Add missing queuing

better-sqlite3 11.x exposes no Statement.finalize() — the wrapper threw and
swallowed a TypeError on every query (verified: 'Statement.finalize exists:
undefined' in the runner image) while adding +122% per-statement overhead
(3.90 -> 8.66 us/op, 200k-op in-container microbench) and freeing nothing.
Statement lifecycle is GC-managed by the driver; drizzle-orm prepares fresh
per query, so nothing accumulates unbounded.

busy_timeout=5000 duplicates better-sqlite3's default timeout option, which
already arms sqlite3_busy_timeout(db, 5000) at open (lib/database.js).

With ENABLE_SQLITE_WAL_MODE unset the driver is now runtime-identical to
pre-1.18.3 (zero pragmas). The env-gated WAL block stays: journal_mode is
sticky in the DB file, so removing it would strand opted-in databases on
WAL+synchronous=FULL.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

.github/dependabot.yml

@@ -1,52 +1,42 @@
 version: 2
+
 updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      dev-patch-updates:
+      npm-dependencies:
-        dependency-type: "development"
+        patterns:
-        update-types:
+          - "*"
-          - "patch"
-      dev-minor-updates:
-        dependency-type: "development"
-        update-types:
-          - "minor"
-      prod-patch-updates:
-        dependency-type: "production"
-        update-types:
-          - "patch"
-      prod-minor-updates:
-        dependency-type: "production"
-        update-types:
-          - "minor"
 
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      patch-updates:
+      docker-dependencies:
-        update-types:
+        patterns:
-          - "patch"
+          - "*"
-      minor-updates:
-        update-types:
-          - "minor"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 1
+    groups:
+      github-actions-dependencies:
+        patterns:
+          - "*"
 
   - package-ecosystem: "gomod"
     directory: "/install"
     schedule:
       interval: "daily"
+    open-pull-requests-limit: 1
     groups:
-      patch-updates:
+      go-install-dependencies:
-        update-types:
+        patterns:
-          - "patch"
+          - "*"
-      minor-updates:
-        update-types:
-          - "minor"

server/db/pg/schema/privateSchema.ts

@@ -11,7 +11,7 @@ import {
     primaryKey,
     uniqueIndex
 } from "drizzle-orm/pg-core";
-import { InferSelectModel } from "drizzle-orm";
+import { InferSelectModel, sql } from "drizzle-orm";
 import {
     domains,
     orgs,
@@ -207,17 +207,28 @@ export const remoteExitNodeSessions = pgTable("remoteExitNodeSession", {
     expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
 });
 
-export const loginPage = pgTable("loginPage", {
+export const loginPage = pgTable(
+    "loginPage",
+    {
         loginPageId: serial("loginPageId").primaryKey(),
         subdomain: varchar("subdomain"),
         fullDomain: varchar("fullDomain"),
-    exitNodeId: integer("exitNodeId").references(() => exitNodes.exitNodeId, {
+        exitNodeId: integer("exitNodeId").references(
+            () => exitNodes.exitNodeId,
+            {
                 onDelete: "set null"
-    }),
+            }
+        ),
         domainId: varchar("domainId").references(() => domains.domainId, {
             onDelete: "set null"
         })
-});
+    },
+    (t) => [
+        index("idx_loginpage_fulldomain")
+            .on(t.fullDomain)
+            .where(sql`${t.fullDomain} IS NOT NULL`)
+    ]
+);
 
 export const loginPageOrg = pgTable("loginPageOrg", {
     loginPageId: integer("loginPageId")

server/db/pg/schema/schema.ts

@@ -1,5 +1,5 @@
 import { randomUUID } from "crypto";
-import { InferSelectModel } from "drizzle-orm";
+import { InferSelectModel, sql } from "drizzle-orm";
 import {
     bigint,
     boolean,
@@ -82,7 +82,9 @@ export const orgDomains = pgTable("orgDomains", {
         .references(() => domains.domainId, { onDelete: "cascade" })
 });
 
-export const sites = pgTable("sites", {
+export const sites = pgTable(
+    "sites",
+    {
         siteId: serial("siteId").primaryKey(),
         orgId: varchar("orgId")
             .references(() => orgs.orgId, {
@@ -107,17 +109,32 @@ export const sites = pgTable("sites", {
         publicKey: varchar("publicKey"),
         lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
         listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+        dockerSocketEnabled: boolean("dockerSocketEnabled")
-    autoUpdateEnabled: boolean("autoUpdateEnabled").notNull().default(false),
+            .notNull()
+            .default(true),
+        autoUpdateEnabled: boolean("autoUpdateEnabled")
+            .notNull()
+            .default(false),
         autoUpdateOverrideOrg: boolean("autoUpdateOverrideOrg")
             .notNull()
             .default(false),
         status: varchar("status")
             .$type<"pending" | "approved">()
             .default("approved")
-});
+    },
+    (t) => [
+        index("idx_sites_exitnodeid").on(t.exitNodeId),
+        index("idx_sites_exitnode_type_siteid").on(
+            t.exitNodeId,
+            t.type,
+            t.siteId
+        )
+    ]
+);
 
-export const resources = pgTable("resources", {
+export const resources = pgTable(
+    "resources",
+    {
         resourceId: serial("resourceId").primaryKey(),
         resourcePolicyId: integer("resourcePolicyId").references(
             () => resourcePolicies.resourcePolicyId,
@@ -182,7 +199,13 @@ export const resources = pgTable("resources", {
             .$type<"site" | "remote" | "native">()
             .default("site"),
         authDaemonPort: integer("authDaemonPort").default(22123)
-});
+    },
+    (t) => [
+        index("idx_resources_fulldomain")
+            .on(t.fullDomain)
+            .where(sql`${t.fullDomain} IS NOT NULL`)
+    ]
+);
 
 export const labels = pgTable("labels", {
     labelId: serial("labelId").primaryKey(),
@@ -267,7 +290,9 @@ export const clientLabels = pgTable(
     (t) => [unique("client_label_uniq").on(t.clientId, t.labelId)]
 );
 
-export const targets = pgTable("targets", {
+export const targets = pgTable(
+    "targets",
+    {
         targetId: serial("targetId").primaryKey(),
         resourceId: integer("resourceId")
             .references(() => resources.resourceId, {
@@ -294,9 +319,18 @@ export const targets = pgTable("targets", {
             .notNull()
             .default("http"),
         authToken: varchar("authToken")
-});
+    },
+    (t) => [
+        index("idx_targets_resourceid_siteid").on(t.resourceId, t.siteId),
+        index("idx_targets_site_enabled_priority_target_resource")
+            .on(t.siteId, t.priority.desc(), t.targetId, t.resourceId)
+            .where(sql`${t.enabled} = true`)
+    ]
+);
 
-export const targetHealthCheck = pgTable("targetHealthCheck", {
+export const targetHealthCheck = pgTable(
+    "targetHealthCheck",
+    {
         targetHealthCheckId: serial("targetHealthCheckId").primaryKey(),
         targetId: integer("targetId").references(() => targets.targetId, {
             onDelete: "cascade"
@@ -331,7 +365,9 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
         hcTlsServerName: text("hcTlsServerName"),
         hcHealthyThreshold: integer("hcHealthyThreshold").default(1),
         hcUnhealthyThreshold: integer("hcUnhealthyThreshold").default(1)
-});
+    },
+    (t) => [index("idx_targethealthcheck_targetid").on(t.targetId)]
+);
 
 export const exitNodes = pgTable("exitNodes", {
     exitNodeId: serial("exitNodeId").primaryKey(),
@@ -406,7 +442,9 @@ export const networks = pgTable("networks", {
         .notNull()
 });
 
-export const siteNetworks = pgTable("siteNetworks", {
+export const siteNetworks = pgTable(
+    "siteNetworks",
+    {
         siteId: integer("siteId")
             .notNull()
             .references(() => sites.siteId, {
@@ -415,34 +453,63 @@ export const siteNetworks = pgTable("siteNetworks", {
         networkId: integer("networkId")
             .notNull()
             .references(() => networks.networkId, { onDelete: "cascade" })
-});
+    },
+    (t) => [
+        index("idx_sitenetworks_siteid").on(t.siteId),
+        index("idx_sitenetworks_networkid").on(t.networkId)
+    ]
+);
 
-export const clientSiteResources = pgTable("clientSiteResources", {
+export const clientSiteResources = pgTable(
+    "clientSiteResources",
+    {
         clientId: integer("clientId")
             .notNull()
             .references(() => clients.clientId, { onDelete: "cascade" }),
         siteResourceId: integer("siteResourceId")
             .notNull()
-        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+            .references(() => siteResources.siteResourceId, {
-});
+                onDelete: "cascade"
+            })
+    },
+    (t) => [
+        index("idx_clientsiteresources_clientid").on(t.clientId),
+        index("idx_clientsiteresources_siteresourceid").on(t.siteResourceId)
+    ]
+);
 
-export const roleSiteResources = pgTable("roleSiteResources", {
+export const roleSiteResources = pgTable(
+    "roleSiteResources",
+    {
         roleId: integer("roleId")
             .notNull()
             .references(() => roles.roleId, { onDelete: "cascade" }),
         siteResourceId: integer("siteResourceId")
             .notNull()
-        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+            .references(() => siteResources.siteResourceId, {
-});
+                onDelete: "cascade"
+            })
+    },
+    (t) => [index("idx_rolesiteresources_siteresourceid").on(t.siteResourceId)]
+);
 
-export const userSiteResources = pgTable("userSiteResources", {
+export const userSiteResources = pgTable(
+    "userSiteResources",
+    {
         userId: varchar("userId")
             .notNull()
             .references(() => users.userId, { onDelete: "cascade" }),
         siteResourceId: integer("siteResourceId")
             .notNull()
-        .references(() => siteResources.siteResourceId, { onDelete: "cascade" })
+            .references(() => siteResources.siteResourceId, {
-});
+                onDelete: "cascade"
+            })
+    },
+    (t) => [
+        index("idx_usersiteresources_userid").on(t.userId),
+        index("idx_usersiteresources_siteresourceid").on(t.siteResourceId)
+    ]
+);
 
 export const users = pgTable("user", {
     userId: varchar("id").primaryKey(),
@@ -467,7 +534,9 @@ export const users = pgTable("user", {
     locale: varchar("locale")
 });
 
-export const newts = pgTable("newt", {
+export const newts = pgTable(
+    "newt",
+    {
         newtId: varchar("id").primaryKey(),
         secretHash: varchar("secretHash").notNull(),
         dateCreated: varchar("dateCreated").notNull(),
@@ -475,7 +544,9 @@ export const newts = pgTable("newt", {
         siteId: integer("siteId").references(() => sites.siteId, {
             onDelete: "cascade"
         })
-});
+    },
+    (t) => [index("idx_newt_siteid").on(t.siteId)]
+);
 
 export const twoFactorBackupCodes = pgTable("twoFactorBackupCodes", {
     codeId: serial("id").primaryKey(),
@@ -576,7 +647,9 @@ export const userOrgRoles = pgTable(
     (t) => [unique().on(t.userId, t.orgId, t.roleId)]
 );
 
-export const roleActions = pgTable("roleActions", {
+export const roleActions = pgTable(
+    "roleActions",
+    {
         roleId: integer("roleId")
             .notNull()
             .references(() => roles.roleId, { onDelete: "cascade" }),
@@ -586,9 +659,19 @@ export const roleActions = pgTable("roleActions", {
         orgId: varchar("orgId")
             .notNull()
             .references(() => orgs.orgId, { onDelete: "cascade" })
-});
+    },
+    (t) => [
+        index("idx_roleActions_roleId_orgId_actionId").on(
+            t.roleId,
+            t.orgId,
+            t.actionId
+        )
+    ]
+);
 
-export const userActions = pgTable("userActions", {
+export const userActions = pgTable(
+    "userActions",
+    {
         userId: varchar("userId")
             .notNull()
             .references(() => users.userId, { onDelete: "cascade" }),
@@ -598,7 +681,15 @@ export const userActions = pgTable("userActions", {
         orgId: varchar("orgId")
             .notNull()
             .references(() => orgs.orgId, { onDelete: "cascade" })
-});
+    },
+    (t) => [
+        index("idx_userActions_userId_orgId_actionId").on(
+            t.userId,
+            t.orgId,
+            t.actionId
+        )
+    ]
+);
 
 export const roleSites = pgTable("roleSites", {
     roleId: integer("roleId")
@@ -1004,7 +1095,9 @@ export const idpOrg = pgTable("idpOrg", {
     orgMapping: varchar("orgMapping")
 });
 
-export const clients = pgTable("clients", {
+export const clients = pgTable(
+    "clients",
+    {
         clientId: serial("clientId").primaryKey(),
         orgId: varchar("orgId")
             .references(() => orgs.orgId, {
@@ -1037,7 +1130,9 @@ export const clients = pgTable("clients", {
         approvalState: varchar("approvalState").$type<
             "pending" | "approved" | "denied"
         >()
-});
+    },
+    (t) => [index("idx_clients_userid").on(t.userId)]
+);
 
 export const clientSitesAssociationsCache = pgTable(
     "clientSitesAssociationsCache",
@@ -1049,7 +1144,11 @@ export const clientSitesAssociationsCache = pgTable(
         isJitMode: boolean("isJitMode").notNull().default(false),
         endpoint: varchar("endpoint"),
         publicKey: varchar("publicKey") // this will act as the session's public key for hole punching so we can track when it changes
-    }
+    },
+    (t) => [
+        primaryKey({ columns: [t.clientId, t.siteId] }),
+        index("idx_clientsitesassociationscache_siteid").on(t.siteId)
+    ]
 );
 
 export const clientSiteResourcesAssociationsCache = pgTable(
@@ -1058,7 +1157,14 @@ export const clientSiteResourcesAssociationsCache = pgTable(
         clientId: integer("clientId") // not a foreign key here so after its deleted the rebuild function can delete it and send the message
             .notNull(),
         siteResourceId: integer("siteResourceId").notNull()
-    }
+    },
+    (t) => [
+        primaryKey({ columns: [t.clientId, t.siteResourceId] }),
+        index("idx_clientSiteResourcesAssociationsCache_siteResourceId").on(
+            t.siteResourceId,
+            t.clientId
+        )
+    ]
 );
 
 export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
@@ -1071,7 +1177,9 @@ export const clientPostureSnapshots = pgTable("clientPostureSnapshots", {
     collectedAt: integer("collectedAt").notNull()
 });
 
-export const olms = pgTable("olms", {
+export const olms = pgTable(
+    "olms",
+    {
         olmId: varchar("id").primaryKey(),
         secretHash: varchar("secretHash").notNull(),
         dateCreated: varchar("dateCreated").notNull(),
@@ -1087,7 +1195,9 @@ export const olms = pgTable("olms", {
             onDelete: "cascade"
         }),
         archived: boolean("archived").notNull().default(false)
-});
+    },
+    (t) => [index("idx_olms_clientid").on(t.clientId)]
+);
 
 export const currentFingerprint = pgTable("currentFingerprint", {
     fingerprintId: serial("id").primaryKey(),

server/db/sqlite/driver.ts

@@ -1,6 +1,5 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
-import type BetterSqlite3 from "better-sqlite3";
 import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
@@ -12,68 +11,31 @@ export const exists = checkFileExists(location);
 
 bootstrapVolume();
 
-/**
- * Wraps better-sqlite3 Statement to call `finalize()` immediately after
- * execution, freeing native sqlite3_stmt memory deterministically instead
- * of waiting for GC. Fixes steady off-heap growth under load (#2120).
- * WARNING: Finalizes after first execution — incompatible with drizzle's
- * reusable .prepare() builders. No such usage exists in this codebase.
- */
-function autoFinalizeStatement(
-    stmt: BetterSqlite3.Statement
-): BetterSqlite3.Statement {
-    const wrapExec = <T extends (...args: any[]) => any>(fn: T): T => {
-        return function (this: any, ...args: any[]) {
-            try {
-                return fn.apply(this, args);
-            } finally {
-                try {
-                    // finalize() exists on the native Statement at runtime but
-                    // is missing from @types/better-sqlite3.
-                    (stmt as any).finalize();
-                } catch {
-                    // Already finalized — harmless
-                }
-            }
-        } as unknown as T;
-    };
-
-    stmt.run = wrapExec(stmt.run);
-    stmt.get = wrapExec(stmt.get);
-    stmt.all = wrapExec(stmt.all);
-
-    return stmt;
-}
-
 function createDb() {
     const sqlite = new Database(location);
 
     if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
         // Enable WAL mode — allows concurrent readers + single writer, preventing
         // contention across subsystems (verifySession, Traefik, audit, ping).
+        // NOTE: journal_mode persists in the DB file once set; unsetting this
+        // env var does NOT revert an existing WAL database.
         sqlite.pragma("journal_mode = WAL");
         // NORMAL sync mode: safe with WAL, reduces write lock hold time.
         sqlite.pragma("synchronous = NORMAL");
     }
 
-    // Wait up to 5s on SQLITE_BUSY instead of failing — prevents audit log
+    // No busy_timeout pragma: better-sqlite3 already arms
-    // retry loops that accumulate memory.
+    // sqlite3_busy_timeout(db, 5000) via its default `timeout` option
-    sqlite.pragma("busy_timeout = 5000");
+    // (lib/database.js), so an explicit pragma is redundant.
 
-    // 64 MB page cache (default 2 MB) — reduces I/O round-trips on large
+    // Intentionally NOT setting cache_size or mmap_size: a large page cache plus
-    // TraefikConfigManager JOINs that block the event loop.
+    // a multi-hundred-MB mmap region inflate RSS and cause page-cache thrashing
-    sqlite.pragma("cache_size = -65536");
+    // on small (~1 GB) instances. Leave SQLite on its conservative defaults.
 
-    // 256 MB memory-mapped I/O — OS serves reads from page cache directly,
+    // Intentionally NOT wrapping prepare()/statements: better-sqlite3 finalizes
-    // reducing event-loop blocking.
+    // sqlite3_stmt in the Statement destructor at GC, and drizzle-orm prepares a
-    sqlite.pragma("mmap_size = 268435456");
+    // fresh statement per query (no statement cache), so statements cannot
-
+    // accumulate. better-sqlite3 11.x exposes no Statement.finalize() at all.
-    // Wrap prepare() so every drizzle-orm statement is auto-finalized after
-    // first use, preventing sqlite3_stmt accumulation between GC cycles.
-    const originalPrepare = sqlite.prepare.bind(sqlite);
-    (sqlite as any).prepare = function autoFinalizePrepare(source: string) {
-        return autoFinalizeStatement(originalPrepare(source));
-    };
 
     return DrizzleSqlite(sqlite, {
         schema

server/index.ts

@@ -24,6 +24,7 @@ import license from "#dynamic/license/license";
 import { initLogCleanupInterval } from "@server/lib/cleanupLogs";
 import { initAcmeCertSync } from "#dynamic/lib/acmeCertSync";
 import { fetchServerIp } from "@server/lib/serverIpService";
+import { startRebuildQueueProcessor } from "@server/lib/rebuildClientAssociations";
 
 async function startServers() {
     await setHostMeta();
@@ -41,6 +42,7 @@ async function startServers() {
 
     initLogCleanupInterval();
     initAcmeCertSync();
+    startRebuildQueueProcessor();
 
     // Start all servers
     const apiServer = createApiServer();

server/lib/billing/usageService.ts

@@ -12,7 +12,7 @@ import {
 import { FeatureId, getFeatureMeterId } from "./features";
 import logger from "@server/logger";
 import { build } from "@server/build";
-import cache from "#dynamic/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";
 
 export function noop() {
     if (build !== "saas") {
@@ -22,7 +22,6 @@ export function noop() {
 }
 
 export class UsageService {
-
     constructor() {
         if (noop()) {
             return;
@@ -57,7 +56,10 @@ export class UsageService {
             try {
                 let usage;
                 if (transaction) {
-                    const orgIdToUse = await this.getBillingOrg(orgId, transaction);
+                    const orgIdToUse = await this.getBillingOrg(
+                        orgId,
+                        transaction
+                    );
                     usage = await this.internalAddUsage(
                         orgIdToUse,
                         featureId,

server/lib/blueprints/applyBlueprint.ts

@@ -48,18 +48,18 @@ export async function applyBlueprint({
     name,
     source = "API"
 }: ApplyBlueprintArgs): Promise<Blueprint> {
-    // Validate the input data
+    let blueprintSucceeded: boolean = false;
+    let blueprintMessage = "";
+    let error: any | null = null;
+
+    try {
         const validationResult = ConfigSchema.safeParse(configData);
         if (!validationResult.success) {
             throw new Error(fromError(validationResult.error).toString());
         }
 
         const config: Config = validationResult.data;
-    let blueprintSucceeded: boolean = false;
-    let blueprintMessage: string;
-    let error: any | null = null;
 
-    try {
         let proxyResourcesResults: PublicResourcesResults = [];
         let clientResourcesResults: ClientResourcesResults = [];
         await db.transaction(async (trx) => {

server/lib/pathMatch.ts

@@ -0,0 +1,74 @@
+const MAX_RECURSION_DEPTH = 100;
+
+const segmentRegexCache = new Map<string, RegExp>();
+
+function getSegmentRegex(patternPart: string): RegExp {
+    let regex = segmentRegexCache.get(patternPart);
+    if (!regex) {
+        const regexPattern = patternPart
+            .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+            .replace(/\*/g, ".*")
+            .replace(/\?/g, ".");
+        regex = new RegExp(`^${regexPattern}$`);
+        segmentRegexCache.set(patternPart, regex);
+    }
+    return regex;
+}
+
+export function isPathAllowed(pattern: string, path: string): boolean {
+    const normalize = (p: string) => p.split("/").filter(Boolean);
+    const patternParts = normalize(pattern);
+    const pathParts = normalize(path);
+
+    function matchSegments(
+        patternIndex: number,
+        pathIndex: number,
+        depth: number = 0
+    ): boolean {
+        if (depth > MAX_RECURSION_DEPTH) {
+            return false;
+        }
+
+        const currentPatternPart = patternParts[patternIndex];
+        const currentPathPart = pathParts[pathIndex];
+
+        if (patternIndex >= patternParts.length) {
+            return pathIndex >= pathParts.length;
+        }
+
+        if (pathIndex >= pathParts.length) {
+            return patternParts.slice(patternIndex).every((p) => p === "*");
+        }
+
+        if (currentPatternPart === "*") {
+            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
+                return true;
+            }
+            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
+                return true;
+            }
+            return false;
+        }
+
+        if (currentPatternPart.includes("*")) {
+            const regex = getSegmentRegex(currentPatternPart);
+
+            if (regex.test(currentPathPart)) {
+                return matchSegments(
+                    patternIndex + 1,
+                    pathIndex + 1,
+                    depth + 1
+                );
+            }
+            return false;
+        }
+
+        if (currentPatternPart !== currentPathPart) {
+            return false;
+        }
+
+        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
+    }
+
+    return matchSegments(0, 0, 0);
+}

server/lib/rebuildClientAssociations.ts

@@ -8,6 +8,7 @@ import {
     exitNodes,
     newts,
     olms,
+    primaryDb,
     roleSiteResources,
     Site,
     SiteResource,
@@ -20,10 +21,10 @@ import {
 } from "@server/db";
 import { and, count, eq, inArray, ne } from "drizzle-orm";
 
-import { deletePeer as newtDeletePeer } from "@server/routers/newt/peers";
+import { deletePeersBatch as newtDeletePeersBatch } from "@server/routers/newt/peers";
 import {
-    initPeerAddHandshake,
+    initPeerAddHandshakeBatch,
-    deletePeer as olmDeletePeer
+    deletePeersBatch as olmDeletePeersBatch
 } from "@server/routers/olm/peers";
 import { sendToExitNode } from "#dynamic/lib/exitNodes";
 import logger from "@server/logger";
@@ -34,12 +35,13 @@ import {
     parseEndpoint
 } from "@server/lib/ip";
 import {
-    addPeerData,
+    addPeerDataBatch,
-    addTargets as addSubnetProxyTargets,
+    addTargetsBatch as addSubnetProxyTargetsBatch,
-    removePeerData,
+    removePeerDataBatch,
-    removeTargets as removeSubnetProxyTargets
+    removeTargetsBatch as removeSubnetProxyTargetsBatch
 } from "@server/routers/client/targets";
 import { lockManager } from "#dynamic/lib/lock";
+import { rebuildQueue } from "#dynamic/lib/rebuildQueue";
 
 // TTL for rebuild-association locks. These functions can fan out into many
 // peer/proxy updates, so give them a generous window.
@@ -160,18 +162,33 @@ export async function getClientSiteResourceAccess(
 export async function rebuildClientAssociationsFromSiteResource(
     siteResource: SiteResource,
     trx: Transaction | typeof db = db
-): Promise<{
+) {
-    mergedAllClients: {
+    try {
-        clientId: number;
-        pubKey: string | null;
-        subnet: string | null;
-    }[];
-}> {
         return await lockManager.withLock(
             `rebuild-client-associations:site-resource:${siteResource.siteResourceId}`,
-        () => rebuildClientAssociationsFromSiteResourceImpl(siteResource, trx),
+            () =>
+                rebuildClientAssociationsFromSiteResourceImpl(
+                    siteResource,
+                    trx
+                ),
             REBUILD_ASSOCIATIONS_LOCK_TTL_MS
         );
+    } catch (err: any) {
+        if (
+            typeof err?.message === "string" &&
+            err.message.startsWith("Failed to acquire lock")
+        ) {
+            logger.warn(
+                `rebuildClientAssociations: could not acquire lock for site resource ${siteResource.siteResourceId}, queuing for deferred processing`
+            );
+            await rebuildQueue.enqueue({
+                type: "site-resource",
+                id: siteResource.siteResourceId
+            });
+            return { mergedAllClients: [] };
+        }
+        throw err;
+    }
 }
 
 async function rebuildClientAssociationsFromSiteResourceImpl(
@@ -536,6 +553,28 @@ async function handleMessagesForSiteClients(
     const newtJobs: Promise<any>[] = [];
     const olmJobs: Promise<any>[] = [];
     const exitNodeJobs: Promise<any>[] = [];
+    const newtPeerDeletes: {
+        siteId: number;
+        publicKey: string;
+        newtId: string;
+    }[] = [];
+    const olmPeerDeletes: {
+        clientId: number;
+        siteId: number;
+        publicKey: string;
+        olmId: string;
+    }[] = [];
+    const olmPeerAddHandshakes: {
+        clientId: number;
+        peer: {
+            siteId: number;
+            exitNode: {
+                publicKey: string;
+                endpoint: string;
+            };
+        };
+        olmId: string;
+    }[] = [];
 
     // Combine all clients that need processing (those being added or removed)
     const clientsToProcess = new Map<
@@ -584,6 +623,21 @@ async function handleMessagesForSiteClients(
         }
     }
 
+    // Batch-fetch all olm IDs for the clients we need to process
+    const clientIdsToProcess = Array.from(clientsToProcess.keys());
+    const olmRows =
+        clientIdsToProcess.length > 0
+            ? await trx
+                  .select({ olmId: olms.olmId, clientId: olms.clientId })
+                  .from(olms)
+                  .where(inArray(olms.clientId, clientIdsToProcess))
+            : [];
+    const olmByClientId = new Map<number, string>(
+        olmRows
+            .filter((r) => r.clientId !== null)
+            .map((r) => [r.clientId as number, r.olmId])
+    );
+
     for (const client of clientsToProcess.values()) {
         // UPDATE THE NEWT
         if (!client.subnet || !client.pubKey) {
@@ -600,14 +654,8 @@ async function handleMessagesForSiteClients(
             continue;
         }
 
-        const [olm] = await trx
+        const olmId = olmByClientId.get(client.clientId);
-            .select({
+        if (!olmId) {
-                olmId: olms.olmId
-            })
-            .from(olms)
-            .where(eq(olms.clientId, client.clientId))
-            .limit(1);
-        if (!olm) {
             logger.warn(
                 `Olm not found for client ${client.clientId} so cannot add/delete peers`
             );
@@ -615,15 +663,17 @@ async function handleMessagesForSiteClients(
         }
 
         if (isDelete) {
-            newtJobs.push(newtDeletePeer(siteId, client.pubKey, newt.newtId));
+            newtPeerDeletes.push({
-            olmJobs.push(
-                olmDeletePeer(
-                    client.clientId,
                 siteId,
-                    site.publicKey,
+                publicKey: client.pubKey,
-                    olm.olmId
+                newtId: newt.newtId
-                )
+            });
-            );
+            olmPeerDeletes.push({
+                clientId: client.clientId,
+                siteId,
+                publicKey: site.publicKey,
+                olmId
+            });
         }
 
         if (isAdd) {
@@ -635,23 +685,34 @@ async function handleMessagesForSiteClients(
                 continue;
             }
 
-            await initPeerAddHandshake(
+            olmPeerAddHandshakes.push({
-                // this will kick off the add peer process for the client
+                clientId: client.clientId,
-                client.clientId,
+                peer: {
-                {
                     siteId,
                     exitNode: {
                         publicKey: exitNode.publicKey,
                         endpoint: exitNode.endpoint
                     }
                 },
-                olm.olmId
+                olmId
-            );
+            });
         }
 
         exitNodeJobs.push(updateClientSiteDestinations(client, trx));
     }
 
+    if (newtPeerDeletes.length > 0) {
+        newtJobs.push(newtDeletePeersBatch(newtPeerDeletes));
+    }
+
+    if (olmPeerDeletes.length > 0) {
+        olmJobs.push(olmDeletePeersBatch(olmPeerDeletes));
+    }
+
+    if (olmPeerAddHandshakes.length > 0) {
+        olmJobs.push(initPeerAddHandshakeBatch(olmPeerAddHandshakes));
+    }
+
     Promise.all(exitNodeJobs).catch((error) => {
         logger.error(
             `rebuildClientAssociations: Error updating client site destinations for site ${site.siteId}:`,
@@ -812,6 +873,20 @@ async function handleSubnetProxyTargetUpdates(
 ): Promise<void> {
     const proxyJobs: Promise<any>[] = [];
     const olmJobs: Promise<any>[] = [];
+    const targetsToAddBatch: {
+        newtId: string;
+        targets: NonNullable<
+            Awaited<ReturnType<typeof generateSubnetProxyTargetV2>>
+        >;
+        version: string | null;
+    }[] = [];
+    const targetsToRemoveBatch: {
+        newtId: string;
+        targets: NonNullable<
+            Awaited<ReturnType<typeof generateSubnetProxyTargetV2>>
+        >;
+        version: string | null;
+    }[] = [];
 
     for (const siteData of sitesList) {
         const siteId = siteData.siteId;
@@ -843,27 +918,27 @@ async function handleSubnetProxyTargetUpdates(
                 );
 
                 if (targetsToAdd) {
-                    proxyJobs.push(
+                    targetsToAddBatch.push({
-                        addSubnetProxyTargets(
+                        newtId: newt.newtId,
-                            newt.newtId,
+                        targets: targetsToAdd,
-                            targetsToAdd,
+                        version: newt.version
-                            newt.version
+                    });
-                        )
-                    );
                 }
 
-                for (const client of addedClients) {
                 olmJobs.push(
-                        addPeerData(
+                    addPeerDataBatch(
-                            client.clientId,
+                        addedClients.map((client) => ({
+                            clientId: client.clientId,
                             siteId,
-                            generateRemoteSubnets([siteResource]),
+                            remoteSubnets: generateRemoteSubnets([
-                            generateAliasConfig([siteResource])
+                                siteResource
+                            ]),
+                            aliases: generateAliasConfig([siteResource])
+                        }))
                     )
                 );
             }
         }
-        }
 
         // here we use the existingSiteResource from BEFORE we updated the destination so we dont need to worry about updating destinations here
 
@@ -880,15 +955,20 @@ async function handleSubnetProxyTargetUpdates(
                 );
 
                 if (targetsToRemove) {
-                    proxyJobs.push(
+                    targetsToRemoveBatch.push({
-                        removeSubnetProxyTargets(
+                        newtId: newt.newtId,
-                            newt.newtId,
+                        targets: targetsToRemove,
-                            targetsToRemove,
+                        version: newt.version
-                            newt.version
+                    });
-                        )
-                    );
                 }
 
+                const peerDataRemovals: {
+                    clientId: number;
+                    siteId: number;
+                    remoteSubnets: string[];
+                    aliases: ReturnType<typeof generateAliasConfig>;
+                }[] = [];
+
                 for (const client of removedClients) {
                     if (!siteResource.destination) {
                         continue;
@@ -936,31 +1016,58 @@ async function handleSubnetProxyTargetUpdates(
                             ? []
                             : generateRemoteSubnets([siteResource]);
 
-                    olmJobs.push(
+                    peerDataRemovals.push({
-                        removePeerData(
+                        clientId: client.clientId,
-                            client.clientId,
                         siteId,
-                            remoteSubnetsToRemove,
+                        remoteSubnets: remoteSubnetsToRemove,
-                            generateAliasConfig([siteResource])
+                        aliases: generateAliasConfig([siteResource])
-                        )
+                    });
-                    );
+                }
+
+                if (peerDataRemovals.length > 0) {
+                    olmJobs.push(removePeerDataBatch(peerDataRemovals));
                 }
             }
         }
     }
 
-    await Promise.all(proxyJobs);
+    if (targetsToAddBatch.length > 0) {
+        proxyJobs.push(addSubnetProxyTargetsBatch(targetsToAddBatch));
+    }
+
+    if (targetsToRemoveBatch.length > 0) {
+        proxyJobs.push(removeSubnetProxyTargetsBatch(targetsToRemoveBatch));
+    }
+
+    await Promise.all([...proxyJobs, ...olmJobs]);
 }
 
 export async function rebuildClientAssociationsFromClient(
     client: Client,
     trx: Transaction | typeof db = db
 ): Promise<void> {
+    try {
         return await lockManager.withLock(
             `rebuild-client-associations:client:${client.clientId}`,
             () => rebuildClientAssociationsFromClientImpl(client, trx),
             REBUILD_ASSOCIATIONS_LOCK_TTL_MS
         );
+    } catch (err: any) {
+        if (
+            typeof err?.message === "string" &&
+            err.message.startsWith("Failed to acquire lock")
+        ) {
+            logger.warn(
+                `rebuildClientAssociations: could not acquire lock for client ${client.clientId}, queuing for deferred processing`
+            );
+            await rebuildQueue.enqueue({
+                type: "client",
+                id: client.clientId
+            });
+            return;
+        }
+        throw err;
+    }
 }
 
 async function rebuildClientAssociationsFromClientImpl(
@@ -1237,6 +1344,28 @@ async function handleMessagesForClientSites(
     const newtJobs: Promise<any>[] = [];
     const olmJobs: Promise<any>[] = [];
     const exitNodeJobs: Promise<any>[] = [];
+    const newtPeerDeletes: {
+        siteId: number;
+        publicKey: string;
+        newtId: string;
+    }[] = [];
+    const olmPeerDeletes: {
+        clientId: number;
+        siteId: number;
+        publicKey: string;
+        olmId: string;
+    }[] = [];
+    const olmPeerAddHandshakes: {
+        clientId: number;
+        peer: {
+            siteId: number;
+            exitNode: {
+                publicKey: string;
+                endpoint: string;
+            };
+        };
+        olmId: string;
+    }[] = [];
 
     const totalSitesOnClient = await trx
         .select({ count: count(clientSitesAssociationsCache.siteId) })
@@ -1268,19 +1397,19 @@ async function handleMessagesForClientSites(
 
         if (isRemove) {
             // Remove peer from newt
-            newtJobs.push(
+            newtPeerDeletes.push({
-                newtDeletePeer(site.siteId, client.pubKey, newt.newtId)
+                siteId: site.siteId,
-            );
+                publicKey: client.pubKey,
+                newtId: newt.newtId
+            });
             try {
                 // Remove peer from olm
-                olmJobs.push(
+                olmPeerDeletes.push({
-                    olmDeletePeer(
+                    clientId: client.clientId,
-                        client.clientId,
+                    siteId: site.siteId,
-                        site.siteId,
+                    publicKey: site.publicKey,
-                        site.publicKey,
                     olmId
-                    )
+                });
-                );
             } catch (error) {
                 // if the error includes not found then its just because the olm does not exist anymore or yet and its fine if we dont send
                 if (
@@ -1312,10 +1441,9 @@ async function handleMessagesForClientSites(
                 continue;
             }
 
-            await initPeerAddHandshake(
+            olmPeerAddHandshakes.push({
-                // this will kick off the add peer process for the client
+                clientId: client.clientId,
-                client.clientId,
+                peer: {
-                {
                     siteId: site.siteId,
                     exitNode: {
                         publicKey: exitNode.publicKey,
@@ -1323,7 +1451,7 @@ async function handleMessagesForClientSites(
                     }
                 },
                 olmId
-            );
+            });
         }
 
         // Update exit node destinations
@@ -1339,6 +1467,18 @@ async function handleMessagesForClientSites(
         );
     }
 
+    if (newtPeerDeletes.length > 0) {
+        newtJobs.push(newtDeletePeersBatch(newtPeerDeletes));
+    }
+
+    if (olmPeerDeletes.length > 0) {
+        olmJobs.push(olmDeletePeersBatch(olmPeerDeletes));
+    }
+
+    if (olmPeerAddHandshakes.length > 0) {
+        olmJobs.push(initPeerAddHandshakeBatch(olmPeerAddHandshakes));
+    }
+
     Promise.all(exitNodeJobs).catch((error) => {
         logger.error(
             `rebuildClientAssociations: Error updating client site destinations for client ${client.clientId}:`,
@@ -1437,6 +1577,20 @@ async function handleMessagesForClientResources(
                 continue;
             }
 
+            const targetsToAddBatch: {
+                newtId: string;
+                targets: NonNullable<
+                    Awaited<ReturnType<typeof generateSubnetProxyTargetV2>>
+                >;
+                version: string | null;
+            }[] = [];
+            const peerDataAdds: {
+                clientId: number;
+                siteId: number;
+                remoteSubnets: string[];
+                aliases: ReturnType<typeof generateAliasConfig>;
+            }[] = [];
+
             for (const resource of resources) {
                 const targets = await generateSubnetProxyTargetV2(resource, [
                     {
@@ -1447,25 +1601,21 @@ async function handleMessagesForClientResources(
                 ]);
 
                 if (targets) {
-                    proxyJobs.push(
+                    targetsToAddBatch.push({
-                        addSubnetProxyTargets(
+                        newtId: newt.newtId,
-                            newt.newtId,
                         targets,
-                            newt.version
+                        version: newt.version
-                        )
+                    });
-                    );
                 }
 
                 try {
                     // Add peer data to olm
-                    olmJobs.push(
+                    peerDataAdds.push({
-                        addPeerData(
+                        clientId: client.clientId,
-                            client.clientId,
                         siteId,
-                            generateRemoteSubnets([resource]),
+                        remoteSubnets: generateRemoteSubnets([resource]),
-                            generateAliasConfig([resource])
+                        aliases: generateAliasConfig([resource])
-                        )
+                    });
-                    );
                 } catch (error) {
                     // if the error includes not found then its just because the olm does not exist anymore or yet and its fine if we dont send
                     if (
@@ -1480,6 +1630,14 @@ async function handleMessagesForClientResources(
                     }
                 }
             }
+
+            if (targetsToAddBatch.length > 0) {
+                proxyJobs.push(addSubnetProxyTargetsBatch(targetsToAddBatch));
+            }
+
+            if (peerDataAdds.length > 0) {
+                olmJobs.push(addPeerDataBatch(peerDataAdds));
+            }
         }
     }
 
@@ -1546,6 +1704,20 @@ async function handleMessagesForClientResources(
                 continue;
             }
 
+            const targetsToRemoveBatch: {
+                newtId: string;
+                targets: NonNullable<
+                    Awaited<ReturnType<typeof generateSubnetProxyTargetV2>>
+                >;
+                version: string | null;
+            }[] = [];
+            const peerDataRemovals: {
+                clientId: number;
+                siteId: number;
+                remoteSubnets: string[];
+                aliases: ReturnType<typeof generateAliasConfig>;
+            }[] = [];
+
             for (const resource of resources) {
                 const targets = await generateSubnetProxyTargetV2(resource, [
                     {
@@ -1556,13 +1728,11 @@ async function handleMessagesForClientResources(
                 ]);
 
                 if (targets) {
-                    proxyJobs.push(
+                    targetsToRemoveBatch.push({
-                        removeSubnetProxyTargets(
+                        newtId: newt.newtId,
-                            newt.newtId,
                         targets,
-                            newt.version
+                        version: newt.version
-                        )
+                    });
-                    );
                 }
 
                 try {
@@ -1613,14 +1783,12 @@ async function handleMessagesForClientResources(
                             : generateRemoteSubnets([resource]);
 
                     // Remove peer data from olm
-                    olmJobs.push(
+                    peerDataRemovals.push({
-                        removePeerData(
+                        clientId: client.clientId,
-                            client.clientId,
                         siteId,
-                            remoteSubnetsToRemove,
+                        remoteSubnets: remoteSubnetsToRemove,
-                            generateAliasConfig([resource])
+                        aliases: generateAliasConfig([resource])
-                        )
+                    });
-                    );
                 } catch (error) {
                     // if the error includes not found then its just because the olm does not exist anymore or yet and its fine if we dont send
                     if (
@@ -1635,6 +1803,16 @@ async function handleMessagesForClientResources(
                     }
                 }
             }
+
+            if (targetsToRemoveBatch.length > 0) {
+                proxyJobs.push(
+                    removeSubnetProxyTargetsBatch(targetsToRemoveBatch)
+                );
+            }
+
+            if (peerDataRemovals.length > 0) {
+                olmJobs.push(removePeerDataBatch(peerDataRemovals));
+            }
         }
     }
 
@@ -1884,11 +2062,20 @@ export async function cleanupSiteAssociations(
 
     // 7. Fire all removal messages in parallel.
     const jobs: Promise<any>[] = [];
+    const olmPeerDeletes: {
+        clientId: number;
+        siteId: number;
+        publicKey: string;
+    }[] = [];
 
     for (const client of allClients) {
         // Tell each olm to drop the site's WireGuard peer.
         if (site.publicKey) {
-            jobs.push(olmDeletePeer(client.clientId, siteId, site.publicKey));
+            olmPeerDeletes.push({
+                clientId: client.clientId,
+                siteId,
+                publicKey: site.publicKey
+            });
         }
 
         // Recompute and push updated relay destinations (now excluding this site).
@@ -1897,6 +2084,10 @@ export async function cleanupSiteAssociations(
         }
     }
 
+    if (olmPeerDeletes.length > 0) {
+        jobs.push(olmDeletePeersBatch(olmPeerDeletes));
+    }
+
     await Promise.all(jobs).catch((error) => {
         logger.error(
             `cleanupSiteAssociations: error sending cleanup messages for siteId=${siteId}:`,
@@ -1906,3 +2097,47 @@ export async function cleanupSiteAssociations(
 
     logger.debug(`cleanupSiteAssociations: DONE siteId=${siteId}`);
 }
+
+/**
+ * Start the background rebuild queue processor. This should be called once
+ * during server startup. Only one server instance at a time will actively
+ * consume the queue (enforced via a distributed Redis lock); all other
+ * instances will poll and wait until the lock becomes available.
+ */
+export function startRebuildQueueProcessor(): void {
+    rebuildQueue.startProcessing({
+        onSiteResource: async (siteResourceId: number) => {
+            const [siteResource] = await primaryDb
+                .select()
+                .from(siteResources)
+                .where(eq(siteResources.siteResourceId, siteResourceId));
+
+            if (!siteResource) {
+                logger.warn(
+                    `Rebuild queue: site resource ${siteResourceId} not found, skipping`
+                );
+                return;
+            }
+
+            await rebuildClientAssociationsFromSiteResource(
+                siteResource,
+                primaryDb
+            );
+        },
+        onClient: async (clientId: number) => {
+            const [client] = await primaryDb
+                .select()
+                .from(clients)
+                .where(eq(clients.clientId, clientId));
+
+            if (!client) {
+                logger.warn(
+                    `Rebuild queue: client ${clientId} not found, skipping`
+                );
+                return;
+            }
+
+            await rebuildClientAssociationsFromClient(client, primaryDb);
+        }
+    });
+}

server/lib/rebuildQueue.ts

@@ -0,0 +1,23 @@
+export type RebuildJobType = "site-resource" | "client";
+
+export interface RebuildJob {
+    type: RebuildJobType;
+    id: number;
+}
+
+export interface RebuildJobHandlers {
+    onSiteResource(siteResourceId: number): Promise<void>;
+    onClient(clientId: number): Promise<void>;
+}
+
+export interface RebuildQueueManager {
+    enqueue(job: RebuildJob): Promise<void>;
+    startProcessing(handlers: RebuildJobHandlers): void;
+}
+
+class NoopRebuildQueue implements RebuildQueueManager {
+    async enqueue(_job: RebuildJob): Promise<void> {}
+    startProcessing(_handlers: RebuildJobHandlers): void {}
+}
+
+export const rebuildQueue: RebuildQueueManager = new NoopRebuildQueue();

server/private/lib/certificates.ts

@@ -17,7 +17,7 @@ import { certificates, db } from "@server/db";
 import { and, eq, isNotNull, or, inArray, sql } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
-import cache from "#private/lib/cache";
+import { regionalCache as cache } from "#private/lib/cache";
 import { build } from "@server/build";
 
 // Define the return type for clarity and type safety

server/private/lib/rebuildQueue.ts

@@ -0,0 +1,198 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025-2026 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { redis } from "#private/lib/redis";
+import { lockManager } from "#dynamic/lib/lock";
+import logger from "@server/logger";
+
+export type RebuildJobType = "site-resource" | "client";
+
+export interface RebuildJob {
+    type: RebuildJobType;
+    id: number;
+}
+
+export interface RebuildJobHandlers {
+    onSiteResource(siteResourceId: number): Promise<void>;
+    onClient(clientId: number): Promise<void>;
+}
+
+// Redis list holding pending rebuild jobs (RPUSH to enqueue, LPOP to dequeue — FIFO order).
+const QUEUE_KEY = "rebuild-client-associations:queue";
+const QUEUED_SET_KEY = "rebuild-client-associations:queued";
+
+// Distributed lock that serialises queue consumption to a single server instance
+// at a time. TTL is generous enough to cover a full batch of expensive rebuilds.
+const PROCESSOR_LOCK_KEY = "rebuild-client-associations:processor";
+
+// Each rebuild can take up to REBUILD_ASSOCIATIONS_LOCK_TTL_MS (120 s) per
+// resource. Allow BATCH_SIZE resources per processor-lock acquisition, plus a
+// small buffer.
+const BATCH_SIZE = 5;
+const PROCESSOR_LOCK_TTL_MS = 120000 * BATCH_SIZE + 30000; // ~630 s
+
+const POLL_INTERVAL_MS = 500;
+
+class RedisRebuildQueue {
+    private processingStarted = false;
+
+    async enqueue(job: RebuildJob): Promise<void> {
+        if (!redis || redis.status !== "ready") {
+            logger.warn(
+                `Rebuild queue: Redis not available — rebuild for ${job.type}:${job.id} will not be retried`
+            );
+            return;
+        }
+
+        try {
+            const dedupeKey = `${job.type}:${job.id}`;
+            const added = await redis.sadd(QUEUED_SET_KEY, dedupeKey);
+            if (added === 0) {
+                logger.debug(
+                    `Rebuild queue: skipped duplicate queued job ${job.type}:${job.id}`
+                );
+                return;
+            }
+
+            await redis.rpush(QUEUE_KEY, JSON.stringify(job));
+            logger.debug(
+                `Rebuild queue: enqueued ${job.type}:${job.id} (queue position: tail)`
+            );
+        } catch (err) {
+            await redis
+                .srem(QUEUED_SET_KEY, `${job.type}:${job.id}`)
+                .catch((cleanupErr) =>
+                    logger.warn(
+                        `Rebuild queue: failed to cleanup dedupe key for ${job.type}:${job.id} after enqueue failure:`,
+                        cleanupErr
+                    )
+                );
+            logger.error(
+                `Rebuild queue: failed to enqueue ${job.type}:${job.id}:`,
+                err
+            );
+        }
+    }
+
+    startProcessing(handlers: RebuildJobHandlers): void {
+        if (this.processingStarted) return;
+        this.processingStarted = true;
+
+        this.processLoop(handlers).catch((err) => {
+            logger.error("Rebuild queue processor loop crashed:", err);
+        });
+
+        logger.info("Rebuild queue processor started");
+    }
+
+    private async processLoop(handlers: RebuildJobHandlers): Promise<void> {
+        while (true) {
+            try {
+                await this.tryProcessBatch(handlers);
+            } catch (err) {
+                logger.error(
+                    "Rebuild queue: unhandled error in process loop:",
+                    err
+                );
+            }
+            await new Promise((resolve) =>
+                setTimeout(resolve, POLL_INTERVAL_MS)
+            );
+        }
+    }
+
+    private async tryProcessBatch(handlers: RebuildJobHandlers): Promise<void> {
+        if (!redis || redis.status !== "ready") return;
+
+        // Peek before acquiring the processor lock to avoid unnecessary Redis
+        // round-trips and lock contention when the queue is idle.
+        const queueLength = await redis.llen(QUEUE_KEY).catch(() => 0);
+        if (queueLength === 0) return;
+
+        try {
+            await lockManager.withLock(
+                PROCESSOR_LOCK_KEY,
+                async () => {
+                    for (let i = 0; i < BATCH_SIZE; i++) {
+                        if (!redis || redis.status !== "ready") break;
+
+                        const payload = await redis.lpop(QUEUE_KEY);
+                        if (payload === null) break; // queue drained
+
+                        let job: RebuildJob;
+                        try {
+                            job = JSON.parse(payload) as RebuildJob;
+                        } catch {
+                            logger.error(
+                                `Rebuild queue: could not parse job payload, discarding: ${payload}`
+                            );
+                            continue;
+                        }
+
+                        // Remove from dedupe set once dequeued so the same job
+                        // can be re-queued while this one is in progress.
+                        await redis
+                            .srem(QUEUED_SET_KEY, `${job.type}:${job.id}`)
+                            .catch((cleanupErr) =>
+                                logger.warn(
+                                    `Rebuild queue: failed to remove dedupe key for ${job.type}:${job.id} on dequeue:`,
+                                    cleanupErr
+                                )
+                            );
+
+                        logger.debug(
+                            `Rebuild queue: processing ${job.type}:${job.id}`
+                        );
+
+                        try {
+                            if (job.type === "site-resource") {
+                                await handlers.onSiteResource(job.id);
+                            } else if (job.type === "client") {
+                                await handlers.onClient(job.id);
+                            } else {
+                                logger.warn(
+                                    `Rebuild queue: unknown job type "${(job as any).type}", discarding`
+                                );
+                            }
+
+                            logger.debug(
+                                `Rebuild queue: completed ${job.type}:${job.id}`
+                            );
+                        } catch (err) {
+                            logger.error(
+                                `Rebuild queue: job ${job.type}:${job.id} threw an error:`,
+                                err
+                            );
+                        }
+                    }
+                },
+                PROCESSOR_LOCK_TTL_MS
+            );
+        } catch (err: any) {
+            if (
+                typeof err?.message === "string" &&
+                err.message.startsWith("Failed to acquire lock")
+            ) {
+                // Another server instance currently holds the processor lock and
+                // is consuming the queue — nothing to do this cycle.
+                logger.debug(
+                    "Rebuild queue: processor lock held by another instance, skipping this cycle"
+                );
+            } else {
+                throw err;
+            }
+        }
+    }
+}
+
+export const rebuildQueue: RedisRebuildQueue = new RedisRebuildQueue();

server/private/routers/remoteExitNode/listRemoteExitNodes.ts

@@ -22,7 +22,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
-import cache from "#private/lib/cache";
+import { regionalCache as cache } from "#private/lib/cache";
 import semver from "semver";
 
 let stalePangolinNodeVersion: string | null = null;

server/private/routers/ws/ws.ts

@@ -38,6 +38,7 @@ import { messageHandlers } from "@server/routers/ws/messageHandlers";
 import { messageHandlers as privateMessageHandlers } from "#private/routers/ws/messageHandlers";
 import {
     AuthenticatedWebSocket,
+    BatchSendMessage,
     ClientType,
     WSMessage,
     TokenPayload,
@@ -187,6 +188,8 @@ const wss: WebSocketServer = new WebSocketServer({ noServer: true });
 // Generate unique node ID for this instance
 const NODE_ID = uuidv4();
 const REDIS_CHANNEL = "websocket_messages";
+const REDIS_DIRECT_BATCH_SIZE = 250;
+const REDIS_DIRECT_FLUSH_INTERVAL_MS = 10;
 
 // Client tracking map (local to this node)
 const connectedClients: Map<string, AuthenticatedWebSocket[]> = new Map();
@@ -197,6 +200,15 @@ const clientConfigVersions: Map<string, number> = new Map();
 // Recovery tracking
 let isRedisRecoveryInProgress = false;
 
+interface RedisDirectBatchEntry {
+    targetClientId: string;
+    message: WSMessage;
+    resolve: () => void;
+}
+
+let pendingRedisDirectMessages: RedisDirectBatchEntry[] = [];
+let redisDirectFlushTimer: NodeJS.Timeout | null = null;
+
 // Helper to get map key
 const getClientMapKey = (clientId: string) => clientId;
 
@@ -207,6 +219,78 @@ const getNodeConnectionsKey = (nodeId: string, clientId: string) =>
 const getConfigVersionKey = (clientId: string) =>
     `ws:configVersion:${clientId}`;
 
+const clearRedisDirectFlushTimer = (): void => {
+    if (redisDirectFlushTimer) {
+        clearTimeout(redisDirectFlushTimer);
+        redisDirectFlushTimer = null;
+    }
+};
+
+const publishDirectBatch = async (
+    entries: RedisDirectBatchEntry[]
+): Promise<void> => {
+    const redisMessage: RedisMessage = {
+        type: "direct-batch",
+        messages: entries.map((entry) => ({
+            targetClientId: entry.targetClientId,
+            message: entry.message
+        })),
+        fromNodeId: NODE_ID
+    };
+
+    await redisManager.publish(REDIS_CHANNEL, JSON.stringify(redisMessage));
+};
+
+const flushPendingRedisDirectMessages = async (): Promise<void> => {
+    clearRedisDirectFlushTimer();
+
+    if (pendingRedisDirectMessages.length === 0) {
+        return;
+    }
+
+    const entries = pendingRedisDirectMessages;
+    pendingRedisDirectMessages = [];
+
+    if (!redisManager.isRedisEnabled()) {
+        entries.forEach((entry) => entry.resolve());
+        return;
+    }
+
+    for (let i = 0; i < entries.length; i += REDIS_DIRECT_BATCH_SIZE) {
+        const batch = entries.slice(i, i + REDIS_DIRECT_BATCH_SIZE);
+        try {
+            await publishDirectBatch(batch);
+        } catch (error) {
+            logger.error(
+                "Failed to send batched direct messages via Redis, messages may be lost:",
+                error
+            );
+        } finally {
+            batch.forEach((entry) => entry.resolve());
+        }
+    }
+};
+
+const enqueueRedisDirectMessage = async (
+    targetClientId: string,
+    message: WSMessage
+): Promise<void> => {
+    await new Promise<void>((resolve) => {
+        pendingRedisDirectMessages.push({ targetClientId, message, resolve });
+
+        if (pendingRedisDirectMessages.length >= REDIS_DIRECT_BATCH_SIZE) {
+            void flushPendingRedisDirectMessages();
+            return;
+        }
+
+        if (!redisDirectFlushTimer) {
+            redisDirectFlushTimer = setTimeout(() => {
+                void flushPendingRedisDirectMessages();
+            }, REDIS_DIRECT_FLUSH_INTERVAL_MS);
+        }
+    });
+};
+
 // Initialize Redis subscription for cross-node messaging
 const initializeRedisSubscription = async (): Promise<void> => {
     if (!redisManager.isRedisEnabled()) return;
@@ -227,7 +311,16 @@ const initializeRedisSubscription = async (): Promise<void> => {
                     // Send to specific client on this node
                     await sendToClientLocal(
                         redisMessage.targetClientId,
-                        redisMessage.message
+                        redisMessage.message,
+                        {},
+                        redisMessage.message.configVersion
+                    );
+                } else if (
+                    redisMessage.type === "direct-batch" &&
+                    redisMessage.messages
+                ) {
+                    await sendRedisDirectBatchToLocalClients(
+                        redisMessage.messages
                     );
                 } else if (redisMessage.type === "broadcast") {
                     // Broadcast to all clients on this node except excluded
@@ -503,7 +596,8 @@ const incrementClientConfigVersion = async (
 const sendToClientLocal = async (
     clientId: string,
     message: WSMessage,
-    options: SendMessageOptions = {}
+    options: SendMessageOptions = {},
+    preResolvedConfigVersion?: number
 ): Promise<boolean> => {
     const mapKey = getClientMapKey(clientId);
     const clients = connectedClients.get(mapKey);
@@ -512,7 +606,8 @@ const sendToClientLocal = async (
     }
 
     // Handle config version
-    const configVersion = await getClientConfigVersion(clientId);
+    const configVersion =
+        preResolvedConfigVersion ?? (await getClientConfigVersion(clientId));
 
     // Add config version to message
     const messageWithVersion = {
@@ -545,45 +640,73 @@ const sendToClientLocal = async (
     return true;
 };
 
+const sendRedisDirectBatchToLocalClients = async (
+    entries: { targetClientId: string; message: WSMessage }[]
+): Promise<void> => {
+    const jobs = entries.map((entry) =>
+        sendToClientLocal(
+            entry.targetClientId,
+            entry.message,
+            {},
+            entry.message.configVersion
+        )
+    );
+    await Promise.all(jobs);
+};
+
 const broadcastToAllExceptLocal = async (
     message: WSMessage,
     excludeClientId?: string,
     options: SendMessageOptions = {}
 ): Promise<void> => {
-    for (const [mapKey, clients] of connectedClients.entries()) {
+    const sendPlans = await Promise.all(
-        const [type, id] = mapKey.split(":");
+        Array.from(connectedClients.entries()).map(
+            async ([mapKey, clients]) => {
                 const clientId = mapKey; // mapKey is the clientId
-        if (!(excludeClientId && clientId === excludeClientId)) {
+                if (excludeClientId && clientId === excludeClientId) {
-            // Handle config version per client
+                    return null;
-            let configVersion = await getClientConfigVersion(clientId);
-            if (options.incrementConfigVersion) {
-                configVersion = await incrementClientConfigVersion(clientId);
                 }
 
-            // Add config version to message
+                let configVersion = await getClientConfigVersion(clientId);
-            const messageWithVersion = {
+                if (options.incrementConfigVersion) {
+                    configVersion =
+                        await incrementClientConfigVersion(clientId);
+                }
+
+                return {
+                    clients,
+                    messageWithVersion: {
                         ...message,
                         configVersion
+                    }
                 };
+            }
+        )
+    );
+
+    for (const plan of sendPlans) {
+        if (!plan) {
+            continue;
+        }
 
         if (options.compress) {
             const compressed = zlib.gzipSync(
-                    Buffer.from(JSON.stringify(messageWithVersion), "utf8")
+                Buffer.from(JSON.stringify(plan.messageWithVersion), "utf8")
             );
-                clients.forEach((client) => {
+            plan.clients.forEach((client) => {
                 if (client.readyState === WebSocket.OPEN) {
                     client.send(compressed);
                 }
             });
         } else {
-                clients.forEach((client) => {
+            const messageString = JSON.stringify(plan.messageWithVersion);
+            plan.clients.forEach((client) => {
                 if (client.readyState === WebSocket.OPEN) {
-                        client.send(JSON.stringify(messageWithVersion));
+                    client.send(messageString);
                 }
             });
         }
     }
-    }
 };
 
 // Cross-node message sending (via Redis)
@@ -602,28 +725,23 @@ const sendToClient = async (
     );
 
     // Try to send locally first
-    const localSent = await sendToClientLocal(clientId, message, options);
+    const localSent = await sendToClientLocal(
+        clientId,
+        message,
+        options,
+        configVersion
+    );
 
     // Only send via Redis if the client is not connected locally and Redis is enabled
     if (!localSent && redisManager.isRedisEnabled()) {
         try {
-            const redisMessage: RedisMessage = {
+            await enqueueRedisDirectMessage(clientId, {
-                type: "direct",
-                targetClientId: clientId,
-                message: {
                 ...message,
                 configVersion
-                },
+            });
-                fromNodeId: NODE_ID
-            };
-
-            await redisManager.publish(
-                REDIS_CHANNEL,
-                JSON.stringify(redisMessage)
-            );
         } catch (error) {
             logger.error(
-                "Failed to send message via Redis, message may be lost:",
+                "Failed to queue batched direct message for Redis delivery, message may be lost:",
                 error
             );
             // Continue execution - local delivery already attempted
@@ -638,6 +756,95 @@ const sendToClient = async (
     return localSent;
 };
 
+const sendToClientsBatch = async (
+    entries: BatchSendMessage[]
+): Promise<void> => {
+    if (entries.length === 0) {
+        return;
+    }
+
+    const remoteEntries: { targetClientId: string; message: WSMessage }[] = [];
+    const clientsWithIncrement = new Set(
+        entries
+            .filter((entry) => !!entry.options?.incrementConfigVersion)
+            .map((entry) => entry.clientId)
+    );
+    const nonIncrementOnlyClientIds = Array.from(
+        new Set(
+            entries
+                .map((entry) => entry.clientId)
+                .filter((clientId) => !clientsWithIncrement.has(clientId))
+        )
+    );
+    const stableConfigVersionByClient = new Map<string, number | undefined>(
+        await Promise.all(
+            nonIncrementOnlyClientIds.map(
+                async (clientId) =>
+                    [clientId, await getClientConfigVersion(clientId)] as const
+            )
+        )
+    );
+
+    for (const entry of entries) {
+        const options = entry.options || {};
+        const { clientId, message } = entry;
+
+        const configVersion = options.incrementConfigVersion
+            ? await incrementClientConfigVersion(clientId)
+            : stableConfigVersionByClient.get(clientId);
+
+        logger.debug(
+            `sendToClientsBatch: Message type ${message.type} queued for clientId ${clientId} (new configVersion: ${configVersion})`
+        );
+
+        const localSent = await sendToClientLocal(
+            clientId,
+            message,
+            options,
+            configVersion
+        );
+
+        if (!localSent && redisManager.isRedisEnabled()) {
+            remoteEntries.push({
+                targetClientId: clientId,
+                message: {
+                    ...message,
+                    configVersion
+                }
+            });
+        } else if (!localSent && !redisManager.isRedisEnabled()) {
+            logger.debug(
+                `Could not deliver batch message to ${clientId} - not connected locally and Redis unavailable`
+            );
+        }
+    }
+
+    if (!redisManager.isRedisEnabled() || remoteEntries.length === 0) {
+        return;
+    }
+
+    for (let i = 0; i < remoteEntries.length; i += REDIS_DIRECT_BATCH_SIZE) {
+        const messages = remoteEntries.slice(i, i + REDIS_DIRECT_BATCH_SIZE);
+        try {
+            const redisMessage: RedisMessage = {
+                type: "direct-batch",
+                messages,
+                fromNodeId: NODE_ID
+            };
+
+            await redisManager.publish(
+                REDIS_CHANNEL,
+                JSON.stringify(redisMessage)
+            );
+        } catch (error) {
+            logger.error(
+                "Failed to send explicit direct batch via Redis, messages may be lost:",
+                error
+            );
+        }
+    }
+};
+
 const broadcastToAllExcept = async (
     message: WSMessage,
     excludeClientId?: string,
@@ -1109,6 +1316,8 @@ const disconnectClient = async (clientId: string): Promise<boolean> => {
 // Cleanup function for graceful shutdown
 const cleanup = async (): Promise<void> => {
     try {
+        await flushPendingRedisDirectMessages();
+
         // Close all WebSocket connections
         connectedClients.forEach((clients) => {
             clients.forEach((client) => {
@@ -1139,6 +1348,7 @@ export {
     router,
     handleWSUpgrade,
     sendToClient,
+    sendToClientsBatch,
     broadcastToAllExcept,
     connectedClients,
     hasActiveConnections,

server/routers/badger/verifySession.test.ts

@@ -1,5 +1,6 @@
 import { assertEquals } from "@test/assert";
 import { REGIONS } from "@server/db/regions";
+import { isPathAllowed } from "@server/lib/pathMatch";
 
 function isIpInRegion(
     ipCountryCode: string | undefined,
@@ -33,76 +34,6 @@ function isIpInRegion(
     return false;
 }
 
-function isPathAllowed(pattern: string, path: string): boolean {
-    // Normalize and split paths into segments
-    const normalize = (p: string) => p.split("/").filter(Boolean);
-    const patternParts = normalize(pattern);
-    const pathParts = normalize(path);
-
-    // Recursive function to try different wildcard matches
-    function matchSegments(patternIndex: number, pathIndex: number): boolean {
-        const indent = "  ".repeat(pathIndex); // Indent based on recursion depth
-        const currentPatternPart = patternParts[patternIndex];
-        const currentPathPart = pathParts[pathIndex];
-
-        // If we've consumed all pattern parts, we should have consumed all path parts
-        if (patternIndex >= patternParts.length) {
-            const result = pathIndex >= pathParts.length;
-            return result;
-        }
-
-        // If we've consumed all path parts but still have pattern parts
-        if (pathIndex >= pathParts.length) {
-            // The only way this can match is if all remaining pattern parts are wildcards
-            const remainingPattern = patternParts.slice(patternIndex);
-            const result = remainingPattern.every((p) => p === "*");
-            return result;
-        }
-
-        // For full segment wildcards, try consuming different numbers of path segments
-        if (currentPatternPart === "*") {
-            // Try consuming 0 segments (skip the wildcard)
-            if (matchSegments(patternIndex + 1, pathIndex)) {
-                return true;
-            }
-
-            // Try consuming current segment and recursively try rest
-            if (matchSegments(patternIndex, pathIndex + 1)) {
-                return true;
-            }
-
-            return false;
-        }
-
-        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
-        if (currentPatternPart.includes("*")) {
-            // Convert the pattern segment to a regex pattern
-            const regexPattern = currentPatternPart
-                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
-                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
-
-            const regex = new RegExp(`^${regexPattern}$`);
-
-            if (regex.test(currentPathPart)) {
-                return matchSegments(patternIndex + 1, pathIndex + 1);
-            }
-
-            return false;
-        }
-
-        // For regular segments, they must match exactly
-        if (currentPatternPart !== currentPathPart) {
-            return false;
-        }
-
-        // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1);
-    }
-
-    const result = matchSegments(0, 0);
-    return result;
-}
-
 function runTests() {
     console.log("Running path matching tests...");
 
@@ -308,6 +239,121 @@ function runTests() {
     console.log("All path matching tests passed!");
 }
 
+function runSpecialCharacterTests() {
+    console.log("\nRunning special character tests...");
+
+    let threw = false;
+    try {
+        isPathAllowed("(api*", "anything");
+        isPathAllowed("a(b*", "a(bc");
+        isPathAllowed("c[d*", "c[de");
+        isPathAllowed("x{2}*", "x{2}y");
+        isPathAllowed("a|b*", "a|bc");
+        isPathAllowed("back\\slash*", "back\\slashed");
+    } catch (e) {
+        threw = true;
+        console.error(
+            "Patterns accepted by isValidUrlGlobPattern crashed the matcher:",
+            e instanceof Error ? e.message : e
+        );
+    }
+    assertEquals(
+        threw,
+        false,
+        "Patterns with regex metacharacters must not throw"
+    );
+
+    assertEquals(
+        isPathAllowed("(api*", "(api-v1"),
+        true,
+        "Parenthesis should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("(api*", "xapi-v1"),
+        false,
+        "Parenthesis should not match other characters"
+    );
+    assertEquals(
+        isPathAllowed("a(b)*", "a(b)c"),
+        true,
+        "Parentheses pair should be treated as literal characters"
+    );
+
+    assertEquals(
+        isPathAllowed("*.png", "image.png"),
+        true,
+        "Dot should match a literal dot"
+    );
+    assertEquals(
+        isPathAllowed("*.png", "imageXpng"),
+        false,
+        "Dot should not act as a regex wildcard"
+    );
+    assertEquals(
+        isPathAllowed("v1.0*", "v1.0.1"),
+        true,
+        "Version-like literal should match itself"
+    );
+    assertEquals(
+        isPathAllowed("v1.0*", "v1x0-beta"),
+        false,
+        "Version-like literal should not match arbitrary characters"
+    );
+
+    assertEquals(
+        isPathAllowed("a+b*", "a+bc"),
+        true,
+        "Plus should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("a+b*", "aaabc"),
+        false,
+        "Plus should not act as a regex quantifier"
+    );
+
+    assertEquals(
+        isPathAllowed("$ref*", "$refs"),
+        true,
+        "Dollar sign should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("price$*", "price$100"),
+        true,
+        "Dollar sign mid-pattern should be treated as a literal character"
+    );
+
+    assertEquals(
+        isPathAllowed("^start*", "^started"),
+        true,
+        "Caret should be treated as a literal character"
+    );
+
+    assertEquals(
+        isPathAllowed("a|b*", "a|bc"),
+        true,
+        "Pipe should be treated as a literal character"
+    );
+    assertEquals(
+        isPathAllowed("a|b*", "a"),
+        false,
+        "Pipe should not act as regex alternation"
+    );
+
+    assertEquals(
+        isPathAllowed("file?*", "fileX"),
+        true,
+        "Question mark should still act as a single-character wildcard"
+    );
+
+    assertEquals(
+        isPathAllowed("api/*", "api/" + "x/".repeat(50)),
+        true,
+        "Deeply nested paths should still match"
+    );
+
+    console.log("All special character tests passed!");
+}
+
 function runRegionTests() {
     console.log("\nRunning isIpInRegion tests...");
 
@@ -367,6 +413,7 @@ function runRegionTests() {
 // Run all tests
 try {
     runTests();
+    runSpecialCharacterTests();
     runRegionTests();
     console.log("\n✅ All tests passed!");
 } catch (error) {

server/routers/badger/verifySession.ts

@@ -25,6 +25,7 @@ import {
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr, stripPortFromHost } from "@server/lib/ip";
+import { isPathAllowed } from "@server/lib/pathMatch";
 import { response } from "@server/lib/response";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
@@ -1090,143 +1091,7 @@ async function checkRules(
     return;
 }
 
-export function isPathAllowed(pattern: string, path: string): boolean {
+export { isPathAllowed };
-    logger.debug(`\nMatching path "${path}" against pattern "${pattern}"`);
-
-    // Normalize and split paths into segments
-    const normalize = (p: string) => p.split("/").filter(Boolean);
-    const patternParts = normalize(pattern);
-    const pathParts = normalize(path);
-
-    logger.debug(`Normalized pattern parts: [${patternParts.join(", ")}]`);
-    logger.debug(`Normalized path parts: [${pathParts.join(", ")}]`);
-
-    // Maximum recursion depth to prevent stack overflow and memory issues
-    const MAX_RECURSION_DEPTH = 100;
-
-    // Recursive function to try different wildcard matches
-    function matchSegments(
-        patternIndex: number,
-        pathIndex: number,
-        depth: number = 0
-    ): boolean {
-        // Check recursion depth limit
-        if (depth > MAX_RECURSION_DEPTH) {
-            logger.warn(
-                `Path matching exceeded maximum recursion depth (${MAX_RECURSION_DEPTH}) for pattern "${pattern}" and path "${path}"`
-            );
-            return false;
-        }
-
-        const indent = "  ".repeat(depth); // Indent based on recursion depth
-        const currentPatternPart = patternParts[patternIndex];
-        const currentPathPart = pathParts[pathIndex];
-
-        logger.debug(
-            `${indent}Checking patternIndex=${patternIndex} (${currentPatternPart || "END"}) vs pathIndex=${pathIndex} (${currentPathPart || "END"}) [depth=${depth}]`
-        );
-
-        // If we've consumed all pattern parts, we should have consumed all path parts
-        if (patternIndex >= patternParts.length) {
-            const result = pathIndex >= pathParts.length;
-            logger.debug(
-                `${indent}Reached end of pattern, remaining path: ${pathParts.slice(pathIndex).join("/")} -> ${result}`
-            );
-            return result;
-        }
-
-        // If we've consumed all path parts but still have pattern parts
-        if (pathIndex >= pathParts.length) {
-            // The only way this can match is if all remaining pattern parts are wildcards
-            const remainingPattern = patternParts.slice(patternIndex);
-            const result = remainingPattern.every((p) => p === "*");
-            logger.debug(
-                `${indent}Reached end of path, remaining pattern: ${remainingPattern.join("/")} -> ${result}`
-            );
-            return result;
-        }
-
-        // For full segment wildcards, try consuming different numbers of path segments
-        if (currentPatternPart === "*") {
-            logger.debug(
-                `${indent}Found wildcard at pattern index ${patternIndex}`
-            );
-
-            // Try consuming 0 segments (skip the wildcard)
-            logger.debug(
-                `${indent}Trying to skip wildcard (consume 0 segments)`
-            );
-            if (matchSegments(patternIndex + 1, pathIndex, depth + 1)) {
-                logger.debug(
-                    `${indent}Successfully matched by skipping wildcard`
-                );
-                return true;
-            }
-
-            // Try consuming current segment and recursively try rest
-            logger.debug(
-                `${indent}Trying to consume segment "${currentPathPart}" for wildcard`
-            );
-            if (matchSegments(patternIndex, pathIndex + 1, depth + 1)) {
-                logger.debug(
-                    `${indent}Successfully matched by consuming segment for wildcard`
-                );
-                return true;
-            }
-
-            logger.debug(`${indent}Failed to match wildcard`);
-            return false;
-        }
-
-        // Check for in-segment wildcard (e.g., "prefix*" or "prefix*suffix")
-        if (currentPatternPart.includes("*")) {
-            logger.debug(
-                `${indent}Found in-segment wildcard in "${currentPatternPart}"`
-            );
-
-            // Convert the pattern segment to a regex pattern
-            const regexPattern = currentPatternPart
-                .replace(/\*/g, ".*") // Replace * with .* for regex wildcard
-                .replace(/\?/g, "."); // Replace ? with . for single character wildcard if needed
-
-            const regex = new RegExp(`^${regexPattern}$`);
-
-            if (regex.test(currentPathPart)) {
-                logger.debug(
-                    `${indent}Segment with wildcard matches: "${currentPatternPart}" matches "${currentPathPart}"`
-                );
-                return matchSegments(
-                    patternIndex + 1,
-                    pathIndex + 1,
-                    depth + 1
-                );
-            }
-
-            logger.debug(
-                `${indent}Segment with wildcard mismatch: "${currentPatternPart}" doesn't match "${currentPathPart}"`
-            );
-            return false;
-        }
-
-        // For regular segments, they must match exactly
-        if (currentPatternPart !== currentPathPart) {
-            logger.debug(
-                `${indent}Segment mismatch: "${currentPatternPart}" != "${currentPathPart}"`
-            );
-            return false;
-        }
-
-        logger.debug(
-            `${indent}Segments match: "${currentPatternPart}" = "${currentPathPart}"`
-        );
-        // Move to next segments in both pattern and path
-        return matchSegments(patternIndex + 1, pathIndex + 1, depth + 1);
-    }
-
-    const result = matchSegments(0, 0, 0);
-    logger.debug(`Final result: ${result}`);
-    return result;
-}
 
 async function isIpInGeoIP(
     ipCountryCode: string | undefined,

server/routers/client/targets.ts

@@ -1,4 +1,4 @@
-import { sendToClient } from "#dynamic/routers/ws";
+import { sendToClient, sendToClientsBatch } from "#dynamic/routers/ws";
 import { db, newts, olms } from "@server/db";
 import {
     Alias,
@@ -8,7 +8,7 @@ import {
 } from "@server/lib/ip";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import logger from "@server/logger";
-import { eq } from "drizzle-orm";
+import { eq, inArray } from "drizzle-orm";
 import semver from "semver";
 
 const NEWT_V2_TARGETS_VERSION = ">=1.10.3";
@@ -59,6 +59,42 @@ export async function addTargets(
     );
 }
 
+export async function addTargetsBatch(
+    entries: {
+        newtId: string;
+        targets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
+        version?: string | null;
+    }[]
+) {
+    if (entries.length === 0) {
+        return;
+    }
+
+    const resolved = await Promise.all(
+        entries.map(async (entry) => ({
+            ...entry,
+            targets: await convertTargetsIfNecessary(
+                entry.newtId,
+                entry.targets
+            )
+        }))
+    );
+
+    await sendToClientsBatch(
+        resolved.map((entry) => ({
+            clientId: entry.newtId,
+            message: {
+                type: `newt/wg/targets/add`,
+                data: entry.targets
+            },
+            options: {
+                incrementConfigVersion: true,
+                compress: canCompress(entry.version, "newt")
+            }
+        }))
+    );
+}
+
 export async function removeTargets(
     newtId: string,
     targets: SubnetProxyTarget[] | SubnetProxyTargetV2[],
@@ -76,6 +112,42 @@ export async function removeTargets(
     );
 }
 
+export async function removeTargetsBatch(
+    entries: {
+        newtId: string;
+        targets: SubnetProxyTarget[] | SubnetProxyTargetV2[];
+        version?: string | null;
+    }[]
+) {
+    if (entries.length === 0) {
+        return;
+    }
+
+    const resolved = await Promise.all(
+        entries.map(async (entry) => ({
+            ...entry,
+            targets: await convertTargetsIfNecessary(
+                entry.newtId,
+                entry.targets
+            )
+        }))
+    );
+
+    await sendToClientsBatch(
+        resolved.map((entry) => ({
+            clientId: entry.newtId,
+            message: {
+                type: `newt/wg/targets/remove`,
+                data: entry.targets
+            },
+            options: {
+                incrementConfigVersion: true,
+                compress: canCompress(entry.version, "newt")
+            }
+        }))
+    );
+}
+
 export async function updateTargets(
     newtId: string,
     targets: {
@@ -201,6 +273,171 @@ export async function removePeerData(
     });
 }
 
+const resolveOlmTargets = async (
+    entries: {
+        clientId: number;
+        olmId?: string;
+        version?: string | null;
+    }[]
+) => {
+    const unresolvedClientIds = entries
+        .filter((entry) => !entry.olmId)
+        .map((entry) => entry.clientId);
+
+    const olmMap = new Map<number, { olmId: string; version: string | null }>();
+
+    if (unresolvedClientIds.length > 0) {
+        const olmRows = await db
+            .select({
+                clientId: olms.clientId,
+                olmId: olms.olmId,
+                version: olms.version
+            })
+            .from(olms)
+            .where(inArray(olms.clientId, unresolvedClientIds));
+
+        for (const row of olmRows) {
+            if (row.clientId !== null) {
+                olmMap.set(row.clientId, {
+                    olmId: row.olmId,
+                    version: row.version
+                });
+            }
+        }
+    }
+
+    return entries
+        .map((entry) => {
+            if (entry.olmId) {
+                return {
+                    clientId: entry.clientId,
+                    olmId: entry.olmId,
+                    version: entry.version
+                };
+            }
+
+            const resolved = olmMap.get(entry.clientId);
+            if (!resolved) {
+                return null;
+            }
+
+            return {
+                clientId: entry.clientId,
+                olmId: resolved.olmId,
+                version: entry.version ?? resolved.version
+            };
+        })
+        .filter((entry) => entry !== null);
+};
+
+export async function addPeerDataBatch(
+    entries: {
+        clientId: number;
+        siteId: number;
+        remoteSubnets: string[];
+        aliases: Alias[];
+        olmId?: string;
+        version?: string | null;
+    }[]
+) {
+    if (entries.length === 0) {
+        return;
+    }
+
+    const resolvedTargets = await resolveOlmTargets(entries);
+
+    if (resolvedTargets.length === 0) {
+        return;
+    }
+
+    const payloads = entries
+        .map((entry) => {
+            const resolved = resolvedTargets.find(
+                (target) => target.clientId === entry.clientId
+            );
+            if (!resolved) {
+                return null;
+            }
+
+            return {
+                clientId: resolved.olmId,
+                message: {
+                    type: `olm/wg/peer/data/add`,
+                    data: {
+                        siteId: entry.siteId,
+                        remoteSubnets: entry.remoteSubnets,
+                        aliases: entry.aliases
+                    }
+                },
+                options: {
+                    incrementConfigVersion: true,
+                    compress: canCompress(resolved.version, "olm")
+                }
+            };
+        })
+        .filter((entry) => entry !== null);
+
+    if (payloads.length === 0) {
+        return;
+    }
+
+    await sendToClientsBatch(payloads);
+}
+
+export async function removePeerDataBatch(
+    entries: {
+        clientId: number;
+        siteId: number;
+        remoteSubnets: string[];
+        aliases: Alias[];
+        olmId?: string;
+        version?: string | null;
+    }[]
+) {
+    if (entries.length === 0) {
+        return;
+    }
+
+    const resolvedTargets = await resolveOlmTargets(entries);
+
+    if (resolvedTargets.length === 0) {
+        return;
+    }
+
+    const payloads = entries
+        .map((entry) => {
+            const resolved = resolvedTargets.find(
+                (target) => target.clientId === entry.clientId
+            );
+            if (!resolved) {
+                return null;
+            }
+
+            return {
+                clientId: resolved.olmId,
+                message: {
+                    type: `olm/wg/peer/data/remove`,
+                    data: {
+                        siteId: entry.siteId,
+                        remoteSubnets: entry.remoteSubnets,
+                        aliases: entry.aliases
+                    }
+                },
+                options: {
+                    incrementConfigVersion: true,
+                    compress: canCompress(resolved.version, "olm")
+                }
+            };
+        })
+        .filter((entry) => entry !== null);
+
+    if (payloads.length === 0) {
+        return;
+    }
+
+    await sendToClientsBatch(payloads);
+}
+
 export async function updatePeerData(
     clientId: number,
     siteId: number,

server/routers/newt/getNewtVersion.ts

@@ -10,7 +10,7 @@ import { verifyPassword } from "@server/auth/password";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
-import cache from "#dynamic/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";
 import config from "@server/lib/config";
 
 // Stale-while-revalidate in-memory fallback for the releases API.

server/routers/newt/handleSocketMessages.ts

@@ -2,7 +2,7 @@ import { MessageHandler } from "@server/routers/ws";
 import logger from "@server/logger";
 import { Newt } from "@server/db";
 import { applyNewtDockerBlueprint } from "@server/lib/blueprints/applyNewtDockerBlueprint";
-import cache from "#dynamic/lib/cache";
+import cache from "#dynamic/lib/cache"; // not using regional here because we dont know where the site is
 
 export const handleDockerStatusMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;

server/routers/newt/peers.ts

@@ -1,7 +1,7 @@
 import { db, Site } from "@server/db";
 import { newts, sites } from "@server/db";
 import { eq } from "drizzle-orm";
-import { sendToClient } from "#dynamic/routers/ws";
+import { sendToClient, sendToClientsBatch } from "#dynamic/routers/ws";
 import logger from "@server/logger";
 
 export async function addPeer(
@@ -36,10 +36,14 @@ export async function addPeer(
         newtId = newt.newtId;
     }
 
-    await sendToClient(newtId, {
+    await sendToClient(
+        newtId,
+        {
             type: "newt/wg/peer/add",
             data: peer
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -76,12 +80,16 @@ export async function deletePeer(
         newtId = newt.newtId;
     }
 
-    await sendToClient(newtId, {
+    await sendToClient(
+        newtId,
+        {
             type: "newt/wg/peer/remove",
             data: {
                 publicKey
             }
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 
@@ -90,6 +98,35 @@ export async function deletePeer(
     return site;
 }
 
+export async function deletePeersBatch(
+    peers: {
+        siteId: number;
+        publicKey: string;
+        newtId: string;
+    }[]
+) {
+    if (peers.length === 0) {
+        return;
+    }
+
+    await sendToClientsBatch(
+        peers.map((peer) => ({
+            clientId: peer.newtId,
+            message: {
+                type: "newt/wg/peer/remove",
+                data: {
+                    publicKey: peer.publicKey
+                }
+            },
+            options: { incrementConfigVersion: true }
+        }))
+    ).catch((error) => {
+        logger.warn(`Error sending batched newt peer removals:`, error);
+    });
+
+    logger.info(`Deleted ${peers.length} peer(s) from newts (batch)`);
+}
+
 export async function updatePeer(
     siteId: number,
     publicKey: string,
@@ -122,13 +159,17 @@ export async function updatePeer(
         newtId = newt.newtId;
     }
 
-    await sendToClient(newtId, {
+    await sendToClient(
+        newtId,
+        {
             type: "newt/wg/peer/update",
             data: {
                 publicKey,
                 ...peer
             }
-    }, { incrementConfigVersion: true }).catch((error) => {
+        },
+        { incrementConfigVersion: true }
+    ).catch((error) => {
         logger.warn(`Error sending message:`, error);
     });
 

server/routers/olm/handleOlmRegisterMessage.ts

@@ -20,7 +20,7 @@ import { handleFingerprintInsertion } from "./fingerprintingUtils";
 import { build } from "@server/build";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
-import cache from "#dynamic/lib/cache";
+import cache from "#dynamic/lib/cache"; // not using regional here because we need this in the register message handler before we know where the client is
 
 const HOLEPUNCH_STALE_CHAIN_THRESHOLD = 18;
 const HOLEPUNCH_STALE_CHAIN_TTL_SECONDS = 1800;

server/routers/olm/peers.ts

@@ -1,9 +1,9 @@
-import { sendToClient } from "#dynamic/routers/ws";
+import { sendToClient, sendToClientsBatch } from "#dynamic/routers/ws";
 import { clientSitesAssociationsCache, db, olms } from "@server/db";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
 import logger from "@server/logger";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 import { Alias } from "yaml";
 
 export async function addPeer(
@@ -205,3 +205,150 @@ export async function initPeerAddHandshake(
         `Initiated peer add handshake for site ${peer.siteId} to olm ${olmId}`
     );
 }
+
+export async function deletePeersBatch(
+    peers: {
+        clientId: number;
+        siteId: number;
+        publicKey: string;
+        olmId?: string;
+        version?: string | null;
+    }[]
+) {
+    if (peers.length === 0) {
+        return;
+    }
+
+    const unresolvedClientIds = peers
+        .filter((peer) => !peer.olmId)
+        .map((peer) => peer.clientId);
+
+    const olmByClientId = new Map<
+        number,
+        { olmId: string; version: string | null }
+    >();
+
+    if (unresolvedClientIds.length > 0) {
+        const olmRows = await db
+            .select({
+                clientId: olms.clientId,
+                olmId: olms.olmId,
+                version: olms.version
+            })
+            .from(olms)
+            .where(inArray(olms.clientId, unresolvedClientIds));
+
+        for (const row of olmRows) {
+            if (row.clientId !== null) {
+                olmByClientId.set(row.clientId, {
+                    olmId: row.olmId,
+                    version: row.version
+                });
+            }
+        }
+    }
+
+    const batchPayloads = peers
+        .map((peer) => {
+            const resolved = peer.olmId
+                ? { olmId: peer.olmId, version: peer.version ?? null }
+                : olmByClientId.get(peer.clientId);
+            if (!resolved) {
+                return null;
+            }
+
+            return {
+                clientId: resolved.olmId,
+                message: {
+                    type: "olm/wg/peer/remove",
+                    data: {
+                        publicKey: peer.publicKey,
+                        siteId: peer.siteId
+                    }
+                },
+                options: {
+                    incrementConfigVersion: true,
+                    compress: canCompress(
+                        peer.version ?? resolved.version,
+                        "olm"
+                    )
+                }
+            };
+        })
+        .filter((payload) => payload !== null);
+
+    if (batchPayloads.length === 0) {
+        return;
+    }
+
+    await sendToClientsBatch(batchPayloads).catch((error) => {
+        logger.warn(`Error sending batched olm peer removals:`, error);
+    });
+
+    logger.info(`Deleted ${batchPayloads.length} peer(s) from olms (batch)`);
+}
+
+export async function initPeerAddHandshakeBatch(
+    handshakes: {
+        clientId: number;
+        peer: {
+            siteId: number;
+            exitNode: {
+                publicKey: string;
+                endpoint: string;
+            };
+        };
+        olmId: string;
+        chainId?: string;
+    }[]
+) {
+    if (handshakes.length === 0) {
+        return;
+    }
+
+    await sendToClientsBatch(
+        handshakes.map((item) => ({
+            clientId: item.olmId,
+            message: {
+                type: "olm/wg/peer/holepunch/site/add",
+                data: {
+                    siteId: item.peer.siteId,
+                    exitNode: {
+                        publicKey: item.peer.exitNode.publicKey,
+                        relayPort:
+                            config.getRawConfig().gerbil.clients_start_port,
+                        endpoint: item.peer.exitNode.endpoint
+                    },
+                    chainId: item.chainId
+                }
+            },
+            options: { incrementConfigVersion: true }
+        }))
+    ).catch((error) => {
+        logger.warn(`Error sending batched olm handshakes:`, error);
+    });
+
+    await Promise.all(
+        handshakes.map((item) =>
+            db
+                .update(clientSitesAssociationsCache)
+                .set({ isJitMode: false })
+                .where(
+                    and(
+                        eq(
+                            clientSitesAssociationsCache.clientId,
+                            item.clientId
+                        ),
+                        eq(
+                            clientSitesAssociationsCache.siteId,
+                            item.peer.siteId
+                        )
+                    )
+                )
+        )
+    );
+
+    logger.info(
+        `Initiated ${handshakes.length} peer add handshake(s) to olms (batch)`
+    );
+}

server/routers/resource/listUserResourceAliases.ts

@@ -15,8 +15,7 @@ import logger from "@server/logger";
 import { z } from "zod";
 import { fromZodError } from "zod-validation-error";
 import type { PaginatedResponse } from "@server/types/Pagination";
-import { OpenAPITags, registry } from "@server/openApi";
+import { regionalCache as cache } from "#dynamic/lib/cache";
-import { localCache } from "#dynamic/lib/cache";
 
 const USER_RESOURCE_ALIASES_CACHE_TTL_SEC = 60;
 
@@ -153,7 +152,7 @@ export async function listUserResourceAliases(
             pageSize
         );
         const cachedData: ListUserResourceAliasesResponse | undefined =
-            localCache.get(cacheKey);
+            await cache.get(cacheKey);
 
         if (cachedData) {
             return response<ListUserResourceAliasesResponse>(res, {
@@ -211,7 +210,11 @@ export async function listUserResourceAliases(
                     page
                 }
             };
-            localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
+            await cache.set(
+                cacheKey,
+                data,
+                USER_RESOURCE_ALIASES_CACHE_TTL_SEC
+            );
             return response<ListUserResourceAliasesResponse>(res, {
                 data,
                 success: true,
@@ -256,7 +259,7 @@ export async function listUserResourceAliases(
                 page
             }
         };
-        localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
+        await cache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
 
         return response<ListUserResourceAliasesResponse>(res, {
             data,

server/routers/site/listSites.ts

@@ -14,7 +14,7 @@ import {
     siteLabels,
     type Label
 } from "@server/db";
-import cache from "#dynamic/lib/cache";
+import { regionalCache as cache } from "#dynamic/lib/cache";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";

server/routers/siteResource/updateSiteResource.ts

@@ -28,7 +28,10 @@ import {
     isIpInCidr,
     portRangeStringSchema
 } from "@server/lib/ip";
-import { rebuildClientAssociationsFromSiteResource } from "@server/lib/rebuildClientAssociations";
+import {
+    getClientSiteResourceAccess,
+    rebuildClientAssociationsFromSiteResource
+} from "@server/lib/rebuildClientAssociations";
 import logger from "@server/logger";
 import HttpCode from "@server/types/HttpCode";
 import { NextFunction, Request, Response } from "express";
@@ -846,12 +849,17 @@ export async function handleMessagingForUpdatedSiteResource(
         updatedSiteResource
     );
 
-    const { mergedAllClients } =
     await rebuildClientAssociationsFromSiteResource(
         existingSiteResource || updatedSiteResource, // we want to rebuild based on the existing resource then we will apply the change to the destination below
         trx
     );
 
+    const { sitesList, mergedAllClients, mergedAllClientIds } =
+        await getClientSiteResourceAccess(
+            existingSiteResource || updatedSiteResource,
+            trx
+        );
+
     // after everything is rebuilt above we still need to update the targets and remote subnets if the destination changed
     const destinationChanged =
         existingSiteResource &&

server/routers/ws/types.ts

@@ -76,12 +76,32 @@ export interface SendMessageOptions {
     compress?: boolean;
 }
 
-// Redis message type for cross-node communication
+export interface BatchSendMessage {
-export interface RedisMessage {
+    clientId: string;
-    type: "direct" | "broadcast";
+    message: WSMessage;
-    targetClientId?: string;
+    options?: SendMessageOptions;
+}
+
+// Redis message types for cross-node communication
+export type RedisMessage =
+    | {
+          type: "direct";
+          targetClientId: string;
+          message: WSMessage;
+          fromNodeId: string;
+      }
+    | {
+          type: "direct-batch";
+          messages: {
+              targetClientId: string;
+              message: WSMessage;
+          }[];
+          fromNodeId: string;
+      }
+    | {
+          type: "broadcast";
           excludeClientId?: string;
           message: WSMessage;
           fromNodeId: string;
           options?: SendMessageOptions;
-}
+      };

server/routers/ws/ws.ts

@@ -26,7 +26,8 @@ import {
     WebSocketRequest,
     WSMessage,
     AuthenticatedWebSocket,
-    SendMessageOptions
+    SendMessageOptions,
+    BatchSendMessage
 } from "./types";
 import { validateSessionToken } from "@server/auth/sessions/app";
 
@@ -212,6 +213,20 @@ const sendToClient = async (
     return localSent;
 };
 
+const sendToClientsBatch = async (
+    entries: BatchSendMessage[]
+): Promise<void> => {
+    if (entries.length === 0) {
+        return;
+    }
+
+    await Promise.all(
+        entries.map((entry) =>
+            sendToClient(entry.clientId, entry.message, entry.options)
+        )
+    );
+};
+
 const broadcastToAllExcept = async (
     message: WSMessage,
     excludeClientId?: string,
@@ -552,6 +567,7 @@ export {
     router,
     handleWSUpgrade,
     sendToClient,
+    sendToClientsBatch,
     broadcastToAllExcept,
     connectedClients,
     hasActiveConnections,