAmount: real("unitAmount"),
    tiers: text("tiers"),
--- a/server/integrationApiServer.ts
+++ b/server/integrationApiServer.ts
@@ -105,11 +105,13 @@ function getOpenApiDocumentation() {
        servers: [{ url: "/v1" }]
    });
-    // convert to yaml and save to file
+    if (!process.env.DISABLE_GEN_OPENAPI) {
-    const outputPath = path.join(APP_PATH, "openapi.yaml");
+        // convert to yaml and save to file
-    const yamlOutput = yaml.dump(generated);
+        const outputPath = path.join(APP_PATH, "openapi.yaml");
-    fs.writeFileSync(outputPath, yamlOutput, "utf8");
+        const yamlOutput = yaml.dump(generated);
-    logger.info(`OpenAPI documentation saved to ${outputPath}`);
+        fs.writeFileSync(outputPath, yamlOutput, "utf8");
        logger.info(`OpenAPI documentation saved to ${outputPath}`);
    }
    return generated;
 }
--- a/server/lib/billing/features.ts
+++ b/server/lib/billing/features.ts
@@ -1,30 +1,44 @@
 import Stripe from "stripe";
 import { usageService } from "./usageService";
 export enum FeatureId {
    SITE_UPTIME = "siteUptime",
    USERS = "users",
    SITES = "sites",
    EGRESS_DATA_MB = "egressDataMb",
    DOMAINS = "domains",
-    REMOTE_EXIT_NODES = "remoteExitNodes"
+    REMOTE_EXIT_NODES = "remoteExitNodes",
    TIER1 = "tier1"
 }
-export const FeatureMeterIds: Record<FeatureId, string> = {
+export async function getFeatureDisplayName(featureId: FeatureId): Promise<string> {
-    [FeatureId.SITE_UPTIME]: "mtr_61Srrej5wUJuiTWgo41D3Ee2Ir7WmDLU",
+    switch (featureId) {
-    [FeatureId.USERS]: "mtr_61SrreISyIWpwUNGR41D3Ee2Ir7WmQro",
+        case FeatureId.USERS:
-    [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW",
+            return "Users";
-    [FeatureId.DOMAINS]: "mtr_61Ss9nIKDNMw0LDRU41D3Ee2Ir7WmRPU",
+        case FeatureId.SITES:
-    [FeatureId.REMOTE_EXIT_NODES]: "mtr_61T86UXnfxTVXy9sD41D3Ee2Ir7WmFTE"
+            return "Sites";
        case FeatureId.EGRESS_DATA_MB:
            return "Egress Data (MB)";
        case FeatureId.DOMAINS:
            return "Domains";
        case FeatureId.REMOTE_EXIT_NODES:
            return "Remote Exit Nodes";
        case FeatureId.TIER1:
            return "Home Lab";
        default:
            return featureId;
    }
 }
 // this is from the old system
 export const FeatureMeterIds: Partial<Record<FeatureId, string>> = { // right now we are not charging for any data
    // [FeatureId.EGRESS_DATA_MB]: "mtr_61Srreh9eWrExDSCe41D3Ee2Ir7Wm5YW"
 };
-export const FeatureMeterIdsSandbox: Record<FeatureId, string> = {
+export const FeatureMeterIdsSandbox: Partial<Record<FeatureId, string>> = {
-    [FeatureId.SITE_UPTIME]: "mtr_test_61Snh3cees4w60gv841DCpkOb237BDEu",
+    // [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ"
    [FeatureId.USERS]: "mtr_test_61Sn5fLtq1gSfRkyA41DCpkOb237B6au",
    [FeatureId.EGRESS_DATA_MB]: "mtr_test_61Snh2a2m6qome5Kv41DCpkOb237B3dQ",
    [FeatureId.DOMAINS]: "mtr_test_61SsA8qrdAlgPpFRQ41DCpkOb237BGts",
    [FeatureId.REMOTE_EXIT_NODES]: "mtr_test_61T86Vqmwa3D9ra3341DCpkOb237B94K"
 };
-export function getFeatureMeterId(featureId: FeatureId): string {
+export function getFeatureMeterId(featureId: FeatureId): string | undefined {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
@@ -43,45 +57,103 @@ export function getFeatureIdByMetricId(
    )?.[0];
 }
-export type FeaturePriceSet = {
+export type FeaturePriceSet = Partial<Record<FeatureId, string>>;
-    [key in Exclude<FeatureId, FeatureId.DOMAINS>]: string;
+
-} & {
+export const homeLabFeaturePriceSet: FeaturePriceSet = {
-    [FeatureId.DOMAINS]?: string; // Optional since domains are not billed
+    [FeatureId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
 };
-export const standardFeaturePriceSet: FeaturePriceSet = {
+export const homeLabFeaturePriceSetSandbox: FeaturePriceSet = {
-    // Free tier matches the freeLimitSet
+    [FeatureId.TIER1]: "price_1SxgpPDCpkOb237Bfo4rIsoT"
    [FeatureId.SITE_UPTIME]: "price_1RrQc4D3Ee2Ir7WmaJGZ3MtF",
    [FeatureId.USERS]: "price_1RrQeJD3Ee2Ir7WmgveP3xea",
    [FeatureId.EGRESS_DATA_MB]: "price_1RrQXFD3Ee2Ir7WmvGDlgxQk",
    // [FeatureId.DOMAINS]: "price_1Rz3tMD3Ee2Ir7Wm5qLeASzC",
    [FeatureId.REMOTE_EXIT_NODES]: "price_1S46weD3Ee2Ir7Wm94KEHI4h"
 };
-export const standardFeaturePriceSetSandbox: FeaturePriceSet = {
+export function getHomeLabFeaturePriceSet(): FeaturePriceSet {
    // Free tier matches the freeLimitSet
    [FeatureId.SITE_UPTIME]: "price_1RefFBDCpkOb237BPrKZ8IEU",
    [FeatureId.USERS]: "price_1ReNa4DCpkOb237Bc67G5muF",
    [FeatureId.EGRESS_DATA_MB]: "price_1Rfp9LDCpkOb237BwuN5Oiu0",
    // [FeatureId.DOMAINS]: "price_1Ryi88DCpkOb237B2D6DM80b",
    [FeatureId.REMOTE_EXIT_NODES]: "price_1RyiZvDCpkOb237BXpmoIYJL"
 };
 export function getStandardFeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
-        return standardFeaturePriceSet;
+        return homeLabFeaturePriceSet;
    } else {
-        return standardFeaturePriceSetSandbox;
+        return homeLabFeaturePriceSetSandbox;
    }
 }
-export function getLineItems(
+export const tier2FeaturePriceSet: FeaturePriceSet = {
-    featurePriceSet: FeaturePriceSet
+    [FeatureId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
-): Stripe.Checkout.SessionCreateParams.LineItem[] {
+};
-    return Object.entries(featurePriceSet).map(([featureId, priceId]) => ({
+
-        price: priceId
+export const tier2FeaturePriceSetSandbox: FeaturePriceSet = {
-    }));
+    [FeatureId.USERS]: "price_1SxaEHDCpkOb237BD9lBkPiR"
 };
 export function getStarterFeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
        return tier2FeaturePriceSet;
    } else {
        return tier2FeaturePriceSetSandbox;
    }
 }
 export const tier3FeaturePriceSet: FeaturePriceSet = {
    [FeatureId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
 };
 export const tier3FeaturePriceSetSandbox: FeaturePriceSet = {
    [FeatureId.USERS]: "price_1SxaEODCpkOb237BiXdCBSfs"
 };
 export function getScaleFeaturePriceSet(): FeaturePriceSet {
    if (
        process.env.ENVIRONMENT == "prod" &&
        process.env.SANDBOX_MODE !== "true"
    ) {
        return tier3FeaturePriceSet;
    } else {
        return tier3FeaturePriceSetSandbox;
    }
 }
 export function getFeatureIdByPriceId(priceId: string): FeatureId | undefined {
    // Check all feature price sets
    const allPriceSets = [
        getHomeLabFeaturePriceSet(),
        getStarterFeaturePriceSet(),
        getScaleFeaturePriceSet()
    ];
    for (const priceSet of allPriceSets) {
        const entry = (Object.entries(priceSet) as [FeatureId, string][]).find(
            ([_, price]) => price === priceId
        );
        if (entry) {
            return entry[0];
        }
    }
    return undefined;
 }
 export async function getLineItems(
    featurePriceSet: FeaturePriceSet,
    orgId: string,
 ): Promise<Stripe.Checkout.SessionCreateParams.LineItem[]> {
    const users = await usageService.getUsage(orgId, FeatureId.USERS);
    return Object.entries(featurePriceSet).map(([featureId, priceId]) => {
        let quantity: number | undefined;
        if (featureId === FeatureId.USERS) {
            quantity = users?.instantaneousValue || 1;
        } else if (featureId === FeatureId.TIER1) {
            quantity = 1;
        }
        return {
            price: priceId,
            quantity: quantity
        };
    });
 }
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -1,50 +1,67 @@
 import { FeatureId } from "./features";
-export type LimitSet = {
+export type LimitSet = Partial<{
    [key in FeatureId]: {
        value: number | null; // null indicates no limit
        description?: string;
    };
-};
+}>;
 export const sandboxLimitSet: LimitSet = {
    [FeatureId.SITE_UPTIME]: { value: 2880, description: "Sandbox limit" }, // 1 site up for 2 days
    [FeatureId.USERS]: { value: 1, description: "Sandbox limit" },
-    [FeatureId.EGRESS_DATA_MB]: { value: 1000, description: "Sandbox limit" }, // 1 GB
+    [FeatureId.SITES]: { value: 1, description: "Sandbox limit" },
    [FeatureId.DOMAINS]: { value: 0, description: "Sandbox limit" },
-    [FeatureId.REMOTE_EXIT_NODES]: { value: 0, description: "Sandbox limit" }
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 0, description: "Sandbox limit" },
 };
 export const freeLimitSet: LimitSet = {
-    [FeatureId.SITE_UPTIME]: { value: 46080, description: "Free tier limit" }, // 1 site up for 32 days
+    [FeatureId.USERS]: { value: 5, description: "Starter limit" },
-    [FeatureId.USERS]: { value: 3, description: "Free tier limit" },
+    [FeatureId.SITES]: { value: 5, description: "Starter limit" },
-    [FeatureId.EGRESS_DATA_MB]: {
+    [FeatureId.DOMAINS]: { value: 5, description: "Starter limit" },
-        value: 25000,
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Starter limit" },
        description: "Free tier limit"
    }, // 25 GB
    [FeatureId.DOMAINS]: { value: 3, description: "Free tier limit" },
    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Free tier limit" }
 };
-export const subscribedLimitSet: LimitSet = {
+export const tier1LimitSet: LimitSet = {
-    [FeatureId.SITE_UPTIME]: {
+    [FeatureId.USERS]: { value: 7, description: "Home limit" },
-        value: 2232000,
+    [FeatureId.SITES]: { value: 10, description: "Home limit" },
-        description: "Contact us to increase soft limit."
+    [FeatureId.DOMAINS]: { value: 10, description: "Home limit" },
-    }, // 50 sites up for 31 days
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Home limit" },
 };
 export const tier2LimitSet: LimitSet = {
    [FeatureId.USERS]: {
-        value: 150,
+        value: 100,
-        description: "Contact us to increase soft limit."
+        description: "Team limit"
    },
    [FeatureId.SITES]: {
        value: 50,
        description: "Team limit"
    },
    [FeatureId.EGRESS_DATA_MB]: {
        value: 12000000,
        description: "Contact us to increase soft limit."
    }, // 12000 GB
    [FeatureId.DOMAINS]: {
-        value: 250,
+        value: 50,
-        description: "Contact us to increase soft limit."
+        description: "Team limit"
    },
    [FeatureId.REMOTE_EXIT_NODES]: {
-        value: 5,
+        value: 3,
-        description: "Contact us to increase soft limit."
+        description: "Team limit"
-    }
+    },
 };
 export const tier3LimitSet: LimitSet = {
    [FeatureId.USERS]: {
        value: 500,
        description: "Business limit"
    },
    [FeatureId.SITES]: {
        value: 250,
        description: "Business limit"
    },
    [FeatureId.DOMAINS]: {
        value: 100,
        description: "Business limit"
    },
    [FeatureId.REMOTE_EXIT_NODES]: {
        value: 20,
        description: "Business limit"
    },
 };
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -0,0 +1,38 @@
 import { Tier } from "@server/types/Tiers";
 export enum TierFeature {
    OrgOidc = "orgOidc",
    CustomAuthenticationDomain = "customAuthenticationDomain",
    DeviceApprovals = "deviceApprovals",
    LoginPageBranding = "loginPageBranding",
    LogExport = "logExport",
    AccessLogs = "accessLogs",
    ActionLogs = "actionLogs",
    RotateCredentials = "rotateCredentials",
    MaintencePage = "maintencePage",
    DevicePosture = "devicePosture",
    TwoFactorEnforcement = "twoFactorEnforcement",
    SessionDurationPolicies = "sessionDurationPolicies",
    PasswordExpirationPolicies = "passwordExpirationPolicies"
 }
 export const tierMatrix: Record<TierFeature, Tier[]> = {
    [TierFeature.OrgOidc]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.CustomAuthenticationDomain]: [
        "tier1",
        "tier2",
        "tier3",
        "enterprise"
    ],
    [TierFeature.DeviceApprovals]: ["tier1", "tier3", "enterprise"],
    [TierFeature.LoginPageBranding]: ["tier1", "tier3", "enterprise"],
    [TierFeature.LogExport]: ["tier3", "enterprise"],
    [TierFeature.AccessLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.ActionLogs]: ["tier2", "tier3", "enterprise"],
    [TierFeature.RotateCredentials]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.MaintencePage]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.DevicePosture]: ["tier2", "tier3", "enterprise"],
    [TierFeature.TwoFactorEnforcement]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.SessionDurationPolicies]: ["tier1", "tier2", "tier3", "enterprise"],
    [TierFeature.PasswordExpirationPolicies]: ["tier1", "tier2", "tier3", "enterprise"]
 };
--- a/server/lib/billing/tiers.ts
+++ b/server/lib/billing/tiers.ts
@@ -1,34 +0,0 @@
 export enum TierId {
    STANDARD = "standard"
 }
 export type TierPriceSet = {
    [key in TierId]: string;
 };
 export const tierPriceSet: TierPriceSet = {
    // Free tier matches the freeLimitSet
    [TierId.STANDARD]: "price_1RrQ9cD3Ee2Ir7Wmqdy3KBa0"
 };
 export const tierPriceSetSandbox: TierPriceSet = {
    // Free tier matches the freeLimitSet
    // when matching tier the keys closer to 0 index are matched first so list the tiers in descending order of value
    [TierId.STANDARD]: "price_1RrAYJDCpkOb237By2s1P32m"
 };
 export function getTierPriceSet(
    environment?: string,
    sandbox_mode?: boolean
 ): TierPriceSet {
    if (
        (process.env.ENVIRONMENT == "prod" &&
            process.env.SANDBOX_MODE !== "true") ||
        (environment === "prod" && sandbox_mode !== true)
    ) {
        // THIS GETS LOADED CLIENT SIDE AND SERVER SIDE
        return tierPriceSet;
    } else {
        return tierPriceSetSandbox;
    }
 }
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -1,8 +1,6 @@
 import { eq, sql, and } from "drizzle-orm";
 import { v4 as uuidv4 } from "uuid";
 import { PutObjectCommand } from "@aws-sdk/client-s3";
 import * as fs from "fs/promises";
 import * as path from "path";
 import {
    db,
    usage,
@@ -20,6 +18,7 @@ import { sendToClient } from "#dynamic/routers/ws";
 import { build } from "@server/build";
 import { s3Client } from "@server/lib/s3";
 import cache from "@server/lib/cache";
 import privateConfig from "@server/private/lib/config";
 interface StripeEvent {
    identifier?: string;
@@ -32,11 +31,7 @@ interface StripeEvent {
 }
 export function noop() {
-    if (
+    if (build !== "saas") {
        build !== "saas" ||
        !process.env.S3_BUCKET ||
        !process.env.LOCAL_FILE_PATH
    ) {
        return true;
    }
    return false;
@@ -44,31 +39,48 @@ export function noop() {
 export class UsageService {
    private bucketName: string | undefined;
-    private currentEventFile: string | null = null;
+    private events: StripeEvent[] = [];
-    private currentFileStartTime: number = 0;
+    private lastUploadTime: number = Date.now();
-    private eventsDir: string | undefined;
+    private isUploading: boolean = false;
    private uploadingFiles: Set<string> = new Set();
    constructor() {
        if (noop()) {
            return;
        }
-        // this.bucketName = privateConfig.getRawPrivateConfig().stripe?.s3Bucket;
+
        // this.eventsDir = privateConfig.getRawPrivateConfig().stripe?.localFilePath;
        this.bucketName = process.env.S3_BUCKET || undefined;
        this.eventsDir = process.env.LOCAL_FILE_PATH || undefined;
-        // Ensure events directory exists
+        if (
-        this.initializeEventsDirectory().then(() => {
+            // Only set up event uploading if usage reporting is enabled and bucket name is configured
-            this.uploadPendingEventFilesOnStartup();
+            privateConfig.getRawPrivateConfig().flags.usage_reporting &&
-        });
+            this.bucketName
        ) {
            // Periodically check and upload events
            setInterval(() => {
                this.checkAndUploadEvents().catch((err) => {
                    logger.error("Error in periodic event upload:", err);
                });
            }, 30000); // every 30 seconds
-        // Periodically check for old event files to upload
+            // Handle graceful shutdown on SIGTERM
-        setInterval(() => {
+            process.on("SIGTERM", async () => {
-            this.uploadOldEventFiles().catch((err) => {
+                logger.info(
-                logger.error("Error in periodic event file upload:", err);
+                    "SIGTERM received, uploading events before shutdown..."
                );
                await this.forceUpload();
                logger.info("Events uploaded, proceeding with shutdown");
            });
-        }, 30000); // every 30 seconds
+
            // Handle SIGINT as well (Ctrl+C)
            process.on("SIGINT", async () => {
                logger.info(
                    "SIGINT received, uploading events before shutdown..."
                );
                await this.forceUpload();
                logger.info("Events uploaded, proceeding with shutdown");
                process.exit(0);
            });
        }
    }
    /**
@@ -78,85 +90,6 @@ export class UsageService {
        return Math.round(value * 100000000000) / 100000000000; // 11 decimal places
    }
    private async initializeEventsDirectory(): Promise<void> {
        if (!this.eventsDir) {
            logger.warn(
                "Stripe local file path is not configured, skipping events directory initialization."
            );
            return;
        }
        try {
            await fs.mkdir(this.eventsDir, { recursive: true });
        } catch (error) {
            logger.error("Failed to create events directory:", error);
        }
    }
    private async uploadPendingEventFilesOnStartup(): Promise<void> {
        if (!this.eventsDir || !this.bucketName) {
            logger.warn(
                "Stripe local file path or bucket name is not configured, skipping leftover event file upload."
            );
            return;
        }
        try {
            const files = await fs.readdir(this.eventsDir);
            for (const file of files) {
                if (file.endsWith(".json")) {
                    const filePath = path.join(this.eventsDir, file);
                    try {
                        const fileContent = await fs.readFile(
                            filePath,
                            "utf-8"
                        );
                        const events = JSON.parse(fileContent);
                        if (Array.isArray(events) && events.length > 0) {
                            // Upload to S3
                            const uploadCommand = new PutObjectCommand({
                                Bucket: this.bucketName,
                                Key: file,
                                Body: fileContent,
                                ContentType: "application/json"
                            });
                            await s3Client.send(uploadCommand);
                            // Check if file still exists before unlinking
                            try {
                                await fs.access(filePath);
                                await fs.unlink(filePath);
                            } catch (unlinkError) {
                                logger.debug(
                                    `Startup file ${file} was already deleted`
                                );
                            }
                            logger.info(
                                `Uploaded leftover event file ${file} to S3 with ${events.length} events`
                            );
                        } else {
                            // Remove empty file
                            try {
                                await fs.access(filePath);
                                await fs.unlink(filePath);
                            } catch (unlinkError) {
                                logger.debug(
                                    `Empty startup file ${file} was already deleted`
                                );
                            }
                        }
                    } catch (err) {
                        logger.error(
                            `Error processing leftover event file ${file}:`,
                            err
                        );
                    }
                }
            }
        } catch (error) {
            logger.error("Failed to scan for leftover event files");
        }
    }
    public async add(
        orgId: string,
        featureId: FeatureId,
@@ -206,7 +139,9 @@ export class UsageService {
                }
                // Log event for Stripe
-                await this.logStripeEvent(featureId, value, customerId);
+                if (privateConfig.getRawPrivateConfig().flags.usage_reporting) {
                    await this.logStripeEvent(featureId, value, customerId);
                }
                return usage || null;
            } catch (error: any) {
@@ -286,7 +221,7 @@ export class UsageService {
        return new Date(date * 1000).toISOString().split("T")[0];
    }
-    async updateDaily(
+    async updateCount(
        orgId: string,
        featureId: FeatureId,
        value?: number,
@@ -312,8 +247,6 @@ export class UsageService {
                value = this.truncateValue(value);
            }
            const today = this.getTodayDateString();
            let currentUsage: Usage | null = null;
            await db.transaction(async (trx) => {
@@ -327,66 +260,34 @@ export class UsageService {
                    .limit(1);
                if (currentUsage) {
-                    const lastUpdateDate = this.getDateString(
+                    await trx
-                        currentUsage.updatedAt
+                        .update(usage)
-                    );
+                        .set({
-                    const currentRunningTotal = currentUsage.latestValue;
+                            instantaneousValue: value,
-                    const lastDailyValue = currentUsage.instantaneousValue || 0;
+                            updatedAt: Math.floor(Date.now() / 1000)
-
+                        })
-                    if (value == undefined || value === null) {
+                        .where(eq(usage.usageId, usageId));
                        value = currentUsage.instantaneousValue || 0;
                    }
                    if (lastUpdateDate === today) {
                        // Same day update: replace the daily value
                        // Remove old daily value from running total, add new value
                        const newRunningTotal = this.truncateValue(
                            currentRunningTotal - lastDailyValue + value
                        );
                        await trx
                            .update(usage)
                            .set({
                                latestValue: newRunningTotal,
                                instantaneousValue: value,
                                updatedAt: Math.floor(Date.now() / 1000)
                            })
                            .where(eq(usage.usageId, usageId));
                    } else {
                        // New day: add to running total
                        const newRunningTotal = this.truncateValue(
                            currentRunningTotal + value
                        );
                        await trx
                            .update(usage)
                            .set({
                                latestValue: newRunningTotal,
                                instantaneousValue: value,
                                updatedAt: Math.floor(Date.now() / 1000)
                            })
                            .where(eq(usage.usageId, usageId));
                    }
                } else {
                    // First record for this meter
                    const meterId = getFeatureMeterId(featureId);
                    const truncatedValue = this.truncateValue(value || 0);
                    await trx.insert(usage).values({
                        usageId,
                        featureId,
                        orgId,
                        meterId,
-                        instantaneousValue: truncatedValue,
+                        instantaneousValue: value || 0,
-                        latestValue: truncatedValue,
+                        latestValue: value || 0,
                        updatedAt: Math.floor(Date.now() / 1000)
                    });
                }
            });
-            await this.logStripeEvent(featureId, value || 0, customerId);
+            if (privateConfig.getRawPrivateConfig().flags.usage_reporting) {
                await this.logStripeEvent(featureId, value || 0, customerId);
            }
        } catch (error) {
            logger.error(
-                `Failed to update daily usage for ${orgId}/${featureId}:`,
+                `Failed to update count usage for ${orgId}/${featureId}:`,
                error
            );
        }
@@ -450,121 +351,58 @@ export class UsageService {
            }
        };
-        await this.writeEventToFile(event);
+        this.addEventToMemory(event);
-        await this.checkAndUploadFile();
+        await this.checkAndUploadEvents();
    }
-    private async writeEventToFile(event: StripeEvent): Promise<void> {
+    private addEventToMemory(event: StripeEvent): void {
-        if (!this.eventsDir || !this.bucketName) {
+        if (!this.bucketName) {
            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping event file write."
+                "S3 bucket name is not configured, skipping event storage."
            );
            return;
        }
-        if (!this.currentEventFile) {
+        this.events.push(event);
            this.currentEventFile = this.generateEventFileName();
            this.currentFileStartTime = Date.now();
        }
        const filePath = path.join(this.eventsDir, this.currentEventFile);
        try {
            let events: StripeEvent[] = [];
            // Try to read existing file
            try {
                const fileContent = await fs.readFile(filePath, "utf-8");
                events = JSON.parse(fileContent);
            } catch (error) {
                // File doesn't exist or is empty, start with empty array
                events = [];
            }
            // Add new event
            events.push(event);
            // Write back to file
            await fs.writeFile(filePath, JSON.stringify(events, null, 2));
        } catch (error) {
            logger.error("Failed to write event to file:", error);
        }
    }
-    private async checkAndUploadFile(): Promise<void> {
+    private async checkAndUploadEvents(): Promise<void> {
        if (!this.currentEventFile) {
            return;
        }
        const now = Date.now();
-        const fileAge = now - this.currentFileStartTime;
+        const timeSinceLastUpload = now - this.lastUploadTime;
-        // Check if file is at least 1 minute old
+        // Check if at least 1 minute has passed since last upload
-        if (fileAge >= 60000) {
+        if (timeSinceLastUpload >= 60000 && this.events.length > 0) {
-            // 60 seconds
+            await this.uploadEventsToS3();
            await this.uploadFileToS3();
        }
    }
-    private async uploadFileToS3(): Promise<void> {
+    private async uploadEventsToS3(): Promise<void> {
-        if (!this.bucketName || !this.eventsDir) {
+        if (!this.bucketName) {
            logger.warn(
-                "Stripe local file path or bucket name is not configured, skipping S3 upload."
+                "S3 bucket name is not configured, skipping S3 upload."
            );
            return;
        }
        if (!this.currentEventFile) {
            return;
        }
        const fileName = this.currentEventFile;
        const filePath = path.join(this.eventsDir, fileName);
        // Check if this file is already being uploaded
        if (this.uploadingFiles.has(fileName)) {
            logger.debug(
                `File ${fileName} is already being uploaded, skipping`
            );
            return;
        }
-        // Mark file as being uploaded
+        if (this.events.length === 0) {
-        this.uploadingFiles.add(fileName);
+            return;
        }
        // Check if already uploading
        if (this.isUploading) {
            logger.debug("Already uploading events, skipping");
            return;
        }
        this.isUploading = true;
        try {
-            // Check if file exists before trying to read it
+            // Take a snapshot of current events and clear the array
-            try {
+            const eventsToUpload = [...this.events];
-                await fs.access(filePath);
+            this.events = [];
-            } catch (error) {
+            this.lastUploadTime = Date.now();
                logger.debug(
                    `File ${fileName} does not exist, may have been already processed`
                );
                this.uploadingFiles.delete(fileName);
                // Reset current file if it was this file
                if (this.currentEventFile === fileName) {
                    this.currentEventFile = null;
                    this.currentFileStartTime = 0;
                }
                return;
            }
-            // Check if file exists and has content
+            const fileName = this.generateEventFileName();
-            const fileContent = await fs.readFile(filePath, "utf-8");
+            const fileContent = JSON.stringify(eventsToUpload, null, 2);
            const events = JSON.parse(fileContent);
            if (events.length === 0) {
                // No events to upload, just clean up
                try {
                    await fs.unlink(filePath);
                } catch (unlinkError) {
                    // File may have been already deleted
                    logger.debug(
                        `File ${fileName} was already deleted during cleanup`
                    );
                }
                this.currentEventFile = null;
                this.uploadingFiles.delete(fileName);
                return;
            }
            // Upload to S3
            const uploadCommand = new PutObjectCommand({
@@ -576,29 +414,15 @@ export class UsageService {
            await s3Client.send(uploadCommand);
            // Clean up local file - check if it still exists before unlinking
            try {
                await fs.access(filePath);
                await fs.unlink(filePath);
            } catch (unlinkError) {
                // File may have been already deleted by another process
                logger.debug(
                    `File ${fileName} was already deleted during upload`
                );
            }
            logger.info(
-                `Uploaded ${fileName} to S3 with ${events.length} events`
+                `Uploaded ${fileName} to S3 with ${eventsToUpload.length} events`
            );
            // Reset for next file
            this.currentEventFile = null;
            this.currentFileStartTime = 0;
        } catch (error) {
-            logger.error(`Failed to upload ${fileName} to S3:`, error);
+            logger.error("Failed to upload events to S3:", error);
            // Note: Events are lost if upload fails. In a production system,
            // you might want to add the events back to the array or implement retry logic
        } finally {
-            // Always remove from uploading set
+            this.isUploading = false;
            this.uploadingFiles.delete(fileName);
        }
    }
@@ -683,129 +507,16 @@ export class UsageService {
        }
    }
    public async getUsageDaily(
        orgId: string,
        featureId: FeatureId
    ): Promise<Usage | null> {
        if (noop()) {
            return null;
        }
        await this.updateDaily(orgId, featureId); // Ensure daily usage is updated
        return this.getUsage(orgId, featureId);
    }
    public async forceUpload(): Promise<void> {
-        await this.uploadFileToS3();
+        if (this.events.length > 0) {
-    }
+            // Force upload regardless of time
-
+            this.lastUploadTime = 0; // Reset to force upload
-    /**
+            await this.uploadEventsToS3();
     * Scan the events directory for files older than 1 minute and upload them if not empty.
     */
    private async uploadOldEventFiles(): Promise<void> {
        if (!this.eventsDir || !this.bucketName) {
            logger.warn(
                "Stripe local file path or bucket name is not configured, skipping old event file upload."
            );
            return;
        }
        try {
            const files = await fs.readdir(this.eventsDir);
            const now = Date.now();
            for (const file of files) {
                if (!file.endsWith(".json")) continue;
                // Skip files that are already being uploaded
                if (this.uploadingFiles.has(file)) {
                    logger.debug(
                        `Skipping file ${file} as it's already being uploaded`
                    );
                    continue;
                }
                const filePath = path.join(this.eventsDir, file);
                try {
                    // Check if file still exists before processing
                    try {
                        await fs.access(filePath);
                    } catch (accessError) {
                        logger.debug(`File ${file} does not exist, skipping`);
                        continue;
                    }
                    const stat = await fs.stat(filePath);
                    const age = now - stat.mtimeMs;
                    if (age >= 90000) {
                        // 1.5 minutes - Mark as being uploaded
                        this.uploadingFiles.add(file);
                        try {
                            const fileContent = await fs.readFile(
                                filePath,
                                "utf-8"
                            );
                            const events = JSON.parse(fileContent);
                            if (Array.isArray(events) && events.length > 0) {
                                // Upload to S3
                                const uploadCommand = new PutObjectCommand({
                                    Bucket: this.bucketName,
                                    Key: file,
                                    Body: fileContent,
                                    ContentType: "application/json"
                                });
                                await s3Client.send(uploadCommand);
                                // Check if file still exists before unlinking
                                try {
                                    await fs.access(filePath);
                                    await fs.unlink(filePath);
                                } catch (unlinkError) {
                                    logger.debug(
                                        `File ${file} was already deleted during interval upload`
                                    );
                                }
                                logger.info(
                                    `Interval: Uploaded event file ${file} to S3 with ${events.length} events`
                                );
                                // If this was the current event file, reset it
                                if (this.currentEventFile === file) {
                                    this.currentEventFile = null;
                                    this.currentFileStartTime = 0;
                                }
                            } else {
                                // Remove empty file
                                try {
                                    await fs.access(filePath);
                                    await fs.unlink(filePath);
                                } catch (unlinkError) {
                                    logger.debug(
                                        `Empty file ${file} was already deleted`
                                    );
                                }
                            }
                        } finally {
                            // Always remove from uploading set
                            this.uploadingFiles.delete(file);
                        }
                    }
                } catch (err) {
                    logger.error(
                        `Interval: Error processing event file ${file}:`,
                        err
                    );
                    // Remove from uploading set on error
                    this.uploadingFiles.delete(file);
                }
            }
        } catch (err) {
            logger.error("Interval: Failed to scan for event files:", err);
        }
    }
    public async checkLimitSet(
        orgId: string,
        kickSites = false,
        featureId?: FeatureId,
        usage?: Usage,
        trx: Transaction | typeof db = db
@@ -879,58 +590,6 @@ export class UsageService {
                    break; // Exit early if any limit is exceeded
                }
            }
            // If any limits are exceeded, disconnect all sites for this organization
            if (hasExceededLimits && kickSites) {
                logger.warn(
                    `Disconnecting all sites for org ${orgId} due to exceeded limits`
                );
                // Get all sites for this organization
                const orgSites = await trx
                    .select()
                    .from(sites)
                    .where(eq(sites.orgId, orgId));
                // Mark all sites as offline and send termination messages
                const siteUpdates = orgSites.map((site) => site.siteId);
                if (siteUpdates.length > 0) {
                    // Send termination messages to newt sites
                    for (const site of orgSites) {
                        if (site.type === "newt") {
                            const [newt] = await trx
                                .select()
                                .from(newts)
                                .where(eq(newts.siteId, site.siteId))
                                .limit(1);
                            if (newt) {
                                const payload = {
                                    type: `newt/wg/terminate`,
                                    data: {
                                        reason: "Usage limits exceeded"
                                    }
                                };
                                // Don't await to prevent blocking
                                await sendToClient(newt.newtId, payload).catch(
                                    (error: any) => {
                                        logger.error(
                                            `Failed to send termination message to newt ${newt.newtId}:`,
                                            error
                                        );
                                    }
                                );
                            }
                        }
                    }
                    logger.info(
                        `Disconnected ${orgSites.length} sites for org ${orgId} due to exceeded limits`
                    );
                }
            }
        } catch (error) {
            logger.error(`Error checking limits for org ${orgId}:`, error);
        }
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -32,7 +32,8 @@ import { resourcePassword } from "@server/db";
 import { hashPassword } from "@server/auth/password";
 import { isValidCIDR, isValidIP, isValidUrlGlobPattern } from "../validators";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
-import { build } from "@server/build";
+import { tierMatrix } from "../billing/tierMatrix";
 import { t } from "@faker-js/faker/dist/airline-DF6RqYmq";
 export type ProxyResourcesResults = {
    proxyResource: Resource;
@@ -212,7 +213,7 @@ export async function updateProxyResources(
            } else {
                // Update existing resource
-                const isLicensed = await isLicensedOrSubscribed(orgId);
+                const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
                if (!isLicensed) {
                    resourceData.maintenance = undefined;
                }
@@ -648,7 +649,7 @@ export async function updateProxyResources(
                );
            }
-            const isLicensed = await isLicensedOrSubscribed(orgId);
+            const isLicensed = await isLicensedOrSubscribed(orgId, tierMatrix.maintencePage);
            if (!isLicensed) {
                resourceData.maintenance = undefined;
            }
--- a/server/lib/calculateUserClientsForOrgs.ts
+++ b/server/lib/calculateUserClientsForOrgs.ts
@@ -20,6 +20,7 @@ import { sendTerminateClient } from "@server/routers/client/terminate";
 import { and, eq, notInArray, type InferInsertModel } from "drizzle-orm";
 import { rebuildClientAssociationsFromClient } from "./rebuildClientAssociations";
 import { OlmErrorCodes } from "@server/routers/olm/error";
 import { tierMatrix } from "./billing/tierMatrix";
 export async function calculateUserClientsForOrgs(
    userId: string,
@@ -189,7 +190,8 @@ export async function calculateUserClientsForOrgs(
                const niceId = await getUniqueClientName(orgId);
                const isOrgLicensed = await isLicensedOrSubscribed(
-                    userOrg.orgId
+                    userOrg.orgId,
                    tierMatrix.deviceApprovals
                );
                const requireApproval =
                    build !== "oss" &&
--- a/server/lib/config.ts
+++ b/server/lib/config.ts
@@ -107,6 +107,11 @@ export class Config {
            process.env.MAXMIND_ASN_PATH = parsedConfig.server.maxmind_asn_path;
        }
        process.env.DISABLE_ENTERPRISE_FEATURES = parsedConfig.flags
            ?.disable_enterprise_features
            ? "true"
            : "false";
        this.rawConfig = parsedConfig;
    }
--- a/server/lib/createUserAccountOrg.ts
+++ b/server/lib/createUserAccountOrg.ts
@@ -182,7 +182,7 @@ export async function createUserAccountOrg(
    const customerId = await createCustomer(orgId, userEmail);
    if (customerId) {
-        await usageService.updateDaily(orgId, FeatureId.USERS, 1, customerId); // Only 1 because we are crating the org
+        await usageService.updateCount(orgId, FeatureId.USERS, 1, customerId); // Only 1 because we are crating the org
    }
    return {
--- a/server/lib/isLicencedOrSubscribed.ts
+++ b/server/lib/isLicencedOrSubscribed.ts
@@ -1,3 +1,8 @@
-export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
+import { Tier } from "@server/types/Tiers";
 export async function isLicensedOrSubscribed(
    orgId: string,
    tiers: Tier[]
 ): Promise<boolean> {
    return false;
-}
+}
--- a/server/lib/isSubscribed.ts
+++ b/server/lib/isSubscribed.ts
@@ -0,0 +1,8 @@
 import { Tier } from "@server/types/Tiers";
 export async function isSubscribed(
    orgId: string,
    tiers: Tier[]
 ): Promise<boolean> {
    return false;
 }
--- a/server/lib/readConfigFile.ts
+++ b/server/lib/readConfigFile.ts
@@ -331,7 +331,8 @@ export const configSchema = z
                disable_local_sites: z.boolean().optional(),
                disable_basic_wireguard_sites: z.boolean().optional(),
                disable_config_managed_domains: z.boolean().optional(),
-                disable_product_help_banners: z.boolean().optional()
+                disable_product_help_banners: z.boolean().optional(),
                disable_enterprise_features: z.boolean().optional()
            })
            .optional(),
        dns: z
--- a/server/private/lib/billing/getOrgTierData.ts
+++ b/server/private/lib/billing/getOrgTierData.ts
@@ -11,46 +11,59 @@
 * This file is not licensed under the AGPLv3.
 */
 import { getTierPriceSet } from "@server/lib/billing/tiers";
 import { getOrgSubscriptionsData } from "@server/private/routers/billing/getOrgSubscriptions";
 import { build } from "@server/build";
 import { db, customers, subscriptions } from "@server/db";
 import { Tier } from "@server/types/Tiers";
 import { eq, and, ne } from "drizzle-orm";
 export async function getOrgTierData(
    orgId: string
-): Promise<{ tier: string | null; active: boolean }> {
+): Promise<{ tier: Tier | null; active: boolean }> {
-    let tier = null;
+    let tier: Tier | null = null;
    let active = false;
    if (build !== "saas") {
        return { tier, active };
    }
-    // TODO: THIS IS INEFFICIENT!!! WE SHOULD IMPROVE HOW WE STORE TIERS WITH SUBSCRIPTIONS AND RETRIEVE THEM
+    try {
        // Get customer for org
        const [customer] = await db
            .select()
            .from(customers)
            .where(eq(customers.orgId, orgId))
            .limit(1);
-    const subscriptionsWithItems = await getOrgSubscriptionsData(orgId);
+        if (customer) {
            // Query for active subscriptions that are not license type
            const [subscription] = await db
                .select()
                .from(subscriptions)
                .where(
                    and(
                        eq(subscriptions.customerId, customer.customerId),
                        eq(subscriptions.status, "active"),
                        ne(subscriptions.type, "license")
                    )
                )
                .limit(1);
-    for (const { subscription, items } of subscriptionsWithItems) {
+            if (subscription) {
-        if (items && items.length > 0) {
+                // Validate that subscription.type is one of the expected tier values
-            const tierPriceSet = getTierPriceSet();
+                if (
-            // Iterate through tiers in order (earlier keys are higher tiers)
+                    subscription.type === "tier1" ||
-            for (const [tierId, priceId] of Object.entries(tierPriceSet)) {
+                    subscription.type === "tier2" ||
-                // Check if any subscription item matches this tier's price ID
+                    subscription.type === "tier3"
-                const matchingItem = items.find((item) => item.priceId === priceId);
+                ) {
-                if (matchingItem) {
+                    tier = subscription.type;
-                    tier = tierId;
+                    active = true;
                    break;
                }
            }
        }
-
+    } catch (error) {
-        if (subscription && subscription.status === "active") {
+        // If org not found or error occurs, return null tier and inactive
-            active = true;
+        // This is acceptable behavior as per the function signature
        }
        // If we found a tier and active subscription, we can stop
        if (tier && active) {
            break;
        }
    }
    return { tier, active };
 }
--- a/server/private/lib/checkOrgAccessPolicy.ts
+++ b/server/private/lib/checkOrgAccessPolicy.ts
@@ -13,8 +13,6 @@
 import { build } from "@server/build";
 import { db, Org, orgs, ResourceSession, sessions, users } from "@server/db";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import license from "#private/license/license";
 import { eq } from "drizzle-orm";
 import {
@@ -80,6 +78,8 @@ export async function checkOrgAccessPolicy(
        }
    }
    // TODO: check that the org is subscribed
    // get the needed data
    if (!props.org) {
--- a/server/private/lib/config.ts
+++ b/server/private/lib/config.ts
@@ -128,10 +128,7 @@ export class PrivateConfig {
        if (this.rawPrivateConfig.stripe?.s3Bucket) {
            process.env.S3_BUCKET = this.rawPrivateConfig.stripe.s3Bucket;
        }
-        if (this.rawPrivateConfig.stripe?.localFilePath) {
+
            process.env.LOCAL_FILE_PATH =
                this.rawPrivateConfig.stripe.localFilePath;
        }
        if (this.rawPrivateConfig.stripe?.s3Region) {
            process.env.S3_REGION = this.rawPrivateConfig.stripe.s3Region;
        }
--- a/server/private/lib/isLicencedOrSubscribed.ts
+++ b/server/private/lib/isLicencedOrSubscribed.ts
@@ -13,18 +13,20 @@
 import { build } from "@server/build";
 import license from "#private/license/license";
-import { getOrgTierData } from "#private/lib/billing";
+import { isSubscribed } from "#private/lib/isSubscribed";
-import { TierId } from "@server/lib/billing/tiers";
+import { Tier } from "@server/types/Tiers";
-export async function isLicensedOrSubscribed(orgId: string): Promise<boolean> {
+export async function isLicensedOrSubscribed(
    orgId: string,
    tiers: Tier[]
 ): Promise<boolean> {
    if (build === "enterprise") {
        return await license.isUnlocked();
    }
    if (build === "saas") {
-        const { tier } = await getOrgTierData(orgId);
+        return isSubscribed(orgId, tiers);
        return tier === TierId.STANDARD;
    }
    return false;
-}
+}
--- a/server/private/lib/isSubscribed.ts
+++ b/server/private/lib/isSubscribed.ts
@@ -0,0 +1,29 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
 import { Tier } from "@server/types/Tiers";
 export async function isSubscribed(
    orgId: string,
    tiers: Tier[]
 ): Promise<boolean> {
    if (build === "saas") {
        const { tier, active } = await getOrgTierData(orgId);
        const isTier = (tier && tiers.includes(tier)) || false;
        return active && isTier;
    }
    return false;
 }
--- a/server/private/lib/readConfigFile.ts
+++ b/server/private/lib/readConfigFile.ts
@@ -95,7 +95,8 @@ export const privateConfigSchema = z.object({
        .object({
            enable_redis: z.boolean().optional().default(false),
            use_pangolin_dns: z.boolean().optional().default(false),
-            use_org_only_idp: z.boolean().optional().default(false)
+            use_org_only_idp: z.boolean().optional().default(false),
            usage_reporting: z.boolean().optional().default(false)
        })
        .optional()
        .prefault({}),
@@ -178,7 +179,7 @@ export const privateConfigSchema = z.object({
                .transform(getEnvOrYaml("STRIPE_WEBHOOK_SECRET")),
            s3Bucket: z.string(),
            s3Region: z.string().default("us-east-1"),
-            localFilePath: z.string()
+            localFilePath: z.string().optional()
        })
        .optional()
 });
--- a/server/private/middlewares/verifySubscription.ts
+++ b/server/private/middlewares/verifySubscription.ts
@@ -16,46 +16,61 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
 import { Tier } from "@server/types/Tiers";
 export function verifyValidSubscription(tiers: Tier[]) {
    return async function (
        req: Request,
        res: Response,
        next: NextFunction
    ): Promise<any> {
        try {
            if (build != "saas") {
                return next();
            }
            const orgId =
                req.params.orgId ||
                req.body.orgId ||
                req.query.orgId ||
                req.userOrgId;
            if (!orgId) {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        "Organization ID is required to verify subscription"
                    )
                );
            }
            const { tier, active } = await getOrgTierData(orgId);
            const isTier = tiers.includes(tier || "");
            if (!active) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Organization does not have an active subscription"
                    )
                );
            }
            if (!isTier) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Organization subscription tier does not have access to this feature"
                    )
                );
            }
 export async function verifyValidSubscription(
    req: Request,
    res: Response,
    next: NextFunction
 ) {
    try {
        if (build != "saas") {
            return next();
-        }
+        } catch (e) {
        const orgId = req.params.orgId || req.body.orgId || req.query.orgId || req.userOrgId;
        if (!orgId) {
            return next(
                createHttpError(
-                    HttpCode.BAD_REQUEST,
+                    HttpCode.INTERNAL_SERVER_ERROR,
-                    "Organization ID is required to verify subscription"
+                    "Error verifying subscription"
                )
            );
        }
-
+    };
        const tier = await getOrgTierData(orgId);
        if (!tier.active) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Organization does not have an active subscription"
                )
            );
        }
        return next();
    } catch (e) {
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Error verifying subscription"
            )
        );
    }
 }
--- a/server/private/routers/approvals/listApprovals.ts
+++ b/server/private/routers/approvals/listApprovals.ts
@@ -19,8 +19,6 @@ import { fromError } from "zod-validation-error";
 import type { Request, Response, NextFunction } from "express";
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import {
    approvals,
    clients,
@@ -221,19 +219,6 @@ export async function listApprovals(
        const { orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const approvalsList = await queryApprovals(
            orgId.toString(),
            limit,
--- a/server/private/routers/approvals/processPendingApproval.ts
+++ b/server/private/routers/approvals/processPendingApproval.ts
@@ -17,10 +17,7 @@ import createHttpError from "http-errors";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
 import { build } from "@server/build";
 import { approvals, clients, db, orgs, type Approval } from "@server/db";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import response from "@server/lib/response";
 import { and, eq, type InferInsertModel } from "drizzle-orm";
 import type { NextFunction, Request, Response } from "express";
@@ -64,20 +61,6 @@ export async function processPendingApproval(
        }
        const { orgId, approvalId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const updateData = parsedBody.data;
        const approval = await db
--- a/server/private/routers/auth/index.ts
+++ b/server/private/routers/auth/index.ts
@@ -13,4 +13,3 @@
 export * from "./transferSession";
 export * from "./getSessionTransferToken";
 export * from "./quickStart";
--- a/server/private/routers/auth/quickStart.ts
+++ b/server/private/routers/auth/quickStart.ts
@@ -1,585 +0,0 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { NextFunction, Request, Response } from "express";
 import {
    account,
    db,
    domainNamespaces,
    domains,
    exitNodes,
    newts,
    newtSessions,
    orgs,
    passwordResetTokens,
    Resource,
    resourcePassword,
    resourcePincode,
    resources,
    resourceWhitelist,
    roleResources,
    roles,
    roleSites,
    sites,
    targetHealthCheck,
    targets,
    userResources,
    userSites
 } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import { users } from "@server/db";
 import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
 import response from "@server/lib/response";
 import { SqliteError } from "better-sqlite3";
 import { eq, and, sql } from "drizzle-orm";
 import moment from "moment";
 import { generateId } from "@server/auth/sessions/app";
 import config from "@server/lib/config";
 import logger from "@server/logger";
 import { hashPassword } from "@server/auth/password";
 import { UserType } from "@server/types/UserTypes";
 import { createUserAccountOrg } from "@server/lib/createUserAccountOrg";
 import { sendEmail } from "@server/emails";
 import WelcomeQuickStart from "@server/emails/templates/WelcomeQuickStart";
 import { alphabet, generateRandomString } from "oslo/crypto";
 import { createDate, TimeSpan } from "oslo";
 import { getUniqueResourceName, getUniqueSiteName } from "@server/db/names";
 import { pickPort } from "@server/routers/target/helpers";
 import { addTargets } from "@server/routers/newt/targets";
 import { isTargetValid } from "@server/lib/validators";
 import { listExitNodes } from "#private/lib/exitNodes";
 const bodySchema = z.object({
    email: z.email().toLowerCase(),
    ip: z.string().refine(isTargetValid),
    method: z.enum(["http", "https"]),
    port: z.int().min(1).max(65535),
    pincode: z
        .string()
        .regex(/^\d{6}$/)
        .optional(),
    password: z.string().min(4).max(100).optional(),
    enableWhitelist: z.boolean().optional().default(true),
    animalId: z.string() // This is actually the secret key for the backend
 });
 export type QuickStartBody = z.infer<typeof bodySchema>;
 export type QuickStartResponse = {
    newtId: string;
    newtSecret: string;
    resourceUrl: string;
    completeSignUpLink: string;
 };
 const DEMO_UBO_KEY = "b460293f-347c-4b30-837d-4e06a04d5a22";
 export async function quickStart(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    const parsedBody = bodySchema.safeParse(req.body);
    if (!parsedBody.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedBody.error).toString()
            )
        );
    }
    const {
        email,
        ip,
        method,
        port,
        pincode,
        password,
        enableWhitelist,
        animalId
    } = parsedBody.data;
    try {
        const tokenValidation = validateTokenOnApi(animalId);
        if (!tokenValidation.isValid) {
            logger.warn(
                `Quick start failed for ${email} token ${animalId}: ${tokenValidation.message}`
            );
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "Invalid or expired token"
                )
            );
        }
        if (animalId === DEMO_UBO_KEY) {
            if (email !== "mehrdad@getubo.com") {
                return next(
                    createHttpError(
                        HttpCode.BAD_REQUEST,
                        "Invalid email for demo Ubo key"
                    )
                );
            }
            const [existing] = await db
                .select()
                .from(users)
                .where(
                    and(
                        eq(users.email, email),
                        eq(users.type, UserType.Internal)
                    )
                );
            if (existing) {
                // delete the user if it already exists
                await db.delete(users).where(eq(users.userId, existing.userId));
                const orgId = `org_${existing.userId}`;
                await db.delete(orgs).where(eq(orgs.orgId, orgId));
            }
        }
        const tempPassword = generateId(15);
        const passwordHash = await hashPassword(tempPassword);
        const userId = generateId(15);
        // TODO: see if that user already exists?
        // Create the sandbox user
        const existing = await db
            .select()
            .from(users)
            .where(
                and(eq(users.email, email), eq(users.type, UserType.Internal))
            );
        if (existing && existing.length > 0) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "A user with that email address already exists"
                )
            );
        }
        let newtId: string;
        let secret: string;
        let fullDomain: string;
        let resource: Resource;
        let completeSignUpLink: string;
        await db.transaction(async (trx) => {
            await trx.insert(users).values({
                userId: userId,
                type: UserType.Internal,
                username: email,
                email: email,
                passwordHash,
                dateCreated: moment().toISOString()
            });
            // create user"s account
            await trx.insert(account).values({
                userId
            });
        });
        const { success, error, org } = await createUserAccountOrg(
            userId,
            email
        );
        if (!success) {
            if (error) {
                throw new Error(error);
            }
            throw new Error("Failed to create user account and organization");
        }
        if (!org) {
            throw new Error("Failed to create user account and organization");
        }
        const orgId = org.orgId;
        await db.transaction(async (trx) => {
            const token = generateRandomString(
                8,
                alphabet("0-9", "A-Z", "a-z")
            );
            await trx
                .delete(passwordResetTokens)
                .where(eq(passwordResetTokens.userId, userId));
            const tokenHash = await hashPassword(token);
            await trx.insert(passwordResetTokens).values({
                userId: userId,
                email: email,
                tokenHash,
                expiresAt: createDate(new TimeSpan(7, "d")).getTime()
            });
            // // Create the sandbox newt
            // const newClientAddress = await getNextAvailableClientSubnet(orgId);
            // if (!newClientAddress) {
            //     throw new Error("No available subnet found");
            // }
            // const clientAddress = newClientAddress.split("/")[0];
            newtId = generateId(15);
            secret = generateId(48);
            // Create the sandbox site
            const siteNiceId = await getUniqueSiteName(orgId);
            const siteName = `First Site`;
            // pick a random exit node
            const exitNodesList = await listExitNodes(orgId);
            // select a random exit node
            const randomExitNode =
                exitNodesList[Math.floor(Math.random() * exitNodesList.length)];
            if (!randomExitNode) {
                throw new Error("No exit nodes available");
            }
            const [newSite] = await trx
                .insert(sites)
                .values({
                    orgId,
                    exitNodeId: randomExitNode.exitNodeId,
                    name: siteName,
                    niceId: siteNiceId,
                    // address: clientAddress,
                    type: "newt",
                    dockerSocketEnabled: true
                })
                .returning();
            const siteId = newSite.siteId;
            const adminRole = await trx
                .select()
                .from(roles)
                .where(and(eq(roles.isAdmin, true), eq(roles.orgId, orgId)))
                .limit(1);
            if (adminRole.length === 0) {
                throw new Error("Admin role not found");
            }
            await trx.insert(roleSites).values({
                roleId: adminRole[0].roleId,
                siteId: newSite.siteId
            });
            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
                // make sure the user can access the site
                await trx.insert(userSites).values({
                    userId: req.user?.userId!,
                    siteId: newSite.siteId
                });
            }
            // add the peer to the exit node
            const secretHash = await hashPassword(secret!);
            await trx.insert(newts).values({
                newtId: newtId!,
                secretHash,
                siteId: newSite.siteId,
                dateCreated: moment().toISOString()
            });
            const [randomNamespace] = await trx
                .select()
                .from(domainNamespaces)
                .orderBy(sql`RANDOM()`)
                .limit(1);
            if (!randomNamespace) {
                throw new Error("No domain namespace available");
            }
            const [randomNamespaceDomain] = await trx
                .select()
                .from(domains)
                .where(eq(domains.domainId, randomNamespace.domainId))
                .limit(1);
            if (!randomNamespaceDomain) {
                throw new Error("No domain found for the namespace");
            }
            const resourceNiceId = await getUniqueResourceName(orgId);
            // Create sandbox resource
            const subdomain = `${resourceNiceId}-${generateId(5)}`;
            fullDomain = `${subdomain}.${randomNamespaceDomain.baseDomain}`;
            const resourceName = `First Resource`;
            const newResource = await trx
                .insert(resources)
                .values({
                    niceId: resourceNiceId,
                    fullDomain,
                    domainId: randomNamespaceDomain.domainId,
                    orgId,
                    name: resourceName,
                    subdomain,
                    http: true,
                    protocol: "tcp",
                    ssl: true,
                    sso: false,
                    emailWhitelistEnabled: enableWhitelist
                })
                .returning();
            await trx.insert(roleResources).values({
                roleId: adminRole[0].roleId,
                resourceId: newResource[0].resourceId
            });
            if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
                // make sure the user can access the resource
                await trx.insert(userResources).values({
                    userId: req.user?.userId!,
                    resourceId: newResource[0].resourceId
                });
            }
            resource = newResource[0];
            // Create the sandbox target
            const { internalPort, targetIps } = await pickPort(siteId!, trx);
            if (!internalPort) {
                throw new Error("No available internal port");
            }
            const newTarget = await trx
                .insert(targets)
                .values({
                    resourceId: resource.resourceId,
                    siteId: siteId!,
                    internalPort,
                    ip,
                    method,
                    port,
                    enabled: true
                })
                .returning();
            const newHealthcheck = await trx
                .insert(targetHealthCheck)
                .values({
                    targetId: newTarget[0].targetId,
                    hcEnabled: false
                })
                .returning();
            // add the new target to the targetIps array
            targetIps.push(`${ip}/32`);
            const [newt] = await trx
                .select()
                .from(newts)
                .where(eq(newts.siteId, siteId!))
                .limit(1);
            await addTargets(
                newt.newtId,
                newTarget,
                newHealthcheck,
                resource.protocol
            );
            // Set resource pincode if provided
            if (pincode) {
                await trx
                    .delete(resourcePincode)
                    .where(
                        eq(resourcePincode.resourceId, resource!.resourceId)
                    );
                const pincodeHash = await hashPassword(pincode);
                await trx.insert(resourcePincode).values({
                    resourceId: resource!.resourceId,
                    pincodeHash,
                    digitLength: 6
                });
            }
            // Set resource password if provided
            if (password) {
                await trx
                    .delete(resourcePassword)
                    .where(
                        eq(resourcePassword.resourceId, resource!.resourceId)
                    );
                const passwordHash = await hashPassword(password);
                await trx.insert(resourcePassword).values({
                    resourceId: resource!.resourceId,
                    passwordHash
                });
            }
            // Set resource OTP if whitelist is enabled
            if (enableWhitelist) {
                await trx.insert(resourceWhitelist).values({
                    email,
                    resourceId: resource!.resourceId
                });
            }
            completeSignUpLink = `${config.getRawConfig().app.dashboard_url}/auth/reset-password?quickstart=true&email=${email}&token=${token}`;
            // Store token for email outside transaction
            await sendEmail(
                WelcomeQuickStart({
                    username: email,
                    link: completeSignUpLink,
                    fallbackLink: `${config.getRawConfig().app.dashboard_url}/auth/reset-password?quickstart=true&email=${email}`,
                    resourceMethod: method,
                    resourceHostname: ip,
                    resourcePort: port,
                    resourceUrl: `https://${fullDomain}`,
                    cliCommand: `newt --id ${newtId} --secret ${secret}`
                }),
                {
                    to: email,
                    from: config.getNoReplyEmail(),
                    subject: `Access your Pangolin dashboard and resources`
                }
            );
        });
        return response<QuickStartResponse>(res, {
            data: {
                newtId: newtId!,
                newtSecret: secret!,
                resourceUrl: `https://${fullDomain!}`,
                completeSignUpLink: completeSignUpLink!
            },
            success: true,
            error: false,
            message: "Quick start completed successfully",
            status: HttpCode.OK
        });
    } catch (e) {
        if (e instanceof SqliteError && e.code === "SQLITE_CONSTRAINT_UNIQUE") {
            if (config.getRawConfig().app.log_failed_attempts) {
                logger.info(
                    `Account already exists with that email. Email: ${email}. IP: ${req.ip}.`
                );
            }
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "A user with that email address already exists"
                )
            );
        } else {
            logger.error(e);
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to do quick start"
                )
            );
        }
    }
 }
 const BACKEND_SECRET_KEY = "4f9b6000-5d1a-11f0-9de7-ff2cc032f501";
 /**
 * Validates a token received from the frontend.
 * @param {string} token The validation token from the request.
 * @returns {{ isValid: boolean; message: string }} An object indicating if the token is valid.
 */
 const validateTokenOnApi = (
    token: string
 ): { isValid: boolean; message: string } => {
    if (token === DEMO_UBO_KEY) {
        // Special case for demo UBO key
        return { isValid: true, message: "Demo UBO key is valid." };
    }
    if (!token) {
        return { isValid: false, message: "Error: No token provided." };
    }
    try {
        // 1. Decode the base64 string
        const decodedB64 = atob(token);
        // 2. Reverse the character code manipulation
        const deobfuscated = decodedB64
            .split("")
            .map((char) => String.fromCharCode(char.charCodeAt(0) - 5)) // Reverse the shift
            .join("");
        // 3. Split the data to get the original secret and timestamp
        const parts = deobfuscated.split("|");
        if (parts.length !== 2) {
            throw new Error("Invalid token format.");
        }
        const receivedKey = parts[0];
        const tokenTimestamp = parseInt(parts[1], 10);
        // 4. Check if the secret key matches
        if (receivedKey !== BACKEND_SECRET_KEY) {
            return { isValid: false, message: "Invalid token: Key mismatch." };
        }
        // 5. Check if the timestamp is recent (e.g., within 30 seconds) to prevent replay attacks
        const now = Date.now();
        const timeDifference = now - tokenTimestamp;
        if (timeDifference > 30000) {
            // 30 seconds
            return { isValid: false, message: "Invalid token: Expired." };
        }
        if (timeDifference < 0) {
            // Timestamp is in the future
            return {
                isValid: false,
                message: "Invalid token: Timestamp is in the future."
            };
        }
        // If all checks pass, the token is valid
        return { isValid: true, message: "Token is valid!" };
    } catch (error) {
        // This will catch errors from atob (if not valid base64) or other issues.
        return {
            isValid: false,
            message: `Error: ${(error as Error).message}`
        };
    }
 };
--- a/server/private/routers/billing/changeTier.ts
+++ b/server/private/routers/billing/changeTier.ts
@@ -0,0 +1,266 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { customers, db, subscriptions, subscriptionItems } from "@server/db";
 import { eq, and, or } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import stripe from "#private/lib/stripe";
 import {
    getHomeLabFeaturePriceSet,
    getScaleFeaturePriceSet,
    getStarterFeaturePriceSet,
    getLineItems,
    FeatureId,
    type FeaturePriceSet
 } from "@server/lib/billing";
 const changeTierSchema = z.strictObject({
    orgId: z.string()
 });
 const changeTierBodySchema = z.strictObject({
    tier: z.enum(["tier1", "tier2", "tier3"])
 });
 export async function changeTier(
    req: Request,
    res: Response,
    next: NextFunction
 ): Promise<any> {
    try {
        const parsedParams = changeTierSchema.safeParse(req.params);
        if (!parsedParams.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedParams.error).toString()
                )
            );
        }
        const { orgId } = parsedParams.data;
        const parsedBody = changeTierBodySchema.safeParse(req.body);
        if (!parsedBody.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedBody.error).toString()
                )
            );
        }
        const { tier } = parsedBody.data;
        // Get the customer for this org
        const [customer] = await db
            .select()
            .from(customers)
            .where(eq(customers.orgId, orgId))
            .limit(1);
        if (!customer) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "No customer found for this organization"
                )
            );
        }
        // Get the active subscription for this customer
        const [subscription] = await db
            .select()
            .from(subscriptions)
            .where(
                and(
                    eq(subscriptions.customerId, customer.customerId),
                    eq(subscriptions.status, "active"),
                    or(
                        eq(subscriptions.type, "tier1"),
                        eq(subscriptions.type, "tier2"),
                        eq(subscriptions.type, "tier3")
                    )
                )
            )
            .limit(1);
        if (!subscription) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "No active subscription found for this organization"
                )
            );
        }
        // Get the target tier's price set
        let targetPriceSet: FeaturePriceSet;
        if (tier === "tier1") {
            targetPriceSet = getHomeLabFeaturePriceSet();
        } else if (tier === "tier2") {
            targetPriceSet = getStarterFeaturePriceSet();
        } else if (tier === "tier3") {
            targetPriceSet = getScaleFeaturePriceSet();
        } else {
            return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid tier"));
        }
        // Get current subscription items from our database
        const currentItems = await db
            .select()
            .from(subscriptionItems)
            .where(
                eq(
                    subscriptionItems.subscriptionId,
                    subscription.subscriptionId
                )
            );
        if (currentItems.length === 0) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    "No subscription items found"
                )
            );
        }
        // Retrieve the full subscription from Stripe to get item IDs
        const stripeSubscription = await stripe!.subscriptions.retrieve(
            subscription.subscriptionId
        );
        // Determine if we're switching between different products
        // tier1 uses TIER1 product, tier2/tier3 use USERS product
        const currentTier = subscription.type;
        const switchingProducts =
            (currentTier === "tier1" && (tier === "tier2" || tier === "tier3")) ||
            ((currentTier === "tier2" || currentTier === "tier3") && tier === "tier1");
        let updatedSubscription;
        if (switchingProducts) {
            // When switching between different products, we need to:
            // 1. Delete old subscription items
            // 2. Add new subscription items
            logger.info(
                `Switching products from ${currentTier} to ${tier} for subscription ${subscription.subscriptionId}`
            );
            // Build array to delete all existing items and add new ones
            const itemsToUpdate: any[] = [];
            // Mark all existing items for deletion
            for (const stripeItem of stripeSubscription.items.data) {
                itemsToUpdate.push({
                    id: stripeItem.id,
                    deleted: true
                });
            }
            // Add new items for the target tier
            const newLineItems = await getLineItems(targetPriceSet, orgId);
            for (const lineItem of newLineItems) {
                itemsToUpdate.push(lineItem);
            }
            updatedSubscription = await stripe!.subscriptions.update(
                subscription.subscriptionId,
                {
                    items: itemsToUpdate,
                    proration_behavior: "create_prorations"
                }
            );
        } else {
            // Same product, different price tier (tier2 <-> tier3)
            // We can simply update the price
            logger.info(
                `Updating price from ${currentTier} to ${tier} for subscription ${subscription.subscriptionId}`
            );
            const itemsToUpdate = stripeSubscription.items.data.map(
                (stripeItem) => {
                    // Find the corresponding item in our database
                    const dbItem = currentItems.find(
                        (item) => item.priceId === stripeItem.price.id
                    );
                    if (!dbItem) {
                        // Keep the existing item unchanged if we can't find it
                        return {
                            id: stripeItem.id,
                            price: stripeItem.price.id,
                            quantity: stripeItem.quantity
                        };
                    }
                    // Map to the corresponding feature in the new tier
                    const newPriceId = targetPriceSet[FeatureId.USERS];
                    if (newPriceId) {
                        return {
                            id: stripeItem.id,
                            price: newPriceId,
                            quantity: stripeItem.quantity
                        };
                    }
                    // If no mapping found, keep existing
                    return {
                        id: stripeItem.id,
                        price: stripeItem.price.id,
                        quantity: stripeItem.quantity
                    };
                }
            );
            updatedSubscription = await stripe!.subscriptions.update(
                subscription.subscriptionId,
                {
                    items: itemsToUpdate,
                    proration_behavior: "create_prorations"
                }
            );
        }
        logger.info(
            `Successfully changed tier to ${tier} for org ${orgId}, subscription ${subscription.subscriptionId}`
        );
        return response<{ subscriptionId: string; newTier: string }>(res, {
            data: {
                subscriptionId: updatedSubscription.id,
                newTier: tier
            },
            success: true,
            error: false,
            message: "Tier change successful",
            status: HttpCode.OK
        });
    } catch (error) {
        logger.error("Error changing tier:", error);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "An error occurred while changing tier"
            )
        );
    }
 }
--- a/server/private/routers/billing/createCheckoutSessionSAAS.ts
+++ b/server/private/routers/billing/createCheckoutSessionSAAS.ts
@@ -22,14 +22,19 @@ import logger from "@server/logger";
 import config from "@server/lib/config";
 import { fromError } from "zod-validation-error";
 import stripe from "#private/lib/stripe";
-import { getLineItems, getStandardFeaturePriceSet } from "@server/lib/billing";
+import { getHomeLabFeaturePriceSet, getLineItems, getScaleFeaturePriceSet, getStarterFeaturePriceSet } from "@server/lib/billing";
-import { getTierPriceSet, TierId } from "@server/lib/billing/tiers";
+import { usageService } from "@server/lib/billing/usageService";
 import Stripe from "stripe";
 const createCheckoutSessionSchema = z.strictObject({
    orgId: z.string()
 });
-export async function createCheckoutSessionSAAS(
+const createCheckoutSessionBodySchema = z.strictObject({
    tier: z.enum(["tier1", "tier2", "tier3"]),
 });
 export async function createCheckoutSession(
    req: Request,
    res: Response,
    next: NextFunction
@@ -47,6 +52,18 @@ export async function createCheckoutSessionSAAS(
        const { orgId } = parsedParams.data;
        const parsedBody = createCheckoutSessionBodySchema.safeParse(req.body);
        if (!parsedBody.success) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
                    fromError(parsedBody.error).toString()
                )
            );
        }
        const { tier } = parsedBody.data;
        // check if we already have a customer for this org
        const [customer] = await db
            .select()
@@ -65,18 +82,25 @@ export async function createCheckoutSessionSAAS(
            );
        }
-        const standardTierPrice = getTierPriceSet()[TierId.STANDARD];
+        let lineItems: Stripe.Checkout.SessionCreateParams.LineItem[];
        if (tier === "tier1") {
            lineItems = await getLineItems(getHomeLabFeaturePriceSet(), orgId);
        } else if (tier === "tier2") {
            lineItems = await getLineItems(getStarterFeaturePriceSet(), orgId);
        } else if (tier === "tier3") {
            lineItems = await getLineItems(getScaleFeaturePriceSet(), orgId);
        } else {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "Invalid plan")
            );
        }
        logger.debug(`Line items: ${JSON.stringify(lineItems)}`)
        const session = await stripe!.checkout.sessions.create({
            client_reference_id: orgId, // So we can look it up the org later on the webhook
            billing_address_collection: "required",
-            line_items: [
+            line_items: lineItems,
                {
                    price: standardTierPrice, // Use the standard tier
                    quantity: 1
                },
                ...getLineItems(getStandardFeaturePriceSet())
            ], // Start with the standard feature set that matches the free limits
            customer: customer.customerId,
            mode: "subscription",
            success_url: `${config.getRawConfig().app.dashboard_url}/${orgId}/settings/billing?success=true&session_id={CHECKOUT_SESSION_ID}`,
--- a/server/private/routers/billing/getOrgUsage.ts
+++ b/server/private/routers/billing/getOrgUsage.ts
@@ -78,16 +78,10 @@ export async function getOrgUsage(
        // Get usage for org
        const usageData = [];
-        const siteUptime = await usageService.getUsage(
+        const sites = await usageService.getUsage(orgId, FeatureId.SITES);
-            orgId,
+        const users = await usageService.getUsage(orgId, FeatureId.USERS);
-            FeatureId.SITE_UPTIME
+        const domains = await usageService.getUsage(orgId, FeatureId.DOMAINS);
-        );
+        const remoteExitNodes = await usageService.getUsage(
        const users = await usageService.getUsageDaily(orgId, FeatureId.USERS);
        const domains = await usageService.getUsageDaily(
            orgId,
            FeatureId.DOMAINS
        );
        const remoteExitNodes = await usageService.getUsageDaily(
            orgId,
            FeatureId.REMOTE_EXIT_NODES
        );
@@ -96,8 +90,8 @@ export async function getOrgUsage(
            FeatureId.EGRESS_DATA_MB
        );
-        if (siteUptime) {
+        if (sites) {
-            usageData.push(siteUptime);
+            usageData.push(sites);
        }
        if (users) {
            usageData.push(users);
--- a/server/private/routers/billing/hooks/getSubType.ts
+++ b/server/private/routers/billing/hooks/getSubType.ts
@@ -1,35 +1,62 @@
 /*
 * This file is part of a proprietary work.
 *
 * Copyright (c) 2025 Fossorial, Inc.
 * All rights reserved.
 *
 * This file is licensed under the Fossorial Commercial License.
 * You may not use this file except in compliance with the License.
 * Unauthorized use, copying, modification, or distribution is strictly prohibited.
 *
 * This file is not licensed under the AGPLv3.
 */
 import {
    getLicensePriceSet,
 } from "@server/lib/billing/licenses";
 import {
-    getTierPriceSet,
+    getHomeLabFeaturePriceSet,
-} from "@server/lib/billing/tiers";
+    getStarterFeaturePriceSet,
    getScaleFeaturePriceSet,
 } from "@server/lib/billing/features";
 import Stripe from "stripe";
 import { Tier } from "@server/types/Tiers";
-export function getSubType(fullSubscription: Stripe.Response<Stripe.Subscription>): "saas" | "license" {
+export type SubscriptionType = Tier | "license";
 export function getSubType(fullSubscription: Stripe.Response<Stripe.Subscription>): SubscriptionType | null {
    // Determine subscription type by checking subscription items
-    let type: "saas" | "license" = "saas";
+    if (!Array.isArray(fullSubscription.items?.data) || fullSubscription.items.data.length === 0) {
-    if (Array.isArray(fullSubscription.items?.data)) {
+        return null;
-        for (const item of fullSubscription.items.data) {
+    }
            const priceId = item.price.id;
-            // Check if price ID matches any license price
+    for (const item of fullSubscription.items.data) {
-            const licensePrices = Object.values(getLicensePriceSet());
+        const priceId = item.price.id;
-            if (licensePrices.includes(priceId)) {
+        // Check if price ID matches any license price
-                type = "license";
+        const licensePrices = Object.values(getLicensePriceSet());
-                break;
+        if (licensePrices.includes(priceId)) {
-            }
+            return "license";
        }
-            // Check if price ID matches any tier price (saas)
+        // Check if price ID matches home lab tier
-            const tierPrices = Object.values(getTierPriceSet());
+        const homeLabPrices = Object.values(getHomeLabFeaturePriceSet());
        if (homeLabPrices.includes(priceId)) {
            return "tier1";
        }
-            if (tierPrices.includes(priceId)) {
+        // Check if price ID matches tier2 tier
-                type = "saas";
+        const tier2Prices = Object.values(getStarterFeaturePriceSet());
-                break;
+        if (tier2Prices.includes(priceId)) {
-            }
+            return "tier2";
        }
        // Check if price ID matches tier3 tier
        const tier3Prices = Object.values(getScaleFeaturePriceSet());
        if (tier3Prices.includes(priceId)) {
            return "tier3";
        }
    }
-    return type;
+    return null;
 }
--- a/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionCreated.ts
@@ -31,6 +31,7 @@ import { getLicensePriceSet, LicenseId } from "@server/lib/billing/licenses";
 import { sendEmail } from "@server/emails";
 import EnterpriseEditionKeyGenerated from "@server/emails/templates/EnterpriseEditionKeyGenerated";
 import config from "@server/lib/config";
 import { getFeatureIdByPriceId } from "@server/lib/billing/features";
 export async function handleSubscriptionCreated(
    subscription: Stripe.Subscription
@@ -59,6 +60,8 @@ export async function handleSubscriptionCreated(
            return;
        }
        const type = getSubType(fullSubscription);
        const newSubscription = {
            subscriptionId: subscription.id,
            customerId: subscription.customer as string,
@@ -66,7 +69,9 @@ export async function handleSubscriptionCreated(
            canceledAt: subscription.canceled_at
                ? subscription.canceled_at
                : null,
-            createdAt: subscription.created
+            createdAt: subscription.created,
            type: type,
            version: 1 // we are hardcoding the initial version when the subscription is created, and then we will increment it on every update
        };
        await db.insert(subscriptions).values(newSubscription);
@@ -87,10 +92,15 @@ export async function handleSubscriptionCreated(
                        name = product.name || null;
                    }
                    // Get the feature ID from the price ID
                    const featureId = getFeatureIdByPriceId(item.price.id);
                    return {
                        stripeSubscriptionItemId: item.id,
                        subscriptionId: subscription.id,
                        planId: item.plan.id,
                        priceId: item.price.id,
                        featureId: featureId || null,
                        meterId: item.plan.meter,
                        unitAmount: item.price.unit_amount || 0,
                        currentPeriodStart: item.current_period_start,
@@ -129,15 +139,15 @@ export async function handleSubscriptionCreated(
            return;
        }
-        const type = getSubType(fullSubscription);
+        if (type === "tier1" || type === "tier2" || type === "tier3") {
        if (type === "saas") {
            logger.debug(
-                `Handling SAAS subscription lifecycle for org ${customer.orgId}`
+                `Handling SAAS subscription lifecycle for org ${customer.orgId} with type ${type}`
            );
            // we only need to handle the limit lifecycle for saas subscriptions not for the licenses
            await handleSubscriptionLifesycle(
                customer.orgId,
-                subscription.status
+                subscription.status,
                type
            );
            const [orgUserRes] = await db
--- a/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionDeleted.ts
@@ -76,14 +76,15 @@ export async function handleSubscriptionDeleted(
        }
        const type = getSubType(fullSubscription);
-        if (type === "saas") {
+        if (type == "tier1" || type == "tier2" || type == "tier3") {
            logger.debug(
                `Handling SaaS subscription deletion for orgId ${customer.orgId} and subscription ID ${subscription.id}`
            );
            await handleSubscriptionLifesycle(
                customer.orgId,
-                subscription.status
+                subscription.status,
                type
            );
            const [orgUserRes] = await db
--- a/server/private/routers/billing/hooks/handleSubscriptionUpdated.ts
+++ b/server/private/routers/billing/hooks/handleSubscriptionUpdated.ts
@@ -23,7 +23,7 @@ import {
 } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import logger from "@server/logger";
-import { getFeatureIdByMetricId } from "@server/lib/billing/features";
+import { getFeatureIdByMetricId, getFeatureIdByPriceId } from "@server/lib/billing/features";
 import stripe from "#private/lib/stripe";
 import { handleSubscriptionLifesycle } from "../subscriptionLifecycle";
 import { getSubType } from "./getSubType";
@@ -64,6 +64,8 @@ export async function handleSubscriptionUpdated(
            .where(eq(customers.customerId, subscription.customer as string))
            .limit(1);
        const type = getSubType(fullSubscription);
        await db
            .update(subscriptions)
            .set({
@@ -72,25 +74,47 @@ export async function handleSubscriptionUpdated(
                    ? subscription.canceled_at
                    : null,
                updatedAt: Math.floor(Date.now() / 1000),
-                billingCycleAnchor: subscription.billing_cycle_anchor
+                billingCycleAnchor: subscription.billing_cycle_anchor,
                type: type
            })
            .where(eq(subscriptions.subscriptionId, subscription.id));
        // Upsert subscription items
        if (Array.isArray(fullSubscription.items?.data)) {
-            const itemsToUpsert = fullSubscription.items.data.map((item) => ({
+            // First, get existing items to preserve featureId when there's no match
-                subscriptionId: subscription.id,
+            const existingItems = await db
-                planId: item.plan.id,
+                .select()
-                priceId: item.price.id,
+                .from(subscriptionItems)
-                meterId: item.plan.meter,
+                .where(eq(subscriptionItems.subscriptionId, subscription.id));
-                unitAmount: item.price.unit_amount || 0,
+
-                currentPeriodStart: item.current_period_start,
+            const itemsToUpsert = fullSubscription.items.data.map((item) => {
-                currentPeriodEnd: item.current_period_end,
+                // Try to get featureId from price
-                tiers: item.price.tiers
+                let featureId: string | null = getFeatureIdByPriceId(item.price.id) || null;
-                    ? JSON.stringify(item.price.tiers)
+                
-                    : null,
+                // If no match, try to preserve existing featureId
-                interval: item.plan.interval
+                if (!featureId) {
-            }));
+                    const existingItem = existingItems.find(
                        (ei) => ei.stripeSubscriptionItemId === item.id
                    );
                    featureId = existingItem?.featureId || null;
                }
                return {
                    stripeSubscriptionItemId: item.id,
                    subscriptionId: subscription.id,
                    planId: item.plan.id,
                    priceId: item.price.id,
                    featureId: featureId,
                    meterId: item.plan.meter,
                    unitAmount: item.price.unit_amount || 0,
                    currentPeriodStart: item.current_period_start,
                    currentPeriodEnd: item.current_period_end,
                    tiers: item.price.tiers
                        ? JSON.stringify(item.price.tiers)
                        : null,
                    interval: item.plan.interval
                };
            });
            if (itemsToUpsert.length > 0) {
                await db.transaction(async (trx) => {
                    await trx
@@ -234,17 +258,17 @@ export async function handleSubscriptionUpdated(
            }
            // --- end usage update ---
-            const type = getSubType(fullSubscription);
+            if (type === "tier1" || type === "tier2" || type === "tier3") {
            if (type === "saas") {
                logger.debug(
-                    `Handling SAAS subscription lifecycle for org ${customer.orgId}`
+                    `Handling SAAS subscription lifecycle for org ${customer.orgId} with type ${type}`
                );
                // we only need to handle the limit lifecycle for saas subscriptions not for the licenses
                await handleSubscriptionLifesycle(
                    customer.orgId,
-                    subscription.status
+                    subscription.status,
                    type
                );
-            } else {
+            } else if (type === "license") {
                if (subscription.status === "canceled" || subscription.status == "unpaid" || subscription.status == "incomplete_expired") {
                    try {
                        // WARNING:
--- a/server/private/routers/billing/index.ts
+++ b/server/private/routers/billing/index.ts
@@ -11,8 +11,9 @@
 * This file is not licensed under the AGPLv3.
 */
-export * from "./createCheckoutSessionSAAS";
+export * from "./createCheckoutSession";
 export * from "./createPortalSession";
 export * from "./getOrgSubscriptions";
 export * from "./getOrgUsage";
 export * from "./internalGetOrgTier";
 export * from "./changeTier";
--- a/server/private/routers/billing/subscriptionLifecycle.ts
+++ b/server/private/routers/billing/subscriptionLifecycle.ts
@@ -13,38 +13,66 @@
 import {
    freeLimitSet,
    tier1LimitSet,
    tier2LimitSet,
    tier3LimitSet,
    limitsService,
-    subscribedLimitSet
+    LimitSet
 } from "@server/lib/billing";
 import { usageService } from "@server/lib/billing/usageService";
-import logger from "@server/logger";
+import { SubscriptionType } from "./hooks/getSubType";
 function getLimitSetForSubscriptionType(
    subType: SubscriptionType | null
 ): LimitSet {
    switch (subType) {
        case "tier1":
            return tier1LimitSet;
        case "tier2":
            return tier2LimitSet;
        case "tier3":
            return tier3LimitSet;
        case "license":
            // License subscriptions use tier2 limits by default
            // This can be adjusted based on your business logic
            return tier2LimitSet;
        default:
            return freeLimitSet;
    }
 }
 export async function handleSubscriptionLifesycle(
    orgId: string,
-    status: string
+    status: string,
    subType: SubscriptionType | null
 ) {
    switch (status) {
        case "active":
-            await limitsService.applyLimitSetToOrg(orgId, subscribedLimitSet);
+            const activeLimitSet = getLimitSetForSubscriptionType(subType);
-            await usageService.checkLimitSet(orgId, true);
+            await limitsService.applyLimitSetToOrg(orgId, activeLimitSet);
            await usageService.checkLimitSet(orgId);
            break;
        case "canceled":
            // Subscription canceled - revert to free tier
            await limitsService.applyLimitSetToOrg(orgId, freeLimitSet);
-            await usageService.checkLimitSet(orgId, true);
+            await usageService.checkLimitSet(orgId);
            break;
        case "past_due":
-            // Optionally handle past due status, e.g., notify customer
+            // Payment past due - keep current limits but notify customer
            // Limits will revert to free tier if it becomes unpaid
            break;
        case "unpaid":
            // Subscription unpaid - revert to free tier
            await limitsService.applyLimitSetToOrg(orgId, freeLimitSet);
-            await usageService.checkLimitSet(orgId, true);
+            await usageService.checkLimitSet(orgId);
            break;
        case "incomplete":
-            // Optionally handle incomplete status, e.g., notify customer
+            // Payment incomplete - give them time to complete payment
            break;
        case "incomplete_expired":
            // Payment never completed - revert to free tier
            await limitsService.applyLimitSetToOrg(orgId, freeLimitSet);
-            await usageService.checkLimitSet(orgId, true);
+            await usageService.checkLimitSet(orgId);
            break;
        default:
            break;
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -52,6 +52,7 @@ import {
    authenticated as a,
    authRouter as aa
 } from "@server/routers/external";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 export const authenticated = a;
 export const unauthenticated = ua;
@@ -76,6 +77,7 @@ unauthenticated.post(
 authenticated.put(
    "/org/:orgId/idp/oidc",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createIdp),
    logActionAudit(ActionsEnum.createIdp),
@@ -85,6 +87,7 @@ authenticated.put(
 authenticated.post(
    "/org/:orgId/idp/:idpId/oidc",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.orgOidc),
    verifyOrgAccess,
    verifyIdpAccess,
    verifyUserHasAction(ActionsEnum.updateIdp),
@@ -141,29 +144,20 @@ authenticated.post(
 );
 if (build === "saas") {
    unauthenticated.post(
        "/quick-start",
        rateLimit({
            windowMs: 15 * 60 * 1000,
            max: 100,
            keyGenerator: (req) => req.path,
            handler: (req, res, next) => {
                const message = `We're too busy right now. Please try again later.`;
                return next(
                    createHttpError(HttpCode.TOO_MANY_REQUESTS, message)
                );
            },
            store: createStore()
        }),
        auth.quickStart
    );
    authenticated.post(
-        "/org/:orgId/billing/create-checkout-session-saas",
+        "/org/:orgId/billing/create-checkout-session",
        verifyOrgAccess,
        verifyUserHasAction(ActionsEnum.billing),
        logActionAudit(ActionsEnum.billing),
-        billing.createCheckoutSessionSAAS
+        billing.createCheckoutSession
    );
    authenticated.post(
        "/org/:orgId/billing/change-tier",
        verifyOrgAccess,
        verifyUserHasAction(ActionsEnum.billing),
        logActionAudit(ActionsEnum.billing),
        billing.changeTier
    );
    authenticated.post(
@@ -286,6 +280,7 @@ authenticated.delete(
 authenticated.put(
    "/org/:orgId/login-page",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.customAuthenticationDomain),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.createLoginPage),
    logActionAudit(ActionsEnum.createLoginPage),
@@ -295,6 +290,7 @@ authenticated.put(
 authenticated.post(
    "/org/:orgId/login-page/:loginPageId",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.customAuthenticationDomain),
    verifyOrgAccess,
    verifyLoginPageAccess,
    verifyUserHasAction(ActionsEnum.updateLoginPage),
@@ -323,6 +319,7 @@ authenticated.get(
 authenticated.get(
    "/org/:orgId/approvals",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.deviceApprovals),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.listApprovals),
    logActionAudit(ActionsEnum.listApprovals),
@@ -339,6 +336,7 @@ authenticated.get(
 authenticated.put(
    "/org/:orgId/approvals/:approvalId",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.deviceApprovals),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.updateApprovals),
    logActionAudit(ActionsEnum.updateApprovals),
@@ -348,6 +346,7 @@ authenticated.put(
 authenticated.get(
    "/org/:orgId/login-page-branding",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.loginPageBranding),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.getLoginPage),
    logActionAudit(ActionsEnum.getLoginPage),
@@ -357,6 +356,7 @@ authenticated.get(
 authenticated.put(
    "/org/:orgId/login-page-branding",
    verifyValidLicense,
    verifyValidSubscription(tierMatrix.loginPageBranding),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.updateLoginPage),
    logActionAudit(ActionsEnum.updateLoginPage),
@@ -433,7 +433,7 @@ authenticated.post(
 authenticated.get(
    "/org/:orgId/logs/action",
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.actionLogs),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logs.queryActionAuditLogs
@@ -442,7 +442,7 @@ authenticated.get(
 authenticated.get(
    "/org/:orgId/logs/action/export",
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.logExport),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logActionAudit(ActionsEnum.exportLogs),
@@ -452,7 +452,7 @@ authenticated.get(
 authenticated.get(
    "/org/:orgId/logs/access",
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.accessLogs),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logs.queryAccessAuditLogs
@@ -461,7 +461,7 @@ authenticated.get(
 authenticated.get(
    "/org/:orgId/logs/access/export",
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.logExport),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.exportLogs),
    logActionAudit(ActionsEnum.exportLogs),
@@ -472,7 +472,7 @@ authenticated.post(
    "/re-key/:clientId/regenerate-client-secret",
    verifyClientAccess, // this is first to set the org id
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateClientSecret
 );
@@ -481,7 +481,7 @@ authenticated.post(
    "/re-key/:siteId/regenerate-site-secret",
    verifySiteAccess, // this is first to set the org id
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateSiteSecret
 );
@@ -489,7 +489,7 @@ authenticated.post(
 authenticated.put(
    "/re-key/:orgId/regenerate-remote-exit-node-secret",
    verifyValidLicense,
-    verifyValidSubscription,
+    verifyValidSubscription(tierMatrix.rotateCredentials),
    verifyOrgAccess,
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateExitNodeSecret
--- a/server/private/routers/loginPage/createLoginPage.ts
+++ b/server/private/routers/loginPage/createLoginPage.ts
@@ -30,9 +30,7 @@ import { fromError } from "zod-validation-error";
 import { eq, and } from "drizzle-orm";
 import { validateAndConstructDomain } from "@server/lib/domainUtils";
 import { createCertificate } from "#private/routers/certificates/createCertificate";
-import { getOrgTierData } from "#private/lib/billing";
+
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
 import { CreateLoginPageResponse } from "@server/routers/loginPage/types";
 const paramsSchema = z.strictObject({
@@ -76,19 +74,6 @@ export async function createLoginPage(
        const { orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const [existing] = await db
            .select()
            .from(loginPageOrg)
--- a/server/private/routers/loginPage/deleteLoginPageBranding.ts
+++ b/server/private/routers/loginPage/deleteLoginPageBranding.ts
@@ -25,9 +25,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
-import { getOrgTierData } from "#private/lib/billing";
+
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
 const paramsSchema = z
    .object({
@@ -53,18 +51,6 @@ export async function deleteLoginPageBranding(
        const { orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const [existingLoginPageBranding] = await db
            .select()
--- a/server/private/routers/loginPage/getLoginPageBranding.ts
+++ b/server/private/routers/loginPage/getLoginPageBranding.ts
@@ -25,9 +25,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq } from "drizzle-orm";
-import { getOrgTierData } from "#private/lib/billing";
+
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
 const paramsSchema = z.strictObject({
    orgId: z.string()
@@ -51,19 +49,6 @@ export async function getLoginPageBranding(
        const { orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const [existingLoginPageBranding] = await db
            .select()
            .from(loginPageBranding)
--- a/server/private/routers/loginPage/updateLoginPage.ts
+++ b/server/private/routers/loginPage/updateLoginPage.ts
@@ -23,9 +23,7 @@ import { eq, and } from "drizzle-orm";
 import { validateAndConstructDomain } from "@server/lib/domainUtils";
 import { subdomainSchema } from "@server/lib/schemas";
 import { createCertificate } from "#private/routers/certificates/createCertificate";
-import { getOrgTierData } from "#private/lib/billing";
+
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
 import { UpdateLoginPageResponse } from "@server/routers/loginPage/types";
 const paramsSchema = z
@@ -87,18 +85,6 @@ export async function updateLoginPage(
        const { loginPageId, orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const [existingLoginPage] = await db
            .select()
--- a/server/private/routers/loginPage/upsertLoginPageBranding.ts
+++ b/server/private/routers/loginPage/upsertLoginPageBranding.ts
@@ -25,10 +25,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, InferInsertModel } from "drizzle-orm";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { build } from "@server/build";
-import config from "@server/private/lib/config";
+import config from "#private/lib/config";
 const paramsSchema = z.strictObject({
    orgId: z.string()
@@ -128,19 +126,6 @@ export async function upsertLoginPageBranding(
        const { orgId } = parsedParams.data;
        if (build === "saas") {
            const { tier } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        let updateData = parsedBody.data satisfies InferInsertModel<
            typeof loginPageBranding
        >;
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -24,9 +24,6 @@ import { idp, idpOidcConfig, idpOrg, orgs } from "@server/db";
 import { generateOidcRedirectUrl } from "@server/lib/idp/generateRedirectUrl";
 import { encrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types";
 const paramsSchema = z.strictObject({ orgId: z.string().nonempty() });
@@ -109,19 +106,6 @@ export async function createOrgOidcIdp(
            tags
        } = parsedBody.data;
        if (build === "saas") {
            const { tier, active } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        const key = config.getRawConfig().server.secret!;
        const encryptedSecret = encrypt(clientSecret, key);
--- a/server/private/routers/orgIdp/updateOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
@@ -24,9 +24,6 @@ import { idp, idpOidcConfig } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { encrypt } from "@server/lib/crypto";
 import config from "@server/lib/config";
 import { build } from "@server/build";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 const paramsSchema = z
    .object({
@@ -114,19 +111,6 @@ export async function updateOrgOidcIdp(
            tags
        } = parsedBody.data;
        if (build === "saas") {
            const { tier, active } = await getOrgTierData(orgId);
            const subscribed = tier === TierId.STANDARD;
            if (!subscribed) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "This organization's current plan does not support this feature."
                    )
                );
            }
        }
        // Check if IDP exists and is of type OIDC
        const [existingIdp] = await db
            .select()
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -85,7 +85,7 @@ export async function createRemoteExitNode(
        if (usage) {
            const rejectRemoteExitNodes = await usageService.checkLimitSet(
                orgId,
-                false,
+
                FeatureId.REMOTE_EXIT_NODES,
                {
                    ...usage,
@@ -97,7 +97,7 @@ export async function createRemoteExitNode(
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
-                        "Remote exit node limit exceeded. Please upgrade your plan or contact us at support@pangolin.net"
+                        "Remote node limit exceeded. Please upgrade your plan."
                    )
                );
            }
@@ -224,7 +224,7 @@ export async function createRemoteExitNode(
        });
        if (numExitNodeOrgs) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                orgId,
                FeatureId.REMOTE_EXIT_NODES,
                numExitNodeOrgs.length
--- a/server/private/routers/remoteExitNode/deleteRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/deleteRemoteExitNode.ts
@@ -106,7 +106,7 @@ export async function deleteRemoteExitNode(
        });
        if (numExitNodeOrgs) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                orgId,
                FeatureId.REMOTE_EXIT_NODES,
                numExitNodeOrgs.length
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -1,6 +1,6 @@
 import { db, orgs, requestAuditLog } from "@server/db";
 import logger from "@server/logger";
-import { and, eq, lt } from "drizzle-orm";
+import { and, eq, lt, sql } from "drizzle-orm";
 import cache from "@server/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
@@ -67,17 +67,27 @@ async function flushAuditLogs() {
    const logsToWrite = auditLogBuffer.splice(0, auditLogBuffer.length);
    try {
-        // Batch insert logs in groups of 25 to avoid overwhelming the database
+        // Use a transaction to ensure all inserts succeed or fail together
-        const BATCH_DB_SIZE = 25;
+        // This prevents index corruption from partial writes
-        for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
+        await db.transaction(async (tx) => {
-            const batch = logsToWrite.slice(i, i + BATCH_DB_SIZE);
+            // Batch insert logs in groups of 25 to avoid overwhelming the database
-            await db.insert(requestAuditLog).values(batch);
+            const BATCH_DB_SIZE = 25;
-        }
+            for (let i = 0; i < logsToWrite.length; i += BATCH_DB_SIZE) {
                const batch = logsToWrite.slice(i, i + BATCH_DB_SIZE);
                await tx.insert(requestAuditLog).values(batch);
            }
        });
        logger.debug(`Flushed ${logsToWrite.length} audit logs to database`);
    } catch (error) {
        logger.error("Error flushing audit logs:", error);
-        // On error, we lose these logs - consider a fallback strategy if needed
+        // On transaction error, put logs back at the front of the buffer to retry
-        // (e.g., write to file, or put back in buffer with retry limit)
+        // but only if buffer isn't too large
        if (auditLogBuffer.length < MAX_BUFFER_SIZE - logsToWrite.length) {
            auditLogBuffer.unshift(...logsToWrite);
            logger.info(`Re-queued ${logsToWrite.length} audit logs for retry`);
        } else {
            logger.error(`Buffer full, dropped ${logsToWrite.length} audit logs`);
        }
    } finally {
        isFlushInProgress = false;
        // If buffer filled up while we were flushing, flush again
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -18,7 +18,6 @@ import {
    ResourcePassword,
    ResourcePincode,
    ResourceRule,
    resourceSessions
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
@@ -32,7 +31,6 @@ import { fromError } from "zod-validation-error";
 import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getAsnForIp } from "@server/lib/asn";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { verifyPassword } from "@server/auth/password";
 import {
    checkOrgAccessPolicy,
@@ -40,8 +38,8 @@ import {
 } from "#dynamic/lib/checkOrgAccessPolicy";
 import { logRequestAudit } from "./logRequestAudit";
 import cache from "@server/lib/cache";
 import semver from "semver";
 import { APP_VERSION } from "@server/lib/consts";
 import { isSubscribed } from "#private/lib/isSubscribed";
 const verifyResourceSessionSchema = z.object({
    sessions: z.record(z.string(), z.string()).optional(),
@@ -798,8 +796,8 @@ async function notAllowed(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const { tier } = await getOrgTierData(orgId); // returns null in oss
+        const subscribed = await isSubscribed(orgId);
-        if (tier === TierId.STANDARD) {
+        if (subscribed) {
            loginPage = await getOrgLoginPage(orgId);
        }
    }
@@ -852,8 +850,8 @@ async function headerAuthChallenged(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const { tier } = await getOrgTierData(orgId); // returns null in oss
+        const subscribed = await isSubscribed(orgId);
-        if (tier === TierId.STANDARD) {
+        if (subscribed) {
            loginPage = await getOrgLoginPage(orgId);
        }
    }
--- a/server/routers/client/getClient.ts
+++ b/server/routers/client/getClient.ts
@@ -13,6 +13,7 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { getUserDeviceName } from "@server/db/names";
 import { build } from "@server/build";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 const getClientSchema = z.strictObject({
    clientId: z
@@ -56,19 +57,29 @@ async function query(clientId?: number, niceId?: string, orgId?: string) {
 }
 type PostureData = {
-    biometricsEnabled?: boolean | null;
+    biometricsEnabled?: boolean | null | "-";
-    diskEncrypted?: boolean | null;
+    diskEncrypted?: boolean | null | "-";
-    firewallEnabled?: boolean | null;
+    firewallEnabled?: boolean | null | "-";
-    autoUpdatesEnabled?: boolean | null;
+    autoUpdatesEnabled?: boolean | null | "-";
-    tpmAvailable?: boolean | null;
+    tpmAvailable?: boolean | null | "-";
-    windowsAntivirusEnabled?: boolean | null;
+    windowsAntivirusEnabled?: boolean | null | "-";
-    macosSipEnabled?: boolean | null;
+    macosSipEnabled?: boolean | null | "-";
-    macosGatekeeperEnabled?: boolean | null;
+    macosGatekeeperEnabled?: boolean | null | "-";
-    macosFirewallStealthMode?: boolean | null;
+    macosFirewallStealthMode?: boolean | null | "-";
-    linuxAppArmorEnabled?: boolean | null;
+    linuxAppArmorEnabled?: boolean | null | "-";
-    linuxSELinuxEnabled?: boolean | null;
+    linuxSELinuxEnabled?: boolean | null | "-";
 };
 function maskPostureDataWithPlaceholder(posture: PostureData): PostureData {
    const masked: PostureData = {};
    for (const key of Object.keys(posture) as (keyof PostureData)[]) {
        if (posture[key] !== undefined && posture[key] !== null) {
            (masked as Record<keyof PostureData, "-">)[key] = "-";
        }
    }
    return masked;
 }
 function getPlatformPostureData(
    platform: string | null | undefined,
    fingerprint: typeof currentFingerprint.$inferSelect | null
@@ -284,9 +295,11 @@ export async function getClient(
            );
        }
        const isUserDevice = client.user !== null && client.user !== undefined;
        // Replace name with device name if OLM exists
        let clientName = client.clients.name;
-        if (client.olms) {
+        if (client.olms && isUserDevice) {
            const model = client.currentFingerprint?.deviceModel || null;
            clientName = getUserDeviceName(model, client.clients.name);
        }
@@ -294,32 +307,35 @@ export async function getClient(
        // Build fingerprint data if available
        const fingerprintData = client.currentFingerprint
            ? {
-                  username: client.currentFingerprint.username || null,
+                username: client.currentFingerprint.username || null,
-                  hostname: client.currentFingerprint.hostname || null,
+                hostname: client.currentFingerprint.hostname || null,
-                  platform: client.currentFingerprint.platform || null,
+                platform: client.currentFingerprint.platform || null,
-                  osVersion: client.currentFingerprint.osVersion || null,
+                osVersion: client.currentFingerprint.osVersion || null,
-                  kernelVersion:
+                kernelVersion:
-                      client.currentFingerprint.kernelVersion || null,
+                    client.currentFingerprint.kernelVersion || null,
-                  arch: client.currentFingerprint.arch || null,
+                arch: client.currentFingerprint.arch || null,
-                  deviceModel: client.currentFingerprint.deviceModel || null,
+                deviceModel: client.currentFingerprint.deviceModel || null,
-                  serialNumber: client.currentFingerprint.serialNumber || null,
+                serialNumber: client.currentFingerprint.serialNumber || null,
-                  firstSeen: client.currentFingerprint.firstSeen || null,
+                firstSeen: client.currentFingerprint.firstSeen || null,
-                  lastSeen: client.currentFingerprint.lastSeen || null
+                lastSeen: client.currentFingerprint.lastSeen || null
-              }
+            }
            : null;
        // Build posture data if available (platform-specific)
-        // Only return posture data if org is licensed/subscribed
+        // Licensed: real values; not licensed: same keys but values set to "-"
-        let postureData: PostureData | null = null;
+        const rawPosture = getPlatformPostureData(
-        const isOrgLicensed = await isLicensedOrSubscribed(
+            client.currentFingerprint?.platform || null,
-            client.clients.orgId
+            client.currentFingerprint
        );
-        if (isOrgLicensed) {
+        const isOrgLicensed = await isLicensedOrSubscribed(
-            postureData = getPlatformPostureData(
+            client.clients.orgId,
-                client.currentFingerprint?.platform || null,
+            tierMatrix.devicePosture
-                client.currentFingerprint
+        );
-            );
+        const postureData: PostureData | null = rawPosture
-        }
+            ? isOrgLicensed
                ? rawPosture
                : maskPostureDataWithPlaceholder(rawPosture)
            : null;
        const data: GetClientResponse = {
            ...client.clients,
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -320,7 +320,10 @@ export async function listClients(
        // Merge clients with their site associations and replace name with device name
        const clientsWithSites = clientsList.map((client) => {
            const model = client.deviceModel || null;
-            const newName = getUserDeviceName(model, client.name);
+            let newName = client.name;
            if (filter === "user") {
                newName = getUserDeviceName(model, client.name);
            }
            return {
                ...client,
                name: newName,
--- a/server/routers/domain/createOrgDomain.ts
+++ b/server/routers/domain/createOrgDomain.ts
@@ -131,7 +131,7 @@ export async function createOrgDomain(
            }
            const rejectDomains = await usageService.checkLimitSet(
                orgId,
-                false,
+
                FeatureId.DOMAINS,
                {
                    ...usage,
@@ -354,7 +354,7 @@ export async function createOrgDomain(
        });
        if (numOrgDomains) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                orgId,
                FeatureId.DOMAINS,
                numOrgDomains.length
--- a/server/routers/domain/deleteOrgDomain.ts
+++ b/server/routers/domain/deleteOrgDomain.ts
@@ -86,7 +86,7 @@ export async function deleteAccountDomain(
        });
        if (numOrgDomains) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                orgId,
                FeatureId.DOMAINS,
                numOrgDomains.length
--- a/server/routers/gerbil/receiveBandwidth.ts
+++ b/server/routers/gerbil/receiveBandwidth.ts
@@ -114,7 +114,6 @@ export async function updateSiteBandwidth(
    // Aggregate usage data by organization (collected outside transaction)
    const orgUsageMap = new Map<string, number>();
    const orgUptimeMap = new Map<string, number>();
    if (activePeers.length > 0) {
        // Remove any active peers from offline tracking since they're sending data
@@ -166,14 +165,6 @@ export async function updateSiteBandwidth(
                        updatedSite.orgId,
                        currentOrgUsage + totalBandwidth
                    );
                    // Add 10 seconds of uptime for each active site
                    const currentOrgUptime =
                        orgUptimeMap.get(updatedSite.orgId) || 0;
                    orgUptimeMap.set(
                        updatedSite.orgId,
                        currentOrgUptime + 10 / 60
                    );
                }
            } catch (error) {
                logger.error(
@@ -187,11 +178,9 @@ export async function updateSiteBandwidth(
    // Process usage updates outside of site update transactions
    // This separates the concerns and reduces lock contention
-    if (calcUsageAndLimits && (orgUsageMap.size > 0 || orgUptimeMap.size > 0)) {
+    if (calcUsageAndLimits && orgUsageMap.size > 0) {
        // Sort org IDs to ensure consistent lock ordering
-        const allOrgIds = [
+        const allOrgIds = [...new Set([...orgUsageMap.keys()])].sort();
            ...new Set([...orgUsageMap.keys(), ...orgUptimeMap.keys()])
        ].sort();
        for (const orgId of allOrgIds) {
            try {
@@ -208,7 +197,7 @@ export async function updateSiteBandwidth(
                        usageService
                            .checkLimitSet(
                                orgId,
-                                true,
+
                                FeatureId.EGRESS_DATA_MB,
                                bandwidthUsage
                            )
@@ -220,32 +209,6 @@ export async function updateSiteBandwidth(
                            });
                    }
                }
                // Process uptime usage for this org
                const totalUptime = orgUptimeMap.get(orgId);
                if (totalUptime) {
                    const uptimeUsage = await usageService.add(
                        orgId,
                        FeatureId.SITE_UPTIME,
                        totalUptime
                    );
                    if (uptimeUsage) {
                        // Fire and forget - don't block on limit checking
                        usageService
                            .checkLimitSet(
                                orgId,
                                true,
                                FeatureId.SITE_UPTIME,
                                uptimeUsage
                            )
                            .catch((error: any) => {
                                logger.error(
                                    `Error checking uptime limits for org ${orgId}:`,
                                    error
                                );
                            });
                    }
                }
            } catch (error) {
                logger.error(`Error processing usage for org ${orgId}:`, error);
                // Continue with other orgs
--- a/server/routers/idp/generateOidcUrl.ts
+++ b/server/routers/idp/generateOidcUrl.ts
@@ -14,8 +14,7 @@ import jsonwebtoken from "jsonwebtoken";
 import config from "@server/lib/config";
 import { decrypt } from "@server/lib/crypto";
 import { build } from "@server/build";
-import { getOrgTierData } from "#dynamic/lib/billing";
+import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { TierId } from "@server/lib/billing/tiers";
 const paramsSchema = z
    .object({
@@ -113,8 +112,7 @@ export async function generateOidcUrl(
            }
            if (build === "saas") {
-                const { tier } = await getOrgTierData(orgId);
+                const subscribed = await isSubscribed(orgId);
                const subscribed = tier === TierId.STANDARD;
                if (!subscribed) {
                    return next(
                        createHttpError(
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -587,7 +587,7 @@ export async function validateOidcCallback(
            });
            for (const orgCount of orgUserCounts) {
-                await usageService.updateDaily(
+                await usageService.updateCount(
                    orgCount.orgId,
                    FeatureId.USERS,
                    orgCount.userCount
--- a/server/routers/newt/getNewtToken.ts
+++ b/server/routers/newt/getNewtToken.ts
@@ -18,7 +18,7 @@ import config from "@server/lib/config";
 import { APP_VERSION } from "@server/lib/consts";
 export const newtGetTokenBodySchema = z.object({
-    newtId: z.string(),
+    // newtId: z.string(),
    secret: z.string(),
    token: z.string().optional()
 });
--- a/server/routers/newt/handleNewtRegisterMessage.ts
+++ b/server/routers/newt/handleNewtRegisterMessage.ts
@@ -1,17 +1,13 @@
-import { db, ExitNode, exitNodeOrgs, newts, Transaction } from "@server/db";
+import { db, ExitNode, newts, Transaction } from "@server/db";
 import { MessageHandler } from "@server/routers/ws";
-import { exitNodes, Newt, resources, sites, Target, targets } from "@server/db";
+import { exitNodes, Newt, sites } from "@server/db";
-import { targetHealthCheck } from "@server/db";
+import { eq } from "drizzle-orm";
 import { eq, and, sql, inArray, ne } from "drizzle-orm";
 import { addPeer, deletePeer } from "../gerbil/peers";
 import logger from "@server/logger";
 import config from "@server/lib/config";
 import {
    findNextAvailableCidr,
    getNextAvailableClientSubnet
 } from "@server/lib/ip";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 import {
    selectBestExitNode,
    verifyExitNodeOrgAccess
@@ -30,8 +26,6 @@ export type ExitNodePingResult = {
    wasPreviouslyConnected: boolean;
 };
 const numTimesLimitExceededForId: Record<string, number> = {};
 export const handleNewtRegisterMessage: MessageHandler = async (context) => {
    const { message, client, sendToClient } = context;
    const newt = client as Newt;
@@ -96,42 +90,6 @@ export const handleNewtRegisterMessage: MessageHandler = async (context) => {
        fetchContainers(newt.newtId);
    }
    const rejectSiteUptime = await usageService.checkLimitSet(
        oldSite.orgId,
        false,
        FeatureId.SITE_UPTIME
    );
    const rejectEgressDataMb = await usageService.checkLimitSet(
        oldSite.orgId,
        false,
        FeatureId.EGRESS_DATA_MB
    );
    // Do we need to check the users and domains daily limits here?
    // const rejectUsers = await usageService.checkLimitSet(oldSite.orgId, false, FeatureId.USERS);
    // const rejectDomains = await usageService.checkLimitSet(oldSite.orgId, false, FeatureId.DOMAINS);
    // if (rejectEgressDataMb || rejectSiteUptime || rejectUsers || rejectDomains) {
    if (rejectEgressDataMb || rejectSiteUptime) {
        logger.info(
            `Usage limits exceeded for org ${oldSite.orgId}. Rejecting newt registration.`
        );
        // PREVENT FURTHER REGISTRATION ATTEMPTS SO WE DON'T SPAM
        // Increment the limit exceeded count for this site
        numTimesLimitExceededForId[newt.newtId] =
            (numTimesLimitExceededForId[newt.newtId] || 0) + 1;
        if (numTimesLimitExceededForId[newt.newtId] > 15) {
            logger.debug(
                `Newt ${newt.newtId} has exceeded usage limits 15 times. Terminating...`
            );
        }
        return;
    }
    let siteSubnet = oldSite.subnet;
    let exitNodeIdToQuery = oldSite.exitNodeId;
    if (exitNodeId && (oldSite.exitNodeId !== exitNodeId || !oldSite.subnet)) {
--- a/server/routers/olm/handleOlmPingMessage.ts
+++ b/server/routers/olm/handleOlmPingMessage.ts
@@ -117,6 +117,8 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
        return;
    }
    const isUserDevice = olm.userId !== null && olm.userId !== undefined;
    try {
        // get the client
        const [client] = await db
@@ -219,7 +221,9 @@ export const handleOlmPingMessage: MessageHandler = async (context) => {
        logger.error("Error handling ping message", { error });
    }
-    await handleFingerprintInsertion(olm, fingerprint, postures);
+    if (isUserDevice) {
        await handleFingerprintInsertion(olm, fingerprint, postures);
    }
    return {
        message: {
--- a/server/routers/olm/handleOlmRegisterMessage.ts
+++ b/server/routers/olm/handleOlmRegisterMessage.ts
@@ -53,7 +53,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
        postures
    });
-    await handleFingerprintInsertion(olm, fingerprint, postures);
+    const isUserDevice = olm.userId !== null && olm.userId !== undefined;
    if (isUserDevice) {
        await handleFingerprintInsertion(olm, fingerprint, postures);
    }
    if (
        (olmVersion && olm.version !== olmVersion) ||
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@@ -271,7 +271,7 @@ export async function createOrg(
            // make sure we have the stripe customer
            const customerId = await createCustomer(orgId, req.user?.email);
            if (customerId) {
-                await usageService.updateDaily(
+                await usageService.updateCount(
                    orgId,
                    FeatureId.USERS,
                    1,
--- a/server/routers/org/updateOrg.ts
+++ b/server/routers/org/updateOrg.ts
@@ -10,10 +10,10 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 import { build } from "@server/build";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { cache } from "@server/lib/cache";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { getOrgTierData } from "#dynamic/lib/billing";
 const updateOrgParamsSchema = z.strictObject({
    orgId: z.string()
@@ -88,26 +88,83 @@ export async function updateOrg(
        const { orgId } = parsedParams.data;
-        const isLicensed = await isLicensedOrSubscribed(orgId);
+        // Check 2FA enforcement feature
-        if (!isLicensed) {
+        const has2FAFeature = await isLicensedOrSubscribed(
            orgId,
            tierMatrix[TierFeature.TwoFactorEnforcement]
        );
        if (!has2FAFeature) {
            parsedBody.data.requireTwoFactor = undefined;
            parsedBody.data.maxSessionLengthHours = undefined;
            parsedBody.data.passwordExpiryDays = undefined;
        }
-        const { tier } = await getOrgTierData(orgId);
+        // Check session duration policies feature
-        if (
+        const hasSessionDurationFeature = await isLicensedOrSubscribed(
-            build == "saas" &&
+            orgId,
-            tier != TierId.STANDARD &&
+            tierMatrix[TierFeature.SessionDurationPolicies]
-            parsedBody.data.settingsLogRetentionDaysRequest &&
+        );
-            parsedBody.data.settingsLogRetentionDaysRequest > 30
+        if (!hasSessionDurationFeature) {
-        ) {
+            parsedBody.data.maxSessionLengthHours = undefined;
-            return next(
+        }
-                createHttpError(
+
-                    HttpCode.FORBIDDEN,
+        // Check password expiration policies feature
-                    "You are not allowed to set log retention days greater than 30 with your current subscription"
+        const hasPasswordExpirationFeature = await isLicensedOrSubscribed(
-                )
+            orgId,
-            );
+            tierMatrix[TierFeature.PasswordExpirationPolicies]
        );
        if (!hasPasswordExpirationFeature) {
            parsedBody.data.passwordExpiryDays = undefined;
        }
        if (build == "saas") {
            const { tier } = await getOrgTierData(orgId);
            // Determine max allowed retention days based on tier
            let maxRetentionDays: number | null = null;
            if (!tier) {
                maxRetentionDays = 0;
            } else if (tier === "tier1") {
                maxRetentionDays = 7;
            } else if (tier === "tier2") {
                maxRetentionDays = 30;
            } else if (tier === "tier3") {
                maxRetentionDays = 90;
            }
            // For enterprise tier, no check (maxRetentionDays remains null)
            if (maxRetentionDays !== null) {
                if (
                    parsedBody.data.settingsLogRetentionDaysRequest !== undefined &&
                    parsedBody.data.settingsLogRetentionDaysRequest > maxRetentionDays
                ) {
                    return next(
                        createHttpError(
                            HttpCode.FORBIDDEN,
                            `You are not allowed to set log retention days greater than ${maxRetentionDays} with your current subscription`
                        )
                    );
                }
                if (
                    parsedBody.data.settingsLogRetentionDaysAccess !== undefined &&
                    parsedBody.data.settingsLogRetentionDaysAccess > maxRetentionDays
                ) {
                    return next(
                        createHttpError(
                            HttpCode.FORBIDDEN,
                            `You are not allowed to set log retention days greater than ${maxRetentionDays} with your current subscription`
                        )
                    );
                }
                if (
                    parsedBody.data.settingsLogRetentionDaysAction !== undefined &&
                    parsedBody.data.settingsLogRetentionDaysAction > maxRetentionDays
                ) {
                    return next(
                        createHttpError(
                            HttpCode.FORBIDDEN,
                            `You are not allowed to set log retention days greater than ${maxRetentionDays} with your current subscription`
                        )
                    );
                }
            }
        }
        const updatedOrg = await db
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -18,6 +18,8 @@ import { isValidIP } from "@server/lib/validators";
 import { isIpInCidr } from "@server/lib/ip";
 import { verifyExitNodeOrgAccess } from "#dynamic/lib/exitNodes";
 import { build } from "@server/build";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 const createSiteParamsSchema = z.strictObject({
    orgId: z.string()
@@ -126,6 +128,35 @@ export async function createSite(
            );
        }
        if (build == "saas") {
            const usage = await usageService.getUsage(orgId, FeatureId.SITES);
            if (!usage) {
                return next(
                    createHttpError(
                        HttpCode.NOT_FOUND,
                        "No usage data found for this organization"
                    )
                );
            }
            const rejectSites = await usageService.checkLimitSet(
                orgId,
                FeatureId.SITES,
                {
                    ...usage,
                    instantaneousValue: (usage.instantaneousValue || 0) + 1
                } // We need to add one to know if we are violating the limit
            );
            if (rejectSites) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Site limit exceeded. Please upgrade your plan."
                    )
                );
            }
        }
        let updatedAddress = null;
        if (address) {
            if (!org.subnet) {
@@ -256,8 +287,8 @@ export async function createSite(
        const niceId = await getUniqueSiteName(orgId);
-        let newSite: Site;
+        let newSite: Site | undefined;
-
+        let numSites: Site[] | undefined;
        await db.transaction(async (trx) => {
            if (type == "wireguard" || type == "newt") {
                // we are creating a site with an exit node (tunneled)
@@ -402,13 +433,35 @@ export async function createSite(
                });
            }
-            return response<CreateSiteResponse>(res, {
+            numSites = await trx
-                data: newSite,
+                .select()
-                success: true,
+                .from(sites)
-                error: false,
+                .where(eq(sites.orgId, orgId));
-                message: "Site created successfully",
+        });
-                status: HttpCode.CREATED
+
-            });
+        if (numSites) {
            await usageService.updateCount(
                orgId,
                FeatureId.SITES,
                numSites.length
            );
        }
        if (!newSite) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
                    "Failed to create site"
                )
            );
        }
        return response<CreateSiteResponse>(res, {
            data: newSite,
            success: true,
            error: false,
            message: "Site created successfully",
            status: HttpCode.CREATED
        });
    } catch (error) {
        logger.error(error);
--- a/server/routers/site/deleteSite.ts
+++ b/server/routers/site/deleteSite.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, siteResources } from "@server/db";
+import { db, Site, siteResources } from "@server/db";
 import { newts, newtSessions, sites } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -12,6 +12,8 @@ import { fromError } from "zod-validation-error";
 import { sendToClient } from "#dynamic/routers/ws";
 import { OpenAPITags, registry } from "@server/openApi";
 import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 const deleteSiteSchema = z.strictObject({
    siteId: z.string().transform(Number).pipe(z.int().positive())
@@ -62,6 +64,7 @@ export async function deleteSite(
        }
        let deletedNewtId: string | null = null;
        let numSites: Site[] | undefined;
        await db.transaction(async (trx) => {
            if (site.type == "wireguard") {
@@ -99,8 +102,20 @@ export async function deleteSite(
            }
            await trx.delete(sites).where(eq(sites.siteId, siteId));
            numSites = await trx
                .select()
                .from(sites)
                .where(eq(sites.orgId, site.orgId));
        });
        if (numSites) {
            await usageService.updateCount(
                site.orgId,
                FeatureId.SITES,
                numSites.length
            );
        }
        // Send termination message outside of transaction to prevent blocking
        if (deletedNewtId) {
            const payload = {
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -13,6 +13,7 @@ import { verifySession } from "@server/auth/sessions/verifySession";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { build } from "@server/build";
 const acceptInviteBodySchema = z.strictObject({
    token: z.string(),
@@ -92,6 +93,38 @@ export async function acceptInvite(
            );
        }
        if (build == "saas") {
            const usage = await usageService.getUsage(
                existingInvite.orgId,
                FeatureId.USERS
            );
            if (!usage) {
                return next(
                    createHttpError(
                        HttpCode.NOT_FOUND,
                        "No usage data found for this organization"
                    )
                );
            }
            const rejectUsers = await usageService.checkLimitSet(
                existingInvite.orgId,
                FeatureId.USERS,
                {
                    ...usage,
                    instantaneousValue: (usage.instantaneousValue || 0) + 1
                } // We need to add one to know if we are violating the limit
            );
            if (rejectUsers) {
                return next(
                    createHttpError(
                        HttpCode.FORBIDDEN,
                        "Can not accept because this org's user limit is exceeded. Please contact your administrator to upgrade their plan."
                    )
                );
            }
        }
        let roleId: number;
        let totalUsers: UserOrg[] | undefined;
        // get the role to make sure it exists
@@ -125,17 +158,21 @@ export async function acceptInvite(
                .delete(userInvites)
                .where(eq(userInvites.inviteId, inviteId));
            await calculateUserClientsForOrgs(existingUser[0].userId, trx);
            // Get the total number of users in the org now
-            totalUsers = await db
+            totalUsers = await trx
                .select()
                .from(userOrgs)
                .where(eq(userOrgs.orgId, existingInvite.orgId));
-            await calculateUserClientsForOrgs(existingUser[0].userId, trx);
+            logger.debug(
                `User ${existingUser[0].userId} accepted invite to org ${existingInvite.orgId}. Total users in org: ${totalUsers.length}`
            );
        });
        if (totalUsers) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                existingInvite.orgId,
                FeatureId.USERS,
                totalUsers.length
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -13,20 +13,15 @@ import { generateId } from "@server/auth/sessions/app";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 import { build } from "@server/build";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
 });
 const bodySchema = z.strictObject({
-    email: z
+    email: z.string().email().toLowerCase().optional(),
        .string()
        .email()
        .toLowerCase()
        .optional(),
    username: z.string().nonempty().toLowerCase(),
    name: z.string().optional(),
    type: z.enum(["internal", "oidc"]).optional(),
@@ -95,7 +90,7 @@ export async function createOrgUser(
            }
            const rejectUsers = await usageService.checkLimitSet(
                orgId,
-                false,
+
                FeatureId.USERS,
                {
                    ...usage,
@@ -132,9 +127,8 @@ export async function createOrgUser(
            );
        } else if (type === "oidc") {
            if (build === "saas") {
-                const { tier } = await getOrgTierData(orgId);
+                const subscribed = await isSubscribed(orgId);
-                const subscribed = tier === TierId.STANDARD;
+                if (subscribed) {
                if (!subscribed) {
                    return next(
                        createHttpError(
                            HttpCode.FORBIDDEN,
@@ -256,7 +250,7 @@ export async function createOrgUser(
            });
            if (orgUsers) {
-                await usageService.updateDaily(
+                await usageService.updateCount(
                    orgId,
                    FeatureId.USERS,
                    orgUsers.length
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -133,7 +133,6 @@ export async function inviteUser(
            }
            const rejectUsers = await usageService.checkLimitSet(
                orgId,
                false,
                FeatureId.USERS,
                {
                    ...usage,
--- a/server/routers/user/removeUserOrg.ts
+++ b/server/routers/user/removeUserOrg.ts
@@ -140,7 +140,7 @@ export async function removeUserOrg(
        });
        if (userCount) {
-            await usageService.updateDaily(
+            await usageService.updateCount(
                orgId,
                FeatureId.USERS,
                userCount.length
--- a/server/setup/migrations.ts
+++ b/server/setup/migrations.ts
@@ -0,0 +1,162 @@
 #! /usr/bin/env node
 import { migrate } from "drizzle-orm/node-postgres/migrator";
 import { db } from "../db/pg";
 import semver from "semver";
 import { versionMigrations } from "../db/pg";
 import { __DIRNAME, APP_VERSION } from "@server/lib/consts";
 import path from "path";
 import m1 from "./scriptsPg/1.6.0";
 import m2 from "./scriptsPg/1.7.0";
 import m3 from "./scriptsPg/1.8.0";
 import m4 from "./scriptsPg/1.9.0";
 import m5 from "./scriptsPg/1.10.0";
 import m6 from "./scriptsPg/1.10.2";
 import m7 from "./scriptsPg/1.11.0";
 import m8 from "./scriptsPg/1.11.1";
 import m9 from "./scriptsPg/1.12.0";
 import m10 from "./scriptsPg/1.13.0";
 import m11 from "./scriptsPg/1.14.0";
 import m12 from "./scriptsPg/1.15.0";
 // THIS CANNOT IMPORT ANYTHING FROM THE SERVER
 // EXCEPT FOR THE DATABASE AND THE SCHEMA
 // Define the migration list with versions and their corresponding functions
 const migrations = [
    { version: "1.6.0", run: m1 },
    { version: "1.7.0", run: m2 },
    { version: "1.8.0", run: m3 },
    { version: "1.9.0", run: m4 },
    { version: "1.10.0", run: m5 },
    { version: "1.10.2", run: m6 },
    { version: "1.11.0", run: m7 },
    { version: "1.11.1", run: m8 },
    { version: "1.12.0", run: m9 },
    { version: "1.13.0", run: m10 },
    { version: "1.14.0", run: m11 },
    { version: "1.15.0", run: m12 }
    // Add new migrations here as they are created
 ] as {
    version: string;
    run: () => Promise<void>;
 }[];
 await run();
 async function run() {
    // run the migrations
    await runMigrations();
 }
 export async function runMigrations() {
    if (process.env.DISABLE_MIGRATIONS) {
        console.log("Migrations are disabled. Skipping...");
        return;
    }
    try {
        const appVersion = APP_VERSION;
        // determine if the migrations table exists
        const exists = await db
            .select()
            .from(versionMigrations)
            .limit(1)
            .execute()
            .then((res) => res.length > 0)
            .catch(() => false);
        if (exists) {
            console.log("Migrations table exists, running scripts...");
            await executeScripts();
        } else {
            console.log("Migrations table does not exist, creating it...");
            console.log("Running migrations...");
            try {
                await migrate(db, {
                    migrationsFolder: path.join(__DIRNAME, "init") // put here during the docker build
                });
                console.log("Migrations completed successfully.");
            } catch (error) {
                console.error("Error running migrations:", error);
            }
            await db
                .insert(versionMigrations)
                .values({
                    version: appVersion,
                    executedAt: Date.now()
                })
                .execute();
        }
    } catch (e) {
        console.error("Error running migrations:", e);
        await new Promise((resolve) =>
            setTimeout(resolve, 1000 * 60 * 60 * 24 * 1)
        );
    }
 }
 async function executeScripts() {
    try {
        // Get the last executed version from the database
        const lastExecuted = await db.select().from(versionMigrations);
        // Filter and sort migrations
        const pendingMigrations = lastExecuted
            .map((m) => m)
            .sort((a, b) => semver.compare(b.version, a.version));
        const startVersion = pendingMigrations[0]?.version ?? "0.0.0";
        console.log(`Starting migrations from version ${startVersion}`);
        const migrationsToRun = migrations.filter((migration) =>
            semver.gt(migration.version, startVersion)
        );
        console.log(
            "Migrations to run:",
            migrationsToRun.map((m) => m.version).join(", ")
        );
        // Run migrations in order
        for (const migration of migrationsToRun) {
            console.log(`Running migration ${migration.version}`);
            try {
                await migration.run();
                // Update version in database
                await db
                    .insert(versionMigrations)
                    .values({
                        version: migration.version,
                        executedAt: Date.now()
                    })
                    .execute();
                console.log(
                    `Successfully completed migration ${migration.version}`
                );
            } catch (e) {
                if (
                    e instanceof Error &&
                    typeof (e as any).code === "string" &&
                    (e as any).code === "23505"
                ) {
                    console.error("Migration has already run! Skipping...");
                    continue; // or return, depending on context
                }
                console.error(
                    `Failed to run migration ${migration.version}:`,
                    e
                );
                throw e;
            }
        }
        console.log("All migrations completed successfully");
    } catch (error) {
        console.error("Migration process failed:", error);
        throw error;
    }
 }
--- a/server/types/Tiers.ts
+++ b/server/types/Tiers.ts
@@ -0,0 +1 @@
 export type Tier = "tier1" | "tier2" | "tier3" | "enterprise";
--- a/src/app/[orgId]/settings/(private)/billing/page.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/page.tsx
--- a/src/app/[orgId]/settings/(private)/idp/create/page.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/create/page.tsx
@@ -27,6 +27,7 @@ import {
 import { Input } from "@app/components/ui/input";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 import { useLicenseStatusContext } from "@app/hooks/useLicenseStatusContext";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { toast } from "@app/hooks/useToast";
 import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { zodResolver } from "@hookform/resolvers/zod";
@@ -51,6 +52,7 @@ export default function Page() {
    >("role");
    const { isUnlocked } = useLicenseStatusContext();
    const t = useTranslations();
    const { isPaidUser } = usePaidStatus();
    const params = useParams();
@@ -806,7 +808,7 @@ export default function Page() {
                </Button>
                <Button
                    type="submit"
-                    disabled={createLoading}
+                    disabled={createLoading || !isPaidUser}
                    loading={createLoading}
                    onClick={() => {
                        // log any issues with the form
--- a/src/app/[orgId]/settings/(private)/idp/layout.tsx
+++ b/src/app/[orgId]/settings/(private)/idp/layout.tsx
@@ -1,18 +1,8 @@
 import { pullEnv } from "@app/lib/pullEnv";
 import { build } from "@server/build";
 import { redirect } from "next/navigation";
 interface LayoutProps {
    children: React.ReactNode;
    params: Promise<{}>;
 }
 export default async function Layout(props: LayoutProps) {
    const env = pullEnv();
    if (build !== "saas" && !env.flags.useOrgOnlyIdp) {
        redirect("/");
    }
    return props.children;
 }
--- a/src/app/[orgId]/settings/(private)/remote-exit-nodes/[remoteExitNodeId]/credentials/page.tsx
+++ b/src/app/[orgId]/settings/(private)/remote-exit-nodes/[remoteExitNodeId]/credentials/page.tsx
@@ -195,7 +195,7 @@ export default function CredentialsPage() {
                            </Alert>
                        )}
                    </SettingsSectionBody>
-                    {build !== "oss" && (
+                    {!env.flags.disableEnterpriseFeatures && (
                        <SettingsSectionFooter>
                            <Button
                                variant="outline"
--- a/src/app/[orgId]/settings/access/users/create/page.tsx
+++ b/src/app/[orgId]/settings/access/users/create/page.tsx
@@ -48,7 +48,6 @@ import { useTranslations } from "next-intl";
 import { build } from "@server/build";
 import Image from "next/image";
 import { useSubscriptionStatusContext } from "@app/hooks/useSubscriptionStatusContext";
 import { TierId } from "@server/lib/billing/tiers";
 type UserType = "internal" | "oidc";
--- a/src/app/[orgId]/settings/clients/machine/[niceId]/credentials/page.tsx
+++ b/src/app/[orgId]/settings/clients/machine/[niceId]/credentials/page.tsx
@@ -61,7 +61,9 @@ export default function CredentialsPage() {
        const isEnterpriseNotLicensed = build === "enterprise" && !isUnlocked();
        const isSaasNotSubscribed =
            build === "saas" && !subscription?.isSubscribed();
-        return isEnterpriseNotLicensed || isSaasNotSubscribed;
+        return (
            isEnterpriseNotLicensed || isSaasNotSubscribed || build === "oss"
        );
    };
    const handleConfirmRegenerate = async () => {
@@ -181,7 +183,7 @@ export default function CredentialsPage() {
                            </Alert>
                        )}
                    </SettingsSectionBody>
-                    {build !== "oss" && (
+                    {!env.flags.disableEnterpriseFeatures && (
                        <SettingsSectionFooter>
                            <Button
                                variant="outline"
--- a/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
@@ -28,10 +28,19 @@ import { createApiClient, formatAxiosError } from "@app/lib/api";
 import { toast } from "@app/hooks/useToast";
 import { useRouter } from "next/navigation";
 import { useState, useEffect, useTransition } from "react";
-import { Check, Ban, Shield, ShieldOff, Clock, CheckCircle2, XCircle } from "lucide-react";
+import {
    Check,
    Ban,
    Shield,
    ShieldOff,
    Clock,
    CheckCircle2,
    XCircle
 } from "lucide-react";
 import { useParams } from "next/navigation";
 import { FaApple, FaWindows, FaLinux } from "react-icons/fa";
 import { SiAndroid } from "react-icons/si";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 function formatTimestamp(timestamp: number | null | undefined): string {
    if (!timestamp) return "-";
@@ -111,13 +120,13 @@ function getPlatformFieldConfig(
            osVersion: { show: true, labelKey: "iosVersion" },
            kernelVersion: { show: false, labelKey: "kernelVersion" },
            arch: { show: true, labelKey: "architecture" },
-            deviceModel: { show: true, labelKey: "deviceModel" },
+            deviceModel: { show: true, labelKey: "deviceModel" }
        },
        android: {
            osVersion: { show: true, labelKey: "androidVersion" },
            kernelVersion: { show: true, labelKey: "kernelVersion" },
            arch: { show: true, labelKey: "architecture" },
-            deviceModel: { show: true, labelKey: "deviceModel" },
+            deviceModel: { show: true, labelKey: "deviceModel" }
        },
        unknown: {
            osVersion: { show: true, labelKey: "osVersion" },
@@ -133,7 +142,6 @@ function getPlatformFieldConfig(
    return configs[normalizedPlatform] || configs.unknown;
 }
 export default function GeneralPage() {
    const { client, updateClient } = useClientContext();
    const { isPaidUser } = usePaidStatus();
@@ -145,11 +153,15 @@ export default function GeneralPage() {
    const [approvalId, setApprovalId] = useState<number | null>(null);
    const [isRefreshing, setIsRefreshing] = useState(false);
    const [, startTransition] = useTransition();
    const { env } = useEnvContext();
    const showApprovalFeatures = build !== "oss" && isPaidUser;
-    const formatPostureValue = (value: boolean | null | undefined) => {
+    const formatPostureValue = (
-        if (value === null || value === undefined) return "-";
+        value: boolean | null | undefined | "-"
    ) => {
        if (value === null || value === undefined || value === "-")
            return "-";
        return (
            <div className="flex items-center gap-2">
                {value ? (
@@ -423,7 +435,8 @@ export default function GeneralPage() {
                                                        {t(
                                                            fieldConfig
                                                                .osVersion
-                                                                ?.labelKey || "osVersion"
+                                                                ?.labelKey ||
                                                                "osVersion"
                                                        )}
                                                    </InfoSectionTitle>
                                                    <InfoSectionContent>
@@ -559,8 +572,7 @@ export default function GeneralPage() {
                </SettingsSection>
            )}
-            {/* Device Security Section */}
+            {!env.flags.disableEnterpriseFeatures && (
            {build !== "oss" && (
                <SettingsSection>
                    <SettingsSectionHeader>
                        <SettingsSectionTitle>
@@ -572,20 +584,24 @@ export default function GeneralPage() {
                    </SettingsSectionHeader>
                    <SettingsSectionBody>
-                        {client.posture && Object.keys(client.posture).length > 0 ? (
+                        <PaidFeaturesAlert />
                        {client.posture &&
                        Object.keys(client.posture).length > 0 ? (
                            <>
                                {!isPaidUser && <PaidFeaturesAlert />}
                                <InfoSections cols={3}>
-                                    {client.posture.biometricsEnabled !== null &&
+                                    {client.posture.biometricsEnabled !==
-                                        client.posture.biometricsEnabled !== undefined && (
+                                        null &&
                                        client.posture.biometricsEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("biometricsEnabled")}
                                                </InfoSectionTitle>
                                                <InfoSectionContent>
-                                                    {isPaidUser
+                                                    {isPaidUser(tierMatrix.devicePosture)
                                                        ? formatPostureValue(
-                                                              client.posture.biometricsEnabled
+                                                              client.posture
                                                                  .biometricsEnabled
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -593,7 +609,8 @@ export default function GeneralPage() {
                                        )}
                                    {client.posture.diskEncrypted !== null &&
-                                        client.posture.diskEncrypted !== undefined && (
+                                        client.posture.diskEncrypted !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("diskEncrypted")}
@@ -601,7 +618,8 @@ export default function GeneralPage() {
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
-                                                              client.posture.diskEncrypted
+                                                              client.posture
                                                                  .diskEncrypted
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -609,7 +627,8 @@ export default function GeneralPage() {
                                        )}
                                    {client.posture.firewallEnabled !== null &&
-                                        client.posture.firewallEnabled !== undefined && (
+                                        client.posture.firewallEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("firewallEnabled")}
@@ -617,15 +636,18 @@ export default function GeneralPage() {
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
-                                                              client.posture.firewallEnabled
+                                                              client.posture
                                                                  .firewallEnabled
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
                                            </InfoSection>
                                        )}
-                                    {client.posture.autoUpdatesEnabled !== null &&
+                                    {client.posture.autoUpdatesEnabled !==
-                                        client.posture.autoUpdatesEnabled !== undefined && (
+                                        null &&
                                        client.posture.autoUpdatesEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("autoUpdatesEnabled")}
@@ -633,7 +655,8 @@ export default function GeneralPage() {
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
-                                                              client.posture.autoUpdatesEnabled
+                                                              client.posture
                                                                  .autoUpdatesEnabled
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -641,7 +664,8 @@ export default function GeneralPage() {
                                        )}
                                    {client.posture.tpmAvailable !== null &&
-                                        client.posture.tpmAvailable !== undefined && (
+                                        client.posture.tpmAvailable !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("tpmAvailable")}
@@ -649,18 +673,24 @@ export default function GeneralPage() {
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
-                                                              client.posture.tpmAvailable
+                                                              client.posture
                                                                  .tpmAvailable
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
                                            </InfoSection>
                                        )}
-                                    {client.posture.windowsAntivirusEnabled !== null &&
+                                    {client.posture.windowsAntivirusEnabled !==
-                                        client.posture.windowsAntivirusEnabled !== undefined && (
+                                        null &&
                                        client.posture
                                            .windowsAntivirusEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
-                                                    {t("windowsAntivirusEnabled")}
+                                                    {t(
                                                        "windowsAntivirusEnabled"
                                                    )}
                                                </InfoSectionTitle>
                                                <InfoSectionContent>
                                                    {isPaidUser
@@ -674,7 +704,8 @@ export default function GeneralPage() {
                                        )}
                                    {client.posture.macosSipEnabled !== null &&
-                                        client.posture.macosSipEnabled !== undefined && (
+                                        client.posture.macosSipEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
                                                    {t("macosSipEnabled")}
@@ -682,19 +713,24 @@ export default function GeneralPage() {
                                                <InfoSectionContent>
                                                    {isPaidUser
                                                        ? formatPostureValue(
-                                                              client.posture.macosSipEnabled
+                                                              client.posture
                                                                  .macosSipEnabled
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
                                            </InfoSection>
                                        )}
-                                    {client.posture.macosGatekeeperEnabled !== null &&
+                                    {client.posture.macosGatekeeperEnabled !==
-                                        client.posture.macosGatekeeperEnabled !==
+                                        null &&
                                        client.posture
                                            .macosGatekeeperEnabled !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
-                                                    {t("macosGatekeeperEnabled")}
+                                                    {t(
                                                        "macosGatekeeperEnabled"
                                                    )}
                                                </InfoSectionTitle>
                                                <InfoSectionContent>
                                                    {isPaidUser
@@ -707,12 +743,16 @@ export default function GeneralPage() {
                                            </InfoSection>
                                        )}
-                                    {client.posture.macosFirewallStealthMode !== null &&
+                                    {client.posture.macosFirewallStealthMode !==
-                                        client.posture.macosFirewallStealthMode !==
+                                        null &&
                                        client.posture
                                            .macosFirewallStealthMode !==
                                            undefined && (
                                            <InfoSection>
                                                <InfoSectionTitle>
-                                                    {t("macosFirewallStealthMode")}
+                                                    {t(
                                                        "macosFirewallStealthMode"
                                                    )}
                                                </InfoSectionTitle>
                                                <InfoSectionContent>
                                                    {isPaidUser
@@ -725,7 +765,8 @@ export default function GeneralPage() {
                                            </InfoSection>
                                        )}
-                                    {client.posture.linuxAppArmorEnabled !== null &&
+                                    {client.posture.linuxAppArmorEnabled !==
                                        null &&
                                        client.posture.linuxAppArmorEnabled !==
                                            undefined && (
                                            <InfoSection>
@@ -743,7 +784,8 @@ export default function GeneralPage() {
                                            </InfoSection>
                                        )}
-                                    {client.posture.linuxSELinuxEnabled !== null &&
+                                    {client.posture.linuxSELinuxEnabled !==
                                        null &&
                                        client.posture.linuxSELinuxEnabled !==
                                            undefined && (
                                            <InfoSection>
--- a/src/app/[orgId]/settings/general/auth-page/page.tsx
+++ b/src/app/[orgId]/settings/general/auth-page/page.tsx
@@ -20,11 +20,6 @@ export interface AuthPageProps {
 export default async function AuthPage(props: AuthPageProps) {
    const orgId = (await props.params).orgId;
    // custom auth branding is only available in enterprise and saas
    if (build === "oss") {
        redirect(`/${orgId}/settings/general/`);
    }
    let subscriptionStatus: GetOrgTierResponse | null = null;
    try {
        const subRes = await getCachedSubscription(orgId);
--- a/src/app/[orgId]/settings/general/layout.tsx
+++ b/src/app/[orgId]/settings/general/layout.tsx
@@ -10,6 +10,7 @@ import { getTranslations } from "next-intl/server";
 import { getCachedOrg } from "@app/lib/api/getCachedOrg";
 import { getCachedOrgUser } from "@app/lib/api/getCachedOrgUser";
 import { build } from "@server/build";
 import { pullEnv } from "@app/lib/pullEnv";
 type GeneralSettingsProps = {
    children: React.ReactNode;
@@ -23,6 +24,7 @@ export default async function GeneralSettingsPage({
    const { orgId } = await params;
    const user = await verifySession();
    const env = pullEnv();
    if (!user) {
        redirect(`/`);
@@ -55,14 +57,17 @@ export default async function GeneralSettingsPage({
        {
            title: t("security"),
            href: `/{orgId}/settings/general/security`
-        }
+        },
        // PaidFeaturesAlert
        ...(!env.flags.disableEnterpriseFeatures
            ? [
                  {
                      title: t("authPage"),
                      href: `/{orgId}/settings/general/auth-page`
                  }
              ]
            : [])
    ];
    if (build !== "oss") {
        navItems.push({
            title: t("authPage"),
            href: `/{orgId}/settings/general/auth-page`
        });
    }
    return (
        <>
--- a/src/app/[orgId]/settings/general/security/page.tsx
+++ b/src/app/[orgId]/settings/general/security/page.tsx
@@ -3,12 +3,7 @@ import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { Button } from "@app/components/ui/button";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
-import {
+import { useState, useRef, useActionState, type ComponentRef } from "react";
    useState,
    useRef,
    useActionState,
    type ComponentRef
 } from "react";
 import {
    Form,
    FormControl,
@@ -107,10 +102,13 @@ type SectionFormProps = {
 export default function SecurityPage() {
    const { org } = useOrgContext();
    const { env } = useEnvContext();
    return (
        <SettingsContainer>
            <LogRetentionSectionForm org={org.org} />
-            {build !== "oss" && <SecuritySettingsSectionForm org={org.org} />}
+            {!env.flags.disableEnterpriseFeatures && (
                <SecuritySettingsSectionForm org={org.org} />
            )}
        </SettingsContainer>
    );
 }
@@ -140,7 +138,8 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
    const { isPaidUser, hasSaasSubscription } = usePaidStatus();
    const [, formAction, loadingSave] = useActionState(performSave, null);
-    const api = createApiClient(useEnvContext());
+    const { env } = useEnvContext();
    const api = createApiClient({ env });
    async function performSave() {
        const isValid = await form.trigger();
@@ -243,7 +242,7 @@ function LogRetentionSectionForm({ org }: SectionFormProps) {
                                )}
                            />
-                            {build !== "oss" && (
+                            {!env.flags.disableEnterpriseFeatures && (
                                <>
                                    <PaidFeaturesAlert />
@@ -740,7 +739,7 @@ function SecuritySettingsSectionForm({ org }: SectionFormProps) {
                        type="submit"
                        form="security-settings-section-form"
                        loading={loadingSave}
-                        disabled={loadingSave}
+                        disabled={loadingSave || !isPaidUser}
                    >
                        {t("saveSettings")}
                    </Button>
--- a/src/app/[orgId]/settings/logs/access/page.tsx
+++ b/src/app/[orgId]/settings/logs/access/page.tsx
@@ -20,6 +20,7 @@ import { Alert, AlertDescription } from "@app/components/ui/alert";
 import { getSevenDaysAgo } from "@app/lib/getSevenDaysAgo";
 import axios from "axios";
 import { useStoredPageSize } from "@app/hooks/useStoredPageSize";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 export default function GeneralPage() {
    const router = useRouter();
@@ -209,7 +210,8 @@ export default function GeneralPage() {
        console.log("Date range changed:", { startDate, endDate, page, size });
        if (
            (build == "saas" && !subscription?.subscribed) ||
-            (build == "enterprise" && !isUnlocked())
+            (build == "enterprise" && !isUnlocked()) ||
            build === "oss"
        ) {
            console.log(
                "Access denied: subscription inactive or license locked"
@@ -611,21 +613,7 @@ export default function GeneralPage() {
                description={t("accessLogsDescription")}
            />
-            {build == "saas" && !subscription?.subscribed ? (
+            <PaidFeaturesAlert />
                <Alert variant="info" className="mb-6">
                    <AlertDescription>
                        {t("subscriptionRequiredToUse")}
                    </AlertDescription>
                </Alert>
            ) : null}
            {build == "enterprise" && !isUnlocked() ? (
                <Alert variant="info" className="mb-6">
                    <AlertDescription>
                        {t("licenseRequiredToUse")}
                    </AlertDescription>
                </Alert>
            ) : null}
            <LogDataTable
                columns={columns}
@@ -656,7 +644,8 @@ export default function GeneralPage() {
                renderExpandedRow={renderExpandedRow}
                disabled={
                    (build == "saas" && !subscription?.subscribed) ||
-                    (build == "enterprise" && !isUnlocked())
+                    (build == "enterprise" && !isUnlocked()) ||
                    build === "oss"
                }
            />
        </>
--- a/src/app/[orgId]/settings/logs/action/page.tsx
+++ b/src/app/[orgId]/settings/logs/action/page.tsx
@@ -2,6 +2,7 @@
 import { ColumnFilter } from "@app/components/ColumnFilter";
 import { DateTimeValue } from "@app/components/DateTimePicker";
 import { LogDataTable } from "@app/components/LogDataTable";
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
 import { Alert, AlertDescription } from "@app/components/ui/alert";
 import { useEnvContext } from "@app/hooks/useEnvContext";
@@ -92,6 +93,9 @@ export default function GeneralPage() {
    // Trigger search with default values on component mount
    useEffect(() => {
        if (build === "oss") {
            return;
        }
        const defaultRange = getDefaultDateRange();
        queryDateTime(
            defaultRange.startDate,
@@ -461,21 +465,7 @@ export default function GeneralPage() {
                description={t("actionLogsDescription")}
            />
-            {build == "saas" && !subscription?.subscribed ? (
+            <PaidFeaturesAlert />
                <Alert variant="info" className="mb-6">
                    <AlertDescription>
                        {t("subscriptionRequiredToUse")}
                    </AlertDescription>
                </Alert>
            ) : null}
            {build == "enterprise" && !isUnlocked() ? (
                <Alert variant="info" className="mb-6">
                    <AlertDescription>
                        {t("licenseRequiredToUse")}
                    </AlertDescription>
                </Alert>
            ) : null}
            <LogDataTable
                columns={columns}
@@ -508,7 +498,8 @@ export default function GeneralPage() {
                renderExpandedRow={renderExpandedRow}
                disabled={
                    (build == "saas" && !subscription?.subscribed) ||
-                    (build == "enterprise" && !isUnlocked())
+                    (build == "enterprise" && !isUnlocked()) ||
                    build === "oss"
                }
            />
        </>
--- a/src/app/[orgId]/settings/logs/request/page.tsx
+++ b/src/app/[orgId]/settings/logs/request/page.tsx
@@ -16,6 +16,7 @@ import Link from "next/link";
 import { useParams, useRouter, useSearchParams } from "next/navigation";
 import { useEffect, useState, useTransition } from "react";
 import { useStoredPageSize } from "@app/hooks/useStoredPageSize";
 import { build } from "@server/build";
 export default function GeneralPage() {
    const router = useRouter();
@@ -110,6 +111,9 @@ export default function GeneralPage() {
    // Trigger search with default values on component mount
    useEffect(() => {
        if (build === "oss") {
            return;
        }
        const defaultRange = getDefaultDateRange();
        queryDateTime(
            defaultRange.startDate,
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx
@@ -44,6 +44,7 @@ import { getUserDisplayName } from "@app/lib/getUserDisplayName";
 import { orgQueries, resourceQueries } from "@app/lib/queries";
 import { zodResolver } from "@hookform/resolvers/zod";
 import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { UserType } from "@server/types/UserTypes";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import SetResourcePasswordForm from "components/SetResourcePasswordForm";
@@ -164,7 +165,7 @@ export default function ResourceAuthenticationPage() {
    const allIdps = useMemo(() => {
        if (build === "saas") {
-            if (isPaidUser) {
+            if (isPaidUser(tierMatrix.orgOidc)) {
                return orgIdps.map((idp) => ({
                    id: idp.idpId,
                    text: idp.name
--- a/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/[niceId]/general/page.tsx
@@ -63,6 +63,7 @@ import {
 import { PaidFeaturesAlert } from "@app/components/PaidFeaturesAlert";
 import { GetResourceResponse } from "@server/routers/resource/getResource";
 import type { ResourceContextType } from "@app/contexts/resourceContext";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 type MaintenanceSectionFormProps = {
    resource: GetResourceResponse;
@@ -78,6 +79,7 @@ function MaintenanceSectionForm({
    const api = createApiClient({ env });
    const { isUnlocked } = useLicenseStatusContext();
    const subscription = useSubscriptionStatusContext();
    const { isPaidUser } = usePaidStatus();
    const MaintenanceFormSchema = z.object({
        maintenanceModeEnabled: z.boolean().optional(),
@@ -161,7 +163,9 @@ function MaintenanceSectionForm({
        const isEnterpriseNotLicensed = build === "enterprise" && !isUnlocked();
        const isSaasNotSubscribed =
            build === "saas" && !subscription?.isSubscribed();
-        return isEnterpriseNotLicensed || isSaasNotSubscribed;
+        return (
            isEnterpriseNotLicensed || isSaasNotSubscribed || build === "oss"
        );
    };
    if (!resource.http) {
@@ -187,13 +191,14 @@ function MaintenanceSectionForm({
                            className="space-y-4"
                            id="maintenance-settings-form"
                        >
-                            <PaidFeaturesAlert></PaidFeaturesAlert>
+                            <PaidFeaturesAlert />
                            <FormField
                                control={maintenanceForm.control}
                                name="maintenanceModeEnabled"
                                render={({ field }) => {
                                    const isDisabled =
-                                        isSecurityFeatureDisabled() || resource.http === false;
+                                        isSecurityFeatureDisabled() ||
                                        resource.http === false;
                                    return (
                                        <FormItem>
@@ -413,7 +418,7 @@ function MaintenanceSectionForm({
                <Button
                    type="submit"
                    loading={maintenanceSaveLoading}
-                    disabled={maintenanceSaveLoading}
+                    disabled={maintenanceSaveLoading || !isPaidUser}
                    form="maintenance-settings-form"
                >
                    {t("saveSettings")}
@@ -739,7 +744,7 @@ export default function GeneralForm() {
                    </SettingsSectionFooter>
                </SettingsSection>
-                {build !== "oss" && (
+                {!env.flags.disableEnterpriseFeatures && (
                    <MaintenanceSectionForm
                        resource={resource}
                        updateResource={updateResource}
--- a/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
+++ b/src/app/[orgId]/settings/sites/[niceId]/credentials/page.tsx
@@ -72,7 +72,9 @@ export default function CredentialsPage() {
        const isEnterpriseNotLicensed = build === "enterprise" && !isUnlocked();
        const isSaasNotSubscribed =
            build === "saas" && !subscription?.isSubscribed();
-        return isEnterpriseNotLicensed || isSaasNotSubscribed;
+        return (
            isEnterpriseNotLicensed || isSaasNotSubscribed || build === "oss"
        );
    };
    // Fetch site defaults for wireguard sites to show in obfuscated config
@@ -269,7 +271,7 @@ export default function CredentialsPage() {
                                    </Alert>
                                )}
                            </SettingsSectionBody>
-                            {build !== "oss" && (
+                            {!env.flags.disableEnterpriseFeatures && (
                                <SettingsSectionFooter>
                                    <Button
                                        variant="outline"
@@ -383,7 +385,7 @@ export default function CredentialsPage() {
                                </>
                            )}
                        </SettingsSectionBody>
-                        {build === "enterprise" && (
+                        {!env.flags.disableEnterpriseFeatures && (
                            <SettingsSectionFooter>
                                <Button
                                    onClick={() => setModalOpen(true)}
--- a/src/app/auth/login/device/page.tsx
+++ b/src/app/auth/login/device/page.tsx
@@ -7,22 +7,35 @@ import { cache } from "react";
 export const dynamic = "force-dynamic";
 type Props = {
-    searchParams: Promise<{ code?: string }>;
+    searchParams: Promise<{ code?: string; user?: string }>;
 };
 function deviceRedirectSearchParams(params: {
    code?: string;
    user?: string;
 }): string {
    const search = new URLSearchParams();
    if (params.code) search.set("code", params.code);
    if (params.user) search.set("user", params.user);
    const q = search.toString();
    return q ? `?${q}` : "";
 }
 export default async function DeviceLoginPage({ searchParams }: Props) {
    const user = await verifySession({ forceLogin: true });
    const params = await searchParams;
    const code = params.code || "";
    const defaultUser = params.user;
    if (!user) {
-        const redirectDestination = code
+        const redirectDestination = `/auth/login/device${deviceRedirectSearchParams({ code, user: params.user })}`;
-            ? `/auth/login/device?code=${encodeURIComponent(code)}`
+        const loginUrl = new URL("/auth/login", "http://x");
-            : "/auth/login/device";
+        loginUrl.searchParams.set("forceLogin", "true");
-        redirect(
+        loginUrl.searchParams.set("redirect", redirectDestination);
-            `/auth/login?forceLogin=true&redirect=${encodeURIComponent(redirectDestination)}`
+        if (defaultUser) loginUrl.searchParams.set("user", defaultUser);
-        );
+        console.log("loginUrl", loginUrl.pathname + loginUrl.search);
        redirect(loginUrl.pathname + loginUrl.search);
    }
    const userName = user
@@ -37,6 +50,7 @@ export default async function DeviceLoginPage({ searchParams }: Props) {
            userEmail={user?.email || ""}
            userName={userName}
            initialCode={code}
            userQueryParam={defaultUser}
        />
    );
 }
--- a/src/app/auth/login/page.tsx
+++ b/src/app/auth/login/page.tsx
@@ -72,6 +72,8 @@ export default async function Page(props: {
        searchParams.redirect = redirectUrl;
    }
    const defaultUser = searchParams.user as string | undefined;
    // Only use SmartLoginForm if NOT (OSS build OR org-only IdP enabled)
    const useSmartLogin =
        build === "saas" || (build === "enterprise" && env.flags.useOrgOnlyIdp);
@@ -151,6 +153,7 @@ export default async function Page(props: {
                            <SmartLoginForm
                                redirect={redirectUrl}
                                forceLogin={forceLogin}
                                defaultUser={defaultUser}
                            />
                        </CardContent>
                    </Card>
@@ -165,6 +168,7 @@ export default async function Page(props: {
                        (build === "saas" || env.flags.useOrgOnlyIdp)
                    }
                    searchParams={searchParams}
                    defaultUser={defaultUser}
                />
            )}
--- a/src/app/auth/resource/[resourceGuid]/page.tsx
+++ b/src/app/auth/resource/[resourceGuid]/page.tsx
@@ -23,8 +23,6 @@ import type {
    LoadLoginPageBrandingResponse,
    LoadLoginPageResponse
 } from "@server/routers/loginPage/types";
 import { GetOrgTierResponse } from "@server/routers/billing/types";
 import { TierId } from "@server/lib/billing/tiers";
 import { CheckOrgUserAccessResponse } from "@server/routers/org";
 import OrgPolicyRequired from "@app/components/OrgPolicyRequired";
 import { isOrgSubscribed } from "@app/lib/api/isOrgSubscribed";
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -121,7 +121,10 @@ export const orgNavSections = (env?: Env): SidebarNavSection[] => [
                href: "/{orgId}/settings/access/roles",
                icon: <Users className="size-4 flex-none" />
            },
-            ...(build === "saas" || env?.flags.useOrgOnlyIdp
+            // PaidFeaturesAlert
            ...((build === "oss" && !env?.flags.disableEnterpriseFeatures) ||
            build === "saas" ||
            env?.flags.useOrgOnlyIdp
                ? [
                      {
                          title: "sidebarIdentityProviders",
@@ -130,7 +133,7 @@ export const orgNavSections = (env?: Env): SidebarNavSection[] => [
                      }
                  ]
                : []),
-            ...(build !== "oss"
+            ...(!env?.flags.disableEnterpriseFeatures
                ? [
                      {
                          title: "sidebarApprovals",
@@ -155,7 +158,7 @@ export const orgNavSections = (env?: Env): SidebarNavSection[] => [
                    href: "/{orgId}/settings/logs/request",
                    icon: <SquareMousePointer className="size-4 flex-none" />
                },
-                ...(build != "oss"
+                ...(!env?.flags.disableEnterpriseFeatures
                    ? [
                          {
                              title: "sidebarLogsAccess",
--- a/src/components/ApprovalFeed.tsx
+++ b/src/components/ApprovalFeed.tsx
@@ -30,6 +30,8 @@ import {
 import { Separator } from "./ui/separator";
 import { InfoPopup } from "./ui/info-popup";
 import { ApprovalsEmptyState } from "./ApprovalsEmptyState";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 export type ApprovalFeedProps = {
    orgId: string;
@@ -50,9 +52,12 @@ export function ApprovalFeed({
        Object.fromEntries(searchParams.entries())
    );
-    const { data, isFetching, refetch } = useQuery(
+    const { isPaidUser } = usePaidStatus();
-        approvalQueries.listApprovals(orgId, filters)
+
-    );
+    const { data, isFetching, refetch } = useQuery({
        ...approvalQueries.listApprovals(orgId, filters),
        enabled: isPaidUser(tierMatrix.deviceApprovals)
    });
    const approvals = data?.approvals ?? [];
@@ -209,19 +214,19 @@ function ApprovalRequest({ approval, orgId, onSuccess }: ApprovalRequestProps) {
                    &nbsp;
                    {approval.type === "user_device" && (
                        <span className="inline-flex items-center gap-1">
-                                    {approval.deviceName ? (
+                            {approval.deviceName ? (
-                                        <>
+                                <>
-                                            {t("requestingNewDeviceApproval")}:{" "}
+                                    {t("requestingNewDeviceApproval")}:{" "}
-                                            {approval.niceId ? (
+                                    {approval.niceId ? (
-                                                <Link
+                                        <Link
-                                                    href={`/${orgId}/settings/clients/user/${approval.niceId}/general`}
+                                            href={`/${orgId}/settings/clients/user/${approval.niceId}/general`}
-                                                    className="text-primary hover:underline cursor-pointer"
+                                            className="text-primary hover:underline cursor-pointer"
-                                                >
+                                        >
-                                                    {approval.deviceName}
+                                            {approval.deviceName}
-                                                </Link>
+                                        </Link>
-                                            ) : (
+                                    ) : (
-                                                <span>{approval.deviceName}</span>
+                                        <span>{approval.deviceName}</span>
-                                            )}
+                                    )}
                                    {approval.fingerprint && (
                                        <InfoPopup>
                                            <div className="space-y-1 text-sm">
@@ -229,7 +234,10 @@ function ApprovalRequest({ approval, orgId, onSuccess }: ApprovalRequestProps) {
                                                    {t("deviceInformation")}
                                                </div>
                                                <div className="text-muted-foreground whitespace-pre-line">
-                                                    {formatFingerprintInfo(approval.fingerprint, t)}
+                                                    {formatFingerprintInfo(
                                                        approval.fingerprint,
                                                        t
                                                    )}
                                                </div>
                                            </div>
                                        </InfoPopup>
--- a/src/components/CreateRoleForm.tsx
+++ b/src/components/CreateRoleForm.tsx
@@ -51,6 +51,7 @@ export default function CreateRoleForm({
    const { org } = useOrgContext();
    const t = useTranslations();
    const { isPaidUser } = usePaidStatus();
    const { env } = useEnvContext();
    const formSchema = z.object({
        name: z
@@ -160,8 +161,9 @@ export default function CreateRoleForm({
                                        </FormItem>
                                    )}
                                />
-                                {build !== "oss" && (
+
-                                    <div>
+                                {!env.flags.disableEnterpriseFeatures && (
                                    <>
                                        <PaidFeaturesAlert />
                                        <FormField
@@ -208,7 +210,7 @@ export default function CreateRoleForm({
                                                </FormItem>
                                            )}
                                        />
-                                    </div>
+                                    </>
                                )}
                            </form>
                        </Form>
--- a/src/components/DashboardLoginForm.tsx
+++ b/src/components/DashboardLoginForm.tsx
@@ -29,6 +29,7 @@ type DashboardLoginFormProps = {
    searchParams?: {
        [key: string]: string | string[] | undefined;
    };
    defaultUser?: string;
 };
 export default function DashboardLoginForm({
@@ -36,7 +37,8 @@ export default function DashboardLoginForm({
    idps,
    forceLogin,
    showOrgLogin,
-    searchParams
+    searchParams,
    defaultUser
 }: DashboardLoginFormProps) {
    const router = useRouter();
    const { env } = useEnvContext();
@@ -75,6 +77,7 @@ export default function DashboardLoginForm({
                    redirect={redirect}
                    idps={idps}
                    forceLogin={forceLogin}
                    defaultEmail={defaultUser}
                    onLogin={(redirectUrl) => {
                        if (redirectUrl) {
                            const safe = cleanRedirect(redirectUrl);
--- a/src/components/DeviceLoginForm.tsx
+++ b/src/components/DeviceLoginForm.tsx
@@ -55,12 +55,14 @@ type DeviceLoginFormProps = {
    userEmail: string;
    userName?: string;
    initialCode?: string;
    userQueryParam?: string;
 };
 export default function DeviceLoginForm({
    userEmail,
    userName,
-    initialCode = ""
+    initialCode = "",
    userQueryParam
 }: DeviceLoginFormProps) {
    const router = useRouter();
    const { env } = useEnvContext();
@@ -219,9 +221,12 @@ export default function DeviceLoginForm({
            const currentSearch =
                typeof window !== "undefined" ? window.location.search : "";
            const redirectTarget = `/auth/login/device${currentSearch || ""}`;
-            router.push(
+            const loginUrl = new URL("/auth/login", "http://x");
-                `/auth/login?forceLogin=true&redirect=${encodeURIComponent(redirectTarget)}`
+            loginUrl.searchParams.set("forceLogin", "true");
-            );
+            loginUrl.searchParams.set("redirect", redirectTarget);
            if (userQueryParam)
                loginUrl.searchParams.set("user", userQueryParam);
            router.push(loginUrl.pathname + loginUrl.search);
            router.refresh();
        }
    }
--- a/src/components/EditRoleForm.tsx
+++ b/src/components/EditRoleForm.tsx
@@ -59,6 +59,7 @@ export default function EditRoleForm({
    const { org } = useOrgContext();
    const t = useTranslations();
    const { isPaidUser } = usePaidStatus();
    const { env } = useEnvContext();
    const formSchema = z.object({
        name: z
@@ -168,8 +169,9 @@ export default function EditRoleForm({
                                        </FormItem>
                                    )}
                                />
-                                {build !== "oss" && (
+
-                                    <div>
+                                {!env.flags.disableEnterpriseFeatures && (
                                    <>
                                        <PaidFeaturesAlert />
                                        <FormField
@@ -216,7 +218,7 @@ export default function EditRoleForm({
                                                </FormItem>
                                            )}
                                        />
-                                    </div>
+                                    </>
                                )}
                            </form>
                        </Form>
--- a/src/components/InviteStatusCard.tsx
+++ b/src/components/InviteStatusCard.tsx
@@ -39,7 +39,7 @@ export default function InviteStatusCard({
    const [loading, setLoading] = useState(true);
    const [error, setError] = useState("");
    const [type, setType] = useState<
-        "rejected" | "wrong_user" | "user_does_not_exist" | "not_logged_in"
+        "rejected" | "wrong_user" | "user_does_not_exist" | "not_logged_in" | "user_limit_exceeded"
    >("rejected");
    useEffect(() => {
@@ -75,6 +75,11 @@ export default function InviteStatusCard({
                    error.includes("You must be logged in to accept an invite")
                ) {
                    return "not_logged_in";
                } else if (
                    error.includes("user limit is exceeded") ||
                    error.includes("Can not accept")
                ) {
                    return "user_limit_exceeded";
                } else {
                    return "rejected";
                }
@@ -145,6 +150,17 @@ export default function InviteStatusCard({
                    <p className="text-center">{t("inviteCreateUser")}</p>
                </div>
            );
        } else if (type === "user_limit_exceeded") {
            return (
                <div>
                    <p className="text-center mb-4 font-semibold">
                        Cannot Accept Invite
                    </p>
                    <p className="text-center text-sm">
                        This organization has reached its user limit. Please contact the organization administrator to upgrade their plan before accepting this invite.
                    </p>
                </div>
            );
        }
    }
@@ -165,6 +181,16 @@ export default function InviteStatusCard({
            );
        } else if (type === "user_does_not_exist") {
            return <Button onClick={goToSignup}>{t("createAnAccount")}</Button>;
        } else if (type === "user_limit_exceeded") {
            return (
                <Button
                    onClick={() => {
                        router.push("/");
                    }}
                >
                    {t("goHome")}
                </Button>
            );
        }
    }
--- a/src/components/LoginForm.tsx
+++ b/src/components/LoginForm.tsx
@@ -54,6 +54,7 @@ type LoginFormProps = {
    idps?: LoginFormIDP[];
    orgId?: string;
    forceLogin?: boolean;
    defaultEmail?: string;
 };
 export default function LoginForm({
@@ -61,7 +62,8 @@ export default function LoginForm({
    onLogin,
    idps,
    orgId,
-    forceLogin
+    forceLogin,
    defaultEmail
 }: LoginFormProps) {
    const router = useRouter();
@@ -116,7 +118,7 @@ export default function LoginForm({
    const form = useForm({
        resolver: zodResolver(formSchema),
        defaultValues: {
-            email: "",
+            email: defaultEmail ?? "",
            password: ""
        }
    });
--- a/src/components/PaidFeaturesAlert.tsx
+++ b/src/components/PaidFeaturesAlert.tsx
@@ -1,28 +1,74 @@
 "use client";
-import { Alert, AlertDescription } from "@app/components/ui/alert";
+import { Card, CardContent } from "@app/components/ui/card";
 import { build } from "@server/build";
 import { useTranslations } from "next-intl";
 import { usePaidStatus } from "@app/hooks/usePaidStatus";
 import { ExternalLink, KeyRound, Sparkles } from "lucide-react";
 import { useTranslations } from "next-intl";
 import Link from "next/link";
 import { useEnvContext } from "@app/hooks/useEnvContext";
 const bannerClassName =
    "mb-6 border-primary/30 bg-linear-to-br from-primary/10 via-background to-background overflow-hidden";
 const bannerContentClassName = "py-3 px-4";
 const bannerRowClassName =
    "flex items-center gap-2.5 text-sm text-muted-foreground";
 export function PaidFeaturesAlert() {
    const t = useTranslations();
    const { hasSaasSubscription, hasEnterpriseLicense } = usePaidStatus();
    const { env } = useEnvContext();
    if (env.flags.disableEnterpriseFeatures) {
        return null;
    }
    return (
        <>
            {build === "saas" && !hasSaasSubscription ? (
-                <Alert variant="info" className="mb-6">
+                <Card className={bannerClassName}>
-                    <AlertDescription>
+                    <CardContent className={bannerContentClassName}>
-                        {t("subscriptionRequiredToUse")}
+                        <div className={bannerRowClassName}>
-                    </AlertDescription>
+                            <KeyRound className="size-4 shrink-0 text-primary" />
-                </Alert>
+                            <span>{t("subscriptionRequiredToUse")}</span>
                        </div>
                    </CardContent>
                </Card>
            ) : null}
            {build === "enterprise" && !hasEnterpriseLicense ? (
-                <Alert variant="info" className="mb-6">
+                <Card className={bannerClassName}>
-                    <AlertDescription>
+                    <CardContent className={bannerContentClassName}>
-                        {t("licenseRequiredToUse")}
+                        <div className={bannerRowClassName}>
-                    </AlertDescription>
+                            <KeyRound className="size-4 shrink-0 text-primary" />
-                </Alert>
+                            <span>{t("licenseRequiredToUse")}</span>
                        </div>
                    </CardContent>
                </Card>
            ) : null}
            {build === "oss" && !hasEnterpriseLicense ? (
                <Card className="mb-6 border-purple-500/30 bg-linear-to-br from-purple-500/10 via-background to-background overflow-hidden">
                    <CardContent className={bannerContentClassName}>
                        <div className={bannerRowClassName}>
                            <KeyRound className="size-4 shrink-0 text-purple-500" />
                            <span>
                                {t.rich("ossEnterpriseEditionRequired", {
                                    enterpriseEditionLink: (chunks) => (
                                        <Link
                                            href="https://docs.pangolin.net/self-host/enterprise-edition"
                                            target="_blank"
                                            rel="noopener noreferrer"
                                            className="inline-flex items-center gap-1 font-medium text-purple-600 underline"
                                        >
                                            {chunks}
                                            <ExternalLink className="size-3.5 shrink-0" />
                                        </Link>
                                    )
                                })}
                            </span>
                        </div>
                    </CardContent>
                </Card>
            ) : null}
        </>
    );
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
miloschwartz	a095dddd01	use pricing matrix in existing usePaidStatus funcitons	2026-02-09 18:17:18 -08:00
Owen	1b5cfaa49b	Add pricing matrix	2026-02-09 18:04:37 -08:00
miloschwartz	66f3fabbae	add rest of tier types	2026-02-09 17:52:28 -08:00
miloschwartz	0be8fb7931	add tier type	2026-02-09 17:42:45 -08:00
Owen	431e6ffaae	Remove site kick	2026-02-09 17:23:48 -08:00
Owen	7d8185e0ee	Getting swtiching tiers to work	2026-02-09 17:05:14 -08:00
miloschwartz	dff45748bd	refactor is licensed and subscribed util functions	2026-02-09 16:57:41 -08:00
miloschwartz	e6464929ff	Merge branch 'dev' into new-pricing	2026-02-09 15:05:13 -08:00
miloschwartz	122053939d	dont fingerprint machine clients	2026-02-09 14:41:40 -08:00
Owen	300b4a3706	Set version when creating sub	2026-02-08 17:56:50 -08:00
Owen	81ef2db7f8	Rename tiers and get working	2026-02-08 17:56:36 -08:00
Owen	c41e8be3e8	Dont accept invite if over the limits	2026-02-08 11:55:24 -08:00
Owen	41bab0ce0b	Dont log to stripe	2026-02-08 11:13:09 -08:00
Owen	5f26b9eeea	Merge branch 'k8s' into new-pricing	2026-02-08 11:08:51 -08:00
Owen	1cca69ad23	Further billing	2026-02-08 11:08:23 -08:00
miloschwartz	410ed3949b	use pangolin cli in machine client commands	2026-02-07 17:13:55 -08:00
miloschwartz	efc6ef3075	show features in ce	2026-02-07 17:00:44 -08:00
Owen	e101ac341b	Basic billing page is working	2026-02-06 17:41:20 -08:00
Owen	6cfc7b7c69	Switch to the new tier system and clean up checks	2026-02-06 16:27:31 -08:00
Owen	313acabc86	Wrap insert in transaction Ref #2222	2026-02-06 10:48:18 -08:00
Owen	34cced872f	Switching to new pricing - remove old feature tracking	2026-02-06 10:47:43 -08:00
Owen	ac09e3aaf9	Wrap insert in transaction Ref #2222	2026-02-06 10:47:19 -08:00
miloschwartz	a8f6b6c1da	prefill username in login	2026-02-05 16:55:00 -08:00
Owen	f899326189	Change features, remove site uptime	2026-02-05 14:56:07 -08:00
Owen	f2ba4b270f	Dont write stripe to files anymore	2026-01-29 20:56:46 -08:00
		`@@ -0,0 +1 @@`
							`export type Tier = "tier1" \| "tier2" \| "tier3" \| "enterprise";`