feat(branding): yellow scrollbar and hide FQDN settings field

- Change scrollbar thumb from Coolify red to MapleDeploy yellow - Hide FQDN field from settings UI (managed during provisioning)
feat(auth): notify MapleDeploy on first-user registration
2026-03-14 00:18:38 -04:00 · 2026-03-14 00:18:29 -04:00 · 2026-03-14 00:18:23 -04:00 · 2026-03-14 00:18:17 -04:00 · 2026-03-14 00:18:06 -04:00 · 2026-03-14 00:17:59 -04:00
473 changed files with 25798 additions and 4316 deletions
--- a/.ai/design-system.md
+++ b/.ai/design-system.md
--- a/.claude/skills/pest-testing/SKILL.md
+++ b/.claude/skills/pest-testing/SKILL.md
@ -23,19 +23,28 @@ ## Documentation

 Use `search-docs` for detailed Pest 4 patterns and documentation.

-## Basic Usage
+## Test Directory Structure

-### Creating Tests
+- `tests/Feature/` and `tests/Unit/` — Legacy tests (keep, don't delete)
+- `tests/v4/Feature/` — New feature tests (SQLite :memory: database)
+- `tests/v4/Browser/` — Browser tests (Pest Browser Plugin + Playwright)
+- `tests/Browser/` — Legacy Dusk browser tests (keep, don't delete)

-All tests must be written using Pest. Use `php artisan make:test --pest {name}`.
+New tests go in `tests/v4/`. The v4 suite uses SQLite :memory: with a schema dump (`database/schema/testing-schema.sql`) instead of running migrations.

-### Test Organization
+Do NOT remove tests without approval.

- Unit/Feature tests: `tests/Feature` and `tests/Unit` directories.
- Browser tests: `tests/Browser/` directory.
- Do NOT remove tests without approval - these are core application code.
+## Running Tests

-### Basic Test Structure
+- All v4 tests: `php artisan test --compact tests/v4/`
+- Browser tests: `php artisan test --compact tests/v4/Browser/`
+- Feature tests: `php artisan test --compact tests/v4/Feature/`
+- Specific file: `php artisan test --compact tests/v4/Browser/LoginTest.php`
+- Filter: `php artisan test --compact --filter=testName`
+- Headed (see browser): `./vendor/bin/pest tests/v4/Browser/ --headed`
+- Debug (pause on failure): `./vendor/bin/pest tests/v4/Browser/ --debug`
+
+## Basic Test Structure

 <code-snippet name="Basic Pest Test Example" lang="php">

@ -45,24 +54,10 @@ ### Basic Test Structure

 </code-snippet>

-### Running Tests
-
- Run minimal tests with filter before finalizing: `php artisan test --compact --filter=testName`.
- Run all tests: `php artisan test --compact`.
- Run file: `php artisan test --compact tests/Feature/ExampleTest.php`.
-
 ## Assertions

 Use specific assertions (`assertSuccessful()`, `assertNotFound()`) instead of `assertStatus()`:

-<code-snippet name="Pest Response Assertion" lang="php">
-
-it('returns all', function () {
-    $this->postJson('/api/docs', [])->assertSuccessful();
-});
-
-</code-snippet>
-
 | Use | Instead of |
 |-----|------------|
 | `assertSuccessful()` | `assertStatus(200)` |
@ -75,7 +70,7 @@ ## Mocking

 ## Datasets

-Use datasets for repetitive tests (validation rules, etc.):
+Use datasets for repetitive tests:

 <code-snippet name="Pest Dataset Example" lang="php">

@ -88,73 +83,94 @@ ## Datasets

 </code-snippet>

-## Pest 4 Features
+## Browser Testing (Pest Browser Plugin + Playwright)

-| Feature | Purpose |
-|---------|---------|
-| Browser Testing | Full integration tests in real browsers |
-| Smoke Testing | Validate multiple pages quickly |
-| Visual Regression | Compare screenshots for visual changes |
-| Test Sharding | Parallel CI runs |
-| Architecture Testing | Enforce code conventions |
+Browser tests use `pestphp/pest-plugin-browser` with Playwright. They run **outside Docker** — the plugin starts an in-process HTTP server and Playwright browser automatically.

-### Browser Test Example
+### Key Rules

-Browser tests run in real browsers for full integration testing:
+1. **Always use `RefreshDatabase`** — the in-process server uses SQLite :memory:
+2. **Always seed `InstanceSettings::create(['id' => 0])` in `beforeEach`** — most pages crash without it
+3. **Use `User::factory()` for auth tests** — create users with `id => 0` for root user
+4. **No Dusk, no Selenium** — use `visit()`, `fill()`, `click()`, `assertSee()` from the Pest Browser API
+5. **Place tests in `tests/v4/Browser/`**
+6. **Views with bare `function` declarations** will crash on the second request in the same process — wrap with `function_exists()` guard if you encounter this

- Browser tests live in `tests/Browser/`.
- Use Laravel features like `Event::fake()`, `assertAuthenticated()`, and model factories.
- Use `RefreshDatabase` for clean state per test.
- Interact with page: click, type, scroll, select, submit, drag-and-drop, touch gestures.
- Test on multiple browsers (Chrome, Firefox, Safari) if requested.
- Test on different devices/viewports (iPhone 14 Pro, tablets) if requested.
- Switch color schemes (light/dark mode) when appropriate.
- Take screenshots or pause tests for debugging.
+### Browser Test Template

-<code-snippet name="Pest Browser Test Example" lang="php">
+<code-snippet name="Coolify Browser Test Template" lang="php">
+<?php

-it('may reset the password', function () {
-    Notification::fake();
+use App\Models\InstanceSettings;
+use Illuminate\Foundation\Testing\RefreshDatabase;

-    $this->actingAs(User::factory()->create());
+uses(RefreshDatabase::class);

-    $page = visit('/sign-in');
-
-    $page->assertSee('Sign In')
-        ->assertNoJavaScriptErrors()
-        ->click('Forgot Password?')
-        ->fill('email', 'nuno@laravel.com')
-        ->click('Send Reset Link')
-        ->assertSee('We have emailed your password reset link!');
-
-    Notification::assertSent(ResetPassword::class);
+beforeEach(function () {
+    InstanceSettings::create(['id' => 0]);
 });

+it('can visit the page', function () {
+    $page = visit('/login');
+
+    $page->assertSee('Login');
+});
 </code-snippet>

-### Smoke Testing
+### Browser Test with Form Interaction

-Quickly validate multiple pages have no JavaScript errors:
+<code-snippet name="Browser Test Form Example" lang="php">
+it('fails login with invalid credentials', function () {
+    User::factory()->create([
+        'id' => 0,
+        'email' => 'test@example.com',
+        'password' => Hash::make('password'),
+    ]);

-<code-snippet name="Pest Smoke Testing Example" lang="php">
-
-$pages = visit(['/', '/about', '/contact']);
-
-$pages->assertNoJavaScriptErrors()->assertNoConsoleLogs();
+    $page = visit('/login');

+    $page->fill('email', 'random@email.com')
+        ->fill('password', 'wrongpassword123')
+        ->click('Login')
+        ->assertSee('These credentials do not match our records');
+});
 </code-snippet>

-### Visual Regression Testing
+### Browser API Reference

-Capture and compare screenshots to detect visual changes.
+| Method | Purpose |
+|--------|---------|
+| `visit('/path')` | Navigate to a page |
+| `->fill('field', 'value')` | Fill an input by name |
+| `->click('Button Text')` | Click a button/link by text |
+| `->assertSee('text')` | Assert visible text |
+| `->assertDontSee('text')` | Assert text is not visible |
+| `->assertPathIs('/path')` | Assert current URL path |
+| `->assertSeeIn('.selector', 'text')` | Assert text in element |
+| `->screenshot()` | Capture screenshot |
+| `->debug()` | Pause test, keep browser open |
+| `->wait(seconds)` | Wait N seconds |

-### Test Sharding
+### Debugging

-Split tests across parallel processes for faster CI runs.
+- Screenshots auto-saved to `tests/Browser/Screenshots/` on failure
+- `->debug()` pauses and keeps browser open (press Enter to continue)
+- `->screenshot()` captures state at any point
+- `--headed` flag shows browser, `--debug` pauses on failure

-### Architecture Testing
+## SQLite Testing Setup

-Pest 4 includes architecture testing (from Pest 3):
+v4 tests use SQLite :memory: instead of PostgreSQL. Schema loaded from `database/schema/testing-schema.sql`.
+
+### Regenerating the Schema
+
+When migrations change, regenerate from the running PostgreSQL database:
+
+```bash
+docker exec coolify php artisan schema:generate-testing
+```
+
+## Architecture Testing

 <code-snippet name="Architecture Test Example" lang="php">

@ -171,4 +187,7 @@ ## Common Pitfalls
 - Using `assertStatus(200)` instead of `assertSuccessful()`
 - Forgetting datasets for repetitive validation tests
 - Deleting tests without approval
- Forgetting `assertNoJavaScriptErrors()` in browser tests
+- Forgetting `assertNoJavaScriptErrors()` in browser tests
+- **Browser tests: forgetting `InstanceSettings::create(['id' => 0])` — most pages crash without it**
+- **Browser tests: forgetting `RefreshDatabase` — SQLite :memory: starts empty**
+- **Browser tests: views with bare `function` declarations crash on second request — wrap with `function_exists()` guard**
--- a/.env.production
+++ b/.env.production
@ -15,4 +15,5 @@ ROOT_USERNAME=
 ROOT_USER_EMAIL=
 ROOT_USER_PASSWORD=

-REGISTRY_URL=ghcr.io
+REGISTRY_URL=forgejo.mapledeploy.ca
+CDN_URL=https://updates.mapledeploy.ca
--- a/.env.testing
+++ b/.env.testing
@ -0,0 +1,15 @@
+APP_ENV=testing
+APP_KEY=base64:8VEfVNVkXQ9mH2L33WBWNMF4eQ0BWD5CTzB8mIxcl+k=
+APP_DEBUG=true
+
+DB_CONNECTION=testing
+
+CACHE_DRIVER=array
+SESSION_DRIVER=array
+QUEUE_CONNECTION=sync
+MAIL_MAILER=array
+TELESCOPE_ENABLED=false
+
+REDIS_HOST=127.0.0.1
+
+SELF_HOSTED=true
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -0,0 +1,100 @@
+name: Build MapleDeploy Coolify Image
+
+on:
+  push:
+    branches: [mapledeploy]
+    paths-ignore:
+      - "*.md"
+      - ".github/**"
+      - "templates/**"
+
+env:
+  REGISTRY: forgejo.mapledeploy.ca
+  CDN_STORAGE_ZONE: coolify-update
+  CDN_PULL_ZONE_ID: "5338895"
+  CDN_BASE_URL: https://updates.mapledeploy.ca
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get version
+        id: version
+        run: |
+          VERSION=$(sed -n "s/.*'version' => '\([^']*\)'.*/\1/p" config/constants.php)
+          HELPER_VERSION=$(sed -n "s/.*'helper_version' => '\([^']*\)'.*/\1/p" config/constants.php)
+          REALTIME_VERSION=$(sed -n "s/.*'realtime_version' => '\([^']*\)'.*/\1/p" config/constants.php)
+          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "HELPER_VERSION=${HELPER_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "REALTIME_VERSION=${REALTIME_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Building version: ${VERSION} (helper: ${HELPER_VERSION}, realtime: ${REALTIME_VERSION})"
+
+      - name: Login to Forgejo registry
+        run: |
+          echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} -u ${{ github.repository_owner }} --password-stdin
+
+      - name: Build image
+        run: |
+          DOCKER_BUILDKIT=1 docker build -f docker/production/Dockerfile \
+            -t ${{ env.REGISTRY }}/${{ github.repository }}:${{ steps.version.outputs.VERSION }} \
+            -t ${{ env.REGISTRY }}/${{ github.repository }}:latest \
+            .
+
+      - name: Push image
+        run: |
+          docker push ${{ env.REGISTRY }}/${{ github.repository }}:${{ steps.version.outputs.VERSION }}
+          docker push ${{ env.REGISTRY }}/${{ github.repository }}:latest
+
+      - name: Generate versions.json
+        run: |
+          cat > versions.json <<EOF
+          {
+            "coolify": {
+              "v4": {
+                "version": "${{ steps.version.outputs.VERSION }}"
+              },
+              "helper": {
+                "version": "${{ steps.version.outputs.HELPER_VERSION }}"
+              },
+              "realtime": {
+                "version": "${{ steps.version.outputs.REALTIME_VERSION }}"
+              }
+            }
+          }
+          EOF
+          echo "Generated versions.json:"
+          cat versions.json
+
+      - name: Install curl
+        run: apk add --no-cache curl
+
+      - name: Upload artifacts to Bunny CDN
+        run: |
+          STORAGE_URL="https://storage.bunnycdn.com/${{ env.CDN_STORAGE_ZONE }}/coolify"
+
+          upload() {
+            local file="$1"
+            local dest="$2"
+            echo "Uploading ${file} -> ${dest}"
+            curl -fsSL -X PUT "${STORAGE_URL}/${dest}" \
+              -H "AccessKey: ${{ secrets.BUNNY_CDN_STORAGE_KEY }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary @"${file}"
+          }
+
+          upload versions.json versions.json
+          upload scripts/upgrade.sh upgrade.sh
+          upload docker-compose.yml docker-compose.yml
+          upload docker-compose.prod.yml docker-compose.prod.yml
+          upload .env.production .env.production
+
+          echo "All artifacts uploaded."
+
+      - name: Purge CDN cache
+        run: |
+          curl -fsSL -X POST "https://api.bunny.net/pullzone/${{ env.CDN_PULL_ZONE_ID }}/purgeCache" \
+            -H "AccessKey: ${{ secrets.BUNNY_API_KEY }}" \
+            -H "Content-Type: application/json"
+          echo "CDN cache purged."
--- a/.github/workflows/chore-lock-closed-issues-discussions-and-prs.yml
+++ b/.github/workflows/chore-lock-closed-issues-discussions-and-prs.yml
@ -1,22 +0,0 @@
-name: Lock closed Issues, Discussions, and PRs
-
-on:
-  schedule:
-    - cron: '0 1 * * *'
-
-permissions:
-  issues: write
-  discussions: write
-  pull-requests: write
-
-jobs:
-  lock-threads:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Lock threads after 30 days of inactivity
-        uses: dessant/lock-threads@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          issue-inactive-days: '30'
-          discussion-inactive-days: '30'
-          pr-inactive-days: '30'
--- a/.github/workflows/chore-manage-stale-issues-and-prs.yml
+++ b/.github/workflows/chore-manage-stale-issues-and-prs.yml
@ -1,32 +0,0 @@
-name: Manage Stale Issues and PRs
-
-on:
-  schedule:
-    - cron: '0 2 * * *'
-
-permissions:
-  issues: write
-  pull-requests: write
-
-jobs:
-  manage-stale:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Manage stale issues and PRs
-        uses: actions/stale@v9
-        id: stale
-        with:
-          stale-issue-message: 'This issue will be automatically closed in a few days if no response is received. Please provide an update with the requested information.'
-          stale-pr-message: 'This pull request requires attention. If no changes or response is received within the next few days, it will be automatically closed. Please update your PR or leave a comment with the requested information.'
-          close-issue-message: 'This issue has been automatically closed due to inactivity.'
-          close-pr-message: 'Thank you for your contribution. Due to inactivity, this PR was automatically closed. If you would like to continue working on this change in the future, feel free to reopen this PR or submit a new one.'
-          days-before-stale: 14
-          days-before-close: 7
-          stale-issue-label: '⏱︎ Stale'
-          stale-pr-label: '⏱︎ Stale'
-          only-labels: '💤 Waiting for feedback, 💤 Waiting for changes'
-          remove-stale-when-updated: true
-          operations-per-run: 100
-          labels-to-remove-when-unstale: '⏱︎ Stale, 💤 Waiting for feedback, 💤 Waiting for changes'
-          close-issue-reason: 'not_planned'
-          exempt-all-milestones: false
--- a/.github/workflows/chore-pr-comments.yml
+++ b/.github/workflows/chore-pr-comments.yml
@ -1,49 +0,0 @@
-name: Add comment based on label
-on:
-  pull_request_target:
-    types:
-      - labeled
-
-permissions:
-  pull-requests: write
-
-jobs:
-  add-comment:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        include:
-          - label: "⚙️ Service"
-            body: |
-              Hi @${{ github.event.pull_request.user.login }}! 👋
-
-              It appears to us that you are either adding a new service or making changes to an existing one.
-              We kindly ask you to also review and update the **Coolify Documentation** to include this new service or it's new configuration needs.
-              This will help ensure that our documentation remains accurate and up-to-date for all users.
-
-              Coolify Docs Repository: https://github.com/coollabsio/coolify-docs
-              How to Contribute a new Service to the Docs: https://coolify.io/docs/get-started/contribute/service#adding-a-new-service-template-to-the-coolify-documentation
-          - label: "🛠️ Feature"
-            body: |
-              Hi @${{ github.event.pull_request.user.login }}! 👋
-
-              It appears to us that you are adding a new feature to Coolify.
-              We kindly ask you to also update the **Coolify Documentation** to include information about this new feature.
-              This will help ensure that our documentation remains accurate and up-to-date for all users.
-
-              Coolify Docs Repository: https://github.com/coollabsio/coolify-docs
-              How to Contribute to the Docs: https://coolify.io/docs/get-started/contribute/documentation
-          # - label: "✨ Enhancement"
-          #  body: |
-          #    It appears to us that you are making an enhancement to Coolify.
-          #    We kindly ask you to also review and update the Coolify Documentation to include information about this enhancement if applicable.
-          #    This will help ensure that our documentation remains accurate and up-to-date for all users.
-    steps:
-      - name: Add comment
-        if: github.event.label.name == matrix.label
-        run: gh pr comment "$NUMBER" --body "$BODY"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-          NUMBER: ${{ github.event.pull_request.number }}
-          BODY: ${{ matrix.body }}
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@ -1,37 +0,0 @@
-name: Claude Code
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      id-token: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code
-        id: claude
-        uses: anthropics/claude-code-action@v1
-        with:
-          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          claude_args: '--model opus'
--- a/.github/workflows/cleanup-ghcr-untagged.yml
+++ b/.github/workflows/cleanup-ghcr-untagged.yml
@ -1,22 +0,0 @@
-name: Cleanup Untagged GHCR Images
-
-on:
-  workflow_dispatch:
-
-permissions:
-  packages: write
-
-jobs:
-  cleanup-all-packages:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        package: ['coolify', 'coolify-helper', 'coolify-realtime', 'coolify-testing-host']
-    steps:
-      - name: Delete untagged ${{ matrix.package }} images
-        uses: actions/delete-package-versions@v5
-        with:
-          package-name: ${{ matrix.package }}
-          package-type: 'container'
-          min-versions-to-keep: 0
-          delete-only-untagged-versions: 'true'
--- a/.github/workflows/coolify-helper-next.yml
+++ b/.github/workflows/coolify-helper-next.yml
@ -1,117 +0,0 @@
-name: Coolify Helper Image Development
-
-on:
-  push:
-    branches: [ "next" ]
-    paths:
-      - .github/workflows/coolify-helper-next.yml
-      - docker/coolify-helper/Dockerfile
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify-helper"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getHelperVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/coolify-helper/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-${{ matrix.arch }}
-          labels: |
-            coolify.managed=true
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getHelperVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:next
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:next
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_DEV_RELEASE_CHANNEL  }}
-
--- a/.github/workflows/coolify-helper.yml
+++ b/.github/workflows/coolify-helper.yml
@ -1,116 +0,0 @@
-name: Coolify Helper Image
-
-on:
-  push:
-    branches: [ "v4.x" ]
-    paths:
-      - .github/workflows/coolify-helper.yml
-      - docker/coolify-helper/Dockerfile
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify-helper"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getHelperVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/coolify-helper/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-          labels: |
-            coolify.managed=true
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getHelperVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_PROD_RELEASE_CHANNEL  }}
-
--- a/.github/workflows/coolify-production-build.yml
+++ b/.github/workflows/coolify-production-build.yml
@ -1,122 +0,0 @@
-name: Production Build (v4)
-
-on:
-  push:
-    branches: ["v4.x"]
-    paths-ignore:
-      - .github/workflows/coolify-helper.yml
-      - .github/workflows/coolify-helper-next.yml
-      - .github/workflows/coolify-realtime.yml
-      - .github/workflows/coolify-realtime-next.yml
-      - .github/workflows/pr-quality.yaml
-      - docker/coolify-helper/Dockerfile
-      - docker/coolify-realtime/Dockerfile
-      - docker/testing-host/Dockerfile
-      - templates/**
-      - CHANGELOG.md
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/production/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_PROD_RELEASE_CHANNEL  }}
--- a/.github/workflows/coolify-realtime-next.yml
+++ b/.github/workflows/coolify-realtime-next.yml
@ -1,120 +0,0 @@
-name: Coolify Realtime Development
-
-on:
-  push:
-    branches: [ "next" ]
-    paths:
-      - .github/workflows/coolify-realtime-next.yml
-      - docker/coolify-realtime/Dockerfile
-      - docker/coolify-realtime/terminal-server.js
-      - docker/coolify-realtime/package.json
-      - docker/coolify-realtime/package-lock.json
-      - docker/coolify-realtime/soketi-entrypoint.sh
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify-realtime"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getRealtimeVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/coolify-realtime/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-${{ matrix.arch }}
-          labels: |
-            coolify.managed=true
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getRealtimeVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:next
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-next \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:next
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_DEV_RELEASE_CHANNEL  }}
--- a/.github/workflows/coolify-realtime.yml
+++ b/.github/workflows/coolify-realtime.yml
@ -1,120 +0,0 @@
-name: Coolify Realtime
-
-on:
-  push:
-    branches: [ "v4.x" ]
-    paths:
-      - .github/workflows/coolify-realtime.yml
-      - docker/coolify-realtime/Dockerfile
-      - docker/coolify-realtime/terminal-server.js
-      - docker/coolify-realtime/package.json
-      - docker/coolify-realtime/package-lock.json
-      - docker/coolify-realtime/soketi-entrypoint.sh
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify-realtime"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getRealtimeVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/coolify-realtime/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-${{ matrix.arch }}
-          labels: |
-            coolify.managed=true
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Get Version
-        id: version
-        run: |
-          echo "VERSION=$(docker run --rm -v "$(pwd):/app" -w /app php:8.2-alpine3.16 php bootstrap/getRealtimeVersion.php)"|xargs >> $GITHUB_OUTPUT
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }}-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.VERSION }} \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_PROD_RELEASE_CHANNEL  }}
--- a/.github/workflows/coolify-staging-build.yml
+++ b/.github/workflows/coolify-staging-build.yml
@ -1,134 +0,0 @@
-name: Staging Build
-
-on:
-  push:
-    branches-ignore:
-      - v4.x
-      - v3.x
-      - '**v5.x**'
-    paths-ignore:
-        - .github/workflows/coolify-helper.yml
-        - .github/workflows/coolify-helper-next.yml
-        - .github/workflows/coolify-realtime.yml
-        - .github/workflows/coolify-realtime-next.yml
-        - .github/workflows/pr-quality.yaml
-        - docker/coolify-helper/Dockerfile
-        - docker/coolify-realtime/Dockerfile
-        - docker/testing-host/Dockerfile
-        - templates/**
-        - CHANGELOG.md
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Sanitize branch name for Docker tag
-        id: sanitize
-        run: |
-          # Replace slashes and other invalid characters with dashes
-          SANITIZED_NAME=$(echo "${{ github.ref_name }}" | sed 's/[\/]/-/g')
-          echo "tag=${SANITIZED_NAME}" >> $GITHUB_OUTPUT
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/production/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-${{ matrix.arch }}
-          cache-from: |
-            type=gha,scope=build-${{ matrix.arch }}
-            type=registry,ref=${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=build-${{ matrix.arch }}
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Sanitize branch name for Docker tag
-        id: sanitize
-        run: |
-          # Replace slashes and other invalid characters with dashes
-          SANITIZED_NAME=$(echo "${{ github.ref_name }}" | sed 's/[\/]/-/g')
-          echo "tag=${SANITIZED_NAME}" >> $GITHUB_OUTPUT
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-         docker buildx imagetools create \
-         ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-amd64 \
-         ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-aarch64 \
-         --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.sanitize.outputs.tag }}
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_DEV_RELEASE_CHANNEL  }}
--- a/.github/workflows/coolify-testing-host.yml
+++ b/.github/workflows/coolify-testing-host.yml
@ -1,104 +0,0 @@
-name: Coolify Testing Host
-
-on:
-  push:
-    branches: [ "next" ]
-    paths:
-      - .github/workflows/coolify-testing-host.yml
-      - docker/testing-host/Dockerfile
-
-permissions:
-  contents: read
-  packages: write
-
-env:
-  GITHUB_REGISTRY: ghcr.io
-  DOCKER_REGISTRY: docker.io
-  IMAGE_NAME: "coollabsio/coolify-testing-host"
-
-jobs:
-  build-push:
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            platform: linux/amd64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            platform: linux/aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Build and Push Image (${{ matrix.arch }})
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/testing-host/Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.arch }}
-            ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.arch }}
-          labels: |
-            coolify.managed=true
-
-  merge-manifest:
-    runs-on: ubuntu-24.04
-    needs: build-push
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: docker/setup-buildx-action@v3
-
-      - name: Login to ${{ env.GITHUB_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.GITHUB_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN  }}
-
-      - name: Login to ${{ env.DOCKER_REGISTRY }}
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Create & publish manifest on ${{ env.GITHUB_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 \
-          ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-aarch64 \
-          --tag ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - name: Create & publish manifest on ${{ env.DOCKER_REGISTRY }}
-        run: |
-          docker buildx imagetools create \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 \
-          ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest-aarch64 \
-          --tag ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-
-      - uses: sarisia/actions-status-discord@v1
-        if: always()
-        with:
-          webhook: ${{ secrets.DISCORD_WEBHOOK_DEV_RELEASE_CHANNEL  }}
--- a/.github/workflows/generate-changelog.yml
+++ b/.github/workflows/generate-changelog.yml
@ -1,42 +0,0 @@
-name: Generate Changelog
-
-on:
-  push:
-    branches: [ v4.x ]
-    paths-ignore:
-      - .github/workflows/coolify-helper.yml
-      - .github/workflows/coolify-helper-next.yml
-      - .github/workflows/coolify-realtime.yml
-      - .github/workflows/coolify-realtime-next.yml
-      - .github/workflows/pr-quality.yaml
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-jobs:
-  changelog:
-    name: Generate changelog
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate changelog
-        uses: orhun/git-cliff-action@v4
-        with:
-          config: cliff.toml
-          args: --verbose
-        env:
-          OUTPUT: CHANGELOG.md
-          GITHUB_REPO: ${{ github.repository }}
-
-      - name: Commit
-        run: |
-          git config user.name 'github-actions[bot]'
-          git config user.email 'github-actions[bot]@users.noreply.github.com'
-          git add CHANGELOG.md
-          git commit -m "docs: update changelog"
-          git push https://${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git v4.x
--- a/.gitignore
+++ b/.gitignore
@ -38,3 +38,5 @@ docker/coolify-realtime/node_modules
 .DS_Store
 CHANGELOG.md
 /.workspaces
+tests/Browser/Screenshots
+tests/v4/Browser/Screenshots
--- a/README.md
+++ b/README.md
@ -55,6 +55,12 @@ ## Donations

 Thank you so much!

+### Huge Sponsors
+
+* [MVPS](https://www.mvps.net?ref=coolify.io) - Cheap VPS servers at the highest possible quality
+* [SerpAPI](https://serpapi.com?ref=coolify.io) - Google Search API — Scrape Google and other search engines from our fast, easy, and complete API
+*
+
 ### Big Sponsors

 * [23M](https://23m.com?ref=coolify.io) - Your experts for high-availability hosting solutions!
@ -70,9 +76,10 @@ ### Big Sponsors
 * [CompAI](https://www.trycomp.ai?ref=coolify.io) - Open source compliance automation platform
 * [Convex](https://convex.link/coolify.io) - Open-source reactive database for web app developers
 * [CubePath](https://cubepath.com/?ref=coolify.io) - Dedicated Servers & Instant Deploy
-* [Dade2](https://dade2.net/?ref=coolify.io) - IT Consulting, Cloud Solutions & System Integration
+* [Darweb](https://darweb.nl/?ref=coolify.io) - 3D CPQ solutions for ecommerce design
 * [Formbricks](https://formbricks.com?ref=coolify.io) - The open source feedback platform
 * [GoldenVM](https://billing.goldenvm.com?ref=coolify.io) - Premium virtual machine hosting solutions
+* [Greptile](https://www.greptile.com?ref=coolify.io) - The AI Code Reviewer
 * [Hetzner](http://htznr.li/CoolifyXHetzner) - Server, cloud, hosting, and data center solutions
 * [Hostinger](https://www.hostinger.com/vps/coolify-hosting?ref=coolify.io) - Web hosting and VPS solutions
 * [JobsCollider](https://jobscollider.com/remote-jobs?ref=coolify.io) - 30,000+ remote jobs for developers
@ -90,6 +97,7 @@ ### Big Sponsors
 * [Tigris](https://www.tigrisdata.com?ref=coolify.io) - Modern developer data platform
 * [Tolgee](https://tolgee.io?ref=coolify.io) - The open source localization platform
 * [Ubicloud](https://www.ubicloud.com?ref=coolify.io) - Open source cloud infrastructure platform
+* [VPSDime](https://vpsdime.com?ref=coolify.io) - Affordable high-performance VPS hosting solutions


 ### Small Sponsors
@ -126,7 +134,6 @@ ### Small Sponsors
 <a href="https://www.runpod.io/?utm_source=coolify.io"><img width="60px" alt="RunPod" src="https://coolify.io/images/runpod.svg"/></a>
 <a href="https://dartnode.com/?utm_source=coolify.io"><img width="60px" alt="DartNode" src="https://github.com/dartnode.png"/></a>
 <a href="https://github.com/whitesidest"><img width="60px" alt="Tyler Whitesides" src="https://avatars.githubusercontent.com/u/12365916?s=52&v=4"/></a>
-<a href="https://serpapi.com/?utm_source=coolify.io"><img width="60px" alt="SerpAPI" src="https://github.com/serpapi.png"/></a>
 <a href="https://aquarela.io"><img width="60px" alt="Aquarela" src="https://github.com/aquarela-io.png"/></a>
 <a href="https://cryptojobslist.com/?utm_source=coolify.io"><img width="60px" alt="Crypto Jobs List" src="https://github.com/cryptojobslist.png"/></a>
 <a href="https://www.youtube.com/@AlfredNutile?utm_source=coolify.io"><img width="60px" alt="Alfred Nutile" src="https://github.com/alnutile.png"/></a>
--- a/app/Actions/Database/StartDatabaseProxy.php
+++ b/app/Actions/Database/StartDatabaseProxy.php
@ -51,9 +51,11 @@ public function handle(StandaloneRedis|StandalonePostgresql|StandaloneMongodb|St
        }

        $configuration_dir = database_proxy_dir($database->uuid);
+        $host_configuration_dir = $configuration_dir;
        if (isDev()) {
-            $configuration_dir = '/var/lib/docker/volumes/coolify_dev_coolify_data/_data/databases/'.$database->uuid.'/proxy';
+            $host_configuration_dir = '/var/lib/docker/volumes/coolify_dev_coolify_data/_data/databases/'.$database->uuid.'/proxy';
        }
+        $timeoutConfig = $this->buildProxyTimeoutConfig($database->public_port_timeout);
        $nginxconf = <<<EOF
    user  nginx;
    worker_processes  auto;
@ -67,6 +69,7 @@ public function handle(StandaloneRedis|StandalonePostgresql|StandaloneMongodb|St
       server {
            listen $database->public_port;
            proxy_pass $containerName:$internalPort;
+            $timeoutConfig
       }
    }
    EOF;
@ -85,7 +88,7 @@ public function handle(StandaloneRedis|StandalonePostgresql|StandaloneMongodb|St
                    'volumes' => [
                        [
                            'type' => 'bind',
-                            'source' => "$configuration_dir/nginx.conf",
+                            'source' => "$host_configuration_dir/nginx.conf",
                            'target' => '/etc/nginx/nginx.conf',
                        ],
                    ],
@ -112,12 +115,61 @@ public function handle(StandaloneRedis|StandalonePostgresql|StandaloneMongodb|St
        $dockercompose_base64 = base64_encode(Yaml::dump($docker_compose, 4, 2));
        $nginxconf_base64 = base64_encode($nginxconf);
        instant_remote_process(["docker rm -f $proxyContainerName"], $server, false);
-        instant_remote_process([
-            "mkdir -p $configuration_dir",
-            "echo '{$nginxconf_base64}' | base64 -d | tee $configuration_dir/nginx.conf > /dev/null",
-            "echo '{$dockercompose_base64}' | base64 -d | tee $configuration_dir/docker-compose.yaml > /dev/null",
-            "docker compose --project-directory {$configuration_dir} pull",
-            "docker compose --project-directory {$configuration_dir} up -d",
-        ], $server);
+
+        try {
+            instant_remote_process([
+                "mkdir -p $configuration_dir",
+                "echo '{$nginxconf_base64}' | base64 -d | tee $configuration_dir/nginx.conf > /dev/null",
+                "echo '{$dockercompose_base64}' | base64 -d | tee $configuration_dir/docker-compose.yaml > /dev/null",
+                "docker compose --project-directory {$configuration_dir} pull",
+                "docker compose --project-directory {$configuration_dir} up -d",
+            ], $server);
+        } catch (\RuntimeException $e) {
+            if ($this->isNonTransientError($e->getMessage())) {
+                $database->update(['is_public' => false]);
+
+                $team = data_get($database, 'environment.project.team')
+                    ?? data_get($database, 'service.environment.project.team');
+
+                $team?->notify(
+                    new \App\Notifications\Container\ContainerRestarted(
+                        "TCP Proxy for {$database->name} database has been disabled due to error: {$e->getMessage()}",
+                        $server,
+                    )
+                );
+
+                ray("Database proxy for {$database->name} disabled due to non-transient error: {$e->getMessage()}");
+
+                return;
+            }
+
+            throw $e;
+        }
+    }
+
+    private function isNonTransientError(string $message): bool
+    {
+        $nonTransientPatterns = [
+            'port is already allocated',
+            'address already in use',
+            'Bind for',
+        ];
+
+        foreach ($nonTransientPatterns as $pattern) {
+            if (str_contains($message, $pattern)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private function buildProxyTimeoutConfig(?int $timeout): string
+    {
+        if ($timeout === null || $timeout < 1) {
+            $timeout = 3600;
+        }
+
+        return "proxy_timeout {$timeout}s;";
    }
 }
--- a/app/Actions/Database/StartKeydb.php
+++ b/app/Actions/Database/StartKeydb.php
@ -207,6 +207,9 @@ public function handle(StandaloneKeydb $database)
        if ($this->database->enable_ssl) {
            $this->commands[] = "chown -R 999:999 $this->configuration_dir/ssl/server.key $this->configuration_dir/ssl/server.crt";
        }
+        if (! is_null($this->database->keydb_conf) && ! empty($this->database->keydb_conf)) {
+            $this->commands[] = "chown 999:999 $this->configuration_dir/keydb.conf";
+        }
        $this->commands[] = "docker stop -t 10 $container_name 2>/dev/null || true";
        $this->commands[] = "docker rm -f $container_name 2>/dev/null || true";
        $this->commands[] = "docker compose -f $this->configuration_dir/docker-compose.yml up -d";
--- a/app/Actions/Database/StartRedis.php
+++ b/app/Actions/Database/StartRedis.php
@ -204,6 +204,9 @@ public function handle(StandaloneRedis $database)
        if ($this->database->enable_ssl) {
            $this->commands[] = "chown -R 999:999 $this->configuration_dir/ssl/server.key $this->configuration_dir/ssl/server.crt";
        }
+        if (! is_null($this->database->redis_conf) && ! empty($this->database->redis_conf)) {
+            $this->commands[] = "chown 999:999 $this->configuration_dir/redis.conf";
+        }
        $this->commands[] = "docker stop -t 10 $container_name 2>/dev/null || true";
        $this->commands[] = "docker rm -f $container_name 2>/dev/null || true";
        $this->commands[] = "docker compose -f $this->configuration_dir/docker-compose.yml up -d";
--- a/app/Actions/Docker/GetContainersStatus.php
+++ b/app/Actions/Docker/GetContainersStatus.php
@ -327,6 +327,12 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
            if (str($exitedService->status)->startsWith('exited')) {
                continue;
            }
+
+            // Only protection: If no containers at all, Docker query might have failed
+            if ($this->containers->isEmpty()) {
+                continue;
+            }
+
            $name = data_get($exitedService, 'name');
            $fqdn = data_get($exitedService, 'fqdn');
            if ($name) {
@ -406,6 +412,12 @@ public function handle(Server $server, ?Collection $containers = null, ?Collecti
            if (str($database->status)->startsWith('exited')) {
                continue;
            }
+
+            // Only protection: If no containers at all, Docker query might have failed
+            if ($this->containers->isEmpty()) {
+                continue;
+            }
+
            // Reset restart tracking when database exits completely
            $database->update([
                'status' => 'exited',
--- a/app/Actions/Fortify/CreateNewUser.php
+++ b/app/Actions/Fortify/CreateNewUser.php
@ -2,6 +2,7 @@

 namespace App\Actions\Fortify;

+use App\Jobs\NotifySetupCompleteJob;
 use App\Models\User;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
@ -35,6 +36,14 @@ public function create(array $input): User
        ])->validate();

        if (User::count() == 0) {
+            // MapleDeploy: validate setup token for first user registration
+            if ($settings->setup_token) {
+                $providedToken = $input['setup_token'] ?? null;
+                if (! $providedToken || ! hash_equals($settings->setup_token, $providedToken)) {
+                    abort(403);
+                }
+            }
+
            // If this is the first user, make them the root user
            // Team is already created in the database/seeders/ProductionSeeder.php
            $user = User::create([
@ -48,7 +57,18 @@ public function create(array $input): User
            // Disable registration after first user is created
            $settings = instanceSettings();
            $settings->is_registration_enabled = false;
+
+            // MapleDeploy: notify control plane that setup is complete
+            // Capture token before clearing so the job can authenticate with it
+            $callbackUrl = $settings->setup_callback_url;
+            $token = $settings->setup_token;
+            $settings->setup_token = null;
+            $settings->setup_callback_url = null;
            $settings->save();
+
+            if ($callbackUrl && $token) {
+                NotifySetupCompleteJob::dispatch($token, $callbackUrl);
+            }
        } else {
            $user = User::create([
                'name' => $input['name'],
--- a/app/Actions/Proxy/CheckProxy.php
+++ b/app/Actions/Proxy/CheckProxy.php
@ -102,7 +102,8 @@ public function handle(Server $server, $fromUI = false): bool
            foreach ($conflicts as $port => $conflict) {
                if ($conflict) {
                    if ($fromUI) {
-                        throw new \Exception("Port $port is in use.<br>You must stop the process using this port.<br><br>Docs: <a target='_blank' class='dark:text-white hover:underline' href='https://coolify.io/docs'>https://coolify.io/docs</a><br>Discord: <a target='_blank' class='dark:text-white hover:underline' href='https://coolify.io/discord'>https://coolify.io/discord</a>");
+                        // MapleDeploy branding: support links
+                        throw new \Exception("Port $port is in use.<br>You must stop the process using this port.<br><br>Support: <a target='_blank' class='dark:text-white hover:underline' href='https://mapledeploy.ca/contact'>https://mapledeploy.ca/contact</a>");
                    } else {
                        return false;
                    }
--- a/app/Actions/Proxy/GetProxyConfiguration.php
+++ b/app/Actions/Proxy/GetProxyConfiguration.php
@ -4,6 +4,7 @@

 use App\Models\Server;
 use App\Services\ProxyDashboardCacheService;
+use Illuminate\Support\Facades\Log;
 use Lorisleiva\Actions\Concerns\AsAction;

 class GetProxyConfiguration
@ -17,28 +18,31 @@ public function handle(Server $server, bool $forceRegenerate = false): string
            return 'OK';
        }

-        $proxy_path = $server->proxyPath();
        $proxy_configuration = null;

-        // If not forcing regeneration, try to read existing configuration
        if (! $forceRegenerate) {
-            $payload = [
-                "mkdir -p $proxy_path",
-                "cat $proxy_path/docker-compose.yml 2>/dev/null",
-            ];
-            $proxy_configuration = instant_remote_process($payload, $server, false);
+            // Primary source: database
+            $proxy_configuration = $server->proxy->get('last_saved_proxy_configuration');
+
+            // Backfill: existing servers may not have DB config yet — read from disk once
+            if (empty(trim($proxy_configuration ?? ''))) {
+                $proxy_configuration = $this->backfillFromDisk($server);
+            }
        }

-        // Generate default configuration if:
-        // 1. Force regenerate is requested
-        // 2. Configuration file doesn't exist or is empty
+        // Generate default configuration as last resort
        if ($forceRegenerate || empty(trim($proxy_configuration ?? ''))) {
-            // Extract custom commands from existing config before regenerating
            $custom_commands = [];
            if (! empty(trim($proxy_configuration ?? ''))) {
                $custom_commands = extractCustomProxyCommands($server, $proxy_configuration);
            }

+            Log::warning('Proxy configuration regenerated to defaults', [
+                'server_id' => $server->id,
+                'server_name' => $server->name,
+                'reason' => $forceRegenerate ? 'force_regenerate' : 'config_not_found',
+            ]);
+
            $proxy_configuration = str(generateDefaultProxyConfiguration($server, $custom_commands))->trim()->value();
        }

@ -50,4 +54,30 @@ public function handle(Server $server, bool $forceRegenerate = false): string

        return $proxy_configuration;
    }
+
+    /**
+     * Backfill: read config from disk for servers that predate DB storage.
+     * Stores the result in the database so future reads skip SSH entirely.
+     */
+    private function backfillFromDisk(Server $server): ?string
+    {
+        $proxy_path = $server->proxyPath();
+        $result = instant_remote_process([
+            "mkdir -p $proxy_path",
+            "cat $proxy_path/docker-compose.yml 2>/dev/null",
+        ], $server, false);
+
+        if (! empty(trim($result ?? ''))) {
+            $server->proxy->last_saved_proxy_configuration = $result;
+            $server->save();
+
+            Log::info('Proxy config backfilled to database from disk', [
+                'server_id' => $server->id,
+            ]);
+
+            return $result;
+        }
+
+        return null;
+    }
 }
--- a/app/Actions/Proxy/SaveProxyConfiguration.php
+++ b/app/Actions/Proxy/SaveProxyConfiguration.php
@ -9,19 +9,41 @@ class SaveProxyConfiguration
 {
    use AsAction;

+    private const MAX_BACKUPS = 10;
+
    public function handle(Server $server, string $configuration): void
    {
        $proxy_path = $server->proxyPath();
        $docker_compose_yml_base64 = base64_encode($configuration);
+        $new_hash = str($docker_compose_yml_base64)->pipe('md5')->value;

-        // Update the saved settings hash
-        $server->proxy->last_saved_settings = str($docker_compose_yml_base64)->pipe('md5')->value;
+        // Only create a backup if the configuration actually changed
+        $old_hash = $server->proxy->get('last_saved_settings');
+        $config_changed = $old_hash && $old_hash !== $new_hash;
+
+        // Update the saved settings hash and store full config as database backup
+        $server->proxy->last_saved_settings = $new_hash;
+        $server->proxy->last_saved_proxy_configuration = $configuration;
        $server->save();

-        // Transfer the configuration file to the server
-        instant_remote_process([
-            "mkdir -p $proxy_path",
-            "echo '$docker_compose_yml_base64' | base64 -d | tee $proxy_path/docker-compose.yml > /dev/null",
-        ], $server);
+        $backup_path = "$proxy_path/backups";
+
+        // Transfer the configuration file to the server, with backup if changed
+        $commands = ["mkdir -p $proxy_path"];
+
+        if ($config_changed) {
+            $short_hash = substr($old_hash, 0, 8);
+            $timestamp = now()->format('Y-m-d_H-i-s');
+            $backup_file = "docker-compose.{$timestamp}.{$short_hash}.yml";
+            $commands[] = "mkdir -p $backup_path";
+            // Skip backup if a file with the same hash already exists (identical content)
+            $commands[] = "ls $backup_path/docker-compose.*.$short_hash.yml 1>/dev/null 2>&1 || cp -f $proxy_path/docker-compose.yml $backup_path/$backup_file 2>/dev/null || true";
+            // Prune old backups, keep only the most recent ones
+            $commands[] = 'cd '.$backup_path.' && ls -1t docker-compose.*.yml 2>/dev/null | tail -n +'.((int) self::MAX_BACKUPS + 1).' | xargs rm -f 2>/dev/null || true';
+        }
+
+        $commands[] = "echo '$docker_compose_yml_base64' | base64 -d | tee $proxy_path/docker-compose.yml > /dev/null";
+
+        instant_remote_process($commands, $server);
    }
 }
--- a/app/Actions/Server/CleanupDocker.php
+++ b/app/Actions/Server/CleanupDocker.php
@ -177,9 +177,10 @@ private function cleanupApplicationImages(Server $server, $applications = null):
                ->filter(fn ($image) => ! empty($image['tag']));

            // Separate images into categories
-            // PR images (pr-*) and build images (*-build) are excluded from retention
-            // Build images will be cleaned up by docker image prune -af
+            // PR images (pr-*) are always deleted
+            // Build images (*-build) are cleaned up to match retained regular images
            $prImages = $images->filter(fn ($image) => str_starts_with($image['tag'], 'pr-'));
+            $buildImages = $images->filter(fn ($image) => ! str_starts_with($image['tag'], 'pr-') && str_ends_with($image['tag'], '-build'));
            $regularImages = $images->filter(fn ($image) => ! str_starts_with($image['tag'], 'pr-') && ! str_ends_with($image['tag'], '-build'));

            // Always delete all PR images
@ -209,6 +210,26 @@ private function cleanupApplicationImages(Server $server, $applications = null):
                    'output' => $deleteOutput ?? 'Image removed or was in use',
                ];
            }
+
+            // Clean up build images (-build suffix) that don't correspond to retained regular images
+            // Build images are intermediate artifacts (e.g. Nixpacks) not used by running containers.
+            // If a build is in progress, docker rmi will fail silently since the image is in use.
+            $keptTags = $sortedRegularImages->take($imagesToKeep)->pluck('tag');
+            if (! empty($currentTag)) {
+                $keptTags = $keptTags->push($currentTag);
+            }
+
+            foreach ($buildImages as $image) {
+                $baseTag = preg_replace('/-build$/', '', $image['tag']);
+                if (! $keptTags->contains($baseTag)) {
+                    $deleteCommand = "docker rmi {$image['image_ref']} 2>/dev/null || true";
+                    $deleteOutput = instant_remote_process([$deleteCommand], $server, false);
+                    $cleanupLog[] = [
+                        'command' => $deleteCommand,
+                        'output' => $deleteOutput ?? 'Build image removed or was in use',
+                    ];
+                }
+            }
        }

        return $cleanupLog;
--- a/app/Actions/Server/InstallDocker.php
+++ b/app/Actions/Server/InstallDocker.php
@ -30,12 +30,14 @@ public function handle(Server $server)
            );
            $caCertPath = config('constants.coolify.base_config_path').'/ssl/';

+            $base64Cert = base64_encode($serverCert->ssl_certificate);
+
            $commands = collect([
                "mkdir -p $caCertPath",
                "chown -R 9999:root $caCertPath",
                "chmod -R 700 $caCertPath",
                "rm -rf $caCertPath/coolify-ca.crt",
-                "echo '{$serverCert->ssl_certificate}' > $caCertPath/coolify-ca.crt",
+                "echo '{$base64Cert}' | base64 -d | tee $caCertPath/coolify-ca.crt > /dev/null",
                "chmod 644 $caCertPath/coolify-ca.crt",
            ]);
            remote_process($commands, $server);
--- a/app/Actions/Server/StartLogDrain.php
+++ b/app/Actions/Server/StartLogDrain.php
@ -177,6 +177,19 @@ public function handle(Server $server)
            $parsers_config = $config_path.'/parsers.conf';
            $compose_path = $config_path.'/docker-compose.yml';
            $readme_path = $config_path.'/README.md';
+            if ($type === 'newrelic') {
+                $envContent = "LICENSE_KEY={$license_key}\nBASE_URI={$base_uri}\n";
+            } elseif ($type === 'highlight') {
+                $envContent = "HIGHLIGHT_PROJECT_ID={$server->settings->logdrain_highlight_project_id}\n";
+            } elseif ($type === 'axiom') {
+                $envContent = "AXIOM_DATASET_NAME={$server->settings->logdrain_axiom_dataset_name}\nAXIOM_API_KEY={$server->settings->logdrain_axiom_api_key}\n";
+            } elseif ($type === 'custom') {
+                $envContent = '';
+            } else {
+                throw new \Exception('Unknown log drain type.');
+            }
+            $envEncoded = base64_encode($envContent);
+
            $command = [
                "echo 'Saving configuration'",
                "mkdir -p $config_path",
@ -184,34 +197,10 @@ public function handle(Server $server)
                "echo '{$config}' | base64 -d | tee $fluent_bit_config > /dev/null",
                "echo '{$compose}' | base64 -d | tee $compose_path > /dev/null",
                "echo '{$readme}' | base64 -d | tee $readme_path > /dev/null",
-                "test -f $config_path/.env && rm $config_path/.env",
-            ];
-            if ($type === 'newrelic') {
-                $add_envs_command = [
-                    "echo LICENSE_KEY=$license_key >> $config_path/.env",
-                    "echo BASE_URI=$base_uri >> $config_path/.env",
-                ];
-            } elseif ($type === 'highlight') {
-                $add_envs_command = [
-                    "echo HIGHLIGHT_PROJECT_ID={$server->settings->logdrain_highlight_project_id} >> $config_path/.env",
-                ];
-            } elseif ($type === 'axiom') {
-                $add_envs_command = [
-                    "echo AXIOM_DATASET_NAME={$server->settings->logdrain_axiom_dataset_name} >> $config_path/.env",
-                    "echo AXIOM_API_KEY={$server->settings->logdrain_axiom_api_key} >> $config_path/.env",
-                ];
-            } elseif ($type === 'custom') {
-                $add_envs_command = [
-                    "touch $config_path/.env",
-                ];
-            } else {
-                throw new \Exception('Unknown log drain type.');
-            }
-            $restart_command = [
+                "echo '{$envEncoded}' | base64 -d | tee $config_path/.env > /dev/null",
                "echo 'Starting Fluent Bit'",
                "cd $config_path && docker compose up -d",
            ];
-            $command = array_merge($command, $add_envs_command, $restart_command);

            return instant_remote_process($command, $server);
        } catch (\Throwable $e) {
--- a/app/Actions/Server/StartSentinel.php
+++ b/app/Actions/Server/StartSentinel.php
@ -4,6 +4,7 @@

 use App\Events\SentinelRestarted;
 use App\Models\Server;
+use App\Models\ServerSetting;
 use Lorisleiva\Actions\Concerns\AsAction;

 class StartSentinel
@ -23,6 +24,9 @@ public function handle(Server $server, bool $restart = false, ?string $latestVer
        $refreshRate = data_get($server, 'settings.sentinel_metrics_refresh_rate_seconds');
        $pushInterval = data_get($server, 'settings.sentinel_push_interval_seconds');
        $token = data_get($server, 'settings.sentinel_token');
+        if (! ServerSetting::isValidSentinelToken($token)) {
+            throw new \RuntimeException('Invalid sentinel token format. Token must contain only alphanumeric characters, dots, hyphens, and underscores.');
+        }
        $endpoint = data_get($server, 'settings.sentinel_custom_url');
        $debug = data_get($server, 'settings.is_sentinel_debug_enabled');
        $mountDir = '/data/coolify/sentinel';
@ -49,7 +53,7 @@ public function handle(Server $server, bool $restart = false, ?string $latestVer
            }
            $mountDir = '/var/lib/docker/volumes/coolify_dev_coolify_data/_data/sentinel';
        }
-        $dockerEnvironments = '-e "'.implode('" -e "', array_map(fn ($key, $value) => "$key=$value", array_keys($environments), $environments)).'"';
+        $dockerEnvironments = implode(' ', array_map(fn ($key, $value) => '-e '.escapeshellarg("$key=$value"), array_keys($environments), $environments));
        $dockerLabels = implode(' ', array_map(fn ($key, $value) => "$key=$value", array_keys($labels), $labels));
        $dockerCommand = "docker run -d $dockerEnvironments --name coolify-sentinel -v /var/run/docker.sock:/var/run/docker.sock -v $mountDir:/app/db --pid host --health-cmd \"curl --fail http://127.0.0.1:8888/api/health || exit 1\" --health-interval 10s --health-retries 3 --add-host=host.docker.internal:host-gateway --label $dockerLabels $image";

--- a/app/Actions/Server/UpdateCoolify.php
+++ b/app/Actions/Server/UpdateCoolify.php
@ -119,9 +119,11 @@ private function update()
        $latestHelperImageVersion = getHelperVersion();
        $upgradeScriptUrl = config('constants.coolify.upgrade_script_url');

+        $registryUrl = config('constants.coolify.registry_url');
+
        remote_process([
            "curl -fsSL {$upgradeScriptUrl} -o /data/coolify/source/upgrade.sh",
-            "bash /data/coolify/source/upgrade.sh $this->latestVersion $latestHelperImageVersion",
+            "bash /data/coolify/source/upgrade.sh $this->latestVersion $latestHelperImageVersion $registryUrl",
        ], $this->server);
    }
 }
--- a/app/Actions/Stripe/CancelSubscriptionAtPeriodEnd.php
+++ b/app/Actions/Stripe/CancelSubscriptionAtPeriodEnd.php
@ -0,0 +1,60 @@
+<?php
+
+namespace App\Actions\Stripe;
+
+use App\Models\Team;
+use Stripe\StripeClient;
+
+class CancelSubscriptionAtPeriodEnd
+{
+    private StripeClient $stripe;
+
+    public function __construct(?StripeClient $stripe = null)
+    {
+        $this->stripe = $stripe ?? new StripeClient(config('subscription.stripe_api_key'));
+    }
+
+    /**
+     * Cancel the team's subscription at the end of the current billing period.
+     *
+     * @return array{success: bool, error: string|null}
+     */
+    public function execute(Team $team): array
+    {
+        $subscription = $team->subscription;
+
+        if (! $subscription?->stripe_subscription_id) {
+            return ['success' => false, 'error' => 'No active subscription found.'];
+        }
+
+        if (! $subscription->stripe_invoice_paid) {
+            return ['success' => false, 'error' => 'Subscription is not active.'];
+        }
+
+        if ($subscription->stripe_cancel_at_period_end) {
+            return ['success' => false, 'error' => 'Subscription is already set to cancel at the end of the billing period.'];
+        }
+
+        try {
+            $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
+                'cancel_at_period_end' => true,
+            ]);
+
+            $subscription->update([
+                'stripe_cancel_at_period_end' => true,
+            ]);
+
+            \Log::info("Subscription {$subscription->stripe_subscription_id} set to cancel at period end for team {$team->name}");
+
+            return ['success' => true, 'error' => null];
+        } catch (\Stripe\Exception\InvalidRequestException $e) {
+            \Log::error("Stripe cancel at period end error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'Stripe error: '.$e->getMessage()];
+        } catch (\Exception $e) {
+            \Log::error("Cancel at period end error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'An unexpected error occurred. Please contact support.'];
+        }
+    }
+}
--- a/app/Actions/Stripe/RefundSubscription.php
+++ b/app/Actions/Stripe/RefundSubscription.php
@ -0,0 +1,141 @@
+<?php
+
+namespace App\Actions\Stripe;
+
+use App\Models\Team;
+use Stripe\StripeClient;
+
+class RefundSubscription
+{
+    private StripeClient $stripe;
+
+    private const REFUND_WINDOW_DAYS = 30;
+
+    public function __construct(?StripeClient $stripe = null)
+    {
+        $this->stripe = $stripe ?? new StripeClient(config('subscription.stripe_api_key'));
+    }
+
+    /**
+     * Check if the team's subscription is eligible for a refund.
+     *
+     * @return array{eligible: bool, days_remaining: int, reason: string}
+     */
+    public function checkEligibility(Team $team): array
+    {
+        $subscription = $team->subscription;
+
+        if ($subscription?->stripe_refunded_at) {
+            return $this->ineligible('A refund has already been processed for this team.');
+        }
+
+        if (! $subscription?->stripe_subscription_id) {
+            return $this->ineligible('No active subscription found.');
+        }
+
+        if (! $subscription->stripe_invoice_paid) {
+            return $this->ineligible('Subscription invoice is not paid.');
+        }
+
+        try {
+            $stripeSubscription = $this->stripe->subscriptions->retrieve($subscription->stripe_subscription_id);
+        } catch (\Stripe\Exception\InvalidRequestException $e) {
+            return $this->ineligible('Subscription not found in Stripe.');
+        }
+
+        if (! in_array($stripeSubscription->status, ['active', 'trialing'])) {
+            return $this->ineligible("Subscription status is '{$stripeSubscription->status}'.");
+        }
+
+        $startDate = \Carbon\Carbon::createFromTimestamp($stripeSubscription->start_date);
+        $daysSinceStart = (int) $startDate->diffInDays(now());
+        $daysRemaining = self::REFUND_WINDOW_DAYS - $daysSinceStart;
+
+        if ($daysRemaining <= 0) {
+            return $this->ineligible('The 30-day refund window has expired.');
+        }
+
+        return [
+            'eligible' => true,
+            'days_remaining' => $daysRemaining,
+            'reason' => 'Eligible for refund.',
+        ];
+    }
+
+    /**
+     * Process a full refund and cancel the subscription.
+     *
+     * @return array{success: bool, error: string|null}
+     */
+    public function execute(Team $team): array
+    {
+        $eligibility = $this->checkEligibility($team);
+
+        if (! $eligibility['eligible']) {
+            return ['success' => false, 'error' => $eligibility['reason']];
+        }
+
+        $subscription = $team->subscription;
+
+        try {
+            $invoices = $this->stripe->invoices->all([
+                'subscription' => $subscription->stripe_subscription_id,
+                'status' => 'paid',
+                'limit' => 1,
+            ]);
+
+            if (empty($invoices->data)) {
+                return ['success' => false, 'error' => 'No paid invoice found to refund.'];
+            }
+
+            $invoice = $invoices->data[0];
+            $paymentIntentId = $invoice->payment_intent;
+
+            if (! $paymentIntentId) {
+                return ['success' => false, 'error' => 'No payment intent found on the invoice.'];
+            }
+
+            $this->stripe->refunds->create([
+                'payment_intent' => $paymentIntentId,
+            ]);
+
+            $this->stripe->subscriptions->cancel($subscription->stripe_subscription_id);
+
+            $subscription->update([
+                'stripe_cancel_at_period_end' => false,
+                'stripe_invoice_paid' => false,
+                'stripe_trial_already_ended' => false,
+                'stripe_past_due' => false,
+                'stripe_feedback' => 'Refund requested by user',
+                'stripe_comment' => 'Full refund processed within 30-day window at '.now()->toDateTimeString(),
+                'stripe_refunded_at' => now(),
+            ]);
+
+            $team->subscriptionEnded();
+
+            \Log::info("Refunded and cancelled subscription {$subscription->stripe_subscription_id} for team {$team->name}");
+
+            return ['success' => true, 'error' => null];
+        } catch (\Stripe\Exception\InvalidRequestException $e) {
+            \Log::error("Stripe refund error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'Stripe error: '.$e->getMessage()];
+        } catch (\Exception $e) {
+            \Log::error("Refund error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'An unexpected error occurred. Please contact support.'];
+        }
+    }
+
+    /**
+     * @return array{eligible: bool, days_remaining: int, reason: string}
+     */
+    private function ineligible(string $reason): array
+    {
+        return [
+            'eligible' => false,
+            'days_remaining' => 0,
+            'reason' => $reason,
+        ];
+    }
+}
--- a/app/Actions/Stripe/ResumeSubscription.php
+++ b/app/Actions/Stripe/ResumeSubscription.php
@ -0,0 +1,56 @@
+<?php
+
+namespace App\Actions\Stripe;
+
+use App\Models\Team;
+use Stripe\StripeClient;
+
+class ResumeSubscription
+{
+    private StripeClient $stripe;
+
+    public function __construct(?StripeClient $stripe = null)
+    {
+        $this->stripe = $stripe ?? new StripeClient(config('subscription.stripe_api_key'));
+    }
+
+    /**
+     * Resume a subscription that was set to cancel at the end of the billing period.
+     *
+     * @return array{success: bool, error: string|null}
+     */
+    public function execute(Team $team): array
+    {
+        $subscription = $team->subscription;
+
+        if (! $subscription?->stripe_subscription_id) {
+            return ['success' => false, 'error' => 'No active subscription found.'];
+        }
+
+        if (! $subscription->stripe_cancel_at_period_end) {
+            return ['success' => false, 'error' => 'Subscription is not set to cancel.'];
+        }
+
+        try {
+            $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
+                'cancel_at_period_end' => false,
+            ]);
+
+            $subscription->update([
+                'stripe_cancel_at_period_end' => false,
+            ]);
+
+            \Log::info("Subscription {$subscription->stripe_subscription_id} resumed for team {$team->name}");
+
+            return ['success' => true, 'error' => null];
+        } catch (\Stripe\Exception\InvalidRequestException $e) {
+            \Log::error("Stripe resume subscription error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'Stripe error: '.$e->getMessage()];
+        } catch (\Exception $e) {
+            \Log::error("Resume subscription error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'An unexpected error occurred. Please contact support.'];
+        }
+    }
+}
--- a/app/Actions/Stripe/UpdateSubscriptionQuantity.php
+++ b/app/Actions/Stripe/UpdateSubscriptionQuantity.php
@ -0,0 +1,197 @@
+<?php
+
+namespace App\Actions\Stripe;
+
+use App\Jobs\ServerLimitCheckJob;
+use App\Models\Team;
+use Stripe\StripeClient;
+
+class UpdateSubscriptionQuantity
+{
+    public const int MAX_SERVER_LIMIT = 100;
+
+    public const int MIN_SERVER_LIMIT = 2;
+
+    private StripeClient $stripe;
+
+    public function __construct(?StripeClient $stripe = null)
+    {
+        $this->stripe = $stripe ?? new StripeClient(config('subscription.stripe_api_key'));
+    }
+
+    /**
+     * Fetch a full price preview for a quantity change from Stripe.
+     * Returns both the prorated amount due now and the recurring cost for the next billing cycle.
+     *
+     * @return array{success: bool, error: string|null, preview: array{due_now: int, recurring_subtotal: int, recurring_tax: int, recurring_total: int, unit_price: int, tax_description: string|null, quantity: int, currency: string}|null}
+     */
+    public function fetchPricePreview(Team $team, int $quantity): array
+    {
+        $subscription = $team->subscription;
+
+        if (! $subscription?->stripe_subscription_id || ! $subscription->stripe_invoice_paid) {
+            return ['success' => false, 'error' => 'No active subscription found.', 'preview' => null];
+        }
+
+        try {
+            $stripeSubscription = $this->stripe->subscriptions->retrieve($subscription->stripe_subscription_id);
+            $item = $stripeSubscription->items->data[0] ?? null;
+
+            if (! $item) {
+                return ['success' => false, 'error' => 'Could not retrieve subscription details.', 'preview' => null];
+            }
+
+            $currency = strtoupper($item->price->currency ?? 'usd');
+
+            // Upcoming invoice gives us the prorated amount due now
+            $upcomingInvoice = $this->stripe->invoices->upcoming([
+                'customer' => $subscription->stripe_customer_id,
+                'subscription' => $subscription->stripe_subscription_id,
+                'subscription_items' => [
+                    ['id' => $item->id, 'quantity' => $quantity],
+                ],
+                'subscription_proration_behavior' => 'create_prorations',
+            ]);
+
+            // Extract tax percentage — try total_tax_amounts first, fall back to invoice tax/subtotal
+            $taxPercentage = 0.0;
+            $taxDescription = null;
+            if (! empty($upcomingInvoice->total_tax_amounts)) {
+                $taxAmount = $upcomingInvoice->total_tax_amounts[0] ?? null;
+                if ($taxAmount?->tax_rate) {
+                    $taxRate = $this->stripe->taxRates->retrieve($taxAmount->tax_rate);
+                    $taxPercentage = (float) ($taxRate->percentage ?? 0);
+                    $taxDescription = $taxRate->display_name.' ('.$taxRate->jurisdiction.') '.$taxRate->percentage.'%';
+                }
+            }
+            // Fallback tax percentage from invoice totals - use tax_rate details when available for accuracy
+            if ($taxPercentage === 0.0 && ($upcomingInvoice->tax ?? 0) > 0 && ($upcomingInvoice->subtotal ?? 0) > 0) {
+                $taxPercentage = round(($upcomingInvoice->tax / $upcomingInvoice->subtotal) * 100, 2);
+            }
+
+            // Recurring cost for next cycle — read from non-proration invoice lines
+            $recurringSubtotal = 0;
+            foreach ($upcomingInvoice->lines->data as $line) {
+                if (! $line->proration) {
+                    $recurringSubtotal += $line->amount;
+                }
+            }
+            $unitPrice = $quantity > 0 ? (int) round($recurringSubtotal / $quantity) : 0;
+
+            $recurringTax = $taxPercentage > 0
+                ? (int) round($recurringSubtotal * $taxPercentage / 100)
+                : 0;
+            $recurringTotal = $recurringSubtotal + $recurringTax;
+
+            // Due now = amount_due (accounts for customer balance/credits) minus recurring
+            $amountDue = $upcomingInvoice->amount_due ?? $upcomingInvoice->total ?? 0;
+            $dueNow = $amountDue - $recurringTotal;
+
+            return [
+                'success' => true,
+                'error' => null,
+                'preview' => [
+                    'due_now' => $dueNow,
+                    'recurring_subtotal' => $recurringSubtotal,
+                    'recurring_tax' => $recurringTax,
+                    'recurring_total' => $recurringTotal,
+                    'unit_price' => $unitPrice,
+                    'tax_description' => $taxDescription,
+                    'quantity' => $quantity,
+                    'currency' => $currency,
+                ],
+            ];
+        } catch (\Exception $e) {
+            \Log::warning("Stripe fetch price preview error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'Could not load price preview.', 'preview' => null];
+        }
+    }
+
+    /**
+     * Update the subscription quantity (server limit) for a team.
+     *
+     * @return array{success: bool, error: string|null}
+     */
+    public function execute(Team $team, int $quantity): array
+    {
+        if ($quantity < self::MIN_SERVER_LIMIT) {
+            return ['success' => false, 'error' => 'Minimum server limit is '.self::MIN_SERVER_LIMIT.'.'];
+        }
+
+        $subscription = $team->subscription;
+
+        if (! $subscription?->stripe_subscription_id) {
+            return ['success' => false, 'error' => 'No active subscription found.'];
+        }
+
+        if (! $subscription->stripe_invoice_paid) {
+            return ['success' => false, 'error' => 'Subscription is not active.'];
+        }
+
+        try {
+            $stripeSubscription = $this->stripe->subscriptions->retrieve($subscription->stripe_subscription_id);
+            $item = $stripeSubscription->items->data[0] ?? null;
+
+            if (! $item?->id) {
+                return ['success' => false, 'error' => 'Could not find subscription item.'];
+            }
+
+            $previousQuantity = $item->quantity ?? $team->custom_server_limit;
+
+            $updatedSubscription = $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
+                'items' => [
+                    ['id' => $item->id, 'quantity' => $quantity],
+                ],
+                'proration_behavior' => 'always_invoice',
+                'expand' => ['latest_invoice'],
+            ]);
+
+            // Check if the proration invoice was paid
+            $latestInvoice = $updatedSubscription->latest_invoice;
+            if ($latestInvoice && $latestInvoice->status !== 'paid') {
+                \Log::warning("Subscription {$subscription->stripe_subscription_id} quantity updated but invoice not paid (status: {$latestInvoice->status}) for team {$team->name}. Reverting to {$previousQuantity}.");
+
+                // Revert subscription quantity on Stripe
+                $this->stripe->subscriptions->update($subscription->stripe_subscription_id, [
+                    'items' => [
+                        ['id' => $item->id, 'quantity' => $previousQuantity],
+                    ],
+                    'proration_behavior' => 'none',
+                ]);
+
+                // Void the unpaid invoice
+                if ($latestInvoice->id) {
+                    $this->stripe->invoices->voidInvoice($latestInvoice->id);
+                }
+
+                return ['success' => false, 'error' => 'Payment failed. Your server limit was not changed. Please check your payment method and try again.'];
+            }
+
+            $team->update([
+                'custom_server_limit' => $quantity,
+            ]);
+
+            ServerLimitCheckJob::dispatch($team);
+
+            \Log::info("Subscription {$subscription->stripe_subscription_id} quantity updated to {$quantity} for team {$team->name}");
+
+            return ['success' => true, 'error' => null];
+        } catch (\Stripe\Exception\InvalidRequestException $e) {
+            \Log::error("Stripe update quantity error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'Stripe error: '.$e->getMessage()];
+        } catch (\Exception $e) {
+            \Log::error("Update subscription quantity error for team {$team->id}: ".$e->getMessage());
+
+            return ['success' => false, 'error' => 'An unexpected error occurred. Please contact support.'];
+        }
+    }
+
+    private function formatAmount(int $cents, string $currency): string
+    {
+        return strtoupper($currency) === 'USD'
+            ? '$'.number_format($cents / 100, 2)
+            : number_format($cents / 100, 2).' '.$currency;
+    }
+}
--- a/app/Console/Commands/CleanupUnreachableServers.php
+++ b/app/Console/Commands/CleanupUnreachableServers.php
@ -14,7 +14,7 @@ class CleanupUnreachableServers extends Command
    public function handle()
    {
        echo "Running unreachable server cleanup...\n";
-        $servers = Server::where('unreachable_count', 3)->where('unreachable_notification_sent', true)->where('updated_at', '<', now()->subDays(7))->get();
+        $servers = Server::where('unreachable_count', '>=', 3)->where('unreachable_notification_sent', true)->where('updated_at', '<', now()->subDays(7))->get();
        if ($servers->count() > 0) {
            foreach ($servers as $server) {
                echo "Cleanup unreachable server ($server->id) with name $server->name";
--- a/app/Console/Commands/Cloud/SyncStripeSubscriptions.php
+++ b/app/Console/Commands/Cloud/SyncStripeSubscriptions.php
@ -36,7 +36,14 @@ public function handle(): int
        $this->newLine();

        $job = new SyncStripeSubscriptionsJob($fix);
-        $result = $job->handle();
+        $fetched = 0;
+        $result = $job->handle(function (int $count) use (&$fetched): void {
+            $fetched = $count;
+            $this->output->write("\r  Fetching subscriptions from Stripe... {$fetched}");
+        });
+        if ($fetched > 0) {
+            $this->output->write("\r".str_repeat(' ', 60)."\r");
+        }

        if (isset($result['error'])) {
            $this->error($result['error']);
@ -68,6 +75,19 @@ public function handle(): int
            $this->info('No discrepancies found. All subscriptions are in sync.');
        }

+        if (count($result['resubscribed']) > 0) {
+            $this->newLine();
+            $this->warn('Resubscribed users (same email, different customer): '.count($result['resubscribed']));
+            $this->newLine();
+
+            foreach ($result['resubscribed'] as $resub) {
+                $this->line("  - Team ID: {$resub['team_id']} | Email: {$resub['email']}");
+                $this->line("    Old: {$resub['old_stripe_subscription_id']} (cus: {$resub['old_stripe_customer_id']})");
+                $this->line("    New: {$resub['new_stripe_subscription_id']} (cus: {$resub['new_stripe_customer_id']}) [{$resub['new_status']}]");
+                $this->newLine();
+            }
+        }
+
        if (count($result['errors']) > 0) {
            $this->newLine();
            $this->error('Errors encountered: '.count($result['errors']));
--- a/app/Console/Commands/Generate/OpenApi.php
+++ b/app/Console/Commands/Generate/OpenApi.php
@ -32,7 +32,8 @@ public function handle()
        echo $process->output();

        $yaml = file_get_contents('openapi.yaml');
-        $json = json_encode(Yaml::parse($yaml), JSON_PRETTY_PRINT);
+        
+        $json = json_encode(Yaml::parse($yaml), JSON_PRETTY_PRINT)."\n";
        file_put_contents('openapi.json', $json);
        echo "Converted OpenAPI YAML to JSON.\n";
    }
--- a/app/Console/Commands/GenerateTestingSchema.php
+++ b/app/Console/Commands/GenerateTestingSchema.php
@ -0,0 +1,222 @@
+<?php
+
+namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+use Illuminate\Support\Facades\DB;
+
+class GenerateTestingSchema extends Command
+{
+    protected $signature = 'schema:generate-testing {--connection=pgsql : The database connection to read from}';
+
+    protected $description = 'Generate SQLite testing schema from the PostgreSQL database';
+
+    private array $typeMap = [
+        '/\bbigint\b/' => 'INTEGER',
+        '/\binteger\b/' => 'INTEGER',
+        '/\bsmallint\b/' => 'INTEGER',
+        '/\bboolean\b/' => 'INTEGER',
+        '/character varying\(\d+\)/' => 'TEXT',
+        '/timestamp\(\d+\) without time zone/' => 'TEXT',
+        '/timestamp\(\d+\) with time zone/' => 'TEXT',
+        '/\bjsonb\b/' => 'TEXT',
+        '/\bjson\b/' => 'TEXT',
+        '/\buuid\b/' => 'TEXT',
+        '/double precision/' => 'REAL',
+        '/numeric\(\d+,\d+\)/' => 'REAL',
+        '/\bdate\b/' => 'TEXT',
+    ];
+
+    private array $castRemovals = [
+        '::character varying',
+        '::text',
+        '::integer',
+        '::boolean',
+        '::timestamp without time zone',
+        '::timestamp with time zone',
+        '::numeric',
+    ];
+
+    public function handle(): int
+    {
+        $connection = $this->option('connection');
+
+        if (DB::connection($connection)->getDriverName() !== 'pgsql') {
+            $this->error("Connection '{$connection}' is not PostgreSQL.");
+
+            return self::FAILURE;
+        }
+
+        $this->info('Reading schema from PostgreSQL...');
+
+        $tables = $this->getTables($connection);
+        $lastMigration = DB::connection($connection)
+            ->table('migrations')
+            ->orderByDesc('id')
+            ->value('migration');
+
+        $output = [];
+        $output[] = '-- Generated by: php artisan schema:generate-testing';
+        $output[] = '-- Date: '.now()->format('Y-m-d H:i:s');
+        $output[] = '-- Last migration: '.($lastMigration ?? 'none');
+        $output[] = '';
+
+        foreach ($tables as $table) {
+            $columns = $this->getColumns($connection, $table);
+            $output[] = $this->generateCreateTable($table, $columns);
+        }
+
+        $indexes = $this->getIndexes($connection, $tables);
+        foreach ($indexes as $index) {
+            $output[] = $index;
+        }
+
+        $output[] = '';
+        $output[] = '-- Migration records';
+
+        $migrations = DB::connection($connection)->table('migrations')->orderBy('id')->get();
+        foreach ($migrations as $m) {
+            $migration = str_replace("'", "''", $m->migration);
+            $output[] = "INSERT INTO \"migrations\" (\"id\", \"migration\", \"batch\") VALUES ({$m->id}, '{$migration}', {$m->batch});";
+        }
+
+        $path = database_path('schema/testing-schema.sql');
+
+        if (! is_dir(dirname($path))) {
+            mkdir(dirname($path), 0755, true);
+        }
+
+        file_put_contents($path, implode("\n", $output)."\n");
+
+        $this->info("Schema written to {$path}");
+        $this->info(count($tables).' tables, '.count($migrations).' migration records.');
+
+        return self::SUCCESS;
+    }
+
+    private function getTables(string $connection): array
+    {
+        return collect(DB::connection($connection)->select(
+            "SELECT tablename FROM pg_tables WHERE schemaname = 'public' ORDER BY tablename"
+        ))->pluck('tablename')->toArray();
+    }
+
+    private function getColumns(string $connection, string $table): array
+    {
+        return DB::connection($connection)->select(
+            "SELECT column_name, data_type, character_maximum_length, column_default,
+                    is_nullable, udt_name, numeric_precision, numeric_scale, datetime_precision
+             FROM information_schema.columns
+             WHERE table_schema = 'public' AND table_name = ?
+             ORDER BY ordinal_position",
+            [$table]
+        );
+    }
+
+    private function generateCreateTable(string $table, array $columns): string
+    {
+        $lines = [];
+
+        foreach ($columns as $col) {
+            $lines[] = '    '.$this->generateColumnDef($table, $col);
+        }
+
+        return "CREATE TABLE IF NOT EXISTS \"{$table}\" (\n".implode(",\n", $lines)."\n);\n";
+    }
+
+    private function generateColumnDef(string $table, object $col): string
+    {
+        $name = $col->column_name;
+        $sqliteType = $this->convertType($col);
+
+        // Auto-increment primary key for id columns
+        if ($name === 'id' && $sqliteType === 'INTEGER' && $col->is_nullable === 'NO' && str_contains((string) $col->column_default, 'nextval')) {
+            return "\"{$name}\" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL";
+        }
+
+        $parts = ["\"{$name}\"", $sqliteType];
+
+        // Default value
+        $default = $col->column_default;
+        if ($default !== null && ! str_contains($default, 'nextval')) {
+            $default = $this->cleanDefault($default);
+            $parts[] = "DEFAULT {$default}";
+        }
+
+        // NOT NULL
+        if ($col->is_nullable === 'NO') {
+            $parts[] = 'NOT NULL';
+        }
+
+        return implode(' ', $parts);
+    }
+
+    private function convertType(object $col): string
+    {
+        $pgType = $col->data_type;
+
+        return match (true) {
+            in_array($pgType, ['bigint', 'integer', 'smallint']) => 'INTEGER',
+            $pgType === 'boolean' => 'INTEGER',
+            in_array($pgType, ['character varying', 'text', 'USER-DEFINED']) => 'TEXT',
+            str_contains($pgType, 'timestamp') => 'TEXT',
+            in_array($pgType, ['json', 'jsonb']) => 'TEXT',
+            $pgType === 'uuid' => 'TEXT',
+            $pgType === 'double precision' => 'REAL',
+            $pgType === 'numeric' => 'REAL',
+            $pgType === 'date' => 'TEXT',
+            default => 'TEXT',
+        };
+    }
+
+    private function cleanDefault(string $default): string
+    {
+        foreach ($this->castRemovals as $cast) {
+            $default = str_replace($cast, '', $default);
+        }
+
+        // Remove array type casts like ::text[]
+        $default = preg_replace('/::[\w\s]+(\[\])?/', '', $default);
+
+        return $default;
+    }
+
+    private function getIndexes(string $connection, array $tables): array
+    {
+        $results = [];
+
+        $indexes = DB::connection($connection)->select(
+            "SELECT indexname, tablename, indexdef FROM pg_indexes
+             WHERE schemaname = 'public'
+             ORDER BY tablename, indexname"
+        );
+
+        foreach ($indexes as $idx) {
+            $def = $idx->indexdef;
+
+            // Skip primary key indexes
+            if (str_contains($def, '_pkey')) {
+                continue;
+            }
+
+            // Skip PG-specific indexes (GIN, GIST, expression indexes)
+            if (preg_match('/USING (gin|gist)/i', $def)) {
+                continue;
+            }
+            if (str_contains($def, '->>') || str_contains($def, '::')) {
+                continue;
+            }
+
+            // Convert to SQLite-compatible CREATE INDEX
+            $unique = str_contains($def, 'UNIQUE') ? 'UNIQUE ' : '';
+
+            // Extract columns from the index definition
+            if (preg_match('/\((.+)\)$/', $def, $m)) {
+                $cols = $m[1];
+                $results[] = "CREATE {$unique}INDEX IF NOT EXISTS \"{$idx->indexname}\" ON \"{$idx->tablename}\" ({$cols});";
+            }
+        }
+
+        return $results;
+    }
+}
--- a/app/Console/Commands/Init.php
+++ b/app/Console/Commands/Init.php
@ -263,15 +263,11 @@ private function restoreCoolifyDbBackup()
        }
    }

+    // MapleDeploy branding: telemetry disabled — no phone-home signal
    private function sendAliveSignal()
    {
-        $id = config('app.id');
-        $version = config('constants.coolify.version');
-        try {
-            Http::get("https://undead.coolify.io/v4/alive?appId=$id&version=$version");
-        } catch (\Throwable $e) {
-            echo "Error in sending live signal: {$e->getMessage()}\n";
-        }
+        // Disabled for MapleDeploy: do not send telemetry to coolify.io
+        return;
    }

    private function replaceSlashInEnvironmentName()
--- a/app/Console/Kernel.php
+++ b/app/Console/Kernel.php
@ -40,7 +40,7 @@ protected function schedule(Schedule $schedule): void
        }

        // $this->scheduleInstance->job(new CleanupStaleMultiplexedConnections)->hourly();
-        $this->scheduleInstance->command('cleanup:redis')->weekly();
+        $this->scheduleInstance->command('cleanup:redis --clear-locks')->daily();

        if (isDev()) {
            // Instance Jobs
--- a/app/Helpers/SshMultiplexingHelper.php
+++ b/app/Helpers/SshMultiplexingHelper.php
@ -37,7 +37,7 @@ public static function ensureMultiplexedConnection(Server $server): bool
        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
            $checkCommand .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
        }
-        $checkCommand .= "{$server->user}@{$server->ip}";
+        $checkCommand .= self::escapedUserAtHost($server);
        $process = Process::run($checkCommand);

        if ($process->exitCode() !== 0) {
@ -80,7 +80,7 @@ public static function establishNewMultiplexedConnection(Server $server): bool
            $establishCommand .= ' -o ProxyCommand="cloudflared access ssh --hostname %h" ';
        }
        $establishCommand .= self::getCommonSshOptions($server, $sshKeyLocation, $connectionTimeout, $serverInterval);
-        $establishCommand .= "{$server->user}@{$server->ip}";
+        $establishCommand .= self::escapedUserAtHost($server);
        $establishProcess = Process::run($establishCommand);
        if ($establishProcess->exitCode() !== 0) {
            return false;
@ -101,7 +101,7 @@ public static function removeMuxFile(Server $server)
        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
            $closeCommand .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
        }
-        $closeCommand .= "{$server->user}@{$server->ip}";
+        $closeCommand .= self::escapedUserAtHost($server);
        Process::run($closeCommand);

        // Clear connection metadata from cache
@ -141,9 +141,9 @@ public static function generateScpCommand(Server $server, string $source, string

        $scp_command .= self::getCommonSshOptions($server, $sshKeyLocation, config('constants.ssh.connection_timeout'), config('constants.ssh.server_interval'), isScp: true);
        if ($server->isIpv6()) {
-            $scp_command .= "{$source} {$server->user}@[{$server->ip}]:{$dest}";
+            $scp_command .= "{$source} ".escapeshellarg($server->user).'@['.escapeshellarg($server->ip)."]:{$dest}";
        } else {
-            $scp_command .= "{$source} {$server->user}@{$server->ip}:{$dest}";
+            $scp_command .= "{$source} ".self::escapedUserAtHost($server).":{$dest}";
        }

        return $scp_command;
@ -189,13 +189,18 @@ public static function generateSshCommand(Server $server, string $command, bool
        $delimiter = base64_encode($delimiter);
        $command = str_replace($delimiter, '', $command);

-        $ssh_command .= "{$server->user}@{$server->ip} 'bash -se' << \\$delimiter".PHP_EOL
+        $ssh_command .= self::escapedUserAtHost($server)." 'bash -se' << \\$delimiter".PHP_EOL
            .$command.PHP_EOL
            .$delimiter;

        return $ssh_command;
    }

+    private static function escapedUserAtHost(Server $server): string
+    {
+        return escapeshellarg($server->user).'@'.escapeshellarg($server->ip);
+    }
+
    private static function isMultiplexingEnabled(): bool
    {
        return config('constants.ssh.mux_enabled') && ! config('constants.coolify.is_windows_docker_desktop');
@ -224,9 +229,9 @@ private static function getCommonSshOptions(Server $server, string $sshKeyLocati

        // Bruh
        if ($isScp) {
-            $options .= "-P {$server->port} ";
+            $options .= '-P '.escapeshellarg((string) $server->port).' ';
        } else {
-            $options .= "-p {$server->port} ";
+            $options .= '-p '.escapeshellarg((string) $server->port).' ';
        }

        return $options;
@ -245,7 +250,7 @@ public static function isConnectionHealthy(Server $server): bool
        if (data_get($server, 'settings.is_cloudflare_tunnel')) {
            $healthCommand .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
        }
-        $healthCommand .= "{$server->user}@{$server->ip} 'echo \"health_check_ok\"'";
+        $healthCommand .= self::escapedUserAtHost($server)." 'echo \"health_check_ok\"'";

        $process = Process::run($healthCommand);
        $isHealthy = $process->exitCode() === 0 && str_contains($process->output(), 'health_check_ok');
--- a/app/Http/Controllers/Api/ApplicationsController.php
+++ b/app/Http/Controllers/Api/ApplicationsController.php
@ -19,8 +19,8 @@
 use App\Rules\ValidGitRepositoryUrl;
 use App\Services\DockerImageParser;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Validator;
 use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\Rule;
 use OpenApi\Attributes as OA;
 use Spatie\Url\Url;
@ -1002,7 +1002,7 @@ private function create_application(Request $request, $type)
        if ($return instanceof \Illuminate\Http\JsonResponse) {
            return $return;
        }
-        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled'];
+        $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container',  'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled'];

        $validator = customApiValidator($request->all(), [
            'name' => 'string|max:255',
@ -1095,13 +1095,23 @@ private function create_application(Request $request, $type)
            return response()->json(['message' => 'Server has multiple destinations and you do not set destination_uuid.'], 400);
        }
        $destination = $destinations->first();
+        if ($destinations->count() > 1 && $request->has('destination_uuid')) {
+            $destination = $destinations->where('uuid', $request->destination_uuid)->first();
+            if (! $destination) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => [
+                        'destination_uuid' => 'Provided destination_uuid does not belong to the specified server.',
+                    ],
+                ], 422);
+            }
+        }
        if ($type === 'public') {
            $validationRules = [
                'git_repository' => ['string', 'required', new ValidGitRepositoryUrl],
                'git_branch' => ['string', 'required', new ValidGitBranch],
                'build_pack' => ['required', Rule::enum(BuildPackTypes::class)],
                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
-                'docker_compose_location' => 'string',
                'docker_compose_domains' => 'array|nullable',
                'docker_compose_domains.*' => 'array:name,domain',
                'docker_compose_domains.*.name' => 'string|required',
@ -1297,7 +1307,6 @@ private function create_application(Request $request, $type)
                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
                'github_app_uuid' => 'string|required',
                'watch_paths' => 'string|nullable',
-                'docker_compose_location' => 'string',
                'docker_compose_domains' => 'array|nullable',
                'docker_compose_domains.*' => 'array:name,domain',
                'docker_compose_domains.*.name' => 'string|required',
@ -1525,7 +1534,6 @@ private function create_application(Request $request, $type)
                'ports_exposes' => 'string|regex:/^(\d+)(,\d+)*$/|required',
                'private_key_uuid' => 'string|required',
                'watch_paths' => 'string|nullable',
-                'docker_compose_location' => 'string',
                'docker_compose_domains' => 'array|nullable',
                'docker_compose_domains.*' => 'array:name,domain',
                'docker_compose_domains.*.name' => 'string|required',
@ -2463,14 +2471,13 @@ public function update_by_uuid(Request $request)
        $this->authorize('update', $application);

        $server = $application->destination->server;
-        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled'];
+        $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled'];

        $validationRules = [
            'name' => 'string|max:255',
            'description' => 'string|nullable',
            'static_image' => 'string',
            'watch_paths' => 'string|nullable',
-            'docker_compose_location' => 'string',
            'docker_compose_domains' => 'array|nullable',
            'docker_compose_domains.*' => 'array:name,domain',
            'docker_compose_domains.*.name' => 'string|required',
@ -2919,10 +2926,7 @@ public function envs(Request $request)
                    new OA\MediaType(
                        mediaType: 'application/json',
                        schema: new OA\Schema(
-                            type: 'object',
-                            properties: [
-                                'message' => ['type' => 'string', 'example' => 'Environment variable updated.'],
-                            ]
+                            ref: '#/components/schemas/EnvironmentVariable'
                        )
                    ),
                ]
@ -2943,7 +2947,7 @@ public function envs(Request $request)
    )]
    public function update_env_by_uuid(Request $request)
    {
-        $allowedFields = ['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime'];
+        $allowedFields = ['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime', 'comment'];
        $teamId = getTeamIdFromToken();

        if (is_null($teamId)) {
@ -2973,6 +2977,7 @@ public function update_env_by_uuid(Request $request)
            'is_shown_once' => 'boolean',
            'is_runtime' => 'boolean',
            'is_buildtime' => 'boolean',
+            'comment' => 'string|nullable|max:256',
        ]);

        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
@ -3014,6 +3019,9 @@ public function update_env_by_uuid(Request $request)
                if ($request->has('is_buildtime') && $env->is_buildtime != $request->is_buildtime) {
                    $env->is_buildtime = $request->is_buildtime;
                }
+                if ($request->has('comment') && $env->comment != $request->comment) {
+                    $env->comment = $request->comment;
+                }
                $env->save();

                return response()->json($this->removeSensitiveData($env))->setStatusCode(201);
@ -3044,6 +3052,9 @@ public function update_env_by_uuid(Request $request)
                if ($request->has('is_buildtime') && $env->is_buildtime != $request->is_buildtime) {
                    $env->is_buildtime = $request->is_buildtime;
                }
+                if ($request->has('comment') && $env->comment != $request->comment) {
+                    $env->comment = $request->comment;
+                }
                $env->save();

                return response()->json($this->removeSensitiveData($env))->setStatusCode(201);
@ -3336,7 +3347,7 @@ public function create_bulk_envs(Request $request)
    )]
    public function create_env(Request $request)
    {
-        $allowedFields = ['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime'];
+        $allowedFields = ['key', 'value', 'is_preview', 'is_literal', 'is_multiline', 'is_shown_once', 'is_runtime', 'is_buildtime', 'comment'];
        $teamId = getTeamIdFromToken();

        if (is_null($teamId)) {
@ -3361,6 +3372,7 @@ public function create_env(Request $request)
            'is_shown_once' => 'boolean',
            'is_runtime' => 'boolean',
            'is_buildtime' => 'boolean',
+            'comment' => 'string|nullable|max:256',
        ]);

        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
@ -3396,6 +3408,7 @@ public function create_env(Request $request)
                    'is_shown_once' => $request->is_shown_once ?? false,
                    'is_runtime' => $request->is_runtime ?? true,
                    'is_buildtime' => $request->is_buildtime ?? true,
+                    'comment' => $request->comment ?? null,
                    'resourceable_type' => get_class($application),
                    'resourceable_id' => $application->id,
                ]);
@ -3420,6 +3433,7 @@ public function create_env(Request $request)
                    'is_shown_once' => $request->is_shown_once ?? false,
                    'is_runtime' => $request->is_runtime ?? true,
                    'is_buildtime' => $request->is_buildtime ?? true,
+                    'comment' => $request->comment ?? null,
                    'resourceable_type' => get_class($application),
                    'resourceable_id' => $application->id,
                ]);
@ -3656,6 +3670,15 @@ public function action_deploy(Request $request)
                    type: 'string',
                )
            ),
+            new OA\Parameter(
+                name: 'docker_cleanup',
+                in: 'query',
+                description: 'Perform docker cleanup (prune networks, volumes, etc.).',
+                schema: new OA\Schema(
+                    type: 'boolean',
+                    default: true,
+                )
+            ),
        ],
        responses: [
            new OA\Response(
@ -3704,7 +3727,8 @@ public function action_stop(Request $request)

        $this->authorize('deploy', $application);

-        StopApplication::dispatch($application);
+        $dockerCleanup = $request->boolean('docker_cleanup', true);
+        StopApplication::dispatch($application, false, $dockerCleanup);

        return response()->json(
            [
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@ -2602,6 +2602,15 @@ public function action_deploy(Request $request)
                    type: 'string',
                )
            ),
+            new OA\Parameter(
+                name: 'docker_cleanup',
+                in: 'query',
+                description: 'Perform docker cleanup (prune networks, volumes, etc.).',
+                schema: new OA\Schema(
+                    type: 'boolean',
+                    default: true,
+                )
+            ),
        ],
        responses: [
            new OA\Response(
@ -2653,7 +2662,9 @@ public function action_stop(Request $request)
        if (str($database->status)->contains('stopped') || str($database->status)->contains('exited')) {
            return response()->json(['message' => 'Database is already stopped.'], 400);
        }
-        StopDatabase::dispatch($database);
+
+        $dockerCleanup = $request->boolean('docker_cleanup', true);
+        StopDatabase::dispatch($database, $dockerCleanup);

        return response()->json(
            [
--- a/app/Http/Controllers/Api/DeployController.php
+++ b/app/Http/Controllers/Api/DeployController.php
@ -127,6 +127,10 @@ public function deployment_by_uuid(Request $request)
        if (! $deployment) {
            return response()->json(['message' => 'Deployment not found.'], 404);
        }
+        $application = $deployment->application;
+        if (! $application || data_get($application->team(), 'id') !== (int) $teamId) {
+            return response()->json(['message' => 'Deployment not found.'], 404);
+        }

        return response()->json($this->removeSensitiveData($deployment));
    }
--- a/app/Http/Controllers/Api/OpenApi.php
+++ b/app/Http/Controllers/Api/OpenApi.php
@ -4,8 +4,9 @@

 use OpenApi\Attributes as OA;

-#[OA\Info(title: 'Coolify', version: '0.1')]
-#[OA\Server(url: 'https://app.coolify.io/api/v1', description: 'Coolify Cloud API. Change the host to your own instance if you are self-hosting.')]
+// MapleDeploy branding: API documentation
+#[OA\Info(title: 'MapleDeploy', version: '0.1')]
+#[OA\Server(url: '/api/v1', description: 'MapleDeploy API. Powered by Coolify.')]
 #[OA\SecurityScheme(
    type: 'http',
    scheme: 'bearer',
--- a/app/Http/Controllers/Api/OtherController.php
+++ b/app/Http/Controllers/Api/OtherController.php
@ -4,7 +4,6 @@

 use App\Http\Controllers\Controller;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Http;
 use OpenApi\Attributes as OA;

 class OtherController extends Controller
@ -145,19 +144,6 @@ public function disable_api(Request $request)
        return response()->json(['message' => 'API disabled.'], 200);
    }

-    public function feedback(Request $request)
-    {
-        $content = $request->input('content');
-        $webhook_url = config('constants.webhooks.feedback_discord_webhook');
-        if ($webhook_url) {
-            Http::post($webhook_url, [
-                'content' => $content,
-            ]);
-        }
-
-        return response()->json(['message' => 'Feedback sent.'], 200);
-    }
-
    #[OA\Get(
        summary: 'Healthcheck',
        description: 'Healthcheck endpoint.',
--- a/app/Http/Controllers/Api/ScheduledTasksController.php
+++ b/app/Http/Controllers/Api/ScheduledTasksController.php
@ -0,0 +1,922 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\Application;
+use App\Models\ScheduledTask;
+use App\Models\Service;
+use Illuminate\Http\Request;
+use OpenApi\Attributes as OA;
+
+class ScheduledTasksController extends Controller
+{
+    private function removeSensitiveData($task)
+    {
+        $task->makeHidden([
+            'id',
+            'team_id',
+            'application_id',
+            'service_id',
+        ]);
+
+        return serializeApiResponse($task);
+    }
+
+    private function resolveApplication(Request $request, int $teamId): ?Application
+    {
+        return Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $request->uuid)->first();
+    }
+
+    private function resolveService(Request $request, int $teamId): ?Service
+    {
+        return Service::whereRelation('environment.project.team', 'id', $teamId)->where('uuid', $request->uuid)->first();
+    }
+
+    private function listTasks(Application|Service $resource): \Illuminate\Http\JsonResponse
+    {
+        $this->authorize('view', $resource);
+
+        $tasks = $resource->scheduled_tasks->map(function ($task) {
+            return $this->removeSensitiveData($task);
+        });
+
+        return response()->json($tasks);
+    }
+
+    private function createTask(Request $request, Application|Service $resource): \Illuminate\Http\JsonResponse
+    {
+        $this->authorize('update', $resource);
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof \Illuminate\Http\JsonResponse) {
+            return $return;
+        }
+
+        $allowedFields = ['name', 'command', 'frequency', 'container', 'timeout', 'enabled'];
+
+        $validator = customApiValidator($request->all(), [
+            'name' => 'required|string|max:255',
+            'command' => 'required|string',
+            'frequency' => 'required|string',
+            'container' => 'string|nullable',
+            'timeout' => 'integer|min:1',
+            'enabled' => 'boolean',
+        ]);
+
+        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        if (! validate_cron_expression($request->frequency)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['frequency' => ['Invalid cron expression or frequency format.']],
+            ], 422);
+        }
+
+        $teamId = getTeamIdFromToken();
+
+        $task = new ScheduledTask;
+        $task->name = $request->name;
+        $task->command = $request->command;
+        $task->frequency = $request->frequency;
+        $task->container = $request->container;
+        $task->timeout = $request->has('timeout') ? $request->timeout : 300;
+        $task->enabled = $request->has('enabled') ? $request->enabled : true;
+        $task->team_id = $teamId;
+
+        if ($resource instanceof Application) {
+            $task->application_id = $resource->id;
+        } elseif ($resource instanceof Service) {
+            $task->service_id = $resource->id;
+        }
+
+        $task->save();
+
+        return response()->json($this->removeSensitiveData($task), 201);
+    }
+
+    private function updateTask(Request $request, Application|Service $resource): \Illuminate\Http\JsonResponse
+    {
+        $this->authorize('update', $resource);
+
+        $return = validateIncomingRequest($request);
+        if ($return instanceof \Illuminate\Http\JsonResponse) {
+            return $return;
+        }
+
+        if ($request->all() === []) {
+            return response()->json(['message' => 'At least one field must be provided.'], 422);
+        }
+
+        $allowedFields = ['name', 'command', 'frequency', 'container', 'timeout', 'enabled'];
+
+        $validator = customApiValidator($request->all(), [
+            'name' => 'string|max:255',
+            'command' => 'string',
+            'frequency' => 'string',
+            'container' => 'string|nullable',
+            'timeout' => 'integer|min:1',
+            'enabled' => 'boolean',
+        ]);
+
+        $extraFields = array_diff(array_keys($request->all()), $allowedFields);
+        if ($validator->fails() || ! empty($extraFields)) {
+            $errors = $validator->errors();
+            if (! empty($extraFields)) {
+                foreach ($extraFields as $field) {
+                    $errors->add($field, 'This field is not allowed.');
+                }
+            }
+
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => $errors,
+            ], 422);
+        }
+
+        if ($request->has('frequency') && ! validate_cron_expression($request->frequency)) {
+            return response()->json([
+                'message' => 'Validation failed.',
+                'errors' => ['frequency' => ['Invalid cron expression or frequency format.']],
+            ], 422);
+        }
+
+        $task = $resource->scheduled_tasks()->where('uuid', $request->task_uuid)->first();
+        if (! $task) {
+            return response()->json(['message' => 'Scheduled task not found.'], 404);
+        }
+
+        $task->update($request->only($allowedFields));
+
+        return response()->json($this->removeSensitiveData($task), 200);
+    }
+
+    private function deleteTask(Request $request, Application|Service $resource): \Illuminate\Http\JsonResponse
+    {
+        $this->authorize('update', $resource);
+
+        $deleted = $resource->scheduled_tasks()->where('uuid', $request->task_uuid)->delete();
+        if (! $deleted) {
+            return response()->json(['message' => 'Scheduled task not found.'], 404);
+        }
+
+        return response()->json(['message' => 'Scheduled task deleted.']);
+    }
+
+    private function getExecutions(Request $request, Application|Service $resource): \Illuminate\Http\JsonResponse
+    {
+        $this->authorize('view', $resource);
+
+        $task = $resource->scheduled_tasks()->where('uuid', $request->task_uuid)->first();
+        if (! $task) {
+            return response()->json(['message' => 'Scheduled task not found.'], 404);
+        }
+
+        $executions = $task->executions()->get()->map(function ($execution) {
+            $execution->makeHidden(['id', 'scheduled_task_id']);
+
+            return serializeApiResponse($execution);
+        });
+
+        return response()->json($executions);
+    }
+
+    #[OA\Get(
+        summary: 'List Tasks',
+        description: 'List all scheduled tasks for an application.',
+        path: '/applications/{uuid}/scheduled-tasks',
+        operationId: 'list-scheduled-tasks-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Get all scheduled tasks for an application.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/ScheduledTask')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function scheduled_tasks_by_application_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = $this->resolveApplication($request, $teamId);
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        return $this->listTasks($application);
+    }
+
+    #[OA\Post(
+        summary: 'Create Task',
+        description: 'Create a new scheduled task for an application.',
+        path: '/applications/{uuid}/scheduled-tasks',
+        operationId: 'create-scheduled-task-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Scheduled task data',
+            required: true,
+            content: new OA\MediaType(
+                mediaType: 'application/json',
+                schema: new OA\Schema(
+                    type: 'object',
+                    required: ['name', 'command', 'frequency'],
+                    properties: [
+                        'name' => ['type' => 'string', 'description' => 'The name of the scheduled task.'],
+                        'command' => ['type' => 'string', 'description' => 'The command to execute.'],
+                        'frequency' => ['type' => 'string', 'description' => 'The frequency of the scheduled task.'],
+                        'container' => ['type' => 'string', 'nullable' => true, 'description' => 'The container where the command should be executed.'],
+                        'timeout' => ['type' => 'integer', 'description' => 'The timeout of the scheduled task in seconds.', 'default' => 300],
+                        'enabled' => ['type' => 'boolean', 'description' => 'The flag to indicate if the scheduled task is enabled.', 'default' => true],
+                    ],
+                ),
+            )
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Scheduled task created.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(ref: '#/components/schemas/ScheduledTask')
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function create_scheduled_task_by_application_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = $this->resolveApplication($request, $teamId);
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        return $this->createTask($request, $application);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Task',
+        description: 'Update a scheduled task for an application.',
+        path: '/applications/{uuid}/scheduled-tasks/{task_uuid}',
+        operationId: 'update-scheduled-task-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Scheduled task data',
+            required: true,
+            content: new OA\MediaType(
+                mediaType: 'application/json',
+                schema: new OA\Schema(
+                    type: 'object',
+                    properties: [
+                        'name' => ['type' => 'string', 'description' => 'The name of the scheduled task.'],
+                        'command' => ['type' => 'string', 'description' => 'The command to execute.'],
+                        'frequency' => ['type' => 'string', 'description' => 'The frequency of the scheduled task.'],
+                        'container' => ['type' => 'string', 'nullable' => true, 'description' => 'The container where the command should be executed.'],
+                        'timeout' => ['type' => 'integer', 'description' => 'The timeout of the scheduled task in seconds.', 'default' => 300],
+                        'enabled' => ['type' => 'boolean', 'description' => 'The flag to indicate if the scheduled task is enabled.', 'default' => true],
+                    ],
+                ),
+            )
+        ),
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Scheduled task updated.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(ref: '#/components/schemas/ScheduledTask')
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function update_scheduled_task_by_application_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = $this->resolveApplication($request, $teamId);
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        return $this->updateTask($request, $application);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Task',
+        description: 'Delete a scheduled task for an application.',
+        path: '/applications/{uuid}/scheduled-tasks/{task_uuid}',
+        operationId: 'delete-scheduled-task-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Scheduled task deleted.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'object',
+                            properties: [
+                                'message' => ['type' => 'string', 'example' => 'Scheduled task deleted.'],
+                            ]
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function delete_scheduled_task_by_application_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = $this->resolveApplication($request, $teamId);
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        return $this->deleteTask($request, $application);
+    }
+
+    #[OA\Get(
+        summary: 'List Executions',
+        description: 'List all executions for a scheduled task on an application.',
+        path: '/applications/{uuid}/scheduled-tasks/{task_uuid}/executions',
+        operationId: 'list-scheduled-task-executions-by-application-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the application.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Get all executions for a scheduled task.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/ScheduledTaskExecution')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function executions_by_application_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $application = $this->resolveApplication($request, $teamId);
+        if (! $application) {
+            return response()->json(['message' => 'Application not found.'], 404);
+        }
+
+        return $this->getExecutions($request, $application);
+    }
+
+    #[OA\Get(
+        summary: 'List Tasks',
+        description: 'List all scheduled tasks for a service.',
+        path: '/services/{uuid}/scheduled-tasks',
+        operationId: 'list-scheduled-tasks-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Get all scheduled tasks for a service.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/ScheduledTask')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function scheduled_tasks_by_service_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = $this->resolveService($request, $teamId);
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        return $this->listTasks($service);
+    }
+
+    #[OA\Post(
+        summary: 'Create Task',
+        description: 'Create a new scheduled task for a service.',
+        path: '/services/{uuid}/scheduled-tasks',
+        operationId: 'create-scheduled-task-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Scheduled task data',
+            required: true,
+            content: new OA\MediaType(
+                mediaType: 'application/json',
+                schema: new OA\Schema(
+                    type: 'object',
+                    required: ['name', 'command', 'frequency'],
+                    properties: [
+                        'name' => ['type' => 'string', 'description' => 'The name of the scheduled task.'],
+                        'command' => ['type' => 'string', 'description' => 'The command to execute.'],
+                        'frequency' => ['type' => 'string', 'description' => 'The frequency of the scheduled task.'],
+                        'container' => ['type' => 'string', 'nullable' => true, 'description' => 'The container where the command should be executed.'],
+                        'timeout' => ['type' => 'integer', 'description' => 'The timeout of the scheduled task in seconds.', 'default' => 300],
+                        'enabled' => ['type' => 'boolean', 'description' => 'The flag to indicate if the scheduled task is enabled.', 'default' => true],
+                    ],
+                ),
+            )
+        ),
+        responses: [
+            new OA\Response(
+                response: 201,
+                description: 'Scheduled task created.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(ref: '#/components/schemas/ScheduledTask')
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function create_scheduled_task_by_service_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = $this->resolveService($request, $teamId);
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        return $this->createTask($request, $service);
+    }
+
+    #[OA\Patch(
+        summary: 'Update Task',
+        description: 'Update a scheduled task for a service.',
+        path: '/services/{uuid}/scheduled-tasks/{task_uuid}',
+        operationId: 'update-scheduled-task-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        requestBody: new OA\RequestBody(
+            description: 'Scheduled task data',
+            required: true,
+            content: new OA\MediaType(
+                mediaType: 'application/json',
+                schema: new OA\Schema(
+                    type: 'object',
+                    properties: [
+                        'name' => ['type' => 'string', 'description' => 'The name of the scheduled task.'],
+                        'command' => ['type' => 'string', 'description' => 'The command to execute.'],
+                        'frequency' => ['type' => 'string', 'description' => 'The frequency of the scheduled task.'],
+                        'container' => ['type' => 'string', 'nullable' => true, 'description' => 'The container where the command should be executed.'],
+                        'timeout' => ['type' => 'integer', 'description' => 'The timeout of the scheduled task in seconds.', 'default' => 300],
+                        'enabled' => ['type' => 'boolean', 'description' => 'The flag to indicate if the scheduled task is enabled.', 'default' => true],
+                    ],
+                ),
+            )
+        ),
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Scheduled task updated.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(ref: '#/components/schemas/ScheduledTask')
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+            new OA\Response(
+                response: 422,
+                ref: '#/components/responses/422',
+            ),
+        ]
+    )]
+    public function update_scheduled_task_by_service_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = $this->resolveService($request, $teamId);
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        return $this->updateTask($request, $service);
+    }
+
+    #[OA\Delete(
+        summary: 'Delete Task',
+        description: 'Delete a scheduled task for a service.',
+        path: '/services/{uuid}/scheduled-tasks/{task_uuid}',
+        operationId: 'delete-scheduled-task-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Scheduled task deleted.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'object',
+                            properties: [
+                                'message' => ['type' => 'string', 'example' => 'Scheduled task deleted.'],
+                            ]
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function delete_scheduled_task_by_service_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = $this->resolveService($request, $teamId);
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        return $this->deleteTask($request, $service);
+    }
+
+    #[OA\Get(
+        summary: 'List Executions',
+        description: 'List all executions for a scheduled task on a service.',
+        path: '/services/{uuid}/scheduled-tasks/{task_uuid}/executions',
+        operationId: 'list-scheduled-task-executions-by-service-uuid',
+        security: [
+            ['bearerAuth' => []],
+        ],
+        tags: ['Scheduled Tasks'],
+        parameters: [
+            new OA\Parameter(
+                name: 'uuid',
+                in: 'path',
+                description: 'UUID of the service.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+            new OA\Parameter(
+                name: 'task_uuid',
+                in: 'path',
+                description: 'UUID of the scheduled task.',
+                required: true,
+                schema: new OA\Schema(
+                    type: 'string',
+                )
+            ),
+        ],
+        responses: [
+            new OA\Response(
+                response: 200,
+                description: 'Get all executions for a scheduled task.',
+                content: [
+                    new OA\MediaType(
+                        mediaType: 'application/json',
+                        schema: new OA\Schema(
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/ScheduledTaskExecution')
+                        )
+                    ),
+                ]
+            ),
+            new OA\Response(
+                response: 401,
+                ref: '#/components/responses/401',
+            ),
+            new OA\Response(
+                response: 404,
+                ref: '#/components/responses/404',
+            ),
+        ]
+    )]
+    public function executions_by_service_uuid(Request $request): \Illuminate\Http\JsonResponse
+    {
+        $teamId = getTeamIdFromToken();
+        if (is_null($teamId)) {
+            return invalidTokenResponse();
+        }
+
+        $service = $this->resolveService($request, $teamId);
+        if (! $service) {
+            return response()->json(['message' => 'Service not found.'], 404);
+        }
+
+        return $this->getExecutions($request, $service);
+    }
+}
--- a/app/Http/Controllers/Api/ServersController.php
+++ b/app/Http/Controllers/Api/ServersController.php
@ -11,6 +11,7 @@
 use App\Models\PrivateKey;
 use App\Models\Project;
 use App\Models\Server as ModelsServer;
+use App\Rules\ValidServerIp;
 use Illuminate\Http\Request;
 use OpenApi\Attributes as OA;
 use Stringable;
@ -290,9 +291,12 @@ public function domains_by_server(Request $request)
        }
        $uuid = $request->get('uuid');
        if ($uuid) {
-            $domains = Application::getDomainsByUuid($uuid);
+            $application = Application::ownedByCurrentTeamAPI($teamId)->where('uuid', $uuid)->first();
+            if (! $application) {
+                return response()->json(['message' => 'Application not found.'], 404);
+            }

-            return response()->json(serializeApiResponse($domains));
+            return response()->json(serializeApiResponse($application->fqdns));
        }
        $projects = Project::where('team_id', $teamId)->get();
        $domains = collect();
@ -469,10 +473,10 @@ public function create_server(Request $request)
        $validator = customApiValidator($request->all(), [
            'name' => 'string|max:255',
            'description' => 'string|nullable',
-            'ip' => 'string|required',
-            'port' => 'integer|nullable',
+            'ip' => ['string', 'required', new ValidServerIp],
+            'port' => 'integer|nullable|between:1,65535',
            'private_key_uuid' => 'string|required',
-            'user' => 'string|nullable',
+            'user' => ['string', 'nullable', 'regex:/^[a-zA-Z0-9_-]+$/'],
            'is_build_server' => 'boolean|nullable',
            'instant_validate' => 'boolean|nullable',
            'proxy_type' => 'string|nullable',
@ -519,9 +523,13 @@ public function create_server(Request $request)
        if (! $privateKey) {
            return response()->json(['message' => 'Private key not found.'], 404);
        }
-        $allServers = ModelsServer::whereIp($request->ip)->get();
-        if ($allServers->count() > 0) {
-            return response()->json(['message' => 'Server with this IP already exists.'], 400);
+        $foundServer = ModelsServer::whereIp($request->ip)->first();
+        if ($foundServer) {
+            if ($foundServer->team_id === $teamId) {
+                return response()->json(['message' => 'A server with this IP/Domain already exists in your team.'], 400);
+            }
+
+            return response()->json(['message' => 'A server with this IP/Domain is already in use by another team.'], 400);
        }

        $proxyType = $request->proxy_type ? str($request->proxy_type)->upper() : ProxyTypes::TRAEFIK->value;
@ -630,10 +638,10 @@ public function update_server(Request $request)
        $validator = customApiValidator($request->all(), [
            'name' => 'string|max:255|nullable',
            'description' => 'string|nullable',
-            'ip' => 'string|nullable',
-            'port' => 'integer|nullable',
+            'ip' => ['string', 'nullable', new ValidServerIp],
+            'port' => 'integer|nullable|between:1,65535',
            'private_key_uuid' => 'string|nullable',
-            'user' => 'string|nullable',
+            'user' => ['string', 'nullable', 'regex:/^[a-zA-Z0-9_-]+$/'],
            'is_build_server' => 'boolean|nullable',
            'instant_validate' => 'boolean|nullable',
            'proxy_type' => 'string|nullable',
--- a/app/Http/Controllers/Api/ServicesController.php
+++ b/app/Http/Controllers/Api/ServicesController.php
@ -377,6 +377,17 @@ public function create_service(Request $request)
            return response()->json(['message' => 'Server has multiple destinations and you do not set destination_uuid.'], 400);
        }
        $destination = $destinations->first();
+        if ($destinations->count() > 1 && $request->has('destination_uuid')) {
+            $destination = $destinations->where('uuid', $request->destination_uuid)->first();
+            if (! $destination) {
+                return response()->json([
+                    'message' => 'Validation failed.',
+                    'errors' => [
+                        'destination_uuid' => 'Provided destination_uuid does not belong to the specified server.',
+                    ],
+                ], 422);
+            }
+        }
        $services = get_service_templates();
        $serviceKeys = $services->keys();
        if ($serviceKeys->contains($request->type)) {
@ -543,6 +554,17 @@ public function create_service(Request $request)
                return response()->json(['message' => 'Server has multiple destinations and you do not set destination_uuid.'], 400);
            }
            $destination = $destinations->first();
+            if ($destinations->count() > 1 && $request->has('destination_uuid')) {
+                $destination = $destinations->where('uuid', $request->destination_uuid)->first();
+                if (! $destination) {
+                    return response()->json([
+                        'message' => 'Validation failed.',
+                        'errors' => [
+                            'destination_uuid' => 'Provided destination_uuid does not belong to the specified server.',
+                        ],
+                    ], 422);
+                }
+            }
            if (! isBase64Encoded($request->docker_compose_raw)) {
                return response()->json([
                    'message' => 'Validation failed.',
@ -1141,10 +1163,7 @@ public function envs(Request $request)
                    new OA\MediaType(
                        mediaType: 'application/json',
                        schema: new OA\Schema(
-                            type: 'object',
-                            properties: [
-                                'message' => ['type' => 'string', 'example' => 'Environment variable updated.'],
-                            ]
+                            ref: '#/components/schemas/EnvironmentVariable'
                        )
                    ),
                ]
@ -1187,6 +1206,7 @@ public function update_env_by_uuid(Request $request)
            'is_literal' => 'boolean',
            'is_multiline' => 'boolean',
            'is_shown_once' => 'boolean',
+            'comment' => 'string|nullable|max:256',
        ]);

        if ($validator->fails()) {
@ -1202,7 +1222,19 @@ public function update_env_by_uuid(Request $request)
            return response()->json(['message' => 'Environment variable not found.'], 404);
        }

-        $env->fill($request->all());
+        $env->value = $request->value;
+        if ($request->has('is_literal')) {
+            $env->is_literal = $request->is_literal;
+        }
+        if ($request->has('is_multiline')) {
+            $env->is_multiline = $request->is_multiline;
+        }
+        if ($request->has('is_shown_once')) {
+            $env->is_shown_once = $request->is_shown_once;
+        }
+        if ($request->has('comment')) {
+            $env->comment = $request->comment;
+        }
        $env->save();

        return response()->json($this->removeSensitiveData($env))->setStatusCode(201);
@ -1265,10 +1297,8 @@ public function update_env_by_uuid(Request $request)
                    new OA\MediaType(
                        mediaType: 'application/json',
                        schema: new OA\Schema(
-                            type: 'object',
-                            properties: [
-                                'message' => ['type' => 'string', 'example' => 'Environment variables updated.'],
-                            ]
+                            type: 'array',
+                            items: new OA\Items(ref: '#/components/schemas/EnvironmentVariable')
                        )
                    ),
                ]
@ -1430,6 +1460,7 @@ public function create_env(Request $request)
            'is_literal' => 'boolean',
            'is_multiline' => 'boolean',
            'is_shown_once' => 'boolean',
+            'comment' => 'string|nullable|max:256',
        ]);

        if ($validator->fails()) {
@ -1447,7 +1478,14 @@ public function create_env(Request $request)
            ], 409);
        }

-        $env = $service->environment_variables()->create($request->all());
+        $env = $service->environment_variables()->create([
+            'key' => $key,
+            'value' => $request->value,
+            'is_literal' => $request->is_literal ?? false,
+            'is_multiline' => $request->is_multiline ?? false,
+            'is_shown_once' => $request->is_shown_once ?? false,
+            'comment' => $request->comment ?? null,
+        ]);

        return response()->json($this->removeSensitiveData($env))->setStatusCode(201);
    }
@ -1638,6 +1676,15 @@ public function action_deploy(Request $request)
                    type: 'string',
                )
            ),
+            new OA\Parameter(
+                name: 'docker_cleanup',
+                in: 'query',
+                description: 'Perform docker cleanup (prune networks, volumes, etc.).',
+                schema: new OA\Schema(
+                    type: 'boolean',
+                    default: true,
+                )
+            ),
        ],
        responses: [
            new OA\Response(
@ -1689,7 +1736,9 @@ public function action_stop(Request $request)
        if (str($service->status)->contains('stopped') || str($service->status)->contains('exited')) {
            return response()->json(['message' => 'Service is already stopped.'], 400);
        }
-        StopService::dispatch($service);
+
+        $dockerCleanup = $request->boolean('docker_cleanup', true);
+        StopService::dispatch($service, false, $dockerCleanup);

        return response()->json(
            [
--- a/app/Http/Middleware/CheckForcePasswordReset.php
+++ b/app/Http/Middleware/CheckForcePasswordReset.php
@ -25,7 +25,7 @@ public function handle(Request $request, Closure $next): Response
            }
            $force_password_reset = auth()->user()->force_password_reset;
            if ($force_password_reset) {
-                if ($request->routeIs('auth.force-password-reset') || $request->path() === 'force-password-reset' || $request->path() === 'livewire/update' || $request->path() === 'logout') {
+                if ($request->routeIs('auth.force-password-reset') || $request->path() === 'force-password-reset' || $request->path() === 'two-factor-challenge' || $request->path() === 'livewire/update' || $request->path() === 'logout') {
                    return $next($request);
                }

--- a/app/Http/Middleware/TrustHosts.php
+++ b/app/Http/Middleware/TrustHosts.php
@ -91,6 +91,13 @@ public function hosts(): array
        // Trust all subdomains of APP_URL as fallback
        $trustedHosts[] = $this->allSubdomainsOfApplicationUrl();

+        // Always trust loopback addresses so local access works even when FQDN is configured
+        foreach (['localhost', '127.0.0.1', '[::1]'] as $localHost) {
+            if (! in_array($localHost, $trustedHosts, true)) {
+                $trustedHosts[] = $localHost;
+            }
+        }
+
        return array_filter($trustedHosts);
    }
 }
--- a/app/Http/Middleware/TrustProxies.php
+++ b/app/Http/Middleware/TrustProxies.php
@ -25,4 +25,26 @@ class TrustProxies extends Middleware
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO |
        Request::HEADER_X_FORWARDED_AWS_ELB;
+
+    /**
+     * Handle the request.
+     *
+     * Wraps $next so that after proxy headers are resolved (X-Forwarded-Proto processed),
+     * the Secure cookie flag is auto-enabled when the request is over HTTPS.
+     * This ensures session cookies are correctly marked Secure when behind an HTTPS
+     * reverse proxy (Cloudflare Tunnel, nginx, etc.) even when SESSION_SECURE_COOKIE
+     * is not explicitly set in .env.
+     */
+    public function handle($request, \Closure $next)
+    {
+        return parent::handle($request, function ($request) use ($next) {
+            // At this point proxy headers have been applied to the request,
+            // so $request->secure() correctly reflects the actual protocol.
+            if ($request->secure() && config('session.secure') === null) {
+                config(['session.secure' => true]);
+            }
+
+            return $next($request);
+        });
+    }
 }
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@ -171,6 +171,8 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue

    private bool $dockerBuildkitSupported = false;

+    private bool $dockerSecretsSupported = false;
+
    private bool $skip_build = false;

    private Collection|string $build_secrets;
@ -251,7 +253,7 @@ public function __construct(public int $application_deployment_queue_id)
            }
            if ($this->application->build_pack === 'dockerfile') {
                if (data_get($this->application, 'dockerfile_location')) {
-                    $this->dockerfile_location = $this->application->dockerfile_location;
+                    $this->dockerfile_location = $this->validatePathField($this->application->dockerfile_location, 'dockerfile_location');
                }
            }
        }
@ -381,13 +383,6 @@ public function handle(): void

    private function detectBuildKitCapabilities(): void
    {
-        // If build secrets are not enabled, skip detection and use traditional args
-        if (! $this->application->settings->use_build_secrets) {
-            $this->dockerBuildkitSupported = false;
-
-            return;
-        }
-
        $serverToCheck = $this->use_build_server ? $this->build_server : $this->server;
        $serverName = $this->use_build_server ? "build server ({$serverToCheck->name})" : "deployment server ({$serverToCheck->name})";

@ -403,53 +398,55 @@ private function detectBuildKitCapabilities(): void

            if ($majorVersion < 18 || ($majorVersion == 18 && $minorVersion < 9)) {
                $this->dockerBuildkitSupported = false;
-                $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} on {$serverName} does not support BuildKit (requires 18.09+). Build secrets feature disabled.");
+                $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} on {$serverName} does not support BuildKit (requires 18.09+).");

                return;
            }

-            $buildkitEnabled = instant_remote_process(
+            // Check buildx availability (always installed by Coolify on Docker 24.0+)
+            $buildxAvailable = instant_remote_process(
                ["docker buildx version >/dev/null 2>&1 && echo 'available' || echo 'not-available'"],
                $serverToCheck
            );

-            if (trim($buildkitEnabled) !== 'available') {
+            if (trim($buildxAvailable) === 'available') {
+                $this->dockerBuildkitSupported = true;
+                $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} with BuildKit and Buildx detected on {$serverName}.");
+            } else {
+                // Fallback: test DOCKER_BUILDKIT=1 support via --progress flag
                $buildkitTest = instant_remote_process(
-                    ["DOCKER_BUILDKIT=1 docker build --help 2>&1 | grep -q 'secret' && echo 'supported' || echo 'not-supported'"],
+                    ["DOCKER_BUILDKIT=1 docker build --help 2>&1 | grep -q '\\-\\-progress' && echo 'supported' || echo 'not-supported'"],
                    $serverToCheck
                );

                if (trim($buildkitTest) === 'supported') {
                    $this->dockerBuildkitSupported = true;
-                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} with BuildKit secrets support detected on {$serverName}.");
-                    $this->application_deployment_queue->addLogEntry('Build secrets are enabled and will be used for enhanced security.');
+                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} with BuildKit support detected on {$serverName}.");
                } else {
                    $this->dockerBuildkitSupported = false;
-                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} on {$serverName} does not have BuildKit secrets support.");
-                    $this->application_deployment_queue->addLogEntry('Build secrets feature is enabled but not supported. Using traditional build arguments.');
+                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} on {$serverName} does not support BuildKit. Build output progress will be limited.");
                }
-            } else {
-                // Buildx is available, which means BuildKit is available
-                // Now specifically test for secrets support
+            }
+
+            // If build secrets are enabled and BuildKit is available, verify --secret flag support
+            if ($this->application->settings->use_build_secrets && $this->dockerBuildkitSupported) {
                $secretsTest = instant_remote_process(
                    ["docker build --help 2>&1 | grep -q 'secret' && echo 'supported' || echo 'not-supported'"],
                    $serverToCheck
                );

                if (trim($secretsTest) === 'supported') {
-                    $this->dockerBuildkitSupported = true;
-                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} with BuildKit and Buildx detected on {$serverName}.");
+                    $this->dockerSecretsSupported = true;
                    $this->application_deployment_queue->addLogEntry('Build secrets are enabled and will be used for enhanced security.');
                } else {
-                    $this->dockerBuildkitSupported = false;
-                    $this->application_deployment_queue->addLogEntry("Docker {$dockerVersion} with Buildx on {$serverName}, but secrets not supported.");
-                    $this->application_deployment_queue->addLogEntry('Build secrets feature is enabled but not supported. Using traditional build arguments.');
+                    $this->dockerSecretsSupported = false;
+                    $this->application_deployment_queue->addLogEntry("Docker on {$serverName} does not support build secrets. Using traditional build arguments.");
                }
            }
        } catch (\Exception $e) {
            $this->dockerBuildkitSupported = false;
+            $this->dockerSecretsSupported = false;
            $this->application_deployment_queue->addLogEntry("Could not detect BuildKit capabilities on {$serverName}: {$e->getMessage()}");
-            $this->application_deployment_queue->addLogEntry('Build secrets feature is enabled but detection failed. Using traditional build arguments.');
        }
    }

@ -571,7 +568,7 @@ private function deploy_dockerimage_buildpack()
    private function deploy_docker_compose_buildpack()
    {
        if (data_get($this->application, 'docker_compose_location')) {
-            $this->docker_compose_location = $this->application->docker_compose_location;
+            $this->docker_compose_location = $this->validatePathField($this->application->docker_compose_location, 'docker_compose_location');
        }
        if (data_get($this->application, 'docker_compose_custom_start_command')) {
            $this->docker_compose_custom_start_command = $this->application->docker_compose_custom_start_command;
@ -632,7 +629,7 @@ private function deploy_docker_compose_buildpack()

            // For raw compose, we cannot automatically add secrets configuration
            // User must define it manually in their docker-compose file
-            if ($this->application->settings->use_build_secrets && $this->dockerBuildkitSupported && ! empty($this->build_secrets)) {
+            if ($this->dockerSecretsSupported && ! empty($this->build_secrets)) {
                $this->application_deployment_queue->addLogEntry('Build secrets are configured. Ensure your docker-compose file includes build.secrets configuration for services that need them.');
            }
        } else {
@ -653,7 +650,7 @@ private function deploy_docker_compose_buildpack()
            }

            // Add build secrets to compose file if enabled and BuildKit is supported
-            if ($this->application->settings->use_build_secrets && $this->dockerBuildkitSupported && ! empty($this->build_secrets)) {
+            if ($this->dockerSecretsSupported && ! empty($this->build_secrets)) {
                $composeFile = $this->add_build_secrets_to_compose($composeFile);
            }

@ -689,8 +686,6 @@ private function deploy_docker_compose_buildpack()
            // Inject build arguments after build subcommand if not using build secrets
            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof \Illuminate\Support\Collection && $this->build_args->isNotEmpty()) {
                $build_args_string = $this->build_args->implode(' ');
-                // Escape single quotes for bash -c context used by executeInDocker
-                $build_args_string = str_replace("'", "'\\''", $build_args_string);

                // Inject build args right after 'build' subcommand (not at the end)
                $original_command = $build_command;
@ -702,9 +697,17 @@ private function deploy_docker_compose_buildpack()
                }
            }

-            $this->execute_remote_command(
-                [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$build_command}"), 'hidden' => true],
-            );
+            try {
+                $this->execute_remote_command(
+                    [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$build_command}"), 'hidden' => true],
+                );
+            } catch (\RuntimeException $e) {
+                if (str_contains($e->getMessage(), "matching `'") || str_contains($e->getMessage(), 'unexpected EOF')) {
+                    throw new DeploymentException("Custom build command failed due to shell syntax error. Please check your command for special characters (like unmatched quotes): {$this->docker_compose_custom_build_command}");
+                }
+
+                throw $e;
+            }
        } else {
            $command = "{$this->coolify_variables} docker compose";
            // Prepend DOCKER_BUILDKIT=1 if BuildKit is supported
@ -721,8 +724,6 @@ private function deploy_docker_compose_buildpack()

            if (! $this->application->settings->use_build_secrets && $this->build_args instanceof \Illuminate\Support\Collection && $this->build_args->isNotEmpty()) {
                $build_args_string = $this->build_args->implode(' ');
-                // Escape single quotes for bash -c context used by executeInDocker
-                $build_args_string = str_replace("'", "'\\''", $build_args_string);
                $command .= " {$build_args_string}";
                $this->application_deployment_queue->addLogEntry('Adding build arguments to Docker Compose build command.');
            }
@ -768,9 +769,18 @@ private function deploy_docker_compose_buildpack()
                );

                $this->write_deployment_configurations();
-                $this->execute_remote_command(
-                    [executeInDocker($this->deployment_uuid, "cd {$this->workdir} && {$start_command}"), 'hidden' => true],
-                );
+
+                try {
+                    $this->execute_remote_command(
+                        [executeInDocker($this->deployment_uuid, "cd {$this->workdir} && {$start_command}"), 'hidden' => true],
+                    );
+                } catch (\RuntimeException $e) {
+                    if (str_contains($e->getMessage(), "matching `'") || str_contains($e->getMessage(), 'unexpected EOF')) {
+                        throw new DeploymentException("Custom start command failed due to shell syntax error. Please check your command for special characters (like unmatched quotes): {$this->docker_compose_custom_start_command}");
+                    }
+
+                    throw $e;
+                }
            } else {
                $this->write_deployment_configurations();
                $this->docker_compose_location = '/docker-compose.yaml';
@ -795,9 +805,15 @@ private function deploy_docker_compose_buildpack()
                );

                $this->write_deployment_configurations();
-                $this->execute_remote_command(
-                    [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$start_command}"), 'hidden' => true],
-                );
+                if ($this->preserveRepository) {
+                    $this->execute_remote_command(
+                        ['command' => "cd {$server_workdir} && {$start_command}", 'hidden' => true],
+                    );
+                } else {
+                    $this->execute_remote_command(
+                        [executeInDocker($this->deployment_uuid, "cd {$this->basedir} && {$start_command}"), 'hidden' => true],
+                    );
+                }
            } else {
                $command = "{$this->coolify_variables} docker compose";
                if ($this->preserveRepository) {
@ -831,7 +847,7 @@ private function deploy_dockerfile_buildpack()
            $this->server = $this->build_server;
        }
        if (data_get($this->application, 'dockerfile_location')) {
-            $this->dockerfile_location = $this->application->dockerfile_location;
+            $this->dockerfile_location = $this->validatePathField($this->application->dockerfile_location, 'dockerfile_location');
        }
        $this->prepare_builder_image();
        $this->check_git_if_build_needed();
@ -1800,7 +1816,8 @@ private function health_check()
                    $counter = 1;
                    $this->application_deployment_queue->addLogEntry('Waiting for healthcheck to pass on the new container.');
                    if ($this->full_healthcheck_url && ! $this->application->custom_healthcheck_found) {
-                        $this->application_deployment_queue->addLogEntry("Healthcheck URL (inside the container): {$this->full_healthcheck_url}");
+                        $healthcheckLabel = $this->application->health_check_type === 'cmd' ? 'Healthcheck command' : 'Healthcheck URL';
+                        $this->application_deployment_queue->addLogEntry("{$healthcheckLabel} (inside the container): {$this->full_healthcheck_url}");
                    }
                    $this->application_deployment_queue->addLogEntry("Waiting for the start period ({$this->application->health_check_start_period} seconds) before starting healthcheck.");
                    $sleeptime = 0;
@ -2116,7 +2133,7 @@ private function check_git_if_build_needed()
                    executeInDocker($this->deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
                ],
                [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
+                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i /root/.ssh/id_rsa\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
                    'hidden' => true,
                    'save' => 'git_commit_sha',
                ]
@ -2179,7 +2196,7 @@ private function clone_repository()
        $this->create_workdir();
        $this->execute_remote_command(
            [
-                executeInDocker($this->deployment_uuid, "cd {$this->workdir} && git log -1 {$this->commit} --pretty=%B"),
+                executeInDocker($this->deployment_uuid, "cd {$this->workdir} && git log -1 ".escapeshellarg($this->commit).' --pretty=%B'),
                'hidden' => true,
                'save' => 'commit_message',
            ]
@ -2445,7 +2462,9 @@ private function generate_env_variables()

        $coolify_envs = $this->generate_coolify_env_variables(forBuildTime: true);
        $coolify_envs->each(function ($value, $key) {
-            $this->env_args->put($key, $value);
+            if (! is_null($value) && $value !== '') {
+                $this->env_args->put($key, $value);
+            }
        });

        // For build process, include only environment variables where is_buildtime = true
@ -2758,29 +2777,56 @@ private function generate_local_persistent_volumes_only_volume_names()

    private function generate_healthcheck_commands()
    {
+        // Handle CMD type healthcheck
+        if ($this->application->health_check_type === 'cmd' && ! empty($this->application->health_check_command)) {
+            $command = str_replace(["\r\n", "\r", "\n"], ' ', $this->application->health_check_command);
+            $this->full_healthcheck_url = $command;
+
+            return $command;
+        }
+
+        // HTTP type healthcheck (default)
        if (! $this->application->health_check_port) {
-            $health_check_port = $this->application->ports_exposes_array[0];
+            $health_check_port = (int) $this->application->ports_exposes_array[0];
        } else {
-            $health_check_port = $this->application->health_check_port;
+            $health_check_port = (int) $this->application->health_check_port;
        }
        if ($this->application->settings->is_static || $this->application->build_pack === 'static') {
            $health_check_port = 80;
        }
-        if ($this->application->health_check_path) {
-            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}{$this->application->health_check_path}";
-            $generated_healthchecks_commands = [
-                "curl -s -X {$this->application->health_check_method} -f {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}{$this->application->health_check_path} > /dev/null || wget -q -O- {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}{$this->application->health_check_path} > /dev/null || exit 1",
-            ];
+
+        $method = $this->sanitizeHealthCheckValue($this->application->health_check_method, '/^[A-Z]+$/', 'GET');
+        $scheme = $this->sanitizeHealthCheckValue($this->application->health_check_scheme, '/^https?$/', 'http');
+        $host = $this->sanitizeHealthCheckValue($this->application->health_check_host, '/^[a-zA-Z0-9.\-_]+$/', 'localhost');
+        $path = $this->application->health_check_path
+            ? $this->sanitizeHealthCheckValue($this->application->health_check_path, '#^[a-zA-Z0-9/\-_.~%]+$#', '/')
+            : null;
+
+        $url = escapeshellarg("{$scheme}://{$host}:{$health_check_port}".($path ?? '/'));
+        $method = escapeshellarg($method);
+
+        if ($path) {
+            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$scheme}://{$host}:{$health_check_port}{$path}";
        } else {
-            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}/";
-            $generated_healthchecks_commands = [
-                "curl -s -X {$this->application->health_check_method} -f {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}/ > /dev/null || wget -q -O- {$this->application->health_check_scheme}://{$this->application->health_check_host}:{$health_check_port}/ > /dev/null || exit 1",
-            ];
+            $this->full_healthcheck_url = "{$this->application->health_check_method}: {$scheme}://{$host}:{$health_check_port}/";
        }

+        $generated_healthchecks_commands = [
+            "curl -s -X {$method} -f {$url} > /dev/null || wget -q -O- {$url} > /dev/null || exit 1",
+        ];
+
        return implode(' ', $generated_healthchecks_commands);
    }

+    private function sanitizeHealthCheckValue(string $value, string $pattern, string $default): string
+    {
+        if (preg_match($pattern, $value)) {
+            return $value;
+        }
+
+        return $default;
+    }
+
    private function pull_latest_image($image)
    {
        $this->application_deployment_queue->addLogEntry("Pulling latest image ($image) from the registry.");
@ -2817,7 +2863,11 @@ private function build_static_image()
                $nginx_config = base64_encode(defaultNginxConfiguration());
            }
        }
-        $build_command = "docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile --progress plain -t {$this->production_image_name} {$this->workdir}";
+        if ($this->dockerBuildkitSupported) {
+            $build_command = "DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile --progress plain -t {$this->production_image_name} {$this->workdir}";
+        } else {
+            $build_command = "docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile -t {$this->production_image_name} {$this->workdir}";
+        }
        $base64_build_command = base64_encode($build_command);
        $this->execute_remote_command(
            [
@ -2857,21 +2907,19 @@ private function wrap_build_command_with_env_export(string $build_command): stri
    private function build_image()
    {
        // Add Coolify related variables to the build args/secrets
-        if ($this->dockerBuildkitSupported) {
-            // Coolify variables are already included in the secrets from generate_build_env_variables
-            // build_secrets is already a string at this point
-        } else {
+        if (! $this->dockerSecretsSupported) {
            // Traditional build args approach - generate COOLIFY_ variables locally
-            // Generate COOLIFY_ variables locally for build args
            $coolify_envs = $this->generate_coolify_env_variables(forBuildTime: true);
            $coolify_envs->each(function ($value, $key) {
                $this->build_args->push("--build-arg '{$key}'");
            });
-            $this->build_args = $this->build_args instanceof \Illuminate\Support\Collection
-                ? $this->build_args->implode(' ')
-                : (string) $this->build_args;
        }

+        // Always convert build_args Collection to string for command interpolation
+        $this->build_args = $this->build_args instanceof \Illuminate\Support\Collection
+            ? $this->build_args->implode(' ')
+            : (string) $this->build_args;
+
        $this->application_deployment_queue->addLogEntry('----------------------------------------');
        if ($this->disableBuildCache) {
            $this->application_deployment_queue->addLogEntry('Docker build cache is disabled. It will not be used during the build process.');
@ -2899,7 +2947,7 @@ private function build_image()
                        executeInDocker($this->deployment_uuid, "cat {$this->workdir}/.nixpacks/Dockerfile"),
                        'hidden' => true,
                    ]);
-                    if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                    if ($this->dockerSecretsSupported) {
                        // Modify the nixpacks Dockerfile to use build secrets
                        $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
                        $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
@ -2907,9 +2955,8 @@ private function build_image()
                    } elseif ($this->dockerBuildkitSupported) {
                        // BuildKit without secrets
                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
-                        ray($build_command);
                    } else {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
                    }
                } else {
                    $this->execute_remote_command([
@ -2919,18 +2966,16 @@ private function build_image()
                        executeInDocker($this->deployment_uuid, "cat {$this->workdir}/.nixpacks/Dockerfile"),
                        'hidden' => true,
                    ]);
-                    if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                    if ($this->dockerSecretsSupported) {
                        // Modify the nixpacks Dockerfile to use build secrets
                        $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
                        $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->workdir}");
                    } elseif ($this->dockerBuildkitSupported) {
                        // BuildKit without secrets
-                        $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
-                        $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
                    } else {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile -t {$this->build_image_name} {$this->build_args} {$this->workdir}");
                    }
                }

@ -2952,7 +2997,7 @@ private function build_image()
                $this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm '.self::NIXPACKS_PLAN_PATH), 'hidden' => true]);
            } else {
                // Dockerfile buildpack
-                if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                if ($this->dockerSecretsSupported) {
                    // Modify the Dockerfile to use build secrets
                    $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
                    $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
@ -2963,19 +3008,17 @@ private function build_image()
                    }
                } elseif ($this->dockerBuildkitSupported) {
                    // BuildKit without secrets
-                    $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
-                    $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                    if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
                    } else {
-                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} --progress plain -t $this->build_image_name {$this->build_args} {$this->workdir}");
                    }
                } else {
                    // Traditional build with args
                    if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
                    } else {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t $this->build_image_name {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} --network {$this->destination->network} -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t $this->build_image_name {$this->workdir}");
                    }
                }
                $base64_build_command = base64_encode($build_command);
@ -3010,7 +3053,11 @@ private function build_image()
                    $nginx_config = base64_encode(defaultNginxConfiguration());
                }
            }
-            $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+            if ($this->dockerBuildkitSupported) {
+                $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+            } else {
+                $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/Dockerfile {$this->build_args} -t {$this->production_image_name} {$this->workdir}");
+            }
            $base64_build_command = base64_encode($build_command);
            $this->execute_remote_command(
                [
@ -3035,7 +3082,7 @@ private function build_image()
        } else {
            // Pure Dockerfile based deployment
            if ($this->application->dockerfile) {
-                if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                if ($this->dockerSecretsSupported) {
                    // Modify the Dockerfile to use build secrets
                    $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
                    $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
@ -3044,12 +3091,19 @@ private function build_image()
                    } else {
                        $build_command = "DOCKER_BUILDKIT=1 docker build --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}";
                    }
-                } else {
-                    // Traditional build with args
+                } elseif ($this->dockerBuildkitSupported) {
+                    // BuildKit without secrets
                    if ($this->force_rebuild) {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                    } else {
-                        $build_command = $this->wrap_build_command_with_env_export("docker build --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+                        $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                    }
+                } else {
+                    // Traditional build with args (no --progress for legacy builder compatibility)
+                    if ($this->force_rebuild) {
+                        $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t {$this->production_image_name} {$this->workdir}");
+                    } else {
+                        $build_command = $this->wrap_build_command_with_env_export("docker build --pull {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t {$this->production_image_name} {$this->workdir}");
                    }
                }
                $base64_build_command = base64_encode($build_command);
@ -3079,18 +3133,16 @@ private function build_image()
                            executeInDocker($this->deployment_uuid, "cat {$this->workdir}/.nixpacks/Dockerfile"),
                            'hidden' => true,
                        ]);
-                        if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                        if ($this->dockerSecretsSupported) {
                            // Modify the nixpacks Dockerfile to use build secrets
                            $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
                            $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}");
                        } elseif ($this->dockerBuildkitSupported) {
                            // BuildKit without secrets
-                            $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
-                            $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
-                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        } else {
-                            $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        }
                    } else {
                        $this->execute_remote_command([
@ -3100,18 +3152,16 @@ private function build_image()
                            executeInDocker($this->deployment_uuid, "cat {$this->workdir}/.nixpacks/Dockerfile"),
                            'hidden' => true,
                        ]);
-                        if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                        if ($this->dockerSecretsSupported) {
                            // Modify the nixpacks Dockerfile to use build secrets
                            $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
                            $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->workdir}");
                        } elseif ($this->dockerBuildkitSupported) {
                            // BuildKit without secrets
-                            $this->modify_dockerfile_for_secrets("{$this->workdir}/.nixpacks/Dockerfile");
-                            $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
-                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        } else {
-                            $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("docker build {$this->addHosts} --network host -f {$this->workdir}/.nixpacks/Dockerfile -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        }
                    }
                    $base64_build_command = base64_encode($build_command);
@ -3132,7 +3182,7 @@ private function build_image()
                    $this->execute_remote_command([executeInDocker($this->deployment_uuid, 'rm '.self::NIXPACKS_PLAN_PATH), 'hidden' => true]);
                } else {
                    // Dockerfile buildpack
-                    if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+                    if ($this->dockerSecretsSupported) {
                        // Modify the Dockerfile to use build secrets
                        $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
                        // Use BuildKit with secrets
@ -3144,19 +3194,17 @@ private function build_image()
                        }
                    } elseif ($this->dockerBuildkitSupported) {
                        // BuildKit without secrets
-                        $this->modify_dockerfile_for_secrets("{$this->workdir}{$this->dockerfile_location}");
-                        $secrets_flags = $this->build_secrets ? " {$this->build_secrets}" : '';
                        if ($this->force_rebuild) {
-                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build --no-cache {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        } else {
-                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location}{$secrets_flags} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("DOCKER_BUILDKIT=1 docker build {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} --progress plain -t {$this->production_image_name} {$this->build_args} {$this->workdir}");
                        }
                    } else {
                        // Traditional build with args
                        if ($this->force_rebuild) {
-                            $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("docker build --no-cache {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t {$this->production_image_name} {$this->workdir}");
                        } else {
-                            $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} --progress plain -t {$this->production_image_name} {$this->workdir}");
+                            $build_command = $this->wrap_build_command_with_env_export("docker build {$this->buildTarget} {$this->addHosts} --network host -f {$this->workdir}{$this->dockerfile_location} {$this->build_args} -t {$this->production_image_name} {$this->workdir}");
                        }
                    }
                    $base64_build_command = base64_encode($build_command);
@ -3332,7 +3380,7 @@ private function generate_build_env_variables()
            $this->analyzeBuildTimeVariables($variables);
        }

-        if ($this->dockerBuildkitSupported && $this->application->settings->use_build_secrets) {
+        if ($this->dockerSecretsSupported) {
            $this->generate_build_secrets($variables);
            $this->build_args = '';
        } else {
@ -3470,8 +3518,8 @@ protected function findFromInstructionLines($dockerfile): array

    private function add_build_env_variables_to_dockerfile()
    {
-        if ($this->dockerBuildkitSupported) {
-            // We dont need to add build secrets to dockerfile for buildkit, as we already added them with --secret flag in function generate_docker_env_flags_for_secrets
+        if ($this->dockerSecretsSupported) {
+            // We dont need to add ARG declarations when using Docker build secrets, as variables are passed with --secret flag
            return;
        }

@ -3819,7 +3867,7 @@ private function modify_dockerfiles_for_compose($composeFile)
                $this->application_deployment_queue->addLogEntry("Service {$serviceName}: All required ARG declarations already exist.");
            }

-            if ($this->application->settings->use_build_secrets && $this->dockerBuildkitSupported && ! empty($this->build_secrets)) {
+            if ($this->dockerSecretsSupported && ! empty($this->build_secrets)) {
                $fullDockerfilePath = "{$this->workdir}/{$dockerfilePath}";
                $this->modify_dockerfile_for_secrets($fullDockerfilePath);
                $this->application_deployment_queue->addLogEntry("Modified Dockerfile for service {$serviceName} to use build secrets.");
@ -3879,6 +3927,18 @@ private function add_build_secrets_to_compose($composeFile)
        return $composeFile;
    }

+    private function validatePathField(string $value, string $fieldName): string
+    {
+        if (! preg_match(\App\Support\ValidationPatterns::FILE_PATH_PATTERN, $value)) {
+            throw new \RuntimeException("Invalid {$fieldName}: contains forbidden characters.");
+        }
+        if (str_contains($value, '..')) {
+            throw new \RuntimeException("Invalid {$fieldName}: path traversal detected.");
+        }
+
+        return $value;
+    }
+
    private function run_pre_deployment_command()
    {
        if (empty($this->application->pre_deployment_command)) {
--- a/app/Jobs/CheckTraefikVersionForServerJob.php
+++ b/app/Jobs/CheckTraefikVersionForServerJob.php
@ -6,12 +6,13 @@
 use App\Models\Server;
 use App\Notifications\Server\TraefikVersionOutdated;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;

-class CheckTraefikVersionForServerJob implements ShouldQueue
+class CheckTraefikVersionForServerJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Jobs/CheckTraefikVersionJob.php
+++ b/app/Jobs/CheckTraefikVersionJob.php
@ -5,12 +5,13 @@
 use App\Enums\ProxyTypes;
 use App\Models\Server;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;

-class CheckTraefikVersionJob implements ShouldQueue
+class CheckTraefikVersionJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Jobs/DatabaseBackupJob.php
+++ b/app/Jobs/DatabaseBackupJob.php
@ -111,6 +111,12 @@ public function handle(): void

            $status = str(data_get($this->database, 'status'));
            if (! $status->startsWith('running') && $this->database->id !== 0) {
+                Log::info('DatabaseBackupJob skipped: database not running', [
+                    'backup_id' => $this->backup->id,
+                    'database_id' => $this->database->id,
+                    'status' => (string) $status,
+                ]);
+
                return;
            }
            if (data_get($this->backup, 'database_type') === \App\Models\ServiceDatabase::class) {
@ -472,7 +478,7 @@ private function backup_standalone_mongodb(string $databaseWithCollections): voi
                    throw new \Exception('MongoDB credentials not found. Ensure MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD environment variables are available in the container.');
                }
            }
-            \Log::info('MongoDB backup URL configured', ['has_url' => filled($url), 'using_env_vars' => blank($this->database->internal_db_url)]);
+            Log::info('MongoDB backup URL configured', ['has_url' => filled($url), 'using_env_vars' => blank($this->database->internal_db_url)]);
            if ($databaseWithCollections === 'all') {
                $commands[] = 'mkdir -p '.$this->backup_dir;
                if (str($this->database->image)->startsWith('mongo:4')) {
--- a/app/Jobs/DockerCleanupJob.php
+++ b/app/Jobs/DockerCleanupJob.php
@ -91,6 +91,8 @@ public function handle(): void

                $this->server->team?->notify(new DockerCleanupSuccess($this->server, $message));
                event(new DockerCleanupDone($this->execution_log));
+
+                return;
            }

            if ($this->usageBefore >= $this->server->settings->docker_cleanup_threshold) {
--- a/app/Jobs/NotifySetupCompleteJob.php
+++ b/app/Jobs/NotifySetupCompleteJob.php
@ -0,0 +1,55 @@
+<?php
+
+namespace App\Jobs;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Notify MapleDeploy that the first user has registered on this Coolify instance.
+ *
+ * Sends the setup token as a Bearer token so MapleDeploy can verify authenticity
+ * and clear its stored copy. The token acts as a one-time shared secret.
+ */
+class NotifySetupCompleteJob implements ShouldBeEncrypted, ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public $tries = 5;
+
+    public array $backoff = [10, 30, 60, 120, 300];
+
+    public int $maxExceptions = 5;
+
+    public function __construct(
+        public string $setupToken,
+        public string $callbackUrl
+    ) {
+        $this->onQueue('high');
+    }
+
+    public function handle(): void
+    {
+        $response = Http::withToken($this->setupToken)
+            ->timeout(15)
+            ->post($this->callbackUrl);
+
+        if (! $response->successful()) {
+            Log::warning('Setup-complete callback failed', [
+                'status' => $response->status(),
+                'url' => $this->callbackUrl,
+            ]);
+
+            // Throw so the job retries
+            throw new \RuntimeException(
+                "Setup-complete callback returned HTTP {$response->status()}"
+            );
+        }
+    }
+}
--- a/app/Jobs/PushServerUpdateJob.php
+++ b/app/Jobs/PushServerUpdateJob.php
@ -24,6 +24,7 @@
 use Illuminate\Queue\Middleware\WithoutOverlapping;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Cache;
 use Laravel\Horizon\Contracts\Silenced;

 class PushServerUpdateJob implements ShouldBeEncrypted, ShouldQueue, Silenced
@ -130,7 +131,14 @@ public function handle()

        $this->containers = collect(data_get($data, 'containers'));
        $filesystemUsageRoot = data_get($data, 'filesystem_usage_root.used_percentage');
-        ServerStorageCheckJob::dispatch($this->server, $filesystemUsageRoot);
+
+        // Only dispatch storage check when disk percentage actually changes
+        $storageCacheKey = 'storage-check:'.$this->server->id;
+        $lastPercentage = Cache::get($storageCacheKey);
+        if ($lastPercentage === null || (string) $lastPercentage !== (string) $filesystemUsageRoot) {
+            Cache::put($storageCacheKey, $filesystemUsageRoot, 600);
+            ServerStorageCheckJob::dispatch($this->server, $filesystemUsageRoot);
+        }

        if ($this->containers->isEmpty()) {
            return;
@ -207,6 +215,9 @@ public function handle()
                $serviceId = $labels->get('coolify.serviceId');
                $subType = $labels->get('coolify.service.subType');
                $subId = $labels->get('coolify.service.subId');
+                if (empty(trim((string) $subId))) {
+                    continue;
+                }
                if ($subType === 'application') {
                    $this->foundServiceApplicationIds->push($subId);
                    // Store container status for aggregation
@ -296,6 +307,8 @@ private function aggregateMultiContainerStatuses()
                if ($aggregatedStatus && $application->status !== $aggregatedStatus) {
                    $application->status = $aggregatedStatus;
                    $application->save();
+                } elseif ($aggregatedStatus) {
+                    $application->update(['last_online_at' => now()]);
                }

                continue;
@ -310,6 +323,8 @@ private function aggregateMultiContainerStatuses()
            if ($aggregatedStatus && $application->status !== $aggregatedStatus) {
                $application->status = $aggregatedStatus;
                $application->save();
+            } elseif ($aggregatedStatus) {
+                $application->update(['last_online_at' => now()]);
            }
        }
    }
@ -324,6 +339,10 @@ private function aggregateServiceContainerStatuses()
            // Parse key: serviceId:subType:subId
            [$serviceId, $subType, $subId] = explode(':', $key);

+            if (empty($subId)) {
+                continue;
+            }
+
            $service = $this->services->where('id', $serviceId)->first();
            if (! $service) {
                continue;
@ -332,9 +351,9 @@ private function aggregateServiceContainerStatuses()
            // Get the service sub-resource (ServiceApplication or ServiceDatabase)
            $subResource = null;
            if ($subType === 'application') {
-                $subResource = $service->applications()->where('id', $subId)->first();
+                $subResource = $service->applications->where('id', $subId)->first();
            } elseif ($subType === 'database') {
-                $subResource = $service->databases()->where('id', $subId)->first();
+                $subResource = $service->databases->where('id', $subId)->first();
            }

            if (! $subResource) {
@ -356,6 +375,8 @@ private function aggregateServiceContainerStatuses()
                if ($aggregatedStatus && $subResource->status !== $aggregatedStatus) {
                    $subResource->status = $aggregatedStatus;
                    $subResource->save();
+                } elseif ($aggregatedStatus) {
+                    $subResource->update(['last_online_at' => now()]);
                }

                continue;
@ -371,6 +392,8 @@ private function aggregateServiceContainerStatuses()
            if ($aggregatedStatus && $subResource->status !== $aggregatedStatus) {
                $subResource->status = $aggregatedStatus;
                $subResource->save();
+            } elseif ($aggregatedStatus) {
+                $subResource->update(['last_online_at' => now()]);
            }
        }
    }
@ -384,6 +407,8 @@ private function updateApplicationStatus(string $applicationId, string $containe
        if ($application->status !== $containerStatus) {
            $application->status = $containerStatus;
            $application->save();
+        } else {
+            $application->update(['last_online_at' => now()]);
        }
    }

@ -398,6 +423,8 @@ private function updateApplicationPreviewStatus(string $applicationId, string $p
        if ($application->status !== $containerStatus) {
            $application->status = $containerStatus;
            $application->save();
+        } else {
+            $application->update(['last_online_at' => now()]);
        }
    }

@ -473,8 +500,13 @@ private function updateProxyStatus()
                } catch (\Throwable $e) {
                }
            } else {
-                // Connect proxy to networks asynchronously to avoid blocking the status update
-                ConnectProxyToNetworksJob::dispatch($this->server);
+                // Connect proxy to networks periodically (every 10 min) to avoid excessive job dispatches.
+                // On-demand triggers (new network, service deploy) use dispatchSync() and bypass this.
+                $proxyCacheKey = 'connect-proxy:'.$this->server->id;
+                if (! Cache::has($proxyCacheKey)) {
+                    Cache::put($proxyCacheKey, true, 600);
+                    ConnectProxyToNetworksJob::dispatch($this->server);
+                }
            }
        }
    }
@ -488,6 +520,8 @@ private function updateDatabaseStatus(string $databaseUuid, string $containerSta
        if ($database->status !== $containerStatus) {
            $database->status = $containerStatus;
            $database->save();
+        } else {
+            $database->update(['last_online_at' => now()]);
        }
        if ($this->isRunning($containerStatus) && $tcpProxy) {
            $tcpProxyContainerFound = $this->containers->filter(function ($value, $key) use ($databaseUuid) {
@ -525,8 +559,12 @@ private function updateNotFoundDatabaseStatus()
            $database = $this->databases->where('uuid', $databaseUuid)->first();
            if ($database) {
                if (! str($database->status)->startsWith('exited')) {
-                    $database->status = 'exited';
-                    $database->save();
+                    $database->update([
+                        'status' => 'exited',
+                        'restart_count' => 0,
+                        'last_restart_at' => null,
+                        'last_restart_type' => null,
+                    ]);
                }
                if ($database->is_public) {
                    StopDatabaseProxy::dispatch($database);
@ -535,31 +573,6 @@ private function updateNotFoundDatabaseStatus()
        });
    }

-    private function updateServiceSubStatus(string $serviceId, string $subType, string $subId, string $containerStatus)
-    {
-        $service = $this->services->where('id', $serviceId)->first();
-        if (! $service) {
-            return;
-        }
-        if ($subType === 'application') {
-            $application = $service->applications()->where('id', $subId)->first();
-            if ($application) {
-                if ($application->status !== $containerStatus) {
-                    $application->status = $containerStatus;
-                    $application->save();
-                }
-            }
-        } elseif ($subType === 'database') {
-            $database = $service->databases()->where('id', $subId)->first();
-            if ($database) {
-                if ($database->status !== $containerStatus) {
-                    $database->status = $containerStatus;
-                    $database->save();
-                }
-            }
-        }
-    }
-
    private function updateNotFoundServiceStatus()
    {
        $notFoundServiceApplicationIds = $this->allServiceApplicationIds->diff($this->foundServiceApplicationIds);
--- a/app/Jobs/RegenerateSslCertJob.php
+++ b/app/Jobs/RegenerateSslCertJob.php
@ -7,13 +7,14 @@
 use App\Models\Team;
 use App\Notifications\SslExpirationNotification;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Log;

-class RegenerateSslCertJob implements ShouldQueue
+class RegenerateSslCertJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Jobs/ScheduledJobManager.php
+++ b/app/Jobs/ScheduledJobManager.php
@ -15,7 +15,9 @@
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Redis;

 class ScheduledJobManager implements ShouldQueue
 {
@ -27,6 +29,10 @@ class ScheduledJobManager implements ShouldQueue
     */
    private ?Carbon $executionTime = null;

+    private int $dispatchedCount = 0;
+
+    private int $skippedCount = 0;
+
    /**
     * Create a new job instance.
     */
@ -50,6 +56,11 @@ private function determineQueue(): string
     */
    public function middleware(): array
    {
+        // Self-healing: clear any stale lock before WithoutOverlapping tries to acquire it.
+        // Stale locks (TTL = -1) can occur during upgrades, Redis restarts, or edge cases.
+        // @see https://github.com/coollabsio/coolify/issues/8327
+        self::clearStaleLockIfPresent();
+
        return [
            (new WithoutOverlapping('scheduled-job-manager'))
                ->expireAfter(90)   // Lock expires after 90s to handle high-load environments with many tasks
@ -57,10 +68,44 @@ public function middleware(): array
        ];
    }

+    /**
+     * Clear a stale WithoutOverlapping lock if it has no TTL (TTL = -1).
+     *
+     * This provides continuous self-healing since it runs every time the job is dispatched.
+     * Stale locks permanently block all scheduled job executions with no user-visible error.
+     */
+    private static function clearStaleLockIfPresent(): void
+    {
+        try {
+            $cachePrefix = config('cache.prefix', '');
+            $lockKey = $cachePrefix.'laravel-queue-overlap:'.self::class.':scheduled-job-manager';
+
+            $ttl = Redis::connection('default')->ttl($lockKey);
+
+            if ($ttl === -1) {
+                Redis::connection('default')->del($lockKey);
+                Log::channel('scheduled')->warning('Cleared stale ScheduledJobManager lock', [
+                    'lock_key' => $lockKey,
+                ]);
+            }
+        } catch (\Throwable $e) {
+            // Never let lock cleanup failure prevent the job from running
+            Log::channel('scheduled-errors')->error('Failed to check/clear stale lock', [
+                'error' => $e->getMessage(),
+            ]);
+        }
+    }
+
    public function handle(): void
    {
        // Freeze the execution time at the start of the job
        $this->executionTime = Carbon::now();
+        $this->dispatchedCount = 0;
+        $this->skippedCount = 0;
+
+        Log::channel('scheduled')->info('ScheduledJobManager started', [
+            'execution_time' => $this->executionTime->toIso8601String(),
+        ]);

        // Process backups - don't let failures stop task processing
        try {
@ -91,6 +136,20 @@ public function handle(): void
                'trace' => $e->getTraceAsString(),
            ]);
        }
+
+        Log::channel('scheduled')->info('ScheduledJobManager completed', [
+            'execution_time' => $this->executionTime->toIso8601String(),
+            'duration_ms' => $this->executionTime->diffInMilliseconds(Carbon::now()),
+            'dispatched' => $this->dispatchedCount,
+            'skipped' => $this->skippedCount,
+        ]);
+
+        // Write heartbeat so the UI can detect when the scheduler has stopped
+        try {
+            Cache::put('scheduled-job-manager:heartbeat', now()->toIso8601String(), 300);
+        } catch (\Throwable) {
+            // Non-critical; don't let heartbeat failure affect the job
+        }
    }

    private function processScheduledBackups(): void
@ -101,12 +160,20 @@ private function processScheduledBackups(): void

        foreach ($backups as $backup) {
            try {
-                // Apply the same filtering logic as the original
-                if (! $this->shouldProcessBackup($backup)) {
+                $server = $backup->server();
+                $skipReason = $this->getBackupSkipReason($backup, $server);
+                if ($skipReason !== null) {
+                    $this->skippedCount++;
+                    $this->logSkip('backup', $skipReason, [
+                        'backup_id' => $backup->id,
+                        'database_id' => $backup->database_id,
+                        'database_type' => $backup->database_type,
+                        'team_id' => $backup->team_id ?? null,
+                    ]);
+
                    continue;
                }

-                $server = $backup->server();
                $serverTimezone = data_get($server->settings, 'server_timezone', config('app.timezone'));

                if (validate_timezone($serverTimezone) === false) {
@ -118,8 +185,16 @@ private function processScheduledBackups(): void
                    $frequency = VALID_CRON_STRINGS[$frequency];
                }

-                if ($this->shouldRunNow($frequency, $serverTimezone)) {
+                if ($this->shouldRunNow($frequency, $serverTimezone, "scheduled-backup:{$backup->id}")) {
                    DatabaseBackupJob::dispatch($backup);
+                    $this->dispatchedCount++;
+                    Log::channel('scheduled')->info('Backup dispatched', [
+                        'backup_id' => $backup->id,
+                        'database_id' => $backup->database_id,
+                        'database_type' => $backup->database_type,
+                        'team_id' => $backup->team_id ?? null,
+                        'server_id' => $server->id,
+                    ]);
                }
            } catch (\Exception $e) {
                Log::channel('scheduled-errors')->error('Error processing backup', [
@ -138,11 +213,21 @@ private function processScheduledTasks(): void

        foreach ($tasks as $task) {
            try {
-                if (! $this->shouldProcessTask($task)) {
+                $server = $task->server();
+
+                // Phase 1: Critical checks (always — cheap, handles orphans and infra issues)
+                $criticalSkip = $this->getTaskCriticalSkipReason($task, $server);
+                if ($criticalSkip !== null) {
+                    $this->skippedCount++;
+                    $this->logSkip('task', $criticalSkip, [
+                        'task_id' => $task->id,
+                        'task_name' => $task->name,
+                        'team_id' => $server?->team_id,
+                    ]);
+
                    continue;
                }

-                $server = $task->server();
                $serverTimezone = data_get($server->settings, 'server_timezone', config('app.timezone'));

                if (validate_timezone($serverTimezone) === false) {
@ -154,9 +239,31 @@ private function processScheduledTasks(): void
                    $frequency = VALID_CRON_STRINGS[$frequency];
                }

-                if ($this->shouldRunNow($frequency, $serverTimezone)) {
-                    ScheduledTaskJob::dispatch($task);
+                if (! $this->shouldRunNow($frequency, $serverTimezone, "scheduled-task:{$task->id}")) {
+                    continue;
                }
+
+                // Phase 2: Runtime checks (only when cron is due — avoids noise for stopped resources)
+                $runtimeSkip = $this->getTaskRuntimeSkipReason($task);
+                if ($runtimeSkip !== null) {
+                    $this->skippedCount++;
+                    $this->logSkip('task', $runtimeSkip, [
+                        'task_id' => $task->id,
+                        'task_name' => $task->name,
+                        'team_id' => $server->team_id,
+                    ]);
+
+                    continue;
+                }
+
+                ScheduledTaskJob::dispatch($task);
+                $this->dispatchedCount++;
+                Log::channel('scheduled')->info('Task dispatched', [
+                    'task_id' => $task->id,
+                    'task_name' => $task->name,
+                    'team_id' => $server->team_id,
+                    'server_id' => $server->id,
+                ]);
            } catch (\Exception $e) {
                Log::channel('scheduled-errors')->error('Error processing task', [
                    'task_id' => $task->id,
@ -166,79 +273,112 @@ private function processScheduledTasks(): void
        }
    }

-    private function shouldProcessBackup(ScheduledDatabaseBackup $backup): bool
+    private function getBackupSkipReason(ScheduledDatabaseBackup $backup, ?Server $server): ?string
    {
        if (blank(data_get($backup, 'database'))) {
            $backup->delete();

-            return false;
+            return 'database_deleted';
        }

-        $server = $backup->server();
        if (blank($server)) {
            $backup->delete();

-            return false;
+            return 'server_deleted';
        }

        if ($server->isFunctional() === false) {
-            return false;
+            return 'server_not_functional';
        }

        if (isCloud() && data_get($server->team->subscription, 'stripe_invoice_paid', false) === false && $server->team->id !== 0) {
-            return false;
+            return 'subscription_unpaid';
        }

-        return true;
+        return null;
    }

-    private function shouldProcessTask(ScheduledTask $task): bool
+    private function getTaskCriticalSkipReason(ScheduledTask $task, ?Server $server): ?string
    {
-        $service = $task->service;
-        $application = $task->application;
-
-        $server = $task->server();
        if (blank($server)) {
            $task->delete();

-            return false;
+            return 'server_deleted';
        }

        if ($server->isFunctional() === false) {
-            return false;
+            return 'server_not_functional';
        }

        if (isCloud() && data_get($server->team->subscription, 'stripe_invoice_paid', false) === false && $server->team->id !== 0) {
-            return false;
+            return 'subscription_unpaid';
        }

-        if (! $service && ! $application) {
+        if (! $task->service && ! $task->application) {
            $task->delete();

-            return false;
+            return 'resource_deleted';
        }

-        if ($application && str($application->status)->contains('running') === false) {
-            return false;
-        }
-
-        if ($service && str($service->status)->contains('running') === false) {
-            return false;
-        }
-
-        return true;
+        return null;
    }

-    private function shouldRunNow(string $frequency, string $timezone): bool
+    private function getTaskRuntimeSkipReason(ScheduledTask $task): ?string
+    {
+        if ($task->application && str($task->application->status)->contains('running') === false) {
+            return 'application_not_running';
+        }
+
+        if ($task->service && str($task->service->status)->contains('running') === false) {
+            return 'service_not_running';
+        }
+
+        return null;
+    }
+
+    /**
+     * Determine if a cron schedule should run now.
+     *
+     * When a dedupKey is provided, uses getPreviousRunDate() + last-dispatch tracking
+     * instead of isDue(). This is resilient to queue delays — even if the job is delayed
+     * by minutes, it still catches the missed cron window. Without dedupKey, falls back
+     * to simple isDue() check.
+     */
+    private function shouldRunNow(string $frequency, string $timezone, ?string $dedupKey = null): bool
    {
        $cron = new CronExpression($frequency);
-
-        // Use the frozen execution time, not the current time
-        // Fallback to current time if execution time is not set (shouldn't happen)
        $baseTime = $this->executionTime ?? Carbon::now();
        $executionTime = $baseTime->copy()->setTimezone($timezone);

-        return $cron->isDue($executionTime);
+        // No dedup key → simple isDue check (used by docker cleanups)
+        if ($dedupKey === null) {
+            return $cron->isDue($executionTime);
+        }
+
+        // Get the most recent time this cron was due (including current minute)
+        $previousDue = Carbon::instance($cron->getPreviousRunDate($executionTime, allowCurrentDate: true));
+
+        $lastDispatched = Cache::get($dedupKey);
+
+        if ($lastDispatched === null) {
+            // First run after restart or cache loss: only fire if actually due right now.
+            // Seed the cache so subsequent runs can use tolerance/catch-up logic.
+            $isDue = $cron->isDue($executionTime);
+            if ($isDue) {
+                Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
+            }
+
+            return $isDue;
+        }
+
+        // Subsequent runs: fire if there's been a due time since last dispatch
+        if ($previousDue->gt(Carbon::parse($lastDispatched))) {
+            Cache::put($dedupKey, $executionTime->toIso8601String(), 86400);
+
+            return true;
+        }
+
+        return false;
    }

    private function processDockerCleanups(): void
@ -248,7 +388,15 @@ private function processDockerCleanups(): void

        foreach ($servers as $server) {
            try {
-                if (! $this->shouldProcessDockerCleanup($server)) {
+                $skipReason = $this->getDockerCleanupSkipReason($server);
+                if ($skipReason !== null) {
+                    $this->skippedCount++;
+                    $this->logSkip('docker_cleanup', $skipReason, [
+                        'server_id' => $server->id,
+                        'server_name' => $server->name,
+                        'team_id' => $server->team_id,
+                    ]);
+
                    continue;
                }

@ -270,6 +418,12 @@ private function processDockerCleanups(): void
                        $server->settings->delete_unused_volumes,
                        $server->settings->delete_unused_networks
                    );
+                    $this->dispatchedCount++;
+                    Log::channel('scheduled')->info('Docker cleanup dispatched', [
+                        'server_id' => $server->id,
+                        'server_name' => $server->name,
+                        'team_id' => $server->team_id,
+                    ]);
                }
            } catch (\Exception $e) {
                Log::channel('scheduled-errors')->error('Error processing docker cleanup', [
@ -296,19 +450,28 @@ private function getServersForCleanup(): Collection
        return $query->get();
    }

-    private function shouldProcessDockerCleanup(Server $server): bool
+    private function getDockerCleanupSkipReason(Server $server): ?string
    {
        if (! $server->isFunctional()) {
-            return false;
+            return 'server_not_functional';
        }

        // In cloud, check subscription status (except team 0)
        if (isCloud() && $server->team_id !== 0) {
            if (data_get($server->team->subscription, 'stripe_invoice_paid', false) === false) {
-                return false;
+                return 'subscription_unpaid';
            }
        }

-        return true;
+        return null;
+    }
+
+    private function logSkip(string $type, string $reason, array $context = []): void
+    {
+        Log::channel('scheduled')->info(ucfirst(str_replace('_', ' ', $type)).' skipped', array_merge([
+            'type' => $type,
+            'skip_reason' => $reason,
+            'execution_time' => $this->executionTime?->toIso8601String(),
+        ], $context));
    }
 }
--- a/app/Jobs/ScheduledTaskJob.php
+++ b/app/Jobs/ScheduledTaskJob.php
@ -14,13 +14,14 @@
 use App\Notifications\ScheduledTask\TaskSuccess;
 use Carbon\Carbon;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Log;

-class ScheduledTaskJob implements ShouldQueue
+class ScheduledTaskJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Jobs/SendMessageToSlackJob.php
+++ b/app/Jobs/SendMessageToSlackJob.php
@ -4,16 +4,27 @@

 use App\Notifications\Dto\SlackMessage;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Http;

-class SendMessageToSlackJob implements ShouldQueue
+class SendMessageToSlackJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

+    /**
+     * The number of times the job may be attempted.
+     */
+    public $tries = 5;
+
+    /**
+     * The number of seconds to wait before retrying the job.
+     */
+    public $backoff = 10;
+
    public function __construct(
        private SlackMessage $message,
        private string $webhookUrl
--- a/app/Jobs/SendMessageToTelegramJob.php
+++ b/app/Jobs/SendMessageToTelegramJob.php
@ -22,6 +22,11 @@ class SendMessageToTelegramJob implements ShouldBeEncrypted, ShouldQueue
     */
    public $tries = 5;

+    /**
+     * The number of seconds to wait before retrying the job.
+     */
+    public $backoff = 10;
+
    /**
     * The maximum number of unhandled exceptions to allow before failing.
     */
--- a/app/Jobs/ServerCheckJob.php
+++ b/app/Jobs/ServerCheckJob.php
@ -15,6 +15,7 @@
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\Middleware\WithoutOverlapping;
 use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;

 class ServerCheckJob implements ShouldBeEncrypted, ShouldQueue
 {
@ -33,6 +34,19 @@ public function middleware(): array

    public function __construct(public Server $server) {}

+    public function failed(?\Throwable $exception): void
+    {
+        if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
+            Log::warning('ServerCheckJob timed out', [
+                'server_id' => $this->server->id,
+                'server_name' => $this->server->name,
+            ]);
+
+            // Delete the queue job so it doesn't appear in Horizon's failed list.
+            $this->job?->delete();
+        }
+    }
+
    public function handle()
    {
        try {
--- a/app/Jobs/ServerConnectionCheckJob.php
+++ b/app/Jobs/ServerConnectionCheckJob.php
@ -101,12 +101,31 @@ public function handle()
                'is_usable' => false,
            ]);

-            throw $e;
+            return;
+        }
+    }
+
+    public function failed(?\Throwable $exception): void
+    {
+        if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
+            Log::warning('ServerConnectionCheckJob timed out', [
+                'server_id' => $this->server->id,
+                'server_name' => $this->server->name,
+            ]);
+            $this->server->settings->update([
+                'is_reachable' => false,
+                'is_usable' => false,
+            ]);
+
+            // Delete the queue job so it doesn't appear in Horizon's failed list.
+            $this->job?->delete();
        }
    }

    private function checkHetznerStatus(): void
    {
+        $status = null;
+
        try {
            $hetznerService = new \App\Services\HetznerService($this->server->cloudProviderToken->token);
            $serverData = $hetznerService->getServer($this->server->hetzner_server_id);
--- a/app/Jobs/ServerLimitCheckJob.php
+++ b/app/Jobs/ServerLimitCheckJob.php
@ -38,7 +38,7 @@ public function handle()
                    $server->forceDisableServer();
                    $this->team->notify(new ForceDisabled($server));
                });
-            } elseif ($number_of_servers_to_disable === 0) {
+            } elseif ($number_of_servers_to_disable <= 0) {
                $servers->each(function ($server) {
                    if ($server->isForceDisabled()) {
                        $server->forceEnableServer();
--- a/app/Jobs/ServerManagerJob.php
+++ b/app/Jobs/ServerManagerJob.php
@ -7,6 +7,7 @@
 use App\Models\Team;
 use Cron\CronExpression;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
@ -15,7 +16,7 @@
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Log;

-class ServerManagerJob implements ShouldQueue
+class ServerManagerJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

@ -64,11 +65,11 @@ public function handle(): void

    private function getServers(): Collection
    {
-        $allServers = Server::where('ip', '!=', '1.2.3.4');
+        $allServers = Server::with('settings')->where('ip', '!=', '1.2.3.4');

        if (isCloud()) {
            $servers = $allServers->whereRelation('team.subscription', 'stripe_invoice_paid', true)->get();
-            $own = Team::find(0)->servers;
+            $own = Team::find(0)->servers()->with('settings')->get();

            return $servers->merge($own);
        } else {
@ -82,6 +83,10 @@ private function dispatchConnectionChecks(Collection $servers): void
        if ($this->shouldRunNow($this->checkFrequency)) {
            $servers->each(function (Server $server) {
                try {
+                    // Skip SSH connection check if Sentinel is healthy — its heartbeat already proves connectivity
+                    if ($server->isSentinelEnabled() && $server->isSentinelLive()) {
+                        return;
+                    }
                    ServerConnectionCheckJob::dispatch($server);
                } catch (\Exception $e) {
                    Log::channel('scheduled-errors')->error('Failed to dispatch ServerConnectionCheck', [
@ -134,9 +139,7 @@ private function processServerTasks(Server $server): void
        // Dispatch Sentinel restart if due (daily for Sentinel-enabled servers)

        if ($shouldRestartSentinel) {
-            dispatch(function () use ($server) {
-                $server->restartContainer('coolify-sentinel');
-            });
+            CheckAndStartSentinelJob::dispatch($server);
        }

        // Dispatch ServerStorageCheckJob if due (only when Sentinel is out of sync or disabled)
@ -160,11 +163,8 @@ private function processServerTasks(Server $server): void
            ServerPatchCheckJob::dispatch($server);
        }

-        // Sentinel update checks (hourly) - check for updates to Sentinel version
-        // No timezone needed for hourly - runs at top of every hour
-        if ($isSentinelEnabled && $this->shouldRunNow('0 * * * *')) {
-            CheckAndStartSentinelJob::dispatch($server);
-        }
+        // Note: CheckAndStartSentinelJob is only dispatched daily (line above) for version updates.
+        // Crash recovery is handled by sentinelOutOfSync → ServerCheckJob → CheckAndStartSentinelJob.
    }

    private function shouldRunNow(string $frequency, ?string $timezone = null): bool
--- a/app/Jobs/ServerStorageCheckJob.php
+++ b/app/Jobs/ServerStorageCheckJob.php
@ -10,6 +10,7 @@
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\RateLimiter;
 use Laravel\Horizon\Contracts\Silenced;

@ -28,6 +29,19 @@ public function backoff(): int

    public function __construct(public Server $server, public int|string|null $percentage = null) {}

+    public function failed(?\Throwable $exception): void
+    {
+        if ($exception instanceof \Illuminate\Queue\TimeoutExceededException) {
+            Log::warning('ServerStorageCheckJob timed out', [
+                'server_id' => $this->server->id,
+                'server_name' => $this->server->name,
+            ]);
+
+            // Delete the queue job so it doesn't appear in Horizon's failed list.
+            $this->job?->delete();
+        }
+    }
+
    public function handle()
    {
        try {
--- a/app/Jobs/StripeProcessJob.php
+++ b/app/Jobs/StripeProcessJob.php
@ -4,11 +4,12 @@

 use App\Models\Subscription;
 use App\Models\Team;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Queue\Queueable;
 use Illuminate\Support\Str;

-class StripeProcessJob implements ShouldQueue
+class StripeProcessJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Queueable;

--- a/app/Jobs/SyncStripeSubscriptionsJob.php
+++ b/app/Jobs/SyncStripeSubscriptionsJob.php
@ -4,12 +4,13 @@

 use App\Models\Subscription;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;

-class SyncStripeSubscriptionsJob implements ShouldQueue
+class SyncStripeSubscriptionsJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

@ -22,7 +23,7 @@ public function __construct(public bool $fix = false)
        $this->onQueue('high');
    }

-    public function handle(): array
+    public function handle(?\Closure $onProgress = null): array
    {
        if (! isCloud() || ! isStripe()) {
            return ['error' => 'Not running on Cloud or Stripe not configured'];
@ -33,48 +34,73 @@ public function handle(): array
            ->get();

        $stripe = new \Stripe\StripeClient(config('subscription.stripe_api_key'));
+
+        // Bulk fetch all valid subscription IDs from Stripe (active + past_due)
+        $validStripeIds = $this->fetchValidStripeSubscriptionIds($stripe, $onProgress);
+
+        // Find DB subscriptions not in the valid set
+        $staleSubscriptions = $subscriptions->filter(
+            fn (Subscription $sub) => ! in_array($sub->stripe_subscription_id, $validStripeIds)
+        );
+
+        // For each stale subscription, get the exact Stripe status and check for resubscriptions
        $discrepancies = [];
+        $resubscribed = [];
        $errors = [];

-        foreach ($subscriptions as $subscription) {
+        foreach ($staleSubscriptions as $subscription) {
            try {
                $stripeSubscription = $stripe->subscriptions->retrieve(
                    $subscription->stripe_subscription_id
                );
+                $stripeStatus = $stripeSubscription->status;

-                // Check if Stripe says cancelled but we think it's active
-                if (in_array($stripeSubscription->status, ['canceled', 'incomplete_expired', 'unpaid'])) {
-                    $discrepancies[] = [
-                        'subscription_id' => $subscription->id,
-                        'team_id' => $subscription->team_id,
-                        'stripe_subscription_id' => $subscription->stripe_subscription_id,
-                        'stripe_status' => $stripeSubscription->status,
-                    ];
-
-                    // Only fix if --fix flag is passed
-                    if ($this->fix) {
-                        $subscription->update([
-                            'stripe_invoice_paid' => false,
-                            'stripe_past_due' => false,
-                        ]);
-
-                        if ($stripeSubscription->status === 'canceled') {
-                            $subscription->team?->subscriptionEnded();
-                        }
-                    }
-                }
-
-                // Small delay to avoid Stripe rate limits
-                usleep(100000); // 100ms
+                usleep(100000); // 100ms rate limit delay
            } catch (\Exception $e) {
                $errors[] = [
                    'subscription_id' => $subscription->id,
                    'error' => $e->getMessage(),
                ];
+
+                continue;
+            }
+
+            // Check if this user resubscribed under a different customer/subscription
+            $activeSub = $this->findActiveSubscriptionByEmail($stripe, $stripeSubscription->customer);
+            if ($activeSub) {
+                $resubscribed[] = [
+                    'subscription_id' => $subscription->id,
+                    'team_id' => $subscription->team_id,
+                    'email' => $activeSub['email'],
+                    'old_stripe_subscription_id' => $subscription->stripe_subscription_id,
+                    'old_stripe_customer_id' => $stripeSubscription->customer,
+                    'new_stripe_subscription_id' => $activeSub['subscription_id'],
+                    'new_stripe_customer_id' => $activeSub['customer_id'],
+                    'new_status' => $activeSub['status'],
+                ];
+
+                continue;
+            }
+
+            $discrepancies[] = [
+                'subscription_id' => $subscription->id,
+                'team_id' => $subscription->team_id,
+                'stripe_subscription_id' => $subscription->stripe_subscription_id,
+                'stripe_status' => $stripeStatus,
+            ];
+
+            if ($this->fix) {
+                $subscription->update([
+                    'stripe_invoice_paid' => false,
+                    'stripe_past_due' => false,
+                ]);
+
+                if ($stripeStatus === 'canceled') {
+                    $subscription->team?->subscriptionEnded();
+                }
            }
        }

-        // Only notify if discrepancies found and fixed
        if ($this->fix && count($discrepancies) > 0) {
            send_internal_notification(
                'SyncStripeSubscriptionsJob: Fixed '.count($discrepancies)." discrepancies:\n".
@ -85,8 +111,88 @@ public function handle(): array
        return [
            'total_checked' => $subscriptions->count(),
            'discrepancies' => $discrepancies,
+            'resubscribed' => $resubscribed,
            'errors' => $errors,
            'fixed' => $this->fix,
        ];
    }
+
+    /**
+     * Given a Stripe customer ID, get their email and search for other customers
+     * with the same email that have an active subscription.
+     *
+     * @return array{email: string, customer_id: string, subscription_id: string, status: string}|null
+     */
+    private function findActiveSubscriptionByEmail(\Stripe\StripeClient $stripe, string $customerId): ?array
+    {
+        try {
+            $customer = $stripe->customers->retrieve($customerId);
+            $email = $customer->email;
+
+            if (! $email) {
+                return null;
+            }
+
+            usleep(100000);
+
+            $customers = $stripe->customers->all([
+                'email' => $email,
+                'limit' => 10,
+            ]);
+
+            usleep(100000);
+
+            foreach ($customers->data as $matchingCustomer) {
+                if ($matchingCustomer->id === $customerId) {
+                    continue;
+                }
+
+                $subs = $stripe->subscriptions->all([
+                    'customer' => $matchingCustomer->id,
+                    'limit' => 10,
+                ]);
+
+                usleep(100000);
+
+                foreach ($subs->data as $sub) {
+                    if (in_array($sub->status, ['active', 'past_due'])) {
+                        return [
+                            'email' => $email,
+                            'customer_id' => $matchingCustomer->id,
+                            'subscription_id' => $sub->id,
+                            'status' => $sub->status,
+                        ];
+                    }
+                }
+            }
+        } catch (\Exception $e) {
+            // Silently skip — will fall through to normal discrepancy
+        }
+
+        return null;
+    }
+
+    /**
+     * Bulk fetch all active and past_due subscription IDs from Stripe.
+     *
+     * @return array<string>
+     */
+    private function fetchValidStripeSubscriptionIds(\Stripe\StripeClient $stripe, ?\Closure $onProgress = null): array
+    {
+        $validIds = [];
+        $fetched = 0;
+
+        foreach (['active', 'past_due'] as $status) {
+            foreach ($stripe->subscriptions->all(['status' => $status, 'limit' => 100])->autoPagingIterator() as $sub) {
+                $validIds[] = $sub->id;
+                $fetched++;
+
+                if ($onProgress) {
+                    $onProgress($fetched);
+                }
+            }
+        }
+
+        return $validIds;
+    }
 }
--- a/app/Jobs/ValidateAndInstallServerJob.php
+++ b/app/Jobs/ValidateAndInstallServerJob.php
@ -8,13 +8,14 @@
 use App\Events\ServerValidated;
 use App\Models\Server;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;
 use Illuminate\Support\Facades\Log;

-class ValidateAndInstallServerJob implements ShouldQueue
+class ValidateAndInstallServerJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Jobs/VerifyStripeSubscriptionStatusJob.php
+++ b/app/Jobs/VerifyStripeSubscriptionStatusJob.php
@ -4,12 +4,13 @@

 use App\Models\Subscription;
 use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldBeEncrypted;
 use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Foundation\Bus\Dispatchable;
 use Illuminate\Queue\InteractsWithQueue;
 use Illuminate\Queue\SerializesModels;

-class VerifyStripeSubscriptionStatusJob implements ShouldQueue
+class VerifyStripeSubscriptionStatusJob implements ShouldBeEncrypted, ShouldQueue
 {
    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;

--- a/app/Livewire/Boarding/Index.php
+++ b/app/Livewire/Boarding/Index.php
@ -283,7 +283,11 @@ public function saveServer()
        $this->privateKey = formatPrivateKey($this->privateKey);
        $foundServer = Server::whereIp($this->remoteServerHost)->first();
        if ($foundServer) {
-            return $this->dispatch('error', 'IP address is already in use by another team.');
+            if ($foundServer->team_id === currentTeam()->id) {
+                return $this->dispatch('error', 'A server with this IP/Domain already exists in your team.');
+            }
+
+            return $this->dispatch('error', 'A server with this IP/Domain is already in use by another team.');
        }
        $this->createdServer = Server::create([
            'name' => $this->remoteServerName,
--- a/app/Livewire/GlobalSearch.php
+++ b/app/Livewire/GlobalSearch.php
@ -1495,6 +1495,7 @@ public function getServicesProperty()
                'type' => 'one-click-service-'.$serviceKey,
                'category' => 'Services',
                'resourceType' => 'service',
+                'logo' => data_get($service, 'logo'),
            ]);
        }

--- a/app/Livewire/Help.php
+++ b/app/Livewire/Help.php
@ -1,58 +0,0 @@
-<?php
-
-namespace App\Livewire;
-
-use DanHarrin\LivewireRateLimiting\WithRateLimiting;
-use Illuminate\Notifications\Messages\MailMessage;
-use Illuminate\Support\Facades\Http;
-use Livewire\Attributes\Validate;
-use Livewire\Component;
-
-class Help extends Component
-{
-    use WithRateLimiting;
-
-    #[Validate(['required', 'min:10', 'max:1000'])]
-    public string $description;
-
-    #[Validate(['required', 'min:3'])]
-    public string $subject;
-
-    public function submit()
-    {
-        try {
-            $this->validate();
-            $this->rateLimit(3, 30);
-
-            $settings = instanceSettings();
-            $mail = new MailMessage;
-            $mail->view(
-                'emails.help',
-                [
-                    'description' => $this->description,
-                ]
-            );
-            $mail->subject("[HELP]: {$this->subject}");
-            $type = set_transanctional_email_settings($settings);
-
-            // Sending feedback through Cloud API
-            if (blank($type)) {
-                $url = 'https://app.coolify.io/api/feedback';
-                Http::post($url, [
-                    'content' => 'User: `'.auth()->user()?->email.'` with subject: `'.$this->subject.'` has the following problem: `'.$this->description.'`',
-                ]);
-            } else {
-                send_user_an_email($mail, auth()->user()?->email, 'feedback@coollabs.io');
-            }
-            $this->dispatch('success', 'Feedback sent.', 'We will get in touch with you as soon as possible.');
-            $this->reset('description', 'subject');
-        } catch (\Throwable $e) {
-            return handleError($e, $this);
-        }
-    }
-
-    public function render()
-    {
-        return view('livewire.help')->layout('layouts.app');
-    }
-}
--- a/app/Livewire/NavbarDeleteTeam.php
+++ b/app/Livewire/NavbarDeleteTeam.php
@ -15,10 +15,10 @@ public function mount()
        $this->team = currentTeam()->name;
    }

-    public function delete($password)
+    public function delete($password, $selectedActions = [])
    {
        if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
        }

        $currentTeam = currentTeam();
--- a/app/Livewire/Project/Application/Configuration.php
+++ b/app/Livewire/Project/Application/Configuration.php
@ -51,9 +51,7 @@ public function mount()
        $this->environment = $environment;
        $this->application = $application;

-        if ($this->application->deploymentType() === 'deploy_key' && $this->currentRoute === 'project.application.preview-deployments') {
-            return redirect()->route('project.application.configuration', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]);
-        }
+

        if ($this->application->build_pack === 'dockercompose' && $this->currentRoute === 'project.application.healthcheck') {
            return redirect()->route('project.application.configuration', ['project_uuid' => $project->uuid, 'environment_uuid' => $environment->uuid, 'application_uuid' => $application->uuid]);
--- a/app/Livewire/Project/Application/General.php
+++ b/app/Livewire/Project/Application/General.php
@ -37,7 +37,7 @@ class General extends Component
    #[Validate(['required'])]
    public string $gitBranch;

-    #[Validate(['string', 'nullable'])]
+    #[Validate(['string', 'nullable', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'])]
    public ?string $gitCommitSha = null;

    #[Validate(['string', 'nullable'])]
@ -73,7 +73,7 @@ class General extends Component
    #[Validate(['string', 'nullable'])]
    public ?string $dockerfile = null;

-    #[Validate(['string', 'nullable'])]
+    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
    public ?string $dockerfileLocation = null;

    #[Validate(['string', 'nullable'])]
@ -85,7 +85,7 @@ class General extends Component
    #[Validate(['string', 'nullable'])]
    public ?string $dockerRegistryImageTag = null;

-    #[Validate(['string', 'nullable'])]
+    #[Validate(['string', 'nullable', 'max:255', 'regex:/^\/[a-zA-Z0-9._\-\/~@+]+$/'])]
    public ?string $dockerComposeLocation = null;

    #[Validate(['string', 'nullable'])]
@ -184,7 +184,7 @@ protected function rules(): array
            'fqdn' => 'nullable',
            'gitRepository' => 'required',
            'gitBranch' => 'required',
-            'gitCommitSha' => 'nullable',
+            'gitCommitSha' => ['nullable', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'],
            'installCommand' => 'nullable',
            'buildCommand' => 'nullable',
            'startCommand' => 'nullable',
@ -198,8 +198,8 @@ protected function rules(): array
            'dockerfile' => 'nullable',
            'dockerRegistryImageName' => 'nullable',
            'dockerRegistryImageTag' => 'nullable',
-            'dockerfileLocation' => 'nullable',
-            'dockerComposeLocation' => 'nullable',
+            'dockerfileLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
+            'dockerComposeLocation' => ['nullable', 'regex:'.ValidationPatterns::FILE_PATH_PATTERN],
            'dockerCompose' => 'nullable',
            'dockerComposeRaw' => 'nullable',
            'dockerfileTargetBuild' => 'nullable',
@ -231,6 +231,8 @@ protected function messages(): array
        return array_merge(
            ValidationPatterns::combinedMessages(),
            [
+                ...ValidationPatterns::filePathMessages('dockerfileLocation', 'Dockerfile'),
+                ...ValidationPatterns::filePathMessages('dockerComposeLocation', 'Docker Compose'),
                'name.required' => 'The Name field is required.',
                'gitRepository.required' => 'The Git Repository field is required.',
                'gitBranch.required' => 'The Git Branch field is required.',
--- a/app/Livewire/Project/Application/Rollback.php
+++ b/app/Livewire/Project/Application/Rollback.php
@ -50,6 +50,8 @@ public function rollbackImage($commit)
    {
        $this->authorize('deploy', $this->application);

+        $commit = validateGitRef($commit, 'rollback commit');
+
        $deployment_uuid = new Cuid2;

        $result = queue_application_deployment(
--- a/app/Livewire/Project/Application/Source.php
+++ b/app/Livewire/Project/Application/Source.php
@ -30,7 +30,7 @@ class Source extends Component
    #[Validate(['required', 'string'])]
    public string $gitBranch;

-    #[Validate(['nullable', 'string'])]
+    #[Validate(['nullable', 'string', 'regex:/^[a-zA-Z0-9][a-zA-Z0-9._\-\/]*$/'])]
    public ?string $gitCommitSha = null;

    #[Locked]
--- a/app/Livewire/Project/Database/BackupEdit.php
+++ b/app/Livewire/Project/Database/BackupEdit.php
@ -146,12 +146,12 @@ public function syncData(bool $toModel = false)
        }
    }

-    public function delete($password)
+    public function delete($password, $selectedActions = [])
    {
        $this->authorize('manageBackups', $this->backup->database);

        if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
        }

        try {
--- a/app/Livewire/Project/Database/BackupExecutions.php
+++ b/app/Livewire/Project/Database/BackupExecutions.php
@ -65,10 +65,10 @@ public function cleanupDeleted()
        }
    }

-    public function deleteBackup($executionId, $password)
+    public function deleteBackup($executionId, $password, $selectedActions = [])
    {
        if (! verifyPasswordConfirmation($password, $this)) {
-            return;
+            return 'The provided password is incorrect.';
        }

        $execution = $this->backup->executions()->where('id', $executionId)->first();
@ -96,7 +96,11 @@ public function deleteBackup($executionId, $password)
            $this->refreshBackupExecutions();
        } catch (\Exception $e) {
            $this->dispatch('error', 'Failed to delete backup: '.$e->getMessage());
+
+            return true;
        }
+
+        return true;
    }

    public function download_file($exeuctionId)
--- a/app/Livewire/Project/Database/Clickhouse/General.php
+++ b/app/Livewire/Project/Database/Clickhouse/General.php
@ -36,6 +36,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public ?string $customDockerRunOptions = null;

    public ?string $dbUrl = null;
@ -80,6 +82,7 @@ protected function rules(): array
            'portsMappings' => 'nullable|string',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'customDockerRunOptions' => 'nullable|string',
            'dbUrl' => 'nullable|string',
            'dbUrlPublic' => 'nullable|string',
@ -99,6 +102,8 @@ protected function messages(): array
                'image.required' => 'The Docker Image field is required.',
                'image.string' => 'The Docker Image must be a string.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
            ]
        );
    }
@ -115,6 +120,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->save();
@ -130,6 +136,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->dbUrl = $this->database->internal_db_url;
--- a/app/Livewire/Project/Database/Dragonfly/General.php
+++ b/app/Livewire/Project/Database/Dragonfly/General.php
@ -36,6 +36,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public ?string $customDockerRunOptions = null;

    public ?string $dbUrl = null;
@ -91,6 +93,7 @@ protected function rules(): array
            'portsMappings' => 'nullable|string',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'customDockerRunOptions' => 'nullable|string',
            'dbUrl' => 'nullable|string',
            'dbUrlPublic' => 'nullable|string',
@ -109,6 +112,8 @@ protected function messages(): array
                'image.required' => 'The Docker Image field is required.',
                'image.string' => 'The Docker Image must be a string.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
            ]
        );
    }
@ -124,6 +129,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->enable_ssl = $this->enable_ssl;
@ -139,6 +145,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->enable_ssl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Heading.php
+++ b/app/Livewire/Project/Database/Heading.php
@ -69,7 +69,11 @@ public function manualCheckStatus()

    public function mount()
    {
-        $this->parameters = get_route_parameters();
+        $this->parameters = [
+            'project_uuid' => $this->database->environment->project->uuid,
+            'environment_uuid' => $this->database->environment->uuid,
+            'database_uuid' => $this->database->uuid,
+        ];
    }

    public function stop()
--- a/app/Livewire/Project/Database/Import.php
+++ b/app/Livewire/Project/Database/Import.php
@ -401,20 +401,24 @@ public function checkFile()
        }
    }

-    public function runImport()
+    public function runImport(string $password = ''): bool|string
    {
+        if (! verifyPasswordConfirmation($password, $this)) {
+            return 'The provided password is incorrect.';
+        }
+
        $this->authorize('update', $this->resource);

        if ($this->filename === '') {
            $this->dispatch('error', 'Please select a file to import.');

-            return;
+            return true;
        }

        if (! $this->server) {
            $this->dispatch('error', 'Server not found. Please refresh the page.');

-            return;
+            return true;
        }

        try {
@ -434,7 +438,7 @@ public function runImport()
                if (! $this->validateServerPath($this->customLocation)) {
                    $this->dispatch('error', 'Invalid file path. Path must be absolute and contain only safe characters.');

-                    return;
+                    return true;
                }
                $tmpPath = '/tmp/restore_'.$this->resourceUuid;
                $escapedCustomLocation = escapeshellarg($this->customLocation);
@ -442,7 +446,7 @@ public function runImport()
            } else {
                $this->dispatch('error', 'The file does not exist or has been deleted.');

-                return;
+                return true;
            }

            // Copy the restore command to a script file
@ -474,11 +478,15 @@ public function runImport()
                $this->dispatch('databaserestore');
            }
        } catch (\Throwable $e) {
-            return handleError($e, $this);
+            handleError($e, $this);
+
+            return true;
        } finally {
            $this->filename = null;
            $this->importCommands = [];
        }
+
+        return true;
    }

    public function loadAvailableS3Storages()
@ -577,26 +585,30 @@ public function checkS3File()
        }
    }

-    public function restoreFromS3()
+    public function restoreFromS3(string $password = ''): bool|string
    {
+        if (! verifyPasswordConfirmation($password, $this)) {
+            return 'The provided password is incorrect.';
+        }
+
        $this->authorize('update', $this->resource);

        if (! $this->s3StorageId || blank($this->s3Path)) {
            $this->dispatch('error', 'Please select S3 storage and provide a path first.');

-            return;
+            return true;
        }

        if (is_null($this->s3FileSize)) {
            $this->dispatch('error', 'Please check the file first by clicking "Check File".');

-            return;
+            return true;
        }

        if (! $this->server) {
            $this->dispatch('error', 'Server not found. Please refresh the page.');

-            return;
+            return true;
        }

        try {
@ -613,7 +625,7 @@ public function restoreFromS3()
            if (! $this->validateBucketName($bucket)) {
                $this->dispatch('error', 'Invalid S3 bucket name. Bucket name must contain only alphanumerics, dots, dashes, and underscores.');

-                return;
+                return true;
            }

            // Clean the S3 path
@ -623,7 +635,7 @@ public function restoreFromS3()
            if (! $this->validateS3Path($cleanPath)) {
                $this->dispatch('error', 'Invalid S3 path. Path must contain only safe characters (alphanumerics, dots, dashes, underscores, slashes).');

-                return;
+                return true;
            }

            // Get helper image
@ -711,9 +723,12 @@ public function restoreFromS3()
            $this->dispatch('info', 'Restoring database from S3. Progress will be shown in the activity monitor...');
        } catch (\Throwable $e) {
            $this->importRunning = false;
+            handleError($e, $this);

-            return handleError($e, $this);
+            return true;
        }
+
+        return true;
    }

    public function buildRestoreCommand(string $tmpPath): string
--- a/app/Livewire/Project/Database/Keydb/General.php
+++ b/app/Livewire/Project/Database/Keydb/General.php
@ -38,6 +38,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public ?string $customDockerRunOptions = null;

    public ?string $dbUrl = null;
@ -94,6 +96,7 @@ protected function rules(): array
            'portsMappings' => 'nullable|string',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'customDockerRunOptions' => 'nullable|string',
            'dbUrl' => 'nullable|string',
            'dbUrlPublic' => 'nullable|string',
@ -114,6 +117,8 @@ protected function messages(): array
                'image.required' => 'The Docker Image field is required.',
                'image.string' => 'The Docker Image must be a string.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
            ]
        );
    }
@ -130,6 +135,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->enable_ssl = $this->enable_ssl;
@ -146,6 +152,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->enable_ssl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Mariadb/General.php
+++ b/app/Livewire/Project/Database/Mariadb/General.php
@ -44,6 +44,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public bool $isLogDrainEnabled = false;

    public ?string $customDockerRunOptions = null;
@ -79,6 +81,7 @@ protected function rules(): array
            'portsMappings' => 'nullable',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'isLogDrainEnabled' => 'nullable|boolean',
            'customDockerRunOptions' => 'nullable',
            'enableSsl' => 'boolean',
@ -97,6 +100,8 @@ protected function messages(): array
                'mariadbDatabase.required' => 'The MariaDB Database field is required.',
                'image.required' => 'The Docker Image field is required.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
            ]
        );
    }
@ -113,6 +118,7 @@ protected function messages(): array
        'portsMappings' => 'Port Mapping',
        'isPublic' => 'Is Public',
        'publicPort' => 'Public Port',
+        'publicPortTimeout' => 'Public Port Timeout',
        'customDockerRunOptions' => 'Custom Docker Options',
        'enableSsl' => 'Enable SSL',
    ];
@ -154,6 +160,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->enable_ssl = $this->enableSsl;
@ -173,6 +180,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->enableSsl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Mongodb/General.php
+++ b/app/Livewire/Project/Database/Mongodb/General.php
@ -42,6 +42,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public bool $isLogDrainEnabled = false;

    public ?string $customDockerRunOptions = null;
@ -78,6 +80,7 @@ protected function rules(): array
            'portsMappings' => 'nullable',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'isLogDrainEnabled' => 'nullable|boolean',
            'customDockerRunOptions' => 'nullable',
            'enableSsl' => 'boolean',
@ -96,6 +99,8 @@ protected function messages(): array
                'mongoInitdbDatabase.required' => 'The MongoDB Database field is required.',
                'image.required' => 'The Docker Image field is required.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-full.',
            ]
        );
@ -112,6 +117,7 @@ protected function messages(): array
        'portsMappings' => 'Port Mapping',
        'isPublic' => 'Is Public',
        'publicPort' => 'Public Port',
+        'publicPortTimeout' => 'Public Port Timeout',
        'customDockerRunOptions' => 'Custom Docker Run Options',
        'enableSsl' => 'Enable SSL',
        'sslMode' => 'SSL Mode',
@ -153,6 +159,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->enable_ssl = $this->enableSsl;
@ -172,6 +179,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->enableSsl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Mysql/General.php
+++ b/app/Livewire/Project/Database/Mysql/General.php
@ -44,6 +44,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public bool $isLogDrainEnabled = false;

    public ?string $customDockerRunOptions = null;
@ -81,6 +83,7 @@ protected function rules(): array
            'portsMappings' => 'nullable',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'isLogDrainEnabled' => 'nullable|boolean',
            'customDockerRunOptions' => 'nullable',
            'enableSsl' => 'boolean',
@ -100,6 +103,8 @@ protected function messages(): array
                'mysqlDatabase.required' => 'The MySQL Database field is required.',
                'image.required' => 'The Docker Image field is required.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                'sslMode.in' => 'The SSL Mode must be one of: PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY.',
            ]
        );
@ -117,6 +122,7 @@ protected function messages(): array
        'portsMappings' => 'Port Mapping',
        'isPublic' => 'Is Public',
        'publicPort' => 'Public Port',
+        'publicPortTimeout' => 'Public Port Timeout',
        'customDockerRunOptions' => 'Custom Docker Run Options',
        'enableSsl' => 'Enable SSL',
        'sslMode' => 'SSL Mode',
@ -159,6 +165,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->enable_ssl = $this->enableSsl;
@ -179,6 +186,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->enableSsl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Postgresql/General.php
+++ b/app/Livewire/Project/Database/Postgresql/General.php
@ -48,6 +48,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public bool $isLogDrainEnabled = false;

    public ?string $customDockerRunOptions = null;
@ -93,6 +95,7 @@ protected function rules(): array
            'portsMappings' => 'nullable',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'isLogDrainEnabled' => 'nullable|boolean',
            'customDockerRunOptions' => 'nullable',
            'enableSsl' => 'boolean',
@ -111,6 +114,8 @@ protected function messages(): array
                'postgresDb.required' => 'The Postgres Database field is required.',
                'image.required' => 'The Docker Image field is required.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                'sslMode.in' => 'The SSL Mode must be one of: allow, prefer, require, verify-ca, verify-full.',
            ]
        );
@ -130,6 +135,7 @@ protected function messages(): array
        'portsMappings' => 'Port Mapping',
        'isPublic' => 'Is Public',
        'publicPort' => 'Public Port',
+        'publicPortTimeout' => 'Public Port Timeout',
        'customDockerRunOptions' => 'Custom Docker Run Options',
        'enableSsl' => 'Enable SSL',
        'sslMode' => 'SSL Mode',
@ -174,6 +180,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->enable_ssl = $this->enableSsl;
@ -196,6 +203,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->enableSsl = $this->database->enable_ssl;
--- a/app/Livewire/Project/Database/Redis/General.php
+++ b/app/Livewire/Project/Database/Redis/General.php
@ -36,6 +36,8 @@ class General extends Component

    public ?int $publicPort = null;

+    public ?int $publicPortTimeout = 3600;
+
    public bool $isLogDrainEnabled = false;

    public ?string $customDockerRunOptions = null;
@ -74,6 +76,7 @@ protected function rules(): array
            'portsMappings' => 'nullable',
            'isPublic' => 'nullable|boolean',
            'publicPort' => 'nullable|integer',
+            'publicPortTimeout' => 'nullable|integer|min:1',
            'isLogDrainEnabled' => 'nullable|boolean',
            'customDockerRunOptions' => 'nullable',
            'redisUsername' => 'required',
@ -90,6 +93,8 @@ protected function messages(): array
                'name.required' => 'The Name field is required.',
                'image.required' => 'The Docker Image field is required.',
                'publicPort.integer' => 'The Public Port must be an integer.',
+                'publicPortTimeout.integer' => 'The Public Port Timeout must be an integer.',
+                'publicPortTimeout.min' => 'The Public Port Timeout must be at least 1.',
                'redisUsername.required' => 'The Redis Username field is required.',
                'redisPassword.required' => 'The Redis Password field is required.',
            ]
@ -104,6 +109,7 @@ protected function messages(): array
        'portsMappings' => 'Port Mapping',
        'isPublic' => 'Is Public',
        'publicPort' => 'Public Port',
+        'publicPortTimeout' => 'Public Port Timeout',
        'customDockerRunOptions' => 'Custom Docker Options',
        'redisUsername' => 'Redis Username',
        'redisPassword' => 'Redis Password',
@ -143,6 +149,7 @@ public function syncData(bool $toModel = false)
            $this->database->ports_mappings = $this->portsMappings;
            $this->database->is_public = $this->isPublic;
            $this->database->public_port = $this->publicPort;
+            $this->database->public_port_timeout = $this->publicPortTimeout;
            $this->database->is_log_drain_enabled = $this->isLogDrainEnabled;
            $this->database->custom_docker_run_options = $this->customDockerRunOptions;
            $this->database->enable_ssl = $this->enableSsl;
@ -158,6 +165,7 @@ public function syncData(bool $toModel = false)
            $this->portsMappings = $this->database->ports_mappings;
            $this->isPublic = $this->database->is_public;
            $this->publicPort = $this->database->public_port;
+            $this->publicPortTimeout = $this->database->public_port_timeout;
            $this->isLogDrainEnabled = $this->database->is_log_drain_enabled;
            $this->customDockerRunOptions = $this->database->custom_docker_run_options;
            $this->enableSsl = $this->database->enable_ssl;
--- a/app/Livewire/Project/New/DockerCompose.php
+++ b/app/Livewire/Project/New/DockerCompose.php
@ -63,10 +63,16 @@ public function submit()
            ]);

            $variables = parseEnvFormatToArray($this->envFile);
-            foreach ($variables as $key => $variable) {
+            foreach ($variables as $key => $data) {
+                // Extract value and comment from parsed data
+                // Handle both array format ['value' => ..., 'comment' => ...] and plain string values
+                $value = is_array($data) ? ($data['value'] ?? '') : $data;
+                $comment = is_array($data) ? ($data['comment'] ?? null) : null;
+
                EnvironmentVariable::create([
                    'key' => $key,
-                    'value' => $variable,
+                    'value' => $value,
+                    'comment' => $comment,
                    'is_preview' => false,
                    'resourceable_id' => $service->id,
                    'resourceable_type' => $service->getMorphClass(),
--- a/app/Livewire/Project/New/GithubPrivateRepository.php
+++ b/app/Livewire/Project/New/GithubPrivateRepository.php
@ -75,6 +75,11 @@ public function mount()
        $this->github_apps = GithubApp::private();
    }

+    public function updatedSelectedRepositoryId(): void
+    {
+        $this->loadBranches();
+    }
+
    public function updatedBuildPack()
    {
        if ($this->build_pack === 'nixpacks') {
@ -158,10 +163,12 @@ public function submit()
                'selected_repository_owner' => $this->selected_repository_owner,
                'selected_repository_repo' => $this->selected_repository_repo,
                'selected_branch_name' => $this->selected_branch_name,
+                'docker_compose_location' => $this->docker_compose_location,
            ], [
                'selected_repository_owner' => 'required|string|regex:/^[a-zA-Z0-9\-_]+$/',
                'selected_repository_repo' => 'required|string|regex:/^[a-zA-Z0-9\-_\.]+$/',
                'selected_branch_name' => ['required', 'string', new ValidGitBranch],
+                'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
            ]);

            if ($validator->fails()) {
--- a/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
+++ b/app/Livewire/Project/New/GithubPrivateRepositoryDeployKey.php
@ -57,15 +57,6 @@ class GithubPrivateRepositoryDeployKey extends Component

    private ?string $git_repository = null;

-    protected $rules = [
-        'repository_url' => ['required', 'string'],
-        'branch' => ['required', 'string'],
-        'port' => 'required|numeric',
-        'is_static' => 'required|boolean',
-        'publish_directory' => 'nullable|string',
-        'build_pack' => 'required|string',
-    ];
-
    protected function rules()
    {
        return [
@ -75,6 +66,7 @@ protected function rules()
            'is_static' => 'required|boolean',
            'publish_directory' => 'nullable|string',
            'build_pack' => 'required|string',
+            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
        ];
    }

--- a/app/Livewire/Project/New/PublicGitRepository.php
+++ b/app/Livewire/Project/New/PublicGitRepository.php
@ -63,16 +63,6 @@ class PublicGitRepository extends Component

    public bool $new_compose_services = false;

-    protected $rules = [
-        'repository_url' => ['required', 'string'],
-        'port' => 'required|numeric',
-        'isStatic' => 'required|boolean',
-        'publish_directory' => 'nullable|string',
-        'build_pack' => 'required|string',
-        'base_directory' => 'nullable|string',
-        'docker_compose_location' => 'nullable|string',
-    ];
-
    protected function rules()
    {
        return [
@ -82,7 +72,7 @@ protected function rules()
            'publish_directory' => 'nullable|string',
            'build_pack' => 'required|string',
            'base_directory' => 'nullable|string',
-            'docker_compose_location' => 'nullable|string',
+            'docker_compose_location' => \App\Support\ValidationPatterns::filePathRules(),
            'git_branch' => ['required', 'string', new ValidGitBranch],
        ];
    }
--- a/Show more
+++ b/Show more