Bump react-day-picker from 9.14.0 to 10.0.1

Bumps [react-day-picker](https://github.com/gpbl/react-day-picker/tree/HEAD/packages/react-day-picker) from 9.14.0 to 10.0.1.
- [Release notes](https://github.com/gpbl/react-day-picker/releases)
- [Changelog](https://github.com/gpbl/react-day-picker/blob/main/packages/react-day-picker/CHANGELOG.md)
- [Commits](https://github.com/gpbl/react-day-picker/commits/v10.0.1/packages/react-day-picker)

---
updated-dependencies:
- dependency-name: react-day-picker
  dependency-version: 10.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/cicd.yml

@@ -77,7 +77,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -407,7 +407,7 @@ jobs:
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+              uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
               with:
                 registry: ghcr.io
                 username: ${{ github.actor }}

.github/workflows/linting.yml

@@ -24,7 +24,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Set up Node.js
-              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
               with:
                 node-version: '24'
 

.github/workflows/mirror.yaml

@@ -23,7 +23,7 @@ jobs:
           skopeo --version
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Input check
         run: |

.github/workflows/stale-bot.yml

@@ -14,7 +14,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
         with:
           days-before-stale: 14
           days-before-close: 14

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '24'
 

drizzle.sqlite.config.ts

@@ -1,4 +1,4 @@
-import { APP_PATH } from "@server/lib/consts";
+import { APP_PATH } from "./server/lib/consts";
 import { defineConfig } from "drizzle-kit";
 import path from "path";
 

install/config/config.yml

@@ -22,7 +22,8 @@ server:
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
         allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
-    {{if .EnableGeoblocking}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_db_path: "./config/GeoLite2-Country.mmdb"{{end}}
+    {{if .EnableMaxMind}}maxmind_asn_path: "./config/GeoLite2-ASN.mmdb"{{end}}
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"

install/go.mod

@@ -5,7 +5,7 @@ go 1.25.0
 require (
 	github.com/charmbracelet/huh v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.0
-	golang.org/x/term v0.42.0
+	golang.org/x/term v0.43.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -33,6 +33,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 )

install/go.sum

@@ -69,10 +69,10 @@ golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

install/main.go

@@ -54,7 +54,7 @@ type Config struct {
 	InstallGerbil             bool
 	TraefikBouncerKey         string
 	DoCrowdsecInstall         bool
-	EnableGeoblocking         bool
+	EnableMaxMind             bool
 	Secret                    string
 	IsEnterprise              bool
 }
@@ -123,11 +123,11 @@ func main() {
 
 		fmt.Println("\nConfiguration files created successfully!")
 
-		// Download MaxMind database if requested
-		if config.EnableGeoblocking {
-			fmt.Println("\n=== Downloading MaxMind Database ===")
+		// Download MaxMind Country / ASN database if requested
+		if config.EnableMaxMind {
+			fmt.Println("\n=== Downloading MaxMind Country and ASN Databases ===")
 			if err := downloadMaxMindDatabase(); err != nil {
-				fmt.Printf("Error downloading MaxMind database: %v\n", err)
+				fmt.Printf("Error downloading MaxMind databases: %v\n", err)
 				fmt.Println("You can download it manually later if needed.")
 			}
 		}
@@ -188,15 +188,15 @@ func main() {
 		fmt.Println("\n=== MaxMind Database Update ===")
 		if _, err := os.Stat("config/GeoLite2-Country.mmdb"); err == nil {
 			fmt.Println("MaxMind GeoLite2 Country database found.")
-			if readBool("Would you like to update the MaxMind database to the latest version?", false) {
+			if readBool("Would you like to update the MaxMind databases (Country and ASN) to the latest version?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error updating MaxMind database: %v\n", err)
 					fmt.Println("You can try updating it manually later if needed.")
 				}
 			}
 		} else {
-			fmt.Println("MaxMind GeoLite2 Country database not found.")
-			if readBool("Would you like to download the MaxMind GeoLite2 database for geoblocking functionality?", false) {
+			fmt.Println("MaxMind GeoLite2 Country and ASN databases not found.")
+			if readBool("Would you like to download the MaxMind GeoLite2 databases for blocking functionality?", false) {
 				if err := downloadMaxMindDatabase(); err != nil {
 					fmt.Printf("Error downloading MaxMind database: %v\n", err)
 					fmt.Println("You can try downloading it manually later if needed.")
@@ -204,8 +204,10 @@ func main() {
 				// Now you need to update your config file accordingly to enable geoblocking
 				fmt.Print("Please remember to update your config/config.yml file to enable geoblocking! \n\n")
 				// add   maxmind_db_path: "./config/GeoLite2-Country.mmdb" under server
-				fmt.Println("Add the following line under the 'server' section:")
+				// add   maxmind_asn_path: "./config/GeoLite2-ASN.mmdb" under server
+				fmt.Println("Add the following lines under the 'server' section:")
 				fmt.Println("  maxmind_db_path: \"./config/GeoLite2-Country.mmdb\"")
+				fmt.Println("  maxmind_asn_path: \"./config/GeoLite2-ASN.mmdb\"")
 			}
 		}
 	}
@@ -527,7 +529,7 @@ func collectUserInput() Config {
 	fmt.Println("\n=== Advanced Configuration ===")
 
 	config.EnableIPv6 = readBool("Is your server IPv6 capable?", true)
-	config.EnableGeoblocking = readBool("Do you want to download the MaxMind GeoLite2 database for geoblocking functionality?", true)
+	config.EnableMaxMind = readBool("Do you want to download the MaxMind GeoLite2 Country and ADN databases for blocking functionality?", true)
 
 	if config.DashboardDomain == "" {
 		fmt.Println("Error: Dashboard Domain name is required")
@@ -780,29 +782,42 @@ func checkPortsAvailable(port int) error {
 }
 
 func downloadMaxMindDatabase() error {
-	fmt.Println("Downloading MaxMind GeoLite2 Country database...")
+	fmt.Println("Downloading MaxMind GeoLite2 Country and ASN databases...")
 
-	// Download the GeoLite2 Country database
+	// Download the GeoLite2 Country databases
 	if err := run("curl", "-L", "-o", "GeoLite2-Country.tar.gz",
 		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to download GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to download GeoLite2 Country database: %v", err)
+	}
+	if err := run("curl", "-L", "-o", "GeoLite2-ASN.tar.gz",
+		"https://github.com/GitSquared/node-geolite2-redist/raw/refs/heads/master/redist/GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to download GeoLite2 ASN database: %v", err)
 	}
 
-	// Extract the database
+	// Extract the Country database
 	if err := run("tar", "-xzf", "GeoLite2-Country.tar.gz"); err != nil {
-		return fmt.Errorf("failed to extract GeoLite2 database: %v", err)
+		return fmt.Errorf("failed to extract GeoLite2 Country database: %v", err)
+	}
+	if err := run("tar", "-xzf", "GeoLite2-ASN.tar.gz"); err != nil {
+		return fmt.Errorf("failed to extract GeoLite2 ASN database: %v", err)
 	}
 
 	// Find the .mmdb file and move it to the config directory
 	if err := run("bash", "-c", "mv GeoLite2-Country_*/GeoLite2-Country.mmdb config/"); err != nil {
-		return fmt.Errorf("failed to move GeoLite2 database to config directory: %v", err)
+		return fmt.Errorf("failed to move GeoLite2 Country database to config directory: %v", err)
+	}
+	if err := run("bash", "-c", "mv GeoLite2-ASN_*/GeoLite2-ASN.mmdb config/"); err != nil {
+		return fmt.Errorf("failed to move GeoLite2 ASN database to config directory: %v", err)
 	}
 
 	// Clean up the downloaded files
-	if err := run("rm", "-rf", "GeoLite2-Country.tar.gz", "GeoLite2-Country_*"); err != nil {
-		fmt.Printf("Warning: failed to clean up temporary files: %v\n", err)
+	if err := run("sh", "-c", "rm -rf GeoLite2-Country.tar.gz GeoLite2-Country_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary country files: %v\n", err)
+	}
+	if err := run("sh", "-c", "rm -rf GeoLite2-ASN.tar.gz GeoLite2-ASN_*"); err != nil {
+		fmt.Printf("Warning: failed to clean up temporary ASN files: %v\n", err)
 	}
 
-	fmt.Println("MaxMind GeoLite2 Country database downloaded successfully!")
+	fmt.Println("MaxMind GeoLite2 Country and ASN database downloaded successfully!")
 	return nil
 }

next.config.ts

@@ -5,12 +5,7 @@ const withNextIntl = createNextIntlPlugin();
 
 const nextConfig: NextConfig = {
     reactStrictMode: false,
-    eslint: {
-        ignoreDuringBuilds: true
-    },
-    experimental: {
-        reactCompiler: true
-    },
+    reactCompiler: true,
     output: "standalone"
 };
 

package.json

@@ -32,11 +32,11 @@
         "format": "prettier --write ."
     },
     "dependencies": {
-        "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1011.0",
-        "@faker-js/faker": "10.3.0",
-        "@headlessui/react": "2.2.9",
-        "@hookform/resolvers": "5.2.2",
+        "@asteasolutions/zod-to-openapi": "8.5.0",
+        "@aws-sdk/client-s3": "3.1056.0",
+        "@faker-js/faker": "10.4.0",
+        "@headlessui/react": "2.2.10",
+        "@hookform/resolvers": "5.4.0",
         "@monaco-editor/react": "4.7.0",
         "@node-rs/argon2": "2.0.2",
         "@oslojs/crypto": "1.0.1",
@@ -59,16 +59,17 @@
         "@radix-ui/react-tabs": "1.1.13",
         "@radix-ui/react-toast": "1.2.15",
         "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.8",
-        "@react-email/render": "2.0.4",
-        "@react-email/tailwind": "2.0.5",
+        "@react-email/body": "0.3.0",
+        "@react-email/components": "1.0.12",
+        "@react-email/render": "2.0.8",
+        "@react-email/tailwind": "2.0.7",
         "@simplewebauthn/browser": "13.3.0",
-        "@simplewebauthn/server": "13.3.0",
+        "@simplewebauthn/server": "13.3.1",
         "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.21",
+        "@tanstack/react-query": "5.100.14",
         "@tanstack/react-table": "8.21.3",
         "arctic": "3.7.0",
-        "axios": "1.15.0",
+        "axios": "1.16.1",
         "better-sqlite3": "11.9.1",
         "canvas-confetti": "1.9.4",
         "class-variance-authority": "0.7.1",
@@ -80,77 +81,76 @@
         "d3": "7.9.0",
         "drizzle-orm": "0.45.2",
         "express": "5.2.1",
-        "express-rate-limit": "8.3.0",
+        "express-rate-limit": "8.5.2",
         "glob": "13.0.6",
-        "helmet": "8.1.0",
+        "helmet": "8.2.0",
         "http-errors": "2.0.1",
         "input-otp": "1.4.2",
-        "ioredis": "5.10.0",
+        "ioredis": "5.11.0",
         "jmespath": "0.16.0",
         "js-yaml": "4.1.1",
         "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
-        "maxmind": "5.0.5",
+        "lucide-react": "1.17.0",
+        "maxmind": "5.0.6",
         "moment": "2.30.1",
-        "next": "15.5.15",
-        "next-intl": "4.8.3",
+        "next": "16.2.6",
+        "next-intl": "4.13.0",
         "next-themes": "0.4.6",
         "nextjs-toploader": "3.9.17",
         "node-cache": "5.1.2",
-        "nodemailer": "8.0.5",
+        "nodemailer": "8.0.9",
         "oslo": "1.2.1",
-        "pg": "8.20.0",
-        "posthog-node": "5.28.0",
+        "pg": "8.21.0",
+        "posthog-node": "5.35.6",
         "qrcode.react": "4.2.0",
-        "react": "19.2.4",
-        "react-day-picker": "9.14.0",
-        "react-dom": "19.2.4",
+        "react": "19.2.6",
+        "react-day-picker": "10.0.1",
+        "react-dom": "19.2.6",
         "react-easy-sort": "1.8.0",
-        "react-hook-form": "7.71.2",
+        "react-hook-form": "7.76.1",
         "react-icons": "5.6.0",
-        "recharts": "2.15.4",
+        "recharts": "3.8.1",
         "reodotdev": "1.1.0",
-        "resend": "6.9.2",
-        "semver": "7.7.4",
+        "semver": "7.8.1",
         "sshpk": "1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "22.2.0",
         "swagger-ui-express": "5.0.1",
-        "tailwind-merge": "3.5.0",
+        "tailwind-merge": "3.6.0",
         "topojson-client": "3.1.0",
         "tw-animate-css": "1.4.0",
-        "use-debounce": "10.1.0",
-        "uuid": "13.0.0",
+        "use-debounce": "10.1.1",
+        "uuid": "14.0.0",
         "vaul": "1.1.2",
         "visionscarto-world-atlas": "1.0.0",
         "winston": "3.19.0",
         "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.19.0",
-        "yaml": "2.8.3",
+        "ws": "8.21.0",
+        "yaml": "2.9.0",
         "yargs": "18.0.0",
-        "zod": "4.3.6",
+        "zod": "4.4.3",
         "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.54.1",
+        "@dotenvx/dotenvx": "1.69.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
-        "@react-email/preview-server": "5.2.10",
-        "@tailwindcss/postcss": "4.2.2",
-        "@tanstack/react-query-devtools": "5.91.3",
+        "@react-email/ui": "^6.5.0",
+        "@tailwindcss/postcss": "4.3.0",
+        "@tanstack/react-query-devtools": "5.100.14",
         "@types/better-sqlite3": "7.6.13",
         "@types/cookie-parser": "1.4.10",
         "@types/cors": "2.8.19",
         "@types/crypto-js": "4.2.2",
         "@types/d3": "7.4.3",
         "@types/express": "5.0.6",
-        "@types/express-session": "1.18.2",
+        "@types/express-session": "1.19.0",
         "@types/jmespath": "0.15.2",
         "@types/js-yaml": "4.0.9",
         "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.3.5",
-        "@types/nodemailer": "7.0.11",
+        "@types/node": "25.9.1",
+        "@types/nodemailer": "8.0.0",
         "@types/nprogress": "0.2.3",
-        "@types/pg": "8.18.0",
-        "@types/react": "19.2.14",
+        "@types/pg": "8.20.0",
+        "@types/react": "19.2.15",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
         "@types/sshpk": "1.17.4",
@@ -160,21 +160,22 @@
         "@types/yargs": "17.0.35",
         "babel-plugin-react-compiler": "1.0.0",
         "drizzle-kit": "0.31.10",
-        "esbuild": "0.27.4",
-        "esbuild-node-externals": "1.20.1",
-        "eslint": "10.0.3",
-        "eslint-config-next": "16.1.7",
-        "postcss": "8.5.8",
-        "prettier": "3.8.1",
-        "react-email": "5.2.10",
-        "tailwindcss": "4.2.2",
-        "tsc-alias": "1.8.16",
-        "tsx": "4.21.0",
-        "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1"
+        "esbuild": "0.28.0",
+        "esbuild-node-externals": "1.22.0",
+        "eslint": "10.4.0",
+        "eslint-config-next": "16.2.6",
+        "postcss": "8.5.15",
+        "prettier": "3.8.3",
+        "react-email": "6.5.0",
+        "tailwindcss": "4.3.0",
+        "tsc-alias": "1.8.17",
+        "tsx": "4.22.3",
+        "typescript": "6.0.3",
+        "typescript-eslint": "8.60.0"
     },
     "overrides": {
-        "esbuild": "0.27.4",
-        "dompurify": "3.3.2"
+        "esbuild": "0.28.0",
+        "dompurify": "3.4.0",
+        "postcss": "8.5.15"
     }
 }

server/index.ts

@@ -1,5 +1,5 @@
 #! /usr/bin/env node
-import "./extendZod.ts";
+import "./extendZod";
 
 import { runSetupFunctions } from "./setup";
 import { createApiServer } from "./apiServer";

server/lib/blueprints/clientResources.ts

@@ -3,6 +3,7 @@ import {
     clientSiteResources,
     domains,
     orgDomains,
+    roleActions,
     roles,
     roleSiteResources,
     Site,
@@ -19,6 +20,7 @@ import { sites } from "@server/db";
 import { eq, and, ne, inArray, or, isNotNull } from "drizzle-orm";
 import { Config } from "./types";
 import logger from "@server/logger";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 import { getNextAvailableAliasAddress } from "../ip";
 import { createCertificate } from "#dynamic/routers/certificates/createCertificate";
 
@@ -332,8 +334,7 @@ export async function updateClientResources(
             }
 
             if (resourceData.roles.length > 0) {
-                // Re-add specified roles but we need to get the roleIds from the role name in the array
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                     .select()
                     .from(roles)
                     .where(
@@ -343,7 +344,28 @@ export async function updateClientResources(
                         )
                     );
 
-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);
 
                 await trx
                     .insert(roleSiteResources)
@@ -444,8 +466,7 @@ export async function updateClientResources(
             });
 
             if (resourceData.roles.length > 0) {
-                // get roleIds from role names
-                const rolesToUpdate = await trx
+                const existingRoles = await trx
                     .select()
                     .from(roles)
                     .where(
@@ -455,7 +476,28 @@ export async function updateClientResources(
                         )
                     );
 
-                const roleIds = rolesToUpdate.map((role) => role.roleId);
+                const foundNames = new Set(existingRoles.map((r) => r.name));
+                const missingNames = resourceData.roles.filter(
+                    (n) => !foundNames.has(n)
+                );
+
+                for (const name of missingNames) {
+                    const [created] = await trx
+                        .insert(roles)
+                        .values({ name, orgId })
+                        .returning();
+                    await trx.insert(roleActions).values(
+                        defaultRoleAllowedActions.map((action) => ({
+                            roleId: created.roleId,
+                            actionId: action,
+                            orgId
+                        }))
+                    );
+                    existingRoles.push(created);
+                    logger.info(`Auto-created role "${name}" in org ${orgId} from blueprint`);
+                }
+
+                const roleIds = existingRoles.map((role) => role.roleId);
 
                 await trx
                     .insert(roleSiteResources)

server/lib/blueprints/proxyResources.ts

@@ -8,6 +8,7 @@ import {
     resourcePincode,
     resourceRules,
     resourceWhitelist,
+    roleActions,
     roleResources,
     roles,
     Target,
@@ -36,6 +37,7 @@ import { isValidRegionId } from "@server/db/regions";
 import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";
 import { fireHealthCheckUnknownAlert } from "@server/lib/alerts";
 import { tierMatrix } from "../billing/tierMatrix";
+import { defaultRoleAllowedActions } from "@server/routers/role/createRole";
 
 export type ProxyResourcesResults = {
     proxyResource: Resource;
@@ -925,14 +927,26 @@ async function syncRoleResources(
         .where(eq(roleResources.resourceId, resourceId));
 
     for (const roleName of ssoRoles) {
-        const [role] = await trx
+        let [role] = await trx
             .select()
             .from(roles)
             .where(and(eq(roles.name, roleName), eq(roles.orgId, orgId)))
             .limit(1);
 
         if (!role) {
-            throw new Error(`Role not found: ${roleName} in org ${orgId}`);
+            const [created] = await trx
+                .insert(roles)
+                .values({ name: roleName, orgId })
+                .returning();
+            await trx.insert(roleActions).values(
+                defaultRoleAllowedActions.map((action) => ({
+                    roleId: created.roleId,
+                    actionId: action,
+                    orgId
+                }))
+            );
+            role = created;
+            logger.info(`Auto-created role "${roleName}" in org ${orgId} from blueprint`);
         }
 
         if (role.isAdmin) {

server/lib/requestParams.ts

@@ -0,0 +1,11 @@
+export function getFirstString(value: unknown): string | undefined {
+    if (typeof value === "string") {
+        return value;
+    }
+
+    if (Array.isArray(value) && typeof value[0] === "string") {
+        return value[0];
+    }
+
+    return undefined;
+}

server/middlewares/integration/verifyAccessTokenAccess.ts

@@ -4,6 +4,7 @@ import { resourceAccessToken, resources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyAccessTokenAccess(
     req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyAccessTokenAccess(
 ) {
     try {
         const apiKey = req.apiKey;
-        const accessTokenId = req.params.accessTokenId;
+        const accessTokenId = getFirstString(req.params.accessTokenId);
 
         if (!apiKey) {
             return next(
@@ -20,6 +21,12 @@ export async function verifyApiKeyAccessTokenAccess(
             );
         }
 
+        if (!accessTokenId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+            );
+        }
+
         const [accessToken] = await db
             .select()
             .from(resourceAccessToken)

server/middlewares/integration/verifyApiKeyApiKeyAccess.ts

@@ -4,6 +4,7 @@ import { apiKeys, apiKeyOrg } from "@server/db";
 import { and, eq, or } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyApiKeyAccess(
     req: Request,
@@ -14,8 +15,10 @@ export async function verifyApiKeyApiKeyAccess(
         const { apiKey: callerApiKey } = req;
 
         const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.apiKeyId) ||
+            getFirstString(req.body.apiKeyId) ||
+            getFirstString(req.query.apiKeyId);
+        const orgId = getFirstString(req.params.orgId);
 
         if (!callerApiKey) {
             return next(

server/middlewares/integration/verifyApiKeyDomainAccess.ts

@@ -3,6 +3,7 @@ import { db, domains, orgDomains, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyDomainAccess(
     req: Request,
@@ -12,8 +13,10 @@ export async function verifyApiKeyDomainAccess(
     try {
         const apiKey = req.apiKey;
         const domainId =
-            req.params.domainId || req.body.domainId || req.query.domainId;
-        const orgId = req.params.orgId;
+            getFirstString(req.params.domainId) ||
+            getFirstString(req.body.domainId) ||
+            getFirstString(req.query.domainId);
+        const orgId = getFirstString(req.params.orgId);
 
         if (!apiKey) {
             return next(
@@ -27,6 +30,12 @@ export async function verifyApiKeyDomainAccess(
             );
         }
 
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
         if (apiKey.isRoot) {
             // Root keys can access any domain in any org
             return next();

server/middlewares/integration/verifyApiKeyIdpAccess.ts

@@ -4,6 +4,7 @@ import { idp, idpOrg, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyIdpAccess(
     req: Request,
@@ -12,8 +13,12 @@ export async function verifyApiKeyIdpAccess(
 ) {
     try {
         const apiKey = req.apiKey;
-        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
-        const orgId = req.params.orgId;
+        const idpIdRaw =
+            getFirstString(req.params.idpId) ||
+            getFirstString(req.body.idpId) ||
+            getFirstString(req.query.idpId);
+        const idpId = Number.parseInt(idpIdRaw ?? "", 10);
+        const orgId = getFirstString(req.params.orgId);
 
         if (!apiKey) {
             return next(
@@ -27,7 +32,7 @@ export async function verifyApiKeyIdpAccess(
             );
         }
 
-        if (!idpId) {
+        if (Number.isNaN(idpId)) {
             return next(
                 createHttpError(HttpCode.BAD_REQUEST, "Invalid IDP ID")
             );

server/middlewares/integration/verifyApiKeyOrgAccess.ts

@@ -4,6 +4,7 @@ import { apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyOrgAccess(
     req: Request,
@@ -12,7 +13,7 @@ export async function verifyApiKeyOrgAccess(
 ) {
     try {
         const apiKeyId = req.apiKey?.apiKeyId;
-        const orgId = req.params.orgId;
+        const orgId = getFirstString(req.params.orgId);
 
         if (!apiKeyId) {
             return next(
@@ -45,7 +46,7 @@ export async function verifyApiKeyOrgAccess(
         }
 
         if (!req.apiKeyOrg) {
-            next(
+            return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
                     "Key does not have access to this organization"

server/middlewares/integration/verifyApiKeySiteResourceAccess.ts

@@ -4,6 +4,7 @@ import { siteResources, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeySiteResourceAccess(
     req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeySiteResourceAccess(
 ) {
     try {
         const apiKey = req.apiKey;
-        const siteResourceId = parseInt(req.params.siteResourceId);
+        const siteResourceIdRaw = getFirstString(req.params.siteResourceId);
+        const siteResourceId = Number.parseInt(siteResourceIdRaw ?? "", 10);
 
         if (!apiKey) {
             return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeySiteResourceAccess(
             );
         }
 
-        if (!siteResourceId) {
+        if (Number.isNaN(siteResourceId)) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,

server/middlewares/integration/verifyApiKeyTargetAccess.ts

@@ -4,6 +4,7 @@ import { resources, targets, apiKeyOrg } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyTargetAccess(
     req: Request,
@@ -12,7 +13,8 @@ export async function verifyApiKeyTargetAccess(
 ) {
     try {
         const apiKey = req.apiKey;
-        const targetId = parseInt(req.params.targetId);
+        const targetIdRaw = getFirstString(req.params.targetId);
+        const targetId = Number.parseInt(targetIdRaw ?? "", 10);
 
         if (!apiKey) {
             return next(
@@ -20,7 +22,7 @@ export async function verifyApiKeyTargetAccess(
             );
         }
 
-        if (isNaN(targetId)) {
+        if (Number.isNaN(targetId)) {
             return next(
                 createHttpError(HttpCode.BAD_REQUEST, "Invalid target ID")
             );

server/middlewares/verifyAccessTokenAccess.ts

@@ -7,6 +7,7 @@ import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "@server/auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyAccessTokenAccess(
     req: Request,
@@ -14,7 +15,7 @@ export async function verifyAccessTokenAccess(
     next: NextFunction
 ) {
     const userId = req.user!.userId;
-    const accessTokenId = req.params.accessTokenId;
+    const accessTokenId = getFirstString(req.params.accessTokenId);
 
     if (!userId) {
         return next(
@@ -22,6 +23,12 @@ export async function verifyAccessTokenAccess(
         );
     }
 
+    if (!accessTokenId) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Invalid access token ID")
+        );
+    }
+
     const [accessToken] = await db
         .select()
         .from(resourceAccessToken)
@@ -87,7 +94,7 @@ export async function verifyAccessTokenAccess(
         }
 
         if (!req.userOrg) {
-            next(
+            return next(
                 createHttpError(
                     HttpCode.FORBIDDEN,
                     "User does not have access to this organization"

server/middlewares/verifyApiKeyAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyApiKeyAccess(
     req: Request,
@@ -14,9 +15,24 @@ export async function verifyApiKeyAccess(
 ) {
     try {
         const userId = req.user!.userId;
-        const apiKeyId =
-            req.params.apiKeyId || req.body.apiKeyId || req.query.apiKeyId;
-        const orgId = req.params.orgId;
+        const apiKeyIdFromParams = getFirstString(req.params?.apiKeyId);
+        const apiKeyIdFromBody = getFirstString(req.body?.apiKeyId);
+
+        if (
+            apiKeyIdFromParams &&
+            apiKeyIdFromBody &&
+            apiKeyIdFromParams !== apiKeyIdFromBody
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "API key ID provided in both URL and body with different values"
+                )
+            );
+        }
+
+        const apiKeyId = apiKeyIdFromParams || apiKeyIdFromBody;
+        const orgId = getFirstString(req.params.orgId);
 
         if (!userId) {
             return next(
@@ -104,10 +120,7 @@ export async function verifyApiKeyAccess(
             }
         }
 
-        req.userOrgRoleIds = await getUserOrgRoleIds(
-            req.userOrg.userId,
-            orgId
-        );
+        req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, orgId);
 
         return next();
     } catch (error) {

server/middlewares/verifyDomainAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyDomainAccess(
     req: Request,
@@ -14,9 +15,8 @@ export async function verifyDomainAccess(
 ) {
     try {
         const userId = req.user!.userId;
-        const domainId =
-            req.params.domainId;
-        const orgId = req.params.orgId;
+        const domainId = getFirstString(req.params.domainId);
+        const orgId = getFirstString(req.params.orgId);
 
         if (!userId) {
             return next(
@@ -62,10 +62,7 @@ export async function verifyDomainAccess(
                 .select()
                 .from(userOrgs)
                 .where(
-                    and(
-                        eq(userOrgs.userId, userId),
-                        eq(userOrgs.orgId, orgId)
-                    )
+                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
                 )
                 .limit(1);
             req.userOrg = userOrgRole[0];

server/middlewares/verifyLimits.ts

@@ -3,6 +3,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { usageService } from "@server/lib/billing/usageService";
 import { build } from "@server/build";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyLimits(
     req: Request,
@@ -13,7 +14,10 @@ export async function verifyLimits(
         return next();
     }
 
-    const orgId = req.userOrgId || req.apiKeyOrg?.orgId || req.params.orgId;
+    const orgId =
+        req.userOrgId ||
+        req.apiKeyOrg?.orgId ||
+        getFirstString(req.params.orgId);
 
     if (!orgId) {
         return next(); // its fine if we silently fail here because this is not critical to operation or security and its better user experience if we dont fail

server/middlewares/verifyOrgAccess.ts

@@ -6,6 +6,7 @@ import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyOrgAccess(
     req: Request,
@@ -13,7 +14,7 @@ export async function verifyOrgAccess(
     next: NextFunction
 ) {
     const userId = req.user!.userId;
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);
 
     if (!userId) {
         return next(

server/middlewares/verifySiteProvisioningKeyAccess.ts

@@ -1,10 +1,16 @@
 import { Request, Response, NextFunction } from "express";
-import { db, userOrgs, siteProvisioningKeys, siteProvisioningKeyOrg } from "@server/db";
+import {
+    db,
+    userOrgs,
+    siteProvisioningKeys,
+    siteProvisioningKeyOrg
+} from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifySiteProvisioningKeyAccess(
     req: Request,
@@ -13,8 +19,10 @@ export async function verifySiteProvisioningKeyAccess(
 ) {
     try {
         const userId = req.user!.userId;
-        const siteProvisioningKeyId = req.params.siteProvisioningKeyId;
-        const orgId = req.params.orgId;
+        const siteProvisioningKeyId = getFirstString(
+            req.params.siteProvisioningKeyId
+        );
+        const orgId = getFirstString(req.params.orgId);
 
         if (!userId) {
             return next(
@@ -80,10 +88,7 @@ export async function verifySiteProvisioningKeyAccess(
                 .where(
                     and(
                         eq(userOrgs.userId, userId),
-                        eq(
-                            userOrgs.orgId,
-                            row.siteProvisioningKeyOrg.orgId
-                        )
+                        eq(userOrgs.orgId, row.siteProvisioningKeyOrg.orgId)
                     )
                 )
                 .limit(1);

server/middlewares/verifyTargetAccess.ts

@@ -7,6 +7,7 @@ import HttpCode from "@server/types/HttpCode";
 import { canUserAccessResource } from "../auth/canUserAccessResource";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyTargetAccess(
     req: Request,
@@ -14,7 +15,8 @@ export async function verifyTargetAccess(
     next: NextFunction
 ) {
     const userId = req.user!.userId;
-    const targetId = parseInt(req.params.targetId);
+    const targetIdRaw = getFirstString(req.params.targetId);
+    const targetId = Number.parseInt(targetIdRaw ?? "", 10);
 
     if (!userId) {
         return next(

server/middlewares/verifyUserIsOrgOwner.ts

@@ -4,6 +4,7 @@ import { userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyUserIsOrgOwner(
     req: Request,
@@ -11,7 +12,7 @@ export async function verifyUserIsOrgOwner(
     next: NextFunction
 ) {
     const userId = req.user!.userId;
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);
 
     if (!userId) {
         return next(

server/private/middlewares/verifyCertificateAccess.ts

@@ -19,6 +19,7 @@ import { eq, and } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyCertificateAccess(
     req: Request,
@@ -27,11 +28,43 @@ export async function verifyCertificateAccess(
 ) {
     try {
         // Assume user/org access is already verified
-        const orgId = req.params.orgId;
-        const certId =
-            req.params.certId || req.body?.certId || req.query?.certId;
-        let domainId =
-            req.params.domainId || req.body?.domainId || req.query?.domainId;
+        const orgId = getFirstString(req.params.orgId);
+
+        const certIdFromParams = getFirstString(req.params?.certId);
+        const certIdFromBody = getFirstString(req.body?.certId);
+
+        if (
+            certIdFromParams &&
+            certIdFromBody &&
+            certIdFromParams !== certIdFromBody
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Certificate ID provided in both URL and body with different values"
+                )
+            );
+        }
+
+        const certId = certIdFromParams || certIdFromBody;
+
+        const domainIdFromParams = getFirstString(req.params?.domainId);
+        const domainIdFromBody = getFirstString(req.body?.domainId);
+
+        if (
+            domainIdFromParams &&
+            domainIdFromBody &&
+            domainIdFromParams !== domainIdFromBody
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Domain ID provided in both URL and body with different values"
+                )
+            );
+        }
+
+        let domainId = domainIdFromParams || domainIdFromBody;
 
         if (!orgId) {
             return next(
@@ -65,7 +98,7 @@ export async function verifyCertificateAccess(
                 );
             }
 
-            domainId = cert.domainId;
+            domainId = cert.domainId ?? undefined;
             if (!domainId) {
                 return next(
                     createHttpError(

server/private/middlewares/verifyIdpAccess.ts

@@ -17,6 +17,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyIdpAccess(
     req: Request,
@@ -25,8 +26,12 @@ export async function verifyIdpAccess(
 ) {
     try {
         const userId = req.user!.userId;
-        const idpId = req.params.idpId || req.body.idpId || req.query.idpId;
-        const orgId = req.params.orgId;
+        const idpIdRaw =
+            getFirstString(req.params.idpId) ||
+            getFirstString(req.body?.idpId) ||
+            getFirstString(req.query?.idpId);
+        const idpId = Number.parseInt(idpIdRaw ?? "", 10);
+        const orgId = getFirstString(req.params.orgId);
 
         if (!userId) {
             return next(
@@ -40,7 +45,7 @@ export async function verifyIdpAccess(
             );
         }
 
-        if (!idpId) {
+        if (Number.isNaN(idpId)) {
             return next(
                 createHttpError(HttpCode.BAD_REQUEST, "Invalid key ID")
             );

server/private/middlewares/verifyRemoteExitNodeAccess.ts

@@ -18,6 +18,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function verifyRemoteExitNodeAccess(
     req: Request,
@@ -25,11 +26,11 @@ export async function verifyRemoteExitNodeAccess(
     next: NextFunction
 ) {
     const userId = req.user!.userId; // Assuming you have user information in the request
-    const orgId = req.params.orgId;
+    const orgId = getFirstString(req.params.orgId);
     const remoteExitNodeId =
-        req.params.remoteExitNodeId ||
-        req.body.remoteExitNodeId ||
-        req.query.remoteExitNodeId;
+        getFirstString(req.params.remoteExitNodeId) ||
+        getFirstString(req.body?.remoteExitNodeId) ||
+        getFirstString(req.query?.remoteExitNodeId);
 
     if (!userId) {
         return next(
@@ -37,6 +38,15 @@ export async function verifyRemoteExitNodeAccess(
         );
     }
 
+    if (!orgId || !remoteExitNodeId) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                "Invalid organization or remote exit node ID"
+            )
+        );
+    }
+
     try {
         const [remoteExitNode] = await db
             .select()

server/private/routers/auditLogs/queryAccessAuditLog.ts

@@ -93,6 +93,20 @@ export const queryAccessAuditLogsCombined = queryAccessAuditLogsQuery.merge(
 );
 type Q = z.infer<typeof queryAccessAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(accessAuditLog.timestamp, data.timeStart),
@@ -308,7 +322,7 @@ async function queryUniqueFilterAttributes(
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null)

server/private/routers/auditLogs/queryConnectionAuditLog.ts

@@ -107,6 +107,20 @@ export const queryConnectionAuditLogsCombined =
     queryConnectionAuditLogsQuery.merge(queryConnectionAuditLogsParams);
 type Q = z.infer<typeof queryConnectionAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(connectionAuditLog.startedAt, data.timeStart),
@@ -425,7 +439,7 @@ async function queryUniqueFilterAttributes(
             .map((row) => row.destAddr)
             .filter((addr): addr is string => addr !== null),
         clients: clientsWithNames,
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         users: usersWithEmails
     };
 }

server/private/routers/generatedLicense/generateNewLicense.ts

@@ -16,40 +16,44 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { response as sendResponse } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";
 import privateConfig from "#private/lib/config";
 import { GenerateNewLicenseResponse } from "@server/routers/generatedLicense/types";
 
 export interface CreateNewLicenseResponse {
-  data: Data
-  success: boolean
-  error: boolean
-  message: string
-  status: number
+    data: Data;
+    success: boolean;
+    error: boolean;
+    message: string;
+    status: number;
 }
 
 export interface Data {
-  licenseKey: LicenseKey
+    licenseKey: LicenseKey;
 }
 
 export interface LicenseKey {
-  id: number
-  instanceName: any
-  instanceId: string
-  licenseKey: string
-  tier: string
-  type: string
-  quantity: number
-  quantity_2: number
-  isValid: boolean
-  updatedAt: string
-  createdAt: string
-  expiresAt: string
-  paidFor: boolean
-  orgId: string
-  metadata: string
+    id: number;
+    instanceName: any;
+    instanceId: string;
+    licenseKey: string;
+    tier: string;
+    type: string;
+    quantity: number;
+    quantity_2: number;
+    isValid: boolean;
+    updatedAt: string;
+    createdAt: string;
+    expiresAt: string;
+    paidFor: boolean;
+    orgId: string;
+    metadata: string;
 }
 
-export async function createNewLicense(orgId: string, licenseData: any): Promise<CreateNewLicenseResponse> {
+export async function createNewLicense(
+    orgId: string,
+    licenseData: any
+): Promise<CreateNewLicenseResponse> {
     try {
         const response = await fetch(
             `${privateConfig.getRawPrivateConfig().server.fossorial_api}/api/v1/license-internal/enterprise/${orgId}/create`, // this says enterprise but it does both
@@ -80,7 +84,7 @@ export async function generateNewLicense(
     next: NextFunction
 ): Promise<any> {
     try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
 
         if (!orgId) {
             return next(

server/private/routers/generatedLicense/listGeneratedLicenses.ts

@@ -16,6 +16,7 @@ import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { response as sendResponse } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";
 import privateConfig from "#private/lib/config";
 import {
     GeneratedLicenseKey,
@@ -55,7 +56,7 @@ export async function listSaasLicenseKeys(
     next: NextFunction
 ): Promise<any> {
     try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
 
         if (!orgId) {
             return next(

server/routers/auditLogs/queryRequestAnalytics.ts

@@ -1,4 +1,4 @@
-import { logsDb, requestAuditLog, driver, primaryLogsDb } from "@server/db";
+import { logsDb, requestAuditLog, driver } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -74,12 +74,12 @@ async function query(query: Q) {
         );
     }
 
-    const [all] = await primaryLogsDb
+    const [all] = await logsDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(baseConditions);
 
-    const [blocked] = await primaryLogsDb
+    const [blocked] = await logsDb
         .select({ total: count() })
         .from(requestAuditLog)
         .where(and(baseConditions, eq(requestAuditLog.action, false)));
@@ -90,7 +90,7 @@ async function query(query: Q) {
 
     const DISTINCT_LIMIT = 500;
 
-    const requestsPerCountry = await primaryLogsDb
+    const requestsPerCountry = await logsDb
         .selectDistinct({
             code: requestAuditLog.location,
             count: totalQ
@@ -118,7 +118,7 @@ async function query(query: Q) {
     const booleanTrue = driver === "pg" ? sql`true` : sql`1`;
     const booleanFalse = driver === "pg" ? sql`false` : sql`0`;
 
-    const requestsPerDay = await primaryLogsDb
+    const requestsPerDay = await logsDb
         .select({
             day: groupByDayFunction.as("day"),
             allowedCount:

server/routers/auditLogs/queryRequestAuditLog.ts

@@ -1,4 +1,4 @@
-import { logsDb, primaryLogsDb, requestAuditLog, resources, siteResources, db, primaryDb } from "@server/db";
+import { logsDb, requestAuditLog, resources, siteResources, db, primaryDb } from "@server/db";
 import { registry } from "@server/openApi";
 import { NextFunction } from "express";
 import { Request, Response } from "express";
@@ -86,6 +86,20 @@ export const queryRequestAuditLogsCombined = queryAccessAuditLogsQuery.merge(
 );
 type Q = z.infer<typeof queryRequestAuditLogsCombined>;
 
+function sortNamedFilterOptions<T extends { id: number; name: string | null }>(
+    items: T[]
+): T[] {
+    return [...items].sort((a, b) => {
+        const nameA = a.name ?? "";
+        const nameB = b.name ?? "";
+
+        if (nameA < nameB) return -1;
+        if (nameA > nameB) return 1;
+
+        return a.id - b.id;
+    });
+}
+
 function getWhere(data: Q) {
     return and(
         gt(requestAuditLog.timestamp, data.timeStart),
@@ -110,7 +124,7 @@ function getWhere(data: Q) {
 }
 
 export function queryRequest(data: Q) {
-    return primaryLogsDb
+    return logsDb
         .select({
             id: requestAuditLog.id,
                 timestamp: requestAuditLog.timestamp,
@@ -211,7 +225,7 @@ async function enrichWithResourceDetails(logs: Awaited<ReturnType<typeof queryRe
 }
 
 export function countRequestQuery(data: Q) {
-    const countQuery = primaryLogsDb
+    const countQuery = logsDb
         .select({ count: count() })
         .from(requestAuditLog)
         .where(getWhere(data));
@@ -254,34 +268,34 @@ async function queryUniqueFilterAttributes(
         uniqueResources,
         uniqueSiteResources
     ] = await Promise.all([
-        primaryLogsDb
+        logsDb
             .selectDistinct({ actor: requestAuditLog.actor })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ locations: requestAuditLog.location })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ hosts: requestAuditLog.host })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({ paths: requestAuditLog.path })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({
                 id: requestAuditLog.resourceId
             })
             .from(requestAuditLog)
             .where(baseConditions)
             .limit(DISTINCT_LIMIT + 1),
-        primaryLogsDb
+        logsDb
             .selectDistinct({
                 id: requestAuditLog.siteResourceId
             })
@@ -353,7 +367,7 @@ async function queryUniqueFilterAttributes(
         actors: uniqueActors
             .map((row) => row.actor)
             .filter((actor): actor is string => actor !== null),
-        resources: resourcesWithNames,
+        resources: sortNamedFilterOptions(resourcesWithNames),
         locations: uniqueLocations
             .map((row) => row.locations)
             .filter((location): location is string => location !== null),

server/routers/auth/securityKey.ts

@@ -25,6 +25,7 @@ import { UserType } from "@server/types/UserTypes";
 import { verifyPassword } from "@server/auth/password";
 import { unauthorized } from "@server/auth/unauthorizedResponse";
 import { verifyTotpCode } from "@server/auth/totp";
+import { getFirstString } from "@server/lib/requestParams";
 
 // The RP ID is the domain name of your application
 const rpID = (() => {
@@ -406,7 +407,12 @@ export async function deleteSecurityKey(
     res: Response,
     next: NextFunction
 ): Promise<any> {
-    const { credentialId: encodedCredentialId } = req.params;
+    const encodedCredentialId = getFirstString(req.params.credentialId);
+    if (!encodedCredentialId) {
+        return next(
+            createHttpError(HttpCode.BAD_REQUEST, "Invalid credential ID")
+        );
+    }
     const credentialId = decodeURIComponent(encodedCredentialId);
     const user = req.user as User;
 

server/routers/domain/getDomain.ts

@@ -8,7 +8,6 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { domain } from "zod/v4/core/regexes";
 
 const getDomainSchema = z.strictObject({
     domainId: z.string().optional(),

server/routers/external.ts

@@ -1156,7 +1156,7 @@ export const authRouter = Router();
 unauthenticated.use("/auth", authRouter);
 authRouter.use(
     rateLimit({
-        windowMs: config.getRawConfig().rate_limits.auth.window_minutes,
+        windowMs: config.getRawConfig().rate_limits.auth.window_minutes * 60 * 1000,
         max: config.getRawConfig().rate_limits.auth.max_requests,
         keyGenerator: (req) =>
             `authRouterGlobal:${ipKeyGenerator(req.ip || "")}:${req.path}`,
@@ -1252,7 +1252,7 @@ authRouter.post(
         windowMs: 15 * 60 * 1000,
         max: 900,
         keyGenerator: (req) =>
-            `olmGetToken:${req.body.newtId || ipKeyGenerator(req.ip || "")}`,
+            `olmGetToken:${req.body.olmId || ipKeyGenerator(req.ip || "")}`,
         handler: (req, res, next) => {
             const message = `You can only request an Olm token ${900} times every ${15} minutes. Please try again later.`;
             return next(createHttpError(HttpCode.TOO_MANY_REQUESTS, message));

server/routers/resource/getUserResources.ts

@@ -19,6 +19,7 @@ import {
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { response } from "@server/lib/response";
+import { getFirstString } from "@server/lib/requestParams";
 
 export async function getUserResources(
     req: Request,
@@ -26,7 +27,7 @@ export async function getUserResources(
     next: NextFunction
 ): Promise<any> {
     try {
-        const { orgId } = req.params;
+        const orgId = getFirstString(req.params.orgId);
         const userId = req.user?.userId;
 
         if (!userId) {
@@ -35,6 +36,12 @@ export async function getUserResources(
             );
         }
 
+        if (!orgId) {
+            return next(
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+            );
+        }
+
         // Check user is in organization and get their role IDs
         const [userOrg] = await db
             .select()

src/app/[orgId]/settings/logs/access/page.tsx

@@ -280,10 +280,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/action/page.tsx

@@ -266,10 +266,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/connection/page.tsx

@@ -306,10 +306,14 @@ export default function ConnectionLogsPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/logs/request/page.tsx

@@ -281,10 +281,14 @@ export default function GeneralPage() {
         console.log("Data refreshed");
         setIsRefreshing(true);
         try {
+            const endDate = searchParams.get("end")
+                ? dateRange.endDate
+                : { date: new Date() };
+            setDateRange((current) => ({ ...current, endDate }));
             // Refresh data with current date range and pagination
             await queryDateTime(
                 dateRange.startDate,
-                dateRange.endDate,
+                endDate,
                 currentPage,
                 pageSize
             );

src/app/[orgId]/settings/resources/proxy/[niceId]/authentication/page.tsx

@@ -49,7 +49,7 @@ import { build } from "@server/build";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import { UserType } from "@server/types/UserTypes";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
-import SetResourcePasswordForm from "components/SetResourcePasswordForm";
+import SetResourcePasswordForm from "@app/components/SetResourcePasswordForm";
 import { Binary, Bot, InfoIcon, Key } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";

src/components/ui/chart.tsx

@@ -101,16 +101,41 @@ ${colorConfig
 
 const ChartTooltip = RechartsPrimitive.Tooltip;
 
+type ChartTooltipValue = number | string | Array<number | string>;
+type ChartTooltipName = number | string;
+type ChartTooltipPayload = RechartsPrimitive.DefaultTooltipContentProps<
+    ChartTooltipValue,
+    ChartTooltipName
+>["payload"];
+type ChartTooltipPayloadItem = NonNullable<ChartTooltipPayload>[number];
+
+type ChartTooltipContentProps = React.ComponentProps<"div"> & {
+    active?: boolean;
+    payload?: ChartTooltipPayload;
+    label?: RechartsPrimitive.DefaultTooltipContentProps<
+        ChartTooltipValue,
+        ChartTooltipName
+    >["label"];
+    labelFormatter?: RechartsPrimitive.DefaultTooltipContentProps<
+        ChartTooltipValue,
+        ChartTooltipName
+    >["labelFormatter"];
+    formatter?: RechartsPrimitive.DefaultTooltipContentProps<
+        ChartTooltipValue,
+        ChartTooltipName
+    >["formatter"];
+    hideLabel?: boolean;
+    hideIndicator?: boolean;
+    indicator?: "line" | "dot" | "dashed";
+    nameKey?: string;
+    labelKey?: string;
+    color?: string;
+    labelClassName?: string;
+};
+
 const ChartTooltipContent = React.forwardRef<
     HTMLDivElement,
-    React.ComponentProps<typeof RechartsPrimitive.Tooltip> &
-        React.ComponentProps<"div"> & {
-            hideLabel?: boolean;
-            hideIndicator?: boolean;
-            indicator?: "line" | "dot" | "dashed";
-            nameKey?: string;
-            labelKey?: string;
-        }
+    ChartTooltipContentProps
 >(
     (
         {
@@ -187,8 +212,11 @@ const ChartTooltipContent = React.forwardRef<
                 {!nestLabel ? tooltipLabel : null}
                 <div className="grid gap-1.5">
                     {payload
-                        .filter((item) => item.type !== "none")
-                        .map((item, index) => {
+                        .filter(
+                            (item: ChartTooltipPayloadItem) =>
+                                item.type !== "none"
+                        )
+                        .map((item: ChartTooltipPayloadItem, index: number) => {
                             const key = `${nameKey || item.name || item.dataKey || "value"}`;
 
                             const itemConfig = getPayloadConfigFromPayload(
@@ -201,7 +229,7 @@ const ChartTooltipContent = React.forwardRef<
 
                             return (
                                 <div
-                                    key={item.dataKey}
+                                    key={String(item.dataKey ?? index)}
                                     className={cn(
                                         "flex w-full flex-wrap items-stretch gap-2 [&>svg]:h-2.5 [&>svg]:w-2.5 [&>svg]:text-muted-foreground",
                                         indicator === "dot" && "items-center"
@@ -301,13 +329,20 @@ ChartTooltipContent.displayName = "ChartTooltip";
 
 const ChartLegend = RechartsPrimitive.Legend;
 
+type ChartLegendPayload =
+    RechartsPrimitive.DefaultLegendContentProps["payload"];
+type ChartLegendPayloadItem = NonNullable<ChartLegendPayload>[number];
+
+type ChartLegendContentProps = React.ComponentProps<"div"> & {
+    payload?: ChartLegendPayload;
+    verticalAlign?: RechartsPrimitive.DefaultLegendContentProps["verticalAlign"];
+    hideIcon?: boolean;
+    nameKey?: string;
+};
+
 const ChartLegendContent = React.forwardRef<
     HTMLDivElement,
-    React.ComponentProps<"div"> &
-        Pick<RechartsPrimitive.LegendProps, "payload" | "verticalAlign"> & {
-            hideIcon?: boolean;
-            nameKey?: string;
-        }
+    ChartLegendContentProps
 >(
     (
         {
@@ -335,8 +370,10 @@ const ChartLegendContent = React.forwardRef<
                 )}
             >
                 {payload
-                    .filter((item) => item.type !== "none")
-                    .map((item) => {
+                    .filter(
+                        (item: ChartLegendPayloadItem) => item.type !== "none"
+                    )
+                    .map((item: ChartLegendPayloadItem) => {
                         const key = `${nameKey || item.dataKey || "value"}`;
                         const itemConfig = getPayloadConfigFromPayload(
                             config,

src/types/css.d.ts

@@ -0,0 +1 @@
+declare module "*.css";

tsconfig.enterprise.json

@@ -1,28 +1,49 @@
 {
     "compilerOptions": {
-        "lib": ["dom", "dom.iterable", "esnext"],
+        "lib": [
+            "dom",
+            "dom.iterable",
+            "esnext"
+        ],
         "allowJs": true,
         "skipLibCheck": true,
         "strict": true,
         "noEmit": true,
         "esModuleInterop": true,
         "module": "esnext",
-        "moduleResolution": "node",
+        "moduleResolution": "bundler",
         "resolveJsonModule": true,
         "isolatedModules": true,
         "jsx": "preserve",
         "incremental": true,
-        "baseUrl": "src",
         "paths": {
-            "@server/*": ["../server/*"],
-            "@test/*": ["../test/*"],
-            "@app/*": ["*"],
-            "@cli/*": ["../cli/*"],
-            "@/*": ["./*"],
-            "#private/*": ["../server/private/*"],
-            "#open/*": ["../server/*"],
-            "#closed/*": ["../server/private/*"],
-            "#dynamic/*": ["../server/private/*"]
+            "@server/*": [
+                "./server/*"
+            ],
+            "@test/*": [
+                "./test/*"
+            ],
+            "@app/*": [
+                "./src/*"
+            ],
+            "@cli/*": [
+                "./cli/*"
+            ],
+            "@/*": [
+                "./src/*"
+            ],
+            "#private/*": [
+                "./server/private/*"
+            ],
+            "#open/*": [
+                "./server/*"
+            ],
+            "#closed/*": [
+                "./server/private/*"
+            ],
+            "#dynamic/*": [
+                "./server/private/*"
+            ]
         },
         "plugins": [
             {
@@ -31,6 +52,14 @@
         ],
         "target": "ES2024"
     },
-    "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-    "exclude": ["node_modules"]
+    "include": [
+        "next-env.d.ts",
+        "**/*.ts",
+        "**/*.tsx",
+        "**/*.d.ts",
+        ".next/types/**/*.ts"
+    ],
+    "exclude": [
+        "node_modules"
+    ]
 }

tsconfig.oss.json

@@ -1,28 +1,49 @@
 {
     "compilerOptions": {
-        "lib": ["dom", "dom.iterable", "esnext"],
+        "lib": [
+            "dom",
+            "dom.iterable",
+            "esnext"
+        ],
         "allowJs": true,
         "skipLibCheck": true,
         "strict": true,
         "noEmit": true,
         "esModuleInterop": true,
         "module": "esnext",
-        "moduleResolution": "node",
+        "moduleResolution": "bundler",
         "resolveJsonModule": true,
         "isolatedModules": true,
         "jsx": "preserve",
         "incremental": true,
-        "baseUrl": "src",
         "paths": {
-            "@server/*": ["../server/*"],
-            "@test/*": ["../test/*"],
-            "@app/*": ["*"],
-            "@cli/*": ["../cli/*"],
-            "@/*": ["./*"],
-            "#private/*": ["../server/private/*"],
-            "#open/*": ["../server/*"],
-            "#closed/*": ["../server/private/*"],
-            "#dynamic/*": ["../server/*"]
+            "@server/*": [
+                "./server/*"
+            ],
+            "@test/*": [
+                "./test/*"
+            ],
+            "@app/*": [
+                "./src/*"
+            ],
+            "@cli/*": [
+                "./cli/*"
+            ],
+            "@/*": [
+                "./src/*"
+            ],
+            "#private/*": [
+                "./server/private/*"
+            ],
+            "#open/*": [
+                "./server/*"
+            ],
+            "#closed/*": [
+                "./server/private/*"
+            ],
+            "#dynamic/*": [
+                "./server/*"
+            ]
         },
         "plugins": [
             {
@@ -31,6 +52,14 @@
         ],
         "target": "ES2024"
     },
-    "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-    "exclude": ["node_modules"]
+    "include": [
+        "next-env.d.ts",
+        "**/*.ts",
+        "**/*.tsx",
+        "**/*.d.ts",
+        ".next/types/**/*.ts"
+    ],
+    "exclude": [
+        "node_modules"
+    ]
 }

tsconfig.saas.json

@@ -1,28 +1,49 @@
 {
     "compilerOptions": {
-        "lib": ["dom", "dom.iterable", "esnext"],
+        "lib": [
+            "dom",
+            "dom.iterable",
+            "esnext"
+        ],
         "allowJs": true,
         "skipLibCheck": true,
         "strict": true,
         "noEmit": true,
         "esModuleInterop": true,
         "module": "esnext",
-        "moduleResolution": "node",
+        "moduleResolution": "bundler",
         "resolveJsonModule": true,
         "isolatedModules": true,
         "jsx": "preserve",
         "incremental": true,
-        "baseUrl": "src",
         "paths": {
-            "@server/*": ["../server/*"],
-            "@test/*": ["../test/*"],
-            "@app/*": ["*"],
-            "@cli/*": ["../cli/*"],
-            "@/*": ["./*"],
-            "#private/*": ["../server/private/*"],
-            "#open/*": ["../server/*"],
-            "#closed/*": ["../server/private/*"],
-            "#dynamic/*": ["../server/private/*"]
+            "@server/*": [
+                "./server/*"
+            ],
+            "@test/*": [
+                "./test/*"
+            ],
+            "@app/*": [
+                "./src/*"
+            ],
+            "@cli/*": [
+                "./cli/*"
+            ],
+            "@/*": [
+                "./src/*"
+            ],
+            "#private/*": [
+                "./server/private/*"
+            ],
+            "#open/*": [
+                "./server/*"
+            ],
+            "#closed/*": [
+                "./server/private/*"
+            ],
+            "#dynamic/*": [
+                "./server/private/*"
+            ]
         },
         "plugins": [
             {
@@ -31,6 +52,14 @@
         ],
         "target": "ES2024"
     },
-    "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
-    "exclude": ["node_modules"]
+    "include": [
+        "next-env.d.ts",
+        "**/*.ts",
+        "**/*.tsx",
+        "**/*.d.ts",
+        ".next/types/**/*.ts"
+    ],
+    "exclude": [
+        "node_modules"
+    ]
 }