Bump actions/setup-go from 6.3.0 to 6.4.0

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4b73464bb3...4a3601121d)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/CODEOWNERS

@@ -1 +0,0 @@
-* @oschwartz10612 @miloschwartz

.github/workflows/cicd.yml

@@ -264,7 +264,7 @@ jobs:
               shell: bash
 
             - name: Install Go
-              uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+              uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
               with:
                   go-version: 1.25
 

messages/en-US.json

@@ -2113,11 +2113,9 @@
     "addDomainToEnableCustomAuthPages": "Users will be able to access the organization's login page and complete resource authentication using this domain.",
     "selectDomainForOrgAuthPage": "Select a domain for the organization's authentication page",
     "domainPickerProvidedDomain": "Provided Domain",
-    "domainPickerFreeProvidedDomain": "Provided Domain",
+    "domainPickerFreeProvidedDomain": "Free Provided Domain",
-    "domainPickerFreeDomainsPaidFeature": "Provided domains are a paid feature. Subscribe to get a domain included with your plan — no need to bring your own.",
     "domainPickerVerified": "Verified",
     "domainPickerUnverified": "Unverified",
-    "domainPickerManual": "Manual",
     "domainPickerInvalidSubdomainStructure": "This subdomain contains invalid characters or structure. It will be sanitized automatically when you save.",
     "domainPickerError": "Error",
     "domainPickerErrorLoadDomains": "Failed to load organization domains",

server/lib/billing/tierMatrix.ts

@@ -19,8 +19,7 @@ export enum TierFeature {
     SshPam = "sshPam",
     FullRbac = "fullRbac",
     SiteProvisioningKeys = "siteProvisioningKeys", // handle downgrade by revoking keys if needed
-    SIEM = "siem", // handle downgrade by disabling SIEM integrations
+    SIEM = "siem" // handle downgrade by disabling SIEM integrations
-    DomainNamespaces = "domainNamespaces" // handle downgrade by removing custom domain namespaces
 }
 
 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -57,6 +56,5 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
     [TierFeature.SshPam]: ["tier1", "tier3", "enterprise"],
     [TierFeature.FullRbac]: ["tier1", "tier2", "tier3", "enterprise"],
     [TierFeature.SiteProvisioningKeys]: ["tier3", "enterprise"],
-    [TierFeature.SIEM]: ["enterprise"],
+    [TierFeature.SIEM]: ["enterprise"]
-    [TierFeature.DomainNamespaces]: ["tier1", "tier2", "tier3", "enterprise"]
 };

server/private/routers/domain/checkDomainNamespaceAvailability.ts

@@ -22,15 +22,11 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { db, domainNamespaces, resources } from "@server/db";
 import { inArray } from "drizzle-orm";
 import { CheckDomainAvailabilityResponse } from "@server/routers/domain/types";
-import { build } from "@server/build";
-import { isSubscribed } from "#private/lib/isSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
 
 const paramsSchema = z.strictObject({});
 
 const querySchema = z.strictObject({
-    subdomain: z.string(),
+    subdomain: z.string()
-    // orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
 });
 
 registry.registerPath({
@@ -62,23 +58,6 @@ export async function checkDomainNamespaceAvailability(
         }
         const { subdomain } = parsedQuery.data;
 
-        // if (
-        //     build == "saas" &&
-        //     !isSubscribed(orgId!, tierMatrix.domainNamespaces)
-        // ) {
-        //     // return not available
-        //     return response<CheckDomainAvailabilityResponse>(res, {
-        //         data: {
-        //             available: false,
-        //             options: []
-        //         },
-        //         success: true,
-        //         error: false,
-        //         message: "Your current subscription does not support custom domain namespaces. Please upgrade to access this feature.",
-        //         status: HttpCode.OK
-        //     });
-        // }
-
         const namespaces = await db.select().from(domainNamespaces);
         let possibleDomains = namespaces.map((ns) => {
             const desired = `${subdomain}.${ns.domainNamespaceId}`;

server/private/routers/domain/listDomainNamespaces.ts

@@ -22,9 +22,6 @@ import { eq, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { isSubscribed } from "#private/lib/isSubscribed";
-import { build } from "@server/build";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
 
 const paramsSchema = z.strictObject({});
 
@@ -40,8 +37,7 @@ const querySchema = z.strictObject({
         .optional()
         .default("0")
         .transform(Number)
-        .pipe(z.int().nonnegative()),
+        .pipe(z.int().nonnegative())
-    // orgId: build === "saas" ? z.string() : z.string().optional() // Required for saas, optional otherwise
 });
 
 async function query(limit: number, offset: number) {
@@ -103,26 +99,6 @@ export async function listDomainNamespaces(
             );
         }
 
-        // if (
-        //     build == "saas" &&
-        //     !isSubscribed(orgId!, tierMatrix.domainNamespaces)
-        // ) {
-        //     return response<ListDomainNamespacesResponse>(res, {
-        //         data: {
-        //             domainNamespaces: [],
-        //             pagination: {
-        //                 total: 0,
-        //                 limit,
-        //                 offset
-        //             }
-        //         },
-        //         success: true,
-        //         error: false,
-        //         message: "No namespaces found. Your current subscription does not support custom domain namespaces. Please upgrade to access this feature.",
-        //         status: HttpCode.OK
-        //     });
-        // }
-
         const domainNamespacesList = await query(limit, offset);
 
         const [{ count }] = await db

server/routers/external.ts

@@ -440,12 +440,6 @@ authenticated.get(
     resource.getUserResources
 );
 
-authenticated.get(
-    "/org/:orgId/user-resource-aliases",
-    verifyOrgAccess,
-    resource.listUserResourceAliases
-);
-
 authenticated.get(
     "/org/:orgId/domains",
     verifyOrgAccess,

server/routers/resource/createResource.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, domainNamespaces, loginPage } from "@server/db";
+import { db, loginPage } from "@server/db";
 import {
     domains,
     orgDomains,
@@ -24,8 +24,6 @@ import { build } from "@server/build";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
 import { getUniqueResourceName } from "@server/db/names";
 import { validateAndConstructDomain } from "@server/lib/domainUtils";
-import { isSubscribed } from "#dynamic/lib/isSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
 
 const createResourceParamsSchema = z.strictObject({
     orgId: z.string()
@@ -114,10 +112,7 @@ export async function createResource(
 
         const { orgId } = parsedParams.data;
 
-        if (
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
-            req.user &&
-            (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)
-        ) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -198,29 +193,6 @@ async function createHttpResource(
     const subdomain = parsedBody.data.subdomain;
     const stickySession = parsedBody.data.stickySession;
 
-    if (build == "saas" && !isSubscribed(orgId!, tierMatrix.domainNamespaces)) {
-        // grandfather in existing users
-        const lastAllowedDate = new Date("2026-04-12");
-        const userCreatedDate = new Date(req.user?.dateCreated || new Date());
-        if (userCreatedDate > lastAllowedDate) {
-            // check if this domain id is a namespace domain and if so, reject
-            const domain = await db
-                .select()
-                .from(domainNamespaces)
-                .where(eq(domainNamespaces.domainId, domainId))
-                .limit(1);
-
-            if (domain.length > 0) {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "Your current subscription does not support custom domain namespaces. Please upgrade to access this feature."
-                    )
-                );
-            }
-        }
-    }
-
     // Validate domain and construct full domain
     const domainResult = await validateAndConstructDomain(
         domainId,

server/routers/resource/getUserResources.ts

@@ -142,7 +142,6 @@ export async function getUserResources(
         let siteResourcesData: Array<{
             siteResourceId: number;
             name: string;
-            niceId: string;
             destination: string;
             mode: string;
             protocol: string | null;
@@ -155,7 +154,6 @@ export async function getUserResources(
                 .select({
                     siteResourceId: siteResources.siteResourceId,
                     name: siteResources.name,
-                    niceId: siteResources.niceId,
                     destination: siteResources.destination,
                     mode: siteResources.mode,
                     protocol: siteResources.protocol,

server/routers/resource/index.ts

@@ -22,7 +22,6 @@ export * from "./deleteResourceRule";
 export * from "./listResourceRules";
 export * from "./updateResourceRule";
 export * from "./getUserResources";
-export * from "./listUserResourceAliases";
 export * from "./setResourceHeaderAuth";
 export * from "./addEmailToResourceWhitelist";
 export * from "./removeEmailFromResourceWhitelist";

server/routers/resource/listUserResourceAliases.ts

@@ -1,262 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-import {
-    db,
-    siteResources,
-    userSiteResources,
-    roleSiteResources,
-    userOrgRoles,
-    userOrgs
-} from "@server/db";
-import { and, eq, inArray, asc, isNotNull, ne } from "drizzle-orm";
-import createHttpError from "http-errors";
-import HttpCode from "@server/types/HttpCode";
-import response from "@server/lib/response";
-import logger from "@server/logger";
-import { z } from "zod";
-import { fromZodError } from "zod-validation-error";
-import type { PaginatedResponse } from "@server/types/Pagination";
-import { OpenAPITags, registry } from "@server/openApi";
-import { localCache } from "#dynamic/lib/cache";
-
-const USER_RESOURCE_ALIASES_CACHE_TTL_SEC = 60;
-
-function userResourceAliasesCacheKey(
-    orgId: string,
-    userId: string,
-    page: number,
-    pageSize: number
-) {
-    return `userResourceAliases:${orgId}:${userId}:${page}:${pageSize}`;
-}
-
-const listUserResourceAliasesParamsSchema = z.strictObject({
-    orgId: z.string()
-});
-
-const listUserResourceAliasesQuerySchema = z.object({
-    pageSize: z.coerce
-        .number<string>()
-        .int()
-        .positive()
-        .optional()
-        .catch(20)
-        .default(20)
-        .openapi({
-            type: "integer",
-            default: 20,
-            description: "Number of items per page"
-        }),
-    page: z.coerce
-        .number<string>()
-        .int()
-        .min(0)
-        .optional()
-        .catch(1)
-        .default(1)
-        .openapi({
-            type: "integer",
-            default: 1,
-            description: "Page number to retrieve"
-        })
-});
-
-export type ListUserResourceAliasesResponse = PaginatedResponse<{
-    aliases: string[];
-}>;
-
-// registry.registerPath({
-//     method: "get",
-//     path: "/org/{orgId}/user-resource-aliases",
-//     description:
-//         "List private (host-mode) site resource aliases the authenticated user can access in the organization, paginated.",
-//     tags: [OpenAPITags.PrivateResource],
-//     request: {
-//         params: z.object({
-//             orgId: z.string()
-//         }),
-//         query: listUserResourceAliasesQuerySchema
-//     },
-//     responses: {}
-// });
-
-export async function listUserResourceAliases(
-    req: Request,
-    res: Response,
-    next: NextFunction
-): Promise<any> {
-    try {
-        const parsedQuery = listUserResourceAliasesQuerySchema.safeParse(
-            req.query
-        );
-        if (!parsedQuery.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromZodError(parsedQuery.error)
-                )
-            );
-        }
-        const { page, pageSize } = parsedQuery.data;
-
-        const parsedParams = listUserResourceAliasesParamsSchema.safeParse(
-            req.params
-        );
-        if (!parsedParams.success) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    fromZodError(parsedParams.error)
-                )
-            );
-        }
-
-        const { orgId } = parsedParams.data;
-        const userId = req.user?.userId;
-
-        if (!userId) {
-            return next(
-                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
-            );
-        }
-
-        const [userOrg] = await db
-            .select()
-            .from(userOrgs)
-            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-            .limit(1);
-
-        if (!userOrg) {
-            return next(
-                createHttpError(HttpCode.FORBIDDEN, "User not in organization")
-            );
-        }
-
-        const cacheKey = userResourceAliasesCacheKey(
-            orgId,
-            userId,
-            page,
-            pageSize
-        );
-        const cachedData: ListUserResourceAliasesResponse | undefined =
-            localCache.get(cacheKey);
-
-        if (cachedData) {
-            return response<ListUserResourceAliasesResponse>(res, {
-                data: cachedData,
-                success: true,
-                error: false,
-                message: "User resource aliases retrieved successfully",
-                status: HttpCode.OK
-            });
-        }
-
-        const userRoleIds = await db
-            .select({ roleId: userOrgRoles.roleId })
-            .from(userOrgRoles)
-            .where(
-                and(
-                    eq(userOrgRoles.userId, userId),
-                    eq(userOrgRoles.orgId, orgId)
-                )
-            )
-            .then((rows) => rows.map((r) => r.roleId));
-
-        const directSiteResourcesQuery = db
-            .select({ siteResourceId: userSiteResources.siteResourceId })
-            .from(userSiteResources)
-            .where(eq(userSiteResources.userId, userId));
-
-        const roleSiteResourcesQuery =
-            userRoleIds.length > 0
-                ? db
-                      .select({
-                          siteResourceId: roleSiteResources.siteResourceId
-                      })
-                      .from(roleSiteResources)
-                      .where(inArray(roleSiteResources.roleId, userRoleIds))
-                : Promise.resolve([]);
-
-        const [directSiteResourceResults, roleSiteResourceResults] =
-            await Promise.all([
-                directSiteResourcesQuery,
-                roleSiteResourcesQuery
-            ]);
-
-        const accessibleSiteResourceIds = [
-            ...directSiteResourceResults.map((r) => r.siteResourceId),
-            ...roleSiteResourceResults.map((r) => r.siteResourceId)
-        ];
-
-        if (accessibleSiteResourceIds.length === 0) {
-            const data: ListUserResourceAliasesResponse = {
-                aliases: [],
-                pagination: {
-                    total: 0,
-                    pageSize,
-                    page
-                }
-            };
-            localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
-            return response<ListUserResourceAliasesResponse>(res, {
-                data,
-                success: true,
-                error: false,
-                message: "User resource aliases retrieved successfully",
-                status: HttpCode.OK
-            });
-        }
-
-        const whereClause = and(
-            eq(siteResources.orgId, orgId),
-            eq(siteResources.enabled, true),
-            eq(siteResources.mode, "host"),
-            isNotNull(siteResources.alias),
-            ne(siteResources.alias, ""),
-            inArray(siteResources.siteResourceId, accessibleSiteResourceIds)
-        );
-
-        const baseSelect = () =>
-            db
-                .select({ alias: siteResources.alias })
-                .from(siteResources)
-                .where(whereClause);
-
-        const countQuery = db.$count(baseSelect().as("filtered_aliases"));
-
-        const [rows, totalCount] = await Promise.all([
-            baseSelect()
-                .orderBy(asc(siteResources.alias))
-                .limit(pageSize)
-                .offset(pageSize * (page - 1)),
-            countQuery
-        ]);
-
-        const aliases = rows.map((r) => r.alias as string);
-
-        const data: ListUserResourceAliasesResponse = {
-            aliases,
-            pagination: {
-                total: totalCount,
-                pageSize,
-                page
-            }
-        };
-        localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
-
-        return response<ListUserResourceAliasesResponse>(res, {
-            data,
-            success: true,
-            error: false,
-            message: "User resource aliases retrieved successfully",
-            status: HttpCode.OK
-        });
-    } catch (error) {
-        logger.error(error);
-        return next(
-            createHttpError(
-                HttpCode.INTERNAL_SERVER_ERROR,
-                "Internal server error"
-            )
-        );
-    }
-}

server/routers/resource/updateResource.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, domainNamespaces, loginPage } from "@server/db";
+import { db, loginPage } from "@server/db";
 import {
     domains,
     Org,
@@ -25,7 +25,6 @@ import { validateAndConstructDomain } from "@server/lib/domainUtils";
 import { build } from "@server/build";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
-import { isSubscribed } from "#dynamic/lib/isSubscribed";
 
 const updateResourceParamsSchema = z.strictObject({
     resourceId: z.string().transform(Number).pipe(z.int().positive())
@@ -121,9 +120,7 @@ const updateHttpResourceBodySchema = z
             if (data.headers) {
                 // HTTP header values must be visible ASCII or horizontal whitespace, no control chars (RFC 7230)
                 const validHeaderValue = /^[\t\x20-\x7E]*$/;
-                return data.headers.every((h) =>
+                return data.headers.every((h) => validHeaderValue.test(h.value));
-                    validHeaderValue.test(h.value)
-                );
             }
             return true;
         },
@@ -321,34 +318,6 @@ async function updateHttpResource(
     if (updateData.domainId) {
         const domainId = updateData.domainId;
 
-        if (
-            build == "saas" &&
-            !isSubscribed(resource.orgId, tierMatrix.domainNamespaces)
-        ) {
-            // grandfather in existing users
-            const lastAllowedDate = new Date("2026-04-12");
-            const userCreatedDate = new Date(
-                req.user?.dateCreated || new Date()
-            );
-            if (userCreatedDate > lastAllowedDate) {
-                // check if this domain id is a namespace domain and if so, reject
-                const domain = await db
-                    .select()
-                    .from(domainNamespaces)
-                    .where(eq(domainNamespaces.domainId, domainId))
-                    .limit(1);
-
-                if (domain.length > 0) {
-                    return next(
-                        createHttpError(
-                            HttpCode.BAD_REQUEST,
-                            "Your current subscription does not support custom domain namespaces. Please upgrade to access this feature."
-                        )
-                    );
-                }
-            }
-        }
-
         // Validate domain and construct full domain
         const domainResult = await validateAndConstructDomain(
             domainId,

server/routers/user/inviteUser.ts

@@ -1,14 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import {
+import { orgs, roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
-    orgs,
-    roles,
-    userInviteRoles,
-    userInvites,
-    userOrgs,
-    users
-} from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -44,7 +37,8 @@ const inviteUserBodySchema = z
         regenerate: z.boolean().optional()
     })
     .refine(
-        (d) => (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
         { message: "roleIds or roleId is required", path: ["roleIds"] }
     )
     .transform((data) => ({
@@ -271,7 +265,7 @@ export async function inviteUser(
                     )
                 );
 
-            const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${email}`;
+            const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${encodeURIComponent(email)}`;
 
             if (doEmail) {
                 await sendEmail(
@@ -320,12 +314,12 @@ export async function inviteUser(
                 expiresAt,
                 tokenHash
             });
-            await trx
+            await trx.insert(userInviteRoles).values(
-                .insert(userInviteRoles)
+                uniqueRoleIds.map((roleId) => ({ inviteId, roleId }))
-                .values(uniqueRoleIds.map((roleId) => ({ inviteId, roleId })));
+            );
         });
 
-        const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${email}`;
+        const inviteLink = `${config.getRawConfig().app.dashboard_url}/invite?token=${inviteId}-${token}&email=${encodeURIComponent(email)}`;
 
         if (doEmail) {
             await sendEmail(

server/setup/scriptsPg/1.17.0.ts

@@ -235,9 +235,7 @@ export default async function migration() {
             for (const row of existingUserInviteRoles) {
                 await db.execute(sql`
                     INSERT INTO "userInviteRoles" ("inviteId", "roleId")
-                    SELECT ${row.inviteId}, ${row.roleId}
+                    VALUES (${row.inviteId}, ${row.roleId})
-                    WHERE EXISTS (SELECT 1 FROM "userInvites" WHERE "inviteId" = ${row.inviteId})
-                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }
@@ -260,10 +258,7 @@ export default async function migration() {
             for (const row of existingUserOrgRoles) {
                 await db.execute(sql`
                     INSERT INTO "userOrgRoles" ("userId", "orgId", "roleId")
-                    SELECT ${row.userId}, ${row.orgId}, ${row.roleId}
+                    VALUES (${row.userId}, ${row.orgId}, ${row.roleId})
-                    WHERE EXISTS (SELECT 1 FROM "user" WHERE "id" = ${row.userId})
-                      AND EXISTS (SELECT 1 FROM "orgs" WHERE "orgId" = ${row.orgId})
-                      AND EXISTS (SELECT 1 FROM "roles" WHERE "roleId" = ${row.roleId})
                     ON CONFLICT DO NOTHING
                 `);
             }

server/setup/scriptsSqlite/1.17.0.ts

@@ -145,7 +145,7 @@ export default async function migration() {
             ).run();
 
             db.prepare(
-                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs' WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = userOrgs.userId) AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = userOrgs.orgId);`
+                `INSERT INTO '__new_userOrgs'("userId", "orgId", "isOwner", "autoProvisioned", "pamUsername") SELECT "userId", "orgId", "isOwner", "autoProvisioned", "pamUsername" FROM 'userOrgs';`
             ).run();
             db.prepare(`DROP TABLE 'userOrgs';`).run();
             db.prepare(
@@ -246,15 +246,12 @@ export default async function migration() {
         // Re-insert the preserved invite role assignments into the new userInviteRoles table
         if (existingUserInviteRoles.length > 0) {
             const insertUserInviteRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId")
+                `INSERT OR IGNORE INTO 'userInviteRoles' ("inviteId", "roleId") VALUES (?, ?)`
-                 SELECT ?, ?
-                 WHERE EXISTS (SELECT 1 FROM 'userInvites' WHERE inviteId = ?)
-                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserInviteRoles) {
-                    insertUserInviteRole.run(row.inviteId, row.roleId, row.inviteId, row.roleId);
+                    insertUserInviteRole.run(row.inviteId, row.roleId);
                 }
             });
 
@@ -268,16 +265,12 @@ export default async function migration() {
         // Re-insert the preserved role assignments into the new userOrgRoles table
         if (existingUserOrgRoles.length > 0) {
             const insertUserOrgRole = db.prepare(
-                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId")
+                `INSERT OR IGNORE INTO 'userOrgRoles' ("userId", "orgId", "roleId") VALUES (?, ?, ?)`
-                 SELECT ?, ?, ?
-                 WHERE EXISTS (SELECT 1 FROM 'user' WHERE id = ?)
-                   AND EXISTS (SELECT 1 FROM 'orgs' WHERE orgId = ?)
-                   AND EXISTS (SELECT 1 FROM 'roles' WHERE roleId = ?)`
             );
 
             const insertAll = db.transaction(() => {
                 for (const row of existingUserOrgRoles) {
-                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId, row.userId, row.orgId, row.roleId);
+                    insertUserOrgRole.run(row.userId, row.orgId, row.roleId);
                 }
             });
 

src/app/[orgId]/settings/domains/[domainId]/page.tsx

@@ -10,7 +10,6 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { GetDNSRecordsResponse } from "@server/routers/domain";
 import DNSRecordsTable from "@app/components/DNSRecordTable";
 import DomainCertForm from "@app/components/DomainCertForm";
-import { build } from "@server/build";
 
 interface DomainSettingsPageProps {
     params: Promise<{ domainId: string; orgId: string }>;
@@ -66,14 +65,12 @@ export default async function DomainSettingsPage({
                 )}
             </div>
             <div className="space-y-6">
-                {build != "oss" && env.flags.usePangolinDns ? (
                 <DomainInfoCard
                     failed={domain.failed}
                     verified={domain.verified}
                     type={domain.type}
                     errorMessage={domain.errorMessage}
                 />
-                ) : null}
 
                 <DNSRecordsTable records={dnsRecords} type={domain.type} />
 

src/app/[orgId]/settings/resources/proxy/[niceId]/proxy/page.tsx

@@ -678,7 +678,6 @@ function ProxyResourceTargetsForm({
         getPaginationRowModel: getPaginationRowModel(),
         getSortedRowModel: getSortedRowModel(),
         getFilteredRowModel: getFilteredRowModel(),
-        getRowId: (row) => String(row.targetId),
         state: {
             pagination: {
                 pageIndex: 0,

src/app/[orgId]/settings/resources/proxy/create/page.tsx

@@ -999,7 +999,6 @@ export default function Page() {
         getPaginationRowModel: getPaginationRowModel(),
         getSortedRowModel: getSortedRowModel(),
         getFilteredRowModel: getFilteredRowModel(),
-        getRowId: (row) => String(row.targetId),
         state: {
             pagination: {
                 pageIndex: 0,

src/components/CreateDomainForm.tsx

@@ -154,7 +154,7 @@ export default function CreateDomainForm({
 
     const punycodePreview = useMemo(() => {
         if (!baseDomain) return "";
-        const punycode = toPunycode(baseDomain.toLowerCase());
+        const punycode = toPunycode(baseDomain);
         return punycode !== baseDomain.toLowerCase() ? punycode : "";
     }, [baseDomain]);
 
@@ -239,7 +239,6 @@ export default function CreateDomainForm({
                             className="space-y-4"
                             id="create-domain-form"
                         >
-                            {build != "oss" && env.flags.usePangolinDns ? (
                             <FormField
                                 control={form.control}
                                 name="type"
@@ -255,8 +254,6 @@ export default function CreateDomainForm({
                                     </FormItem>
                                 )}
                             />
-                            ) : null}
-
                             <FormField
                                 control={form.control}
                                 name="baseDomain"

src/components/DeviceLoginForm.tsx

@@ -319,7 +319,6 @@ export default function DeviceLoginForm({
                                         <div className="flex justify-center">
                                             <InputOTP
                                                 maxLength={9}
-                                                pattern={REGEXP_ONLY_DIGITS_AND_CHARS}
                                                 {...field}
                                                 value={field.value
                                                     .replace(/-/g, "")

src/components/DomainPicker.tsx

@@ -2,7 +2,6 @@
 
 import { Alert, AlertDescription } from "@/components/ui/alert";
 import { Button } from "@/components/ui/button";
-import { Card, CardContent } from "@/components/ui/card";
 import {
     Command,
     CommandEmpty,
@@ -41,12 +40,9 @@ import {
     Check,
     CheckCircle2,
     ChevronsUpDown,
-    KeyRound,
     Zap
 } from "lucide-react";
 import { useTranslations } from "next-intl";
-import { usePaidStatus } from "@/hooks/usePaidStatus";
-import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { toUnicode } from "punycode";
 import { useCallback, useEffect, useMemo, useState } from "react";
 
@@ -99,7 +95,6 @@ export default function DomainPicker({
     const { env } = useEnvContext();
     const api = createApiClient({ env });
     const t = useTranslations();
-    const { hasSaasSubscription } = usePaidStatus();
 
     const { data = [], isLoading: loadingDomains } = useQuery(
         orgQueries.domains({ orgId })
@@ -514,9 +509,7 @@ export default function DomainPicker({
                                         <span className="truncate">
                                             {selectedBaseDomain.domain}
                                         </span>
-                                        {selectedBaseDomain.verified &&
+                                        {selectedBaseDomain.verified && (
-                                            selectedBaseDomain.domainType !==
-                                                "wildcard" && (
                                             <CheckCircle2 className="h-3 w-3 text-green-500 shrink-0" />
                                         )}
                                     </div>
@@ -581,13 +574,6 @@ export default function DomainPicker({
                                                                     }
                                                                 </span>
                                                                 <span className="text-xs text-muted-foreground">
-                                                                    {orgDomain.type ===
-                                                                    "wildcard"
-                                                                        ? t(
-                                                                              "domainPickerManual"
-                                                                          )
-                                                                        : (
-                                                                              <>
                                                                     {orgDomain.type.toUpperCase()}{" "}
                                                                     •{" "}
                                                                     {orgDomain.verified
@@ -597,8 +583,6 @@ export default function DomainPicker({
                                                                         : t(
                                                                               "domainPickerUnverified"
                                                                           )}
-                                                                              </>
-                                                                          )}
                                                                 </span>
                                                             </div>
                                                             <Check
@@ -696,23 +680,6 @@ export default function DomainPicker({
                 </div>
             </div>
 
-            {build === "saas" &&
-                !hasSaasSubscription(
-                    tierMatrix[TierFeature.DomainNamespaces]
-                ) &&
-                !hideFreeDomain && (
-                    <Card className="mt-3 border-black-500/30 bg-linear-to-br from-black-500/10 via-background to-background overflow-hidden">
-                        <CardContent className="py-3 px-4">
-                            <div className="flex items-center gap-2.5 text-sm text-muted-foreground">
-                                <KeyRound className="size-4 shrink-0 text-black-500" />
-                                <span>
-                                    {t("domainPickerFreeDomainsPaidFeature")}
-                                </span>
-                            </div>
-                        </CardContent>
-                    </Card>
-                )}
-
             {/*showProvidedDomainSearch && build === "saas" && (
                 <Alert>
                     <AlertCircle className="h-4 w-4" />

src/components/InviteStatusCard.tsx

@@ -39,11 +39,7 @@ export default function InviteStatusCard({
     const [loading, setLoading] = useState(true);
     const [error, setError] = useState("");
     const [type, setType] = useState<
-        | "rejected"
+        "rejected" | "wrong_user" | "user_does_not_exist" | "not_logged_in" | "user_limit_exceeded"
-        | "wrong_user"
-        | "user_does_not_exist"
-        | "not_logged_in"
-        | "user_limit_exceeded"
     >("rejected");
 
     useEffect(() => {
@@ -94,12 +90,12 @@ export default function InviteStatusCard({
 
             if (!user && type === "user_does_not_exist") {
                 const redirectUrl = email
-                    ? `/auth/signup?redirect=/invite?token=${tokenParam}&email=${email}`
+                    ? `/auth/signup?redirect=/invite?token=${tokenParam}&email=${encodeURIComponent(email)}`
                     : `/auth/signup?redirect=/invite?token=${tokenParam}`;
                 router.push(redirectUrl);
             } else if (!user && type === "not_logged_in") {
                 const redirectUrl = email
-                    ? `/auth/login?redirect=/invite?token=${tokenParam}&email=${email}`
+                    ? `/auth/login?redirect=/invite?token=${tokenParam}&email=${encodeURIComponent(email)}`
                     : `/auth/login?redirect=/invite?token=${tokenParam}`;
                 router.push(redirectUrl);
             } else {
@@ -113,7 +109,7 @@ export default function InviteStatusCard({
     async function goToLogin() {
         await api.post("/auth/logout", {});
         const redirectUrl = email
-            ? `/auth/login?redirect=/invite?token=${tokenParam}&email=${email}`
+            ? `/auth/login?redirect=/invite?token=${tokenParam}&email=${encodeURIComponent(email)}`
             : `/auth/login?redirect=/invite?token=${tokenParam}`;
         router.push(redirectUrl);
     }
@@ -121,7 +117,7 @@ export default function InviteStatusCard({
     async function goToSignup() {
         await api.post("/auth/logout", {});
         const redirectUrl = email
-            ? `/auth/signup?redirect=/invite?token=${tokenParam}&email=${email}`
+            ? `/auth/signup?redirect=/invite?token=${tokenParam}&email=${encodeURIComponent(email)}`
             : `/auth/signup?redirect=/invite?token=${tokenParam}`;
         router.push(redirectUrl);
     }
@@ -161,9 +157,7 @@ export default function InviteStatusCard({
                         Cannot Accept Invite
                     </p>
                     <p className="text-center text-sm">
-                        This organization has reached its user limit. Please
+                        This organization has reached its user limit. Please contact the organization administrator to upgrade their plan before accepting this invite.
-                        contact the organization administrator to upgrade their
-                        plan before accepting this invite.
                     </p>
                 </div>
             );

src/components/PendingSitesTable.tsx

@@ -333,8 +333,7 @@ export default function PendingSitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune",
+                        "neptune"
-                        "pluto"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {

src/components/SitesTable.tsx

@@ -342,8 +342,7 @@ export default function SitesTable({
                         "jupiter",
                         "saturn",
                         "uranus",
-                        "neptune",
+                        "neptune"
-                        "pluto"
                     ].includes(originalRow.exitNodeName.toLowerCase());
 
                 if (isCloudNode) {

src/components/WorldMap.tsx

@@ -164,7 +164,7 @@ const countryClass = cn(
 
 const highlightedCountryClass = cn(
     sharedCountryClass,
-    "stroke-[3]",
+    "stroke-2",
     "fill-[#f4f4f5]",
     "stroke-[#f36117]",
     "dark:fill-[#3f3f46]"
@@ -194,20 +194,11 @@ function drawInteractiveCountries(
     const path = setupProjetionPath();
     const data = parseWorldTopoJsonToGeoJsonFeatures();
     const svg = d3.select(element);
-    const countriesLayer = svg.append("g");
-    const hoverLayer = svg.append("g").style("pointer-events", "none");
-    const hoverPath = hoverLayer
-        .append("path")
-        .datum(null)
-        .attr("class", highlightedCountryClass)
-        .style("display", "none");
 
-    countriesLayer
+    svg.selectAll("path")
-        .selectAll("path")
         .data(data)
         .enter()
         .append("path")
-        .attr("data-country-path", "true")
         .attr("class", countryClass)
         .attr("d", path as never)
 
@@ -218,10 +209,9 @@ function drawInteractiveCountries(
                 y,
                 hoveredCountryAlpha3Code: country.properties.a3
             });
-            hoverPath
+            // brings country to front
-                .datum(country)
+            this.parentNode?.appendChild(this);
-                .attr("d", path(country) as string)
+            d3.select(this).attr("class", highlightedCountryClass);
-                .style("display", null);
         })
 
         .on("mousemove", function (event) {
@@ -231,7 +221,7 @@ function drawInteractiveCountries(
 
         .on("mouseout", function () {
             setTooltip({ x: 0, y: 0, hoveredCountryAlpha3Code: null });
-            hoverPath.style("display", "none");
+            d3.select(this).attr("class", countryClass);
         });
 
     return svg;
@@ -267,7 +257,7 @@ function colorInCountriesWithValues(
     const svg = d3.select(element);
 
     return svg
-        .selectAll('path[data-country-path="true"]')
+        .selectAll("path")
         .style("fill", (countryPath) => {
             const country = getCountryByCountryPath(countryPath);
             if (!country?.count) {