🚀 Release v0.29.8 (#4562)

* fix(migrate-auth-secret): exit cleanly when there are no 2FA records

The empty-records branch of `main()` returned without calling
`process.exit(0)`, leaving the Drizzle Postgres connection pool
holding the event loop open. The `migrate-auth-secret` process
then hangs indefinitely after printing "No 2FA records found,
nothing to migrate." causing the upstream `0.29.3.sh` security
migration script (which calls this via `docker exec`) to never
reach its final `docker service update` step that mounts the new
Docker Secret. Operators end up with the new secret created but
the dokploy service still configured with the hardcoded
`BETTER_AUTH_SECRET`, while believing the migration completed.

Match the success branch a few lines below which already does
`process.exit(0)`, and the pattern used in sibling scripts
`reset-password.ts` and `reset-2fa.ts`.

Closes #4392

* feat(compose): add import from base64 in create service dropdown

Adds an "Import" option to the Create Service dropdown that lets users
paste a base64-encoded compose export, preview the template (compose YAML,
domains, envs, mounts) before confirming, and create the service only on
confirm. Adds a `previewTemplate` tRPC procedure that processes the base64
without touching the DB, with server access validation via session.

* [autofix.ci] apply automated fixes

* Enhance version synchronization workflow to include SDK repository

- Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories.
- Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec.
- Improved commit message formatting to include source and release information for all repositories.
- Ensured successful synchronization messages for each repository after the version update.

* feat(deployment): add readLogs procedure to fetch deployment logs

- Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter.
- Implemented permission checks to ensure users have access to the requested logs.
- Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context.

Resolve https://github.com/Dokploy/mcp/issues/14

* feat(deployment): add server access validation for deployment actions

- Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization.
- Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization.

This enhancement improves security and access control within the deployment management system.

* feat(organization): prevent inviting users with owner role

- Added validation to prevent users from being invited with the owner role in the organization and user routers.
- Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role.
This change enhances role management and security within the organization structure.

https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh

* feat(user): implement session cleanup on user update

- Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active.
- This change enhances security by preventing unauthorized access from previous sessions after a password change.

Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3

* feat(settings): add copy button to server IP in web server settings (#4397)

* fix: copy Dokploy server IP when clicking server badge (#4390)

* fix: copy Dokploy server IP when clicking server badge

When a service runs on the local Dokploy server (no remote server),
clicking the server badge did nothing because `data.server` is null.
Now falls back to the server IP from settings so the badge always
copies an IP address.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat(copy-ip): implement IP address copying functionality across database service components

- Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis).
- Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action.
- Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Mauricio Siu <siumauricio@icloud.com>

* fix: responsive layout (#4391)

Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>

* fix: automatically converting username to lowercase both in creation of register, and build for extra. (#4382)

* fix: allow square brackets in zip path validation for Next.js dynamic routes (#4468)

* fix: allow square brackets in zip drop path validation for Next.js dynamic routes

ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts,
pages/[slug].tsx) were rejected by readValidDirectory because the path regex
did not include square bracket characters.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: prevent webhook deploy crash when commit data lacks modified files (#4470)

shouldDeploy passed undefined/null entries from commit.modified straight
into micromatch, which throws "Expected input to be a string" and fails
every webhook deployment when watch paths are configured. Filter out
non-string values before matching.

* fix: add type="button" to TooltipTrigger in form components to prevent accidental submission (#4422)

Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>

* fix: enable comment toggle shortcut in env variable editor (#4402) (#4473)

* fix: add tls=true label for domains when certificateType is none (#4018) (#4474)

* fix: add tls=true label for compose domains when certificateType is none (#4018)

* test: cover tls=true label for certificateType none, require https

* fix: scope tls fix to compose labels, leave traefik file config unchanged (#4018)

* chore: update version to v0.29.5 in package.json

* chore(deps): upgrade next to 16.2.6 (#4477)

Upgraded next dependency in apps/dokploy to 16.2.6 exactly. Verified typescript typecheck passes successfully.

* feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) (#4511)

* feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso)

- Add `remoteServersOnly` field to webServerSettings: prevents creating services
  on the local Dokploy VM, forcing all deployments to remote servers. Validated
  in all 8 service routers (application, compose, postgres, mysql, mongo, redis,
  mariadb, libsql).
- Add `enforceSSO` field to webServerSettings: hides the email/password login
  form and shows only the SSO button on the login page.
- Both settings are enterprise-only (enterpriseProcedure) and self-hosted-only
  (blocked at the API level when IS_CLOUD=true).
- UI toggles added to the SSO settings page under a new "Self-hosted
  Restrictions" card (hidden in cloud). Login page reads enforceSSO from
  getServerSideProps to avoid client-side flash.
- Migrations: 0167_fresh_goliath.sql, 0168_long_justice.sql

* fix: add missing final newlines to migration files

* refactor: improve code formatting for better readability in multiple components

- Adjusted formatting in `add-application.tsx`, `add-compose.tsx`, and `add-database.tsx` to enhance readability by adding line breaks and consistent indentation.
- Updated `toggle-enforce-sso.tsx` to simplify the Switch component's props.
- Reformatted imports in `index.tsx` and `sso.tsx` for consistency.
- Cleaned up conditional statements in various router files for improved clarity.

* fix: add enforceSSO to test mock

* fix: grant create and delete SSH key permissions when canAccessToSSHKeys is enabled for members (#4512)

* fix: use create permission for basic auth delete instead of delete (#4513)

* fix: wrap long server names and keep actions menu visible (#4434)

On settings/servers, a long server name in the card title (h3) did not
wrap and overflowed its container, overlapping nearby content and
squeezing the three-dots actions menu until it disappeared.

Allow the title block to shrink and wrap (min-w-0 + break-words), keep
the server icon and the actions trigger from being crushed (shrink-0),
and add gap between the title and the actions button.

* chore: update version to v0.29.6 in package.json

* fix: preserve HOME in compose deploy so --with-registry-auth can read docker config (#4485)

The compose/stack deploy command runs under `env -i PATH="$PATH"`, which
clears the environment except for PATH. That strips HOME, so when the
generated command is `docker stack deploy --prune --with-registry-auth`
the docker CLI cannot resolve `~/.docker/config.json` (e.g.
`/root/.docker/config.json`) and ships no registry credentials to the
swarm. Private-registry images then fail to pull on the nodes:

  image registry.example.com/... could not be accessed on a registry to
  record its digest. Each node will access ... independently

while the deploy still logs "Docker Compose Deployed: ✅".

Keep PATH isolation but preserve HOME so docker can read its config for
both `stack deploy --with-registry-auth` and `compose up -d --build`.

Add a regression test asserting the generated command preserves
`HOME="$HOME"` for both stack and docker-compose deploys.

Fixes #4401

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: scope dokploy-server schedules to organization instead of user (#4526)

* fix: scope dokploy-server schedules to organization instead of user

Replaces userId with organizationId on the schedule table so that
global (dokploy-server) schedules are shared across all owners and
admins of the same organization, while remaining isolated between
different organizations.

Includes a data migration that backfills organizationId from the
owner membership record for any existing dokploy-server schedules.

Closes #4300

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* feat: implement forward authentication settings and UI components

- Added a new `forward_auth_settings` table to manage authentication domains and their configurations.
- Introduced UI components for handling forward authentication, including enabling/disabling SSO for domains and selecting SSO providers.
- Updated existing tests to include validation for the new `forwardAuthProviderId` field in domain configurations.
- Enhanced the dashboard to integrate forward authentication management, allowing users to configure SSO settings directly from the application interface.

This update improves the flexibility and security of application authentication by allowing integration with various identity providers.

* refactor: simplify forward authentication handling in UI and API

- Removed the selection of SSO providers from the UI, streamlining the process to enable/disable SSO for domains.
- Updated the API to eliminate the need for a provider ID when enabling forward authentication, relying on the configured settings instead.
- Enhanced user feedback by updating toast messages to reflect the current state of SSO authentication.
- Improved the UI layout for better clarity on SSO status and actions.

This refactor enhances the user experience by simplifying the SSO configuration process and ensuring clearer communication of actions taken.

* refactor: unify branch validation imports across provider components

- Added the `VALID_BRANCH_REGEX` import to all Git provider components to ensure consistent branch validation.
- Removed duplicate imports of `VALID_BRANCH_REGEX` to streamline the code and improve readability.

This change enhances maintainability by centralizing branch validation logic across the application.

* refactor: remove obsolete SQL migration files and snapshots

- Deleted several SQL migration files related to the `webServerSettings` and `schedule` tables, which included adding and dropping columns and constraints.
- Removed snapshots corresponding to the deleted migrations to maintain consistency in the database schema history.

This cleanup enhances the maintainability of the migration history by removing outdated and unused files.

* refactor: update forward authentication handling in domain schema and tests

- Replaced `forwardAuthProviderId` with `forwardAuthEnabled` in the domain schema to simplify the configuration of forward authentication.
- Updated related tests to reflect this change, ensuring consistency across the application.
- Introduced a new SQL migration to create the `forward_auth_settings` table for managing authentication domains and their configurations.

This refactor enhances the clarity and maintainability of the forward authentication logic within the application.

* chore: remove PR quality workflow configuration

Deleted the `.github/workflows/pr-quality.yml` file, which contained the configuration for the PR Quality workflow. This removal streamlines the repository by eliminating unused workflow files.

* Delete .github/workflows/pr-quality.yml

* refactor: enhance forward authentication UI and API integration

- Updated the alert block in the HandleForwardAuth component to provide clearer requirements for deploying the authentication proxy.
- Added a DnsHelperModal to assist with DNS configuration in the ForwardAuthServers component.
- Refined API input schemas for forward authentication operations to improve type safety and clarity.
- Removed the obsolete forward-auth SSO design document to streamline documentation.

These changes improve the user experience and maintainability of the forward authentication feature across the application.

* feat: add SQL migration for lucky echo and update foreign key constraints

- Introduced a new SQL migration file `0171_lucky_echo.sql` to modify the foreign key constraint on the `sso_provider` table, changing the `ON DELETE` behavior from `cascade` to `set null`.
- Updated the journal to include the new migration version and its associated tag.
- Added a snapshot file for version 7 of the database schema, reflecting the current state of the `sso_provider` and other related tables.

These changes enhance the integrity of the database by ensuring that user references are set to null instead of being deleted when the referenced user is removed.

* refactor: improve path validation in Traefik configuration schema

- Enhanced the `apiReadTraefikConfig` schema by reintroducing path validation logic to prevent directory traversal attacks and unauthorized access.
- The validation now includes checks for null bytes and ensures paths start with a defined main Traefik path, improving security and robustness.

These changes strengthen the integrity of the configuration handling by ensuring only valid paths are accepted.

* fix: swarm health check fields not resetting to default values (#4558)

Fixes #4553

- Replace z.coerce.number() with a custom transform that converts empty strings to undefined instead of 0
- Add value={field.value ?? ""} to numeric inputs so they visually clear when reset to undefined

* fix: add docker cleanup toggle to remote server creation (#4559)

* fix: add docker cleanup toggle to remote server creation and update forms

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: use stop-first update order for all database services (#4560)

Docker Swarm's default start-first update order causes new database
containers to fail with 'DBPathInUse' because two containers compete
for the same data volume simultaneously. Docker then rolls back the
update, silently reverting any env var or config changes.

Using stop-first ensures the old container is stopped before the new
one starts, preventing volume lock conflicts across all database types.

Fixes #4550

* fix: respect gitProviders permissions in git provider UI (#4561)

* chore: bump dokploy version to v0.29.8

* fix: strip credentials from service-level API responses (#4564)

* fix: strip credentials from service-level API responses

Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.

- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* refactor: improve restore logging for database backups (#4566)

* refactor: improve restore logging for database backups

- Updated restore functions across various database types (Postgres, MySQL, MongoDB, MariaDB, LibSQL, and Compose) to provide clearer logging messages.
- Replaced generic command execution logs with specific messages indicating the database being restored and the source backup file.
- This change enhances the clarity of restore operations and aids in troubleshooting by providing more context in the logs.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: use swarm advertise address in docker swarm join command (#4567)

* fix: enforce docker:read on container start/stop/kill/restart mutations (#4568)

* refactor: replace BETTER_AUTH_SECRET with betterAuthSecret in forward-auth setup

* fix: update deriveCookieSecret to meet oauth2-proxy requirements

* fix: correct deriveCookieSecret test to validate 16-byte hex secret as per oauth2-proxy requirements

* fix: strip credentials from gitProvider.getAll API response (#4569)

* fix: strip credentials from gitProvider.getAll API response

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: correct git provider access check for existing deploys (#4570)

* fix: use canEditDeployGitSource for git provider access on existing deploys

Replaces the simple userId ownership check with a new canEditDeployGitSource
function that correctly handles all role/sharing scenarios. Owner always has
access; admin and member only if they own the provider or it is shared with
the org — being assigned via accessedGitProviders (enterprise) only grants
permission to connect new deploys, not to edit the git source of existing ones.

Adds 26 unit tests covering owner, admin, member (with/without enterprise
license), shared providers, and the key regression case from issue #4469.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: prevent registry password from appearing in error messages and shell commands (#4579)

---------

Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com>
Co-authored-by: ngenohkevin <ngenohkevin19@gmail.com>
Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
Co-authored-by: Mauricio Siu <siumauricio@icloud.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Volodymyr Kravchuk <volodymyr.kravch@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Nahidujjaman Hridoy <75487507+nhridoy@users.noreply.github.com>
Co-authored-by: Francis <9560564+Baker@users.noreply.github.com>
Co-authored-by: mixelburg <52622705+mixelburg@users.noreply.github.com>
Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com>
Co-authored-by: Jasael <67719321+jasael@users.noreply.github.com>
Co-authored-by: Philippe Parage <69145356+pparage@users.noreply.github.com>
Co-authored-by: youcef zr <93142224+youcefzemmar@users.noreply.github.com>

.devcontainer/Dockerfile

@@ -0,0 +1,21 @@
+# Dockerfile for DevContainer
+FROM node:24.4.0-bullseye-slim
+
+# Install essential packages
+RUN apt-get update && apt-get install -y \
+    curl \
+    bash \
+    git \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set up PNPM
+ENV PNPM_HOME="/pnpm"
+ENV PATH="$PNPM_HOME:$PATH"
+RUN corepack enable && corepack prepare pnpm@10.22.0 --activate
+
+# Create workspace directory
+WORKDIR /workspaces/dokploy
+
+# Set up user permissions
+USER node

.devcontainer/devcontainer.json

@@ -0,0 +1,53 @@
+{
+	"name": "Dokploy development container",
+	"build": {
+		"dockerfile": "Dockerfile",
+		"context": ".."
+	},
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {
+			"moby": true,
+			"version": "latest"
+		},
+		"ghcr.io/devcontainers/features/git:1": {
+			"ppa": true,
+			"version": "latest"
+		},
+		"ghcr.io/devcontainers/features/go:1": {
+			"version": "1.20"
+		}
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-vscode.vscode-typescript-next",
+				"bradlc.vscode-tailwindcss",
+				"ms-vscode.vscode-json",
+				"biomejs.biome",
+				"golang.go",
+				"redhat.vscode-xml",
+				"github.vscode-github-actions",
+				"github.copilot",
+				"github.copilot-chat"
+			]
+		}
+	},
+	"forwardPorts": [3000, 5432, 6379],
+	"portsAttributes": {
+		"3000": {
+			"label": "Dokploy App",
+			"onAutoForward": "notify"
+		},
+		"5432": {
+			"label": "PostgreSQL",
+			"onAutoForward": "silent"
+		},
+		"6379": {
+			"label": "Redis",
+			"onAutoForward": "silent"
+		}
+	},
+	"remoteUser": "node",
+	"workspaceFolder": "/workspaces/dokploy",
+	"runArgs": ["--name", "dokploy-devcontainer"]
+}

.github/pull_request_template.md

@@ -8,7 +8,7 @@ Before submitting this PR, please make sure that:
 
 - [ ] You created a dedicated branch based on the `canary` branch.
 - [ ] You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
-- [ ] You have tested this PR in your local instance.
+- [ ] You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.
 
 ## Issues related (if applicable)
 

.github/workflows/deploy.yml

@@ -13,6 +13,17 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Set tag and version
+        id: meta-cloud
+        run: |
+          VERSION=$(jq -r .version apps/dokploy/package.json)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "tags=siumauricio/cloud:latest,siumauricio/cloud:${VERSION}" >> $GITHUB_OUTPUT
+          else
+            echo "tags=siumauricio/cloud:canary" >> $GITHUB_OUTPUT
+          fi
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v2
         with:
@@ -25,8 +36,7 @@ jobs:
           context: .
           file: ./Dockerfile.cloud
           push: true
-          tags: |
-            siumauricio/cloud:${{ github.ref_name == 'main' && 'latest' || 'canary' }}
+          tags: ${{ steps.meta-cloud.outputs.tags }}
           platforms: linux/amd64
           build-args: |
             NEXT_PUBLIC_UMAMI_HOST=${{ secrets.NEXT_PUBLIC_UMAMI_HOST }}
@@ -40,6 +50,16 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Set tag and version
+        id: meta-schedule
+        run: |
+          VERSION=$(jq -r .version apps/dokploy/package.json)
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "tags=siumauricio/schedule:latest,siumauricio/schedule:${VERSION}" >> $GITHUB_OUTPUT
+          else
+            echo "tags=siumauricio/schedule:canary" >> $GITHUB_OUTPUT
+          fi
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v2
         with:
@@ -52,8 +72,7 @@ jobs:
           context: .
           file: ./Dockerfile.schedule
           push: true
-          tags: |
-            siumauricio/schedule:${{ github.ref_name == 'main' && 'latest' || 'canary' }}
+          tags: ${{ steps.meta-schedule.outputs.tags }}
           platforms: linux/amd64
 
   build-and-push-server-image:
@@ -63,6 +82,16 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v3
 
+      - name: Set tag and version
+        id: meta-server
+        run: |
+          VERSION=$(jq -r .version apps/dokploy/package.json)
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            echo "tags=siumauricio/server:latest,siumauricio/server:${VERSION}" >> $GITHUB_OUTPUT
+          else
+            echo "tags=siumauricio/server:canary" >> $GITHUB_OUTPUT
+          fi
+
       - name: Log in to Docker Hub
         uses: docker/login-action@v2
         with:
@@ -75,6 +104,5 @@ jobs:
           context: .
           file: ./Dockerfile.server
           push: true
-          tags: |
-            siumauricio/server:${{ github.ref_name == 'main' && 'latest' || 'canary' }}
+          tags: ${{ steps.meta-server.outputs.tags }}
           platforms: linux/amd64

.github/workflows/dokploy.yml

@@ -138,6 +138,8 @@ jobs:
     needs: [combine-manifests]
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.get_version.outputs.version }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -160,3 +162,80 @@ jobs:
           prerelease: false
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  sync-version:
+    needs: [generate-release]
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Sync version to MCP repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/mcp.git /tmp/mcp-repo
+          cd /tmp/mcp-repo
+
+          jq --arg v "${{ needs.generate-release.outputs.version }}" '.version = $v' package.json > package.json.tmp
+          mv package.json.tmp package.json
+
+          npm install -g pnpm
+          pnpm install
+          pnpm run fetch-openapi
+          pnpm run generate
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+          git add -A
+          git commit -m "chore: bump version to ${{ needs.generate-release.outputs.version }}" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            --allow-empty
+          git push
+
+          echo "✅ MCP repo synced to version ${{ needs.generate-release.outputs.version }}"
+
+      - name: Sync version to CLI repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/cli.git /tmp/cli-repo
+          cd /tmp/cli-repo
+
+          jq --arg v "${{ needs.generate-release.outputs.version }}" '.version = $v' package.json > package.json.tmp
+          mv package.json.tmp package.json
+
+          cp ${{ github.workspace }}/openapi.json ./openapi.json
+          npm install -g pnpm
+          pnpm install
+          pnpm run generate
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+          git add -A
+          git commit -m "chore: bump version to ${{ needs.generate-release.outputs.version }}" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            --allow-empty
+          git push
+
+          echo "✅ CLI repo synced to version ${{ needs.generate-release.outputs.version }}"
+
+      - name: Sync version to SDK repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/sdk.git /tmp/sdk-repo
+          cd /tmp/sdk-repo
+
+          jq --arg v "${{ needs.generate-release.outputs.version }}" '.version = $v' package.json > package.json.tmp
+          mv package.json.tmp package.json
+
+          cp ${{ github.workspace }}/openapi.json ./openapi.json
+          npm install -g pnpm
+          pnpm install
+          pnpm run generate
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+          git add -A
+          git commit -m "chore: bump version to ${{ needs.generate-release.outputs.version }}" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            --allow-empty
+          git push
+
+          echo "✅ SDK repo synced to version ${{ needs.generate-release.outputs.version }}"

.github/workflows/pull-request.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.16.0
+          node-version: 24.4.0
           cache: "pnpm"
       
       - name: Install Nixpacks

.github/workflows/sync-openapi-docs.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.16.0
+          node-version: 24.4.0
           cache: "pnpm"
 
       - name: Install dependencies
@@ -68,3 +68,66 @@ jobs:
           
           echo "✅ OpenAPI synced to website successfully"
 
+      - name: Sync to MCP repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/mcp.git mcp-repo
+
+          cd mcp-repo
+
+          cp -f ../openapi.json openapi.json
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+
+          git add openapi.json
+          git commit -m "chore: sync OpenAPI specification [skip ci]" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            -m "Updated: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" \
+            --allow-empty
+
+          git push
+
+          echo "✅ OpenAPI synced to MCP repository successfully"
+
+      - name: Sync to CLI repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/cli.git cli-repo
+
+          cd cli-repo
+
+          cp -f ../openapi.json openapi.json
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+
+          git add openapi.json
+          git commit -m "chore: sync OpenAPI specification [skip ci]" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            -m "Updated: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" \
+            --allow-empty
+
+          git push
+
+          echo "✅ OpenAPI synced to CLI repository successfully"
+
+      - name: Sync to SDK repository
+        run: |
+          git clone https://x-access-token:${{ secrets.DOCS_SYNC_TOKEN }}@github.com/dokploy/sdk.git sdk-repo
+
+          cd sdk-repo
+
+          cp -f ../openapi.json openapi.json
+
+          git config user.name "Dokploy Bot"
+          git config user.email "bot@dokploy.com"
+
+          git add openapi.json
+          git commit -m "chore: sync OpenAPI specification [skip ci]" \
+            -m "Source: ${{ github.repository }}@${{ github.sha }}" \
+            -m "Updated: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" \
+            --allow-empty
+
+          git push
+
+          echo "✅ OpenAPI synced to SDK repository successfully"
+

.gitignore

@@ -43,7 +43,4 @@ yarn-error.log*
 *.pem
 
 
-.db
-
-# Development environment
-.devcontainer
+.db

.nvmrc

@@ -1 +1 @@
-20.16.0
+24.4.0

.vscode/settings.json

@@ -4,5 +4,8 @@
 	"editor.codeActionsOnSave": {
 		"source.fixAll.biome": "explicit",
 		"source.organizeImports.biome": "explicit"
+	},
+	"[typescript]": {
+		"editor.defaultFormatter": "biomejs.biome"
 	}
 }

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 Hey, thanks for your interest in contributing to Dokploy! We appreciate your help and taking your time to contribute.
 
-Before you start, please first discuss the feature/bug you want to add with the owners and comunity via github issues.
+Before you start, please first discuss the feature/bug you want to add with the owners and community via github issues.
 
 We have a few guidelines to follow when contributing to this project:
 
@@ -11,6 +11,7 @@ We have a few guidelines to follow when contributing to this project:
 - [Development](#development)
 - [Build](#build)
 - [Pull Request](#pull-request)
+- [Important Considerations](#important-considerations-for-pull-requests)
 
 ## Commit Convention
 
@@ -52,7 +53,7 @@ feat: add new feature
 
 Before you start, please make the clone based on the `canary` branch, since the `main` branch is the source of truth and should always reflect the latest stable release, also the PRs will be merged to the `canary` branch.
 
-We use Node v20.16.0 and recommend this specific version. If you have nvm installed, you can run `nvm install 20.16.0 && nvm use` in the root directory.
+We use Node v24.4.0 and recommend this specific version. If you have nvm installed, you can run `nvm install 24.4.0 && nvm use` in the root directory.
 
 ```bash
 git clone https://github.com/dokploy/dokploy.git
@@ -98,7 +99,14 @@ pnpm run dokploy:build
 
 ## Docker
 
-To build the docker image
+To build the docker image first run commands to copy .env files
+
+```bash
+cp apps/dokploy/.env.production.example .env.production
+cp apps/dokploy/.env.production.example apps/dokploy/.env.production
+```
+
+then run build command
 
 ```bash
 pnpm run docker:build
@@ -162,11 +170,13 @@ curl -sSL "https://github.com/buildpacks/pack/releases/download/v0.39.1/pack-v0.
 - If your pull request fixes an open issue, please reference the issue in the pull request description.
 - Once your pull request is merged, you will be automatically added as a contributor to the project.
 
-**Important Considerations for Pull Requests:**
+### Important Considerations for Pull Requests
 
+- **Testing is Mandatory:** All Pull Requests **must be tested** by the PR author before submission. You must verify that your changes work as expected in a local development environment (see [Setup](#setup)). **Pull Requests that have not been tested by their creator will be rejected.** This policy keeps the PR history clean and values contributors who submit verified, working code. Untested PRs are often recognizable by disproportionately large or scattered changes for simple tasks—please test first.
 - **Focus and Scope:** Each Pull Request should ideally address a single, well-defined problem or introduce one new feature. This greatly facilitates review and reduces the chances of introducing unintended side effects.
 - **Avoid Unfocused Changes:** Please avoid submitting Pull Requests that contain only minor changes such as whitespace adjustments, IDE-generated formatting, or removal of unused variables, unless these are part of a larger, clearly defined refactor or a dedicated "cleanup" Pull Request that addresses a specific `good first issue` or maintenance task.
 - **Issue Association:** For any significant change, it's highly recommended to open an issue first to discuss the proposed solution with the community and maintainers. This ensures alignment and avoids duplicated effort. If your PR resolves an existing issue, please link it in the description (e.g., `Fixes #123`, `Closes #456`).
+- **Large Features:** Pull Requests that introduce very large or broad features **will not be accepted** unless the idea is first outlined and discussed in a GitHub issue. Large features should be designed together with the Dokploy team so the project stays coherent and moves in the same direction. Open an issue to propose and align on the design before implementing.
 
 Thank you for your contribution!
 

Dockerfile

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM node:20.16.0-slim AS base
+FROM node:24.4.0-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable
-RUN corepack prepare pnpm@9.12.0 --activate
+RUN corepack prepare pnpm@10.22.0 --activate
 
 FROM base AS build
 COPY . /usr/src/app
@@ -20,7 +20,7 @@ ENV NODE_ENV=production
 RUN pnpm --filter=@dokploy/server build
 RUN pnpm --filter=./apps/dokploy run build
 
-RUN pnpm --filter=./apps/dokploy --prod deploy /prod/dokploy
+RUN pnpm --filter=./apps/dokploy --prod deploy --legacy /prod/dokploy
 
 RUN cp -R /usr/src/app/apps/dokploy/.next /prod/dokploy/.next
 RUN cp -R /usr/src/app/apps/dokploy/dist /prod/dokploy/dist
@@ -65,4 +65,8 @@ RUN curl -sSL https://railpack.com/install.sh | bash
 COPY --from=buildpacksio/pack:0.39.1 /usr/local/bin/pack /usr/local/bin/pack
 
 EXPOSE 3000
-CMD [ "pnpm", "start" ]
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=5 \
+  CMD curl -fs http://localhost:3000/api/trpc/settings.health || exit 1
+
+  CMD ["sh", "-c", "pnpm run wait-for-postgres && exec pnpm start"]

Dockerfile.cloud

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM node:20.16.0-slim AS base
+FROM node:24.4.0-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable
-RUN corepack prepare pnpm@9.12.0 --activate
+RUN corepack prepare pnpm@10.22.0 --activate
 
 FROM base AS build
 COPY . /usr/src/app
@@ -29,7 +29,7 @@ ENV NODE_ENV=production
 RUN pnpm --filter=@dokploy/server build
 RUN pnpm --filter=./apps/dokploy run build
 
-RUN pnpm --filter=./apps/dokploy --prod deploy /prod/dokploy
+RUN pnpm --filter=./apps/dokploy --prod deploy --legacy /prod/dokploy
 
 RUN cp -R /usr/src/app/apps/dokploy/.next /prod/dokploy/.next
 RUN cp -R /usr/src/app/apps/dokploy/dist /prod/dokploy/dist

Dockerfile.schedule

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM node:20.16.0-slim AS base
+FROM node:24.4.0-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable
-RUN corepack prepare pnpm@9.12.0 --activate
+RUN corepack prepare pnpm@10.22.0 --activate
 
 FROM base AS build
 COPY . /usr/src/app
@@ -20,7 +20,7 @@ ENV NODE_ENV=production
 RUN pnpm --filter=@dokploy/server build
 RUN pnpm --filter=./apps/schedules run build
 
-RUN pnpm --filter=./apps/schedules --prod deploy /prod/schedules
+RUN pnpm --filter=./apps/schedules --prod deploy --legacy /prod/schedules
 
 RUN cp -R /usr/src/app/apps/schedules/dist /prod/schedules/dist
 
@@ -35,4 +35,5 @@ COPY --from=build /prod/schedules/dist ./dist
 COPY --from=build /prod/schedules/package.json ./package.json
 COPY --from=build /prod/schedules/node_modules ./node_modules
 
-CMD HOSTNAME=0.0.0.0 && pnpm start
+ENV HOSTNAME=0.0.0.0
+CMD ["pnpm", "start"]

Dockerfile.server

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
-FROM node:20.16.0-slim AS base
+FROM node:24.4.0-slim AS base
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 RUN corepack enable
-RUN corepack prepare pnpm@9.12.0 --activate
+RUN corepack prepare pnpm@10.22.0 --activate
 
 FROM base AS build
 COPY . /usr/src/app
@@ -20,7 +20,7 @@ ENV NODE_ENV=production
 RUN pnpm --filter=@dokploy/server build
 RUN pnpm --filter=./apps/api run build
 
-RUN pnpm --filter=./apps/api --prod deploy /prod/api
+RUN pnpm --filter=./apps/api --prod deploy --legacy /prod/api
 
 RUN cp -R /usr/src/app/apps/api/dist /prod/api/dist
 
@@ -35,4 +35,5 @@ COPY --from=build /prod/api/dist ./dist
 COPY --from=build /prod/api/package.json ./package.json
 COPY --from=build /prod/api/node_modules ./node_modules
 
-CMD HOSTNAME=0.0.0.0 && pnpm start
+ENV HOSTNAME=0.0.0.0
+CMD ["pnpm", "start"]

LICENSE.MD

@@ -1,8 +1,13 @@
-# License
+Copyright 2026-present Dokploy Technology, Inc.
 
-## Core License (Apache License 2.0)
+Portions of this software are licensed as follows:
 
-Copyright 2025 Mauricio Siu.
+* All content that resides under a "/proprietary" directory of this repository, if that directory exists, is licensed under the license defined in "LICENSE_PROPRIETARY".
+* Content outside of the above mentioned directories or restrictions above is available under the "Apache License 2.0" license as defined below.
+
+## Apache License 2.0
+
+Copyright 2026-present Dokploy Technology, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,12 +20,4 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and limitations under the License.
 
-## Additional Terms for Specific Features
 
-The following additional terms apply to the multi-node support, Docker Compose file, Preview Deployments and Multi Server features of Dokploy. In the event of a conflict, these provisions shall take precedence over those in the Apache License:
-
-- **Self-Hosted Version Free**: All features of Dokploy, including multi-node support, Docker Compose file support, Schedules, Preview Deployments and Multi Server, will always be free to use in the self-hosted version.
-- **Restriction on Resale**: The multi-node support, Docker Compose file support, Schedules, Preview Deployments and Multi Server features cannot be sold or offered as a service by any party other than the copyright holder without prior written consent.
-- **Modification Distribution**: Any modifications to the multi-node support, Docker Compose file support, Schedules, Preview Deployments and Multi Server features must be distributed freely and cannot be sold or offered as a service.
-
-For further inquiries or permissions, please contact us directly.

LICENSE_PROPRIETARY.md

@@ -0,0 +1,11 @@
+The Dokploy Source Available license (DSAL) version 1.0
+
+Copyright (c) 2026-present Dokploy Technology, Inc.
+
+With regard to the Dokploy Software:This software and associated documentation files (the "Software") may only beused in production, if you (and any entity that you represent) have agreed to, and are in compliance with, a valid commercial agreement from Dokploy.Subject to the foregoing sentence, you are free to modify this Software and publish patches to the Software. You agree that Dokploy and/or its licensors (as applicable) retain all right, title and interest in and to all such modifications and/or patches, and all such modifications and/or patches may only be used, copied, modified, displayed, distributed, or otherwise exploited with a valid Dokploy Source Available License.  Notwithstanding the foregoing, you may copy and modify the Software for development and testing purposes, without requiring a subscription.  You agree that Dokploy and/or its licensors (as applicable) retain all right, title and interest in and to all such modifications.  You are not granted any other rights beyond what is expressly stated herein.  Subject to theforegoing, it is forbidden to copy, merge, publish, distribute, sublicense,and/or sell the Software.
+
+This Dokploy Source Available license applies only to the part of this Software that is in a /proprietary folder. The full text of this License shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THESOFTWARE.
+
+For all third party components incorporated into the Dokploy Software, thosecomponents are licensed under the original license provided by the owner of the applicable component.

README.md

@@ -12,30 +12,14 @@
 <br />
 
 
-
-<div align="center" markdown="1">
-   <sup>Special thanks to:</sup>
-   <br>
-   <br>
-   <a href="https://tuple.app/dokploy">
-     <img src=".github/sponsors/tuple.png" alt="Tuple's sponsorship image" width="400"/>
-   </a>
-
-### [Tuple, the premier screen sharing app for developers](https://tuple.app/dokploy)
-[Available for MacOS & Windows](https://tuple.app/dokploy)<br>
-
-</div>
-
-
 Dokploy is a free, self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases.
 
-
 ## ✨ Features
 
 Dokploy includes multiple features to make your life easier.
 
 - **Applications**: Deploy any type of application (Node.js, PHP, Python, Go, Ruby, etc.).
-- **Databases**: Create and manage databases with support for MySQL, PostgreSQL, MongoDB, MariaDB, and Redis.
+- **Databases**: Create and manage databases with support for MySQL, PostgreSQL, MongoDB, MariaDB, libsql, and Redis.
 - **Backups**: Automate backups for databases to an external storage destination.
 - **Docker Compose**: Native support for Docker Compose to manage complex applications.
 - **Multi Node**: Scale applications to multiple nodes using Docker Swarm to manage the cluster.
@@ -55,77 +39,14 @@ To get started, run the following command on a VPS:
 Want to skip the installation process? [Try the Dokploy Cloud](https://app.dokploy.com).
 
 ```bash
-curl -sSL https://dokploy.com/install.sh | sh
+curl -sSL https://dokploy.com/install.sh | bash
 ```
 
 For detailed documentation, visit [docs.dokploy.com](https://docs.dokploy.com).
 
-## ♥️ Sponsors
-
-🙏 We're deeply grateful to all our sponsors who make Dokploy possible! Your support helps cover the costs of hosting, testing, and developing new features.
-
-[Dokploy Open Collective](https://opencollective.com/dokploy)
 
 [Github Sponsors](https://github.com/sponsors/Siumauricio)
 
-<!-- Hero Sponsors 🎖 -->
-
-<!-- Add Hero Sponsors here -->
-
-### Hero Sponsors 🎖
-
-<div>
-  <a href="https://www.hostinger.com/vps-hosting?ref=dokploy"><img src=".github/sponsors/hostinger.jpg" alt="Hostinger" width="300"/></a>
-  <a href="https://www.lxaer.com/?ref=dokploy"><img src=".github/sponsors/lxaer.png" alt="LX Aer" width="100"/></a>
-        <a href="https://www.lambdatest.com/?utm_source=dokploy&utm_medium=sponsor" target="_blank">
-            <img src="https://www.lambdatest.com/blue-logo.png"  width="450" height="100" />
-        </a>
-        <a href="https://awesome.tools/" target="_blank">
-            <img src=".github/sponsors/awesome.png"  width="200" height="150" />
-        </a>
-</div>
-
-<!-- Premium Supporters 🥇 -->
-
-<!-- Add Premium Supporters here -->
-
-### Premium Supporters 🥇
-
-<div>
-  <a href="https://supafort.com/?ref=dokploy"><img src="https://supafort.com/build/q-4Ht4rBZR.webp" alt="Supafort.com" width="300"/></a>
-  <a href="https://agentdock.ai/?ref=dokploy"><img src=".github/sponsors/agentdock.png" alt="agentdock.ai" width="100"/></a>
-</div>
-
-<!-- Elite Contributors 🥈 -->
-
-<!-- Add Elite Contributors here -->
-
-### Elite Contributors 🥈
-
-<div>
-  <a href="https://americancloud.com/?ref=dokploy"><img src=".github/sponsors/american-cloud.png" alt="AmericanCloud" width="300"/></a>
-  <a href="https://tolgee.io/?utm_source=github_dokploy&utm_medium=banner&utm_campaign=dokploy"><img src="https://dokploy.com/tolgee-logo.png" alt="Tolgee" width="100"/></a>
-</div>
-
-### Supporting Members 🥉
-
-<div>
-
-  <a href="https://cloudblast.io/?ref=dokploy"><img src="https://cloudblast.io/img/logo-icon.193cf13e.svg" width="250px" alt="Cloudblast.io"/></a>
-
-  <a href="https://synexa.ai/?ref=dokploy"><img src=".github/sponsors/synexa.png" width="65px" alt="Synexa"/></a>
-</div>
-
-### Community Backers 🤝
-
-#### Organizations:
-
-[Sponsors on Open Collective](https://opencollective.com/dokploy)
-
-#### Individuals:
-
-[![Individual Contributors on Open Collective](https://opencollective.com/dokploy/individuals.svg?width=890)](https://opencollective.com/dokploy)
-
 ### Contributors 🤝
 
 <a href="https://github.com/dokploy/dokploy/graphs/contributors">

apps/api/.env.example

@@ -1,2 +1,11 @@
 LEMON_SQUEEZY_API_KEY=""
-LEMON_SQUEEZY_STORE_ID=""
+LEMON_SQUEEZY_STORE_ID=""
+
+# Inngest (for GET /jobs - list deployment queue). Self-hosted example:
+# INNGEST_BASE_URL="http://localhost:8288"
+# Production: INNGEST_BASE_URL="https://dev-inngest.dokploy.com"
+# INNGEST_SIGNING_KEY="your-signing-key"
+# Optional: only events after this RFC3339 timestamp. If unset, no date filter is applied.
+# INNGEST_EVENTS_RECEIVED_AFTER="2024-01-01T00:00:00Z"
+# Max events to fetch when listing jobs (paginates with cursor). Default 100, max 10000.
+# INNGEST_JOBS_MAX_EVENTS=100

apps/api/package.json

@@ -4,7 +4,7 @@
 	"type": "module",
 	"scripts": {
 		"dev": "PORT=4000 tsx watch src/index.ts",
-		"build": "tsc --project tsconfig.json",
+		"build": "rimraf dist && tsc --project tsconfig.json",
 		"start": "node dist/index.js",
 		"typecheck": "tsc --noEmit"
 	},
@@ -12,26 +12,27 @@
 		"inngest": "3.40.1",
 		"@dokploy/server": "workspace:*",
 		"@hono/node-server": "^1.14.3",
-		"@hono/zod-validator": "0.3.0",
+		"@hono/zod-validator": "0.7.6",
 		"dotenv": "^16.4.5",
-		"hono": "^4.7.10",
+		"hono": "^4.11.7",
 		"pino": "9.4.0",
 		"pino-pretty": "11.2.2",
 		"react": "18.2.0",
 		"react-dom": "18.2.0",
 		"redis": "4.7.0",
-		"zod": "^3.25.32"
+		"zod": "^4.3.6"
 	},
 	"devDependencies": {
-		"@types/node": "^20.17.51",
+		"@types/node": "^24.4.0",
 		"@types/react": "^18.2.37",
 		"@types/react-dom": "^18.2.15",
+		"rimraf": "6.1.3",
 		"tsx": "^4.16.2",
 		"typescript": "^5.8.3"
 	},
-	"packageManager": "pnpm@9.12.0",
+	"packageManager": "pnpm@10.22.0",
 	"engines": {
-		"node": "^20.16.0",
-		"pnpm": ">=9.12.0"
+		"node": "^24.4.0",
+		"pnpm": ">=10.22.0"
 	}
 }

apps/api/src/index.ts

@@ -10,6 +10,7 @@ import {
 	type DeployJob,
 	deployJobSchema,
 } from "./schema.js";
+import { fetchDeploymentJobs } from "./service.js";
 import { deploy } from "./utils.js";
 
 const app = new Hono();
@@ -118,7 +119,6 @@ app.post("/deploy", zValidator("json", deployJobSchema), async (c) => {
 			200,
 		);
 	} catch (error) {
-		console.log("error", error);
 		logger.error("Failed to send deployment event", error);
 		return c.json(
 			{
@@ -176,6 +176,29 @@ app.get("/health", async (c) => {
 	return c.json({ status: "ok" });
 });
 
+// List deployment jobs (Inngest runs) for a server - same shape as BullMQ queue for the UI
+app.get("/jobs", async (c) => {
+	const serverId = c.req.query("serverId");
+	if (!serverId) {
+		return c.json({ message: "serverId is required" }, 400);
+	}
+
+	try {
+		const rows = await fetchDeploymentJobs(serverId);
+		return c.json(rows);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		if (message.includes("INNGEST_BASE_URL")) {
+			return c.json(
+				{ message: "INNGEST_BASE_URL is required to list deployment jobs" },
+				503,
+			);
+		}
+		logger.error("Failed to fetch jobs from Inngest", { serverId, error });
+		return c.json([], 200);
+	}
+});
+
 // Serve Inngest functions endpoint
 app.on(
 	["GET", "POST", "PUT"],

apps/api/src/service.ts

@@ -0,0 +1,239 @@
+import { logger } from "./logger.js";
+
+const baseUrl = process.env.INNGEST_BASE_URL ?? "";
+const signingKey = process.env.INNGEST_SIGNING_KEY ?? "";
+
+const DEFAULT_MAX_EVENTS = 500;
+const MAX_EVENTS = DEFAULT_MAX_EVENTS;
+
+/** Event shape from GET /v1/events (https://api.inngest.com/v1/events) */
+type InngestEventRow = {
+	internal_id?: string;
+	accountID?: string;
+	environmentID?: string;
+	source?: string;
+	sourceID?: string | null;
+	/** RFC3339 timestamp – API uses receivedAt, dev server may use received_at */
+	receivedAt?: string;
+	received_at?: string;
+	id: string;
+	name: string;
+	data: Record<string, unknown>;
+	user?: unknown;
+	ts: number;
+	v?: string | null;
+	metadata?: {
+		fetchedAt: string;
+		cachedUntil: string | null;
+	};
+};
+
+/** Run shape from GET /v1/events/{eventId}/runs – the actual job execution */
+type InngestRun = {
+	run_id: string;
+	event_id: string;
+	status: string; // "Running" | "Completed" | "Failed" | "Cancelled" | "Queued"?
+	run_started_at?: string;
+	ended_at?: string | null;
+	output?: unknown;
+	// dev server / API may use different casing
+	run_started_at_ms?: number;
+};
+
+function getEventReceivedAt(ev: InngestEventRow): string | undefined {
+	return ev.receivedAt ?? ev.received_at;
+}
+
+/** Map Inngest run status to BullMQ-style state for the UI */
+function runStatusToState(
+	status: string,
+): "pending" | "active" | "completed" | "failed" | "cancelled" {
+	const s = status.toLowerCase();
+	if (s === "running") return "active";
+	if (s === "completed") return "completed";
+	if (s === "failed") return "failed";
+	if (s === "cancelled") return "cancelled";
+	if (s === "queued") return "pending";
+	return "pending";
+}
+
+export const fetchInngestEvents = async () => {
+	const maxEvents = MAX_EVENTS;
+	const all: InngestEventRow[] = [];
+	let cursor: string | undefined;
+
+	do {
+		const params = new URLSearchParams({ limit: "100" });
+		if (cursor) {
+			params.set("cursor", cursor);
+		}
+
+		const res = await fetch(`${baseUrl}/v1/events?${params}`, {
+			headers: {
+				Authorization: `Bearer ${signingKey}`,
+				"Content-Type": "application/json",
+			},
+		});
+
+		if (!res.ok) {
+			logger.warn("Inngest API error", {
+				status: res.status,
+				body: await res.text(),
+			});
+			break;
+		}
+
+		const body = (await res.json()) as {
+			data?: InngestEventRow[];
+			cursor?: string;
+			nextCursor?: string;
+		};
+		const data = Array.isArray(body.data) ? body.data : [];
+		all.push(...data);
+
+		// Next page: API may return cursor/nextCursor, or use last event's internal_id (per API docs)
+		const nextCursor =
+			body.cursor ?? body.nextCursor ?? data[data.length - 1]?.internal_id;
+		const hasMore = data.length === 100 && nextCursor && all.length < maxEvents;
+		cursor = hasMore ? nextCursor : undefined;
+	} while (cursor);
+
+	return all.slice(0, maxEvents);
+};
+
+/** Fetch runs for a single event (GET /v1/events/{eventId}/runs) – runs are the actual jobs */
+export const fetchInngestRunsForEvent = async (
+	eventId: string,
+): Promise<InngestRun[]> => {
+	const res = await fetch(
+		`${baseUrl}/v1/events/${encodeURIComponent(eventId)}/runs`,
+		{
+			headers: {
+				Authorization: `Bearer ${signingKey}`,
+				"Content-Type": "application/json",
+			},
+		},
+	);
+	if (!res.ok) {
+		logger.warn("Inngest runs API error", {
+			eventId,
+			status: res.status,
+			body: await res.text(),
+		});
+		return [];
+	}
+	const body = (await res.json()) as { data?: InngestRun[] };
+	return Array.isArray(body.data) ? body.data : [];
+};
+
+/** One row for the queue UI (BullMQ-compatible shape) */
+export type DeploymentJobRow = {
+	id: string;
+	name: string;
+	data: Record<string, unknown>;
+	timestamp: number;
+	processedOn?: number;
+	finishedOn?: number;
+	failedReason?: string;
+	state: string;
+};
+
+/** Build queue rows from events + their runs (one row per run, or pending if no run yet) */
+function buildDeploymentRowsFromRuns(
+	events: InngestEventRow[],
+	runsByEventId: Map<string, InngestRun[]>,
+	serverId: string,
+): DeploymentJobRow[] {
+	const requested = events.filter(
+		(e) =>
+			e.name === "deployment/requested" &&
+			(e.data as Record<string, unknown>)?.serverId === serverId,
+	);
+	const rows: DeploymentJobRow[] = [];
+
+	for (const ev of requested) {
+		const data = (ev.data ?? {}) as Record<string, unknown>;
+		const runs = runsByEventId.get(ev.id) ?? [];
+
+		if (runs.length === 0) {
+			// Queued: event received but no run yet
+			rows.push({
+				id: ev.id,
+				name: ev.name,
+				data,
+				timestamp: ev.ts,
+				processedOn: ev.ts,
+				finishedOn: undefined,
+				failedReason: undefined,
+				state: "pending",
+			});
+			continue;
+		}
+
+		for (const run of runs) {
+			const state = runStatusToState(run.status);
+			const runStartedMs =
+				run.run_started_at_ms ??
+				(run.run_started_at ? new Date(run.run_started_at).getTime() : ev.ts);
+			const endedMs = run.ended_at
+				? new Date(run.ended_at).getTime()
+				: undefined;
+			const failedReason =
+				state === "failed" &&
+				run.output &&
+				typeof run.output === "object" &&
+				"error" in run.output
+					? String((run.output as { error?: unknown }).error)
+					: undefined;
+
+			rows.push({
+				id: run.run_id,
+				name: ev.name,
+				data,
+				timestamp: runStartedMs,
+				processedOn: runStartedMs,
+				finishedOn:
+					state === "completed" || state === "failed" || state === "cancelled"
+						? endedMs
+						: undefined,
+				failedReason,
+				state,
+			});
+		}
+	}
+
+	return rows.sort((a, b) => (b.timestamp ?? 0) - (a.timestamp ?? 0));
+}
+
+/** Fetch deployment jobs for a server: events → runs → rows (correct model: runs = jobs) */
+export const fetchDeploymentJobs = async (
+	serverId: string,
+): Promise<DeploymentJobRow[]> => {
+	if (!signingKey) {
+		logger.warn("INNGEST_SIGNING_KEY not set, returning empty jobs list");
+		return [];
+	}
+	if (!baseUrl) {
+		throw new Error("INNGEST_BASE_URL is required to list deployment jobs");
+	}
+
+	const events = await fetchInngestEvents();
+
+	const requestedForServer = events.filter(
+		(e) =>
+			e.name === "deployment/requested" &&
+			(e.data as Record<string, unknown>)?.serverId === serverId,
+	);
+	// Limit to avoid too many run fetches
+	const toFetch = requestedForServer.slice(0, 50);
+	const runsByEventId = new Map<string, InngestRun[]>();
+
+	await Promise.all(
+		toFetch.map(async (ev) => {
+			const runs = await fetchInngestRunsForEvent(ev.id);
+			runsByEventId.set(ev.id, runs);
+		}),
+	);
+
+	return buildDeploymentRowsFromRuns(toFetch, runsByEventId, serverId);
+};

apps/api/src/utils.ts

@@ -9,7 +9,7 @@ import {
 	updateCompose,
 	updatePreviewDeployment,
 } from "@dokploy/server";
-import type { DeployJob } from "./schema";
+import type { DeployJob } from "./schema.js";
 
 export const deploy = async (job: DeployJob) => {
 	try {

apps/dokploy/.env.production.example

@@ -1,3 +1,2 @@
-DATABASE_URL="postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy"
 PORT=3000
 NODE_ENV=production

apps/dokploy/.nvmrc

@@ -1 +0,0 @@
-20.16.0

apps/dokploy/__test__/compose/build-compose-command.test.ts

@@ -0,0 +1,52 @@
+import { getBuildComposeCommand } from "@dokploy/server/utils/builders/compose";
+import { describe, expect, it, vi } from "vitest";
+
+// Isolate the command builder from the compose-file I/O performed by
+// writeDomainsToCompose; we only care about the docker invocation it emits.
+vi.mock("@dokploy/server/utils/docker/domain", () => ({
+	writeDomainsToCompose: vi.fn().mockResolvedValue(""),
+}));
+
+const baseCompose = {
+	appName: "my-app",
+	sourceType: "raw",
+	command: "",
+	composePath: "docker-compose.yml",
+	composeType: "stack",
+	isolatedDeployment: false,
+	randomize: false,
+	suffix: "",
+	serverId: null,
+	env: "",
+	mounts: [],
+	domains: [],
+	environment: { project: { env: "" }, env: "" },
+} as unknown as Parameters<typeof getBuildComposeCommand>[0];
+
+// Regression coverage for #4401: the deploy command runs under `env -i`, which
+// clears the environment except for the vars listed explicitly. HOME must be
+// preserved so docker can resolve ~/.docker/config.json — otherwise
+// `docker stack deploy --with-registry-auth` ships no credentials to the swarm
+// and private-registry images fail to pull.
+describe("getBuildComposeCommand registry auth (#4401)", () => {
+	it("preserves HOME for swarm stack deploys", async () => {
+		const command = await getBuildComposeCommand({
+			...baseCompose,
+			composeType: "stack",
+		});
+
+		expect(command).toContain("stack deploy");
+		expect(command).toContain("--with-registry-auth");
+		expect(command).toContain('env -i PATH="$PATH" HOME="$HOME"');
+	});
+
+	it("preserves HOME for docker compose deploys", async () => {
+		const command = await getBuildComposeCommand({
+			...baseCompose,
+			composeType: "docker-compose",
+		});
+
+		expect(command).toContain("compose -p my-app");
+		expect(command).toContain('env -i PATH="$PATH" HOME="$HOME"');
+	});
+});

apps/dokploy/__test__/compose/domain/host-rule-format.test.ts

@@ -32,6 +32,9 @@ describe("Host rule format regression tests", () => {
 		previewDeploymentId: "",
 		internalPath: "/",
 		stripPath: false,
+		customEntrypoint: null,
+		middlewares: null,
+		forwardAuthEnabled: false,
 	};
 
 	describe("Host rule format validation", () => {

apps/dokploy/__test__/compose/domain/labels.test.ts

@@ -7,6 +7,7 @@ describe("createDomainLabels", () => {
 	const baseDomain: Domain = {
 		host: "example.com",
 		port: 8080,
+		customEntrypoint: null,
 		https: false,
 		uniqueConfigKey: 1,
 		customCertResolver: null,
@@ -21,6 +22,8 @@ describe("createDomainLabels", () => {
 		previewDeploymentId: "",
 		internalPath: "/",
 		stripPath: false,
+		middlewares: null,
+		forwardAuthEnabled: false,
 	};
 
 	it("should create basic labels for web entrypoint", async () => {
@@ -101,6 +104,51 @@ describe("createDomainLabels", () => {
 		);
 	});
 
+	it("should add tls=true for certificateType none on websecure entrypoint", async () => {
+		const noneDomain = {
+			...baseDomain,
+			https: true,
+			certificateType: "none" as const,
+		};
+		const labels = await createDomainLabels(appName, noneDomain, "websecure");
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-websecure.tls=true",
+		);
+		// no cert resolver should be set when relying on a default/custom cert
+		expect(labels).not.toContain(
+			"traefik.http.routers.test-app-1-websecure.tls.certresolver=letsencrypt",
+		);
+	});
+
+	it("should not add tls=true for certificateType none on web entrypoint", async () => {
+		const noneDomain = {
+			...baseDomain,
+			https: true,
+			certificateType: "none" as const,
+		};
+		const labels = await createDomainLabels(appName, noneDomain, "web");
+		expect(labels).not.toContain(
+			"traefik.http.routers.test-app-1-web.tls=true",
+		);
+	});
+
+	it("should add tls=true for certificateType none on a custom https entrypoint", async () => {
+		const noneDomain = {
+			...baseDomain,
+			https: true,
+			customEntrypoint: "websecure-custom",
+			certificateType: "none" as const,
+		};
+		const labels = await createDomainLabels(
+			appName,
+			noneDomain,
+			"websecure-custom",
+		);
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-websecure-custom.tls=true",
+		);
+	});
+
 	it("should handle different ports correctly", async () => {
 		const customPortDomain = { ...baseDomain, port: 3000 };
 		const labels = await createDomainLabels(appName, customPortDomain, "web");
@@ -171,12 +219,12 @@ describe("createDomainLabels", () => {
 			"websecure",
 		);
 
-		// Web entrypoint should have both middlewares with redirect first
+		// Web entrypoint with HTTPS should only have redirect
 		expect(webLabels).toContain(
-			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file,addprefix-test-app-1",
+			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file",
 		);
 
-		// Websecure should only have the addprefix middleware
+		// Websecure should have the addprefix middleware
 		expect(websecureLabels).toContain(
 			"traefik.http.routers.test-app-1-websecure.middlewares=addprefix-test-app-1",
 		);
@@ -208,9 +256,9 @@ describe("createDomainLabels", () => {
 			"traefik.http.middlewares.addprefix-test-app-1.addprefix.prefix=/hello",
 		);
 
-		// Should have middlewares in correct order: redirect, stripprefix, addprefix
+		// Web router with HTTPS should only have redirect
 		expect(webLabels).toContain(
-			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file,stripprefix-test-app-1,addprefix-test-app-1",
+			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file",
 		);
 	});
 
@@ -240,4 +288,259 @@ describe("createDomainLabels", () => {
 			"traefik.http.routers.test-app-1-websecure.middlewares=stripprefix-test-app-1,addprefix-test-app-1",
 		);
 	});
+
+	it("should add single custom middleware to router", async () => {
+		const customMiddlewareDomain = {
+			...baseDomain,
+			middlewares: ["auth@file"],
+		};
+		const labels = await createDomainLabels(
+			appName,
+			customMiddlewareDomain,
+			"web",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=auth@file",
+		);
+	});
+
+	it("should add multiple custom middlewares to router", async () => {
+		const customMiddlewareDomain = {
+			...baseDomain,
+			middlewares: ["auth@file", "rate-limit@file"],
+		};
+		const labels = await createDomainLabels(
+			appName,
+			customMiddlewareDomain,
+			"web",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=auth@file,rate-limit@file",
+		);
+	});
+
+	it("should only have redirect on web router when HTTPS is enabled with custom middlewares", async () => {
+		const combinedDomain = {
+			...baseDomain,
+			https: true,
+			middlewares: ["auth@file"],
+		};
+		const labels = await createDomainLabels(appName, combinedDomain, "web");
+
+		// Web router with HTTPS should only redirect, custom middlewares go on websecure
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file",
+		);
+		expect(labels).not.toContain("auth@file");
+	});
+
+	it("should combine custom middlewares with stripPath middleware (no HTTPS)", async () => {
+		const combinedDomain = {
+			...baseDomain,
+			path: "/api",
+			stripPath: true,
+			middlewares: ["auth@file"],
+		};
+		const labels = await createDomainLabels(appName, combinedDomain, "web");
+
+		// stripprefix should come before custom middleware
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=stripprefix-test-app-1,auth@file",
+		);
+	});
+
+	it("should only have redirect on web router even with all built-in middlewares and custom middlewares", async () => {
+		const fullDomain = {
+			...baseDomain,
+			https: true,
+			path: "/api",
+			stripPath: true,
+			internalPath: "/hello",
+			middlewares: ["auth@file", "rate-limit@file"],
+		};
+		const webLabels = await createDomainLabels(appName, fullDomain, "web");
+
+		// Web router with HTTPS should only redirect
+		expect(webLabels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file",
+		);
+		// Middleware definitions should still be present (Traefik needs them registered)
+		expect(webLabels).toContain(
+			"traefik.http.middlewares.stripprefix-test-app-1.stripprefix.prefixes=/api",
+		);
+		expect(webLabels).toContain(
+			"traefik.http.middlewares.addprefix-test-app-1.addprefix.prefix=/hello",
+		);
+		// But they should NOT be attached to the router
+		expect(webLabels).not.toContain("stripprefix-test-app-1,");
+		expect(webLabels).not.toContain("auth@file");
+		expect(webLabels).not.toContain("rate-limit@file");
+	});
+
+	it("should include custom middlewares on websecure entrypoint", async () => {
+		const customMiddlewareDomain = {
+			...baseDomain,
+			https: true,
+			middlewares: ["auth@file"],
+		};
+		const websecureLabels = await createDomainLabels(
+			appName,
+			customMiddlewareDomain,
+			"websecure",
+		);
+
+		// Websecure should have custom middleware but not redirect-to-https
+		expect(websecureLabels).toContain(
+			"traefik.http.routers.test-app-1-websecure.middlewares=auth@file",
+		);
+		expect(websecureLabels).not.toContain("redirect-to-https");
+	});
+
+	it("should NOT include custom middlewares on web router when HTTPS is enabled (only redirect)", async () => {
+		const domain = {
+			...baseDomain,
+			https: true,
+			middlewares: ["rate-limit@file", "auth@file"],
+		};
+		const webLabels = await createDomainLabels(appName, domain, "web");
+
+		// Web router with HTTPS should ONLY have redirect, not custom middlewares
+		expect(webLabels).toContain(
+			"traefik.http.routers.test-app-1-web.middlewares=redirect-to-https@file",
+		);
+		expect(webLabels).not.toContain("rate-limit@file");
+		expect(webLabels).not.toContain("auth@file");
+	});
+
+	it("should create basic labels for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{ ...baseDomain, customEntrypoint: "custom" },
+			"custom",
+		);
+		expect(labels).toEqual([
+			"traefik.http.routers.test-app-1-custom.rule=Host(`example.com`)",
+			"traefik.http.routers.test-app-1-custom.entrypoints=custom",
+			"traefik.http.services.test-app-1-custom.loadbalancer.server.port=8080",
+			"traefik.http.routers.test-app-1-custom.service=test-app-1-custom",
+		]);
+	});
+
+	it("should create https labels for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				https: true,
+				customEntrypoint: "custom",
+				certificateType: "letsencrypt",
+			},
+			"custom",
+		);
+		expect(labels).toEqual([
+			"traefik.http.routers.test-app-1-custom.rule=Host(`example.com`)",
+			"traefik.http.routers.test-app-1-custom.entrypoints=custom",
+			"traefik.http.services.test-app-1-custom.loadbalancer.server.port=8080",
+			"traefik.http.routers.test-app-1-custom.service=test-app-1-custom",
+			"traefik.http.routers.test-app-1-custom.tls.certresolver=letsencrypt",
+		]);
+	});
+
+	it("should add stripPath middleware for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				customEntrypoint: "custom",
+				path: "/api",
+				stripPath: true,
+			},
+			"custom",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.middlewares.stripprefix-test-app-1.stripprefix.prefixes=/api",
+		);
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-custom.middlewares=stripprefix-test-app-1",
+		);
+	});
+
+	it("should add internalPath middleware for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				customEntrypoint: "custom",
+				internalPath: "/hello",
+			},
+			"custom",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.middlewares.addprefix-test-app-1.addprefix.prefix=/hello",
+		);
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-custom.middlewares=addprefix-test-app-1",
+		);
+	});
+
+	it("should add path prefix in rule for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				customEntrypoint: "custom",
+				path: "/api",
+			},
+			"custom",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-custom.rule=Host(`example.com`) && PathPrefix(`/api`)",
+		);
+	});
+
+	it("should combine all middlewares for custom entrypoint", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				customEntrypoint: "custom",
+				path: "/api",
+				stripPath: true,
+				internalPath: "/hello",
+			},
+			"custom",
+		);
+
+		expect(labels).toContain(
+			"traefik.http.middlewares.stripprefix-test-app-1.stripprefix.prefixes=/api",
+		);
+		expect(labels).toContain(
+			"traefik.http.middlewares.addprefix-test-app-1.addprefix.prefix=/hello",
+		);
+		expect(labels).toContain(
+			"traefik.http.routers.test-app-1-custom.middlewares=stripprefix-test-app-1,addprefix-test-app-1",
+		);
+	});
+
+	it("should not add redirect-to-https for custom entrypoint even with https", async () => {
+		const labels = await createDomainLabels(
+			appName,
+			{
+				...baseDomain,
+				customEntrypoint: "custom",
+				https: true,
+				certificateType: "letsencrypt",
+			},
+			"custom",
+		);
+
+		const middlewareLabel = labels.find((l) => l.includes(".middlewares="));
+		// Should not contain redirect-to-https since there's only one router
+		expect(middlewareLabel).toBeUndefined();
+	});
 });

apps/dokploy/__test__/compose/domain/network-service.test.ts

@@ -4,21 +4,30 @@ import { describe, expect, it } from "vitest";
 describe("addDokployNetworkToService", () => {
 	it("should add network to an empty array", () => {
 		const result = addDokployNetworkToService([]);
-		expect(result).toEqual(["dokploy-network"]);
+		expect(result).toEqual(["dokploy-network", "default"]);
 	});
 
 	it("should not add duplicate network to an array", () => {
 		const result = addDokployNetworkToService(["dokploy-network"]);
-		expect(result).toEqual(["dokploy-network"]);
+		expect(result).toEqual(["dokploy-network", "default"]);
 	});
 
 	it("should add network to an existing array with other networks", () => {
 		const result = addDokployNetworkToService(["other-network"]);
-		expect(result).toEqual(["other-network", "dokploy-network"]);
+		expect(result).toEqual(["other-network", "dokploy-network", "default"]);
 	});
 
 	it("should add network to an object if networks is an object", () => {
 		const result = addDokployNetworkToService({ "other-network": {} });
-		expect(result).toEqual({ "other-network": {}, "dokploy-network": {} });
+		expect(result).toEqual({
+			"other-network": {},
+			"dokploy-network": {},
+			default: {},
+		});
+	});
+
+	it("should not duplicate default network when already present", () => {
+		const result = addDokployNetworkToService(["default", "dokploy-network"]);
+		expect(result).toEqual(["default", "dokploy-network"]);
 	});
 });

apps/dokploy/__test__/compose/network/network-root.test.ts

@@ -292,7 +292,7 @@ networks:
   dokploy-network:
 `;
 
-test("It shoudn't add suffix to dokploy-network", () => {
+test("It shouldn't add suffix to dokploy-network", () => {
 	const composeData = parse(composeFile7) as ComposeSpecification;
 
 	const suffix = generateRandomHash();

apps/dokploy/__test__/compose/network/network-service.test.ts

@@ -195,7 +195,7 @@ services:
       - dokploy-network
 `;
 
-test("It shoudn't add suffix to dokploy-network in services", () => {
+test("It shouldn't add suffix to dokploy-network in services", () => {
 	const composeData = parse(composeFile7) as ComposeSpecification;
 
 	const suffix = generateRandomHash();
@@ -241,10 +241,10 @@ services:
       dokploy-network:
         aliases:
           - apid
-	
+
 `;
 
-test("It shoudn't add suffix to dokploy-network in services multiples cases", () => {
+test("It shouldn't add suffix to dokploy-network in services multiples cases", () => {
 	const composeData = parse(composeFile8) as ComposeSpecification;
 
 	const suffix = generateRandomHash();

apps/dokploy/__test__/deploy/application.command.test.ts

@@ -14,13 +14,18 @@ vi.mock("@dokploy/server/db", () => {
 			set: vi.fn(() => chain),
 			where: vi.fn(() => chain),
 			returning: vi.fn().mockResolvedValue([{}] as any),
+			from: vi.fn(() => chain),
+			innerJoin: vi.fn(() => chain),
+			then: (resolve: (v: any) => void) => {
+				resolve([]);
+			},
 		} as any;
 		return chain;
 	};
 
 	return {
 		db: {
-			select: vi.fn(),
+			select: vi.fn(() => createChainableMock()),
 			insert: vi.fn(),
 			update: vi.fn(() => createChainableMock()),
 			delete: vi.fn(),
@@ -28,6 +33,12 @@ vi.mock("@dokploy/server/db", () => {
 				applications: {
 					findFirst: vi.fn(),
 				},
+				patch: {
+					findMany: vi.fn().mockResolvedValue([]),
+				},
+				member: {
+					findMany: vi.fn().mockResolvedValue([]),
+				},
 			},
 		},
 	};

apps/dokploy/__test__/deploy/application.real.test.ts

@@ -15,13 +15,18 @@ vi.mock("@dokploy/server/db", () => {
 			set: vi.fn(() => chain),
 			where: vi.fn(() => chain),
 			returning: vi.fn().mockResolvedValue([{}]),
+			from: vi.fn(() => chain),
+			innerJoin: vi.fn(() => chain),
+			then: (resolve: (v: any) => void) => {
+				resolve([]);
+			},
 		};
 		return chain;
 	};
 
 	return {
 		db: {
-			select: vi.fn(),
+			select: vi.fn(() => createChainableMock()),
 			insert: vi.fn(),
 			update: vi.fn(() => createChainableMock()),
 			delete: vi.fn(),
@@ -29,6 +34,12 @@ vi.mock("@dokploy/server/db", () => {
 				applications: {
 					findFirst: vi.fn(),
 				},
+				patch: {
+					findMany: vi.fn().mockResolvedValue([]),
+				},
+				member: {
+					findMany: vi.fn().mockResolvedValue([]),
+				},
 			},
 		},
 	};

apps/dokploy/__test__/deploy/github.test.ts

@@ -83,6 +83,14 @@ describe("GitHub Webhook Skip CI", () => {
 				{ commits: [{ message: "[skip ci] test" }] },
 			),
 		).toBe("[skip ci] test");
+
+		// Soft Serve
+		expect(
+			extractCommitMessage(
+				{ "x-softserve-event": "push" },
+				{ commits: [{ message: "[skip ci] test" }] },
+			),
+		).toBe("[skip ci] test");
 	});
 
 	it("should handle missing commit message", () => {
@@ -99,6 +107,9 @@ describe("GitHub Webhook Skip CI", () => {
 		expect(extractCommitMessage({ "x-gitea-event": "push" }, {})).toBe(
 			"NEW COMMIT",
 		);
+		expect(extractCommitMessage({ "x-softserve-event": "push" }, {})).toBe(
+			"NEW COMMIT",
+		);
 	});
 });
 
@@ -404,5 +415,24 @@ describe("Docker Image Name and Tag Extraction", () => {
 			expect(extractImageTag("my-image:123")).toBe("123");
 			expect(extractImageTag("my-image:1")).toBe("1");
 		});
+
+		it("should return 'latest' for registry with port but no tag", () => {
+			expect(extractImageTag("registry.example.com:5000/myimage")).toBe(
+				"latest",
+			);
+			expect(extractImageTag("registry:5000/fedora/httpd")).toBe("latest");
+			expect(extractImageTag("localhost:5000/myapp")).toBe("latest");
+			expect(extractImageTag("my-registry.io:443/org/app")).toBe("latest");
+		});
+
+		it("should extract tag from registry with port and tag", () => {
+			expect(extractImageTag("registry:5000/image:tag")).toBe("tag");
+			expect(extractImageTag("registry.example.com:5000/myimage:v2.0")).toBe(
+				"v2.0",
+			);
+			expect(extractImageTag("localhost:5000/app:sha-abc123")).toBe(
+				"sha-abc123",
+			);
+		});
 	});
 });

apps/dokploy/__test__/deploy/should-deploy.test.ts

@@ -0,0 +1,41 @@
+import { shouldDeploy } from "@dokploy/server";
+import { describe, expect, it } from "vitest";
+
+describe("shouldDeploy", () => {
+	it("should deploy when no watch paths are configured", () => {
+		expect(shouldDeploy(null, ["src/index.ts"])).toBe(true);
+		expect(shouldDeploy([], ["src/index.ts"])).toBe(true);
+	});
+
+	it("should deploy when watch paths match modified files", () => {
+		expect(shouldDeploy(["src/**"], ["src/index.ts"])).toBe(true);
+		expect(shouldDeploy(["apps/web/**"], ["apps/web/page.tsx"])).toBe(true);
+	});
+
+	it("should not deploy when watch paths do not match", () => {
+		expect(shouldDeploy(["src/**"], ["docs/readme.md"])).toBe(false);
+	});
+
+	it("should not throw when modified files contain non-string values", () => {
+		expect(() =>
+			shouldDeploy(["src/**"], ["src/index.ts", undefined, null] as any),
+		).not.toThrow();
+		expect(
+			shouldDeploy(["src/**"], ["src/index.ts", undefined, null] as any),
+		).toBe(true);
+	});
+
+	it("should not throw when modified files are undefined or null", () => {
+		expect(() => shouldDeploy(["src/**"], undefined)).not.toThrow();
+		expect(() => shouldDeploy(["src/**"], null)).not.toThrow();
+		expect(shouldDeploy(["src/**"], undefined)).toBe(false);
+		expect(shouldDeploy(["src/**"], null)).toBe(false);
+	});
+
+	it("should not throw when every modified file is non-string", () => {
+		expect(() =>
+			shouldDeploy(["src/**"], [undefined, undefined] as any),
+		).not.toThrow();
+		expect(shouldDeploy(["src/**"], [undefined, undefined] as any)).toBe(false);
+	});
+});

apps/dokploy/__test__/deploy/soft-serve.test.ts

@@ -0,0 +1,49 @@
+import { describe, expect, it } from "vitest";
+import {
+	extractBranchName,
+	extractCommitMessage,
+	extractHash,
+	getProviderByHeader,
+} from "@/pages/api/deploy/[refreshToken]";
+
+describe("Soft Serve Webhook", () => {
+	const mockSoftServeHeaders = {
+		"x-softserve-event": "push",
+	};
+
+	const createMockBody = (message: string, hash: string, branch: string) => ({
+		event: "push",
+		ref: `refs/heads/${branch}`,
+		after: hash,
+		commits: [{ message: message }],
+	});
+	const message: string = "feat: add new feature";
+	const hash: string = "3c91c24ef9560bddc695bce138bf8a7094ec3df5";
+	const branch: string = "feat/add-new";
+	const goodWebhook = createMockBody(message, hash, branch);
+
+	it("should properly extract the provider name", () => {
+		expect(getProviderByHeader(mockSoftServeHeaders)).toBe("soft-serve");
+	});
+
+	it("should properly extract the commit message", () => {
+		expect(extractCommitMessage(mockSoftServeHeaders, goodWebhook)).toBe(
+			message,
+		);
+	});
+
+	it("should properly extract hash", () => {
+		expect(extractHash(mockSoftServeHeaders, goodWebhook)).toBe(hash);
+	});
+
+	it("should properly extract branch name", () => {
+		expect(extractBranchName(mockSoftServeHeaders, goodWebhook)).toBe(branch);
+	});
+
+	it("should gracefully handle invalid webhook", () => {
+		expect(getProviderByHeader({})).toBeNull();
+		expect(extractCommitMessage(mockSoftServeHeaders, {})).toBe("NEW COMMIT");
+		expect(extractHash(mockSoftServeHeaders, {})).toBe("NEW COMMIT");
+		expect(extractBranchName(mockSoftServeHeaders, {})).toBeNull();
+	});
+});

apps/dokploy/__test__/drop/drop.test.ts

@@ -6,6 +6,7 @@ import { paths } from "@dokploy/server/constants";
 import AdmZip from "adm-zip";
 import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 
+const OUTPUT_BASE = "./__test__/drop/zips/output";
 const { APPLICATIONS_PATH } = paths();
 vi.mock("@dokploy/server/constants", async (importOriginal) => {
 	const actual = await importOriginal();
@@ -13,7 +14,10 @@ vi.mock("@dokploy/server/constants", async (importOriginal) => {
 		// @ts-ignore
 		...actual,
 		paths: () => ({
-			APPLICATIONS_PATH: "./__test__/drop/zips/output",
+			// @ts-ignore
+			...actual.paths(),
+			BASE_PATH: OUTPUT_BASE,
+			APPLICATIONS_PATH: OUTPUT_BASE,
 		}),
 	};
 });
@@ -29,6 +33,7 @@ const baseApp: ApplicationNested = {
 	applicationId: "",
 	previewLabels: [],
 	createEnvFile: true,
+	bitbucketRepositorySlug: "",
 	herokuVersion: "",
 	giteaBranch: "",
 	buildServerId: "",
@@ -115,6 +120,7 @@ const baseApp: ApplicationNested = {
 	environmentId: "",
 	enabled: null,
 	env: null,
+	icon: null,
 	healthCheckSwarm: null,
 	labelsSwarm: null,
 	memoryLimit: null,
@@ -146,8 +152,179 @@ const baseApp: ApplicationNested = {
 	dockerContextPath: null,
 	rollbackActive: false,
 	stopGracePeriodSwarm: null,
+	ulimitsSwarm: null,
 };
 
+/**
+ * GHSA-66v7-g3fh-47h3: Remote Code Execution through Path Traversal.
+ * Validates the exact PoC: ZIP with path traversal entry ../../../../../etc/cron.d/malicious-cron
+ * plus cover files (package.json, index.js). unzipDrop must reject and never write outside output.
+ */
+describe("GHSA-66v7-g3fh-47h3 path traversal RCE", () => {
+	beforeAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+	afterAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	it("rejects PoC ZIP: traversal ../../../../../etc/cron.d/malicious-cron + package.json + index.js", async () => {
+		baseApp.appName = "ghsa-rce";
+		// PoC payload: same entry name as advisory (Python zipfile keeps it; AdmZip normalizes on add → use placeholder + replace)
+		const traversalEntry = "../../../../../etc/cron.d/malicious-cron";
+		const cronPayload = "* * * * * root id\n";
+		const placeholder = "x".repeat(traversalEntry.length);
+		const zip = new AdmZip();
+		zip.addFile(
+			"package.json",
+			Buffer.from('{"name": "app", "version": "1.0.0"}'),
+		);
+		zip.addFile("index.js", Buffer.from('console.log("Application");'));
+		zip.addFile(placeholder, Buffer.from(cronPayload));
+		let buf = Buffer.from(zip.toBuffer());
+		buf = Buffer.from(
+			buf.toString("binary").split(placeholder).join(traversalEntry),
+			"binary",
+		);
+		const file = new File([buf as unknown as ArrayBuffer], "exploit.zip");
+		await expect(unzipDrop(file, baseApp)).rejects.toThrow(
+			/Path traversal detected.*resolved path escapes output directory/,
+		);
+	});
+});
+
+describe("security: existing symlink escape", () => {
+	beforeAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	afterAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	it("should NOT write outside base when directory is a symlink", async () => {
+		const appName = "symlink-existing";
+		const output = path.join(APPLICATIONS_PATH, appName, "code");
+		await fs.mkdir(output, { recursive: true });
+
+		// outside target (attacker wants to write here)
+		const outside = path.join(APPLICATIONS_PATH, "..", "outside");
+		await fs.mkdir(outside, { recursive: true });
+
+		// attacker-controlled symlink inside project
+		await fs.symlink(outside, path.join(output, "logs"));
+
+		// zip looks totally harmless
+		const zip = new AdmZip();
+		zip.addFile("logs/pwned.txt", Buffer.from("owned"));
+
+		const file = new File([zip.toBuffer() as any], "exploit.zip");
+
+		await unzipDrop(file, { ...baseApp, appName });
+
+		// if vulnerable -> file exists outside sandbox
+		const escaped = await fs
+			.readFile(path.join(outside, "pwned.txt"), "utf8")
+			.then(() => true)
+			.catch(() => false);
+
+		expect(escaped).toBe(false);
+	});
+});
+
+describe("security: zip symlink entry blocked", () => {
+	beforeAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	afterAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	it("rejects zip containing real symlink entry", async () => {
+		const appName = "zip-symlink";
+
+		const zipBuffer = await fs.readFile(
+			path.join(__dirname, "./zips/payload/symlink-entry.zip"),
+		);
+
+		const file = new File([zipBuffer as any], "exploit.zip");
+
+		await expect(unzipDrop(file, { ...baseApp, appName })).rejects.toThrow(
+			/Dangerous node entries are not allowed/,
+		);
+	});
+});
+
+describe("unzipDrop path under output (no traversal)", () => {
+	beforeAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+	afterAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	it("allows entry etc/cron.d/malicious-cron when under output (no path traversal)", async () => {
+		baseApp.appName = "cron-under-output";
+		const zip = new AdmZip();
+		zip.addFile(
+			"etc/cron.d/malicious-cron",
+			Buffer.from("* * * * * root id\n"),
+		);
+		zip.addFile("package.json", Buffer.from('{"name":"app"}'));
+		const file = new File(
+			[zip.toBuffer() as unknown as ArrayBuffer],
+			"app.zip",
+		);
+		const outputPath = path.join(APPLICATIONS_PATH, baseApp.appName, "code");
+		await unzipDrop(file, baseApp);
+		const content = await fs.readFile(
+			path.join(outputPath, "etc/cron.d/malicious-cron"),
+			"utf8",
+		);
+		expect(content).toBe("* * * * * root id\n");
+	});
+});
+
+describe("security: traversal inside BASE_PATH (sandbox escape)", () => {
+	beforeAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	afterAll(async () => {
+		await fs.rm(APPLICATIONS_PATH, { recursive: true, force: true });
+	});
+
+	it("should NOT allow writing outside application directory but inside BASE_PATH", async () => {
+		const appName = "sandbox-escape";
+
+		const base = APPLICATIONS_PATH.replace("/applications", "");
+		const output = path.join(APPLICATIONS_PATH, appName, "code");
+
+		await fs.mkdir(output, { recursive: true });
+
+		// attacker writes into traefik config inside base
+		const zip = new AdmZip();
+		zip.addFile(
+			"../../../traefik/dynamic/evil.yml",
+			Buffer.from("pwned: true"),
+		);
+
+		const file = new File([zip.toBuffer() as any], "exploit.zip");
+
+		await unzipDrop(file, { ...baseApp, appName });
+
+		const escapedPath = path.join(base, "traefik/dynamic/evil.yml");
+
+		const exists = await fs
+			.readFile(escapedPath)
+			.then(() => true)
+			.catch(() => false);
+
+		expect(exists).toBe(false);
+	});
+});
+
 describe("unzipDrop using real zip files", () => {
 	// const { APPLICATIONS_PATH } = paths();
 	beforeAll(async () => {
@@ -164,14 +341,12 @@ describe("unzipDrop using real zip files", () => {
 		try {
 			const outputPath = path.join(APPLICATIONS_PATH, baseApp.appName, "code");
 			const zip = new AdmZip("./__test__/drop/zips/single-file.zip");
-			console.log(`Output Path: ${outputPath}`);
 			const zipBuffer = zip.toBuffer() as Buffer<ArrayBuffer>;
 			const file = new File([zipBuffer], "single.zip");
 			await unzipDrop(file, baseApp);
 			const files = await fs.readdir(outputPath, { withFileTypes: true });
 			expect(files.some((f) => f.name === "test.txt")).toBe(true);
 		} catch (err) {
-			console.log(err);
 		} finally {
 		}
 	});

apps/dokploy/__test__/drop/zips/payload/link

@@ -0,0 +1 @@
+/etc/passwd

apps/dokploy/__test__/env/environment-access-fallback.test.ts

@@ -0,0 +1,294 @@
+import { describe, expect, it } from "vitest";
+
+// Type definitions matching the project structure
+type Environment = {
+	environmentId: string;
+	name: string;
+	isDefault: boolean;
+};
+
+type Project = {
+	projectId: string;
+	name: string;
+	environments: Environment[];
+};
+
+/**
+ * Helper function that selects the appropriate environment for a user
+ * This matches the logic used in search-command.tsx and show.tsx
+ */
+function selectAccessibleEnvironment(
+	project: Project | null | undefined,
+): Environment | null {
+	if (!project || !project.environments || project.environments.length === 0) {
+		return null;
+	}
+
+	// Find default environment from accessible environments, or fall back to first accessible environment
+	const defaultEnvironment =
+		project.environments.find((environment) => environment.isDefault) ||
+		project.environments[0];
+
+	return defaultEnvironment || null;
+}
+
+describe("Environment Access Fallback", () => {
+	describe("selectAccessibleEnvironment", () => {
+		it("should return default environment when user has access to it", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-prod",
+						name: "production",
+						isDefault: true,
+					},
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-prod");
+			expect(result?.isDefault).toBe(true);
+		});
+
+		it("should return first accessible environment when user doesn't have access to default", () => {
+			// Simulating filtered environments (user only has access to development)
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					// Note: production is not in the list because user doesn't have access
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+					{
+						environmentId: "env-staging",
+						name: "staging",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-dev");
+			expect(result?.name).toBe("development");
+		});
+
+		it("should return first environment when no default is marked but environments exist", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+					{
+						environmentId: "env-staging",
+						name: "staging",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-dev");
+		});
+
+		it("should return null when project has no accessible environments", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).toBeNull();
+		});
+
+		it("should return null when project is null", () => {
+			const result = selectAccessibleEnvironment(null);
+
+			expect(result).toBeNull();
+		});
+
+		it("should return null when project is undefined", () => {
+			const result = selectAccessibleEnvironment(undefined);
+
+			expect(result).toBeNull();
+		});
+
+		it("should handle project with single accessible environment", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-dev");
+		});
+
+		it("should prioritize default environment even when it's not first in the array", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+					{
+						environmentId: "env-staging",
+						name: "staging",
+						isDefault: false,
+					},
+					{
+						environmentId: "env-prod",
+						name: "production",
+						isDefault: true,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-prod");
+			expect(result?.isDefault).toBe(true);
+		});
+
+		it("should handle multiple default environments by returning the first one found", () => {
+			// Edge case: multiple environments marked as default (shouldn't happen, but test it)
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-prod-1",
+						name: "production-1",
+						isDefault: true,
+					},
+					{
+						environmentId: "env-prod-2",
+						name: "production-2",
+						isDefault: true,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.isDefault).toBe(true);
+			// Should return the first default found
+			expect(result?.environmentId).toBe("env-prod-1");
+		});
+
+		it("should work correctly when user has access to multiple environments including default", () => {
+			const project: Project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: [
+					{
+						environmentId: "env-prod",
+						name: "production",
+						isDefault: true,
+					},
+					{
+						environmentId: "env-dev",
+						name: "development",
+						isDefault: false,
+					},
+					{
+						environmentId: "env-staging",
+						name: "staging",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-prod");
+			expect(result?.isDefault).toBe(true);
+		});
+
+		it("should handle real-world scenario: user with only development access", () => {
+			// This simulates the exact bug we're fixing:
+			// User has access to development but not production (default)
+			// The filtered environments array only contains development
+			const project: Project = {
+				projectId: "proj-1",
+				name: "My Project",
+				environments: [
+					// Only development is accessible (production was filtered out)
+					{
+						environmentId: "env-dev-123",
+						name: "development",
+						isDefault: false,
+					},
+				],
+			};
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).not.toBeNull();
+			expect(result?.environmentId).toBe("env-dev-123");
+			expect(result?.name).toBe("development");
+			// Should not be null even though it's not the default
+		});
+	});
+
+	describe("Environment selection edge cases", () => {
+		it("should handle project with environments property as undefined", () => {
+			const project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: undefined,
+			} as unknown as Project;
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).toBeNull();
+		});
+
+		it("should handle project with null environments array", () => {
+			const project = {
+				projectId: "proj-1",
+				name: "Test Project",
+				environments: null,
+			} as unknown as Project;
+
+			const result = selectAccessibleEnvironment(project);
+
+			expect(result).toBeNull();
+		});
+	});
+});

apps/dokploy/__test__/env/stack-environment.test.ts

@@ -0,0 +1,184 @@
+import { getEnvironmentVariablesObject } from "@dokploy/server/index";
+import { describe, expect, it } from "vitest";
+
+const projectEnv = `
+ENVIRONMENT=staging
+DATABASE_URL=postgres://postgres:postgres@localhost:5432/project_db
+PORT=3000
+`;
+
+const environmentEnv = `
+NODE_ENV=development
+API_URL=https://api.dev.example.com
+REDIS_URL=redis://localhost:6379
+DATABASE_NAME=dev_database
+SECRET_KEY=env-secret-123
+`;
+
+describe("getEnvironmentVariablesObject with environment variables (Stack compose)", () => {
+	it("resolves environment variables correctly for Stack compose", () => {
+		const serviceEnv = `
+FOO=\${{environment.NODE_ENV}}
+BAR=\${{environment.API_URL}}
+BAZ=test
+`;
+
+		const result = getEnvironmentVariablesObject(
+			serviceEnv,
+			projectEnv,
+			environmentEnv,
+		);
+
+		expect(result).toEqual({
+			FOO: "development",
+			BAR: "https://api.dev.example.com",
+			BAZ: "test",
+		});
+	});
+
+	it("resolves both project and environment variables for Stack compose", () => {
+		const serviceEnv = `
+ENVIRONMENT=\${{project.ENVIRONMENT}}
+NODE_ENV=\${{environment.NODE_ENV}}
+API_URL=\${{environment.API_URL}}
+DATABASE_URL=\${{project.DATABASE_URL}}
+SERVICE_PORT=4000
+`;
+
+		const result = getEnvironmentVariablesObject(
+			serviceEnv,
+			projectEnv,
+			environmentEnv,
+		);
+
+		expect(result).toEqual({
+			ENVIRONMENT: "staging",
+			NODE_ENV: "development",
+			API_URL: "https://api.dev.example.com",
+			DATABASE_URL: "postgres://postgres:postgres@localhost:5432/project_db",
+			SERVICE_PORT: "4000",
+		});
+	});
+
+	it("handles multiple environment references in single value for Stack compose", () => {
+		const multiRefEnv = `
+HOST=localhost
+PORT=5432
+USERNAME=postgres
+PASSWORD=secret123
+`;
+
+		const serviceEnv = `
+DATABASE_URL=postgresql://\${{environment.USERNAME}}:\${{environment.PASSWORD}}@\${{environment.HOST}}:\${{environment.PORT}}/mydb
+`;
+
+		const result = getEnvironmentVariablesObject(serviceEnv, "", multiRefEnv);
+
+		expect(result).toEqual({
+			DATABASE_URL: "postgresql://postgres:secret123@localhost:5432/mydb",
+		});
+	});
+
+	it("throws error for undefined environment variables in Stack compose", () => {
+		const serviceWithUndefined = `
+UNDEFINED_VAR=\${{environment.UNDEFINED_VAR}}
+`;
+
+		expect(() =>
+			getEnvironmentVariablesObject(serviceWithUndefined, "", environmentEnv),
+		).toThrow("Invalid environment variable: environment.UNDEFINED_VAR");
+	});
+
+	it("allows service variables to override environment variables in Stack compose", () => {
+		const serviceOverrideEnv = `
+NODE_ENV=production
+API_URL=\${{environment.API_URL}}
+`;
+
+		const result = getEnvironmentVariablesObject(
+			serviceOverrideEnv,
+			"",
+			environmentEnv,
+		);
+
+		expect(result).toEqual({
+			NODE_ENV: "production",
+			API_URL: "https://api.dev.example.com",
+		});
+	});
+
+	it("resolves complex references with project, environment, and service variables for Stack compose", () => {
+		const complexServiceEnv = `
+FULL_DATABASE_URL=\${{project.DATABASE_URL}}/\${{environment.DATABASE_NAME}}
+API_ENDPOINT=\${{environment.API_URL}}/\${{project.ENVIRONMENT}}/api
+SERVICE_NAME=my-service
+COMPLEX_VAR=\${{SERVICE_NAME}}-\${{environment.NODE_ENV}}-\${{project.ENVIRONMENT}}
+`;
+
+		const result = getEnvironmentVariablesObject(
+			complexServiceEnv,
+			projectEnv,
+			environmentEnv,
+		);
+
+		expect(result).toEqual({
+			FULL_DATABASE_URL:
+				"postgres://postgres:postgres@localhost:5432/project_db/dev_database",
+			API_ENDPOINT: "https://api.dev.example.com/staging/api",
+			SERVICE_NAME: "my-service",
+			COMPLEX_VAR: "my-service-development-staging",
+		});
+	});
+
+	it("maintains precedence: service > environment > project in Stack compose", () => {
+		const conflictingProjectEnv = `
+NODE_ENV=production-project
+API_URL=https://project.api.com
+DATABASE_NAME=project_db
+`;
+
+		const conflictingEnvironmentEnv = `
+NODE_ENV=development-environment
+API_URL=https://environment.api.com
+DATABASE_NAME=env_db
+`;
+
+		const serviceWithConflicts = `
+NODE_ENV=service-override
+PROJECT_ENV=\${{project.NODE_ENV}}
+ENV_VAR=\${{environment.API_URL}}
+DB_NAME=\${{environment.DATABASE_NAME}}
+`;
+
+		const result = getEnvironmentVariablesObject(
+			serviceWithConflicts,
+			conflictingProjectEnv,
+			conflictingEnvironmentEnv,
+		);
+
+		expect(result).toEqual({
+			NODE_ENV: "service-override",
+			PROJECT_ENV: "production-project",
+			ENV_VAR: "https://environment.api.com",
+			DB_NAME: "env_db",
+		});
+	});
+
+	it("handles empty environment variables in Stack compose", () => {
+		const serviceWithEmpty = `
+SERVICE_VAR=test
+PROJECT_VAR=\${{project.ENVIRONMENT}}
+`;
+
+		const result = getEnvironmentVariablesObject(
+			serviceWithEmpty,
+			projectEnv,
+			"",
+		);
+
+		expect(result).toEqual({
+			SERVICE_VAR: "test",
+			PROJECT_VAR: "staging",
+		});
+	});
+});

apps/dokploy/__test__/git-provider/git-provider-access.test.ts

@@ -0,0 +1,369 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import {
+	canEditDeployGitSource,
+	getAccessibleGitProviderIds,
+} from "@dokploy/server/services/git-provider";
+
+const mockDb = vi.hoisted(() => ({
+	query: {
+		gitProvider: {
+			findMany: vi.fn(),
+			findFirst: vi.fn(),
+		},
+		member: {
+			findFirst: vi.fn(),
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/db", () => ({ db: mockDb }));
+
+const mockHasValidLicense = vi.hoisted(() => vi.fn());
+vi.mock("@dokploy/server/services/proprietary/license-key", () => ({
+	hasValidLicense: mockHasValidLicense,
+}));
+
+const ORG_ID = "org-1";
+const USER_OWNER = "user-owner";
+const USER_ADMIN = "user-admin";
+const USER_MEMBER = "user-member";
+const USER_MEMBER_2 = "user-member-2";
+
+const providerOwned = {
+	gitProviderId: "gp-owned",
+	userId: USER_MEMBER,
+	sharedWithOrganization: false,
+};
+const providerShared = {
+	gitProviderId: "gp-shared",
+	userId: USER_OWNER,
+	sharedWithOrganization: true,
+};
+const providerPrivate = {
+	gitProviderId: "gp-private",
+	userId: USER_OWNER,
+	sharedWithOrganization: false,
+};
+const providerOtherMember = {
+	gitProviderId: "gp-other",
+	userId: USER_MEMBER_2,
+	sharedWithOrganization: false,
+};
+
+const allProviders = [
+	providerOwned,
+	providerShared,
+	providerPrivate,
+	providerOtherMember,
+];
+
+function session(userId: string) {
+	return { userId, activeOrganizationId: ORG_ID };
+}
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	mockDb.query.gitProvider.findMany.mockResolvedValue(allProviders);
+	mockHasValidLicense.mockResolvedValue(false);
+});
+
+describe("getAccessibleGitProviderIds", () => {
+	describe("owner", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "owner",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns all org providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_OWNER));
+			expect(ids).toEqual(new Set(allProviders.map((p) => p.gitProviderId)));
+		});
+
+		it("includes providers owned by other members", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_OWNER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(true);
+		});
+	});
+
+	describe("admin", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "admin",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns all org providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids).toEqual(new Set(allProviders.map((p) => p.gitProviderId)));
+		});
+
+		it("includes providers owned by other members — fixes issue #4469", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(true);
+		});
+	});
+
+	describe("member without enterprise license", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			mockHasValidLicense.mockResolvedValue(false);
+		});
+
+		it("can access their own provider", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+		});
+
+		it("can access shared providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access private providers of other users even if assigned (no license)", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+
+		it("cannot access providers of other members", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("member with enterprise license", () => {
+		beforeEach(() => {
+			mockHasValidLicense.mockResolvedValue(true);
+		});
+
+		it("can access provider explicitly assigned to them", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access provider not assigned and not shared", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+
+		it("can access shared provider even without explicit assignment", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+		});
+
+		it("can access own provider regardless of assignments", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+		});
+
+		it("cannot access provider of other member even with license but no assignment", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOtherMember.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("member with no member record", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue(null);
+			mockHasValidLicense.mockResolvedValue(true);
+		});
+
+		it("only returns own providers and shared ones", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerOwned.gitProviderId)).toBe(true);
+			expect(ids.has(providerShared.gitProviderId)).toBe(true);
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("enterprise license — member assigned to a provider they do not own", () => {
+		// getAccessibleGitProviderIds still returns the provider (member can connect NEW deploys)
+		it("member assigned to owner's private provider can USE the provider for new deploys", async () => {
+			mockHasValidLicense.mockResolvedValue(true);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [providerPrivate.gitProviderId],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(true);
+		});
+
+		it("member NOT assigned to owner's private provider cannot use it at all", async () => {
+			mockHasValidLicense.mockResolvedValue(true);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "member",
+				accessedGitProviders: [],
+			});
+			const ids = await getAccessibleGitProviderIds(session(USER_MEMBER));
+			expect(ids.has(providerPrivate.gitProviderId)).toBe(false);
+		});
+	});
+
+	describe("empty org", () => {
+		beforeEach(() => {
+			mockDb.query.gitProvider.findMany.mockResolvedValue([]);
+			mockDb.query.member.findFirst.mockResolvedValue({
+				role: "admin",
+				accessedGitProviders: [],
+			});
+		});
+
+		it("returns empty set when org has no providers", async () => {
+			const ids = await getAccessibleGitProviderIds(session(USER_ADMIN));
+			expect(ids.size).toBe(0);
+		});
+	});
+});
+
+describe("canEditDeployGitSource", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		mockHasValidLicense.mockResolvedValue(true);
+	});
+
+	describe("owner", () => {
+		it("can edit deploy using any provider", async () => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "owner" });
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_OWNER),
+			);
+			expect(result).toBe(true);
+		});
+	});
+
+	describe("admin", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "admin" });
+		});
+
+		it("cannot edit deploy using owner's private provider (not shared)", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("can edit deploy using a provider shared with the org", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: true,
+			});
+			const result = await canEditDeployGitSource(
+				providerShared.gitProviderId,
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("can edit deploy using their own provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_ADMIN,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				"gp-admin-owned",
+				session(USER_ADMIN),
+			);
+			expect(result).toBe(true);
+		});
+	});
+
+	describe("member", () => {
+		beforeEach(() => {
+			mockDb.query.member.findFirst.mockResolvedValue({ role: "member" });
+		});
+
+		it("can edit deploy using their own provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_MEMBER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerOwned.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("can edit deploy using a provider shared with the org", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: true,
+			});
+			const result = await canEditDeployGitSource(
+				providerShared.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(true);
+		});
+
+		it("cannot edit deploy using owner's private provider even with enterprise license and assignment", async () => {
+			// This is the key case: enterprise, provider del owner, no compartido,
+			// member tiene accessedGitProviders asignado — pero NO puede cambiar la branch del deploy del owner
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_OWNER,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerPrivate.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("cannot edit deploy using another member's private provider", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue({
+				userId: USER_MEMBER_2,
+				sharedWithOrganization: false,
+			});
+			const result = await canEditDeployGitSource(
+				providerOtherMember.gitProviderId,
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+
+		it("returns false if provider does not exist", async () => {
+			mockDb.query.gitProvider.findFirst.mockResolvedValue(null);
+			const result = await canEditDeployGitSource(
+				"nonexistent-id",
+				session(USER_MEMBER),
+			);
+			expect(result).toBe(false);
+		});
+	});
+});

apps/dokploy/__test__/permissions/check-permission.test.ts

@@ -0,0 +1,186 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const mockMemberData = (
+	role: string,
+	overrides: Record<string, boolean> = {},
+) => ({
+	id: "member-1",
+	role,
+	userId: "user-1",
+	organizationId: "org-1",
+	accessedProjects: [] as string[],
+	accessedServices: [] as string[],
+	accessedEnvironments: [] as string[],
+	canCreateProjects: overrides.canCreateProjects ?? false,
+	canDeleteProjects: overrides.canDeleteProjects ?? false,
+	canCreateServices: overrides.canCreateServices ?? false,
+	canDeleteServices: overrides.canDeleteServices ?? false,
+	canCreateEnvironments: overrides.canCreateEnvironments ?? false,
+	canDeleteEnvironments: overrides.canDeleteEnvironments ?? false,
+	canAccessToTraefikFiles: overrides.canAccessToTraefikFiles ?? false,
+	canAccessToDocker: overrides.canAccessToDocker ?? false,
+	canAccessToAPI: overrides.canAccessToAPI ?? false,
+	canAccessToSSHKeys: overrides.canAccessToSSHKeys ?? false,
+	canAccessToGitProviders: overrides.canAccessToGitProviders ?? false,
+	user: { id: "user-1", email: "test@test.com" },
+});
+
+let memberToReturn: ReturnType<typeof mockMemberData> =
+	mockMemberData("member");
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			member: {
+				findFirst: vi.fn(() => Promise.resolve(memberToReturn)),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+			organizationRole: {
+				findFirst: vi.fn(),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/services/proprietary/license-key", () => ({
+	hasValidLicense: vi.fn(() => Promise.resolve(false)),
+}));
+
+const { checkPermission } = await import("@dokploy/server/services/permission");
+
+const ctx = {
+	user: { id: "user-1" },
+	session: { activeOrganizationId: "org-1" },
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+});
+
+describe("owner and admin bypass enterprise resources", () => {
+	it("owner bypasses deployment.read", async () => {
+		memberToReturn = mockMemberData("owner");
+		await expect(
+			checkPermission(ctx, { deployment: ["read"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("admin bypasses backup.create", async () => {
+		memberToReturn = mockMemberData("admin");
+		await expect(
+			checkPermission(ctx, { backup: ["create"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("owner bypasses multiple enterprise permissions at once", async () => {
+		memberToReturn = mockMemberData("owner");
+		await expect(
+			checkPermission(ctx, {
+				deployment: ["read"],
+				backup: ["create"],
+				domain: ["delete"],
+			}),
+		).resolves.toBeUndefined();
+	});
+});
+
+describe("member is denied org-level enterprise resources (CVE: bypass via staticRoles)", () => {
+	it("member is denied registry.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { registry: ["read"] }),
+		).rejects.toThrow();
+	});
+
+	it("member is denied certificate.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { certificate: ["read"] }),
+		).rejects.toThrow();
+	});
+
+	it("member is denied destination.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { destination: ["read"] }),
+		).rejects.toThrow();
+	});
+
+	it("member is denied notification.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { notification: ["read"] }),
+		).rejects.toThrow();
+	});
+
+	it("member is denied auditLog.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { auditLog: ["read"] }),
+		).rejects.toThrow();
+	});
+
+	it("member is denied server.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(checkPermission(ctx, { server: ["read"] })).rejects.toThrow();
+	});
+
+	it("member is denied registry.create", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { registry: ["create"] }),
+		).rejects.toThrow();
+	});
+});
+
+describe("static roles validate free-tier resources", () => {
+	it("owner passes project.create", async () => {
+		memberToReturn = mockMemberData("owner");
+		await expect(
+			checkPermission(ctx, { project: ["create"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("member fails project.create (no legacy override)", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { project: ["create"] }),
+		).rejects.toThrow();
+	});
+
+	it("member passes service.read", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { service: ["read"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("member fails service.create", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(
+			checkPermission(ctx, { service: ["create"] }),
+		).rejects.toThrow();
+	});
+});
+
+describe("legacy boolean overrides for member", () => {
+	it("member passes project.create with canCreateProjects=true", async () => {
+		memberToReturn = mockMemberData("member", { canCreateProjects: true });
+		await expect(
+			checkPermission(ctx, { project: ["create"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("member passes docker.read with canAccessToDocker=true", async () => {
+		memberToReturn = mockMemberData("member", { canAccessToDocker: true });
+		await expect(
+			checkPermission(ctx, { docker: ["read"] }),
+		).resolves.toBeUndefined();
+	});
+
+	it("member fails docker.read with canAccessToDocker=false", async () => {
+		memberToReturn = mockMemberData("member");
+		await expect(checkPermission(ctx, { docker: ["read"] })).rejects.toThrow();
+	});
+});

apps/dokploy/__test__/permissions/enterprise-only-resources.test.ts

@@ -0,0 +1,79 @@
+import {
+	enterpriseOnlyResources,
+	statements,
+} from "@dokploy/server/lib/access-control";
+import { describe, expect, it } from "vitest";
+
+const FREE_TIER_RESOURCES = [
+	"organization",
+	"member",
+	"invitation",
+	"team",
+	"ac",
+	"project",
+	"service",
+	"environment",
+	"docker",
+	"sshKeys",
+	"gitProviders",
+	"traefikFiles",
+	"api",
+];
+
+const ENTERPRISE_RESOURCES = [
+	"volume",
+	"deployment",
+	"envVars",
+	"projectEnvVars",
+	"environmentEnvVars",
+	"server",
+	"registry",
+	"certificate",
+	"backup",
+	"volumeBackup",
+	"schedule",
+	"domain",
+	"destination",
+	"notification",
+	"tag",
+	"logs",
+	"monitoring",
+	"auditLog",
+];
+
+describe("enterpriseOnlyResources set", () => {
+	it("contains all enterprise resources", () => {
+		for (const resource of ENTERPRISE_RESOURCES) {
+			expect(enterpriseOnlyResources.has(resource)).toBe(true);
+		}
+	});
+
+	it("does NOT contain free-tier resources", () => {
+		for (const resource of FREE_TIER_RESOURCES) {
+			expect(enterpriseOnlyResources.has(resource)).toBe(false);
+		}
+	});
+
+	it("every resource in statements is either free or enterprise", () => {
+		const allResources = Object.keys(statements);
+		for (const resource of allResources) {
+			const isFree = FREE_TIER_RESOURCES.includes(resource);
+			const isEnterprise = enterpriseOnlyResources.has(resource);
+			expect(isFree || isEnterprise).toBe(true);
+		}
+	});
+
+	it("free and enterprise sets don't overlap", () => {
+		for (const resource of FREE_TIER_RESOURCES) {
+			expect(enterpriseOnlyResources.has(resource)).toBe(false);
+		}
+	});
+
+	it("all statement resources are accounted for", () => {
+		const allResources = Object.keys(statements);
+		const categorized = [...FREE_TIER_RESOURCES, ...ENTERPRISE_RESOURCES];
+		for (const resource of allResources) {
+			expect(categorized).toContain(resource);
+		}
+	});
+});

apps/dokploy/__test__/permissions/resolve-permissions.test.ts

@@ -0,0 +1,161 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const mockMemberData = (
+	role: string,
+	overrides: Record<string, boolean> = {},
+) => ({
+	id: "member-1",
+	role,
+	userId: "user-1",
+	organizationId: "org-1",
+	accessedProjects: [] as string[],
+	accessedServices: [] as string[],
+	accessedEnvironments: [] as string[],
+	canCreateProjects: overrides.canCreateProjects ?? false,
+	canDeleteProjects: overrides.canDeleteProjects ?? false,
+	canCreateServices: overrides.canCreateServices ?? false,
+	canDeleteServices: overrides.canDeleteServices ?? false,
+	canCreateEnvironments: overrides.canCreateEnvironments ?? false,
+	canDeleteEnvironments: overrides.canDeleteEnvironments ?? false,
+	canAccessToTraefikFiles: overrides.canAccessToTraefikFiles ?? false,
+	canAccessToDocker: overrides.canAccessToDocker ?? false,
+	canAccessToAPI: overrides.canAccessToAPI ?? false,
+	canAccessToSSHKeys: overrides.canAccessToSSHKeys ?? false,
+	canAccessToGitProviders: overrides.canAccessToGitProviders ?? false,
+	user: { id: "user-1", email: "test@test.com" },
+});
+
+let memberToReturn: ReturnType<typeof mockMemberData> =
+	mockMemberData("member");
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			member: {
+				findFirst: vi.fn(() => Promise.resolve(memberToReturn)),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+			organizationRole: {
+				findFirst: vi.fn(),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/services/proprietary/license-key", () => ({
+	hasValidLicense: vi.fn(() => Promise.resolve(false)),
+}));
+
+const { resolvePermissions } = await import(
+	"@dokploy/server/services/permission"
+);
+const { enterpriseOnlyResources, statements } = await import(
+	"@dokploy/server/lib/access-control"
+);
+
+const ctx = {
+	user: { id: "user-1" },
+	session: { activeOrganizationId: "org-1" },
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+});
+
+describe("enterprise resources for static roles", () => {
+	it("owner gets true for all enterprise resources", async () => {
+		memberToReturn = mockMemberData("owner");
+		const perms = await resolvePermissions(ctx);
+
+		for (const resource of enterpriseOnlyResources) {
+			const actions = statements[resource as keyof typeof statements];
+			for (const action of actions) {
+				expect((perms as any)[resource][action]).toBe(true);
+			}
+		}
+	});
+
+	it("admin gets true for all enterprise resources", async () => {
+		memberToReturn = mockMemberData("admin");
+		const perms = await resolvePermissions(ctx);
+
+		for (const resource of enterpriseOnlyResources) {
+			const actions = statements[resource as keyof typeof statements];
+			for (const action of actions) {
+				expect((perms as any)[resource][action]).toBe(true);
+			}
+		}
+	});
+
+	it("member gets true for service-level enterprise resources", async () => {
+		memberToReturn = mockMemberData("member");
+		const perms = await resolvePermissions(ctx);
+
+		expect(perms.deployment.read).toBe(true);
+		expect(perms.deployment.create).toBe(true);
+		expect(perms.domain.read).toBe(true);
+		expect(perms.backup.read).toBe(true);
+		expect(perms.logs.read).toBe(true);
+		expect(perms.monitoring.read).toBe(true);
+	});
+
+	it("member gets false for org-level enterprise resources", async () => {
+		memberToReturn = mockMemberData("member");
+		const perms = await resolvePermissions(ctx);
+
+		expect(perms.server.read).toBe(false);
+		expect(perms.registry.read).toBe(false);
+		expect(perms.certificate.read).toBe(false);
+		expect(perms.destination.read).toBe(false);
+		expect(perms.notification.read).toBe(false);
+		expect(perms.auditLog.read).toBe(false);
+	});
+});
+
+describe("free-tier resources for member", () => {
+	it("member gets service.read=true", async () => {
+		memberToReturn = mockMemberData("member");
+		const perms = await resolvePermissions(ctx);
+		expect(perms.service.read).toBe(true);
+	});
+
+	it("member gets project.create=false without legacy override", async () => {
+		memberToReturn = mockMemberData("member");
+		const perms = await resolvePermissions(ctx);
+		expect(perms.project.create).toBe(false);
+	});
+
+	it("member gets project.create=true with canCreateProjects", async () => {
+		memberToReturn = mockMemberData("member", { canCreateProjects: true });
+		const perms = await resolvePermissions(ctx);
+		expect(perms.project.create).toBe(true);
+	});
+
+	it("member gets docker.read=false without legacy override", async () => {
+		memberToReturn = mockMemberData("member");
+		const perms = await resolvePermissions(ctx);
+		expect(perms.docker.read).toBe(false);
+	});
+
+	it("member gets docker.read=true with canAccessToDocker", async () => {
+		memberToReturn = mockMemberData("member", { canAccessToDocker: true });
+		const perms = await resolvePermissions(ctx);
+		expect(perms.docker.read).toBe(true);
+	});
+});
+
+describe("free-tier resources for owner", () => {
+	it("owner gets all free-tier permissions as true", async () => {
+		memberToReturn = mockMemberData("owner");
+		const perms = await resolvePermissions(ctx);
+		expect(perms.project.create).toBe(true);
+		expect(perms.project.delete).toBe(true);
+		expect(perms.service.create).toBe(true);
+		expect(perms.service.read).toBe(true);
+		expect(perms.service.delete).toBe(true);
+		expect(perms.docker.read).toBe(true);
+		expect(perms.traefikFiles.read).toBe(true);
+		expect(perms.traefikFiles.write).toBe(true);
+	});
+});

apps/dokploy/__test__/permissions/service-access.test.ts

@@ -0,0 +1,132 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const mockMemberData = (
+	role: string,
+	accessedServices: string[] = [],
+	accessedProjects: string[] = [],
+) => ({
+	id: "member-1",
+	role,
+	userId: "user-1",
+	organizationId: "org-1",
+	accessedProjects,
+	accessedServices,
+	accessedEnvironments: [] as string[],
+	canCreateProjects: false,
+	canDeleteProjects: false,
+	canCreateServices: false,
+	canDeleteServices: false,
+	canCreateEnvironments: false,
+	canDeleteEnvironments: false,
+	canAccessToTraefikFiles: false,
+	canAccessToDocker: false,
+	canAccessToAPI: false,
+	canAccessToSSHKeys: false,
+	canAccessToGitProviders: false,
+	user: { id: "user-1", email: "test@test.com" },
+});
+
+let memberToReturn: ReturnType<typeof mockMemberData> =
+	mockMemberData("member");
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			member: {
+				findFirst: vi.fn(() => Promise.resolve(memberToReturn)),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+			organizationRole: {
+				findFirst: vi.fn(),
+				findMany: vi.fn(() => Promise.resolve([])),
+			},
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/services/proprietary/license-key", () => ({
+	hasValidLicense: vi.fn(() => Promise.resolve(false)),
+}));
+
+const { checkServicePermissionAndAccess, checkServiceAccess } = await import(
+	"@dokploy/server/services/permission"
+);
+
+const ctx = {
+	user: { id: "user-1" },
+	session: { activeOrganizationId: "org-1" },
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+});
+
+describe("checkServicePermissionAndAccess", () => {
+	it("owner bypasses accessedServices check", async () => {
+		memberToReturn = mockMemberData("owner", []);
+		await expect(
+			checkServicePermissionAndAccess(ctx, "service-123", {
+				deployment: ["read"],
+			}),
+		).resolves.toBeUndefined();
+	});
+
+	it("admin bypasses accessedServices check", async () => {
+		memberToReturn = mockMemberData("admin", []);
+		await expect(
+			checkServicePermissionAndAccess(ctx, "service-123", {
+				backup: ["create"],
+			}),
+		).resolves.toBeUndefined();
+	});
+
+	it("member with access to service passes", async () => {
+		memberToReturn = mockMemberData("member", ["service-123"]);
+		await expect(
+			checkServicePermissionAndAccess(ctx, "service-123", {
+				deployment: ["read"],
+			}),
+		).resolves.toBeUndefined();
+	});
+
+	it("member WITHOUT access to service fails", async () => {
+		memberToReturn = mockMemberData("member", ["other-service"]);
+		await expect(
+			checkServicePermissionAndAccess(ctx, "service-123", {
+				deployment: ["read"],
+			}),
+		).rejects.toThrow("You don't have access to this service");
+	});
+
+	it("member with empty accessedServices fails", async () => {
+		memberToReturn = mockMemberData("member", []);
+		await expect(
+			checkServicePermissionAndAccess(ctx, "service-123", {
+				domain: ["delete"],
+			}),
+		).rejects.toThrow("You don't have access to this service");
+	});
+});
+
+describe("checkServiceAccess", () => {
+	it("member with service access passes read check", async () => {
+		memberToReturn = mockMemberData("member", ["app-1"]);
+		await expect(
+			checkServiceAccess(ctx, "app-1", "read"),
+		).resolves.toBeUndefined();
+	});
+
+	it("member without service access fails read check", async () => {
+		memberToReturn = mockMemberData("member", []);
+		await expect(checkServiceAccess(ctx, "app-1", "read")).rejects.toThrow(
+			"You don't have access to this service",
+		);
+	});
+
+	it("owner bypasses all access checks", async () => {
+		memberToReturn = mockMemberData("owner", [], []);
+		await expect(
+			checkServiceAccess(ctx, "project-1", "create"),
+		).resolves.toBeUndefined();
+	});
+});

apps/dokploy/__test__/server/mechanizeDockerContainer.test.ts

@@ -6,6 +6,7 @@ type MockCreateServiceOptions = {
 	TaskTemplate?: {
 		ContainerSpec?: {
 			StopGracePeriod?: number;
+			Ulimits?: Array<{ Name: string; Soft: number; Hard: number }>;
 		};
 	};
 	[key: string]: unknown;
@@ -13,11 +14,11 @@ type MockCreateServiceOptions = {
 
 const { inspectMock, getServiceMock, createServiceMock, getRemoteDockerMock } =
 	vi.hoisted(() => {
-		const inspect = vi.fn<[], Promise<never>>();
+		const inspect = vi.fn<() => Promise<never>>();
 		const getService = vi.fn(() => ({ inspect }));
-		const createService = vi.fn<[MockCreateServiceOptions], Promise<void>>(
-			async () => undefined,
-		);
+		const createService = vi.fn<
+			(opts: MockCreateServiceOptions) => Promise<void>
+		>(async () => undefined);
 		const getRemoteDocker = vi.fn(async () => ({
 			getService,
 			createService,
@@ -56,7 +57,8 @@ const createApplication = (
 			env: null,
 		},
 		replicas: 1,
-		stopGracePeriodSwarm: 0n,
+		stopGracePeriodSwarm: 0,
+		ulimitsSwarm: null,
 		serverId: "server-id",
 		...overrides,
 	}) as unknown as ApplicationNested;
@@ -74,13 +76,15 @@ describe("mechanizeDockerContainer", () => {
 		});
 	});
 
-	it("converts bigint stopGracePeriodSwarm to a number and keeps zero values", async () => {
-		const application = createApplication({ stopGracePeriodSwarm: 0n });
+	it("passes stopGracePeriodSwarm as a number and keeps zero values", async () => {
+		const application = createApplication({ stopGracePeriodSwarm: 0 });
 
 		await mechanizeDockerContainer(application);
 
 		expect(createServiceMock).toHaveBeenCalledTimes(1);
-		const call = createServiceMock.mock.calls[0];
+		const call = createServiceMock.mock.calls[0] as
+			| [MockCreateServiceOptions]
+			| undefined;
 		if (!call) {
 			throw new Error("createServiceMock should have been called once");
 		}
@@ -97,7 +101,9 @@ describe("mechanizeDockerContainer", () => {
 		await mechanizeDockerContainer(application);
 
 		expect(createServiceMock).toHaveBeenCalledTimes(1);
-		const call = createServiceMock.mock.calls[0];
+		const call = createServiceMock.mock.calls[0] as
+			| [MockCreateServiceOptions]
+			| undefined;
 		if (!call) {
 			throw new Error("createServiceMock should have been called once");
 		}
@@ -106,4 +112,50 @@ describe("mechanizeDockerContainer", () => {
 			"StopGracePeriod",
 		);
 	});
+
+	it("passes ulimits to ContainerSpec when ulimitsSwarm is defined", async () => {
+		const ulimits = [
+			{ Name: "nofile", Soft: 10000, Hard: 20000 },
+			{ Name: "nproc", Soft: 4096, Hard: 8192 },
+		];
+		const application = createApplication({ ulimitsSwarm: ulimits });
+
+		await mechanizeDockerContainer(application);
+
+		expect(createServiceMock).toHaveBeenCalledTimes(1);
+		const call = createServiceMock.mock.calls[0];
+		if (!call) {
+			throw new Error("createServiceMock should have been called once");
+		}
+		const [settings] = call;
+		expect(settings.TaskTemplate?.ContainerSpec?.Ulimits).toEqual(ulimits);
+	});
+
+	it("omits Ulimits when ulimitsSwarm is null", async () => {
+		const application = createApplication({ ulimitsSwarm: null });
+
+		await mechanizeDockerContainer(application);
+
+		expect(createServiceMock).toHaveBeenCalledTimes(1);
+		const call = createServiceMock.mock.calls[0];
+		if (!call) {
+			throw new Error("createServiceMock should have been called once");
+		}
+		const [settings] = call;
+		expect(settings.TaskTemplate?.ContainerSpec).not.toHaveProperty("Ulimits");
+	});
+
+	it("omits Ulimits when ulimitsSwarm is an empty array", async () => {
+		const application = createApplication({ ulimitsSwarm: [] });
+
+		await mechanizeDockerContainer(application);
+
+		expect(createServiceMock).toHaveBeenCalledTimes(1);
+		const call = createServiceMock.mock.calls[0];
+		if (!call) {
+			throw new Error("createServiceMock should have been called once");
+		}
+		const [settings] = call;
+		expect(settings.TaskTemplate?.ContainerSpec).not.toHaveProperty("Ulimits");
+	});
 });

apps/dokploy/__test__/setup.ts

@@ -0,0 +1,43 @@
+import { vi } from "vitest";
+
+/**
+ * Mock the DB module so tests that import from @dokploy/server (barrel)
+ * never open a real TCP connection to PostgreSQL (e.g. in CI where no DB runs).
+ * Without this, loading the server barrel pulls in lib/auth and db, which
+ * connect to localhost:5432 and cause ECONNREFUSED.
+ */
+vi.mock("@dokploy/server/db", () => {
+	const chain = () => chain;
+	chain.set = () => chain;
+	chain.where = () => chain;
+	chain.values = () => chain;
+	chain.returning = () => Promise.resolve([{}]);
+	chain.from = () => chain;
+	chain.innerJoin = () => chain;
+	chain.then = (resolve: (value: unknown) => void) => {
+		resolve([]);
+	};
+
+	const tableMock = {
+		findFirst: vi.fn(() => Promise.resolve(undefined)),
+		findMany: vi.fn(() => Promise.resolve([])),
+		insert: vi.fn(() => Promise.resolve([{}])),
+		update: vi.fn(() => chain),
+		delete: vi.fn(() => chain),
+	};
+
+	return {
+		db: {
+			select: vi.fn(() => chain),
+			insert: vi.fn(() => ({
+				values: () => ({ returning: () => Promise.resolve([{}]) }),
+			})),
+			update: vi.fn(() => chain),
+			delete: vi.fn(() => chain),
+			query: new Proxy({} as Record<string, typeof tableMock>, {
+				get: () => tableMock,
+			}),
+		},
+		dbUrl: "postgres://mock:mock@localhost:5432/mock",
+	};
+});

apps/dokploy/__test__/templates/config.template.test.ts

@@ -494,4 +494,49 @@ describe("processTemplate", () => {
 			expect(result.mounts).toHaveLength(1);
 		});
 	});
+
+	describe("isolated deployment config", () => {
+		it("should default to isolated=true when not specified", () => {
+			const template: CompleteTemplate = {
+				metadata: {} as any,
+				variables: {},
+				config: {
+					domains: [],
+					env: {},
+				},
+			};
+
+			expect(template.config.isolated).toBeUndefined();
+			// undefined !== false => isolatedDeployment = true
+			expect(template.config.isolated !== false).toBe(true);
+		});
+
+		it("should be isolated when isolated=true is explicitly set", () => {
+			const template: CompleteTemplate = {
+				metadata: {} as any,
+				variables: {},
+				config: {
+					isolated: true,
+					domains: [],
+					env: {},
+				},
+			};
+
+			expect(template.config.isolated !== false).toBe(true);
+		});
+
+		it("should disable isolated deployment when isolated=false", () => {
+			const template: CompleteTemplate = {
+				metadata: {} as any,
+				variables: {},
+				config: {
+					isolated: false,
+					domains: [],
+					env: {},
+				},
+			};
+
+			expect(template.config.isolated !== false).toBe(false);
+		});
+	});
 });

apps/dokploy/__test__/templates/helpers.template.test.ts

@@ -30,9 +30,7 @@ describe("helpers functions", () => {
 			const domain = processValue("${domain}", {}, mockSchema);
 			expect(domain.startsWith(`${mockSchema.projectName}-`)).toBeTruthy();
 			expect(
-				domain.endsWith(
-					`${mockSchema.serverIp.replaceAll(".", "-")}.traefik.me`,
-				),
+				domain.endsWith(`${mockSchema.serverIp.replaceAll(".", "-")}.sslip.io`),
 			).toBeTruthy();
 		});
 	});

apps/dokploy/__test__/traefik/forward-auth.test.ts

@@ -0,0 +1,233 @@
+import type { ApplicationNested, Domain } from "@dokploy/server";
+import {
+	buildForwardAuthEnv,
+	createRouterConfig,
+	deriveBaseDomain,
+	deriveCookieSecret,
+	forwardAuthCallbackUrl,
+	forwardAuthMiddlewareName,
+} from "@dokploy/server";
+import { beforeAll, describe, expect, test } from "vitest";
+
+const app = {
+	appName: "my-app",
+	redirects: [],
+	security: [],
+} as unknown as ApplicationNested;
+
+const baseDomain: Domain = {
+	applicationId: "app-1",
+	certificateType: "none",
+	createdAt: "",
+	domainId: "domain-1",
+	host: "app.example.com",
+	https: false,
+	path: null,
+	port: 3000,
+	customEntrypoint: null,
+	serviceName: "",
+	composeId: "",
+	customCertResolver: null,
+	domainType: "application",
+	uniqueConfigKey: 7,
+	previewDeploymentId: "",
+	internalPath: "/",
+	stripPath: false,
+	middlewares: null,
+	forwardAuthEnabled: false,
+};
+
+describe("forwardAuthMiddlewareName", () => {
+	test("is stable and unique per app + uniqueConfigKey", () => {
+		expect(forwardAuthMiddlewareName("my-app", 7)).toBe(
+			"forward-auth-my-app-7",
+		);
+		expect(forwardAuthMiddlewareName("my-app", 7)).toBe(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+		expect(forwardAuthMiddlewareName("my-app", 7)).not.toBe(
+			forwardAuthMiddlewareName("my-app", 8),
+		);
+	});
+});
+
+describe("createRouterConfig forward-auth wiring", () => {
+	test("does NOT add forward-auth middleware when no provider is linked", async () => {
+		const config = await createRouterConfig(app, baseDomain, "websecure");
+		expect(config.middlewares).not.toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+
+	test("adds forward-auth middleware when a provider is linked", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			forwardAuthEnabled: true,
+		};
+		const config = await createRouterConfig(app, domain, "websecure");
+		expect(config.middlewares).toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+
+	test("forward-auth runs before custom domain middlewares", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			forwardAuthEnabled: true,
+			middlewares: ["rate-limit@file"],
+		};
+		const config = await createRouterConfig(app, domain, "websecure");
+		const forwardAuthIdx = config.middlewares?.indexOf(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+		const customIdx = config.middlewares?.indexOf("rate-limit@file");
+		expect(forwardAuthIdx).toBeGreaterThanOrEqual(0);
+		expect(customIdx).toBeGreaterThan(forwardAuthIdx as number);
+	});
+
+	test("redirect-only web router does not get the forward-auth middleware", async () => {
+		const domain: Domain = {
+			...baseDomain,
+			https: true,
+			forwardAuthEnabled: true,
+		};
+		const config = await createRouterConfig(app, domain, "web");
+		expect(config.middlewares).toContain("redirect-to-https");
+		expect(config.middlewares).not.toContain(
+			forwardAuthMiddlewareName("my-app", 7),
+		);
+	});
+});
+
+describe("buildForwardAuthEnv", () => {
+	const baseOptions = {
+		oidc: {
+			clientId: "client-123",
+			clientSecret: "secret-xyz",
+			issuer: "https://idp.example.com",
+		},
+		cookieSecret: "cookie-secret-value",
+		authDomain: "auth.acme.com",
+		baseDomain: ".acme.com",
+		authDomainHttps: true,
+	};
+
+	test("emits the required oauth2-proxy OIDC env vars", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_PROVIDER=oidc");
+		expect(env).toContain(
+			"OAUTH2_PROXY_OIDC_ISSUER_URL=https://idp.example.com",
+		);
+		expect(env).toContain("OAUTH2_PROXY_CLIENT_ID=client-123");
+		expect(env).toContain("OAUTH2_PROXY_CLIENT_SECRET=secret-xyz");
+		expect(env).toContain("OAUTH2_PROXY_COOKIE_SECRET=cookie-secret-value");
+		expect(env).toContain("OAUTH2_PROXY_REVERSE_PROXY=true");
+		expect(env).toContain("OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180");
+	});
+
+	test("uses the central auth domain for the single fixed callback", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain(
+			"OAUTH2_PROXY_REDIRECT_URL=https://auth.acme.com/oauth2/callback",
+		);
+	});
+
+	test("shares cookie + whitelist on the base domain (no per-app redeploy)", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_COOKIE_DOMAINS=.acme.com");
+		expect(env).toContain("OAUTH2_PROXY_WHITELIST_DOMAINS=.acme.com");
+	});
+
+	test("matches cookie Secure flag and callback scheme to https setting", () => {
+		const https = buildForwardAuthEnv(baseOptions);
+		expect(https).toContain("OAUTH2_PROXY_COOKIE_SECURE=true");
+
+		const http = buildForwardAuthEnv({
+			...baseOptions,
+			authDomainHttps: false,
+		});
+		expect(http).toContain("OAUTH2_PROXY_COOKIE_SECURE=false");
+		expect(http).toContain(
+			"OAUTH2_PROXY_REDIRECT_URL=http://auth.acme.com/oauth2/callback",
+		);
+	});
+
+	test("allows unverified emails so OIDC providers don't 500 the callback", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain(
+			"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true",
+		);
+	});
+
+	test("defaults to any authenticated user and standard scopes", () => {
+		const env = buildForwardAuthEnv(baseOptions);
+		expect(env).toContain("OAUTH2_PROXY_EMAIL_DOMAINS=*");
+		expect(env).toContain("OAUTH2_PROXY_SCOPE=openid email profile");
+	});
+
+	test("honors custom scopes and email domains", () => {
+		const env = buildForwardAuthEnv({
+			...baseOptions,
+			oidc: { ...baseOptions.oidc, scopes: ["openid", "groups"] },
+			emailDomains: ["acme.com", "corp.com"],
+		});
+		expect(env).toContain("OAUTH2_PROXY_SCOPE=openid groups");
+		expect(env).toContain("OAUTH2_PROXY_EMAIL_DOMAINS=acme.com,corp.com");
+	});
+
+	test("sets skip-discovery flag only when requested", () => {
+		const withoutSkip = buildForwardAuthEnv(baseOptions);
+		expect(withoutSkip).not.toContain("OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true");
+
+		const withSkip = buildForwardAuthEnv({
+			...baseOptions,
+			oidc: { ...baseOptions.oidc, skipDiscovery: true },
+		});
+		expect(withSkip).toContain("OAUTH2_PROXY_SKIP_OIDC_DISCOVERY=true");
+	});
+});
+
+describe("deriveBaseDomain", () => {
+	test("strips the auth subdomain to the shared base", () => {
+		expect(deriveBaseDomain("auth.acme.com")).toBe(".acme.com");
+		expect(deriveBaseDomain("sso.apps.acme.com")).toBe(".apps.acme.com");
+	});
+
+	test("keeps a two-label apex as the base", () => {
+		expect(deriveBaseDomain("acme.com")).toBe(".acme.com");
+	});
+});
+
+describe("forwardAuthCallbackUrl", () => {
+	test("builds the single IdP callback per scheme", () => {
+		expect(forwardAuthCallbackUrl("auth.acme.com", true)).toBe(
+			"https://auth.acme.com/oauth2/callback",
+		);
+		expect(forwardAuthCallbackUrl("auth.acme.com", false)).toBe(
+			"http://auth.acme.com/oauth2/callback",
+		);
+	});
+});
+
+describe("deriveCookieSecret", () => {
+	beforeAll(() => {
+		process.env.BETTER_AUTH_SECRET = "test-root-secret";
+	});
+
+	test("is deterministic for the same salt (survives service updates)", () => {
+		expect(deriveCookieSecret(".acme.com")).toBe(
+			deriveCookieSecret(".acme.com"),
+		);
+	});
+
+	test("differs per salt", () => {
+		expect(deriveCookieSecret(".acme.com")).not.toBe(
+			deriveCookieSecret(".other.com"),
+		);
+	});
+
+	test("produces a 16-byte hex secret (oauth2-proxy requirement)", () => {
+		const secret = deriveCookieSecret(".acme.com");
+		expect(Buffer.from(secret, "hex")).toHaveLength(16);
+	});
+});

apps/dokploy/__test__/traefik/server/update-server-config.test.ts

@@ -48,9 +48,25 @@ const baseSettings: WebServerSettings = {
 			urlCallback: "",
 		},
 	},
+	whitelabelingConfig: {
+		appName: null,
+		appDescription: null,
+		logoUrl: null,
+		faviconUrl: null,
+		customCss: null,
+		loginLogoUrl: null,
+		supportUrl: null,
+		docsUrl: null,
+		errorPageTitle: null,
+		errorPageDescription: null,
+		metaTitle: null,
+		footerText: null,
+	},
 	cleanupCacheApplications: false,
 	cleanupCacheOnCompose: false,
 	cleanupCacheOnPreviews: false,
+	remoteServersOnly: false,
+	enforceSSO: false,
 	createdAt: null,
 	updatedAt: new Date(),
 };

apps/dokploy/__test__/traefik/traefik.test.ts

@@ -8,6 +8,7 @@ const baseApp: ApplicationNested = {
 	applicationId: "",
 	previewLabels: [],
 	createEnvFile: true,
+	bitbucketRepositorySlug: "",
 	herokuVersion: "",
 	giteaRepository: "",
 	giteaOwner: "",
@@ -94,6 +95,7 @@ const baseApp: ApplicationNested = {
 	dropBuildPath: null,
 	enabled: null,
 	env: null,
+	icon: null,
 	healthCheckSwarm: null,
 	labelsSwarm: null,
 	memoryLimit: null,
@@ -124,6 +126,7 @@ const baseApp: ApplicationNested = {
 	username: null,
 	dockerContextPath: null,
 	stopGracePeriodSwarm: null,
+	ulimitsSwarm: null,
 };
 
 const baseDomain: Domain = {
@@ -135,6 +138,7 @@ const baseDomain: Domain = {
 	https: false,
 	path: null,
 	port: null,
+	customEntrypoint: null,
 	serviceName: "",
 	composeId: "",
 	customCertResolver: null,
@@ -143,6 +147,8 @@ const baseDomain: Domain = {
 	previewDeploymentId: "",
 	internalPath: "/",
 	stripPath: false,
+	middlewares: null,
+	forwardAuthEnabled: false,
 };
 
 const baseRedirect: Redirect = {
@@ -262,6 +268,80 @@ test("Websecure entrypoint on https domain with redirect", async () => {
 	expect(router.middlewares).toContain("redirect-test-1");
 });
 
+/** Custom Middlewares */
+
+test("Web entrypoint with single custom middleware", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, middlewares: ["auth@file"] },
+		"web",
+	);
+
+	expect(router.middlewares).toContain("auth@file");
+});
+
+test("Web entrypoint with multiple custom middlewares", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, middlewares: ["auth@file", "rate-limit@file"] },
+		"web",
+	);
+
+	expect(router.middlewares).toContain("auth@file");
+	expect(router.middlewares).toContain("rate-limit@file");
+});
+
+test("Web entrypoint on https domain with custom middleware", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, https: true, middlewares: ["auth@file"] },
+		"web",
+	);
+
+	// Should only have HTTPS redirect - custom middleware applies on websecure
+	expect(router.middlewares).toContain("redirect-to-https");
+	expect(router.middlewares).not.toContain("auth@file");
+});
+
+test("Websecure entrypoint with custom middleware", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, https: true, middlewares: ["auth@file"] },
+		"websecure",
+	);
+
+	// Should have custom middleware but not HTTPS redirect
+	expect(router.middlewares).not.toContain("redirect-to-https");
+	expect(router.middlewares).toContain("auth@file");
+});
+
+test("Web entrypoint with redirect and custom middleware", async () => {
+	const router = await createRouterConfig(
+		{
+			...baseApp,
+			appName: "test",
+			redirects: [{ ...baseRedirect, uniqueConfigKey: 1 }],
+		},
+		{ ...baseDomain, middlewares: ["auth@file"] },
+		"web",
+	);
+
+	// Should have both redirect middleware and custom middleware
+	expect(router.middlewares).toContain("redirect-test-1");
+	expect(router.middlewares).toContain("auth@file");
+});
+
+test("Web entrypoint with empty middlewares array", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, https: false, middlewares: [] },
+		"web",
+	);
+
+	// Should behave same as no middlewares - no redirect for http
+	expect(router.middlewares).not.toContain("redirect-to-https");
+});
+
 /** Certificates */
 
 test("CertificateType on websecure entrypoint", async () => {
@@ -273,3 +353,175 @@ test("CertificateType on websecure entrypoint", async () => {
 
 	expect(router.tls?.certResolver).toBe("letsencrypt");
 });
+
+test("Custom entrypoint on http domain", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, https: false, customEntrypoint: "custom" },
+		"custom",
+	);
+
+	expect(router.entryPoints).toEqual(["custom"]);
+	expect(router.middlewares).not.toContain("redirect-to-https");
+	expect(router.tls).toBeUndefined();
+});
+
+test("Custom entrypoint on https domain", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			https: true,
+			customEntrypoint: "custom",
+			certificateType: "letsencrypt",
+		},
+		"custom",
+	);
+
+	expect(router.entryPoints).toEqual(["custom"]);
+	expect(router.middlewares).not.toContain("redirect-to-https");
+	expect(router.tls?.certResolver).toBe("letsencrypt");
+});
+
+test("Custom entrypoint with path includes PathPrefix in rule", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, customEntrypoint: "custom", path: "/api" },
+		"custom",
+	);
+
+	expect(router.rule).toContain("PathPrefix(`/api`)");
+	expect(router.entryPoints).toEqual(["custom"]);
+});
+
+test("Custom entrypoint with stripPath adds stripprefix middleware", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			customEntrypoint: "custom",
+			path: "/api",
+			stripPath: true,
+		},
+		"custom",
+	);
+
+	expect(router.middlewares).toContain("stripprefix--1");
+	expect(router.entryPoints).toEqual(["custom"]);
+});
+
+test("Custom entrypoint with internalPath adds addprefix middleware", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			customEntrypoint: "custom",
+			internalPath: "/hello",
+		},
+		"custom",
+	);
+
+	expect(router.middlewares).toContain("addprefix--1");
+	expect(router.entryPoints).toEqual(["custom"]);
+});
+
+test("stripPath and internalPath together: stripprefix must come before addprefix", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			path: "/public",
+			stripPath: true,
+			internalPath: "/app/v2",
+		},
+		"web",
+	);
+
+	const stripIndex = router.middlewares?.indexOf("stripprefix--1") ?? -1;
+	const addIndex = router.middlewares?.indexOf("addprefix--1") ?? -1;
+
+	expect(stripIndex).toBeGreaterThanOrEqual(0);
+	expect(addIndex).toBeGreaterThanOrEqual(0);
+	expect(stripIndex).toBeLessThan(addIndex);
+});
+
+test("Custom entrypoint with https and custom cert resolver", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			https: true,
+			customEntrypoint: "custom",
+			certificateType: "custom",
+			customCertResolver: "myresolver",
+		},
+		"custom",
+	);
+
+	expect(router.entryPoints).toEqual(["custom"]);
+	expect(router.tls?.certResolver).toBe("myresolver");
+});
+
+test("Custom entrypoint without https should not have tls", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{
+			...baseDomain,
+			https: false,
+			customEntrypoint: "custom",
+			certificateType: "letsencrypt",
+		},
+		"custom",
+	);
+
+	expect(router.entryPoints).toEqual(["custom"]);
+	expect(router.tls).toBeUndefined();
+});
+
+/** IDN/Punycode */
+
+test("Internationalized domain name is converted to punycode", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, host: "тест.рф" },
+		"web",
+	);
+
+	// тест.рф in punycode is xn--e1aybc.xn--p1ai
+	expect(router.rule).toContain("Host(`xn--e1aybc.xn--p1ai`)");
+	expect(router.rule).not.toContain("тест.рф");
+});
+
+test("ASCII domain remains unchanged", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, host: "example.com" },
+		"web",
+	);
+
+	expect(router.rule).toContain("Host(`example.com`)");
+});
+
+test("Russian Cyrillic label with .ru TLD is converted to punycode", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, host: "сайт.ru" },
+		"web",
+	);
+
+	// сайт in punycode is xn--80aswg
+	expect(router.rule).toContain("Host(`xn--80aswg.ru`)");
+	expect(router.rule).not.toContain("сайт");
+});
+
+test("Subdomain with Russian IDN TLD converts non-ASCII part to punycode", async () => {
+	const router = await createRouterConfig(
+		baseApp,
+		{ ...baseDomain, host: "app.тест.рф" },
+		"web",
+	);
+
+	// app stays ASCII, тест.рф becomes xn--e1aybc.xn--p1ai
+	expect(router.rule).toContain("Host(`app.xn--e1aybc.xn--p1ai`)");
+	expect(router.rule).not.toContain("тест.рф");
+});

apps/dokploy/__test__/vitest.config.ts

@@ -7,10 +7,15 @@ export default defineConfig({
 		include: ["__test__/**/*.test.ts"], // Incluir solo los archivos de test en el directorio __test__
 		exclude: ["**/node_modules/**", "**/dist/**", "**/.docker/**"],
 		pool: "forks",
+		setupFiles: [path.resolve(__dirname, "setup.ts")],
 	},
 	define: {
 		"process.env": {
 			NODE: "test",
+			GITHUB_CLIENT_ID: "test",
+			GITHUB_CLIENT_SECRET: "test",
+			GOOGLE_CLIENT_ID: "test",
+			GOOGLE_CLIENT_SECRET: "test",
 		},
 	},
 	plugins: [

apps/dokploy/__test__/wss/readValidDirectory.test.ts

@@ -0,0 +1,97 @@
+import path from "node:path";
+import { describe, expect, it, vi } from "vitest";
+
+const BASE = "/base";
+
+vi.mock("@dokploy/server/constants", async (importOriginal) => {
+	const actual =
+		await importOriginal<typeof import("@dokploy/server/constants")>();
+	return {
+		...actual,
+		paths: () => ({
+			...actual.paths(),
+			BASE_PATH: BASE,
+			LOGS_PATH: `${BASE}/logs`,
+			APPLICATIONS_PATH: `${BASE}/applications`,
+		}),
+	};
+});
+
+// Import after mock so paths() uses our BASE
+const { readValidDirectory } = await import("@dokploy/server");
+
+describe("readValidDirectory (path traversal)", () => {
+	it("returns true when directory is exactly BASE_PATH", () => {
+		expect(readValidDirectory(BASE)).toBe(true);
+		expect(readValidDirectory(path.resolve(BASE))).toBe(true);
+	});
+
+	it("returns true when directory is under BASE_PATH", () => {
+		expect(readValidDirectory(`${BASE}/logs`)).toBe(true);
+		expect(readValidDirectory(`${BASE}/logs/app/foo.log`)).toBe(true);
+		expect(readValidDirectory(`${BASE}/applications/myapp/code`)).toBe(true);
+	});
+
+	it("returns false for path traversal escaping base (absolute)", () => {
+		expect(readValidDirectory("/etc/passwd")).toBe(false);
+		expect(readValidDirectory("/etc/cron.d/malicious")).toBe(false);
+		expect(readValidDirectory("/tmp/outside")).toBe(false);
+	});
+
+	it("returns false when resolved path escapes base via ..", () => {
+		// Resolved: /etc/passwd (outside /base)
+		expect(readValidDirectory(`${BASE}/../etc/passwd`)).toBe(false);
+		expect(readValidDirectory(`${BASE}/logs/../../etc/passwd`)).toBe(false);
+		expect(readValidDirectory(`${BASE}/..`)).toBe(false);
+	});
+
+	it("returns true when .. stays within base", () => {
+		// e.g. /base/logs/../applications -> /base/applications (still under /base)
+		expect(readValidDirectory(`${BASE}/logs/../applications`)).toBe(true);
+		expect(readValidDirectory(`${BASE}/foo/../bar`)).toBe(true);
+	});
+
+	it("accepts serverId for remote base path", () => {
+		// With our mock, serverId doesn't change BASE_PATH; just ensure it doesn't throw
+		expect(readValidDirectory(BASE, "server-1")).toBe(true);
+		expect(readValidDirectory("/etc/passwd", "server-1")).toBe(false);
+	});
+
+	it("returns false for null/undefined-like paths that resolve outside", () => {
+		// Paths that might resolve to cwd or root
+		expect(readValidDirectory(".")).toBe(false);
+		expect(readValidDirectory("..")).toBe(false);
+	});
+
+	it("returns true for BASE_PATH with trailing slash or double slashes under base", () => {
+		expect(readValidDirectory(`${BASE}/`)).toBe(true);
+		expect(readValidDirectory(`${BASE}//logs`)).toBe(true);
+		expect(readValidDirectory(`${BASE}/applications///myapp/code`)).toBe(true);
+	});
+
+	it("returns false when path looks like base but is a sibling or prefix", () => {
+		expect(readValidDirectory("/base-evil")).toBe(false);
+		expect(readValidDirectory("/bas")).toBe(false);
+		expect(readValidDirectory(`${BASE}/../base-evil`)).toBe(false);
+	});
+
+	it("returns false for empty string (resolves to cwd)", () => {
+		expect(readValidDirectory("")).toBe(false);
+	});
+
+	it("returns true for Next.js dynamic route paths with square brackets", () => {
+		expect(
+			readValidDirectory(
+				`${BASE}/applications/myapp/code/app/api/[id]/route.ts`,
+			),
+		).toBe(true);
+		expect(
+			readValidDirectory(`${BASE}/applications/myapp/code/pages/[slug].tsx`),
+		).toBe(true);
+		expect(
+			readValidDirectory(
+				`${BASE}/applications/myapp/code/app/[...catch]/page.tsx`,
+			),
+		).toBe(true);
+	});
+});

apps/dokploy/__test__/wss/utils.test.ts

@@ -0,0 +1,132 @@
+import { describe, expect, it } from "vitest";
+import {
+	isValidContainerId,
+	isValidSearch,
+	isValidSince,
+	isValidTail,
+} from "../../server/wss/utils";
+
+describe("isValidTail (docker-container-logs)", () => {
+	it("accepts valid numeric tail values", () => {
+		expect(isValidTail("0")).toBe(true);
+		expect(isValidTail("1")).toBe(true);
+		expect(isValidTail("100")).toBe(true);
+		expect(isValidTail("10000")).toBe(true);
+	});
+
+	it("rejects tail above 10000", () => {
+		expect(isValidTail("10001")).toBe(false);
+		expect(isValidTail("99999")).toBe(false);
+	});
+
+	it("rejects non-numeric tail", () => {
+		expect(isValidTail("")).toBe(false);
+		expect(isValidTail("abc")).toBe(false);
+		expect(isValidTail("10a")).toBe(false);
+		expect(isValidTail("-1")).toBe(false);
+	});
+
+	it("rejects command injection payloads in tail", () => {
+		expect(isValidTail("10; whoami; #")).toBe(false);
+		expect(isValidTail("100 | cat /etc/passwd")).toBe(false);
+		expect(isValidTail("$(id)")).toBe(false);
+		expect(isValidTail("`id`")).toBe(false);
+		expect(isValidTail("100\nid")).toBe(false);
+		expect(isValidTail("100 && id")).toBe(false);
+		expect(isValidTail("100; env | grep DATABASE")).toBe(false);
+	});
+});
+
+describe("isValidSince (docker-container-logs)", () => {
+	it("accepts 'all'", () => {
+		expect(isValidSince("all")).toBe(true);
+	});
+
+	it("accepts valid duration format (number + s|m|h|d)", () => {
+		expect(isValidSince("5s")).toBe(true);
+		expect(isValidSince("10m")).toBe(true);
+		expect(isValidSince("1h")).toBe(true);
+		expect(isValidSince("2d")).toBe(true);
+		expect(isValidSince("0s")).toBe(true);
+		expect(isValidSince("999d")).toBe(true);
+	});
+
+	it("rejects invalid duration format", () => {
+		expect(isValidSince("")).toBe(false);
+		expect(isValidSince("5")).toBe(false);
+		expect(isValidSince("s")).toBe(false);
+		expect(isValidSince("5x")).toBe(false);
+		expect(isValidSince("5sec")).toBe(false);
+		expect(isValidSince("5 m")).toBe(false);
+	});
+
+	it("rejects command injection payloads in since", () => {
+		expect(isValidSince("5s; whoami")).toBe(false);
+		expect(isValidSince("all; id")).toBe(false);
+		expect(isValidSince("1m$(id)")).toBe(false);
+		expect(isValidSince("1m | cat /etc/passwd")).toBe(false);
+	});
+});
+
+describe("isValidSearch (docker-container-logs)", () => {
+	it("accepts empty string", () => {
+		expect(isValidSearch("")).toBe(true);
+	});
+
+	it("accepts only alphanumeric, space, dot, underscore, hyphen", () => {
+		expect(isValidSearch("error")).toBe(true);
+		expect(isValidSearch("foo bar")).toBe(true);
+		expect(isValidSearch("a-zA-Z0-9_.-")).toBe(true);
+		expect(isValidSearch("")).toBe(true);
+	});
+
+	it("rejects strings longer than 500 chars", () => {
+		expect(isValidSearch("a".repeat(501))).toBe(false);
+		expect(isValidSearch("a".repeat(500))).toBe(true);
+	});
+
+	it("rejects control characters and non-printable", () => {
+		expect(isValidSearch("foo\nbar")).toBe(false);
+		expect(isValidSearch("foo\rbar")).toBe(false);
+		expect(isValidSearch("\x00")).toBe(false);
+		expect(isValidSearch("a\x19b")).toBe(false);
+	});
+
+	it("rejects command injection vectors in search (search is concatenated into shell)", () => {
+		// Double-quoted context (SSH line 99): $ and ` execute
+		expect(isValidSearch("$(whoami)")).toBe(false);
+		expect(isValidSearch("`id`")).toBe(false);
+		expect(isValidSearch("$(id)")).toBe(false);
+		// Single-quoted context (local line 153): ' breaks out
+		expect(isValidSearch("'$(whoami)'")).toBe(false);
+		expect(isValidSearch("error'")).toBe(false);
+		expect(isValidSearch("'; whoami; #")).toBe(false);
+		// Other shell-metacharacters
+		expect(isValidSearch("error; id")).toBe(false);
+		expect(isValidSearch("a|b")).toBe(false);
+		expect(isValidSearch('error"')).toBe(false);
+		expect(isValidSearch("a&b")).toBe(false);
+	});
+});
+
+describe("isValidContainerId (docker-container-logs)", () => {
+	it("accepts valid hex container IDs", () => {
+		expect(isValidContainerId("a".repeat(12))).toBe(true);
+		expect(isValidContainerId("abc123def456")).toBe(true);
+		expect(isValidContainerId("a".repeat(64))).toBe(true);
+	});
+
+	it("accepts valid container names", () => {
+		expect(isValidContainerId("my-container")).toBe(true);
+		expect(isValidContainerId("app_1")).toBe(true);
+		expect(isValidContainerId("service.name")).toBe(true);
+	});
+
+	it("rejects command injection in container ID", () => {
+		expect(isValidContainerId("dummy; whoami")).toBe(false);
+		expect(isValidContainerId("$(id)")).toBe(false);
+		expect(isValidContainerId("`id`")).toBe(false);
+		expect(isValidContainerId("container|cat /etc/passwd")).toBe(false);
+		expect(isValidContainerId("x; env | grep DATABASE")).toBe(false);
+	});
+});

apps/dokploy/components/dashboard/application/advanced/cluster/show-cluster-settings.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { Server } from "lucide-react";
 import Link from "next/link";
 import { useEffect } from "react";
@@ -37,27 +37,27 @@ import { AddSwarmSettings } from "./modify-swarm-settings";
 
 interface Props {
 	id: string;
-	type: "postgres" | "mariadb" | "mongo" | "mysql" | "redis" | "application";
+	type: "application" | "mariadb" | "mongo" | "mysql" | "postgres" | "redis";
 }
 
-const AddRedirectchema = z.object({
+const AddRedirectSchema = z.object({
 	replicas: z.number().min(1, "Replicas must be at least 1"),
 	registryId: z.string().optional(),
 });
 
-type AddCommand = z.infer<typeof AddRedirectchema>;
+type AddCommand = z.infer<typeof AddRedirectSchema>;
 
 export const ShowClusterSettings = ({ id, type }: Props) => {
 	const queryMap = {
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
 		postgres: () =>
 			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
 		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
-		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
-		mariadb: () =>
-			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
-		application: () =>
-			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
-		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
 	};
 	const { data, refetch } = queryMap[type]
 		? queryMap[type]()
@@ -65,15 +65,16 @@ export const ShowClusterSettings = ({ id, type }: Props) => {
 	const { data: registries } = api.registry.all.useQuery();
 
 	const mutationMap = {
+		application: () => api.application.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
 		postgres: () => api.postgres.update.useMutation(),
 		redis: () => api.redis.update.useMutation(),
-		mysql: () => api.mysql.update.useMutation(),
-		mariadb: () => api.mariadb.update.useMutation(),
-		application: () => api.application.update.useMutation(),
-		mongo: () => api.mongo.update.useMutation(),
 	};
 
-	const { mutateAsync, isLoading } = mutationMap[type]
+	const { mutateAsync, isPending } = mutationMap[type]
 		? mutationMap[type]()
 		: api.mongo.update.useMutation();
 
@@ -86,7 +87,7 @@ export const ShowClusterSettings = ({ id, type }: Props) => {
 				: {}),
 			replicas: data?.replicas || 1,
 		},
-		resolver: zodResolver(AddRedirectchema),
+		resolver: zodResolver(AddRedirectSchema),
 	});
 
 	useEffect(() => {
@@ -105,11 +106,11 @@ export const ShowClusterSettings = ({ id, type }: Props) => {
 	const onSubmit = async (data: AddCommand) => {
 		await mutateAsync({
 			applicationId: id || "",
-			postgresId: id || "",
-			redisId: id || "",
-			mysqlId: id || "",
 			mariadbId: id || "",
 			mongoId: id || "",
+			mysqlId: id || "",
+			postgresId: id || "",
+			redisId: id || "",
 			...(type === "application"
 				? {
 						registryId:
@@ -236,7 +237,7 @@ export const ShowClusterSettings = ({ id, type }: Props) => {
 						)}
 
 						<div className="flex justify-end">
-							<Button isLoading={isLoading} type="submit" className="w-fit">
+							<Button isLoading={isPending} type="submit" className="w-fit">
 								Save
 							</Button>
 						</div>

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/endpoint-spec-form.tsx

@@ -0,0 +1,164 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+export const endpointSpecFormSchema = z.object({
+	Mode: z.string().optional(),
+});
+
+interface EndpointSpecFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const EndpointSpecForm = ({ id, type }: EndpointSpecFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(endpointSpecFormSchema),
+		defaultValues: {
+			Mode: undefined,
+		},
+	});
+
+	useEffect(() => {
+		if (data?.endpointSpecSwarm) {
+			const es = data.endpointSpecSwarm;
+			form.reset({
+				Mode: es.Mode,
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof endpointSpecFormSchema>) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue =
+				formData.Mode !== undefined &&
+				formData.Mode !== null &&
+				formData.Mode !== "";
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				endpointSpecSwarm: hasAnyValue ? formData : null,
+			});
+
+			toast.success("Endpoint spec updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating endpoint spec");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="Mode"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Mode</FormLabel>
+							<FormDescription>Endpoint mode (vip or dnsrr)</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select endpoint mode" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="vip">VIP (Virtual IP)</SelectItem>
+									<SelectItem value="dnsrr">DNS Round Robin</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Mode: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Endpoint Spec
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/health-check-form.tsx

@@ -0,0 +1,305 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { api } from "@/utils/api";
+
+const optionalNumber = z
+	.union([z.string(), z.number()])
+	.transform((val) => (val === "" ? undefined : Number(val)))
+	.optional();
+
+export const healthCheckFormSchema = z.object({
+	Test: z.array(z.string()).optional(),
+	Interval: optionalNumber,
+	Timeout: optionalNumber,
+	StartPeriod: optionalNumber,
+	Retries: optionalNumber,
+});
+
+interface HealthCheckFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const HealthCheckForm = ({ id, type }: HealthCheckFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(healthCheckFormSchema),
+		defaultValues: {
+			Test: [],
+			Interval: undefined,
+			Timeout: undefined,
+			StartPeriod: undefined,
+			Retries: undefined,
+		},
+	});
+
+	const testCommands = form.watch("Test") || [];
+
+	useEffect(() => {
+		if (data?.healthCheckSwarm) {
+			const hc = data.healthCheckSwarm;
+			form.reset({
+				Test: hc.Test || [],
+				Interval: hc.Interval,
+				Timeout: hc.Timeout,
+				StartPeriod: hc.StartPeriod,
+				Retries: hc.Retries,
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof healthCheckFormSchema>) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue =
+				(formData.Test && formData.Test.length > 0) ||
+				formData.Interval !== undefined ||
+				formData.Timeout !== undefined ||
+				formData.StartPeriod !== undefined ||
+				formData.Retries !== undefined;
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				healthCheckSwarm: hasAnyValue ? formData : null,
+			});
+
+			toast.success("Health check updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating health check");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	const addTestCommand = () => {
+		form.setValue("Test", [...testCommands, ""]);
+	};
+
+	const updateTestCommand = (index: number, value: string) => {
+		const newCommands = [...testCommands];
+		newCommands[index] = value;
+		form.setValue("Test", newCommands);
+	};
+
+	const removeTestCommand = (index: number) => {
+		form.setValue(
+			"Test",
+			testCommands.filter((_: string, i: number) => i !== index),
+		);
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<div>
+					<FormLabel>Test Commands</FormLabel>
+					<FormDescription>
+						Command to run for health check (e.g., ["CMD-SHELL", "curl -f
+						http://localhost:3000/health"])
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{testCommands.map((cmd: string, index: number) => (
+							<div key={index} className="flex gap-2">
+								<Input
+									value={cmd}
+									onChange={(e) => updateTestCommand(index, e.target.value)}
+									placeholder={
+										index === 0
+											? "CMD-SHELL"
+											: "curl -f http://localhost:3000/health"
+									}
+								/>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => removeTestCommand(index)}
+								>
+									Remove
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={addTestCommand}
+						>
+							Add Command
+						</Button>
+					</div>
+				</div>
+
+				<FormField
+					control={form.control}
+					name="Interval"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Interval (nanoseconds)</FormLabel>
+							<FormDescription>
+								Time between health checks (e.g., 10000000000 for 10 seconds)
+							</FormDescription>
+							<FormControl>
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Timeout"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Timeout (nanoseconds)</FormLabel>
+							<FormDescription>
+								Maximum time to wait for health check response
+							</FormDescription>
+							<FormControl>
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="StartPeriod"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Start Period (nanoseconds)</FormLabel>
+							<FormDescription>
+								Initial grace period before health checks begin
+							</FormDescription>
+							<FormControl>
+								<Input
+									type="number"
+									placeholder="10000000000"
+									{...field}
+									value={field.value ?? ""}
+								/>
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Retries"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Retries</FormLabel>
+							<FormDescription>
+								Number of consecutive failures needed to consider container
+								unhealthy
+							</FormDescription>
+							<FormControl>
+								<Input
+									type="number"
+									placeholder="3"
+									{...field}
+									value={field.value ?? ""}
+								/>
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Test: [],
+								Interval: undefined,
+								Timeout: undefined,
+								StartPeriod: undefined,
+								Retries: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Health Check
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/index.ts

@@ -0,0 +1,11 @@
+export { EndpointSpecForm } from "./endpoint-spec-form";
+export { HealthCheckForm } from "./health-check-form";
+export { LabelsForm } from "./labels-form";
+export { ModeForm } from "./mode-form";
+export { NetworkForm } from "./network-form";
+export { PlacementForm } from "./placement-form";
+export { RestartPolicyForm } from "./restart-policy-form";
+export { RollbackConfigForm } from "./rollback-config-form";
+export { StopGracePeriodForm } from "./stop-grace-period-form";
+export { UpdateConfigForm } from "./update-config-form";
+export { filterEmptyValues, hasValues } from "./utils";

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/labels-form.tsx

@@ -0,0 +1,210 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useFieldArray, useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { api } from "@/utils/api";
+
+export const labelsFormSchema = z.object({
+	labels: z
+		.array(
+			z.object({
+				key: z.string(),
+				value: z.string(),
+			}),
+		)
+		.optional(),
+});
+
+interface LabelsFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const LabelsForm = ({ id, type }: LabelsFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(labelsFormSchema),
+		defaultValues: {
+			labels: [],
+		},
+	});
+
+	const { fields, append, remove } = useFieldArray({
+		control: form.control,
+		name: "labels",
+	});
+
+	useEffect(() => {
+		if (data?.labelsSwarm && typeof data.labelsSwarm === "object") {
+			const labelEntries = Object.entries(data.labelsSwarm).map(
+				([key, value]) => ({
+					key,
+					value: value as string,
+				}),
+			);
+			form.reset({ labels: labelEntries });
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof labelsFormSchema>) => {
+		setIsLoading(true);
+		try {
+			const labelsObject =
+				formData.labels?.reduce(
+					(acc, { key, value }) => {
+						if (key && value) {
+							acc[key] = value;
+						}
+						return acc;
+					},
+					{} as Record<string, string>,
+				) || {};
+
+			// If no labels, send null to clear the database
+			const labelsToSend =
+				Object.keys(labelsObject).length > 0 ? labelsObject : null;
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				labelsSwarm: labelsToSend,
+			});
+
+			toast.success("Labels updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating labels");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<div>
+					<FormLabel>Labels</FormLabel>
+					<FormDescription>
+						Add key-value labels to your service
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{fields.map((field, index) => (
+							<div key={field.id} className="flex gap-2">
+								<FormField
+									control={form.control}
+									name={`labels.${index}.key`}
+									render={({ field }) => (
+										<FormItem className="flex-1">
+											<FormControl>
+												<Input {...field} placeholder="com.example.app.name" />
+											</FormControl>
+											<FormMessage />
+										</FormItem>
+									)}
+								/>
+								<FormField
+									control={form.control}
+									name={`labels.${index}.value`}
+									render={({ field }) => (
+										<FormItem className="flex-1">
+											<FormControl>
+												<Input {...field} placeholder="my-app" />
+											</FormControl>
+											<FormMessage />
+										</FormItem>
+									)}
+								/>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => remove(index)}
+								>
+									Remove
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={() => append({ key: "", value: "" })}
+						>
+							Add Label
+						</Button>
+					</div>
+				</div>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({ labels: [] });
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Labels
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/mode-form.tsx

@@ -0,0 +1,213 @@
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+interface ModeFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const ModeForm = ({ id, type }: ModeFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		defaultValues: {
+			type: undefined,
+			Replicas: undefined,
+		},
+	});
+
+	const modeType = form.watch("type");
+
+	useEffect(() => {
+		if (data?.modeSwarm) {
+			const mode = data.modeSwarm;
+			if (mode.Replicated) {
+				form.reset({
+					type: "Replicated",
+					Replicas: mode.Replicated.Replicas,
+				});
+			} else if (mode.Global) {
+				form.reset({
+					type: "Global",
+					Replicas: undefined,
+				});
+			}
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: any) => {
+		setIsLoading(true);
+		try {
+			// If no type is selected, send null to clear the database
+			if (!formData.type) {
+				await mutateAsync({
+					applicationId: id || "",
+					postgresId: id || "",
+					redisId: id || "",
+					mysqlId: id || "",
+					mariadbId: id || "",
+					mongoId: id || "",
+					libsqlId: id || "",
+					modeSwarm: null,
+				});
+				toast.success("Mode updated successfully");
+				refetch();
+				setIsLoading(false);
+				return;
+			}
+
+			const modeData =
+				formData.type === "Replicated"
+					? {
+							Replicated: {
+								Replicas:
+									formData.Replicas !== undefined && formData.Replicas !== ""
+										? Number(formData.Replicas)
+										: undefined,
+							},
+						}
+					: { Global: {} };
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				modeSwarm: modeData,
+			});
+
+			toast.success("Mode updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating mode");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="type"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Mode Type</FormLabel>
+							<FormDescription>
+								Choose between replicated or global service mode
+							</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select mode type" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="Replicated">Replicated</SelectItem>
+									<SelectItem value="Global">Global</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				{modeType === "Replicated" && (
+					<FormField
+						control={form.control}
+						name="Replicas"
+						render={({ field }) => (
+							<FormItem>
+								<FormLabel>Replicas</FormLabel>
+								<FormDescription>Number of replicas to run</FormDescription>
+								<FormControl>
+									<Input type="number" placeholder="1" {...field} />
+								</FormControl>
+								<FormMessage />
+							</FormItem>
+						)}
+					/>
+				)}
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								type: undefined,
+								Replicas: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Mode
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/network-form.tsx

@@ -0,0 +1,323 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useFieldArray, useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { api } from "@/utils/api";
+
+const driverOptEntrySchema = z.object({
+	key: z.string(),
+	value: z.string(),
+});
+
+export const networkFormSchema = z.object({
+	networks: z
+		.array(
+			z.object({
+				Target: z.string().optional(),
+				Aliases: z.string().optional(),
+				DriverOptsEntries: z.array(driverOptEntrySchema).optional(),
+			}),
+		)
+		.optional(),
+});
+
+interface NetworkFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const NetworkForm = ({ id, type }: NetworkFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<z.infer<typeof networkFormSchema>>({
+		resolver: zodResolver(networkFormSchema),
+		defaultValues: {
+			networks: [],
+		},
+	});
+
+	const { fields, append, remove } = useFieldArray({
+		control: form.control,
+		name: "networks",
+	});
+
+	useEffect(() => {
+		if (data?.networkSwarm && Array.isArray(data.networkSwarm)) {
+			const networkEntries = data.networkSwarm.map((network) => ({
+				Target: network.Target || "",
+				Aliases: network.Aliases?.join(", ") || "",
+				DriverOptsEntries: network.DriverOpts
+					? Object.entries(network.DriverOpts).map(([key, value]) => ({
+							key,
+							value: value ?? "",
+						}))
+					: [],
+			}));
+			form.reset({ networks: networkEntries });
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof networkFormSchema>) => {
+		setIsLoading(true);
+		try {
+			const networksArray =
+				formData.networks
+					?.filter((network) => network.Target)
+					.map((network) => {
+						const entries = (network.DriverOptsEntries ?? []).filter(
+							(e) => e.key.trim() !== "",
+						);
+						const driverOpts =
+							entries.length > 0
+								? Object.fromEntries(
+										entries.map((e) => [e.key.trim(), e.value]),
+									)
+								: undefined;
+						return {
+							Target: network.Target,
+							Aliases: network.Aliases
+								? network.Aliases.split(",").map((alias) => alias.trim())
+								: undefined,
+							DriverOpts: driverOpts,
+						};
+					}) || [];
+
+			// If no networks, send null to clear the database
+			const networksToSend = networksArray.length > 0 ? networksArray : null;
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				networkSwarm: networksToSend,
+			});
+
+			toast.success("Network configuration updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating network configuration");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<div>
+					<FormLabel>Networks</FormLabel>
+					<FormDescription>
+						Configure network attachments for your service
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{fields.map((field, index) => (
+							<div key={field.id} className="space-y-2 p-3 border rounded">
+								<FormField
+									control={form.control}
+									name={`networks.${index}.Target`}
+									render={({ field }) => (
+										<FormItem>
+											<FormLabel>Network Name</FormLabel>
+											<FormControl>
+												<Input {...field} placeholder="my-network" />
+											</FormControl>
+											<FormDescription>
+												The name of the network to attach to
+											</FormDescription>
+											<FormMessage />
+										</FormItem>
+									)}
+								/>
+								<FormField
+									control={form.control}
+									name={`networks.${index}.Aliases`}
+									render={({ field }) => (
+										<FormItem>
+											<FormLabel>Aliases (optional)</FormLabel>
+											<FormControl>
+												<Input
+													{...field}
+													placeholder="alias1, alias2, alias3"
+												/>
+											</FormControl>
+											<FormDescription>
+												Comma-separated list of network aliases
+											</FormDescription>
+											<FormMessage />
+										</FormItem>
+									)}
+								/>
+								<div className="space-y-2">
+									<FormLabel>Driver options (optional)</FormLabel>
+									<FormDescription>
+										e.g. com.docker.network.driver.mtu,
+										com.docker.network.driver.host_binding
+									</FormDescription>
+									{(
+										form.watch(`networks.${index}.DriverOptsEntries`) ?? []
+									).map((_, optIndex) => (
+										<div
+											key={optIndex}
+											className="flex gap-2 items-end flex-wrap"
+										>
+											<FormField
+												control={form.control}
+												name={`networks.${index}.DriverOptsEntries.${optIndex}.key`}
+												render={({ field }) => (
+													<FormItem className="flex-1 min-w-[140px]">
+														<FormControl>
+															<Input
+																{...field}
+																placeholder="com.docker.network.driver.mtu"
+															/>
+														</FormControl>
+														<FormMessage />
+													</FormItem>
+												)}
+											/>
+											<FormField
+												control={form.control}
+												name={`networks.${index}.DriverOptsEntries.${optIndex}.value`}
+												render={({ field }) => (
+													<FormItem className="flex-1 min-w-[100px]">
+														<FormControl>
+															<Input {...field} placeholder="1500" />
+														</FormControl>
+														<FormMessage />
+													</FormItem>
+												)}
+											/>
+											<Button
+												type="button"
+												variant="ghost"
+												size="sm"
+												onClick={() => {
+													const entries =
+														form.getValues(
+															`networks.${index}.DriverOptsEntries`,
+														) ?? [];
+													form.setValue(
+														`networks.${index}.DriverOptsEntries`,
+														entries.filter((_, i) => i !== optIndex),
+													);
+												}}
+											>
+												Remove
+											</Button>
+										</div>
+									))}
+									<Button
+										type="button"
+										variant="outline"
+										size="sm"
+										onClick={() => {
+											const entries =
+												form.getValues(`networks.${index}.DriverOptsEntries`) ??
+												[];
+											form.setValue(`networks.${index}.DriverOptsEntries`, [
+												...entries,
+												{ key: "", value: "" },
+											]);
+										}}
+									>
+										Add driver option
+									</Button>
+								</div>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => remove(index)}
+								>
+									Remove Network
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={() =>
+								append({
+									Target: "",
+									Aliases: "",
+									DriverOptsEntries: [],
+								})
+							}
+						>
+							Add Network
+						</Button>
+					</div>
+				</div>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({ networks: [] });
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Networks
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/placement-form.tsx

@@ -0,0 +1,357 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { api } from "@/utils/api";
+
+const PreferenceSchema = z.object({
+	SpreadDescriptor: z.string(),
+});
+
+const PlatformSchema = z.object({
+	Architecture: z.string(),
+	OS: z.string(),
+});
+
+export const placementFormSchema = z.object({
+	Constraints: z.array(z.string()).optional(),
+	Preferences: z.array(PreferenceSchema).optional(),
+	MaxReplicas: z.coerce.number().optional(),
+	Platforms: z.array(PlatformSchema).optional(),
+});
+
+interface PlacementFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const PlacementForm = ({ id, type }: PlacementFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(placementFormSchema),
+		defaultValues: {
+			Constraints: [],
+			Preferences: [],
+			MaxReplicas: undefined,
+			Platforms: [],
+		},
+	});
+
+	const constraints = form.watch("Constraints") || [];
+	const preferences = form.watch("Preferences") || [];
+	const platforms = form.watch("Platforms") || [];
+
+	useEffect(() => {
+		if (data?.placementSwarm) {
+			const placement = data.placementSwarm;
+			form.reset({
+				Constraints: placement.Constraints || [],
+				Preferences:
+					placement.Preferences?.map((p: any) => ({
+						SpreadDescriptor: p.Spread?.SpreadDescriptor || "",
+					})) || [],
+				MaxReplicas: placement.MaxReplicas,
+				Platforms: placement.Platforms || [],
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof placementFormSchema>) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue =
+				(formData.Constraints && formData.Constraints.length > 0) ||
+				(formData.Preferences && formData.Preferences.length > 0) ||
+				(formData.Platforms && formData.Platforms.length > 0) ||
+				formData.MaxReplicas !== undefined;
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				placementSwarm: hasAnyValue
+					? {
+							...formData,
+							Preferences: formData.Preferences?.map((p) => ({
+								Spread: { SpreadDescriptor: p.SpreadDescriptor },
+							})),
+						}
+					: null,
+			});
+
+			toast.success("Placement updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating placement");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	const addConstraint = () => {
+		form.setValue("Constraints", [...constraints, ""]);
+	};
+
+	const updateConstraint = (index: number, value: string) => {
+		const newConstraints = [...constraints];
+		newConstraints[index] = value;
+		form.setValue("Constraints", newConstraints);
+	};
+
+	const removeConstraint = (index: number) => {
+		form.setValue(
+			"Constraints",
+			constraints.filter((_: string, i: number) => i !== index),
+		);
+	};
+
+	const addPreference = () => {
+		form.setValue("Preferences", [...preferences, { SpreadDescriptor: "" }]);
+	};
+
+	const updatePreference = (index: number, value: string) => {
+		const newPreferences = [...preferences];
+		if (newPreferences[index]) {
+			newPreferences[index].SpreadDescriptor = value;
+			form.setValue("Preferences", newPreferences);
+		}
+	};
+
+	const removePreference = (index: number) => {
+		form.setValue(
+			"Preferences",
+			preferences.filter((_: any, i: number) => i !== index),
+		);
+	};
+
+	const addPlatform = () => {
+		form.setValue("Platforms", [...platforms, { Architecture: "", OS: "" }]);
+	};
+
+	const updatePlatform = (
+		index: number,
+		field: "Architecture" | "OS",
+		value: string,
+	) => {
+		const newPlatforms = [...platforms];
+		if (newPlatforms[index]) {
+			newPlatforms[index][field] = value;
+			form.setValue("Platforms", newPlatforms);
+		}
+	};
+
+	const removePlatform = (index: number) => {
+		form.setValue(
+			"Platforms",
+			platforms.filter((_: any, i: number) => i !== index),
+		);
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<div>
+					<FormLabel>Constraints</FormLabel>
+					<FormDescription>
+						Placement constraints (e.g., "node.role==manager")
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{constraints.map((constraint: string, index: number) => (
+							<div key={index} className="flex gap-2">
+								<Input
+									value={constraint}
+									onChange={(e) => updateConstraint(index, e.target.value)}
+									placeholder="node.role==manager"
+								/>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => removeConstraint(index)}
+								>
+									Remove
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={addConstraint}
+						>
+							Add Constraint
+						</Button>
+					</div>
+				</div>
+
+				<div>
+					<FormLabel>Preferences</FormLabel>
+					<FormDescription>
+						Spread preferences for task distribution (e.g.,
+						"node.labels.region")
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{preferences.map((pref: any, index: number) => (
+							<div key={index} className="flex gap-2">
+								<Input
+									value={pref.SpreadDescriptor}
+									onChange={(e) => updatePreference(index, e.target.value)}
+									placeholder="node.labels.region"
+								/>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => removePreference(index)}
+								>
+									Remove
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={addPreference}
+						>
+							Add Preference
+						</Button>
+					</div>
+				</div>
+
+				<FormField
+					control={form.control}
+					name="MaxReplicas"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Max Replicas</FormLabel>
+							<FormDescription>
+								Maximum number of replicas per node
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div>
+					<FormLabel>Platforms</FormLabel>
+					<FormDescription>
+						Target platforms for task scheduling
+					</FormDescription>
+					<div className="space-y-2 mt-2">
+						{platforms.map((platform: any, index: number) => (
+							<div key={index} className="flex gap-2">
+								<Input
+									value={platform.Architecture}
+									onChange={(e) =>
+										updatePlatform(index, "Architecture", e.target.value)
+									}
+									placeholder="amd64"
+								/>
+								<Input
+									value={platform.OS}
+									onChange={(e) => updatePlatform(index, "OS", e.target.value)}
+									placeholder="linux"
+								/>
+								<Button
+									type="button"
+									variant="destructive"
+									size="sm"
+									onClick={() => removePlatform(index)}
+								>
+									Remove
+								</Button>
+							</div>
+						))}
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={addPlatform}
+						>
+							Add Platform
+						</Button>
+					</div>
+				</div>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Constraints: [],
+								Preferences: [],
+								MaxReplicas: undefined,
+								Platforms: [],
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Placement
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/restart-policy-form.tsx

@@ -0,0 +1,229 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+export const restartPolicyFormSchema = z.object({
+	Condition: z.string().optional(),
+	Delay: z.coerce.number().optional(),
+	MaxAttempts: z.coerce.number().optional(),
+	Window: z.coerce.number().optional(),
+});
+
+interface RestartPolicyFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const RestartPolicyForm = ({ id, type }: RestartPolicyFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(restartPolicyFormSchema),
+		defaultValues: {
+			Condition: undefined,
+			Delay: undefined,
+			MaxAttempts: undefined,
+			Window: undefined,
+		},
+	});
+
+	useEffect(() => {
+		if (data?.restartPolicySwarm) {
+			form.reset({
+				Condition: data.restartPolicySwarm.Condition,
+				Delay: data.restartPolicySwarm.Delay,
+				MaxAttempts: data.restartPolicySwarm.MaxAttempts,
+				Window: data.restartPolicySwarm.Window,
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (
+		formData: z.infer<typeof restartPolicyFormSchema>,
+	) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue = Object.values(formData).some(
+				(value) => value !== undefined && value !== null && value !== "",
+			);
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				restartPolicySwarm: hasAnyValue ? formData : null,
+			});
+
+			toast.success("Restart policy updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating restart policy");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="Condition"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Condition</FormLabel>
+							<FormDescription>When to restart the container</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select restart condition" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="none">None</SelectItem>
+									<SelectItem value="on-failure">On Failure</SelectItem>
+									<SelectItem value="any">Any</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Delay"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Delay (nanoseconds)</FormLabel>
+							<FormDescription>
+								Wait time between restart attempts
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="MaxAttempts"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Max Attempts</FormLabel>
+							<FormDescription>
+								Maximum number of restart attempts
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="3" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Window"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Window (nanoseconds)</FormLabel>
+							<FormDescription>
+								Time window to evaluate restart policy
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Condition: undefined,
+								Delay: undefined,
+								MaxAttempts: undefined,
+								Window: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Restart Policy
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/rollback-config-form.tsx

@@ -0,0 +1,267 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+export const rollbackConfigFormSchema = z.object({
+	Parallelism: z.coerce.number().optional(),
+	Delay: z.coerce.number().optional(),
+	FailureAction: z.string().optional(),
+	Monitor: z.coerce.number().optional(),
+	MaxFailureRatio: z.coerce.number().optional(),
+	Order: z.string().optional(),
+});
+
+interface RollbackConfigFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const RollbackConfigForm = ({ id, type }: RollbackConfigFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(rollbackConfigFormSchema),
+		defaultValues: {
+			Parallelism: undefined,
+			Delay: undefined,
+			FailureAction: undefined,
+			Monitor: undefined,
+			MaxFailureRatio: undefined,
+			Order: undefined,
+		},
+	});
+
+	useEffect(() => {
+		if (data?.rollbackConfigSwarm) {
+			form.reset(data.rollbackConfigSwarm);
+		}
+	}, [data, form]);
+
+	const onSubmit = async (
+		formData: z.infer<typeof rollbackConfigFormSchema>,
+	) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue = Object.values(formData).some(
+				(value) => value !== undefined && value !== null && value !== "",
+			);
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				rollbackConfigSwarm: (hasAnyValue ? formData : null) as any,
+			});
+
+			toast.success("Rollback config updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating rollback config");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="Parallelism"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Parallelism</FormLabel>
+							<FormDescription>
+								Number of tasks to rollback simultaneously
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="1" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Delay"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Delay (nanoseconds)</FormLabel>
+							<FormDescription>Delay between task rollbacks</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="FailureAction"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Failure Action</FormLabel>
+							<FormDescription>Action on rollback failure</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select failure action" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="pause">Pause</SelectItem>
+									<SelectItem value="continue">Continue</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Monitor"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Monitor (nanoseconds)</FormLabel>
+							<FormDescription>
+								Duration to monitor for failure after rollback
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="MaxFailureRatio"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Max Failure Ratio</FormLabel>
+							<FormDescription>
+								Maximum failure ratio tolerated (0-1)
+							</FormDescription>
+							<FormControl>
+								<Input type="number" step="0.01" placeholder="0.1" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Order"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Order</FormLabel>
+							<FormDescription>Rollback order strategy</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select order" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="stop-first">Stop First</SelectItem>
+									<SelectItem value="start-first">Start First</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Parallelism: undefined,
+								Delay: undefined,
+								FailureAction: undefined,
+								Monitor: undefined,
+								MaxFailureRatio: undefined,
+								Order: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Rollback Config
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/stop-grace-period-form.tsx

@@ -0,0 +1,164 @@
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import { api } from "@/utils/api";
+
+const hasStopGracePeriodSwarm = (
+	value: unknown,
+): value is { stopGracePeriodSwarm: number | string | null } =>
+	typeof value === "object" &&
+	value !== null &&
+	"stopGracePeriodSwarm" in value;
+
+interface StopGracePeriodFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const StopGracePeriodForm = ({ id, type }: StopGracePeriodFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		defaultValues: {
+			value: null as number | null,
+		},
+	});
+
+	useEffect(() => {
+		if (hasStopGracePeriodSwarm(data)) {
+			const value = data.stopGracePeriodSwarm;
+			const normalizedValue =
+				value === null || value === undefined ? null : Number(value);
+			form.reset({
+				value: normalizedValue,
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: any) => {
+		setIsLoading(true);
+		try {
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				stopGracePeriodSwarm: formData.value,
+			});
+
+			toast.success("Stop grace period updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating stop grace period");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="value"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Stop Grace Period (nanoseconds)</FormLabel>
+							<FormDescription>
+								Time to wait before forcefully killing the container
+								<br />
+								Examples: 30000000000 (30s), 120000000000 (2m)
+							</FormDescription>
+							<FormControl>
+								<Input
+									type="number"
+									placeholder="30000000000"
+									{...field}
+									value={
+										field?.value !== null && field?.value !== undefined
+											? field.value.toString()
+											: ""
+									}
+									onChange={(e) =>
+										field.onChange(
+											e.target.value ? Number(e.target.value) : null,
+										)
+									}
+								/>
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								value: null,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Stop Grace Period
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/update-config-form.tsx

@@ -0,0 +1,274 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { Button } from "@/components/ui/button";
+import {
+	Form,
+	FormControl,
+	FormDescription,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+export const updateConfigFormSchema = z.object({
+	Parallelism: z.coerce.number().optional(),
+	Delay: z.coerce.number().optional(),
+	FailureAction: z.string().optional(),
+	Monitor: z.coerce.number().optional(),
+	MaxFailureRatio: z.coerce.number().optional(),
+	Order: z.string().optional(),
+});
+
+interface UpdateConfigFormProps {
+	id: string;
+	type:
+		| "postgres"
+		| "mariadb"
+		| "mongo"
+		| "mysql"
+		| "redis"
+		| "application"
+		| "libsql";
+}
+
+export const UpdateConfigForm = ({ id, type }: UpdateConfigFormProps) => {
+	const [isLoading, setIsLoading] = useState(false);
+
+	const queryMap = {
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+	};
+	const { data, refetch } = queryMap[type]
+		? queryMap[type]()
+		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
+
+	const mutationMap = {
+		postgres: () => api.postgres.update.useMutation(),
+		redis: () => api.redis.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		application: () => api.application.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+	};
+
+	const { mutateAsync } = mutationMap[type]
+		? mutationMap[type]()
+		: api.mongo.update.useMutation();
+
+	const form = useForm<any>({
+		resolver: zodResolver(updateConfigFormSchema),
+		defaultValues: {
+			Parallelism: undefined,
+			Delay: undefined,
+			FailureAction: undefined,
+			Monitor: undefined,
+			MaxFailureRatio: undefined,
+			Order: undefined,
+		},
+	});
+
+	useEffect(() => {
+		if (data?.updateConfigSwarm) {
+			const config = data.updateConfigSwarm;
+			form.reset({
+				Parallelism: config.Parallelism,
+				Delay: config.Delay,
+				FailureAction: config.FailureAction,
+				Monitor: config.Monitor,
+				MaxFailureRatio: config.MaxFailureRatio,
+				Order: config.Order,
+			});
+		}
+	}, [data, form]);
+
+	const onSubmit = async (formData: z.infer<typeof updateConfigFormSchema>) => {
+		setIsLoading(true);
+		try {
+			// Check if all values are empty, if so, send null to clear the database
+			const hasAnyValue = Object.values(formData).some(
+				(value) => value !== undefined && value !== null && value !== "",
+			);
+
+			await mutateAsync({
+				applicationId: id || "",
+				postgresId: id || "",
+				redisId: id || "",
+				mysqlId: id || "",
+				mariadbId: id || "",
+				mongoId: id || "",
+				libsqlId: id || "",
+				updateConfigSwarm: (hasAnyValue ? formData : null) as any,
+			});
+
+			toast.success("Update config updated successfully");
+			refetch();
+		} catch {
+			toast.error("Error updating update config");
+		} finally {
+			setIsLoading(false);
+		}
+	};
+
+	return (
+		<Form {...form}>
+			<form onSubmit={form.handleSubmit(onSubmit)} className="space-y-4">
+				<FormField
+					control={form.control}
+					name="Parallelism"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Parallelism</FormLabel>
+							<FormDescription>
+								Number of tasks to update simultaneously
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="1" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Delay"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Delay (nanoseconds)</FormLabel>
+							<FormDescription>Delay between task updates</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="FailureAction"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Failure Action</FormLabel>
+							<FormDescription>Action on update failure</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select failure action" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="pause">Pause</SelectItem>
+									<SelectItem value="continue">Continue</SelectItem>
+									<SelectItem value="rollback">Rollback</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Monitor"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Monitor (nanoseconds)</FormLabel>
+							<FormDescription>
+								Duration to monitor for failure after update
+							</FormDescription>
+							<FormControl>
+								<Input type="number" placeholder="10000000000" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="MaxFailureRatio"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Max Failure Ratio</FormLabel>
+							<FormDescription>
+								Maximum failure ratio tolerated (0-1)
+							</FormDescription>
+							<FormControl>
+								<Input type="number" step="0.01" placeholder="0.1" {...field} />
+							</FormControl>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<FormField
+					control={form.control}
+					name="Order"
+					render={({ field }) => (
+						<FormItem>
+							<FormLabel>Order</FormLabel>
+							<FormDescription>Update order strategy</FormDescription>
+							<Select onValueChange={field.onChange} value={field.value}>
+								<FormControl>
+									<SelectTrigger>
+										<SelectValue placeholder="Select order" />
+									</SelectTrigger>
+								</FormControl>
+								<SelectContent>
+									<SelectItem value="stop-first">Stop First</SelectItem>
+									<SelectItem value="start-first">Start First</SelectItem>
+								</SelectContent>
+							</Select>
+							<FormMessage />
+						</FormItem>
+					)}
+				/>
+
+				<div className="flex justify-end gap-2">
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => {
+							form.reset({
+								Parallelism: undefined,
+								Delay: undefined,
+								FailureAction: undefined,
+								Monitor: undefined,
+								MaxFailureRatio: undefined,
+								Order: undefined,
+							});
+						}}
+					>
+						Clear
+					</Button>
+					<Button type="submit" isLoading={isLoading}>
+						Save Update Config
+					</Button>
+				</div>
+			</form>
+		</Form>
+	);
+};

apps/dokploy/components/dashboard/application/advanced/cluster/swarm-forms/utils.ts

@@ -0,0 +1,31 @@
+/**
+ * Filters out undefined, null, and empty string values from form data
+ * Only returns fields that have actual values
+ */
+export const filterEmptyValues = (
+	formData: Record<string, any>,
+): Record<string, any> => {
+	return Object.entries(formData).reduce(
+		(acc, [key, value]) => {
+			// Keep arrays even if empty (they might be intentionally cleared)
+			if (Array.isArray(value)) {
+				if (value.length > 0) {
+					acc[key] = value;
+				}
+			}
+			// For other values, filter out undefined, null, and empty strings
+			else if (value !== undefined && value !== null && value !== "") {
+				acc[key] = value;
+			}
+			return acc;
+		},
+		{} as Record<string, any>,
+	);
+};
+
+/**
+ * Checks if filtered data has any values to save
+ */
+export const hasValues = (data: Record<string, any>): boolean => {
+	return Object.keys(data).length > 0;
+};

apps/dokploy/components/dashboard/application/advanced/general/add-command.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { Plus, Trash2 } from "lucide-react";
 import { useEffect } from "react";
 import { useFieldArray, useForm } from "react-hook-form";
@@ -50,7 +50,7 @@ export const AddCommand = ({ applicationId }: Props) => {
 
 	const utils = api.useUtils();
 
-	const { mutateAsync, isLoading } = api.application.update.useMutation();
+	const { mutateAsync, isPending } = api.application.update.useMutation();
 
 	const form = useForm<AddCommand>({
 		defaultValues: {
@@ -177,7 +177,7 @@ export const AddCommand = ({ applicationId }: Props) => {
 							</div>
 						</div>
 						<div className="flex justify-end">
-							<Button isLoading={isLoading} type="submit" className="w-fit">
+							<Button isLoading={isPending} type="submit" className="w-fit">
 								Save
 							</Button>
 						</div>

apps/dokploy/components/dashboard/application/advanced/import/show-import.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { Code2, Globe2, HardDrive } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -69,11 +69,11 @@ export const ShowImport = ({ composeId }: Props) => {
 	} | null>(null);
 
 	const utils = api.useUtils();
-	const { mutateAsync: processTemplate, isLoading: isLoadingTemplate } =
+	const { mutateAsync: processTemplate, isPending: isLoadingTemplate } =
 		api.compose.processTemplate.useMutation();
 	const {
 		mutateAsync: importTemplate,
-		isLoading: isImporting,
+		isPending: isImporting,
 		isSuccess: isImportSuccess,
 	} = api.compose.import.useMutation();
 

apps/dokploy/components/dashboard/application/advanced/ports/handle-ports.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { PenBoxIcon, PlusIcon } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm, useWatch } from "react-hook-form";
@@ -35,13 +35,9 @@ import { api } from "@/utils/api";
 
 const AddPortSchema = z.object({
 	publishedPort: z.number().int().min(1).max(65535),
-	publishMode: z.enum(["ingress", "host"], {
-		required_error: "Publish mode is required",
-	}),
+	publishMode: z.enum(["ingress", "host"]),
 	targetPort: z.number().int().min(1).max(65535),
-	protocol: z.enum(["tcp", "udp"], {
-		required_error: "Protocol is required",
-	}),
+	protocol: z.enum(["tcp", "udp"]),
 });
 
 type AddPort = z.infer<typeof AddPortSchema>;
@@ -68,7 +64,7 @@ export const HandlePorts = ({
 			enabled: !!portId,
 		},
 	);
-	const { mutateAsync, isLoading, error, isError } = portId
+	const { mutateAsync, isPending, error, isError } = portId
 		? api.port.update.useMutation()
 		: api.port.create.useMutation();
 
@@ -270,7 +266,7 @@ export const HandlePorts = ({
 
 					<DialogFooter>
 						<Button
-							isLoading={isLoading}
+							isLoading={isPending}
 							form="hook-form-add-port"
 							type="submit"
 						>

apps/dokploy/components/dashboard/application/advanced/ports/show-port.tsx

@@ -25,7 +25,7 @@ export const ShowPorts = ({ applicationId }: Props) => {
 		{ enabled: !!applicationId },
 	);
 
-	const { mutateAsync: deletePort, isLoading: isRemoving } =
+	const { mutateAsync: deletePort, isPending: isRemoving } =
 		api.port.delete.useMutation();
 
 	return (

apps/dokploy/components/dashboard/application/advanced/redirects/handle-redirect.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { PenBoxIcon, PlusIcon } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -37,13 +37,13 @@ import { Separator } from "@/components/ui/separator";
 import { Switch } from "@/components/ui/switch";
 import { api } from "@/utils/api";
 
-const AddRedirectchema = z.object({
+const AddRedirectSchema = z.object({
 	regex: z.string().min(1, "Regex required"),
 	permanent: z.boolean().default(false),
 	replacement: z.string().min(1, "Replacement required"),
 });
 
-type AddRedirect = z.infer<typeof AddRedirectchema>;
+type AddRedirect = z.infer<typeof AddRedirectSchema>;
 
 // Default presets
 const redirectPresets = [
@@ -100,17 +100,17 @@ export const HandleRedirect = ({
 
 	const utils = api.useUtils();
 
-	const { mutateAsync, isLoading, error, isError } = redirectId
+	const { mutateAsync, isPending, error, isError } = redirectId
 		? api.redirects.update.useMutation()
 		: api.redirects.create.useMutation();
 
-	const form = useForm<AddRedirect>({
+	const form = useForm({
 		defaultValues: {
 			permanent: false,
 			regex: "",
 			replacement: "",
 		},
-		resolver: zodResolver(AddRedirectchema),
+		resolver: zodResolver(AddRedirectSchema),
 	});
 
 	useEffect(() => {
@@ -149,7 +149,7 @@ export const HandleRedirect = ({
 
 	const onDialogToggle = (open: boolean) => {
 		setIsOpen(open);
-		// commented for the moment because not reseting the form if accidentally closed the dialog can be considered as a feature instead of a bug
+		// commented for the moment because not resetting the form if accidentally closed the dialog can be considered as a feature instead of a bug
 		// setPresetSelected("");
 		// form.reset();
 	};
@@ -268,7 +268,7 @@ export const HandleRedirect = ({
 
 					<DialogFooter>
 						<Button
-							isLoading={isLoading}
+							isLoading={isPending}
 							form="hook-form-add-redirect"
 							type="submit"
 						>

apps/dokploy/components/dashboard/application/advanced/redirects/show-redirects.tsx

@@ -24,7 +24,7 @@ export const ShowRedirects = ({ applicationId }: Props) => {
 		{ enabled: !!applicationId },
 	);
 
-	const { mutateAsync: deleteRedirect, isLoading: isRemoving } =
+	const { mutateAsync: deleteRedirect, isPending: isRemoving } =
 		api.redirects.delete.useMutation();
 
 	const utils = api.useUtils();

apps/dokploy/components/dashboard/application/advanced/security/handle-security.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { PenBoxIcon, PlusIcon } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -46,7 +46,7 @@ export const HandleSecurity = ({
 }: Props) => {
 	const utils = api.useUtils();
 	const [isOpen, setIsOpen] = useState(false);
-	const { data } = api.security.one.useQuery(
+	const { data, refetch } = api.security.one.useQuery(
 		{
 			securityId: securityId ?? "",
 		},
@@ -55,7 +55,7 @@ export const HandleSecurity = ({
 		},
 	);
 
-	const { mutateAsync, isLoading, error, isError } = securityId
+	const { mutateAsync, isPending, error, isError } = securityId
 		? api.security.update.useMutation()
 		: api.security.create.useMutation();
 
@@ -88,6 +88,7 @@ export const HandleSecurity = ({
 				await utils.application.readTraefikConfig.invalidate({
 					applicationId,
 				});
+				await refetch();
 				setIsOpen(false);
 			})
 			.catch(() => {
@@ -163,7 +164,7 @@ export const HandleSecurity = ({
 
 					<DialogFooter>
 						<Button
-							isLoading={isLoading}
+							isLoading={isPending}
 							form="hook-form-add-security"
 							type="submit"
 						>

apps/dokploy/components/dashboard/application/advanced/security/show-security.tsx

@@ -27,7 +27,7 @@ export const ShowSecurity = ({ applicationId }: Props) => {
 		{ enabled: !!applicationId },
 	);
 
-	const { mutateAsync: deleteSecurity, isLoading: isRemoving } =
+	const { mutateAsync: deleteSecurity, isPending: isRemoving } =
 		api.security.delete.useMutation();
 
 	const utils = api.useUtils();

apps/dokploy/components/dashboard/application/advanced/show-build-server.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { Server } from "lucide-react";
 import Link from "next/link";
 import { useEffect } from "react";
@@ -74,7 +74,7 @@ export const ShowBuildServer = ({ applicationId }: Props) => {
 	const { data: buildServers } = api.server.buildServers.useQuery();
 	const { data: registries } = api.registry.all.useQuery();
 
-	const { mutateAsync, isLoading } = api.application.update.useMutation();
+	const { mutateAsync, isPending } = api.application.update.useMutation();
 
 	const form = useForm<Schema>({
 		defaultValues: {
@@ -274,7 +274,7 @@ export const ShowBuildServer = ({ applicationId }: Props) => {
 						/>
 
 						<div className="flex w-full justify-end">
-							<Button isLoading={isLoading} type="submit">
+							<Button isLoading={isPending} type="submit">
 								Save
 							</Button>
 						</div>

apps/dokploy/components/dashboard/application/advanced/show-resources.tsx

@@ -1,7 +1,7 @@
-import { zodResolver } from "@hookform/resolvers/zod";
-import { InfoIcon } from "lucide-react";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { InfoIcon, Plus, Trash2 } from "lucide-react";
 import { useEffect } from "react";
-import { useForm } from "react-hook-form";
+import { useFieldArray, useForm } from "react-hook-form";
 import { toast } from "sonner";
 import { z } from "zod";
 import { AlertBlock } from "@/components/shared/alert-block";
@@ -21,10 +21,18 @@ import {
 	FormLabel,
 	FormMessage,
 } from "@/components/ui/form";
+import { Input } from "@/components/ui/input";
 import {
 	createConverter,
 	NumberInputWithSteps,
 } from "@/components/ui/number-input";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
 import {
 	Tooltip,
 	TooltipContent,
@@ -50,20 +58,44 @@ const memoryConverter = createConverter(1024 * 1024, (mb) => {
 		: `${formatNumber(mb)} MB`;
 });
 
+const ulimitSchema = z.object({
+	Name: z.string().min(1, "Name is required"),
+	Soft: z.coerce.number().int().min(-1, "Must be >= -1"),
+	Hard: z.coerce.number().int().min(-1, "Must be >= -1"),
+});
+
 const addResourcesSchema = z.object({
 	memoryReservation: z.string().optional(),
 	cpuLimit: z.string().optional(),
 	memoryLimit: z.string().optional(),
 	cpuReservation: z.string().optional(),
+	ulimitsSwarm: z.array(ulimitSchema).optional(),
 });
 
+const ULIMIT_PRESETS = [
+	{ value: "nofile", label: "nofile (Open Files)" },
+	{ value: "nproc", label: "nproc (Processes)" },
+	{ value: "memlock", label: "memlock (Locked Memory)" },
+	{ value: "stack", label: "stack (Stack Size)" },
+	{ value: "core", label: "core (Core File Size)" },
+	{ value: "cpu", label: "cpu (CPU Time)" },
+	{ value: "data", label: "data (Data Segment)" },
+	{ value: "fsize", label: "fsize (File Size)" },
+	{ value: "locks", label: "locks (File Locks)" },
+	{ value: "msgqueue", label: "msgqueue (Message Queues)" },
+	{ value: "nice", label: "nice (Nice Priority)" },
+	{ value: "rtprio", label: "rtprio (Real-time Priority)" },
+	{ value: "sigpending", label: "sigpending (Pending Signals)" },
+];
+
 export type ServiceType =
-	| "postgres"
-	| "mongo"
-	| "redis"
-	| "mysql"
+	| "application"
+	| "libsql"
 	| "mariadb"
-	| "application";
+	| "mongo"
+	| "mysql"
+	| "postgres"
+	| "redis";
 
 interface Props {
 	id: string;
@@ -74,43 +106,51 @@ type AddResources = z.infer<typeof addResourcesSchema>;
 
 export const ShowResources = ({ id, type }: Props) => {
 	const queryMap = {
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
 		postgres: () =>
 			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
 		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
-		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
-		mariadb: () =>
-			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
-		application: () =>
-			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
-		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
 	};
 	const { data, refetch } = queryMap[type]
 		? queryMap[type]()
 		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
 
 	const mutationMap = {
+		application: () => api.application.update.useMutation(),
+		libsql: () => api.libsql.update.useMutation(),
+		mariadb: () => api.mariadb.update.useMutation(),
+		mongo: () => api.mongo.update.useMutation(),
+		mysql: () => api.mysql.update.useMutation(),
 		postgres: () => api.postgres.update.useMutation(),
 		redis: () => api.redis.update.useMutation(),
-		mysql: () => api.mysql.update.useMutation(),
-		mariadb: () => api.mariadb.update.useMutation(),
-		application: () => api.application.update.useMutation(),
-		mongo: () => api.mongo.update.useMutation(),
 	};
 
-	const { mutateAsync, isLoading } = mutationMap[type]
+	const { mutateAsync, isPending } = mutationMap[type]
 		? mutationMap[type]()
 		: api.mongo.update.useMutation();
 
-	const form = useForm<AddResources>({
+	const form = useForm({
 		defaultValues: {
 			cpuLimit: "",
 			cpuReservation: "",
 			memoryLimit: "",
 			memoryReservation: "",
+			ulimitsSwarm: [],
 		},
 		resolver: zodResolver(addResourcesSchema),
 	});
 
+	const { fields, append, remove } = useFieldArray({
+		control: form.control,
+		name: "ulimitsSwarm",
+	});
+
 	useEffect(() => {
 		if (data) {
 			form.reset({
@@ -118,22 +158,28 @@ export const ShowResources = ({ id, type }: Props) => {
 				cpuReservation: data?.cpuReservation || undefined,
 				memoryLimit: data?.memoryLimit || undefined,
 				memoryReservation: data?.memoryReservation || undefined,
+				ulimitsSwarm: (data as any)?.ulimitsSwarm || [],
 			});
 		}
 	}, [data, form, form.reset]);
 
 	const onSubmit = async (formData: AddResources) => {
 		await mutateAsync({
+			applicationId: id || "",
+			libsqlId: id || "",
+			mariadbId: id || "",
 			mongoId: id || "",
+			mysqlId: id || "",
 			postgresId: id || "",
 			redisId: id || "",
-			mysqlId: id || "",
-			mariadbId: id || "",
-			applicationId: id || "",
 			cpuLimit: formData.cpuLimit || null,
 			cpuReservation: formData.cpuReservation || null,
 			memoryLimit: formData.memoryLimit || null,
 			memoryReservation: formData.memoryReservation || null,
+			ulimitsSwarm:
+				formData.ulimitsSwarm && formData.ulimitsSwarm.length > 0
+					? formData.ulimitsSwarm
+					: null,
 		})
 			.then(async () => {
 				toast.success("Resources Updated");
@@ -178,7 +224,7 @@ export const ShowResources = ({ id, type }: Props) => {
 												<FormLabel>Memory Limit</FormLabel>
 												<TooltipProvider>
 													<Tooltip delayDuration={0}>
-														<TooltipTrigger>
+														<TooltipTrigger type="button">
 															<InfoIcon className="h-4 w-4 text-muted-foreground" />
 														</TooltipTrigger>
 														<TooltipContent>
@@ -217,7 +263,7 @@ export const ShowResources = ({ id, type }: Props) => {
 											<FormLabel>Memory Reservation</FormLabel>
 											<TooltipProvider>
 												<Tooltip delayDuration={0}>
-													<TooltipTrigger>
+													<TooltipTrigger type="button">
 														<InfoIcon className="h-4 w-4 text-muted-foreground" />
 													</TooltipTrigger>
 													<TooltipContent>
@@ -257,7 +303,7 @@ export const ShowResources = ({ id, type }: Props) => {
 												<FormLabel>CPU Limit</FormLabel>
 												<TooltipProvider>
 													<Tooltip delayDuration={0}>
-														<TooltipTrigger>
+														<TooltipTrigger type="button">
 															<InfoIcon className="h-4 w-4 text-muted-foreground" />
 														</TooltipTrigger>
 														<TooltipContent>
@@ -297,7 +343,7 @@ export const ShowResources = ({ id, type }: Props) => {
 												<FormLabel>CPU Reservation</FormLabel>
 												<TooltipProvider>
 													<Tooltip delayDuration={0}>
-														<TooltipTrigger>
+														<TooltipTrigger type="button">
 															<InfoIcon className="h-4 w-4 text-muted-foreground" />
 														</TooltipTrigger>
 														<TooltipContent>
@@ -325,8 +371,157 @@ export const ShowResources = ({ id, type }: Props) => {
 								}}
 							/>
 						</div>
+
+						{/* Ulimits Section */}
+						<div className="space-y-4">
+							<div className="flex items-center justify-between">
+								<div className="flex items-center gap-2">
+									<FormLabel className="text-base">Ulimits</FormLabel>
+									<TooltipProvider>
+										<Tooltip delayDuration={0}>
+											<TooltipTrigger type="button">
+												<InfoIcon className="h-4 w-4 text-muted-foreground" />
+											</TooltipTrigger>
+											<TooltipContent className="max-w-xs">
+												<p>
+													Set resource limits for the container. Each ulimit has
+													a soft limit (warning threshold) and hard limit
+													(maximum allowed). Use -1 for unlimited.
+												</p>
+											</TooltipContent>
+										</Tooltip>
+									</TooltipProvider>
+								</div>
+								<Button
+									type="button"
+									variant="outline"
+									size="sm"
+									onClick={() =>
+										append({ Name: "nofile", Soft: 65535, Hard: 65535 })
+									}
+								>
+									<Plus className="h-4 w-4 mr-1" />
+									Add Ulimit
+								</Button>
+							</div>
+
+							{fields.length > 0 && (
+								<div className="space-y-3">
+									{fields.map((field, index) => (
+										<div
+											key={field.id}
+											className="flex items-start gap-3 p-3 border rounded-lg bg-muted/30"
+										>
+											<FormField
+												control={form.control}
+												name={`ulimitsSwarm.${index}.Name`}
+												render={({ field }) => (
+													<FormItem className="flex-1">
+														<FormLabel className="text-xs">Type</FormLabel>
+														<Select
+															onValueChange={field.onChange}
+															value={field.value}
+														>
+															<FormControl>
+																<SelectTrigger>
+																	<SelectValue placeholder="Select ulimit" />
+																</SelectTrigger>
+															</FormControl>
+															<SelectContent>
+																{ULIMIT_PRESETS.map((preset) => (
+																	<SelectItem
+																		key={preset.value}
+																		value={preset.value}
+																	>
+																		{preset.label}
+																	</SelectItem>
+																))}
+															</SelectContent>
+														</Select>
+														<FormMessage />
+													</FormItem>
+												)}
+											/>
+											<FormField
+												control={form.control}
+												name={`ulimitsSwarm.${index}.Soft`}
+												render={({ field }) => (
+													<FormItem className="w-32">
+														<FormLabel className="text-xs">
+															Soft Limit
+														</FormLabel>
+														<FormControl>
+															<Input
+																type="number"
+																min={-1}
+																placeholder="65535"
+																{...field}
+																value={
+																	typeof field.value === "number"
+																		? field.value
+																		: ""
+																}
+																onChange={(e) =>
+																	field.onChange(Number(e.target.value))
+																}
+															/>
+														</FormControl>
+														<FormMessage />
+													</FormItem>
+												)}
+											/>
+											<FormField
+												control={form.control}
+												name={`ulimitsSwarm.${index}.Hard`}
+												render={({ field }) => (
+													<FormItem className="w-32">
+														<FormLabel className="text-xs">
+															Hard Limit
+														</FormLabel>
+														<FormControl>
+															<Input
+																type="number"
+																min={-1}
+																placeholder="65535"
+																{...field}
+																value={
+																	typeof field.value === "number"
+																		? field.value
+																		: ""
+																}
+																onChange={(e) =>
+																	field.onChange(Number(e.target.value))
+																}
+															/>
+														</FormControl>
+														<FormMessage />
+													</FormItem>
+												)}
+											/>
+											<Button
+												type="button"
+												variant="ghost"
+												size="icon"
+												className="mt-6 text-destructive hover:text-destructive"
+												onClick={() => remove(index)}
+											>
+												<Trash2 className="h-4 w-4" />
+											</Button>
+										</div>
+									))}
+								</div>
+							)}
+
+							{fields.length === 0 && (
+								<p className="text-sm text-muted-foreground">
+									No ulimits configured. Click &quot;Add Ulimit&quot; to set
+									resource limits.
+								</p>
+							)}
+						</div>
+
 						<div className="flex w-full justify-end">
-							<Button isLoading={isLoading} type="submit">
+							<Button isLoading={isPending} type="submit">
 								Save
 							</Button>
 						</div>

apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx

@@ -15,13 +15,17 @@ interface Props {
 }
 
 export const ShowTraefikConfig = ({ applicationId }: Props) => {
-	const { data, isLoading } = api.application.readTraefikConfig.useQuery(
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canRead = permissions?.traefikFiles.read ?? false;
+	const { data, isPending } = api.application.readTraefikConfig.useQuery(
 		{
 			applicationId,
 		},
-		{ enabled: !!applicationId },
+		{ enabled: !!applicationId && canRead },
 	);
 
+	if (!canRead) return null;
+
 	return (
 		<Card className="bg-background">
 			<CardHeader className="flex flex-row justify-between">
@@ -35,7 +39,7 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 				</div>
 			</CardHeader>
 			<CardContent className="flex flex-col gap-4">
-				{isLoading ? (
+				{isPending ? (
 					<span className="text-base text-muted-foreground flex flex-row gap-3 items-center justify-center min-h-[10vh]">
 						Loading...
 						<Loader2 className="animate-spin" />

apps/dokploy/components/dashboard/application/advanced/traefik/update-traefik-config.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";
@@ -7,6 +7,7 @@ import { z } from "zod";
 import { AlertBlock } from "@/components/shared/alert-block";
 import { CodeEditor } from "@/components/shared/code-editor";
 import { Button } from "@/components/ui/button";
+import { Checkbox } from "@/components/ui/checkbox";
 import {
 	Dialog,
 	DialogContent,
@@ -24,6 +25,7 @@ import {
 	FormLabel,
 	FormMessage,
 } from "@/components/ui/form";
+import { Label } from "@/components/ui/label";
 import { api } from "@/utils/api";
 
 const UpdateTraefikConfigSchema = z.object({
@@ -58,7 +60,10 @@ export const validateAndFormatYAML = (yamlText: string) => {
 };
 
 export const UpdateTraefikConfig = ({ applicationId }: Props) => {
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canWrite = permissions?.traefikFiles.write ?? false;
 	const [open, setOpen] = useState(false);
+	const [skipYamlValidation, setSkipYamlValidation] = useState(false);
 	const { data, refetch } = api.application.readTraefikConfig.useQuery(
 		{
 			applicationId,
@@ -66,7 +71,7 @@ export const UpdateTraefikConfig = ({ applicationId }: Props) => {
 		{ enabled: !!applicationId },
 	);
 
-	const { mutateAsync, isLoading, error, isError } =
+	const { mutateAsync, isPending, error, isError } =
 		api.application.updateTraefikConfig.useMutation();
 
 	const form = useForm<UpdateTraefikConfig>({
@@ -85,13 +90,15 @@ export const UpdateTraefikConfig = ({ applicationId }: Props) => {
 	}, [data]);
 
 	const onSubmit = async (data: UpdateTraefikConfig) => {
-		const { valid, error } = validateAndFormatYAML(data.traefikConfig);
-		if (!valid) {
-			form.setError("traefikConfig", {
-				type: "manual",
-				message: (error as string) || "Invalid YAML",
-			});
-			return;
+		if (!skipYamlValidation) {
+			const { valid, error } = validateAndFormatYAML(data.traefikConfig);
+			if (!valid) {
+				form.setError("traefikConfig", {
+					type: "manual",
+					message: (error as string) || "Invalid YAML",
+				});
+				return;
+			}
 		}
 		form.clearErrors("traefikConfig");
 		await mutateAsync({
@@ -116,12 +123,15 @@ export const UpdateTraefikConfig = ({ applicationId }: Props) => {
 				setOpen(open);
 				if (!open) {
 					form.reset();
+					setSkipYamlValidation(false);
 				}
 			}}
 		>
-			<DialogTrigger asChild>
-				<Button isLoading={isLoading}>Modify</Button>
-			</DialogTrigger>
+			{canWrite && (
+				<DialogTrigger asChild>
+					<Button isLoading={isPending}>Modify</Button>
+				</DialogTrigger>
+			)}
 			<DialogContent className="sm:max-w-4xl">
 				<DialogHeader>
 					<DialogTitle>Update traefik config</DialogTitle>
@@ -169,9 +179,30 @@ routers:
 						</div>
 					</form>
 
-					<DialogFooter>
+					<DialogFooter className="flex-col sm:flex-row gap-4">
+						<div className="flex flex-col gap-1 w-full sm:w-auto sm:mr-auto">
+							<div className="flex items-center space-x-2">
+								<Checkbox
+									id="skip-yaml-validation-app"
+									checked={skipYamlValidation}
+									onCheckedChange={(checked) =>
+										setSkipYamlValidation(checked === true)
+									}
+								/>
+								<Label
+									htmlFor="skip-yaml-validation-app"
+									className="text-sm font-normal cursor-pointer"
+								>
+									Skip YAML validation (for Go templating)
+								</Label>
+							</div>
+							<p className="text-sm text-muted-foreground">
+								Check to save configs with Go templating (e.g.{" "}
+								<code className="text-xs">{"{{range}}"}</code>).
+							</p>
+						</div>
 						<Button
-							isLoading={isLoading}
+							isLoading={isPending}
 							form="hook-form-update-traefik-config"
 							type="submit"
 						>

apps/dokploy/components/dashboard/application/advanced/volumes/add-volumes.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { PlusIcon } from "lucide-react";
 import type React from "react";
 import { useEffect, useState } from "react";
@@ -34,13 +34,13 @@ interface Props {
 	serviceId: string;
 	serviceType:
 		| "application"
-		| "postgres"
-		| "redis"
-		| "mongo"
-		| "redis"
-		| "mysql"
+		| "compose"
+		| "libsql"
 		| "mariadb"
-		| "compose";
+		| "mongo"
+		| "mysql"
+		| "postgres"
+		| "redis";
 	refetch: () => void;
 	children?: React.ReactNode;
 }

apps/dokploy/components/dashboard/application/advanced/volumes/show-volumes.tsx

@@ -21,24 +21,33 @@ interface Props {
 }
 
 export const ShowVolumes = ({ id, type }: Props) => {
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canRead = permissions?.volume.read ?? false;
+	const canCreate = permissions?.volume.create ?? false;
+	const canDelete = permissions?.volume.delete ?? false;
+
+	if (!canRead) return null;
+
 	const queryMap = {
+		application: () =>
+			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
+		compose: () =>
+			api.compose.one.useQuery({ composeId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
+		mariadb: () =>
+			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
+		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
 		postgres: () =>
 			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
 		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
-		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
-		mariadb: () =>
-			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
-		application: () =>
-			api.application.one.useQuery({ applicationId: id }, { enabled: !!id }),
-		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
-		compose: () =>
-			api.compose.one.useQuery({ composeId: id }, { enabled: !!id }),
 	};
 	const { data, refetch } = queryMap[type]
 		? queryMap[type]()
 		: api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id });
-	const { mutateAsync: deleteVolume, isLoading: isRemoving } =
+	const { mutateAsync: deleteVolume, isPending: isRemoving } =
 		api.mounts.remove.useMutation();
+
 	return (
 		<Card className="bg-background">
 			<CardHeader className="flex flex-row justify-between flex-wrap gap-4">
@@ -50,7 +59,7 @@ export const ShowVolumes = ({ id, type }: Props) => {
 					</CardDescription>
 				</div>
 
-				{data && data?.mounts.length > 0 && (
+				{canCreate && data && data?.mounts.length > 0 && (
 					<AddVolumes serviceId={id} refetch={refetch} serviceType={type}>
 						Add Volume
 					</AddVolumes>
@@ -63,9 +72,11 @@ export const ShowVolumes = ({ id, type }: Props) => {
 						<span className="text-base text-muted-foreground">
 							No volumes/mounts configured
 						</span>
-						<AddVolumes serviceId={id} refetch={refetch} serviceType={type}>
-							Add Volume
-						</AddVolumes>
+						{canCreate && (
+							<AddVolumes serviceId={id} refetch={refetch} serviceType={type}>
+								Add Volume
+							</AddVolumes>
+						)}
 					</div>
 				) : (
 					<div className="flex flex-col pt-2 gap-4">
@@ -130,38 +141,42 @@ export const ShowVolumes = ({ id, type }: Props) => {
 											</div>
 										</div>
 										<div className="flex flex-row gap-1">
-											<UpdateVolume
-												mountId={mount.mountId}
-												type={mount.type}
-												refetch={refetch}
-												serviceType={type}
-											/>
-											<DialogAction
-												title="Delete Volume"
-												description="Are you sure you want to delete this volume?"
-												type="destructive"
-												onClick={async () => {
-													await deleteVolume({
-														mountId: mount.mountId,
-													})
-														.then(() => {
-															refetch();
-															toast.success("Volume deleted successfully");
+											{canCreate && (
+												<UpdateVolume
+													mountId={mount.mountId}
+													type={mount.type}
+													refetch={refetch}
+													serviceType={type}
+												/>
+											)}
+											{canDelete && (
+												<DialogAction
+													title="Delete Volume"
+													description="Are you sure you want to delete this volume?"
+													type="destructive"
+													onClick={async () => {
+														await deleteVolume({
+															mountId: mount.mountId,
 														})
-														.catch(() => {
-															toast.error("Error deleting volume");
-														});
-												}}
-											>
-												<Button
-													variant="ghost"
-													size="icon"
-													className="group hover:bg-red-500/10"
-													isLoading={isRemoving}
+															.then(() => {
+																refetch();
+																toast.success("Volume deleted successfully");
+															})
+															.catch(() => {
+																toast.error("Error deleting volume");
+															});
+													}}
 												>
-													<Trash2 className="size-4 text-primary group-hover:text-red-500" />
-												</Button>
-											</DialogAction>
+													<Button
+														variant="ghost"
+														size="icon"
+														className="group hover:bg-red-500/10"
+														isLoading={isRemoving}
+													>
+														<Trash2 className="size-4 text-primary group-hover:text-red-500" />
+													</Button>
+												</DialogAction>
+											)}
 										</div>
 									</div>
 								</div>

apps/dokploy/components/dashboard/application/advanced/volumes/update-volume.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { PenBoxIcon } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -67,13 +67,13 @@ interface Props {
 	refetch: () => void;
 	serviceType:
 		| "application"
-		| "postgres"
-		| "redis"
-		| "mongo"
-		| "redis"
-		| "mysql"
+		| "compose"
+		| "libsql"
 		| "mariadb"
-		| "compose";
+		| "mongo"
+		| "mysql"
+		| "postgres"
+		| "redis";
 }
 
 export const UpdateVolume = ({
@@ -93,7 +93,7 @@ export const UpdateVolume = ({
 		},
 	);
 
-	const { mutateAsync, isLoading, error, isError } =
+	const { mutateAsync, isPending, error, isError } =
 		api.mounts.update.useMutation();
 
 	const form = useForm<UpdateMount>({
@@ -187,7 +187,7 @@ export const UpdateVolume = ({
 					variant="ghost"
 					size="icon"
 					className="group hover:bg-blue-500/10 "
-					isLoading={isLoading}
+					isLoading={isPending}
 				>
 					<PenBoxIcon className="size-3.5  text-primary group-hover:text-blue-500" />
 				</Button>
@@ -253,7 +253,7 @@ export const UpdateVolume = ({
 										control={form.control}
 										name="content"
 										render={({ field }) => (
-											<FormItem className="max-w-full max-w-[45rem]">
+											<FormItem className="w-full max-w-[45rem]">
 												<FormLabel>Content</FormLabel>
 												<FormControl>
 													<FormControl>
@@ -310,7 +310,7 @@ PORT=3000
 						</div>
 						<DialogFooter>
 							<Button
-								isLoading={isLoading}
+								isLoading={isPending}
 								// form="hook-form-update-volume"
 								type="submit"
 							>

apps/dokploy/components/dashboard/application/build/show.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { Cog } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -74,12 +74,7 @@ const buildTypeDisplayMap: Record<BuildType, string> = {
 const mySchema = z.discriminatedUnion("buildType", [
 	z.object({
 		buildType: z.literal(BuildType.dockerfile),
-		dockerfile: z
-			.string({
-				required_error: "Dockerfile path is required",
-				invalid_type_error: "Dockerfile path is required",
-			})
-			.min(1, "Dockerfile required"),
+		dockerfile: z.string().nullable().default(""),
 		dockerContextPath: z.string().nullable().default(""),
 		dockerBuildStage: z.string().nullable().default(""),
 	}),
@@ -168,14 +163,14 @@ const resetData = (data: ApplicationData): AddTemplate => {
 };
 
 export const ShowBuildChooseForm = ({ applicationId }: Props) => {
-	const { mutateAsync, isLoading } =
+	const { mutateAsync, isPending } =
 		api.application.saveBuildType.useMutation();
 	const { data, refetch } = api.application.one.useQuery(
 		{ applicationId },
 		{ enabled: !!applicationId },
 	);
 
-	const form = useForm<AddTemplate>({
+	const form = useForm({
 		defaultValues: {
 			buildType: BuildType.nixpacks,
 		},
@@ -207,6 +202,11 @@ export const ShowBuildChooseForm = ({ applicationId }: Props) => {
 		}
 	}, [data, form]);
 
+	// Hide builder section when Docker provider is selected
+	if (data?.sourceType === "docker") {
+		return null;
+	}
+
 	const onSubmit = async (data: AddTemplate) => {
 		await mutateAsync({
 			applicationId,
@@ -342,7 +342,7 @@ export const ShowBuildChooseForm = ({ applicationId }: Props) => {
 											<FormLabel>Docker File</FormLabel>
 											<FormControl>
 												<Input
-													placeholder="Path of your docker file"
+													placeholder="Path of your docker file (default: Dockerfile)"
 													{...field}
 													value={field.value ?? ""}
 												/>
@@ -528,7 +528,7 @@ export const ShowBuildChooseForm = ({ applicationId }: Props) => {
 							</>
 						)}
 						<div className="flex w-full justify-end">
-							<Button isLoading={isLoading} type="submit">
+							<Button isLoading={isPending} type="submit">
 								Save
 							</Button>
 						</div>

apps/dokploy/components/dashboard/application/deployments/cancel-queues.tsx

@@ -1,4 +1,4 @@
-import { Paintbrush } from "lucide-react";
+import { Ban } from "lucide-react";
 import { toast } from "sonner";
 import {
 	AlertDialog,
@@ -20,7 +20,7 @@ interface Props {
 }
 
 export const CancelQueues = ({ id, type }: Props) => {
-	const { mutateAsync, isLoading } =
+	const { mutateAsync, isPending } =
 		type === "application"
 			? api.application.cleanQueues.useMutation()
 			: api.compose.cleanQueues.useMutation();
@@ -33,9 +33,9 @@ export const CancelQueues = ({ id, type }: Props) => {
 	return (
 		<AlertDialog>
 			<AlertDialogTrigger asChild>
-				<Button variant="destructive" className="w-fit" isLoading={isLoading}>
+				<Button variant="destructive" className="w-fit" isLoading={isPending}>
 					Cancel Queues
-					<Paintbrush className="size-4" />
+					<Ban className="size-4" />
 				</Button>
 			</AlertDialogTrigger>
 			<AlertDialogContent>

apps/dokploy/components/dashboard/application/deployments/clear-deployments.tsx

@@ -0,0 +1,73 @@
+import { Paintbrush } from "lucide-react";
+import { toast } from "sonner";
+import {
+	AlertDialog,
+	AlertDialogAction,
+	AlertDialogCancel,
+	AlertDialogContent,
+	AlertDialogDescription,
+	AlertDialogFooter,
+	AlertDialogHeader,
+	AlertDialogTitle,
+	AlertDialogTrigger,
+} from "@/components/ui/alert-dialog";
+import { Button } from "@/components/ui/button";
+import { api } from "@/utils/api";
+
+interface Props {
+	id: string;
+	type: "application" | "compose";
+}
+
+export const ClearDeployments = ({ id, type }: Props) => {
+	const utils = api.useUtils();
+	const { mutateAsync, isPending } =
+		type === "application"
+			? api.application.clearDeployments.useMutation()
+			: api.compose.clearDeployments.useMutation();
+
+	return (
+		<AlertDialog>
+			<AlertDialogTrigger asChild>
+				<Button variant="outline" className="w-fit" isLoading={isPending}>
+					Clear deployments
+					<Paintbrush className="size-4" />
+				</Button>
+			</AlertDialogTrigger>
+			<AlertDialogContent>
+				<AlertDialogHeader>
+					<AlertDialogTitle>
+						Are you sure you want to clear old deployments?
+					</AlertDialogTitle>
+					<AlertDialogDescription>
+						This will delete all old deployment records and logs, keeping only
+						the active deployment (the most recent successful one).
+					</AlertDialogDescription>
+				</AlertDialogHeader>
+				<AlertDialogFooter>
+					<AlertDialogCancel>Cancel</AlertDialogCancel>
+					<AlertDialogAction
+						onClick={async () => {
+							await mutateAsync({
+								applicationId: id || "",
+								composeId: id || "",
+							})
+								.then(async () => {
+									toast.success("Old deployments cleared successfully");
+									await utils.deployment.allByType.invalidate({
+										id,
+										type: type as "application" | "compose",
+									});
+								})
+								.catch((err) => {
+									toast.error(err.message);
+								});
+						}}
+					>
+						Confirm
+					</AlertDialogAction>
+				</AlertDialogFooter>
+			</AlertDialogContent>
+		</AlertDialog>
+	);
+};

apps/dokploy/components/dashboard/application/deployments/kill-build.tsx

@@ -20,7 +20,7 @@ interface Props {
 }
 
 export const KillBuild = ({ id, type }: Props) => {
-	const { mutateAsync, isLoading } =
+	const { mutateAsync, isPending } =
 		type === "application"
 			? api.application.killBuild.useMutation()
 			: api.compose.killBuild.useMutation();
@@ -28,7 +28,7 @@ export const KillBuild = ({ id, type }: Props) => {
 	return (
 		<AlertDialog>
 			<AlertDialogTrigger asChild>
-				<Button variant="outline" className="w-fit" isLoading={isLoading}>
+				<Button variant="outline" className="w-fit" isLoading={isPending}>
 					Kill Build
 					<Scissors className="size-4" />
 				</Button>

apps/dokploy/components/dashboard/application/deployments/show-deployment.tsx

@@ -1,6 +1,7 @@
 import copy from "copy-to-clipboard";
 import { Check, Copy, Loader2 } from "lucide-react";
 import { useEffect, useRef, useState } from "react";
+import { AnalyzeLogs } from "@/components/dashboard/docker/logs/analyze-logs";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Checkbox } from "@/components/ui/checkbox";
@@ -165,6 +166,7 @@ export const ShowDeployment = ({
 								<Copy className="h-3.5 w-3.5" />
 							)}
 						</Button>
+						<AnalyzeLogs logs={filteredLogs} context="build" />
 
 						{serverId && (
 							<div className="flex items-center space-x-2">
@@ -194,13 +196,21 @@ export const ShowDeployment = ({
 					{" "}
 					{filteredLogs.length > 0 ? (
 						filteredLogs.map((log: LogLine, index: number) => (
-							<TerminalLine key={index} log={log} noTimestamp />
+							<TerminalLine
+								key={`${log.rawTimestamp ?? ""}-${index}`}
+								log={log}
+								noTimestamp
+							/>
 						))
 					) : (
 						<>
 							{optionalErrors.length > 0 ? (
 								optionalErrors.map((log: LogLine, index: number) => (
-									<TerminalLine key={`extra-${index}`} log={log} noTimestamp />
+									<TerminalLine
+										key={`extra-${log.rawTimestamp ?? ""}-${index}`}
+										log={log}
+										noTimestamp
+									/>
 								))
 							) : (
 								<div className="flex justify-center items-center h-full text-muted-foreground">

apps/dokploy/components/dashboard/application/deployments/show-deployments.tsx

@@ -1,11 +1,14 @@
+import copy from "copy-to-clipboard";
 import {
 	ChevronDown,
 	ChevronUp,
 	Clock,
+	Copy,
 	Loader2,
 	RefreshCcw,
 	RocketIcon,
 	Settings,
+	Trash2,
 } from "lucide-react";
 import React, { useEffect, useMemo, useState } from "react";
 import { toast } from "sonner";
@@ -25,6 +28,7 @@ import {
 import { api, type RouterOutputs } from "@/utils/api";
 import { ShowRollbackSettings } from "../rollbacks/show-rollback-settings";
 import { CancelQueues } from "./cancel-queues";
+import { ClearDeployments } from "./clear-deployments";
 import { KillBuild } from "./kill-build";
 import { RefreshToken } from "./refresh-token";
 import { ShowDeployment } from "./show-deployment";
@@ -59,7 +63,7 @@ export const ShowDeployments = ({
 	const [activeLog, setActiveLog] = useState<
 		RouterOutputs["deployment"]["all"][number] | null
 	>(null);
-	const { data: deployments, isLoading: isLoadingDeployments } =
+	const { data: deployments, isPending: isLoadingDeployments } =
 		api.deployment.allByType.useQuery(
 			{
 				id,
@@ -73,19 +77,21 @@ export const ShowDeployments = ({
 
 	const { data: isCloud } = api.settings.isCloud.useQuery();
 
-	const { mutateAsync: rollback, isLoading: isRollingBack } =
+	const { mutateAsync: rollback, isPending: isRollingBack } =
 		api.rollback.rollback.useMutation();
-	const { mutateAsync: killProcess, isLoading: isKillingProcess } =
+	const { mutateAsync: killProcess, isPending: isKillingProcess } =
 		api.deployment.killProcess.useMutation();
+	const { mutateAsync: removeDeployment, isPending: isRemovingDeployment } =
+		api.deployment.removeDeployment.useMutation();
 
 	// Cancel deployment mutations
 	const {
 		mutateAsync: cancelApplicationDeployment,
-		isLoading: isCancellingApp,
+		isPending: isCancellingApp,
 	} = api.application.cancelDeployment.useMutation();
 	const {
 		mutateAsync: cancelComposeDeployment,
-		isLoading: isCancellingCompose,
+		isPending: isCancellingCompose,
 	} = api.compose.cancelDeployment.useMutation();
 
 	const [url, setUrl] = React.useState("");
@@ -93,6 +99,12 @@ export const ShowDeployments = ({
 		new Set(),
 	);
 
+	const webhookUrl = useMemo(
+		() =>
+			`${url}/api/deploy${type === "compose" ? "/compose" : ""}/${refreshToken}`,
+		[url, refreshToken, type],
+	);
+
 	const MAX_DESCRIPTION_LENGTH = 200;
 
 	const truncateDescription = (description: string): string => {
@@ -144,6 +156,9 @@ export const ShowDeployments = ({
 					</CardDescription>
 				</div>
 				<div className="flex flex-row items-center flex-wrap gap-2">
+					{(type === "application" || type === "compose") && (
+						<ClearDeployments id={id} type={type} />
+					)}
 					{(type === "application" || type === "compose") && (
 						<KillBuild id={id} type={type} />
 					)}
@@ -217,11 +232,27 @@ export const ShowDeployments = ({
 						<div className="flex flex-row items-center gap-2 flex-wrap">
 							<span>Webhook URL: </span>
 							<div className="flex flex-row items-center gap-2">
-								<span className="break-all text-muted-foreground">
-									{`${url}/api/deploy${
-										type === "compose" ? "/compose" : ""
-									}/${refreshToken}`}
-								</span>
+								<Badge
+									role="button"
+									tabIndex={0}
+									aria-label="Copy webhook URL to clipboard"
+									className="p-2 rounded-md ml-1 mr-1 hover:border-primary hover:text-primary-foreground hover:bg-primary hover:cursor-pointer whitespace-normal break-all"
+									variant="outline"
+									onKeyDown={(event) => {
+										if (event.key === "Enter" || event.key === " ") {
+											event.preventDefault();
+											copy(webhookUrl);
+											toast.success("Copied to clipboard.");
+										}
+									}}
+									onClick={() => {
+										copy(webhookUrl);
+										toast.success("Copied to clipboard.");
+									}}
+								>
+									{webhookUrl}
+									<Copy className="h-4 w-4 ml-2" />
+								</Badge>
 								{(type === "application" || type === "compose") && (
 									<RefreshToken id={id} type={type} />
 								)}
@@ -252,6 +283,8 @@ export const ShowDeployments = ({
 							const isExpanded = expandedDescriptions.has(
 								deployment.deploymentId,
 							);
+							const canDelete =
+								deployment.status === "done" || deployment.status === "error";
 
 							return (
 								<div
@@ -370,6 +403,33 @@ export const ShowDeployments = ({
 												View
 											</Button>
 
+											{canDelete && (
+												<DialogAction
+													title="Delete Deployment"
+													description="Are you sure you want to delete this deployment? This action cannot be undone."
+													type="default"
+													onClick={async () => {
+														try {
+															await removeDeployment({
+																deploymentId: deployment.deploymentId,
+															});
+															toast.success("Deployment deleted successfully");
+														} catch (error) {
+															toast.error("Error deleting deployment");
+														}
+													}}
+												>
+													<Button
+														variant="destructive"
+														size="sm"
+														isLoading={isRemovingDeployment}
+													>
+														Delete
+														<Trash2 className="size-4" />
+													</Button>
+												</DialogAction>
+											)}
+
 											{deployment?.rollback &&
 												deployment.status === "done" &&
 												type === "application" && (

apps/dokploy/components/dashboard/application/domains/columns.tsx

@@ -0,0 +1,303 @@
+import type { ColumnDef } from "@tanstack/react-table";
+import {
+	ArrowUpDown,
+	CheckCircle2,
+	ExternalLink,
+	Loader2,
+	PenBoxIcon,
+	RefreshCw,
+	Server,
+	Trash2,
+	XCircle,
+} from "lucide-react";
+import Link from "next/link";
+import { DialogAction } from "@/components/shared/dialog-action";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+	Tooltip,
+	TooltipContent,
+	TooltipProvider,
+	TooltipTrigger,
+} from "@/components/ui/tooltip";
+import type { RouterOutputs } from "@/utils/api";
+import { DnsHelperModal } from "./dns-helper-modal";
+import { AddDomain } from "./handle-domain";
+import type { ValidationStates } from "./show-domains";
+
+export type Domain =
+	| RouterOutputs["domain"]["byApplicationId"][0]
+	| RouterOutputs["domain"]["byComposeId"][0];
+
+interface ColumnsProps {
+	id: string;
+	type: "application" | "compose";
+	validationStates: ValidationStates;
+	handleValidateDomain: (host: string) => Promise<void>;
+	handleDeleteDomain: (domainId: string) => Promise<void>;
+	isDeleting: boolean;
+	serverIp?: string;
+	canCreateDomain: boolean;
+	canDeleteDomain: boolean;
+}
+
+export const createColumns = ({
+	id,
+	type,
+	validationStates,
+	handleValidateDomain,
+	handleDeleteDomain,
+	isDeleting,
+	serverIp,
+	canCreateDomain,
+	canDeleteDomain,
+}: ColumnsProps): ColumnDef<Domain>[] => [
+	...(type === "compose"
+		? [
+				{
+					accessorKey: "serviceName",
+					header: "Service",
+					cell: ({ row }: { row: { getValue: (key: string) => unknown } }) => {
+						const serviceName = row.getValue("serviceName") as string | null;
+						if (!serviceName) return null;
+						return (
+							<Badge variant="outline">
+								<Server className="size-3 mr-1" />
+								{serviceName}
+							</Badge>
+						);
+					},
+				} satisfies ColumnDef<Domain>,
+			]
+		: []),
+	{
+		accessorKey: "host",
+		header: ({ column }) => {
+			return (
+				<Button
+					variant="ghost"
+					onClick={() => column.toggleSorting(column.getIsSorted() === "asc")}
+				>
+					Host
+					<ArrowUpDown className="ml-2 h-4 w-4" />
+				</Button>
+			);
+		},
+		cell: ({ row }) => {
+			const domain = row.original;
+			return (
+				<Link
+					className="flex items-center gap-2 font-medium hover:underline"
+					target="_blank"
+					href={`${domain.https ? "https" : "http"}://${domain.host}${domain.path}`}
+				>
+					{domain.host}
+					<ExternalLink className="size-3" />
+				</Link>
+			);
+		},
+	},
+	{
+		accessorKey: "path",
+		header: ({ column }) => {
+			return (
+				<Button
+					variant="ghost"
+					onClick={() => column.toggleSorting(column.getIsSorted() === "asc")}
+				>
+					Path
+					<ArrowUpDown className="ml-2 h-4 w-4" />
+				</Button>
+			);
+		},
+		cell: ({ row }) => {
+			const path = row.getValue("path") as string;
+			return <div className="font-mono text-sm">{path || "/"}</div>;
+		},
+	},
+	{
+		accessorKey: "port",
+		header: ({ column }) => {
+			return (
+				<Button
+					variant="ghost"
+					onClick={() => column.toggleSorting(column.getIsSorted() === "asc")}
+				>
+					Port
+					<ArrowUpDown className="ml-2 h-4 w-4" />
+				</Button>
+			);
+		},
+		cell: ({ row }) => {
+			const port = row.getValue("port") as number;
+			return <Badge variant="secondary">{port}</Badge>;
+		},
+	},
+	{
+		accessorKey: "customEntrypoint",
+		header: "Entrypoint",
+		cell: ({ row }) => {
+			const entrypoint = row.getValue("customEntrypoint") as string | null;
+			if (!entrypoint) return <span className="text-muted-foreground">-</span>;
+			return <div className="font-mono text-sm">{entrypoint}</div>;
+		},
+	},
+	{
+		accessorKey: "https",
+		header: "Protocol",
+		cell: ({ row }) => {
+			const https = row.getValue("https") as boolean;
+			return (
+				<Badge variant={https ? "outline" : "secondary"}>
+					{https ? "HTTPS" : "HTTP"}
+				</Badge>
+			);
+		},
+	},
+	{
+		id: "certificate",
+		header: "Certificate",
+		cell: ({ row }) => {
+			const domain = row.original;
+			const validationState = validationStates[domain.host];
+
+			return (
+				<div className="flex items-center gap-2">
+					{domain.certificateType && (
+						<Badge variant="outline" className="capitalize">
+							{domain.certificateType}
+						</Badge>
+					)}
+					{!domain.host.includes("sslip.io") && (
+						<TooltipProvider>
+							<Tooltip>
+								<TooltipTrigger asChild>
+									<Badge
+										variant="outline"
+										className={
+											validationState?.isValid
+												? "bg-green-500/10 text-green-500 cursor-pointer"
+												: validationState?.error
+													? "bg-red-500/10 text-red-500 cursor-pointer"
+													: "bg-yellow-500/10 text-yellow-500 cursor-pointer"
+										}
+										onClick={() => handleValidateDomain(domain.host)}
+									>
+										{validationState?.isLoading ? (
+											<>
+												<Loader2 className="size-3 mr-1 animate-spin" />
+												Checking...
+											</>
+										) : validationState?.isValid ? (
+											<>
+												<CheckCircle2 className="size-3 mr-1" />
+												{validationState.message && validationState.cdnProvider
+													? `${validationState.cdnProvider}`
+													: "Valid"}
+											</>
+										) : validationState?.error ? (
+											<>
+												<XCircle className="size-3 mr-1" />
+												Invalid
+											</>
+										) : (
+											<>
+												<RefreshCw className="size-3 mr-1" />
+												Validate
+											</>
+										)}
+									</Badge>
+								</TooltipTrigger>
+								<TooltipContent className="max-w-xs">
+									{validationState?.error ? (
+										<div className="flex flex-col gap-1">
+											<p className="font-medium text-red-500">Error:</p>
+											<p>{validationState.error}</p>
+										</div>
+									) : (
+										"Click to validate DNS configuration"
+									)}
+								</TooltipContent>
+							</Tooltip>
+						</TooltipProvider>
+					)}
+				</div>
+			);
+		},
+	},
+	{
+		accessorKey: "createdAt",
+		header: ({ column }) => {
+			return (
+				<Button
+					variant="ghost"
+					onClick={() => column.toggleSorting(column.getIsSorted() === "asc")}
+				>
+					Created
+					<ArrowUpDown className="ml-2 h-4 w-4" />
+				</Button>
+			);
+		},
+		cell: ({ row }) => {
+			const createdAt = row.getValue("createdAt") as string;
+			return (
+				<div className="text-sm text-muted-foreground">
+					{new Date(createdAt).toLocaleDateString()}
+				</div>
+			);
+		},
+	},
+	{
+		id: "actions",
+		header: "Actions",
+		enableHiding: false,
+		cell: ({ row }) => {
+			const domain = row.original;
+
+			return (
+				<div className="flex items-center gap-2">
+					{!domain.host.includes("sslip.io") && (
+						<DnsHelperModal
+							domain={{
+								host: domain.host,
+								https: domain.https,
+								path: domain.path || undefined,
+							}}
+							serverIp={serverIp}
+						/>
+					)}
+					{canCreateDomain && (
+						<AddDomain id={id} type={type} domainId={domain.domainId}>
+							<Button
+								variant="ghost"
+								size="icon"
+								className="group hover:bg-blue-500/10 h-8 w-8"
+							>
+								<PenBoxIcon className="size-3.5 text-primary group-hover:text-blue-500" />
+							</Button>
+						</AddDomain>
+					)}
+					{canDeleteDomain && (
+						<DialogAction
+							title="Delete Domain"
+							description="Are you sure you want to delete this domain?"
+							type="destructive"
+							onClick={async () => {
+								await handleDeleteDomain(domain.domainId);
+							}}
+						>
+							<Button
+								variant="ghost"
+								size="icon"
+								className="group hover:bg-red-500/10 h-8 w-8"
+								isLoading={isDeleting}
+							>
+								<Trash2 className="size-4 text-primary group-hover:text-red-500" />
+							</Button>
+						</DialogAction>
+					)}
+				</div>
+			);
+		},
+	},
+];

apps/dokploy/components/dashboard/application/domains/handle-domain.tsx

@@ -1,11 +1,12 @@
-import { zodResolver } from "@hookform/resolvers/zod";
-import { DatabaseZap, Dices, RefreshCw } from "lucide-react";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { DatabaseZap, Dices, RefreshCw, X } from "lucide-react";
 import Link from "next/link";
 import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";
 import z from "zod";
 import { AlertBlock } from "@/components/shared/alert-block";
+import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import {
 	Dialog,
@@ -61,11 +62,14 @@ export const domain = z
 			.min(1, { message: "Port must be at least 1" })
 			.max(65535, { message: "Port must be 65535 or below" })
 			.optional(),
+		useCustomEntrypoint: z.boolean(),
+		customEntrypoint: z.string().optional(),
 		https: z.boolean().optional(),
 		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
 		customCertResolver: z.string().optional(),
 		serviceName: z.string().optional(),
 		domainType: z.enum(["application", "compose", "preview"]).optional(),
+		middlewares: z.array(z.string()).optional(),
 	})
 	.superRefine((input, ctx) => {
 		if (input.https && !input.certificateType) {
@@ -114,6 +118,14 @@ export const domain = z
 				message: "Internal path must start with '/'",
 			});
 		}
+
+		if (input.useCustomEntrypoint && !input.customEntrypoint) {
+			ctx.addIssue({
+				code: z.ZodIssueCode.custom,
+				path: ["customEntrypoint"],
+				message: "Custom entry point must be specified",
+			});
+		}
 	});
 
 type Domain = z.infer<typeof domain>;
@@ -159,11 +171,11 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 					},
 				);
 
-	const { mutateAsync, isError, error, isLoading } = domainId
+	const { mutateAsync, isError, error, isPending } = domainId
 		? api.domain.update.useMutation()
 		: api.domain.create.useMutation();
 
-	const { mutateAsync: generateDomain, isLoading: isLoadingGenerate } =
+	const { mutateAsync: generateDomain, isPending: isLoadingGenerate } =
 		api.domain.generateDomain.useMutation();
 
 	const { data: canGenerateTraefikMeDomains } =
@@ -196,20 +208,24 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 			internalPath: undefined,
 			stripPath: false,
 			port: undefined,
+			useCustomEntrypoint: false,
+			customEntrypoint: undefined,
 			https: false,
 			certificateType: undefined,
 			customCertResolver: undefined,
 			serviceName: undefined,
 			domainType: type,
+			middlewares: [],
 		},
 		mode: "onChange",
 	});
 
 	const certificateType = form.watch("certificateType");
+	const useCustomEntrypoint = form.watch("useCustomEntrypoint");
 	const https = form.watch("https");
 	const domainType = form.watch("domainType");
 	const host = form.watch("host");
-	const isTraefikMeDomain = host?.includes("traefik.me") || false;
+	const isTraefikMeDomain = host?.includes("sslip.io") || false;
 
 	useEffect(() => {
 		if (data) {
@@ -220,10 +236,13 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 				internalPath: data?.internalPath || undefined,
 				stripPath: data?.stripPath || false,
 				port: data?.port || undefined,
+				useCustomEntrypoint: !!data.customEntrypoint,
+				customEntrypoint: data.customEntrypoint || undefined,
 				certificateType: data?.certificateType || undefined,
 				customCertResolver: data?.customCertResolver || undefined,
 				serviceName: data?.serviceName || undefined,
 				domainType: data?.domainType || type,
+				middlewares: data?.middlewares || [],
 			});
 		}
 
@@ -234,13 +253,16 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 				internalPath: undefined,
 				stripPath: false,
 				port: undefined,
+				useCustomEntrypoint: false,
+				customEntrypoint: undefined,
 				https: false,
 				certificateType: undefined,
 				customCertResolver: undefined,
 				domainType: type,
+				middlewares: [],
 			});
 		}
-	}, [form, data, isLoading, domainId]);
+	}, [form, data, isPending, domainId]);
 
 	// Separate effect for handling custom cert resolver validation
 	useEffect(() => {
@@ -268,6 +290,7 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 				composeId: id,
 			}),
 			...data,
+			customEntrypoint: data.useCustomEntrypoint ? data.customEntrypoint : null,
 		})
 			.then(async () => {
 				toast.success(dictionary.success);
@@ -490,7 +513,7 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 									render={({ field }) => (
 										<FormItem>
 											{!canGenerateTraefikMeDomains &&
-												field.value.includes("traefik.me") && (
+												field.value.includes("sslip.io") && (
 													<AlertBlock type="warning">
 														You need to set an IP address in your{" "}
 														<Link
@@ -501,12 +524,12 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 																? "Remote Servers -> Server -> Edit Server -> Update IP Address"
 																: "Web Server -> Server -> Update Server IP"}
 														</Link>{" "}
-														to make your traefik.me domain work.
+														to make your sslip.io domain work.
 													</AlertBlock>
 												)}
 											{isTraefikMeDomain && (
 												<AlertBlock type="info">
-													<strong>Note:</strong> traefik.me is a public HTTP
+													<strong>Note:</strong> sslip.io is a public HTTP
 													service and does not support SSL/HTTPS. HTTPS and
 													certificate options will not have any effect.
 												</AlertBlock>
@@ -544,7 +567,7 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 															sideOffset={5}
 															className="max-w-[10rem]"
 														>
-															<p>Generate traefik.me domain</p>
+															<p>Generate sslip.io domain</p>
 														</TooltipContent>
 													</Tooltip>
 												</TooltipProvider>
@@ -635,6 +658,55 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 									}}
 								/>
 
+								<FormField
+									control={form.control}
+									name="useCustomEntrypoint"
+									render={({ field }) => (
+										<FormItem className="flex flex-row items-center justify-between p-3 mt-4 border rounded-lg shadow-sm">
+											<div className="space-y-0.5">
+												<FormLabel>Custom Entrypoint</FormLabel>
+												<FormDescription>
+													Use custom entrypoint for domain
+													<br />
+													"web" and/or "websecure" is used by default.
+												</FormDescription>
+												<FormMessage />
+											</div>
+											<FormControl>
+												<Switch
+													checked={field.value}
+													onCheckedChange={(checked) => {
+														field.onChange(checked);
+														if (!checked) {
+															form.setValue("customEntrypoint", undefined);
+														}
+													}}
+												/>
+											</FormControl>
+										</FormItem>
+									)}
+								/>
+
+								{useCustomEntrypoint && (
+									<FormField
+										control={form.control}
+										name="customEntrypoint"
+										render={({ field }) => (
+											<FormItem className="w-full">
+												<FormLabel>Entrypoint Name</FormLabel>
+												<FormControl>
+													<Input
+														placeholder="Enter entrypoint name manually"
+														{...field}
+														className="w-full"
+													/>
+												</FormControl>
+												<FormMessage />
+											</FormItem>
+										)}
+									/>
+								)}
+
 								<FormField
 									control={form.control}
 									name="https"
@@ -725,12 +797,94 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 										)}
 									</>
 								)}
+								<FormField
+									control={form.control}
+									name="middlewares"
+									render={({ field }) => (
+										<FormItem>
+											<div className="flex items-center gap-2">
+												<FormLabel>Middlewares</FormLabel>
+												<TooltipProvider>
+													<Tooltip>
+														<TooltipTrigger type="button">
+															<div className="size-4 rounded-full bg-muted flex items-center justify-center text-[10px] font-bold">
+																?
+															</div>
+														</TooltipTrigger>
+														<TooltipContent className="max-w-[300px]">
+															<p>
+																Add Traefik middleware references. Middlewares
+																must be defined in your Traefik configuration.
+															</p>
+														</TooltipContent>
+													</Tooltip>
+												</TooltipProvider>
+											</div>
+											<div className="flex flex-wrap gap-2 mb-2">
+												{field.value?.map((name, index) => (
+													<Badge key={index} variant="secondary">
+														{name}
+														<X
+															className="ml-1 size-3 cursor-pointer"
+															onClick={() => {
+																const newMiddlewares = [...(field.value || [])];
+																newMiddlewares.splice(index, 1);
+																form.setValue("middlewares", newMiddlewares);
+															}}
+														/>
+													</Badge>
+												))}
+											</div>
+											<FormControl>
+												<div className="flex gap-2">
+													<Input
+														placeholder="e.g., rate-limit@file, auth@file"
+														onKeyDown={(e) => {
+															if (e.key === "Enter") {
+																e.preventDefault();
+																const input = e.currentTarget;
+																const value = input.value.trim();
+																if (value && !field.value?.includes(value)) {
+																	form.setValue("middlewares", [
+																		...(field.value || []),
+																		value,
+																	]);
+																	input.value = "";
+																}
+															}
+														}}
+													/>
+													<Button
+														type="button"
+														variant="secondary"
+														onClick={() => {
+															const input = document.querySelector(
+																'input[placeholder="e.g., rate-limit@file, auth@file"]',
+															) as HTMLInputElement;
+															const value = input.value.trim();
+															if (value && !field.value?.includes(value)) {
+																form.setValue("middlewares", [
+																	...(field.value || []),
+																	value,
+																]);
+																input.value = "";
+															}
+														}}
+													>
+														Add
+													</Button>
+												</div>
+											</FormControl>
+											<FormMessage />
+										</FormItem>
+									)}
+								/>
 							</div>
 						</div>
 					</form>
 
 					<DialogFooter>
-						<Button isLoading={isLoading} form="hook-form" type="submit">
+						<Button isLoading={isPending} form="hook-form" type="submit">
 							{dictionary.submit}
 						</Button>
 					</DialogFooter>

apps/dokploy/components/dashboard/application/domains/handle-forward-auth.tsx

@@ -0,0 +1,147 @@
+import { ShieldCheck } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import { Switch } from "@/components/ui/switch";
+import { api } from "@/utils/api";
+
+interface Props {
+	domainId: string;
+	applicationId: string;
+}
+
+export const HandleForwardAuth = ({ domainId, applicationId }: Props) => {
+	const [isOpen, setIsOpen] = useState(false);
+
+	const { data: haveValidLicense } =
+		api.licenseKey.haveValidLicenseKey.useQuery();
+
+	const utils = api.useUtils();
+
+	const { data: status } = api.forwardAuth.status.useQuery(
+		{ domainId },
+		{ enabled: isOpen },
+	);
+
+	const { mutateAsync: enable, isPending: isEnabling } =
+		api.forwardAuth.enable.useMutation();
+	const { mutateAsync: disable, isPending: isDisabling } =
+		api.forwardAuth.disable.useMutation();
+
+	if (!haveValidLicense) {
+		return null;
+	}
+
+	const isEnabled = !!status?.enabled;
+	const isPending = isEnabling || isDisabling;
+
+	const refresh = async () => {
+		await utils.forwardAuth.status.invalidate({ domainId });
+		await utils.domain.byApplicationId.invalidate({ applicationId });
+		await utils.application.readTraefikConfig.invalidate({ applicationId });
+	};
+
+	const handleToggle = async (next: boolean) => {
+		try {
+			if (next) {
+				await enable({ domainId });
+				toast.success("SSO authentication enabled for this domain");
+			} else {
+				await disable({ domainId });
+				toast.success("SSO authentication disabled for this domain");
+			}
+			await refresh();
+		} catch (error) {
+			toast.error(
+				error instanceof Error
+					? error.message
+					: "Error updating SSO authentication",
+			);
+		}
+	};
+
+	return (
+		<Dialog open={isOpen} onOpenChange={setIsOpen}>
+			<DialogTrigger asChild>
+				<Button
+					variant="ghost"
+					size="icon"
+					className="group hover:bg-emerald-500/10"
+					title="SSO authentication"
+				>
+					<ShieldCheck
+						className={`size-4 ${
+							isEnabled
+								? "text-emerald-500"
+								: "text-primary group-hover:text-emerald-500"
+						}`}
+					/>
+				</Button>
+			</DialogTrigger>
+			<DialogContent>
+				<DialogHeader>
+					<DialogTitle>SSO Authentication</DialogTitle>
+					<DialogDescription>
+						Require visitors to authenticate against your identity provider
+						before reaching this application.
+					</DialogDescription>
+				</DialogHeader>
+
+				<AlertBlock type="warning">
+					<div className="flex flex-col gap-1">
+						<span className="font-medium">Requirements</span>
+						<ol className="list-decimal pl-4 text-sm">
+							<li>
+								The authentication proxy container must be deployed and running
+								on this app's server. Configure it under{" "}
+								<span className="font-medium">
+									Settings → SSO → Application Authentication
+								</span>
+								.
+							</li>
+							<li>
+								This domain must share the same base domain as the
+								authentication domain (e.g. <code>app.acme.com</code> and{" "}
+								<code>auth.acme.com</code>).
+							</li>
+						</ol>
+					</div>
+				</AlertBlock>
+
+				<div className="flex items-center justify-between rounded-lg border p-4 mt-2">
+					<div className="flex flex-col">
+						<span className="text-sm font-medium">
+							Protect this domain with SSO
+						</span>
+						<span className="text-xs text-muted-foreground">
+							{isEnabled
+								? "Visitors must log in via your identity provider."
+								: "The domain is publicly accessible."}
+						</span>
+					</div>
+					<Switch
+						checked={isEnabled}
+						disabled={isPending}
+						onCheckedChange={handleToggle}
+					/>
+				</div>
+
+				<DialogFooter>
+					<Button variant="outline" onClick={() => setIsOpen(false)}>
+						Close
+					</Button>
+				</DialogFooter>
+			</DialogContent>
+		</Dialog>
+	);
+};

apps/dokploy/components/dashboard/application/domains/show-domains.tsx

@@ -1,8 +1,22 @@
+import {
+	type ColumnFiltersState,
+	flexRender,
+	getCoreRowModel,
+	getFilteredRowModel,
+	getPaginationRowModel,
+	getSortedRowModel,
+	type SortingState,
+	useReactTable,
+	type VisibilityState,
+} from "@tanstack/react-table";
 import {
 	CheckCircle2,
+	ChevronDown,
 	ExternalLink,
 	GlobeIcon,
 	InfoIcon,
+	LayoutGrid,
+	LayoutList,
 	Loader2,
 	PenBoxIcon,
 	RefreshCw,
@@ -23,6 +37,21 @@ import {
 	CardHeader,
 	CardTitle,
 } from "@/components/ui/card";
+import {
+	DropdownMenu,
+	DropdownMenuCheckboxItem,
+	DropdownMenuContent,
+	DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+import { Input } from "@/components/ui/input";
+import {
+	Table,
+	TableBody,
+	TableCell,
+	TableHead,
+	TableHeader,
+	TableRow,
+} from "@/components/ui/table";
 import {
 	Tooltip,
 	TooltipContent,
@@ -30,8 +59,10 @@ import {
 	TooltipTrigger,
 } from "@/components/ui/tooltip";
 import { api } from "@/utils/api";
+import { createColumns } from "./columns";
 import { DnsHelperModal } from "./dns-helper-modal";
 import { AddDomain } from "./handle-domain";
+import { HandleForwardAuth } from "./handle-forward-auth";
 
 export type ValidationState = {
 	isLoading: boolean;
@@ -50,6 +81,9 @@ interface Props {
 }
 
 export const ShowDomains = ({ id, type }: Props) => {
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canCreateDomain = permissions?.domain.create ?? false;
+	const canDeleteDomain = permissions?.domain.delete ?? false;
 	const { data: application } =
 		type === "application"
 			? api.application.one.useQuery(
@@ -71,6 +105,19 @@ export const ShowDomains = ({ id, type }: Props) => {
 	const [validationStates, setValidationStates] = useState<ValidationStates>(
 		{},
 	);
+	const [viewMode, setViewMode] = useState<"grid" | "table">(() => {
+		if (typeof window !== "undefined") {
+			return (
+				(localStorage.getItem("domains-view-mode") as "grid" | "table") ??
+				"grid"
+			);
+		}
+		return "grid";
+	});
+	const [sorting, setSorting] = useState<SortingState>([]);
+	const [columnFilters, setColumnFilters] = useState<ColumnFiltersState>([]);
+	const [columnVisibility, setColumnVisibility] = useState<VisibilityState>({});
+	const [rowSelection, setRowSelection] = useState({});
 	const { data: ip } = api.settings.getIp.useQuery();
 
 	const {
@@ -97,9 +144,19 @@ export const ShowDomains = ({ id, type }: Props) => {
 
 	const { mutateAsync: validateDomain } =
 		api.domain.validateDomain.useMutation();
-	const { mutateAsync: deleteDomain, isLoading: isRemoving } =
+	const { mutateAsync: deleteDomain, isPending: isRemoving } =
 		api.domain.delete.useMutation();
 
+	const handleDeleteDomain = async (domainId: string) => {
+		try {
+			await deleteDomain({ domainId });
+			refetch();
+			toast.success("Domain deleted successfully");
+		} catch {
+			toast.error("Error deleting domain");
+		}
+	};
+
 	const handleValidateDomain = async (host: string) => {
 		setValidationStates((prev) => ({
 			...prev,
@@ -137,6 +194,37 @@ export const ShowDomains = ({ id, type }: Props) => {
 		}
 	};
 
+	const columns = createColumns({
+		id,
+		type,
+		validationStates,
+		handleValidateDomain,
+		handleDeleteDomain,
+		isDeleting: isRemoving,
+		serverIp: application?.server?.ipAddress?.toString() || ip?.toString(),
+		canCreateDomain,
+		canDeleteDomain,
+	});
+
+	const table = useReactTable({
+		data: data ?? [],
+		columns,
+		onSortingChange: setSorting,
+		onColumnFiltersChange: setColumnFilters,
+		getCoreRowModel: getCoreRowModel(),
+		getPaginationRowModel: getPaginationRowModel(),
+		getSortedRowModel: getSortedRowModel(),
+		getFilteredRowModel: getFilteredRowModel(),
+		onColumnVisibilityChange: setColumnVisibility,
+		onRowSelectionChange: setRowSelection,
+		state: {
+			sorting,
+			columnFilters,
+			columnVisibility,
+			rowSelection,
+		},
+	});
+
 	return (
 		<div className="flex w-full flex-col gap-5 ">
 			<Card className="bg-background">
@@ -148,13 +236,32 @@ export const ShowDomains = ({ id, type }: Props) => {
 						</CardDescription>
 					</div>
 
-					<div className="flex flex-row gap-4 flex-wrap">
+					<div className="flex flex-row gap-2 flex-wrap">
 						{data && data?.length > 0 && (
-							<AddDomain id={id} type={type}>
-								<Button>
-									<GlobeIcon className="size-4" /> Add Domain
+							<>
+								<Button
+									variant="outline"
+									size="icon"
+									onClick={() => {
+										const next = viewMode === "grid" ? "table" : "grid";
+										localStorage.setItem("domains-view-mode", next);
+										setViewMode(next);
+									}}
+								>
+									{viewMode === "grid" ? (
+										<LayoutList className="size-4" />
+									) : (
+										<LayoutGrid className="size-4" />
+									)}
 								</Button>
-							</AddDomain>
+								{canCreateDomain && (
+									<AddDomain id={id} type={type}>
+										<Button>
+											<GlobeIcon className="size-4" /> Add Domain
+										</Button>
+									</AddDomain>
+								)}
+							</>
 						)}
 					</div>
 				</CardHeader>
@@ -173,13 +280,131 @@ export const ShowDomains = ({ id, type }: Props) => {
 								To access the application it is required to set at least 1
 								domain
 							</span>
-							<div className="flex flex-row gap-4 flex-wrap">
-								<AddDomain id={id} type={type}>
-									<Button>
-										<GlobeIcon className="size-4" /> Add Domain
-									</Button>
-								</AddDomain>
+							{canCreateDomain && (
+								<div className="flex flex-row gap-4 flex-wrap">
+									<AddDomain id={id} type={type}>
+										<Button>
+											<GlobeIcon className="size-4" /> Add Domain
+										</Button>
+									</AddDomain>
+								</div>
+							)}
+						</div>
+					) : viewMode === "table" ? (
+						<div className="flex flex-col gap-4 w-full">
+							<div className="flex items-center gap-2 max-sm:flex-wrap">
+								<Input
+									placeholder="Filter by host..."
+									value={
+										(table.getColumn("host")?.getFilterValue() as string) ?? ""
+									}
+									onChange={(event) =>
+										table.getColumn("host")?.setFilterValue(event.target.value)
+									}
+									className="md:max-w-sm"
+								/>
+								<DropdownMenu>
+									<DropdownMenuTrigger asChild>
+										<Button
+											variant="outline"
+											className="sm:ml-auto max-sm:w-full"
+										>
+											Columns <ChevronDown className="ml-2 h-4 w-4" />
+										</Button>
+									</DropdownMenuTrigger>
+									<DropdownMenuContent align="end">
+										{table
+											.getAllColumns()
+											.filter((column) => column.getCanHide())
+											.map((column) => {
+												return (
+													<DropdownMenuCheckboxItem
+														key={column.id}
+														className="capitalize"
+														checked={column.getIsVisible()}
+														onCheckedChange={(value) =>
+															column.toggleVisibility(!!value)
+														}
+													>
+														{column.id}
+													</DropdownMenuCheckboxItem>
+												);
+											})}
+									</DropdownMenuContent>
+								</DropdownMenu>
 							</div>
+							<div className="rounded-md border">
+								<Table>
+									<TableHeader>
+										{table.getHeaderGroups().map((headerGroup) => (
+											<TableRow key={headerGroup.id}>
+												{headerGroup.headers.map((header) => {
+													return (
+														<TableHead key={header.id}>
+															{header.isPlaceholder
+																? null
+																: flexRender(
+																		header.column.columnDef.header,
+																		header.getContext(),
+																	)}
+														</TableHead>
+													);
+												})}
+											</TableRow>
+										))}
+									</TableHeader>
+									<TableBody>
+										{table?.getRowModel()?.rows?.length ? (
+											table.getRowModel().rows.map((row) => (
+												<TableRow
+													key={row.id}
+													data-state={row.getIsSelected() && "selected"}
+												>
+													{row.getVisibleCells().map((cell) => (
+														<TableCell key={cell.id}>
+															{flexRender(
+																cell.column.columnDef.cell,
+																cell.getContext(),
+															)}
+														</TableCell>
+													))}
+												</TableRow>
+											))
+										) : (
+											<TableRow>
+												<TableCell
+													colSpan={columns.length}
+													className="h-24 text-center"
+												>
+													No results.
+												</TableCell>
+											</TableRow>
+										)}
+									</TableBody>
+								</Table>
+							</div>
+							{data && data?.length > 0 && (
+								<div className="flex items-center justify-end space-x-2 py-4">
+									<div className="space-x-2 flex flex-wrap">
+										<Button
+											variant="outline"
+											size="sm"
+											onClick={() => table.previousPage()}
+											disabled={!table.getCanPreviousPage()}
+										>
+											Previous
+										</Button>
+										<Button
+											variant="outline"
+											size="sm"
+											onClick={() => table.nextPage()}
+											disabled={!table.getCanNextPage()}
+										>
+											Next
+										</Button>
+									</div>
+								</div>
+							)}
 						</div>
 					) : (
 						<div className="grid grid-cols-1 gap-4 xl:grid-cols-2 w-full min-h-[40vh] ">
@@ -201,7 +426,7 @@ export const ShowDomains = ({ id, type }: Props) => {
 														</Badge>
 													)}
 													<div className="flex gap-2 flex-wrap">
-														{!item.host.includes("traefik.me") && (
+														{!item.host.includes("sslip.io") && (
 															<DnsHelperModal
 																domain={{
 																	host: item.host,
@@ -214,47 +439,57 @@ export const ShowDomains = ({ id, type }: Props) => {
 																}
 															/>
 														)}
-														<AddDomain
-															id={id}
-															type={type}
-															domainId={item.domainId}
-														>
-															<Button
-																variant="ghost"
-																size="icon"
-																className="group hover:bg-blue-500/10"
+														{canCreateDomain && (
+															<AddDomain
+																id={id}
+																type={type}
+																domainId={item.domainId}
 															>
-																<PenBoxIcon className="size-3.5 text-primary group-hover:text-blue-500" />
-															</Button>
-														</AddDomain>
-														<DialogAction
-															title="Delete Domain"
-															description="Are you sure you want to delete this domain?"
-															type="destructive"
-															onClick={async () => {
-																await deleteDomain({
-																	domainId: item.domainId,
-																})
-																	.then((_data) => {
-																		refetch();
-																		toast.success(
-																			"Domain deleted successfully",
-																		);
+																<Button
+																	variant="ghost"
+																	size="icon"
+																	className="group hover:bg-blue-500/10"
+																>
+																	<PenBoxIcon className="size-3.5 text-primary group-hover:text-blue-500" />
+																</Button>
+															</AddDomain>
+														)}
+														{canCreateDomain && type === "application" && (
+															<HandleForwardAuth
+																domainId={item.domainId}
+																applicationId={id}
+															/>
+														)}
+														{canDeleteDomain && (
+															<DialogAction
+																title="Delete Domain"
+																description="Are you sure you want to delete this domain?"
+																type="destructive"
+																onClick={async () => {
+																	await deleteDomain({
+																		domainId: item.domainId,
 																	})
-																	.catch(() => {
-																		toast.error("Error deleting domain");
-																	});
-															}}
-														>
-															<Button
-																variant="ghost"
-																size="icon"
-																className="group hover:bg-red-500/10"
-																isLoading={isRemoving}
+																		.then((_data) => {
+																			refetch();
+																			toast.success(
+																				"Domain deleted successfully",
+																			);
+																		})
+																		.catch(() => {
+																			toast.error("Error deleting domain");
+																		});
+																}}
 															>
-																<Trash2 className="size-4 text-primary group-hover:text-red-500" />
-															</Button>
-														</DialogAction>
+																<Button
+																	variant="ghost"
+																	size="icon"
+																	className="group hover:bg-red-500/10"
+																	isLoading={isRemoving}
+																>
+																	<Trash2 className="size-4 text-primary group-hover:text-red-500" />
+																</Button>
+															</DialogAction>
+														)}
 													</div>
 												</div>
 												<div className="w-full break-all">
@@ -332,6 +567,22 @@ export const ShowDomains = ({ id, type }: Props) => {
 														</TooltipProvider>
 													)}
 
+													{item.middlewares?.map((middleware, index) => (
+														<TooltipProvider key={`${middleware}-${index}`}>
+															<Tooltip>
+																<TooltipTrigger asChild>
+																	<Badge variant="secondary">
+																		<InfoIcon className="size-3 mr-1" />
+																		Middleware: {middleware}
+																	</Badge>
+																</TooltipTrigger>
+																<TooltipContent>
+																	<p>Traefik middleware reference</p>
+																</TooltipContent>
+															</Tooltip>
+														</TooltipProvider>
+													))}
+
 													<TooltipProvider>
 														<Tooltip>
 															<TooltipTrigger asChild>

apps/dokploy/components/dashboard/application/environment/show-environment.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { EyeIcon, EyeOffIcon } from "lucide-react";
 import { type CSSProperties, useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
@@ -36,16 +36,19 @@ interface Props {
 }
 
 export const ShowEnvironment = ({ id, type }: Props) => {
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canWrite = permissions?.envVars.write ?? false;
 	const queryMap = {
-		postgres: () =>
-			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
-		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
-		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		compose: () =>
+			api.compose.one.useQuery({ composeId: id }, { enabled: !!id }),
+		libsql: () => api.libsql.one.useQuery({ libsqlId: id }, { enabled: !!id }),
 		mariadb: () =>
 			api.mariadb.one.useQuery({ mariadbId: id }, { enabled: !!id }),
 		mongo: () => api.mongo.one.useQuery({ mongoId: id }, { enabled: !!id }),
-		compose: () =>
-			api.compose.one.useQuery({ composeId: id }, { enabled: !!id }),
+		mysql: () => api.mysql.one.useQuery({ mysqlId: id }, { enabled: !!id }),
+		postgres: () =>
+			api.postgres.one.useQuery({ postgresId: id }, { enabled: !!id }),
+		redis: () => api.redis.one.useQuery({ redisId: id }, { enabled: !!id }),
 	};
 	const { data, refetch } = queryMap[type]
 		? queryMap[type]()
@@ -53,16 +56,17 @@ export const ShowEnvironment = ({ id, type }: Props) => {
 	const [isEnvVisible, setIsEnvVisible] = useState(true);
 
 	const mutationMap = {
-		postgres: () => api.postgres.update.useMutation(),
-		redis: () => api.redis.update.useMutation(),
-		mysql: () => api.mysql.update.useMutation(),
-		mariadb: () => api.mariadb.update.useMutation(),
-		mongo: () => api.mongo.update.useMutation(),
-		compose: () => api.compose.update.useMutation(),
+		compose: () => api.compose.saveEnvironment.useMutation(),
+		libsql: () => api.libsql.saveEnvironment.useMutation(),
+		mariadb: () => api.mariadb.saveEnvironment.useMutation(),
+		mongo: () => api.mongo.saveEnvironment.useMutation(),
+		mysql: () => api.mysql.saveEnvironment.useMutation(),
+		postgres: () => api.postgres.saveEnvironment.useMutation(),
+		redis: () => api.redis.saveEnvironment.useMutation(),
 	};
-	const { mutateAsync, isLoading } = mutationMap[type]
+	const { mutateAsync, isPending } = mutationMap[type]
 		? mutationMap[type]()
-		: api.mongo.update.useMutation();
+		: api.mongo.saveEnvironment.useMutation();
 
 	const form = useForm<EnvironmentSchema>({
 		defaultValues: {
@@ -85,12 +89,13 @@ export const ShowEnvironment = ({ id, type }: Props) => {
 
 	const onSubmit = async (formData: EnvironmentSchema) => {
 		mutateAsync({
+			composeId: id || "",
+			libsqlId: id || "",
+			mariadbId: id || "",
 			mongoId: id || "",
+			mysqlId: id || "",
 			postgresId: id || "",
 			redisId: id || "",
-			mysqlId: id || "",
-			mariadbId: id || "",
-			composeId: id || "",
 			env: formData.environment,
 		})
 			.then(async () => {
@@ -111,7 +116,7 @@ export const ShowEnvironment = ({ id, type }: Props) => {
 	// Add keyboard shortcut for Ctrl+S/Cmd+S
 	useEffect(() => {
 		const handleKeyDown = (e: KeyboardEvent) => {
-			if ((e.ctrlKey || e.metaKey) && e.key === "s" && !isLoading) {
+			if ((e.ctrlKey || e.metaKey) && e.code === "KeyS" && !isPending) {
 				e.preventDefault();
 				form.handleSubmit(onSubmit)();
 			}
@@ -121,7 +126,7 @@ export const ShowEnvironment = ({ id, type }: Props) => {
 		return () => {
 			document.removeEventListener("keydown", handleKeyDown);
 		};
-	}, [form, onSubmit, isLoading]);
+	}, [form, onSubmit, isPending]);
 
 	return (
 		<div className="flex w-full flex-col gap-5 ">
@@ -185,25 +190,27 @@ PORT=3000
 								)}
 							/>
 
-							<div className="flex flex-row justify-end gap-2">
-								{hasChanges && (
+							{canWrite && (
+								<div className="flex flex-row justify-end gap-2">
+									{hasChanges && (
+										<Button
+											type="button"
+											variant="outline"
+											onClick={handleCancel}
+										>
+											Cancel
+										</Button>
+									)}
 									<Button
-										type="button"
-										variant="outline"
-										onClick={handleCancel}
+										isLoading={isPending}
+										className="w-fit"
+										type="submit"
+										disabled={!hasChanges}
 									>
-										Cancel
+										Save
 									</Button>
-								)}
-								<Button
-									isLoading={isLoading}
-									className="w-fit"
-									type="submit"
-									disabled={!hasChanges}
-								>
-									Save
-								</Button>
-							</div>
+								</div>
+							)}
 						</form>
 					</Form>
 				</CardContent>

apps/dokploy/components/dashboard/application/environment/show.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { useEffect } from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";
@@ -31,7 +31,9 @@ interface Props {
 }
 
 export const ShowEnvironment = ({ applicationId }: Props) => {
-	const { mutateAsync, isLoading } =
+	const { data: permissions } = api.user.getPermissions.useQuery();
+	const canWrite = permissions?.envVars.write ?? false;
+	const { mutateAsync, isPending } =
 		api.application.saveEnvironment.useMutation();
 
 	const { data, refetch } = api.application.one.useQuery(
@@ -104,7 +106,7 @@ export const ShowEnvironment = ({ applicationId }: Props) => {
 	// Add keyboard shortcut for Ctrl+S/Cmd+S
 	useEffect(() => {
 		const handleKeyDown = (e: KeyboardEvent) => {
-			if ((e.ctrlKey || e.metaKey) && e.key === "s" && !isLoading) {
+			if ((e.ctrlKey || e.metaKey) && e.code === "KeyS" && !isPending) {
 				e.preventDefault();
 				form.handleSubmit(onSubmit)();
 			}
@@ -114,7 +116,7 @@ export const ShowEnvironment = ({ applicationId }: Props) => {
 		return () => {
 			document.removeEventListener("keydown", handleKeyDown);
 		};
-	}, [form, onSubmit, isLoading]);
+	}, [form, onSubmit, isPending]);
 
 	return (
 		<Card className="bg-background px-6 pb-6">
@@ -201,27 +203,30 @@ export const ShowEnvironment = ({ applicationId }: Props) => {
 										<Switch
 											checked={field.value}
 											onCheckedChange={field.onChange}
+											disabled={!canWrite}
 										/>
 									</FormControl>
 								</FormItem>
 							)}
 						/>
 					)}
-					<div className="flex flex-row justify-end gap-2">
-						{hasChanges && (
-							<Button type="button" variant="outline" onClick={handleCancel}>
-								Cancel
+					{canWrite && (
+						<div className="flex flex-row justify-end gap-2">
+							{hasChanges && (
+								<Button type="button" variant="outline" onClick={handleCancel}>
+									Cancel
+								</Button>
+							)}
+							<Button
+								isLoading={isPending}
+								className="w-fit"
+								type="submit"
+								disabled={!hasChanges}
+							>
+								Save
 							</Button>
-						)}
-						<Button
-							isLoading={isLoading}
-							className="w-fit"
-							type="submit"
-							disabled={!hasChanges}
-						>
-							Save
-						</Button>
-					</div>
+						</div>
+					)}
 				</form>
 			</Form>
 		</Card>

apps/dokploy/components/dashboard/application/general/generic/save-bitbucket-provider.tsx

@@ -1,5 +1,6 @@
-import { zodResolver } from "@hookform/resolvers/zod";
-import { CheckIcon, ChevronsUpDown, X } from "lucide-react";
+import { VALID_BRANCH_REGEX } from "@dokploy/server/utils/git-branch-validation";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { CheckIcon, ChevronsUpDown, HelpCircle, X } from "lucide-react";
 import Link from "next/link";
 import { useEffect } from "react";
 import { useForm } from "react-hook-form";
@@ -54,9 +55,13 @@ const BitbucketProviderSchema = z.object({
 		.object({
 			repo: z.string().min(1, "Repo is required"),
 			owner: z.string().min(1, "Owner is required"),
+			slug: z.string().optional(),
 		})
 		.required(),
-	branch: z.string().min(1, "Branch is required"),
+	branch: z
+		.string()
+		.min(1, "Branch is required")
+		.regex(VALID_BRANCH_REGEX, "Invalid branch name"),
 	bitbucketId: z.string().min(1, "Bitbucket Provider is required"),
 	watchPaths: z.array(z.string()).optional(),
 	enableSubmodules: z.boolean().optional(),
@@ -73,15 +78,16 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 		api.bitbucket.bitbucketProviders.useQuery();
 	const { data, refetch } = api.application.one.useQuery({ applicationId });
 
-	const { mutateAsync, isLoading: isSavingBitbucketProvider } =
+	const { mutateAsync, isPending: isSavingBitbucketProvider } =
 		api.application.saveBitbucketProvider.useMutation();
 
-	const form = useForm<BitbucketProvider>({
+	const form = useForm({
 		defaultValues: {
 			buildPath: "/",
 			repository: {
 				owner: "",
 				repo: "",
+				slug: "",
 			},
 			bitbucketId: "",
 			branch: "",
@@ -114,11 +120,14 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 	} = api.bitbucket.getBitbucketBranches.useQuery(
 		{
 			owner: repository?.owner,
-			repo: repository?.repo,
+			repo: repository?.slug || repository?.repo || "",
 			bitbucketId,
 		},
 		{
-			enabled: !!repository?.owner && !!repository?.repo && !!bitbucketId,
+			enabled:
+				!!repository?.owner &&
+				!!(repository?.slug || repository?.repo) &&
+				!!bitbucketId,
 		},
 	);
 
@@ -129,6 +138,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 				repository: {
 					repo: data.bitbucketRepository || "",
 					owner: data.bitbucketOwner || "",
+					slug: data.bitbucketRepositorySlug || "",
 				},
 				buildPath: data.bitbucketBuildPath || "/",
 				bitbucketId: data.bitbucketId || "",
@@ -142,6 +152,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 		await mutateAsync({
 			bitbucketBranch: data.branch,
 			bitbucketRepository: data.repository.repo,
+			bitbucketRepositorySlug: data.repository.slug || data.repository.repo,
 			bitbucketOwner: data.repository.owner,
 			bitbucketBuildPath: data.buildPath,
 			bitbucketId: data.bitbucketId,
@@ -181,6 +192,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 											form.setValue("repository", {
 												owner: "",
 												repo: "",
+												slug: "",
 											});
 											form.setValue("branch", "");
 										}}
@@ -217,7 +229,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 										<FormLabel>Repository</FormLabel>
 										{field.value.owner && field.value.repo && (
 											<Link
-												href={`https://bitbucket.org/${field.value.owner}/${field.value.repo}`}
+												href={`https://bitbucket.org/${field.value.owner}/${field.value.slug || field.value.repo}`}
 												target="_blank"
 												rel="noopener noreferrer"
 												className="flex items-center gap-1 text-sm text-muted-foreground hover:text-primary"
@@ -237,13 +249,13 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 														!field.value && "text-muted-foreground",
 													)}
 												>
-													{isLoadingRepositories
-														? "Loading...."
-														: field.value.owner
-															? repositories?.find(
+													{!field.value.owner
+														? "Select repository"
+														: isLoadingRepositories
+															? "Loading...."
+															: (repositories?.find(
 																	(repo) => repo.name === field.value.repo,
-																)?.name
-															: "Select repository"}
+																)?.name ?? "Select repository")}
 
 													<ChevronsUpDown className="ml-2 h-4 w-4 shrink-0 opacity-50" />
 												</Button>
@@ -255,11 +267,15 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 													placeholder="Search repository..."
 													className="h-9"
 												/>
-												{isLoadingRepositories && (
+												{!bitbucketId ? (
+													<span className="py-6 text-center text-sm text-muted-foreground">
+														Select a Bitbucket account first
+													</span>
+												) : isLoadingRepositories ? (
 													<span className="py-6 text-center text-sm">
 														Loading Repositories....
 													</span>
-												)}
+												) : null}
 												<CommandEmpty>No repositories found.</CommandEmpty>
 												<ScrollArea className="h-96">
 													<CommandGroup>
@@ -271,6 +287,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 																	form.setValue("repository", {
 																		owner: repo.owner.username as string,
 																		repo: repo.name,
+																		slug: repo.slug,
 																	});
 																	form.setValue("branch", "");
 																}}
@@ -320,7 +337,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 														!field.value && "text-muted-foreground",
 													)}
 												>
-													{status === "loading" && fetchStatus === "fetching"
+													{status === "pending" && fetchStatus === "fetching"
 														? "Loading...."
 														: field.value
 															? branches?.find(
@@ -337,7 +354,7 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 													placeholder="Search branch..."
 													className="h-9"
 												/>
-												{status === "loading" && fetchStatus === "fetching" && (
+												{status === "pending" && fetchStatus === "fetching" && (
 													<span className="py-6 text-center text-sm text-muted-foreground">
 														Loading Branches....
 													</span>
@@ -403,10 +420,8 @@ export const SaveBitbucketProvider = ({ applicationId }: Props) => {
 										<FormLabel>Watch Paths</FormLabel>
 										<TooltipProvider>
 											<Tooltip>
-												<TooltipTrigger>
-													<div className="size-4 rounded-full bg-muted flex items-center justify-center text-[10px] font-bold">
-														?
-													</div>
+												<TooltipTrigger asChild>
+													<HelpCircle className="size-4 text-muted-foreground hover:text-foreground transition-colors cursor-pointer" />
 												</TooltipTrigger>
 												<TooltipContent>
 													<p>

apps/dokploy/components/dashboard/application/general/generic/save-docker-provider.tsx

@@ -1,4 +1,4 @@
-import { zodResolver } from "@hookform/resolvers/zod";
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
 import { useEffect } from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";