From 2c80fdf9af3428a57b022bef20b2d53bd16e7b9c Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 13:22:05 -0400
Subject: [PATCH 01/37] feat: add caddy web server provider

---
 Dockerfile                                    |    4 +-
 .../__test__/caddy/application/domain.test.ts |  127 +
 .../__test__/caddy/compose/domain.test.ts     |  267 +
 apps/dokploy/__test__/caddy/config.test.ts    |  354 +
 .../__test__/caddy/dashboard-route.test.ts    |   81 +
 .../caddy/migration/apply-rollback.test.ts    |  546 ++
 .../caddy-migration-rollback-cli.test.ts      |   95 +
 .../compose-label-translator.test.ts          |  329 +
 .../migration/dynamic-file-translator.test.ts |  266 +
 .../fixtures/generic-compose-labels.yml       |   58 +
 .../fixtures/middleware-coverage.yml          |   54 +
 .../migration/fixtures/priority-dynamic.yml   |   58 +
 .../__test__/caddy/migration/prepare.test.ts  |  595 ++
 .../caddy/migration/traefik-recovery.test.ts  |  290 +
 .../migration/upstream-preflight.test.ts      |  270 +
 apps/dokploy/__test__/caddy/setup.test.ts     |   81 +
 .../server/update-server-config.test.ts       |    1 +
 .../advanced/traefik/show-traefik-config.tsx  |   38 +-
 .../application/domains/handle-domain.tsx     |  270 +-
 .../servers/actions/show-traefik-actions.tsx  |  123 +-
 .../dashboard/settings/web-server.tsx         |    5 +
 .../web-server/caddy-migration-panel.tsx      |  318 +
 .../settings/web-server/edit-traefik-env.tsx  |   26 +-
 .../web-server/manage-traefik-ports.tsx       |   34 +-
 .../web-server-provider-selector.tsx          |  101 +
 .../drizzle/0170_web_server_provider.sql      |    3 +
 apps/dokploy/drizzle/meta/0170_snapshot.json  | 8356 +++++++++++++++++
 apps/dokploy/drizzle/meta/_journal.json       |    7 +
 apps/dokploy/esbuild.config.ts                |    1 +
 apps/dokploy/package.json                     |    2 +
 .../scripts/caddy-migration-rollback.ts       |   87 +
 .../dokploy/server/api/routers/application.ts |   42 +
 apps/dokploy/server/api/routers/compose.ts    |    7 +-
 apps/dokploy/server/api/routers/domain.ts     |  217 +-
 apps/dokploy/server/api/routers/settings.ts   |  616 +-
 packages/server/src/constants/index.ts        |   12 +
 packages/server/src/db/schema/server.ts       |    5 +
 packages/server/src/db/schema/shared.ts       |    5 +
 .../src/db/schema/web-server-settings.ts      |    6 +-
 packages/server/src/index.ts                  |   19 +
 packages/server/src/services/compose.ts       |   19 +
 packages/server/src/services/domain.ts        |    4 +-
 packages/server/src/services/settings.ts      |  384 +-
 packages/server/src/services/user.ts          |    7 +
 .../src/services/web-server-settings.ts       |   57 +-
 packages/server/src/setup/caddy-setup.ts      |  259 +
 packages/server/src/setup/traefik-setup.ts    |   73 +-
 packages/server/src/utils/builders/compose.ts |    6 +-
 packages/server/src/utils/caddy/compose.ts    |  143 +
 packages/server/src/utils/caddy/config.ts     |  851 ++
 packages/server/src/utils/caddy/domain.ts     |  145 +
 .../server/src/utils/caddy/migration/apply.ts |  444 +
 .../migration/compose-label-translator.ts     |  575 ++
 .../migration/dynamic-file-translator.ts      |  736 ++
 .../server/src/utils/caddy/migration/files.ts |  335 +
 .../src/utils/caddy/migration/prepare.ts      | 1014 ++
 .../src/utils/caddy/migration/rollback.ts     |  238 +
 .../caddy/migration/traefik-rule-parser.ts    |  337 +
 .../server/src/utils/caddy/migration/types.ts |  194 +
 .../caddy/migration/upstream-preflight.ts     |  336 +
 packages/server/src/utils/caddy/types.ts      |   70 +
 .../src/utils/caddy/upstream-targets.ts       |   34 +
 packages/server/src/utils/caddy/web-server.ts |   60 +
 packages/server/src/utils/docker/domain.ts    |  350 +-
 .../server/src/utils/web-server/domain.ts     |   31 +
 packages/server/src/utils/web-server/paths.ts |   29 +
 .../server/src/utils/web-server/providers.ts  |   20 +
 67 files changed, 20292 insertions(+), 235 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/application/domain.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/compose/domain.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/config.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/dashboard-route.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/caddy-migration-rollback-cli.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/compose-label-translator.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/dynamic-file-translator.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/fixtures/generic-compose-labels.yml
 create mode 100644 apps/dokploy/__test__/caddy/migration/fixtures/middleware-coverage.yml
 create mode 100644 apps/dokploy/__test__/caddy/migration/fixtures/priority-dynamic.yml
 create mode 100644 apps/dokploy/__test__/caddy/migration/prepare.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/traefik-recovery.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/migration/upstream-preflight.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/setup.test.ts
 create mode 100644 apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
 create mode 100644 apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
 create mode 100644 apps/dokploy/drizzle/0170_web_server_provider.sql
 create mode 100644 apps/dokploy/drizzle/meta/0170_snapshot.json
 create mode 100644 apps/dokploy/scripts/caddy-migration-rollback.ts
 create mode 100644 packages/server/src/setup/caddy-setup.ts
 create mode 100644 packages/server/src/utils/caddy/compose.ts
 create mode 100644 packages/server/src/utils/caddy/config.ts
 create mode 100644 packages/server/src/utils/caddy/domain.ts
 create mode 100644 packages/server/src/utils/caddy/migration/apply.ts
 create mode 100644 packages/server/src/utils/caddy/migration/compose-label-translator.ts
 create mode 100644 packages/server/src/utils/caddy/migration/dynamic-file-translator.ts
 create mode 100644 packages/server/src/utils/caddy/migration/files.ts
 create mode 100644 packages/server/src/utils/caddy/migration/prepare.ts
 create mode 100644 packages/server/src/utils/caddy/migration/rollback.ts
 create mode 100644 packages/server/src/utils/caddy/migration/traefik-rule-parser.ts
 create mode 100644 packages/server/src/utils/caddy/migration/types.ts
 create mode 100644 packages/server/src/utils/caddy/migration/upstream-preflight.ts
 create mode 100644 packages/server/src/utils/caddy/types.ts
 create mode 100644 packages/server/src/utils/caddy/upstream-targets.ts
 create mode 100644 packages/server/src/utils/caddy/web-server.ts
 create mode 100644 packages/server/src/utils/web-server/domain.ts
 create mode 100644 packages/server/src/utils/web-server/paths.ts
 create mode 100644 packages/server/src/utils/web-server/providers.ts

diff --git a/Dockerfile b/Dockerfile
index 4cab0e8f36..6886e32178 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,6 +19,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
 ENV NODE_ENV=production
 RUN pnpm --filter=@dokploy/server build
 RUN pnpm --filter=./apps/dokploy run build
+RUN test -f /usr/src/app/apps/dokploy/dist/caddy-migration-rollback.mjs
 
 RUN pnpm --filter=./apps/dokploy --prod deploy --legacy /prod/dokploy
 
@@ -43,7 +44,8 @@ COPY --from=build /prod/dokploy/drizzle ./drizzle
 COPY .env.production ./.env
 COPY --from=build /prod/dokploy/components.json ./components.json
 COPY --from=build /prod/dokploy/node_modules ./node_modules
-
+RUN test -f /app/dist/caddy-migration-rollback.mjs \
+  && node -r dotenv/config /app/dist/caddy-migration-rollback.mjs --help | grep -q "Usage: caddy-migration-rollback"
 
 # Install docker
 RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh --version 28.5.2 && rm get-docker.sh && curl https://rclone.org/install.sh | bash
diff --git a/apps/dokploy/__test__/caddy/application/domain.test.ts b/apps/dokploy/__test__/caddy/application/domain.test.ts
new file mode 100644
index 0000000000..346e16fa84
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/application/domain.test.ts
@@ -0,0 +1,127 @@
+import type { ApplicationNested, Domain } from "@dokploy/server";
+import {
+	compileCaddyConfig,
+	createCaddyApplicationRouteFragment,
+	getCaddyApplicationFragmentId,
+} from "@dokploy/server";
+import { expect, test } from "vitest";
+
+const app = (overrides: Partial<ApplicationNested> = {}) =>
+	({
+		appName: "my-app",
+		serverId: null,
+		...overrides,
+	}) as ApplicationNested;
+
+const domain = (overrides: Partial<Domain> = {}) =>
+	({
+		domainId: "domain-1",
+		applicationId: "app-1",
+		composeId: null,
+		previewDeploymentId: null,
+		domainType: "application",
+		host: "example.com",
+		path: null,
+		internalPath: "/",
+		stripPath: false,
+		https: false,
+		certificateType: "none",
+		customCertResolver: null,
+		customEntrypoint: null,
+		middlewares: null,
+		port: null,
+		serviceName: null,
+		uniqueConfigKey: 7,
+		createdAt: "",
+		...overrides,
+	}) as Domain;
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+test("creates deterministic Caddy application fragments", () => {
+	const fragment = createCaddyApplicationRouteFragment(app(), domain());
+
+	expect(fragment.id).toBe(getCaddyApplicationFragmentId("my-app", 7));
+	expect(fragment.source).toBe("dokploy-application");
+	expect(fragment.routes[0]).toMatchObject({
+		id: "my-app-route-7",
+		hosts: ["example.com"],
+		https: false,
+		upstreams: ["http://my-app:80"],
+	});
+});
+
+test("renders path rewrites and custom upstream port", () => {
+	const fragment = createCaddyApplicationRouteFragment(
+		app(),
+		domain({
+			path: "/public",
+			stripPath: true,
+			internalPath: "/internal",
+			port: 3000,
+		}),
+	);
+	const config = compileCaddyConfig({ fragments: [fragment] });
+	const handlers = getServers(config).http.routes[0].handle;
+
+	expect(getServers(config).http.routes[0].match[0]).toMatchObject({
+		host: ["example.com"],
+		path: ["/public*"],
+	});
+	expect(handlers[0]).toMatchObject({
+		handler: "rewrite",
+		strip_path_prefix: "/public",
+	});
+	expect(handlers[1]).toMatchObject({
+		handler: "rewrite",
+		uri: "/internal{http.request.uri.path}",
+	});
+	expect(handlers[2]).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "my-app:3000" }],
+	});
+});
+
+test("HTTPS application routes redirect HTTP and proxy on HTTPS", () => {
+	const fragment = createCaddyApplicationRouteFragment(
+		app(),
+		domain({ https: true, certificateType: "letsencrypt" }),
+	);
+	const config = compileCaddyConfig({ fragments: [fragment] });
+	const servers = getServers(config);
+
+	expect(servers.http.routes[0].handle[0]).toMatchObject({
+		handler: "static_response",
+		status_code: 308,
+	});
+	expect(servers.https.routes[0].handle.at(-1)).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "my-app:80" }],
+	});
+});
+
+test("punycodes internationalized hosts for Caddy routes", () => {
+	const fragment = createCaddyApplicationRouteFragment(
+		app(),
+		domain({ host: "тест.рф" }),
+	);
+
+	expect(fragment.routes[0]?.hosts).toEqual(["xn--e1aybc.xn--p1ai"]);
+});
+
+test("rejects Traefik-only domain features for Caddy routes", () => {
+	expect(() =>
+		createCaddyApplicationRouteFragment(
+			app(),
+			domain({
+				customEntrypoint: "admin",
+				customCertResolver: "internal",
+				certificateType: "custom",
+				middlewares: ["auth@file"],
+			}),
+		),
+	).toThrow("unsupported Caddy fields");
+});
diff --git a/apps/dokploy/__test__/caddy/compose/domain.test.ts b/apps/dokploy/__test__/caddy/compose/domain.test.ts
new file mode 100644
index 0000000000..d0ded5fc96
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/compose/domain.test.ts
@@ -0,0 +1,267 @@
+import path from "node:path";
+import type { Compose, Domain } from "@dokploy/server";
+import { fs, vol } from "memfs";
+import { parse, stringify } from "yaml";
+
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
+import {
+	addDomainToCompose,
+	addDomainToComposeForWebServer,
+	compileCaddyConfig,
+	createCaddyComposeRouteFragment,
+	createDomainLabels,
+	isDokployGeneratedTraefikLabel,
+	paths,
+} from "@dokploy/server";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const compose = (overrides: Partial<Compose> = {}) =>
+	({
+		appName: "my-compose",
+		serverId: null,
+		sourceType: "raw",
+		composePath: "docker-compose.yml",
+		composeType: "docker-compose",
+		isolatedDeployment: false,
+		isolatedDeploymentsVolume: false,
+		randomize: false,
+		suffix: null,
+		...overrides,
+	}) as Compose;
+
+const domain = (overrides: Partial<Domain> = {}) =>
+	({
+		domainId: "domain-1",
+		applicationId: null,
+		composeId: "compose-1",
+		previewDeploymentId: null,
+		domainType: "compose",
+		host: "example.com",
+		path: "/",
+		internalPath: "/",
+		stripPath: false,
+		https: false,
+		certificateType: "none",
+		customCertResolver: null,
+		customEntrypoint: null,
+		middlewares: null,
+		port: 8080,
+		serviceName: "web",
+		uniqueConfigKey: 3,
+		createdAt: "",
+		...overrides,
+	}) as Domain;
+
+const writeComposeFile = (
+	composeInput: Compose,
+	content: Record<string, unknown>,
+) => {
+	const filePath = path.join(
+		paths(false).COMPOSE_PATH,
+		composeInput.appName,
+		"code",
+		"docker-compose.yml",
+	);
+	vol.mkdirSync(path.dirname(filePath), { recursive: true });
+	vol.writeFileSync(filePath, stringify(content));
+};
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+beforeEach(() => {
+	vol.reset();
+});
+
+describe("Caddy compose route generation", () => {
+	test("creates route fragments with compose upstream names", () => {
+		const fragment = createCaddyComposeRouteFragment(
+			compose(),
+			domain(),
+			"web",
+		);
+		const config = compileCaddyConfig({ fragments: [fragment] });
+
+		expect(fragment).toMatchObject({
+			id: "compose.my-compose.3",
+			source: "dokploy-compose",
+		});
+		expect(getServers(config).http.routes[0].handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "my-compose-web:8080" }],
+		});
+	});
+
+	test("uses swarm stack service names for Caddy upstreams", () => {
+		const fragment = createCaddyComposeRouteFragment(
+			compose({ composeType: "stack" }),
+			domain(),
+			"web-blue",
+		);
+		const config = compileCaddyConfig({ fragments: [fragment] });
+
+		expect(getServers(config).http.routes[0].handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "my-compose_web-blue:8080" }],
+		});
+	});
+
+	test("Traefik provider conversion delegates to the existing Traefik label path", async () => {
+		const composeInput = compose();
+		writeComposeFile(composeInput, {
+			services: {
+				web: { image: "nginx" },
+			},
+		});
+
+		const existingTraefikOutput = await addDomainToCompose(composeInput, [
+			domain(),
+		]);
+		const providerOutput = await addDomainToComposeForWebServer(
+			composeInput,
+			[domain()],
+			"traefik",
+		);
+
+		expect(providerOutput).toEqual(existingTraefikOutput);
+	});
+
+	test("Caddy compose conversion strips only Dokploy Traefik labels and attaches shared network", async () => {
+		const composeInput = compose();
+		const routeDomain = domain({ https: true, path: "/app", stripPath: true });
+		const dokployLabels = [
+			"traefik.docker.network=dokploy-network",
+			"traefik.enable=true",
+			...createDomainLabels(composeInput.appName, routeDomain, "web"),
+			...createDomainLabels(composeInput.appName, routeDomain, "websecure"),
+		];
+		writeComposeFile(composeInput, {
+			services: {
+				web: {
+					image: "nginx",
+					labels: [
+						"com.example.keep=true",
+						"traefik.http.routers.manual.rule=Host(`manual.example.com`)",
+						"traefik.http.routers.my-compose-custom-web.rule=Host(`custom.example.com`)",
+						...dokployLabels,
+					],
+				},
+			},
+		});
+
+		const converted = await addDomainToComposeForWebServer(
+			composeInput,
+			[routeDomain],
+			"caddy",
+		);
+
+		const webService = converted?.services?.web;
+		expect(webService).toBeDefined();
+		const labels = webService?.labels as string[];
+		expect(labels).toEqual([
+			"com.example.keep=true",
+			"traefik.http.routers.manual.rule=Host(`manual.example.com`)",
+			"traefik.http.routers.my-compose-custom-web.rule=Host(`custom.example.com`)",
+		]);
+		expect(webService?.networks).toEqual({
+			"dokploy-network": { aliases: ["my-compose-web"] },
+			default: {},
+		});
+		expect(converted?.networks?.["dokploy-network"]).toEqual({
+			external: true,
+		});
+	});
+
+	test("Caddy compose conversion rejects unsupported domain fields before mutating compose labels", async () => {
+		const composeInput = compose();
+		writeComposeFile(composeInput, {
+			services: {
+				web: {
+					image: "nginx",
+					labels: [
+						"traefik.enable=true",
+						"traefik.http.routers.my-compose-3-web.rule=Host(`example.com`)",
+					],
+				},
+			},
+		});
+
+		await expect(
+			addDomainToComposeForWebServer(
+				composeInput,
+				[domain({ middlewares: ["auth@file"] })],
+				"caddy",
+			),
+		).rejects.toThrow("unsupported Caddy fields");
+
+		const stored = parse(
+			vol
+				.readFileSync(
+					path.join(
+						paths(false).COMPOSE_PATH,
+						composeInput.appName,
+						"code",
+						"docker-compose.yml",
+					),
+					"utf8",
+				)
+				.toString(),
+		) as any;
+		expect(stored.services.web.labels).toEqual([
+			"traefik.enable=true",
+			"traefik.http.routers.my-compose-3-web.rule=Host(`example.com`)",
+		]);
+	});
+
+	test("Caddy compose conversion uses finalized randomized service names", async () => {
+		const composeInput = compose({ randomize: true, suffix: "blue" });
+		writeComposeFile(composeInput, {
+			services: {
+				web: { image: "nginx" },
+				worker: { image: "busybox", depends_on: ["web"] },
+			},
+		});
+
+		const converted = await addDomainToComposeForWebServer(
+			composeInput,
+			[domain()],
+			"caddy",
+		);
+
+		expect(converted?.services?.web).toBeUndefined();
+		expect(converted?.services?.["web-blue"]?.networks).toEqual({
+			"dokploy-network": { aliases: ["my-compose-web-blue"] },
+			default: {},
+		});
+		expect(converted?.services?.["worker-blue"]?.depends_on).toEqual([
+			"web-blue",
+		]);
+	});
+
+	test("classifier identifies current Dokploy-generated Traefik labels without matching unrelated labels", () => {
+		const routeDomain = domain({ https: true });
+		expect(
+			isDokployGeneratedTraefikLabel(
+				"traefik.http.routers.my-compose-3-web.rule=Host(`example.com`)",
+				{ appName: "my-compose", domains: [routeDomain] },
+			),
+		).toBe(true);
+		expect(
+			isDokployGeneratedTraefikLabel("traefik.enable=true", {
+				includeGenericLabels: true,
+			}),
+		).toBe(true);
+		expect(
+			isDokployGeneratedTraefikLabel(
+				"traefik.http.routers.manual.rule=Host(`manual.example.com`)",
+				{ appName: "my-compose", domains: [routeDomain] },
+			),
+		).toBe(false);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
new file mode 100644
index 0000000000..f163b40502
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -0,0 +1,354 @@
+import { fs, vol } from "memfs";
+
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
+const execAsyncMock = vi.hoisted(() => vi.fn());
+const execAsyncRemoteMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsync: execAsyncMock,
+	execAsyncRemote: execAsyncRemoteMock,
+}));
+
+import {
+	type ApplicationNested,
+	type CaddyRouteFragment,
+	type CaddyRouteIntent,
+	compileAndWriteCaddyConfig,
+	compileCaddyConfig,
+	type Domain,
+	getCaddyMigrationArtifactPaths,
+	manageCaddyDomain,
+	paths,
+	readCaddyRouteFragments,
+	validateCaddyConfigFileWithImage,
+	writeCaddyRouteFragment,
+} from "@dokploy/server";
+import { beforeEach, expect, test, vi } from "vitest";
+
+const route = (
+	overrides: Partial<CaddyRouteIntent> = {},
+): CaddyRouteIntent => ({
+	id: "app-route",
+	source: "dokploy-application",
+	hosts: ["example.com"],
+	https: false,
+	upstreams: ["http://app:3000"],
+	...overrides,
+});
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+beforeEach(() => {
+	vol.reset();
+	execAsyncMock.mockReset();
+	execAsyncRemoteMock.mockReset();
+	execAsyncMock.mockResolvedValue({ stdout: "dokploy-caddy\n", stderr: "" });
+	execAsyncRemoteMock.mockResolvedValue({
+		stdout: "dokploy-caddy\n",
+		stderr: "",
+	});
+});
+
+test("compiles explicit http and https servers with managed HTTPS redirect", () => {
+	const config = compileCaddyConfig({
+		letsEncryptEmail: "ops@example.com",
+		routes: [route({ https: true })],
+	});
+
+	const servers = getServers(config);
+	expect(servers.http.listen).toEqual([":80"]);
+	expect(servers.https.listen).toEqual([":443"]);
+	expect(servers.http.routes[0].handle[0].handler).toBe("static_response");
+	expect(servers.http.routes[0].handle[0].headers.Location).toEqual([
+		"https://{http.request.host}{http.request.uri}",
+	]);
+	expect(servers.https.routes[0].handle.at(-1)).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "app:3000" }],
+	});
+	expect((config.apps as any).tls.automation.policies[0].issuers[0].email).toBe(
+		"ops@example.com",
+	);
+});
+
+test("sorts routes by priority before path specificity and stable id", () => {
+	const config = compileCaddyConfig({
+		routes: [
+			route({ id: "low-specific", priority: 1, pathPrefix: "/very/specific" }),
+			route({ id: "high-priority", priority: 10, pathPrefix: "/api" }),
+			route({ id: "same-priority-longer", priority: 1, pathPrefix: "/longer" }),
+			route({
+				id: "same-tiebreak-b",
+				priority: 1,
+				pathPrefix: "/same",
+				upstreams: ["http://b:3000"],
+			}),
+			route({
+				id: "same-tiebreak-a",
+				priority: 1,
+				pathPrefix: "/same",
+				upstreams: ["http://a:3000"],
+			}),
+		],
+	});
+
+	const [first, second, third, fourth, fifth] = getServers(config).http.routes;
+	expect(first.match[0].path).toEqual(["/api*"]);
+	expect(second.match[0].path).toEqual(["/very/specific*"]);
+	expect(third.match[0].path).toEqual(["/longer*"]);
+	expect(fourth.handle.at(-1).upstreams).toEqual([{ dial: "a:3000" }]);
+	expect(fifth.handle.at(-1).upstreams).toEqual([{ dial: "b:3000" }]);
+});
+
+test("orders migrated manual and Traefik routes before DB fallbacks for identical catch-all matches", () => {
+	const config = compileCaddyConfig({
+		routes: [
+			route({
+				id: "db-compose-fallback",
+				source: "dokploy-compose",
+				https: true,
+				upstreams: ["http://cms:3000"],
+			}),
+			route({
+				id: "manual-waf",
+				source: "manual",
+				https: true,
+				upstreams: ["http://waf:8080"],
+			}),
+			route({
+				id: "dynamic-blog",
+				source: "traefik-dynamic-file",
+				https: true,
+				upstreams: ["http://blog:8080"],
+			}),
+			route({
+				id: "label-cms",
+				source: "traefik-compose-label",
+				https: true,
+				upstreams: ["http://cms:80"],
+			}),
+		],
+	});
+
+	const upstreamOrder = getServers(config).https.routes.map(
+		(compiledRoute: any) => compiledRoute.handle.at(-1).upstreams[0].dial,
+	);
+	expect(upstreamOrder).toEqual([
+		"waf:8080",
+		"cms:80",
+		"blog:8080",
+		"cms:3000",
+	]);
+});
+
+test("renders transforms, headers, and HTTPS upstream transport", () => {
+	const config = compileCaddyConfig({
+		routes: [
+			route({
+				upstreams: ["https://upstream.example.com:443"],
+				transforms: {
+					stripPrefix: "/public",
+					addPrefix: "/internal",
+					responseHeaders: {
+						"Cache-Control": "no-store",
+					},
+				},
+			}),
+		],
+	});
+
+	const handlers = getServers(config).http.routes[0].handle;
+	expect(handlers[0]).toMatchObject({
+		handler: "headers",
+		response: { set: { "Cache-Control": ["no-store"] } },
+	});
+	expect(handlers[1]).toMatchObject({
+		handler: "rewrite",
+		strip_path_prefix: "/public",
+	});
+	expect(handlers[2]).toMatchObject({
+		handler: "rewrite",
+		uri: "/internal{http.request.uri.path}",
+	});
+	expect(handlers[3]).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "upstream.example.com:443" }],
+		transport: { protocol: "http", tls: {} },
+	});
+});
+
+test("rejects proxy upstreams without explicit valid ports", () => {
+	for (const upstream of [
+		"http://admin",
+		"https://external.example.com",
+		"http://app:0",
+		"http://app:65536",
+		"http://app:abc",
+		"app",
+		"app:0",
+	]) {
+		expect(() =>
+			compileCaddyConfig({
+				routes: [route({ upstreams: [upstream] })],
+			}),
+		).toThrow(`invalid upstream "${upstream}"`);
+	}
+});
+
+test("allows redirect-only routes without upstreams", () => {
+	const config = compileCaddyConfig({
+		routes: [
+			route({
+				upstreams: [],
+				redirectScheme: { scheme: "https", permanent: true },
+			}),
+		],
+	});
+
+	expect(getServers(config).http.routes[0].handle[0]).toMatchObject({
+		handler: "static_response",
+		status_code: 308,
+	});
+});
+
+test("allows static response routes without upstreams", () => {
+	const config = compileCaddyConfig({
+		routes: [
+			route({
+				source: "manual",
+				https: true,
+				upstreams: [],
+				staticResponse: {
+					statusCode: 404,
+					headers: {
+						"Cache-Control": "no-store",
+					},
+				},
+			}),
+		],
+	});
+
+	const servers = getServers(config);
+	expect(servers.http.routes[0].handle[0]).toMatchObject({
+		handler: "static_response",
+		status_code: 308,
+	});
+	expect(servers.https.routes[0].handle).toEqual([
+		{
+			handler: "static_response",
+			status_code: 404,
+			headers: {
+				"Cache-Control": ["no-store"],
+			},
+		},
+	]);
+});
+
+test("stores fragments and compiles them into the active config", async () => {
+	const fragment: CaddyRouteFragment = {
+		version: 1,
+		id: "app.example",
+		source: "dokploy-application",
+		routes: [route({ id: "stored", pathPrefix: "/stored" })],
+	};
+
+	await writeCaddyRouteFragment(fragment);
+	const fragments = await readCaddyRouteFragments();
+	const config = await compileAndWriteCaddyConfig();
+
+	expect(fragments).toEqual([fragment]);
+	expect(getServers(config).http.routes[0].match[0].path).toEqual(["/stored*"]);
+});
+
+test("rejects invalid fragment ids before touching the store", async () => {
+	for (const id of ["../bad", "..", ".", "bad..segment"]) {
+		await expect(
+			writeCaddyRouteFragment({
+				version: 1,
+				id,
+				source: "manual",
+				routes: [route()],
+			}),
+		).rejects.toThrow("Invalid Caddy fragment id");
+	}
+	expect(vol.existsSync(paths().CADDY_FRAGMENTS_PATH)).toBe(false);
+});
+
+test("rejects unsafe Caddy migration ids", () => {
+	for (const id of ["..", ".", "bad..segment"]) {
+		expect(() => getCaddyMigrationArtifactPaths(id)).toThrow(
+			"Invalid Caddy migration id",
+		);
+	}
+});
+
+test("validates a config file with the Caddy binary in an isolated runtime container", async () => {
+	await validateCaddyConfigFileWithImage(
+		"/etc/dokploy/caddy/migrations/test/caddy.json",
+	);
+
+	const validateCommand = execAsyncMock.mock.calls
+		.map(([command]) => command as string)
+		.find((command) => command.includes("docker run"));
+	expect(validateCommand).toContain("docker run --rm --network none");
+	expect(validateCommand).toContain("caddy\\:2.11.3");
+	expect(validateCommand).toContain(
+		"/etc/dokploy/caddy/migrations/test/caddy.json\\:/etc/caddy/caddy.json\\:ro",
+	);
+	expect(validateCommand).toContain(
+		"/etc/dokploy/caddy/migrations/test/.validate-runtime/config\\:/config",
+	);
+	expect(validateCommand).toContain(" caddy validate --config");
+	expect(validateCommand).not.toContain("caddy\\:2.11.3 validate --config");
+});
+
+test("restores previous fragments when Caddy domain reload fails", async () => {
+	const existingFragment: CaddyRouteFragment = {
+		version: 1,
+		id: "app.existing",
+		source: "dokploy-application",
+		routes: [route({ id: "existing", hosts: ["old.example.com"] })],
+	};
+	await writeCaddyRouteFragment(existingFragment);
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(
+		manageCaddyDomain(
+			{ appName: "my-app", serverId: null } as ApplicationNested,
+			{
+				domainId: "domain-1",
+				applicationId: "app-1",
+				composeId: null,
+				previewDeploymentId: null,
+				domainType: "application",
+				host: "example.com",
+				path: "/",
+				internalPath: "/",
+				stripPath: false,
+				https: false,
+				certificateType: "none",
+				customCertResolver: null,
+				customEntrypoint: null,
+				middlewares: null,
+				port: 3000,
+				serviceName: null,
+				uniqueConfigKey: 7,
+				createdAt: "",
+			} as Domain,
+		),
+	).rejects.toThrow("validation failed");
+
+	expect(await readCaddyRouteFragments()).toEqual([existingFragment]);
+});
diff --git a/apps/dokploy/__test__/caddy/dashboard-route.test.ts b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
new file mode 100644
index 0000000000..b4669b930a
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
@@ -0,0 +1,81 @@
+import {
+	compileCaddyConfig,
+	createCaddyDashboardRouteFragment,
+} from "@dokploy/server";
+import type { webServerSettings } from "@dokploy/server/db/schema";
+import { expect, test } from "vitest";
+
+type WebServerSettings = typeof webServerSettings.$inferSelect;
+
+const settings = (overrides: Partial<WebServerSettings> = {}) =>
+	({
+		id: "settings-1",
+		webServerProvider: "caddy",
+		https: false,
+		certificateType: "none",
+		host: null,
+		serverIp: null,
+		letsEncryptEmail: null,
+		sshPrivateKey: null,
+		enableDockerCleanup: false,
+		logCleanupCron: null,
+		metricsConfig: {} as WebServerSettings["metricsConfig"],
+		whitelabelingConfig: null,
+		cleanupCacheApplications: false,
+		cleanupCacheOnCompose: false,
+		cleanupCacheOnPreviews: false,
+		createdAt: null,
+		updatedAt: new Date(),
+		...overrides,
+	}) as WebServerSettings;
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+test("creates a Caddy dashboard route to the Dokploy container", () => {
+	const fragment = createCaddyDashboardRouteFragment(
+		settings(),
+		"dashboard.example.com",
+	);
+	const config = compileCaddyConfig({ fragments: [fragment] });
+	const route = getServers(config).http.routes[0];
+
+	expect(fragment).toMatchObject({
+		id: "dashboard.dokploy",
+		source: "dokploy-dashboard",
+	});
+	expect(route.match[0]).toMatchObject({
+		host: ["dashboard.example.com"],
+	});
+	expect(route.match[0].path).toBeUndefined();
+	expect(route.handle.at(-1)).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "dokploy:3000" }],
+	});
+});
+
+test("dashboard HTTPS route uses global ACME email when compiled", () => {
+	const fragment = createCaddyDashboardRouteFragment(
+		settings({ https: true, letsEncryptEmail: "ops@example.com" }),
+		"панель.example.com",
+	);
+	const config = compileCaddyConfig({
+		fragments: [fragment],
+		letsEncryptEmail: "ops@example.com",
+	});
+	const servers = getServers(config);
+
+	expect(fragment.routes[0]?.hosts).toEqual(["xn--80aksgi6f.example.com"]);
+	expect(servers.http.routes[0].handle[0]).toMatchObject({
+		handler: "static_response",
+		status_code: 308,
+	});
+	expect(servers.https.routes[0].handle.at(-1)).toMatchObject({
+		handler: "reverse_proxy",
+	});
+	expect((config.apps as any).tls.automation.policies[0].issuers[0].email).toBe(
+		"ops@example.com",
+	);
+});
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
new file mode 100644
index 0000000000..753ef76f90
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -0,0 +1,546 @@
+import { fs, vol } from "memfs";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
+vi.mock("@dokploy/server/services/settings", () => ({
+	getDockerResourceSnapshot: vi.fn(),
+	readEnvironmentVariables: vi.fn(),
+	readPorts: vi.fn(),
+	stopDockerResource: vi.fn(),
+	startDockerResourceFromSnapshot: vi.fn(),
+	ensureTraefikRunningFromSnapshot: vi.fn(),
+	waitForDockerResourceRunning: vi.fn(),
+	writeCaddySetup: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	resolveWebServerProvider: vi.fn(),
+	updateLocalWebServerProvider: vi.fn(),
+	updateRemoteWebServerProvider: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/caddy/config", () => ({
+	reloadCaddyAfterValidation: vi.fn(),
+	validateCaddyConfigFileWithImage: vi.fn(),
+	validateCaddyConfigWithContainer: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/caddy/migration/upstream-preflight", () => ({
+	runCaddyMigrationUpstreamPreflight: vi.fn(),
+}));
+
+import { paths } from "@dokploy/server/constants";
+import * as settingsService from "@dokploy/server/services/settings";
+import * as providerService from "@dokploy/server/services/web-server-settings";
+import * as caddyConfig from "@dokploy/server/utils/caddy/config";
+import { applyCaddyMigration } from "@dokploy/server/utils/caddy/migration/apply";
+import { getCaddyMigrationArtifactPaths } from "@dokploy/server/utils/caddy/migration/files";
+import { rollbackCaddyMigration } from "@dokploy/server/utils/caddy/migration/rollback";
+import type { CaddyMigrationReport } from "@dokploy/server/utils/caddy/migration/types";
+import * as upstreamPreflight from "@dokploy/server/utils/caddy/migration/upstream-preflight";
+
+const createReport = (migrationId: string): CaddyMigrationReport => {
+	const artifactPaths = getCaddyMigrationArtifactPaths(migrationId);
+	return {
+		migrationId,
+		serverId: null,
+		createdAt: "2026-05-22T00:00:00.000Z",
+		updatedAt: "2026-05-22T00:00:00.000Z",
+		status: "prepared",
+		sourceProvider: "traefik",
+		targetProvider: "caddy",
+		artifactPaths,
+		inputs: {
+			traefikStaticConfigPath: `${paths().MAIN_TRAEFIK_PATH}/traefik.yml`,
+			traefikStaticConfigFound: true,
+			dynamicFiles: [],
+			dbApplicationDomains: 0,
+			dbComposeDomains: 0,
+			composeFilesScanned: [],
+			composeFilesSkipped: [],
+		},
+		summary: {
+			fragments: 1,
+			routes: 1,
+			warnings: 0,
+			blockingWarnings: 0,
+		},
+		validation: { status: "passed", message: "ok" },
+		warnings: [],
+		events: [],
+	};
+};
+
+const seedMigration = (migrationId: string) => {
+	const report = createReport(migrationId);
+	const currentPaths = paths();
+	vol.mkdirSync(report.artifactPaths.fragmentsDir, { recursive: true });
+	vol.writeFileSync(
+		`${report.artifactPaths.fragmentsDir}/app.json`,
+		JSON.stringify({ version: 1, id: "app", source: "manual", routes: [] }),
+	);
+	vol.writeFileSync(report.artifactPaths.caddyJson, '{"apps":{"http":{}}}\n');
+	vol.writeFileSync(
+		report.artifactPaths.reportJson,
+		`${JSON.stringify(report, null, 2)}\n`,
+	);
+	vol.mkdirSync(currentPaths.MAIN_TRAEFIK_PATH, { recursive: true });
+	vol.writeFileSync(
+		`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+		"entryPoints: {}\n",
+	);
+	vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+	vol.writeFileSync(
+		`${currentPaths.DYNAMIC_TRAEFIK_PATH}/app.yml`,
+		"http: {}\n",
+	);
+	vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
+	vol.writeFileSync(`${currentPaths.CADDY_FRAGMENTS_PATH}/old.json`, "{}\n");
+	vol.writeFileSync(currentPaths.CADDY_CONFIG_PATH, '{"old":true}\n');
+	return report;
+};
+
+describe("applyCaddyMigration", () => {
+	beforeEach(() => {
+		vol.reset();
+		vi.clearAllMocks();
+		vi.mocked(providerService.resolveWebServerProvider).mockResolvedValue(
+			"traefik",
+		);
+		vi.mocked(settingsService.getDockerResourceSnapshot).mockImplementation(
+			async (resourceName: string) => ({
+				resourceName,
+				resourceType:
+					resourceName === "dokploy-traefik" ? "standalone" : "unknown",
+				running: resourceName === "dokploy-traefik",
+			}),
+		);
+		vi.mocked(settingsService.readEnvironmentVariables).mockResolvedValue("");
+		vi.mocked(settingsService.readPorts).mockResolvedValue([]);
+		vi.mocked(settingsService.waitForDockerResourceRunning).mockResolvedValue({
+			resourceName: "dokploy-caddy",
+			resourceType: "standalone",
+			running: true,
+		});
+		vi.mocked(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).mockResolvedValue(undefined);
+		vi.mocked(caddyConfig.reloadCaddyAfterValidation).mockResolvedValue(
+			{} as any,
+		);
+		vi.mocked(caddyConfig.validateCaddyConfigFileWithImage).mockResolvedValue(
+			{} as any,
+		);
+		vi.mocked(caddyConfig.validateCaddyConfigWithContainer).mockResolvedValue(
+			{} as any,
+		);
+		vi.mocked(
+			upstreamPreflight.runCaddyMigrationUpstreamPreflight,
+		).mockResolvedValue({
+			status: "passed",
+			checkedAt: "2026-05-22T00:00:00.000Z",
+			network: "dokploy-network",
+			probeImage: "busybox:1.36",
+			checks: [],
+		});
+	});
+
+	test("rejects a concurrent migration operation while a lock exists", async () => {
+		const report = seedMigration("caddy-apply-locked");
+		vol.mkdirSync(`${report.artifactPaths.root}/.operation.lock`);
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("already has an apply or rollback operation in progress");
+		expect(
+			upstreamPreflight.runCaddyMigrationUpstreamPreflight,
+		).not.toHaveBeenCalled();
+	});
+
+	test("writes approved artifacts, starts Caddy, validates, then updates provider", async () => {
+		const report = seedMigration("caddy-apply-success");
+
+		const applied = await applyCaddyMigration({
+			migrationId: report.migrationId,
+		});
+
+		expect(applied.status).toBe("applied");
+		expect(settingsService.stopDockerResource).toHaveBeenCalledWith(
+			"dokploy-traefik",
+			undefined,
+		);
+		expect(
+			vi.mocked(upstreamPreflight.runCaddyMigrationUpstreamPreflight).mock
+				.invocationCallOrder[0],
+		).toBeLessThan(
+			vi.mocked(settingsService.stopDockerResource).mock
+				.invocationCallOrder[0] ?? 0,
+		);
+		expect(caddyConfig.validateCaddyConfigFileWithImage).toHaveBeenCalledWith(
+			report.artifactPaths.caddyJson,
+			undefined,
+		);
+		expect(
+			vi.mocked(caddyConfig.validateCaddyConfigFileWithImage).mock
+				.invocationCallOrder[0],
+		).toBeLessThan(
+			vi.mocked(settingsService.stopDockerResource).mock
+				.invocationCallOrder[0] ?? 0,
+		);
+		expect(settingsService.writeCaddySetup).toHaveBeenCalled();
+		expect(caddyConfig.validateCaddyConfigWithContainer).toHaveBeenCalled();
+		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
+			"caddy",
+		);
+		expect(
+			vi.mocked(caddyConfig.validateCaddyConfigWithContainer).mock
+				.invocationCallOrder[0],
+		).toBeLessThan(
+			vi.mocked(providerService.updateLocalWebServerProvider).mock
+				.invocationCallOrder[0] ?? 0,
+		);
+		expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+			'{"apps":{"http":{}}}\n',
+		);
+		expect(vol.existsSync(`${paths().CADDY_FRAGMENTS_PATH}/app.json`)).toBe(
+			true,
+		);
+	});
+
+	test("rewrites the mounted Caddy config file in place after setup", async () => {
+		const report = seedMigration("caddy-apply-preserves-config-inode");
+		let mountedConfigFd: number | undefined;
+		vi.mocked(settingsService.writeCaddySetup).mockImplementationOnce(
+			async () => {
+				vol.writeFileSync(
+					paths().CADDY_CONFIG_PATH,
+					'{"generatedBySetup":true}\n',
+				);
+				mountedConfigFd = fs.openSync(paths().CADDY_CONFIG_PATH, "r");
+			},
+		);
+
+		await applyCaddyMigration({
+			migrationId: report.migrationId,
+		});
+
+		expect(mountedConfigFd).toBeDefined();
+		const mountedContent = Buffer.alloc(1024);
+		const bytesRead = fs.readSync(
+			mountedConfigFd as number,
+			mountedContent,
+			0,
+			mountedContent.length,
+			0,
+		);
+		fs.closeSync(mountedConfigFd as number);
+		expect(mountedContent.toString("utf8", 0, bytesRead)).toBe(
+			'{"apps":{"http":{}}}\n',
+		);
+		expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+			'{"apps":{"http":{}}}\n',
+		);
+	});
+
+	test("runtime upstream preflight failure stops apply before Traefik is stopped", async () => {
+		const report = seedMigration("caddy-preflight-fails");
+		vi.mocked(
+			upstreamPreflight.runCaddyMigrationUpstreamPreflight,
+		).mockResolvedValueOnce({
+			status: "failed",
+			checkedAt: "2026-05-22T00:00:00.000Z",
+			network: "dokploy-network",
+			probeImage: "busybox:1.36",
+			checks: [
+				{
+					dial: "missing:3000",
+					host: "missing",
+					port: 3000,
+					network: "dokploy-network",
+					status: "failed",
+					reason: "DNS resolution failed",
+					routes: [],
+				},
+			],
+		});
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("Runtime upstream preflight failed");
+
+		expect(settingsService.stopDockerResource).not.toHaveBeenCalledWith(
+			"dokploy-traefik",
+			undefined,
+		);
+		expect(settingsService.writeCaddySetup).not.toHaveBeenCalled();
+		expect(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).not.toHaveBeenCalled();
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.status).toBe("failed");
+		expect(finalReport.runtimePreflight?.status).toBe("failed");
+	});
+
+	test("rolls back to Traefik and keeps provider Traefik when Caddy setup fails", async () => {
+		const report = seedMigration("caddy-apply-fails");
+		vi.mocked(settingsService.writeCaddySetup).mockRejectedValueOnce(
+			new Error("caddy failed"),
+		);
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("caddy failed");
+
+		expect(
+			providerService.updateLocalWebServerProvider,
+		).not.toHaveBeenCalledWith("caddy");
+		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
+			"traefik",
+		);
+		expect(settingsService.stopDockerResource).toHaveBeenCalledWith(
+			"dokploy-caddy",
+			undefined,
+		);
+		expect(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).toHaveBeenCalledWith(
+			expect.objectContaining({ resourceName: "dokploy-traefik" }),
+			undefined,
+		);
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.status).toBe("rolled_back");
+	});
+
+	test("uses restore-only unredacted resource snapshot during rollback", async () => {
+		const report = seedMigration("caddy-restore-snapshot");
+		vi.mocked(settingsService.getDockerResourceSnapshot).mockImplementation(
+			async (resourceName: string) => ({
+				resourceName,
+				resourceType:
+					resourceName === "dokploy-traefik" ? "standalone" : "unknown",
+				running: resourceName === "dokploy-traefik",
+				env: resourceName === "dokploy-traefik" ? "SECRET=value" : undefined,
+				image:
+					resourceName === "dokploy-traefik"
+						? "private.registry.example/traefik:latest"
+						: undefined,
+				binds:
+					resourceName === "dokploy-traefik"
+						? ["/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json"]
+						: undefined,
+				labels:
+					resourceName === "dokploy-traefik"
+						? { "secret.label": "private" }
+						: undefined,
+			}),
+		);
+		vi.mocked(settingsService.writeCaddySetup).mockRejectedValueOnce(
+			new Error("caddy failed"),
+		);
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("caddy failed");
+
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.backup?.traefikResource?.env).toBeUndefined();
+		expect(finalReport.backup?.traefikResource?.binds).toBeUndefined();
+		expect(finalReport.backup?.traefikResource?.labels).toBeUndefined();
+		expect(finalReport.backup?.traefikResource?.image).toBeUndefined();
+		expect(finalReport.backup?.traefikResource).toMatchObject({
+			resourceName: "dokploy-traefik",
+			resourceType: "standalone",
+			running: true,
+		});
+		expect(finalReport.backup?.restoreSnapshotPath).toBeTruthy();
+		const restoreSnapshots = JSON.parse(
+			vol.readFileSync(
+				finalReport.backup?.restoreSnapshotPath ?? "",
+				"utf8",
+			) as string,
+		) as { traefikResource: { env?: string; binds?: string[] } };
+		expect(restoreSnapshots.traefikResource.env).toBe("SECRET=value");
+		expect(restoreSnapshots.traefikResource.binds).toEqual([
+			"/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json",
+		]);
+		expect(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).toHaveBeenCalledWith(
+			expect.objectContaining({
+				env: "SECRET=value",
+				binds: ["/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json"],
+			}),
+			undefined,
+		);
+	});
+
+	test("rollback failure leaves provider unchanged and writes failed report", async () => {
+		const report = seedMigration("caddy-rollback-traefik-fails");
+		vi.mocked(settingsService.writeCaddySetup).mockRejectedValueOnce(
+			new Error("caddy failed"),
+		);
+		vi.mocked(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).mockRejectedValueOnce(new Error("traefik missing"));
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("caddy failed");
+
+		expect(
+			providerService.updateLocalWebServerProvider,
+		).not.toHaveBeenCalledWith("traefik");
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.status).toBe("failed");
+		expect(finalReport.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "rollback-failed",
+					message: "traefik missing",
+					blocking: true,
+				}),
+			]),
+		);
+	});
+
+	test("restores backed-up Caddy files when post-start validation fails", async () => {
+		const report = seedMigration("caddy-validation-fails");
+		vi.mocked(
+			caddyConfig.validateCaddyConfigWithContainer,
+		).mockRejectedValueOnce(new Error("validation failed"));
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("validation failed");
+
+		expect(
+			providerService.updateLocalWebServerProvider,
+		).not.toHaveBeenCalledWith("caddy");
+		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
+			"traefik",
+		);
+		expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+			'{"old":true}\n',
+		);
+		expect(vol.existsSync(`${paths().CADDY_FRAGMENTS_PATH}/old.json`)).toBe(
+			true,
+		);
+		expect(vol.existsSync(`${paths().CADDY_FRAGMENTS_PATH}/app.json`)).toBe(
+			false,
+		);
+
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.status).toBe("rolled_back");
+	});
+
+	test("fails closed when an expected rollback backup path is missing", async () => {
+		const report = seedMigration("caddy-missing-traefik-backup");
+		const traefikConfigPath = `${paths().MAIN_TRAEFIK_PATH}/traefik.yml`;
+		vol.writeFileSync(
+			report.artifactPaths.reportJson,
+			`${JSON.stringify(
+				{
+					...report,
+					status: "applied",
+					backup: {
+						createdAt: "2026-05-22T00:00:00.000Z",
+						traefikResource: {
+							resourceName: "dokploy-traefik",
+							resourceType: "standalone",
+							running: true,
+						},
+						files: [
+							{
+								label: "traefik-static",
+								source: traefikConfigPath,
+								backupPath: `${report.artifactPaths.backupsDir}/missing-traefik.yml`,
+								existed: true,
+							},
+						],
+					},
+				},
+				null,
+				2,
+			)}\n`,
+		);
+
+		await expect(
+			rollbackCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("backup path is missing");
+
+		expect(vol.readFileSync(traefikConfigPath, "utf8")).toBe(
+			"entryPoints: {}\n",
+		);
+		expect(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).not.toHaveBeenCalled();
+		expect(
+			providerService.updateLocalWebServerProvider,
+		).not.toHaveBeenCalledWith("traefik");
+
+		const finalReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(finalReport.status).toBe("failed");
+		expect(finalReport.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "rollback-failed",
+					blocking: true,
+				}),
+			]),
+		);
+	});
+
+	test("rolls back older reports that have backup metadata without file entries", async () => {
+		const report = seedMigration("caddy-old-backup-report");
+		vol.writeFileSync(
+			report.artifactPaths.reportJson,
+			`${JSON.stringify(
+				{
+					...report,
+					status: "applied",
+					backup: {
+						createdAt: "2026-05-22T00:00:00.000Z",
+						traefikResource: {
+							resourceName: "dokploy-traefik",
+							resourceType: "standalone",
+							running: true,
+						},
+					},
+				},
+				null,
+				2,
+			)}\n`,
+		);
+
+		const rolledBack = await rollbackCaddyMigration({
+			migrationId: report.migrationId,
+		});
+
+		expect(rolledBack.status).toBe("rolled_back");
+		expect(
+			settingsService.ensureTraefikRunningFromSnapshot,
+		).toHaveBeenCalledWith(
+			expect.objectContaining({ resourceName: "dokploy-traefik" }),
+			undefined,
+		);
+		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
+			"traefik",
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/caddy-migration-rollback-cli.test.ts b/apps/dokploy/__test__/caddy/migration/caddy-migration-rollback-cli.test.ts
new file mode 100644
index 0000000000..49a301ab44
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/caddy-migration-rollback-cli.test.ts
@@ -0,0 +1,95 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const rollbackCaddyMigrationMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server", () => ({
+	rollbackCaddyMigration: rollbackCaddyMigrationMock,
+}));
+
+import {
+	parseCaddyRollbackArgs,
+	runCaddyMigrationRollbackCli,
+} from "../../../scripts/caddy-migration-rollback";
+
+const createIo = () => ({
+	stdout: { write: vi.fn() },
+	stderr: { write: vi.fn() },
+});
+
+describe("caddy migration rollback CLI", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	test("requires a migration id", async () => {
+		expect(() => parseCaddyRollbackArgs([])).toThrow("Missing --migration-id");
+
+		const io = createIo();
+		const code = await runCaddyMigrationRollbackCli([], io);
+
+		expect(code).toBe(1);
+		expect(rollbackCaddyMigrationMock).not.toHaveBeenCalled();
+		expect(io.stderr.write).toHaveBeenCalledWith(
+			expect.stringContaining("Missing --migration-id"),
+		);
+	});
+
+	test("prints help and exits zero without invoking rollback", async () => {
+		const io = createIo();
+
+		const code = await runCaddyMigrationRollbackCli(["--help"], io);
+
+		expect(code).toBe(0);
+		expect(rollbackCaddyMigrationMock).not.toHaveBeenCalled();
+		expect(io.stdout.write).toHaveBeenCalledWith(
+			expect.stringContaining("Usage: caddy-migration-rollback"),
+		);
+		expect(io.stderr.write).not.toHaveBeenCalled();
+	});
+
+	test("awaits rollback and exits zero for rolled_back reports", async () => {
+		rollbackCaddyMigrationMock.mockResolvedValueOnce({
+			migrationId: "caddy-123",
+			status: "rolled_back",
+			warnings: [],
+			summary: { warnings: 0, blockingWarnings: 0, fragments: 1, routes: 1 },
+			artifactPaths: { reportJson: "/tmp/report.json" },
+		});
+		const io = createIo();
+
+		const code = await runCaddyMigrationRollbackCli(
+			["--migration-id", "caddy-123", "--server-id", "server-1"],
+			io,
+		);
+
+		expect(code).toBe(0);
+		expect(rollbackCaddyMigrationMock).toHaveBeenCalledWith({
+			migrationId: "caddy-123",
+			serverId: "server-1",
+		});
+		expect(io.stdout.write).toHaveBeenCalledWith(
+			expect.stringContaining('"status": "rolled_back"'),
+		);
+	});
+
+	test("exits non-zero for non-rolled-back terminal reports", async () => {
+		rollbackCaddyMigrationMock.mockResolvedValueOnce({
+			migrationId: "caddy-123",
+			status: "failed",
+			warnings: [],
+			summary: { warnings: 1, blockingWarnings: 1, fragments: 1, routes: 1 },
+			artifactPaths: { reportJson: "/tmp/report.json" },
+		});
+		const io = createIo();
+
+		const code = await runCaddyMigrationRollbackCli(
+			["--migration-id", "caddy-123"],
+			io,
+		);
+
+		expect(code).toBe(1);
+		expect(io.stdout.write).toHaveBeenCalledWith(
+			expect.stringContaining('"status": "failed"'),
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/compose-label-translator.test.ts b/apps/dokploy/__test__/caddy/migration/compose-label-translator.test.ts
new file mode 100644
index 0000000000..4360b8e6d5
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/compose-label-translator.test.ts
@@ -0,0 +1,329 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import {
+	compileCaddyConfig,
+	translateTraefikComposeLabelsToCaddyFragment,
+} from "@dokploy/server";
+import { describe, expect, test } from "vitest";
+import { parse } from "yaml";
+
+const fixture = (name: string) =>
+	parse(readFileSync(path.join(__dirname, "fixtures", name), "utf8")) as any;
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+const composeLabels = (serviceName: string) =>
+	fixture("generic-compose-labels.yml").services[serviceName].deploy?.labels ??
+	fixture("generic-compose-labels.yml").services[serviceName].labels;
+
+describe("Traefik compose labels to Caddy migration", () => {
+	test("translates representative Dokploy-generated HTTP/HTTPS label pairs", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			composeLabels("frontend"),
+			{
+				sourceFile: "compose-sample-stack/docker-compose.yml",
+				appName: "compose-sample-stack",
+				serviceName: "frontend",
+				upstreamServiceName: "frontend",
+			},
+		);
+		const config = compileCaddyConfig({ fragments: [result.fragment] });
+		const servers = getServers(config);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.classifications.some((item) => item.dokployGenerated)).toBe(
+			true,
+		);
+
+		const secureRoute = result.routes.find((route) =>
+			route.id.includes("websecure"),
+		);
+		expect(secureRoute).toMatchObject({
+			source: "traefik-compose-label",
+			hosts: ["app.example.com"],
+			https: true,
+			upstreams: ["http://frontend:3000"],
+		});
+
+		const redirectRoute = result.routes.find((route) =>
+			route.id.endsWith("-web"),
+		);
+		expect(redirectRoute).toMatchObject({
+			redirectScheme: { scheme: "https", permanent: true },
+			upstreams: [],
+		});
+		expect(servers.https.routes[0].handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "frontend:3000" }],
+		});
+	});
+
+	test("translates manual compose labels with OR host rules and file middleware definitions", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			composeLabels("cms"),
+			{
+				sourceFile: "cms-site/docker-compose.yml",
+				serviceName: "cms",
+				upstreamServiceName: "cms",
+				fileMiddlewares: {
+					"cms-security-headers": {
+						headers: {
+							stsSeconds: 31536000,
+							stsIncludeSubdomains: true,
+							stsPreload: true,
+							referrerPolicy: "strict-origin-when-cross-origin",
+							contentTypeNosniff: true,
+							customFrameOptionsValue: "SAMEORIGIN",
+						},
+					},
+				},
+			},
+		);
+
+		const prodRoute = result.routes.find((route) =>
+			route.id.includes("cms-prod"),
+		);
+		expect(result.warnings).toEqual([]);
+		expect(prodRoute).toMatchObject({
+			hosts: ["example.com", "www.example.com"],
+			https: true,
+			upstreams: ["http://cms:8080"],
+			transforms: {
+				responseHeaders: {
+					"Strict-Transport-Security":
+						"max-age=31536000; includeSubDomains; preload",
+					"Referrer-Policy": "strict-origin-when-cross-origin",
+					"X-Content-Type-Options": "nosniff",
+					"X-Frame-Options": "SAMEORIGIN",
+				},
+			},
+		});
+	});
+
+	test("translates path-specific manual labels with priority and dynamic file middleware mapping", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			composeLabels("admin"),
+			{
+				sourceFile: "admin-console/docker-compose.yml",
+				serviceName: "admin",
+				upstreamServiceName: "admin",
+				fileMiddlewares: {
+					"admin-no-store": {
+						headers: {
+							customResponseHeaders: {
+								"Cache-Control": "private, no-store",
+							},
+						},
+					},
+				},
+			},
+		);
+
+		expect(result.warnings).toEqual([]);
+		const adminRoutes = result.routes.filter((route) =>
+			route.id.includes("admin-console"),
+		);
+		expect(adminRoutes).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					priority: 100,
+					pathPrefix: "/admin",
+					transforms: expect.objectContaining({
+						responseHeaders: expect.objectContaining({
+							"Cache-Control": "private, no-store",
+						}),
+					}),
+				}),
+				expect.objectContaining({
+					priority: 100,
+					pathExact: "/login",
+				}),
+			]),
+		);
+	});
+
+	test("treats tls=true router labels as HTTPS intent", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			[
+				"traefik.http.routers.app.rule=Host(`tls.example.com`)",
+				"traefik.http.routers.app.entrypoints=websecure",
+				"traefik.http.routers.app.tls=true",
+				"traefik.http.routers.app.service=app",
+				"traefik.http.services.app.loadbalancer.server.port=3000",
+			],
+			{
+				sourceFile: "tls/docker-compose.yml",
+				serviceName: "app",
+				upstreamServiceName: "app",
+			},
+		);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.routes[0]).toMatchObject({
+			hosts: ["tls.example.com"],
+			https: true,
+			upstreams: ["http://app:3000"],
+		});
+	});
+
+	test("translates compose-label routes that reference ipAllowList file middleware", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			[
+				"traefik.http.routers.dash.rule=Host(`dash.example.com`)",
+				"traefik.http.routers.dash.entrypoints=websecure",
+				"traefik.http.routers.dash.tls.certresolver=letsencrypt",
+				"traefik.http.routers.dash.service=dash",
+				"traefik.http.routers.dash.middlewares=internal-allowlist@file",
+				"traefik.http.services.dash.loadbalancer.server.port=8000",
+			],
+			{
+				sourceFile: "dash/docker-compose.yml",
+				serviceName: "dash",
+				upstreamServiceName: "dash",
+				fileMiddlewares: {
+					"internal-allowlist": {
+						ipAllowList: {
+							sourceRange: ["192.0.2.0/24"],
+						},
+					} as any,
+				},
+			},
+		);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.routes[0]).toMatchObject({
+			allowedRemoteIps: ["192.0.2.0/24"],
+		});
+	});
+
+	test("drops generated labels when manual labels are present after security middleware is migratable", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			[
+				"traefik.enable=true",
+				"traefik.http.routers.sample-app-42-websecure.rule=Host(`dashboard.example.com`)",
+				"traefik.http.routers.sample-app-42-websecure.entrypoints=websecure",
+				"traefik.http.routers.sample-app-42-websecure.tls.certresolver=letsencrypt",
+				"traefik.http.routers.sample-app-42-websecure.middlewares=internal-allowlist@file",
+				"traefik.http.routers.sample-app-42-websecure.service=sample-app-42-websecure",
+				"traefik.http.services.sample-app-42-websecure.loadbalancer.server.port=8000",
+				"traefik.http.routers.custom.rule=Host(`custom.example.com`)",
+				"traefik.http.routers.custom.entrypoints=websecure",
+				"traefik.http.routers.custom.tls.certresolver=letsencrypt",
+				"traefik.http.routers.custom.service=custom",
+				"traefik.http.services.custom.loadbalancer.server.port=3000",
+			],
+			{
+				sourceFile: "sample-app/dashboard-api/labels",
+				appName: "sample-app",
+				domains: [
+					{
+						host: "dashboard.example.com",
+						uniqueConfigKey: 42,
+						https: true,
+					} as any,
+				],
+				serviceName: "dashboard-api",
+				upstreamServiceName: "dashboard-api",
+				fileMiddlewares: {
+					"internal-allowlist": {
+						ipAllowList: {
+							sourceRange: ["192.0.2.0/24"],
+						},
+					} as any,
+				},
+			},
+		);
+
+		expect(result.routes).toEqual([
+			expect.objectContaining({
+				hosts: ["custom.example.com"],
+				upstreams: ["http://dashboard-api:3000"],
+			}),
+		]);
+		expect(result.warnings).toEqual([]);
+	});
+
+	test("parses inline ipWhiteList labels as Caddy remote IP restrictions", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			[
+				"traefik.http.routers.admin.rule=Host(`admin.example.com`)",
+				"traefik.http.routers.admin.entrypoints=websecure",
+				"traefik.http.routers.admin.tls.certresolver=letsencrypt",
+				"traefik.http.routers.admin.service=admin",
+				"traefik.http.routers.admin.middlewares=admin-allow",
+				"traefik.http.services.admin.loadbalancer.server.port=8080",
+				"traefik.http.middlewares.admin-allow.ipWhiteList.sourceRange=192.0.2.0/24,127.0.0.1/32",
+			],
+			{
+				sourceFile: "admin/docker-compose.yml",
+				serviceName: "admin",
+				upstreamServiceName: "admin",
+			},
+		);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.routes[0]).toMatchObject({
+			allowedRemoteIps: ["192.0.2.0/24", "127.0.0.1/32"],
+		});
+	});
+
+	test("does not classify app-name-shaped labels as generated when DB domains are provided", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			[
+				"traefik.http.routers.my-compose-custom-web.rule=Host(`custom.example.com`)",
+				"traefik.http.routers.my-compose-custom-web.entrypoints=web",
+				"traefik.http.services.my-compose-custom-web.loadbalancer.server.port=8080",
+			],
+			{
+				sourceFile: "my-compose/docker-compose.yml",
+				appName: "my-compose",
+				domains: [],
+				serviceName: "web",
+				upstreamServiceName: "web",
+			},
+		);
+
+		expect(result.classifications).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					label:
+						"traefik.http.routers.my-compose-custom-web.rule=Host(`custom.example.com`)",
+					dokployGenerated: false,
+				}),
+			]),
+		);
+		expect(result.routes[0]).toMatchObject({
+			hosts: ["custom.example.com"],
+			upstreams: ["http://web:8080"],
+		});
+	});
+
+	test("returns blocking warnings for unsupported label rules and middleware constructs", () => {
+		const result = translateTraefikComposeLabelsToCaddyFragment(
+			composeLabels("unsupported"),
+			{
+				sourceFile: "unsupported/docker-compose.yml",
+				serviceName: "unsupported",
+			},
+		);
+
+		expect(result.routes).toHaveLength(0);
+		expect(result.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "unsupported-matcher",
+					routerName: "unsupported",
+					blocking: true,
+				}),
+				expect.objectContaining({
+					code: "unsupported-middleware",
+					middlewareName: "plugin-only",
+					blocking: true,
+				}),
+			]),
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/dynamic-file-translator.test.ts b/apps/dokploy/__test__/caddy/migration/dynamic-file-translator.test.ts
new file mode 100644
index 0000000000..a04a43c439
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/dynamic-file-translator.test.ts
@@ -0,0 +1,266 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import {
+	compileCaddyConfig,
+	translateTraefikDynamicConfigToCaddyFragment,
+} from "@dokploy/server";
+import { describe, expect, test } from "vitest";
+
+const fixture = (name: string) =>
+	readFileSync(path.join(__dirname, "fixtures", name), "utf8");
+
+const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
+	const apps = config.apps as Record<string, any>;
+	return apps.http.servers as Record<string, any>;
+};
+
+describe("Traefik dynamic file to Caddy migration", () => {
+	test("translates priority dynamic-file routers, headers, redirects, and external upstreams", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			fixture("priority-dynamic.yml"),
+			{ sourceFile: "priority-dynamic.yml" },
+		);
+		const config = compileCaddyConfig({ fragments: [result.fragment] });
+		const servers = getServers(config);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.fragment).toMatchObject({
+			id: "migration.traefik-dynamic.priority-dynamic",
+			source: "traefik-dynamic-file",
+		});
+
+		const activityRoutes = result.routes.filter((route) =>
+			route.id.includes("activity-feed"),
+		);
+		expect(activityRoutes).toHaveLength(3);
+		expect(activityRoutes.map((route) => route.priority)).toEqual([
+			10000, 10000, 10000,
+		]);
+		expect(activityRoutes).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					pathPrefix: "/activity",
+					upstreams: ["https://activity.example.net:443"],
+				}),
+				expect.objectContaining({ pathExact: "/.well-known/webfinger" }),
+				expect.objectContaining({ pathExact: "/.well-known/nodeinfo" }),
+			]),
+		);
+
+		const adminRoute = result.routes.find((route) =>
+			route.id.includes("admin-console"),
+		);
+		expect(adminRoute).toMatchObject({
+			hosts: ["example.com", "www.example.com"],
+			pathPrefix: "/admin",
+			priority: 9000,
+			transforms: {
+				responseHeaders: {
+					"Cache-Control":
+						"private, no-store, no-cache, must-revalidate, max-age=0",
+					Pragma: "no-cache",
+					Expires: "0",
+				},
+			},
+		});
+
+		const redirectRoute = result.routes.find((route) =>
+			route.id.includes("site-redirect"),
+		);
+		expect(redirectRoute).toMatchObject({
+			redirectScheme: { scheme: "https", permanent: true },
+			upstreams: [],
+		});
+
+		const activityProxy = servers.https.routes.find((route: any) =>
+			route.match[0].path?.includes("/activity*"),
+		);
+		expect(activityProxy.handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "activity.example.net:443" }],
+			transport: { protocol: "http", tls: {} },
+		});
+	});
+
+	test("normalizes Traefik service URLs with default scheme ports", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			[
+				"http:",
+				"  routers:",
+				"    admin:",
+				"      rule: Host(`admin.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: admin",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"  services:",
+				"    admin:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://admin",
+			].join("\n"),
+			{ sourceFile: "admin.yml" },
+		);
+
+		expect(result.routes[0]).toMatchObject({
+			upstreams: ["http://admin:80"],
+		});
+		expect(() =>
+			compileCaddyConfig({ fragments: [result.fragment] }),
+		).not.toThrow();
+	});
+
+	test("skips Traefik api@internal dashboard routers as non-migratable internals", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			[
+				"http:",
+				"  routers:",
+				"    traefik-dashboard:",
+				"      rule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)",
+				"      entryPoints: [traefik]",
+				"      service: api@internal",
+				"      middlewares: [internal-allowlist]",
+			].join("\n"),
+			{ sourceFile: "routers.yml" },
+		);
+
+		expect(result.routes).toEqual([]);
+		expect(result.warnings).toEqual([
+			expect.objectContaining({
+				code: "unsupported-router",
+				routerName: "traefik-dashboard",
+				serviceName: "api@internal",
+				blocking: false,
+				message: expect.stringContaining("Skipped Traefik internal router"),
+			}),
+		]);
+	});
+
+	test("translates active routes that use ipAllowList file middleware", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			[
+				"http:",
+				"  routers:",
+				"    dash:",
+				"      rule: Host(`dash.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: dash",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"      middlewares: [internal-allowlist]",
+				"  services:",
+				"    dash:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://dash:8000",
+				"  middlewares:",
+				"    internal-allowlist:",
+				"      ipAllowList:",
+				"        sourceRange:",
+				"          - 192.0.2.0/24",
+			].join("\n"),
+			{ sourceFile: "dash.yml" },
+		);
+
+		expect(result.warnings).toEqual([]);
+		expect(result.routes[0]).toMatchObject({
+			allowedRemoteIps: ["192.0.2.0/24"],
+		});
+		const config = compileCaddyConfig({ fragments: [result.fragment] });
+		const servers = getServers(config);
+		expect(servers.https.routes).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					match: [
+						expect.objectContaining({
+							remote_ip: { ranges: ["192.0.2.0/24"] },
+						}),
+					],
+				}),
+				expect.objectContaining({
+					handle: [
+						expect.objectContaining({
+							handler: "static_response",
+							status_code: 403,
+						}),
+					],
+				}),
+			]),
+		);
+	});
+
+	test("translates strip/add prefix, basicAuth, chain, and blocks unsupported constructs", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			fixture("middleware-coverage.yml"),
+			{ sourceFile: "middleware-coverage.yml" },
+		);
+
+		const toolRoute = result.routes.find((route) => route.id.endsWith("-tool"));
+		expect(toolRoute).toMatchObject({
+			transforms: {
+				stripPrefix: "/public",
+				addPrefix: "/internal",
+				requestHeaders: { "X-Forwarded-Proto": "https" },
+				responseHeaders: { "X-Test": "true" },
+			},
+			basicAuth: [{ username: "admin", hash: "$2y$05$abcdef" }],
+		});
+
+		expect(result.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "unsupported-service",
+					serviceName: "tool",
+					blocking: true,
+				}),
+				expect.objectContaining({
+					code: "unsupported-middleware",
+					middlewareName: "plugin-auth",
+					blocking: true,
+				}),
+				expect.objectContaining({
+					code: "unsupported-router",
+					routerName: "unsupported-plugin",
+					message: expect.stringContaining("Custom certResolver"),
+					blocking: true,
+				}),
+			]),
+		);
+	});
+
+	test("blocks basicAuth hashes that Caddy cannot safely consume", () => {
+		const result = translateTraefikDynamicConfigToCaddyFragment(
+			[
+				"http:",
+				"  routers:",
+				"    secure:",
+				"      rule: Host(`secure.example.com`)",
+				"      service: secure",
+				"      middlewares: [legacy-auth]",
+				"  services:",
+				"    secure:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://secure:3000",
+				"  middlewares:",
+				"    legacy-auth:",
+				"      basicAuth:",
+				"        users:",
+				"          - admin:$apr1$legacy-hash",
+			].join("\n"),
+			{ sourceFile: "legacy-auth.yml" },
+		);
+
+		expect(result.routes[0]?.basicAuth).toBeNull();
+		expect(result.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "unsupported-security-middleware",
+					middlewareName: "legacy-auth",
+					blocking: true,
+					message: expect.stringContaining("hash format"),
+				}),
+			]),
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/fixtures/generic-compose-labels.yml b/apps/dokploy/__test__/caddy/migration/fixtures/generic-compose-labels.yml
new file mode 100644
index 0000000000..2500c4eb69
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/fixtures/generic-compose-labels.yml
@@ -0,0 +1,58 @@
+# Representative Traefik compose labels for Caddy migration tests.
+services:
+  frontend:
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.compose-sample-stack-frontend-web.rule=Host(`app.example.com`)
+        - traefik.http.routers.compose-sample-stack-frontend-web.entrypoints=web
+        - traefik.http.services.compose-sample-stack-frontend-web.loadbalancer.server.port=3000
+        - traefik.http.routers.compose-sample-stack-frontend-web.service=compose-sample-stack-frontend-web
+        - traefik.http.routers.compose-sample-stack-frontend-web.middlewares=redirect-to-https@file
+        - traefik.http.routers.compose-sample-stack-frontend-websecure.rule=Host(`app.example.com`)
+        - traefik.http.routers.compose-sample-stack-frontend-websecure.entrypoints=websecure
+        - traefik.http.services.compose-sample-stack-frontend-websecure.loadbalancer.server.port=3000
+        - traefik.http.routers.compose-sample-stack-frontend-websecure.service=compose-sample-stack-frontend-websecure
+        - traefik.http.routers.compose-sample-stack-frontend-websecure.tls.certresolver=letsencrypt
+        - traefik.http.routers.compose-sample-stack-frontend-websecure.middlewares=security-headers@file
+        - traefik.docker.network=dokploy-network
+  cms:
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=dokploy-network
+        - traefik.http.routers.cms-prod.rule=Host(`example.com`) || Host(`www.example.com`)
+        - traefik.http.routers.cms-prod.entrypoints=websecure
+        - traefik.http.routers.cms-prod.tls.certresolver=letsencrypt
+        - traefik.http.routers.cms-prod.middlewares=cms-security-headers@file
+        - traefik.http.routers.cms-prod.service=cms-prod
+        - traefik.http.routers.cms-preview.rule=Host(`cms.test.example.com`) || Host(`preview.test.example.com`)
+        - traefik.http.routers.cms-preview.entrypoints=websecure
+        - traefik.http.routers.cms-preview.tls.certresolver=letsencrypt
+        - traefik.http.routers.cms-preview.middlewares=cms-security-headers@file
+        - traefik.http.routers.cms-preview.service=cms-prod
+        - traefik.http.services.cms-prod.loadbalancer.server.port=8080
+  admin:
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.admin.rule=Host(`admin.example.com`)
+        - traefik.http.routers.admin.entrypoints=websecure
+        - traefik.http.routers.admin.service=admin
+        - traefik.http.routers.admin.tls.certresolver=letsencrypt
+        - traefik.http.routers.admin.middlewares=security-headers@file
+        - traefik.http.routers.admin-console.rule=Host(`admin.example.com`) && (PathPrefix(`/admin`) || Path(`/login`))
+        - traefik.http.routers.admin-console.entrypoints=websecure
+        - traefik.http.routers.admin-console.service=admin
+        - traefik.http.routers.admin-console.tls.certresolver=letsencrypt
+        - traefik.http.routers.admin-console.middlewares=security-headers@file,admin-no-store@file
+        - traefik.http.routers.admin-console.priority=100
+        - traefik.http.services.admin.loadbalancer.server.port=80
+  unsupported:
+    labels:
+      - traefik.http.routers.unsupported.rule=HostRegexp(`{subdomain:[a-z]+}.example.com`)
+      - traefik.http.routers.unsupported.entrypoints=websecure
+      - traefik.http.routers.unsupported.service=unsupported
+      - traefik.http.services.unsupported.loadbalancer.server.port=9000
+      - traefik.http.routers.unsupported.middlewares=plugin-only
+      - traefik.http.middlewares.plugin-only.plugin.demo.enabled=true
diff --git a/apps/dokploy/__test__/caddy/migration/fixtures/middleware-coverage.yml b/apps/dokploy/__test__/caddy/migration/fixtures/middleware-coverage.yml
new file mode 100644
index 0000000000..964c992f75
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/fixtures/middleware-coverage.yml
@@ -0,0 +1,54 @@
+http:
+  routers:
+    tool:
+      rule: "Host(`tools.example.com`) && PathPrefix(`/public`)"
+      entryPoints:
+        - websecure
+      service: tool
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - tool-chain
+    unsupported-plugin:
+      rule: "Host(`blocked.example.com`)"
+      entryPoints:
+        - websecure
+      service: tool
+      tls:
+        certResolver: customresolver
+      middlewares:
+        - plugin-auth
+  services:
+    tool:
+      loadBalancer:
+        servers:
+          - url: http://tool:8080
+        passHostHeader: false
+  middlewares:
+    tool-chain:
+      chain:
+        middlewares:
+          - strip-public
+          - add-internal
+          - basic-users
+          - response-headers
+    strip-public:
+      stripPrefix:
+        prefixes:
+          - /public
+    add-internal:
+      addPrefix:
+        prefix: /internal
+    basic-users:
+      basicAuth:
+        users:
+          - admin:$2y$05$abcdef
+    response-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        customResponseHeaders:
+          X-Test: "true"
+    plugin-auth:
+      plugin:
+        unsupported: {}
diff --git a/apps/dokploy/__test__/caddy/migration/fixtures/priority-dynamic.yml b/apps/dokploy/__test__/caddy/migration/fixtures/priority-dynamic.yml
new file mode 100644
index 0000000000..ace2ca7a5c
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/fixtures/priority-dynamic.yml
@@ -0,0 +1,58 @@
+# Representative Traefik dynamic-file routes for Caddy migration tests.
+http:
+  routers:
+    activity-feed:
+      rule: "Host(`example.com`) && (PathPrefix(`/activity`) || Path(`/.well-known/webfinger`) || Path(`/.well-known/nodeinfo`))"
+      entryPoints:
+        - websecure
+      service: hosted-activity
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - security-headers
+      priority: 10000
+    admin-console:
+      rule: "(Host(`example.com`) || Host(`www.example.com`)) && PathPrefix(`/admin`)"
+      entryPoints:
+        - websecure
+      service: site
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - security-headers
+        - admin-no-store
+      priority: 9000
+    site:
+      rule: "Host(`example.com`) || Host(`www.example.com`)"
+      entryPoints:
+        - websecure
+      service: site
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - security-headers
+    site-redirect:
+      rule: "Host(`example.com`) || Host(`www.example.com`)"
+      entryPoints:
+        - web
+      service: site
+      middlewares:
+        - redirect-to-https
+  services:
+    site:
+      loadBalancer:
+        servers:
+          - url: http://site:8080
+        passHostHeader: true
+    hosted-activity:
+      loadBalancer:
+        servers:
+          - url: https://activity.example.net:443
+        passHostHeader: true
+  middlewares:
+    admin-no-store:
+      headers:
+        customResponseHeaders:
+          Cache-Control: "private, no-store, no-cache, must-revalidate, max-age=0"
+          Pragma: "no-cache"
+          Expires: "0"
diff --git a/apps/dokploy/__test__/caddy/migration/prepare.test.ts b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
new file mode 100644
index 0000000000..42d736d254
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
@@ -0,0 +1,595 @@
+import { fs, vol } from "memfs";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			applications: { findMany: vi.fn() },
+			compose: { findMany: vi.fn() },
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getWebServerSettings: vi.fn().mockResolvedValue({
+		letsEncryptEmail: "ops@example.com",
+	}),
+}));
+
+vi.mock("@dokploy/server/utils/docker/domain", async (importOriginal) => {
+	const actual =
+		await importOriginal<
+			typeof import("@dokploy/server/utils/docker/domain")
+		>();
+	return {
+		...actual,
+		loadDockerCompose: vi.fn().mockResolvedValue(null),
+		loadDockerComposeRemote: vi.fn().mockResolvedValue(null),
+	};
+});
+
+const remoteDockerMock = vi.hoisted(() => ({
+	listServices: vi.fn().mockResolvedValue([]),
+	listContainers: vi.fn().mockResolvedValue([]),
+	listTasks: vi.fn().mockResolvedValue([]),
+	getContainer: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/servers/remote-docker", () => ({
+	getRemoteDocker: vi.fn().mockResolvedValue(remoteDockerMock),
+}));
+
+import { paths } from "@dokploy/server/constants";
+import { db } from "@dokploy/server/db";
+import { prepareCaddyMigration } from "@dokploy/server/utils/caddy/migration/prepare";
+
+const domain = {
+	domainId: "domain-1",
+	host: "app.example.com",
+	https: true,
+	port: 3000,
+	customEntrypoint: null,
+	path: "/",
+	serviceName: null,
+	domainType: "application",
+	uniqueConfigKey: 1,
+	createdAt: new Date().toISOString(),
+	composeId: null,
+	customCertResolver: null,
+	applicationId: "app-1",
+	previewDeploymentId: null,
+	certificateType: "letsencrypt",
+	internalPath: "/",
+	stripPath: false,
+	middlewares: [],
+};
+
+const genericComposeFixture = [
+	"services:",
+	"  cms:",
+	"    deploy:",
+	"      labels:",
+	"        - traefik.enable=true",
+	"        - traefik.docker.network=dokploy-network",
+	"        - traefik.http.routers.cms-prod.rule=Host(`example.com`) || Host(`www.example.com`)",
+	"        - traefik.http.routers.cms-prod.entrypoints=websecure",
+	"        - traefik.http.routers.cms-prod.tls.certresolver=letsencrypt",
+	"        - traefik.http.routers.cms-prod.middlewares=cms-security-headers@file",
+	"        - traefik.http.routers.cms-prod.service=cms-prod",
+	"        - traefik.http.services.cms-prod.loadbalancer.server.port=8080",
+	"  unsupported:",
+	"    labels:",
+	"      - traefik.http.routers.unsupported.rule=HostRegexp(`{subdomain:[a-z]+}.example.com`)",
+	"      - traefik.http.routers.unsupported.entrypoints=websecure",
+	"      - traefik.http.routers.unsupported.service=unsupported",
+	"      - traefik.http.services.unsupported.loadbalancer.server.port=9000",
+	"      - traefik.http.routers.unsupported.middlewares=plugin-only",
+	"      - traefik.http.middlewares.plugin-only.plugin.demo.enabled=true",
+].join("\n");
+
+describe("prepareCaddyMigration", () => {
+	beforeEach(() => {
+		vol.reset();
+		vi.clearAllMocks();
+		remoteDockerMock.listServices.mockResolvedValue([]);
+		remoteDockerMock.listContainers.mockResolvedValue([]);
+		remoteDockerMock.listTasks.mockResolvedValue([]);
+		remoteDockerMock.getContainer.mockReturnValue({
+			inspect: vi.fn().mockResolvedValue({}),
+		});
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([
+			{
+				applicationId: "app-1",
+				appName: "test-app",
+				serverId: null,
+				domains: [domain],
+			} as any,
+		]);
+		vi.mocked(db.query.compose.findMany).mockResolvedValue([]);
+	});
+
+	test("writes reviewable dry-run artifacts without touching live Caddy config", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/manual.yml`,
+			[
+				"http:",
+				"  routers:",
+				"    manual:",
+				"      rule: Host(`manual.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: manual",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"  services:",
+				"    manual:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://manual:8080",
+			].join("\n"),
+		);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.status).toBe("prepared");
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(report.summary.fragments).toBe(2);
+		expect(report.inputs.dynamicFiles).toHaveLength(1);
+		expect(vol.existsSync(report.artifactPaths.reportJson)).toBe(true);
+		expect(vol.existsSync(report.artifactPaths.reportMd)).toBe(true);
+		expect(vol.existsSync(report.artifactPaths.caddyJson)).toBe(true);
+		expect(vol.existsSync(currentPaths.CADDY_CONFIG_PATH)).toBe(false);
+
+		const draft = JSON.parse(
+			vol.readFileSync(report.artifactPaths.caddyJson, "utf8") as string,
+		) as any;
+		expect(draft.apps.tls.automation.policies[0].issuers[0].email).toBe(
+			"ops@example.com",
+		);
+		const fragmentFiles = vol.readdirSync(report.artifactPaths.fragmentsDir);
+		expect(fragmentFiles).toEqual(
+			expect.arrayContaining([
+				"application.test-app.1.json",
+				"migration.traefik-dynamic.manual.json",
+			]),
+		);
+	});
+
+	test("carries existing manual Caddy fragments into the migration draft", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.CADDY_FRAGMENTS_PATH}/manual.archive.json`,
+			JSON.stringify(
+				{
+					version: 1,
+					id: "manual.archive",
+					source: "manual",
+					routes: [
+						{
+							id: "archive-404",
+							source: "manual",
+							hosts: ["archive.example.com"],
+							https: true,
+							upstreams: [],
+							staticResponse: { statusCode: 404 },
+						},
+					],
+				},
+				null,
+				2,
+			),
+		);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(
+			vol.existsSync(
+				`${report.artifactPaths.fragmentsDir}/manual.archive.json`,
+			),
+		).toBe(true);
+		const draft = JSON.parse(
+			vol.readFileSync(report.artifactPaths.caddyJson, "utf8") as string,
+		) as any;
+		const archiveRoute = draft.apps.http.servers.https.routes.find(
+			(item: any) => JSON.stringify(item.match).includes("archive.example.com"),
+		);
+		expect(archiveRoute.handle[0]).toMatchObject({
+			handler: "static_response",
+			status_code: 404,
+		});
+	});
+
+	test("blocks carried manual Caddy fragments that overlap generated migration routes", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.CADDY_FRAGMENTS_PATH}/manual.conflict.json`,
+			JSON.stringify(
+				{
+					version: 1,
+					id: "manual.conflict",
+					source: "manual",
+					routes: [
+						{
+							id: "manual-conflict",
+							source: "manual",
+							hosts: ["manual.example.com"],
+							https: true,
+							upstreams: [],
+							staticResponse: { statusCode: 404 },
+						},
+					],
+				},
+				null,
+				2,
+			),
+		);
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/manual.yml`,
+			[
+				"http:",
+				"  routers:",
+				"    manual:",
+				"      rule: Host(`manual.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: manual",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"  services:",
+				"    manual:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://manual:8080",
+			].join("\n"),
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(1);
+		expect(report.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "conflicting-manual-fragment",
+					source: "manual.conflict",
+					blocking: true,
+				}),
+			]),
+		);
+		expect(vol.readFileSync(report.artifactPaths.reportMd, "utf8")).toContain(
+			"conflicting-manual-fragment",
+		);
+	});
+
+	test("reports compose-label warnings with source references during dry run", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/middlewares.yml`,
+			[
+				"http:",
+				"  middlewares:",
+				"    cms-security-headers:",
+				"      headers:",
+				"        stsSeconds: 31536000",
+				"        stsIncludeSubdomains: true",
+				"        stsPreload: true",
+				"        referrerPolicy: strict-origin-when-cross-origin",
+				"        contentTypeNosniff: true",
+			].join("\n"),
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+		vi.mocked(db.query.compose.findMany).mockResolvedValue([
+			{
+				appName: "generic-fixture",
+				serverId: null,
+				composeFile: genericComposeFixture,
+				composeType: "docker-compose",
+				randomize: false,
+				isolatedDeployment: false,
+				suffix: null,
+				domains: [],
+			} as any,
+		]);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.inputs.composeFilesScanned).toEqual(["generic-fixture"]);
+		expect(report.summary.fragments).toBe(1);
+		expect(report.summary.blockingWarnings).toBeGreaterThan(0);
+		expect(report.warnings).not.toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "unresolved-middleware",
+					source: "generic-fixture/cms/deploy.labels",
+					middlewareName: "cms-security-headers@file",
+				}),
+			]),
+		);
+		expect(report.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "unsupported-matcher",
+					source: "generic-fixture/unsupported/labels",
+					routerName: "unsupported",
+					blocking: true,
+				}),
+			]),
+		);
+
+		const reportJson = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		);
+		expect(reportJson.inputs.composeFilesScanned).toEqual(["generic-fixture"]);
+		const reportMd = vol.readFileSync(
+			report.artifactPaths.reportMd,
+			"utf8",
+		) as string;
+		expect(reportMd).toContain("Blocking warnings");
+		expect(reportMd).not.toContain("cms-security-headers@file");
+		expect(reportMd).toContain("generic-fixture/unsupported/labels");
+	});
+
+	test("normalizes dynamic-file upstream URLs with default scheme ports", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/admin.yml`,
+			[
+				"http:",
+				"  routers:",
+				"    admin:",
+				"      rule: Host(`admin.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: admin",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"  services:",
+				"    admin:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://admin",
+			].join("\n"),
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.validation.status).toBe("passed");
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(report.warnings).toEqual([]);
+		expect(vol.readFileSync(report.artifactPaths.caddyJson, "utf8")).toContain(
+			'"dial": "admin:80"',
+		);
+	});
+
+	test("preserves generated-only compose label IP restrictions before discarding generated labels", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/middlewares.yml`,
+			[
+				"http:",
+				"  middlewares:",
+				"    internal-allowlist:",
+				"      ipAllowList:",
+				"        sourceRange:",
+				"          - 192.0.2.0/24",
+			].join("\n"),
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+		vi.mocked(db.query.compose.findMany).mockResolvedValue([
+			{
+				appName: "sample-dashboard",
+				serverId: null,
+				composeFile: [
+					"services:",
+					"  dash-api:",
+					"    image: dash",
+					"    labels:",
+					"      - traefik.enable=true",
+					"      - traefik.docker.network=dokploy-network",
+					"      - traefik.http.routers.sample-dashboard-42-websecure.rule=Host(`dashboard.example.com`)",
+					"      - traefik.http.routers.sample-dashboard-42-websecure.entrypoints=websecure",
+					"      - traefik.http.routers.sample-dashboard-42-websecure.tls.certresolver=letsencrypt",
+					"      - traefik.http.routers.sample-dashboard-42-websecure.middlewares=internal-allowlist@file",
+					"      - traefik.http.routers.sample-dashboard-42-websecure.service=sample-dashboard-42-websecure",
+					"      - traefik.http.services.sample-dashboard-42-websecure.loadbalancer.server.port=8000",
+				].join("\n"),
+				composeType: "docker-compose",
+				randomize: false,
+				isolatedDeployment: false,
+				suffix: null,
+				domains: [
+					{
+						...domain,
+						domainId: "dash-domain",
+						applicationId: null,
+						composeId: "dash-compose",
+						domainType: "compose",
+						host: "dashboard.example.com",
+						port: 8000,
+						serviceName: "dash-api",
+						uniqueConfigKey: 42,
+					},
+				],
+			} as any,
+		]);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(report.warnings).toEqual([
+			expect.objectContaining({
+				code: "shadowed-route",
+				blocking: false,
+			}),
+		]);
+		expect(report.summary.fragments).toBe(1);
+		const caddyJson = vol.readFileSync(report.artifactPaths.caddyJson, "utf8");
+		expect(caddyJson).toContain('"remote_ip"');
+		expect(caddyJson).toContain('"status_code": 403');
+	});
+
+	test("skips live Docker Traefik label services with no running tasks", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+		vi.mocked(db.query.compose.findMany).mockResolvedValue([]);
+		remoteDockerMock.listServices.mockResolvedValue([
+			{
+				ID: "stopped-service-id",
+				Spec: {
+					Name: "stopped-stack_web",
+					Mode: { Replicated: { Replicas: 1 } },
+					Labels: {
+						"traefik.http.routers.stopped.rule": "Host(`stopped.example.com`)",
+						"traefik.http.routers.stopped.entrypoints": "websecure",
+						"traefik.http.routers.stopped.service": "stopped",
+						"traefik.http.routers.stopped.tls.certresolver": "letsencrypt",
+						"traefik.http.services.stopped.loadbalancer.server.port": "8080",
+					},
+				},
+			},
+			{
+				ID: "running-service-id",
+				Spec: {
+					Name: "running-stack_web",
+					Mode: { Replicated: { Replicas: 1 } },
+					Labels: {
+						"traefik.http.routers.running.rule": "Host(`running.example.com`)",
+						"traefik.http.routers.running.entrypoints": "websecure",
+						"traefik.http.routers.running.service": "running",
+						"traefik.http.routers.running.tls.certresolver": "letsencrypt",
+						"traefik.http.services.running.loadbalancer.server.port": "8080",
+					},
+				},
+			},
+		]);
+		remoteDockerMock.listTasks.mockResolvedValue([
+			{
+				ServiceID: "running-service-id",
+				DesiredState: "running",
+				Status: { State: "running" },
+			},
+		]);
+
+		const report = await prepareCaddyMigration();
+		const caddyJson = vol.readFileSync(report.artifactPaths.caddyJson, "utf8");
+
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(caddyJson).toContain("running.example.com");
+		expect(caddyJson).toContain("running-stack_web:8080");
+		expect(caddyJson).not.toContain("stopped.example.com");
+		expect(caddyJson).not.toContain("stopped-stack_web:8080");
+	});
+
+	test("uses inspected container network aliases for reachability checks", async () => {
+		const currentPaths = paths();
+		vol.mkdirSync(currentPaths.DYNAMIC_TRAEFIK_PATH, { recursive: true });
+		vol.writeFileSync(
+			`${currentPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+			"entryPoints:\n  web:\n    address: ':80'\n",
+		);
+		vol.writeFileSync(
+			`${currentPaths.DYNAMIC_TRAEFIK_PATH}/admin.yml`,
+			[
+				"http:",
+				"  routers:",
+				"    admin:",
+				"      rule: Host(`admin.example.com`)",
+				"      entryPoints: [websecure]",
+				"      service: admin",
+				"      tls:",
+				"        certResolver: letsencrypt",
+				"  services:",
+				"    admin:",
+				"      loadBalancer:",
+				"        servers:",
+				"          - url: http://admin:80",
+			].join("\n"),
+		);
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([]);
+		vi.mocked(db.query.compose.findMany).mockResolvedValue([]);
+		remoteDockerMock.listContainers.mockResolvedValue([
+			{
+				Id: "traefik-container",
+				Names: ["/dokploy-traefik"],
+				NetworkSettings: { Networks: {} },
+				Labels: {},
+			},
+			{
+				Id: "admin-container",
+				Names: ["/admin-console-admin-1"],
+				NetworkSettings: { Networks: {} },
+				Labels: {},
+			},
+		]);
+		remoteDockerMock.getContainer.mockImplementation((id: string) => ({
+			inspect: vi.fn().mockResolvedValue(
+				id === "admin-container"
+					? {
+							NetworkSettings: {
+								Networks: {
+									"dokploy-network": {
+										Aliases: ["admin-console-admin-1", "admin"],
+									},
+								},
+							},
+						}
+					: {
+							NetworkSettings: {
+								Networks: {
+									"dokploy-network": { Aliases: ["dokploy-traefik"] },
+								},
+							},
+						},
+			),
+		}));
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(report.warnings).not.toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({ code: "unreachable-upstream" }),
+			]),
+		);
+		expect(vol.readFileSync(report.artifactPaths.caddyJson, "utf8")).toContain(
+			'"dial": "admin:80"',
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/traefik-recovery.test.ts b/apps/dokploy/__test__/caddy/migration/traefik-recovery.test.ts
new file mode 100644
index 0000000000..56720c50ae
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/traefik-recovery.test.ts
@@ -0,0 +1,290 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const execAsyncMock = vi.hoisted(() => vi.fn());
+const execAsyncRemoteMock = vi.hoisted(() => vi.fn());
+const initializeTraefikServiceMock = vi.hoisted(() => vi.fn());
+const initializeStandaloneTraefikMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsync: execAsyncMock,
+	execAsyncRemote: execAsyncRemoteMock,
+}));
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			compose: { findMany: vi.fn().mockResolvedValue([]) },
+		},
+	},
+}));
+
+vi.mock("@dokploy/server/setup/caddy-setup", () => ({
+	initializeCaddyService: vi.fn(),
+	initializeStandaloneCaddy: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/setup/traefik-setup", () => ({
+	initializeTraefikService: initializeTraefikServiceMock,
+	initializeStandaloneTraefik: initializeStandaloneTraefikMock,
+}));
+
+import {
+	ensureTraefikRunningFromSnapshot,
+	getDockerResourceSnapshot,
+} from "@dokploy/server/services/settings";
+
+describe("Traefik rollback recovery", () => {
+	let resourceTypes: Record<string, "service" | "standalone" | "unknown">;
+
+	beforeEach(() => {
+		vi.clearAllMocks();
+		resourceTypes = {
+			"dokploy-traefik": "unknown",
+			dokploy: "service",
+		};
+		initializeTraefikServiceMock.mockImplementation(async () => {
+			resourceTypes["dokploy-traefik"] = "service";
+		});
+		initializeStandaloneTraefikMock.mockImplementation(async () => {
+			resourceTypes["dokploy-traefik"] = "standalone";
+		});
+		execAsyncMock.mockImplementation(async (command: string) => {
+			const resourceName = command.match(/RESOURCE_NAME="([^"]+)"/)?.[1];
+			if (resourceName) {
+				return {
+					stdout: `${resourceTypes[resourceName] ?? "unknown"}\n`,
+					stderr: "",
+				};
+			}
+			if (command.includes("docker start dokploy-traefik")) {
+				throw new Error("No such container: dokploy-traefik");
+			}
+			if (command.includes("docker service inspect dokploy-traefik")) {
+				return {
+					stdout: JSON.stringify({ Replicated: { Replicas: 1 } }),
+					stderr: "",
+				};
+			}
+			if (command.includes("docker service ps dokploy-traefik")) {
+				return { stdout: "Running 1 second ago\n", stderr: "" };
+			}
+			if (
+				command.includes("docker container inspect dokploy-traefik") &&
+				command.includes("'{{json .}}'")
+			) {
+				return {
+					stdout: `${JSON.stringify({
+						State: {
+							Running: resourceTypes["dokploy-traefik"] === "standalone",
+						},
+						HostConfig: { Binds: [], RestartPolicy: { Name: "always" } },
+						NetworkSettings: { Networks: { "dokploy-network": {} } },
+						Config: { Labels: {} },
+					})}\n`,
+					stderr: "",
+				};
+			}
+			if (
+				command.includes("docker container inspect dokploy-traefik") &&
+				command.includes(".State.Running")
+			) {
+				return { stdout: "true\n", stderr: "" };
+			}
+			return { stdout: "", stderr: "" };
+		});
+		execAsyncRemoteMock.mockImplementation(execAsyncMock);
+	});
+
+	test("recreates missing standalone Traefik with captured snapshot metadata", async () => {
+		await ensureTraefikRunningFromSnapshot({
+			resourceName: "dokploy-traefik",
+			resourceType: "standalone",
+			running: true,
+			env: "FOO=bar\nBAZ=qux",
+			additionalPorts: [
+				{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+			],
+			image: "traefik:v3.7.1",
+			binds: [
+				"/etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml:ro",
+				"/etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic",
+				"/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json",
+				"/var/run/docker.sock:/var/run/docker.sock:ro",
+			],
+			networks: ["dokploy-network"],
+			labels: { "example.label": "preserved" },
+			restartPolicy: { Name: "unless-stopped" },
+		});
+
+		expect(initializeStandaloneTraefikMock).toHaveBeenCalledWith({
+			env: ["FOO=bar", "BAZ=qux"],
+			additionalPorts: [
+				{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+			],
+			image: "traefik:v3.7.1",
+			serverId: undefined,
+			binds: [
+				"/etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml:ro",
+				"/etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic",
+				"/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json",
+				"/var/run/docker.sock:/var/run/docker.sock:ro",
+			],
+			networks: ["dokploy-network"],
+			labels: { "example.label": "preserved" },
+			serviceMounts: undefined,
+			restartPolicy: { Name: "unless-stopped" },
+			serviceNetworks: [],
+			servicePlacement: undefined,
+			serviceLabels: { "example.label": "preserved" },
+			serviceEndpointPorts: undefined,
+		});
+		expect(initializeTraefikServiceMock).not.toHaveBeenCalled();
+	});
+
+	test("captures standalone Traefik binds and networks in rollback snapshot", async () => {
+		resourceTypes["dokploy-traefik"] = "standalone";
+		execAsyncMock.mockImplementation(async (command: string) => {
+			const resourceName = command.match(/RESOURCE_NAME="([^"]+)"/)?.[1];
+			if (resourceName) {
+				return {
+					stdout: `${resourceTypes[resourceName] ?? "unknown"}\n`,
+					stderr: "",
+				};
+			}
+			if (command.includes("docker container inspect dokploy-traefik")) {
+				if (command.includes("'{{json .}}'")) {
+					return {
+						stdout: `${JSON.stringify({
+							State: { Running: true },
+							HostConfig: {
+								Binds: [
+									"/etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml:ro",
+									"/etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic",
+									"/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json",
+									"/var/run/docker.sock:/var/run/docker.sock:ro",
+								],
+								RestartPolicy: { Name: "always" },
+							},
+							NetworkSettings: { Networks: { "dokploy-network": {} } },
+							Config: { Labels: { "example.label": "preserved" } },
+						})}\n`,
+						stderr: "",
+					};
+				}
+				if (command.includes(".Config.Image")) {
+					return { stdout: "traefik:v3.7.1\n", stderr: "" };
+				}
+			}
+			if (command.includes("docker container inspect dokploy-traefik")) {
+				return { stdout: "{}\n", stderr: "" };
+			}
+			return { stdout: "[]\n", stderr: "" };
+		});
+
+		const snapshot = await getDockerResourceSnapshot("dokploy-traefik");
+
+		expect(snapshot.binds).toEqual([
+			"/etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml:ro",
+			"/etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic",
+			"/etc/dokploy/traefik/acme.json:/letsencrypt/acme.json",
+			"/var/run/docker.sock:/var/run/docker.sock:ro",
+		]);
+		expect(snapshot.networks).toEqual(["dokploy-network"]);
+		expect(snapshot.labels).toEqual({ "example.label": "preserved" });
+		expect(snapshot.restartPolicy).toEqual({ Name: "always" });
+	});
+
+	test("recreates missing Traefik service with captured service shape", async () => {
+		await ensureTraefikRunningFromSnapshot({
+			resourceName: "dokploy-traefik",
+			resourceType: "service",
+			running: false,
+			replicas: 2,
+			env: "FOO=bar",
+			additionalPorts: [
+				{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+			],
+			image: "traefik:v3.7.1",
+			mounts: [
+				{
+					Type: "bind",
+					Source: "/etc/dokploy/traefik/acme.json",
+					Target: "/letsencrypt/acme.json",
+				},
+			],
+			networks: [{ Target: "dokploy-network" }],
+			labels: { "service.label": "preserved" },
+			containerLabels: { "container.label": "preserved" },
+			placement: { Constraints: ["node.role==manager"] },
+			endpointPorts: [
+				{
+					TargetPort: 443,
+					PublishedPort: 443,
+					Protocol: "tcp",
+					PublishMode: "host",
+				},
+			],
+		});
+
+		expect(initializeTraefikServiceMock).toHaveBeenCalledWith(
+			expect.objectContaining({
+				env: ["FOO=bar"],
+				replicas: 2,
+				serviceMounts: [
+					{
+						Type: "bind",
+						Source: "/etc/dokploy/traefik/acme.json",
+						Target: "/letsencrypt/acme.json",
+					},
+				],
+				serviceNetworks: [{ Target: "dokploy-network" }],
+				serviceLabels: { "service.label": "preserved" },
+				serviceContainerLabels: { "container.label": "preserved" },
+				servicePlacement: { Constraints: ["node.role==manager"] },
+				serviceEndpointPorts: [
+					{
+						TargetPort: 443,
+						PublishedPort: 443,
+						Protocol: "tcp",
+						PublishMode: "host",
+					},
+				],
+			}),
+		);
+	});
+
+	test("falls back to generic setup when exact recreation fails", async () => {
+		initializeStandaloneTraefikMock.mockRejectedValueOnce(
+			new Error("stale mount"),
+		);
+
+		await ensureTraefikRunningFromSnapshot({
+			resourceName: "dokploy-traefik",
+			resourceType: "standalone",
+			running: true,
+			image: "traefik:v3.7.1",
+		});
+
+		expect(initializeStandaloneTraefikMock).toHaveBeenCalledOnce();
+		expect(initializeTraefikServiceMock).toHaveBeenCalledWith(
+			expect.objectContaining({ image: "traefik:v3.7.1" }),
+		);
+	});
+
+	test("falls back to standalone recreation when no service shape can be inferred", async () => {
+		resourceTypes.dokploy = "unknown";
+
+		await ensureTraefikRunningFromSnapshot({
+			resourceName: "dokploy-traefik",
+			resourceType: "unknown",
+			running: false,
+		});
+
+		expect(initializeStandaloneTraefikMock).toHaveBeenCalledWith({
+			env: undefined,
+			additionalPorts: [],
+			image: undefined,
+			serverId: undefined,
+		});
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/migration/upstream-preflight.test.ts b/apps/dokploy/__test__/caddy/migration/upstream-preflight.test.ts
new file mode 100644
index 0000000000..0ae1d2d7f2
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/migration/upstream-preflight.test.ts
@@ -0,0 +1,270 @@
+import { fs, vol } from "memfs";
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
+const execAsyncMock = vi.hoisted(() => vi.fn());
+const execAsyncRemoteMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsync: execAsyncMock,
+	execAsyncRemote: execAsyncRemoteMock,
+}));
+
+import type { CaddyMigrationReport, CaddyRouteFragment } from "@dokploy/server";
+import {
+	getCaddyMigrationArtifactPaths,
+	runCaddyMigrationUpstreamPreflight,
+} from "@dokploy/server";
+
+const createReport = (migrationId: string): CaddyMigrationReport => {
+	const artifactPaths = getCaddyMigrationArtifactPaths(migrationId);
+	return {
+		migrationId,
+		serverId: null,
+		createdAt: "2026-05-22T00:00:00.000Z",
+		updatedAt: "2026-05-22T00:00:00.000Z",
+		status: "prepared",
+		sourceProvider: "traefik",
+		targetProvider: "caddy",
+		artifactPaths,
+		inputs: {
+			traefikStaticConfigPath: "",
+			traefikStaticConfigFound: true,
+			dynamicFiles: [],
+			dbApplicationDomains: 0,
+			dbComposeDomains: 0,
+			composeFilesScanned: [],
+			composeFilesSkipped: [],
+		},
+		summary: {
+			fragments: 1,
+			routes: 1,
+			warnings: 0,
+			blockingWarnings: 0,
+		},
+		validation: { status: "passed", message: "ok" },
+		warnings: [],
+		events: [],
+	};
+};
+
+const writeFragment = (
+	report: CaddyMigrationReport,
+	fragment: CaddyRouteFragment,
+) => {
+	vol.mkdirSync(report.artifactPaths.fragmentsDir, { recursive: true });
+	vol.writeFileSync(
+		`${report.artifactPaths.fragmentsDir}/${fragment.id}.json`,
+		`${JSON.stringify(fragment, null, 2)}\n`,
+	);
+};
+
+describe("Caddy migration upstream preflight", () => {
+	beforeEach(() => {
+		vol.reset();
+		vi.clearAllMocks();
+		execAsyncMock.mockResolvedValue({ stdout: "passed\n", stderr: "" });
+		execAsyncRemoteMock.mockResolvedValue({ stdout: "passed\n", stderr: "" });
+	});
+
+	test("deduplicates upstream probes while preserving every route reference", async () => {
+		const report = createReport("caddy-preflight-dedupe");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "route-a",
+					source: "manual",
+					hosts: ["a.example.com"],
+					upstreams: ["http://app:3000"],
+				},
+				{
+					id: "route-b",
+					source: "manual",
+					hosts: ["b.example.com"],
+					upstreams: ["http://app:3000"],
+				},
+			],
+		});
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("passed");
+		expect(execAsyncMock).toHaveBeenCalledTimes(1);
+		expect(preflight.checks).toHaveLength(1);
+		expect(preflight.checks[0]).toMatchObject({
+			dial: "app:3000",
+			host: "app",
+			port: 3000,
+			network: "dokploy-network",
+			status: "passed",
+			routes: [
+				expect.objectContaining({ routeId: "route-a" }),
+				expect.objectContaining({ routeId: "route-b" }),
+			],
+		});
+	});
+
+	test("reports invalid no-port upstreams without running Docker", async () => {
+		const report = createReport("caddy-preflight-invalid");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "admin",
+					source: "manual",
+					hosts: ["admin.example.com"],
+					upstreams: ["http://admin"],
+				},
+			],
+		});
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("failed");
+		expect(execAsyncMock).not.toHaveBeenCalled();
+		expect(preflight.checks[0]).toMatchObject({
+			dial: "http://admin",
+			network: "dokploy-network",
+			status: "failed",
+			reason: expect.stringContaining("explicit port"),
+			routes: [expect.objectContaining({ routeId: "admin" })],
+		});
+	});
+
+	test("records DNS and TCP probe failures with route context", async () => {
+		const report = createReport("caddy-preflight-dns");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "missing",
+					source: "manual",
+					hosts: ["missing.example.com"],
+					upstreams: ["http://missing:3000"],
+				},
+			],
+		});
+		execAsyncMock.mockRejectedValueOnce(
+			Object.assign(new Error("probe failed"), { stdout: "dns_failed\n" }),
+		);
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("failed");
+		expect(preflight.checks[0]).toMatchObject({
+			dial: "missing:3000",
+			host: "missing",
+			port: 3000,
+			network: "dokploy-network",
+			status: "failed",
+			reason: "DNS resolution failed",
+			routes: [expect.objectContaining({ routeId: "missing" })],
+		});
+	});
+
+	test("probes identical dials separately when route networks differ", async () => {
+		const report = createReport("caddy-preflight-networks");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "shared-a",
+					source: "manual",
+					hosts: ["a.example.com"],
+					upstreams: ["http://web:8080"],
+					upstreamNetwork: "project-a",
+				},
+				{
+					id: "shared-b",
+					source: "manual",
+					hosts: ["b.example.com"],
+					upstreams: ["http://web:8080"],
+					upstreamNetwork: "project-b",
+				},
+			],
+		});
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("passed");
+		expect(preflight.network).toBe("mixed");
+		expect(preflight.networks).toEqual(["project-a", "project-b"]);
+		expect(preflight.checks).toHaveLength(2);
+		expect(execAsyncMock).toHaveBeenCalledTimes(2);
+		expect(execAsyncMock.mock.calls[0]?.[0]).toContain("--network project-a");
+		expect(execAsyncMock.mock.calls[1]?.[0]).toContain("--network project-b");
+	});
+
+	test("uses a one-shot container probe on the route network", async () => {
+		const report = createReport("caddy-preflight-service");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "app",
+					source: "manual",
+					hosts: ["app.example.com"],
+					upstreams: ["http://app:3000"],
+				},
+			],
+		});
+		execAsyncMock.mockResolvedValueOnce({ stdout: "passed\n", stderr: "" });
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("passed");
+		expect(preflight.probeMode).toBe("standalone");
+		expect(execAsyncMock.mock.calls[0]?.[0]).toContain("docker run --rm");
+		expect(execAsyncMock.mock.calls[0]?.[0]).toContain(
+			"--network dokploy-network",
+		);
+	});
+
+	test("falls back to a temporary service probe when the overlay network is not attachable", async () => {
+		const report = createReport("caddy-preflight-service-fallback");
+		writeFragment(report, {
+			version: 1,
+			id: "manual",
+			source: "manual",
+			routes: [
+				{
+					id: "app",
+					source: "manual",
+					hosts: ["app.example.com"],
+					upstreams: ["http://app:3000"],
+				},
+			],
+		});
+		execAsyncMock
+			.mockRejectedValueOnce(
+				Object.assign(new Error("docker run failed"), {
+					stderr:
+						"Error response from daemon: network dokploy-network is not manually attachable",
+				}),
+			)
+			.mockResolvedValueOnce({ stdout: "passed\n", stderr: "" });
+
+		const preflight = await runCaddyMigrationUpstreamPreflight(report);
+
+		expect(preflight.status).toBe("passed");
+		expect(preflight.probeMode).toBe("service");
+		expect(execAsyncMock).toHaveBeenCalledTimes(2);
+		expect(execAsyncMock.mock.calls[0]?.[0]).toContain("docker run --rm");
+		expect(execAsyncMock.mock.calls[1]?.[0]).toContain("docker service create");
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
new file mode 100644
index 0000000000..21d28a7332
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -0,0 +1,81 @@
+import { afterEach, describe, expect, test, vi } from "vitest";
+
+const validateCaddyConfigWithContainerMock = vi.hoisted(() => vi.fn());
+const ensureDefaultCaddyConfigMock = vi.hoisted(() => vi.fn());
+const getRemoteDockerMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/caddy/config", () => ({
+	ensureDefaultCaddyConfig: ensureDefaultCaddyConfigMock,
+	reloadCaddyAfterValidation: vi.fn(),
+	validateCaddyConfigWithContainer: validateCaddyConfigWithContainerMock,
+}));
+
+vi.mock("@dokploy/server/utils/servers/remote-docker", () => ({
+	getRemoteDocker: getRemoteDockerMock,
+}));
+
+const loadCaddySetup = async () => {
+	vi.resetModules();
+	vi.unstubAllEnvs();
+	vi.stubEnv("CADDY_VERSION", "");
+	return import("@dokploy/server/setup/caddy-setup");
+};
+
+afterEach(() => {
+	vi.unstubAllEnvs();
+	vi.clearAllMocks();
+});
+
+describe("Caddy runtime setup", () => {
+	test("defaults to the pinned Caddy 2.11.3 image tag", async () => {
+		const { CADDY_VERSION } = await loadCaddySetup();
+
+		expect(CADDY_VERSION).toBe("2.11.3");
+	});
+
+	test("uses the pinned default image for standalone Caddy", async () => {
+		const createContainer = vi.fn();
+		const start = vi.fn();
+		const remove = vi.fn().mockRejectedValue(new Error("missing"));
+		const docker = {
+			pull: vi.fn(
+				(_imageName: string, callback: (error: Error | null) => void) => {
+					callback(null);
+				},
+			),
+			modem: { followProgress: vi.fn() },
+			createContainer,
+			getContainer: vi.fn(() => ({ remove, start })),
+		};
+		getRemoteDockerMock.mockResolvedValue(docker);
+		ensureDefaultCaddyConfigMock.mockResolvedValue(undefined);
+		validateCaddyConfigWithContainerMock.mockResolvedValue(undefined);
+		const { initializeStandaloneCaddy } = await loadCaddySetup();
+
+		await initializeStandaloneCaddy();
+
+		expect(docker.pull).toHaveBeenCalledWith(
+			"caddy:2.11.3",
+			expect.any(Function),
+		);
+		expect(createContainer).toHaveBeenCalledWith(
+			expect.objectContaining({
+				Image: "caddy:2.11.3",
+				HostConfig: expect.objectContaining({
+					Binds: expect.arrayContaining([
+						expect.stringMatching(/\/caddy:\/etc\/caddy$/),
+					]),
+				}),
+			}),
+		);
+		expect(
+			(createContainer.mock.calls[0]?.[0] as any).HostConfig.Binds,
+		).not.toEqual(
+			expect.arrayContaining([
+				expect.stringMatching(
+					/\/caddy\/caddy\.json:\/etc\/caddy\/caddy\.json$/,
+				),
+			]),
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
index eda4dace58..e934820bda 100644
--- a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
+++ b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
@@ -18,6 +18,7 @@ type WebServerSettings = typeof webServerSettings.$inferSelect;
 
 const baseSettings: WebServerSettings = {
 	id: "",
+	webServerProvider: "traefik",
 	https: false,
 	certificateType: "none",
 	host: null,
diff --git a/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx b/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
index 94efbc285c..035e13bb2a 100644
--- a/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
@@ -1,4 +1,5 @@
 import { File, Loader2 } from "lucide-react";
+import { AlertBlock } from "@/components/shared/alert-block";
 import { CodeEditor } from "@/components/shared/code-editor";
 import {
 	Card,
@@ -17,7 +18,17 @@ interface Props {
 export const ShowTraefikConfig = ({ applicationId }: Props) => {
 	const { data: permissions } = api.user.getPermissions.useQuery();
 	const canRead = permissions?.traefikFiles.read ?? false;
-	const { data, isPending } = api.application.readTraefikConfig.useQuery(
+	const { data: application } = api.application.one.useQuery(
+		{ applicationId },
+		{ enabled: !!applicationId && canRead },
+	);
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery(
+			{ serverId: application?.serverId || undefined },
+			{ enabled: canRead && !!application },
+		);
+	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+	const { data, isPending } = api.application.readWebServerConfig.useQuery(
 		{
 			applicationId,
 		},
@@ -30,15 +41,22 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 		<Card className="bg-background">
 			<CardHeader className="flex flex-row justify-between">
 				<div>
-					<CardTitle className="text-xl">Traefik</CardTitle>
+					<CardTitle className="text-xl">{providerLabel}</CardTitle>
 					<CardDescription>
-						Modify the traefik config, in rare cases you may need to add
-						specific config, be careful because modifying incorrectly can break
-						traefik and your application
+						{activeProvider === "caddy"
+							? "Review generated Caddy route fragments for this application. Caddy manages certificates for HTTPS domains; Traefik YAML and custom certificate resolvers do not apply."
+							: "Modify the Traefik config in rare cases. Be careful: invalid Traefik YAML can break the application route."}
 					</CardDescription>
 				</div>
 			</CardHeader>
 			<CardContent className="flex flex-col gap-4">
+				{activeProvider === "caddy" && (
+					<AlertBlock type="info">
+						For Caddy, domain changes generate JSON fragments and Caddy handles
+						ACME certificates automatically. Use Settings → Web Server for the
+						active Caddy config and migration artifacts.
+					</AlertBlock>
+				)}
 				{isPending ? (
 					<span className="text-base text-muted-foreground flex flex-row gap-3 items-center justify-center min-h-[10vh]">
 						Loading...
@@ -48,7 +66,7 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 					<div className="flex w-full flex-col items-center justify-center gap-3 pt-10">
 						<File className="size-8 text-muted-foreground" />
 						<span className="text-base text-muted-foreground">
-							No traefik config detected
+							No {providerLabel} config detected
 						</span>
 					</div>
 				) : (
@@ -60,9 +78,11 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 								disabled
 								className="font-mono"
 							/>
-							<div className="flex justify-end absolute z-50 right-6 top-6">
-								<UpdateTraefikConfig applicationId={applicationId} />
-							</div>
+							{activeProvider !== "caddy" && (
+								<div className="flex justify-end absolute z-50 right-6 top-6">
+									<UpdateTraefikConfig applicationId={applicationId} />
+								</div>
+							)}
 						</div>
 					</div>
 				)}
diff --git a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
index b232591e4b..8fd75b68be 100644
--- a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
+++ b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
@@ -178,6 +178,13 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 	const { mutateAsync: generateDomain, isPending: isLoadingGenerate } =
 		api.domain.generateDomain.useMutation();
 
+	const { data: activeProvider, isLoading: isLoadingProvider } =
+		api.settings.getActiveWebServerProvider.useQuery(
+			{ serverId: application?.serverId || undefined },
+			{ enabled: !!application },
+		);
+	const isCaddyProvider = activeProvider === "caddy";
+
 	const { data: canGenerateTraefikMeDomains } =
 		api.domain.canGenerateTraefikMeDomains.useQuery({
 			serverId: application?.serverId || "",
@@ -264,12 +271,15 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 		}
 	}, [form, data, isPending, domainId]);
 
-	// Separate effect for handling custom cert resolver validation
+	// Separate effect for handling provider-specific certificate fields
 	useEffect(() => {
 		if (certificateType === "custom") {
 			form.trigger("customCertResolver");
 		}
-	}, [certificateType, form]);
+		if (isCaddyProvider && certificateType !== "custom") {
+			form.setValue("customCertResolver", undefined);
+		}
+	}, [certificateType, form, isCaddyProvider]);
 
 	const dictionary = {
 		success: domainId ? "Domain Updated" : "Domain Created",
@@ -281,6 +291,13 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 	};
 
 	const onSubmit = async (data: Domain) => {
+		if (isCaddyProvider && data.certificateType === "custom") {
+			toast.error(
+				"Caddy does not support Traefik custom certificate resolvers. Choose Let's Encrypt or None.",
+			);
+			return;
+		}
+
 		await mutateAsync({
 			domainId,
 			...(data.domainType === "application" && {
@@ -302,6 +319,9 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 					await utils.application.readTraefikConfig.invalidate({
 						applicationId: id,
 					});
+					await utils.application.readWebServerConfig.invalidate({
+						applicationId: id,
+					});
 				} else if (data.domainType === "compose") {
 					await utils.domain.byComposeId.invalidate({
 						composeId: id,
@@ -337,6 +357,15 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 					</AlertBlock>
 				)}
 
+				{isCaddyProvider && (
+					<AlertBlock type="info" className="mb-4">
+						This server uses Caddy. Dokploy will generate Caddy route fragments,
+						Caddy will manage HTTPS certificates for public DNS names, and
+						Traefik-only custom entrypoints, middleware references, and custom
+						certificate resolvers are hidden.
+					</AlertBlock>
+				)}
+
 				<Form {...form}>
 					<form
 						id="hook-form"
@@ -658,36 +687,38 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 									}}
 								/>
 
-								<FormField
-									control={form.control}
-									name="useCustomEntrypoint"
-									render={({ field }) => (
-										<FormItem className="flex flex-row items-center justify-between p-3 mt-4 border rounded-lg shadow-sm">
-											<div className="space-y-0.5">
-												<FormLabel>Custom Entrypoint</FormLabel>
-												<FormDescription>
-													Use custom entrypoint for domain
-													<br />
-													"web" and/or "websecure" is used by default.
-												</FormDescription>
-												<FormMessage />
-											</div>
-											<FormControl>
-												<Switch
-													checked={field.value}
-													onCheckedChange={(checked) => {
-														field.onChange(checked);
-														if (!checked) {
-															form.setValue("customEntrypoint", undefined);
-														}
-													}}
-												/>
-											</FormControl>
-										</FormItem>
-									)}
-								/>
+								{!isCaddyProvider && (
+									<FormField
+										control={form.control}
+										name="useCustomEntrypoint"
+										render={({ field }) => (
+											<FormItem className="flex flex-row items-center justify-between p-3 mt-4 border rounded-lg shadow-sm">
+												<div className="space-y-0.5">
+													<FormLabel>Custom Entrypoint</FormLabel>
+													<FormDescription>
+														Use custom entrypoint for domain
+														<br />
+														"web" and/or "websecure" is used by default.
+													</FormDescription>
+													<FormMessage />
+												</div>
+												<FormControl>
+													<Switch
+														checked={field.value}
+														onCheckedChange={(checked) => {
+															field.onChange(checked);
+															if (!checked) {
+																form.setValue("customEntrypoint", undefined);
+															}
+														}}
+													/>
+												</FormControl>
+											</FormItem>
+										)}
+									/>
+								)}
 
-								{useCustomEntrypoint && (
+								{!isCaddyProvider && useCustomEntrypoint && (
 									<FormField
 										control={form.control}
 										name="customEntrypoint"
@@ -715,7 +746,9 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 											<div className="space-y-0.5">
 												<FormLabel>HTTPS</FormLabel>
 												<FormDescription>
-													Automatically provision SSL Certificate.
+													{isCaddyProvider
+														? "Let Caddy manage HTTPS automatically for this host."
+														: "Automatically provision SSL Certificate."}
 												</FormDescription>
 												<FormMessage />
 											</div>
@@ -758,9 +791,15 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 															<SelectContent>
 																<SelectItem value={"none"}>None</SelectItem>
 																<SelectItem value={"letsencrypt"}>
-																	Let's Encrypt
+																	{isCaddyProvider
+																		? "Caddy-managed HTTPS (ACME)"
+																		: "Let's Encrypt"}
 																</SelectItem>
-																<SelectItem value={"custom"}>Custom</SelectItem>
+																{!isCaddyProvider && (
+																	<SelectItem value={"custom"}>
+																		Custom
+																	</SelectItem>
+																)}
 															</SelectContent>
 														</Select>
 														<FormMessage />
@@ -769,7 +808,15 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 											}}
 										/>
 
-										{certificateType === "custom" && (
+										{isCaddyProvider && certificateType === "custom" && (
+											<AlertBlock type="warning">
+												This domain uses a Traefik custom certificate resolver.
+												Caddy does not use resolver names; choose Caddy-managed
+												HTTPS or None before saving.
+											</AlertBlock>
+										)}
+
+										{!isCaddyProvider && certificateType === "custom" && (
 											<FormField
 												control={form.control}
 												name="customCertResolver"
@@ -797,52 +844,71 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 										)}
 									</>
 								)}
-								<FormField
-									control={form.control}
-									name="middlewares"
-									render={({ field }) => (
-										<FormItem>
-											<div className="flex items-center gap-2">
-												<FormLabel>Middlewares</FormLabel>
-												<TooltipProvider>
-													<Tooltip>
-														<TooltipTrigger type="button">
-															<div className="size-4 rounded-full bg-muted flex items-center justify-center text-[10px] font-bold">
-																?
-															</div>
-														</TooltipTrigger>
-														<TooltipContent className="max-w-[300px]">
-															<p>
-																Add Traefik middleware references. Middlewares
-																must be defined in your Traefik configuration.
-															</p>
-														</TooltipContent>
-													</Tooltip>
-												</TooltipProvider>
-											</div>
-											<div className="flex flex-wrap gap-2 mb-2">
-												{field.value?.map((name, index) => (
-													<Badge key={index} variant="secondary">
-														{name}
-														<X
-															className="ml-1 size-3 cursor-pointer"
-															onClick={() => {
-																const newMiddlewares = [...(field.value || [])];
-																newMiddlewares.splice(index, 1);
-																form.setValue("middlewares", newMiddlewares);
+								{!isCaddyProvider && (
+									<FormField
+										control={form.control}
+										name="middlewares"
+										render={({ field }) => (
+											<FormItem>
+												<div className="flex items-center gap-2">
+													<FormLabel>Middlewares</FormLabel>
+													<TooltipProvider>
+														<Tooltip>
+															<TooltipTrigger type="button">
+																<div className="size-4 rounded-full bg-muted flex items-center justify-center text-[10px] font-bold">
+																	?
+																</div>
+															</TooltipTrigger>
+															<TooltipContent className="max-w-[300px]">
+																<p>
+																	Add Traefik middleware references. Middlewares
+																	must be defined in your Traefik configuration.
+																</p>
+															</TooltipContent>
+														</Tooltip>
+													</TooltipProvider>
+												</div>
+												<div className="flex flex-wrap gap-2 mb-2">
+													{field.value?.map((name, index) => (
+														<Badge key={index} variant="secondary">
+															{name}
+															<X
+																className="ml-1 size-3 cursor-pointer"
+																onClick={() => {
+																	const newMiddlewares = [...(field.value || [])];
+																	newMiddlewares.splice(index, 1);
+																	form.setValue("middlewares", newMiddlewares);
+																}}
+															/>
+														</Badge>
+													))}
+												</div>
+												<FormControl>
+													<div className="flex gap-2">
+														<Input
+															placeholder="e.g., rate-limit@file, auth@file"
+															onKeyDown={(e) => {
+																if (e.key === "Enter") {
+																	e.preventDefault();
+																	const input = e.currentTarget;
+																	const value = input.value.trim();
+																	if (value && !field.value?.includes(value)) {
+																		form.setValue("middlewares", [
+																			...(field.value || []),
+																			value,
+																		]);
+																		input.value = "";
+																	}
+																}
 															}}
 														/>
-													</Badge>
-												))}
-											</div>
-											<FormControl>
-												<div className="flex gap-2">
-													<Input
-														placeholder="e.g., rate-limit@file, auth@file"
-														onKeyDown={(e) => {
-															if (e.key === "Enter") {
-																e.preventDefault();
-																const input = e.currentTarget;
+														<Button
+															type="button"
+															variant="secondary"
+															onClick={() => {
+																const input = document.querySelector(
+																	'input[placeholder="e.g., rate-limit@file, auth@file"]',
+																) as HTMLInputElement;
 																const value = input.value.trim();
 																if (value && !field.value?.includes(value)) {
 																	form.setValue("middlewares", [
@@ -851,40 +917,28 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 																	]);
 																	input.value = "";
 																}
-															}
-														}}
-													/>
-													<Button
-														type="button"
-														variant="secondary"
-														onClick={() => {
-															const input = document.querySelector(
-																'input[placeholder="e.g., rate-limit@file, auth@file"]',
-															) as HTMLInputElement;
-															const value = input.value.trim();
-															if (value && !field.value?.includes(value)) {
-																form.setValue("middlewares", [
-																	...(field.value || []),
-																	value,
-																]);
-																input.value = "";
-															}
-														}}
-													>
-														Add
-													</Button>
-												</div>
-											</FormControl>
-											<FormMessage />
-										</FormItem>
-									)}
-								/>
+															}}
+														>
+															Add
+														</Button>
+													</div>
+												</FormControl>
+												<FormMessage />
+											</FormItem>
+										)}
+									/>
+								)}
 							</div>
 						</div>
 					</form>
 
 					<DialogFooter>
-						<Button isLoading={isPending} form="hook-form" type="submit">
+						<Button
+							isLoading={isPending || isLoadingProvider}
+							disabled={isLoadingProvider}
+							form="hook-form"
+							type="submit"
+						>
 							{dictionary.submit}
 						</Button>
 					</DialogFooter>
diff --git a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
index 65957a881c..9a1d3c26a4 100644
--- a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
@@ -21,16 +21,25 @@ interface Props {
 	serverId?: string;
 }
 export const ShowTraefikActions = ({ serverId }: Props) => {
-	const { mutateAsync: reloadTraefik, isPending: reloadTraefikIsLoading } =
-		api.settings.reloadTraefik.useMutation();
+	const { data: activeProvider, isLoading: isLoadingProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+	const resourceName =
+		activeProvider === "caddy" ? "dokploy-caddy" : "dokploy-traefik";
+
+	const { mutateAsync: reloadWebServer, isPending: reloadTraefikIsLoading } =
+		api.settings.reloadWebServer.useMutation();
 
 	const { mutateAsync: toggleDashboard, isPending: toggleDashboardIsLoading } =
 		api.settings.toggleDashboard.useMutation();
 
-	const { data: haveTraefikDashboardPortEnabled, refetch: refetchDashboard } =
-		api.settings.haveTraefikDashboardPortEnabled.useQuery({
+	const { data: webServerDashboardState, refetch: refetchDashboard } =
+		api.settings.getWebServerDashboardState.useQuery({
 			serverId,
 		});
+	const haveTraefikDashboardPortEnabled =
+		webServerDashboardState?.provider === "traefik" &&
+		webServerDashboardState.enabled;
 
 	const {
 		execute: executeWithHealthCheck,
@@ -50,7 +59,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 	} = useHealthCheckAfterMutation({
 		initialDelay: 5000,
 		pollInterval: 4000,
-		successMessage: "Traefik Reloaded",
+		successMessage: `${providerLabel} reloaded`,
 	});
 
 	return (
@@ -58,6 +67,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 			<DropdownMenuTrigger
 				asChild
 				disabled={
+					isLoadingProvider ||
 					reloadTraefikIsLoading ||
 					toggleDashboardIsLoading ||
 					isHealthCheckExecuting ||
@@ -66,6 +76,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 			>
 				<Button
 					isLoading={
+						isLoadingProvider ||
 						reloadTraefikIsLoading ||
 						toggleDashboardIsLoading ||
 						isHealthCheckExecuting ||
@@ -73,7 +84,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 					}
 					variant="outline"
 				>
-					Traefik
+					{providerLabel}
 				</Button>
 			</DropdownMenuTrigger>
 			<DropdownMenuContent className="w-56" align="start">
@@ -84,12 +95,12 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 						onClick={async () => {
 							try {
 								await executeReloadWithHealthCheck(() =>
-									reloadTraefik({ serverId }),
+									reloadWebServer({ serverId }),
 								);
 							} catch (error) {
 								const errorMessage =
 									(error as Error)?.message ||
-									"Failed to reload Traefik. Please try again.";
+									`Failed to reload ${providerLabel}. Please try again.`;
 								toast.error(errorMessage);
 							}
 						}}
@@ -99,7 +110,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 						<span>Reload</span>
 					</DropdownMenuItem>
 					<ShowModalLogs
-						appName="dokploy-traefik"
+						appName={resourceName}
 						serverId={serverId}
 						type="standalone"
 					>
@@ -119,54 +130,56 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 						</DropdownMenuItem>
 					</EditTraefikEnv>
 
-					<DialogAction
-						title={
-							haveTraefikDashboardPortEnabled
-								? "Disable Traefik Dashboard"
-								: "Enable Traefik Dashboard"
-						}
-						description={
-							<div className="space-y-4">
-								<AlertBlock type="warning">
-									The Traefik container will be recreated from scratch. This
-									means the container will be deleted and created again, which
-									may cause downtime in your applications.
-								</AlertBlock>
-								<p>
-									Are you sure you want to{" "}
-									{haveTraefikDashboardPortEnabled ? "disable" : "enable"} the
-									Traefik dashboard?
-								</p>
-							</div>
-						}
-						onClick={async () => {
-							try {
-								await executeWithHealthCheck(() =>
-									toggleDashboard({
-										enableDashboard: !haveTraefikDashboardPortEnabled,
-										serverId: serverId,
-									}),
-								);
-							} catch (error) {
-								const errorMessage =
-									(error as Error)?.message ||
-									"Failed to toggle dashboard. Please check if port 8080 is available.";
-								toast.error(errorMessage);
+					{activeProvider === "traefik" && (
+						<DialogAction
+							title={
+								haveTraefikDashboardPortEnabled
+									? "Disable Traefik Dashboard"
+									: "Enable Traefik Dashboard"
 							}
-						}}
-						disabled={toggleDashboardIsLoading || isHealthCheckExecuting}
-						type="default"
-					>
-						<DropdownMenuItem
-							onSelect={(e) => e.preventDefault()}
-							className="w-full cursor-pointer space-x-3"
+							description={
+								<div className="space-y-4">
+									<AlertBlock type="warning">
+										The Traefik container will be recreated from scratch. This
+										means the container will be deleted and created again, which
+										may cause downtime in your applications.
+									</AlertBlock>
+									<p>
+										Are you sure you want to{" "}
+										{haveTraefikDashboardPortEnabled ? "disable" : "enable"} the
+										Traefik dashboard?
+									</p>
+								</div>
+							}
+							onClick={async () => {
+								try {
+									await executeWithHealthCheck(() =>
+										toggleDashboard({
+											enableDashboard: !haveTraefikDashboardPortEnabled,
+											serverId: serverId,
+										}),
+									);
+								} catch (error) {
+									const errorMessage =
+										(error as Error)?.message ||
+										"Failed to toggle dashboard. Please check if port 8080 is available.";
+									toast.error(errorMessage);
+								}
+							}}
+							disabled={toggleDashboardIsLoading || isHealthCheckExecuting}
+							type="default"
 						>
-							<span>
-								{haveTraefikDashboardPortEnabled ? "Disable" : "Enable"}{" "}
-								Dashboard
-							</span>
-						</DropdownMenuItem>
-					</DialogAction>
+							<DropdownMenuItem
+								onSelect={(e) => e.preventDefault()}
+								className="w-full cursor-pointer space-x-3"
+							>
+								<span>
+									{haveTraefikDashboardPortEnabled ? "Disable" : "Enable"}{" "}
+									Dashboard
+								</span>
+							</DropdownMenuItem>
+						</DialogAction>
+					)}
 					<ManageTraefikPorts serverId={serverId}>
 						<DropdownMenuItem
 							onSelect={(e) => e.preventDefault()}
diff --git a/apps/dokploy/components/dashboard/settings/web-server.tsx b/apps/dokploy/components/dashboard/settings/web-server.tsx
index a383fbf7d6..ab16e57045 100644
--- a/apps/dokploy/components/dashboard/settings/web-server.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server.tsx
@@ -13,7 +13,9 @@ import { ShowDokployActions } from "./servers/actions/show-dokploy-actions";
 import { ShowStorageActions } from "./servers/actions/show-storage-actions";
 import { ShowTraefikActions } from "./servers/actions/show-traefik-actions";
 import { ToggleDockerCleanup } from "./servers/actions/toggle-docker-cleanup";
+import { CaddyMigrationPanel } from "./web-server/caddy-migration-panel";
 import { UpdateServer } from "./web-server/update-server";
+import { WebServerProviderSelector } from "./web-server/web-server-provider-selector";
 
 export const WebServer = () => {
 	const { data: webServerSettings } =
@@ -42,6 +44,9 @@ export const WebServer = () => {
 						</CardDescription>
 					</CardHeader> */}
 					<CardContent className="space-y-6 py-6 border-t">
+						<WebServerProviderSelector />
+						<CaddyMigrationPanel />
+
 						<div className="grid md:grid-cols-2 gap-4">
 							<ShowDokployActions />
 							<ShowTraefikActions />
diff --git a/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
new file mode 100644
index 0000000000..cba2a3e0a1
--- /dev/null
+++ b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
@@ -0,0 +1,318 @@
+import type { CaddyMigrationReport } from "@dokploy/server";
+import { AlertTriangle, CheckCircle2, Loader2, RotateCcw } from "lucide-react";
+import { useState } from "react";
+import { toast } from "sonner";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+	Card,
+	CardContent,
+	CardDescription,
+	CardHeader,
+	CardTitle,
+} from "@/components/ui/card";
+import { Checkbox } from "@/components/ui/checkbox";
+import { Label } from "@/components/ui/label";
+import { api } from "@/utils/api";
+
+interface Props {
+	serverId?: string;
+}
+
+const statusLabel = (report: CaddyMigrationReport) => {
+	if (report.summary.blockingWarnings > 0) {
+		return "Blocked";
+	}
+	if (report.validation.status !== "passed") {
+		return "Validation required";
+	}
+	return "Ready";
+};
+
+export const CaddyMigrationPanel = ({ serverId }: Props) => {
+	const [migrationId, setMigrationId] = useState<string | null>(null);
+	const [maintenanceConfirmed, setMaintenanceConfirmed] = useState(false);
+
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const utils = api.useUtils();
+	const { mutateAsync: prepareMigration, isPending: isPreparing } =
+		api.settings.prepareCaddyMigration.useMutation();
+	const { mutateAsync: applyMigration, isPending: isApplying } =
+		api.settings.applyCaddyMigration.useMutation();
+	const { mutateAsync: rollbackMigration, isPending: isRollingBack } =
+		api.settings.rollbackCaddyMigration.useMutation();
+	const { data: fetchedReport, refetch: refetchReport } =
+		api.settings.getCaddyMigrationReport.useQuery(
+			{ migrationId: migrationId ?? "", serverId },
+			{ enabled: !!migrationId },
+		);
+	const [preparedReport, setPreparedReport] =
+		useState<CaddyMigrationReport | null>(null);
+	const report = fetchedReport ?? preparedReport;
+	const blockingWarnings = report?.warnings.filter(
+		(warning) => warning.blocking,
+	);
+	const nonBlockingWarnings = report?.warnings.filter(
+		(warning) => !warning.blocking,
+	);
+	const isMutating = isPreparing || isApplying || isRollingBack;
+	const canApply =
+		!!report &&
+		report.summary.blockingWarnings === 0 &&
+		report.validation.status === "passed" &&
+		maintenanceConfirmed &&
+		!isMutating;
+	const canRollback = !!report && report.status !== "prepared" && !isMutating;
+
+	const handleDryRun = async () => {
+		try {
+			const nextReport = await prepareMigration({ serverId });
+			setPreparedReport(nextReport);
+			setMigrationId(nextReport.migrationId);
+			setMaintenanceConfirmed(false);
+			toast.success("Caddy migration dry run prepared");
+		} catch (error) {
+			toast.error(
+				(error as Error).message || "Error preparing Caddy migration",
+			);
+		}
+	};
+
+	const handleApply = async () => {
+		if (!report) return;
+		try {
+			await applyMigration({
+				migrationId: report.migrationId,
+				serverId,
+				confirmMaintenanceWindow: true,
+			});
+			toast.success("Caddy migration apply started");
+			await utils.settings.getActiveWebServerProvider.invalidate({ serverId });
+			await refetchReport();
+		} catch (error) {
+			toast.error((error as Error).message || "Error applying Caddy migration");
+		}
+	};
+
+	const handleRollback = async () => {
+		if (!report) return;
+		try {
+			await rollbackMigration({ migrationId: report.migrationId, serverId });
+			toast.success("Caddy rollback started");
+			await utils.settings.getActiveWebServerProvider.invalidate({ serverId });
+			await refetchReport();
+		} catch (error) {
+			toast.error(
+				(error as Error).message || "Error rolling back Caddy migration",
+			);
+		}
+	};
+
+	return (
+		<Card className="bg-transparent">
+			<CardHeader className="px-0">
+				<div className="flex flex-col gap-2 sm:flex-row sm:items-start sm:justify-between">
+					<div>
+						<CardTitle className="text-base">Caddy migration</CardTitle>
+						<CardDescription>
+							Prepare a reviewable Traefik → Caddy migration before any
+							maintenance-window cutover.
+						</CardDescription>
+					</div>
+					<Button
+						variant="secondary"
+						onClick={() => void handleDryRun()}
+						isLoading={isPreparing}
+						disabled={isMutating}
+					>
+						Dry-run migration
+					</Button>
+				</div>
+			</CardHeader>
+			<CardContent className="px-0 pb-0 space-y-4">
+				{activeProvider === "caddy" && (
+					<AlertBlock type="success">
+						Caddy is already the active provider. Dry runs are still useful for
+						reviewing translated Traefik artifacts before rollback or follow-up
+						changes.
+					</AlertBlock>
+				)}
+
+				{isPreparing && (
+					<div className="flex items-center gap-2 text-sm text-muted-foreground">
+						<Loader2 className="size-4 animate-spin" /> Preparing migration
+						artifacts...
+					</div>
+				)}
+
+				{report && (
+					<div className="space-y-4 rounded-lg border p-4">
+						<div className="flex flex-wrap items-center justify-between gap-3">
+							<div className="space-y-1">
+								<div className="flex items-center gap-2">
+									<span className="font-medium">
+										Dry run {report.migrationId}
+									</span>
+									<Badge
+										variant={
+											report.summary.blockingWarnings > 0
+												? "destructive"
+												: "secondary"
+										}
+									>
+										{statusLabel(report)}
+									</Badge>
+								</div>
+								<p className="text-xs text-muted-foreground">
+									Created {new Date(report.createdAt).toLocaleString()} ·
+									Status: {report.status} · Validation:{" "}
+									{report.validation.status}
+								</p>
+							</div>
+							<div className="grid grid-cols-3 gap-2 text-center text-xs">
+								<div className="rounded-md bg-muted p-2">
+									<div className="font-medium">{report.summary.fragments}</div>
+									<div className="text-muted-foreground">Fragments</div>
+								</div>
+								<div className="rounded-md bg-muted p-2">
+									<div className="font-medium">{report.summary.routes}</div>
+									<div className="text-muted-foreground">Routes</div>
+								</div>
+								<div className="rounded-md bg-muted p-2">
+									<div className="font-medium">
+										{report.summary.blockingWarnings}/{report.summary.warnings}
+									</div>
+									<div className="text-muted-foreground">Blocking</div>
+								</div>
+							</div>
+						</div>
+
+						{report.validation.message && (
+							<AlertBlock
+								type={
+									report.validation.status === "passed" ? "success" : "warning"
+								}
+							>
+								{report.validation.message}
+							</AlertBlock>
+						)}
+
+						<div className="grid gap-3 text-sm md:grid-cols-2">
+							<div>
+								<div className="font-medium">Inputs</div>
+								<ul className="mt-1 list-disc space-y-1 pl-5 text-muted-foreground">
+									<li>
+										Traefik static config:{" "}
+										{report.inputs.traefikStaticConfigFound
+											? "found"
+											: "not found"}
+									</li>
+									<li>Dynamic files: {report.inputs.dynamicFiles.length}</li>
+									<li>
+										Application domains: {report.inputs.dbApplicationDomains}
+									</li>
+									<li>Compose domains: {report.inputs.dbComposeDomains}</li>
+								</ul>
+							</div>
+							<div>
+								<div className="font-medium">Artifacts</div>
+								<ul className="mt-1 list-disc space-y-1 pl-5 text-muted-foreground [overflow-wrap:anywhere]">
+									<li>Report: {report.artifactPaths.reportMd}</li>
+									<li>Draft Caddy JSON: {report.artifactPaths.caddyJson}</li>
+									<li>Fragments: {report.artifactPaths.fragmentsDir}</li>
+								</ul>
+							</div>
+						</div>
+
+						{blockingWarnings && blockingWarnings.length > 0 ? (
+							<AlertBlock type="error">
+								<div className="space-y-2">
+									<div className="font-medium">Blocking items</div>
+									<ul className="list-disc space-y-1 pl-5">
+										{blockingWarnings.map((warning, index) => (
+											<li key={`${warning.code}-${index}`}>
+												{warning.source ? `${warning.source}: ` : ""}
+												{warning.message}
+											</li>
+										))}
+									</ul>
+								</div>
+							</AlertBlock>
+						) : (
+							<AlertBlock
+								type="success"
+								icon={<CheckCircle2 className="size-5" />}
+							>
+								No blocking migration items were reported.
+							</AlertBlock>
+						)}
+
+						{nonBlockingWarnings && nonBlockingWarnings.length > 0 && (
+							<details className="rounded-md border p-3 text-sm">
+								<summary className="cursor-pointer font-medium">
+									Review non-blocking warnings ({nonBlockingWarnings.length})
+								</summary>
+								<ul className="mt-2 list-disc space-y-1 pl-5 text-muted-foreground">
+									{nonBlockingWarnings.map((warning, index) => (
+										<li key={`${warning.code}-${index}`}>
+											{warning.source ? `${warning.source}: ` : ""}
+											{warning.message}
+										</li>
+									))}
+								</ul>
+							</details>
+						)}
+
+						<div className="rounded-md border border-orange-500/30 bg-orange-500/10 p-3">
+							<div className="flex items-start gap-3">
+								<AlertTriangle className="mt-0.5 size-4 text-orange-500" />
+								<div className="space-y-3">
+									<p className="text-sm">
+										Apply stops Traefik, starts Caddy on ports 80/443/443 UDP,
+										and changes the active provider only after cutover checks
+										pass. Run this during a maintenance window.
+									</p>
+									<div className="flex items-center gap-2">
+										<Checkbox
+											id="confirm-caddy-maintenance-window"
+											checked={maintenanceConfirmed}
+											onCheckedChange={(checked) =>
+												setMaintenanceConfirmed(checked === true)
+											}
+										/>
+										<Label
+											htmlFor="confirm-caddy-maintenance-window"
+											className="cursor-pointer text-sm font-normal"
+										>
+											I am in a maintenance window and approve the cutover.
+										</Label>
+									</div>
+								</div>
+							</div>
+						</div>
+
+						<div className="flex flex-wrap justify-end gap-2">
+							<Button
+								variant="outline"
+								onClick={() => void handleRollback()}
+								isLoading={isRollingBack}
+								disabled={!canRollback}
+							>
+								<RotateCcw className="size-4" /> Roll back to Traefik
+							</Button>
+							<Button
+								onClick={() => void handleApply()}
+								isLoading={isApplying}
+								disabled={!canApply}
+							>
+								Apply Caddy cutover
+							</Button>
+						</div>
+					</div>
+				)}
+			</CardContent>
+		</Card>
+	);
+};
diff --git a/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx b/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
index 1312b96c59..b5f57f8bbe 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
@@ -40,19 +40,23 @@ interface Props {
 export const EditTraefikEnv = ({ children, serverId }: Props) => {
 	const [canEdit, setCanEdit] = useState(true);
 
-	const { data } = api.settings.readTraefikEnv.useQuery({
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+
+	const { data } = api.settings.readWebServerEnv.useQuery({
 		serverId,
 	});
 
 	const { mutateAsync, isPending, error, isError } =
-		api.settings.writeTraefikEnv.useMutation();
+		api.settings.writeWebServerEnv.useMutation();
 
 	const {
 		execute: executeWithHealthCheck,
 		isExecuting: isHealthCheckExecuting,
 	} = useHealthCheckAfterMutation({
 		initialDelay: 5000,
-		successMessage: "Traefik Env Updated",
+		successMessage: `${providerLabel} env updated`,
 	});
 
 	const form = useForm<Schema>({
@@ -80,7 +84,7 @@ export const EditTraefikEnv = ({ children, serverId }: Props) => {
 				}),
 			);
 		} catch {
-			toast.error("Error updating the Traefik env");
+			toast.error(`Error updating the ${providerLabel} env`);
 		}
 	};
 
@@ -109,9 +113,9 @@ export const EditTraefikEnv = ({ children, serverId }: Props) => {
 			<DialogTrigger asChild>{children}</DialogTrigger>
 			<DialogContent className="sm:max-w-4xl">
 				<DialogHeader>
-					<DialogTitle>Update Traefik Environment</DialogTitle>
+					<DialogTitle>Update {providerLabel} Environment</DialogTitle>
 					<DialogDescription>
-						Update the traefik environment variables
+						Update the active web server environment variables.
 					</DialogDescription>
 				</DialogHeader>
 				{isError && <AlertBlock type="error">{error?.message}</AlertBlock>}
@@ -133,14 +137,20 @@ export const EditTraefikEnv = ({ children, serverId }: Props) => {
 											<CodeEditor
 												language="properties"
 												wrapperClassName="h-[35rem] font-mono"
-												placeholder={`TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=test@localhost.com
+												placeholder={
+													activeProvider === "caddy"
+														? `CADDY_ADMIN=localhost:2019
+# Add Caddy container environment variables here if needed.
+                                                    `
+														: `TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=test@localhost.com
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_STORAGE=/etc/dokploy/traefik/dynamic/acme.json
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE=true
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_PRETTY=true
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_ENTRYPOINT=web
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_CHALLENGE=true
 TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_PROVIDER=cloudflare
-                                                    `}
+                                                    `
+												}
 												{...field}
 											/>
 										</FormControl>
diff --git a/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx b/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
index 6f42c804b5..a935492966 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
@@ -48,17 +48,21 @@ const PortSchema = z.object({
 	protocol: z.enum(["tcp", "udp", "sctp"]),
 });
 
-const TraefikPortsSchema = z.object({
+const WebServerPortsSchema = z.object({
 	ports: z.array(PortSchema),
 });
 
-type TraefikPortsForm = z.infer<typeof TraefikPortsSchema>;
+type WebServerPortsForm = z.infer<typeof WebServerPortsSchema>;
 
 export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 	const [open, setOpen] = useState(false);
 
-	const form = useForm<TraefikPortsForm>({
-		resolver: zodResolver(TraefikPortsSchema),
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+
+	const form = useForm<WebServerPortsForm>({
+		resolver: zodResolver(WebServerPortsSchema),
 		defaultValues: {
 			ports: [],
 		},
@@ -70,12 +74,12 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 	});
 
 	const { data: currentPorts, refetch: refetchPorts } =
-		api.settings.getTraefikPorts.useQuery({
+		api.settings.getWebServerPorts.useQuery({
 			serverId,
 		});
 
 	const { mutateAsync: updatePorts, isPending } =
-		api.settings.updateTraefikPorts.useMutation();
+		api.settings.updateWebServerPorts.useMutation();
 
 	const {
 		execute: executeWithHealthCheck,
@@ -104,7 +108,7 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 		append({ targetPort: 0, publishedPort: 0, protocol: "tcp" });
 	};
 
-	const onSubmit = async (data: TraefikPortsForm) => {
+	const onSubmit = async (data: WebServerPortsForm) => {
 		try {
 			await executeWithHealthCheck(() =>
 				updatePorts({
@@ -114,7 +118,9 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 			);
 			setOpen(false);
 		} catch (error) {
-			toast.error((error as Error).message || "Error updating Traefik ports");
+			toast.error(
+				(error as Error).message || `Error updating ${providerLabel} ports`,
+			);
 		}
 	};
 
@@ -132,7 +138,7 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 						<DialogDescription className="text-base w-full">
 							<div className="flex items-center justify-between">
 								<div className="flex flex-col gap-1">
-									Add or remove additional ports for Traefik
+									Add or remove additional ports for {providerLabel}
 									<span className="text-sm text-muted-foreground">
 										{fields.length} port mapping{fields.length !== 1 ? "s" : ""}{" "}
 										configured
@@ -300,8 +306,8 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 												</ul>
 												<p className="mt-2">
 													All ports are bound directly to the host machine,
-													allowing Traefik to handle incoming traffic and route
-													it appropriately to your services.
+													allowing {providerLabel} to handle incoming traffic
+													and route it appropriately to your services.
 												</p>
 											</span>
 										</div>
@@ -309,9 +315,9 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 								)}
 
 								<AlertBlock type="warning">
-									The Traefik container will be recreated from scratch. This
-									means the container will be deleted and created again, which
-									may cause downtime in your applications.
+									The {providerLabel} resource will be recreated from scratch.
+									This means the container or service will be deleted and
+									created again, which may cause downtime in your applications.
 								</AlertBlock>
 							</div>
 							<DialogFooter>
diff --git a/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx b/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
new file mode 100644
index 0000000000..7bf3713e3e
--- /dev/null
+++ b/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
@@ -0,0 +1,101 @@
+import type { WebServerProvider } from "@dokploy/server";
+import { toast } from "sonner";
+import { AlertBlock } from "@/components/shared/alert-block";
+import {
+	Card,
+	CardContent,
+	CardDescription,
+	CardHeader,
+	CardTitle,
+} from "@/components/ui/card";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { api } from "@/utils/api";
+
+interface Props {
+	serverId?: string;
+}
+
+const providerLabels: Record<WebServerProvider, string> = {
+	traefik: "Traefik",
+	caddy: "Caddy",
+};
+
+export const WebServerProviderSelector = ({ serverId }: Props) => {
+	const utils = api.useUtils();
+	const { data: activeProvider, isLoading } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const { mutateAsync: updateProvider, isPending } =
+		api.settings.updateActiveWebServerProvider.useMutation();
+
+	const handleProviderChange = async (provider: WebServerProvider) => {
+		if (!activeProvider || provider === activeProvider) return;
+		if (provider === "caddy") {
+			toast.error(
+				"Run and apply a Caddy migration dry run to activate Caddy safely.",
+			);
+			return;
+		}
+		if (activeProvider === "caddy" && provider === "traefik") {
+			toast.error("Use the migration rollback action to return to Traefik.");
+			return;
+		}
+
+		try {
+			await updateProvider({ provider, serverId });
+			await utils.settings.getActiveWebServerProvider.invalidate({ serverId });
+			await utils.settings.getWebServerDashboardState.invalidate({ serverId });
+			await utils.settings.readWebServerConfig.invalidate({ serverId });
+			toast.success(`Active web server set to ${providerLabels[provider]}`);
+		} catch (error) {
+			toast.error(
+				(error as Error).message || "Error updating active web server provider",
+			);
+		}
+	};
+
+	return (
+		<Card className="bg-transparent">
+			<CardHeader className="px-0 pt-0">
+				<CardTitle className="text-base">Active provider</CardTitle>
+				<CardDescription>
+					Review the active web server Dokploy uses for provider-aware reload,
+					configuration, and new domain changes.
+				</CardDescription>
+			</CardHeader>
+			<CardContent className="px-0 pb-0 space-y-3">
+				<Select
+					disabled={isLoading || isPending}
+					value={activeProvider ?? "traefik"}
+					onValueChange={(value) =>
+						void handleProviderChange(value as WebServerProvider)
+					}
+				>
+					<SelectTrigger className="max-w-sm">
+						<SelectValue placeholder="Select a web server provider" />
+					</SelectTrigger>
+					<SelectContent>
+						<SelectItem value="traefik">Traefik</SelectItem>
+						<SelectItem value="caddy">Caddy</SelectItem>
+					</SelectContent>
+				</Select>
+				{activeProvider === "traefik" ? (
+					<AlertBlock type="info">
+						Traefik workflows remain available. Caddy activation is handled by
+						the migration apply flow below so cutover checks are not bypassed.
+					</AlertBlock>
+				) : (
+					<AlertBlock type="warning">
+						Caddy is the active provider. Traefik-specific editors remain
+						available only for existing Traefik configuration review.
+					</AlertBlock>
+				)}
+			</CardContent>
+		</Card>
+	);
+};
diff --git a/apps/dokploy/drizzle/0170_web_server_provider.sql b/apps/dokploy/drizzle/0170_web_server_provider.sql
new file mode 100644
index 0000000000..24b513d90c
--- /dev/null
+++ b/apps/dokploy/drizzle/0170_web_server_provider.sql
@@ -0,0 +1,3 @@
+CREATE TYPE "public"."webServerProvider" AS ENUM('traefik', 'caddy');--> statement-breakpoint
+ALTER TABLE "server" ADD COLUMN "webServerProvider" "webServerProvider" DEFAULT 'traefik' NOT NULL;--> statement-breakpoint
+ALTER TABLE "webServerSettings" ADD COLUMN "webServerProvider" "webServerProvider" DEFAULT 'traefik' NOT NULL;
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/0170_snapshot.json b/apps/dokploy/drizzle/meta/0170_snapshot.json
new file mode 100644
index 0000000000..5f624ff410
--- /dev/null
+++ b/apps/dokploy/drizzle/meta/0170_snapshot.json
@@ -0,0 +1,8356 @@
+{
+  "id": "93bfd2e4-aeef-4158-9b26-97da9f79b99b",
+  "prevId": "f3f22c15-d2d1-4ed1-9561-24aa98e30231",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is2FAEnabled": {
+          "name": "is2FAEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resetPasswordToken": {
+          "name": "resetPasswordToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resetPasswordExpiresAt": {
+          "name": "resetPasswordExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationToken": {
+          "name": "confirmationToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationExpiresAt": {
+          "name": "confirmationExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.apikey": {
+      "name": "apikey",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "start": {
+          "name": "start",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "config_id": {
+          "name": "config_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'default'"
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "refill_interval": {
+          "name": "refill_interval",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refill_amount": {
+          "name": "refill_amount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_refill_at": {
+          "name": "last_refill_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_enabled": {
+          "name": "rate_limit_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_time_window": {
+          "name": "rate_limit_time_window",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_max": {
+          "name": "rate_limit_max",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "request_count": {
+          "name": "request_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "remaining": {
+          "name": "remaining",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_request": {
+          "name": "last_request",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "apikey_reference_id_user_id_fk": {
+          "name": "apikey_reference_id_user_id_fk",
+          "tableFrom": "apikey",
+          "tableTo": "user",
+          "columnsFrom": [
+            "reference_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": [
+            "inviter_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateProjects": {
+          "name": "canCreateProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToSSHKeys": {
+          "name": "canAccessToSSHKeys",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateServices": {
+          "name": "canCreateServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteProjects": {
+          "name": "canDeleteProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteServices": {
+          "name": "canDeleteServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToDocker": {
+          "name": "canAccessToDocker",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToAPI": {
+          "name": "canAccessToAPI",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToGitProviders": {
+          "name": "canAccessToGitProviders",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToTraefikFiles": {
+          "name": "canAccessToTraefikFiles",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteEnvironments": {
+          "name": "canDeleteEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateEnvironments": {
+          "name": "canCreateEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "accesedProjects": {
+          "name": "accesedProjects",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedEnvironments": {
+          "name": "accessedEnvironments",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accesedServices": {
+          "name": "accesedServices",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedGitProviders": {
+          "name": "accessedGitProviders",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedServers": {
+          "name": "accessedServers",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner_id": {
+          "name": "owner_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "organization_owner_id_user_id_fk": {
+          "name": "organization_owner_id_user_id_fk",
+          "tableFrom": "organization",
+          "tableTo": "user",
+          "columnsFrom": [
+            "owner_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "organization_slug_unique": {
+          "name": "organization_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "slug"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization_role": {
+      "name": "organization_role",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permission": {
+          "name": "permission",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "organizationRole_organizationId_idx": {
+          "name": "organizationRole_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "organizationRole_role_idx": {
+          "name": "organizationRole_role_idx",
+          "columns": [
+            {
+              "expression": "role",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "organization_role_organization_id_organization_id_fk": {
+          "name": "organization_role_organization_id_organization_id_fk",
+          "tableFrom": "organization_role",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.two_factor": {
+      "name": "two_factor",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "backup_codes": {
+          "name": "backup_codes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "two_factor_user_id_user_id_fk": {
+          "name": "two_factor_user_id_user_id_fk",
+          "tableFrom": "two_factor",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ai": {
+      "name": "ai",
+      "schema": "",
+      "columns": {
+        "aiId": {
+          "name": "aiId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiUrl": {
+          "name": "apiUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isEnabled": {
+          "name": "isEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ai_organizationId_organization_id_fk": {
+          "name": "ai_organizationId_organization_id_fk",
+          "tableFrom": "ai",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.application": {
+      "name": "application",
+      "schema": "",
+      "columns": {
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewEnv": {
+          "name": "previewEnv",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildArgs": {
+          "name": "previewBuildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildSecrets": {
+          "name": "previewBuildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLabels": {
+          "name": "previewLabels",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewWildcard": {
+          "name": "previewWildcard",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewPort": {
+          "name": "previewPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "previewHttps": {
+          "name": "previewHttps",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "previewPath": {
+          "name": "previewPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "previewCustomCertResolver": {
+          "name": "previewCustomCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLimit": {
+          "name": "previewLimit",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3
+        },
+        "isPreviewDeploymentsActive": {
+          "name": "isPreviewDeploymentsActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewRequireCollaboratorPermissions": {
+          "name": "previewRequireCollaboratorPermissions",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "rollbackActive": {
+          "name": "rollbackActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "buildArgs": {
+          "name": "buildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildSecrets": {
+          "name": "buildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "subtitle": {
+          "name": "subtitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "cleanCache": {
+          "name": "cleanCache",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildPath": {
+          "name": "buildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBuildPath": {
+          "name": "gitlabBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBuildPath": {
+          "name": "giteaBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBuildPath": {
+          "name": "bitbucketBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBuildPath": {
+          "name": "customGitBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerfile": {
+          "name": "dockerfile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'Dockerfile'"
+        },
+        "dockerContextPath": {
+          "name": "dockerContextPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerBuildStage": {
+          "name": "dockerBuildStage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dropBuildPath": {
+          "name": "dropBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "buildType": {
+          "name": "buildType",
+          "type": "buildType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'nixpacks'"
+        },
+        "railpackVersion": {
+          "name": "railpackVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0.15.4'"
+        },
+        "herokuVersion": {
+          "name": "herokuVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'24'"
+        },
+        "publishDirectory": {
+          "name": "publishDirectory",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isStaticSpa": {
+          "name": "isStaticSpa",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createEnvFile": {
+          "name": "createEnvFile",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackRegistryId": {
+          "name": "rollbackRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildRegistryId": {
+          "name": "buildRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "application_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "application_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "application",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_registryId_registry_registryId_fk": {
+          "name": "application_registryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "registryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_rollbackRegistryId_registry_registryId_fk": {
+          "name": "application_rollbackRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "rollbackRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_environmentId_environment_environmentId_fk": {
+          "name": "application_environmentId_environment_environmentId_fk",
+          "tableFrom": "application",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_githubId_github_githubId_fk": {
+          "name": "application_githubId_github_githubId_fk",
+          "tableFrom": "application",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_gitlabId_gitlab_gitlabId_fk": {
+          "name": "application_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_giteaId_gitea_giteaId_fk": {
+          "name": "application_giteaId_gitea_giteaId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "application_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "application",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_serverId_server_serverId_fk": {
+          "name": "application_serverId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_buildServerId_server_serverId_fk": {
+          "name": "application_buildServerId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_buildRegistryId_registry_registryId_fk": {
+          "name": "application_buildRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "buildRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "application_appName_unique": {
+          "name": "application_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.audit_log": {
+      "name": "audit_log",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_email": {
+          "name": "user_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_role": {
+          "name": "user_role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_type": {
+          "name": "resource_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_id": {
+          "name": "resource_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resource_name": {
+          "name": "resource_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "auditLog_organizationId_idx": {
+          "name": "auditLog_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_userId_idx": {
+          "name": "auditLog_userId_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_createdAt_idx": {
+          "name": "auditLog_createdAt_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_log_organization_id_organization_id_fk": {
+          "name": "audit_log_organization_id_organization_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_log_user_id_user_id_fk": {
+          "name": "audit_log_user_id_user_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.backup": {
+      "name": "backup",
+      "schema": "",
+      "columns": {
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule": {
+          "name": "schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "database": {
+          "name": "database",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupType": {
+          "name": "backupType",
+          "type": "backupType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'database'"
+        },
+        "databaseType": {
+          "name": "databaseType",
+          "type": "databaseType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "backup_destinationId_destination_destinationId_fk": {
+          "name": "backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_composeId_compose_composeId_fk": {
+          "name": "backup_composeId_compose_composeId_fk",
+          "tableFrom": "backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_postgresId_postgres_postgresId_fk": {
+          "name": "backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mongoId_mongo_mongoId_fk": {
+          "name": "backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_userId_user_id_fk": {
+          "name": "backup_userId_user_id_fk",
+          "tableFrom": "backup",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "backup_appName_unique": {
+          "name": "backup_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.bitbucket": {
+      "name": "bitbucket",
+      "schema": "",
+      "columns": {
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "bitbucketUsername": {
+          "name": "bitbucketUsername",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketEmail": {
+          "name": "bitbucketEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "appPassword": {
+          "name": "appPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketWorkspaceName": {
+          "name": "bitbucketWorkspaceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "bitbucket_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "bitbucket_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "bitbucket",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.certificate": {
+      "name": "certificate",
+      "schema": "",
+      "columns": {
+        "certificateId": {
+          "name": "certificateId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificateData": {
+          "name": "certificateData",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificatePath": {
+          "name": "certificatePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "autoRenew": {
+          "name": "autoRenew",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "certificate_organizationId_organization_id_fk": {
+          "name": "certificate_organizationId_organization_id_fk",
+          "tableFrom": "certificate",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "certificate_serverId_server_serverId_fk": {
+          "name": "certificate_serverId_server_serverId_fk",
+          "tableFrom": "certificate",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "certificate_certificatePath_unique": {
+          "name": "certificate_certificatePath_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "certificatePath"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.compose": {
+      "name": "compose",
+      "schema": "",
+      "columns": {
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeFile": {
+          "name": "composeFile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceTypeCompose",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "composeType": {
+          "name": "composeType",
+          "type": "composeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'docker-compose'"
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "composePath": {
+          "name": "composePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'./docker-compose.yml'"
+        },
+        "suffix": {
+          "name": "suffix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "randomize": {
+          "name": "randomize",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeployment": {
+          "name": "isolatedDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeploymentsVolume": {
+          "name": "isolatedDeploymentsVolume",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "composeStatus": {
+          "name": "composeStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "compose",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_environmentId_environment_environmentId_fk": {
+          "name": "compose_environmentId_environment_environmentId_fk",
+          "tableFrom": "compose",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "compose_githubId_github_githubId_fk": {
+          "name": "compose_githubId_github_githubId_fk",
+          "tableFrom": "compose",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_gitlabId_gitlab_gitlabId_fk": {
+          "name": "compose_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "compose_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "compose",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_giteaId_gitea_giteaId_fk": {
+          "name": "compose_giteaId_gitea_giteaId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_serverId_server_serverId_fk": {
+          "name": "compose_serverId_server_serverId_fk",
+          "tableFrom": "compose",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.deployment": {
+      "name": "deployment",
+      "schema": "",
+      "columns": {
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "deploymentStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'running'"
+        },
+        "logPath": {
+          "name": "logPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pid": {
+          "name": "pid",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isPreviewDeployment": {
+          "name": "isPreviewDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "startedAt": {
+          "name": "startedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "finishedAt": {
+          "name": "finishedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "errorMessage": {
+          "name": "errorMessage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "deployment_applicationId_application_applicationId_fk": {
+          "name": "deployment_applicationId_application_applicationId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_composeId_compose_composeId_fk": {
+          "name": "deployment_composeId_compose_composeId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_serverId_server_serverId_fk": {
+          "name": "deployment_serverId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_scheduleId_schedule_scheduleId_fk": {
+          "name": "deployment_scheduleId_schedule_scheduleId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "schedule",
+          "columnsFrom": [
+            "scheduleId"
+          ],
+          "columnsTo": [
+            "scheduleId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_backupId_backup_backupId_fk": {
+          "name": "deployment_backupId_backup_backupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "backup",
+          "columnsFrom": [
+            "backupId"
+          ],
+          "columnsTo": [
+            "backupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_rollbackId_rollback_rollbackId_fk": {
+          "name": "deployment_rollbackId_rollback_rollbackId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "rollback",
+          "columnsFrom": [
+            "rollbackId"
+          ],
+          "columnsTo": [
+            "rollbackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_volumeBackupId_volume_backup_volumeBackupId_fk": {
+          "name": "deployment_volumeBackupId_volume_backup_volumeBackupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "volume_backup",
+          "columnsFrom": [
+            "volumeBackupId"
+          ],
+          "columnsTo": [
+            "volumeBackupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_buildServerId_server_serverId_fk": {
+          "name": "deployment_buildServerId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.destination": {
+      "name": "destination",
+      "schema": "",
+      "columns": {
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "accessKey": {
+          "name": "accessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "secretAccessKey": {
+          "name": "secretAccessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bucket": {
+          "name": "bucket",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "region": {
+          "name": "region",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "additionalFlags": {
+          "name": "additionalFlags",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "destination_organizationId_organization_id_fk": {
+          "name": "destination_organizationId_organization_id_fk",
+          "tableFrom": "destination",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.domain": {
+      "name": "domain",
+      "schema": "",
+      "columns": {
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "customEntrypoint": {
+          "name": "customEntrypoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "path": {
+          "name": "path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domainType": {
+          "name": "domainType",
+          "type": "domainType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'application'"
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customCertResolver": {
+          "name": "customCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "internalPath": {
+          "name": "internalPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "stripPath": {
+          "name": "stripPath",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "middlewares": {
+          "name": "middlewares",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "domain_composeId_compose_composeId_fk": {
+          "name": "domain_composeId_compose_composeId_fk",
+          "tableFrom": "domain",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_applicationId_application_applicationId_fk": {
+          "name": "domain_applicationId_application_applicationId_fk",
+          "tableFrom": "domain",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "domain",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment": {
+      "name": "environment",
+      "schema": "",
+      "columns": {
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isDefault": {
+          "name": "isDefault",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_projectId_project_projectId_fk": {
+          "name": "environment_projectId_project_projectId_fk",
+          "tableFrom": "environment",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_provider": {
+      "name": "git_provider",
+      "schema": "",
+      "columns": {
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "providerType": {
+          "name": "providerType",
+          "type": "gitProviderType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sharedWithOrganization": {
+          "name": "sharedWithOrganization",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_provider_organizationId_organization_id_fk": {
+          "name": "git_provider_organizationId_organization_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_provider_userId_user_id_fk": {
+          "name": "git_provider_userId_user_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitea": {
+      "name": "gitea",
+      "schema": "",
+      "columns": {
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "giteaUrl": {
+          "name": "giteaUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitea.com'"
+        },
+        "giteaInternalUrl": {
+          "name": "giteaInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'repo,repo:status,read:user,read:org'"
+        },
+        "last_authenticated_at": {
+          "name": "last_authenticated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitea_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitea_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitea",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.github": {
+      "name": "github",
+      "schema": "",
+      "columns": {
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "githubAppName": {
+          "name": "githubAppName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubAppId": {
+          "name": "githubAppId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientId": {
+          "name": "githubClientId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientSecret": {
+          "name": "githubClientSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubInstallationId": {
+          "name": "githubInstallationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubPrivateKey": {
+          "name": "githubPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubWebhookSecret": {
+          "name": "githubWebhookSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "github_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "github_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "github",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitlab": {
+      "name": "gitlab",
+      "schema": "",
+      "columns": {
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "gitlabUrl": {
+          "name": "gitlabUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitlab.com'"
+        },
+        "gitlabInternalUrl": {
+          "name": "gitlabInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_name": {
+          "name": "group_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitlab_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitlab_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitlab",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.libsql": {
+      "name": "libsql",
+      "schema": "",
+      "columns": {
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sqldNode": {
+          "name": "sqldNode",
+          "type": "sqldNode",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'primary'"
+        },
+        "sqldPrimaryUrl": {
+          "name": "sqldPrimaryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableNamespaces": {
+          "name": "enableNamespaces",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalGRPCPort": {
+          "name": "externalGRPCPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalAdminPort": {
+          "name": "externalAdminPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "libsql_environmentId_environment_environmentId_fk": {
+          "name": "libsql_environmentId_environment_environmentId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "libsql_serverId_server_serverId_fk": {
+          "name": "libsql_serverId_server_serverId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "libsql_appName_unique": {
+          "name": "libsql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mariadb": {
+      "name": "mariadb",
+      "schema": "",
+      "columns": {
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mariadb_environmentId_environment_environmentId_fk": {
+          "name": "mariadb_environmentId_environment_environmentId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mariadb_serverId_server_serverId_fk": {
+          "name": "mariadb_serverId_server_serverId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mariadb_appName_unique": {
+          "name": "mariadb_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mongo": {
+      "name": "mongo",
+      "schema": "",
+      "columns": {
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'mongo:8'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicaSets": {
+          "name": "replicaSets",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mongo_environmentId_environment_environmentId_fk": {
+          "name": "mongo_environmentId_environment_environmentId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mongo_serverId_server_serverId_fk": {
+          "name": "mongo_serverId_server_serverId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mongo_appName_unique": {
+          "name": "mongo_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mount": {
+      "name": "mount",
+      "schema": "",
+      "columns": {
+        "mountId": {
+          "name": "mountId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "mountType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "hostPath": {
+          "name": "hostPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "mountPath": {
+          "name": "mountPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mount_applicationId_application_applicationId_fk": {
+          "name": "mount_applicationId_application_applicationId_fk",
+          "tableFrom": "mount",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_composeId_compose_composeId_fk": {
+          "name": "mount_composeId_compose_composeId_fk",
+          "tableFrom": "mount",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_libsqlId_libsql_libsqlId_fk": {
+          "name": "mount_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mariadbId_mariadb_mariadbId_fk": {
+          "name": "mount_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mongoId_mongo_mongoId_fk": {
+          "name": "mount_mongoId_mongo_mongoId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mysqlId_mysql_mysqlId_fk": {
+          "name": "mount_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_postgresId_postgres_postgresId_fk": {
+          "name": "mount_postgresId_postgres_postgresId_fk",
+          "tableFrom": "mount",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_redisId_redis_redisId_fk": {
+          "name": "mount_redisId_redis_redisId_fk",
+          "tableFrom": "mount",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mysql": {
+      "name": "mysql",
+      "schema": "",
+      "columns": {
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mysql_environmentId_environment_environmentId_fk": {
+          "name": "mysql_environmentId_environment_environmentId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mysql_serverId_server_serverId_fk": {
+          "name": "mysql_serverId_server_serverId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mysql_appName_unique": {
+          "name": "mysql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.custom": {
+      "name": "custom",
+      "schema": "",
+      "columns": {
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "headers": {
+          "name": "headers",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.discord": {
+      "name": "discord",
+      "schema": "",
+      "columns": {
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.email": {
+      "name": "email",
+      "schema": "",
+      "columns": {
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "smtpServer": {
+          "name": "smtpServer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "smtpPort": {
+          "name": "smtpPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gotify": {
+      "name": "gotify",
+      "schema": "",
+      "columns": {
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appToken": {
+          "name": "appToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 5
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.lark": {
+      "name": "lark",
+      "schema": "",
+      "columns": {
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mattermost": {
+      "name": "mattermost",
+      "schema": "",
+      "columns": {
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification": {
+      "name": "notification",
+      "schema": "",
+      "columns": {
+        "notificationId": {
+          "name": "notificationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appDeploy": {
+          "name": "appDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "appBuildError": {
+          "name": "appBuildError",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "databaseBackup": {
+          "name": "databaseBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "volumeBackup": {
+          "name": "volumeBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployRestart": {
+          "name": "dokployRestart",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployBackup": {
+          "name": "dokployBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerCleanup": {
+          "name": "dockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "serverThreshold": {
+          "name": "serverThreshold",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "notificationType": {
+          "name": "notificationType",
+          "type": "notificationType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "notification_slackId_slack_slackId_fk": {
+          "name": "notification_slackId_slack_slackId_fk",
+          "tableFrom": "notification",
+          "tableTo": "slack",
+          "columnsFrom": [
+            "slackId"
+          ],
+          "columnsTo": [
+            "slackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_telegramId_telegram_telegramId_fk": {
+          "name": "notification_telegramId_telegram_telegramId_fk",
+          "tableFrom": "notification",
+          "tableTo": "telegram",
+          "columnsFrom": [
+            "telegramId"
+          ],
+          "columnsTo": [
+            "telegramId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_discordId_discord_discordId_fk": {
+          "name": "notification_discordId_discord_discordId_fk",
+          "tableFrom": "notification",
+          "tableTo": "discord",
+          "columnsFrom": [
+            "discordId"
+          ],
+          "columnsTo": [
+            "discordId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_emailId_email_emailId_fk": {
+          "name": "notification_emailId_email_emailId_fk",
+          "tableFrom": "notification",
+          "tableTo": "email",
+          "columnsFrom": [
+            "emailId"
+          ],
+          "columnsTo": [
+            "emailId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_resendId_resend_resendId_fk": {
+          "name": "notification_resendId_resend_resendId_fk",
+          "tableFrom": "notification",
+          "tableTo": "resend",
+          "columnsFrom": [
+            "resendId"
+          ],
+          "columnsTo": [
+            "resendId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_gotifyId_gotify_gotifyId_fk": {
+          "name": "notification_gotifyId_gotify_gotifyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "gotify",
+          "columnsFrom": [
+            "gotifyId"
+          ],
+          "columnsTo": [
+            "gotifyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_ntfyId_ntfy_ntfyId_fk": {
+          "name": "notification_ntfyId_ntfy_ntfyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "ntfy",
+          "columnsFrom": [
+            "ntfyId"
+          ],
+          "columnsTo": [
+            "ntfyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_mattermostId_mattermost_mattermostId_fk": {
+          "name": "notification_mattermostId_mattermost_mattermostId_fk",
+          "tableFrom": "notification",
+          "tableTo": "mattermost",
+          "columnsFrom": [
+            "mattermostId"
+          ],
+          "columnsTo": [
+            "mattermostId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_customId_custom_customId_fk": {
+          "name": "notification_customId_custom_customId_fk",
+          "tableFrom": "notification",
+          "tableTo": "custom",
+          "columnsFrom": [
+            "customId"
+          ],
+          "columnsTo": [
+            "customId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_larkId_lark_larkId_fk": {
+          "name": "notification_larkId_lark_larkId_fk",
+          "tableFrom": "notification",
+          "tableTo": "lark",
+          "columnsFrom": [
+            "larkId"
+          ],
+          "columnsTo": [
+            "larkId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_pushoverId_pushover_pushoverId_fk": {
+          "name": "notification_pushoverId_pushover_pushoverId_fk",
+          "tableFrom": "notification",
+          "tableTo": "pushover",
+          "columnsFrom": [
+            "pushoverId"
+          ],
+          "columnsTo": [
+            "pushoverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_teamsId_teams_teamsId_fk": {
+          "name": "notification_teamsId_teams_teamsId_fk",
+          "tableFrom": "notification",
+          "tableTo": "teams",
+          "columnsFrom": [
+            "teamsId"
+          ],
+          "columnsTo": [
+            "teamsId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_organizationId_organization_id_fk": {
+          "name": "notification_organizationId_organization_id_fk",
+          "tableFrom": "notification",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ntfy": {
+      "name": "ntfy",
+      "schema": "",
+      "columns": {
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "topic": {
+          "name": "topic",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "accessToken": {
+          "name": "accessToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 3
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pushover": {
+      "name": "pushover",
+      "schema": "",
+      "columns": {
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "userKey": {
+          "name": "userKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "retry": {
+          "name": "retry",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expire": {
+          "name": "expire",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.resend": {
+      "name": "resend",
+      "schema": "",
+      "columns": {
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.slack": {
+      "name": "slack",
+      "schema": "",
+      "columns": {
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.teams": {
+      "name": "teams",
+      "schema": "",
+      "columns": {
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.telegram": {
+      "name": "telegram",
+      "schema": "",
+      "columns": {
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "botToken": {
+          "name": "botToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chatId": {
+          "name": "chatId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "messageThreadId": {
+          "name": "messageThreadId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.patch": {
+      "name": "patch",
+      "schema": "",
+      "columns": {
+        "patchId": {
+          "name": "patchId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "patchType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'update'"
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updatedAt": {
+          "name": "updatedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "patch_applicationId_application_applicationId_fk": {
+          "name": "patch_applicationId_application_applicationId_fk",
+          "tableFrom": "patch",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "patch_composeId_compose_composeId_fk": {
+          "name": "patch_composeId_compose_composeId_fk",
+          "tableFrom": "patch",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "patch_filepath_application_unique": {
+          "name": "patch_filepath_application_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "applicationId"
+          ]
+        },
+        "patch_filepath_compose_unique": {
+          "name": "patch_filepath_compose_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "composeId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.port": {
+      "name": "port",
+      "schema": "",
+      "columns": {
+        "portId": {
+          "name": "portId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "publishedPort": {
+          "name": "publishedPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "publishMode": {
+          "name": "publishMode",
+          "type": "publishModeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'host'"
+        },
+        "targetPort": {
+          "name": "targetPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "protocolType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "port_applicationId_application_applicationId_fk": {
+          "name": "port_applicationId_application_applicationId_fk",
+          "tableFrom": "port",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.postgres": {
+      "name": "postgres",
+      "schema": "",
+      "columns": {
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "postgres_environmentId_environment_environmentId_fk": {
+          "name": "postgres_environmentId_environment_environmentId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "postgres_serverId_server_serverId_fk": {
+          "name": "postgres_serverId_server_serverId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "postgres_appName_unique": {
+          "name": "postgres_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.preview_deployments": {
+      "name": "preview_deployments",
+      "schema": "",
+      "columns": {
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestId": {
+          "name": "pullRequestId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestNumber": {
+          "name": "pullRequestNumber",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestURL": {
+          "name": "pullRequestURL",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestTitle": {
+          "name": "pullRequestTitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestCommentId": {
+          "name": "pullRequestCommentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "previewStatus": {
+          "name": "previewStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expiresAt": {
+          "name": "expiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "preview_deployments_applicationId_application_applicationId_fk": {
+          "name": "preview_deployments_applicationId_application_applicationId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "preview_deployments_domainId_domain_domainId_fk": {
+          "name": "preview_deployments_domainId_domain_domainId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "domain",
+          "columnsFrom": [
+            "domainId"
+          ],
+          "columnsTo": [
+            "domainId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "preview_deployments_appName_unique": {
+          "name": "preview_deployments_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project": {
+      "name": "project",
+      "schema": "",
+      "columns": {
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_organizationId_organization_id_fk": {
+          "name": "project_organizationId_organization_id_fk",
+          "tableFrom": "project",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redirect": {
+      "name": "redirect",
+      "schema": "",
+      "columns": {
+        "redirectId": {
+          "name": "redirectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "regex": {
+          "name": "regex",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "replacement": {
+          "name": "replacement",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permanent": {
+          "name": "permanent",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redirect_applicationId_application_applicationId_fk": {
+          "name": "redirect_applicationId_application_applicationId_fk",
+          "tableFrom": "redirect",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redis": {
+      "name": "redis",
+      "schema": "",
+      "columns": {
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redis_environmentId_environment_environmentId_fk": {
+          "name": "redis_environmentId_environment_environmentId_fk",
+          "tableFrom": "redis",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "redis_serverId_server_serverId_fk": {
+          "name": "redis_serverId_server_serverId_fk",
+          "tableFrom": "redis",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "redis_appName_unique": {
+          "name": "redis_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registry": {
+      "name": "registry",
+      "schema": "",
+      "columns": {
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "registryName": {
+          "name": "registryName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "imagePrefix": {
+          "name": "imagePrefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "selfHosted": {
+          "name": "selfHosted",
+          "type": "RegistryType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'cloud'"
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "registry_organizationId_organization_id_fk": {
+          "name": "registry_organizationId_organization_id_fk",
+          "tableFrom": "registry",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.rollback": {
+      "name": "rollback",
+      "schema": "",
+      "columns": {
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "version": {
+          "name": "version",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fullContext": {
+          "name": "fullContext",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "rollback_deploymentId_deployment_deploymentId_fk": {
+          "name": "rollback_deploymentId_deployment_deploymentId_fk",
+          "tableFrom": "rollback",
+          "tableTo": "deployment",
+          "columnsFrom": [
+            "deploymentId"
+          ],
+          "columnsTo": [
+            "deploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule": {
+      "name": "schedule",
+      "schema": "",
+      "columns": {
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "shellType": {
+          "name": "shellType",
+          "type": "shellType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'bash'"
+        },
+        "scheduleType": {
+          "name": "scheduleType",
+          "type": "scheduleType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "script": {
+          "name": "script",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "timezone": {
+          "name": "timezone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "schedule_applicationId_application_applicationId_fk": {
+          "name": "schedule_applicationId_application_applicationId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_composeId_compose_composeId_fk": {
+          "name": "schedule_composeId_compose_composeId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_serverId_server_serverId_fk": {
+          "name": "schedule_serverId_server_serverId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_organizationId_organization_id_fk": {
+          "name": "schedule_organizationId_organization_id_fk",
+          "tableFrom": "schedule",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.security": {
+      "name": "security",
+      "schema": "",
+      "columns": {
+        "securityId": {
+          "name": "securityId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "security_applicationId_application_applicationId_fk": {
+          "name": "security_applicationId_application_applicationId_fk",
+          "tableFrom": "security",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "security_username_applicationId_unique": {
+          "name": "security_username_applicationId_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username",
+            "applicationId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.server": {
+      "name": "server",
+      "schema": "",
+      "columns": {
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ipAddress": {
+          "name": "ipAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'root'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverStatus": {
+          "name": "serverStatus",
+          "type": "serverStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'active'"
+        },
+        "serverType": {
+          "name": "serverType",
+          "type": "serverType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'deploy'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Remote\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"urlCallback\":\"\",\"cronJob\":\"\",\"retentionDays\":2,\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "server_organizationId_organization_id_fk": {
+          "name": "server_organizationId_organization_id_fk",
+          "tableFrom": "server",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "server_sshKeyId_ssh-key_sshKeyId_fk": {
+          "name": "server_sshKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "server",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "sshKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "impersonated_by": {
+          "name": "impersonated_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ssh-key": {
+      "name": "ssh-key",
+      "schema": "",
+      "columns": {
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "publicKey": {
+          "name": "publicKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "lastUsedAt": {
+          "name": "lastUsedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ssh-key_organizationId_organization_id_fk": {
+          "name": "ssh-key_organizationId_organization_id_fk",
+          "tableFrom": "ssh-key",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sso_provider": {
+      "name": "sso_provider",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "issuer": {
+          "name": "issuer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "oidc_config": {
+          "name": "oidc_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "saml_config": {
+          "name": "saml_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domain": {
+          "name": "domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "sso_provider_user_id_user_id_fk": {
+          "name": "sso_provider_user_id_user_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "sso_provider_organization_id_organization_id_fk": {
+          "name": "sso_provider_organization_id_organization_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "sso_provider_provider_id_unique": {
+          "name": "sso_provider_provider_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "provider_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project_tag": {
+      "name": "project_tag",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_tag_projectId_project_projectId_fk": {
+          "name": "project_tag_projectId_project_projectId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "project_tag_tagId_tag_tagId_fk": {
+          "name": "project_tag_tagId_tag_tagId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "tag",
+          "columnsFrom": [
+            "tagId"
+          ],
+          "columnsTo": [
+            "tagId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_project_tag": {
+          "name": "unique_project_tag",
+          "nullsNotDistinct": false,
+          "columns": [
+            "projectId",
+            "tagId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.tag": {
+      "name": "tag",
+      "schema": "",
+      "columns": {
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "color": {
+          "name": "color",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "tag_organizationId_organization_id_fk": {
+          "name": "tag_organizationId_organization_id_fk",
+          "tableFrom": "tag",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_org_tag_name": {
+          "name": "unique_org_tag_name",
+          "nullsNotDistinct": false,
+          "columns": [
+            "organizationId",
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "firstName": {
+          "name": "firstName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "lastName": {
+          "name": "lastName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "isRegistered": {
+          "name": "isRegistered",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "expirationDate": {
+          "name": "expirationDate",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "two_factor_enabled": {
+          "name": "two_factor_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "banned": {
+          "name": "banned",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_reason": {
+          "name": "ban_reason",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_expires": {
+          "name": "ban_expires",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'user'"
+        },
+        "enablePaidFeatures": {
+          "name": "enablePaidFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "allowImpersonation": {
+          "name": "allowImpersonation",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enableEnterpriseFeatures": {
+          "name": "enableEnterpriseFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "licenseKey": {
+          "name": "licenseKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isValidEnterpriseLicense": {
+          "name": "isValidEnterpriseLicense",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "stripeCustomerId": {
+          "name": "stripeCustomerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stripeSubscriptionId": {
+          "name": "stripeSubscriptionId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serversQuantity": {
+          "name": "serversQuantity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "sendInvoiceNotifications": {
+          "name": "sendInvoiceNotifications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isEnterpriseCloud": {
+          "name": "isEnterpriseCloud",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "trustedOrigins": {
+          "name": "trustedOrigins",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bookmarkedTemplates": {
+          "name": "bookmarkedTemplates",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.volume_backup": {
+      "name": "volume_backup",
+      "schema": "",
+      "columns": {
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "turnOff": {
+          "name": "turnOff",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "volume_backup_applicationId_application_applicationId_fk": {
+          "name": "volume_backup_applicationId_application_applicationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_postgresId_postgres_postgresId_fk": {
+          "name": "volume_backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "volume_backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mongoId_mongo_mongoId_fk": {
+          "name": "volume_backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "volume_backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_redisId_redis_redisId_fk": {
+          "name": "volume_backup_redisId_redis_redisId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "volume_backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_composeId_compose_composeId_fk": {
+          "name": "volume_backup_composeId_compose_composeId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_destinationId_destination_destinationId_fk": {
+          "name": "volume_backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.webServerSettings": {
+      "name": "webServerSettings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "serverIp": {
+          "name": "serverIp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "letsEncryptEmail": {
+          "name": "letsEncryptEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sshPrivateKey": {
+          "name": "sshPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "logCleanupCron": {
+          "name": "logCleanupCron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 0 * * *'"
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Dokploy\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"retentionDays\":2,\"cronJob\":\"\",\"urlCallback\":\"\",\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        },
+        "whitelabelingConfig": {
+          "name": "whitelabelingConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{\"appName\":null,\"appDescription\":null,\"logoUrl\":null,\"faviconUrl\":null,\"customCss\":null,\"loginLogoUrl\":null,\"supportUrl\":null,\"docsUrl\":null,\"errorPageTitle\":null,\"errorPageDescription\":null,\"metaTitle\":null,\"footerText\":null}'::jsonb"
+        },
+        "remoteServersOnly": {
+          "name": "remoteServersOnly",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enforceSSO": {
+          "name": "enforceSSO",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheApplications": {
+          "name": "cleanupCacheApplications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnPreviews": {
+          "name": "cleanupCacheOnPreviews",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnCompose": {
+          "name": "cleanupCacheOnCompose",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.buildType": {
+      "name": "buildType",
+      "schema": "public",
+      "values": [
+        "dockerfile",
+        "heroku_buildpacks",
+        "paketo_buildpacks",
+        "nixpacks",
+        "static",
+        "railpack"
+      ]
+    },
+    "public.sourceType": {
+      "name": "sourceType",
+      "schema": "public",
+      "values": [
+        "docker",
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "drop"
+      ]
+    },
+    "public.backupType": {
+      "name": "backupType",
+      "schema": "public",
+      "values": [
+        "database",
+        "compose"
+      ]
+    },
+    "public.databaseType": {
+      "name": "databaseType",
+      "schema": "public",
+      "values": [
+        "postgres",
+        "mariadb",
+        "mysql",
+        "mongo",
+        "web-server",
+        "libsql"
+      ]
+    },
+    "public.composeType": {
+      "name": "composeType",
+      "schema": "public",
+      "values": [
+        "docker-compose",
+        "stack"
+      ]
+    },
+    "public.sourceTypeCompose": {
+      "name": "sourceTypeCompose",
+      "schema": "public",
+      "values": [
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "raw"
+      ]
+    },
+    "public.deploymentStatus": {
+      "name": "deploymentStatus",
+      "schema": "public",
+      "values": [
+        "running",
+        "done",
+        "error",
+        "cancelled"
+      ]
+    },
+    "public.domainType": {
+      "name": "domainType",
+      "schema": "public",
+      "values": [
+        "compose",
+        "application",
+        "preview"
+      ]
+    },
+    "public.gitProviderType": {
+      "name": "gitProviderType",
+      "schema": "public",
+      "values": [
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea"
+      ]
+    },
+    "public.mountType": {
+      "name": "mountType",
+      "schema": "public",
+      "values": [
+        "bind",
+        "volume",
+        "file"
+      ]
+    },
+    "public.serviceType": {
+      "name": "serviceType",
+      "schema": "public",
+      "values": [
+        "application",
+        "postgres",
+        "mysql",
+        "mariadb",
+        "mongo",
+        "redis",
+        "compose",
+        "libsql"
+      ]
+    },
+    "public.notificationType": {
+      "name": "notificationType",
+      "schema": "public",
+      "values": [
+        "slack",
+        "telegram",
+        "discord",
+        "email",
+        "resend",
+        "gotify",
+        "ntfy",
+        "mattermost",
+        "pushover",
+        "custom",
+        "lark",
+        "teams"
+      ]
+    },
+    "public.patchType": {
+      "name": "patchType",
+      "schema": "public",
+      "values": [
+        "create",
+        "update",
+        "delete"
+      ]
+    },
+    "public.protocolType": {
+      "name": "protocolType",
+      "schema": "public",
+      "values": [
+        "tcp",
+        "udp"
+      ]
+    },
+    "public.publishModeType": {
+      "name": "publishModeType",
+      "schema": "public",
+      "values": [
+        "ingress",
+        "host"
+      ]
+    },
+    "public.RegistryType": {
+      "name": "RegistryType",
+      "schema": "public",
+      "values": [
+        "selfHosted",
+        "cloud"
+      ]
+    },
+    "public.scheduleType": {
+      "name": "scheduleType",
+      "schema": "public",
+      "values": [
+        "application",
+        "compose",
+        "server",
+        "dokploy-server"
+      ]
+    },
+    "public.shellType": {
+      "name": "shellType",
+      "schema": "public",
+      "values": [
+        "bash",
+        "sh"
+      ]
+    },
+    "public.serverStatus": {
+      "name": "serverStatus",
+      "schema": "public",
+      "values": [
+        "active",
+        "inactive"
+      ]
+    },
+    "public.serverType": {
+      "name": "serverType",
+      "schema": "public",
+      "values": [
+        "deploy",
+        "build"
+      ]
+    },
+    "public.applicationStatus": {
+      "name": "applicationStatus",
+      "schema": "public",
+      "values": [
+        "idle",
+        "running",
+        "done",
+        "error"
+      ]
+    },
+    "public.certificateType": {
+      "name": "certificateType",
+      "schema": "public",
+      "values": [
+        "letsencrypt",
+        "none",
+        "custom"
+      ]
+    },
+    "public.sqldNode": {
+      "name": "sqldNode",
+      "schema": "public",
+      "values": [
+        "primary",
+        "replica"
+      ]
+    },
+    "public.triggerType": {
+      "name": "triggerType",
+      "schema": "public",
+      "values": [
+        "push",
+        "tag"
+      ]
+    },
+    "public.webServerProvider": {
+      "name": "webServerProvider",
+      "schema": "public",
+      "values": [
+        "traefik",
+        "caddy"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/_journal.json b/apps/dokploy/drizzle/meta/_journal.json
index 573e42b56e..42c4b63771 100644
--- a/apps/dokploy/drizzle/meta/_journal.json
+++ b/apps/dokploy/drizzle/meta/_journal.json
@@ -1191,6 +1191,13 @@
       "when": 1780127552074,
       "tag": "0169_parched_johnny_storm",
       "breakpoints": true
+    },
+    {
+      "idx": 170,
+      "version": "7",
+      "when": 1780337191309,
+      "tag": "0170_web_server_provider",
+      "breakpoints": true
     }
   ]
 }
\ No newline at end of file
diff --git a/apps/dokploy/esbuild.config.ts b/apps/dokploy/esbuild.config.ts
index fa053d726c..e590de8254 100644
--- a/apps/dokploy/esbuild.config.ts
+++ b/apps/dokploy/esbuild.config.ts
@@ -29,6 +29,7 @@ try {
 				"reset-password": "reset-password.ts",
 				"reset-2fa": "reset-2fa.ts",
 				"migrate-auth-secret": "scripts/migrate-auth-secret.ts",
+				"caddy-migration-rollback": "scripts/caddy-migration-rollback.ts",
 			},
 			bundle: true,
 			platform: "node",
diff --git a/apps/dokploy/package.json b/apps/dokploy/package.json
index c271f32bd4..4c24f12bb0 100644
--- a/apps/dokploy/package.json
+++ b/apps/dokploy/package.json
@@ -20,6 +20,8 @@
 		"migration:generate": "drizzle-kit generate --config ./server/db/drizzle.config.ts",
 		"migration:run": "tsx -r dotenv/config migration.ts",
 		"manual-migration:run": "tsx -r dotenv/config migrate.ts",
+		"caddy:migration:rollback": "tsx -r dotenv/config scripts/caddy-migration-rollback.ts",
+		"caddy:migration:rollback:runtime": "node -r dotenv/config dist/caddy-migration-rollback.mjs",
 		"migration:up": "drizzle-kit up --config ./server/db/drizzle.config.ts",
 		"migration:drop": "drizzle-kit drop --config ./server/db/drizzle.config.ts",
 		"db:push": "drizzle-kit push --config ./server/db/drizzle.config.ts",
diff --git a/apps/dokploy/scripts/caddy-migration-rollback.ts b/apps/dokploy/scripts/caddy-migration-rollback.ts
new file mode 100644
index 0000000000..40e9936a3f
--- /dev/null
+++ b/apps/dokploy/scripts/caddy-migration-rollback.ts
@@ -0,0 +1,87 @@
+import { pathToFileURL } from "node:url";
+import type { CaddyMigrationReport } from "@dokploy/server";
+
+interface RollbackArgs {
+	migrationId: string;
+	serverId?: string;
+}
+
+interface CliIo {
+	stdout: Pick<typeof process.stdout, "write">;
+	stderr: Pick<typeof process.stderr, "write">;
+}
+
+const usage =
+	"Usage: caddy-migration-rollback --migration-id <id> [--server-id <id>]";
+
+export const parseCaddyRollbackArgs = (argv: string[]): RollbackArgs => {
+	let migrationId = "";
+	let serverId: string | undefined;
+	for (let index = 0; index < argv.length; index++) {
+		const arg = argv[index];
+		if (arg === "--migration-id") {
+			migrationId = argv[++index] ?? "";
+		} else if (arg === "--server-id") {
+			serverId = argv[++index] || undefined;
+		} else if (arg === "--help" || arg === "-h") {
+			throw new Error(usage);
+		} else {
+			throw new Error(`Unknown argument "${arg}". ${usage}`);
+		}
+	}
+	if (!migrationId) {
+		throw new Error(`Missing --migration-id. ${usage}`);
+	}
+	return { migrationId, serverId };
+};
+
+const isHelpRequest = (argv: string[]) =>
+	argv.some((arg) => arg === "--help" || arg === "-h");
+
+const buildOutput = (report: CaddyMigrationReport) => ({
+	migrationId: report.migrationId,
+	status: report.status,
+	providerTarget: "traefik",
+	warnings: report.warnings,
+	summary: report.summary,
+	reportPath: report.artifactPaths.reportJson,
+});
+
+export const runCaddyMigrationRollbackCli = async (
+	argv = process.argv.slice(2),
+	io: CliIo = process,
+) => {
+	if (isHelpRequest(argv)) {
+		io.stdout.write(`${usage}\n`);
+		return 0;
+	}
+
+	try {
+		const args = parseCaddyRollbackArgs(argv);
+		const { rollbackCaddyMigration } = await import("@dokploy/server");
+		const report = await rollbackCaddyMigration(args);
+		const output = buildOutput(report);
+		io.stdout.write(`${JSON.stringify(output, null, 2)}\n`);
+		return report.status === "rolled_back" ? 0 : 1;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Rollback failed";
+		io.stderr.write(`${message}\n`);
+		io.stdout.write(
+			`${JSON.stringify(
+				{
+					status: "failed",
+					providerTarget: "traefik",
+					error: message,
+				},
+				null,
+				2,
+			)}\n`,
+		);
+		return 1;
+	}
+};
+
+if (import.meta.url === pathToFileURL(process.argv[1] ?? "").href) {
+	const code = await runCaddyMigrationRollbackCli();
+	process.exit(code);
+}
diff --git a/apps/dokploy/server/api/routers/application.ts b/apps/dokploy/server/api/routers/application.ts
index c7b1f8642f..2cb64046e5 100644
--- a/apps/dokploy/server/api/routers/application.ts
+++ b/apps/dokploy/server/api/routers/application.ts
@@ -1,8 +1,10 @@
 import {
 	clearOldDeployments,
 	createApplication,
+	createCaddyApplicationRouteFragment,
 	deleteAllMiddlewares,
 	findApplicationById,
+	findDomainsByApplicationId,
 	findEnvironmentById,
 	findGitProviderById,
 	findProjectById,
@@ -19,6 +21,7 @@ import {
 	removeMonitoringDirectory,
 	removeService,
 	removeTraefikConfig,
+	resolveWebServerProvider,
 	startService,
 	startServiceRemote,
 	stopService,
@@ -796,6 +799,45 @@ export const applicationRouter = createTRPCRouter({
 			}
 			return traefikConfig;
 		}),
+	readWebServerConfig: protectedProcedure
+		.input(apiFindOneApplication)
+		.query(async ({ input, ctx }) => {
+			await checkServicePermissionAndAccess(ctx, input.applicationId, {
+				traefikFiles: ["read"],
+			});
+			const application = await findApplicationById(input.applicationId);
+			const provider = await resolveWebServerProvider(
+				application.serverId || undefined,
+			);
+
+			if (provider === "traefik") {
+				if (application.serverId) {
+					return await readRemoteConfig(
+						application.serverId,
+						application.appName,
+					);
+				}
+				return readConfig(application.appName);
+			}
+
+			const domains = await findDomainsByApplicationId(input.applicationId);
+			const fragments = domains.map((domain) =>
+				createCaddyApplicationRouteFragment(
+					application as never,
+					domain as never,
+				),
+			);
+			return `${JSON.stringify(
+				{
+					provider,
+					message:
+						"Generated Caddy route fragments for this application. Caddy manages HTTPS certificates automatically for HTTPS domains; Traefik custom certificate resolvers do not apply.",
+					fragments,
+				},
+				null,
+				2,
+			)}\n`;
+		}),
 
 	dropDeployment: protectedProcedure
 		.input(
diff --git a/apps/dokploy/server/api/routers/compose.ts b/apps/dokploy/server/api/routers/compose.ts
index 51e257ce65..0dde5aaa64 100644
--- a/apps/dokploy/server/api/routers/compose.ts
+++ b/apps/dokploy/server/api/routers/compose.ts
@@ -1,5 +1,5 @@
 import {
-	addDomainToCompose,
+	addDomainToComposeForWebServer,
 	clearOldDeployments,
 	cloneCompose,
 	createCommand,
@@ -411,7 +411,10 @@ export const composeRouter = createTRPCRouter({
 			});
 			const compose = await findComposeById(input.composeId);
 			const domains = await findDomainsByComposeId(input.composeId);
-			const composeFile = await addDomainToCompose(compose, domains);
+			const composeFile = await addDomainToComposeForWebServer(
+				compose,
+				domains,
+			);
 			return stringify(composeFile, {
 				lineWidth: 1000,
 			});
diff --git a/apps/dokploy/server/api/routers/domain.ts b/apps/dokploy/server/api/routers/domain.ts
index 8210fcf8a5..290654bd85 100644
--- a/apps/dokploy/server/api/routers/domain.ts
+++ b/apps/dokploy/server/api/routers/domain.ts
@@ -1,16 +1,21 @@
 import {
+	assertCaddyDomainSupported,
 	createDomain,
 	findApplicationById,
+	findComposeById,
 	findDomainById,
 	findDomainsByApplicationId,
 	findDomainsByComposeId,
 	findPreviewDeploymentById,
 	findServerById,
 	generateTraefikMeDomain,
+	getCaddyComposeRouteTargetsForWebServer,
 	getWebServerSettings,
-	manageDomain,
-	removeDomain,
+	manageWebServerDomain,
 	removeDomainById,
+	writeCaddyComposeRoutesForTargets,
+	removeWebServerDomain,
+	resolveWebServerProvider,
 	updateDomainById,
 	validateDomain,
 } from "@dokploy/server";
@@ -31,6 +36,35 @@ import {
 	apiUpdateDomain,
 } from "@/server/db/schema";
 
+const toDomainUpdateFields = (domain: Awaited<ReturnType<typeof findDomainById>>) => ({
+	host: domain.host,
+	https: domain.https,
+	port: domain.port,
+	customEntrypoint: domain.customEntrypoint,
+	path: domain.path,
+	serviceName: domain.serviceName,
+	domainType: domain.domainType,
+	customCertResolver: domain.customCertResolver,
+	certificateType: domain.certificateType,
+	internalPath: domain.internalPath,
+	stripPath: domain.stripPath,
+	middlewares: domain.middlewares,
+});
+
+const refreshCaddyComposeRoutes = async (
+	compose: Awaited<ReturnType<typeof findComposeById>>,
+) => {
+	const domains = await findDomainsByComposeId(compose.composeId);
+	const routeTargets = await getCaddyComposeRouteTargetsForWebServer(
+		compose,
+		domains,
+		"caddy",
+	);
+	if (routeTargets) {
+		await writeCaddyComposeRoutesForTargets(compose, routeTargets);
+	}
+};
+
 export const domainRouter = createTRPCRouter({
 	create: protectedProcedure
 		.input(apiCreateDomain)
@@ -46,6 +80,18 @@ export const domainRouter = createTRPCRouter({
 					});
 				}
 				const domain = await createDomain(input);
+				if (domain.composeId) {
+					const compose = await findComposeById(domain.composeId);
+					if ((await resolveWebServerProvider(compose.serverId)) === "caddy") {
+						try {
+							await refreshCaddyComposeRoutes(compose);
+						} catch (error) {
+							await removeDomainById(domain.domainId);
+							await refreshCaddyComposeRoutes(compose);
+							throw error;
+						}
+					}
+				}
 				await audit(ctx, {
 					action: "create",
 					resourceType: "domain",
@@ -118,6 +164,85 @@ export const domainRouter = createTRPCRouter({
 				});
 			}
 
+			const nextDomain = { ...currentDomain, ...input };
+			if (currentDomain.applicationId) {
+				const application = await findApplicationById(currentDomain.applicationId);
+				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+					assertCaddyDomainSupported(nextDomain);
+					await manageWebServerDomain(application, nextDomain);
+					try {
+						const result = await updateDomainById(input.domainId, input);
+						if (!result) {
+							throw new Error("Error updating domain");
+						}
+						await audit(ctx, {
+							action: "update",
+							resourceType: "domain",
+							resourceId: result.domainId,
+							resourceName: result.host,
+						});
+						return result;
+					} catch (error) {
+						await manageWebServerDomain(application, currentDomain);
+						throw error;
+					}
+				}
+			} else if (currentDomain.previewDeploymentId) {
+				const previewDeployment = await findPreviewDeploymentById(
+					currentDomain.previewDeploymentId,
+				);
+				const application = await findApplicationById(
+					previewDeployment.applicationId,
+				);
+				application.appName = previewDeployment.appName;
+				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+					assertCaddyDomainSupported(nextDomain);
+					await manageWebServerDomain(application, nextDomain);
+					try {
+						const result = await updateDomainById(input.domainId, input);
+						if (!result) {
+							throw new Error("Error updating domain");
+						}
+						await audit(ctx, {
+							action: "update",
+							resourceType: "domain",
+							resourceId: result.domainId,
+							resourceName: result.host,
+						});
+						return result;
+					} catch (error) {
+						await manageWebServerDomain(application, currentDomain);
+						throw error;
+					}
+				}
+			} else if (currentDomain.composeId) {
+				const compose = await findComposeById(currentDomain.composeId);
+				if ((await resolveWebServerProvider(compose.serverId)) === "caddy") {
+					assertCaddyDomainSupported(nextDomain);
+					const result = await updateDomainById(input.domainId, input);
+					if (!result) {
+						throw new Error("Error updating domain");
+					}
+					try {
+						await refreshCaddyComposeRoutes(compose);
+						await audit(ctx, {
+							action: "update",
+							resourceType: "domain",
+							resourceId: result.domainId,
+							resourceName: result.host,
+						});
+						return result;
+					} catch (error) {
+						await updateDomainById(
+							input.domainId,
+							toDomainUpdateFields(currentDomain),
+						);
+						await refreshCaddyComposeRoutes(compose);
+						throw error;
+					}
+				}
+			}
+
 			const result = await updateDomainById(input.domainId, input);
 			const domain = await findDomainById(input.domainId);
 			await audit(ctx, {
@@ -128,7 +253,7 @@ export const domainRouter = createTRPCRouter({
 			});
 			if (domain.applicationId) {
 				const application = await findApplicationById(domain.applicationId);
-				await manageDomain(application, domain);
+				await manageWebServerDomain(application, domain);
 			} else if (domain.previewDeploymentId) {
 				const previewDeployment = await findPreviewDeploymentById(
 					domain.previewDeploymentId,
@@ -137,7 +262,7 @@ export const domainRouter = createTRPCRouter({
 					previewDeployment.applicationId,
 				);
 				application.appName = previewDeployment.appName;
-				await manageDomain(application, domain);
+				await manageWebServerDomain(application, domain);
 			}
 			return result;
 		}),
@@ -176,6 +301,79 @@ export const domainRouter = createTRPCRouter({
 				});
 			}
 
+			if (domain.applicationId) {
+				const application = await findApplicationById(domain.applicationId);
+				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+					await removeWebServerDomain(application, domain.uniqueConfigKey);
+					try {
+						const result = await removeDomainById(input.domainId);
+						await audit(ctx, {
+							action: "delete",
+							resourceType: "domain",
+							resourceId: domain.domainId,
+							resourceName: domain.host,
+						});
+						return result;
+					} catch (error) {
+						await manageWebServerDomain(application, domain);
+						throw error;
+					}
+				}
+			} else if (domain.previewDeploymentId) {
+				const previewDeployment = await findPreviewDeploymentById(
+					domain.previewDeploymentId,
+				);
+				const application = await findApplicationById(
+					previewDeployment.applicationId,
+				);
+				application.appName = previewDeployment.appName;
+				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+					await removeWebServerDomain(application, domain.uniqueConfigKey);
+					try {
+						const result = await removeDomainById(input.domainId);
+						await audit(ctx, {
+							action: "delete",
+							resourceType: "domain",
+							resourceId: domain.domainId,
+							resourceName: domain.host,
+						});
+						return result;
+					} catch (error) {
+						await manageWebServerDomain(application, domain);
+						throw error;
+					}
+				}
+			} else if (domain.composeId) {
+				const compose = await findComposeById(domain.composeId);
+				if ((await resolveWebServerProvider(compose.serverId)) === "caddy") {
+					const domains = await findDomainsByComposeId(compose.composeId);
+					const remainingDomains = domains.filter(
+						(item) => item.domainId !== domain.domainId,
+					);
+					const routeTargets = await getCaddyComposeRouteTargetsForWebServer(
+						compose,
+						remainingDomains,
+						"caddy",
+					);
+					try {
+						if (routeTargets) {
+							await writeCaddyComposeRoutesForTargets(compose, routeTargets);
+						}
+						const result = await removeDomainById(input.domainId);
+						await audit(ctx, {
+							action: "delete",
+							resourceType: "domain",
+							resourceId: domain.domainId,
+							resourceName: domain.host,
+						});
+						return result;
+					} catch (error) {
+						await refreshCaddyComposeRoutes(compose);
+						throw error;
+					}
+				}
+			}
+
 			const result = await removeDomainById(input.domainId);
 			await audit(ctx, {
 				action: "delete",
@@ -186,7 +384,16 @@ export const domainRouter = createTRPCRouter({
 
 			if (domain.applicationId) {
 				const application = await findApplicationById(domain.applicationId);
-				await removeDomain(application, domain.uniqueConfigKey);
+				await removeWebServerDomain(application, domain.uniqueConfigKey);
+			} else if (domain.previewDeploymentId) {
+				const previewDeployment = await findPreviewDeploymentById(
+					domain.previewDeploymentId,
+				);
+				const application = await findApplicationById(
+					previewDeployment.applicationId,
+				);
+				application.appName = previewDeployment.appName;
+				await removeWebServerDomain(application, domain.uniqueConfigKey);
 			}
 
 			return result;
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index aff6650f17..e82b6ace26 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -1,4 +1,5 @@
 import {
+	applyCaddyMigration as applyCaddyMigrationCutover,
 	CLEANUP_CRON_JOB,
 	checkGPUStatus,
 	checkPortInUse,
@@ -19,12 +20,17 @@ import {
 	getDokployImageTag,
 	getLogCleanupStatus,
 	getUpdateData,
+	getWebServerPaths,
+	getWebServerResourceName,
 	getWebServerSettings,
 	IS_CLOUD,
 	parseRawConfig,
 	paths,
+	prepareCaddyMigration as prepareCaddyMigrationDryRun,
 	prepareEnvironmentVariables,
 	processLogs,
+	readCaddyConfigFileIfExists,
+	getCaddyMigrationReport as readCaddyMigrationReport,
 	readConfig,
 	readConfigInPath,
 	readDirectory,
@@ -33,20 +39,28 @@ import {
 	readMonitoringConfig,
 	readPorts,
 	recreateDirectory,
+	reloadCaddyAfterValidation,
 	reloadDockerResource,
+	resolveWebServerProvider,
+	rollbackCaddyMigration as rollbackCaddyMigrationCutover,
 	sendDockerCleanupNotifications,
 	setupGPUSupport,
 	spawnAsync,
 	startLogCleanup,
 	stopLogCleanup,
 	updateLetsEncryptEmail,
+	updateLocalWebServerProvider,
+	updateRemoteWebServerProvider,
 	updateServerById,
+	updateServerCaddy,
 	updateServerTraefik,
 	updateWebServerSettings,
+	type WebServerProvider,
 	writeConfig,
 	writeMainConfig,
 	writeTraefikConfigInPath,
 	writeTraefikSetup,
+	writeWebServerSetup,
 } from "@dokploy/server";
 import { db } from "@dokploy/server/db";
 import { checkPermission } from "@dokploy/server/services/permission";
@@ -82,6 +96,244 @@ import {
 	publicProcedure,
 } from "../trpc";
 
+const webServerProviderSchema = z.enum(["traefik", "caddy"]);
+
+const apiWebServerProvider = z.object({
+	provider: webServerProviderSchema,
+	serverId: z.string().optional(),
+});
+
+const apiWebServerConfig = z.object({
+	webServerConfig: z.string().min(1),
+	serverId: z.string().optional(),
+});
+
+const apiReadWebServerFile = z.object({
+	path: z.string().min(1),
+	serverId: z.string().optional(),
+});
+
+const apiModifyWebServerFile = apiReadWebServerFile.extend({
+	webServerConfig: z.string().min(1),
+});
+
+const apiWriteWebServerEnv = z.object({
+	env: z.string(),
+	serverId: z.string().optional(),
+});
+
+const apiWebServerPorts = z.object({
+	serverId: z.string().optional(),
+	additionalPorts: z.array(
+		z.object({
+			targetPort: z.number(),
+			publishedPort: z.number(),
+			protocol: z.enum(["tcp", "udp", "sctp"]),
+		}),
+	),
+});
+
+const apiCaddyMigration = z.object({
+	serverId: z.string().optional(),
+});
+
+const apiCaddyMigrationById = apiCaddyMigration.extend({
+	migrationId: z.string().min(1),
+});
+
+const apiApplyCaddyMigration = apiCaddyMigrationById.extend({
+	confirmMaintenanceWindow: z.literal(true),
+});
+
+const ensureServerAccess = async (
+	ctx: { session?: { activeOrganizationId?: string | null } | null },
+	serverId?: string,
+) => {
+	if (!serverId) return;
+	const remoteServer = await findServerById(serverId);
+	if (remoteServer.organizationId !== ctx.session?.activeOrganizationId) {
+		throw new TRPCError({ code: "UNAUTHORIZED" });
+	}
+};
+
+const normalizeWebServerPath = (filePath: string) =>
+	filePath.replace(/\\/g, "/").replace(/\/+$/g, "");
+
+const isPathWithin = (targetPath: string, basePath: string) => {
+	const normalizedTarget = normalizeWebServerPath(targetPath);
+	const normalizedBase = normalizeWebServerPath(basePath);
+	return (
+		normalizedTarget === normalizedBase ||
+		normalizedTarget.startsWith(`${normalizedBase}/`)
+	);
+};
+
+const isCaddyMigrationBackupPath = (filePath: string, serverId?: string) => {
+	const caddyPaths = paths(!!serverId);
+	const normalizedPath = normalizeWebServerPath(filePath);
+	const migrationsPath = normalizeWebServerPath(caddyPaths.CADDY_MIGRATIONS_PATH);
+	if (!isPathWithin(normalizedPath, migrationsPath)) {
+		return false;
+	}
+	return normalizedPath
+		.slice(migrationsPath.length)
+		.split("/")
+		.filter(Boolean)
+		.includes("backups");
+};
+
+const assertCaddyReadableFilePath = (filePath: string, serverId?: string) => {
+	const caddyPaths = paths(!!serverId);
+	const normalizedPath = normalizeWebServerPath(filePath);
+	if (isCaddyMigrationBackupPath(normalizedPath, serverId)) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message:
+				"Caddy migration backups may contain TLS or internal configuration and are not readable from the file editor.",
+		});
+	}
+	if (
+		normalizedPath === normalizeWebServerPath(caddyPaths.CADDY_CONFIG_PATH) ||
+		isPathWithin(normalizedPath, caddyPaths.CADDY_FRAGMENTS_PATH) ||
+		isPathWithin(normalizedPath, caddyPaths.CADDY_MIGRATIONS_PATH)
+	) {
+		return;
+	}
+	throw new TRPCError({
+		code: "BAD_REQUEST",
+		message:
+			"Caddy file access is limited to caddy.json, route fragments, and non-backup migration artifacts.",
+	});
+};
+
+const readCaddySafeDirectoryTree = async (serverId?: string) => {
+	const caddyPaths = paths(!!serverId);
+	const readOptionalDirectory = async (dirPath: string) => {
+		try {
+			return await readDirectory(dirPath, serverId);
+		} catch (error) {
+			if (
+				error instanceof Error &&
+				(error as NodeJS.ErrnoException).code === "ENOENT"
+			) {
+				return [];
+			}
+			throw error;
+		}
+	};
+	return [
+		{
+			id: caddyPaths.CADDY_CONFIG_PATH,
+			name: "caddy.json",
+			type: "file" as const,
+		},
+		{
+			id: caddyPaths.CADDY_FRAGMENTS_PATH,
+			name: "fragments",
+			type: "directory" as const,
+			children: await readOptionalDirectory(caddyPaths.CADDY_FRAGMENTS_PATH),
+		},
+		{
+			id: caddyPaths.CADDY_MIGRATIONS_PATH,
+			name: "migrations",
+			type: "directory" as const,
+			children: await readOptionalDirectory(caddyPaths.CADDY_MIGRATIONS_PATH),
+		},
+	];
+};
+
+const resolveWebServerFilePath = (
+	filePath: string,
+	provider: WebServerProvider,
+	serverId?: string,
+) => {
+	if (
+		filePath.includes("../") ||
+		filePath.includes("..\\") ||
+		filePath.includes("\0") ||
+		filePath.includes("\x00")
+	) {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message: "Invalid path: path traversal or null bytes are not allowed",
+		});
+	}
+
+	const basePath = getWebServerPaths(provider, !!serverId).basePath;
+	if (filePath.startsWith("/")) {
+		if (filePath !== basePath && !filePath.startsWith(`${basePath}/`)) {
+			throw new TRPCError({
+				code: "BAD_REQUEST",
+				message: "Invalid path: outside of active web server directory",
+			});
+		}
+		return filePath;
+	}
+
+	return `${basePath}/${filePath.replace(/^\/+/, "")}`;
+};
+
+const getMainTraefikConfigPath = (serverId?: string) =>
+	`${paths(!!serverId).MAIN_TRAEFIK_PATH}/traefik.yml`;
+
+const readProviderMainConfig = async (
+	provider: WebServerProvider,
+	serverId?: string,
+) => {
+	if (provider === "caddy") {
+		return readCaddyConfigFileIfExists({ serverId });
+	}
+
+	if (serverId) {
+		return readConfigInPath(getMainTraefikConfigPath(serverId), serverId);
+	}
+	return readMainConfig();
+};
+
+const writeProviderMainConfig = async (
+	provider: WebServerProvider,
+	content: string,
+	serverId?: string,
+) => {
+	if (provider === "caddy") {
+		throw new TRPCError({
+			code: "BAD_REQUEST",
+			message:
+				"Caddy caddy.json is generated from route fragments and is read-only. Use Caddy migration/domain actions to update it.",
+		});
+	}
+
+	if (serverId) {
+		await writeTraefikConfigInPath(
+			getMainTraefikConfigPath(serverId),
+			content,
+			serverId,
+		);
+		return;
+	}
+	writeMainConfig(content);
+};
+
+const reloadWebServerProvider = async (
+	provider: WebServerProvider,
+	serverId?: string,
+) => {
+	if (provider === "caddy") {
+		await reloadCaddyAfterValidation(serverId);
+		return;
+	}
+	await reloadDockerResource(getWebServerResourceName(provider), serverId);
+};
+
+const getCaddyLetsEncryptEmailForSetup = async (
+	provider: WebServerProvider,
+	serverId?: string,
+) => {
+	if (provider !== "caddy" || serverId) return undefined;
+	const settings = await getWebServerSettings();
+	return settings?.letsEncryptEmail;
+};
+
 export const settingsRouter = createTRPCRouter({
 	getWebServerSettings: protectedProcedure.query(async () => {
 		if (IS_CLOUD) {
@@ -165,6 +417,134 @@ export const settingsRouter = createTRPCRouter({
 			});
 			return true;
 		}),
+	getActiveWebServerProvider: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			return resolveWebServerProvider(input?.serverId);
+		}),
+	updateActiveWebServerProvider: adminProcedure
+		.input(apiWebServerProvider)
+		.mutation(async ({ input, ctx }) => {
+			if (input.provider === "caddy") {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"Caddy can only be activated through the migration apply flow after validation succeeds.",
+				});
+			}
+			if (input.serverId) {
+				await ensureServerAccess(ctx, input.serverId);
+			}
+			const currentProvider = await resolveWebServerProvider(input.serverId);
+			if (currentProvider === "caddy" && input.provider === "traefik") {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"Use the Caddy migration rollback flow to return to Traefik safely.",
+				});
+			}
+			if (input.serverId) {
+				await updateRemoteWebServerProvider(input.serverId, input.provider);
+			} else {
+				await updateLocalWebServerProvider(input.provider);
+			}
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "web-server-provider",
+			});
+			return true;
+		}),
+	reloadWebServer: adminProcedure
+		.input(apiServerSchema)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			void reloadWebServerProvider(provider, input?.serverId).catch((err) => {
+				console.error("reloadWebServer background:", err);
+			});
+			await audit(ctx, {
+				action: "reload",
+				resourceType: "settings",
+				resourceName: getWebServerResourceName(provider),
+			});
+			return true;
+		}),
+	prepareCaddyMigration: adminProcedure
+		.input(apiCaddyMigration)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			const report = await prepareCaddyMigrationDryRun({
+				serverId: input.serverId,
+			});
+			await audit(ctx, {
+				action: "create",
+				resourceType: "settings",
+				resourceName: "caddy-migration-dry-run",
+			});
+			return report;
+		}),
+	getCaddyMigrationReport: adminProcedure
+		.input(apiCaddyMigrationById)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			return readCaddyMigrationReport({
+				migrationId: input.migrationId,
+				serverId: input.serverId,
+			});
+		}),
+	applyCaddyMigration: adminProcedure
+		.input(apiApplyCaddyMigration)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			const report = await readCaddyMigrationReport({
+				migrationId: input.migrationId,
+				serverId: input.serverId,
+			});
+			if (report.summary.blockingWarnings > 0) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message: `Cannot apply Caddy migration with ${report.summary.blockingWarnings} blocking warning(s)`,
+				});
+			}
+			if (report.validation.status !== "passed") {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"Cannot apply Caddy migration because draft validation did not pass",
+				});
+			}
+			void applyCaddyMigrationCutover({
+				migrationId: input.migrationId,
+				serverId: input.serverId,
+			}).catch((err) => {
+				console.error("applyCaddyMigration background:", err);
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "caddy-migration-apply",
+			});
+			return { started: true, migrationId: input.migrationId };
+		}),
+	rollbackCaddyMigration: adminProcedure
+		.input(apiCaddyMigrationById)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			void rollbackCaddyMigrationCutover({
+				migrationId: input.migrationId,
+				serverId: input.serverId,
+			}).catch((err) => {
+				console.error("rollbackCaddyMigration background:", err);
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "caddy-migration-rollback",
+			});
+			return { started: true, migrationId: input.migrationId };
+		}),
 	toggleDashboard: adminProcedure
 		.input(apiEnableDashboard)
 		.mutation(async ({ input, ctx }) => {
@@ -335,9 +715,14 @@ export const settingsRouter = createTRPCRouter({
 				});
 			}
 
-			updateServerTraefik(settings, input.host);
-			if (input.letsEncryptEmail) {
-				updateLetsEncryptEmail(input.letsEncryptEmail);
+			const provider = await resolveWebServerProvider();
+			if (provider === "caddy") {
+				await updateServerCaddy(settings, input.host);
+			} else {
+				updateServerTraefik(settings, input.host);
+				if (input.letsEncryptEmail) {
+					updateLetsEncryptEmail(input.letsEncryptEmail);
+				}
 			}
 
 			await audit(ctx, {
@@ -513,6 +898,38 @@ export const settingsRouter = createTRPCRouter({
 			return true;
 		}),
 
+	readWebServerConfig: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			if (IS_CLOUD && !input?.serverId) {
+				return true;
+			}
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			return readProviderMainConfig(provider, input?.serverId);
+		}),
+
+	updateWebServerConfig: adminProcedure
+		.input(apiWebServerConfig)
+		.mutation(async ({ input, ctx }) => {
+			if (IS_CLOUD && !input.serverId) {
+				return true;
+			}
+			await ensureServerAccess(ctx, input.serverId);
+			const provider = await resolveWebServerProvider(input.serverId);
+			await writeProviderMainConfig(
+				provider,
+				input.webServerConfig,
+				input.serverId,
+			);
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "web-server-config",
+			});
+			return true;
+		}),
+
 	readWebServerTraefikConfig: adminProcedure.query(() => {
 		if (IS_CLOUD) {
 			return true;
@@ -608,6 +1025,30 @@ export const settingsRouter = createTRPCRouter({
 			}
 		}),
 
+	readWebServerDirectories: protectedProcedure
+		.input(apiServerSchema)
+		.query(async ({ ctx, input }) => {
+			await checkPermission(ctx, { traefikFiles: ["read"] });
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			if (provider === "caddy") {
+				return readCaddySafeDirectoryTree(input?.serverId);
+			}
+			const { basePath } = getWebServerPaths(provider, !!input?.serverId);
+			try {
+				const result = await readDirectory(basePath, input?.serverId);
+				return result || [];
+			} catch (error) {
+				if (
+					error instanceof Error &&
+					(error as NodeJS.ErrnoException).code === "ENOENT"
+				) {
+					return [];
+				}
+				throw error;
+			}
+		}),
+
 	updateTraefikFile: protectedProcedure
 		.input(apiModifyTraefikConfig)
 		.mutation(async ({ input, ctx }) => {
@@ -640,6 +1081,53 @@ export const settingsRouter = createTRPCRouter({
 
 			return readConfigInPath(input.path, input.serverId);
 		}),
+	updateWebServerFile: protectedProcedure
+		.input(apiModifyWebServerFile)
+		.mutation(async ({ input, ctx }) => {
+			await checkPermission(ctx, { traefikFiles: ["write"] });
+			await ensureServerAccess(ctx, input.serverId);
+			const provider = await resolveWebServerProvider(input.serverId);
+			if (provider === "caddy") {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"Caddy generated config files are read-only from the file editor.",
+				});
+			}
+			const filePath = resolveWebServerFilePath(
+				input.path,
+				provider,
+				input.serverId,
+			);
+			await writeTraefikConfigInPath(
+				filePath,
+				input.webServerConfig,
+				input.serverId,
+			);
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "web-server-file",
+			});
+			return true;
+		}),
+
+	readWebServerFile: protectedProcedure
+		.input(apiReadWebServerFile)
+		.query(async ({ input, ctx }) => {
+			await checkPermission(ctx, { traefikFiles: ["read"] });
+			await ensureServerAccess(ctx, input.serverId);
+			const provider = await resolveWebServerProvider(input.serverId);
+			const filePath = resolveWebServerFilePath(
+				input.path,
+				provider,
+				input.serverId,
+			);
+			if (provider === "caddy") {
+				assertCaddyReadableFilePath(filePath, input.serverId);
+			}
+			return readConfigInPath(filePath, input.serverId);
+		}),
 	getIp: protectedProcedure.query(async () => {
 		if (IS_CLOUD) {
 			return "";
@@ -761,6 +1249,16 @@ export const settingsRouter = createTRPCRouter({
 			);
 			return envVars;
 		}),
+	readWebServerEnv: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			return readEnvironmentVariables(
+				getWebServerResourceName(provider),
+				input?.serverId,
+			);
+		}),
 
 	writeTraefikEnv: adminProcedure
 		.input(z.object({ env: z.string(), serverId: z.string().optional() }))
@@ -783,12 +1281,54 @@ export const settingsRouter = createTRPCRouter({
 			});
 			return true;
 		}),
+	writeWebServerEnv: adminProcedure
+		.input(apiWriteWebServerEnv)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			const provider = await resolveWebServerProvider(input.serverId);
+			const resourceName = getWebServerResourceName(provider);
+			const envs = prepareEnvironmentVariables(input.env);
+			const ports = await readPorts(resourceName, input.serverId);
+
+			void writeWebServerSetup(provider, {
+				env: envs,
+				additionalPorts: ports,
+				serverId: input.serverId,
+				letsEncryptEmail: await getCaddyLetsEncryptEmailForSetup(
+					provider,
+					input.serverId,
+				),
+			}).catch((err) => {
+				console.error("writeWebServerEnv background writeWebServerSetup:", err);
+			});
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "web-server-env",
+			});
+			return true;
+		}),
 	haveTraefikDashboardPortEnabled: adminProcedure
 		.input(apiServerSchema)
 		.query(async ({ input }) => {
 			const ports = await readPorts("dokploy-traefik", input?.serverId);
 			return ports.some((port) => port.targetPort === 8080);
 		}),
+	getWebServerDashboardState: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			if (provider === "traefik") {
+				const ports = await readPorts("dokploy-traefik", input?.serverId);
+				return {
+					provider,
+					enabled: ports.some((port) => port.targetPort === 8080),
+				};
+			}
+
+			return { provider, enabled: false };
+		}),
 
 	readStatsLogs: protectedProcedure
 		.meta({
@@ -1081,6 +1621,76 @@ export const settingsRouter = createTRPCRouter({
 			const ports = await readPorts("dokploy-traefik", input?.serverId);
 			return ports;
 		}),
+	updateWebServerPorts: adminProcedure
+		.input(apiWebServerPorts)
+		.mutation(async ({ input, ctx }) => {
+			try {
+				await ensureServerAccess(ctx, input.serverId);
+				if (IS_CLOUD && !input.serverId) {
+					throw new TRPCError({
+						code: "UNAUTHORIZED",
+						message: "Please set a serverId to update web server ports",
+					});
+				}
+				const provider = await resolveWebServerProvider(input.serverId);
+				const resourceName = getWebServerResourceName(provider);
+				const env = await readEnvironmentVariables(
+					resourceName,
+					input.serverId,
+				);
+
+				for (const port of input.additionalPorts) {
+					const portCheck = await checkPortInUse(
+						port.publishedPort,
+						input.serverId,
+					);
+					if (portCheck.isInUse) {
+						throw new TRPCError({
+							code: "CONFLICT",
+							message: `Port ${port.publishedPort} is already in use by ${portCheck.conflictingContainer}`,
+						});
+					}
+				}
+				const preparedEnv = prepareEnvironmentVariables(env);
+
+				void writeWebServerSetup(provider, {
+					env: preparedEnv,
+					additionalPorts: input.additionalPorts,
+					serverId: input.serverId,
+					letsEncryptEmail: await getCaddyLetsEncryptEmailForSetup(
+						provider,
+						input.serverId,
+					),
+				}).catch((err) => {
+					console.error(
+						"updateWebServerPorts background writeWebServerSetup:",
+						err,
+					);
+				});
+				await audit(ctx, {
+					action: "update",
+					resourceType: "settings",
+					resourceName: "web-server-ports",
+				});
+				return true;
+			} catch (error) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						error instanceof Error
+							? error.message
+							: "Error updating web server ports",
+					cause: error,
+				});
+			}
+		}),
+	getWebServerPorts: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			const provider = await resolveWebServerProvider(input?.serverId);
+			return readPorts(getWebServerResourceName(provider), input?.serverId);
+		}),
 	updateLogCleanup: protectedProcedure
 		.input(
 			z.object({
diff --git a/packages/server/src/constants/index.ts b/packages/server/src/constants/index.ts
index 706a0dbecb..10964ed6b4 100644
--- a/packages/server/src/constants/index.ts
+++ b/packages/server/src/constants/index.ts
@@ -90,11 +90,23 @@ export const paths = (isServer = false) => {
 			: path.join(process.cwd(), ".docker");
 	const MAIN_TRAEFIK_PATH = `${BASE_PATH}/traefik`;
 	const DYNAMIC_TRAEFIK_PATH = `${MAIN_TRAEFIK_PATH}/dynamic`;
+	const MAIN_CADDY_PATH = `${BASE_PATH}/caddy`;
+	const CADDY_CONFIG_PATH = `${MAIN_CADDY_PATH}/caddy.json`;
+	const CADDY_FRAGMENTS_PATH = `${MAIN_CADDY_PATH}/fragments`;
+	const CADDY_DATA_PATH = `${MAIN_CADDY_PATH}/data`;
+	const CADDY_CONFIG_DIR_PATH = `${MAIN_CADDY_PATH}/config`;
+	const CADDY_MIGRATIONS_PATH = `${MAIN_CADDY_PATH}/migrations`;
 
 	return {
 		BASE_PATH,
 		MAIN_TRAEFIK_PATH,
 		DYNAMIC_TRAEFIK_PATH,
+		MAIN_CADDY_PATH,
+		CADDY_CONFIG_PATH,
+		CADDY_FRAGMENTS_PATH,
+		CADDY_DATA_PATH,
+		CADDY_CONFIG_DIR_PATH,
+		CADDY_MIGRATIONS_PATH,
 		LOGS_PATH: `${BASE_PATH}/logs`,
 		APPLICATIONS_PATH: `${BASE_PATH}/applications`,
 		COMPOSE_PATH: `${BASE_PATH}/compose`,
diff --git a/packages/server/src/db/schema/server.ts b/packages/server/src/db/schema/server.ts
index 4c8f1fc948..f12186c93c 100644
--- a/packages/server/src/db/schema/server.ts
+++ b/packages/server/src/db/schema/server.ts
@@ -23,6 +23,7 @@ import { postgres } from "./postgres";
 import { redis } from "./redis";
 import { schedules } from "./schedule";
 import { sshKeys } from "./ssh-key";
+import { webServerProvider } from "./shared";
 import { generateAppName } from "./utils";
 export const serverStatus = pgEnum("serverStatus", ["active", "inactive"]);
 export const serverType = pgEnum("serverType", ["deploy", "build"]);
@@ -41,6 +42,9 @@ export const server = pgTable("server", {
 		.notNull()
 		.$defaultFn(() => generateAppName("server")),
 	enableDockerCleanup: boolean("enableDockerCleanup").notNull().default(false),
+	webServerProvider: webServerProvider("webServerProvider")
+		.notNull()
+		.default("traefik"),
 	createdAt: text("createdAt").notNull(),
 	organizationId: text("organizationId")
 		.notNull()
@@ -136,6 +140,7 @@ const createSchema = createInsertSchema(server, {
 	name: z.string().min(1),
 	description: z.string().optional(),
 	serverType: z.enum(["deploy", "build"]).optional(),
+	webServerProvider: z.enum(["traefik", "caddy"]).optional(),
 });
 
 export const apiCreateServer = createSchema
diff --git a/packages/server/src/db/schema/shared.ts b/packages/server/src/db/schema/shared.ts
index 6566968c64..2ab58c79bd 100644
--- a/packages/server/src/db/schema/shared.ts
+++ b/packages/server/src/db/schema/shared.ts
@@ -14,6 +14,11 @@ export const certificateType = pgEnum("certificateType", [
 	"custom",
 ]);
 
+export const webServerProvider = pgEnum("webServerProvider", [
+	"traefik",
+	"caddy",
+]);
+
 export const triggerType = pgEnum("triggerType", ["push", "tag"]);
 
 export const sqldNode = pgEnum("sqldNode", ["primary", "replica"]);
diff --git a/packages/server/src/db/schema/web-server-settings.ts b/packages/server/src/db/schema/web-server-settings.ts
index a44f1356a6..7284deca10 100644
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
@@ -3,7 +3,7 @@ import { boolean, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
 import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
-import { certificateType } from "./shared";
+import { certificateType, webServerProvider } from "./shared";
 
 export const webServerSettings = pgTable("webServerSettings", {
 	id: text("id")
@@ -11,6 +11,9 @@ export const webServerSettings = pgTable("webServerSettings", {
 		.primaryKey()
 		.$defaultFn(() => nanoid()),
 	// Web Server Configuration
+	webServerProvider: webServerProvider("webServerProvider")
+		.notNull()
+		.default("traefik"),
 	serverIp: text("serverIp"),
 	certificateType: certificateType("certificateType").notNull().default("none"),
 	https: boolean("https").notNull().default(false),
@@ -124,6 +127,7 @@ const createSchema = createInsertSchema(webServerSettings, {
 });
 
 export const apiUpdateWebServerSettings = createSchema.partial().extend({
+	webServerProvider: z.enum(["traefik", "caddy"]).optional(),
 	serverIp: z.string().optional(),
 	certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
 	https: z.boolean().optional(),
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index dd627deaf3..c6649c44b1 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -49,6 +49,7 @@ export * from "./services/ssh-key";
 export * from "./services/user";
 export * from "./services/volume-backups";
 export * from "./services/web-server-settings";
+export * from "./setup/caddy-setup";
 export * from "./setup/config-paths";
 export * from "./setup/monitoring-setup";
 export * from "./setup/postgres-setup";
@@ -85,6 +86,21 @@ export * from "./utils/builders/nixpacks";
 export * from "./utils/builders/paketo";
 export * from "./utils/builders/static";
 export * from "./utils/builders/utils";
+export * from "./utils/caddy/compose";
+export * from "./utils/caddy/config";
+export * from "./utils/caddy/domain";
+export * from "./utils/caddy/migration/apply";
+export * from "./utils/caddy/migration/compose-label-translator";
+export * from "./utils/caddy/migration/dynamic-file-translator";
+export * from "./utils/caddy/migration/files";
+export * from "./utils/caddy/migration/prepare";
+export * from "./utils/caddy/migration/rollback";
+export * from "./utils/caddy/migration/traefik-rule-parser";
+export * from "./utils/caddy/migration/types";
+export * from "./utils/caddy/migration/upstream-preflight";
+export * from "./utils/caddy/types";
+export * from "./utils/caddy/upstream-targets";
+export * from "./utils/caddy/web-server";
 export * from "./utils/cluster/upload";
 export * from "./utils/crons/enterprise";
 export * from "./utils/databases/rebuild";
@@ -134,5 +150,8 @@ export * from "./utils/traefik/types";
 export * from "./utils/traefik/web-server";
 export * from "./utils/volume-backups/index";
 export * from "./utils/watch-paths/should-deploy";
+export * from "./utils/web-server/domain";
+export * from "./utils/web-server/paths";
+export * from "./utils/web-server/providers";
 export * from "./verification/send-verification-email";
 export * from "./wss/utils";
diff --git a/packages/server/src/services/compose.ts b/packages/server/src/services/compose.ts
index 0cec3418ba..efe8d9ce4a 100644
--- a/packages/server/src/services/compose.ts
+++ b/packages/server/src/services/compose.ts
@@ -11,8 +11,10 @@ import { getBuildComposeCommand } from "@dokploy/server/utils/builders/compose";
 import { randomizeSpecificationFile } from "@dokploy/server/utils/docker/compose";
 import {
 	cloneCompose,
+	getCaddyComposeRouteTargetsForWebServer,
 	loadDockerCompose,
 	loadDockerComposeRemote,
+	writeCaddyComposeRoutesForTargets,
 } from "@dokploy/server/utils/docker/domain";
 import type { ComposeSpecification } from "@dokploy/server/utils/docker/types";
 import { sendBuildErrorNotifications } from "@dokploy/server/utils/notifications/build-error";
@@ -266,6 +268,9 @@ export const deployCompose = async ({
 			}
 		}
 
+		const caddyComposeRouteTargets =
+			await getCaddyComposeRouteTargetsForWebServer(entity, compose.domains);
+
 		command = "set -e;";
 		command += await getBuildComposeCommand(entity);
 		commandWithLog = `(${command}) >> ${deployment.logPath} 2>&1`;
@@ -275,6 +280,10 @@ export const deployCompose = async ({
 			await execAsync(commandWithLog);
 		}
 
+		if (caddyComposeRouteTargets) {
+			await writeCaddyComposeRoutesForTargets(entity, caddyComposeRouteTargets);
+		}
+
 		await updateDeploymentStatus(deployment.deploymentId, "done");
 		await updateCompose(composeId, {
 			composeStatus: "done",
@@ -380,6 +389,9 @@ export const rebuildCompose = async ({
 			}
 		}
 
+		const caddyComposeRouteTargets =
+			await getCaddyComposeRouteTargetsForWebServer(compose, compose.domains);
+
 		command = "set -e;";
 		command += await getBuildComposeCommand(compose);
 		commandWithLog = `(${command}) >> ${deployment.logPath} 2>&1`;
@@ -389,6 +401,13 @@ export const rebuildCompose = async ({
 			await execAsync(commandWithLog);
 		}
 
+		if (caddyComposeRouteTargets) {
+			await writeCaddyComposeRoutesForTargets(
+				compose,
+				caddyComposeRouteTargets,
+			);
+		}
+
 		await updateDeploymentStatus(deployment.deploymentId, "done");
 		await updateCompose(composeId, {
 			composeStatus: "done",
diff --git a/packages/server/src/services/domain.ts b/packages/server/src/services/domain.ts
index e1460fd482..e582f4dfa1 100644
--- a/packages/server/src/services/domain.ts
+++ b/packages/server/src/services/domain.ts
@@ -3,7 +3,7 @@ import { promisify } from "node:util";
 import { db } from "@dokploy/server/db";
 import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
 import { generateRandomDomain } from "@dokploy/server/templates";
-import { manageDomain } from "@dokploy/server/utils/traefik/domain";
+import { manageWebServerDomain } from "@dokploy/server/utils/web-server/domain";
 import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
 import type { z } from "zod";
@@ -34,7 +34,7 @@ export const createDomain = async (input: z.infer<typeof apiCreateDomain>) => {
 
 		if (domain.applicationId) {
 			const application = await findApplicationById(domain.applicationId);
-			await manageDomain(application, domain);
+			await manageWebServerDomain(application, domain);
 		}
 
 		return domain;
diff --git a/packages/server/src/services/settings.ts b/packages/server/src/services/settings.ts
index ecfb7f6de3..5fafa9dd2c 100644
--- a/packages/server/src/services/settings.ts
+++ b/packages/server/src/services/settings.ts
@@ -7,13 +7,21 @@ import {
 import { and, eq } from "drizzle-orm";
 
 import semver from "semver";
+import { quote } from "shell-quote";
 import { db } from "../db";
 import { compose } from "../db/schema";
+import {
+	type CaddyOptions,
+	initializeCaddyService,
+	initializeStandaloneCaddy,
+} from "../setup/caddy-setup";
 import {
 	initializeStandaloneTraefik,
 	initializeTraefikService,
 	type TraefikOptions,
 } from "../setup/traefik-setup";
+import type { CaddyMigrationResourceSnapshot } from "../utils/caddy/migration/types";
+import type { WebServerProvider } from "../utils/web-server/providers";
 export interface IUpdateData {
 	latestVersion: string | null;
 	updateAvailable: boolean;
@@ -311,6 +319,302 @@ export const reloadDockerResource = async (
 	}
 };
 
+const runDockerResourceCommand = async (command: string, serverId?: string) => {
+	if (serverId) {
+		return execAsyncRemote(serverId, command);
+	}
+	return execAsync(command);
+};
+
+const readDockerResourceJson = async <T = Record<string, unknown>>(
+	command: string,
+	serverId?: string,
+): Promise<T | undefined> => {
+	const { stdout } = await runDockerResourceCommand(command, serverId);
+	const trimmed = stdout.trim();
+	return trimmed ? (JSON.parse(trimmed) as T) : undefined;
+};
+
+const asRecord = (value: unknown): Record<string, unknown> | undefined =>
+	value && typeof value === "object"
+		? (value as Record<string, unknown>)
+		: undefined;
+
+const asStringRecord = (value: unknown): Record<string, string> | undefined => {
+	const record = asRecord(value);
+	if (!record) return undefined;
+	return Object.fromEntries(
+		Object.entries(record).filter(
+			(entry): entry is [string, string] => typeof entry[1] === "string",
+		),
+	);
+};
+
+const asRecordArray = (value: unknown): Array<Record<string, unknown>> | undefined =>
+	Array.isArray(value)
+		? value.filter(
+				(item): item is Record<string, unknown> =>
+					!!item && typeof item === "object",
+			)
+		: undefined;
+
+const asStringArray = (value: unknown): string[] | undefined =>
+	Array.isArray(value)
+		? value.filter((item): item is string => typeof item === "string")
+		: undefined;
+
+const readDockerResourceImage = async (
+	resourceName: string,
+	resourceType: "service" | "standalone",
+	serverId?: string,
+) => {
+	const command =
+		resourceType === "service"
+			? `docker service inspect ${resourceName} --format '{{.Spec.TaskTemplate.ContainerSpec.Image}}'`
+			: `docker container inspect ${resourceName} --format '{{.Config.Image}}'`;
+	const { stdout } = await runDockerResourceCommand(command, serverId);
+	return stdout.trim() || undefined;
+};
+
+export const getDockerResourceSnapshot = async (
+	resourceName: string,
+	serverId?: string,
+): Promise<CaddyMigrationResourceSnapshot> => {
+	const resourceType = await getDockerResourceType(resourceName, serverId);
+	if (resourceType === "unknown") {
+		return { resourceName, resourceType, running: false };
+	}
+
+	if (resourceType === "service") {
+		const spec =
+			(await readDockerResourceJson<Record<string, unknown>>(
+				`docker service inspect ${resourceName} --format '{{json .Spec}}'`,
+				serverId,
+			).catch(() => undefined)) ?? {};
+		const mode = asRecord(spec.Mode);
+		const replicated = asRecord(mode?.Replicated);
+		const replicas = Number(replicated?.Replicas ?? 1);
+		const taskTemplate = asRecord(spec.TaskTemplate);
+		const containerSpec = asRecord(taskTemplate?.ContainerSpec);
+		const endpointSpec = asRecord(spec.EndpointSpec);
+		return {
+			resourceName,
+			resourceType,
+			replicas,
+			running: replicas > 0,
+			env: await readEnvironmentVariables(resourceName, serverId).catch(
+				() => undefined,
+			),
+			additionalPorts: await readPorts(resourceName, serverId).catch(() => []),
+			image: await readDockerResourceImage(
+				resourceName,
+				resourceType,
+				serverId,
+			).catch(() => undefined),
+			mounts: asRecordArray(containerSpec?.Mounts),
+			networks: asRecordArray(taskTemplate?.Networks),
+			labels: asStringRecord(spec.Labels),
+			containerLabels: asStringRecord(containerSpec?.Labels),
+			placement: asRecord(taskTemplate?.Placement),
+			endpointPorts: asRecordArray(endpointSpec?.Ports),
+		};
+	}
+
+	const inspect =
+		(await readDockerResourceJson<Record<string, unknown>>(
+			`docker container inspect ${resourceName} --format '{{json .}}'`,
+			serverId,
+		).catch(() => undefined)) ?? {};
+	const state = asRecord(inspect.State);
+	const hostConfig = asRecord(inspect.HostConfig);
+	const networkSettings = asRecord(inspect.NetworkSettings);
+	const networksRecord = asRecord(networkSettings?.Networks);
+	const config = asRecord(inspect.Config);
+	return {
+		resourceName,
+		resourceType,
+		running: state?.Running === true,
+		env: await readEnvironmentVariables(resourceName, serverId).catch(
+			() => undefined,
+		),
+		additionalPorts: await readPorts(resourceName, serverId).catch(() => []),
+		image: await readDockerResourceImage(
+			resourceName,
+			resourceType,
+			serverId,
+		).catch(() => undefined),
+		binds: asStringArray(hostConfig?.Binds),
+		networks: networksRecord ? Object.keys(networksRecord) : undefined,
+		labels: asStringRecord(config?.Labels),
+		restartPolicy: asRecord(hostConfig?.RestartPolicy),
+	};
+};
+
+export const stopDockerResource = async (
+	resourceName: string,
+	serverId?: string,
+) => {
+	const resourceType = await getDockerResourceType(resourceName, serverId);
+	if (resourceType === "service") {
+		await runDockerResourceCommand(
+			`docker service scale ${resourceName}=0`,
+			serverId,
+		);
+		return;
+	}
+	if (resourceType === "standalone") {
+		await runDockerResourceCommand(`docker stop ${resourceName}`, serverId);
+	}
+};
+
+export const startDockerResourceFromSnapshot = async (
+	snapshot: CaddyMigrationResourceSnapshot,
+	serverId?: string,
+) => {
+	if (!snapshot.running) {
+		return;
+	}
+	if (snapshot.resourceType === "service") {
+		await runDockerResourceCommand(
+			`docker service scale ${snapshot.resourceName}=${snapshot.replicas ?? 1}`,
+			serverId,
+		);
+		return;
+	}
+	if (snapshot.resourceType === "standalone") {
+		await runDockerResourceCommand(
+			`docker start ${snapshot.resourceName}`,
+			serverId,
+		);
+	}
+};
+
+const envStringToArray = (env?: string) =>
+	env && env !== "[redacted]" ? env.split("\n").filter(Boolean) : undefined;
+
+export const ensureTraefikRunningFromSnapshot = async (
+	snapshot?: CaddyMigrationResourceSnapshot,
+	serverId?: string,
+) => {
+	let restartError: unknown;
+	if (snapshot?.running) {
+		try {
+			await startDockerResourceFromSnapshot(snapshot, serverId);
+			await waitForDockerResourceRunning("dokploy-traefik", serverId, {
+				retries: 10,
+				intervalMs: 1000,
+			});
+			return;
+		} catch (error) {
+			restartError = error;
+		}
+	}
+
+	const recreateInput: TraefikOptions = {
+		env: envStringToArray(snapshot?.env),
+		additionalPorts: snapshot?.additionalPorts ?? [],
+		image: snapshot?.image,
+		serverId,
+		binds: snapshot?.binds,
+		networks: snapshot?.networks?.filter(
+			(item): item is string => typeof item === "string",
+		),
+		labels: snapshot?.labels,
+		restartPolicy: snapshot?.restartPolicy as TraefikOptions["restartPolicy"],
+		replicas: snapshot?.replicas,
+		serviceMounts: snapshot?.mounts as TraefikOptions["serviceMounts"],
+		serviceNetworks: snapshot?.networks?.filter(
+			(item): item is Record<string, unknown> => typeof item === "object",
+		) as TraefikOptions["serviceNetworks"],
+		servicePlacement: snapshot?.placement as TraefikOptions["servicePlacement"],
+		serviceLabels: snapshot?.labels,
+		serviceContainerLabels: snapshot?.containerLabels,
+		serviceEndpointPorts:
+			snapshot?.endpointPorts as TraefikOptions["serviceEndpointPorts"],
+	};
+
+	const runExactRecreate = async () => {
+		if (snapshot?.resourceType === "service") {
+			await initializeTraefikService(recreateInput);
+			await reconnectServicesToTraefik(serverId);
+			return;
+		}
+		if (snapshot?.resourceType === "standalone") {
+			await initializeStandaloneTraefik(recreateInput);
+			await reconnectServicesToTraefik(serverId);
+			return;
+		}
+		await writeTraefikSetup(recreateInput);
+	};
+
+	try {
+		try {
+			await runExactRecreate();
+		} catch (exactError) {
+			if (snapshot?.resourceType === "unknown") {
+				throw exactError;
+			}
+			try {
+				await writeTraefikSetup(recreateInput);
+			} catch (fallbackError) {
+				const exactMessage =
+					exactError instanceof Error
+						? exactError.message
+						: "exact Traefik recreation failed";
+				const fallbackMessage =
+					fallbackError instanceof Error
+						? fallbackError.message
+						: "generic Traefik recreation failed";
+				throw new Error(
+					`Exact Traefik recreation failed: ${exactMessage}; generic recreation failed: ${fallbackMessage}`,
+				);
+			}
+		}
+		await waitForDockerResourceRunning("dokploy-traefik", serverId, {
+			retries: 20,
+			intervalMs: 1000,
+		});
+	} catch (error) {
+		const recreateMessage =
+			error instanceof Error ? error.message : "Traefik recreation failed";
+		if (restartError) {
+			const restartMessage =
+				restartError instanceof Error
+					? restartError.message
+					: "Traefik restart failed";
+			throw new Error(
+				`Unable to restore Traefik. Restart failed: ${restartMessage}; recreate failed: ${recreateMessage}`,
+			);
+		}
+		throw error;
+	}
+};
+
+export const waitForDockerResourceRunning = async (
+	resourceName: string,
+	serverId?: string,
+	options: { retries?: number; intervalMs?: number } = {},
+) => {
+	const retries = options.retries ?? 20;
+	const intervalMs = options.intervalMs ?? 1000;
+	for (let attempt = 0; attempt < retries; attempt++) {
+		const snapshot = await getDockerResourceSnapshot(resourceName, serverId);
+		if (snapshot.resourceType === "service" && snapshot.running) {
+			const { stdout } = await runDockerResourceCommand(
+				`docker service ps ${resourceName} --filter desired-state=running --format '{{.CurrentState}}' | grep -m1 '^Running' || true`,
+				serverId,
+			);
+			if (stdout.trim()) {
+				return snapshot;
+			}
+		} else if (snapshot.running) {
+			return snapshot;
+		}
+		await new Promise((resolve) => setTimeout(resolve, intervalMs));
+	}
+	throw new Error(`Docker resource ${resourceName} did not become running`);
+};
+
 export const readEnvironmentVariables = async (
 	resourceName: string,
 	serverId?: string,
@@ -414,7 +718,7 @@ export const checkPortInUse = async (
 ): Promise<{ isInUse: boolean; conflictingContainer?: string }> => {
 	try {
 		// Check if port is in use by a Docker container
-		const dockerCommand = `docker ps -a --format '{{.Names}}' | grep -v '^dokploy-traefik$' | while read name; do docker port "$name" 2>/dev/null | grep -q ':${port}' && echo "$name" && break; done || true`;
+		const dockerCommand = `docker ps -a --format '{{.Names}}' | grep -Ev '^(dokploy-traefik|dokploy-caddy)$' | while read name; do docker port "$name" 2>/dev/null | grep -q ':${port}' && echo "$name" && break; done || true`;
 		const { stdout: dockerOut } = serverId
 			? await execAsyncRemote(serverId, dockerCommand)
 			: await execAsync(dockerCommand);
@@ -451,33 +755,79 @@ export const checkPortInUse = async (
 	}
 };
 
-export const writeTraefikSetup = async (input: TraefikOptions) => {
+export const writeCaddySetup = async (input: CaddyOptions) => {
 	const resourceType = await getDockerResourceType(
-		"dokploy-traefik",
+		"dokploy-caddy",
 		input.serverId,
 	);
-
-	if (resourceType === "service") {
-		await initializeTraefikService({
+	const traefikResourceType =
+		resourceType === "unknown"
+			? await getDockerResourceType("dokploy-traefik", input.serverId)
+			: resourceType;
+	const fallbackResourceType =
+		traefikResourceType === "unknown"
+			? await getDockerResourceType("dokploy", input.serverId)
+			: traefikResourceType;
+	const setupType =
+		fallbackResourceType === "service" ? "service" : "standalone";
+
+	if (setupType === "service") {
+		await initializeCaddyService({
 			env: input.env,
 			additionalPorts: input.additionalPorts,
 			serverId: input.serverId,
+			letsEncryptEmail: input.letsEncryptEmail,
 		});
-		await reconnectServicesToTraefik(input.serverId);
-	} else if (resourceType === "standalone") {
-		await initializeStandaloneTraefik({
+		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
+	} else {
+		await initializeStandaloneCaddy({
 			env: input.env,
 			additionalPorts: input.additionalPorts,
 			serverId: input.serverId,
+			letsEncryptEmail: input.letsEncryptEmail,
 		});
 
+		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
+	}
+};
+
+export const writeWebServerSetup = async (
+	provider: WebServerProvider,
+	input: TraefikOptions | CaddyOptions,
+) => {
+	if (provider === "caddy") {
+		return writeCaddySetup(input as CaddyOptions);
+	}
+
+	return writeTraefikSetup(input as TraefikOptions);
+};
+
+export const writeTraefikSetup = async (input: TraefikOptions) => {
+	const resourceType = await getDockerResourceType(
+		"dokploy-traefik",
+		input.serverId,
+	);
+	const fallbackResourceType =
+		resourceType === "unknown"
+			? await getDockerResourceType("dokploy", input.serverId)
+			: resourceType;
+	const setupType =
+		fallbackResourceType === "service" ? "service" : "standalone";
+
+	if (setupType === "service") {
+		await initializeTraefikService(input);
 		await reconnectServicesToTraefik(input.serverId);
 	} else {
-		throw new Error("Traefik resource type not found");
+		await initializeStandaloneTraefik(input);
+
+		await reconnectServicesToTraefik(input.serverId);
 	}
 };
 
-export const reconnectServicesToTraefik = async (serverId?: string) => {
+export const reconnectServicesToWebServer = async (
+	resourceName: "dokploy-traefik" | "dokploy-caddy",
+	serverId?: string,
+) => {
 	const composeResult = await db.query.compose.findMany({
 		where: and(
 			...(serverId ? [eq(compose.serverId, serverId)] : []),
@@ -491,7 +841,13 @@ export const reconnectServicesToTraefik = async (serverId?: string) => {
 	let commands = "";
 
 	for (const compose of composeResult) {
-		commands += `docker network connect ${compose.appName} $(docker ps --filter "name=dokploy-traefik" -q) >/dev/null 2>&1\n`;
+		const networkName = quote([compose.appName]);
+		const quotedResourceName = quote([resourceName]);
+		commands += `if docker service inspect ${quotedResourceName} >/dev/null 2>&1; then\n`;
+		commands += `  docker service inspect ${quotedResourceName} --format '{{range .Spec.TaskTemplate.Networks}}{{println .Target}}{{end}}' | grep -qx ${networkName} || docker service update --network-add ${networkName} ${quotedResourceName} >/dev/null\n`;
+		commands += `else\n`;
+		commands += `  docker network connect ${networkName} $(docker ps --filter "name=${resourceName}" -q) >/dev/null 2>&1 || true\n`;
+		commands += `fi\n`;
 	}
 
 	if (serverId) {
@@ -500,3 +856,7 @@ export const reconnectServicesToTraefik = async (serverId?: string) => {
 		await execAsync(commands);
 	}
 };
+
+export const reconnectServicesToTraefik = async (serverId?: string) => {
+	await reconnectServicesToWebServer("dokploy-traefik", serverId);
+};
diff --git a/packages/server/src/services/user.ts b/packages/server/src/services/user.ts
index 2437517052..8ae5529454 100644
--- a/packages/server/src/services/user.ts
+++ b/packages/server/src/services/user.ts
@@ -199,6 +199,13 @@ export const canAccessToTraefikFiles = async (
 	return canAccessToTraefikFiles;
 };
 
+export const canAccessToWebServerFiles = async (
+	userId: string,
+	organizationId: string,
+) => {
+	return canAccessToTraefikFiles(userId, organizationId);
+};
+
 export const checkServiceAccess = async (
 	userId: string,
 	serviceId: string,
diff --git a/packages/server/src/services/web-server-settings.ts b/packages/server/src/services/web-server-settings.ts
index 289d119c99..152d30874d 100644
--- a/packages/server/src/services/web-server-settings.ts
+++ b/packages/server/src/services/web-server-settings.ts
@@ -1,5 +1,9 @@
 import { db } from "@dokploy/server/db";
-import { webServerSettings } from "@dokploy/server/db/schema";
+import { server, webServerSettings } from "@dokploy/server/db/schema";
+import {
+	normalizeWebServerProvider,
+	type WebServerProvider,
+} from "@dokploy/server/utils/web-server/providers";
 import { eq } from "drizzle-orm";
 
 /**
@@ -42,3 +46,54 @@ export const updateWebServerSettings = async (
 
 	return updated;
 };
+
+export const getLocalWebServerProvider = async (): Promise<WebServerProvider> => {
+	const settings = await getWebServerSettings();
+	return normalizeWebServerProvider(settings?.webServerProvider);
+};
+
+export const updateLocalWebServerProvider = async (
+	provider: WebServerProvider,
+) => {
+	return updateWebServerSettings({ webServerProvider: provider });
+};
+
+export const getRemoteWebServerProvider = async (
+	serverId: string,
+): Promise<WebServerProvider> => {
+	const remoteServer = await db.query.server.findFirst({
+		where: eq(server.serverId, serverId),
+		columns: {
+			webServerProvider: true,
+		},
+	});
+
+	if (!remoteServer) {
+		throw new Error(`Server not found: ${serverId}`);
+	}
+
+	return normalizeWebServerProvider(remoteServer.webServerProvider);
+};
+
+export const updateRemoteWebServerProvider = async (
+	serverId: string,
+	provider: WebServerProvider,
+) => {
+	const [updated] = await db
+		.update(server)
+		.set({ webServerProvider: provider })
+		.where(eq(server.serverId, serverId))
+		.returning();
+
+	return updated;
+};
+
+export const resolveWebServerProvider = async (
+	serverId?: string | null,
+): Promise<WebServerProvider> => {
+	if (serverId) {
+		return getRemoteWebServerProvider(serverId);
+	}
+
+	return getLocalWebServerProvider();
+};
diff --git a/packages/server/src/setup/caddy-setup.ts b/packages/server/src/setup/caddy-setup.ts
new file mode 100644
index 0000000000..4a68a11338
--- /dev/null
+++ b/packages/server/src/setup/caddy-setup.ts
@@ -0,0 +1,259 @@
+import type { ContainerCreateOptions, CreateServiceOptions } from "dockerode";
+import { paths } from "../constants";
+import {
+	ensureDefaultCaddyConfig,
+	reloadCaddyAfterValidation,
+	validateCaddyConfigWithContainer,
+} from "../utils/caddy/config";
+import { getRemoteDocker } from "../utils/servers/remote-docker";
+
+export const CADDY_SSL_PORT =
+	Number.parseInt(process.env.CADDY_SSL_PORT ?? "", 10) || 443;
+export const CADDY_PORT =
+	Number.parseInt(process.env.CADDY_PORT ?? "", 10) || 80;
+export const CADDY_HTTP3_PORT =
+	Number.parseInt(process.env.CADDY_HTTP3_PORT ?? "", 10) || 443;
+export const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
+
+export interface CaddyOptions {
+	env?: string[];
+	serverId?: string;
+	additionalPorts?: {
+		targetPort: number;
+		publishedPort: number;
+		protocol?: string;
+	}[];
+	letsEncryptEmail?: string | null;
+}
+
+const getCaddyMounts = (serverId?: string) => {
+	const { CADDY_CONFIG_DIR_PATH, CADDY_DATA_PATH, MAIN_CADDY_PATH } = paths(
+		!!serverId,
+	);
+
+	return {
+		MAIN_CADDY_PATH,
+		binds: [
+			`${MAIN_CADDY_PATH}:/etc/caddy`,
+			`${CADDY_DATA_PATH}:/data`,
+			`${CADDY_CONFIG_DIR_PATH}:/config`,
+		],
+		serviceMounts: [
+			{
+				Type: "bind" as const,
+				Source: MAIN_CADDY_PATH,
+				Target: "/etc/caddy",
+			},
+			{
+				Type: "bind" as const,
+				Source: CADDY_DATA_PATH,
+				Target: "/data",
+			},
+			{
+				Type: "bind" as const,
+				Source: CADDY_CONFIG_DIR_PATH,
+				Target: "/config",
+			},
+		],
+	};
+};
+
+const buildStandalonePorts = (
+	additionalPorts: CaddyOptions["additionalPorts"],
+) => {
+	const exposedPorts: Record<string, {}> = {
+		[`${CADDY_PORT}/tcp`]: {},
+		[`${CADDY_SSL_PORT}/tcp`]: {},
+		[`${CADDY_HTTP3_PORT}/udp`]: {},
+	};
+
+	const portBindings: Record<string, Array<{ HostPort: string }>> = {
+		[`${CADDY_PORT}/tcp`]: [{ HostPort: CADDY_PORT.toString() }],
+		[`${CADDY_SSL_PORT}/tcp`]: [{ HostPort: CADDY_SSL_PORT.toString() }],
+		[`${CADDY_HTTP3_PORT}/udp`]: [{ HostPort: CADDY_HTTP3_PORT.toString() }],
+	};
+
+	for (const port of additionalPorts ?? []) {
+		const portKey = `${port.targetPort}/${port.protocol ?? "tcp"}`;
+		exposedPorts[portKey] = {};
+		portBindings[portKey] = [{ HostPort: port.publishedPort.toString() }];
+	}
+
+	return { exposedPorts, portBindings };
+};
+
+const pullImage = async (
+	docker: Awaited<ReturnType<typeof getRemoteDocker>>,
+	imageName: string,
+) => {
+	await new Promise<void>((resolve, reject) => {
+		docker.pull(
+			imageName,
+			(error: Error | null, stream?: NodeJS.ReadableStream) => {
+				if (error) {
+					reject(error);
+					return;
+				}
+				if (!stream) {
+					resolve();
+					return;
+				}
+				docker.modem.followProgress(stream, (progressError?: Error | null) => {
+					if (progressError) {
+						reject(progressError);
+						return;
+					}
+					resolve();
+				});
+			},
+		);
+	});
+};
+
+const buildServicePorts = (
+	additionalPorts: CaddyOptions["additionalPorts"],
+) => [
+	{
+		TargetPort: 443,
+		PublishedPort: CADDY_SSL_PORT,
+		PublishMode: "host" as const,
+		Protocol: "tcp" as const,
+	},
+	{
+		TargetPort: 443,
+		PublishedPort: CADDY_HTTP3_PORT,
+		PublishMode: "host" as const,
+		Protocol: "udp" as const,
+	},
+	{
+		TargetPort: 80,
+		PublishedPort: CADDY_PORT,
+		PublishMode: "host" as const,
+		Protocol: "tcp" as const,
+	},
+	...(additionalPorts ?? []).map((port) => ({
+		TargetPort: port.targetPort,
+		PublishedPort: port.publishedPort,
+		Protocol: port.protocol as "tcp" | "udp" | "sctp" | undefined,
+		PublishMode: "host" as const,
+	})),
+];
+
+export const initializeStandaloneCaddy = async ({
+	env,
+	serverId,
+	additionalPorts = [],
+	letsEncryptEmail,
+}: CaddyOptions = {}) => {
+	await ensureDefaultCaddyConfig({ serverId, letsEncryptEmail });
+	const imageName = `caddy:${CADDY_VERSION}`;
+	const containerName = "dokploy-caddy";
+	const { binds } = getCaddyMounts(serverId);
+	const { exposedPorts, portBindings } = buildStandalonePorts(additionalPorts);
+
+	const settings: ContainerCreateOptions = {
+		name: containerName,
+		Image: imageName,
+		Cmd: ["caddy", "run", "--config", "/etc/caddy/caddy.json"],
+		NetworkingConfig: {
+			EndpointsConfig: {
+				"dokploy-network": {},
+			},
+		},
+		ExposedPorts: exposedPorts,
+		HostConfig: {
+			RestartPolicy: {
+				Name: "always",
+			},
+			Binds: binds,
+			PortBindings: portBindings,
+		},
+		Env: env,
+	};
+
+	const docker = await getRemoteDocker(serverId);
+	try {
+		await pullImage(docker, imageName);
+		console.log("Caddy Image Pulled ✅");
+	} catch (error) {
+		console.log("Caddy Image Not Found: Pulling ", error);
+	}
+	try {
+		const container = docker.getContainer(containerName);
+		await container.remove({ force: true });
+		await new Promise((resolve) => setTimeout(resolve, 5000));
+	} catch {}
+
+	await docker.createContainer(settings);
+	const newContainer = docker.getContainer(containerName);
+	await newContainer.start();
+	await validateCaddyConfigWithContainer(serverId);
+	console.log("Caddy Started ✅");
+};
+
+export const initializeCaddyService = async ({
+	env,
+	additionalPorts = [],
+	serverId,
+	letsEncryptEmail,
+}: CaddyOptions) => {
+	await ensureDefaultCaddyConfig({ serverId, letsEncryptEmail });
+	const imageName = `caddy:${CADDY_VERSION}`;
+	const appName = "dokploy-caddy";
+	const { serviceMounts } = getCaddyMounts(serverId);
+
+	const settings: CreateServiceOptions = {
+		Name: appName,
+		TaskTemplate: {
+			ContainerSpec: {
+				Image: imageName,
+				Command: ["caddy", "run", "--config", "/etc/caddy/caddy.json"],
+				Env: env,
+				Mounts: serviceMounts,
+			},
+			Networks: [{ Target: "dokploy-network" }],
+			Placement: {
+				Constraints: ["node.role==manager"],
+			},
+		},
+		Mode: {
+			Replicated: {
+				Replicas: 1,
+			},
+		},
+		EndpointSpec: {
+			Ports: buildServicePorts(additionalPorts),
+		},
+	};
+	const docker = await getRemoteDocker(serverId);
+	try {
+		await pullImage(docker, imageName);
+		console.log("Caddy Image Pulled ✅");
+	} catch (error) {
+		console.log("Caddy Image Not Found: Pulling ", error);
+	}
+	try {
+		const service = docker.getService(appName);
+		const inspect = await service.inspect();
+
+		await service.update({
+			version: inspect.Version.Index,
+			...settings,
+			TaskTemplate: {
+				...settings.TaskTemplate,
+				ForceUpdate: (inspect.Spec.TaskTemplate.ForceUpdate ?? 0) + 1,
+			},
+		});
+		console.log("Caddy Updated ✅");
+	} catch {
+		await docker.createService(settings);
+		console.log("Caddy Started ✅");
+	}
+};
+
+export const createDefaultCaddyConfig = async (options: CaddyOptions = {}) => {
+	await ensureDefaultCaddyConfig(options);
+};
+
+export const validateCaddyConfig = validateCaddyConfigWithContainer;
+export const reloadCaddy = reloadCaddyAfterValidation;
diff --git a/packages/server/src/setup/traefik-setup.ts b/packages/server/src/setup/traefik-setup.ts
index 9fcebe5408..5212aa8f14 100644
--- a/packages/server/src/setup/traefik-setup.ts
+++ b/packages/server/src/setup/traefik-setup.ts
@@ -22,23 +22,57 @@ export const TRAEFIK_HTTP3_PORT =
 	Number.parseInt(process.env.TRAEFIK_HTTP3_PORT!, 10) || 443;
 export const TRAEFIK_VERSION = process.env.TRAEFIK_VERSION || "3.6.7";
 
+type TraefikServiceTaskTemplate = NonNullable<
+	CreateServiceOptions["TaskTemplate"]
+>;
+type TraefikServiceContainerTaskTemplate = Extract<
+	TraefikServiceTaskTemplate,
+	{ ContainerSpec?: unknown }
+>;
+type TraefikServiceContainerSpec = NonNullable<
+	TraefikServiceContainerTaskTemplate["ContainerSpec"]
+>;
+type TraefikServiceEndpointSpec = NonNullable<
+	CreateServiceOptions["EndpointSpec"]
+>;
+type TraefikStandaloneHostConfig = NonNullable<
+	ContainerCreateOptions["HostConfig"]
+>;
+
 export interface TraefikOptions {
 	env?: string[];
 	serverId?: string;
+	image?: string;
 	additionalPorts?: {
 		targetPort: number;
 		publishedPort: number;
 		protocol?: string;
 	}[];
+	binds?: string[];
+	networks?: string[];
+	labels?: Record<string, string>;
+	restartPolicy?: TraefikStandaloneHostConfig["RestartPolicy"];
+	replicas?: number;
+	serviceMounts?: TraefikServiceContainerSpec["Mounts"];
+	serviceNetworks?: TraefikServiceTaskTemplate["Networks"];
+	servicePlacement?: TraefikServiceTaskTemplate["Placement"];
+	serviceLabels?: Record<string, string>;
+	serviceContainerLabels?: Record<string, string>;
+	serviceEndpointPorts?: TraefikServiceEndpointSpec["Ports"];
 }
 
 export const initializeStandaloneTraefik = async ({
 	env,
 	serverId,
+	image,
 	additionalPorts = [],
+	binds,
+	networks,
+	labels,
+	restartPolicy,
 }: TraefikOptions = {}) => {
 	const { MAIN_TRAEFIK_PATH, DYNAMIC_TRAEFIK_PATH } = paths(!!serverId);
-	const imageName = `traefik:v${TRAEFIK_VERSION}`;
+	const imageName = image ?? `traefik:v${TRAEFIK_VERSION}`;
 	const containerName = "dokploy-traefik";
 
 	const exposedPorts: Record<string, {}> = {
@@ -58,6 +92,12 @@ export const initializeStandaloneTraefik = async ({
 	const enableDashboard = additionalPorts.some(
 		(port) => port.targetPort === 8080,
 	);
+	const endpointNetworks = Object.fromEntries(
+		(networks?.length ? networks : ["dokploy-network"]).map((network) => [
+			network,
+			{},
+		]),
+	);
 
 	if (enableDashboard) {
 		exposedPorts["8080/tcp"] = {};
@@ -74,16 +114,14 @@ export const initializeStandaloneTraefik = async ({
 		name: containerName,
 		Image: imageName,
 		NetworkingConfig: {
-			EndpointsConfig: {
-				"dokploy-network": {},
-			},
+			EndpointsConfig: endpointNetworks,
 		},
 		ExposedPorts: exposedPorts,
 		HostConfig: {
-			RestartPolicy: {
+			RestartPolicy: restartPolicy ?? {
 				Name: "always",
 			},
-			Binds: [
+			Binds: binds ?? [
 				`${MAIN_TRAEFIK_PATH}/traefik.yml:/etc/traefik/traefik.yml`,
 				`${DYNAMIC_TRAEFIK_PATH}:/etc/dokploy/traefik/dynamic`,
 				"/var/run/docker.sock:/var/run/docker.sock",
@@ -91,6 +129,7 @@ export const initializeStandaloneTraefik = async ({
 			PortBindings: portBindings,
 		},
 		Env: env,
+		Labels: labels,
 	};
 
 	const docker = await getRemoteDocker(serverId);
@@ -119,20 +158,30 @@ export const initializeStandaloneTraefik = async ({
 
 export const initializeTraefikService = async ({
 	env,
+	image,
 	additionalPorts = [],
 	serverId,
+	serviceMounts,
+	serviceNetworks,
+	servicePlacement,
+	serviceLabels,
+	serviceContainerLabels,
+	serviceEndpointPorts,
+	replicas,
 }: TraefikOptions) => {
 	const { MAIN_TRAEFIK_PATH, DYNAMIC_TRAEFIK_PATH } = paths(!!serverId);
-	const imageName = `traefik:v${TRAEFIK_VERSION}`;
+	const imageName = image ?? `traefik:v${TRAEFIK_VERSION}`;
 	const appName = "dokploy-traefik";
 
 	const settings: CreateServiceOptions = {
 		Name: appName,
+		Labels: serviceLabels,
 		TaskTemplate: {
 			ContainerSpec: {
 				Image: imageName,
 				Env: env,
-				Mounts: [
+				Labels: serviceContainerLabels,
+				Mounts: serviceMounts ?? [
 					{
 						Type: "bind",
 						Source: `${MAIN_TRAEFIK_PATH}/traefik.yml`,
@@ -150,18 +199,18 @@ export const initializeTraefikService = async ({
 					},
 				],
 			},
-			Networks: [{ Target: "dokploy-network" }],
-			Placement: {
+			Networks: serviceNetworks ?? [{ Target: "dokploy-network" }],
+			Placement: servicePlacement ?? {
 				Constraints: ["node.role==manager"],
 			},
 		},
 		Mode: {
 			Replicated: {
-				Replicas: 1,
+				Replicas: replicas ?? 1,
 			},
 		},
 		EndpointSpec: {
-			Ports: [
+			Ports: serviceEndpointPorts ?? [
 				{
 					TargetPort: 443,
 					PublishedPort: TRAEFIK_SSL_PORT,
diff --git a/packages/server/src/utils/builders/compose.ts b/packages/server/src/utils/builders/compose.ts
index 790116cb6d..46ac77ed86 100644
--- a/packages/server/src/utils/builders/compose.ts
+++ b/packages/server/src/utils/builders/compose.ts
@@ -1,5 +1,6 @@
 import { dirname, join } from "node:path";
 import { paths } from "@dokploy/server/constants";
+import { resolveWebServerProvider } from "@dokploy/server/services/web-server-settings";
 import type { InferResultType } from "@dokploy/server/types/with";
 import boxen from "boxen";
 import { quote } from "shell-quote";
@@ -9,6 +10,7 @@ import {
 	getEnvironmentVariablesObject,
 	prepareEnvironmentVariables,
 } from "../docker/utils";
+import { getWebServerResourceName } from "../web-server/providers";
 
 export type ComposeNested = InferResultType<
 	"compose",
@@ -23,6 +25,8 @@ export const getBuildComposeCommand = async (compose: ComposeNested) => {
 	const projectPath = join(COMPOSE_PATH, compose.appName, "code");
 	const exportEnvCommand = getExportEnvCommand(compose);
 
+	const provider = await resolveWebServerProvider(compose.serverId);
+	const webServerResourceName = getWebServerResourceName(provider);
 	const newCompose = await writeDomainsToCompose(compose, domains);
 	const logContent = `
 App Name: ${appName}
@@ -55,7 +59,7 @@ Compose Type: ${composeType} ✅`;
 
 		${compose.isolatedDeployment ? `docker network inspect ${compose.appName} >/dev/null 2>&1 || docker network create ${compose.composeType === "stack" ? "--driver overlay" : ""} --attachable ${compose.appName}` : ""}
 		env -i PATH="$PATH" HOME="$HOME" ${exportEnvCommand} docker ${command.split(" ").join(" ")} 2>&1 || { echo "Error: ❌ Docker command failed"; exit 1; }
-		${compose.isolatedDeployment ? `docker network connect ${compose.appName} $(docker ps --filter "name=dokploy-traefik" -q) >/dev/null 2>&1` : ""}
+		${compose.isolatedDeployment ? `docker network connect ${compose.appName} $(docker ps --filter "name=${webServerResourceName}" -q) >/dev/null 2>&1` : ""}
 
 		echo "Docker Compose Deployed: ✅";
 	} || {
diff --git a/packages/server/src/utils/caddy/compose.ts b/packages/server/src/utils/caddy/compose.ts
new file mode 100644
index 0000000000..d1715e0c12
--- /dev/null
+++ b/packages/server/src/utils/caddy/compose.ts
@@ -0,0 +1,143 @@
+import type { Compose } from "@dokploy/server/services/compose";
+import type { Domain } from "@dokploy/server/services/domain";
+import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import {
+	compileWriteAndReloadCaddyConfigSafely,
+	readCaddyRouteFragments,
+	removeCaddyRouteFragment,
+	restoreCaddyRouteFragments,
+	writeCaddyRouteFragment,
+} from "./config";
+import { assertCaddyDomainSupported } from "./domain";
+import type { CaddyRouteFragment, CaddyRouteIntent } from "./types";
+import { getCaddyComposeRuntimeTarget } from "./upstream-targets";
+
+const CADDY_FRAGMENT_VERSION = 1;
+
+const toPunycode = (host: string): string => {
+	try {
+		return new URL(`http://${host}`).hostname;
+	} catch {
+		return host;
+	}
+};
+
+export const getCaddyComposeFragmentPrefix = (appName: string) =>
+	`compose.${appName}.`;
+
+export const getCaddyComposeFragmentId = (
+	appName: string,
+	uniqueConfigKey: number,
+) => `${getCaddyComposeFragmentPrefix(appName)}${uniqueConfigKey}`;
+
+const createCaddyRouteId = (appName: string, uniqueConfigKey: number) =>
+	`${appName}-compose-route-${uniqueConfigKey}`;
+
+export const createCaddyComposeRouteIntent = (
+	compose: Pick<Compose, "appName" | "composeType" | "isolatedDeployment">,
+	domain: Domain,
+	finalServiceName: string,
+	options: {
+		upstreamServiceName?: string;
+		upstreamNetwork?: string | null;
+	} = {},
+): CaddyRouteIntent => {
+	assertCaddyDomainSupported(domain);
+	const publicPath = domain.path && domain.path !== "/" ? domain.path : null;
+	const internalPath =
+		domain.internalPath &&
+		domain.internalPath !== "/" &&
+		domain.internalPath !== domain.path
+			? domain.internalPath
+			: null;
+	const runtimeTarget = getCaddyComposeRuntimeTarget(compose, finalServiceName);
+	const upstreamServiceName = options.upstreamServiceName ?? runtimeTarget.host;
+	const upstreamNetwork = options.upstreamNetwork ?? runtimeTarget.network;
+
+	return {
+		id: createCaddyRouteId(compose.appName, domain.uniqueConfigKey),
+		source: "dokploy-compose",
+		hosts: [toPunycode(domain.host)],
+		pathPrefix: publicPath,
+		https: domain.https && !domain.customEntrypoint,
+		upstreams: [`http://${upstreamServiceName}:${domain.port || 80}`],
+		upstreamNetwork,
+		transforms: {
+			stripPrefix: domain.stripPath ? publicPath : null,
+			addPrefix: internalPath,
+		},
+	};
+};
+
+export const createCaddyComposeRouteFragment = (
+	compose: Pick<Compose, "appName" | "composeType" | "isolatedDeployment">,
+	domain: Domain,
+	finalServiceName: string,
+	options: {
+		upstreamServiceName?: string;
+		upstreamNetwork?: string | null;
+	} = {},
+): CaddyRouteFragment => ({
+	version: CADDY_FRAGMENT_VERSION,
+	id: getCaddyComposeFragmentId(compose.appName, domain.uniqueConfigKey),
+	source: "dokploy-compose",
+	description: `Dokploy compose route for ${compose.appName}:${domain.uniqueConfigKey}`,
+	routes: [
+		createCaddyComposeRouteIntent(compose, domain, finalServiceName, options),
+	],
+});
+
+const getLocalLetsEncryptEmail = async (serverId?: string | null) => {
+	if (serverId) return null;
+	const settings = await getWebServerSettings();
+	return settings?.letsEncryptEmail;
+};
+
+export const writeCaddyComposeRouteFragments = async (
+	compose: Compose,
+	domains: Array<{ domain: Domain; finalServiceName: string }>,
+) => {
+	const serverId = compose.serverId || undefined;
+	const options = { serverId };
+	const fragmentPrefix = getCaddyComposeFragmentPrefix(compose.appName);
+	const nextFragmentIds = new Set(
+		domains.map(({ domain }) =>
+			getCaddyComposeFragmentId(compose.appName, domain.uniqueConfigKey),
+		),
+	);
+	let changed = false;
+
+	const existingFragments = await readCaddyRouteFragments(options);
+	try {
+		for (const fragment of existingFragments) {
+			if (
+				fragment.source === "dokploy-compose" &&
+				fragment.id.startsWith(fragmentPrefix) &&
+				!nextFragmentIds.has(fragment.id)
+			) {
+				await removeCaddyRouteFragment(fragment.id, options);
+				changed = true;
+			}
+		}
+
+		for (const { domain, finalServiceName } of domains) {
+			await writeCaddyRouteFragment(
+				createCaddyComposeRouteFragment(compose, domain, finalServiceName),
+				options,
+			);
+			changed = true;
+		}
+
+		if (!changed) {
+			return;
+		}
+
+		await compileWriteAndReloadCaddyConfigSafely({
+			serverId,
+			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+		});
+	} catch (error) {
+		await restoreCaddyRouteFragments(existingFragments, options);
+		throw error;
+	}
+};
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
new file mode 100644
index 0000000000..c550e9a1e2
--- /dev/null
+++ b/packages/server/src/utils/caddy/config.ts
@@ -0,0 +1,851 @@
+import {
+	existsSync,
+	mkdirSync,
+	readdirSync,
+	readFileSync,
+	renameSync,
+	rmSync,
+	writeFileSync,
+} from "node:fs";
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import {
+	execAsync,
+	execAsyncRemote,
+} from "@dokploy/server/utils/process/execAsync";
+import { quote } from "shell-quote";
+import type {
+	CaddyCompileOptions,
+	CaddyFragmentStoreOptions,
+	CaddyHeaderMap,
+	CaddyJsonObject,
+	CaddyRouteFragment,
+	CaddyRouteIntent,
+} from "./types";
+
+const CADDY_FRAGMENT_VERSION = 1;
+const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
+
+const assertSafeFragmentId = (id: string) => {
+	if (
+		!/^[a-zA-Z0-9_.-]+$/.test(id) ||
+		id === "." ||
+		id === ".." ||
+		id.split(".").some((segment) => segment === "")
+	) {
+		throw new Error(
+			`Invalid Caddy fragment id "${id}". Use letters, numbers, dash, underscore, or dot only; dot path segments are not allowed.`,
+		);
+	}
+};
+
+const assertPathWithinBase = (basePath: string, targetPath: string) => {
+	const resolvedBase = path.resolve(basePath);
+	const resolvedTarget = path.resolve(targetPath);
+	if (
+		resolvedTarget !== resolvedBase &&
+		!resolvedTarget.startsWith(`${resolvedBase}${path.sep}`)
+	) {
+		throw new Error(`Resolved path "${targetPath}" escapes "${basePath}"`);
+	}
+};
+
+export const getCaddyFragmentFilePath = (
+	fragmentId: string,
+	isServer = false,
+) => {
+	assertSafeFragmentId(fragmentId);
+	const fragmentsPath = paths(isServer).CADDY_FRAGMENTS_PATH;
+	const filePath = path.join(fragmentsPath, `${fragmentId}.json`);
+	assertPathWithinBase(fragmentsPath, filePath);
+	return filePath;
+};
+
+export const getCaddyActiveConfigPath = (isServer = false) => {
+	return paths(isServer).CADDY_CONFIG_PATH;
+};
+
+export const validateCaddyRouteIntent = (route: CaddyRouteIntent) => {
+	if (!route.id) {
+		throw new Error("Caddy route intent requires an id");
+	}
+	if (!route.hosts.length) {
+		throw new Error(`Caddy route "${route.id}" requires at least one host`);
+	}
+	if (
+		!route.upstreams.length &&
+		!route.redirectScheme &&
+		!route.staticResponse
+	) {
+		throw new Error(`Caddy route "${route.id}" requires at least one upstream`);
+	}
+	if (route.staticResponse) {
+		const statusCode = route.staticResponse.statusCode;
+		if (!Number.isInteger(statusCode) || statusCode < 100 || statusCode > 999) {
+			throw new Error(
+				`Caddy route "${route.id}" has invalid static response status code`,
+			);
+		}
+	}
+	for (const upstream of route.upstreams) {
+		if (!upstream.trim()) {
+			throw new Error(`Caddy route "${route.id}" has an empty upstream`);
+		}
+		try {
+			parseCaddyUpstream(upstream);
+		} catch (error) {
+			const message =
+				error instanceof Error ? error.message : "invalid upstream format";
+			throw new Error(
+				`Caddy route "${route.id}" has invalid upstream "${upstream}": ${message}`,
+			);
+		}
+	}
+};
+
+export const validateCaddyRouteFragment = (fragment: CaddyRouteFragment) => {
+	assertSafeFragmentId(fragment.id);
+	if (fragment.version !== CADDY_FRAGMENT_VERSION) {
+		throw new Error(
+			`Unsupported Caddy fragment version for "${fragment.id}": ${fragment.version}`,
+		);
+	}
+	for (const route of fragment.routes) {
+		validateCaddyRouteIntent(route);
+	}
+};
+
+const normalizePathPrefix = (prefix?: string | null) => {
+	if (!prefix || prefix === "/") {
+		return undefined;
+	}
+	return prefix.startsWith("/") ? prefix : `/${prefix}`;
+};
+
+const normalizeExactPath = (exactPath?: string | null) => {
+	if (!exactPath) {
+		return undefined;
+	}
+	return exactPath.startsWith("/") ? exactPath : `/${exactPath}`;
+};
+
+const getPathSpecificity = (route: CaddyRouteIntent) => {
+	return (route.pathExact ?? route.pathPrefix ?? "").length;
+};
+
+const routeSourcePrecedence: Record<CaddyRouteIntent["source"], number> = {
+	manual: 0,
+	"traefik-dynamic-file": 0,
+	"traefik-compose-label": 0,
+	"dokploy-application": 1,
+	"dokploy-compose": 1,
+	"dokploy-dashboard": 1,
+};
+
+export const sortCaddyRouteIntents = (routes: CaddyRouteIntent[]) => {
+	return [...routes].sort((a, b) => {
+		const priorityDiff = (b.priority ?? 0) - (a.priority ?? 0);
+		if (priorityDiff !== 0) return priorityDiff;
+
+		const specificityDiff = getPathSpecificity(b) - getPathSpecificity(a);
+		if (specificityDiff !== 0) return specificityDiff;
+
+		const sourcePrecedenceDiff =
+			routeSourcePrecedence[a.source] - routeSourcePrecedence[b.source];
+		if (sourcePrecedenceDiff !== 0) return sourcePrecedenceDiff;
+
+		const sourceDiff = a.source.localeCompare(b.source);
+		if (sourceDiff !== 0) return sourceDiff;
+
+		return a.id.localeCompare(b.id);
+	});
+};
+
+const createRouteMatcher = (route: CaddyRouteIntent) => {
+	const matcher: CaddyJsonObject = {
+		host: route.hosts,
+	};
+	const exactPath = normalizeExactPath(route.pathExact);
+	const pathPrefix = normalizePathPrefix(route.pathPrefix);
+
+	if (exactPath) {
+		matcher.path = [exactPath];
+	} else if (pathPrefix) {
+		matcher.path = [`${pathPrefix}*`];
+	}
+	if (route.allowedRemoteIps?.length) {
+		matcher.remote_ip = {
+			ranges: route.allowedRemoteIps,
+		};
+	}
+
+	return [matcher];
+};
+
+const createRouteMatcherWithoutRemoteIp = (route: CaddyRouteIntent) => {
+	const { allowedRemoteIps: _allowedRemoteIps, ...unrestrictedRoute } = route;
+	return createRouteMatcher(unrestrictedRoute);
+};
+
+const normalizeHeaderValues = (headers: CaddyHeaderMap) => {
+	return Object.fromEntries(
+		Object.entries(headers).map(([name, value]) => [
+			name,
+			Array.isArray(value) ? value : [value],
+		]),
+	);
+};
+
+const createHeaderHandler = (route: CaddyRouteIntent) => {
+	const requestHeaders = route.transforms?.requestHeaders;
+	const responseHeaders = route.transforms?.responseHeaders;
+	const hasRequestHeaders =
+		requestHeaders && Object.keys(requestHeaders).length > 0;
+	const hasResponseHeaders =
+		responseHeaders && Object.keys(responseHeaders).length > 0;
+	if (!hasRequestHeaders && !hasResponseHeaders) {
+		return undefined;
+	}
+
+	return {
+		handler: "headers",
+		...(hasRequestHeaders && {
+			request: {
+				set: normalizeHeaderValues(requestHeaders ?? {}),
+			},
+		}),
+		...(hasResponseHeaders && {
+			response: {
+				set: normalizeHeaderValues(responseHeaders ?? {}),
+			},
+		}),
+	};
+};
+
+const createRewriteHandlers = (route: CaddyRouteIntent) => {
+	const handlers: CaddyJsonObject[] = [];
+	const stripPrefix = normalizePathPrefix(route.transforms?.stripPrefix);
+	const addPrefix = normalizePathPrefix(route.transforms?.addPrefix);
+
+	if (stripPrefix) {
+		handlers.push({
+			handler: "rewrite",
+			strip_path_prefix: stripPrefix,
+		});
+	}
+
+	if (addPrefix) {
+		handlers.push({
+			handler: "rewrite",
+			uri: `${addPrefix}{http.request.uri.path}`,
+		});
+	}
+
+	return handlers;
+};
+
+const createBasicAuthHandler = (route: CaddyRouteIntent) => {
+	if (!route.basicAuth?.length) {
+		return undefined;
+	}
+
+	return {
+		handler: "authentication",
+		providers: {
+			http_basic: {
+				accounts: route.basicAuth.map((account) => ({
+					username: account.username,
+					password: account.hash,
+				})),
+			},
+		},
+	};
+};
+
+const httpUrlPrefixRegex = /^https?:\/\//i;
+
+const stripUrlPath = (value: string) => value.split(/[/?#]/, 1)[0] ?? "";
+
+const getAuthorityPort = (authority: string) => {
+	const withoutCredentials = authority.includes("@")
+		? authority.slice(authority.lastIndexOf("@") + 1)
+		: authority;
+
+	if (withoutCredentials.startsWith("[")) {
+		const closingBracketIndex = withoutCredentials.indexOf("]");
+		if (closingBracketIndex === -1) {
+			return { host: withoutCredentials, port: "" };
+		}
+		const host = withoutCredentials.slice(0, closingBracketIndex + 1);
+		const remainder = withoutCredentials.slice(closingBracketIndex + 1);
+		return {
+			host,
+			port: remainder.startsWith(":") ? remainder.slice(1) : "",
+		};
+	}
+
+	const separatorIndex = withoutCredentials.lastIndexOf(":");
+	if (separatorIndex === -1) {
+		return { host: withoutCredentials, port: "" };
+	}
+
+	return {
+		host: withoutCredentials.slice(0, separatorIndex),
+		port: withoutCredentials.slice(separatorIndex + 1),
+	};
+};
+
+const validateExplicitPort = (port: string) => {
+	if (!port) {
+		throw new Error("upstream must include an explicit port");
+	}
+	if (!/^\d+$/.test(port)) {
+		throw new Error(`upstream port "${port}" must be numeric`);
+	}
+	const portNumber = Number(port);
+	if (portNumber < 1 || portNumber > 65535) {
+		throw new Error(`upstream port "${port}" must be between 1 and 65535`);
+	}
+	return port;
+};
+
+export const parseCaddyUpstream = (upstream: string) => {
+	const trimmed = upstream.trim();
+	if (httpUrlPrefixRegex.test(trimmed)) {
+		const authority = stripUrlPath(trimmed.replace(httpUrlPrefixRegex, ""));
+		const { port } = getAuthorityPort(authority);
+		const explicitPort = validateExplicitPort(port);
+		const url = new URL(trimmed);
+		const scheme = url.protocol.replace(":", "");
+		if (scheme !== "http" && scheme !== "https") {
+			throw new Error(`unsupported upstream scheme "${scheme}"`);
+		}
+		return {
+			dial: `${url.hostname}:${explicitPort}`,
+			scheme,
+		};
+	}
+
+	const { host, port } = getAuthorityPort(trimmed);
+	const explicitPort = validateExplicitPort(port);
+	if (!host) {
+		throw new Error("upstream must include a host");
+	}
+	if (trimmed.includes("/") || trimmed.includes("?") || trimmed.includes("#")) {
+		throw new Error("raw upstream dials must be host:port only");
+	}
+	return {
+		dial: `${host}:${explicitPort}`,
+		scheme: "http",
+	};
+};
+
+const createReverseProxyHandler = (route: CaddyRouteIntent) => {
+	const parsedUpstreams = route.upstreams.map(parseCaddyUpstream);
+	const usesTlsTransport = parsedUpstreams.some(
+		(upstream) => upstream.scheme === "https",
+	);
+
+	return {
+		handler: "reverse_proxy",
+		upstreams: parsedUpstreams.map((upstream) => ({ dial: upstream.dial })),
+		...(usesTlsTransport && {
+			transport: {
+				protocol: "http",
+				tls: {},
+			},
+		}),
+	};
+};
+
+const createProxyRoute = (route: CaddyRouteIntent) => {
+	const handlers = [
+		createHeaderHandler(route),
+		createBasicAuthHandler(route),
+		...createRewriteHandlers(route),
+		createReverseProxyHandler(route),
+	].filter(Boolean) as CaddyJsonObject[];
+
+	return {
+		match: createRouteMatcher(route),
+		handle: handlers,
+		terminal: true,
+	};
+};
+
+const createStaticResponseRoute = (route: CaddyRouteIntent) => {
+	const response = route.staticResponse;
+	const handlers = [
+		createHeaderHandler(route),
+		{
+			handler: "static_response",
+			status_code: response?.statusCode ?? 404,
+			...(response?.body && { body: response.body }),
+			...(response?.headers && {
+				headers: normalizeHeaderValues(response.headers),
+			}),
+		},
+	].filter(Boolean) as CaddyJsonObject[];
+
+	return {
+		match: createRouteMatcher(route),
+		handle: handlers,
+		terminal: true,
+	};
+};
+
+const createForbiddenRoute = (route: CaddyRouteIntent) => {
+	return {
+		match: createRouteMatcherWithoutRemoteIp(route),
+		handle: [
+			{
+				handler: "static_response",
+				status_code: 403,
+			},
+		],
+		terminal: true,
+	};
+};
+
+const createRedirectLocation = (route: CaddyRouteIntent) => {
+	const scheme = route.redirectScheme?.scheme || "https";
+	const port = route.redirectScheme?.port
+		? `:${route.redirectScheme.port}`
+		: "";
+	return `${scheme}://{http.request.host}${port}{http.request.uri}`;
+};
+
+const createRedirectRoute = (route: CaddyRouteIntent) => {
+	return {
+		match: createRouteMatcher(route),
+		handle: [
+			{
+				handler: "static_response",
+				status_code: route.redirectScheme?.permanent === false ? 302 : 308,
+				headers: {
+					Location: [createRedirectLocation(route)],
+				},
+			},
+		],
+		terminal: true,
+	};
+};
+
+const createHttpsRedirectRoute = (route: CaddyRouteIntent) => {
+	return createRedirectRoute({
+		...route,
+		allowedRemoteIps: null,
+		redirectScheme: { scheme: "https", permanent: true },
+	});
+};
+
+export const flattenCaddyFragments = (fragments: CaddyRouteFragment[] = []) => {
+	for (const fragment of fragments) {
+		validateCaddyRouteFragment(fragment);
+	}
+	return fragments.flatMap((fragment) => fragment.routes);
+};
+
+export const compileCaddyConfig = ({
+	fragments = [],
+	routes = [],
+	letsEncryptEmail,
+}: CaddyCompileOptions = {}) => {
+	const allRoutes = sortCaddyRouteIntents([
+		...flattenCaddyFragments(fragments),
+		...routes,
+	]);
+	for (const route of allRoutes) {
+		validateCaddyRouteIntent(route);
+	}
+
+	const httpRoutes = allRoutes.map((route) => {
+		if (route.redirectScheme) {
+			return createRedirectRoute(route);
+		}
+		if (route.staticResponse && !route.https) {
+			return createStaticResponseRoute(route);
+		}
+		return route.https
+			? createHttpsRedirectRoute(route)
+			: createProxyRoute(route);
+	});
+	const httpsRoutes = allRoutes
+		.filter((route) => route.https && !route.redirectScheme)
+		.flatMap((route) => {
+			const proxyRoute = route.staticResponse
+				? createStaticResponseRoute(route)
+				: createProxyRoute(route);
+			return route.allowedRemoteIps?.length
+				? [proxyRoute, createForbiddenRoute(route)]
+				: [proxyRoute];
+		});
+
+	return {
+		admin: {
+			listen: "localhost:2019",
+		},
+		apps: {
+			...(letsEncryptEmail && {
+				tls: {
+					automation: {
+						policies: [
+							{
+								issuers: [
+									{
+										module: "acme",
+										email: letsEncryptEmail,
+									},
+								],
+							},
+						],
+					},
+				},
+			}),
+			http: {
+				servers: {
+					http: {
+						listen: [":80"],
+						routes: httpRoutes,
+					},
+					https: {
+						listen: [":443"],
+						routes: httpsRoutes,
+					},
+				},
+			},
+		},
+	};
+};
+
+const encodeBase64 = (content: string) =>
+	Buffer.from(content, "utf8").toString("base64");
+
+const remoteWriteFileAtomic = async (
+	serverId: string,
+	filePath: string,
+	content: string,
+) => {
+	const tempPath = `${filePath}.tmp-${Date.now()}`;
+	const command = [
+		`mkdir -p ${quote([path.posix.dirname(filePath)])}`,
+		`printf %s ${quote([encodeBase64(content)])} | base64 -d > ${quote([tempPath])}`,
+		`mv ${quote([tempPath])} ${quote([filePath])}`,
+	].join(" && ");
+	await execAsyncRemote(serverId, command);
+};
+
+export const writeCaddyConfigContent = async (
+	content: string,
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const filePath = getCaddyActiveConfigPath(!!options.serverId);
+	if (options.serverId) {
+		await remoteWriteFileAtomic(options.serverId, filePath, content);
+		return;
+	}
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	const tempPath = `${filePath}.tmp-${Date.now()}`;
+	writeFileSync(tempPath, content, "utf8");
+	renameSync(tempPath, filePath);
+};
+
+export const writeCaddyConfigFile = async (
+	config: CaddyJsonObject,
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	await writeCaddyConfigContent(
+		`${JSON.stringify(config, null, 2)}\n`,
+		options,
+	);
+};
+
+export const writeCaddyRouteFragment = async (
+	fragment: CaddyRouteFragment,
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	validateCaddyRouteFragment(fragment);
+	const filePath = getCaddyFragmentFilePath(fragment.id, !!options.serverId);
+	const content = `${JSON.stringify(fragment, null, 2)}\n`;
+	if (options.serverId) {
+		await remoteWriteFileAtomic(options.serverId, filePath, content);
+		return;
+	}
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, content, "utf8");
+};
+
+export const removeCaddyRouteFragment = async (
+	fragmentId: string,
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const filePath = getCaddyFragmentFilePath(fragmentId, !!options.serverId);
+	if (options.serverId) {
+		await execAsyncRemote(options.serverId, `rm -f ${quote([filePath])}`);
+		return;
+	}
+	rmSync(filePath, { force: true });
+};
+
+export const restoreCaddyRouteFragments = async (
+	fragments: CaddyRouteFragment[],
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const fragmentsPath = paths(!!options.serverId).CADDY_FRAGMENTS_PATH;
+	if (options.serverId) {
+		await execAsyncRemote(
+			options.serverId,
+			`rm -rf ${quote([fragmentsPath])} && mkdir -p ${quote([fragmentsPath])}`,
+		);
+	} else {
+		rmSync(fragmentsPath, { recursive: true, force: true });
+		mkdirSync(fragmentsPath, { recursive: true });
+	}
+
+	for (const fragment of fragments) {
+		await writeCaddyRouteFragment(fragment, options);
+	}
+};
+
+const parseFragmentContent = (fileName: string, content: string) => {
+	try {
+		const parsed = JSON.parse(content) as CaddyRouteFragment;
+		validateCaddyRouteFragment(parsed);
+		return parsed;
+	} catch (error) {
+		throw new Error(
+			`Invalid Caddy fragment ${fileName}: ${error instanceof Error ? error.message : "Unknown error"}`,
+		);
+	}
+};
+
+export const readCaddyRouteFragments = async (
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const fragmentsPath = paths(!!options.serverId).CADDY_FRAGMENTS_PATH;
+	if (options.serverId) {
+		const command = `if [ -d ${quote([fragmentsPath])} ]; then find ${quote([fragmentsPath])} -maxdepth 1 -type f -name '*.json' | sort | while IFS= read -r file; do printf '%s\n' "---DOKPLOY-CADDY-FILE:$file"; cat "$file"; printf '\n'; done; fi`;
+		const { stdout } = await execAsyncRemote(options.serverId, command);
+		const fragments: CaddyRouteFragment[] = [];
+		for (const block of stdout.split("---DOKPLOY-CADDY-FILE:")) {
+			if (!block.trim()) continue;
+			const newlineIndex = block.indexOf("\n");
+			if (newlineIndex === -1) continue;
+			const fileName = block.slice(0, newlineIndex).trim();
+			const content = block.slice(newlineIndex + 1).trim();
+			fragments.push(parseFragmentContent(fileName, content));
+		}
+		return fragments;
+	}
+
+	if (!existsSync(fragmentsPath)) {
+		return [];
+	}
+
+	return readdirSync(fragmentsPath)
+		.filter((fileName) => fileName.endsWith(".json"))
+		.sort()
+		.map((fileName) => {
+			const filePath = path.join(fragmentsPath, fileName);
+			return parseFragmentContent(fileName, readFileSync(filePath, "utf8"));
+		});
+};
+
+export const compileAndWriteCaddyConfig = async (
+	options: CaddyFragmentStoreOptions & {
+		letsEncryptEmail?: string | null;
+	} = {},
+) => {
+	const fragments = await readCaddyRouteFragments(options);
+	const config = compileCaddyConfig({
+		fragments,
+		letsEncryptEmail: options.letsEncryptEmail,
+	});
+	await writeCaddyConfigFile(config, options);
+	return config;
+};
+
+export const readCaddyConfigFile = async (
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const filePath = getCaddyActiveConfigPath(!!options.serverId);
+	if (options.serverId) {
+		const { stdout } = await execAsyncRemote(
+			options.serverId,
+			`cat ${quote([filePath])}`,
+		);
+		return stdout;
+	}
+	return readFileSync(filePath, "utf8");
+};
+
+export const readCaddyConfigFileIfExists = async (
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const filePath = getCaddyActiveConfigPath(!!options.serverId);
+	if (options.serverId) {
+		const { stdout } = await execAsyncRemote(
+			options.serverId,
+			`if [ -f ${quote([filePath])} ]; then cat ${quote([filePath])}; fi`,
+		);
+		return stdout || null;
+	}
+	if (!existsSync(filePath)) {
+		return null;
+	}
+	return readFileSync(filePath, "utf8");
+};
+
+export const writeAndReloadCaddyConfigSafely = async (
+	config: CaddyJsonObject,
+	options: CaddyFragmentStoreOptions = {},
+) => {
+	const previousConfig = await readCaddyConfigFileIfExists(options);
+	await writeCaddyConfigFile(config, options);
+	try {
+		await reloadCaddyAfterValidation(options.serverId);
+	} catch (error) {
+		if (previousConfig) {
+			await writeCaddyConfigContent(previousConfig, options);
+		} else {
+			await writeCaddyConfigFile(compileCaddyConfig(), options);
+		}
+		throw error;
+	}
+};
+
+export const compileWriteAndReloadCaddyConfigSafely = async (
+	options: CaddyFragmentStoreOptions & {
+		letsEncryptEmail?: string | null;
+	} = {},
+) => {
+	const fragments = await readCaddyRouteFragments(options);
+	const config = compileCaddyConfig({
+		fragments,
+		letsEncryptEmail: options.letsEncryptEmail,
+	});
+	await writeAndReloadCaddyConfigSafely(config, options);
+	return config;
+};
+
+export const ensureDefaultCaddyConfig = async (
+	options: CaddyFragmentStoreOptions & {
+		letsEncryptEmail?: string | null;
+	} = {},
+) => {
+	const caddyPaths = paths(!!options.serverId);
+	if (options.serverId) {
+		await execAsyncRemote(
+			options.serverId,
+			`mkdir -p ${quote([
+				caddyPaths.MAIN_CADDY_PATH,
+				caddyPaths.CADDY_FRAGMENTS_PATH,
+				caddyPaths.CADDY_DATA_PATH,
+				caddyPaths.CADDY_CONFIG_DIR_PATH,
+			])}`,
+		);
+		await compileAndWriteCaddyConfig(options);
+		return;
+	}
+
+	mkdirSync(caddyPaths.MAIN_CADDY_PATH, { recursive: true });
+	mkdirSync(caddyPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
+	mkdirSync(caddyPaths.CADDY_DATA_PATH, { recursive: true });
+	mkdirSync(caddyPaths.CADDY_CONFIG_DIR_PATH, { recursive: true });
+	await compileAndWriteCaddyConfig(options);
+};
+
+const getCaddyExecTargetCommand = `
+if docker service inspect dokploy-caddy >/dev/null 2>&1; then
+	docker ps --filter "label=com.docker.swarm.service.name=dokploy-caddy" --format '{{.ID}}' | head -n 1
+else
+	echo dokploy-caddy
+fi`;
+
+const execInCaddy = async (serverId: string | undefined, command: string) => {
+	const { stdout } = serverId
+		? await execAsyncRemote(serverId, getCaddyExecTargetCommand)
+		: await execAsync(getCaddyExecTargetCommand);
+	const target = stdout.trim();
+	if (!target) {
+		throw new Error("Caddy resource is not running");
+	}
+	const dockerExecCommand = `docker exec ${quote([target])} ${command}`;
+	if (serverId) {
+		return execAsyncRemote(serverId, dockerExecCommand);
+	}
+	return execAsync(dockerExecCommand);
+};
+
+export const validateCaddyConfigWithContainer = async (serverId?: string) => {
+	return execInCaddy(serverId, "caddy validate --config /etc/caddy/caddy.json");
+};
+
+export const validateCaddyConfigFileWithImage = async (
+	configPath: string,
+	serverId?: string,
+) => {
+	const imageName = `caddy:${CADDY_VERSION}`;
+	const validationRoot = path.posix.join(
+		path.posix.dirname(configPath),
+		".validate-runtime",
+	);
+	const validationDataPath = path.posix.join(validationRoot, "data");
+	const validationConfigPath = path.posix.join(validationRoot, "config");
+	const mkdirCommand = `mkdir -p ${quote([
+		validationDataPath,
+		validationConfigPath,
+	])}`;
+	const cleanupCommand = `rm -rf ${quote([validationRoot])}`;
+	const validateCommand = `docker run --rm --network none ${[
+		"-v",
+		`${configPath}:/etc/caddy/caddy.json:ro`,
+		"-v",
+		`${validationDataPath}:/data`,
+		"-v",
+		`${validationConfigPath}:/config`,
+		imageName,
+		"caddy",
+		"validate",
+		"--config",
+		"/etc/caddy/caddy.json",
+	]
+		.map((part) => quote([part]))
+		.join(" ")}`;
+	if (serverId) {
+		await execAsyncRemote(serverId, mkdirCommand);
+		try {
+			return await execAsyncRemote(serverId, validateCommand);
+		} finally {
+			await execAsyncRemote(serverId, cleanupCommand).catch(() => undefined);
+		}
+	}
+	await execAsync(mkdirCommand);
+	try {
+		return await execAsync(validateCommand);
+	} finally {
+		await execAsync(cleanupCommand).catch(() => undefined);
+	}
+};
+
+export const reloadCaddyWithContainer = async (serverId?: string) => {
+	const { stdout } = serverId
+		? await execAsyncRemote(serverId, getCaddyExecTargetCommand)
+		: await execAsync(getCaddyExecTargetCommand);
+	const target = stdout.trim();
+	if (!target) {
+		throw new Error("Caddy resource is not running");
+	}
+	const dockerExecCommand = `docker exec -w /etc/caddy ${quote([
+		target,
+	])} caddy reload --config /etc/caddy/caddy.json`;
+	if (serverId) {
+		return execAsyncRemote(serverId, dockerExecCommand);
+	}
+	return execAsync(dockerExecCommand);
+};
+
+export const reloadCaddyAfterValidation = async (serverId?: string) => {
+	await validateCaddyConfigWithContainer(serverId);
+	return reloadCaddyWithContainer(serverId);
+};
diff --git a/packages/server/src/utils/caddy/domain.ts b/packages/server/src/utils/caddy/domain.ts
new file mode 100644
index 0000000000..463f472996
--- /dev/null
+++ b/packages/server/src/utils/caddy/domain.ts
@@ -0,0 +1,145 @@
+import type { Domain } from "@dokploy/server/services/domain";
+import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import type { ApplicationNested } from "../builders";
+import {
+	compileWriteAndReloadCaddyConfigSafely,
+	readCaddyRouteFragments,
+	removeCaddyRouteFragment,
+	restoreCaddyRouteFragments,
+	writeCaddyRouteFragment,
+} from "./config";
+import type { CaddyRouteFragment, CaddyRouteIntent } from "./types";
+import { DOKPLOY_CADDY_NETWORK } from "./upstream-targets";
+
+const CADDY_FRAGMENT_VERSION = 1;
+
+const toPunycode = (host: string): string => {
+	try {
+		return new URL(`http://${host}`).hostname;
+	} catch {
+		return host;
+	}
+};
+
+export const getCaddyApplicationFragmentId = (
+	appName: string,
+	uniqueConfigKey: number,
+) => `application.${appName}.${uniqueConfigKey}`;
+
+const createCaddyRouteId = (appName: string, uniqueConfigKey: number) =>
+	`${appName}-route-${uniqueConfigKey}`;
+
+export const getUnsupportedCaddyDomainFieldMessages = (domain: Domain) => {
+	const messages: string[] = [];
+	if (domain.customEntrypoint) {
+		messages.push("custom entrypoints are not supported by Caddy routes");
+	}
+	if (domain.customCertResolver) {
+		messages.push("custom certificate resolvers are Traefik-specific");
+	}
+	if (domain.certificateType === "custom") {
+		messages.push("custom certificates are not translated to Caddy yet");
+	}
+	if (domain.middlewares?.length) {
+		messages.push("Traefik middlewares are not translated to Caddy yet");
+	}
+	return messages;
+};
+
+export const assertCaddyDomainSupported = (domain: Domain) => {
+	const messages = getUnsupportedCaddyDomainFieldMessages(domain);
+	if (messages.length) {
+		throw new Error(
+			`Domain "${domain.host}" uses unsupported Caddy fields: ${messages.join("; ")}`,
+		);
+	}
+};
+
+export const createCaddyApplicationRouteIntent = (
+	app: ApplicationNested,
+	domain: Domain,
+): CaddyRouteIntent => {
+	assertCaddyDomainSupported(domain);
+	const publicPath = domain.path && domain.path !== "/" ? domain.path : null;
+	const internalPath =
+		domain.internalPath &&
+		domain.internalPath !== "/" &&
+		domain.internalPath !== domain.path
+			? domain.internalPath
+			: null;
+
+	return {
+		id: createCaddyRouteId(app.appName, domain.uniqueConfigKey),
+		source: "dokploy-application",
+		hosts: [toPunycode(domain.host)],
+		pathPrefix: publicPath,
+		https: domain.https && !domain.customEntrypoint,
+		upstreams: [`http://${app.appName}:${domain.port || 80}`],
+		upstreamNetwork: DOKPLOY_CADDY_NETWORK,
+		transforms: {
+			stripPrefix: domain.stripPath ? publicPath : null,
+			addPrefix: internalPath,
+		},
+	};
+};
+
+export const createCaddyApplicationRouteFragment = (
+	app: ApplicationNested,
+	domain: Domain,
+): CaddyRouteFragment => ({
+	version: CADDY_FRAGMENT_VERSION,
+	id: getCaddyApplicationFragmentId(app.appName, domain.uniqueConfigKey),
+	source: "dokploy-application",
+	description: `Dokploy application route for ${app.appName}:${domain.uniqueConfigKey}`,
+	routes: [createCaddyApplicationRouteIntent(app, domain)],
+});
+
+const getLocalLetsEncryptEmail = async (serverId?: string | null) => {
+	if (serverId) return null;
+	const settings = await getWebServerSettings();
+	return settings?.letsEncryptEmail;
+};
+
+export const manageCaddyDomain = async (
+	app: ApplicationNested,
+	domain: Domain,
+) => {
+	const serverId = app.serverId || undefined;
+	const options = { serverId };
+	const previousFragments = await readCaddyRouteFragments(options);
+	try {
+		await writeCaddyRouteFragment(
+			createCaddyApplicationRouteFragment(app, domain),
+			options,
+		);
+		await compileWriteAndReloadCaddyConfigSafely({
+			serverId,
+			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+		});
+	} catch (error) {
+		await restoreCaddyRouteFragments(previousFragments, options);
+		throw error;
+	}
+};
+
+export const removeCaddyDomain = async (
+	app: ApplicationNested,
+	uniqueConfigKey: number,
+) => {
+	const serverId = app.serverId || undefined;
+	const options = { serverId };
+	const previousFragments = await readCaddyRouteFragments(options);
+	try {
+		await removeCaddyRouteFragment(
+			getCaddyApplicationFragmentId(app.appName, uniqueConfigKey),
+			options,
+		);
+		await compileWriteAndReloadCaddyConfigSafely({
+			serverId,
+			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+		});
+	} catch (error) {
+		await restoreCaddyRouteFragments(previousFragments, options);
+		throw error;
+	}
+};
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
new file mode 100644
index 0000000000..38c69415f9
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -0,0 +1,444 @@
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import {
+	getDockerResourceSnapshot,
+	readEnvironmentVariables,
+	readPorts,
+	stopDockerResource,
+	waitForDockerResourceRunning,
+	writeCaddySetup,
+} from "@dokploy/server/services/settings";
+import {
+	resolveWebServerProvider,
+	updateLocalWebServerProvider,
+	updateRemoteWebServerProvider,
+} from "@dokploy/server/services/web-server-settings";
+import {
+	reloadCaddyAfterValidation,
+	validateCaddyConfigFileWithImage,
+	validateCaddyConfigWithContainer,
+} from "@dokploy/server/utils/caddy/config";
+import {
+	acquireCaddyMigrationOperationLock,
+	appendCaddyMigrationEvent,
+	copyMigrationFileInPlace,
+	copyMigrationPath,
+	loadCaddyMigrationReport,
+	migrationPathExists,
+	readMigrationTextFileIfExists,
+	removeMigrationPath,
+	writeCaddyMigrationReport,
+	writeMigrationTextFile,
+} from "./files";
+import { rollbackCaddyMigration } from "./rollback";
+import type {
+	CaddyMigrationBackupSummary,
+	CaddyMigrationFileBackup,
+	CaddyMigrationReport,
+	CaddyMigrationResourceSnapshot,
+} from "./types";
+import { runCaddyMigrationUpstreamPreflight } from "./upstream-preflight";
+
+const updateProviderToCaddy = async (serverId?: string | null) => {
+	if (serverId) {
+		await updateRemoteWebServerProvider(serverId, "caddy");
+		return;
+	}
+	await updateLocalWebServerProvider("caddy");
+};
+
+const filterCaddyAdditionalPorts = (
+	ports: { targetPort: number; publishedPort: number; protocol?: string }[],
+) =>
+	ports.filter(
+		(port) =>
+			!(
+				(port.targetPort === 8080 || port.targetPort === 8082) &&
+				(port.protocol ?? "tcp") === "tcp"
+			),
+	);
+
+const createFileBackup = async (
+	label: string,
+	source: string,
+	backupPath: string,
+	serverId?: string | null,
+): Promise<CaddyMigrationFileBackup> => {
+	const existed = await migrationPathExists(source, serverId);
+	if (existed) {
+		await copyMigrationPath(source, backupPath, serverId);
+	}
+	return { label, source, backupPath, existed };
+};
+
+const redactResourceSnapshot = (
+	snapshot: CaddyMigrationResourceSnapshot,
+): CaddyMigrationResourceSnapshot => ({
+	resourceName: snapshot.resourceName,
+	resourceType: snapshot.resourceType,
+	running: snapshot.running,
+	replicas: snapshot.replicas,
+	additionalPorts: snapshot.additionalPorts,
+});
+
+const createMigrationBackups = async (
+	report: CaddyMigrationReport,
+	serverId?: string,
+): Promise<CaddyMigrationBackupSummary> => {
+	const currentPaths = paths(!!serverId);
+	const backupRoot = report.artifactPaths.backupsDir;
+	const files: CaddyMigrationFileBackup[] = [];
+	files.push(
+		await createFileBackup(
+			"traefik-static",
+			path.posix.join(currentPaths.MAIN_TRAEFIK_PATH, "traefik.yml"),
+			path.posix.join(backupRoot, "traefik", "traefik.yml"),
+			serverId,
+		),
+	);
+	files.push(
+		await createFileBackup(
+			"traefik-dynamic",
+			currentPaths.DYNAMIC_TRAEFIK_PATH,
+			path.posix.join(backupRoot, "traefik", "dynamic"),
+			serverId,
+		),
+	);
+	files.push(
+		await createFileBackup(
+			"caddy-config",
+			currentPaths.CADDY_CONFIG_PATH,
+			path.posix.join(backupRoot, "caddy", "caddy.json"),
+			serverId,
+		),
+	);
+	files.push(
+		await createFileBackup(
+			"caddy-fragments",
+			currentPaths.CADDY_FRAGMENTS_PATH,
+			path.posix.join(backupRoot, "caddy", "fragments"),
+			serverId,
+		),
+	);
+
+	const [traefikResource, caddyResource] = await Promise.all([
+		getDockerResourceSnapshot("dokploy-traefik", serverId),
+		getDockerResourceSnapshot("dokploy-caddy", serverId),
+	]);
+	const restoreSnapshotPath = path.posix.join(
+		backupRoot,
+		"resources.restore.json",
+	);
+	await writeMigrationTextFile(
+		restoreSnapshotPath,
+		`${JSON.stringify({ traefikResource, caddyResource }, null, 2)}\n`,
+		serverId,
+	);
+
+	return {
+		createdAt: new Date().toISOString(),
+		traefikResource: redactResourceSnapshot(traefikResource),
+		caddyResource: redactResourceSnapshot(caddyResource),
+		restoreSnapshotPath,
+		files,
+	};
+};
+
+const readResourceEnvAndPorts = async (
+	resourceName: string,
+	serverId?: string,
+) => {
+	try {
+		const [env, additionalPorts] = await Promise.all([
+			readEnvironmentVariables(resourceName, serverId),
+			readPorts(resourceName, serverId),
+		]);
+		return { env, additionalPorts };
+	} catch {
+		return { env: "", additionalPorts: [] };
+	}
+};
+
+const validateAppliedCaddy = async (serverId?: string) => {
+	await waitForDockerResourceRunning("dokploy-caddy", serverId, {
+		retries: 30,
+		intervalMs: 1000,
+	});
+	await validateCaddyConfigWithContainer(serverId);
+};
+
+const getLetsEncryptEmailFromConfig = async (
+	caddyJsonPath: string,
+	serverId?: string,
+) => {
+	const content = await readMigrationTextFileIfExists(caddyJsonPath, serverId);
+	if (!content) return null;
+	try {
+		const config = JSON.parse(content) as {
+			apps?: {
+				tls?: {
+					automation?: {
+						policies?: Array<{
+							issuers?: Array<{ email?: string }>;
+						}>;
+					};
+				};
+			};
+		};
+		return (
+			config.apps?.tls?.automation?.policies?.[0]?.issuers?.[0]?.email ?? null
+		);
+	} catch {
+		return null;
+	}
+};
+
+const markFailed = async (
+	report: CaddyMigrationReport,
+	message: string,
+	serverId?: string,
+) => {
+	const warning = {
+		code: "apply-failed" as const,
+		message,
+		blocking: true,
+	};
+	return writeCaddyMigrationReport(
+		appendCaddyMigrationEvent(
+			{
+				...report,
+				status: "failed",
+				warnings: [...report.warnings, warning],
+				summary: {
+					...report.summary,
+					warnings: report.summary.warnings + 1,
+					blockingWarnings: report.summary.blockingWarnings + 1,
+				},
+			},
+			"apply_failed",
+			message,
+		),
+		serverId,
+	);
+};
+
+export const applyCaddyMigration = async (input: {
+	migrationId: string;
+	serverId?: string;
+}) => {
+	const releaseLock = await acquireCaddyMigrationOperationLock(
+		input.migrationId,
+		input.serverId,
+	);
+	try {
+		return await applyCaddyMigrationUnlocked(input);
+	} finally {
+		await releaseLock();
+	}
+};
+
+const applyCaddyMigrationUnlocked = async (input: {
+	migrationId: string;
+	serverId?: string;
+}) => {
+	const serverId = input.serverId;
+	let report = await loadCaddyMigrationReport(input.migrationId, serverId);
+	if (report.summary.blockingWarnings > 0) {
+		throw new Error(
+			`Cannot apply Caddy migration ${input.migrationId}: report has ${report.summary.blockingWarnings} blocking warning(s)`,
+		);
+	}
+	if (report.validation.status !== "passed") {
+		throw new Error(
+			`Cannot apply Caddy migration ${input.migrationId}: draft validation did not pass`,
+		);
+	}
+	if (report.status !== "prepared") {
+		throw new Error(
+			`Cannot apply Caddy migration ${input.migrationId}: report status is ${report.status}`,
+		);
+	}
+	if (
+		!(await migrationPathExists(report.artifactPaths.caddyJson, serverId)) ||
+		!(await migrationPathExists(report.artifactPaths.fragmentsDir, serverId))
+	) {
+		throw new Error(
+			`Cannot apply Caddy migration ${input.migrationId}: approved Caddy artifacts are missing`,
+		);
+	}
+	const provider = await resolveWebServerProvider(serverId);
+	if (provider !== "traefik") {
+		throw new Error(
+			`Cannot apply Caddy migration ${input.migrationId}: active provider is ${provider}`,
+		);
+	}
+
+	report = await writeCaddyMigrationReport(
+		appendCaddyMigrationEvent(
+			{ ...report, status: "applying" },
+			"applying",
+			"Applying Caddy migration cutover",
+		),
+		serverId,
+	);
+
+	const runtimePreflight = await runCaddyMigrationUpstreamPreflight(report, {
+		serverId,
+	});
+	report = await writeCaddyMigrationReport(
+		appendCaddyMigrationEvent(
+			{ ...report, runtimePreflight },
+			"runtime_preflight",
+			`Runtime upstream preflight ${runtimePreflight.status}`,
+		),
+		serverId,
+	);
+	if (runtimePreflight.status !== "passed") {
+		const failedChecks = runtimePreflight.checks.filter(
+			(check) => check.status === "failed",
+		);
+		const message =
+			runtimePreflight.status === "failed"
+				? `Runtime upstream preflight failed for ${failedChecks.length} upstream check(s)`
+				: `Runtime upstream preflight did not pass: ${runtimePreflight.status}`;
+		await markFailed(report, message, serverId);
+		throw new Error(message);
+	}
+
+	try {
+		await validateCaddyConfigFileWithImage(
+			report.artifactPaths.caddyJson,
+			serverId,
+		);
+	} catch (error) {
+		const message = `Pre-stop Caddy runtime validation failed: ${
+			error instanceof Error ? error.message : "unknown error"
+		}`;
+		await markFailed(report, message, serverId);
+		throw error;
+	}
+	report = await writeCaddyMigrationReport(
+		appendCaddyMigrationEvent(
+			{ ...report },
+			"pre_stop_caddy_validate",
+			"Prepared Caddy config validated with the runtime Caddy image before stopping Traefik",
+		),
+		serverId,
+	);
+
+	try {
+		const backup = await createMigrationBackups(report, serverId);
+		report = await writeCaddyMigrationReport(
+			appendCaddyMigrationEvent(
+				{ ...report, backup },
+				"backup_created",
+				"Backed up Traefik and Caddy configuration before cutover",
+			),
+			serverId,
+		);
+
+		const currentPaths = paths(!!serverId);
+		await removeMigrationPath(currentPaths.CADDY_FRAGMENTS_PATH, serverId);
+		await copyMigrationPath(
+			report.artifactPaths.fragmentsDir,
+			currentPaths.CADDY_FRAGMENTS_PATH,
+			serverId,
+		);
+		await copyMigrationPath(
+			report.artifactPaths.caddyJson,
+			currentPaths.CADDY_CONFIG_PATH,
+			serverId,
+		);
+
+		const caddyRuntime = await readResourceEnvAndPorts(
+			"dokploy-caddy",
+			serverId,
+		);
+		const traefikRuntime = await readResourceEnvAndPorts(
+			"dokploy-traefik",
+			serverId,
+		);
+		const runtime = (await migrationPathExists(
+			currentPaths.CADDY_CONFIG_PATH,
+			serverId,
+		))
+			? {
+					env: caddyRuntime.env || undefined,
+					additionalPorts: caddyRuntime.additionalPorts.length
+						? caddyRuntime.additionalPorts
+						: traefikRuntime.additionalPorts,
+				}
+			: {
+					env: undefined,
+					additionalPorts: traefikRuntime.additionalPorts,
+				};
+		const caddyAdditionalPorts = filterCaddyAdditionalPorts(
+			runtime.additionalPorts,
+		);
+		const droppedPorts = runtime.additionalPorts.filter(
+			(port) => !caddyAdditionalPorts.includes(port),
+		);
+		if (droppedPorts.length) {
+			report = await writeCaddyMigrationReport(
+				appendCaddyMigrationEvent(
+					{ ...report },
+					"caddy_ports_filtered",
+					`Dropped Traefik-only additional port(s) for Caddy: ${droppedPorts
+						.map(
+							(port) =>
+								`${port.publishedPort}->${port.targetPort}/${port.protocol ?? "tcp"}`,
+						)
+						.join(", ")}`,
+				),
+				serverId,
+			);
+		}
+
+		await stopDockerResource("dokploy-traefik", serverId);
+		await writeCaddySetup({
+			env: runtime.env ? runtime.env.split("\n").filter(Boolean) : undefined,
+			additionalPorts: caddyAdditionalPorts,
+			serverId,
+			letsEncryptEmail: await getLetsEncryptEmailFromConfig(
+				report.artifactPaths.caddyJson,
+				serverId,
+			),
+		});
+		await copyMigrationFileInPlace(
+			report.artifactPaths.caddyJson,
+			currentPaths.CADDY_CONFIG_PATH,
+			serverId,
+		);
+		await reloadCaddyAfterValidation(serverId);
+		await validateAppliedCaddy(serverId);
+		await updateProviderToCaddy(serverId);
+
+		report = await writeCaddyMigrationReport(
+			appendCaddyMigrationEvent(
+				{ ...report, status: "applied" },
+				"applied",
+				"Caddy migration applied successfully",
+			),
+			serverId,
+		);
+		return report;
+	} catch (error) {
+		const message =
+			error instanceof Error ? error.message : "Caddy migration apply failed";
+		report = await markFailed(report, message, serverId);
+		try {
+			await rollbackCaddyMigration({
+				migrationId: input.migrationId,
+				serverId,
+				skipOperationLock: true,
+			});
+		} catch (rollbackError) {
+			const rollbackMessage =
+				rollbackError instanceof Error
+					? rollbackError.message
+					: "rollback failed";
+			throw new Error(`${message}; rollback also failed: ${rollbackMessage}`);
+		}
+		throw error;
+	}
+};
diff --git a/packages/server/src/utils/caddy/migration/compose-label-translator.ts b/packages/server/src/utils/caddy/migration/compose-label-translator.ts
new file mode 100644
index 0000000000..4a1d33583f
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/compose-label-translator.ts
@@ -0,0 +1,575 @@
+import type { Domain } from "@dokploy/server/services/domain";
+import { isDokployGeneratedTraefikLabel } from "../../docker/domain";
+import type { ListOrDict } from "../../docker/types";
+import type { HttpMiddleware } from "../../traefik/file-types";
+import type { CaddyRouteFragment, CaddyRouteIntent } from "../types";
+import {
+	defaultKnownTraefikFileMiddlewares,
+	translateTraefikMiddleware,
+} from "./dynamic-file-translator";
+import { parseTraefikRule } from "./traefik-rule-parser";
+import type { CaddyMigrationWarning, KnownTraefikMiddlewareMap } from "./types";
+
+interface ComposeLabelTranslatorOptions {
+	sourceFile?: string;
+	fragmentId?: string;
+	appName?: string;
+	serviceName?: string;
+	upstreamServiceName?: string;
+	upstreamNetwork?: string | null;
+	composeType?: "docker-compose" | "stack";
+	domains?: Domain[];
+	knownMiddlewares?: KnownTraefikMiddlewareMap;
+	fileMiddlewares?: Record<string, HttpMiddleware>;
+}
+
+interface ParsedRouterLabels {
+	rule?: string;
+	entryPoints?: string[];
+	middlewares?: string[];
+	service?: string;
+	priority?: number;
+	tls?: boolean;
+	tlsCertResolver?: string;
+}
+
+interface ParsedServiceLabels {
+	port?: number;
+	scheme?: string;
+}
+
+interface LabelClassification {
+	label: string;
+	dokployGenerated: boolean;
+}
+
+const CADDY_FRAGMENT_VERSION = 1;
+
+const toSafeId = (value: string) =>
+	value
+		.replace(/\.[^.]+$/, "")
+		.replace(/[^a-zA-Z0-9_.-]+/g, "-")
+		.replace(/^-+|-+$/g, "") || "compose-labels";
+
+const warning = (
+	message: string,
+	options: ComposeLabelTranslatorOptions & {
+		routerName?: string;
+		serviceName?: string;
+		middlewareName?: string;
+		label?: string;
+		code?: CaddyMigrationWarning["code"];
+	},
+): CaddyMigrationWarning => ({
+	code: options.code ?? "invalid-label",
+	message,
+	blocking: true,
+	source: options.sourceFile,
+	routerName: options.routerName,
+	serviceName: options.serviceName,
+	middlewareName: options.middlewareName,
+	label: options.label,
+});
+
+const labelsToStrings = (labels: ListOrDict | undefined): string[] => {
+	if (!labels) {
+		return [];
+	}
+	if (Array.isArray(labels)) {
+		return labels.map(String);
+	}
+	return Object.entries(labels).map(([key, value]) =>
+		value === null ? key : `${key}=${value}`,
+	);
+};
+
+const splitLabel = (label: string) => {
+	const separatorIndex = label.indexOf("=");
+	if (separatorIndex === -1) {
+		return { key: label, value: undefined };
+	}
+	return {
+		key: label.slice(0, separatorIndex),
+		value: label.slice(separatorIndex + 1),
+	};
+};
+
+const splitList = (value: string | undefined) =>
+	(value ?? "")
+		.split(",")
+		.map((item) => item.trim())
+		.filter(Boolean);
+
+const mergeTransforms = (
+	target: NonNullable<CaddyRouteIntent["transforms"]>,
+	next: NonNullable<CaddyRouteIntent["transforms"]>,
+) => {
+	target.requestHeaders = {
+		...(target.requestHeaders ?? {}),
+		...(next.requestHeaders ?? {}),
+	};
+	target.responseHeaders = {
+		...(target.responseHeaders ?? {}),
+		...(next.responseHeaders ?? {}),
+	};
+	if (next.stripPrefix) target.stripPrefix = next.stripPrefix;
+	if (next.addPrefix) target.addPrefix = next.addPrefix;
+};
+
+const mergeAllowedRemoteIps = (target: string[], next?: string[] | null) => {
+	if (!next?.length) {
+		return;
+	}
+	for (const range of next) {
+		if (!target.includes(range)) {
+			target.push(range);
+		}
+	}
+};
+
+const ensureMiddleware = (
+	middlewares: Record<string, Record<string, unknown>>,
+	name: string,
+) => {
+	middlewares[name] ??= {};
+	return middlewares[name];
+};
+
+const parseBoolean = (value: string | undefined) =>
+	value === undefined ? undefined : value === "true";
+
+const setMiddlewareLabel = (
+	middlewares: Record<string, Record<string, unknown>>,
+	name: string,
+	suffix: string,
+	value: string | undefined,
+) => {
+	const middleware = ensureMiddleware(middlewares, name);
+	const lowerSuffix = suffix.toLowerCase();
+	if (lowerSuffix === "stripprefix.prefixes") {
+		middleware.stripPrefix = { prefixes: splitList(value) };
+		return true;
+	}
+	if (lowerSuffix === "addprefix.prefix") {
+		middleware.addPrefix = { prefix: value };
+		return true;
+	}
+	if (lowerSuffix === "basicauth.users") {
+		middleware.basicAuth = {
+			...(middleware.basicAuth as Record<string, unknown> | undefined),
+			users: splitList(value),
+		};
+		return true;
+	}
+	if (lowerSuffix === "basicauth.usersfile") {
+		middleware.basicAuth = {
+			...(middleware.basicAuth as Record<string, unknown> | undefined),
+			usersFile: value,
+		};
+		return true;
+	}
+	if (lowerSuffix === "redirectscheme.scheme") {
+		middleware.redirectScheme = {
+			...(middleware.redirectScheme as Record<string, unknown> | undefined),
+			scheme: value,
+		};
+		return true;
+	}
+	if (lowerSuffix === "redirectscheme.permanent") {
+		middleware.redirectScheme = {
+			...(middleware.redirectScheme as Record<string, unknown> | undefined),
+			permanent: parseBoolean(value),
+		};
+		return true;
+	}
+	if (lowerSuffix === "redirectscheme.port") {
+		middleware.redirectScheme = {
+			...(middleware.redirectScheme as Record<string, unknown> | undefined),
+			port: value,
+		};
+		return true;
+	}
+	if (lowerSuffix === "chain.middlewares") {
+		middleware.chain = { middlewares: splitList(value) };
+		return true;
+	}
+	if (lowerSuffix.startsWith("ipallowlist.")) {
+		middleware.ipAllowList = {
+			...(middleware.ipAllowList as Record<string, unknown> | undefined),
+			[suffix.slice("ipallowlist.".length)]: lowerSuffix.endsWith("sourcerange")
+				? splitList(value)
+				: value,
+		};
+		return true;
+	}
+	if (lowerSuffix.startsWith("ipwhitelist.")) {
+		middleware.ipWhiteList = {
+			...(middleware.ipWhiteList as Record<string, unknown> | undefined),
+			[suffix.slice("ipwhitelist.".length)]: lowerSuffix.endsWith("sourcerange")
+				? splitList(value)
+				: value,
+		};
+		return true;
+	}
+	if (lowerSuffix.startsWith("headers.customresponseheaders.")) {
+		const header = suffix.slice("headers.customresponseheaders.".length);
+		middleware.headers = {
+			...(middleware.headers as Record<string, unknown> | undefined),
+			customResponseHeaders: {
+				...((
+					middleware.headers as
+						| Record<string, Record<string, string>>
+						| undefined
+				)?.customResponseHeaders ?? {}),
+				[header]: value ?? "",
+			},
+		};
+		return true;
+	}
+	if (lowerSuffix.startsWith("headers.customrequestheaders.")) {
+		const header = suffix.slice("headers.customrequestheaders.".length);
+		middleware.headers = {
+			...(middleware.headers as Record<string, unknown> | undefined),
+			customRequestHeaders: {
+				...((
+					middleware.headers as
+						| Record<string, Record<string, string>>
+						| undefined
+				)?.customRequestHeaders ?? {}),
+				[header]: value ?? "",
+			},
+		};
+		return true;
+	}
+	return false;
+};
+
+const parseComposeLabels = (
+	labels: string[],
+	options: ComposeLabelTranslatorOptions,
+) => {
+	const routers: Record<string, ParsedRouterLabels> = {};
+	const services: Record<string, ParsedServiceLabels> = {};
+	const middlewares: Record<string, Record<string, unknown>> = {};
+	const warnings: CaddyMigrationWarning[] = [];
+	const classifications: LabelClassification[] = [];
+
+	for (const label of labels) {
+		const { key, value } = splitLabel(label);
+		const dokployGenerated = isDokployGeneratedTraefikLabel(label, {
+			appName: options.appName,
+			domains: options.domains,
+			includeGenericLabels: true,
+		});
+		classifications.push({ label, dokployGenerated });
+
+		const routerMatch = key.match(/^traefik\.http\.routers\.([^.]+)\.(.+)$/);
+		if (routerMatch?.[1] && routerMatch[2]) {
+			const routerName = routerMatch[1];
+			const suffix = routerMatch[2];
+			routers[routerName] ??= {};
+			const lowerSuffix = suffix.toLowerCase();
+			if (lowerSuffix === "rule") routers[routerName].rule = value;
+			else if (lowerSuffix === "entrypoints") {
+				routers[routerName].entryPoints = splitList(value);
+			} else if (lowerSuffix === "middlewares") {
+				routers[routerName].middlewares = splitList(value);
+			} else if (lowerSuffix === "service") routers[routerName].service = value;
+			else if (lowerSuffix === "priority") {
+				const priority = Number(value);
+				if (Number.isFinite(priority)) routers[routerName].priority = priority;
+			} else if (lowerSuffix === "tls") {
+				routers[routerName].tls = parseBoolean(value) ?? value === "";
+			} else if (lowerSuffix === "tls.certresolver") {
+				routers[routerName].tlsCertResolver = value;
+			} else {
+				warnings.push(
+					warning(`Unsupported router label suffix "${suffix}"`, {
+						...options,
+						routerName,
+						label,
+						code: "unsupported-router",
+					}),
+				);
+			}
+			continue;
+		}
+
+		const serviceMatch = key.match(/^traefik\.http\.services\.([^.]+)\.(.+)$/);
+		if (serviceMatch?.[1] && serviceMatch[2]) {
+			const serviceName = serviceMatch[1];
+			const suffix = serviceMatch[2];
+			services[serviceName] ??= {};
+			const lowerSuffix = suffix.toLowerCase();
+			if (lowerSuffix === "loadbalancer.server.port") {
+				const port = Number(value);
+				if (Number.isFinite(port)) services[serviceName].port = port;
+			} else if (lowerSuffix === "loadbalancer.server.scheme") {
+				services[serviceName].scheme = value;
+			} else {
+				warnings.push(
+					warning(`Unsupported service label suffix "${suffix}"`, {
+						...options,
+						serviceName,
+						label,
+						code: "unsupported-service",
+					}),
+				);
+			}
+			continue;
+		}
+
+		const middlewareMatch = key.match(
+			/^traefik\.http\.middlewares\.([^.]+)\.(.+)$/,
+		);
+		if (middlewareMatch?.[1] && middlewareMatch[2]) {
+			const middlewareName = middlewareMatch[1];
+			const suffix = middlewareMatch[2];
+			if (!setMiddlewareLabel(middlewares, middlewareName, suffix, value)) {
+				warnings.push(
+					warning(`Unsupported middleware label suffix "${suffix}"`, {
+						...options,
+						middlewareName,
+						label,
+						code: "unsupported-middleware",
+					}),
+				);
+			}
+			continue;
+		}
+
+		if (key.startsWith("traefik.http.")) {
+			warnings.push(
+				warning(`Unsupported Traefik HTTP label "${key}"`, {
+					...options,
+					label,
+					code: "invalid-label",
+				}),
+			);
+		}
+	}
+
+	return { routers, services, middlewares, warnings, classifications };
+};
+
+const isSecurityMiddlewareWarning = (item: CaddyMigrationWarning) =>
+	item.code === "unsupported-security-middleware";
+
+const dedupeWarnings = (warnings: CaddyMigrationWarning[]) => {
+	const seen = new Set<string>();
+	return warnings.filter((item) => {
+		const key = [
+			item.code,
+			item.source ?? "",
+			item.routerName ?? "",
+			item.serviceName ?? "",
+			item.middlewareName ?? "",
+			item.label ?? "",
+			item.message,
+		].join("\0");
+		if (seen.has(key)) return false;
+		seen.add(key);
+		return true;
+	});
+};
+
+const routerUsesHttps = (router: ParsedRouterLabels) =>
+	Boolean(router.tls) ||
+	Boolean(router.tlsCertResolver) ||
+	Boolean(
+		router.entryPoints?.includes("websecure") &&
+			!router.entryPoints?.includes("web"),
+	);
+
+const getRouterUpstreams = (
+	routerName: string,
+	router: ParsedRouterLabels,
+	services: Record<string, ParsedServiceLabels>,
+	options: ComposeLabelTranslatorOptions,
+) => {
+	const serviceName = router.service ?? routerName;
+	const service = services[serviceName] ?? services[routerName];
+	if (!service?.port) {
+		return {
+			upstreams: [],
+			warnings: [
+				warning(
+					`Router "${routerName}" references service "${serviceName}" without a migrated port label`,
+					{
+						...options,
+						routerName,
+						serviceName,
+						code: "unresolved-service",
+					},
+				),
+			],
+		};
+	}
+	const scheme = service.scheme ?? "http";
+	const upstreamName =
+		options.upstreamServiceName ?? options.serviceName ?? serviceName;
+	return {
+		upstreams: [`${scheme}://${upstreamName}:${service.port}`],
+		warnings: [],
+	};
+};
+
+export const translateTraefikComposeLabelsToCaddyFragment = (
+	labelsInput: ListOrDict | undefined,
+	options: ComposeLabelTranslatorOptions = {},
+): {
+	fragment: CaddyRouteFragment;
+	routes: CaddyRouteIntent[];
+	warnings: CaddyMigrationWarning[];
+	classifications: LabelClassification[];
+} => {
+	const labels = labelsToStrings(labelsInput);
+	const initialParsed = parseComposeLabels(labels, options);
+	const generatedSecurityWarnings = initialParsed.classifications.some(
+		(item) => item.dokployGenerated,
+	)
+		? translateParsedComposeRoutes(initialParsed, options).warnings.filter(
+				isSecurityMiddlewareWarning,
+			)
+		: [];
+	const hasManualLabels = initialParsed.classifications.some(
+		(item) => !item.dokployGenerated,
+	);
+	const hasGeneratedLabels = initialParsed.classifications.some(
+		(item) => item.dokployGenerated,
+	);
+	const labelsForTranslation =
+		hasManualLabels && hasGeneratedLabels
+			? labels.filter(
+					(_, index) => !initialParsed.classifications[index]?.dokployGenerated,
+				)
+			: labels;
+	const parsed =
+		labelsForTranslation === labels
+			? initialParsed
+			: parseComposeLabels(labelsForTranslation, options);
+	const warnings = dedupeWarnings([
+		...parsed.warnings,
+		...generatedSecurityWarnings,
+	]);
+	const translatedRoutes = translateParsedComposeRoutes(parsed, options);
+	warnings.push(...translatedRoutes.warnings);
+	return {
+		...translatedRoutes,
+		warnings: dedupeWarnings(warnings),
+		classifications: initialParsed.classifications,
+	};
+};
+
+const translateParsedComposeRoutes = (
+	parsed: ReturnType<typeof parseComposeLabels>,
+	options: ComposeLabelTranslatorOptions,
+) => {
+	const warnings: CaddyMigrationWarning[] = [];
+	const routes: CaddyRouteIntent[] = [];
+	const middlewares = {
+		...(options.fileMiddlewares ?? {}),
+		...(parsed.middlewares as Record<string, HttpMiddleware>),
+	};
+
+	for (const [routerName, router] of Object.entries(parsed.routers)) {
+		if (!router.rule) {
+			warnings.push(
+				warning(`Router "${routerName}" is missing a rule label`, {
+					...options,
+					routerName,
+					code: "unsupported-router",
+				}),
+			);
+			continue;
+		}
+
+		const rule = parseTraefikRule(router.rule, {
+			source: options.sourceFile,
+			routerName,
+		});
+		warnings.push(...rule.warnings);
+
+		const transforms = {};
+		const basicAuth: { username: string; hash: string }[] = [];
+		const allowedRemoteIps: string[] = [];
+		let redirectScheme: CaddyRouteIntent["redirectScheme"] = null;
+		for (const middlewareName of router.middlewares ?? []) {
+			const translated = translateTraefikMiddleware(
+				middlewareName,
+				middlewares,
+				{
+					sourceFile: options.sourceFile,
+					routerName,
+					knownMiddlewares: {
+						...defaultKnownTraefikFileMiddlewares,
+						...(options.knownMiddlewares ?? {}),
+					},
+				},
+			);
+			mergeTransforms(transforms, translated.transforms);
+			basicAuth.push(...translated.basicAuth);
+			mergeAllowedRemoteIps(allowedRemoteIps, translated.allowedRemoteIps);
+			if (translated.redirectScheme) {
+				redirectScheme = translated.redirectScheme;
+			}
+			warnings.push(...translated.warnings);
+		}
+
+		if (router.tlsCertResolver && router.tlsCertResolver !== "letsencrypt") {
+			warnings.push(
+				warning(
+					`Custom certResolver "${router.tlsCertResolver}" has no direct Caddy mapping`,
+					{
+						...options,
+						routerName,
+						code: "unsupported-router",
+					},
+				),
+			);
+		}
+
+		const upstreamResult = redirectScheme
+			? { upstreams: [], warnings: [] }
+			: getRouterUpstreams(routerName, router, parsed.services, options);
+		warnings.push(...upstreamResult.warnings);
+
+		rule.matches.forEach((match, index) => {
+			routes.push({
+				id: `${toSafeId(options.sourceFile ?? options.appName ?? "compose")}-${routerName}${rule.matches.length > 1 ? `-${index + 1}` : ""}`,
+				source: "traefik-compose-label",
+				hosts: match.hosts,
+				pathPrefix: match.pathPrefix,
+				pathExact: match.pathExact,
+				https: redirectScheme ? false : routerUsesHttps(router),
+				priority: router.priority ?? null,
+				upstreams: upstreamResult.upstreams,
+				upstreamNetwork: options.upstreamNetwork,
+				transforms,
+				allowedRemoteIps: allowedRemoteIps.length ? allowedRemoteIps : null,
+				basicAuth: basicAuth.length ? basicAuth : null,
+				redirectScheme,
+			});
+		});
+	}
+
+	const fragment: CaddyRouteFragment = {
+		version: CADDY_FRAGMENT_VERSION,
+		id:
+			options.fragmentId ??
+			`migration.traefik-compose-label.${toSafeId(
+				options.sourceFile ?? options.appName ?? "compose",
+			)}`,
+		source: "traefik-compose-label",
+		description: options.sourceFile
+			? `Migrated Traefik compose labels from ${options.sourceFile}`
+			: "Migrated Traefik compose labels",
+		routes,
+	};
+
+	return {
+		fragment,
+		routes,
+		warnings,
+	};
+};
diff --git a/packages/server/src/utils/caddy/migration/dynamic-file-translator.ts b/packages/server/src/utils/caddy/migration/dynamic-file-translator.ts
new file mode 100644
index 0000000000..cd75b2aa92
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/dynamic-file-translator.ts
@@ -0,0 +1,736 @@
+import { parse } from "yaml";
+import type { FileConfig, HttpMiddleware } from "../../traefik/file-types";
+import type {
+	CaddyHeaderMap,
+	CaddyRouteFragment,
+	CaddyRouteIntent,
+	CaddyRouteTransform,
+} from "../types";
+import { parseTraefikRule } from "./traefik-rule-parser";
+import type {
+	CaddyMiddlewareTranslation,
+	CaddyMigrationWarning,
+	KnownTraefikMiddlewareMap,
+	ResolvedCaddyMiddleware,
+} from "./types";
+
+interface DynamicTranslatorOptions {
+	sourceFile?: string;
+	fragmentId?: string;
+	knownMiddlewares?: KnownTraefikMiddlewareMap;
+	fileMiddlewares?: Record<string, HttpMiddleware>;
+}
+
+const CADDY_FRAGMENT_VERSION = 1;
+const httpUrlPrefixRegex = /^https?:\/\//i;
+
+export const defaultKnownTraefikFileMiddlewares: KnownTraefikMiddlewareMap = {
+	"redirect-to-https": {
+		redirectScheme: { scheme: "https", permanent: true },
+	},
+	"security-headers": {
+		transforms: {
+			responseHeaders: {
+				"X-Content-Type-Options": "nosniff",
+				"X-Frame-Options": "DENY",
+			},
+		},
+	},
+};
+
+const toSafeId = (value: string) =>
+	value
+		.replace(/\.[^.]+$/, "")
+		.replace(/[^a-zA-Z0-9_.-]+/g, "-")
+		.replace(/^-+|-+$/g, "") || "traefik-dynamic";
+
+const warning = (
+	message: string,
+	options: {
+		source?: string;
+		routerName?: string;
+		serviceName?: string;
+		middlewareName?: string;
+		code?: CaddyMigrationWarning["code"];
+	},
+): CaddyMigrationWarning => ({
+	code: options.code ?? "unsupported-middleware",
+	message,
+	blocking: true,
+	source: options.source,
+	routerName: options.routerName,
+	serviceName: options.serviceName,
+	middlewareName: options.middlewareName,
+});
+
+const asRecord = (value: unknown) =>
+	value && typeof value === "object" ? (value as Record<string, unknown>) : {};
+
+const mergeHeaders = (
+	a?: CaddyHeaderMap | null,
+	b?: CaddyHeaderMap | null,
+) => ({
+	...(a ?? {}),
+	...(b ?? {}),
+});
+
+const mergeTransforms = (
+	target: CaddyRouteTransform,
+	next: CaddyRouteTransform = {},
+) => {
+	target.requestHeaders = mergeHeaders(
+		target.requestHeaders,
+		next.requestHeaders,
+	);
+	target.responseHeaders = mergeHeaders(
+		target.responseHeaders,
+		next.responseHeaders,
+	);
+	if (next.stripPrefix) {
+		target.stripPrefix = next.stripPrefix;
+	}
+	if (next.addPrefix) {
+		target.addPrefix = next.addPrefix;
+	}
+};
+
+const mergeAllowedRemoteIps = (target: string[], next?: string[] | null) => {
+	if (!next?.length) {
+		return;
+	}
+	for (const range of next) {
+		if (!target.includes(range)) {
+			target.push(range);
+		}
+	}
+};
+
+const normalizeMiddlewareName = (name: string) => name.replace(/@file$/, "");
+
+const knownMiddlewareToTranslation = (
+	middleware: Partial<ResolvedCaddyMiddleware> & {
+		responseHeaders?: CaddyHeaderMap;
+		requestHeaders?: CaddyHeaderMap;
+	},
+): ResolvedCaddyMiddleware => ({
+	transforms: {
+		...(middleware.transforms ?? {}),
+		...(middleware.requestHeaders || middleware.responseHeaders
+			? {
+					requestHeaders: middleware.requestHeaders,
+					responseHeaders: middleware.responseHeaders,
+				}
+			: {}),
+	},
+	basicAuth: middleware.basicAuth ?? [],
+	allowedRemoteIps: middleware.allowedRemoteIps ?? null,
+	redirectScheme: middleware.redirectScheme ?? null,
+});
+
+const setResponseHeader = (
+	transforms: CaddyRouteTransform,
+	name: string,
+	value: string,
+) => {
+	transforms.responseHeaders = {
+		...(transforms.responseHeaders ?? {}),
+		[name]: value,
+	};
+};
+
+const translateHeadersMiddleware = (headers: Record<string, unknown>) => {
+	const transforms: CaddyRouteTransform = {};
+	const customRequestHeaders = asRecord(headers.customRequestHeaders);
+	const customResponseHeaders = asRecord(headers.customResponseHeaders);
+	if (Object.keys(customRequestHeaders).length) {
+		transforms.requestHeaders = customRequestHeaders as CaddyHeaderMap;
+	}
+	if (Object.keys(customResponseHeaders).length) {
+		transforms.responseHeaders = customResponseHeaders as CaddyHeaderMap;
+	}
+	if (headers.frameDeny === true) {
+		setResponseHeader(transforms, "X-Frame-Options", "DENY");
+	}
+	if (typeof headers.customFrameOptionsValue === "string") {
+		setResponseHeader(
+			transforms,
+			"X-Frame-Options",
+			headers.customFrameOptionsValue,
+		);
+	}
+	if (headers.contentTypeNosniff === true) {
+		setResponseHeader(transforms, "X-Content-Type-Options", "nosniff");
+	}
+	if (headers.browserXssFilter === true) {
+		setResponseHeader(transforms, "X-XSS-Protection", "1; mode=block");
+	}
+	if (typeof headers.customBrowserXSSValue === "string") {
+		setResponseHeader(
+			transforms,
+			"X-XSS-Protection",
+			headers.customBrowserXSSValue,
+		);
+	}
+	if (typeof headers.contentSecurityPolicy === "string") {
+		setResponseHeader(
+			transforms,
+			"Content-Security-Policy",
+			headers.contentSecurityPolicy,
+		);
+	}
+	if (typeof headers.referrerPolicy === "string") {
+		setResponseHeader(transforms, "Referrer-Policy", headers.referrerPolicy);
+	}
+	if (typeof headers.permissionsPolicy === "string") {
+		setResponseHeader(
+			transforms,
+			"Permissions-Policy",
+			headers.permissionsPolicy,
+		);
+	}
+	if (typeof headers.featurePolicy === "string") {
+		setResponseHeader(transforms, "Feature-Policy", headers.featurePolicy);
+	}
+	if (typeof headers.stsSeconds === "number" && headers.stsSeconds > 0) {
+		setResponseHeader(
+			transforms,
+			"Strict-Transport-Security",
+			[
+				`max-age=${headers.stsSeconds}`,
+				headers.stsIncludeSubdomains === true ? "includeSubDomains" : null,
+				headers.stsPreload === true ? "preload" : null,
+			]
+				.filter(Boolean)
+				.join("; "),
+		);
+	}
+	return transforms;
+};
+
+const parseBasicAuthUsers = (users: unknown) => {
+	if (!Array.isArray(users)) {
+		return [];
+	}
+	return users.flatMap((user) => {
+		if (typeof user !== "string") {
+			return [];
+		}
+		const separatorIndex = user.indexOf(":");
+		if (separatorIndex === -1) {
+			return [];
+		}
+		return [
+			{
+				username: user.slice(0, separatorIndex),
+				hash: user.slice(separatorIndex + 1),
+			},
+		];
+	});
+};
+
+const isLikelyCaddySupportedBasicAuthHash = (hash: string) =>
+	/^\$2[aby]\$/.test(hash);
+
+const findCaseInsensitiveValue = (
+	record: Record<string, unknown>,
+	key: string,
+) => {
+	const lowerKey = key.toLowerCase();
+	const entry = Object.entries(record).find(
+		([entryKey]) => entryKey.toLowerCase() === lowerKey,
+	);
+	return entry?.[1];
+};
+
+const getIpAllowRanges = (middleware: Record<string, unknown>) => {
+	const ipConfig = asRecord(middleware.ipAllowList ?? middleware.ipWhiteList);
+	const sourceRange = findCaseInsensitiveValue(ipConfig, "sourceRange");
+	if (!Array.isArray(sourceRange)) {
+		return [];
+	}
+	return sourceRange
+		.map((item) => `${item}`.trim())
+		.filter((item) => item.length > 0);
+};
+
+const normalizeTraefikServerUrl = (value: string) => {
+	if (!httpUrlPrefixRegex.test(value)) {
+		return value;
+	}
+	try {
+		const url = new URL(value);
+		if (url.port) {
+			return value;
+		}
+		const scheme = url.protocol.replace(":", "");
+		const defaultPort = scheme === "https" ? "443" : "80";
+		return `${scheme}://${url.hostname}:${defaultPort}`;
+	} catch {
+		return value;
+	}
+};
+
+export const translateTraefikMiddleware = (
+	middlewareName: string,
+	middlewares: Record<string, HttpMiddleware> = {},
+	options: DynamicTranslatorOptions & {
+		routerName?: string;
+		seen?: Set<string>;
+	} = {},
+): CaddyMiddlewareTranslation => {
+	const normalizedName = normalizeMiddlewareName(middlewareName);
+	const source = options.sourceFile;
+	const seen = options.seen ?? new Set<string>();
+	if (seen.has(normalizedName)) {
+		return {
+			transforms: {},
+			basicAuth: [],
+			warnings: [
+				warning(`Middleware chain cycle at "${normalizedName}"`, {
+					source,
+					routerName: options.routerName,
+					middlewareName: normalizedName,
+				}),
+			],
+		};
+	}
+
+	const knownMiddleware = {
+		...defaultKnownTraefikFileMiddlewares,
+		...(options.knownMiddlewares ?? {}),
+	}[normalizedName];
+	if (knownMiddleware && !middlewares[normalizedName]) {
+		return {
+			...knownMiddlewareToTranslation(knownMiddleware),
+			warnings: [],
+		};
+	}
+
+	const middleware = middlewares[normalizedName];
+	if (!middleware) {
+		return {
+			transforms: {},
+			basicAuth: [],
+			warnings: [
+				warning(`Referenced middleware "${middlewareName}" was not found`, {
+					source,
+					routerName: options.routerName,
+					middlewareName,
+					code: "unresolved-middleware",
+				}),
+			],
+		};
+	}
+
+	const middlewareRecord = middleware as Record<string, unknown>;
+	const transforms: CaddyRouteTransform = {};
+	const basicAuth: { username: string; hash: string }[] = [];
+	const allowedRemoteIps: string[] = [];
+	const warnings: CaddyMigrationWarning[] = [];
+	let redirectScheme: CaddyMiddlewareTranslation["redirectScheme"] = null;
+
+	const securityMiddleware = middlewareRecord.ipAllowList
+		? "ipAllowList"
+		: middlewareRecord.ipWhiteList
+			? "ipWhiteList"
+			: null;
+	if (securityMiddleware) {
+		const ranges = getIpAllowRanges(middlewareRecord);
+		if (ranges.length) {
+			mergeAllowedRemoteIps(allowedRemoteIps, ranges);
+		} else {
+			warnings.push(
+				warning(
+					`Traefik middleware "${normalizedName}" uses ${securityMiddleware} without a migratable sourceRange`,
+					{
+						source,
+						routerName: options.routerName,
+						middlewareName: normalizedName,
+						code: "unsupported-security-middleware",
+					},
+				),
+			);
+		}
+	} else if (middlewareRecord.headers) {
+		mergeTransforms(
+			transforms,
+			translateHeadersMiddleware(asRecord(middlewareRecord.headers)),
+		);
+	} else if (middlewareRecord.stripPrefix) {
+		const prefixes = asRecord(middlewareRecord.stripPrefix).prefixes;
+		if (Array.isArray(prefixes) && prefixes.length === 1) {
+			transforms.stripPrefix = `${prefixes[0]}`;
+		} else {
+			warnings.push(
+				warning("stripPrefix migration supports exactly one prefix", {
+					source,
+					routerName: options.routerName,
+					middlewareName: normalizedName,
+				}),
+			);
+		}
+	} else if (middlewareRecord.addPrefix) {
+		const prefix = asRecord(middlewareRecord.addPrefix).prefix;
+		if (typeof prefix === "string") {
+			transforms.addPrefix = prefix;
+		} else {
+			warnings.push(
+				warning("addPrefix middleware is missing a string prefix", {
+					source,
+					routerName: options.routerName,
+					middlewareName: normalizedName,
+				}),
+			);
+		}
+	} else if (middlewareRecord.basicAuth) {
+		const basicAuthConfig = asRecord(middlewareRecord.basicAuth);
+		for (const account of parseBasicAuthUsers(basicAuthConfig.users)) {
+			if (isLikelyCaddySupportedBasicAuthHash(account.hash)) {
+				basicAuth.push(account);
+				continue;
+			}
+			warnings.push(
+				warning(
+					`basicAuth user "${account.username}" uses a hash format that is not supported by the Caddy migration`,
+					{
+						source,
+						routerName: options.routerName,
+						middlewareName: normalizedName,
+						code: "unsupported-security-middleware",
+					},
+				),
+			);
+		}
+		if (basicAuthConfig.usersFile) {
+			warnings.push(
+				warning("basicAuth usersFile cannot be inlined into Caddy migration", {
+					source,
+					routerName: options.routerName,
+					middlewareName: normalizedName,
+				}),
+			);
+		}
+	} else if (middlewareRecord.redirectScheme) {
+		const redirect = asRecord(middlewareRecord.redirectScheme);
+		redirectScheme = {
+			scheme: typeof redirect.scheme === "string" ? redirect.scheme : "https",
+			permanent: redirect.permanent !== false,
+			port: typeof redirect.port === "string" ? redirect.port : null,
+		};
+	} else if (middlewareRecord.chain) {
+		const chain = asRecord(middlewareRecord.chain).middlewares;
+		if (!Array.isArray(chain)) {
+			warnings.push(
+				warning("chain middleware is missing middlewares", {
+					source,
+					routerName: options.routerName,
+					middlewareName: normalizedName,
+				}),
+			);
+		} else {
+			const nextSeen = new Set([...seen, normalizedName]);
+			for (const chainedName of chain) {
+				const translated = translateTraefikMiddleware(
+					`${chainedName}`,
+					middlewares,
+					{
+						...options,
+						seen: nextSeen,
+					},
+				);
+				mergeTransforms(transforms, translated.transforms);
+				basicAuth.push(...translated.basicAuth);
+				mergeAllowedRemoteIps(allowedRemoteIps, translated.allowedRemoteIps);
+				if (translated.redirectScheme) {
+					redirectScheme = translated.redirectScheme;
+				}
+				warnings.push(...translated.warnings);
+			}
+		}
+	} else {
+		warnings.push(
+			warning(`Unsupported Traefik middleware "${normalizedName}"`, {
+				source,
+				routerName: options.routerName,
+				middlewareName: normalizedName,
+			}),
+		);
+	}
+
+	return {
+		transforms,
+		basicAuth,
+		allowedRemoteIps: allowedRemoteIps.length ? allowedRemoteIps : null,
+		redirectScheme,
+		warnings,
+	};
+};
+
+const collectRouterMiddlewares = (
+	middlewareNames: string[] | undefined,
+	middlewares: Record<string, HttpMiddleware>,
+	options: DynamicTranslatorOptions & { routerName: string },
+) => {
+	const transforms: CaddyRouteTransform = {};
+	const basicAuth: { username: string; hash: string }[] = [];
+	const allowedRemoteIps: string[] = [];
+	const warnings: CaddyMigrationWarning[] = [];
+	let redirectScheme: CaddyMiddlewareTranslation["redirectScheme"] = null;
+
+	for (const middlewareName of middlewareNames ?? []) {
+		const translated = translateTraefikMiddleware(
+			middlewareName,
+			middlewares,
+			options,
+		);
+		mergeTransforms(transforms, translated.transforms);
+		basicAuth.push(...translated.basicAuth);
+		mergeAllowedRemoteIps(allowedRemoteIps, translated.allowedRemoteIps);
+		if (translated.redirectScheme) {
+			redirectScheme = translated.redirectScheme;
+		}
+		warnings.push(...translated.warnings);
+	}
+
+	return {
+		transforms,
+		basicAuth,
+		allowedRemoteIps: allowedRemoteIps.length ? allowedRemoteIps : null,
+		redirectScheme,
+		warnings,
+	};
+};
+
+const getServiceUpstreams = (
+	serviceName: string,
+	config: FileConfig,
+	options: DynamicTranslatorOptions & { routerName: string },
+) => {
+	const service = config.http?.services?.[normalizeMiddlewareName(serviceName)];
+	if (!service) {
+		return {
+			upstreams: [],
+			warnings: [
+				warning(`Referenced service "${serviceName}" was not found`, {
+					source: options.sourceFile,
+					routerName: options.routerName,
+					serviceName,
+					code: "unresolved-service",
+				}),
+			],
+		};
+	}
+	const loadBalancer = (service as Record<string, unknown>).loadBalancer;
+	if (!loadBalancer) {
+		return {
+			upstreams: [],
+			warnings: [
+				warning(`Service "${serviceName}" is not a loadBalancer service`, {
+					source: options.sourceFile,
+					routerName: options.routerName,
+					serviceName,
+					code: "unsupported-service",
+				}),
+			],
+		};
+	}
+	const loadBalancerRecord = asRecord(loadBalancer);
+	const servers = loadBalancerRecord.servers;
+	const upstreams = Array.isArray(servers)
+		? servers.flatMap((server) => {
+				const url = asRecord(server).url;
+				return typeof url === "string" ? [normalizeTraefikServerUrl(url)] : [];
+			})
+		: [];
+	const warnings: CaddyMigrationWarning[] = [];
+	if (!upstreams.length) {
+		warnings.push(
+			warning(`Service "${serviceName}" has no loadBalancer servers`, {
+				source: options.sourceFile,
+				routerName: options.routerName,
+				serviceName,
+				code: "unsupported-service",
+			}),
+		);
+	}
+	if (loadBalancerRecord.passHostHeader === false) {
+		warnings.push(
+			warning("passHostHeader=false has no direct migration mapping yet", {
+				source: options.sourceFile,
+				routerName: options.routerName,
+				serviceName,
+				code: "unsupported-service",
+			}),
+		);
+	}
+	for (const key of [
+		"sticky",
+		"healthCheck",
+		"responseForwarding",
+		"serversTransport",
+	]) {
+		if (loadBalancerRecord[key]) {
+			warnings.push(
+				warning(`Service option "${key}" is not migrated yet`, {
+					source: options.sourceFile,
+					routerName: options.routerName,
+					serviceName,
+					code: "unsupported-service",
+				}),
+			);
+		}
+	}
+	return { upstreams, warnings };
+};
+
+const routerUsesHttps = (router: Record<string, unknown>) => {
+	if (router.tls) {
+		return true;
+	}
+	const entryPoints = router.entryPoints;
+	return Array.isArray(entryPoints)
+		? entryPoints.includes("websecure") && !entryPoints.includes("web")
+		: false;
+};
+
+const isTraefikInternalRouter = (
+	routerName: string,
+	router: Record<string, unknown>,
+) => {
+	const service = typeof router.service === "string" ? router.service : "";
+	const entryPoints = Array.isArray(router.entryPoints)
+		? router.entryPoints.map(String)
+		: [];
+	return (
+		service === "api@internal" ||
+		(routerName.includes("traefik-dashboard") &&
+			entryPoints.includes("traefik"))
+	);
+};
+
+export const translateTraefikDynamicConfigToCaddyFragment = (
+	input: string | FileConfig,
+	options: DynamicTranslatorOptions = {},
+): {
+	fragment: CaddyRouteFragment;
+	routes: CaddyRouteIntent[];
+	warnings: CaddyMigrationWarning[];
+} => {
+	let config: FileConfig;
+	try {
+		config = typeof input === "string" ? (parse(input) as FileConfig) : input;
+	} catch (error) {
+		const fragment: CaddyRouteFragment = {
+			version: CADDY_FRAGMENT_VERSION,
+			id: options.fragmentId ?? "migration.traefik-dynamic.invalid",
+			source: "traefik-dynamic-file",
+			routes: [],
+		};
+		return {
+			fragment,
+			routes: [],
+			warnings: [
+				warning(
+					error instanceof Error
+						? error.message
+						: "Invalid Traefik dynamic config",
+					{ source: options.sourceFile, code: "invalid-config" },
+				),
+			],
+		};
+	}
+
+	const routes: CaddyRouteIntent[] = [];
+	const warnings: CaddyMigrationWarning[] = [];
+	const mergedMiddlewares = {
+		...(options.fileMiddlewares ?? {}),
+		...(config.http?.middlewares ?? {}),
+	};
+	for (const [routerName, router] of Object.entries(
+		config.http?.routers ?? {},
+	)) {
+		const routerRecord = router as unknown as Record<string, unknown>;
+		if (isTraefikInternalRouter(routerName, routerRecord)) {
+			warnings.push({
+				code: "unsupported-router",
+				message: `Skipped Traefik internal router "${routerName}"; Caddy migration does not expose api@internal/dashboard routes`,
+				blocking: false,
+				source: options.sourceFile,
+				routerName,
+				serviceName:
+					typeof routerRecord.service === "string"
+						? routerRecord.service
+						: undefined,
+			});
+			continue;
+		}
+		const rule = typeof router.rule === "string" ? router.rule : "";
+		const parsedRule = parseTraefikRule(rule, {
+			source: options.sourceFile,
+			routerName,
+		});
+		warnings.push(...parsedRule.warnings);
+
+		const middlewareResult = collectRouterMiddlewares(
+			router.middlewares,
+			mergedMiddlewares,
+			{ ...options, routerName },
+		);
+		warnings.push(...middlewareResult.warnings);
+
+		const serviceName = router.service;
+		const serviceResult = middlewareResult.redirectScheme
+			? { upstreams: [], warnings: [] }
+			: getServiceUpstreams(serviceName, config, { ...options, routerName });
+		warnings.push(...serviceResult.warnings);
+
+		const tls = asRecord(routerRecord.tls);
+		if (tls.certResolver && tls.certResolver !== "letsencrypt") {
+			warnings.push(
+				warning(
+					`Custom certResolver "${tls.certResolver}" has no direct Caddy mapping`,
+					{
+						source: options.sourceFile,
+						routerName,
+						code: "unsupported-router",
+					},
+				),
+			);
+		}
+
+		parsedRule.matches.forEach((match, index) => {
+			routes.push({
+				id: `${toSafeId(options.sourceFile ?? "dynamic")}-${routerName}${parsedRule.matches.length > 1 ? `-${index + 1}` : ""}`,
+				source: "traefik-dynamic-file",
+				hosts: match.hosts,
+				pathPrefix: match.pathPrefix,
+				pathExact: match.pathExact,
+				https: middlewareResult.redirectScheme
+					? false
+					: routerUsesHttps(routerRecord),
+				priority: router.priority ?? null,
+				upstreams: serviceResult.upstreams,
+				transforms: middlewareResult.transforms,
+				allowedRemoteIps: middlewareResult.allowedRemoteIps,
+				basicAuth: middlewareResult.basicAuth.length
+					? middlewareResult.basicAuth
+					: null,
+				redirectScheme: middlewareResult.redirectScheme,
+			});
+		});
+	}
+
+	const fragment: CaddyRouteFragment = {
+		version: CADDY_FRAGMENT_VERSION,
+		id:
+			options.fragmentId ??
+			`migration.traefik-dynamic.${toSafeId(options.sourceFile ?? "manual")}`,
+		source: "traefik-dynamic-file",
+		description: options.sourceFile
+			? `Migrated Traefik dynamic file ${options.sourceFile}`
+			: "Migrated Traefik dynamic config",
+		routes,
+	};
+
+	return { fragment, routes, warnings };
+};
diff --git a/packages/server/src/utils/caddy/migration/files.ts b/packages/server/src/utils/caddy/migration/files.ts
new file mode 100644
index 0000000000..b5bcbc7cc6
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/files.ts
@@ -0,0 +1,335 @@
+import { randomUUID } from "node:crypto";
+import {
+	copyFileSync,
+	existsSync,
+	mkdirSync,
+	readdirSync,
+	readFileSync,
+	renameSync,
+	rmSync,
+	statSync,
+	writeFileSync,
+} from "node:fs";
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import { execAsyncRemote } from "@dokploy/server/utils/process/execAsync";
+import { quote } from "shell-quote";
+import type {
+	CaddyMigrationArtifactPaths,
+	CaddyMigrationReport,
+} from "./types";
+
+export const assertSafeMigrationId = (migrationId: string) => {
+	if (
+		!/^[a-zA-Z0-9_.-]+$/.test(migrationId) ||
+		migrationId === "." ||
+		migrationId === ".." ||
+		migrationId.split(".").some((segment) => segment === "")
+	) {
+		throw new Error(
+			`Invalid Caddy migration id "${migrationId}". Use letters, numbers, dash, underscore, or dot only; dot path segments are not allowed.`,
+		);
+	}
+};
+
+const assertPosixPathWithinBase = (basePath: string, targetPath: string) => {
+	const resolvedBase = path.posix.resolve(basePath);
+	const resolvedTarget = path.posix.resolve(targetPath);
+	if (
+		resolvedTarget !== resolvedBase &&
+		!resolvedTarget.startsWith(`${resolvedBase}/`)
+	) {
+		throw new Error(`Resolved path "${targetPath}" escapes "${basePath}"`);
+	}
+};
+
+export const createCaddyMigrationId = () =>
+	`caddy-${new Date()
+		.toISOString()
+		.replace(/[^0-9]/g, "")
+		.slice(0, 14)}-${randomUUID().slice(0, 8)}`;
+
+export const getCaddyMigrationArtifactPaths = (
+	migrationId: string,
+	serverId?: string | null,
+): CaddyMigrationArtifactPaths => {
+	assertSafeMigrationId(migrationId);
+	const migrationsPath = paths(!!serverId).CADDY_MIGRATIONS_PATH;
+	const root = path.posix.join(migrationsPath, migrationId);
+	assertPosixPathWithinBase(migrationsPath, root);
+	return {
+		root,
+		reportJson: path.posix.join(root, "report.json"),
+		reportMd: path.posix.join(root, "report.md"),
+		caddyJson: path.posix.join(root, "caddy.json"),
+		fragmentsDir: path.posix.join(root, "fragments"),
+		backupsDir: path.posix.join(root, "backups"),
+	};
+};
+
+const encodeBase64 = (content: string) =>
+	Buffer.from(content, "utf8").toString("base64");
+
+export const ensureMigrationDirectory = async (
+	dirPath: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		await execAsyncRemote(serverId, `mkdir -p ${quote([dirPath])}`);
+		return;
+	}
+	mkdirSync(dirPath, { recursive: true });
+};
+
+export const writeMigrationTextFile = async (
+	filePath: string,
+	content: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		const tempPath = `${filePath}.tmp-${Date.now()}`;
+		await execAsyncRemote(
+			serverId,
+			[
+				`mkdir -p ${quote([path.posix.dirname(filePath)])}`,
+				`printf %s ${quote([encodeBase64(content)])} | base64 -d > ${quote([
+					tempPath,
+				])}`,
+				`mv ${quote([tempPath])} ${quote([filePath])}`,
+			].join(" && "),
+		);
+		return;
+	}
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, content, "utf8");
+};
+
+export const readMigrationTextFileIfExists = async (
+	filePath: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		const { stdout } = await execAsyncRemote(
+			serverId,
+			`if [ -f ${quote([filePath])} ]; then cat ${quote([filePath])}; fi`,
+		);
+		return stdout || null;
+	}
+	if (!existsSync(filePath)) return null;
+	return readFileSync(filePath, "utf8");
+};
+
+export const readRequiredMigrationTextFile = async (
+	filePath: string,
+	serverId?: string | null,
+) => {
+	const content = await readMigrationTextFileIfExists(filePath, serverId);
+	if (content === null) {
+		throw new Error(`Migration file not found: ${filePath}`);
+	}
+	return content;
+};
+
+export const listMigrationFiles = async (
+	dirPath: string,
+	serverId?: string | null,
+	extensions: string[] = [],
+) => {
+	if (serverId) {
+		const extensionExpression = extensions.length
+			? extensions.map((ext) => `-name '*${ext}'`).join(" -o ")
+			: "-type f";
+		const { stdout } = await execAsyncRemote(
+			serverId,
+			`if [ -d ${quote([dirPath])} ]; then find ${quote([
+				dirPath,
+			])} -maxdepth 1 -type f \\( ${extensionExpression} \\) | sort; fi`,
+		);
+		return stdout
+			.split("\n")
+			.map((item) => item.trim())
+			.filter(Boolean);
+	}
+	if (!existsSync(dirPath)) return [];
+	return readdirSync(dirPath)
+		.filter((fileName) =>
+			extensions.length
+				? extensions.some((ext) => fileName.endsWith(ext))
+				: true,
+		)
+		.sort()
+		.map((fileName) => path.join(dirPath, fileName));
+};
+
+export const migrationPathExists = async (
+	target: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		const { stdout } = await execAsyncRemote(
+			serverId,
+			`if [ -e ${quote([target])} ]; then echo yes; fi`,
+		);
+		return stdout.trim() === "yes";
+	}
+	return existsSync(target);
+};
+
+export const acquireCaddyMigrationOperationLock = async (
+	migrationId: string,
+	serverId?: string | null,
+) => {
+	const artifactPaths = getCaddyMigrationArtifactPaths(migrationId, serverId);
+	const lockPath = path.posix.join(artifactPaths.root, ".operation.lock");
+	const errorMessage = `Caddy migration ${migrationId} already has an apply or rollback operation in progress`;
+
+	if (serverId) {
+		try {
+			await execAsyncRemote(
+				serverId,
+				`mkdir ${quote([lockPath])} 2>/dev/null || { echo ${quote([
+					errorMessage,
+				])} >&2; exit 70; }`,
+			);
+		} catch {
+			throw new Error(errorMessage);
+		}
+	} else {
+		try {
+			mkdirSync(lockPath);
+		} catch {
+			throw new Error(errorMessage);
+		}
+	}
+
+	let released = false;
+	return async () => {
+		if (released) return;
+		released = true;
+		await removeMigrationPath(lockPath, serverId);
+	};
+};
+
+const copyLocalPath = (source: string, destination: string) => {
+	const stats = statSync(source);
+	if (stats.isDirectory()) {
+		mkdirSync(destination, { recursive: true });
+		for (const entry of readdirSync(source)) {
+			copyLocalPath(path.join(source, entry), path.join(destination, entry));
+		}
+		return;
+	}
+	mkdirSync(path.dirname(destination), { recursive: true });
+	writeFileSync(destination, readFileSync(source));
+};
+
+export const copyMigrationPath = async (
+	source: string,
+	destination: string,
+	serverId?: string | null,
+) => {
+	const tempDestination = `${destination}.tmp-${Date.now()}`;
+	if (serverId) {
+		await execAsyncRemote(
+			serverId,
+			[
+				`test -e ${quote([source])}`,
+				`rm -rf ${quote([tempDestination])}`,
+				`mkdir -p ${quote([path.posix.dirname(destination)])}`,
+				`cp -a ${quote([source])} ${quote([tempDestination])}`,
+				`rm -rf ${quote([destination])}`,
+				`mv ${quote([tempDestination])} ${quote([destination])}`,
+			].join(" && "),
+		);
+		return;
+	}
+	if (!existsSync(source)) {
+		throw new Error(`Migration source path not found: ${source}`);
+	}
+	rmSync(tempDestination, { force: true, recursive: true });
+	mkdirSync(path.dirname(destination), { recursive: true });
+	copyLocalPath(source, tempDestination);
+	rmSync(destination, { force: true, recursive: true });
+	renameSync(tempDestination, destination);
+};
+
+export const copyMigrationFileInPlace = async (
+	source: string,
+	destination: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		const copyInPlaceCommand = [
+			`test -f ${quote([source])}`,
+			`test -f ${quote([destination])}`,
+			`cp ${quote([source])} ${quote([destination])}`,
+		].join(" && ");
+		try {
+			await execAsyncRemote(serverId, copyInPlaceCommand);
+			return;
+		} catch {
+			await copyMigrationPath(source, destination, serverId);
+			return;
+		}
+	}
+	if (
+		existsSync(source) &&
+		statSync(source).isFile() &&
+		existsSync(destination)
+	) {
+		const destinationStats = statSync(destination);
+		if (destinationStats.isFile()) {
+			copyFileSync(source, destination);
+			return;
+		}
+	}
+	await copyMigrationPath(source, destination, serverId);
+};
+
+export const removeMigrationPath = async (
+	target: string,
+	serverId?: string | null,
+) => {
+	if (serverId) {
+		await execAsyncRemote(serverId, `rm -rf ${quote([target])}`);
+		return;
+	}
+	rmSync(target, { force: true, recursive: true });
+};
+
+export const loadCaddyMigrationReport = async (
+	migrationId: string,
+	serverId?: string | null,
+): Promise<CaddyMigrationReport> => {
+	const artifactPaths = getCaddyMigrationArtifactPaths(migrationId, serverId);
+	const content = await readRequiredMigrationTextFile(
+		artifactPaths.reportJson,
+		serverId,
+	);
+	return JSON.parse(content) as CaddyMigrationReport;
+};
+
+export const writeCaddyMigrationReport = async (
+	report: CaddyMigrationReport,
+	serverId?: string | null,
+) => {
+	const nextReport = {
+		...report,
+		updatedAt: new Date().toISOString(),
+	};
+	await writeMigrationTextFile(
+		nextReport.artifactPaths.reportJson,
+		`${JSON.stringify(nextReport, null, 2)}\n`,
+		serverId,
+	);
+	return nextReport;
+};
+
+export const appendCaddyMigrationEvent = (
+	report: CaddyMigrationReport,
+	type: string,
+	message: string,
+): CaddyMigrationReport => ({
+	...report,
+	events: [...report.events, { at: new Date().toISOString(), type, message }],
+});
diff --git a/packages/server/src/utils/caddy/migration/prepare.ts b/packages/server/src/utils/caddy/migration/prepare.ts
new file mode 100644
index 0000000000..aa52f57d73
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/prepare.ts
@@ -0,0 +1,1014 @@
+import { isIP } from "node:net";
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import { db } from "@dokploy/server/db";
+import { applications, compose } from "@dokploy/server/db/schema";
+import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import { createCaddyComposeRouteFragment } from "@dokploy/server/utils/caddy/compose";
+import {
+	compileCaddyConfig,
+	parseCaddyUpstream,
+	readCaddyRouteFragments,
+} from "@dokploy/server/utils/caddy/config";
+import {
+	createCaddyApplicationRouteFragment,
+	getUnsupportedCaddyDomainFieldMessages,
+} from "@dokploy/server/utils/caddy/domain";
+import type { CaddyRouteFragment } from "@dokploy/server/utils/caddy/types";
+import {
+	DOKPLOY_CADDY_NETWORK,
+	getCaddyComposeNetworkAlias,
+	getCaddyComposeRuntimeTarget,
+} from "@dokploy/server/utils/caddy/upstream-targets";
+import {
+	loadDockerCompose,
+	loadDockerComposeRemote,
+} from "@dokploy/server/utils/docker/domain";
+import type {
+	ComposeSpecification,
+	ListOrDict,
+} from "@dokploy/server/utils/docker/types";
+import { getComposeContainer } from "@dokploy/server/utils/docker/utils";
+import { getRemoteDocker } from "@dokploy/server/utils/servers/remote-docker";
+import type {
+	FileConfig,
+	HttpMiddleware,
+} from "@dokploy/server/utils/traefik/file-types";
+import { eq, isNull } from "drizzle-orm";
+import { parse } from "yaml";
+import { translateTraefikComposeLabelsToCaddyFragment } from "./compose-label-translator";
+import { translateTraefikDynamicConfigToCaddyFragment } from "./dynamic-file-translator";
+import {
+	createCaddyMigrationId,
+	ensureMigrationDirectory,
+	getCaddyMigrationArtifactPaths,
+	listMigrationFiles,
+	readMigrationTextFileIfExists,
+	writeCaddyMigrationReport,
+	writeMigrationTextFile,
+} from "./files";
+import type { CaddyMigrationReport, CaddyMigrationWarning } from "./types";
+
+const CADDY_FRAGMENT_VERSION = 1;
+
+const warning = (
+	message: string,
+	options: Partial<CaddyMigrationWarning> = {},
+): CaddyMigrationWarning => ({
+	code: options.code ?? "missing-input",
+	message,
+	blocking: options.blocking ?? false,
+	source: options.source,
+	routerName: options.routerName,
+	serviceName: options.serviceName,
+	middlewareName: options.middlewareName,
+	label: options.label,
+});
+
+const safeFragmentIdPart = (value: string) =>
+	value.replace(/[^a-zA-Z0-9_.-]+/g, "-").replace(/^-+|-+$/g, "") || "source";
+
+const addFragment = (
+	fragments: CaddyRouteFragment[],
+	fragment: CaddyRouteFragment,
+) => {
+	if (!fragment.routes.length) return;
+	const existing = new Set(fragments.map((item) => item.id));
+	let nextFragment = fragment;
+	let index = 2;
+	while (existing.has(nextFragment.id)) {
+		nextFragment = { ...fragment, id: `${fragment.id}.${index}` };
+		index++;
+	}
+	fragments.push(nextFragment);
+};
+
+const labelsToStrings = (labels: ListOrDict | undefined) => {
+	if (!labels) return [];
+	if (Array.isArray(labels)) return labels.map(String);
+	return Object.entries(labels).map(([key, value]) =>
+		value === null ? key : `${key}=${value}`,
+	);
+};
+
+const labelsHaveTraefikHttp = (labels: ListOrDict | undefined) =>
+	labelsToStrings(labels).some((label) => label.startsWith("traefik.http."));
+
+const isSecurityMiddlewareWarning = (item: CaddyMigrationWarning) =>
+	item.code === "unsupported-security-middleware";
+
+const hasTraefikHttpLabelMap = (labels: Record<string, string> | undefined) =>
+	labels
+		? Object.keys(labels).some((label) => label.startsWith("traefik.http."))
+		: false;
+
+const getTraefikNetworkLabel = (labels: Record<string, string> | undefined) =>
+	labels?.["traefik.swarm.network"] ??
+	labels?.["traefik.docker.network"] ??
+	DOKPLOY_CADDY_NETWORK;
+
+const splitDialHost = (dial: string) => {
+	const index = dial.lastIndexOf(":");
+	return index === -1 ? dial : dial.slice(0, index);
+};
+
+const isDockerLocalHost = (host: string) => !isIP(host) && !host.includes(".");
+
+const getRunningTaskCounts = (tasks: any[]) => {
+	const counts = new Map<string, number>();
+	for (const task of tasks) {
+		const serviceId = task.ServiceID;
+		if (
+			typeof serviceId !== "string" ||
+			task.DesiredState !== "running" ||
+			task.Status?.State !== "running"
+		) {
+			continue;
+		}
+		counts.set(serviceId, (counts.get(serviceId) ?? 0) + 1);
+	}
+	return counts;
+};
+
+const getRunningServiceTasks = (
+	service: any,
+	runningTaskCounts?: Map<string, number>,
+) => {
+	if (runningTaskCounts && typeof service.ID === "string") {
+		return runningTaskCounts.get(service.ID) ?? 0;
+	}
+	const runningTasks = service.ServiceStatus?.RunningTasks;
+	if (typeof runningTasks === "number") return runningTasks;
+	const replicas = service.Spec?.Mode?.Replicated?.Replicas;
+	return typeof replicas === "number" ? replicas : 1;
+};
+
+const getPrimaryContainerName = (container: any) => {
+	const names = Array.isArray(container.Names) ? container.Names : [];
+	return names[0]?.replace(/^\//, "") ?? container.Names?.[0] ?? null;
+};
+
+const addContainerNetworkAliases = (hosts: Set<string>, container: any) => {
+	const networks = container.NetworkSettings?.Networks ?? {};
+	for (const network of Object.values(networks) as any[]) {
+		for (const alias of network?.Aliases ?? []) {
+			if (
+				typeof alias === "string" &&
+				alias &&
+				!/^[a-f0-9]{12,64}$/.test(alias)
+			) {
+				hosts.add(alias);
+			}
+		}
+	}
+};
+
+const inspectContainer = async (docker: any, container: any) => {
+	const containerId = container.Id ?? container.ID;
+	if (typeof containerId !== "string" || !containerId) return null;
+	if (typeof docker.getContainer !== "function") return null;
+	try {
+		return await docker.getContainer(containerId).inspect();
+	} catch {
+		return null;
+	}
+};
+
+const getLiveDockerTraefikFragments = async (
+	serverId: string | undefined,
+	fileMiddlewares: Record<string, HttpMiddleware>,
+) => {
+	const docker = await getRemoteDocker(serverId);
+	const hosts = new Set<string>();
+	const fragments: CaddyRouteFragment[] = [];
+	const warnings: CaddyMigrationWarning[] = [];
+
+	const [services, containers, tasks] = await Promise.all([
+		docker.listServices().catch(() => []),
+		docker.listContainers().catch(() => []),
+		typeof docker.listTasks === "function"
+			? docker.listTasks().catch(() => null)
+			: Promise.resolve(null),
+	]);
+	const runningTaskCounts = Array.isArray(tasks)
+		? getRunningTaskCounts(tasks)
+		: undefined;
+
+	for (const service of services as any[]) {
+		const serviceName = service.Spec?.Name;
+		if (typeof serviceName !== "string" || !serviceName) continue;
+		if (getRunningServiceTasks(service, runningTaskCounts) <= 0) continue;
+		hosts.add(serviceName);
+		hosts.add(`tasks.${serviceName}`);
+		const labels = service.Spec?.Labels as Record<string, string> | undefined;
+		if (!hasTraefikHttpLabelMap(labels)) continue;
+		const translated = translateTraefikComposeLabelsToCaddyFragment(labels, {
+			sourceFile: `docker-service/${serviceName}`,
+			appName: serviceName,
+			serviceName,
+			upstreamServiceName: serviceName,
+			upstreamNetwork: getTraefikNetworkLabel(labels),
+			composeType: "stack",
+			fileMiddlewares,
+		});
+		warnings.push(...translated.warnings.filter(isSecurityMiddlewareWarning));
+		addFragment(fragments, {
+			...translated.fragment,
+			id: `migration.traefik-docker-label.service.${safeFragmentIdPart(
+				serviceName,
+			)}`,
+		});
+	}
+
+	for (const container of containers as any[]) {
+		const containerName = getPrimaryContainerName(container);
+		if (!containerName) continue;
+		hosts.add(containerName);
+		for (const name of container.Names ?? []) {
+			if (typeof name === "string") hosts.add(name.replace(/^\//, ""));
+		}
+		addContainerNetworkAliases(hosts, container);
+		const inspectedContainer = await inspectContainer(docker, container);
+		if (inspectedContainer) {
+			addContainerNetworkAliases(hosts, inspectedContainer);
+		}
+		const labels = container.Labels as Record<string, string> | undefined;
+		if (
+			!hasTraefikHttpLabelMap(labels) ||
+			labels?.["com.docker.swarm.service.name"]
+		) {
+			continue;
+		}
+		const translated = translateTraefikComposeLabelsToCaddyFragment(labels, {
+			sourceFile: `docker-container/${containerName}`,
+			appName: containerName,
+			serviceName: containerName,
+			upstreamServiceName: containerName,
+			upstreamNetwork: getTraefikNetworkLabel(labels),
+			fileMiddlewares,
+		});
+		warnings.push(...translated.warnings.filter(isSecurityMiddlewareWarning));
+		addFragment(fragments, {
+			...translated.fragment,
+			id: `migration.traefik-docker-label.container.${safeFragmentIdPart(
+				containerName,
+			)}`,
+		});
+	}
+
+	return {
+		fragments,
+		warnings,
+		hosts,
+		canPrune:
+			hosts.has("dokploy") ||
+			hosts.has("dokploy-traefik") ||
+			fragments.length > 0,
+	};
+};
+
+const getLocalOrRemoteComposeSpec = async (
+	composeEntity: typeof compose.$inferSelect,
+) => {
+	const loaded = composeEntity.serverId
+		? await loadDockerComposeRemote(composeEntity)
+		: await loadDockerCompose(composeEntity);
+	if (loaded) return loaded;
+	if (composeEntity.composeFile?.trim()) {
+		return parse(composeEntity.composeFile, {
+			maxAliasCount: 10000,
+		}) as ComposeSpecification;
+	}
+	return null;
+};
+
+const resolveFinalComposeServiceName = (
+	composeEntity: typeof compose.$inferSelect,
+	composeSpec: ComposeSpecification | null,
+	serviceName: string,
+) => {
+	if (!composeSpec?.services) {
+		return composeEntity.randomize || composeEntity.isolatedDeployment
+			? null
+			: serviceName;
+	}
+	if (composeSpec.services[serviceName]) {
+		return serviceName;
+	}
+	const suffix = composeEntity.randomize
+		? composeEntity.suffix
+		: composeEntity.isolatedDeployment
+			? composeEntity.suffix || composeEntity.appName
+			: null;
+	if (suffix && composeSpec.services[`${serviceName}-${suffix}`]) {
+		return `${serviceName}-${suffix}`;
+	}
+	return null;
+};
+
+const getServiceNetworkAliases = (
+	composeSpec: ComposeSpecification | null,
+	serviceName: string,
+	network: string,
+) => {
+	const networks = composeSpec?.services?.[serviceName]?.networks;
+	if (!networks || Array.isArray(networks)) return [];
+	const attachment = networks[network];
+	return attachment?.aliases ?? [];
+};
+
+const getComposeServiceContainerName = async (
+	composeEntity: typeof compose.$inferSelect,
+	finalServiceName: string,
+) => {
+	try {
+		const container = await getComposeContainer(
+			composeEntity as never,
+			finalServiceName,
+		);
+		return container?.Names?.[0]?.replace(/^\//, "") ?? null;
+	} catch {
+		return null;
+	}
+};
+
+const resolveMigrationComposeUpstreamTarget = async (
+	composeEntity: typeof compose.$inferSelect,
+	composeSpec: ComposeSpecification | null,
+	finalServiceName: string,
+) => {
+	const runtimeTarget = getCaddyComposeRuntimeTarget(
+		composeEntity,
+		finalServiceName,
+	);
+
+	if (
+		composeEntity.composeType === "stack" ||
+		composeEntity.isolatedDeployment
+	) {
+		return runtimeTarget;
+	}
+
+	const expectedAlias = getCaddyComposeNetworkAlias(
+		composeEntity.appName,
+		finalServiceName,
+	);
+	if (
+		getServiceNetworkAliases(
+			composeSpec,
+			finalServiceName,
+			DOKPLOY_CADDY_NETWORK,
+		).includes(expectedAlias)
+	) {
+		return runtimeTarget;
+	}
+
+	const containerName =
+		composeSpec?.services?.[finalServiceName]?.container_name;
+	if (typeof containerName === "string" && containerName.trim()) {
+		return {
+			host: containerName.trim(),
+			network: DOKPLOY_CADDY_NETWORK,
+		};
+	}
+
+	const runningContainerName = await getComposeServiceContainerName(
+		composeEntity,
+		finalServiceName,
+	);
+	if (runningContainerName) {
+		return {
+			host: runningContainerName,
+			network: DOKPLOY_CADDY_NETWORK,
+		};
+	}
+
+	return runtimeTarget;
+};
+
+const routeCoverageKey = (route: CaddyRouteFragment["routes"][number]) =>
+	route.hosts
+		.map((host) =>
+			[
+				host,
+				route.pathPrefix ?? "",
+				route.pathExact ?? "",
+				route.https ? "https" : "http",
+			].join("\0"),
+		)
+		.sort();
+
+type MigrationRoute = CaddyRouteFragment["routes"][number];
+
+const pathMatchesOverlap = (
+	left: Pick<MigrationRoute, "pathExact" | "pathPrefix">,
+	right: Pick<MigrationRoute, "pathExact" | "pathPrefix">,
+) => {
+	const leftExact = left.pathExact ?? null;
+	const rightExact = right.pathExact ?? null;
+	const leftPrefix = left.pathPrefix ?? null;
+	const rightPrefix = right.pathPrefix ?? null;
+
+	if (!leftExact && !leftPrefix) return true;
+	if (!rightExact && !rightPrefix) return true;
+	if (leftExact && rightExact) return leftExact === rightExact;
+	if (leftExact && rightPrefix) return leftExact.startsWith(rightPrefix);
+	if (leftPrefix && rightExact) return rightExact.startsWith(leftPrefix);
+	if (leftPrefix && rightPrefix) {
+		return (
+			leftPrefix.startsWith(rightPrefix) || rightPrefix.startsWith(leftPrefix)
+		);
+	}
+	return false;
+};
+
+const routesOverlap = (left: MigrationRoute, right: MigrationRoute) => {
+	if (left.https !== right.https) return false;
+	if (!left.hosts.some((host) => right.hosts.includes(host))) return false;
+	return pathMatchesOverlap(left, right);
+};
+
+const warnOnManualFragmentConflicts = (
+	fragments: CaddyRouteFragment[],
+	warnings: CaddyMigrationWarning[],
+) => {
+	const manualFragments = fragments.filter(
+		(fragment) => fragment.source === "manual",
+	);
+	const generatedFragments = fragments.filter(
+		(fragment) => fragment.source !== "manual",
+	);
+	const seen = new Set<string>();
+
+	for (const manualFragment of manualFragments) {
+		for (const manualRoute of manualFragment.routes) {
+			for (const generatedFragment of generatedFragments) {
+				for (const generatedRoute of generatedFragment.routes) {
+					if (!routesOverlap(manualRoute, generatedRoute)) continue;
+					const key = [
+						manualFragment.id,
+						manualRoute.id,
+						generatedFragment.id,
+						generatedRoute.id,
+					].join("\0");
+					if (seen.has(key)) continue;
+					seen.add(key);
+					warnings.push(
+						warning(
+							`Manual Caddy route "${manualRoute.id}" overlaps generated migration route "${generatedRoute.id}" for at least one host/path`,
+							{
+								code: "conflicting-manual-fragment",
+								source: manualFragment.id,
+								blocking: true,
+							},
+						),
+					);
+				}
+			}
+		}
+	}
+};
+
+const reconcileDbFallbackRoutes = (
+	fragments: CaddyRouteFragment[],
+	warnings: CaddyMigrationWarning[],
+) => {
+	const migratedCoverage = new Set<string>();
+	for (const fragment of fragments) {
+		if (
+			fragment.source !== "traefik-compose-label" &&
+			fragment.source !== "traefik-dynamic-file"
+		) {
+			continue;
+		}
+		for (const route of fragment.routes) {
+			if (route.redirectScheme || !route.upstreams.length) continue;
+			for (const key of routeCoverageKey(route)) {
+				migratedCoverage.add(key);
+			}
+		}
+	}
+
+	const reconciled: CaddyRouteFragment[] = [];
+	for (const fragment of fragments) {
+		if (
+			fragment.source !== "dokploy-compose" &&
+			fragment.source !== "dokploy-application"
+		) {
+			reconciled.push(fragment);
+			continue;
+		}
+
+		const nextRoutes = fragment.routes.filter((route) => {
+			const shadowed = routeCoverageKey(route).some((key) =>
+				migratedCoverage.has(key),
+			);
+			if (shadowed) {
+				warnings.push(
+					warning(
+						`Dropped DB fallback route "${route.id}" because a migrated Traefik route covers the same host/path`,
+						{
+							code: "shadowed-route",
+							source: fragment.id,
+							blocking: false,
+						},
+					),
+				);
+			}
+			return !shadowed;
+		});
+
+		if (nextRoutes.length) {
+			reconciled.push({ ...fragment, routes: nextRoutes });
+		}
+	}
+
+	return reconciled;
+};
+
+const pruneUnreachableDockerUpstreams = (
+	fragments: CaddyRouteFragment[],
+	warnings: CaddyMigrationWarning[],
+	reachableDockerHosts: Set<string>,
+) => {
+	const reconciled: CaddyRouteFragment[] = [];
+	for (const fragment of fragments) {
+		const nextRoutes: CaddyRouteFragment["routes"] = [];
+		for (const route of fragment.routes) {
+			if (route.redirectScheme || !route.upstreams.length) {
+				nextRoutes.push(route);
+				continue;
+			}
+			const upstreams = route.upstreams.filter((upstream) => {
+				let host = "";
+				try {
+					host = splitDialHost(parseCaddyUpstream(upstream).dial);
+				} catch {
+					return true;
+				}
+				if (!isDockerLocalHost(host) || reachableDockerHosts.has(host)) {
+					return true;
+				}
+				warnings.push(
+					warning(
+						`Route "${route.id}" upstream "${upstream}" did not match a running Docker service, container, or network alias for "${host}"`,
+						{
+							code: "unreachable-upstream",
+							source: fragment.id,
+							blocking: true,
+						},
+					),
+				);
+				return true;
+			});
+			if (upstreams.length) {
+				nextRoutes.push({ ...route, upstreams });
+			}
+		}
+		if (nextRoutes.length) {
+			reconciled.push({ ...fragment, routes: nextRoutes });
+		}
+	}
+	return reconciled;
+};
+
+const readTraefikStaticConfig = async (serverId?: string) => {
+	const configPath = path.posix.join(
+		paths(!!serverId).MAIN_TRAEFIK_PATH,
+		"traefik.yml",
+	);
+	const content = await readMigrationTextFileIfExists(configPath, serverId);
+	return { path: configPath, content };
+};
+
+const getLetsEncryptEmail = async (serverId?: string) => {
+	if (serverId) return null;
+	const settings = await getWebServerSettings();
+	return settings?.letsEncryptEmail ?? null;
+};
+
+const renderReportMarkdown = (report: CaddyMigrationReport) => {
+	const blocking = report.warnings.filter((item) => item.blocking);
+	return [
+		`# Caddy Migration ${report.migrationId}`,
+		"",
+		`Status: **${report.status}**`,
+		`Server: ${report.serverId ?? "local"}`,
+		`Created: ${report.createdAt}`,
+		"",
+		"## Summary",
+		`- Fragments: ${report.summary.fragments}`,
+		`- Routes: ${report.summary.routes}`,
+		`- Warnings: ${report.summary.warnings}`,
+		`- Blocking warnings: ${report.summary.blockingWarnings}`,
+		`- Validation: ${report.validation.status}${report.validation.message ? ` (${report.validation.message})` : ""}`,
+		"",
+		"## Inputs",
+		`- Traefik static config: ${report.inputs.traefikStaticConfigFound ? report.inputs.traefikStaticConfigPath : "not found"}`,
+		`- Dynamic files: ${report.inputs.dynamicFiles.length}`,
+		`- DB application domains: ${report.inputs.dbApplicationDomains}`,
+		`- DB compose domains: ${report.inputs.dbComposeDomains}`,
+		`- Compose files scanned: ${report.inputs.composeFilesScanned.length}`,
+		`- Compose files skipped: ${report.inputs.composeFilesSkipped.length}`,
+		"",
+		"## Blocking warnings",
+		blocking.length
+			? blocking
+					.map(
+						(item) =>
+							`- [${item.code}] ${item.message}${item.source ? ` (${item.source})` : ""}`,
+					)
+					.join("\n")
+			: "None",
+		"",
+		"## All warnings",
+		report.warnings.length
+			? report.warnings
+					.map(
+						(item) =>
+							`- ${item.blocking ? "BLOCKING" : "info"} [${item.code}] ${item.message}${item.source ? ` (${item.source})` : ""}`,
+					)
+					.join("\n")
+			: "None",
+		"",
+	].join("\n");
+};
+
+export const prepareCaddyMigration = async (
+	input: { serverId?: string } = {},
+) => {
+	const serverId = input.serverId;
+	const migrationId = createCaddyMigrationId();
+	const artifactPaths = getCaddyMigrationArtifactPaths(migrationId, serverId);
+	await ensureMigrationDirectory(artifactPaths.fragmentsDir, serverId);
+	await ensureMigrationDirectory(artifactPaths.backupsDir, serverId);
+
+	const createdAt = new Date().toISOString();
+	let fragments: CaddyRouteFragment[] = [];
+	const warnings: CaddyMigrationWarning[] = [];
+	const composeFilesScanned: string[] = [];
+	const composeFilesSkipped: Array<{ path: string; reason: string }> = [];
+	const fileMiddlewares: Record<string, HttpMiddleware> = {};
+	let reachableDockerHosts = new Set<string>();
+	let canPruneUnreachableDockerUpstreams = false;
+
+	try {
+		const existingManualFragments = (
+			await readCaddyRouteFragments({ serverId })
+		).filter((fragment) => fragment.source === "manual");
+		for (const fragment of existingManualFragments) {
+			addFragment(fragments, fragment);
+		}
+	} catch (error) {
+		warnings.push(
+			warning(
+				`Unable to read existing manual Caddy fragments: ${
+					error instanceof Error ? error.message : "unknown error"
+				}`,
+				{
+					code: "missing-input",
+					blocking: false,
+				},
+			),
+		);
+	}
+
+	const staticConfig = await readTraefikStaticConfig(serverId);
+	const dynamicFileContents: Array<{
+		file: string;
+		content: string;
+		config?: FileConfig;
+	}> = [];
+	if (!staticConfig.content) {
+		warnings.push(
+			warning("Traefik static config was not found", {
+				source: staticConfig.path,
+			}),
+		);
+	}
+
+	const dynamicFiles = await listMigrationFiles(
+		paths(!!serverId).DYNAMIC_TRAEFIK_PATH,
+		serverId,
+		[".yml", ".yaml"],
+	);
+	for (const dynamicFile of dynamicFiles) {
+		const content = await readMigrationTextFileIfExists(dynamicFile, serverId);
+		if (!content) continue;
+		try {
+			const config = parse(content) as FileConfig;
+			Object.assign(fileMiddlewares, config.http?.middlewares ?? {});
+			dynamicFileContents.push({ file: dynamicFile, content, config });
+		} catch {
+			dynamicFileContents.push({ file: dynamicFile, content });
+		}
+	}
+	for (const dynamicFile of dynamicFileContents) {
+		const translated = translateTraefikDynamicConfigToCaddyFragment(
+			dynamicFile.config ?? dynamicFile.content,
+			{
+				sourceFile: path.posix.basename(dynamicFile.file),
+				fileMiddlewares,
+			},
+		);
+		warnings.push(...translated.warnings);
+		addFragment(fragments, translated.fragment);
+	}
+	try {
+		const liveDockerLabels = await getLiveDockerTraefikFragments(
+			serverId,
+			fileMiddlewares,
+		);
+		reachableDockerHosts = liveDockerLabels.hosts;
+		canPruneUnreachableDockerUpstreams = liveDockerLabels.canPrune;
+		warnings.push(...liveDockerLabels.warnings);
+		for (const fragment of liveDockerLabels.fragments) {
+			addFragment(fragments, fragment);
+		}
+	} catch (error) {
+		warnings.push(
+			warning(
+				`Unable to inspect live Docker Traefik labels: ${
+					error instanceof Error ? error.message : "unknown error"
+				}`,
+				{
+					code: "missing-input",
+					blocking: false,
+				},
+			),
+		);
+	}
+
+	const appWhere = serverId
+		? eq(applications.serverId, serverId)
+		: isNull(applications.serverId);
+	const applicationRows = await db.query.applications.findMany({
+		where: appWhere,
+		with: { domains: true },
+	});
+	let applicationDomainCount = 0;
+	for (const app of applicationRows) {
+		for (const domain of app.domains ?? []) {
+			applicationDomainCount++;
+			const unsupportedFields = getUnsupportedCaddyDomainFieldMessages(domain);
+			if (unsupportedFields.length) {
+				warnings.push(
+					warning(
+						`Application domain "${domain.host}" uses unsupported Caddy fields: ${unsupportedFields.join("; ")}`,
+						{
+							blocking: true,
+							code: "unsupported-domain-field",
+							source: app.appName,
+						},
+					),
+				);
+				continue;
+			}
+			addFragment(
+				fragments,
+				createCaddyApplicationRouteFragment(app as never, domain),
+			);
+		}
+	}
+
+	const composeWhere = serverId
+		? eq(compose.serverId, serverId)
+		: isNull(compose.serverId);
+	const composeRows = await db.query.compose.findMany({
+		where: composeWhere,
+		with: { domains: true },
+	});
+	let composeDomainCount = 0;
+	for (const composeEntity of composeRows) {
+		let composeSpec: ComposeSpecification | null = null;
+		try {
+			composeSpec = await getLocalOrRemoteComposeSpec(composeEntity);
+		} catch (error) {
+			composeFilesSkipped.push({
+				path: composeEntity.appName,
+				reason:
+					error instanceof Error
+						? error.message
+						: "Unable to read compose file",
+			});
+		}
+
+		for (const domain of composeEntity.domains ?? []) {
+			composeDomainCount++;
+			const unsupportedFields = getUnsupportedCaddyDomainFieldMessages(domain);
+			if (unsupportedFields.length) {
+				warnings.push(
+					warning(
+						`Compose domain "${domain.host}" uses unsupported Caddy fields: ${unsupportedFields.join("; ")}`,
+						{
+							blocking: true,
+							code: "unsupported-domain-field",
+							source: composeEntity.appName,
+							serviceName: domain.serviceName ?? undefined,
+						},
+					),
+				);
+				continue;
+			}
+			if (!domain.serviceName) {
+				warnings.push(
+					warning(`Compose domain "${domain.host}" is missing a service name`, {
+						blocking: true,
+						source: composeEntity.appName,
+						serviceName: domain.serviceName ?? undefined,
+					}),
+				);
+				continue;
+			}
+			const finalServiceName = resolveFinalComposeServiceName(
+				composeEntity,
+				composeSpec,
+				domain.serviceName,
+			);
+			if (!finalServiceName) {
+				warnings.push(
+					warning(
+						`Compose domain "${domain.host}" references service "${domain.serviceName}" that could not be verified in the compose file`,
+						{
+							blocking: true,
+							source: composeEntity.appName,
+							serviceName: domain.serviceName,
+						},
+					),
+				);
+				continue;
+			}
+			const upstreamTarget = await resolveMigrationComposeUpstreamTarget(
+				composeEntity,
+				composeSpec,
+				finalServiceName,
+			);
+			addFragment(
+				fragments,
+				createCaddyComposeRouteFragment(
+					composeEntity,
+					domain,
+					finalServiceName,
+					{
+						upstreamServiceName: upstreamTarget.host,
+						upstreamNetwork: upstreamTarget.network,
+					},
+				),
+			);
+		}
+
+		if (!composeSpec?.services) {
+			composeFilesSkipped.push({
+				path: composeEntity.appName,
+				reason: "Compose file not found or has no services",
+			});
+			continue;
+		}
+
+		composeFilesScanned.push(composeEntity.appName);
+		for (const [serviceName, service] of Object.entries(composeSpec.services)) {
+			const labelSources: Array<{
+				labels: ListOrDict | undefined;
+				suffix: string;
+			}> = [
+				{ labels: service.labels, suffix: "labels" },
+				{ labels: service.deploy?.labels, suffix: "deploy.labels" },
+			].filter((labelSource) => labelsHaveTraefikHttp(labelSource.labels));
+			if (!labelSources.length) continue;
+
+			const labelFinalServiceName =
+				resolveFinalComposeServiceName(
+					composeEntity,
+					composeSpec,
+					serviceName,
+				) ?? serviceName;
+			const upstreamTarget = await resolveMigrationComposeUpstreamTarget(
+				composeEntity,
+				composeSpec,
+				labelFinalServiceName,
+			);
+			for (const labelSource of labelSources) {
+				const translated = translateTraefikComposeLabelsToCaddyFragment(
+					labelSource.labels,
+					{
+						sourceFile: `${composeEntity.appName}/${serviceName}/${labelSource.suffix}`,
+						appName: composeEntity.appName,
+						domains: composeEntity.domains ?? [],
+						serviceName,
+						upstreamServiceName: upstreamTarget.host,
+						upstreamNetwork: upstreamTarget.network,
+						composeType: composeEntity.composeType,
+						fileMiddlewares,
+					},
+				);
+				warnings.push(
+					...translated.warnings.filter(
+						(item) =>
+							!translated.classifications.every(
+								(classification) => classification.dokployGenerated,
+							) || isSecurityMiddlewareWarning(item),
+					),
+				);
+				addFragment(fragments, {
+					...translated.fragment,
+					id: `migration.traefik-compose-label.${safeFragmentIdPart(
+						`${composeEntity.appName}.${serviceName}.${labelSource.suffix}`,
+					)}`,
+				});
+			}
+		}
+	}
+
+	fragments = reconcileDbFallbackRoutes(fragments, warnings);
+	if (canPruneUnreachableDockerUpstreams && reachableDockerHosts.size) {
+		fragments = pruneUnreachableDockerUpstreams(
+			fragments,
+			warnings,
+			reachableDockerHosts,
+		);
+	}
+	warnOnManualFragmentConflicts(fragments, warnings);
+
+	let config: ReturnType<typeof compileCaddyConfig>;
+	let validation: CaddyMigrationReport["validation"];
+	try {
+		config = compileCaddyConfig({
+			fragments,
+			letsEncryptEmail: await getLetsEncryptEmail(serverId),
+		});
+		validation = {
+			status: "passed",
+			message:
+				"Draft config compiled successfully; container validation runs during apply",
+		};
+	} catch (error) {
+		config = compileCaddyConfig();
+		const message =
+			error instanceof Error ? error.message : "Draft Caddy config is invalid";
+		warnings.push(
+			warning(message, {
+				code: "validation-failed",
+				blocking: true,
+			}),
+		);
+		validation = { status: "failed", message };
+	}
+
+	for (const fragment of fragments) {
+		await writeMigrationTextFile(
+			path.posix.join(artifactPaths.fragmentsDir, `${fragment.id}.json`),
+			`${JSON.stringify(fragment, null, 2)}\n`,
+			serverId,
+		);
+	}
+	await writeMigrationTextFile(
+		artifactPaths.caddyJson,
+		`${JSON.stringify(config, null, 2)}\n`,
+		serverId,
+	);
+
+	const report: CaddyMigrationReport = {
+		migrationId,
+		serverId: serverId ?? null,
+		createdAt,
+		updatedAt: createdAt,
+		status: "prepared",
+		sourceProvider: "traefik",
+		targetProvider: "caddy",
+		artifactPaths,
+		inputs: {
+			traefikStaticConfigPath: staticConfig.path,
+			traefikStaticConfigFound: Boolean(staticConfig.content),
+			dynamicFiles,
+			dbApplicationDomains: applicationDomainCount,
+			dbComposeDomains: composeDomainCount,
+			composeFilesScanned,
+			composeFilesSkipped,
+		},
+		summary: {
+			fragments: fragments.length,
+			routes: fragments.reduce(
+				(total, fragment) => total + fragment.routes.length,
+				0,
+			),
+			warnings: warnings.length,
+			blockingWarnings: warnings.filter((item) => item.blocking).length,
+		},
+		validation,
+		warnings,
+		events: [
+			{
+				at: createdAt,
+				type: "prepared",
+				message: "Dry-run Caddy migration artifacts generated",
+			},
+		],
+	};
+	await writeCaddyMigrationReport(report, serverId);
+	await writeMigrationTextFile(
+		artifactPaths.reportMd,
+		renderReportMarkdown(report),
+		serverId,
+	);
+	return report;
+};
diff --git a/packages/server/src/utils/caddy/migration/rollback.ts b/packages/server/src/utils/caddy/migration/rollback.ts
new file mode 100644
index 0000000000..f43519b8a1
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/rollback.ts
@@ -0,0 +1,238 @@
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import {
+	ensureTraefikRunningFromSnapshot,
+	stopDockerResource,
+} from "@dokploy/server/services/settings";
+import {
+	updateLocalWebServerProvider,
+	updateRemoteWebServerProvider,
+} from "@dokploy/server/services/web-server-settings";
+import {
+	acquireCaddyMigrationOperationLock,
+	appendCaddyMigrationEvent,
+	copyMigrationPath,
+	getCaddyMigrationArtifactPaths,
+	loadCaddyMigrationReport,
+	migrationPathExists,
+	readMigrationTextFileIfExists,
+	removeMigrationPath,
+	writeCaddyMigrationReport,
+} from "./files";
+import type {
+	CaddyMigrationReport,
+	CaddyMigrationResourceSnapshot,
+} from "./types";
+
+const updateProviderToTraefik = async (serverId?: string | null) => {
+	if (serverId) {
+		await updateRemoteWebServerProvider(serverId, "traefik");
+		return;
+	}
+	await updateLocalWebServerProvider("traefik");
+};
+
+const restorePathFromBackup = async (
+	backupSource: string,
+	liveDestination: string,
+	existed?: boolean,
+	serverId?: string | null,
+) => {
+	if (existed === true) {
+		if (!(await migrationPathExists(backupSource, serverId))) {
+			throw new Error(
+				`Cannot restore ${liveDestination}: backup path is missing at ${backupSource}`,
+			);
+		}
+		await copyMigrationPath(backupSource, liveDestination, serverId);
+		return;
+	}
+	if (existed === false) {
+		await removeMigrationPath(liveDestination, serverId);
+	}
+};
+
+const loadRestoreSnapshots = async (
+	report: CaddyMigrationReport,
+	serverId?: string | null,
+): Promise<{
+	traefikResource?: CaddyMigrationResourceSnapshot;
+	caddyResource?: CaddyMigrationResourceSnapshot;
+}> => {
+	const restoreSnapshotPath = report.backup?.restoreSnapshotPath;
+	if (!restoreSnapshotPath) {
+		return {
+			traefikResource: report.backup?.traefikResource,
+			caddyResource: report.backup?.caddyResource,
+		};
+	}
+	const content = await readMigrationTextFileIfExists(
+		restoreSnapshotPath,
+		serverId,
+	);
+	if (!content) {
+		return {
+			traefikResource: report.backup?.traefikResource,
+			caddyResource: report.backup?.caddyResource,
+		};
+	}
+	return JSON.parse(content) as {
+		traefikResource?: CaddyMigrationResourceSnapshot;
+		caddyResource?: CaddyMigrationResourceSnapshot;
+	};
+};
+
+export const rollbackCaddyMigration = async (input: {
+	migrationId: string;
+	serverId?: string;
+	skipOperationLock?: boolean;
+}) => {
+	const releaseLock = input.skipOperationLock
+		? null
+		: await acquireCaddyMigrationOperationLock(
+				input.migrationId,
+				input.serverId,
+			);
+	try {
+		return await rollbackCaddyMigrationUnlocked(input);
+	} finally {
+		await releaseLock?.();
+	}
+};
+
+const rollbackCaddyMigrationUnlocked = async (input: {
+	migrationId: string;
+	serverId?: string;
+}) => {
+	const serverId = input.serverId;
+	let report = await loadCaddyMigrationReport(input.migrationId, serverId);
+	if (!report.backup) {
+		throw new Error(
+			`Cannot roll back Caddy migration ${input.migrationId}: no backup metadata is available`,
+		);
+	}
+	report = await writeCaddyMigrationReport(
+		appendCaddyMigrationEvent(
+			{ ...report, status: "rolling_back" },
+			"rolling_back",
+			"Rolling back Caddy migration to Traefik",
+		),
+		serverId,
+	);
+
+	try {
+		await stopDockerResource("dokploy-caddy", serverId);
+
+		const caddyPaths = paths(!!serverId);
+		const backup = report.backup;
+		if (!backup) {
+			throw new Error(
+				`Cannot roll back Caddy migration ${input.migrationId}: no backup metadata is available`,
+			);
+		}
+		const backupRoot = path.posix.join(
+			report.artifactPaths.backupsDir,
+			"caddy",
+		);
+		const backupFiles = backup.files ?? [];
+		const backedUpCaddyConfig = backupFiles.find(
+			(item) => item.label === "caddy-config",
+		);
+		const backedUpCaddyFragments = backupFiles.find(
+			(item) => item.label === "caddy-fragments",
+		);
+		const backedUpTraefikStatic = backupFiles.find(
+			(item) => item.label === "traefik-static",
+		);
+		const backedUpTraefikDynamic = backupFiles.find(
+			(item) => item.label === "traefik-dynamic",
+		);
+
+		await restorePathFromBackup(
+			backedUpCaddyConfig?.backupPath ??
+				path.posix.join(backupRoot, "caddy.json"),
+			caddyPaths.CADDY_CONFIG_PATH,
+			backedUpCaddyConfig?.existed,
+			serverId,
+		);
+		await restorePathFromBackup(
+			backedUpCaddyFragments?.backupPath ??
+				path.posix.join(backupRoot, "fragments"),
+			caddyPaths.CADDY_FRAGMENTS_PATH,
+			backedUpCaddyFragments?.existed,
+			serverId,
+		);
+		await restorePathFromBackup(
+			backedUpTraefikStatic?.backupPath ??
+				path.posix.join(
+					report.artifactPaths.backupsDir,
+					"traefik",
+					"traefik.yml",
+				),
+			path.posix.join(caddyPaths.MAIN_TRAEFIK_PATH, "traefik.yml"),
+			backedUpTraefikStatic?.existed,
+			serverId,
+		);
+		await restorePathFromBackup(
+			backedUpTraefikDynamic?.backupPath ??
+				path.posix.join(report.artifactPaths.backupsDir, "traefik", "dynamic"),
+			caddyPaths.DYNAMIC_TRAEFIK_PATH,
+			backedUpTraefikDynamic?.existed,
+			serverId,
+		);
+
+		const restoreSnapshots = await loadRestoreSnapshots(report, serverId);
+		await ensureTraefikRunningFromSnapshot(
+			restoreSnapshots.traefikResource ?? backup.traefikResource,
+			serverId,
+		);
+		await updateProviderToTraefik(serverId);
+
+		report = await writeCaddyMigrationReport(
+			appendCaddyMigrationEvent(
+				{ ...report, status: "rolled_back" },
+				"rolled_back",
+				"Rollback completed; Traefik is the active provider",
+			),
+			serverId,
+		);
+		return report;
+	} catch (error) {
+		const message =
+			error instanceof Error
+				? error.message
+				: "Caddy migration rollback failed";
+		const failedReport: CaddyMigrationReport = {
+			...report,
+			status: "failed",
+			warnings: [
+				...report.warnings,
+				{
+					code: "rollback-failed",
+					message,
+					blocking: true,
+				},
+			],
+			summary: {
+				...report.summary,
+				warnings: report.summary.warnings + 1,
+				blockingWarnings: report.summary.blockingWarnings + 1,
+			},
+		};
+		await writeCaddyMigrationReport(
+			appendCaddyMigrationEvent(failedReport, "rollback_failed", message),
+			serverId,
+		);
+		throw error;
+	}
+};
+
+export const getCaddyMigrationReport = async (input: {
+	migrationId: string;
+	serverId?: string;
+}) => loadCaddyMigrationReport(input.migrationId, input.serverId);
+
+export const getCaddyMigrationPaths = (input: {
+	migrationId: string;
+	serverId?: string;
+}) => getCaddyMigrationArtifactPaths(input.migrationId, input.serverId);
diff --git a/packages/server/src/utils/caddy/migration/traefik-rule-parser.ts b/packages/server/src/utils/caddy/migration/traefik-rule-parser.ts
new file mode 100644
index 0000000000..a4b923d55e
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/traefik-rule-parser.ts
@@ -0,0 +1,337 @@
+import type { CaddyMigrationWarning, TraefikRuleMatch } from "./types";
+
+interface ParseOptions {
+	source?: string;
+	routerName?: string;
+}
+
+type TokenType =
+	| "identifier"
+	| "string"
+	| "and"
+	| "or"
+	| "lparen"
+	| "rparen"
+	| "comma";
+
+interface Token {
+	type: TokenType;
+	value: string;
+}
+
+type RuleNode =
+	| { type: "matcher"; name: string; args: string[] }
+	| { type: "and" | "or"; left: RuleNode; right: RuleNode };
+
+const warning = (
+	message: string,
+	options: ParseOptions,
+	code: CaddyMigrationWarning["code"] = "unsupported-rule",
+): CaddyMigrationWarning => ({
+	code,
+	message,
+	blocking: true,
+	source: options.source,
+	routerName: options.routerName,
+});
+
+const tokenizeRule = (rule: string, options: ParseOptions) => {
+	const tokens: Token[] = [];
+	let index = 0;
+
+	while (index < rule.length) {
+		const char = rule[index] ?? "";
+		if (/\s/.test(char)) {
+			index += 1;
+			continue;
+		}
+		if (rule.startsWith("&&", index)) {
+			tokens.push({ type: "and", value: "&&" });
+			index += 2;
+			continue;
+		}
+		if (rule.startsWith("||", index)) {
+			tokens.push({ type: "or", value: "||" });
+			index += 2;
+			continue;
+		}
+		if (char === "(") {
+			tokens.push({ type: "lparen", value: char });
+			index += 1;
+			continue;
+		}
+		if (char === ")") {
+			tokens.push({ type: "rparen", value: char });
+			index += 1;
+			continue;
+		}
+		if (char === ",") {
+			tokens.push({ type: "comma", value: char });
+			index += 1;
+			continue;
+		}
+		if (char === "`" || char === "'" || char === '"') {
+			const quote = char;
+			let value = "";
+			index += 1;
+			while (index < rule.length && rule[index] !== quote) {
+				value += rule[index] ?? "";
+				index += 1;
+			}
+			if (rule[index] !== quote) {
+				throw new Error(
+					warning("Unterminated string in Traefik rule", options).message,
+				);
+			}
+			index += 1;
+			tokens.push({ type: "string", value });
+			continue;
+		}
+		if (/[A-Za-z]/.test(char)) {
+			let value = "";
+			while (index < rule.length && /[A-Za-z0-9_]/.test(rule[index] ?? "")) {
+				value += rule[index] ?? "";
+				index += 1;
+			}
+			tokens.push({ type: "identifier", value });
+			continue;
+		}
+		throw new Error(
+			warning(`Unsupported token "${char}" in Traefik rule`, options).message,
+		);
+	}
+
+	return tokens;
+};
+
+class RuleParser {
+	private index = 0;
+
+	constructor(
+		private readonly tokens: Token[],
+		private readonly options: ParseOptions,
+	) {}
+
+	parse() {
+		const expression = this.parseOr();
+		if (this.peek()) {
+			throw new Error(
+				warning(
+					`Unexpected token "${this.peek()?.value}" in Traefik rule`,
+					this.options,
+				).message,
+			);
+		}
+		return expression;
+	}
+
+	private peek() {
+		return this.tokens[this.index];
+	}
+
+	private consume(type?: TokenType) {
+		const token = this.tokens[this.index];
+		if (!token || (type && token.type !== type)) {
+			throw new Error(
+				warning(`Expected ${type ?? "token"} in Traefik rule`, this.options)
+					.message,
+			);
+		}
+		this.index += 1;
+		return token;
+	}
+
+	private parseOr(): RuleNode {
+		let node = this.parseAnd();
+		while (this.peek()?.type === "or") {
+			this.consume("or");
+			node = { type: "or", left: node, right: this.parseAnd() };
+		}
+		return node;
+	}
+
+	private parseAnd(): RuleNode {
+		let node = this.parsePrimary();
+		while (this.peek()?.type === "and") {
+			this.consume("and");
+			node = { type: "and", left: node, right: this.parsePrimary() };
+		}
+		return node;
+	}
+
+	private parsePrimary(): RuleNode {
+		const token = this.peek();
+		if (token?.type === "lparen") {
+			this.consume("lparen");
+			const node = this.parseOr();
+			this.consume("rparen");
+			return node;
+		}
+		if (token?.type !== "identifier") {
+			throw new Error(
+				warning("Expected Traefik matcher in rule", this.options).message,
+			);
+		}
+
+		const name = this.consume("identifier").value;
+		this.consume("lparen");
+		const args: string[] = [];
+		while (this.peek()?.type !== "rparen") {
+			args.push(this.consume("string").value);
+			if (this.peek()?.type === "comma") {
+				this.consume("comma");
+			} else if (this.peek()?.type !== "rparen") {
+				throw new Error(
+					warning(`Expected comma in ${name} matcher`, this.options).message,
+				);
+			}
+		}
+		this.consume("rparen");
+		return { type: "matcher", name, args };
+	}
+}
+
+const mergeMatches = (
+	left: TraefikRuleMatch,
+	right: TraefikRuleMatch,
+	warnings: CaddyMigrationWarning[],
+	options: ParseOptions,
+): TraefikRuleMatch | null => {
+	const hosts = [...new Set([...left.hosts, ...right.hosts])];
+	const pathPrefix = left.pathPrefix ?? right.pathPrefix ?? null;
+	const pathExact = left.pathExact ?? right.pathExact ?? null;
+
+	if (
+		left.pathPrefix &&
+		right.pathPrefix &&
+		left.pathPrefix !== right.pathPrefix
+	) {
+		warnings.push(
+			warning(
+				`Multiple PathPrefix matchers cannot be represented as one Caddy route: ${left.pathPrefix}, ${right.pathPrefix}`,
+				options,
+			),
+		);
+		return null;
+	}
+	if (left.pathExact && right.pathExact && left.pathExact !== right.pathExact) {
+		warnings.push(
+			warning(
+				`Multiple Path matchers cannot be represented as one Caddy route: ${left.pathExact}, ${right.pathExact}`,
+				options,
+			),
+		);
+		return null;
+	}
+	if (pathPrefix && pathExact) {
+		warnings.push(
+			warning(
+				`Combined Path and PathPrefix matchers cannot be represented as one Caddy route: ${pathExact}, ${pathPrefix}`,
+				options,
+			),
+		);
+		return null;
+	}
+
+	return { hosts, pathPrefix, pathExact };
+};
+
+const expandRuleNode = (
+	node: RuleNode,
+	warnings: CaddyMigrationWarning[],
+	options: ParseOptions,
+): TraefikRuleMatch[] => {
+	if (node.type === "matcher") {
+		if (node.name === "Host") {
+			return [{ hosts: [...new Set(node.args)] }];
+		}
+		if (node.name === "PathPrefix") {
+			return node.args.map((pathPrefix) => ({ hosts: [], pathPrefix }));
+		}
+		if (node.name === "Path") {
+			return node.args.map((pathExact) => ({ hosts: [], pathExact }));
+		}
+		warnings.push(
+			warning(
+				`Unsupported Traefik matcher "${node.name}" in rule`,
+				options,
+				"unsupported-matcher",
+			),
+		);
+		return [];
+	}
+
+	const left = expandRuleNode(node.left, warnings, options);
+	const right = expandRuleNode(node.right, warnings, options);
+	if (node.type === "or") {
+		return [...left, ...right];
+	}
+
+	const merged: TraefikRuleMatch[] = [];
+	for (const leftMatch of left) {
+		for (const rightMatch of right) {
+			const match = mergeMatches(leftMatch, rightMatch, warnings, options);
+			if (match) {
+				merged.push(match);
+			}
+		}
+	}
+	return merged;
+};
+
+const normalizeMatches = (
+	matches: TraefikRuleMatch[],
+	warnings: CaddyMigrationWarning[],
+	options: ParseOptions,
+) => {
+	const grouped = new Map<string, TraefikRuleMatch>();
+	for (const match of matches) {
+		if (!match.hosts.length) {
+			warnings.push(
+				warning("Traefik rule did not include a Host matcher", options),
+			);
+			continue;
+		}
+
+		const key = `${match.pathPrefix ?? ""}\u0000${match.pathExact ?? ""}`;
+		const existing = grouped.get(key);
+		if (existing) {
+			existing.hosts = [...new Set([...existing.hosts, ...match.hosts])];
+		} else {
+			grouped.set(key, {
+				...match,
+				hosts: [...new Set(match.hosts)],
+			});
+		}
+	}
+	return [...grouped.values()];
+};
+
+export const parseTraefikRule = (
+	rule: string,
+	options: ParseOptions = {},
+): { matches: TraefikRuleMatch[]; warnings: CaddyMigrationWarning[] } => {
+	const warnings: CaddyMigrationWarning[] = [];
+	try {
+		const tokens = tokenizeRule(rule, options);
+		const ast = new RuleParser(tokens, options).parse();
+		const matches = normalizeMatches(
+			expandRuleNode(ast, warnings, options),
+			warnings,
+			options,
+		);
+		return { matches, warnings };
+	} catch (error) {
+		return {
+			matches: [],
+			warnings: [
+				warning(
+					error instanceof Error
+						? error.message
+						: "Failed to parse Traefik rule",
+					options,
+				),
+			],
+		};
+	}
+};
diff --git a/packages/server/src/utils/caddy/migration/types.ts b/packages/server/src/utils/caddy/migration/types.ts
new file mode 100644
index 0000000000..7181be586f
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/types.ts
@@ -0,0 +1,194 @@
+import type {
+	CaddyHeaderMap,
+	CaddyRouteRedirectScheme,
+	CaddyRouteTransform,
+} from "../types";
+
+export type CaddyMigrationWarningCode =
+	| "unsupported-rule"
+	| "unsupported-matcher"
+	| "unsupported-router"
+	| "unsupported-service"
+	| "unsupported-middleware"
+	| "unsupported-security-middleware"
+	| "unsupported-domain-field"
+	| "unresolved-middleware"
+	| "unresolved-service"
+	| "shadowed-route"
+	| "conflicting-manual-fragment"
+	| "unreachable-upstream"
+	| "invalid-label"
+	| "invalid-config"
+	| "missing-input"
+	| "validation-failed"
+	| "health-check-failed"
+	| "backup-failed"
+	| "apply-failed"
+	| "rollback-failed";
+
+export interface CaddyMigrationWarning {
+	code: CaddyMigrationWarningCode;
+	message: string;
+	blocking: boolean;
+	source?: string;
+	routerName?: string;
+	serviceName?: string;
+	middlewareName?: string;
+	label?: string;
+}
+
+export interface CaddyMiddlewareTranslation {
+	transforms: CaddyRouteTransform;
+	basicAuth: { username: string; hash: string }[];
+	allowedRemoteIps?: string[] | null;
+	redirectScheme?: CaddyRouteRedirectScheme | null;
+	warnings: CaddyMigrationWarning[];
+}
+
+export type ResolvedCaddyMiddleware = Omit<
+	CaddyMiddlewareTranslation,
+	"warnings"
+>;
+
+export type KnownTraefikMiddlewareMap = Record<
+	string,
+	Partial<ResolvedCaddyMiddleware> & {
+		transforms?: CaddyRouteTransform;
+		basicAuth?: { username: string; hash: string }[];
+		responseHeaders?: CaddyHeaderMap;
+		requestHeaders?: CaddyHeaderMap;
+	}
+>;
+
+export interface TraefikRuleMatch {
+	hosts: string[];
+	pathPrefix?: string | null;
+	pathExact?: string | null;
+}
+
+export type CaddyMigrationStatus =
+	| "prepared"
+	| "applying"
+	| "applied"
+	| "failed"
+	| "rolling_back"
+	| "rolled_back";
+
+export interface CaddyMigrationArtifactPaths {
+	root: string;
+	reportJson: string;
+	reportMd: string;
+	caddyJson: string;
+	fragmentsDir: string;
+	backupsDir: string;
+}
+
+export interface CaddyMigrationFileBackup {
+	label: string;
+	source: string;
+	backupPath: string;
+	existed: boolean;
+}
+
+export interface CaddyMigrationResourceSnapshot {
+	resourceName: string;
+	resourceType: "service" | "standalone" | "unknown";
+	running: boolean;
+	replicas?: number;
+	env?: string;
+	additionalPorts?: {
+		targetPort: number;
+		publishedPort: number;
+		protocol?: string;
+	}[];
+	image?: string;
+	binds?: string[];
+	mounts?: Array<Record<string, unknown>>;
+	networks?: Array<string | Record<string, unknown>>;
+	labels?: Record<string, string>;
+	containerLabels?: Record<string, string>;
+	placement?: Record<string, unknown>;
+	endpointPorts?: Array<Record<string, unknown>>;
+	restartPolicy?: Record<string, unknown>;
+}
+
+export interface CaddyMigrationBackupSummary {
+	createdAt: string;
+	traefikResource?: CaddyMigrationResourceSnapshot;
+	caddyResource?: CaddyMigrationResourceSnapshot;
+	restoreSnapshotPath?: string;
+	files?: CaddyMigrationFileBackup[];
+}
+
+export interface CaddyMigrationRuntimePreflightRoute {
+	routeId: string;
+	routeHosts: string[];
+	source: string;
+	sourceFragment?: string;
+	upstream: string;
+	normalizedHost: string;
+	normalizedPort: number;
+	network: string;
+}
+
+export interface CaddyMigrationRuntimePreflightCheck {
+	dial: string;
+	host: string;
+	port: number;
+	network: string;
+	status: "passed" | "failed";
+	reason?: string;
+	routes: CaddyMigrationRuntimePreflightRoute[];
+}
+
+export interface CaddyMigrationRuntimePreflight {
+	status: "passed" | "failed" | "skipped";
+	checkedAt?: string;
+	network: string;
+	networks?: string[];
+	probeMode?: "standalone" | "service";
+	probeImage: string;
+	checks: CaddyMigrationRuntimePreflightCheck[];
+}
+
+export interface CaddyMigrationReport {
+	migrationId: string;
+	serverId: string | null;
+	createdAt: string;
+	updatedAt: string;
+	status: CaddyMigrationStatus;
+	sourceProvider: "traefik";
+	targetProvider: "caddy";
+	artifactPaths: CaddyMigrationArtifactPaths;
+	inputs: {
+		traefikStaticConfigPath: string;
+		traefikStaticConfigFound: boolean;
+		dynamicFiles: string[];
+		dbApplicationDomains: number;
+		dbComposeDomains: number;
+		composeFilesScanned: string[];
+		composeFilesSkipped: Array<{ path: string; reason: string }>;
+	};
+	summary: {
+		fragments: number;
+		routes: number;
+		warnings: number;
+		blockingWarnings: number;
+	};
+	validation: {
+		status: "passed" | "failed" | "skipped";
+		message?: string;
+	};
+	runtimePreflight?: CaddyMigrationRuntimePreflight;
+	warnings: CaddyMigrationWarning[];
+	backup?: CaddyMigrationBackupSummary;
+	events: Array<{
+		at: string;
+		type: string;
+		message: string;
+	}>;
+}
+
+export const createMigrationWarning = (
+	warning: CaddyMigrationWarning,
+): CaddyMigrationWarning => warning;
diff --git a/packages/server/src/utils/caddy/migration/upstream-preflight.ts b/packages/server/src/utils/caddy/migration/upstream-preflight.ts
new file mode 100644
index 0000000000..1c2693e830
--- /dev/null
+++ b/packages/server/src/utils/caddy/migration/upstream-preflight.ts
@@ -0,0 +1,336 @@
+import {
+	execAsync,
+	execAsyncRemote,
+} from "@dokploy/server/utils/process/execAsync";
+import { quote } from "shell-quote";
+import { parseCaddyUpstream } from "../config";
+import type { CaddyRouteFragment } from "../types";
+import { DOKPLOY_CADDY_NETWORK } from "../upstream-targets";
+import { listMigrationFiles, readRequiredMigrationTextFile } from "./files";
+import type {
+	CaddyMigrationReport,
+	CaddyMigrationRuntimePreflight,
+	CaddyMigrationRuntimePreflightCheck,
+	CaddyMigrationRuntimePreflightRoute,
+} from "./types";
+
+const PROBE_IMAGE = "busybox:1.36";
+const DEFAULT_PROBE_NETWORK = DOKPLOY_CADDY_NETWORK;
+type ProbeMode = "standalone" | "service";
+
+const runCommand = async (command: string, serverId?: string) => {
+	if (serverId) {
+		return execAsyncRemote(serverId, command);
+	}
+	return execAsync(command);
+};
+
+const splitDial = (dial: string) => {
+	const separatorIndex = dial.lastIndexOf(":");
+	if (separatorIndex === -1) {
+		throw new Error("normalized upstream dial is missing a port");
+	}
+	const host = dial.slice(0, separatorIndex);
+	const port = Number(dial.slice(separatorIndex + 1));
+	if (!host || !Number.isInteger(port)) {
+		throw new Error("normalized upstream dial is invalid");
+	}
+	return { host, port };
+};
+
+const routeRefsFromFragment = (
+	fragment: CaddyRouteFragment,
+): {
+	refs: CaddyMigrationRuntimePreflightRoute[];
+	invalidChecks: CaddyMigrationRuntimePreflightCheck[];
+} => {
+	const refs: CaddyMigrationRuntimePreflightRoute[] = [];
+	const invalidChecks: CaddyMigrationRuntimePreflightCheck[] = [];
+	for (const route of fragment.routes) {
+		if (route.redirectScheme) continue;
+		for (const upstream of route.upstreams) {
+			let host = "";
+			let port = 0;
+			try {
+				const parsed = parseCaddyUpstream(upstream);
+				const normalized = splitDial(parsed.dial);
+				host = normalized.host;
+				port = normalized.port;
+			} catch (error) {
+				invalidChecks.push({
+					dial: upstream,
+					host: "",
+					port: 0,
+					status: "failed",
+					reason:
+						error instanceof Error ? error.message : "Invalid upstream format",
+					routes: [
+						{
+							routeId: route.id,
+							routeHosts: route.hosts,
+							source: route.source,
+							sourceFragment: fragment.id,
+							upstream,
+							normalizedHost: "",
+							normalizedPort: 0,
+							network: route.upstreamNetwork ?? DEFAULT_PROBE_NETWORK,
+						},
+					],
+					network: route.upstreamNetwork ?? DEFAULT_PROBE_NETWORK,
+				});
+				continue;
+			}
+			refs.push({
+				routeId: route.id,
+				routeHosts: route.hosts,
+				source: route.source,
+				sourceFragment: fragment.id,
+				upstream,
+				normalizedHost: host,
+				normalizedPort: port,
+				network: route.upstreamNetwork ?? DEFAULT_PROBE_NETWORK,
+			});
+		}
+	}
+	return { refs, invalidChecks };
+};
+
+const readPreflightInputs = async (
+	report: CaddyMigrationReport,
+	serverId?: string,
+) => {
+	const refs: CaddyMigrationRuntimePreflightRoute[] = [];
+	const invalidChecks: CaddyMigrationRuntimePreflightCheck[] = [];
+	const fragmentFiles = await listMigrationFiles(
+		report.artifactPaths.fragmentsDir,
+		serverId,
+		[".json"],
+	);
+	for (const fragmentFile of fragmentFiles) {
+		const content = await readRequiredMigrationTextFile(fragmentFile, serverId);
+		const fragment = JSON.parse(content) as CaddyRouteFragment;
+		const parsed = routeRefsFromFragment(fragment);
+		refs.push(...parsed.refs);
+		invalidChecks.push(...parsed.invalidChecks);
+	}
+	return { refs, invalidChecks };
+};
+
+const probeScript = [
+	'if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo passed; exit 0; fi',
+	'if ! nslookup "$1" >/dev/null 2>&1; then echo dns_failed; exit 10; fi',
+	"echo tcp_failed",
+	"exit 11",
+].join("; ");
+
+const parseProbeFailure = (error: unknown, output: string) => {
+	if (output.includes("dns_failed")) {
+		return "DNS resolution failed";
+	}
+	if (output.includes("tcp_failed")) {
+		return "TCP connection failed";
+	}
+	if (output) {
+		return output.split("\n").slice(-3).join("; ");
+	}
+	return error instanceof Error ? error.message : "upstream probe failed";
+};
+
+const shouldFallbackToServiceProbe = (reason: string) =>
+	[
+		/not manually attachable/i,
+		/not attachable/i,
+		/network .* not found/i,
+		/could not find network/i,
+		/only supported for user defined networks/i,
+		/error response from daemon/i,
+	].some((pattern) => pattern.test(reason));
+
+const probeStandaloneUpstream = async (
+	host: string,
+	port: number,
+	network: string,
+	serverId?: string,
+) => {
+	const command = [
+		"docker run --rm",
+		`--network ${quote([network])}`,
+		quote([PROBE_IMAGE]),
+		"sh -c",
+		quote([probeScript]),
+		"sh",
+		quote([host]),
+		quote([String(port)]),
+	].join(" ");
+
+	try {
+		const { stdout } = await runCommand(command, serverId);
+		return stdout.trim() === "passed"
+			? null
+			: stdout.trim() || "upstream probe did not report success";
+	} catch (error) {
+		const output =
+			`${(error as { stdout?: string }).stdout ?? ""}\n${(error as { stderr?: string }).stderr ?? ""}`.trim();
+		return parseProbeFailure(error, output);
+	}
+};
+
+const probeServiceUpstream = async (
+	host: string,
+	port: number,
+	network: string,
+	serverId?: string,
+) => {
+	const serviceName = `dokploy-caddy-preflight-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
+	const command = `
+set -e
+SERVICE_NAME=${quote([serviceName])}
+docker service rm "$SERVICE_NAME" >/dev/null 2>&1 || true
+trap 'docker service rm "$SERVICE_NAME" >/dev/null 2>&1 || true' EXIT
+docker service create --detach=true --name "$SERVICE_NAME" --restart-condition none --network ${quote([network])} ${quote([PROBE_IMAGE])} sh -c ${quote([probeScript])} sh ${quote([host])} ${quote([String(port)])} >/dev/null
+for i in $(seq 1 30); do
+	LOGS=$(docker service logs --raw "$SERVICE_NAME" 2>&1 || true)
+	if echo "$LOGS" | grep -Eq '(^|[[:space:]])(passed|dns_failed|tcp_failed)([[:space:]]|$)'; then
+		echo "$LOGS"
+		exit 0
+	fi
+	STATE=$(docker service ps "$SERVICE_NAME" --no-trunc --format '{{.CurrentState}} {{.Error}}' 2>&1 | head -n 1 || true)
+	if echo "$STATE" | grep -Eq 'Failed|Rejected|Complete|Shutdown'; then
+		echo "$LOGS"
+		echo "$STATE"
+		exit 0
+	fi
+	sleep 1
+done
+docker service logs --raw "$SERVICE_NAME" 2>&1 || true
+exit 12
+`;
+
+	try {
+		const { stdout } = await runCommand(command, serverId);
+		return stdout.trim().includes("passed")
+			? null
+			: parseProbeFailure(new Error("upstream service probe failed"), stdout);
+	} catch (error) {
+		const output =
+			`${(error as { stdout?: string }).stdout ?? ""}\n${(error as { stderr?: string }).stderr ?? ""}`.trim();
+		return parseProbeFailure(error, output);
+	}
+};
+
+const probeUpstream = async (
+	host: string,
+	port: number,
+	network: string,
+	serverId?: string,
+): Promise<{ failureReason: string | null; probeMode: ProbeMode }> => {
+	const standaloneFailure = await probeStandaloneUpstream(
+		host,
+		port,
+		network,
+		serverId,
+	);
+	if (!standaloneFailure) {
+		return { failureReason: null, probeMode: "standalone" };
+	}
+	if (!shouldFallbackToServiceProbe(standaloneFailure)) {
+		return { failureReason: standaloneFailure, probeMode: "standalone" };
+	}
+
+	const serviceFailure = await probeServiceUpstream(
+		host,
+		port,
+		network,
+		serverId,
+	);
+	if (!serviceFailure) {
+		return { failureReason: null, probeMode: "service" };
+	}
+	return {
+		failureReason: `standalone probe failed (${standaloneFailure}); service probe failed (${serviceFailure})`,
+		probeMode: "service",
+	};
+};
+
+export const runCaddyMigrationUpstreamPreflight = async (
+	report: CaddyMigrationReport,
+	input: { serverId?: string } = {},
+): Promise<CaddyMigrationRuntimePreflight> => {
+	const grouped = new Map<string, CaddyMigrationRuntimePreflightCheck>();
+	let refs: CaddyMigrationRuntimePreflightRoute[] = [];
+	let invalidChecks: CaddyMigrationRuntimePreflightCheck[] = [];
+	try {
+		const inputs = await readPreflightInputs(report, input.serverId);
+		refs = inputs.refs;
+		invalidChecks = inputs.invalidChecks;
+	} catch (error) {
+		return {
+			status: "failed",
+			checkedAt: new Date().toISOString(),
+			network: DEFAULT_PROBE_NETWORK,
+			networks: [DEFAULT_PROBE_NETWORK],
+			probeImage: PROBE_IMAGE,
+			checks: [
+				{
+					dial: "fragment-read",
+					host: "",
+					port: 0,
+					network: DEFAULT_PROBE_NETWORK,
+					status: "failed",
+					reason:
+						error instanceof Error
+							? error.message
+							: "Unable to read Caddy fragments",
+					routes: [],
+				},
+			],
+		};
+	}
+
+	for (const ref of refs) {
+		const dial = `${ref.normalizedHost}:${ref.normalizedPort}`;
+		const groupKey = `${ref.network}\0${dial}`;
+		grouped.set(groupKey, {
+			dial,
+			host: ref.normalizedHost,
+			port: ref.normalizedPort,
+			network: ref.network,
+			status: "passed",
+			routes: [...(grouped.get(groupKey)?.routes ?? []), ref],
+		});
+	}
+
+	const checks = [...invalidChecks, ...grouped.values()];
+	const probeableChecks = checks.filter((item) => item.port > 0);
+	let probeMode: ProbeMode = "standalone";
+	for (const check of probeableChecks) {
+		const probeResult = await probeUpstream(
+			check.host,
+			check.port,
+			check.network,
+			input.serverId,
+		);
+		if (probeResult.probeMode === "service") {
+			probeMode = "service";
+		}
+		const { failureReason } = probeResult;
+		if (failureReason) {
+			check.status = "failed";
+			check.reason = failureReason;
+		}
+	}
+	const networks = [...new Set(checks.map((check) => check.network))].sort();
+
+	return {
+		status: checks.some((check) => check.status === "failed")
+			? "failed"
+			: "passed",
+		checkedAt: new Date().toISOString(),
+		network:
+			networks.length === 1 ? (networks[0] ?? DEFAULT_PROBE_NETWORK) : "mixed",
+		networks,
+		probeMode,
+		probeImage: PROBE_IMAGE,
+		checks,
+	};
+};
diff --git a/packages/server/src/utils/caddy/types.ts b/packages/server/src/utils/caddy/types.ts
new file mode 100644
index 0000000000..e665b94402
--- /dev/null
+++ b/packages/server/src/utils/caddy/types.ts
@@ -0,0 +1,70 @@
+export type CaddyRouteSource =
+	| "dokploy-application"
+	| "dokploy-compose"
+	| "dokploy-dashboard"
+	| "manual"
+	| "traefik-dynamic-file"
+	| "traefik-compose-label";
+
+export type CaddyHeaderMap = Record<string, string | string[]>;
+
+export interface CaddyRouteTransform {
+	stripPrefix?: string | null;
+	addPrefix?: string | null;
+	requestHeaders?: CaddyHeaderMap | null;
+	responseHeaders?: CaddyHeaderMap | null;
+}
+
+export interface CaddyRouteRedirectScheme {
+	scheme: string;
+	permanent?: boolean | null;
+	port?: string | null;
+}
+
+export interface CaddyStaticResponse {
+	statusCode: number;
+	body?: string | null;
+	headers?: CaddyHeaderMap | null;
+}
+
+export interface CaddyBasicAuthAccount {
+	username: string;
+	hash: string;
+}
+
+export interface CaddyRouteIntent {
+	id: string;
+	source: CaddyRouteSource;
+	hosts: string[];
+	pathPrefix?: string | null;
+	pathExact?: string | null;
+	allowedRemoteIps?: string[] | null;
+	https?: boolean;
+	priority?: number | null;
+	upstreams: string[];
+	upstreamNetwork?: string | null;
+	transforms?: CaddyRouteTransform | null;
+	basicAuth?: CaddyBasicAuthAccount[] | null;
+	redirectScheme?: CaddyRouteRedirectScheme | null;
+	staticResponse?: CaddyStaticResponse | null;
+}
+
+export interface CaddyRouteFragment {
+	version: 1;
+	id: string;
+	source: CaddyRouteSource;
+	description?: string;
+	routes: CaddyRouteIntent[];
+}
+
+export interface CaddyCompileOptions {
+	fragments?: CaddyRouteFragment[];
+	routes?: CaddyRouteIntent[];
+	letsEncryptEmail?: string | null;
+}
+
+export type CaddyJsonObject = Record<string, unknown>;
+
+export interface CaddyFragmentStoreOptions {
+	serverId?: string;
+}
diff --git a/packages/server/src/utils/caddy/upstream-targets.ts b/packages/server/src/utils/caddy/upstream-targets.ts
new file mode 100644
index 0000000000..94a6063fe9
--- /dev/null
+++ b/packages/server/src/utils/caddy/upstream-targets.ts
@@ -0,0 +1,34 @@
+import type { Compose } from "@dokploy/server/services/compose";
+
+export const DOKPLOY_CADDY_NETWORK = "dokploy-network";
+
+export const getCaddyComposeNetworkAlias = (
+	appName: string,
+	finalServiceName: string,
+) => `${appName}-${finalServiceName}`;
+
+export const getCaddyComposeRuntimeTarget = (
+	compose: Pick<Compose, "appName" | "composeType" | "isolatedDeployment">,
+	finalServiceName: string,
+) => {
+	if (compose.composeType === "stack") {
+		return {
+			host: `${compose.appName}_${finalServiceName}`,
+			network: compose.isolatedDeployment
+				? compose.appName
+				: DOKPLOY_CADDY_NETWORK,
+		};
+	}
+
+	if (compose.isolatedDeployment) {
+		return {
+			host: finalServiceName,
+			network: compose.appName,
+		};
+	}
+
+	return {
+		host: getCaddyComposeNetworkAlias(compose.appName, finalServiceName),
+		network: DOKPLOY_CADDY_NETWORK,
+	};
+};
diff --git a/packages/server/src/utils/caddy/web-server.ts b/packages/server/src/utils/caddy/web-server.ts
new file mode 100644
index 0000000000..20fe80b204
--- /dev/null
+++ b/packages/server/src/utils/caddy/web-server.ts
@@ -0,0 +1,60 @@
+import type { webServerSettings } from "@dokploy/server/db/schema/web-server-settings";
+import {
+	compileWriteAndReloadCaddyConfigSafely,
+	removeCaddyRouteFragment,
+	writeCaddyRouteFragment,
+} from "./config";
+import type { CaddyRouteFragment, CaddyRouteIntent } from "./types";
+import { DOKPLOY_CADDY_NETWORK } from "./upstream-targets";
+
+const CADDY_FRAGMENT_VERSION = 1;
+const DASHBOARD_FRAGMENT_ID = "dashboard.dokploy";
+
+const toPunycode = (host: string): string => {
+	try {
+		return new URL(`http://${host}`).hostname;
+	} catch {
+		return host;
+	}
+};
+
+export const createCaddyDashboardRouteIntent = (
+	settings: typeof webServerSettings.$inferSelect,
+	host: string,
+): CaddyRouteIntent => ({
+	id: "dokploy-dashboard",
+	source: "dokploy-dashboard",
+	hosts: [toPunycode(host)],
+	pathPrefix: "/",
+	https: !!settings.https,
+	upstreams: [`http://dokploy:${process.env.PORT || 3000}`],
+	upstreamNetwork: DOKPLOY_CADDY_NETWORK,
+});
+
+export const createCaddyDashboardRouteFragment = (
+	settings: typeof webServerSettings.$inferSelect,
+	host: string,
+): CaddyRouteFragment => ({
+	version: CADDY_FRAGMENT_VERSION,
+	id: DASHBOARD_FRAGMENT_ID,
+	source: "dokploy-dashboard",
+	description: "Dokploy dashboard route",
+	routes: [createCaddyDashboardRouteIntent(settings, host)],
+});
+
+export const updateServerCaddy = async (
+	settings: typeof webServerSettings.$inferSelect,
+	newHost: string | null,
+) => {
+	if (newHost) {
+		await writeCaddyRouteFragment(
+			createCaddyDashboardRouteFragment(settings, newHost),
+		);
+	} else {
+		await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
+	}
+
+	await compileWriteAndReloadCaddyConfigSafely({
+		letsEncryptEmail: settings.letsEncryptEmail,
+	});
+};
diff --git a/packages/server/src/utils/docker/domain.ts b/packages/server/src/utils/docker/domain.ts
index 8094f1df2a..cc2b5e6dd3 100644
--- a/packages/server/src/utils/docker/domain.ts
+++ b/packages/server/src/utils/docker/domain.ts
@@ -3,7 +3,11 @@ import { join } from "node:path";
 import { paths } from "@dokploy/server/constants";
 import type { Compose } from "@dokploy/server/services/compose";
 import type { Domain } from "@dokploy/server/services/domain";
+import { resolveWebServerProvider } from "@dokploy/server/services/web-server-settings";
 import { parse, stringify } from "yaml";
+import { writeCaddyComposeRouteFragments } from "../caddy/compose";
+import { assertCaddyDomainSupported } from "../caddy/domain";
+import { getCaddyComposeNetworkAlias } from "../caddy/upstream-targets";
 import { execAsyncRemote } from "../process/execAsync";
 import { cloneBitbucketRepository } from "../providers/bitbucket";
 import { cloneGitRepository } from "../providers/git";
@@ -11,11 +15,13 @@ import { cloneGiteaRepository } from "../providers/gitea";
 import { cloneGithubRepository } from "../providers/github";
 import { cloneGitlabRepository } from "../providers/gitlab";
 import { getCreateComposeFileCommand } from "../providers/raw";
+import type { WebServerProvider } from "../web-server/providers";
 import { randomizeDeployableSpecificationFile } from "./collision";
 import { randomizeSpecificationFile } from "./compose";
 import type {
 	ComposeSpecification,
 	DefinitionsService,
+	ListOrDict,
 	PropertiesNetworks,
 } from "./types";
 import { encodeBase64 } from "./utils";
@@ -106,12 +112,184 @@ export const readComposeFile = async (compose: Compose) => {
 	return null;
 };
 
+export type CaddyComposeRouteTarget = {
+	domain: Domain;
+	finalServiceName: string;
+};
+
+const loadComposeSpecification = async (compose: Compose) => {
+	if (compose.serverId) {
+		return loadDockerComposeRemote(compose);
+	}
+	return loadDockerCompose(compose);
+};
+
+const finalizeComposeSpecification = (
+	compose: Compose,
+	composeSpec: ComposeSpecification,
+) => {
+	let result = composeSpec;
+
+	if (compose.isolatedDeployment) {
+		result = randomizeDeployableSpecificationFile(
+			result,
+			compose.isolatedDeploymentsVolume,
+			compose.suffix || compose.appName,
+		);
+	} else if (compose.randomize) {
+		result = randomizeSpecificationFile(result, compose.suffix);
+	}
+
+	return result;
+};
+
+const resolveFinalServiceName = (
+	compose: Compose,
+	composeSpec: ComposeSpecification,
+	serviceName: string,
+) => {
+	if (composeSpec.services?.[serviceName]) {
+		return serviceName;
+	}
+
+	const suffix = compose.randomize
+		? compose.suffix
+		: compose.isolatedDeployment
+			? compose.suffix || compose.appName
+			: null;
+	if (suffix) {
+		const suffixedServiceName = `${serviceName}-${suffix}`;
+		if (composeSpec.services?.[suffixedServiceName]) {
+			return suffixedServiceName;
+		}
+	}
+
+	return serviceName;
+};
+
+const addDomainToComposeForCaddyWithRoutes = async (
+	compose: Compose,
+	domains: Domain[],
+): Promise<{
+	composeSpec: ComposeSpecification | null;
+	caddyRouteTargets: CaddyComposeRouteTarget[];
+}> => {
+	const result = await loadComposeSpecification(compose);
+	if (!result) {
+		return { composeSpec: null, caddyRouteTargets: [] };
+	}
+
+	for (const domain of domains) {
+		assertCaddyDomainSupported(domain);
+	}
+
+	const finalizedCompose = finalizeComposeSpecification(compose, result);
+	const caddyRouteTargets: CaddyComposeRouteTarget[] = [];
+
+	for (const domain of domains) {
+		const { serviceName } = domain;
+		if (!serviceName) {
+			throw new Error(`Domain "${domain.host}" is missing a service name`);
+		}
+
+		const finalServiceName = resolveFinalServiceName(
+			compose,
+			finalizedCompose,
+			serviceName,
+		);
+		if (!finalizedCompose.services?.[finalServiceName]) {
+			throw new Error(
+				`Domain "${domain.host}" is attached to service "${serviceName}" which does not exist in the compose`,
+			);
+		}
+
+		const service = finalizedCompose.services[finalServiceName];
+		if (compose.composeType === "docker-compose") {
+			if (service.labels) {
+				service.labels = removeDokployGeneratedTraefikLabels(service.labels, {
+					appName: compose.appName,
+					domains,
+				});
+			}
+		} else if (service.deploy?.labels) {
+			service.deploy.labels = removeDokployGeneratedTraefikLabels(
+				service.deploy.labels,
+				{
+					appName: compose.appName,
+					domains,
+				},
+			);
+		}
+
+		if (!compose.isolatedDeployment) {
+			service.networks = addDokployNetworkToService(service.networks, {
+				aliases:
+					compose.composeType === "docker-compose"
+						? [getCaddyComposeNetworkAlias(compose.appName, finalServiceName)]
+						: undefined,
+			});
+		}
+
+		caddyRouteTargets.push({ domain, finalServiceName });
+	}
+
+	if (!compose.isolatedDeployment) {
+		finalizedCompose.networks = addDokployNetworkToRoot(
+			finalizedCompose.networks,
+		);
+	}
+
+	return { composeSpec: finalizedCompose, caddyRouteTargets };
+};
+
+export const getCaddyComposeRouteTargetsForWebServer = async (
+	compose: Compose,
+	domains: Domain[],
+	provider?: WebServerProvider,
+) => {
+	const resolvedProvider =
+		provider ?? (await resolveWebServerProvider(compose.serverId));
+	if (resolvedProvider !== "caddy") {
+		return null;
+	}
+
+	return (await addDomainToComposeForCaddyWithRoutes(compose, domains))
+		.caddyRouteTargets;
+};
+
+export const writeCaddyComposeRoutesForTargets = async (
+	compose: Compose,
+	caddyRouteTargets: CaddyComposeRouteTarget[],
+) => {
+	await writeCaddyComposeRouteFragments(compose, caddyRouteTargets);
+};
+
+export const addDomainToComposeForWebServer = async (
+	compose: Compose,
+	domains: Domain[],
+	provider?: WebServerProvider,
+) => {
+	const resolvedProvider =
+		provider ?? (await resolveWebServerProvider(compose.serverId));
+	if (resolvedProvider === "caddy") {
+		return (await addDomainToComposeForCaddyWithRoutes(compose, domains))
+			.composeSpec;
+	}
+
+	return addDomainToCompose(compose, domains);
+};
+
 export const writeDomainsToCompose = async (
 	compose: Compose,
 	domains: Domain[],
 ) => {
 	try {
-		const composeConverted = await addDomainToCompose(compose, domains);
+		const provider = await resolveWebServerProvider(compose.serverId);
+		const composeConverted =
+			provider === "caddy"
+				? (await addDomainToComposeForCaddyWithRoutes(compose, domains))
+						.composeSpec
+				: await addDomainToCompose(compose, domains);
 		const path = getComposePath(compose);
 
 		if (!composeConverted) {
@@ -347,8 +525,156 @@ export const createDomainLabels = (
 	return labels;
 };
 
+export type DokployTraefikLabelClassifierContext = {
+	appName?: string;
+	domains?: Pick<Domain, "uniqueConfigKey" | "customEntrypoint" | "https">[];
+	includeGenericLabels?: boolean;
+};
+
+const getLabelKey = (label: string) => label.split("=")[0] ?? label;
+
+const getLabelValue = (label: string) => {
+	const separatorIndex = label.indexOf("=");
+	return separatorIndex === -1 ? undefined : label.slice(separatorIndex + 1);
+};
+
+const getDomainEntrypoints = (
+	domain: Pick<Domain, "customEntrypoint" | "https">,
+) => {
+	if (domain.customEntrypoint) {
+		return [domain.customEntrypoint];
+	}
+	return domain.https ? ["web", "websecure"] : ["web"];
+};
+
+const isGenericDokployTraefikLabel = (label: string) => {
+	const key = getLabelKey(label);
+	const value = getLabelValue(label);
+
+	if (key === "traefik.enable") {
+		return value === undefined || value === "true";
+	}
+
+	if (key === "traefik.docker.network" || key === "traefik.swarm.network") {
+		return value === undefined || value === "dokploy-network";
+	}
+
+	return false;
+};
+
+const isDomainSpecificDokployTraefikLabel = (
+	label: string,
+	context: DokployTraefikLabelClassifierContext = {},
+) => {
+	const key = getLabelKey(label);
+	const { appName, domains } = context;
+
+	if (appName && domains) {
+		for (const domain of domains) {
+			for (const entrypoint of getDomainEntrypoints(domain)) {
+				const routerName = `${appName}-${domain.uniqueConfigKey}-${entrypoint}`;
+				if (
+					key.startsWith(`traefik.http.routers.${routerName}.`) ||
+					key.startsWith(`traefik.http.services.${routerName}.`)
+				) {
+					return true;
+				}
+			}
+
+			if (
+				key.startsWith(
+					`traefik.http.middlewares.stripprefix-${appName}-${domain.uniqueConfigKey}.`,
+				) ||
+				key.startsWith(
+					`traefik.http.middlewares.addprefix-${appName}-${domain.uniqueConfigKey}.`,
+				)
+			) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	if (appName) {
+		const appRouterPattern = new RegExp(
+			`^traefik\\.http\\.(routers|services)\\.${appName.replace(/[.*+?^${}()|[\\]\\]/g, "\\$&")}.+-(web|websecure)\\.`,
+		);
+		if (appRouterPattern.test(key)) {
+			return true;
+		}
+	}
+
+	return (
+		/^traefik\.http\.(routers|services)\.[^.]+-\d+-[^.]+\./.test(key) ||
+		/^traefik\.http\.middlewares\.(stripprefix|addprefix)-.+-\d+\./.test(key)
+	);
+};
+
+export const isDokployGeneratedTraefikLabel = (
+	label: string,
+	context: DokployTraefikLabelClassifierContext = {},
+) => {
+	return (
+		isDomainSpecificDokployTraefikLabel(label, context) ||
+		(context.includeGenericLabels !== false &&
+			isGenericDokployTraefikLabel(label))
+	);
+};
+
+const stringifyLabelObjectEntry = (
+	key: string,
+	value: string | number | boolean | null,
+) => (value === null ? key : `${key}=${value}`);
+
+export const removeDokployGeneratedTraefikLabels = (
+	labels: ListOrDict | undefined,
+	context: DokployTraefikLabelClassifierContext = {},
+): ListOrDict | undefined => {
+	if (!labels) {
+		return labels;
+	}
+
+	if (Array.isArray(labels)) {
+		const removedSpecificLabel = labels.some((label) =>
+			isDomainSpecificDokployTraefikLabel(label, context),
+		);
+		return labels.filter((label) => {
+			if (isDomainSpecificDokployTraefikLabel(label, context)) {
+				return false;
+			}
+			if (removedSpecificLabel && isGenericDokployTraefikLabel(label)) {
+				return false;
+			}
+			return true;
+		});
+	}
+
+	const entries = Object.entries(labels);
+	const removedSpecificLabel = entries.some(([key, value]) =>
+		isDomainSpecificDokployTraefikLabel(
+			stringifyLabelObjectEntry(key, value),
+			context,
+		),
+	);
+
+	return Object.fromEntries(
+		entries.filter(([key, value]) => {
+			const label = stringifyLabelObjectEntry(key, value);
+			if (isDomainSpecificDokployTraefikLabel(label, context)) {
+				return false;
+			}
+			if (removedSpecificLabel && isGenericDokployTraefikLabel(label)) {
+				return false;
+			}
+			return true;
+		}),
+	);
+};
+
 export const addDokployNetworkToService = (
 	networkService: DefinitionsService["networks"],
+	options: { aliases?: string[] } = {},
 ) => {
 	let networks = networkService;
 	const network = "dokploy-network";
@@ -364,6 +690,17 @@ export const addDokployNetworkToService = (
 		if (!networks.includes(defaultNetwork)) {
 			networks.push(defaultNetwork);
 		}
+		if (options.aliases?.length) {
+			const nextNetworks: Record<string, { aliases?: string[] }> = {};
+			for (const item of networks) {
+				nextNetworks[item] = {};
+			}
+			nextNetworks[network] = {
+				...nextNetworks[network],
+				aliases: [...new Set(options.aliases)],
+			};
+			networks = nextNetworks;
+		}
 	} else if (networks && typeof networks === "object") {
 		if (!(network in networks)) {
 			networks[network] = {};
@@ -371,6 +708,17 @@ export const addDokployNetworkToService = (
 		if (!(defaultNetwork in networks)) {
 			networks[defaultNetwork] = {};
 		}
+		if (options.aliases?.length) {
+			const current = networks[network];
+			const currentAliases =
+				current && typeof current === "object" && "aliases" in current
+					? ((current.aliases as string[] | undefined) ?? [])
+					: [];
+			networks[network] = {
+				...(current && typeof current === "object" ? current : {}),
+				aliases: [...new Set([...currentAliases, ...options.aliases])],
+			};
+		}
 	}
 
 	return networks;
diff --git a/packages/server/src/utils/web-server/domain.ts b/packages/server/src/utils/web-server/domain.ts
new file mode 100644
index 0000000000..19066863d8
--- /dev/null
+++ b/packages/server/src/utils/web-server/domain.ts
@@ -0,0 +1,31 @@
+import type { Domain } from "@dokploy/server/services/domain";
+import { resolveWebServerProvider } from "@dokploy/server/services/web-server-settings";
+import type { ApplicationNested } from "../builders";
+import { manageCaddyDomain, removeCaddyDomain } from "../caddy/domain";
+import { manageDomain, removeDomain } from "../traefik/domain";
+
+export const manageWebServerDomain = async (
+	app: ApplicationNested,
+	domain: Domain,
+) => {
+	const provider = await resolveWebServerProvider(app.serverId);
+
+	if (provider === "caddy") {
+		return manageCaddyDomain(app, domain);
+	}
+
+	return manageDomain(app, domain);
+};
+
+export const removeWebServerDomain = async (
+	app: ApplicationNested,
+	uniqueConfigKey: number,
+) => {
+	const provider = await resolveWebServerProvider(app.serverId);
+
+	if (provider === "caddy") {
+		return removeCaddyDomain(app, uniqueConfigKey);
+	}
+
+	return removeDomain(app, uniqueConfigKey);
+};
diff --git a/packages/server/src/utils/web-server/paths.ts b/packages/server/src/utils/web-server/paths.ts
new file mode 100644
index 0000000000..1d113bf030
--- /dev/null
+++ b/packages/server/src/utils/web-server/paths.ts
@@ -0,0 +1,29 @@
+import { paths } from "@dokploy/server/constants";
+import type { WebServerProvider } from "./providers";
+
+export const getWebServerPaths = (
+	provider: WebServerProvider,
+	isServer = false,
+) => {
+	const resolvedPaths = paths(isServer);
+
+	if (provider === "caddy") {
+		return {
+			provider,
+			basePath: resolvedPaths.MAIN_CADDY_PATH,
+			activeConfigPath: resolvedPaths.CADDY_CONFIG_PATH,
+			fragmentsPath: resolvedPaths.CADDY_FRAGMENTS_PATH,
+			dataPath: resolvedPaths.CADDY_DATA_PATH,
+			configDirPath: resolvedPaths.CADDY_CONFIG_DIR_PATH,
+			migrationsPath: resolvedPaths.CADDY_MIGRATIONS_PATH,
+		};
+	}
+
+	return {
+		provider,
+		basePath: resolvedPaths.MAIN_TRAEFIK_PATH,
+		activeConfigPath: `${resolvedPaths.MAIN_TRAEFIK_PATH}/traefik.yml`,
+		fragmentsPath: resolvedPaths.DYNAMIC_TRAEFIK_PATH,
+		certificatesPath: resolvedPaths.CERTIFICATES_PATH,
+	};
+};
diff --git a/packages/server/src/utils/web-server/providers.ts b/packages/server/src/utils/web-server/providers.ts
new file mode 100644
index 0000000000..e5c29623a3
--- /dev/null
+++ b/packages/server/src/utils/web-server/providers.ts
@@ -0,0 +1,20 @@
+export const WEB_SERVER_PROVIDERS = ["traefik", "caddy"] as const;
+
+export type WebServerProvider = (typeof WEB_SERVER_PROVIDERS)[number];
+
+export const DEFAULT_WEB_SERVER_PROVIDER: WebServerProvider = "traefik";
+
+export const isWebServerProvider = (
+	provider: unknown,
+): provider is WebServerProvider =>
+	typeof provider === "string" &&
+	WEB_SERVER_PROVIDERS.includes(provider as WebServerProvider);
+
+export const normalizeWebServerProvider = (
+	provider: unknown,
+): WebServerProvider =>
+	isWebServerProvider(provider) ? provider : DEFAULT_WEB_SERVER_PROVIDER;
+
+export const getWebServerResourceName = (provider: WebServerProvider) => {
+	return provider === "caddy" ? "dokploy-caddy" : "dokploy-traefik";
+};

From f8c6d78f8712889d6261a7f2bfcdfb71258ea826 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 14:33:22 -0400
Subject: [PATCH 02/37] chore: format caddy provider changes

---
 .../application/domains/handle-domain.tsx     |  4 ++-
 apps/dokploy/server/api/routers/domain.ts     | 26 ++++++++++++++-----
 apps/dokploy/server/api/routers/settings.ts   |  4 ++-
 packages/server/src/db/schema/server.ts       |  2 +-
 packages/server/src/services/settings.ts      |  8 +++---
 .../src/services/web-server-settings.ts       |  9 ++++---
 6 files changed, 36 insertions(+), 17 deletions(-)

diff --git a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
index 8fd75b68be..564f4fd182 100644
--- a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
+++ b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
@@ -875,7 +875,9 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 															<X
 																className="ml-1 size-3 cursor-pointer"
 																onClick={() => {
-																	const newMiddlewares = [...(field.value || [])];
+																	const newMiddlewares = [
+																		...(field.value || []),
+																	];
 																	newMiddlewares.splice(index, 1);
 																	form.setValue("middlewares", newMiddlewares);
 																}}
diff --git a/apps/dokploy/server/api/routers/domain.ts b/apps/dokploy/server/api/routers/domain.ts
index 290654bd85..7d1bb43ebb 100644
--- a/apps/dokploy/server/api/routers/domain.ts
+++ b/apps/dokploy/server/api/routers/domain.ts
@@ -13,11 +13,11 @@ import {
 	getWebServerSettings,
 	manageWebServerDomain,
 	removeDomainById,
-	writeCaddyComposeRoutesForTargets,
 	removeWebServerDomain,
 	resolveWebServerProvider,
 	updateDomainById,
 	validateDomain,
+	writeCaddyComposeRoutesForTargets,
 } from "@dokploy/server";
 import { checkServicePermissionAndAccess } from "@dokploy/server/services/permission";
 import { TRPCError } from "@trpc/server";
@@ -36,7 +36,9 @@ import {
 	apiUpdateDomain,
 } from "@/server/db/schema";
 
-const toDomainUpdateFields = (domain: Awaited<ReturnType<typeof findDomainById>>) => ({
+const toDomainUpdateFields = (
+	domain: Awaited<ReturnType<typeof findDomainById>>,
+) => ({
 	host: domain.host,
 	https: domain.https,
 	port: domain.port,
@@ -166,8 +168,12 @@ export const domainRouter = createTRPCRouter({
 
 			const nextDomain = { ...currentDomain, ...input };
 			if (currentDomain.applicationId) {
-				const application = await findApplicationById(currentDomain.applicationId);
-				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+				const application = await findApplicationById(
+					currentDomain.applicationId,
+				);
+				if (
+					(await resolveWebServerProvider(application.serverId)) === "caddy"
+				) {
 					assertCaddyDomainSupported(nextDomain);
 					await manageWebServerDomain(application, nextDomain);
 					try {
@@ -195,7 +201,9 @@ export const domainRouter = createTRPCRouter({
 					previewDeployment.applicationId,
 				);
 				application.appName = previewDeployment.appName;
-				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+				if (
+					(await resolveWebServerProvider(application.serverId)) === "caddy"
+				) {
 					assertCaddyDomainSupported(nextDomain);
 					await manageWebServerDomain(application, nextDomain);
 					try {
@@ -303,7 +311,9 @@ export const domainRouter = createTRPCRouter({
 
 			if (domain.applicationId) {
 				const application = await findApplicationById(domain.applicationId);
-				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+				if (
+					(await resolveWebServerProvider(application.serverId)) === "caddy"
+				) {
 					await removeWebServerDomain(application, domain.uniqueConfigKey);
 					try {
 						const result = await removeDomainById(input.domainId);
@@ -327,7 +337,9 @@ export const domainRouter = createTRPCRouter({
 					previewDeployment.applicationId,
 				);
 				application.appName = previewDeployment.appName;
-				if ((await resolveWebServerProvider(application.serverId)) === "caddy") {
+				if (
+					(await resolveWebServerProvider(application.serverId)) === "caddy"
+				) {
 					await removeWebServerDomain(application, domain.uniqueConfigKey);
 					try {
 						const result = await removeDomainById(input.domainId);
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index e82b6ace26..921dee6dc1 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -171,7 +171,9 @@ const isPathWithin = (targetPath: string, basePath: string) => {
 const isCaddyMigrationBackupPath = (filePath: string, serverId?: string) => {
 	const caddyPaths = paths(!!serverId);
 	const normalizedPath = normalizeWebServerPath(filePath);
-	const migrationsPath = normalizeWebServerPath(caddyPaths.CADDY_MIGRATIONS_PATH);
+	const migrationsPath = normalizeWebServerPath(
+		caddyPaths.CADDY_MIGRATIONS_PATH,
+	);
 	if (!isPathWithin(normalizedPath, migrationsPath)) {
 		return false;
 	}
diff --git a/packages/server/src/db/schema/server.ts b/packages/server/src/db/schema/server.ts
index f12186c93c..db4c3ffda1 100644
--- a/packages/server/src/db/schema/server.ts
+++ b/packages/server/src/db/schema/server.ts
@@ -22,8 +22,8 @@ import { mysql } from "./mysql";
 import { postgres } from "./postgres";
 import { redis } from "./redis";
 import { schedules } from "./schedule";
-import { sshKeys } from "./ssh-key";
 import { webServerProvider } from "./shared";
+import { sshKeys } from "./ssh-key";
 import { generateAppName } from "./utils";
 export const serverStatus = pgEnum("serverStatus", ["active", "inactive"]);
 export const serverType = pgEnum("serverType", ["deploy", "build"]);
diff --git a/packages/server/src/services/settings.ts b/packages/server/src/services/settings.ts
index 5fafa9dd2c..c0005fb098 100644
--- a/packages/server/src/services/settings.ts
+++ b/packages/server/src/services/settings.ts
@@ -350,7 +350,9 @@ const asStringRecord = (value: unknown): Record<string, string> | undefined => {
 	);
 };
 
-const asRecordArray = (value: unknown): Array<Record<string, unknown>> | undefined =>
+const asRecordArray = (
+	value: unknown,
+): Array<Record<string, unknown>> | undefined =>
 	Array.isArray(value)
 		? value.filter(
 				(item): item is Record<string, unknown> =>
@@ -845,9 +847,9 @@ export const reconnectServicesToWebServer = async (
 		const quotedResourceName = quote([resourceName]);
 		commands += `if docker service inspect ${quotedResourceName} >/dev/null 2>&1; then\n`;
 		commands += `  docker service inspect ${quotedResourceName} --format '{{range .Spec.TaskTemplate.Networks}}{{println .Target}}{{end}}' | grep -qx ${networkName} || docker service update --network-add ${networkName} ${quotedResourceName} >/dev/null\n`;
-		commands += `else\n`;
+		commands += "else\n";
 		commands += `  docker network connect ${networkName} $(docker ps --filter "name=${resourceName}" -q) >/dev/null 2>&1 || true\n`;
-		commands += `fi\n`;
+		commands += "fi\n";
 	}
 
 	if (serverId) {
diff --git a/packages/server/src/services/web-server-settings.ts b/packages/server/src/services/web-server-settings.ts
index 152d30874d..0b1403f2c9 100644
--- a/packages/server/src/services/web-server-settings.ts
+++ b/packages/server/src/services/web-server-settings.ts
@@ -47,10 +47,11 @@ export const updateWebServerSettings = async (
 	return updated;
 };
 
-export const getLocalWebServerProvider = async (): Promise<WebServerProvider> => {
-	const settings = await getWebServerSettings();
-	return normalizeWebServerProvider(settings?.webServerProvider);
-};
+export const getLocalWebServerProvider =
+	async (): Promise<WebServerProvider> => {
+		const settings = await getWebServerSettings();
+		return normalizeWebServerProvider(settings?.webServerProvider);
+	};
 
 export const updateLocalWebServerProvider = async (
 	provider: WebServerProvider,

From a86a412be1b2c9d6453410008a0d6cd6fad39544 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 18:30:19 -0400
Subject: [PATCH 03/37] fix: fail closed on runtime migration errors

---
 .../__test__/db/runtime-migration.test.ts     | 85 +++++++++++++++++++
 apps/dokploy/migration.ts                     | 24 ++----
 apps/dokploy/server/db/migration.ts           | 23 +----
 apps/dokploy/server/db/run-migrations.ts      | 29 +++++++
 4 files changed, 124 insertions(+), 37 deletions(-)
 create mode 100644 apps/dokploy/__test__/db/runtime-migration.test.ts
 create mode 100644 apps/dokploy/server/db/run-migrations.ts

diff --git a/apps/dokploy/__test__/db/runtime-migration.test.ts b/apps/dokploy/__test__/db/runtime-migration.test.ts
new file mode 100644
index 0000000000..b7ddbca00e
--- /dev/null
+++ b/apps/dokploy/__test__/db/runtime-migration.test.ts
@@ -0,0 +1,85 @@
+import { beforeEach, describe, expect, test, vi } from "vitest";
+
+const mocks = vi.hoisted(() => {
+	const db = { id: "db" };
+	const sql = { end: vi.fn().mockResolvedValue(undefined) };
+
+	return {
+		db,
+		drizzle: vi.fn(() => db),
+		logger: {
+			error: vi.fn(),
+			log: vi.fn(),
+		},
+		migrate: vi.fn().mockResolvedValue(undefined),
+		postgres: vi.fn(() => sql),
+		sql,
+	};
+});
+
+vi.mock("@dokploy/server/db/constants", () => ({
+	dbUrl: "postgres://dokploy:test@localhost:5432/dokploy",
+}));
+
+vi.mock("postgres", () => ({
+	default: mocks.postgres,
+}));
+
+vi.mock("drizzle-orm/postgres-js", () => ({
+	drizzle: mocks.drizzle,
+}));
+
+vi.mock("drizzle-orm/postgres-js/migrator", () => ({
+	migrate: mocks.migrate,
+}));
+
+import { runRuntimeMigrations } from "../../server/db/run-migrations";
+
+describe("runtime migrations", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		mocks.sql.end.mockResolvedValue(undefined);
+		mocks.migrate.mockResolvedValue(undefined);
+	});
+
+	test("runs the default migration folder and closes the connection once", async () => {
+		await runRuntimeMigrations({ logger: mocks.logger });
+
+		expect(mocks.postgres).toHaveBeenCalledWith(
+			"postgres://dokploy:test@localhost:5432/dokploy",
+			{ max: 1 },
+		);
+		expect(mocks.drizzle).toHaveBeenCalledWith(mocks.sql);
+		expect(mocks.migrate).toHaveBeenCalledWith(mocks.db, {
+			migrationsFolder: "drizzle",
+		});
+		expect(mocks.logger.log).toHaveBeenCalledWith("Migration complete");
+		expect(mocks.logger.error).not.toHaveBeenCalled();
+		expect(mocks.sql.end).toHaveBeenCalledTimes(1);
+	});
+
+	test("supports an explicit migration folder", async () => {
+		await runRuntimeMigrations({
+			logger: mocks.logger,
+			migrationsFolder: "/app/drizzle",
+		});
+
+		expect(mocks.migrate).toHaveBeenCalledWith(mocks.db, {
+			migrationsFolder: "/app/drizzle",
+		});
+		expect(mocks.sql.end).toHaveBeenCalledTimes(1);
+	});
+
+	test("rejects migration failures and still closes the connection once", async () => {
+		const error = new Error("migration boom");
+		mocks.migrate.mockRejectedValueOnce(error);
+
+		await expect(runRuntimeMigrations({ logger: mocks.logger })).rejects.toBe(
+			error,
+		);
+
+		expect(mocks.logger.error).toHaveBeenCalledWith("Migration failed", error);
+		expect(mocks.logger.log).not.toHaveBeenCalled();
+		expect(mocks.sql.end).toHaveBeenCalledTimes(1);
+	});
+});
diff --git a/apps/dokploy/migration.ts b/apps/dokploy/migration.ts
index 984197b2ae..0f077acdfa 100644
--- a/apps/dokploy/migration.ts
+++ b/apps/dokploy/migration.ts
@@ -1,19 +1,7 @@
-import { dbUrl } from "@dokploy/server/db";
-import { drizzle } from "drizzle-orm/postgres-js";
-import { migrate } from "drizzle-orm/postgres-js/migrator";
-import postgres from "postgres";
+import { runRuntimeMigrations } from "./server/db/run-migrations";
 
-const sql = postgres(dbUrl, { max: 1 });
-const db = drizzle(sql);
-
-await migrate(db, { migrationsFolder: "drizzle" })
-	.then(() => {
-		console.log("Migration complete");
-		sql.end();
-	})
-	.catch((error) => {
-		console.log("Migration failed", error);
-	})
-	.finally(() => {
-		sql.end();
-	});
+try {
+	await runRuntimeMigrations();
+} catch {
+	process.exit(1);
+}
diff --git a/apps/dokploy/server/db/migration.ts b/apps/dokploy/server/db/migration.ts
index 8a24afdc50..da381cfea4 100644
--- a/apps/dokploy/server/db/migration.ts
+++ b/apps/dokploy/server/db/migration.ts
@@ -1,20 +1,5 @@
-import { dbUrl } from "@dokploy/server/db";
-import { drizzle } from "drizzle-orm/postgres-js";
-import { migrate } from "drizzle-orm/postgres-js/migrator";
-import postgres from "postgres";
+import { runRuntimeMigrations } from "./run-migrations";
 
-const sql = postgres(dbUrl, { max: 1 });
-const db = drizzle(sql);
-
-export const migration = async () =>
-	await migrate(db, { migrationsFolder: "drizzle" })
-		.then(() => {
-			console.log("Migration complete");
-			sql.end();
-		})
-		.catch((error) => {
-			console.log("Migration failed", error);
-		})
-		.finally(() => {
-			sql.end();
-		});
+export const migration = async () => {
+	await runRuntimeMigrations();
+};
diff --git a/apps/dokploy/server/db/run-migrations.ts b/apps/dokploy/server/db/run-migrations.ts
new file mode 100644
index 0000000000..202c5fbf24
--- /dev/null
+++ b/apps/dokploy/server/db/run-migrations.ts
@@ -0,0 +1,29 @@
+import { dbUrl } from "@dokploy/server/db/constants";
+import { drizzle } from "drizzle-orm/postgres-js";
+import { migrate } from "drizzle-orm/postgres-js/migrator";
+import postgres from "postgres";
+
+export type RuntimeMigrationLogger = Pick<typeof console, "error" | "log">;
+
+export type RunRuntimeMigrationsOptions = {
+	logger?: RuntimeMigrationLogger;
+	migrationsFolder?: string;
+};
+
+export const runRuntimeMigrations = async ({
+	logger = console,
+	migrationsFolder = "drizzle",
+}: RunRuntimeMigrationsOptions = {}) => {
+	const sql = postgres(dbUrl, { max: 1 });
+
+	try {
+		const db = drizzle(sql);
+		await migrate(db, { migrationsFolder });
+		logger.log("Migration complete");
+	} catch (error) {
+		logger.error("Migration failed", error);
+		throw error;
+	} finally {
+		await sql.end();
+	}
+};

From 94164bf7cc74b13e3c44470744e305c6bfb60e24 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:03:06 -0400
Subject: [PATCH 04/37] feat: harden caddy provider domain flows

---
 .../caddy/application/domain-service.test.ts  |  154 +
 .../__test__/caddy/application/domain.test.ts |   40 +-
 .../__test__/caddy/certificate-guard.test.ts  |   69 +
 .../__test__/caddy/compose/domain.test.ts     |   55 +
 apps/dokploy/__test__/caddy/config.test.ts    |  122 +
 .../__test__/caddy/dashboard-route.test.ts    |    1 +
 .../caddy/domain-router-lifecycle.test.ts     |  254 +
 .../caddy/migration/apply-rollback.test.ts    |    4 +
 .../__test__/caddy/migration/prepare.test.ts  |    4 +
 .../__test__/caddy/preview-deployment.test.ts |  275 +
 apps/dokploy/__test__/caddy/setup.test.ts     |    1 +
 .../server/update-server-config.test.ts       |    1 +
 .../application/domains/handle-domain.tsx     |   79 +-
 .../certificates/show-certificates.tsx        |    9 +-
 .../servers/actions/show-traefik-actions.tsx  |   12 +
 .../dashboard/settings/web-server.tsx         |    2 +
 .../caddy-trusted-proxy-settings.tsx          |  214 +
 .../0171_caddy_trusted_proxy_config.sql       |    2 +
 apps/dokploy/drizzle/meta/0171_snapshot.json  | 8370 +++++++++++++++++
 apps/dokploy/drizzle/meta/_journal.json       |    7 +
 apps/dokploy/server/api/routers/ai.ts         |    4 +-
 apps/dokploy/server/api/routers/compose.ts    |    6 +-
 apps/dokploy/server/api/routers/domain.ts     |   58 +-
 apps/dokploy/server/api/routers/project.ts    |    3 +-
 apps/dokploy/server/api/routers/settings.ts   |  105 +-
 docs/caddy-provider-upstream-readiness.md     |  356 +
 packages/server/src/db/schema/server.ts       |    4 +
 .../src/db/schema/web-server-settings.ts      |   13 +
 packages/server/src/services/certificate.ts   |   22 +
 packages/server/src/services/domain.ts        |   58 +-
 .../server/src/services/preview-deployment.ts |   97 +-
 packages/server/src/services/settings.ts      |    2 +
 .../src/services/web-server-settings.ts       |  140 +
 packages/server/src/setup/caddy-setup.ts      |   24 +-
 packages/server/src/utils/caddy/compose.ts    |   36 +-
 packages/server/src/utils/caddy/config.ts     |  191 +-
 packages/server/src/utils/caddy/domain.ts     |   69 +-
 .../server/src/utils/caddy/migration/apply.ts |    2 +
 .../src/utils/caddy/migration/prepare.ts      |   10 +-
 packages/server/src/utils/caddy/types.ts      |   21 +
 packages/server/src/utils/caddy/web-server.ts |    4 +
 41 files changed, 10733 insertions(+), 167 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/application/domain-service.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/certificate-guard.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/preview-deployment.test.ts
 create mode 100644 apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
 create mode 100644 apps/dokploy/drizzle/0171_caddy_trusted_proxy_config.sql
 create mode 100644 apps/dokploy/drizzle/meta/0171_snapshot.json
 create mode 100644 docs/caddy-provider-upstream-readiness.md

diff --git a/apps/dokploy/__test__/caddy/application/domain-service.test.ts b/apps/dokploy/__test__/caddy/application/domain-service.test.ts
new file mode 100644
index 0000000000..4678fa528a
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/application/domain-service.test.ts
@@ -0,0 +1,154 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const txInsertMock = vi.hoisted(() => vi.fn());
+const transactionMock = vi.hoisted(() => vi.fn());
+const dbDeleteMock = vi.hoisted(() => vi.fn());
+const domainsFindFirstMock = vi.hoisted(() => vi.fn());
+const domainsFindManyMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		transaction: transactionMock,
+		query: {
+			domains: {
+				findFirst: domainsFindFirstMock,
+				findMany: domainsFindManyMock,
+			},
+		},
+		delete: dbDeleteMock,
+	},
+}));
+
+vi.mock("@dokploy/server/services/application", () => ({
+	findApplicationById: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/web-server/domain", () => ({
+	manageWebServerDomain: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/docker/domain", () => ({
+	getCaddyComposeRouteTargetsForWebServer: vi.fn(),
+	writeCaddyComposeRoutesForTargets: vi.fn(),
+}));
+
+import { findApplicationById } from "@dokploy/server/services/application";
+import {
+	createComposeDomain,
+	createDomain,
+} from "@dokploy/server/services/domain";
+import {
+	getCaddyComposeRouteTargetsForWebServer,
+	writeCaddyComposeRoutesForTargets,
+} from "@dokploy/server/utils/docker/domain";
+import { manageWebServerDomain } from "@dokploy/server/utils/web-server/domain";
+
+const domain = {
+	domainId: "domain-1",
+	applicationId: "app-1",
+	composeId: null,
+	previewDeploymentId: null,
+	host: "example.com",
+	uniqueConfigKey: 7,
+};
+
+const composeDomain = {
+	...domain,
+	applicationId: null,
+	composeId: "compose-1",
+	domainType: "compose",
+};
+
+const application = {
+	applicationId: "app-1",
+	appName: "my-app",
+	serverId: null,
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	txInsertMock.mockReturnValue({
+		values: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([domain]),
+		}),
+	});
+	transactionMock.mockImplementation(async (callback) => {
+		const tx = { insert: txInsertMock };
+		return callback(tx);
+	});
+	domainsFindFirstMock.mockResolvedValue(domain);
+	domainsFindManyMock.mockResolvedValue([composeDomain]);
+	dbDeleteMock.mockReturnValue({
+		where: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([composeDomain]),
+		}),
+	});
+	vi.mocked(getCaddyComposeRouteTargetsForWebServer).mockResolvedValue([
+		{},
+	] as never);
+	vi.mocked(writeCaddyComposeRoutesForTargets).mockResolvedValue(
+		undefined as never,
+	);
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+});
+
+test("creates copied new-service application domains through the active web server provider", async () => {
+	vi.mocked(manageWebServerDomain).mockResolvedValue(undefined as never);
+
+	const created = await createDomain({
+		host: " example.com ",
+		applicationId: "app-1",
+		domainType: "application",
+	} as never);
+
+	expect(created).toBe(domain);
+	expect(txInsertMock).toHaveBeenCalled();
+	expect(manageWebServerDomain).toHaveBeenCalledWith(application, domain);
+});
+
+test("removes application domain rows when provider route creation fails", async () => {
+	vi.mocked(manageWebServerDomain).mockRejectedValueOnce(
+		new Error("caddy reload failed") as never,
+	);
+
+	await expect(
+		createDomain({
+			host: "example.com",
+			applicationId: "app-1",
+			domainType: "application",
+		} as never),
+	).rejects.toThrow("caddy reload failed");
+
+	expect(manageWebServerDomain).toHaveBeenCalledWith(application, domain);
+	expect(dbDeleteMock).toHaveBeenCalled();
+});
+
+test("removes compose domain rows when Caddy compose route refresh fails after creation", async () => {
+	txInsertMock.mockReturnValueOnce({
+		values: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([composeDomain]),
+		}),
+	});
+	vi.mocked(writeCaddyComposeRoutesForTargets)
+		.mockRejectedValueOnce(new Error("caddy refresh failed") as never)
+		.mockResolvedValueOnce(undefined as never);
+
+	await expect(
+		createComposeDomain(
+			{
+				composeId: "compose-1",
+				appName: "my-compose",
+				serverId: null,
+			} as never,
+			{
+				host: "example.com",
+				composeId: "compose-1",
+				domainType: "compose",
+			} as never,
+			"caddy",
+		),
+	).rejects.toThrow("caddy refresh failed");
+
+	expect(dbDeleteMock).toHaveBeenCalled();
+	expect(writeCaddyComposeRoutesForTargets).toHaveBeenCalledTimes(2);
+});
diff --git a/apps/dokploy/__test__/caddy/application/domain.test.ts b/apps/dokploy/__test__/caddy/application/domain.test.ts
index 346e16fa84..9b9569e743 100644
--- a/apps/dokploy/__test__/caddy/application/domain.test.ts
+++ b/apps/dokploy/__test__/caddy/application/domain.test.ts
@@ -3,6 +3,7 @@ import {
 	compileCaddyConfig,
 	createCaddyApplicationRouteFragment,
 	getCaddyApplicationFragmentId,
+	paths,
 } from "@dokploy/server";
 import { expect, test } from "vitest";
 
@@ -103,6 +104,31 @@ test("HTTPS application routes redirect HTTP and proxy on HTTPS", () => {
 	});
 });
 
+test("loads uploaded certificates for custom Caddy HTTPS routes", () => {
+	const fragment = createCaddyApplicationRouteFragment(
+		app(),
+		domain({
+			https: true,
+			certificateType: "custom",
+			customCertResolver: "certificate-uploaded",
+		}),
+	);
+	const config = compileCaddyConfig({ fragments: [fragment] });
+	const tls = (config.apps as any).tls;
+	const certificatePath = `${paths(false).CERTIFICATES_PATH}/certificate-uploaded`;
+
+	expect(tls.certificates.load_files).toEqual([
+		{
+			certificate: `${certificatePath}/chain.crt`,
+			key: `${certificatePath}/privkey.key`,
+		},
+	]);
+	expect(getServers(config).https.routes[0].handle.at(-1)).toMatchObject({
+		handler: "reverse_proxy",
+		upstreams: [{ dial: "my-app:80" }],
+	});
+});
+
 test("punycodes internationalized hosts for Caddy routes", () => {
 	const fragment = createCaddyApplicationRouteFragment(
 		app(),
@@ -119,9 +145,21 @@ test("rejects Traefik-only domain features for Caddy routes", () => {
 			domain({
 				customEntrypoint: "admin",
 				customCertResolver: "internal",
-				certificateType: "custom",
 				middlewares: ["auth@file"],
 			}),
 		),
 	).toThrow("unsupported Caddy fields");
 });
+
+test("rejects Caddy custom certificate routes without an uploaded certificate", () => {
+	expect(() =>
+		createCaddyApplicationRouteFragment(
+			app(),
+			domain({
+				https: true,
+				certificateType: "custom",
+				customCertResolver: null,
+			}),
+		),
+	).toThrow("custom certificates require an uploaded certificate");
+});
diff --git a/apps/dokploy/__test__/caddy/certificate-guard.test.ts b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
new file mode 100644
index 0000000000..277cd54953
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
@@ -0,0 +1,69 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const certificatesFindFirstMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/db", () => ({
+	db: {
+		query: {
+			certificates: {
+				findFirst: certificatesFindFirstMock,
+			},
+		},
+	},
+}));
+
+import type { Domain } from "@dokploy/server";
+import { assertCaddyDomainCertificateAvailable } from "@dokploy/server/utils/caddy/domain";
+
+const domain = (overrides: Partial<Domain> = {}) =>
+	({
+		domainId: "domain-1",
+		applicationId: "app-1",
+		composeId: null,
+		previewDeploymentId: null,
+		domainType: "application",
+		host: "example.com",
+		path: "/",
+		internalPath: "/",
+		stripPath: false,
+		https: true,
+		certificateType: "custom",
+		customCertResolver: "certificate-uploaded",
+		customEntrypoint: null,
+		middlewares: null,
+		port: 3000,
+		serviceName: null,
+		uniqueConfigKey: 7,
+		createdAt: "",
+		...overrides,
+	}) as Domain;
+
+beforeEach(() => {
+	vi.clearAllMocks();
+});
+
+test("allows uploaded Caddy certificates assigned to the same server", async () => {
+	certificatesFindFirstMock.mockResolvedValue({
+		certificatePath: "certificate-uploaded",
+		serverId: "server-1",
+	});
+
+	await expect(
+		assertCaddyDomainCertificateAvailable("server-1", domain()),
+	).resolves.toBeUndefined();
+});
+
+test("rejects missing or cross-server Caddy certificate paths", async () => {
+	certificatesFindFirstMock.mockResolvedValueOnce(null);
+	await expect(
+		assertCaddyDomainCertificateAvailable(null, domain()),
+	).rejects.toThrow("is not available for this server");
+
+	certificatesFindFirstMock.mockResolvedValueOnce({
+		certificatePath: "certificate-uploaded",
+		serverId: "server-2",
+	});
+	await expect(
+		assertCaddyDomainCertificateAvailable("server-1", domain()),
+	).rejects.toThrow("is not available for this server");
+});
diff --git a/apps/dokploy/__test__/caddy/compose/domain.test.ts b/apps/dokploy/__test__/caddy/compose/domain.test.ts
index d0ded5fc96..80f2914161 100644
--- a/apps/dokploy/__test__/caddy/compose/domain.test.ts
+++ b/apps/dokploy/__test__/caddy/compose/domain.test.ts
@@ -8,6 +8,14 @@ vi.mock("node:fs", () => ({
 	default: fs,
 }));
 
+const execAsyncMock = vi.hoisted(() => vi.fn());
+const execAsyncRemoteMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsync: execAsyncMock,
+	execAsyncRemote: execAsyncRemoteMock,
+}));
+
 import {
 	addDomainToCompose,
 	addDomainToComposeForWebServer,
@@ -16,6 +24,8 @@ import {
 	createDomainLabels,
 	isDokployGeneratedTraefikLabel,
 	paths,
+	readCaddyRouteFragments,
+	refreshCaddyComposeRoutes,
 } from "@dokploy/server";
 import { beforeEach, describe, expect, test, vi } from "vitest";
 
@@ -77,6 +87,13 @@ const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
 
 beforeEach(() => {
 	vol.reset();
+	execAsyncMock.mockReset();
+	execAsyncRemoteMock.mockReset();
+	execAsyncMock.mockResolvedValue({ stdout: "dokploy-caddy\n", stderr: "" });
+	execAsyncRemoteMock.mockResolvedValue({
+		stdout: "dokploy-caddy\n",
+		stderr: "",
+	});
 });
 
 describe("Caddy compose route generation", () => {
@@ -112,6 +129,44 @@ describe("Caddy compose route generation", () => {
 		});
 	});
 
+	test("refreshes Caddy compose route fragments for domains created outside the domain router", async () => {
+		const composeInput = compose();
+		const routeDomain = domain({ https: true });
+		writeComposeFile(composeInput, {
+			services: {
+				web: { image: "nginx" },
+			},
+		});
+
+		await refreshCaddyComposeRoutes(composeInput, [routeDomain], "caddy");
+
+		const fragments = await readCaddyRouteFragments();
+		expect(fragments).toHaveLength(1);
+		expect(fragments[0]).toMatchObject({
+			id: "compose.my-compose.3",
+			source: "dokploy-compose",
+		});
+		const config = compileCaddyConfig({ fragments });
+		expect(getServers(config).https.routes[0].handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "my-compose-web:8080" }],
+		});
+	});
+
+	test("skips compose route refresh for Traefik provider", async () => {
+		const composeInput = compose();
+		writeComposeFile(composeInput, {
+			services: {
+				web: { image: "nginx" },
+			},
+		});
+
+		await refreshCaddyComposeRoutes(composeInput, [domain()], "traefik");
+
+		expect(await readCaddyRouteFragments()).toEqual([]);
+		expect(execAsyncMock).not.toHaveBeenCalled();
+	});
+
 	test("Traefik provider conversion delegates to the existing Traefik label path", async () => {
 		const composeInput = compose();
 		writeComposeFile(composeInput, {
diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index f163b40502..8dc8b61856 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -17,13 +17,17 @@ import {
 	type ApplicationNested,
 	type CaddyRouteFragment,
 	type CaddyRouteIntent,
+	CLOUDFLARE_TRUSTED_PROXY_RANGES,
+	caddyTrustedProxySettingsToConfig,
 	compileAndWriteCaddyConfig,
 	compileCaddyConfig,
 	type Domain,
 	getCaddyMigrationArtifactPaths,
 	manageCaddyDomain,
+	normalizeCaddyTrustedProxySettings,
 	paths,
 	readCaddyRouteFragments,
+	removeCaddyDomain,
 	validateCaddyConfigFileWithImage,
 	writeCaddyRouteFragment,
 } from "@dokploy/server";
@@ -76,6 +80,96 @@ test("compiles explicit http and https servers with managed HTTPS redirect", ()
 	expect((config.apps as any).tls.automation.policies[0].issuers[0].email).toBe(
 		"ops@example.com",
 	);
+	expect(servers.http.trusted_proxies).toBeUndefined();
+	expect(servers.https.trusted_proxies).toBeUndefined();
+	expect(servers.http.client_ip_headers).toBeUndefined();
+	expect(servers.https.client_ip_headers).toBeUndefined();
+});
+
+test("compiles Cloudflare trusted proxy settings with safe client IP headers", () => {
+	const config = compileCaddyConfig({
+		routes: [route({ https: true })],
+		trustedProxies: {
+			source: "cloudflare",
+		},
+	});
+
+	const servers = getServers(config);
+	for (const server of [servers.http, servers.https]) {
+		expect(server.trusted_proxies).toEqual({
+			source: "static",
+			ranges: [...CLOUDFLARE_TRUSTED_PROXY_RANGES],
+		});
+		expect(server.client_ip_headers).toEqual([
+			"CF-Connecting-IP",
+			"X-Forwarded-For",
+		]);
+		expect(server.trusted_proxies_strict).toBe(1);
+	}
+});
+
+test("compiles custom static trusted proxy ranges", () => {
+	const config = compileCaddyConfig({
+		routes: [route()],
+		trustedProxies: {
+			source: "static",
+			ranges: ["192.0.2.0/24", "2001:db8::/32"],
+			clientIpHeaders: ["X-Forwarded-For"],
+			strict: false,
+		},
+	});
+
+	const servers = getServers(config);
+	expect(servers.http).toMatchObject({
+		trusted_proxies: {
+			source: "static",
+			ranges: ["192.0.2.0/24", "2001:db8::/32"],
+		},
+		client_ip_headers: ["X-Forwarded-For"],
+	});
+	expect(servers.http.trusted_proxies_strict).toBeUndefined();
+	expect(servers.https.trusted_proxies).toEqual(servers.http.trusted_proxies);
+});
+
+test("normalizes persisted Caddy trusted proxy settings", () => {
+	const settings = normalizeCaddyTrustedProxySettings({
+		mode: "static",
+		ranges: [" 192.0.2.0/24 ", "192.0.2.0/24"],
+		clientIpHeaders: [" X-Forwarded-For ", ""],
+		strict: null,
+	});
+
+	expect(settings).toEqual({
+		mode: "static",
+		ranges: ["192.0.2.0/24"],
+		clientIpHeaders: ["X-Forwarded-For"],
+		strict: true,
+	});
+	expect(caddyTrustedProxySettingsToConfig(settings)).toEqual({
+		source: "static",
+		ranges: ["192.0.2.0/24"],
+		clientIpHeaders: ["X-Forwarded-For"],
+		strict: true,
+	});
+	expect(normalizeCaddyTrustedProxySettings({ mode: "disabled" })).toBeNull();
+});
+
+test("rejects invalid trusted proxy settings before writing Caddy config", () => {
+	expect(() =>
+		compileCaddyConfig({
+			trustedProxies: { source: "static", ranges: ["192.0.2.0/33"] },
+		}),
+	).toThrow("Invalid Caddy trusted proxy prefix");
+
+	expect(() =>
+		compileCaddyConfig({
+			trustedProxies: {
+				source: "static",
+				ranges: ["192.0.2.0/24"],
+				clientIpHeaders: ["X-Forwarded-For", "x-forwarded-for"],
+			},
+		}),
+	).toThrow("Duplicate Caddy trusted proxy client IP header");
 });
 
 test("sorts routes by priority before path specificity and stable id", () => {
@@ -305,6 +399,9 @@ test("validates a config file with the Caddy binary in an isolated runtime conta
 	expect(validateCommand).toContain(
 		"/etc/dokploy/caddy/migrations/test/.validate-runtime/config\\:/config",
 	);
+	expect(validateCommand).toContain(
+		`${paths().CERTIFICATES_PATH}\\:${paths().CERTIFICATES_PATH}\\:ro`,
+	);
 	expect(validateCommand).toContain(" caddy validate --config");
 	expect(validateCommand).not.toContain("caddy\\:2.11.3 validate --config");
 });
@@ -352,3 +449,28 @@ test("restores previous fragments when Caddy domain reload fails", async () => {
 
 	expect(await readCaddyRouteFragments()).toEqual([existingFragment]);
 });
+
+test("restores removed fragments when Caddy domain removal reload fails", async () => {
+	const existingFragment: CaddyRouteFragment = {
+		version: 1,
+		id: "application.my-app.7",
+		source: "dokploy-application",
+		routes: [route({ id: "existing", hosts: ["old.example.com"] })],
+	};
+	await writeCaddyRouteFragment(existingFragment);
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(
+		removeCaddyDomain(
+			{ appName: "my-app", serverId: null } as ApplicationNested,
+			7,
+		),
+	).rejects.toThrow("validation failed");
+
+	expect(await readCaddyRouteFragments()).toEqual([existingFragment]);
+});
diff --git a/apps/dokploy/__test__/caddy/dashboard-route.test.ts b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
index b4669b930a..2eb3f65670 100644
--- a/apps/dokploy/__test__/caddy/dashboard-route.test.ts
+++ b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
@@ -11,6 +11,7 @@ const settings = (overrides: Partial<WebServerSettings> = {}) =>
 	({
 		id: "settings-1",
 		webServerProvider: "caddy",
+		caddyTrustedProxyConfig: null,
 		https: false,
 		certificateType: "none",
 		host: null,
diff --git a/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
new file mode 100644
index 0000000000..a8bec8702c
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
@@ -0,0 +1,254 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+vi.mock("@dokploy/server", () => ({
+	assertCaddyDomainSupported: vi.fn(),
+	createComposeDomain: vi.fn(),
+	createDomain: vi.fn(),
+	findApplicationById: vi.fn(),
+	findComposeById: vi.fn(),
+	findDomainById: vi.fn(),
+	findDomainsByApplicationId: vi.fn(),
+	findDomainsByComposeId: vi.fn(),
+	findPreviewDeploymentById: vi.fn(),
+	findServerById: vi.fn(),
+	generateTraefikMeDomain: vi.fn(),
+	getWebServerSettings: vi.fn(),
+	manageWebServerDomain: vi.fn(),
+	refreshCaddyComposeRoutes: vi.fn(),
+	removeDomainById: vi.fn(),
+	removeWebServerDomain: vi.fn(),
+	resolveWebServerProvider: vi.fn(),
+	updateDomainById: vi.fn(),
+	validateDomain: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/services/permission", () => ({
+	checkServicePermissionAndAccess: vi.fn(),
+}));
+
+vi.mock("@/server/api/utils/audit", () => ({
+	audit: vi.fn(),
+}));
+
+import {
+	findApplicationById,
+	findComposeById,
+	findDomainById,
+	findDomainsByComposeId,
+	manageWebServerDomain,
+	refreshCaddyComposeRoutes,
+	removeDomainById,
+	removeWebServerDomain,
+	resolveWebServerProvider,
+	updateDomainById,
+} from "@dokploy/server";
+import { domainRouter } from "@/server/api/routers/domain";
+
+const application = {
+	applicationId: "app-1",
+	appName: "my-app",
+	serverId: null,
+};
+
+const currentDomain = {
+	domainId: "domain-1",
+	applicationId: "app-1",
+	composeId: null,
+	previewDeploymentId: null,
+	domainType: "application",
+	host: "old.example.com",
+	path: "/",
+	internalPath: "/",
+	stripPath: false,
+	https: true,
+	certificateType: "letsencrypt",
+	customCertResolver: null,
+	customEntrypoint: null,
+	middlewares: null,
+	port: 3000,
+	serviceName: null,
+	uniqueConfigKey: 7,
+	createdAt: "",
+};
+
+const compose = {
+	composeId: "compose-1",
+	appName: "my-compose",
+	serverId: null,
+};
+
+const currentComposeDomain = {
+	...currentDomain,
+	applicationId: null,
+	composeId: "compose-1",
+	domainType: "compose" as const,
+	serviceName: "web",
+};
+
+const siblingComposeDomain = {
+	...currentComposeDomain,
+	domainId: "domain-2",
+	host: "sibling.example.com",
+	uniqueConfigKey: 8,
+};
+
+const updateInput = {
+	domainId: "domain-1",
+	domainType: "application" as const,
+	host: "new.example.com",
+	path: "/",
+	internalPath: "/",
+	stripPath: false,
+	https: true,
+	certificateType: "letsencrypt" as const,
+	customCertResolver: null,
+	customEntrypoint: null,
+	middlewares: null,
+	port: 3000,
+	serviceName: null,
+};
+
+const caller = domainRouter.createCaller({
+	session: {
+		userId: "user-1",
+		activeOrganizationId: "org-1",
+	},
+	user: {
+		id: "user-1",
+		role: "owner",
+		ownerId: "user-1",
+		email: "owner@example.com",
+		enableEnterpriseFeatures: true,
+		isValidEnterpriseLicense: true,
+	},
+	req: { headers: {} },
+	res: {},
+} as never);
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	vi.mocked(findDomainById).mockResolvedValue(currentDomain as never);
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	vi.mocked(findComposeById).mockResolvedValue(compose as never);
+	vi.mocked(findDomainsByComposeId).mockResolvedValue([
+		currentComposeDomain,
+		siblingComposeDomain,
+	] as never);
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	vi.mocked(manageWebServerDomain).mockResolvedValue(undefined as never);
+	vi.mocked(removeWebServerDomain).mockResolvedValue(undefined as never);
+	vi.mocked(refreshCaddyComposeRoutes).mockResolvedValue(undefined as never);
+});
+
+test("restores the previous Caddy application route when domain update persistence fails", async () => {
+	vi.mocked(updateDomainById).mockRejectedValueOnce(
+		new Error("db update failed") as never,
+	);
+
+	await expect(caller.update(updateInput)).rejects.toThrow("db update failed");
+
+	expect(manageWebServerDomain).toHaveBeenNthCalledWith(
+		1,
+		application,
+		expect.objectContaining({
+			domainId: "domain-1",
+			host: "new.example.com",
+		}),
+	);
+	expect(manageWebServerDomain).toHaveBeenNthCalledWith(
+		2,
+		application,
+		currentDomain,
+	);
+});
+
+test("restores the removed Caddy application route when domain delete persistence fails", async () => {
+	vi.mocked(removeDomainById).mockRejectedValueOnce(
+		new Error("db delete failed") as never,
+	);
+
+	await expect(caller.delete({ domainId: "domain-1" })).rejects.toThrow(
+		"db delete failed",
+	);
+
+	expect(removeWebServerDomain).toHaveBeenCalledWith(application, 7);
+	expect(manageWebServerDomain).toHaveBeenCalledWith(
+		application,
+		currentDomain,
+	);
+});
+
+test("restores previous compose domain fields when Caddy route refresh fails after update", async () => {
+	const updatedDomain = {
+		...currentComposeDomain,
+		host: "new.example.com",
+	};
+	vi.mocked(findDomainById).mockResolvedValueOnce(
+		currentComposeDomain as never,
+	);
+	vi.mocked(updateDomainById)
+		.mockResolvedValueOnce(updatedDomain as never)
+		.mockResolvedValueOnce(currentComposeDomain as never);
+	vi.mocked(refreshCaddyComposeRoutes)
+		.mockRejectedValueOnce(new Error("caddy refresh failed") as never)
+		.mockResolvedValueOnce(undefined as never);
+
+	await expect(
+		caller.update({
+			...updateInput,
+			domainType: "compose",
+			serviceName: "web",
+		}),
+	).rejects.toThrow("caddy refresh failed");
+
+	expect(updateDomainById).toHaveBeenNthCalledWith(
+		1,
+		"domain-1",
+		expect.objectContaining({
+			host: "new.example.com",
+			domainType: "compose",
+			serviceName: "web",
+		}),
+	);
+	expect(updateDomainById).toHaveBeenNthCalledWith(
+		2,
+		"domain-1",
+		expect.objectContaining({
+			host: "old.example.com",
+			domainType: "compose",
+			serviceName: "web",
+		}),
+	);
+	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
+		2,
+		compose,
+		undefined,
+		"caddy",
+	);
+});
+
+test("restores all compose routes when compose domain delete persistence fails", async () => {
+	vi.mocked(findDomainById).mockResolvedValueOnce(
+		currentComposeDomain as never,
+	);
+	vi.mocked(removeDomainById).mockRejectedValueOnce(
+		new Error("db delete failed") as never,
+	);
+
+	await expect(caller.delete({ domainId: "domain-1" })).rejects.toThrow(
+		"db delete failed",
+	);
+
+	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
+		1,
+		compose,
+		[siblingComposeDomain],
+		"caddy",
+	);
+	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
+		2,
+		compose,
+		undefined,
+		"caddy",
+	);
+});
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
index 753ef76f90..3607a5e2c8 100644
--- a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -18,6 +18,7 @@ vi.mock("@dokploy/server/services/settings", () => ({
 }));
 
 vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getCaddyCompileSettings: vi.fn(),
 	resolveWebServerProvider: vi.fn(),
 	updateLocalWebServerProvider: vi.fn(),
 	updateRemoteWebServerProvider: vi.fn(),
@@ -111,6 +112,9 @@ describe("applyCaddyMigration", () => {
 		vi.mocked(providerService.resolveWebServerProvider).mockResolvedValue(
 			"traefik",
 		);
+		vi.mocked(providerService.getCaddyCompileSettings).mockResolvedValue({
+			trustedProxies: null,
+		});
 		vi.mocked(settingsService.getDockerResourceSnapshot).mockImplementation(
 			async (resourceName: string) => ({
 				resourceName,
diff --git a/apps/dokploy/__test__/caddy/migration/prepare.test.ts b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
index 42d736d254..1bffb710d8 100644
--- a/apps/dokploy/__test__/caddy/migration/prepare.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
@@ -16,6 +16,10 @@ vi.mock("@dokploy/server/db", () => ({
 }));
 
 vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getCaddyCompileSettings: vi.fn().mockResolvedValue({
+		letsEncryptEmail: "ops@example.com",
+		trustedProxies: null,
+	}),
 	getWebServerSettings: vi.fn().mockResolvedValue({
 		letsEncryptEmail: "ops@example.com",
 	}),
diff --git a/apps/dokploy/__test__/caddy/preview-deployment.test.ts b/apps/dokploy/__test__/caddy/preview-deployment.test.ts
new file mode 100644
index 0000000000..6ac708ea1e
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/preview-deployment.test.ts
@@ -0,0 +1,275 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const previewDeploymentRow = {
+	previewDeploymentId: "preview-1",
+	applicationId: "app-1",
+	appName: "preview-my-app-fixedpw",
+	pullRequestCommentId: "comment-1",
+	domainId: null,
+};
+
+const insertedPreviewDeployment = { ...previewDeploymentRow };
+
+const dbMock = vi.hoisted(() => ({
+	query: {
+		organization: { findFirst: vi.fn() },
+		previewDeployments: { findFirst: vi.fn() },
+	},
+	insert: vi.fn(),
+	update: vi.fn(),
+	delete: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/db", () => ({
+	db: dbMock,
+}));
+
+vi.mock("@dokploy/server/templates", () => ({
+	generatePassword: vi.fn(() => "fixedpw"),
+}));
+
+vi.mock("@dokploy/server/services/application", () => ({
+	findApplicationById: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/services/deployment", () => ({
+	removeDeploymentsByPreviewDeploymentId: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/services/domain", () => ({
+	createDomain: vi.fn(),
+	removeDomainById: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/services/github", () => ({
+	getIssueComment: vi.fn(() => "preview comment"),
+}));
+
+vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getWebServerSettings: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/docker/utils", () => ({
+	removeService: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/filesystem/directory", () => ({
+	removeDirectoryCode: vi.fn(),
+}));
+
+const createCommentMock = vi.hoisted(() => vi.fn());
+const deleteCommentMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/utils/providers/github", () => ({
+	authGithub: vi.fn(() => ({
+		rest: {
+			issues: {
+				createComment: createCommentMock,
+				deleteComment: deleteCommentMock,
+			},
+		},
+	})),
+}));
+
+vi.mock("@dokploy/server/utils/traefik/application", () => ({
+	removeTraefikConfig: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/utils/web-server/domain", () => ({
+	manageWebServerDomain: vi.fn(),
+	removeWebServerDomain: vi.fn(),
+}));
+
+import { findApplicationById } from "@dokploy/server/services/application";
+import {
+	createDomain,
+	removeDomainById,
+} from "@dokploy/server/services/domain";
+import {
+	createPreviewDeployment,
+	removePreviewDeployment,
+} from "@dokploy/server/services/preview-deployment";
+import {
+	manageWebServerDomain,
+	removeWebServerDomain,
+} from "@dokploy/server/utils/web-server/domain";
+
+const createApplication = () => ({
+	applicationId: "app-1",
+	appName: "my-app",
+	name: "My App",
+	owner: "dokploy",
+	repository: "dokploy",
+	github: {},
+	serverId: null,
+	server: {
+		ipAddress: "192.0.2.10",
+	},
+	previewWildcard: "*.sslip.io",
+	previewPath: "/",
+	previewPort: 3000,
+	previewHttps: true,
+	previewCertificateType: "letsencrypt",
+	previewCustomCertResolver: null,
+	environment: {
+		project: {
+			organizationId: "org-1",
+		},
+	},
+});
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	Object.assign(insertedPreviewDeployment, previewDeploymentRow);
+	dbMock.query.organization.findFirst.mockResolvedValue({ ownerId: "user-1" });
+	createCommentMock.mockResolvedValue({ data: { id: 12345 } });
+	dbMock.insert.mockReturnValue({
+		values: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([insertedPreviewDeployment]),
+		}),
+	});
+	dbMock.update.mockReturnValue({
+		set: vi.fn().mockReturnValue({
+			where: vi.fn().mockResolvedValue([]),
+		}),
+	});
+	dbMock.delete.mockReturnValue({
+		where: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([]),
+		}),
+	});
+	vi.mocked(removeDomainById).mockResolvedValue(undefined as never);
+	vi.mocked(removeWebServerDomain).mockResolvedValue(undefined as never);
+	deleteCommentMock.mockResolvedValue(undefined);
+});
+
+test("creates preview domains through the active web server provider", async () => {
+	const application = createApplication();
+	const domain = {
+		domainId: "domain-1",
+		host: "preview-my-app-fixedpw-192-0-2-10.sslip.io",
+		uniqueConfigKey: 17,
+	};
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	vi.mocked(createDomain).mockResolvedValue(domain as never);
+
+	await createPreviewDeployment({
+		applicationId: "app-1",
+		pullRequestId: "pr-1",
+		pullRequestNumber: "42",
+		branch: "feature/caddy-preview",
+	} as never);
+
+	expect(createDomain).toHaveBeenCalledWith(
+		expect.objectContaining({
+			host: "preview-my-app-fixedpw-192-0-2-10.sslip.io",
+			path: "/",
+			port: 3000,
+			https: true,
+			certificateType: "letsencrypt",
+			domainType: "preview",
+			previewDeploymentId: "preview-1",
+		}),
+	);
+	expect(manageWebServerDomain).toHaveBeenCalledWith(
+		expect.objectContaining({
+			applicationId: "app-1",
+			appName: "preview-my-app-fixedpw",
+		}),
+		domain,
+	);
+});
+
+test("cleans up preview domain state when provider route creation fails", async () => {
+	const application = createApplication();
+	const domain = {
+		domainId: "domain-1",
+		host: "preview-my-app-fixedpw-192-0-2-10.sslip.io",
+		uniqueConfigKey: 17,
+	};
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	vi.mocked(createDomain).mockResolvedValue(domain as never);
+	vi.mocked(manageWebServerDomain).mockRejectedValueOnce(
+		new Error("caddy reload failed") as never,
+	);
+
+	await expect(
+		createPreviewDeployment({
+			applicationId: "app-1",
+			pullRequestId: "pr-1",
+			pullRequestNumber: "42",
+			branch: "feature/caddy-preview",
+		} as never),
+	).rejects.toThrow("caddy reload failed");
+
+	expect(removeDomainById).toHaveBeenCalledWith("domain-1");
+	expect(removeWebServerDomain).not.toHaveBeenCalled();
+	expect(dbMock.delete).toHaveBeenCalled();
+	expect(deleteCommentMock).toHaveBeenCalledWith(
+		expect.objectContaining({
+			owner: "dokploy",
+			repo: "dokploy",
+			comment_id: 12345,
+		}),
+	);
+});
+
+test("removes preview routes when preview domain linking fails after route creation", async () => {
+	const application = createApplication();
+	const domain = {
+		domainId: "domain-1",
+		host: "preview-my-app-fixedpw-192-0-2-10.sslip.io",
+		uniqueConfigKey: 17,
+	};
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	vi.mocked(createDomain).mockResolvedValue(domain as never);
+	dbMock.update.mockReturnValueOnce({
+		set: vi.fn().mockReturnValue({
+			where: vi.fn().mockRejectedValue(new Error("db update failed")),
+		}),
+	});
+
+	await expect(
+		createPreviewDeployment({
+			applicationId: "app-1",
+			pullRequestId: "pr-1",
+			pullRequestNumber: "42",
+			branch: "feature/caddy-preview",
+		} as never),
+	).rejects.toThrow("db update failed");
+
+	expect(removeWebServerDomain).toHaveBeenCalledWith(
+		expect.objectContaining({
+			appName: "preview-my-app-fixedpw",
+		}),
+		17,
+	);
+	expect(removeDomainById).toHaveBeenCalledWith("domain-1");
+	expect(dbMock.delete).toHaveBeenCalled();
+});
+
+test("removes preview domains through the active web server provider", async () => {
+	const application = createApplication();
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	dbMock.query.previewDeployments.findFirst.mockResolvedValue({
+		...previewDeploymentRow,
+		domain: {
+			domainId: "domain-1",
+			uniqueConfigKey: 17,
+		},
+		application: {
+			applicationId: "app-1",
+			serverId: null,
+		},
+	});
+
+	await removePreviewDeployment("preview-1");
+
+	expect(removeWebServerDomain).toHaveBeenCalledWith(
+		expect.objectContaining({
+			applicationId: "app-1",
+			appName: "preview-my-app-fixedpw",
+		}),
+		17,
+	);
+});
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
index 21d28a7332..d336d3bbb4 100644
--- a/apps/dokploy/__test__/caddy/setup.test.ts
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -64,6 +64,7 @@ describe("Caddy runtime setup", () => {
 				HostConfig: expect.objectContaining({
 					Binds: expect.arrayContaining([
 						expect.stringMatching(/\/caddy:\/etc\/caddy$/),
+						expect.stringMatching(/\/certificates:.*\/certificates:ro$/),
 					]),
 				}),
 			}),
diff --git a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
index e934820bda..85beddfc8a 100644
--- a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
+++ b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
@@ -19,6 +19,7 @@ type WebServerSettings = typeof webServerSettings.$inferSelect;
 const baseSettings: WebServerSettings = {
 	id: "",
 	webServerProvider: "traefik",
+	caddyTrustedProxyConfig: null,
 	https: false,
 	certificateType: "none",
 	host: null,
diff --git a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
index 564f4fd182..cfcd00ee0e 100644
--- a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
+++ b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
@@ -185,6 +185,15 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 		);
 	const isCaddyProvider = activeProvider === "caddy";
 
+	const { data: certificates } = api.certificates.all.useQuery(undefined, {
+		enabled: isOpen && isCaddyProvider,
+	});
+	const caddyCertificates = (certificates ?? []).filter((certificate) =>
+		application?.serverId
+			? certificate.serverId === application.serverId
+			: !certificate.serverId,
+	);
+
 	const { data: canGenerateTraefikMeDomains } =
 		api.domain.canGenerateTraefikMeDomains.useQuery({
 			serverId: application?.serverId || "",
@@ -291,13 +300,6 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 	};
 
 	const onSubmit = async (data: Domain) => {
-		if (isCaddyProvider && data.certificateType === "custom") {
-			toast.error(
-				"Caddy does not support Traefik custom certificate resolvers. Choose Let's Encrypt or None.",
-			);
-			return;
-		}
-
 		await mutateAsync({
 			domainId,
 			...(data.domainType === "application" && {
@@ -360,9 +362,9 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 				{isCaddyProvider && (
 					<AlertBlock type="info" className="mb-4">
 						This server uses Caddy. Dokploy will generate Caddy route fragments,
-						Caddy will manage HTTPS certificates for public DNS names, and
-						Traefik-only custom entrypoints, middleware references, and custom
-						certificate resolvers are hidden.
+						Caddy can manage HTTPS certificates for public DNS names or load an
+						uploaded certificate, and Traefik-only custom entrypoints and
+						middleware references are hidden.
 					</AlertBlock>
 				)}
 
@@ -795,11 +797,11 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 																		? "Caddy-managed HTTPS (ACME)"
 																		: "Let's Encrypt"}
 																</SelectItem>
-																{!isCaddyProvider && (
-																	<SelectItem value={"custom"}>
-																		Custom
-																	</SelectItem>
-																)}
+																<SelectItem value={"custom"}>
+																	{isCaddyProvider
+																		? "Uploaded certificate"
+																		: "Custom"}
+																</SelectItem>
 															</SelectContent>
 														</Select>
 														<FormMessage />
@@ -809,11 +811,48 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 										/>
 
 										{isCaddyProvider && certificateType === "custom" && (
-											<AlertBlock type="warning">
-												This domain uses a Traefik custom certificate resolver.
-												Caddy does not use resolver names; choose Caddy-managed
-												HTTPS or None before saving.
-											</AlertBlock>
+											<FormField
+												control={form.control}
+												name="customCertResolver"
+												render={({ field }) => {
+													return (
+														<FormItem>
+															<FormLabel>Uploaded Certificate</FormLabel>
+															{caddyCertificates.length > 0 ? (
+																<Select
+																	onValueChange={(value) => {
+																		field.onChange(value);
+																		form.trigger("customCertResolver");
+																	}}
+																	value={field.value}
+																>
+																	<FormControl>
+																		<SelectTrigger>
+																			<SelectValue placeholder="Select an uploaded certificate" />
+																		</SelectTrigger>
+																	</FormControl>
+																	<SelectContent>
+																		{caddyCertificates.map((certificate) => (
+																			<SelectItem
+																				key={certificate.certificateId}
+																				value={certificate.certificatePath}
+																			>
+																				{certificate.name}
+																			</SelectItem>
+																		))}
+																	</SelectContent>
+																</Select>
+															) : (
+																<AlertBlock type="warning">
+																	Add an uploaded certificate for this server
+																	before selecting custom HTTPS.
+																</AlertBlock>
+															)}
+															<FormMessage />
+														</FormItem>
+													);
+												}}
+											/>
 										)}
 
 										{!isCaddyProvider && certificateType === "custom" && (
diff --git a/apps/dokploy/components/dashboard/settings/certificates/show-certificates.tsx b/apps/dokploy/components/dashboard/settings/certificates/show-certificates.tsx
index c69451c895..d158b381bc 100644
--- a/apps/dokploy/components/dashboard/settings/certificates/show-certificates.tsx
+++ b/apps/dokploy/components/dashboard/settings/certificates/show-certificates.tsx
@@ -46,14 +46,13 @@ export const ShowCertificates = () => {
 							Certificates
 						</CardTitle>
 						<CardDescription>
-							Create certificates in the Traefik directory
+							Create uploaded certificates for web server domains
 						</CardDescription>
 
 						<AlertBlock type="warning">
-							Certificates are created in the Traefik directory. Traefik uses
-							these certificates to secure your applications. Using invalid
-							certificates can break your Traefik instance, preventing access to
-							your applications.
+							Uploaded certificates can be used by supported web server
+							providers to secure your applications. Invalid certificates can
+							break domain access for the services that use them.
 						</AlertBlock>
 					</CardHeader>
 					<CardContent className="space-y-2 py-8 border-t">
diff --git a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
index 9a1d3c26a4..d0ff8c0e2a 100644
--- a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
@@ -13,6 +13,7 @@ import {
 } from "@/components/ui/dropdown-menu";
 import { useHealthCheckAfterMutation } from "@/hooks/use-health-check-after-mutation";
 import { api } from "@/utils/api";
+import { CaddyTrustedProxySettings } from "../../web-server/caddy-trusted-proxy-settings";
 import { EditTraefikEnv } from "../../web-server/edit-traefik-env";
 import { ManageTraefikPorts } from "../../web-server/manage-traefik-ports";
 import { ShowModalLogs } from "../../web-server/show-modal-logs";
@@ -130,6 +131,17 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 						</DropdownMenuItem>
 					</EditTraefikEnv>
 
+					{activeProvider === "caddy" && (
+						<CaddyTrustedProxySettings serverId={serverId}>
+							<DropdownMenuItem
+								onSelect={(e) => e.preventDefault()}
+								className="cursor-pointer"
+							>
+								<span>Trusted Proxies</span>
+							</DropdownMenuItem>
+						</CaddyTrustedProxySettings>
+					)}
+
 					{activeProvider === "traefik" && (
 						<DialogAction
 							title={
diff --git a/apps/dokploy/components/dashboard/settings/web-server.tsx b/apps/dokploy/components/dashboard/settings/web-server.tsx
index ab16e57045..e2f9a85e42 100644
--- a/apps/dokploy/components/dashboard/settings/web-server.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server.tsx
@@ -14,6 +14,7 @@ import { ShowStorageActions } from "./servers/actions/show-storage-actions";
 import { ShowTraefikActions } from "./servers/actions/show-traefik-actions";
 import { ToggleDockerCleanup } from "./servers/actions/toggle-docker-cleanup";
 import { CaddyMigrationPanel } from "./web-server/caddy-migration-panel";
+import { CaddyTrustedProxySettings } from "./web-server/caddy-trusted-proxy-settings";
 import { UpdateServer } from "./web-server/update-server";
 import { WebServerProviderSelector } from "./web-server/web-server-provider-selector";
 
@@ -46,6 +47,7 @@ export const WebServer = () => {
 					<CardContent className="space-y-6 py-6 border-t">
 						<WebServerProviderSelector />
 						<CaddyMigrationPanel />
+						<CaddyTrustedProxySettings />
 
 						<div className="grid md:grid-cols-2 gap-4">
 							<ShowDokployActions />
diff --git a/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx b/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
new file mode 100644
index 0000000000..b1d8ab0a41
--- /dev/null
+++ b/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
@@ -0,0 +1,214 @@
+import { Cloud, ShieldCheck } from "lucide-react";
+import { useEffect, useState } from "react";
+import { toast } from "sonner";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import { Label } from "@/components/ui/label";
+import {
+	Select,
+	SelectContent,
+	SelectItem,
+	SelectTrigger,
+	SelectValue,
+} from "@/components/ui/select";
+import { Switch } from "@/components/ui/switch";
+import { Textarea } from "@/components/ui/textarea";
+import { api } from "@/utils/api";
+
+type TrustedProxyMode = "disabled" | "cloudflare" | "static";
+
+interface Props {
+	serverId?: string;
+	children?: React.ReactNode;
+}
+
+const splitList = (value: string) =>
+	Array.from(
+		new Set(
+			value
+				.split(/[\n,]+/)
+				.map((item) => item.trim())
+				.filter((item) => item.length > 0),
+		),
+	);
+
+const joinList = (values?: string[] | null) => (values ?? []).join("\n");
+
+const modeLabel = (mode?: TrustedProxyMode) => {
+	switch (mode) {
+		case "cloudflare":
+			return "Cloudflare";
+		case "static":
+			return "Static CIDRs";
+		default:
+			return "Disabled";
+	}
+};
+
+export const CaddyTrustedProxySettings = ({ serverId, children }: Props) => {
+	const [isOpen, setIsOpen] = useState(false);
+	const [mode, setMode] = useState<TrustedProxyMode>("disabled");
+	const [ranges, setRanges] = useState("");
+	const [headers, setHeaders] = useState("");
+	const [strict, setStrict] = useState(true);
+
+	const { data: settings, refetch } =
+		api.settings.getCaddyTrustedProxySettings.useQuery({ serverId });
+	const { mutateAsync: updateSettings, isPending } =
+		api.settings.updateCaddyTrustedProxySettings.useMutation();
+
+	useEffect(() => {
+		if (!settings) return;
+		setMode(settings.mode);
+		setRanges(joinList(settings.ranges));
+		setHeaders(joinList(settings.clientIpHeaders));
+		setStrict(settings.strict !== false);
+	}, [settings]);
+
+	const save = async () => {
+		try {
+			await updateSettings({
+				serverId,
+				mode,
+				ranges: mode === "static" ? splitList(ranges) : [],
+				clientIpHeaders: splitList(headers),
+				strict,
+			});
+			await refetch();
+			toast.success("Caddy trusted proxy settings updated");
+			setIsOpen(false);
+		} catch (error) {
+			toast.error(
+				error instanceof Error
+					? error.message
+					: "Error updating Caddy trusted proxy settings",
+			);
+		}
+	};
+
+	const trigger = children ?? (
+		<button
+			type="button"
+			className="flex w-full flex-col gap-4 rounded-lg border p-4 text-left transition-colors hover:bg-muted/40 md:flex-row md:items-center md:justify-between"
+		>
+			<div className="flex gap-3">
+				<ShieldCheck className="mt-0.5 size-5 shrink-0 text-muted-foreground" />
+				<div className="space-y-1">
+					<div className="font-medium">Caddy trusted proxies</div>
+					<div className="text-sm text-muted-foreground">
+						Mode: {modeLabel(settings?.mode)}
+					</div>
+				</div>
+			</div>
+			<span className="inline-flex h-8 items-center justify-center rounded-md border border-input bg-background px-3 text-sm font-medium shadow-sm">
+				Configure
+			</span>
+		</button>
+	);
+
+	return (
+		<Dialog open={isOpen} onOpenChange={setIsOpen}>
+			<DialogTrigger asChild>{trigger}</DialogTrigger>
+			<DialogContent className="max-w-xl">
+				<DialogHeader>
+					<DialogTitle>Caddy trusted proxies</DialogTitle>
+					<DialogDescription>
+						Configure which proxy IPs Caddy trusts for client IP headers.
+					</DialogDescription>
+				</DialogHeader>
+
+				<div className="space-y-5">
+					<div className="space-y-2">
+						<Label>Mode</Label>
+						<Select
+							value={mode}
+							onValueChange={(value) => setMode(value as TrustedProxyMode)}
+						>
+							<SelectTrigger>
+								<SelectValue placeholder="Select mode" />
+							</SelectTrigger>
+							<SelectContent>
+								<SelectItem value="disabled">Disabled</SelectItem>
+								<SelectItem value="cloudflare">Cloudflare</SelectItem>
+								<SelectItem value="static">Static CIDRs</SelectItem>
+							</SelectContent>
+						</Select>
+					</div>
+
+					{mode === "cloudflare" && (
+						<AlertBlock type="info">
+							<div className="flex gap-2">
+								<Cloud className="mt-0.5 size-4 shrink-0" />
+								<span>
+									Caddy will trust Cloudflare IP ranges and use CF-Connecting-IP
+									before X-Forwarded-For.
+								</span>
+							</div>
+						</AlertBlock>
+					)}
+
+					{mode === "static" && (
+						<div className="space-y-2">
+							<Label>Trusted CIDR ranges</Label>
+							<Textarea
+								value={ranges}
+								onChange={(event) => setRanges(event.target.value)}
+								placeholder={"192.0.2.0/24\n2001:db8::/32"}
+								rows={5}
+							/>
+						</div>
+					)}
+
+					{mode !== "disabled" && (
+						<>
+							<div className="space-y-2">
+								<Label>Client IP headers</Label>
+								<Textarea
+									value={headers}
+									onChange={(event) => setHeaders(event.target.value)}
+									placeholder={
+										mode === "cloudflare"
+											? "CF-Connecting-IP\nX-Forwarded-For"
+											: "X-Forwarded-For"
+									}
+									rows={3}
+								/>
+							</div>
+							<div className="flex items-center justify-between rounded-lg border p-3">
+								<div className="space-y-0.5">
+									<Label>Strict proxy order</Label>
+									<div className="text-sm text-muted-foreground">
+										Require the trusted proxy chain to be ordered.
+									</div>
+								</div>
+								<Switch checked={strict} onCheckedChange={setStrict} />
+							</div>
+						</>
+					)}
+				</div>
+
+				<DialogFooter>
+					<Button
+						type="button"
+						variant="outline"
+						onClick={() => setIsOpen(false)}
+					>
+						Cancel
+					</Button>
+					<Button type="button" onClick={save} isLoading={isPending}>
+						Save
+					</Button>
+				</DialogFooter>
+			</DialogContent>
+		</Dialog>
+	);
+};
diff --git a/apps/dokploy/drizzle/0171_caddy_trusted_proxy_config.sql b/apps/dokploy/drizzle/0171_caddy_trusted_proxy_config.sql
new file mode 100644
index 0000000000..3e86ae140e
--- /dev/null
+++ b/apps/dokploy/drizzle/0171_caddy_trusted_proxy_config.sql
@@ -0,0 +1,2 @@
+ALTER TABLE "server" ADD COLUMN "caddyTrustedProxyConfig" jsonb DEFAULT 'null'::jsonb;--> statement-breakpoint
+ALTER TABLE "webServerSettings" ADD COLUMN "caddyTrustedProxyConfig" jsonb DEFAULT 'null'::jsonb;
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/0171_snapshot.json b/apps/dokploy/drizzle/meta/0171_snapshot.json
new file mode 100644
index 0000000000..788382429e
--- /dev/null
+++ b/apps/dokploy/drizzle/meta/0171_snapshot.json
@@ -0,0 +1,8370 @@
+{
+  "id": "99b3eb38-5993-4945-a6ae-46e791e23c57",
+  "prevId": "93bfd2e4-aeef-4158-9b26-97da9f79b99b",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is2FAEnabled": {
+          "name": "is2FAEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resetPasswordToken": {
+          "name": "resetPasswordToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resetPasswordExpiresAt": {
+          "name": "resetPasswordExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationToken": {
+          "name": "confirmationToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationExpiresAt": {
+          "name": "confirmationExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.apikey": {
+      "name": "apikey",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "start": {
+          "name": "start",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "config_id": {
+          "name": "config_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'default'"
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "refill_interval": {
+          "name": "refill_interval",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refill_amount": {
+          "name": "refill_amount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_refill_at": {
+          "name": "last_refill_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_enabled": {
+          "name": "rate_limit_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_time_window": {
+          "name": "rate_limit_time_window",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_max": {
+          "name": "rate_limit_max",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "request_count": {
+          "name": "request_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "remaining": {
+          "name": "remaining",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_request": {
+          "name": "last_request",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "apikey_reference_id_user_id_fk": {
+          "name": "apikey_reference_id_user_id_fk",
+          "tableFrom": "apikey",
+          "tableTo": "user",
+          "columnsFrom": [
+            "reference_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": [
+            "inviter_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateProjects": {
+          "name": "canCreateProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToSSHKeys": {
+          "name": "canAccessToSSHKeys",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateServices": {
+          "name": "canCreateServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteProjects": {
+          "name": "canDeleteProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteServices": {
+          "name": "canDeleteServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToDocker": {
+          "name": "canAccessToDocker",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToAPI": {
+          "name": "canAccessToAPI",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToGitProviders": {
+          "name": "canAccessToGitProviders",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToTraefikFiles": {
+          "name": "canAccessToTraefikFiles",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteEnvironments": {
+          "name": "canDeleteEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateEnvironments": {
+          "name": "canCreateEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "accesedProjects": {
+          "name": "accesedProjects",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedEnvironments": {
+          "name": "accessedEnvironments",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accesedServices": {
+          "name": "accesedServices",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedGitProviders": {
+          "name": "accessedGitProviders",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedServers": {
+          "name": "accessedServers",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner_id": {
+          "name": "owner_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "organization_owner_id_user_id_fk": {
+          "name": "organization_owner_id_user_id_fk",
+          "tableFrom": "organization",
+          "tableTo": "user",
+          "columnsFrom": [
+            "owner_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "organization_slug_unique": {
+          "name": "organization_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "slug"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization_role": {
+      "name": "organization_role",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permission": {
+          "name": "permission",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "organizationRole_organizationId_idx": {
+          "name": "organizationRole_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "organizationRole_role_idx": {
+          "name": "organizationRole_role_idx",
+          "columns": [
+            {
+              "expression": "role",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "organization_role_organization_id_organization_id_fk": {
+          "name": "organization_role_organization_id_organization_id_fk",
+          "tableFrom": "organization_role",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.two_factor": {
+      "name": "two_factor",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "backup_codes": {
+          "name": "backup_codes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "two_factor_user_id_user_id_fk": {
+          "name": "two_factor_user_id_user_id_fk",
+          "tableFrom": "two_factor",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ai": {
+      "name": "ai",
+      "schema": "",
+      "columns": {
+        "aiId": {
+          "name": "aiId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiUrl": {
+          "name": "apiUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isEnabled": {
+          "name": "isEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ai_organizationId_organization_id_fk": {
+          "name": "ai_organizationId_organization_id_fk",
+          "tableFrom": "ai",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.application": {
+      "name": "application",
+      "schema": "",
+      "columns": {
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewEnv": {
+          "name": "previewEnv",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildArgs": {
+          "name": "previewBuildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildSecrets": {
+          "name": "previewBuildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLabels": {
+          "name": "previewLabels",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewWildcard": {
+          "name": "previewWildcard",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewPort": {
+          "name": "previewPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "previewHttps": {
+          "name": "previewHttps",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "previewPath": {
+          "name": "previewPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "previewCustomCertResolver": {
+          "name": "previewCustomCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLimit": {
+          "name": "previewLimit",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3
+        },
+        "isPreviewDeploymentsActive": {
+          "name": "isPreviewDeploymentsActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewRequireCollaboratorPermissions": {
+          "name": "previewRequireCollaboratorPermissions",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "rollbackActive": {
+          "name": "rollbackActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "buildArgs": {
+          "name": "buildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildSecrets": {
+          "name": "buildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "subtitle": {
+          "name": "subtitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "cleanCache": {
+          "name": "cleanCache",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildPath": {
+          "name": "buildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBuildPath": {
+          "name": "gitlabBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBuildPath": {
+          "name": "giteaBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBuildPath": {
+          "name": "bitbucketBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBuildPath": {
+          "name": "customGitBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerfile": {
+          "name": "dockerfile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'Dockerfile'"
+        },
+        "dockerContextPath": {
+          "name": "dockerContextPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerBuildStage": {
+          "name": "dockerBuildStage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dropBuildPath": {
+          "name": "dropBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "buildType": {
+          "name": "buildType",
+          "type": "buildType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'nixpacks'"
+        },
+        "railpackVersion": {
+          "name": "railpackVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0.15.4'"
+        },
+        "herokuVersion": {
+          "name": "herokuVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'24'"
+        },
+        "publishDirectory": {
+          "name": "publishDirectory",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isStaticSpa": {
+          "name": "isStaticSpa",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createEnvFile": {
+          "name": "createEnvFile",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackRegistryId": {
+          "name": "rollbackRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildRegistryId": {
+          "name": "buildRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "application_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "application_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "application",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_registryId_registry_registryId_fk": {
+          "name": "application_registryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "registryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_rollbackRegistryId_registry_registryId_fk": {
+          "name": "application_rollbackRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "rollbackRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_environmentId_environment_environmentId_fk": {
+          "name": "application_environmentId_environment_environmentId_fk",
+          "tableFrom": "application",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_githubId_github_githubId_fk": {
+          "name": "application_githubId_github_githubId_fk",
+          "tableFrom": "application",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_gitlabId_gitlab_gitlabId_fk": {
+          "name": "application_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_giteaId_gitea_giteaId_fk": {
+          "name": "application_giteaId_gitea_giteaId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "application_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "application",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_serverId_server_serverId_fk": {
+          "name": "application_serverId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_buildServerId_server_serverId_fk": {
+          "name": "application_buildServerId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_buildRegistryId_registry_registryId_fk": {
+          "name": "application_buildRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "buildRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "application_appName_unique": {
+          "name": "application_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.audit_log": {
+      "name": "audit_log",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_email": {
+          "name": "user_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_role": {
+          "name": "user_role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_type": {
+          "name": "resource_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_id": {
+          "name": "resource_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resource_name": {
+          "name": "resource_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "auditLog_organizationId_idx": {
+          "name": "auditLog_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_userId_idx": {
+          "name": "auditLog_userId_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_createdAt_idx": {
+          "name": "auditLog_createdAt_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_log_organization_id_organization_id_fk": {
+          "name": "audit_log_organization_id_organization_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_log_user_id_user_id_fk": {
+          "name": "audit_log_user_id_user_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.backup": {
+      "name": "backup",
+      "schema": "",
+      "columns": {
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule": {
+          "name": "schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "database": {
+          "name": "database",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupType": {
+          "name": "backupType",
+          "type": "backupType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'database'"
+        },
+        "databaseType": {
+          "name": "databaseType",
+          "type": "databaseType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "backup_destinationId_destination_destinationId_fk": {
+          "name": "backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_composeId_compose_composeId_fk": {
+          "name": "backup_composeId_compose_composeId_fk",
+          "tableFrom": "backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_postgresId_postgres_postgresId_fk": {
+          "name": "backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mongoId_mongo_mongoId_fk": {
+          "name": "backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_userId_user_id_fk": {
+          "name": "backup_userId_user_id_fk",
+          "tableFrom": "backup",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "backup_appName_unique": {
+          "name": "backup_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.bitbucket": {
+      "name": "bitbucket",
+      "schema": "",
+      "columns": {
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "bitbucketUsername": {
+          "name": "bitbucketUsername",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketEmail": {
+          "name": "bitbucketEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "appPassword": {
+          "name": "appPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketWorkspaceName": {
+          "name": "bitbucketWorkspaceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "bitbucket_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "bitbucket_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "bitbucket",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.certificate": {
+      "name": "certificate",
+      "schema": "",
+      "columns": {
+        "certificateId": {
+          "name": "certificateId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificateData": {
+          "name": "certificateData",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificatePath": {
+          "name": "certificatePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "autoRenew": {
+          "name": "autoRenew",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "certificate_organizationId_organization_id_fk": {
+          "name": "certificate_organizationId_organization_id_fk",
+          "tableFrom": "certificate",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "certificate_serverId_server_serverId_fk": {
+          "name": "certificate_serverId_server_serverId_fk",
+          "tableFrom": "certificate",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "certificate_certificatePath_unique": {
+          "name": "certificate_certificatePath_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "certificatePath"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.compose": {
+      "name": "compose",
+      "schema": "",
+      "columns": {
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeFile": {
+          "name": "composeFile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceTypeCompose",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "composeType": {
+          "name": "composeType",
+          "type": "composeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'docker-compose'"
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "composePath": {
+          "name": "composePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'./docker-compose.yml'"
+        },
+        "suffix": {
+          "name": "suffix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "randomize": {
+          "name": "randomize",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeployment": {
+          "name": "isolatedDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeploymentsVolume": {
+          "name": "isolatedDeploymentsVolume",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "composeStatus": {
+          "name": "composeStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "compose",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_environmentId_environment_environmentId_fk": {
+          "name": "compose_environmentId_environment_environmentId_fk",
+          "tableFrom": "compose",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "compose_githubId_github_githubId_fk": {
+          "name": "compose_githubId_github_githubId_fk",
+          "tableFrom": "compose",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_gitlabId_gitlab_gitlabId_fk": {
+          "name": "compose_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "compose_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "compose",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_giteaId_gitea_giteaId_fk": {
+          "name": "compose_giteaId_gitea_giteaId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_serverId_server_serverId_fk": {
+          "name": "compose_serverId_server_serverId_fk",
+          "tableFrom": "compose",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.deployment": {
+      "name": "deployment",
+      "schema": "",
+      "columns": {
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "deploymentStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'running'"
+        },
+        "logPath": {
+          "name": "logPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pid": {
+          "name": "pid",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isPreviewDeployment": {
+          "name": "isPreviewDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "startedAt": {
+          "name": "startedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "finishedAt": {
+          "name": "finishedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "errorMessage": {
+          "name": "errorMessage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "deployment_applicationId_application_applicationId_fk": {
+          "name": "deployment_applicationId_application_applicationId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_composeId_compose_composeId_fk": {
+          "name": "deployment_composeId_compose_composeId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_serverId_server_serverId_fk": {
+          "name": "deployment_serverId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_scheduleId_schedule_scheduleId_fk": {
+          "name": "deployment_scheduleId_schedule_scheduleId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "schedule",
+          "columnsFrom": [
+            "scheduleId"
+          ],
+          "columnsTo": [
+            "scheduleId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_backupId_backup_backupId_fk": {
+          "name": "deployment_backupId_backup_backupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "backup",
+          "columnsFrom": [
+            "backupId"
+          ],
+          "columnsTo": [
+            "backupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_rollbackId_rollback_rollbackId_fk": {
+          "name": "deployment_rollbackId_rollback_rollbackId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "rollback",
+          "columnsFrom": [
+            "rollbackId"
+          ],
+          "columnsTo": [
+            "rollbackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_volumeBackupId_volume_backup_volumeBackupId_fk": {
+          "name": "deployment_volumeBackupId_volume_backup_volumeBackupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "volume_backup",
+          "columnsFrom": [
+            "volumeBackupId"
+          ],
+          "columnsTo": [
+            "volumeBackupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_buildServerId_server_serverId_fk": {
+          "name": "deployment_buildServerId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.destination": {
+      "name": "destination",
+      "schema": "",
+      "columns": {
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "accessKey": {
+          "name": "accessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "secretAccessKey": {
+          "name": "secretAccessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bucket": {
+          "name": "bucket",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "region": {
+          "name": "region",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "additionalFlags": {
+          "name": "additionalFlags",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "destination_organizationId_organization_id_fk": {
+          "name": "destination_organizationId_organization_id_fk",
+          "tableFrom": "destination",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.domain": {
+      "name": "domain",
+      "schema": "",
+      "columns": {
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "customEntrypoint": {
+          "name": "customEntrypoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "path": {
+          "name": "path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domainType": {
+          "name": "domainType",
+          "type": "domainType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'application'"
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customCertResolver": {
+          "name": "customCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "internalPath": {
+          "name": "internalPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "stripPath": {
+          "name": "stripPath",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "middlewares": {
+          "name": "middlewares",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "domain_composeId_compose_composeId_fk": {
+          "name": "domain_composeId_compose_composeId_fk",
+          "tableFrom": "domain",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_applicationId_application_applicationId_fk": {
+          "name": "domain_applicationId_application_applicationId_fk",
+          "tableFrom": "domain",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "domain",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment": {
+      "name": "environment",
+      "schema": "",
+      "columns": {
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isDefault": {
+          "name": "isDefault",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_projectId_project_projectId_fk": {
+          "name": "environment_projectId_project_projectId_fk",
+          "tableFrom": "environment",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_provider": {
+      "name": "git_provider",
+      "schema": "",
+      "columns": {
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "providerType": {
+          "name": "providerType",
+          "type": "gitProviderType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sharedWithOrganization": {
+          "name": "sharedWithOrganization",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_provider_organizationId_organization_id_fk": {
+          "name": "git_provider_organizationId_organization_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_provider_userId_user_id_fk": {
+          "name": "git_provider_userId_user_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitea": {
+      "name": "gitea",
+      "schema": "",
+      "columns": {
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "giteaUrl": {
+          "name": "giteaUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitea.com'"
+        },
+        "giteaInternalUrl": {
+          "name": "giteaInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'repo,repo:status,read:user,read:org'"
+        },
+        "last_authenticated_at": {
+          "name": "last_authenticated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitea_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitea_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitea",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.github": {
+      "name": "github",
+      "schema": "",
+      "columns": {
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "githubAppName": {
+          "name": "githubAppName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubAppId": {
+          "name": "githubAppId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientId": {
+          "name": "githubClientId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientSecret": {
+          "name": "githubClientSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubInstallationId": {
+          "name": "githubInstallationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubPrivateKey": {
+          "name": "githubPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubWebhookSecret": {
+          "name": "githubWebhookSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "github_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "github_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "github",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitlab": {
+      "name": "gitlab",
+      "schema": "",
+      "columns": {
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "gitlabUrl": {
+          "name": "gitlabUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitlab.com'"
+        },
+        "gitlabInternalUrl": {
+          "name": "gitlabInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_name": {
+          "name": "group_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitlab_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitlab_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitlab",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.libsql": {
+      "name": "libsql",
+      "schema": "",
+      "columns": {
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sqldNode": {
+          "name": "sqldNode",
+          "type": "sqldNode",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'primary'"
+        },
+        "sqldPrimaryUrl": {
+          "name": "sqldPrimaryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableNamespaces": {
+          "name": "enableNamespaces",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalGRPCPort": {
+          "name": "externalGRPCPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalAdminPort": {
+          "name": "externalAdminPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "libsql_environmentId_environment_environmentId_fk": {
+          "name": "libsql_environmentId_environment_environmentId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "libsql_serverId_server_serverId_fk": {
+          "name": "libsql_serverId_server_serverId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "libsql_appName_unique": {
+          "name": "libsql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mariadb": {
+      "name": "mariadb",
+      "schema": "",
+      "columns": {
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mariadb_environmentId_environment_environmentId_fk": {
+          "name": "mariadb_environmentId_environment_environmentId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mariadb_serverId_server_serverId_fk": {
+          "name": "mariadb_serverId_server_serverId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mariadb_appName_unique": {
+          "name": "mariadb_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mongo": {
+      "name": "mongo",
+      "schema": "",
+      "columns": {
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'mongo:8'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicaSets": {
+          "name": "replicaSets",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mongo_environmentId_environment_environmentId_fk": {
+          "name": "mongo_environmentId_environment_environmentId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mongo_serverId_server_serverId_fk": {
+          "name": "mongo_serverId_server_serverId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mongo_appName_unique": {
+          "name": "mongo_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mount": {
+      "name": "mount",
+      "schema": "",
+      "columns": {
+        "mountId": {
+          "name": "mountId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "mountType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "hostPath": {
+          "name": "hostPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "mountPath": {
+          "name": "mountPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mount_applicationId_application_applicationId_fk": {
+          "name": "mount_applicationId_application_applicationId_fk",
+          "tableFrom": "mount",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_composeId_compose_composeId_fk": {
+          "name": "mount_composeId_compose_composeId_fk",
+          "tableFrom": "mount",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_libsqlId_libsql_libsqlId_fk": {
+          "name": "mount_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mariadbId_mariadb_mariadbId_fk": {
+          "name": "mount_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mongoId_mongo_mongoId_fk": {
+          "name": "mount_mongoId_mongo_mongoId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mysqlId_mysql_mysqlId_fk": {
+          "name": "mount_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_postgresId_postgres_postgresId_fk": {
+          "name": "mount_postgresId_postgres_postgresId_fk",
+          "tableFrom": "mount",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_redisId_redis_redisId_fk": {
+          "name": "mount_redisId_redis_redisId_fk",
+          "tableFrom": "mount",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mysql": {
+      "name": "mysql",
+      "schema": "",
+      "columns": {
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mysql_environmentId_environment_environmentId_fk": {
+          "name": "mysql_environmentId_environment_environmentId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mysql_serverId_server_serverId_fk": {
+          "name": "mysql_serverId_server_serverId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mysql_appName_unique": {
+          "name": "mysql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.custom": {
+      "name": "custom",
+      "schema": "",
+      "columns": {
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "headers": {
+          "name": "headers",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.discord": {
+      "name": "discord",
+      "schema": "",
+      "columns": {
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.email": {
+      "name": "email",
+      "schema": "",
+      "columns": {
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "smtpServer": {
+          "name": "smtpServer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "smtpPort": {
+          "name": "smtpPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gotify": {
+      "name": "gotify",
+      "schema": "",
+      "columns": {
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appToken": {
+          "name": "appToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 5
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.lark": {
+      "name": "lark",
+      "schema": "",
+      "columns": {
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mattermost": {
+      "name": "mattermost",
+      "schema": "",
+      "columns": {
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification": {
+      "name": "notification",
+      "schema": "",
+      "columns": {
+        "notificationId": {
+          "name": "notificationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appDeploy": {
+          "name": "appDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "appBuildError": {
+          "name": "appBuildError",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "databaseBackup": {
+          "name": "databaseBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "volumeBackup": {
+          "name": "volumeBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployRestart": {
+          "name": "dokployRestart",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployBackup": {
+          "name": "dokployBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerCleanup": {
+          "name": "dockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "serverThreshold": {
+          "name": "serverThreshold",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "notificationType": {
+          "name": "notificationType",
+          "type": "notificationType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "notification_slackId_slack_slackId_fk": {
+          "name": "notification_slackId_slack_slackId_fk",
+          "tableFrom": "notification",
+          "tableTo": "slack",
+          "columnsFrom": [
+            "slackId"
+          ],
+          "columnsTo": [
+            "slackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_telegramId_telegram_telegramId_fk": {
+          "name": "notification_telegramId_telegram_telegramId_fk",
+          "tableFrom": "notification",
+          "tableTo": "telegram",
+          "columnsFrom": [
+            "telegramId"
+          ],
+          "columnsTo": [
+            "telegramId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_discordId_discord_discordId_fk": {
+          "name": "notification_discordId_discord_discordId_fk",
+          "tableFrom": "notification",
+          "tableTo": "discord",
+          "columnsFrom": [
+            "discordId"
+          ],
+          "columnsTo": [
+            "discordId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_emailId_email_emailId_fk": {
+          "name": "notification_emailId_email_emailId_fk",
+          "tableFrom": "notification",
+          "tableTo": "email",
+          "columnsFrom": [
+            "emailId"
+          ],
+          "columnsTo": [
+            "emailId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_resendId_resend_resendId_fk": {
+          "name": "notification_resendId_resend_resendId_fk",
+          "tableFrom": "notification",
+          "tableTo": "resend",
+          "columnsFrom": [
+            "resendId"
+          ],
+          "columnsTo": [
+            "resendId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_gotifyId_gotify_gotifyId_fk": {
+          "name": "notification_gotifyId_gotify_gotifyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "gotify",
+          "columnsFrom": [
+            "gotifyId"
+          ],
+          "columnsTo": [
+            "gotifyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_ntfyId_ntfy_ntfyId_fk": {
+          "name": "notification_ntfyId_ntfy_ntfyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "ntfy",
+          "columnsFrom": [
+            "ntfyId"
+          ],
+          "columnsTo": [
+            "ntfyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_mattermostId_mattermost_mattermostId_fk": {
+          "name": "notification_mattermostId_mattermost_mattermostId_fk",
+          "tableFrom": "notification",
+          "tableTo": "mattermost",
+          "columnsFrom": [
+            "mattermostId"
+          ],
+          "columnsTo": [
+            "mattermostId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_customId_custom_customId_fk": {
+          "name": "notification_customId_custom_customId_fk",
+          "tableFrom": "notification",
+          "tableTo": "custom",
+          "columnsFrom": [
+            "customId"
+          ],
+          "columnsTo": [
+            "customId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_larkId_lark_larkId_fk": {
+          "name": "notification_larkId_lark_larkId_fk",
+          "tableFrom": "notification",
+          "tableTo": "lark",
+          "columnsFrom": [
+            "larkId"
+          ],
+          "columnsTo": [
+            "larkId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_pushoverId_pushover_pushoverId_fk": {
+          "name": "notification_pushoverId_pushover_pushoverId_fk",
+          "tableFrom": "notification",
+          "tableTo": "pushover",
+          "columnsFrom": [
+            "pushoverId"
+          ],
+          "columnsTo": [
+            "pushoverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_teamsId_teams_teamsId_fk": {
+          "name": "notification_teamsId_teams_teamsId_fk",
+          "tableFrom": "notification",
+          "tableTo": "teams",
+          "columnsFrom": [
+            "teamsId"
+          ],
+          "columnsTo": [
+            "teamsId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_organizationId_organization_id_fk": {
+          "name": "notification_organizationId_organization_id_fk",
+          "tableFrom": "notification",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ntfy": {
+      "name": "ntfy",
+      "schema": "",
+      "columns": {
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "topic": {
+          "name": "topic",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "accessToken": {
+          "name": "accessToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 3
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pushover": {
+      "name": "pushover",
+      "schema": "",
+      "columns": {
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "userKey": {
+          "name": "userKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "retry": {
+          "name": "retry",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expire": {
+          "name": "expire",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.resend": {
+      "name": "resend",
+      "schema": "",
+      "columns": {
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.slack": {
+      "name": "slack",
+      "schema": "",
+      "columns": {
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.teams": {
+      "name": "teams",
+      "schema": "",
+      "columns": {
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.telegram": {
+      "name": "telegram",
+      "schema": "",
+      "columns": {
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "botToken": {
+          "name": "botToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chatId": {
+          "name": "chatId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "messageThreadId": {
+          "name": "messageThreadId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.patch": {
+      "name": "patch",
+      "schema": "",
+      "columns": {
+        "patchId": {
+          "name": "patchId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "patchType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'update'"
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updatedAt": {
+          "name": "updatedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "patch_applicationId_application_applicationId_fk": {
+          "name": "patch_applicationId_application_applicationId_fk",
+          "tableFrom": "patch",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "patch_composeId_compose_composeId_fk": {
+          "name": "patch_composeId_compose_composeId_fk",
+          "tableFrom": "patch",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "patch_filepath_application_unique": {
+          "name": "patch_filepath_application_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "applicationId"
+          ]
+        },
+        "patch_filepath_compose_unique": {
+          "name": "patch_filepath_compose_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "composeId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.port": {
+      "name": "port",
+      "schema": "",
+      "columns": {
+        "portId": {
+          "name": "portId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "publishedPort": {
+          "name": "publishedPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "publishMode": {
+          "name": "publishMode",
+          "type": "publishModeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'host'"
+        },
+        "targetPort": {
+          "name": "targetPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "protocolType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "port_applicationId_application_applicationId_fk": {
+          "name": "port_applicationId_application_applicationId_fk",
+          "tableFrom": "port",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.postgres": {
+      "name": "postgres",
+      "schema": "",
+      "columns": {
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "postgres_environmentId_environment_environmentId_fk": {
+          "name": "postgres_environmentId_environment_environmentId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "postgres_serverId_server_serverId_fk": {
+          "name": "postgres_serverId_server_serverId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "postgres_appName_unique": {
+          "name": "postgres_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.preview_deployments": {
+      "name": "preview_deployments",
+      "schema": "",
+      "columns": {
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestId": {
+          "name": "pullRequestId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestNumber": {
+          "name": "pullRequestNumber",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestURL": {
+          "name": "pullRequestURL",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestTitle": {
+          "name": "pullRequestTitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestCommentId": {
+          "name": "pullRequestCommentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "previewStatus": {
+          "name": "previewStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expiresAt": {
+          "name": "expiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "preview_deployments_applicationId_application_applicationId_fk": {
+          "name": "preview_deployments_applicationId_application_applicationId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "preview_deployments_domainId_domain_domainId_fk": {
+          "name": "preview_deployments_domainId_domain_domainId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "domain",
+          "columnsFrom": [
+            "domainId"
+          ],
+          "columnsTo": [
+            "domainId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "preview_deployments_appName_unique": {
+          "name": "preview_deployments_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project": {
+      "name": "project",
+      "schema": "",
+      "columns": {
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_organizationId_organization_id_fk": {
+          "name": "project_organizationId_organization_id_fk",
+          "tableFrom": "project",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redirect": {
+      "name": "redirect",
+      "schema": "",
+      "columns": {
+        "redirectId": {
+          "name": "redirectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "regex": {
+          "name": "regex",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "replacement": {
+          "name": "replacement",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permanent": {
+          "name": "permanent",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redirect_applicationId_application_applicationId_fk": {
+          "name": "redirect_applicationId_application_applicationId_fk",
+          "tableFrom": "redirect",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redis": {
+      "name": "redis",
+      "schema": "",
+      "columns": {
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redis_environmentId_environment_environmentId_fk": {
+          "name": "redis_environmentId_environment_environmentId_fk",
+          "tableFrom": "redis",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "redis_serverId_server_serverId_fk": {
+          "name": "redis_serverId_server_serverId_fk",
+          "tableFrom": "redis",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "redis_appName_unique": {
+          "name": "redis_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registry": {
+      "name": "registry",
+      "schema": "",
+      "columns": {
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "registryName": {
+          "name": "registryName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "imagePrefix": {
+          "name": "imagePrefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "selfHosted": {
+          "name": "selfHosted",
+          "type": "RegistryType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'cloud'"
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "registry_organizationId_organization_id_fk": {
+          "name": "registry_organizationId_organization_id_fk",
+          "tableFrom": "registry",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.rollback": {
+      "name": "rollback",
+      "schema": "",
+      "columns": {
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "version": {
+          "name": "version",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fullContext": {
+          "name": "fullContext",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "rollback_deploymentId_deployment_deploymentId_fk": {
+          "name": "rollback_deploymentId_deployment_deploymentId_fk",
+          "tableFrom": "rollback",
+          "tableTo": "deployment",
+          "columnsFrom": [
+            "deploymentId"
+          ],
+          "columnsTo": [
+            "deploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule": {
+      "name": "schedule",
+      "schema": "",
+      "columns": {
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "shellType": {
+          "name": "shellType",
+          "type": "shellType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'bash'"
+        },
+        "scheduleType": {
+          "name": "scheduleType",
+          "type": "scheduleType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "script": {
+          "name": "script",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "timezone": {
+          "name": "timezone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "schedule_applicationId_application_applicationId_fk": {
+          "name": "schedule_applicationId_application_applicationId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_composeId_compose_composeId_fk": {
+          "name": "schedule_composeId_compose_composeId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_serverId_server_serverId_fk": {
+          "name": "schedule_serverId_server_serverId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_organizationId_organization_id_fk": {
+          "name": "schedule_organizationId_organization_id_fk",
+          "tableFrom": "schedule",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.security": {
+      "name": "security",
+      "schema": "",
+      "columns": {
+        "securityId": {
+          "name": "securityId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "security_applicationId_application_applicationId_fk": {
+          "name": "security_applicationId_application_applicationId_fk",
+          "tableFrom": "security",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "security_username_applicationId_unique": {
+          "name": "security_username_applicationId_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username",
+            "applicationId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.server": {
+      "name": "server",
+      "schema": "",
+      "columns": {
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ipAddress": {
+          "name": "ipAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'root'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "caddyTrustedProxyConfig": {
+          "name": "caddyTrustedProxyConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'null'::jsonb"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverStatus": {
+          "name": "serverStatus",
+          "type": "serverStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'active'"
+        },
+        "serverType": {
+          "name": "serverType",
+          "type": "serverType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'deploy'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Remote\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"urlCallback\":\"\",\"cronJob\":\"\",\"retentionDays\":2,\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "server_organizationId_organization_id_fk": {
+          "name": "server_organizationId_organization_id_fk",
+          "tableFrom": "server",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "server_sshKeyId_ssh-key_sshKeyId_fk": {
+          "name": "server_sshKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "server",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "sshKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "impersonated_by": {
+          "name": "impersonated_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ssh-key": {
+      "name": "ssh-key",
+      "schema": "",
+      "columns": {
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "publicKey": {
+          "name": "publicKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "lastUsedAt": {
+          "name": "lastUsedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ssh-key_organizationId_organization_id_fk": {
+          "name": "ssh-key_organizationId_organization_id_fk",
+          "tableFrom": "ssh-key",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sso_provider": {
+      "name": "sso_provider",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "issuer": {
+          "name": "issuer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "oidc_config": {
+          "name": "oidc_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "saml_config": {
+          "name": "saml_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domain": {
+          "name": "domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "sso_provider_user_id_user_id_fk": {
+          "name": "sso_provider_user_id_user_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "sso_provider_organization_id_organization_id_fk": {
+          "name": "sso_provider_organization_id_organization_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "sso_provider_provider_id_unique": {
+          "name": "sso_provider_provider_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "provider_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project_tag": {
+      "name": "project_tag",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_tag_projectId_project_projectId_fk": {
+          "name": "project_tag_projectId_project_projectId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "project_tag_tagId_tag_tagId_fk": {
+          "name": "project_tag_tagId_tag_tagId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "tag",
+          "columnsFrom": [
+            "tagId"
+          ],
+          "columnsTo": [
+            "tagId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_project_tag": {
+          "name": "unique_project_tag",
+          "nullsNotDistinct": false,
+          "columns": [
+            "projectId",
+            "tagId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.tag": {
+      "name": "tag",
+      "schema": "",
+      "columns": {
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "color": {
+          "name": "color",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "tag_organizationId_organization_id_fk": {
+          "name": "tag_organizationId_organization_id_fk",
+          "tableFrom": "tag",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_org_tag_name": {
+          "name": "unique_org_tag_name",
+          "nullsNotDistinct": false,
+          "columns": [
+            "organizationId",
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "firstName": {
+          "name": "firstName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "lastName": {
+          "name": "lastName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "isRegistered": {
+          "name": "isRegistered",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "expirationDate": {
+          "name": "expirationDate",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "two_factor_enabled": {
+          "name": "two_factor_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "banned": {
+          "name": "banned",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_reason": {
+          "name": "ban_reason",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_expires": {
+          "name": "ban_expires",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'user'"
+        },
+        "enablePaidFeatures": {
+          "name": "enablePaidFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "allowImpersonation": {
+          "name": "allowImpersonation",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enableEnterpriseFeatures": {
+          "name": "enableEnterpriseFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "licenseKey": {
+          "name": "licenseKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isValidEnterpriseLicense": {
+          "name": "isValidEnterpriseLicense",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "stripeCustomerId": {
+          "name": "stripeCustomerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stripeSubscriptionId": {
+          "name": "stripeSubscriptionId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serversQuantity": {
+          "name": "serversQuantity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "sendInvoiceNotifications": {
+          "name": "sendInvoiceNotifications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isEnterpriseCloud": {
+          "name": "isEnterpriseCloud",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "trustedOrigins": {
+          "name": "trustedOrigins",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bookmarkedTemplates": {
+          "name": "bookmarkedTemplates",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.volume_backup": {
+      "name": "volume_backup",
+      "schema": "",
+      "columns": {
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "turnOff": {
+          "name": "turnOff",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "volume_backup_applicationId_application_applicationId_fk": {
+          "name": "volume_backup_applicationId_application_applicationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_postgresId_postgres_postgresId_fk": {
+          "name": "volume_backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "volume_backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mongoId_mongo_mongoId_fk": {
+          "name": "volume_backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "volume_backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_redisId_redis_redisId_fk": {
+          "name": "volume_backup_redisId_redis_redisId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "volume_backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_composeId_compose_composeId_fk": {
+          "name": "volume_backup_composeId_compose_composeId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_destinationId_destination_destinationId_fk": {
+          "name": "volume_backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.webServerSettings": {
+      "name": "webServerSettings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "caddyTrustedProxyConfig": {
+          "name": "caddyTrustedProxyConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'null'::jsonb"
+        },
+        "serverIp": {
+          "name": "serverIp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "letsEncryptEmail": {
+          "name": "letsEncryptEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sshPrivateKey": {
+          "name": "sshPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "logCleanupCron": {
+          "name": "logCleanupCron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 0 * * *'"
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Dokploy\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"retentionDays\":2,\"cronJob\":\"\",\"urlCallback\":\"\",\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        },
+        "whitelabelingConfig": {
+          "name": "whitelabelingConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{\"appName\":null,\"appDescription\":null,\"logoUrl\":null,\"faviconUrl\":null,\"customCss\":null,\"loginLogoUrl\":null,\"supportUrl\":null,\"docsUrl\":null,\"errorPageTitle\":null,\"errorPageDescription\":null,\"metaTitle\":null,\"footerText\":null}'::jsonb"
+        },
+        "remoteServersOnly": {
+          "name": "remoteServersOnly",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enforceSSO": {
+          "name": "enforceSSO",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheApplications": {
+          "name": "cleanupCacheApplications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnPreviews": {
+          "name": "cleanupCacheOnPreviews",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnCompose": {
+          "name": "cleanupCacheOnCompose",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.buildType": {
+      "name": "buildType",
+      "schema": "public",
+      "values": [
+        "dockerfile",
+        "heroku_buildpacks",
+        "paketo_buildpacks",
+        "nixpacks",
+        "static",
+        "railpack"
+      ]
+    },
+    "public.sourceType": {
+      "name": "sourceType",
+      "schema": "public",
+      "values": [
+        "docker",
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "drop"
+      ]
+    },
+    "public.backupType": {
+      "name": "backupType",
+      "schema": "public",
+      "values": [
+        "database",
+        "compose"
+      ]
+    },
+    "public.databaseType": {
+      "name": "databaseType",
+      "schema": "public",
+      "values": [
+        "postgres",
+        "mariadb",
+        "mysql",
+        "mongo",
+        "web-server",
+        "libsql"
+      ]
+    },
+    "public.composeType": {
+      "name": "composeType",
+      "schema": "public",
+      "values": [
+        "docker-compose",
+        "stack"
+      ]
+    },
+    "public.sourceTypeCompose": {
+      "name": "sourceTypeCompose",
+      "schema": "public",
+      "values": [
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "raw"
+      ]
+    },
+    "public.deploymentStatus": {
+      "name": "deploymentStatus",
+      "schema": "public",
+      "values": [
+        "running",
+        "done",
+        "error",
+        "cancelled"
+      ]
+    },
+    "public.domainType": {
+      "name": "domainType",
+      "schema": "public",
+      "values": [
+        "compose",
+        "application",
+        "preview"
+      ]
+    },
+    "public.gitProviderType": {
+      "name": "gitProviderType",
+      "schema": "public",
+      "values": [
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea"
+      ]
+    },
+    "public.mountType": {
+      "name": "mountType",
+      "schema": "public",
+      "values": [
+        "bind",
+        "volume",
+        "file"
+      ]
+    },
+    "public.serviceType": {
+      "name": "serviceType",
+      "schema": "public",
+      "values": [
+        "application",
+        "postgres",
+        "mysql",
+        "mariadb",
+        "mongo",
+        "redis",
+        "compose",
+        "libsql"
+      ]
+    },
+    "public.notificationType": {
+      "name": "notificationType",
+      "schema": "public",
+      "values": [
+        "slack",
+        "telegram",
+        "discord",
+        "email",
+        "resend",
+        "gotify",
+        "ntfy",
+        "mattermost",
+        "pushover",
+        "custom",
+        "lark",
+        "teams"
+      ]
+    },
+    "public.patchType": {
+      "name": "patchType",
+      "schema": "public",
+      "values": [
+        "create",
+        "update",
+        "delete"
+      ]
+    },
+    "public.protocolType": {
+      "name": "protocolType",
+      "schema": "public",
+      "values": [
+        "tcp",
+        "udp"
+      ]
+    },
+    "public.publishModeType": {
+      "name": "publishModeType",
+      "schema": "public",
+      "values": [
+        "ingress",
+        "host"
+      ]
+    },
+    "public.RegistryType": {
+      "name": "RegistryType",
+      "schema": "public",
+      "values": [
+        "selfHosted",
+        "cloud"
+      ]
+    },
+    "public.scheduleType": {
+      "name": "scheduleType",
+      "schema": "public",
+      "values": [
+        "application",
+        "compose",
+        "server",
+        "dokploy-server"
+      ]
+    },
+    "public.shellType": {
+      "name": "shellType",
+      "schema": "public",
+      "values": [
+        "bash",
+        "sh"
+      ]
+    },
+    "public.serverStatus": {
+      "name": "serverStatus",
+      "schema": "public",
+      "values": [
+        "active",
+        "inactive"
+      ]
+    },
+    "public.serverType": {
+      "name": "serverType",
+      "schema": "public",
+      "values": [
+        "deploy",
+        "build"
+      ]
+    },
+    "public.applicationStatus": {
+      "name": "applicationStatus",
+      "schema": "public",
+      "values": [
+        "idle",
+        "running",
+        "done",
+        "error"
+      ]
+    },
+    "public.certificateType": {
+      "name": "certificateType",
+      "schema": "public",
+      "values": [
+        "letsencrypt",
+        "none",
+        "custom"
+      ]
+    },
+    "public.sqldNode": {
+      "name": "sqldNode",
+      "schema": "public",
+      "values": [
+        "primary",
+        "replica"
+      ]
+    },
+    "public.triggerType": {
+      "name": "triggerType",
+      "schema": "public",
+      "values": [
+        "push",
+        "tag"
+      ]
+    },
+    "public.webServerProvider": {
+      "name": "webServerProvider",
+      "schema": "public",
+      "values": [
+        "traefik",
+        "caddy"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/_journal.json b/apps/dokploy/drizzle/meta/_journal.json
index 42c4b63771..3cb271b561 100644
--- a/apps/dokploy/drizzle/meta/_journal.json
+++ b/apps/dokploy/drizzle/meta/_journal.json
@@ -1198,6 +1198,13 @@
       "when": 1780337191309,
       "tag": "0170_web_server_provider",
       "breakpoints": true
+    },
+    {
+      "idx": 171,
+      "version": "7",
+      "when": 1780360688821,
+      "tag": "0171_caddy_trusted_proxy_config",
+      "breakpoints": true
     }
   ]
 }
\ No newline at end of file
diff --git a/apps/dokploy/server/api/routers/ai.ts b/apps/dokploy/server/api/routers/ai.ts
index 81e03fe26a..37a79dcb7e 100644
--- a/apps/dokploy/server/api/routers/ai.ts
+++ b/apps/dokploy/server/api/routers/ai.ts
@@ -5,7 +5,7 @@ import {
 	deploySuggestionSchema,
 } from "@dokploy/server/db/schema/ai";
 import {
-	createDomain,
+	createComposeDomain,
 	createMount,
 	findEnvironmentById,
 } from "@dokploy/server/index";
@@ -352,7 +352,7 @@ ${input.logs}`,
 
 			if (input.domains && input.domains?.length > 0) {
 				for (const domain of input.domains) {
-					await createDomain({
+					await createComposeDomain(compose, {
 						...domain,
 						domainType: "compose",
 						certificateType: "none",
diff --git a/apps/dokploy/server/api/routers/compose.ts b/apps/dokploy/server/api/routers/compose.ts
index 0dde5aaa64..769a088f90 100644
--- a/apps/dokploy/server/api/routers/compose.ts
+++ b/apps/dokploy/server/api/routers/compose.ts
@@ -5,7 +5,7 @@ import {
 	createCommand,
 	createCompose,
 	createComposeByTemplate,
-	createDomain,
+	createComposeDomain,
 	createMount,
 	deleteMount,
 	execAsync,
@@ -671,7 +671,7 @@ export const composeRouter = createTRPCRouter({
 
 			if (generate.domains && generate.domains?.length > 0) {
 				for (const domain of generate.domains) {
-					await createDomain({
+					await createComposeDomain(compose, {
 						...domain,
 						domainType: "compose",
 						certificateType: "none",
@@ -1027,7 +1027,7 @@ export const composeRouter = createTRPCRouter({
 
 				if (processedTemplate.domains && processedTemplate.domains.length > 0) {
 					for (const domain of processedTemplate.domains) {
-						await createDomain({
+						await createComposeDomain(compose, {
 							...domain,
 							domainType: "compose",
 							certificateType: "none",
diff --git a/apps/dokploy/server/api/routers/domain.ts b/apps/dokploy/server/api/routers/domain.ts
index 7d1bb43ebb..2063384470 100644
--- a/apps/dokploy/server/api/routers/domain.ts
+++ b/apps/dokploy/server/api/routers/domain.ts
@@ -1,5 +1,6 @@
 import {
 	assertCaddyDomainSupported,
+	createComposeDomain,
 	createDomain,
 	findApplicationById,
 	findComposeById,
@@ -9,15 +10,14 @@ import {
 	findPreviewDeploymentById,
 	findServerById,
 	generateTraefikMeDomain,
-	getCaddyComposeRouteTargetsForWebServer,
 	getWebServerSettings,
 	manageWebServerDomain,
+	refreshCaddyComposeRoutes,
 	removeDomainById,
 	removeWebServerDomain,
 	resolveWebServerProvider,
 	updateDomainById,
 	validateDomain,
-	writeCaddyComposeRoutesForTargets,
 } from "@dokploy/server";
 import { checkServicePermissionAndAccess } from "@dokploy/server/services/permission";
 import { TRPCError } from "@trpc/server";
@@ -53,20 +53,6 @@ const toDomainUpdateFields = (
 	middlewares: domain.middlewares,
 });
 
-const refreshCaddyComposeRoutes = async (
-	compose: Awaited<ReturnType<typeof findComposeById>>,
-) => {
-	const domains = await findDomainsByComposeId(compose.composeId);
-	const routeTargets = await getCaddyComposeRouteTargetsForWebServer(
-		compose,
-		domains,
-		"caddy",
-	);
-	if (routeTargets) {
-		await writeCaddyComposeRoutesForTargets(compose, routeTargets);
-	}
-};
-
 export const domainRouter = createTRPCRouter({
 	create: protectedProcedure
 		.input(apiCreateDomain)
@@ -76,24 +62,23 @@ export const domainRouter = createTRPCRouter({
 					await checkServicePermissionAndAccess(ctx, input.composeId, {
 						domain: ["create"],
 					});
-				} else if (input.domainType === "application" && input.applicationId) {
+					const compose = await findComposeById(input.composeId);
+					const provider = await resolveWebServerProvider(compose.serverId);
+					const domain = await createComposeDomain(compose, input, provider);
+					await audit(ctx, {
+						action: "create",
+						resourceType: "domain",
+						resourceId: domain.domainId,
+						resourceName: domain.host,
+					});
+					return domain;
+				}
+				if (input.domainType === "application" && input.applicationId) {
 					await checkServicePermissionAndAccess(ctx, input.applicationId, {
 						domain: ["create"],
 					});
 				}
 				const domain = await createDomain(input);
-				if (domain.composeId) {
-					const compose = await findComposeById(domain.composeId);
-					if ((await resolveWebServerProvider(compose.serverId)) === "caddy") {
-						try {
-							await refreshCaddyComposeRoutes(compose);
-						} catch (error) {
-							await removeDomainById(domain.domainId);
-							await refreshCaddyComposeRoutes(compose);
-							throw error;
-						}
-					}
-				}
 				await audit(ctx, {
 					action: "create",
 					resourceType: "domain",
@@ -232,7 +217,7 @@ export const domainRouter = createTRPCRouter({
 						throw new Error("Error updating domain");
 					}
 					try {
-						await refreshCaddyComposeRoutes(compose);
+						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
 						await audit(ctx, {
 							action: "update",
 							resourceType: "domain",
@@ -245,7 +230,7 @@ export const domainRouter = createTRPCRouter({
 							input.domainId,
 							toDomainUpdateFields(currentDomain),
 						);
-						await refreshCaddyComposeRoutes(compose);
+						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
 						throw error;
 					}
 				}
@@ -362,15 +347,8 @@ export const domainRouter = createTRPCRouter({
 					const remainingDomains = domains.filter(
 						(item) => item.domainId !== domain.domainId,
 					);
-					const routeTargets = await getCaddyComposeRouteTargetsForWebServer(
-						compose,
-						remainingDomains,
-						"caddy",
-					);
 					try {
-						if (routeTargets) {
-							await writeCaddyComposeRoutesForTargets(compose, routeTargets);
-						}
+						await refreshCaddyComposeRoutes(compose, remainingDomains, "caddy");
 						const result = await removeDomainById(input.domainId);
 						await audit(ctx, {
 							action: "delete",
@@ -380,7 +358,7 @@ export const domainRouter = createTRPCRouter({
 						});
 						return result;
 					} catch (error) {
-						await refreshCaddyComposeRoutes(compose);
+						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
 						throw error;
 					}
 				}
diff --git a/apps/dokploy/server/api/routers/project.ts b/apps/dokploy/server/api/routers/project.ts
index 2e35aee2a1..6e9e0b1e76 100644
--- a/apps/dokploy/server/api/routers/project.ts
+++ b/apps/dokploy/server/api/routers/project.ts
@@ -2,6 +2,7 @@ import {
 	createApplication,
 	createBackup,
 	createCompose,
+	createComposeDomain,
 	createDomain,
 	createLibsql,
 	createMariadb,
@@ -977,7 +978,7 @@ export const projectRouter = createTRPCRouter({
 
 								for (const domain of domains) {
 									const { domainId, ...rest } = domain;
-									await createDomain({
+									await createComposeDomain(newCompose, {
 										...rest,
 										composeId: newCompose.composeId,
 										domainType: "compose",
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index 921dee6dc1..41b6eb6c88 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -13,9 +13,12 @@ import {
 	cleanupImages,
 	cleanupSystem,
 	cleanupVolumes,
+	compileWriteAndReloadCaddyConfigSafely,
 	DEFAULT_UPDATE_DATA,
 	execAsync,
 	findServerById,
+	getCaddyCompileSettings,
+	getCaddyTrustedProxySettings,
 	getDockerDiskUsage,
 	getDokployImageTag,
 	getLogCleanupStatus,
@@ -48,6 +51,7 @@ import {
 	spawnAsync,
 	startLogCleanup,
 	stopLogCleanup,
+	updateCaddyTrustedProxySettings,
 	updateLetsEncryptEmail,
 	updateLocalWebServerProvider,
 	updateRemoteWebServerProvider,
@@ -133,6 +137,14 @@ const apiWebServerPorts = z.object({
 	),
 });
 
+const apiCaddyTrustedProxySettings = z.object({
+	serverId: z.string().optional(),
+	mode: z.enum(["disabled", "cloudflare", "static"]),
+	ranges: z.array(z.string()).optional().nullable(),
+	clientIpHeaders: z.array(z.string()).optional().nullable(),
+	strict: z.boolean().optional().nullable(),
+});
+
 const apiCaddyMigration = z.object({
 	serverId: z.string().optional(),
 });
@@ -327,13 +339,12 @@ const reloadWebServerProvider = async (
 	await reloadDockerResource(getWebServerResourceName(provider), serverId);
 };
 
-const getCaddyLetsEncryptEmailForSetup = async (
+const getCaddySetupOptions = async (
 	provider: WebServerProvider,
 	serverId?: string,
 ) => {
-	if (provider !== "caddy" || serverId) return undefined;
-	const settings = await getWebServerSettings();
-	return settings?.letsEncryptEmail;
+	if (provider !== "caddy") return {};
+	return getCaddyCompileSettings(serverId);
 };
 
 export const settingsRouter = createTRPCRouter({
@@ -425,6 +436,82 @@ export const settingsRouter = createTRPCRouter({
 			await ensureServerAccess(ctx, input?.serverId);
 			return resolveWebServerProvider(input?.serverId);
 		}),
+	getCaddyTrustedProxySettings: adminProcedure
+		.input(apiServerSchema)
+		.query(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input?.serverId);
+			if (IS_CLOUD && !input?.serverId) {
+				return {
+					mode: "disabled" as const,
+					ranges: [],
+					clientIpHeaders: [],
+					strict: true,
+				};
+			}
+
+			const settings = await getCaddyTrustedProxySettings(input?.serverId);
+			return (
+				settings ?? {
+					mode: "disabled" as const,
+					ranges: [],
+					clientIpHeaders: [],
+					strict: true,
+				}
+			);
+		}),
+	updateCaddyTrustedProxySettings: adminProcedure
+		.input(apiCaddyTrustedProxySettings)
+		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			if (IS_CLOUD && !input.serverId) {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"Caddy trusted proxy settings are only available for a local or remote web server.",
+				});
+			}
+
+			const previousSettings = await getCaddyTrustedProxySettings(
+				input.serverId,
+			);
+			const nextSettings =
+				input.mode === "disabled"
+					? null
+					: {
+							mode: input.mode,
+							ranges: input.ranges,
+							clientIpHeaders: input.clientIpHeaders,
+							strict: input.strict,
+						};
+
+			const provider = await resolveWebServerProvider(input.serverId);
+			await updateCaddyTrustedProxySettings(nextSettings, input.serverId);
+			try {
+				if (provider === "caddy") {
+					await compileWriteAndReloadCaddyConfigSafely({
+						serverId: input.serverId,
+						...(await getCaddyCompileSettings(input.serverId)),
+					});
+				}
+			} catch (error) {
+				await updateCaddyTrustedProxySettings(previousSettings, input.serverId);
+				throw error;
+			}
+
+			await audit(ctx, {
+				action: "update",
+				resourceType: "settings",
+				resourceName: "caddy-trusted-proxy",
+			});
+			return (
+				(await getCaddyTrustedProxySettings(input.serverId)) ?? {
+					mode: "disabled" as const,
+					ranges: [],
+					clientIpHeaders: [],
+					strict: true,
+				}
+			);
+		}),
 	updateActiveWebServerProvider: adminProcedure
 		.input(apiWebServerProvider)
 		.mutation(async ({ input, ctx }) => {
@@ -1296,10 +1383,7 @@ export const settingsRouter = createTRPCRouter({
 				env: envs,
 				additionalPorts: ports,
 				serverId: input.serverId,
-				letsEncryptEmail: await getCaddyLetsEncryptEmailForSetup(
-					provider,
-					input.serverId,
-				),
+				...(await getCaddySetupOptions(provider, input.serverId)),
 			}).catch((err) => {
 				console.error("writeWebServerEnv background writeWebServerSetup:", err);
 			});
@@ -1659,10 +1743,7 @@ export const settingsRouter = createTRPCRouter({
 					env: preparedEnv,
 					additionalPorts: input.additionalPorts,
 					serverId: input.serverId,
-					letsEncryptEmail: await getCaddyLetsEncryptEmailForSetup(
-						provider,
-						input.serverId,
-					),
+					...(await getCaddySetupOptions(provider, input.serverId)),
 				}).catch((err) => {
 					console.error(
 						"updateWebServerPorts background writeWebServerSetup:",
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
new file mode 100644
index 0000000000..565822c62d
--- /dev/null
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -0,0 +1,356 @@
+# Caddy Provider Upstream Readiness
+
+This document tracks the work needed to turn the Caddy web server provider from a working proof of concept into an upstream-ready Dokploy alternative to Traefik.
+
+PR: https://github.com/Dokploy/dokploy/pull/4534
+
+## Scope and Safety
+
+- The upstream PR should contain generic Dokploy code, tests, and user-facing documentation only.
+- Keep platform-specific route manifests, hostnames, production logs, secrets, and operational evidence outside this repository.
+- Read-only production checks are allowed for proof gathering.
+- Live apply, rollback, provider switching, service updates, restarts, or config writes require explicit human approval in the current work session.
+
+## Current PR State
+
+Observed with `gh pr view 4534 --repo Dokploy/dokploy`:
+
+- State: open
+- Base: `canary`
+- Head: `codex/caddy-web-server-v0296-clean-pr`
+- Mergeable: mergeable
+- Review decision: review required
+- Visible check: `anti-slop` succeeded
+
+Local state observed before this document was added:
+
+- Repo: local Dokploy checkout
+- Branch: `codex/caddy-web-server-v0296-clean-pr`
+- Working tree: clean except the RepoPrompt export generated during planning, which must not be kept in the PR surface
+
+## Readiness Matrix
+
+| Area | Current evidence | Status | Next proof needed |
+| --- | --- | --- | --- |
+| Application domain create under Caddy | `createDomain()` dispatches through `manageWebServerDomain()` for application domains inside the DB transaction. Focused service tests prove provider dispatch and transaction rollback when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
+| Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
+| Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
+| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
+| Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
+| Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
+| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and `removeWebServerDomain()` for cleanup when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch and cleanup removes by `uniqueConfigKey`. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
+| Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
+| LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, and provider-neutral uploaded certificate copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
+| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. | Needs final proof | Re-run focused migration suite after new changes and record sanitized results. |
+| Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. | Ongoing | Keep PR surface generic; run targeted checks and `git diff --check`. |
+
+## Code Evidence
+
+Provider selection and resources:
+
+- `packages/server/src/utils/web-server/providers.ts`
+- `packages/server/src/services/web-server-settings.ts`
+- `apps/dokploy/drizzle/0170_web_server_provider.sql`
+- `apps/dokploy/drizzle/0171_caddy_trusted_proxy_config.sql`
+
+Application domain Caddy routing:
+
+- `packages/server/src/utils/web-server/domain.ts`
+- `packages/server/src/utils/caddy/domain.ts`
+- `packages/server/src/utils/caddy/config.ts`
+- `apps/dokploy/server/api/routers/domain.ts`
+
+Compose domain Caddy routing:
+
+- `packages/server/src/utils/caddy/compose.ts`
+- `packages/server/src/utils/docker/domain.ts`
+- `apps/dokploy/server/api/routers/domain.ts`
+
+Known domain creation call sites now using the shared provider-aware helpers:
+
+- `apps/dokploy/server/api/routers/project.ts`: project duplication creates application domains with `createDomain()` and compose domains with `createComposeDomain()`.
+- `apps/dokploy/server/api/routers/compose.ts`: template create and template import create compose domains with `createComposeDomain()`.
+- `apps/dokploy/server/api/routers/ai.ts`: AI compose generation creates compose domains with `createComposeDomain()`.
+
+Preview route evidence:
+
+- `packages/server/src/services/preview-deployment.ts` creates a preview domain, mutates `application.appName`, and calls provider-aware web-server domain helpers.
+- `apps/dokploy/__test__/caddy/preview-deployment.test.ts` proves provider-aware preview create/remove behavior.
+
+Custom certificate evidence:
+
+- `packages/server/src/utils/caddy/domain.ts` maps Caddy custom certificate domains to uploaded certificate files.
+- `packages/server/src/utils/caddy/compose.ts` carries custom certificate file references for compose Caddy routes.
+- `packages/server/src/utils/caddy/config.ts` compiles manual certificate files into `apps.tls.certificates.load_files`.
+- `apps/dokploy/components/dashboard/application/domains/handle-domain.tsx` lets Caddy domains choose an uploaded certificate from the existing certificate UI surface.
+- `apps/dokploy/components/dashboard/settings/certificates/handle-certificate.tsx` is the existing uploaded certificate creation surface.
+
+Trusted proxy evidence:
+
+- `packages/server/src/db/schema/web-server-settings.ts` persists local Caddy trusted proxy settings.
+- `packages/server/src/db/schema/server.ts` persists remote-server Caddy trusted proxy settings.
+- `packages/server/src/services/web-server-settings.ts` normalizes trusted proxy settings and maps them into Caddy compile options.
+- `apps/dokploy/server/api/routers/settings.ts` exposes Caddy trusted proxy read/update endpoints and rebuilds Caddy config when active.
+- `apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx` provides the local/remote UI dialog.
+
+Migration and live-readiness evidence:
+
+- `packages/server/src/utils/caddy/migration/prepare.ts`
+- `packages/server/src/utils/caddy/migration/apply.ts`
+- `packages/server/src/utils/caddy/migration/rollback.ts`
+- `packages/server/src/utils/caddy/migration/upstream-preflight.ts`
+- `apps/dokploy/scripts/caddy-migration-rollback.ts`
+- `apps/dokploy/__test__/caddy/migration/*`
+- `apps/dokploy/__test__/db/runtime-migration.test.ts`
+
+## Implementation Plan
+
+### 1. Preserve the proof document
+
+- Keep this file upstream-safe.
+- Update the readiness matrix as gaps close.
+- Add proof log entries with command summaries, commit SHAs, and sanitized notes.
+- Do not add prompt exports, private route manifests, or platform-specific production evidence to the PR.
+
+### 2. Harden compose domain refresh for non-router creation flows
+
+Original issue: `domainRouter.create` refreshed compose Caddy routes, but several service creation/import flows called `createDomain()` directly. That meant compose domains could be present in the DB without matching Caddy fragments until a later domain edit or deploy refresh.
+
+Preferred design:
+
+- Move the router-local Caddy compose refresh behavior into a reusable helper.
+- Make it no-op for Traefik and refresh Caddy compose fragments when the active provider is Caddy.
+- Call it after compose domain creation in template create, template import, AI compose generation, and project duplication paths.
+- Keep rollback behavior local to the compose domain creation helper.
+
+Implemented:
+
+- `packages/server/src/services/domain.ts` exports `refreshCaddyComposeRoutes()` and `createComposeDomain()`.
+- `domainRouter.create`, template create, template import, AI compose generation, and project compose duplication now use `createComposeDomain()`.
+- `apps/dokploy/__test__/caddy/compose/domain.test.ts` proves the helper writes Caddy fragments for domains created outside the domain router and skips refresh for Traefik.
+
+Required tests:
+
+- New compose from template under active Caddy writes fragments.
+- Template import under active Caddy writes fragments.
+- AI compose generation under active Caddy writes fragments.
+- Project compose duplication under active Caddy writes fragments.
+- Failure to write/reload Caddy leaves no orphaned domain rows or restores previous route fragments.
+
+### 3. Make preview domains provider-aware
+
+Original issue: preview deployment route management imported and called Traefik `manageDomain()` directly after creating a preview domain.
+
+Preferred design:
+
+- Route preview domain management through `manageWebServerDomain()`.
+- Ensure `application.appName` is still set to the preview deployment app name before provider dispatch.
+- Add tests for preview domain creation under Caddy.
+
+Implemented:
+
+- Preview create now calls `manageWebServerDomain()`.
+- Preview removal now calls `removeWebServerDomain()` when the preview deployment has a domain.
+- `apps/dokploy/__test__/caddy/preview-deployment.test.ts` proves provider-aware create/remove behavior.
+
+### 4. Prove application and compose domain lifecycle rollback
+
+Application domains:
+
+- Create should route through the active web server provider when a domain is created for a copied/new application service. Covered by `apps/dokploy/__test__/caddy/application/domain-service.test.ts`.
+- Create should not leave a DB row if Caddy write/reload fails. Covered by `apps/dokploy/__test__/caddy/application/domain-service.test.ts`.
+- Update should restore the old fragment if Caddy write/reload fails. Covered by `apps/dokploy/__test__/caddy/config.test.ts`.
+- Update should restore the old fragment if DB update fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
+- Delete should restore the fragment if Caddy write/reload fails. Covered by `apps/dokploy/__test__/caddy/config.test.ts`.
+- Delete should restore the fragment if DB delete fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
+
+Compose domains:
+
+- Create should remove the new DB row and restore previous fragments if Caddy refresh fails. Covered by `apps/dokploy/__test__/caddy/application/domain-service.test.ts`.
+- Update should restore DB fields and previous fragments if Caddy refresh fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
+- Delete should restore fragments if Caddy refresh or DB delete fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
+
+### 5. Decide and implement custom certificate behavior
+
+Implemented behavior: support uploaded certificates for Caddy domains.
+
+Implemented:
+
+- Caddy application and compose route intents can carry uploaded certificate file references.
+- Caddy config compilation emits manual certificate file loaders while keeping automatic HTTPS available for other routes.
+- The Caddy domain UI labels the `custom` certificate provider as an uploaded certificate flow and restricts selection to certificates available to the current server.
+- Missing custom certificate references fail before writing Caddy config.
+
+Tradeoff:
+
+- The implementation reuses the existing `customCertResolver` column to store the uploaded certificate path for Caddy, while Traefik keeps using it as a resolver name.
+- This avoids a database migration in the PR, but the field name is Traefik-shaped. A provider-neutral schema rename or additive field remains a cleanup candidate if maintainers want stricter data semantics.
+
+### 6. Add Cloudflare/proxy awareness
+
+Default behavior:
+
+- Do not trust arbitrary forwarded headers by default.
+
+Cloudflare opt-in behavior:
+
+- Provide a Caddy trusted-proxy mode for Cloudflare only when public traffic is expected to reach Dokploy through Cloudflare.
+- Use static trusted proxy ranges in the standard Caddy image; the dynamic Cloudflare IP-source module is non-standard and should not be required by this PR.
+- Validate any custom CIDRs before writing config.
+- Document SSL mode caveats:
+  - DNS-only works normally.
+  - Orange-cloud proxy hides the real TCP peer behind Cloudflare.
+  - Flexible SSL is not recommended for Dokploy origins.
+  - Full strict is preferred with a valid origin certificate.
+
+Tests:
+
+- Default config does not trust forwarded headers globally.
+- Cloudflare mode emits trusted proxy config.
+- Custom CIDRs validate and compile.
+- Invalid CIDRs fail before config write.
+
+Implemented:
+
+- `packages/server/src/utils/caddy/config.ts` supports trusted proxy compile options.
+- `packages/server/src/utils/caddy/types.ts` defines compile and persisted trusted proxy setting types.
+- Local `webServerSettings` and remote `server` rows persist Caddy trusted proxy settings.
+- Caddy domain, compose, dashboard, migration dry-run, migration apply setup, and web-server setup paths pass persisted trusted proxy options into Caddy compilation.
+- Settings -> Web Server exposes a Caddy trusted proxy dialog for local settings; remote web-server actions expose the same dialog for remote Caddy.
+- `apps/dokploy/__test__/caddy/config.test.ts` covers default no-trust behavior, Cloudflare trusted proxy config, custom static CIDRs, invalid CIDR/header rejection, and persisted-setting normalization.
+
+Still needed:
+
+- Runtime proof after explicit approval.
+- Decide whether Cloudflare SSL mode guidance belongs in the app UI, docs, or PR notes.
+
+### 7. Polish UI and dashboard behavior
+
+UI changes:
+
+- Use provider-neutral visible labels where users still see Traefik-specific wording for generic web server controls.
+- Add a Caddy settings section for trusted proxy mode if Cloudflare support lands.
+- Keep the provider selector guardrails: direct Caddy activation should go through migration apply, and Caddy to Traefik should go through rollback.
+- Make dry-run/apply/rollback safety copy explicit.
+
+Dashboard decision:
+
+- Do not expose a public Caddy dashboard or admin API in this PR.
+- Keep Caddy admin local-only.
+- If a dashboard is desired later, it should be an authenticated Dokploy proxy and likely a follow-up PR.
+
+### 8. Keep migration hardening intact
+
+Do not weaken these gates:
+
+- Apply fails closed on blocking warnings.
+- Apply fails closed on runtime upstream preflight failure.
+- Caddy config validation runs before Traefik is stopped.
+- Rollback uses backup metadata and restores Traefik resources.
+- Rollback CLI exits non-zero on failure.
+- Runtime DB migration failure exits non-zero.
+
+## Validation Ladder
+
+Run and record the narrowest checks that prove the changed behavior.
+
+Static checks:
+
+```bash
+git diff --check
+```
+
+Focused Caddy tests:
+
+```bash
+pnpm --filter=dokploy test --run __test__/caddy
+pnpm --filter=dokploy test --run __test__/db/runtime-migration.test.ts
+```
+
+Targeted type and format checks:
+
+```bash
+pnpm --filter=dokploy typecheck
+pnpm --filter=@dokploy/server typecheck
+pnpm format
+```
+
+Shell checks, only if shell scripts are touched:
+
+```bash
+bash -n <script>
+```
+
+Read-only production checks, only when production proof is needed:
+
+```bash
+docker ps --filter label=com.docker.swarm.service.name=dokploy
+docker service inspect dokploy --format '{{.Spec.TaskTemplate.ContainerSpec.Image}}'
+docker service ps dokploy
+docker service inspect dokploy-traefik
+docker service inspect dokploy-caddy
+```
+
+Forbidden without explicit approval:
+
+- Caddy migration apply
+- Caddy migration rollback
+- Provider state changes
+- Docker service updates
+- Docker service scale changes
+- Container or service restarts
+- Writing live Caddy or Traefik config files
+
+## Live Mutation Approval Gate
+
+No live mutation has been approved for this document.
+
+Before any production mutation, fill this in:
+
+```text
+Approved by:
+Approval time:
+Mutation scope:
+Rollback plan:
+Expected read-only checks before mutation:
+Expected post-mutation checks:
+```
+
+## Proof Log
+
+| Date | Evidence | Result | Notes |
+| --- | --- | --- | --- |
+| 2026-06-01 | RepoPrompt Deep Plan run with Dokploy and infrastructure workspace roots | Complete | Generated implementation plan for upstream Caddy readiness. Generated prompt export must be removed from PR surface. |
+| 2026-06-01 | `gh pr view 4534 --repo Dokploy/dokploy` | Complete | PR open, mergeable, review required, visible `anti-slop` check succeeded. |
+| 2026-06-01 | `git status --short --branch` | Complete | Branch `codex/caddy-web-server-v0296-clean-pr`; clean before document work except generated RepoPrompt export. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/compose/domain.test.ts` | Passed | 1 file, 9 tests. Proves shared compose refresh writes Caddy fragments and skips Traefik. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts` | Passed | 1 file, 15 tests. Proves Caddy trusted proxy defaults, Cloudflare/static CIDR config, and validation. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 13 files, 84 tests before the custom certificate slice. Covers focused Caddy config, domain, migration, rollback, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application/domain.test.ts __test__/caddy/compose/domain.test.ts __test__/caddy/config.test.ts` | Passed | 3 files, 31 tests. Covers custom Caddy certificate file loading, compose domain refresh, and trusted proxy config. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 13 files, 86 tests after the custom certificate slice. Covers focused Caddy config, domain, migration, rollback, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy migration:generate` | Passed | Generated `0171_caddy_trusted_proxy_config.sql` for local and remote Caddy trusted proxy JSON settings. Node v26 produced the same engine warning. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/dashboard-route.test.ts` | Passed | 2 files, 18 tests. Covers persisted trusted proxy normalization and dashboard route settings shape. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 13 files, 87 tests after persisted trusted proxy settings. Covers focused Caddy config, domain, migration, rollback, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/preview-deployment.test.ts` | Passed | 3 files, 21 tests. Covers application create rollback, Caddy domain removal rollback, and provider-aware preview create/remove. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 15 files, 92 tests after preview and application route lifecycle proof. Covers focused Caddy config, domain, preview, migration, rollback, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-router-lifecycle.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/config.test.ts __test__/caddy/preview-deployment.test.ts` | Passed | 4 files, 26 tests. Covers application and compose router lifecycle rollback plus service-level create cleanup. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 16 files, 97 tests after router lifecycle proof. Covers focused Caddy config, domain, preview, migration, rollback, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` | Passed | App typecheck passed. Node v26 produced an engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=@dokploy/server typecheck` | Passed | Server package typecheck passed. Node v26 produced the same engine warning. |
+| 2026-06-02 | RepoPrompt oracle plan for the new-service domain tracker gap | Complete | Confirmed normal `application.create` has no domain payload and the application new-service-with-domain path is project duplication through `createDomain()`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application/domain-service.test.ts` | Passed | 1 file, 3 tests. Maps copied/new-service application domains to `createDomain()` provider dispatch and rollback coverage. |
+| 2026-06-02 | Provider-neutral uploaded certificate UI copy | Complete | Replaced Traefik-only copy on the certificate settings page because uploaded certificates can now be selected by Caddy domains. |
+| 2026-06-02 | `git diff --check` | Passed | No whitespace errors in the current local diff. |
+| 2026-06-02 | RepoPrompt review with `back:3` diff artifacts | Complete | Incorporated production-code recommendations for Caddy certificate mounts, custom certificate availability checks, application domain creation compensation, preview route cleanup, and descriptive migration naming. |
+
+## Upstream Hygiene Checklist
+
+- [ ] No `prompt-exports/` files in the final diff.
+- [ ] No platform-specific hostnames, route manifests, or production logs in this repo.
+- [ ] No private runbooks or agent files added to PR surface.
+- [ ] Caddy fixtures remain generic.
+- [ ] Proof log entries are sanitized.
+- [ ] Commit messages describe generic Dokploy behavior, not private deployment details.
diff --git a/packages/server/src/db/schema/server.ts b/packages/server/src/db/schema/server.ts
index db4c3ffda1..99d048eefe 100644
--- a/packages/server/src/db/schema/server.ts
+++ b/packages/server/src/db/schema/server.ts
@@ -10,6 +10,7 @@ import {
 import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
+import type { CaddyTrustedProxySettings } from "../../utils/caddy/types";
 import { organization } from "./account";
 import { applications } from "./application";
 import { certificates } from "./certificate";
@@ -45,6 +46,9 @@ export const server = pgTable("server", {
 	webServerProvider: webServerProvider("webServerProvider")
 		.notNull()
 		.default("traefik"),
+	caddyTrustedProxyConfig: jsonb("caddyTrustedProxyConfig")
+		.$type<CaddyTrustedProxySettings | null>()
+		.default(null),
 	createdAt: text("createdAt").notNull(),
 	organizationId: text("organizationId")
 		.notNull()
diff --git a/packages/server/src/db/schema/web-server-settings.ts b/packages/server/src/db/schema/web-server-settings.ts
index 7284deca10..59e2a76b8e 100644
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
@@ -3,6 +3,7 @@ import { boolean, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
 import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
+import type { CaddyTrustedProxySettings } from "../../utils/caddy/types";
 import { certificateType, webServerProvider } from "./shared";
 
 export const webServerSettings = pgTable("webServerSettings", {
@@ -14,6 +15,9 @@ export const webServerSettings = pgTable("webServerSettings", {
 	webServerProvider: webServerProvider("webServerProvider")
 		.notNull()
 		.default("traefik"),
+	caddyTrustedProxyConfig: jsonb("caddyTrustedProxyConfig")
+		.$type<CaddyTrustedProxySettings | null>()
+		.default(null),
 	serverIp: text("serverIp"),
 	certificateType: certificateType("certificateType").notNull().default("none"),
 	https: boolean("https").notNull().default(false),
@@ -128,6 +132,15 @@ const createSchema = createInsertSchema(webServerSettings, {
 
 export const apiUpdateWebServerSettings = createSchema.partial().extend({
 	webServerProvider: z.enum(["traefik", "caddy"]).optional(),
+	caddyTrustedProxyConfig: z
+		.object({
+			mode: z.enum(["disabled", "cloudflare", "static"]),
+			ranges: z.array(z.string()).optional().nullable(),
+			clientIpHeaders: z.array(z.string()).optional().nullable(),
+			strict: z.boolean().optional().nullable(),
+		})
+		.optional()
+		.nullable(),
 	serverIp: z.string().optional(),
 	certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
 	https: z.boolean().optional(),
diff --git a/packages/server/src/services/certificate.ts b/packages/server/src/services/certificate.ts
index aa5c3983c2..aa322e6f22 100644
--- a/packages/server/src/services/certificate.ts
+++ b/packages/server/src/services/certificate.ts
@@ -31,6 +31,28 @@ export const findCertificateById = async (certificateId: string) => {
 	return certificate;
 };
 
+export const findCertificateByPath = async (certificatePath: string) => {
+	return db.query.certificates.findFirst({
+		where: eq(certificates.certificatePath, certificatePath),
+	});
+};
+
+export const assertCertificatePathAvailableForServer = async (
+	certificatePath: string,
+	serverId?: string | null,
+) => {
+	const certificate = await findCertificateByPath(certificatePath);
+	const expectedServerId = serverId ?? null;
+
+	if (!certificate || (certificate.serverId ?? null) !== expectedServerId) {
+		throw new Error(
+			`Caddy custom certificate "${certificatePath}" is not available for this server. Use an uploaded certificate assigned to the same server.`,
+		);
+	}
+
+	return certificate;
+};
+
 export const createCertificate = async (
 	certificateData: z.infer<typeof apiCreateCertificate>,
 	organizationId: string,
diff --git a/packages/server/src/services/domain.ts b/packages/server/src/services/domain.ts
index e582f4dfa1..1546b72d99 100644
--- a/packages/server/src/services/domain.ts
+++ b/packages/server/src/services/domain.ts
@@ -3,19 +3,25 @@ import { promisify } from "node:util";
 import { db } from "@dokploy/server/db";
 import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
 import { generateRandomDomain } from "@dokploy/server/templates";
+import {
+	getCaddyComposeRouteTargetsForWebServer,
+	writeCaddyComposeRoutesForTargets,
+} from "@dokploy/server/utils/docker/domain";
 import { manageWebServerDomain } from "@dokploy/server/utils/web-server/domain";
+import type { WebServerProvider } from "@dokploy/server/utils/web-server/providers";
 import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
 import type { z } from "zod";
 import { type apiCreateDomain, domains } from "../db/schema";
 import { findApplicationById } from "./application";
 import { detectCDNProvider } from "./cdn";
+import type { Compose } from "./compose";
 import { findServerById } from "./server";
 
 export type Domain = typeof domains.$inferSelect;
 
 export const createDomain = async (input: z.infer<typeof apiCreateDomain>) => {
-	const result = await db.transaction(async (tx) => {
+	const domain = await db.transaction(async (tx) => {
 		const domain = await tx
 			.insert(domains)
 			.values({
@@ -32,15 +38,20 @@ export const createDomain = async (input: z.infer<typeof apiCreateDomain>) => {
 			});
 		}
 
-		if (domain.applicationId) {
-			const application = await findApplicationById(domain.applicationId);
-			await manageWebServerDomain(application, domain);
-		}
-
 		return domain;
 	});
 
-	return result;
+	if (domain.applicationId) {
+		const application = await findApplicationById(domain.applicationId);
+		try {
+			await manageWebServerDomain(application, domain);
+		} catch (error) {
+			await removeDomainById(domain.domainId).catch(() => undefined);
+			throw error;
+		}
+	}
+
+	return domain;
 };
 
 export const generateTraefikMeDomain = async (
@@ -140,6 +151,39 @@ export const removeDomainById = async (domainId: string) => {
 	return result[0];
 };
 
+export const refreshCaddyComposeRoutes = async (
+	compose: Compose,
+	domainsInput?: Domain[],
+	provider?: WebServerProvider,
+) => {
+	const domainsArray =
+		domainsInput ?? (await findDomainsByComposeId(compose.composeId));
+	const routeTargets = await getCaddyComposeRouteTargetsForWebServer(
+		compose,
+		domainsArray,
+		provider,
+	);
+	if (routeTargets) {
+		await writeCaddyComposeRoutesForTargets(compose, routeTargets);
+	}
+};
+
+export const createComposeDomain = async (
+	compose: Compose,
+	input: z.infer<typeof apiCreateDomain>,
+	provider?: WebServerProvider,
+) => {
+	const domain = await createDomain(input);
+	try {
+		await refreshCaddyComposeRoutes(compose, undefined, provider);
+		return domain;
+	} catch (error) {
+		await removeDomainById(domain.domainId);
+		await refreshCaddyComposeRoutes(compose, undefined, provider);
+		throw error;
+	}
+};
+
 export const getDomainHost = (domain: Domain) => {
 	return `${domain.https ? "https" : "http"}://${domain.host}`;
 };
diff --git a/packages/server/src/services/preview-deployment.ts b/packages/server/src/services/preview-deployment.ts
index 20f64259bc..b00ddd5afb 100644
--- a/packages/server/src/services/preview-deployment.ts
+++ b/packages/server/src/services/preview-deployment.ts
@@ -13,10 +13,13 @@ import { removeService } from "../utils/docker/utils";
 import { removeDirectoryCode } from "../utils/filesystem/directory";
 import { authGithub } from "../utils/providers/github";
 import { removeTraefikConfig } from "../utils/traefik/application";
-import { manageDomain } from "../utils/traefik/domain";
+import {
+	manageWebServerDomain,
+	removeWebServerDomain,
+} from "../utils/web-server/domain";
 import { findApplicationById } from "./application";
 import { removeDeploymentsByPreviewDeploymentId } from "./deployment";
-import { createDomain } from "./domain";
+import { createDomain, removeDomainById } from "./domain";
 import { type Github, getIssueComment } from "./github";
 import { getWebServerSettings } from "./web-server-settings";
 
@@ -65,8 +68,16 @@ export const removePreviewDeployment = async (previewDeploymentId: string) => {
 				),
 			async () =>
 				await removeDirectoryCode(application?.appName, application?.serverId),
-			async () =>
-				await removeTraefikConfig(application?.appName, application?.serverId),
+			async () => {
+				if (previewDeployment.domain) {
+					await removeWebServerDomain(
+						application,
+						previewDeployment.domain.uniqueConfigKey,
+					);
+					return;
+				}
+				await removeTraefikConfig(application?.appName, application?.serverId);
+			},
 			async () =>
 				await db
 					.delete(previewDeployments)
@@ -174,32 +185,64 @@ export const createPreviewDeployment = async (
 		});
 	}
 
-	const newDomain = await createDomain({
-		host: generateDomain,
-		path: application.previewPath,
-		port: application.previewPort,
-		https: application.previewHttps,
-		certificateType: application.previewCertificateType,
-		customCertResolver: application.previewCustomCertResolver,
-		domainType: "preview",
-		previewDeploymentId: previewDeployment.previewDeploymentId,
-	});
-
 	application.appName = appName;
+	let newDomain: Awaited<ReturnType<typeof createDomain>> | undefined;
+	let routeCreated = false;
 
-	await manageDomain(application, newDomain);
+	try {
+		newDomain = await createDomain({
+			host: generateDomain,
+			path: application.previewPath,
+			port: application.previewPort,
+			https: application.previewHttps,
+			certificateType: application.previewCertificateType,
+			customCertResolver: application.previewCustomCertResolver,
+			domainType: "preview",
+			previewDeploymentId: previewDeployment.previewDeploymentId,
+		});
 
-	await db
-		.update(previewDeployments)
-		.set({
-			domainId: newDomain.domainId,
-		})
-		.where(
-			eq(
-				previewDeployments.previewDeploymentId,
-				previewDeployment.previewDeploymentId,
-			),
-		);
+		await manageWebServerDomain(application, newDomain);
+		routeCreated = true;
+
+		await db
+			.update(previewDeployments)
+			.set({
+				domainId: newDomain.domainId,
+			})
+			.where(
+				eq(
+					previewDeployments.previewDeploymentId,
+					previewDeployment.previewDeploymentId,
+				),
+			);
+	} catch (error) {
+		if (routeCreated && newDomain) {
+			await removeWebServerDomain(application, newDomain.uniqueConfigKey).catch(
+				() => undefined,
+			);
+		}
+		if (newDomain) {
+			await removeDomainById(newDomain.domainId).catch(() => undefined);
+		}
+		await db
+			.delete(previewDeployments)
+			.where(
+				eq(
+					previewDeployments.previewDeploymentId,
+					previewDeployment.previewDeploymentId,
+				),
+			)
+			.returning()
+			.catch(() => undefined);
+		await octokit.rest.issues
+			.deleteComment({
+				owner: application?.owner || "",
+				repo: application?.repository || "",
+				comment_id: issue.data.id,
+			})
+			.catch(() => undefined);
+		throw error;
+	}
 
 	return previewDeployment;
 };
diff --git a/packages/server/src/services/settings.ts b/packages/server/src/services/settings.ts
index c0005fb098..f322f0810a 100644
--- a/packages/server/src/services/settings.ts
+++ b/packages/server/src/services/settings.ts
@@ -779,6 +779,7 @@ export const writeCaddySetup = async (input: CaddyOptions) => {
 			additionalPorts: input.additionalPorts,
 			serverId: input.serverId,
 			letsEncryptEmail: input.letsEncryptEmail,
+			trustedProxies: input.trustedProxies,
 		});
 		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
 	} else {
@@ -787,6 +788,7 @@ export const writeCaddySetup = async (input: CaddyOptions) => {
 			additionalPorts: input.additionalPorts,
 			serverId: input.serverId,
 			letsEncryptEmail: input.letsEncryptEmail,
+			trustedProxies: input.trustedProxies,
 		});
 
 		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
diff --git a/packages/server/src/services/web-server-settings.ts b/packages/server/src/services/web-server-settings.ts
index 0b1403f2c9..887d66e5b7 100644
--- a/packages/server/src/services/web-server-settings.ts
+++ b/packages/server/src/services/web-server-settings.ts
@@ -1,11 +1,80 @@
 import { db } from "@dokploy/server/db";
 import { server, webServerSettings } from "@dokploy/server/db/schema";
+import { assertValidCaddyTrustedProxyConfig } from "@dokploy/server/utils/caddy/config";
+import type {
+	CaddyTrustedProxyConfig,
+	CaddyTrustedProxySettings,
+} from "@dokploy/server/utils/caddy/types";
 import {
 	normalizeWebServerProvider,
 	type WebServerProvider,
 } from "@dokploy/server/utils/web-server/providers";
 import { eq } from "drizzle-orm";
 
+const normalizeStringList = (values: string[] | null | undefined) =>
+	Array.from(
+		new Set(
+			(values ?? [])
+				.map((value) => value.trim())
+				.filter((value) => value.length > 0),
+		),
+	);
+
+export const normalizeCaddyTrustedProxySettings = (
+	settings: CaddyTrustedProxySettings | null | undefined,
+): CaddyTrustedProxySettings | null => {
+	if (!settings || settings.mode === "disabled") {
+		return null;
+	}
+
+	const normalized: CaddyTrustedProxySettings =
+		settings.mode === "cloudflare"
+			? {
+					mode: "cloudflare",
+					clientIpHeaders: normalizeStringList(settings.clientIpHeaders),
+					strict: settings.strict !== false,
+				}
+			: {
+					mode: "static",
+					ranges: normalizeStringList(settings.ranges),
+					clientIpHeaders: normalizeStringList(settings.clientIpHeaders),
+					strict: settings.strict !== false,
+				};
+
+	assertValidCaddyTrustedProxyConfig(
+		caddyTrustedProxySettingsToConfig(normalized),
+	);
+
+	return normalized;
+};
+
+export const caddyTrustedProxySettingsToConfig = (
+	settings: CaddyTrustedProxySettings | null | undefined,
+): CaddyTrustedProxyConfig | null => {
+	if (!settings || settings.mode === "disabled") {
+		return null;
+	}
+
+	if (settings.mode === "cloudflare") {
+		return {
+			source: "cloudflare",
+			clientIpHeaders: settings.clientIpHeaders?.length
+				? settings.clientIpHeaders
+				: undefined,
+			strict: settings.strict,
+		};
+	}
+
+	return {
+		source: "static",
+		ranges: settings.ranges ?? [],
+		clientIpHeaders: settings.clientIpHeaders?.length
+			? settings.clientIpHeaders
+			: undefined,
+		strict: settings.strict,
+	};
+};
+
 /**
  * Get the web server settings (singleton - only one row should exist)
  */
@@ -89,6 +158,77 @@ export const updateRemoteWebServerProvider = async (
 	return updated;
 };
 
+export const getCaddyTrustedProxySettings = async (
+	serverId?: string | null,
+): Promise<CaddyTrustedProxySettings | null> => {
+	if (serverId) {
+		const remoteServer = await db.query.server.findFirst({
+			where: eq(server.serverId, serverId),
+			columns: {
+				caddyTrustedProxyConfig: true,
+			},
+		});
+
+		if (!remoteServer) {
+			throw new Error(`Server not found: ${serverId}`);
+		}
+
+		return normalizeCaddyTrustedProxySettings(
+			remoteServer.caddyTrustedProxyConfig,
+		);
+	}
+
+	const settings = await getWebServerSettings();
+	return normalizeCaddyTrustedProxySettings(settings?.caddyTrustedProxyConfig);
+};
+
+export const getCaddyTrustedProxyConfig = async (
+	serverId?: string | null,
+): Promise<CaddyTrustedProxyConfig | null> => {
+	return caddyTrustedProxySettingsToConfig(
+		await getCaddyTrustedProxySettings(serverId),
+	);
+};
+
+export const getCaddyCompileSettings = async (
+	serverId?: string | null,
+): Promise<{
+	letsEncryptEmail?: string | null;
+	trustedProxies?: CaddyTrustedProxyConfig | null;
+}> => {
+	if (serverId) {
+		return {
+			trustedProxies: await getCaddyTrustedProxyConfig(serverId),
+		};
+	}
+
+	const settings = await getWebServerSettings();
+	return {
+		letsEncryptEmail: settings?.letsEncryptEmail,
+		trustedProxies: caddyTrustedProxySettingsToConfig(
+			normalizeCaddyTrustedProxySettings(settings?.caddyTrustedProxyConfig),
+		),
+	};
+};
+
+export const updateCaddyTrustedProxySettings = async (
+	settings: CaddyTrustedProxySettings | null,
+	serverId?: string | null,
+) => {
+	const normalized = normalizeCaddyTrustedProxySettings(settings);
+	if (serverId) {
+		const [updated] = await db
+			.update(server)
+			.set({ caddyTrustedProxyConfig: normalized })
+			.where(eq(server.serverId, serverId))
+			.returning();
+
+		return updated;
+	}
+
+	return updateWebServerSettings({ caddyTrustedProxyConfig: normalized });
+};
+
 export const resolveWebServerProvider = async (
 	serverId?: string | null,
 ): Promise<WebServerProvider> => {
diff --git a/packages/server/src/setup/caddy-setup.ts b/packages/server/src/setup/caddy-setup.ts
index 4a68a11338..950aad7d2b 100644
--- a/packages/server/src/setup/caddy-setup.ts
+++ b/packages/server/src/setup/caddy-setup.ts
@@ -5,6 +5,7 @@ import {
 	reloadCaddyAfterValidation,
 	validateCaddyConfigWithContainer,
 } from "../utils/caddy/config";
+import type { CaddyTrustedProxyConfig } from "../utils/caddy/types";
 import { getRemoteDocker } from "../utils/servers/remote-docker";
 
 export const CADDY_SSL_PORT =
@@ -24,12 +25,14 @@ export interface CaddyOptions {
 		protocol?: string;
 	}[];
 	letsEncryptEmail?: string | null;
+	trustedProxies?: CaddyTrustedProxyConfig | null;
 }
 
 const getCaddyMounts = (serverId?: string) => {
 	const { CADDY_CONFIG_DIR_PATH, CADDY_DATA_PATH, MAIN_CADDY_PATH } = paths(
 		!!serverId,
 	);
+	const { CERTIFICATES_PATH } = paths(!!serverId);
 
 	return {
 		MAIN_CADDY_PATH,
@@ -37,6 +40,7 @@ const getCaddyMounts = (serverId?: string) => {
 			`${MAIN_CADDY_PATH}:/etc/caddy`,
 			`${CADDY_DATA_PATH}:/data`,
 			`${CADDY_CONFIG_DIR_PATH}:/config`,
+			`${CERTIFICATES_PATH}:${CERTIFICATES_PATH}:ro`,
 		],
 		serviceMounts: [
 			{
@@ -54,6 +58,12 @@ const getCaddyMounts = (serverId?: string) => {
 				Source: CADDY_CONFIG_DIR_PATH,
 				Target: "/config",
 			},
+			{
+				Type: "bind" as const,
+				Source: CERTIFICATES_PATH,
+				Target: CERTIFICATES_PATH,
+				ReadOnly: true,
+			},
 		],
 	};
 };
@@ -144,8 +154,13 @@ export const initializeStandaloneCaddy = async ({
 	serverId,
 	additionalPorts = [],
 	letsEncryptEmail,
+	trustedProxies,
 }: CaddyOptions = {}) => {
-	await ensureDefaultCaddyConfig({ serverId, letsEncryptEmail });
+	await ensureDefaultCaddyConfig({
+		serverId,
+		letsEncryptEmail,
+		trustedProxies,
+	});
 	const imageName = `caddy:${CADDY_VERSION}`;
 	const containerName = "dokploy-caddy";
 	const { binds } = getCaddyMounts(serverId);
@@ -196,8 +211,13 @@ export const initializeCaddyService = async ({
 	additionalPorts = [],
 	serverId,
 	letsEncryptEmail,
+	trustedProxies,
 }: CaddyOptions) => {
-	await ensureDefaultCaddyConfig({ serverId, letsEncryptEmail });
+	await ensureDefaultCaddyConfig({
+		serverId,
+		letsEncryptEmail,
+		trustedProxies,
+	});
 	const imageName = `caddy:${CADDY_VERSION}`;
 	const appName = "dokploy-caddy";
 	const { serviceMounts } = getCaddyMounts(serverId);
diff --git a/packages/server/src/utils/caddy/compose.ts b/packages/server/src/utils/caddy/compose.ts
index d1715e0c12..7872f7bd15 100644
--- a/packages/server/src/utils/caddy/compose.ts
+++ b/packages/server/src/utils/caddy/compose.ts
@@ -1,6 +1,6 @@
 import type { Compose } from "@dokploy/server/services/compose";
 import type { Domain } from "@dokploy/server/services/domain";
-import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import { getCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import {
 	compileWriteAndReloadCaddyConfigSafely,
 	readCaddyRouteFragments,
@@ -8,7 +8,11 @@ import {
 	restoreCaddyRouteFragments,
 	writeCaddyRouteFragment,
 } from "./config";
-import { assertCaddyDomainSupported } from "./domain";
+import {
+	assertCaddyDomainCertificateAvailable,
+	assertCaddyDomainSupported,
+	getCaddyCustomCertificateFiles,
+} from "./domain";
 import type { CaddyRouteFragment, CaddyRouteIntent } from "./types";
 import { getCaddyComposeRuntimeTarget } from "./upstream-targets";
 
@@ -34,7 +38,10 @@ const createCaddyRouteId = (appName: string, uniqueConfigKey: number) =>
 	`${appName}-compose-route-${uniqueConfigKey}`;
 
 export const createCaddyComposeRouteIntent = (
-	compose: Pick<Compose, "appName" | "composeType" | "isolatedDeployment">,
+	compose: Pick<
+		Compose,
+		"appName" | "composeType" | "isolatedDeployment" | "serverId"
+	>,
 	domain: Domain,
 	finalServiceName: string,
 	options: {
@@ -62,6 +69,13 @@ export const createCaddyComposeRouteIntent = (
 		https: domain.https && !domain.customEntrypoint,
 		upstreams: [`http://${upstreamServiceName}:${domain.port || 80}`],
 		upstreamNetwork,
+		tlsCertificate:
+			domain.certificateType === "custom" && domain.customCertResolver
+				? getCaddyCustomCertificateFiles(
+						compose.serverId,
+						domain.customCertResolver,
+					)
+				: null,
 		transforms: {
 			stripPrefix: domain.stripPath ? publicPath : null,
 			addPrefix: internalPath,
@@ -70,7 +84,10 @@ export const createCaddyComposeRouteIntent = (
 };
 
 export const createCaddyComposeRouteFragment = (
-	compose: Pick<Compose, "appName" | "composeType" | "isolatedDeployment">,
+	compose: Pick<
+		Compose,
+		"appName" | "composeType" | "isolatedDeployment" | "serverId"
+	>,
 	domain: Domain,
 	finalServiceName: string,
 	options: {
@@ -87,17 +104,14 @@ export const createCaddyComposeRouteFragment = (
 	],
 });
 
-const getLocalLetsEncryptEmail = async (serverId?: string | null) => {
-	if (serverId) return null;
-	const settings = await getWebServerSettings();
-	return settings?.letsEncryptEmail;
-};
-
 export const writeCaddyComposeRouteFragments = async (
 	compose: Compose,
 	domains: Array<{ domain: Domain; finalServiceName: string }>,
 ) => {
 	const serverId = compose.serverId || undefined;
+	for (const { domain } of domains) {
+		await assertCaddyDomainCertificateAvailable(serverId, domain);
+	}
 	const options = { serverId };
 	const fragmentPrefix = getCaddyComposeFragmentPrefix(compose.appName);
 	const nextFragmentIds = new Set(
@@ -134,7 +148,7 @@ export const writeCaddyComposeRouteFragments = async (
 
 		await compileWriteAndReloadCaddyConfigSafely({
 			serverId,
-			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+			...(await getCaddyCompileSettings(serverId)),
 		});
 	} catch (error) {
 		await restoreCaddyRouteFragments(existingFragments, options);
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index c550e9a1e2..21a3b1912d 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -7,6 +7,7 @@ import {
 	rmSync,
 	writeFileSync,
 } from "node:fs";
+import { isIP } from "node:net";
 import * as path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import {
@@ -25,6 +26,33 @@ import type {
 
 const CADDY_FRAGMENT_VERSION = 1;
 const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
+export const CLOUDFLARE_TRUSTED_PROXY_RANGES = [
+	"173.245.48.0/20",
+	"103.21.244.0/22",
+	"103.22.200.0/22",
+	"103.31.4.0/22",
+	"141.101.64.0/18",
+	"108.162.192.0/18",
+	"190.93.240.0/20",
+	"188.114.96.0/20",
+	"197.234.240.0/22",
+	"198.41.128.0/17",
+	"162.158.0.0/15",
+	"104.16.0.0/13",
+	"104.24.0.0/14",
+	"172.64.0.0/13",
+	"131.0.72.0/22",
+	"2400:cb00::/32",
+	"2606:4700::/32",
+	"2803:f800::/32",
+	"2405:b500::/32",
+	"2405:8100::/32",
+	"2a06:98c0::/29",
+	"2c0f:f248::/32",
+] as const;
+
+const DEFAULT_CLIENT_IP_HEADERS = ["X-Forwarded-For"];
+const CLOUDFLARE_CLIENT_IP_HEADERS = ["CF-Connecting-IP", "X-Forwarded-For"];
 
 const assertSafeFragmentId = (id: string) => {
 	if (
@@ -196,6 +224,137 @@ const normalizeHeaderValues = (headers: CaddyHeaderMap) => {
 	);
 };
 
+const assertValidTrustedProxyRange = (range: string) => {
+	const [address, prefix, ...extra] = range.split("/");
+	if (!address || !prefix || extra.length > 0) {
+		throw new Error(`Invalid Caddy trusted proxy CIDR range "${range}"`);
+	}
+	const ipVersion = isIP(address);
+	if (!ipVersion) {
+		throw new Error(`Invalid Caddy trusted proxy address "${address}"`);
+	}
+	if (!/^\d+$/.test(prefix)) {
+		throw new Error(`Invalid Caddy trusted proxy prefix "${prefix}"`);
+	}
+	const prefixNumber = Number(prefix);
+	const maxPrefix = ipVersion === 4 ? 32 : 128;
+	if (prefixNumber < 0 || prefixNumber > maxPrefix) {
+		throw new Error(
+			`Invalid Caddy trusted proxy prefix "${prefix}" for ${address}`,
+		);
+	}
+};
+
+const normalizeClientIpHeaders = (headers: string[]) => {
+	if (!headers.length) {
+		throw new Error(
+			"Caddy trusted proxies require at least one client IP header",
+		);
+	}
+	const seen = new Set<string>();
+	return headers.map((header) => {
+		const normalized = header.trim();
+		if (!normalized) {
+			throw new Error("Caddy trusted proxy client IP header cannot be empty");
+		}
+		const key = normalized.toLowerCase();
+		if (seen.has(key)) {
+			throw new Error(
+				`Duplicate Caddy trusted proxy client IP header "${normalized}"`,
+			);
+		}
+		seen.add(key);
+		return normalized;
+	});
+};
+
+const createTrustedProxyServerOptions = (
+	trustedProxies: CaddyCompileOptions["trustedProxies"],
+) => {
+	if (!trustedProxies) {
+		return {};
+	}
+	const ranges =
+		trustedProxies.source === "cloudflare"
+			? [...CLOUDFLARE_TRUSTED_PROXY_RANGES]
+			: (trustedProxies.ranges ?? []);
+	if (!ranges.length) {
+		throw new Error("Caddy trusted proxies require at least one CIDR range");
+	}
+	for (const range of ranges) {
+		assertValidTrustedProxyRange(range);
+	}
+
+	const clientIpHeaders = normalizeClientIpHeaders(
+		trustedProxies.clientIpHeaders ??
+			(trustedProxies.source === "cloudflare"
+				? CLOUDFLARE_CLIENT_IP_HEADERS
+				: DEFAULT_CLIENT_IP_HEADERS),
+	);
+
+	return {
+		trusted_proxies: {
+			source: "static",
+			ranges,
+		},
+		client_ip_headers: clientIpHeaders,
+		...(trustedProxies.strict === false ? {} : { trusted_proxies_strict: 1 }),
+	};
+};
+
+export const assertValidCaddyTrustedProxyConfig = (
+	trustedProxies: CaddyCompileOptions["trustedProxies"],
+) => {
+	createTrustedProxyServerOptions(trustedProxies);
+};
+
+const collectManualTlsCertificates = (routes: CaddyRouteIntent[]) => {
+	const seen = new Set<string>();
+	const certificates = [];
+	for (const route of routes) {
+		if (!route.tlsCertificate) {
+			continue;
+		}
+		const key = `${route.tlsCertificate.certificate}\0${route.tlsCertificate.key}`;
+		if (seen.has(key)) {
+			continue;
+		}
+		seen.add(key);
+		certificates.push({
+			certificate: route.tlsCertificate.certificate,
+			key: route.tlsCertificate.key,
+		});
+	}
+	return certificates;
+};
+
+const createTlsAppConfig = (
+	letsEncryptEmail: string | null | undefined,
+	manualCertificates: Array<{ certificate: string; key: string }>,
+) => {
+	const tlsApp: CaddyJsonObject = {};
+	if (manualCertificates.length) {
+		tlsApp.certificates = {
+			load_files: manualCertificates,
+		};
+	}
+	if (letsEncryptEmail) {
+		tlsApp.automation = {
+			policies: [
+				{
+					issuers: [
+						{
+							module: "acme",
+							email: letsEncryptEmail,
+						},
+					],
+				},
+			],
+		};
+	}
+	return Object.keys(tlsApp).length ? { tls: tlsApp } : {};
+};
+
 const createHeaderHandler = (route: CaddyRouteIntent) => {
 	const requestHeaders = route.transforms?.requestHeaders;
 	const responseHeaders = route.transforms?.responseHeaders;
@@ -450,6 +609,7 @@ export const compileCaddyConfig = ({
 	fragments = [],
 	routes = [],
 	letsEncryptEmail,
+	trustedProxies,
 }: CaddyCompileOptions = {}) => {
 	const allRoutes = sortCaddyRouteIntents([
 		...flattenCaddyFragments(fragments),
@@ -480,36 +640,26 @@ export const compileCaddyConfig = ({
 				? [proxyRoute, createForbiddenRoute(route)]
 				: [proxyRoute];
 		});
+	const trustedProxyServerOptions =
+		createTrustedProxyServerOptions(trustedProxies);
+	const manualTlsCertificates = collectManualTlsCertificates(allRoutes);
 
 	return {
 		admin: {
 			listen: "localhost:2019",
 		},
 		apps: {
-			...(letsEncryptEmail && {
-				tls: {
-					automation: {
-						policies: [
-							{
-								issuers: [
-									{
-										module: "acme",
-										email: letsEncryptEmail,
-									},
-								],
-							},
-						],
-					},
-				},
-			}),
+			...createTlsAppConfig(letsEncryptEmail, manualTlsCertificates),
 			http: {
 				servers: {
 					http: {
 						listen: [":80"],
+						...trustedProxyServerOptions,
 						routes: httpRoutes,
 					},
 					https: {
 						listen: [":443"],
+						...trustedProxyServerOptions,
 						routes: httpsRoutes,
 					},
 				},
@@ -654,12 +804,14 @@ export const readCaddyRouteFragments = async (
 export const compileAndWriteCaddyConfig = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
+		trustedProxies?: CaddyCompileOptions["trustedProxies"];
 	} = {},
 ) => {
 	const fragments = await readCaddyRouteFragments(options);
 	const config = compileCaddyConfig({
 		fragments,
 		letsEncryptEmail: options.letsEncryptEmail,
+		trustedProxies: options.trustedProxies,
 	});
 	await writeCaddyConfigFile(config, options);
 	return config;
@@ -717,12 +869,14 @@ export const writeAndReloadCaddyConfigSafely = async (
 export const compileWriteAndReloadCaddyConfigSafely = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
+		trustedProxies?: CaddyCompileOptions["trustedProxies"];
 	} = {},
 ) => {
 	const fragments = await readCaddyRouteFragments(options);
 	const config = compileCaddyConfig({
 		fragments,
 		letsEncryptEmail: options.letsEncryptEmail,
+		trustedProxies: options.trustedProxies,
 	});
 	await writeAndReloadCaddyConfigSafely(config, options);
 	return config;
@@ -731,6 +885,7 @@ export const compileWriteAndReloadCaddyConfigSafely = async (
 export const ensureDefaultCaddyConfig = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
+		trustedProxies?: CaddyCompileOptions["trustedProxies"];
 	} = {},
 ) => {
 	const caddyPaths = paths(!!options.serverId);
@@ -792,9 +947,11 @@ export const validateCaddyConfigFileWithImage = async (
 	);
 	const validationDataPath = path.posix.join(validationRoot, "data");
 	const validationConfigPath = path.posix.join(validationRoot, "config");
+	const { CERTIFICATES_PATH } = paths(!!serverId);
 	const mkdirCommand = `mkdir -p ${quote([
 		validationDataPath,
 		validationConfigPath,
+		CERTIFICATES_PATH,
 	])}`;
 	const cleanupCommand = `rm -rf ${quote([validationRoot])}`;
 	const validateCommand = `docker run --rm --network none ${[
@@ -804,6 +961,8 @@ export const validateCaddyConfigFileWithImage = async (
 		`${validationDataPath}:/data`,
 		"-v",
 		`${validationConfigPath}:/config`,
+		"-v",
+		`${CERTIFICATES_PATH}:${CERTIFICATES_PATH}:ro`,
 		imageName,
 		"caddy",
 		"validate",
diff --git a/packages/server/src/utils/caddy/domain.ts b/packages/server/src/utils/caddy/domain.ts
index 463f472996..67b7d94c17 100644
--- a/packages/server/src/utils/caddy/domain.ts
+++ b/packages/server/src/utils/caddy/domain.ts
@@ -1,5 +1,8 @@
+import * as path from "node:path";
+import { paths } from "@dokploy/server/constants";
+import { assertCertificatePathAvailableForServer } from "@dokploy/server/services/certificate";
 import type { Domain } from "@dokploy/server/services/domain";
-import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import { getCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import type { ApplicationNested } from "../builders";
 import {
 	compileWriteAndReloadCaddyConfigSafely,
@@ -29,16 +32,44 @@ export const getCaddyApplicationFragmentId = (
 const createCaddyRouteId = (appName: string, uniqueConfigKey: number) =>
 	`${appName}-route-${uniqueConfigKey}`;
 
+const assertSafeCertificatePath = (certificatePath: string) => {
+	if (
+		!/^[a-zA-Z0-9_.-]+$/.test(certificatePath) ||
+		certificatePath === "." ||
+		certificatePath === ".." ||
+		certificatePath.split(".").some((segment) => segment === "")
+	) {
+		throw new Error(
+			`Invalid Caddy custom certificate path "${certificatePath}". Use an uploaded certificate from Dokploy.`,
+		);
+	}
+};
+
+export const getCaddyCustomCertificateFiles = (
+	serverId: string | null | undefined,
+	certificatePath: string,
+) => {
+	assertSafeCertificatePath(certificatePath);
+	const certDir = path.join(
+		paths(!!serverId).CERTIFICATES_PATH,
+		certificatePath,
+	);
+	return {
+		certificate: path.join(certDir, "chain.crt"),
+		key: path.join(certDir, "privkey.key"),
+	};
+};
+
 export const getUnsupportedCaddyDomainFieldMessages = (domain: Domain) => {
 	const messages: string[] = [];
 	if (domain.customEntrypoint) {
 		messages.push("custom entrypoints are not supported by Caddy routes");
 	}
-	if (domain.customCertResolver) {
+	if (domain.customCertResolver && domain.certificateType !== "custom") {
 		messages.push("custom certificate resolvers are Traefik-specific");
 	}
-	if (domain.certificateType === "custom") {
-		messages.push("custom certificates are not translated to Caddy yet");
+	if (domain.certificateType === "custom" && !domain.customCertResolver) {
+		messages.push("custom certificates require an uploaded certificate");
 	}
 	if (domain.middlewares?.length) {
 		messages.push("Traefik middlewares are not translated to Caddy yet");
@@ -55,6 +86,18 @@ export const assertCaddyDomainSupported = (domain: Domain) => {
 	}
 };
 
+export const assertCaddyDomainCertificateAvailable = async (
+	serverId: string | null | undefined,
+	domain: Domain,
+) => {
+	if (domain.certificateType === "custom" && domain.customCertResolver) {
+		await assertCertificatePathAvailableForServer(
+			domain.customCertResolver,
+			serverId,
+		);
+	}
+};
+
 export const createCaddyApplicationRouteIntent = (
 	app: ApplicationNested,
 	domain: Domain,
@@ -76,6 +119,13 @@ export const createCaddyApplicationRouteIntent = (
 		https: domain.https && !domain.customEntrypoint,
 		upstreams: [`http://${app.appName}:${domain.port || 80}`],
 		upstreamNetwork: DOKPLOY_CADDY_NETWORK,
+		tlsCertificate:
+			domain.certificateType === "custom" && domain.customCertResolver
+				? getCaddyCustomCertificateFiles(
+						app.serverId,
+						domain.customCertResolver,
+					)
+				: null,
 		transforms: {
 			stripPrefix: domain.stripPath ? publicPath : null,
 			addPrefix: internalPath,
@@ -94,17 +144,12 @@ export const createCaddyApplicationRouteFragment = (
 	routes: [createCaddyApplicationRouteIntent(app, domain)],
 });
 
-const getLocalLetsEncryptEmail = async (serverId?: string | null) => {
-	if (serverId) return null;
-	const settings = await getWebServerSettings();
-	return settings?.letsEncryptEmail;
-};
-
 export const manageCaddyDomain = async (
 	app: ApplicationNested,
 	domain: Domain,
 ) => {
 	const serverId = app.serverId || undefined;
+	await assertCaddyDomainCertificateAvailable(serverId, domain);
 	const options = { serverId };
 	const previousFragments = await readCaddyRouteFragments(options);
 	try {
@@ -114,7 +159,7 @@ export const manageCaddyDomain = async (
 		);
 		await compileWriteAndReloadCaddyConfigSafely({
 			serverId,
-			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+			...(await getCaddyCompileSettings(serverId)),
 		});
 	} catch (error) {
 		await restoreCaddyRouteFragments(previousFragments, options);
@@ -136,7 +181,7 @@ export const removeCaddyDomain = async (
 		);
 		await compileWriteAndReloadCaddyConfigSafely({
 			serverId,
-			letsEncryptEmail: await getLocalLetsEncryptEmail(serverId),
+			...(await getCaddyCompileSettings(serverId)),
 		});
 	} catch (error) {
 		await restoreCaddyRouteFragments(previousFragments, options);
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
index 38c69415f9..d0dd03e10a 100644
--- a/packages/server/src/utils/caddy/migration/apply.ts
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -9,6 +9,7 @@ import {
 	writeCaddySetup,
 } from "@dokploy/server/services/settings";
 import {
+	getCaddyCompileSettings,
 	resolveWebServerProvider,
 	updateLocalWebServerProvider,
 	updateRemoteWebServerProvider,
@@ -403,6 +404,7 @@ const applyCaddyMigrationUnlocked = async (input: {
 				report.artifactPaths.caddyJson,
 				serverId,
 			),
+			trustedProxies: (await getCaddyCompileSettings(serverId)).trustedProxies,
 		});
 		await copyMigrationFileInPlace(
 			report.artifactPaths.caddyJson,
diff --git a/packages/server/src/utils/caddy/migration/prepare.ts b/packages/server/src/utils/caddy/migration/prepare.ts
index aa52f57d73..05e78474a3 100644
--- a/packages/server/src/utils/caddy/migration/prepare.ts
+++ b/packages/server/src/utils/caddy/migration/prepare.ts
@@ -3,7 +3,7 @@ import * as path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import { db } from "@dokploy/server/db";
 import { applications, compose } from "@dokploy/server/db/schema";
-import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import { getCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import { createCaddyComposeRouteFragment } from "@dokploy/server/utils/caddy/compose";
 import {
 	compileCaddyConfig,
@@ -581,12 +581,6 @@ const readTraefikStaticConfig = async (serverId?: string) => {
 	return { path: configPath, content };
 };
 
-const getLetsEncryptEmail = async (serverId?: string) => {
-	if (serverId) return null;
-	const settings = await getWebServerSettings();
-	return settings?.letsEncryptEmail ?? null;
-};
-
 const renderReportMarkdown = (report: CaddyMigrationReport) => {
 	const blocking = report.warnings.filter((item) => item.blocking);
 	return [
@@ -934,7 +928,7 @@ export const prepareCaddyMigration = async (
 	try {
 		config = compileCaddyConfig({
 			fragments,
-			letsEncryptEmail: await getLetsEncryptEmail(serverId),
+			...(await getCaddyCompileSettings(serverId)),
 		});
 		validation = {
 			status: "passed",
diff --git a/packages/server/src/utils/caddy/types.ts b/packages/server/src/utils/caddy/types.ts
index e665b94402..b1945ca82f 100644
--- a/packages/server/src/utils/caddy/types.ts
+++ b/packages/server/src/utils/caddy/types.ts
@@ -27,6 +27,11 @@ export interface CaddyStaticResponse {
 	headers?: CaddyHeaderMap | null;
 }
 
+export interface CaddyTlsCertificateFile {
+	certificate: string;
+	key: string;
+}
+
 export interface CaddyBasicAuthAccount {
 	username: string;
 	hash: string;
@@ -45,6 +50,7 @@ export interface CaddyRouteIntent {
 	upstreamNetwork?: string | null;
 	transforms?: CaddyRouteTransform | null;
 	basicAuth?: CaddyBasicAuthAccount[] | null;
+	tlsCertificate?: CaddyTlsCertificateFile | null;
 	redirectScheme?: CaddyRouteRedirectScheme | null;
 	staticResponse?: CaddyStaticResponse | null;
 }
@@ -57,10 +63,25 @@ export interface CaddyRouteFragment {
 	routes: CaddyRouteIntent[];
 }
 
+export interface CaddyTrustedProxyConfig {
+	source: "static" | "cloudflare";
+	ranges?: string[] | null;
+	clientIpHeaders?: string[] | null;
+	strict?: boolean | null;
+}
+
+export interface CaddyTrustedProxySettings {
+	mode: "disabled" | "cloudflare" | "static";
+	ranges?: string[] | null;
+	clientIpHeaders?: string[] | null;
+	strict?: boolean | null;
+}
+
 export interface CaddyCompileOptions {
 	fragments?: CaddyRouteFragment[];
 	routes?: CaddyRouteIntent[];
 	letsEncryptEmail?: string | null;
+	trustedProxies?: CaddyTrustedProxyConfig | null;
 }
 
 export type CaddyJsonObject = Record<string, unknown>;
diff --git a/packages/server/src/utils/caddy/web-server.ts b/packages/server/src/utils/caddy/web-server.ts
index 20fe80b204..bdf12dc1b8 100644
--- a/packages/server/src/utils/caddy/web-server.ts
+++ b/packages/server/src/utils/caddy/web-server.ts
@@ -1,4 +1,5 @@
 import type { webServerSettings } from "@dokploy/server/db/schema/web-server-settings";
+import { caddyTrustedProxySettingsToConfig } from "@dokploy/server/services/web-server-settings";
 import {
 	compileWriteAndReloadCaddyConfigSafely,
 	removeCaddyRouteFragment,
@@ -56,5 +57,8 @@ export const updateServerCaddy = async (
 
 	await compileWriteAndReloadCaddyConfigSafely({
 		letsEncryptEmail: settings.letsEncryptEmail,
+		trustedProxies: caddyTrustedProxySettingsToConfig(
+			settings.caddyTrustedProxyConfig,
+		),
 	});
 };

From 82a758e83f4dc928074fa15fa7ca7406df3a6f2e Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:16:09 -0400
Subject: [PATCH 05/37] fix: block missing caddy custom cert migrations

---
 .../__test__/caddy/migration/prepare.test.ts  | 34 ++++++++++
 docs/caddy-provider-upstream-readiness.md     |  2 +
 .../src/utils/caddy/migration/prepare.ts      | 68 ++++++++++++++++++-
 .../server/src/utils/caddy/migration/types.ts |  1 +
 4 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/apps/dokploy/__test__/caddy/migration/prepare.test.ts b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
index 1bffb710d8..f2833e4fc9 100644
--- a/apps/dokploy/__test__/caddy/migration/prepare.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
@@ -10,6 +10,7 @@ vi.mock("@dokploy/server/db", () => ({
 	db: {
 		query: {
 			applications: { findMany: vi.fn() },
+			certificates: { findFirst: vi.fn() },
 			compose: { findMany: vi.fn() },
 		},
 	},
@@ -115,6 +116,7 @@ describe("prepareCaddyMigration", () => {
 			} as any,
 		]);
 		vi.mocked(db.query.compose.findMany).mockResolvedValue([]);
+		vi.mocked(db.query.certificates.findFirst).mockResolvedValue(undefined);
 	});
 
 	test("writes reviewable dry-run artifacts without touching live Caddy config", async () => {
@@ -169,6 +171,38 @@ describe("prepareCaddyMigration", () => {
 		);
 	});
 
+	test("blocks DB fallback routes with missing uploaded custom certificates", async () => {
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([
+			{
+				applicationId: "app-1",
+				appName: "custom-cert-app",
+				serverId: null,
+				domains: [
+					{
+						...domain,
+						certificateType: "custom",
+						customCertResolver: "legacy-traefik-resolver",
+					},
+				],
+			} as any,
+		]);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(1);
+		expect(report.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					blocking: true,
+					code: "missing-certificate",
+					source: "custom-cert-app",
+					message: expect.stringContaining("legacy-traefik-resolver"),
+				}),
+			]),
+		);
+		expect(report.summary.fragments).toBe(0);
+	});
+
 	test("carries existing manual Caddy fragments into the migration draft", async () => {
 		const currentPaths = paths();
 		vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 565822c62d..423a38a52f 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -183,6 +183,7 @@ Implemented:
 - Caddy config compilation emits manual certificate file loaders while keeping automatic HTTPS available for other routes.
 - The Caddy domain UI labels the `custom` certificate provider as an uploaded certificate flow and restricts selection to certificates available to the current server.
 - Missing custom certificate references fail before writing Caddy config.
+- Migration dry-runs emit a blocking warning instead of generating DB fallback Caddy routes when a custom certificate reference does not map to an uploaded certificate for the same server.
 
 Tradeoff:
 
@@ -345,6 +346,7 @@ Expected post-mutation checks:
 | 2026-06-02 | Provider-neutral uploaded certificate UI copy | Complete | Replaced Traefik-only copy on the certificate settings page because uploaded certificates can now be selected by Caddy domains. |
 | 2026-06-02 | `git diff --check` | Passed | No whitespace errors in the current local diff. |
 | 2026-06-02 | RepoPrompt review with `back:3` diff artifacts | Complete | Incorporated production-code recommendations for Caddy certificate mounts, custom certificate availability checks, application domain creation compensation, preview route cleanup, and descriptive migration naming. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/migration/prepare.test.ts` | Passed | 1 file, 9 tests. Covers migration dry-run blocking warnings for missing uploaded custom certificate references. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/utils/caddy/migration/prepare.ts b/packages/server/src/utils/caddy/migration/prepare.ts
index 05e78474a3..7e4b3de071 100644
--- a/packages/server/src/utils/caddy/migration/prepare.ts
+++ b/packages/server/src/utils/caddy/migration/prepare.ts
@@ -2,7 +2,7 @@ import { isIP } from "node:net";
 import * as path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import { db } from "@dokploy/server/db";
-import { applications, compose } from "@dokploy/server/db/schema";
+import { applications, certificates, compose } from "@dokploy/server/db/schema";
 import { getCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import { createCaddyComposeRouteFragment } from "@dokploy/server/utils/caddy/compose";
 import {
@@ -469,6 +469,51 @@ const warnOnManualFragmentConflicts = (
 	}
 };
 
+const hasAvailableUploadedCertificate = async (
+	certificatePath: string,
+	serverId: string | null | undefined,
+) => {
+	const certificate = await db.query.certificates.findFirst({
+		where: eq(certificates.certificatePath, certificatePath),
+	});
+
+	return !!certificate && (certificate.serverId ?? null) === (serverId ?? null);
+};
+
+const warnIfCustomCertificateMissing = async (
+	domain: {
+		host: string;
+		certificateType: string;
+		customCertResolver?: string | null;
+	},
+	source: string,
+	serverId: string | null | undefined,
+	warnings: CaddyMigrationWarning[],
+	serviceName?: string | null,
+) => {
+	if (domain.certificateType !== "custom" || !domain.customCertResolver) {
+		return false;
+	}
+	if (
+		await hasAvailableUploadedCertificate(domain.customCertResolver, serverId)
+	) {
+		return false;
+	}
+
+	warnings.push(
+		warning(
+			`Domain "${domain.host}" references custom certificate "${domain.customCertResolver}" that is not an uploaded certificate for this server`,
+			{
+				blocking: true,
+				code: "missing-certificate",
+				source,
+				serviceName: serviceName ?? undefined,
+			},
+		),
+	);
+	return true;
+};
+
 const reconcileDbFallbackRoutes = (
 	fragments: CaddyRouteFragment[],
 	warnings: CaddyMigrationWarning[],
@@ -758,6 +803,16 @@ export const prepareCaddyMigration = async (
 				);
 				continue;
 			}
+			if (
+				await warnIfCustomCertificateMissing(
+					domain,
+					app.appName,
+					app.serverId,
+					warnings,
+				)
+			) {
+				continue;
+			}
 			addFragment(
 				fragments,
 				createCaddyApplicationRouteFragment(app as never, domain),
@@ -804,6 +859,17 @@ export const prepareCaddyMigration = async (
 				);
 				continue;
 			}
+			if (
+				await warnIfCustomCertificateMissing(
+					domain,
+					composeEntity.appName,
+					composeEntity.serverId,
+					warnings,
+					domain.serviceName,
+				)
+			) {
+				continue;
+			}
 			if (!domain.serviceName) {
 				warnings.push(
 					warning(`Compose domain "${domain.host}" is missing a service name`, {
diff --git a/packages/server/src/utils/caddy/migration/types.ts b/packages/server/src/utils/caddy/migration/types.ts
index 7181be586f..09359febc1 100644
--- a/packages/server/src/utils/caddy/migration/types.ts
+++ b/packages/server/src/utils/caddy/migration/types.ts
@@ -20,6 +20,7 @@ export type CaddyMigrationWarningCode =
 	| "invalid-label"
 	| "invalid-config"
 	| "missing-input"
+	| "missing-certificate"
 	| "validation-failed"
 	| "health-check-failed"
 	| "backup-failed"

From df469d908c989f4a50bfbb0cc24aa6ea94385f4f Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:36:44 -0400
Subject: [PATCH 06/37] fix: harden caddy certificate and migration guards

---
 .../__test__/caddy/certificate-guard.test.ts  | 66 +++++++++++--
 .../caddy/certificate-lifecycle.test.ts       | 93 +++++++++++++++++++
 apps/dokploy/__test__/caddy/config.test.ts    |  2 +-
 .../caddy/migration/apply-rollback.test.ts    | 35 +++++++
 .../__test__/caddy/migration/prepare.test.ts  | 40 ++++++++
 .../__test__/caddy/preview-deployment.test.ts | 25 +++++
 .../application/domains/handle-domain.tsx     | 14 ++-
 docs/caddy-provider-upstream-readiness.md     | 22 +++--
 packages/server/src/db/validations/domain.ts  | 12 ++-
 packages/server/src/services/certificate.ts   | 84 ++++++++++++++++-
 .../server/src/services/preview-deployment.ts | 19 ++--
 packages/server/src/utils/caddy/compose.ts    | 15 ++-
 packages/server/src/utils/caddy/config.ts     |  4 +-
 packages/server/src/utils/caddy/domain.ts     | 30 +++++-
 .../server/src/utils/caddy/migration/apply.ts | 29 +++++-
 .../src/utils/caddy/migration/prepare.ts      | 46 ++++++---
 .../server/src/utils/caddy/migration/types.ts |  5 +
 17 files changed, 486 insertions(+), 55 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/certificate-lifecycle.test.ts

diff --git a/apps/dokploy/__test__/caddy/certificate-guard.test.ts b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
index 277cd54953..54c772dddf 100644
--- a/apps/dokploy/__test__/caddy/certificate-guard.test.ts
+++ b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
@@ -1,7 +1,13 @@
+import { fs, vol } from "memfs";
 import { beforeEach, expect, test, vi } from "vitest";
 
 const certificatesFindFirstMock = vi.hoisted(() => vi.fn());
 
+vi.mock("node:fs", () => ({
+	...fs,
+	default: fs,
+}));
+
 vi.mock("@dokploy/server/db", () => ({
 	db: {
 		query: {
@@ -13,8 +19,16 @@ vi.mock("@dokploy/server/db", () => ({
 }));
 
 import type { Domain } from "@dokploy/server";
+import { paths } from "@dokploy/server/constants";
 import { assertCaddyDomainCertificateAvailable } from "@dokploy/server/utils/caddy/domain";
 
+const writeCertificateFiles = (certificatePath: string) => {
+	const certDir = `${paths().CERTIFICATES_PATH}/${certificatePath}`;
+	vol.mkdirSync(certDir, { recursive: true });
+	vol.writeFileSync(`${certDir}/chain.crt`, "cert");
+	vol.writeFileSync(`${certDir}/privkey.key`, "key");
+};
+
 const domain = (overrides: Partial<Domain> = {}) =>
 	({
 		domainId: "domain-1",
@@ -39,31 +53,67 @@ const domain = (overrides: Partial<Domain> = {}) =>
 	}) as Domain;
 
 beforeEach(() => {
+	vol.reset();
 	vi.clearAllMocks();
 });
 
-test("allows uploaded Caddy certificates assigned to the same server", async () => {
+test("allows uploaded Caddy certificates assigned to the same server and organization", async () => {
+	writeCertificateFiles("certificate-uploaded");
 	certificatesFindFirstMock.mockResolvedValue({
 		certificatePath: "certificate-uploaded",
-		serverId: "server-1",
+		serverId: null,
+		organizationId: "org-1",
 	});
 
 	await expect(
-		assertCaddyDomainCertificateAvailable("server-1", domain()),
+		assertCaddyDomainCertificateAvailable(null, domain(), "org-1"),
 	).resolves.toBeUndefined();
 });
 
-test("rejects missing or cross-server Caddy certificate paths", async () => {
+test("rejects missing, cross-server, or cross-organization Caddy certificate paths", async () => {
 	certificatesFindFirstMock.mockResolvedValueOnce(null);
 	await expect(
-		assertCaddyDomainCertificateAvailable(null, domain()),
-	).rejects.toThrow("is not available for this server");
+		assertCaddyDomainCertificateAvailable(null, domain(), "org-1"),
+	).rejects.toThrow("is not available for this server and organization");
 
 	certificatesFindFirstMock.mockResolvedValueOnce({
 		certificatePath: "certificate-uploaded",
 		serverId: "server-2",
+		organizationId: "org-1",
+	});
+	await expect(
+		assertCaddyDomainCertificateAvailable("server-1", domain(), "org-1"),
+	).rejects.toThrow("is not available for this server and organization");
+
+	certificatesFindFirstMock.mockResolvedValueOnce({
+		certificatePath: "certificate-uploaded",
+		serverId: null,
+		organizationId: "org-2",
 	});
 	await expect(
-		assertCaddyDomainCertificateAvailable("server-1", domain()),
-	).rejects.toThrow("is not available for this server");
+		assertCaddyDomainCertificateAvailable(null, domain(), "org-1"),
+	).rejects.toThrow("is not available for this server and organization");
+});
+
+test("rejects uploaded Caddy certificate rows when files are missing", async () => {
+	certificatesFindFirstMock.mockResolvedValue({
+		certificatePath: "certificate-uploaded",
+		serverId: null,
+		organizationId: "org-1",
+	});
+
+	await expect(
+		assertCaddyDomainCertificateAvailable(null, domain(), "org-1"),
+	).rejects.toThrow("missing readable chain.crt or privkey.key");
+});
+
+test("ignores stale custom certificate fields when HTTPS is disabled", async () => {
+	await expect(
+		assertCaddyDomainCertificateAvailable(
+			null,
+			domain({ https: false }),
+			"org-1",
+		),
+	).resolves.toBeUndefined();
+	expect(certificatesFindFirstMock).not.toHaveBeenCalled();
 });
diff --git a/apps/dokploy/__test__/caddy/certificate-lifecycle.test.ts b/apps/dokploy/__test__/caddy/certificate-lifecycle.test.ts
new file mode 100644
index 0000000000..b49ddf616c
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/certificate-lifecycle.test.ts
@@ -0,0 +1,93 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const dbMock = vi.hoisted(() => ({
+	query: {
+		certificates: { findFirst: vi.fn() },
+		domains: { findFirst: vi.fn() },
+	},
+	delete: vi.fn(),
+	update: vi.fn(),
+}));
+
+const resolveWebServerProviderMock = vi.hoisted(() => vi.fn());
+const removeDirectoryIfExistsContentMock = vi.hoisted(() => vi.fn());
+
+vi.mock("@dokploy/server/db", () => ({
+	db: dbMock,
+}));
+
+vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getCaddyCompileSettings: vi.fn().mockResolvedValue({}),
+	resolveWebServerProvider: resolveWebServerProviderMock,
+}));
+
+vi.mock("@dokploy/server/utils/filesystem/directory", () => ({
+	removeDirectoryIfExistsContent: removeDirectoryIfExistsContentMock,
+}));
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsyncRemote: vi.fn(),
+}));
+
+import {
+	removeCertificateById,
+	updateCertificate,
+} from "@dokploy/server/services/certificate";
+
+const certificate = {
+	certificateId: "cert-1",
+	name: "Shared cert",
+	certificatePath: "certificate-uploaded",
+	certificateData: "cert",
+	privateKey: "key",
+	autoRenew: null,
+	organizationId: "org-1",
+	serverId: null,
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	dbMock.query.certificates.findFirst.mockResolvedValue(certificate);
+	dbMock.query.domains.findFirst.mockResolvedValue(null);
+	dbMock.delete.mockReturnValue({
+		where: vi.fn().mockReturnValue({
+			returning: vi.fn().mockResolvedValue([certificate]),
+		}),
+	});
+	dbMock.update.mockReturnValue({
+		set: vi.fn().mockReturnValue({
+			where: vi.fn().mockReturnValue({
+				returning: vi.fn().mockResolvedValue([certificate]),
+			}),
+		}),
+	});
+	resolveWebServerProviderMock.mockResolvedValue("caddy");
+	removeDirectoryIfExistsContentMock.mockResolvedValue(undefined);
+});
+
+test("blocks deleting uploaded certificates used by active Caddy domains", async () => {
+	dbMock.query.domains.findFirst.mockResolvedValueOnce({
+		host: "example.com",
+	});
+
+	await expect(removeCertificateById("cert-1")).rejects.toThrow(
+		'Cannot delete certificate "Shared cert" because active Caddy domain "example.com" uses it',
+	);
+
+	expect(removeDirectoryIfExistsContentMock).not.toHaveBeenCalled();
+	expect(dbMock.delete).not.toHaveBeenCalled();
+});
+
+test("blocks replacing uploaded certificate files used by active Caddy domains", async () => {
+	dbMock.query.domains.findFirst.mockResolvedValueOnce({
+		host: "example.com",
+	});
+
+	await expect(
+		updateCertificate("cert-1", { certificateData: "new cert" }),
+	).rejects.toThrow(
+		'Cannot update certificate "Shared cert" because active Caddy domain "example.com" uses it',
+	);
+
+	expect(dbMock.update).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index 8dc8b61856..3a5fe6b26a 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -104,7 +104,7 @@ test("compiles Cloudflare trusted proxy settings with safe client IP headers", (
 			"CF-Connecting-IP",
 			"X-Forwarded-For",
 		]);
-		expect(server.trusted_proxies_strict).toBe(1);
+		expect(server.trusted_proxies_strict).toBe(true);
 	}
 });
 
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
index 3607a5e2c8..4610705c37 100644
--- a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -71,6 +71,10 @@ const createReport = (migrationId: string): CaddyMigrationReport => {
 			blockingWarnings: 0,
 		},
 		validation: { status: "passed", message: "ok" },
+		compileSettings: {
+			letsEncryptEmail: null,
+			trustedProxies: null,
+		},
 		warnings: [],
 		events: [],
 	};
@@ -215,6 +219,37 @@ describe("applyCaddyMigration", () => {
 		);
 	});
 
+	test("rejects apply when Caddy compile settings changed after prepare", async () => {
+		const report = seedMigration("caddy-apply-stale-settings");
+		vi.mocked(providerService.getCaddyCompileSettings).mockResolvedValueOnce({
+			trustedProxies: {
+				source: "cloudflare",
+			},
+		});
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("Caddy compile settings changed after prepare");
+
+		expect(
+			upstreamPreflight.runCaddyMigrationUpstreamPreflight,
+		).not.toHaveBeenCalled();
+		expect(settingsService.stopDockerResource).not.toHaveBeenCalled();
+		expect(settingsService.writeCaddySetup).not.toHaveBeenCalled();
+		const failedReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(failedReport.status).toBe("failed");
+		expect(failedReport.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "apply-failed",
+					message: expect.stringContaining("Caddy compile settings changed"),
+				}),
+			]),
+		);
+	});
+
 	test("rewrites the mounted Caddy config file in place after setup", async () => {
 		const report = seedMigration("caddy-apply-preserves-config-inode");
 		let mountedConfigFd: number | undefined;
diff --git a/apps/dokploy/__test__/caddy/migration/prepare.test.ts b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
index f2833e4fc9..e90cc857a5 100644
--- a/apps/dokploy/__test__/caddy/migration/prepare.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
@@ -112,6 +112,7 @@ describe("prepareCaddyMigration", () => {
 				applicationId: "app-1",
 				appName: "test-app",
 				serverId: null,
+				environment: { project: { organizationId: "org-1" } },
 				domains: [domain],
 			} as any,
 		]);
@@ -177,6 +178,7 @@ describe("prepareCaddyMigration", () => {
 				applicationId: "app-1",
 				appName: "custom-cert-app",
 				serverId: null,
+				environment: { project: { organizationId: "org-1" } },
 				domains: [
 					{
 						...domain,
@@ -203,6 +205,44 @@ describe("prepareCaddyMigration", () => {
 		expect(report.summary.fragments).toBe(0);
 	});
 
+	test("blocks DB fallback routes with cross-organization uploaded certificates", async () => {
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([
+			{
+				applicationId: "app-1",
+				appName: "custom-cert-app",
+				serverId: null,
+				environment: { project: { organizationId: "org-1" } },
+				domains: [
+					{
+						...domain,
+						certificateType: "custom",
+						customCertResolver: "certificate-uploaded",
+					},
+				],
+			} as any,
+		]);
+		vi.mocked(db.query.certificates.findFirst).mockResolvedValue({
+			certificatePath: "certificate-uploaded",
+			serverId: null,
+			organizationId: "org-2",
+		} as any);
+
+		const report = await prepareCaddyMigration();
+
+		expect(report.summary.blockingWarnings).toBe(1);
+		expect(report.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					blocking: true,
+					code: "missing-certificate",
+					source: "custom-cert-app",
+					message: expect.stringContaining("server and organization"),
+				}),
+			]),
+		);
+		expect(report.summary.fragments).toBe(0);
+	});
+
 	test("carries existing manual Caddy fragments into the migration draft", async () => {
 		const currentPaths = paths();
 		vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
diff --git a/apps/dokploy/__test__/caddy/preview-deployment.test.ts b/apps/dokploy/__test__/caddy/preview-deployment.test.ts
index 6ac708ea1e..c5d5db3cfa 100644
--- a/apps/dokploy/__test__/caddy/preview-deployment.test.ts
+++ b/apps/dokploy/__test__/caddy/preview-deployment.test.ts
@@ -273,3 +273,28 @@ test("removes preview domains through the active web server provider", async ()
 		17,
 	);
 });
+
+test("keeps preview deployment row when provider route removal fails", async () => {
+	const application = createApplication();
+	vi.mocked(findApplicationById).mockResolvedValue(application as never);
+	dbMock.query.previewDeployments.findFirst.mockResolvedValue({
+		...previewDeploymentRow,
+		domain: {
+			domainId: "domain-1",
+			uniqueConfigKey: 17,
+		},
+		application: {
+			applicationId: "app-1",
+			serverId: null,
+		},
+	});
+	vi.mocked(removeWebServerDomain).mockRejectedValueOnce(
+		new Error("caddy route cleanup failed") as never,
+	);
+
+	await expect(removePreviewDeployment("preview-1")).rejects.toThrow(
+		"caddy route cleanup failed",
+	);
+
+	expect(dbMock.delete).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
index cfcd00ee0e..9f98f8e24a 100644
--- a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
+++ b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
@@ -80,7 +80,11 @@ export const domain = z
 			});
 		}
 
-		if (input.certificateType === "custom" && !input.customCertResolver) {
+		if (
+			input.https &&
+			input.certificateType === "custom" &&
+			!input.customCertResolver
+		) {
 			ctx.addIssue({
 				code: z.ZodIssueCode.custom,
 				path: ["customCertResolver"],
@@ -661,7 +665,13 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 											<FormControl>
 												<Switch
 													checked={field.value}
-													onCheckedChange={field.onChange}
+													onCheckedChange={(checked) => {
+														field.onChange(checked);
+														if (!checked) {
+															form.setValue("certificateType", "none");
+															form.setValue("customCertResolver", undefined);
+														}
+													}}
 												/>
 											</FormControl>
 										</FormItem>
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 423a38a52f..330bcb32c6 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -32,19 +32,19 @@ Local state observed before this document was added:
 
 | Area | Current evidence | Status | Next proof needed |
 | --- | --- | --- | --- |
-| Application domain create under Caddy | `createDomain()` dispatches through `manageWebServerDomain()` for application domains inside the DB transaction. Focused service tests prove provider dispatch and transaction rollback when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
+| Application domain create under Caddy | `createDomain()` inserts the row, dispatches through `manageWebServerDomain()` for application domains, and removes the row if provider route creation fails. Focused service tests prove provider dispatch and cleanup when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
 | Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
 | Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
 | Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
 | Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
-| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and `removeWebServerDomain()` for cleanup when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch and cleanup removes by `uniqueConfigKey`. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
-| Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
+| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
+| Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
-| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, and provider-neutral uploaded certificate copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
-| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. | Needs final proof | Re-run focused migration suite after new changes and record sanitized results. |
+| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. | Ongoing | Keep PR surface generic; run targeted checks and `git diff --check`. |
 
 ## Code Evidence
@@ -183,7 +183,9 @@ Implemented:
 - Caddy config compilation emits manual certificate file loaders while keeping automatic HTTPS available for other routes.
 - The Caddy domain UI labels the `custom` certificate provider as an uploaded certificate flow and restricts selection to certificates available to the current server.
 - Missing custom certificate references fail before writing Caddy config.
-- Migration dry-runs emit a blocking warning instead of generating DB fallback Caddy routes when a custom certificate reference does not map to an uploaded certificate for the same server.
+- Migration dry-runs emit a blocking warning instead of generating DB fallback Caddy routes when a custom certificate reference does not map to an uploaded certificate with readable files for the same server and organization.
+- Custom certificate guards ignore stale uploaded-certificate fields when HTTPS is disabled.
+- Active Caddy domains block deleting an uploaded certificate or replacing its cert/key files until the domain no longer references it.
 
 Tradeoff:
 
@@ -250,6 +252,7 @@ Do not weaken these gates:
 - Apply fails closed on blocking warnings.
 - Apply fails closed on runtime upstream preflight failure.
 - Caddy config validation runs before Traefik is stopped.
+- Apply fails closed if Caddy compile settings changed after the dry-run artifact was prepared.
 - Rollback uses backup metadata and restores Traefik resources.
 - Rollback CLI exits non-zero on failure.
 - Runtime DB migration failure exits non-zero.
@@ -347,6 +350,13 @@ Expected post-mutation checks:
 | 2026-06-02 | `git diff --check` | Passed | No whitespace errors in the current local diff. |
 | 2026-06-02 | RepoPrompt review with `back:3` diff artifacts | Complete | Incorporated production-code recommendations for Caddy certificate mounts, custom certificate availability checks, application domain creation compensation, preview route cleanup, and descriptive migration naming. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/migration/prepare.test.ts` | Passed | 1 file, 9 tests. Covers migration dry-run blocking warnings for missing uploaded custom certificate references. |
+| 2026-06-02 | RepoPrompt review mode over `HEAD~3..HEAD` / `back:3` | Complete | Review findings incorporated locally: trusted proxy strict boolean, server/org/readable custom certificate guards, active Caddy certificate lifecycle blocks, stale migration compile-settings rejection, preview cleanup fail-closed behavior, and HTTPS-gated custom certificate fields. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/certificate-guard.test.ts __test__/caddy/migration/prepare.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/compose/domain.test.ts` | Passed | 5 files, 43 tests. Covers strict trusted proxy JSON, certificate availability guard, migration custom-certificate blocking, and Caddy domain/compose route flows after review fixes. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/preview-deployment.test.ts __test__/caddy/config.test.ts __test__/caddy/certificate-guard.test.ts __test__/caddy/migration/prepare.test.ts` | Passed | 4 files, 36 tests. Covers preview route cleanup fail-closed behavior and certificate/trusted-proxy regressions. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/migration/apply-rollback.test.ts __test__/caddy/migration/prepare.test.ts` | Passed | 2 files, 21 tests. Covers migration apply rejection when compile settings changed after prepare. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/certificate-guard.test.ts __test__/caddy/certificate-lifecycle.test.ts` | Passed | 2 files, 6 tests. Covers same-server/org/readable custom certificate guards and active Caddy certificate delete/update blocks. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 18 files, 109 tests after RepoPrompt review hardening. Covers focused Caddy config, certificates, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/db/validations/domain.ts b/packages/server/src/db/validations/domain.ts
index 62447bee72..fdeab3ac38 100644
--- a/packages/server/src/db/validations/domain.ts
+++ b/packages/server/src/db/validations/domain.ts
@@ -31,7 +31,11 @@ export const domain = z
 			});
 		}
 
-		if (input.certificateType === "custom" && !input.customCertResolver) {
+		if (
+			input.https &&
+			input.certificateType === "custom" &&
+			!input.customCertResolver
+		) {
 			ctx.addIssue({
 				code: z.ZodIssueCode.custom,
 				path: ["customCertResolver"],
@@ -95,7 +99,11 @@ export const domainCompose = z
 			});
 		}
 
-		if (input.certificateType === "custom" && !input.customCertResolver) {
+		if (
+			input.https &&
+			input.certificateType === "custom" &&
+			!input.customCertResolver
+		) {
 			ctx.addIssue({
 				code: z.ZodIssueCode.custom,
 				path: ["customCertResolver"],
diff --git a/packages/server/src/services/certificate.ts b/packages/server/src/services/certificate.ts
index aa322e6f22..87bd915234 100644
--- a/packages/server/src/services/certificate.ts
+++ b/packages/server/src/services/certificate.ts
@@ -5,14 +5,17 @@ import { db } from "@dokploy/server/db";
 import {
 	type apiCreateCertificate,
 	certificates,
+	domains,
 } from "@dokploy/server/db/schema";
 import { removeDirectoryIfExistsContent } from "@dokploy/server/utils/filesystem/directory";
 import { TRPCError } from "@trpc/server";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
+import { quote } from "shell-quote";
 import { stringify } from "yaml";
 import type { z } from "zod";
 import { encodeBase64 } from "../utils/docker/utils";
 import { execAsyncRemote } from "../utils/process/execAsync";
+import { resolveWebServerProvider } from "./web-server-settings";
 
 export type Certificate = typeof certificates.$inferSelect;
 
@@ -40,19 +43,84 @@ export const findCertificateByPath = async (certificatePath: string) => {
 export const assertCertificatePathAvailableForServer = async (
 	certificatePath: string,
 	serverId?: string | null,
+	organizationId?: string | null,
 ) => {
 	const certificate = await findCertificateByPath(certificatePath);
 	const expectedServerId = serverId ?? null;
+	const expectedOrganizationId = organizationId ?? null;
 
-	if (!certificate || (certificate.serverId ?? null) !== expectedServerId) {
+	if (
+		!certificate ||
+		(certificate.serverId ?? null) !== expectedServerId ||
+		(expectedOrganizationId &&
+			certificate.organizationId !== expectedOrganizationId)
+	) {
 		throw new Error(
-			`Caddy custom certificate "${certificatePath}" is not available for this server. Use an uploaded certificate assigned to the same server.`,
+			`Caddy custom certificate "${certificatePath}" is not available for this server and organization. Use an uploaded certificate assigned to the same server and project organization.`,
 		);
 	}
 
+	await assertCertificateFilesReadable(certificate);
+
 	return certificate;
 };
 
+const assertCertificateFilesReadable = async (certificate: Certificate) => {
+	const { CERTIFICATES_PATH } = paths(!!certificate.serverId);
+	const certDir = path.join(CERTIFICATES_PATH, certificate.certificatePath);
+	const crtPath = path.join(certDir, "chain.crt");
+	const keyPath = path.join(certDir, "privkey.key");
+
+	try {
+		if (certificate.serverId) {
+			await execAsyncRemote(
+				certificate.serverId,
+				`test -r ${quote([crtPath])} && test -r ${quote([keyPath])}`,
+			);
+			return;
+		}
+
+		await fs.promises.access(crtPath, fs.constants.R_OK);
+		await fs.promises.access(keyPath, fs.constants.R_OK);
+	} catch {
+		throw new Error(
+			`Caddy custom certificate "${certificate.certificatePath}" is missing readable chain.crt or privkey.key files.`,
+		);
+	}
+};
+
+const findActiveCaddyDomainUsingCertificate = async (
+	certificate: Certificate,
+) => {
+	const provider = await resolveWebServerProvider(certificate.serverId);
+	if (provider !== "caddy") {
+		return null;
+	}
+
+	return db.query.domains.findFirst({
+		where: and(
+			eq(domains.customCertResolver, certificate.certificatePath),
+			eq(domains.certificateType, "custom"),
+			eq(domains.https, true),
+		),
+	});
+};
+
+const assertCertificateNotUsedByActiveCaddyDomain = async (
+	certificate: Certificate,
+	action: "delete" | "update",
+) => {
+	const domain = await findActiveCaddyDomainUsingCertificate(certificate);
+	if (!domain) {
+		return;
+	}
+
+	throw new TRPCError({
+		code: "BAD_REQUEST",
+		message: `Cannot ${action} certificate "${certificate.name}" because active Caddy domain "${domain.host}" uses it. Change or remove that domain certificate first.`,
+	});
+};
+
 export const createCertificate = async (
 	certificateData: z.infer<typeof apiCreateCertificate>,
 	organizationId: string,
@@ -74,18 +142,19 @@ export const createCertificate = async (
 
 	const cer = certificate[0];
 
-	createCertificateFiles(cer);
+	await createCertificateFiles(cer);
 
 	return cer;
 };
 
 export const removeCertificateById = async (certificateId: string) => {
 	const certificate = await findCertificateById(certificateId);
+	await assertCertificateNotUsedByActiveCaddyDomain(certificate, "delete");
 	const { CERTIFICATES_PATH } = paths(!!certificate.serverId);
 	const certDir = path.join(CERTIFICATES_PATH, certificate.certificatePath);
 
 	if (certificate.serverId) {
-		await execAsyncRemote(certificate.serverId, `rm -rf ${certDir}`);
+		await execAsyncRemote(certificate.serverId, `rm -rf ${quote([certDir])}`);
 	} else {
 		await removeDirectoryIfExistsContent(certDir);
 	}
@@ -157,6 +226,11 @@ export const updateCertificate = async (
 		privateKey?: string;
 	},
 ) => {
+	const current = await findCertificateById(certificateId);
+	if (updates.certificateData || updates.privateKey) {
+		await assertCertificateNotUsedByActiveCaddyDomain(current, "update");
+	}
+
 	const updated = await db
 		.update(certificates)
 		.set({
diff --git a/packages/server/src/services/preview-deployment.ts b/packages/server/src/services/preview-deployment.ts
index b00ddd5afb..8acf57d0dd 100644
--- a/packages/server/src/services/preview-deployment.ts
+++ b/packages/server/src/services/preview-deployment.ts
@@ -58,6 +58,15 @@ export const removePreviewDeployment = async (previewDeploymentId: string) => {
 		);
 
 		application.appName = previewDeployment.appName;
+		if (previewDeployment.domain) {
+			await removeWebServerDomain(
+				application,
+				previewDeployment.domain.uniqueConfigKey,
+			);
+		} else {
+			await removeTraefikConfig(application?.appName, application?.serverId);
+		}
+
 		const cleanupOperations = [
 			async () =>
 				await removeService(application?.appName, application?.serverId),
@@ -68,16 +77,6 @@ export const removePreviewDeployment = async (previewDeploymentId: string) => {
 				),
 			async () =>
 				await removeDirectoryCode(application?.appName, application?.serverId),
-			async () => {
-				if (previewDeployment.domain) {
-					await removeWebServerDomain(
-						application,
-						previewDeployment.domain.uniqueConfigKey,
-					);
-					return;
-				}
-				await removeTraefikConfig(application?.appName, application?.serverId);
-			},
 			async () =>
 				await db
 					.delete(previewDeployments)
diff --git a/packages/server/src/utils/caddy/compose.ts b/packages/server/src/utils/caddy/compose.ts
index 7872f7bd15..5d7650eeb3 100644
--- a/packages/server/src/utils/caddy/compose.ts
+++ b/packages/server/src/utils/caddy/compose.ts
@@ -70,7 +70,9 @@ export const createCaddyComposeRouteIntent = (
 		upstreams: [`http://${upstreamServiceName}:${domain.port || 80}`],
 		upstreamNetwork,
 		tlsCertificate:
-			domain.certificateType === "custom" && domain.customCertResolver
+			domain.https &&
+			domain.certificateType === "custom" &&
+			domain.customCertResolver
 				? getCaddyCustomCertificateFiles(
 						compose.serverId,
 						domain.customCertResolver,
@@ -109,8 +111,17 @@ export const writeCaddyComposeRouteFragments = async (
 	domains: Array<{ domain: Domain; finalServiceName: string }>,
 ) => {
 	const serverId = compose.serverId || undefined;
+	const organizationId = (
+		compose as Compose & {
+			environment?: { project?: { organizationId?: string | null } };
+		}
+	).environment?.project?.organizationId;
 	for (const { domain } of domains) {
-		await assertCaddyDomainCertificateAvailable(serverId, domain);
+		await assertCaddyDomainCertificateAvailable(
+			serverId,
+			domain,
+			organizationId,
+		);
 	}
 	const options = { serverId };
 	const fragmentPrefix = getCaddyComposeFragmentPrefix(compose.appName);
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index 21a3b1912d..2da8771280 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -298,7 +298,9 @@ const createTrustedProxyServerOptions = (
 			ranges,
 		},
 		client_ip_headers: clientIpHeaders,
-		...(trustedProxies.strict === false ? {} : { trusted_proxies_strict: 1 }),
+		...(trustedProxies.strict === false
+			? {}
+			: { trusted_proxies_strict: true }),
 	};
 };
 
diff --git a/packages/server/src/utils/caddy/domain.ts b/packages/server/src/utils/caddy/domain.ts
index 67b7d94c17..ae062e1ec0 100644
--- a/packages/server/src/utils/caddy/domain.ts
+++ b/packages/server/src/utils/caddy/domain.ts
@@ -65,10 +65,18 @@ export const getUnsupportedCaddyDomainFieldMessages = (domain: Domain) => {
 	if (domain.customEntrypoint) {
 		messages.push("custom entrypoints are not supported by Caddy routes");
 	}
-	if (domain.customCertResolver && domain.certificateType !== "custom") {
+	if (
+		domain.https &&
+		domain.customCertResolver &&
+		domain.certificateType !== "custom"
+	) {
 		messages.push("custom certificate resolvers are Traefik-specific");
 	}
-	if (domain.certificateType === "custom" && !domain.customCertResolver) {
+	if (
+		domain.https &&
+		domain.certificateType === "custom" &&
+		!domain.customCertResolver
+	) {
 		messages.push("custom certificates require an uploaded certificate");
 	}
 	if (domain.middlewares?.length) {
@@ -89,11 +97,17 @@ export const assertCaddyDomainSupported = (domain: Domain) => {
 export const assertCaddyDomainCertificateAvailable = async (
 	serverId: string | null | undefined,
 	domain: Domain,
+	organizationId?: string | null,
 ) => {
-	if (domain.certificateType === "custom" && domain.customCertResolver) {
+	if (
+		domain.https &&
+		domain.certificateType === "custom" &&
+		domain.customCertResolver
+	) {
 		await assertCertificatePathAvailableForServer(
 			domain.customCertResolver,
 			serverId,
+			organizationId,
 		);
 	}
 };
@@ -120,7 +134,9 @@ export const createCaddyApplicationRouteIntent = (
 		upstreams: [`http://${app.appName}:${domain.port || 80}`],
 		upstreamNetwork: DOKPLOY_CADDY_NETWORK,
 		tlsCertificate:
-			domain.certificateType === "custom" && domain.customCertResolver
+			domain.https &&
+			domain.certificateType === "custom" &&
+			domain.customCertResolver
 				? getCaddyCustomCertificateFiles(
 						app.serverId,
 						domain.customCertResolver,
@@ -149,7 +165,11 @@ export const manageCaddyDomain = async (
 	domain: Domain,
 ) => {
 	const serverId = app.serverId || undefined;
-	await assertCaddyDomainCertificateAvailable(serverId, domain);
+	await assertCaddyDomainCertificateAvailable(
+		serverId,
+		domain,
+		app.environment?.project?.organizationId,
+	);
 	const options = { serverId };
 	const previousFragments = await readCaddyRouteFragments(options);
 	try {
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
index d0dd03e10a..aab4becdd1 100644
--- a/packages/server/src/utils/caddy/migration/apply.ts
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -48,6 +48,24 @@ const updateProviderToCaddy = async (serverId?: string | null) => {
 	await updateLocalWebServerProvider("caddy");
 };
 
+type CaddyMigrationCompileSettings = NonNullable<
+	CaddyMigrationReport["compileSettings"]
+>;
+
+const normalizeCompileSettings = (
+	settings: CaddyMigrationReport["compileSettings"],
+): CaddyMigrationCompileSettings => ({
+	letsEncryptEmail: settings?.letsEncryptEmail ?? null,
+	trustedProxies: settings?.trustedProxies ?? null,
+});
+
+const compileSettingsChanged = (
+	prepared: CaddyMigrationReport["compileSettings"],
+	current: CaddyMigrationReport["compileSettings"],
+) =>
+	JSON.stringify(normalizeCompileSettings(prepared)) !==
+	JSON.stringify(normalizeCompileSettings(current));
+
 const filterCaddyAdditionalPorts = (
 	ports: { targetPort: number; publishedPort: number; protocol?: string }[],
 ) =>
@@ -273,6 +291,15 @@ const applyCaddyMigrationUnlocked = async (input: {
 			`Cannot apply Caddy migration ${input.migrationId}: active provider is ${provider}`,
 		);
 	}
+	const currentCompileSettings = await getCaddyCompileSettings(serverId);
+	if (
+		report.compileSettings &&
+		compileSettingsChanged(report.compileSettings, currentCompileSettings)
+	) {
+		const message = `Cannot apply Caddy migration ${input.migrationId}: Caddy compile settings changed after prepare. Prepare a fresh migration dry run before applying.`;
+		await markFailed(report, message, serverId);
+		throw new Error(message);
+	}
 
 	report = await writeCaddyMigrationReport(
 		appendCaddyMigrationEvent(
@@ -404,7 +431,7 @@ const applyCaddyMigrationUnlocked = async (input: {
 				report.artifactPaths.caddyJson,
 				serverId,
 			),
-			trustedProxies: (await getCaddyCompileSettings(serverId)).trustedProxies,
+			trustedProxies: currentCompileSettings.trustedProxies,
 		});
 		await copyMigrationFileInPlace(
 			report.artifactPaths.caddyJson,
diff --git a/packages/server/src/utils/caddy/migration/prepare.ts b/packages/server/src/utils/caddy/migration/prepare.ts
index 7e4b3de071..18e74dcde8 100644
--- a/packages/server/src/utils/caddy/migration/prepare.ts
+++ b/packages/server/src/utils/caddy/migration/prepare.ts
@@ -2,7 +2,8 @@ import { isIP } from "node:net";
 import * as path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import { db } from "@dokploy/server/db";
-import { applications, certificates, compose } from "@dokploy/server/db/schema";
+import { applications, compose } from "@dokploy/server/db/schema";
+import { assertCertificatePathAvailableForServer } from "@dokploy/server/services/certificate";
 import { getCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import { createCaddyComposeRouteFragment } from "@dokploy/server/utils/caddy/compose";
 import {
@@ -472,17 +473,24 @@ const warnOnManualFragmentConflicts = (
 const hasAvailableUploadedCertificate = async (
 	certificatePath: string,
 	serverId: string | null | undefined,
+	organizationId?: string | null,
 ) => {
-	const certificate = await db.query.certificates.findFirst({
-		where: eq(certificates.certificatePath, certificatePath),
-	});
-
-	return !!certificate && (certificate.serverId ?? null) === (serverId ?? null);
+	try {
+		await assertCertificatePathAvailableForServer(
+			certificatePath,
+			serverId,
+			organizationId,
+		);
+		return true;
+	} catch {
+		return false;
+	}
 };
 
 const warnIfCustomCertificateMissing = async (
 	domain: {
 		host: string;
+		https: boolean;
 		certificateType: string;
 		customCertResolver?: string | null;
 	},
@@ -490,19 +498,28 @@ const warnIfCustomCertificateMissing = async (
 	serverId: string | null | undefined,
 	warnings: CaddyMigrationWarning[],
 	serviceName?: string | null,
+	organizationId?: string | null,
 ) => {
-	if (domain.certificateType !== "custom" || !domain.customCertResolver) {
+	if (
+		!domain.https ||
+		domain.certificateType !== "custom" ||
+		!domain.customCertResolver
+	) {
 		return false;
 	}
 	if (
-		await hasAvailableUploadedCertificate(domain.customCertResolver, serverId)
+		await hasAvailableUploadedCertificate(
+			domain.customCertResolver,
+			serverId,
+			organizationId,
+		)
 	) {
 		return false;
 	}
 
 	warnings.push(
 		warning(
-			`Domain "${domain.host}" references custom certificate "${domain.customCertResolver}" that is not an uploaded certificate for this server`,
+			`Domain "${domain.host}" references custom certificate "${domain.customCertResolver}" that is not an uploaded certificate with readable files for this server and organization`,
 			{
 				blocking: true,
 				code: "missing-certificate",
@@ -783,7 +800,7 @@ export const prepareCaddyMigration = async (
 		: isNull(applications.serverId);
 	const applicationRows = await db.query.applications.findMany({
 		where: appWhere,
-		with: { domains: true },
+		with: { domains: true, environment: { with: { project: true } } },
 	});
 	let applicationDomainCount = 0;
 	for (const app of applicationRows) {
@@ -809,6 +826,8 @@ export const prepareCaddyMigration = async (
 					app.appName,
 					app.serverId,
 					warnings,
+					undefined,
+					app.environment?.project?.organizationId,
 				)
 			) {
 				continue;
@@ -825,7 +844,7 @@ export const prepareCaddyMigration = async (
 		: isNull(compose.serverId);
 	const composeRows = await db.query.compose.findMany({
 		where: composeWhere,
-		with: { domains: true },
+		with: { domains: true, environment: { with: { project: true } } },
 	});
 	let composeDomainCount = 0;
 	for (const composeEntity of composeRows) {
@@ -866,6 +885,7 @@ export const prepareCaddyMigration = async (
 					composeEntity.serverId,
 					warnings,
 					domain.serviceName,
+					composeEntity.environment?.project?.organizationId,
 				)
 			) {
 				continue;
@@ -989,12 +1009,13 @@ export const prepareCaddyMigration = async (
 	}
 	warnOnManualFragmentConflicts(fragments, warnings);
 
+	const compileSettings = await getCaddyCompileSettings(serverId);
 	let config: ReturnType<typeof compileCaddyConfig>;
 	let validation: CaddyMigrationReport["validation"];
 	try {
 		config = compileCaddyConfig({
 			fragments,
-			...(await getCaddyCompileSettings(serverId)),
+			...compileSettings,
 		});
 		validation = {
 			status: "passed",
@@ -1055,6 +1076,7 @@ export const prepareCaddyMigration = async (
 			blockingWarnings: warnings.filter((item) => item.blocking).length,
 		},
 		validation,
+		compileSettings,
 		warnings,
 		events: [
 			{
diff --git a/packages/server/src/utils/caddy/migration/types.ts b/packages/server/src/utils/caddy/migration/types.ts
index 09359febc1..a8f3ed1764 100644
--- a/packages/server/src/utils/caddy/migration/types.ts
+++ b/packages/server/src/utils/caddy/migration/types.ts
@@ -1,4 +1,5 @@
 import type {
+	CaddyCompileOptions,
 	CaddyHeaderMap,
 	CaddyRouteRedirectScheme,
 	CaddyRouteTransform,
@@ -180,6 +181,10 @@ export interface CaddyMigrationReport {
 		status: "passed" | "failed" | "skipped";
 		message?: string;
 	};
+	compileSettings?: Pick<
+		CaddyCompileOptions,
+		"letsEncryptEmail" | "trustedProxies"
+	>;
 	runtimePreflight?: CaddyMigrationRuntimePreflight;
 	warnings: CaddyMigrationWarning[];
 	backup?: CaddyMigrationBackupSummary;

From 7e78bbdd91ef1dd6b1f7536a7a9e0fdeca6bbcf9 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:40:20 -0400
Subject: [PATCH 07/37] fix: relax domain custom cert validation

---
 .../__test__/caddy/domain-validation.test.ts  | 43 +++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     |  4 ++
 packages/server/src/db/validations/domain.ts  |  4 +-
 3 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/domain-validation.test.ts

diff --git a/apps/dokploy/__test__/caddy/domain-validation.test.ts b/apps/dokploy/__test__/caddy/domain-validation.test.ts
new file mode 100644
index 0000000000..10e61a1b49
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/domain-validation.test.ts
@@ -0,0 +1,43 @@
+import { domain, domainCompose } from "@dokploy/server/db/validations/domain";
+import { describe, expect, test } from "vitest";
+
+describe("domain validation", () => {
+	test("does not require a custom certificate resolver when HTTPS is disabled", () => {
+		expect(
+			domain.safeParse({
+				host: "example.com",
+				https: false,
+				certificateType: "none",
+			}).success,
+		).toBe(true);
+
+		expect(
+			domainCompose.safeParse({
+				host: "example.com",
+				https: false,
+				certificateType: "none",
+				serviceName: "web",
+			}).success,
+		).toBe(true);
+	});
+
+	test("requires a custom certificate resolver for HTTPS custom certificates", () => {
+		const result = domain.safeParse({
+			host: "example.com",
+			https: true,
+			certificateType: "custom",
+		});
+
+		expect(result.success).toBe(false);
+		if (!result.success) {
+			expect(result.error.issues).toEqual(
+				expect.arrayContaining([
+					expect.objectContaining({
+						path: ["customCertResolver"],
+						message: "Required when certificate type is custom",
+					}),
+				]),
+			);
+		}
+	});
+});
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 330bcb32c6..c9c1d60017 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -185,6 +185,7 @@ Implemented:
 - Missing custom certificate references fail before writing Caddy config.
 - Migration dry-runs emit a blocking warning instead of generating DB fallback Caddy routes when a custom certificate reference does not map to an uploaded certificate with readable files for the same server and organization.
 - Custom certificate guards ignore stale uploaded-certificate fields when HTTPS is disabled.
+- Shared domain validation only requires `customCertResolver` when HTTPS custom certificates are selected, so preview-domain and API submissions are not blocked by hidden certificate fields.
 - Active Caddy domains block deleting an uploaded certificate or replacing its cert/key files until the domain no longer references it.
 
 Tradeoff:
@@ -357,6 +358,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/certificate-guard.test.ts __test__/caddy/certificate-lifecycle.test.ts` | Passed | 2 files, 6 tests. Covers same-server/org/readable custom certificate guards and active Caddy certificate delete/update blocks. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 18 files, 109 tests after RepoPrompt review hardening. Covers focused Caddy config, certificates, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-validation.test.ts __test__/caddy/preview-deployment.test.ts __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 3 files, 11 tests. Covers optional custom certificate resolver validation when HTTPS is disabled plus preview and router domain regressions. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 19 files, 111 tests after shared domain validation cleanup. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `git diff --check` | Passed | App/server typechecks and whitespace checks passed after the shared validation cleanup. Node v26 produced the expected engine warning. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/db/validations/domain.ts b/packages/server/src/db/validations/domain.ts
index fdeab3ac38..dc2d61ec92 100644
--- a/packages/server/src/db/validations/domain.ts
+++ b/packages/server/src/db/validations/domain.ts
@@ -19,7 +19,7 @@ export const domain = z
 			.optional(),
 		https: z.boolean().optional(),
 		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
-		customCertResolver: z.string(),
+		customCertResolver: z.string().optional(),
 		middlewares: z.array(z.string()).optional(),
 	})
 	.superRefine((input, ctx) => {
@@ -86,7 +86,7 @@ export const domainCompose = z
 			.optional(),
 		https: z.boolean().optional(),
 		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
-		customCertResolver: z.string(),
+		customCertResolver: z.string().optional(),
 		serviceName: z.string().min(1, { message: "Service name is required" }),
 		middlewares: z.array(z.string()).optional(),
 	})

From bbbe7ce7a452961f74467bbbcd9e8332a0ffbd92 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:42:00 -0400
Subject: [PATCH 08/37] chore: polish caddy settings copy

---
 .../dashboard/settings/web-server/caddy-migration-panel.tsx | 3 ++-
 .../settings/web-server/caddy-trusted-proxy-settings.tsx    | 3 ++-
 .../dashboard/settings/web-server/manage-traefik-ports.tsx  | 2 +-
 docs/caddy-provider-upstream-readiness.md                   | 6 ++++--
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
index cba2a3e0a1..38467859b5 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
@@ -272,7 +272,8 @@ export const CaddyMigrationPanel = ({ serverId }: Props) => {
 									<p className="text-sm">
 										Apply stops Traefik, starts Caddy on ports 80/443/443 UDP,
 										and changes the active provider only after cutover checks
-										pass. Run this during a maintenance window.
+										pass. Run this during a maintenance window. Changing Caddy
+										settings after a dry run requires preparing a fresh dry run.
 									</p>
 									<div className="flex items-center gap-2">
 										<Checkbox
diff --git a/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx b/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
index b1d8ab0a41..e3acb8962a 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx
@@ -150,7 +150,8 @@ export const CaddyTrustedProxySettings = ({ serverId, children }: Props) => {
 								<Cloud className="mt-0.5 size-4 shrink-0" />
 								<span>
 									Caddy will trust Cloudflare IP ranges and use CF-Connecting-IP
-									before X-Forwarded-For.
+									before X-Forwarded-For. Use DNS-only or Full (strict) SSL mode
+									for origin traffic; Flexible SSL is not recommended.
 								</span>
 							</div>
 						</AlertBlock>
diff --git a/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx b/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
index a935492966..e7a703908a 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/manage-traefik-ports.tsx
@@ -292,7 +292,7 @@ export const ManageTraefikPorts = ({ children, serverId }: Props) => {
 											<span className="text-sm">
 												<strong>
 													Each port mapping defines how external traffic reaches
-													your containers through Traefik.
+													your containers through {providerLabel}.
 												</strong>
 												<ul className="pt-2">
 													<li>
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index c9c1d60017..d8633589f5 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,7 +42,7 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, and provider-neutral uploaded certificate copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, and provider-neutral port-mapping copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. | Ongoing | Keep PR surface generic; run targeted checks and `git diff --check`. |
@@ -224,12 +224,12 @@ Implemented:
 - Local `webServerSettings` and remote `server` rows persist Caddy trusted proxy settings.
 - Caddy domain, compose, dashboard, migration dry-run, migration apply setup, and web-server setup paths pass persisted trusted proxy options into Caddy compilation.
 - Settings -> Web Server exposes a Caddy trusted proxy dialog for local settings; remote web-server actions expose the same dialog for remote Caddy.
+- The Caddy trusted proxy dialog includes Cloudflare origin SSL mode guidance: DNS-only or Full (strict) are acceptable; Flexible SSL is not recommended.
 - `apps/dokploy/__test__/caddy/config.test.ts` covers default no-trust behavior, Cloudflare trusted proxy config, custom static CIDRs, invalid CIDR/header rejection, and persisted-setting normalization.
 
 Still needed:
 
 - Runtime proof after explicit approval.
-- Decide whether Cloudflare SSL mode guidance belongs in the app UI, docs, or PR notes.
 
 ### 7. Polish UI and dashboard behavior
 
@@ -239,6 +239,7 @@ UI changes:
 - Add a Caddy settings section for trusted proxy mode if Cloudflare support lands.
 - Keep the provider selector guardrails: direct Caddy activation should go through migration apply, and Caddy to Traefik should go through rollback.
 - Make dry-run/apply/rollback safety copy explicit.
+- Warn in the migration panel that changing Caddy settings after a dry run requires preparing a fresh dry run before apply.
 
 Dashboard decision:
 
@@ -361,6 +362,7 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-validation.test.ts __test__/caddy/preview-deployment.test.ts __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 3 files, 11 tests. Covers optional custom certificate resolver validation when HTTPS is disabled plus preview and router domain regressions. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 19 files, 111 tests after shared domain validation cleanup. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `git diff --check` | Passed | App/server typechecks and whitespace checks passed after the shared validation cleanup. Node v26 produced the expected engine warning. |
+| 2026-06-02 | Provider-neutral Caddy UI copy pass | Complete | Updated trusted-proxy Cloudflare SSL guidance, migration stale-settings safety copy, and provider-neutral additional port mapping text. |
 
 ## Upstream Hygiene Checklist
 

From c145d1a28dcf41dd610279b0425e8d32b14aa038 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:44:23 -0400
Subject: [PATCH 09/37] docs: record caddy pr hygiene audit

---
 docs/caddy-provider-upstream-readiness.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index d8633589f5..7cc12d0745 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -45,7 +45,7 @@ Local state observed before this document was added:
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, and provider-neutral port-mapping copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
-| Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. | Ongoing | Keep PR surface generic; run targeted checks and `git diff --check`. |
+| Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
 ## Code Evidence
 
@@ -363,12 +363,13 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 19 files, 111 tests after shared domain validation cleanup. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `git diff --check` | Passed | App/server typechecks and whitespace checks passed after the shared validation cleanup. Node v26 produced the expected engine warning. |
 | 2026-06-02 | Provider-neutral Caddy UI copy pass | Complete | Updated trusted-proxy Cloudflare SSL guidance, migration stale-settings safety copy, and provider-neutral additional port mapping text. |
+| 2026-06-02 | Upstream hygiene audit against `upstream/canary...HEAD` | Passed | 88 changed files. No `prompt-exports/`, `docs/plans/`, `docs/reviews/`, `AGENTS.md`, or `CLAUDE.md` in the PR surface. Private-string scan only found generic test values such as `private.registry.example` and HTTP cache header text. Commit subjects are generic. |
 
 ## Upstream Hygiene Checklist
 
-- [ ] No `prompt-exports/` files in the final diff.
-- [ ] No platform-specific hostnames, route manifests, or production logs in this repo.
-- [ ] No private runbooks or agent files added to PR surface.
-- [ ] Caddy fixtures remain generic.
-- [ ] Proof log entries are sanitized.
-- [ ] Commit messages describe generic Dokploy behavior, not private deployment details.
+- [x] No `prompt-exports/` files in the current diff.
+- [x] No platform-specific hostnames, route manifests, or production logs in this repo.
+- [x] No private runbooks or agent files added to PR surface.
+- [x] Caddy fixtures remain generic.
+- [x] Proof log entries are sanitized.
+- [x] Commit messages describe generic Dokploy behavior, not private deployment details.

From c4ac4d03fc110541d9ed661e03554569d633e54b Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 21:57:40 -0400
Subject: [PATCH 10/37] fix: refresh caddy routes on compose domain import
 cleanup

---
 .../caddy/application/domain-service.test.ts  | 89 ++++++++++++++++++-
 apps/dokploy/server/api/routers/compose.ts    |  6 +-
 docs/caddy-provider-upstream-readiness.md     | 15 +++-
 packages/server/src/services/domain.ts        | 68 +++++++++++++-
 4 files changed, 167 insertions(+), 11 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/application/domain-service.test.ts b/apps/dokploy/__test__/caddy/application/domain-service.test.ts
index 4678fa528a..9e09a71ed8 100644
--- a/apps/dokploy/__test__/caddy/application/domain-service.test.ts
+++ b/apps/dokploy/__test__/caddy/application/domain-service.test.ts
@@ -36,6 +36,7 @@ import { findApplicationById } from "@dokploy/server/services/application";
 import {
 	createComposeDomain,
 	createDomain,
+	removeComposeDomainsForWebServer,
 } from "@dokploy/server/services/domain";
 import {
 	getCaddyComposeRouteTargetsForWebServer,
@@ -59,6 +60,13 @@ const composeDomain = {
 	domainType: "compose",
 };
 
+const retainedComposeDomain = {
+	...composeDomain,
+	domainId: "domain-2",
+	host: "retained.example.com",
+	uniqueConfigKey: 8,
+};
+
 const application = {
 	applicationId: "app-1",
 	appName: "my-app",
@@ -73,7 +81,7 @@ beforeEach(() => {
 		}),
 	});
 	transactionMock.mockImplementation(async (callback) => {
-		const tx = { insert: txInsertMock };
+		const tx = { delete: dbDeleteMock, insert: txInsertMock };
 		return callback(tx);
 	});
 	domainsFindFirstMock.mockResolvedValue(domain);
@@ -152,3 +160,82 @@ test("removes compose domain rows when Caddy compose route refresh fails after c
 	expect(dbDeleteMock).toHaveBeenCalled();
 	expect(writeCaddyComposeRoutesForTargets).toHaveBeenCalledTimes(2);
 });
+
+test("refreshes Caddy compose routes with zero remaining domains before deleting imported template domains", async () => {
+	domainsFindManyMock.mockResolvedValueOnce([composeDomain]);
+
+	const removed = await removeComposeDomainsForWebServer(
+		{
+			composeId: "compose-1",
+			appName: "my-compose",
+			serverId: null,
+		} as never,
+		[composeDomain] as never,
+		"caddy",
+	);
+
+	expect(removed).toEqual([composeDomain]);
+	expect(getCaddyComposeRouteTargetsForWebServer).toHaveBeenCalledWith(
+		expect.objectContaining({ composeId: "compose-1" }),
+		[],
+		"caddy",
+	);
+	expect(dbDeleteMock).toHaveBeenCalled();
+	expect(writeCaddyComposeRoutesForTargets).toHaveBeenCalledTimes(1);
+});
+
+test("restores Caddy compose routes if imported template domain deletion fails", async () => {
+	domainsFindManyMock.mockResolvedValueOnce([
+		composeDomain,
+		retainedComposeDomain,
+	]);
+	dbDeleteMock.mockReturnValueOnce({
+		where: vi.fn().mockReturnValue({
+			returning: vi.fn().mockRejectedValue(new Error("db delete failed")),
+		}),
+	});
+
+	await expect(
+		removeComposeDomainsForWebServer(
+			{
+				composeId: "compose-1",
+				appName: "my-compose",
+				serverId: null,
+			} as never,
+			[composeDomain] as never,
+			"caddy",
+		),
+	).rejects.toThrow("db delete failed");
+
+	expect(getCaddyComposeRouteTargetsForWebServer).toHaveBeenNthCalledWith(
+		1,
+		expect.objectContaining({ composeId: "compose-1" }),
+		[retainedComposeDomain],
+		"caddy",
+	);
+	expect(getCaddyComposeRouteTargetsForWebServer).toHaveBeenNthCalledWith(
+		2,
+		expect.objectContaining({ composeId: "compose-1" }),
+		[composeDomain, retainedComposeDomain],
+		"caddy",
+	);
+	expect(writeCaddyComposeRoutesForTargets).toHaveBeenCalledTimes(2);
+});
+
+test("deletes imported template compose domains without Caddy refresh under Traefik", async () => {
+	domainsFindManyMock.mockResolvedValueOnce([composeDomain]);
+
+	await removeComposeDomainsForWebServer(
+		{
+			composeId: "compose-1",
+			appName: "my-compose",
+			serverId: null,
+		} as never,
+		[composeDomain] as never,
+		"traefik",
+	);
+
+	expect(getCaddyComposeRouteTargetsForWebServer).not.toHaveBeenCalled();
+	expect(writeCaddyComposeRoutesForTargets).not.toHaveBeenCalled();
+	expect(dbDeleteMock).toHaveBeenCalled();
+});
diff --git a/apps/dokploy/server/api/routers/compose.ts b/apps/dokploy/server/api/routers/compose.ts
index 769a088f90..0bb6d9f644 100644
--- a/apps/dokploy/server/api/routers/compose.ts
+++ b/apps/dokploy/server/api/routers/compose.ts
@@ -26,8 +26,8 @@ import {
 	randomizeIsolatedDeploymentComposeFile,
 	removeCompose,
 	removeComposeDirectory,
+	removeComposeDomainsForWebServer,
 	removeDeploymentsByComposeId,
-	removeDomainById,
 	startCompose,
 	stopCompose,
 	updateCompose,
@@ -964,9 +964,7 @@ export const composeRouter = createTRPCRouter({
 					await deleteMount(mount.mountId);
 				}
 
-				for (const domain of compose.domains) {
-					await removeDomainById(domain.domainId);
-				}
+				await removeComposeDomainsForWebServer(compose, compose.domains);
 
 				let serverIp = "127.0.0.1";
 
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 7cc12d0745..376da2680f 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -35,9 +35,9 @@ Local state observed before this document was added:
 | Application domain create under Caddy | `createDomain()` inserts the row, dispatches through `manageWebServerDomain()` for application domains, and removes the row if provider route creation fails. Focused service tests prove provider dispatch and cleanup when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
 | Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
 | Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
-| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
+| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `removeComposeDomainsForWebServer()` refreshes Caddy with remaining compose domains before non-router delete flows remove rows and restores old fragments if DB deletion fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
-| Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
+| Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
@@ -124,13 +124,15 @@ Preferred design:
 - Move the router-local Caddy compose refresh behavior into a reusable helper.
 - Make it no-op for Traefik and refresh Caddy compose fragments when the active provider is Caddy.
 - Call it after compose domain creation in template create, template import, AI compose generation, and project duplication paths.
-- Keep rollback behavior local to the compose domain creation helper.
+- Keep rollback behavior local to shared compose domain create/delete helpers.
 
 Implemented:
 
-- `packages/server/src/services/domain.ts` exports `refreshCaddyComposeRoutes()` and `createComposeDomain()`.
+- `packages/server/src/services/domain.ts` exports `refreshCaddyComposeRoutes()`, `createComposeDomain()`, and `removeComposeDomainsForWebServer()`.
 - `domainRouter.create`, template create, template import, AI compose generation, and project compose duplication now use `createComposeDomain()`.
+- Template import removes old compose domain rows through `removeComposeDomainsForWebServer()` so Caddy fragments are refreshed even when the imported template has no replacement domains.
 - `apps/dokploy/__test__/caddy/compose/domain.test.ts` proves the helper writes Caddy fragments for domains created outside the domain router and skips refresh for Traefik.
+- `apps/dokploy/__test__/caddy/application/domain-service.test.ts` proves imported-template domain deletion refreshes Caddy with zero remaining domains, restores old routes if DB deletion fails, and skips Caddy refresh under Traefik.
 
 Required tests:
 
@@ -139,6 +141,7 @@ Required tests:
 - AI compose generation under active Caddy writes fragments.
 - Project compose duplication under active Caddy writes fragments.
 - Failure to write/reload Caddy leaves no orphaned domain rows or restores previous route fragments.
+- Template import with zero replacement domains removes stale Caddy fragments.
 
 ### 3. Make preview domains provider-aware
 
@@ -364,6 +367,10 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `git diff --check` | Passed | App/server typechecks and whitespace checks passed after the shared validation cleanup. Node v26 produced the expected engine warning. |
 | 2026-06-02 | Provider-neutral Caddy UI copy pass | Complete | Updated trusted-proxy Cloudflare SSL guidance, migration stale-settings safety copy, and provider-neutral additional port mapping text. |
 | 2026-06-02 | Upstream hygiene audit against `upstream/canary...HEAD` | Passed | 88 changed files. No `prompt-exports/`, `docs/plans/`, `docs/reviews/`, `AGENTS.md`, or `CLAUDE.md` in the PR surface. Private-string scan only found generic test values such as `private.registry.example` and HTTP cache header text. Commit subjects are generic. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining Caddy PR gaps | Complete | Identified template import domain deletion as the highest-value production correctness gap because direct row deletion could leave stale Caddy compose fragments when an imported template has no replacement domains. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application/domain-service.test.ts` | Passed | 1 file, 6 tests. Covers provider-aware application create, compose create cleanup, imported-template compose domain delete refresh with zero remaining domains, DB-delete rollback restoration, and Traefik no-op behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 19 files, 114 tests after template-import compose-domain deletion hardening. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after template-import compose-domain deletion hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/services/domain.ts b/packages/server/src/services/domain.ts
index 1546b72d99..dd8095f204 100644
--- a/packages/server/src/services/domain.ts
+++ b/packages/server/src/services/domain.ts
@@ -1,7 +1,10 @@
 import dns from "node:dns";
 import { promisify } from "node:util";
 import { db } from "@dokploy/server/db";
-import { getWebServerSettings } from "@dokploy/server/services/web-server-settings";
+import {
+	getWebServerSettings,
+	resolveWebServerProvider,
+} from "@dokploy/server/services/web-server-settings";
 import { generateRandomDomain } from "@dokploy/server/templates";
 import {
 	getCaddyComposeRouteTargetsForWebServer,
@@ -10,7 +13,7 @@ import {
 import { manageWebServerDomain } from "@dokploy/server/utils/web-server/domain";
 import type { WebServerProvider } from "@dokploy/server/utils/web-server/providers";
 import { TRPCError } from "@trpc/server";
-import { eq } from "drizzle-orm";
+import { eq, inArray } from "drizzle-orm";
 import type { z } from "zod";
 import { type apiCreateDomain, domains } from "../db/schema";
 import { findApplicationById } from "./application";
@@ -184,6 +187,67 @@ export const createComposeDomain = async (
 	}
 };
 
+export const removeComposeDomainsForWebServer = async (
+	compose: Compose,
+	domainsToRemove: Domain[],
+	provider?: WebServerProvider,
+) => {
+	if (domainsToRemove.length === 0) {
+		return [];
+	}
+
+	const resolvedProvider =
+		provider ?? (await resolveWebServerProvider(compose.serverId));
+	const currentDomains = await findDomainsByComposeId(compose.composeId);
+	const domainIdsToRemove = new Set(
+		domainsToRemove.map((domain) => domain.domainId),
+	);
+	const removableDomains = currentDomains.filter((domain) =>
+		domainIdsToRemove.has(domain.domainId),
+	);
+
+	if (removableDomains.length === 0) {
+		return [];
+	}
+
+	if (resolvedProvider !== "caddy") {
+		return db.transaction(async (tx) =>
+			tx
+				.delete(domains)
+				.where(
+					inArray(
+						domains.domainId,
+						removableDomains.map((domain) => domain.domainId),
+					),
+				)
+				.returning(),
+		);
+	}
+
+	const remainingDomains = currentDomains.filter(
+		(domain) => !domainIdsToRemove.has(domain.domainId),
+	);
+
+	await refreshCaddyComposeRoutes(compose, remainingDomains, resolvedProvider);
+
+	try {
+		return await db.transaction(async (tx) =>
+			tx
+				.delete(domains)
+				.where(
+					inArray(
+						domains.domainId,
+						removableDomains.map((domain) => domain.domainId),
+					),
+				)
+				.returning(),
+		);
+	} catch (error) {
+		await refreshCaddyComposeRoutes(compose, currentDomains, resolvedProvider);
+		throw error;
+	}
+};
+
 export const getDomainHost = (domain: Domain) => {
 	return `${domain.https ? "https" : "http"}://${domain.host}`;
 };

From d14bea949483fc41c507f5919fb31a90ea6f7efd Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:03:01 -0400
Subject: [PATCH 11/37] fix: make web server health provider aware

---
 .../__test__/caddy/web-server-health.test.ts  | 83 +++++++++++++++++++
 .../settings/web-server/update-webserver.tsx  | 18 ++--
 apps/dokploy/server/api/routers/settings.ts   | 18 ++--
 docs/caddy-provider-upstream-readiness.md     |  6 +-
 packages/server/src/utils/docker/utils.ts     | 27 ++++--
 5 files changed, 136 insertions(+), 16 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/web-server-health.test.ts

diff --git a/apps/dokploy/__test__/caddy/web-server-health.test.ts b/apps/dokploy/__test__/caddy/web-server-health.test.ts
new file mode 100644
index 0000000000..b7509ee9c6
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/web-server-health.test.ts
@@ -0,0 +1,83 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const dockerMock = vi.hoisted(() => ({
+	getContainer: vi.fn(),
+	getService: vi.fn(),
+	listTasks: vi.fn(),
+}));
+
+vi.mock("@dokploy/server/constants", () => ({
+	docker: dockerMock,
+	paths: vi.fn(() => ({})),
+}));
+
+import {
+	checkTraefikHealth,
+	checkWebServerHealth,
+} from "@dokploy/server/utils/docker/utils";
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	dockerMock.getContainer.mockReturnValue({
+		inspect: vi.fn().mockResolvedValue({ State: { Running: true } }),
+	});
+	dockerMock.getService.mockReturnValue({
+		inspect: vi.fn().mockResolvedValue({
+			Spec: { Mode: { Replicated: { Replicas: 1 } } },
+		}),
+	});
+	dockerMock.listTasks.mockResolvedValue([
+		{
+			Status: {
+				State: "running",
+				ContainerStatus: { ContainerID: "container-1" },
+			},
+		},
+	]);
+});
+
+test("checks the Caddy resource when the active web server provider is Caddy", async () => {
+	const result = await checkWebServerHealth("caddy");
+
+	expect(result).toEqual({ provider: "caddy", status: "healthy" });
+	expect(dockerMock.getContainer).toHaveBeenCalledWith("dokploy-caddy");
+	expect(dockerMock.getService).not.toHaveBeenCalled();
+});
+
+test("checks the Traefik resource when the active web server provider is Traefik", async () => {
+	const result = await checkWebServerHealth("traefik");
+
+	expect(result).toEqual({ provider: "traefik", status: "healthy" });
+	expect(dockerMock.getContainer).toHaveBeenCalledWith("dokploy-traefik");
+});
+
+test("falls back to the active Caddy swarm service when no standalone Caddy container exists", async () => {
+	dockerMock.getContainer.mockReturnValueOnce({
+		inspect: vi.fn().mockRejectedValue(new Error("missing container")),
+	});
+
+	const result = await checkWebServerHealth("caddy");
+
+	expect(result).toEqual({ provider: "caddy", status: "healthy" });
+	expect(dockerMock.getService).toHaveBeenCalledWith("dokploy-caddy");
+	expect(dockerMock.listTasks).toHaveBeenCalledWith({
+		filters: JSON.stringify({
+			service: ["dokploy-caddy"],
+			"desired-state": ["running"],
+		}),
+	});
+});
+
+test("keeps the Traefik-specific helper on the Traefik resource", async () => {
+	dockerMock.getContainer.mockReturnValueOnce({
+		inspect: vi.fn().mockResolvedValue({ State: { Running: false } }),
+	});
+
+	const result = await checkTraefikHealth();
+
+	expect(result).toEqual({
+		status: "unhealthy",
+		message: "Container is not running",
+	});
+	expect(dockerMock.getContainer).toHaveBeenCalledWith("dokploy-traefik");
+});
diff --git a/apps/dokploy/components/dashboard/settings/web-server/update-webserver.tsx b/apps/dokploy/components/dashboard/settings/web-server/update-webserver.tsx
index abeba47c4b..2fd2c45630 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/update-webserver.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/update-webserver.tsx
@@ -30,7 +30,10 @@ type ServiceStatus = {
 type HealthResult = {
 	postgres: ServiceStatus;
 	redis: ServiceStatus;
-	traefik: ServiceStatus;
+	webServer: ServiceStatus & {
+		provider: "traefik" | "caddy";
+	};
+	traefik?: ServiceStatus;
 };
 
 type ModalState = "idle" | "checking" | "results" | "updating";
@@ -55,6 +58,11 @@ const ServiceStatusItem = ({
 	</div>
 );
 
+const webServerLabels: Record<HealthResult["webServer"]["provider"], string> = {
+	traefik: "Traefik",
+	caddy: "Caddy",
+};
+
 export const UpdateWebServer = () => {
 	const [modalState, setModalState] = useState<ModalState>("idle");
 	const [open, setOpen] = useState(false);
@@ -85,7 +93,7 @@ export const UpdateWebServer = () => {
 		healthResult &&
 		healthResult.postgres.status === "healthy" &&
 		healthResult.redis.status === "healthy" &&
-		healthResult.traefik.status === "healthy";
+		healthResult.webServer.status === "healthy";
 
 	const checkIsUpdateFinished = async () => {
 		try {
@@ -174,7 +182,7 @@ export const UpdateWebServer = () => {
 							{modalState === "checking" && (
 								<span className="flex items-center gap-2">
 									<Loader2 className="animate-spin h-4 w-4" />
-									Checking PostgreSQL, Redis and Traefik...
+									Checking PostgreSQL, Redis and the active web server...
 								</span>
 							)}
 
@@ -190,8 +198,8 @@ export const UpdateWebServer = () => {
 											service={healthResult.redis}
 										/>
 										<ServiceStatusItem
-											name="Traefik"
-											service={healthResult.traefik}
+											name={`Web server (${webServerLabels[healthResult.webServer.provider]})`}
+											service={healthResult.webServer}
 										/>
 									</div>
 
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index 41b6eb6c88..191985f17f 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -5,7 +5,7 @@ import {
 	checkPortInUse,
 	checkPostgresHealth,
 	checkRedisHealth,
-	checkTraefikHealth,
+	checkWebServerHealth,
 	cleanupAll,
 	cleanupAllBackground,
 	cleanupBuilders,
@@ -1559,21 +1559,29 @@ export const settingsRouter = createTRPCRouter({
 		}
 	}),
 	checkInfrastructureHealth: adminProcedure.query(async () => {
+		const provider = await resolveWebServerProvider();
 		if (IS_CLOUD) {
+			const webServer = { provider, status: "healthy" as const };
 			return {
 				postgres: { status: "healthy" as const },
 				redis: { status: "healthy" as const },
-				traefik: { status: "healthy" as const },
+				webServer,
+				traefik: { status: webServer.status },
 			};
 		}
 
-		const [postgres, redis, traefik] = await Promise.all([
+		const [postgres, redis, webServer] = await Promise.all([
 			checkPostgresHealth(),
 			checkRedisHealth(),
-			checkTraefikHealth(),
+			checkWebServerHealth(provider),
 		]);
 
-		return { postgres, redis, traefik };
+		return {
+			postgres,
+			redis,
+			webServer,
+			traefik: { status: webServer.status, message: webServer.message },
+		};
 	}),
 	setupGPU: adminProcedure
 		.input(
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 376da2680f..f2a4597c17 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,7 +42,7 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, and provider-neutral port-mapping copy now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -243,6 +243,7 @@ UI changes:
 - Keep the provider selector guardrails: direct Caddy activation should go through migration apply, and Caddy to Traefik should go through rollback.
 - Make dry-run/apply/rollback safety copy explicit.
 - Warn in the migration panel that changing Caddy settings after a dry run requires preparing a fresh dry run before apply.
+- Make update-server health checks provider-aware so the modal checks and displays Caddy when Caddy is the active web server.
 
 Dashboard decision:
 
@@ -371,6 +372,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application/domain-service.test.ts` | Passed | 1 file, 6 tests. Covers provider-aware application create, compose create cleanup, imported-template compose domain delete refresh with zero remaining domains, DB-delete rollback restoration, and Traefik no-op behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 19 files, 114 tests after template-import compose-domain deletion hardening. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, and runtime migration tests. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after template-import compose-domain deletion hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/web-server-health.test.ts` | Passed | 1 file, 4 tests. Covers active-provider web-server health checks for Caddy and Traefik, including Caddy swarm-service fallback and the existing Traefik helper. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 20 files, 118 tests after provider-aware update-server health hardening. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after provider-aware update-server health hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/utils/docker/utils.ts b/packages/server/src/utils/docker/utils.ts
index 8065b7dd93..fffbc286f9 100644
--- a/packages/server/src/utils/docker/utils.ts
+++ b/packages/server/src/utils/docker/utils.ts
@@ -16,6 +16,7 @@ import type { RedisNested } from "../databases/redis";
 import { execAsync, execAsyncRemote } from "../process/execAsync";
 import { spawnAsync } from "../process/spawnAsync";
 import { getRemoteDocker } from "../servers/remote-docker";
+import type { WebServerProvider } from "../web-server/providers";
 
 interface RegistryAuth {
 	username: string;
@@ -788,7 +789,7 @@ export const getComposeContainer = async (
 	}
 };
 
-type ServiceHealthStatus = {
+export type ServiceHealthStatus = {
 	status: "healthy" | "unhealthy";
 	message?: string;
 };
@@ -944,10 +945,11 @@ export const checkRedisHealth = async (): Promise<ServiceHealthStatus> => {
 	}
 };
 
-export const checkTraefikHealth = async (): Promise<ServiceHealthStatus> => {
-	// Traefik can run as a standalone container or a swarm service
+const checkDockerResourceHealth = async (
+	resourceName: string,
+): Promise<ServiceHealthStatus> => {
 	try {
-		const container = docker.getContainer("dokploy-traefik");
+		const container = docker.getContainer(resourceName);
 		const info = await container.inspect();
 		if (!info.State.Running) {
 			return {
@@ -958,6 +960,21 @@ export const checkTraefikHealth = async (): Promise<ServiceHealthStatus> => {
 		return { status: "healthy" };
 	} catch {
 		// Not a standalone container, check as swarm service
-		return checkSwarmServiceRunning("dokploy-traefik");
+		return checkSwarmServiceRunning(resourceName);
 	}
 };
+
+export const checkTraefikHealth = async (): Promise<ServiceHealthStatus> => {
+	return checkDockerResourceHealth("dokploy-traefik");
+};
+
+export const checkWebServerHealth = async (
+	provider: WebServerProvider,
+): Promise<ServiceHealthStatus & { provider: WebServerProvider }> => {
+	const resourceName =
+		provider === "caddy" ? "dokploy-caddy" : "dokploy-traefik";
+	return {
+		provider,
+		...(await checkDockerResourceHealth(resourceName)),
+	};
+};

From 55e003cd839f63c4faa9a68bd9a8005c8b7fa6c8 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:06:07 -0400
Subject: [PATCH 12/37] test: prove caddy custom certificate success paths

---
 .../__test__/caddy/compose/domain.test.ts     | 26 ++++++++++
 .../__test__/caddy/migration/prepare.test.ts  | 51 +++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     |  6 ++-
 3 files changed, 82 insertions(+), 1 deletion(-)

diff --git a/apps/dokploy/__test__/caddy/compose/domain.test.ts b/apps/dokploy/__test__/caddy/compose/domain.test.ts
index 80f2914161..35208b5651 100644
--- a/apps/dokploy/__test__/caddy/compose/domain.test.ts
+++ b/apps/dokploy/__test__/caddy/compose/domain.test.ts
@@ -153,6 +153,32 @@ describe("Caddy compose route generation", () => {
 		});
 	});
 
+	test("loads uploaded certificates for custom Caddy compose HTTPS routes", () => {
+		const fragment = createCaddyComposeRouteFragment(
+			compose(),
+			domain({
+				https: true,
+				certificateType: "custom",
+				customCertResolver: "certificate-uploaded",
+			}),
+			"web",
+		);
+		const config = compileCaddyConfig({ fragments: [fragment] });
+		const tls = (config.apps as any).tls;
+		const certificatePath = `${paths(false).CERTIFICATES_PATH}/certificate-uploaded`;
+
+		expect(tls.certificates.load_files).toEqual([
+			{
+				certificate: `${certificatePath}/chain.crt`,
+				key: `${certificatePath}/privkey.key`,
+			},
+		]);
+		expect(getServers(config).https.routes[0].handle.at(-1)).toMatchObject({
+			handler: "reverse_proxy",
+			upstreams: [{ dial: "my-compose-web:8080" }],
+		});
+	});
+
 	test("skips compose route refresh for Traefik provider", async () => {
 		const composeInput = compose();
 		writeComposeFile(composeInput, {
diff --git a/apps/dokploy/__test__/caddy/migration/prepare.test.ts b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
index e90cc857a5..41702311dc 100644
--- a/apps/dokploy/__test__/caddy/migration/prepare.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/prepare.test.ts
@@ -97,6 +97,13 @@ const genericComposeFixture = [
 	"      - traefik.http.middlewares.plugin-only.plugin.demo.enabled=true",
 ].join("\n");
 
+const writeCertificateFiles = (certificatePath: string) => {
+	const certDir = `${paths().CERTIFICATES_PATH}/${certificatePath}`;
+	vol.mkdirSync(certDir, { recursive: true });
+	vol.writeFileSync(`${certDir}/chain.crt`, "cert");
+	vol.writeFileSync(`${certDir}/privkey.key`, "key");
+};
+
 describe("prepareCaddyMigration", () => {
 	beforeEach(() => {
 		vol.reset();
@@ -243,6 +250,50 @@ describe("prepareCaddyMigration", () => {
 		expect(report.summary.fragments).toBe(0);
 	});
 
+	test("keeps DB fallback routes with readable uploaded custom certificates", async () => {
+		writeCertificateFiles("certificate-uploaded");
+		vi.mocked(db.query.applications.findMany).mockResolvedValue([
+			{
+				applicationId: "app-1",
+				appName: "custom-cert-app",
+				serverId: null,
+				environment: { project: { organizationId: "org-1" } },
+				domains: [
+					{
+						...domain,
+						certificateType: "custom",
+						customCertResolver: "certificate-uploaded",
+					},
+				],
+			} as any,
+		]);
+		vi.mocked(db.query.certificates.findFirst).mockResolvedValue({
+			certificatePath: "certificate-uploaded",
+			serverId: null,
+			organizationId: "org-1",
+		} as any);
+
+		const report = await prepareCaddyMigration();
+		const draft = JSON.parse(
+			vol.readFileSync(report.artifactPaths.caddyJson, "utf8") as string,
+		) as any;
+		const certificatePath = `${paths().CERTIFICATES_PATH}/certificate-uploaded`;
+
+		expect(report.summary.blockingWarnings).toBe(0);
+		expect(report.warnings).not.toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({ code: "missing-certificate" }),
+			]),
+		);
+		expect(report.summary.fragments).toBe(1);
+		expect(draft.apps.tls.certificates.load_files).toEqual([
+			{
+				certificate: `${certificatePath}/chain.crt`,
+				key: `${certificatePath}/privkey.key`,
+			},
+		]);
+	});
+
 	test("carries existing manual Caddy fragments into the migration draft", async () => {
 		const currentPaths = paths();
 		vol.mkdirSync(currentPaths.CADDY_FRAGMENTS_PATH, { recursive: true });
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index f2a4597c17..ac26561d72 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -39,7 +39,7 @@ Local state observed before this document was added:
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
 | Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
-| Custom SSL certificates | Caddy domains can now select uploaded certificates. Route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
+| Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
@@ -186,6 +186,7 @@ Implemented:
 - Caddy config compilation emits manual certificate file loaders while keeping automatic HTTPS available for other routes.
 - The Caddy domain UI labels the `custom` certificate provider as an uploaded certificate flow and restricts selection to certificates available to the current server.
 - Missing custom certificate references fail before writing Caddy config.
+- Migration dry-runs keep DB fallback routes with readable uploaded custom certificates and include the manual certificate files in the draft Caddy JSON.
 - Migration dry-runs emit a blocking warning instead of generating DB fallback Caddy routes when a custom certificate reference does not map to an uploaded certificate with readable files for the same server and organization.
 - Custom certificate guards ignore stale uploaded-certificate fields when HTTPS is disabled.
 - Shared domain validation only requires `customCertResolver` when HTTPS custom certificates are selected, so preview-domain and API submissions are not blocked by hidden certificate fields.
@@ -375,6 +376,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/web-server-health.test.ts` | Passed | 1 file, 4 tests. Covers active-provider web-server health checks for Caddy and Traefik, including Caddy swarm-service fallback and the existing Traefik helper. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 20 files, 118 tests after provider-aware update-server health hardening. Covers focused Caddy config, certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after provider-aware update-server health hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/compose/domain.test.ts __test__/caddy/migration/prepare.test.ts` | Passed | 2 files, 21 tests. Covers compose custom uploaded certificate `load_files` and migration dry-run success with a readable same-server/org uploaded custom certificate. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 20 files, 120 tests after custom certificate success-path proof. Covers focused Caddy config, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after custom certificate success-path proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 

From 2e618b68f4951551c9a89df277536e7d8469f891 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:10:26 -0400
Subject: [PATCH 13/37] test: prove caddy trusted proxy settings rollback

---
 .../trusted-proxy-settings-router.test.ts     | 208 ++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     |   6 +-
 2 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts

diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
new file mode 100644
index 0000000000..06192e4f5e
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -0,0 +1,208 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const serverMocks = vi.hoisted(() => ({
+	applyCaddyMigration: vi.fn(),
+	checkGPUStatus: vi.fn(),
+	checkPortInUse: vi.fn(),
+	checkPostgresHealth: vi.fn(),
+	checkRedisHealth: vi.fn(),
+	checkWebServerHealth: vi.fn(),
+	cleanupAll: vi.fn(),
+	cleanupAllBackground: vi.fn(),
+	cleanupBuilders: vi.fn(),
+	cleanupContainers: vi.fn(),
+	cleanupImages: vi.fn(),
+	cleanupSystem: vi.fn(),
+	cleanupVolumes: vi.fn(),
+	compileWriteAndReloadCaddyConfigSafely: vi.fn(),
+	execAsync: vi.fn(),
+	findServerById: vi.fn(),
+	getCaddyCompileSettings: vi.fn(),
+	getCaddyMigrationReport: vi.fn(),
+	getCaddyTrustedProxySettings: vi.fn(),
+	getDockerDiskUsage: vi.fn(),
+	getDokployImageTag: vi.fn(),
+	getLogCleanupStatus: vi.fn(),
+	getUpdateData: vi.fn(),
+	getWebServerPaths: vi.fn(),
+	getWebServerResourceName: vi.fn(),
+	getWebServerSettings: vi.fn(),
+	parseRawConfig: vi.fn(),
+	paths: vi.fn(),
+	prepareCaddyMigration: vi.fn(),
+	prepareEnvironmentVariables: vi.fn(),
+	processLogs: vi.fn(),
+	readCaddyConfigFileIfExists: vi.fn(),
+	readConfig: vi.fn(),
+	readConfigInPath: vi.fn(),
+	readDirectory: vi.fn(),
+	readEnvironmentVariables: vi.fn(),
+	readMainConfig: vi.fn(),
+	readMonitoringConfig: vi.fn(),
+	readPorts: vi.fn(),
+	recreateDirectory: vi.fn(),
+	reloadCaddyAfterValidation: vi.fn(),
+	reloadDockerResource: vi.fn(),
+	resolveWebServerProvider: vi.fn(),
+	rollbackCaddyMigration: vi.fn(),
+	sendDockerCleanupNotifications: vi.fn(),
+	setupGPUSupport: vi.fn(),
+	spawnAsync: vi.fn(),
+	startLogCleanup: vi.fn(),
+	stopLogCleanup: vi.fn(),
+	updateCaddyTrustedProxySettings: vi.fn(),
+	updateLetsEncryptEmail: vi.fn(),
+	updateLocalWebServerProvider: vi.fn(),
+	updateRemoteWebServerProvider: vi.fn(),
+	updateServerById: vi.fn(),
+	updateServerCaddy: vi.fn(),
+	updateServerTraefik: vi.fn(),
+	updateWebServerSettings: vi.fn(),
+	writeConfig: vi.fn(),
+	writeMainConfig: vi.fn(),
+	writeTraefikConfigInPath: vi.fn(),
+	writeTraefikSetup: vi.fn(),
+	writeWebServerSetup: vi.fn(),
+}));
+
+vi.mock("@dokploy/server", () => ({
+	...serverMocks,
+	CLEANUP_CRON_JOB: "cleanup",
+	DEFAULT_UPDATE_DATA: { latestVersion: null, updateAvailable: false },
+	IS_CLOUD: false,
+}));
+
+vi.mock("@dokploy/trpc-openapi", () => ({
+	generateOpenApiDocument: vi.fn(),
+}));
+
+vi.mock("@/server/api/root", () => ({
+	appRouter: {},
+}));
+
+vi.mock("@/server/api/utils/audit", () => ({
+	audit: vi.fn(),
+}));
+
+vi.mock("@/server/queues/queueSetup", () => ({
+	cleanAllDeploymentQueue: vi.fn(),
+}));
+
+vi.mock("@/server/utils/backup", () => ({
+	removeJob: vi.fn(),
+	schedule: vi.fn(),
+}));
+
+import {
+	compileWriteAndReloadCaddyConfigSafely,
+	getCaddyCompileSettings,
+	getCaddyTrustedProxySettings,
+	resolveWebServerProvider,
+	updateCaddyTrustedProxySettings,
+} from "@dokploy/server";
+import { settingsRouter } from "@/server/api/routers/settings";
+import { audit } from "@/server/api/utils/audit";
+
+const caller = settingsRouter.createCaller({
+	session: {
+		userId: "user-1",
+		activeOrganizationId: "org-1",
+	},
+	user: {
+		id: "user-1",
+		role: "owner",
+		ownerId: "user-1",
+		email: "owner@example.com",
+		enableEnterpriseFeatures: true,
+		isValidEnterpriseLicense: true,
+	},
+	req: { headers: {} },
+	res: {},
+} as never);
+
+const staticInput = {
+	mode: "static" as const,
+	ranges: ["192.0.2.0/24"],
+	clientIpHeaders: ["X-Forwarded-For"],
+	strict: true,
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	vi.mocked(getCaddyCompileSettings).mockResolvedValue({
+		letsEncryptEmail: "ops@example.com",
+		trustedProxies: { source: "static", ranges: ["192.0.2.0/24"] },
+	} as never);
+	vi.mocked(getCaddyTrustedProxySettings)
+		.mockResolvedValueOnce(null as never)
+		.mockResolvedValueOnce(staticInput as never);
+	vi.mocked(updateCaddyTrustedProxySettings).mockResolvedValue({} as never);
+	vi.mocked(compileWriteAndReloadCaddyConfigSafely).mockResolvedValue(
+		undefined as never,
+	);
+});
+
+test("persists Caddy trusted proxy settings without rebuilding when Traefik is active", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+
+	const result = await caller.updateCaddyTrustedProxySettings(staticInput);
+
+	expect(updateCaddyTrustedProxySettings).toHaveBeenCalledTimes(1);
+	expect(updateCaddyTrustedProxySettings).toHaveBeenCalledWith(
+		staticInput,
+		undefined,
+	);
+	expect(compileWriteAndReloadCaddyConfigSafely).not.toHaveBeenCalled();
+	expect(audit).toHaveBeenCalledWith(
+		expect.anything(),
+		expect.objectContaining({ resourceName: "caddy-trusted-proxy" }),
+	);
+	expect(result).toEqual(staticInput);
+});
+
+test("rebuilds Caddy with persisted compile settings when Caddy is active", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await caller.updateCaddyTrustedProxySettings(staticInput);
+
+	expect(getCaddyCompileSettings).toHaveBeenCalledWith(undefined);
+	expect(compileWriteAndReloadCaddyConfigSafely).toHaveBeenCalledWith({
+		serverId: undefined,
+		letsEncryptEmail: "ops@example.com",
+		trustedProxies: { source: "static", ranges: ["192.0.2.0/24"] },
+	});
+	expect(audit).toHaveBeenCalled();
+});
+
+test("restores previous trusted proxy settings when active Caddy rebuild fails", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	vi.mocked(getCaddyTrustedProxySettings).mockReset();
+	vi.mocked(getCaddyTrustedProxySettings).mockResolvedValueOnce({
+		mode: "cloudflare",
+		clientIpHeaders: ["CF-Connecting-IP"],
+		strict: true,
+	} as never);
+	vi.mocked(compileWriteAndReloadCaddyConfigSafely).mockRejectedValueOnce(
+		new Error("caddy reload failed") as never,
+	);
+
+	await expect(
+		caller.updateCaddyTrustedProxySettings(staticInput),
+	).rejects.toThrow("caddy reload failed");
+
+	expect(updateCaddyTrustedProxySettings).toHaveBeenNthCalledWith(
+		1,
+		staticInput,
+		undefined,
+	);
+	expect(updateCaddyTrustedProxySettings).toHaveBeenNthCalledWith(
+		2,
+		{
+			mode: "cloudflare",
+			clientIpHeaders: ["CF-Connecting-IP"],
+			strict: true,
+		},
+		undefined,
+	);
+	expect(audit).not.toHaveBeenCalled();
+});
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index ac26561d72..9f31304351 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -41,7 +41,7 @@ Local state observed before this document was added:
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
-| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active Caddy with persisted compile settings, and restores previous settings if reload fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
@@ -230,6 +230,7 @@ Implemented:
 - Settings -> Web Server exposes a Caddy trusted proxy dialog for local settings; remote web-server actions expose the same dialog for remote Caddy.
 - The Caddy trusted proxy dialog includes Cloudflare origin SSL mode guidance: DNS-only or Full (strict) are acceptable; Flexible SSL is not recommended.
 - `apps/dokploy/__test__/caddy/config.test.ts` covers default no-trust behavior, Cloudflare trusted proxy config, custom static CIDRs, invalid CIDR/header rejection, and persisted-setting normalization.
+- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers settings mutation behavior under Traefik, active Caddy rebuild, and rollback if active Caddy reload fails.
 
 Still needed:
 
@@ -379,6 +380,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/compose/domain.test.ts __test__/caddy/migration/prepare.test.ts` | Passed | 2 files, 21 tests. Covers compose custom uploaded certificate `load_files` and migration dry-run success with a readable same-server/org uploaded custom certificate. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 20 files, 120 tests after custom certificate success-path proof. Covers focused Caddy config, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after custom certificate success-path proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 1 file, 3 tests. Covers trusted-proxy settings persistence without rebuild under Traefik, active Caddy rebuild with persisted compile settings, and restore-on-reload-failure behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 123 tests after trusted-proxy settings-router proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after trusted-proxy settings-router proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 

From 877a2493d15b829a3413aaec0bc3ac44d18f76d3 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:13:55 -0400
Subject: [PATCH 14/37] test: prove caddy dashboard stays local only

---
 .../__test__/caddy/dashboard-route.test.ts    |  6 +++++
 .../trusted-proxy-settings-router.test.ts     | 22 +++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     |  7 +++++-
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/apps/dokploy/__test__/caddy/dashboard-route.test.ts b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
index 2eb3f65670..7ed02b2096 100644
--- a/apps/dokploy/__test__/caddy/dashboard-route.test.ts
+++ b/apps/dokploy/__test__/caddy/dashboard-route.test.ts
@@ -35,6 +35,12 @@ const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
 	return apps.http.servers as Record<string, any>;
 };
 
+test("keeps the Caddy admin API bound to localhost", () => {
+	const config = compileCaddyConfig();
+
+	expect(config.admin.listen).toBe("localhost:2019");
+});
+
 test("creates a Caddy dashboard route to the Dokploy container", () => {
 	const fragment = createCaddyDashboardRouteFragment(
 		settings(),
diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
index 06192e4f5e..1742bd500b 100644
--- a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -97,6 +97,7 @@ import {
 	compileWriteAndReloadCaddyConfigSafely,
 	getCaddyCompileSettings,
 	getCaddyTrustedProxySettings,
+	readPorts,
 	resolveWebServerProvider,
 	updateCaddyTrustedProxySettings,
 } from "@dokploy/server";
@@ -206,3 +207,24 @@ test("restores previous trusted proxy settings when active Caddy rebuild fails",
 	);
 	expect(audit).not.toHaveBeenCalled();
 });
+
+test("reports Caddy dashboard disabled instead of exposing the Caddy admin API", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	const result = await caller.getWebServerDashboardState({});
+
+	expect(result).toEqual({ provider: "caddy", enabled: false });
+	expect(readPorts).not.toHaveBeenCalled();
+});
+
+test("keeps Traefik dashboard state based on the Traefik dashboard port", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+	vi.mocked(readPorts).mockResolvedValue([
+		{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+	] as never);
+
+	const result = await caller.getWebServerDashboardState({});
+
+	expect(readPorts).toHaveBeenCalledWith("dokploy-traefik", undefined);
+	expect(result).toEqual({ provider: "traefik", enabled: true });
+});
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 9f31304351..6ef202bd64 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -43,7 +43,7 @@ Local state observed before this document was added:
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active Caddy with persisted compile settings, and restores previous settings if reload fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
-| Caddy dashboard | Caddy admin endpoint is local-only in the current design, and this PR does not expose it through the Dokploy UI. | Deferred | Prefer no public dashboard in this PR; document local-only admin API and track any dashboard proxy as a follow-up with auth and network controls. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, and `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
@@ -252,6 +252,8 @@ Dashboard decision:
 - Do not expose a public Caddy dashboard or admin API in this PR.
 - Keep Caddy admin local-only.
 - If a dashboard is desired later, it should be an authenticated Dokploy proxy and likely a follow-up PR.
+- `apps/dokploy/__test__/caddy/dashboard-route.test.ts` covers the local-only Caddy admin bind.
+- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers the Caddy dashboard disabled API state and Traefik dashboard-port contrast.
 
 ### 8. Keep migration hardening intact
 
@@ -383,6 +385,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 1 file, 3 tests. Covers trusted-proxy settings persistence without rebuild under Traefik, active Caddy rebuild with persisted compile settings, and restore-on-reload-failure behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 123 tests after trusted-proxy settings-router proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after trusted-proxy settings-router proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/dashboard-route.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 2 files, 8 tests. Covers local-only Caddy admin bind, Caddy dashboard disabled API state, and Traefik dashboard-port state for contrast. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 126 tests after Caddy dashboard local-only proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after Caddy dashboard local-only proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 

From 6d4fbeb69fabb0441b2fe86a00aabdb8e8abc87d Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:18:57 -0400
Subject: [PATCH 15/37] test: prove caddy domain delete preflight failures

---
 .../caddy/domain-router-lifecycle.test.ts     | 79 +++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     | 11 ++-
 2 files changed, 87 insertions(+), 3 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
index a8bec8702c..3ed85309b4 100644
--- a/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
+++ b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
@@ -35,6 +35,7 @@ import {
 	findComposeById,
 	findDomainById,
 	findDomainsByComposeId,
+	findPreviewDeploymentById,
 	manageWebServerDomain,
 	refreshCaddyComposeRoutes,
 	removeDomainById,
@@ -92,6 +93,20 @@ const siblingComposeDomain = {
 	uniqueConfigKey: 8,
 };
 
+const previewDeployment = {
+	previewDeploymentId: "preview-1",
+	applicationId: "app-1",
+	appName: "my-app-pr-42",
+};
+
+const currentPreviewDomain = {
+	...currentDomain,
+	applicationId: null,
+	previewDeploymentId: "preview-1",
+	domainType: "preview" as const,
+	host: "preview.example.com",
+};
+
 const updateInput = {
 	domainId: "domain-1",
 	domainType: "application" as const,
@@ -130,6 +145,9 @@ beforeEach(() => {
 	vi.mocked(findDomainById).mockResolvedValue(currentDomain as never);
 	vi.mocked(findApplicationById).mockResolvedValue(application as never);
 	vi.mocked(findComposeById).mockResolvedValue(compose as never);
+	vi.mocked(findPreviewDeploymentById).mockResolvedValue(
+		previewDeployment as never,
+	);
 	vi.mocked(findDomainsByComposeId).mockResolvedValue([
 		currentComposeDomain,
 		siblingComposeDomain,
@@ -162,6 +180,20 @@ test("restores the previous Caddy application route when domain update persisten
 	);
 });
 
+test("preserves application domain rows when Caddy route removal fails before delete", async () => {
+	vi.mocked(removeWebServerDomain).mockRejectedValueOnce(
+		new Error("caddy route removal failed") as never,
+	);
+
+	await expect(caller.delete({ domainId: "domain-1" })).rejects.toThrow(
+		"caddy route removal failed",
+	);
+
+	expect(removeWebServerDomain).toHaveBeenCalledWith(application, 7);
+	expect(removeDomainById).not.toHaveBeenCalled();
+	expect(manageWebServerDomain).not.toHaveBeenCalled();
+});
+
 test("restores the removed Caddy application route when domain delete persistence fails", async () => {
 	vi.mocked(removeDomainById).mockRejectedValueOnce(
 		new Error("db delete failed") as never,
@@ -178,6 +210,26 @@ test("restores the removed Caddy application route when domain delete persistenc
 	);
 });
 
+test("preserves preview domain rows when Caddy route removal fails before delete", async () => {
+	vi.mocked(findDomainById).mockResolvedValueOnce(
+		currentPreviewDomain as never,
+	);
+	vi.mocked(removeWebServerDomain).mockRejectedValueOnce(
+		new Error("preview caddy route removal failed") as never,
+	);
+
+	await expect(caller.delete({ domainId: "domain-1" })).rejects.toThrow(
+		"preview caddy route removal failed",
+	);
+
+	expect(findPreviewDeploymentById).toHaveBeenCalledWith("preview-1");
+	expect(removeWebServerDomain).toHaveBeenCalledWith(
+		expect.objectContaining({ appName: "my-app-pr-42" }),
+		7,
+	);
+	expect(removeDomainById).not.toHaveBeenCalled();
+});
+
 test("restores previous compose domain fields when Caddy route refresh fails after update", async () => {
 	const updatedDomain = {
 		...currentComposeDomain,
@@ -227,6 +279,33 @@ test("restores previous compose domain fields when Caddy route refresh fails aft
 	);
 });
 
+test("preserves compose domain rows when Caddy route refresh fails before delete", async () => {
+	vi.mocked(findDomainById).mockResolvedValueOnce(
+		currentComposeDomain as never,
+	);
+	vi.mocked(refreshCaddyComposeRoutes)
+		.mockRejectedValueOnce(new Error("caddy refresh failed") as never)
+		.mockResolvedValueOnce(undefined as never);
+
+	await expect(caller.delete({ domainId: "domain-1" })).rejects.toThrow(
+		"caddy refresh failed",
+	);
+
+	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
+		1,
+		compose,
+		[siblingComposeDomain],
+		"caddy",
+	);
+	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
+		2,
+		compose,
+		undefined,
+		"caddy",
+	);
+	expect(removeDomainById).not.toHaveBeenCalled();
+});
+
 test("restores all compose routes when compose domain delete persistence fails", async () => {
 	vi.mocked(findDomainById).mockResolvedValueOnce(
 		currentComposeDomain as never,
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 6ef202bd64..3f2df87dcf 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -34,11 +34,11 @@ Local state observed before this document was added:
 | --- | --- | --- | --- |
 | Application domain create under Caddy | `createDomain()` inserts the row, dispatches through `manageWebServerDomain()` for application domains, and removes the row if provider route creation fails. Focused service tests prove provider dispatch and cleanup when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
 | Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
-| Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
-| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `removeComposeDomainsForWebServer()` refreshes Caddy with remaining compose domains before non-router delete flows remove rows and restores old fragments if DB deletion fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
+| Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion, preserves the DB row if Caddy route removal fails before delete, and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
+| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `removeComposeDomainsForWebServer()` refreshes Caddy with remaining compose domains before non-router delete flows remove rows and restores old fragments if DB deletion fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` preserves DB rows when route refresh fails before delete and restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
 | Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
-| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
+| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active Caddy with persisted compile settings, and restores previous settings if reload fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
@@ -168,12 +168,14 @@ Application domains:
 - Update should restore the old fragment if Caddy write/reload fails. Covered by `apps/dokploy/__test__/caddy/config.test.ts`.
 - Update should restore the old fragment if DB update fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
 - Delete should restore the fragment if Caddy write/reload fails. Covered by `apps/dokploy/__test__/caddy/config.test.ts`.
+- Delete should not remove the DB row if provider route removal fails before deletion. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
 - Delete should restore the fragment if DB delete fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
 
 Compose domains:
 
 - Create should remove the new DB row and restore previous fragments if Caddy refresh fails. Covered by `apps/dokploy/__test__/caddy/application/domain-service.test.ts`.
 - Update should restore DB fields and previous fragments if Caddy refresh fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
+- Delete should not remove the DB row if Caddy route refresh fails before deletion. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
 - Delete should restore fragments if Caddy refresh or DB delete fails. Covered by `apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts`.
 
 ### 5. Decide and implement custom certificate behavior
@@ -388,6 +390,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/dashboard-route.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 2 files, 8 tests. Covers local-only Caddy admin bind, Caddy dashboard disabled API state, and Traefik dashboard-port state for contrast. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 126 tests after Caddy dashboard local-only proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after Caddy dashboard local-only proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 1 file, 7 tests. Covers application, preview, and compose domain delete preservation when Caddy route removal/refresh fails before DB deletion, plus existing DB-failure restoration paths. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 129 tests after domain-router delete preflight-failure proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after domain-router delete preflight-failure proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 

From 5ce0f8ce4c07608bcbf5ff0ea17b32cb4463e6f0 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:33:20 -0400
Subject: [PATCH 16/37] fix: harden caddy reload and admin ports

---
 apps/dokploy/__test__/caddy/config.test.ts    |  36 ++++
 .../caddy/migration/apply-rollback.test.ts    |  19 ++-
 apps/dokploy/__test__/caddy/setup.test.ts     |  79 +++++++++
 .../trusted-proxy-settings-router.test.ts     | 155 ++++++++++++++++--
 apps/dokploy/server/api/routers/settings.ts   |  13 ++
 docs/caddy-provider-upstream-readiness.md     |  13 +-
 packages/server/src/setup/caddy-setup.ts      |  19 ++-
 packages/server/src/utils/caddy/config.ts     |   1 +
 .../server/src/utils/caddy/migration/apply.ts |  12 +-
 9 files changed, 317 insertions(+), 30 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index 3a5fe6b26a..e6b85ab388 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -21,6 +21,7 @@ import {
 	caddyTrustedProxySettingsToConfig,
 	compileAndWriteCaddyConfig,
 	compileCaddyConfig,
+	compileWriteAndReloadCaddyConfigSafely,
 	type Domain,
 	getCaddyMigrationArtifactPaths,
 	manageCaddyDomain,
@@ -406,6 +407,41 @@ test("validates a config file with the Caddy binary in an isolated runtime conta
 	expect(validateCommand).not.toContain("caddy\\:2.11.3 validate --config");
 });
 
+test("reloads the restored Caddy config when safe reload fails", async () => {
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ routes: [route({ hosts: ["old.example.com"] })] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.mkdirSync(paths().CADDY_FRAGMENTS_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	let reloads = 0;
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy reload")) {
+			reloads += 1;
+			if (reloads === 1) {
+				throw new Error("reload failed");
+			}
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(
+		compileWriteAndReloadCaddyConfigSafely({
+			trustedProxies: {
+				source: "static",
+				ranges: ["192.0.2.0/24"],
+			},
+		}),
+	).rejects.toThrow("reload failed");
+
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+	expect(reloads).toBe(2);
+});
+
 test("restores previous fragments when Caddy domain reload fails", async () => {
 	const existingFragment: CaddyRouteFragment = {
 		version: 1,
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
index 4610705c37..7bbdfae360 100644
--- a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -171,6 +171,17 @@ describe("applyCaddyMigration", () => {
 
 	test("writes approved artifacts, starts Caddy, validates, then updates provider", async () => {
 		const report = seedMigration("caddy-apply-success");
+		vi.mocked(settingsService.readPorts).mockImplementation(
+			async (resourceName: string) =>
+				resourceName === "dokploy-traefik"
+					? [
+							{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+							{ targetPort: 8082, publishedPort: 8082, protocol: "tcp" },
+							{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+							{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+						]
+					: [],
+		);
 
 		const applied = await applyCaddyMigration({
 			migrationId: report.migrationId,
@@ -199,7 +210,13 @@ describe("applyCaddyMigration", () => {
 			vi.mocked(settingsService.stopDockerResource).mock
 				.invocationCallOrder[0] ?? 0,
 		);
-		expect(settingsService.writeCaddySetup).toHaveBeenCalled();
+		expect(settingsService.writeCaddySetup).toHaveBeenCalledWith(
+			expect.objectContaining({
+				additionalPorts: [
+					{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+				],
+			}),
+		);
 		expect(caddyConfig.validateCaddyConfigWithContainer).toHaveBeenCalled();
 		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
 			"caddy",
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
index d336d3bbb4..ae7605364d 100644
--- a/apps/dokploy/__test__/caddy/setup.test.ts
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -79,4 +79,83 @@ describe("Caddy runtime setup", () => {
 			]),
 		);
 	});
+
+	test("does not publish the Caddy admin port for standalone Caddy", async () => {
+		const createContainer = vi.fn();
+		const start = vi.fn();
+		const remove = vi.fn().mockRejectedValue(new Error("missing"));
+		const docker = {
+			pull: vi.fn(
+				(_imageName: string, callback: (error: Error | null) => void) => {
+					callback(null);
+				},
+			),
+			modem: { followProgress: vi.fn() },
+			createContainer,
+			getContainer: vi.fn(() => ({ remove, start })),
+		};
+		getRemoteDockerMock.mockResolvedValue(docker);
+		ensureDefaultCaddyConfigMock.mockResolvedValue(undefined);
+		validateCaddyConfigWithContainerMock.mockResolvedValue(undefined);
+		const { initializeStandaloneCaddy } = await loadCaddySetup();
+
+		await initializeStandaloneCaddy({
+			additionalPorts: [
+				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+				{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+			],
+		});
+
+		const createOptions = createContainer.mock.calls[0]?.[0] as any;
+		expect(createOptions.ExposedPorts).not.toHaveProperty("2019/tcp");
+		expect(createOptions.HostConfig.PortBindings).not.toHaveProperty(
+			"2019/tcp",
+		);
+		expect(createOptions.ExposedPorts).toHaveProperty("9000/tcp");
+		expect(createOptions.HostConfig.PortBindings["9000/tcp"]).toEqual([
+			{ HostPort: "9000" },
+		]);
+	});
+
+	test("does not publish the Caddy admin port for Caddy services", async () => {
+		const createService = vi.fn();
+		const docker = {
+			pull: vi.fn(
+				(_imageName: string, callback: (error: Error | null) => void) => {
+					callback(null);
+				},
+			),
+			modem: { followProgress: vi.fn() },
+			createService,
+			getService: vi.fn(() => ({
+				inspect: vi.fn().mockRejectedValue(new Error("missing")),
+			})),
+		};
+		getRemoteDockerMock.mockResolvedValue(docker);
+		ensureDefaultCaddyConfigMock.mockResolvedValue(undefined);
+		const { initializeCaddyService } = await loadCaddySetup();
+
+		await initializeCaddyService({
+			additionalPorts: [
+				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+				{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+			],
+		});
+
+		const createOptions = createService.mock.calls[0]?.[0] as any;
+		expect(createOptions.EndpointSpec.Ports).not.toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({ TargetPort: 2019, Protocol: "tcp" }),
+			]),
+		);
+		expect(createOptions.EndpointSpec.Ports).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					TargetPort: 9000,
+					PublishedPort: 9000,
+					Protocol: "tcp",
+				}),
+			]),
+		);
+	});
 });
diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
index 1742bd500b..af2662d799 100644
--- a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -27,6 +27,7 @@ const serverMocks = vi.hoisted(() => ({
 	getWebServerPaths: vi.fn(),
 	getWebServerResourceName: vi.fn(),
 	getWebServerSettings: vi.fn(),
+	isCaddyReservedAdditionalPort: vi.fn(),
 	parseRawConfig: vi.fn(),
 	paths: vi.fn(),
 	prepareCaddyMigration: vi.fn(),
@@ -94,12 +95,18 @@ vi.mock("@/server/utils/backup", () => ({
 }));
 
 import {
+	checkPortInUse,
 	compileWriteAndReloadCaddyConfigSafely,
+	findServerById,
 	getCaddyCompileSettings,
 	getCaddyTrustedProxySettings,
+	getWebServerResourceName,
+	isCaddyReservedAdditionalPort,
+	readEnvironmentVariables,
 	readPorts,
 	resolveWebServerProvider,
 	updateCaddyTrustedProxySettings,
+	writeWebServerSetup,
 } from "@dokploy/server";
 import { settingsRouter } from "@/server/api/routers/settings";
 import { audit } from "@/server/api/utils/audit";
@@ -128,19 +135,74 @@ const staticInput = {
 	strict: true,
 };
 
+type TrustedProxySettings =
+	| typeof staticInput
+	| {
+			mode: "cloudflare";
+			ranges?: string[] | null;
+			clientIpHeaders?: string[] | null;
+			strict?: boolean | null;
+	  }
+	| null;
+
+let persistedTrustedProxySettings: TrustedProxySettings;
+let trustedProxyCallOrder: string[];
+
+const trustedProxyCompileConfig = (settings: TrustedProxySettings) => {
+	if (!settings) return null;
+	if (settings.mode === "cloudflare") {
+		return {
+			source: "cloudflare" as const,
+			clientIpHeaders: settings.clientIpHeaders ?? undefined,
+			strict: settings.strict ?? true,
+		};
+	}
+	return {
+		source: "static" as const,
+		ranges: settings.ranges,
+		clientIpHeaders: settings.clientIpHeaders,
+		strict: settings.strict,
+	};
+};
+
 beforeEach(() => {
 	vi.clearAllMocks();
-	vi.mocked(getCaddyCompileSettings).mockResolvedValue({
-		letsEncryptEmail: "ops@example.com",
-		trustedProxies: { source: "static", ranges: ["192.0.2.0/24"] },
-	} as never);
-	vi.mocked(getCaddyTrustedProxySettings)
-		.mockResolvedValueOnce(null as never)
-		.mockResolvedValueOnce(staticInput as never);
-	vi.mocked(updateCaddyTrustedProxySettings).mockResolvedValue({} as never);
+	persistedTrustedProxySettings = null;
+	trustedProxyCallOrder = [];
+	vi.mocked(getCaddyCompileSettings).mockImplementation(async () => {
+		trustedProxyCallOrder.push("read-compile-settings");
+		return {
+			letsEncryptEmail: "ops@example.com",
+			trustedProxies: trustedProxyCompileConfig(persistedTrustedProxySettings),
+		} as never;
+	});
+	vi.mocked(getCaddyTrustedProxySettings).mockImplementation(
+		async () => persistedTrustedProxySettings as never,
+	);
+	vi.mocked(updateCaddyTrustedProxySettings).mockImplementation(
+		async (settings) => {
+			trustedProxyCallOrder.push("persist-settings");
+			persistedTrustedProxySettings = settings as TrustedProxySettings;
+			return {} as never;
+		},
+	);
 	vi.mocked(compileWriteAndReloadCaddyConfigSafely).mockResolvedValue(
 		undefined as never,
 	);
+	vi.mocked(readEnvironmentVariables).mockResolvedValue("");
+	vi.mocked(getWebServerResourceName).mockImplementation((provider) =>
+		provider === "caddy" ? "dokploy-caddy" : "dokploy-traefik",
+	);
+	vi.mocked(checkPortInUse).mockResolvedValue({ isInUse: false } as never);
+	vi.mocked(findServerById).mockResolvedValue({
+		serverId: "server-1",
+		organizationId: "org-1",
+	} as never);
+	vi.mocked(isCaddyReservedAdditionalPort).mockImplementation(
+		(port) =>
+			[8080, 8082, 2019].includes(port.targetPort) &&
+			(port.protocol ?? "tcp") === "tcp",
+	);
 });
 
 test("persists Caddy trusted proxy settings without rebuilding when Traefik is active", async () => {
@@ -170,19 +232,53 @@ test("rebuilds Caddy with persisted compile settings when Caddy is active", asyn
 	expect(compileWriteAndReloadCaddyConfigSafely).toHaveBeenCalledWith({
 		serverId: undefined,
 		letsEncryptEmail: "ops@example.com",
-		trustedProxies: { source: "static", ranges: ["192.0.2.0/24"] },
+		trustedProxies: {
+			source: "static",
+			ranges: ["192.0.2.0/24"],
+			clientIpHeaders: ["X-Forwarded-For"],
+			strict: true,
+		},
 	});
+	expect(trustedProxyCallOrder).toEqual([
+		"persist-settings",
+		"read-compile-settings",
+	]);
 	expect(audit).toHaveBeenCalled();
 });
 
+test("rebuilds remote Caddy with the remote persisted compile settings", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await caller.updateCaddyTrustedProxySettings({
+		...staticInput,
+		serverId: "server-1",
+	});
+
+	expect(resolveWebServerProvider).toHaveBeenCalledWith("server-1");
+	expect(updateCaddyTrustedProxySettings).toHaveBeenCalledWith(
+		staticInput,
+		"server-1",
+	);
+	expect(getCaddyCompileSettings).toHaveBeenCalledWith("server-1");
+	expect(compileWriteAndReloadCaddyConfigSafely).toHaveBeenCalledWith({
+		serverId: "server-1",
+		letsEncryptEmail: "ops@example.com",
+		trustedProxies: {
+			source: "static",
+			ranges: ["192.0.2.0/24"],
+			clientIpHeaders: ["X-Forwarded-For"],
+			strict: true,
+		},
+	});
+});
+
 test("restores previous trusted proxy settings when active Caddy rebuild fails", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
-	vi.mocked(getCaddyTrustedProxySettings).mockReset();
-	vi.mocked(getCaddyTrustedProxySettings).mockResolvedValueOnce({
+	persistedTrustedProxySettings = {
 		mode: "cloudflare",
 		clientIpHeaders: ["CF-Connecting-IP"],
 		strict: true,
-	} as never);
+	};
 	vi.mocked(compileWriteAndReloadCaddyConfigSafely).mockRejectedValueOnce(
 		new Error("caddy reload failed") as never,
 	);
@@ -205,6 +301,11 @@ test("restores previous trusted proxy settings when active Caddy rebuild fails",
 		},
 		undefined,
 	);
+	expect(persistedTrustedProxySettings).toEqual({
+		mode: "cloudflare",
+		clientIpHeaders: ["CF-Connecting-IP"],
+		strict: true,
+	});
 	expect(audit).not.toHaveBeenCalled();
 });
 
@@ -228,3 +329,33 @@ test("keeps Traefik dashboard state based on the Traefik dashboard port", async
 	expect(readPorts).toHaveBeenCalledWith("dokploy-traefik", undefined);
 	expect(result).toEqual({ provider: "traefik", enabled: true });
 });
+
+test("reads remote Traefik dashboard state from the remote web server", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+	vi.mocked(readPorts).mockResolvedValue([
+		{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+	] as never);
+
+	const result = await caller.getWebServerDashboardState({
+		serverId: "server-1",
+	});
+
+	expect(resolveWebServerProvider).toHaveBeenCalledWith("server-1");
+	expect(readPorts).toHaveBeenCalledWith("dokploy-traefik", "server-1");
+	expect(result).toEqual({ provider: "traefik", enabled: true });
+});
+
+test("rejects Caddy admin port publishing before rebuilding the web server", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await expect(
+		caller.updateWebServerPorts({
+			additionalPorts: [
+				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+			],
+		}),
+	).rejects.toThrow("reserved and cannot be published");
+
+	expect(checkPortInUse).not.toHaveBeenCalled();
+	expect(writeWebServerSetup).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index 191985f17f..a0db854a1d 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -27,6 +27,7 @@ import {
 	getWebServerResourceName,
 	getWebServerSettings,
 	IS_CLOUD,
+	isCaddyReservedAdditionalPort,
 	parseRawConfig,
 	paths,
 	prepareCaddyMigration as prepareCaddyMigrationDryRun,
@@ -1733,6 +1734,18 @@ export const settingsRouter = createTRPCRouter({
 					input.serverId,
 				);
 
+				if (provider === "caddy") {
+					const reservedPort = input.additionalPorts.find(
+						isCaddyReservedAdditionalPort,
+					);
+					if (reservedPort) {
+						throw new TRPCError({
+							code: "BAD_REQUEST",
+							message: `Caddy target port ${reservedPort.targetPort}/${reservedPort.protocol ?? "tcp"} is reserved and cannot be published.`,
+						});
+					}
+				}
+
 				for (const port of input.additionalPorts) {
 					const portCheck = await checkPortInUse(
 						port.publishedPort,
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 3f2df87dcf..99f0a2712e 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -41,9 +41,9 @@ Local state observed before this document was added:
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
-| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active Caddy with persisted compile settings, and restores previous settings if reload fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, and the safe reload helper reloads the restored runtime config. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
-| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, and `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, Caddy setup filters reserved `2019/tcp` admin publishing, migration carry-over drops it, and the ports mutation rejects reserved Caddy targets before rebuild. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
@@ -232,7 +232,8 @@ Implemented:
 - Settings -> Web Server exposes a Caddy trusted proxy dialog for local settings; remote web-server actions expose the same dialog for remote Caddy.
 - The Caddy trusted proxy dialog includes Cloudflare origin SSL mode guidance: DNS-only or Full (strict) are acceptable; Flexible SSL is not recommended.
 - `apps/dokploy/__test__/caddy/config.test.ts` covers default no-trust behavior, Cloudflare trusted proxy config, custom static CIDRs, invalid CIDR/header rejection, and persisted-setting normalization.
-- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers settings mutation behavior under Traefik, active Caddy rebuild, and rollback if active Caddy reload fails.
+- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers settings mutation behavior under Traefik, active local and remote Caddy rebuild using compile settings read after persistence, remote dashboard state reads, rollback if active Caddy reload fails, and rejection of reserved Caddy admin-port publishing.
+- `apps/dokploy/__test__/caddy/config.test.ts` covers reloading the restored runtime Caddy config after a failed safe reload.
 
 Still needed:
 
@@ -384,7 +385,7 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/compose/domain.test.ts __test__/caddy/migration/prepare.test.ts` | Passed | 2 files, 21 tests. Covers compose custom uploaded certificate `load_files` and migration dry-run success with a readable same-server/org uploaded custom certificate. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 20 files, 120 tests after custom certificate success-path proof. Covers focused Caddy config, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after custom certificate success-path proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
-| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 1 file, 3 tests. Covers trusted-proxy settings persistence without rebuild under Traefik, active Caddy rebuild with persisted compile settings, and restore-on-reload-failure behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | Historical 1-file, 3-test run before remote/dashboard/admin-port additions; superseded by later trusted-proxy router evidence. Covered trusted-proxy settings persistence without rebuild under Traefik, active Caddy rebuild with persisted compile settings, and restore-on-reload-failure behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 123 tests after trusted-proxy settings-router proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, and active web-server health checks. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after trusted-proxy settings-router proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/dashboard-route.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 2 files, 8 tests. Covers local-only Caddy admin bind, Caddy dashboard disabled API state, and Traefik dashboard-port state for contrast. |
@@ -393,6 +394,10 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 1 file, 7 tests. Covers application, preview, and compose domain delete preservation when Caddy route removal/refresh fails before DB deletion, plus existing DB-failure restoration paths. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 129 tests after domain-router delete preflight-failure proof. Covers focused Caddy config, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after domain-router delete preflight-failure proof. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt review with git compare `back:3` | Complete | Review findings were incorporated into production code and tests: safe Caddy reload now reloads restored runtime config, trusted-proxy router coverage is stateful and remote-aware, Caddy setup/migration/update paths prevent reserved admin-port publishing, and stale proof-log wording was marked historical. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/setup.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts __test__/caddy/migration/apply-rollback.test.ts` | Passed | 4 files, 41 tests. Covers restored runtime config reload after safe-reload failure, standalone/service Caddy admin-port non-publishing, stateful local/remote trusted-proxy settings rebuild and rollback, remote dashboard state reads, admin-port update rejection, and migration carry-over filtering for Traefik-only/admin ports. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 135 tests after RepoPrompt `back:3` recommendations were incorporated. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only/admin-port behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after RepoPrompt `back:3` recommendations were incorporated. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/setup/caddy-setup.ts b/packages/server/src/setup/caddy-setup.ts
index 950aad7d2b..643df18460 100644
--- a/packages/server/src/setup/caddy-setup.ts
+++ b/packages/server/src/setup/caddy-setup.ts
@@ -14,6 +14,8 @@ export const CADDY_PORT =
 	Number.parseInt(process.env.CADDY_PORT ?? "", 10) || 80;
 export const CADDY_HTTP3_PORT =
 	Number.parseInt(process.env.CADDY_HTTP3_PORT ?? "", 10) || 443;
+export const CADDY_ADMIN_PORT = 2019;
+const CADDY_RESERVED_TCP_TARGET_PORTS = new Set([8080, 8082, CADDY_ADMIN_PORT]);
 export const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
 
 export interface CaddyOptions {
@@ -28,6 +30,19 @@ export interface CaddyOptions {
 	trustedProxies?: CaddyTrustedProxyConfig | null;
 }
 
+type CaddyAdditionalPort = NonNullable<CaddyOptions["additionalPorts"]>[number];
+
+export const isCaddyAdminPort = (port: CaddyAdditionalPort) =>
+	port.targetPort === CADDY_ADMIN_PORT && (port.protocol ?? "tcp") === "tcp";
+
+export const isCaddyReservedAdditionalPort = (port: CaddyAdditionalPort) =>
+	CADDY_RESERVED_TCP_TARGET_PORTS.has(port.targetPort) &&
+	(port.protocol ?? "tcp") === "tcp";
+
+export const filterCaddyAdditionalPorts = (
+	additionalPorts: CaddyOptions["additionalPorts"] = [],
+) => additionalPorts.filter((port) => !isCaddyReservedAdditionalPort(port));
+
 const getCaddyMounts = (serverId?: string) => {
 	const { CADDY_CONFIG_DIR_PATH, CADDY_DATA_PATH, MAIN_CADDY_PATH } = paths(
 		!!serverId,
@@ -83,7 +98,7 @@ const buildStandalonePorts = (
 		[`${CADDY_HTTP3_PORT}/udp`]: [{ HostPort: CADDY_HTTP3_PORT.toString() }],
 	};
 
-	for (const port of additionalPorts ?? []) {
+	for (const port of filterCaddyAdditionalPorts(additionalPorts)) {
 		const portKey = `${port.targetPort}/${port.protocol ?? "tcp"}`;
 		exposedPorts[portKey] = {};
 		portBindings[portKey] = [{ HostPort: port.publishedPort.toString() }];
@@ -141,7 +156,7 @@ const buildServicePorts = (
 		PublishMode: "host" as const,
 		Protocol: "tcp" as const,
 	},
-	...(additionalPorts ?? []).map((port) => ({
+	...filterCaddyAdditionalPorts(additionalPorts).map((port) => ({
 		TargetPort: port.targetPort,
 		PublishedPort: port.publishedPort,
 		Protocol: port.protocol as "tcp" | "udp" | "sctp" | undefined,
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index 2da8771280..10a819c50e 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -864,6 +864,7 @@ export const writeAndReloadCaddyConfigSafely = async (
 		} else {
 			await writeCaddyConfigFile(compileCaddyConfig(), options);
 		}
+		await reloadCaddyAfterValidation(options.serverId);
 		throw error;
 	}
 };
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
index aab4becdd1..5637c055fe 100644
--- a/packages/server/src/utils/caddy/migration/apply.ts
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -14,6 +14,7 @@ import {
 	updateLocalWebServerProvider,
 	updateRemoteWebServerProvider,
 } from "@dokploy/server/services/web-server-settings";
+import { filterCaddyAdditionalPorts } from "@dokploy/server/setup/caddy-setup";
 import {
 	reloadCaddyAfterValidation,
 	validateCaddyConfigFileWithImage,
@@ -66,17 +67,6 @@ const compileSettingsChanged = (
 	JSON.stringify(normalizeCompileSettings(prepared)) !==
 	JSON.stringify(normalizeCompileSettings(current));
 
-const filterCaddyAdditionalPorts = (
-	ports: { targetPort: number; publishedPort: number; protocol?: string }[],
-) =>
-	ports.filter(
-		(port) =>
-			!(
-				(port.targetPort === 8080 || port.targetPort === 8082) &&
-				(port.protocol ?? "tcp") === "tcp"
-			),
-	);
-
 const createFileBackup = async (
 	label: string,
 	source: string,

From ceec308fdeaf8a277dad95624617ccf832ac4656 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 22:47:43 -0400
Subject: [PATCH 17/37] fix: refresh caddy app config cache

---
 ...pplication-web-server-config-cache.test.ts | 61 +++++++++++++++++++
 .../advanced/redirects/handle-redirect.tsx    |  5 +-
 .../advanced/redirects/show-redirects.tsx     | 10 +--
 .../advanced/security/handle-security.tsx     |  5 +-
 .../advanced/security/show-security.tsx       | 10 +--
 .../application/domains/handle-domain.tsx     |  8 +--
 .../application/web-server-config-cache.ts    | 21 +++++++
 docs/caddy-provider-upstream-readiness.md     |  8 ++-
 8 files changed, 107 insertions(+), 21 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
 create mode 100644 apps/dokploy/components/dashboard/application/web-server-config-cache.ts

diff --git a/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts b/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
new file mode 100644
index 0000000000..3a6615a5b7
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
@@ -0,0 +1,61 @@
+import { expect, test, vi } from "vitest";
+import { invalidateApplicationWebServerConfig } from "@/components/dashboard/application/web-server-config-cache";
+
+const createUtils = () => ({
+	application: {
+		readTraefikConfig: {
+			invalidate: vi.fn(),
+		},
+		readWebServerConfig: {
+			invalidate: vi.fn(),
+		},
+	},
+});
+
+test("invalidates legacy Traefik and provider-aware application web-server config caches", async () => {
+	const utils = createUtils();
+
+	await invalidateApplicationWebServerConfig(utils, "app-1");
+
+	expect(utils.application.readTraefikConfig.invalidate).toHaveBeenCalledWith({
+		applicationId: "app-1",
+	});
+	expect(utils.application.readWebServerConfig.invalidate).toHaveBeenCalledWith(
+		{ applicationId: "app-1" },
+	);
+});
+
+test("awaits both application web-server config cache invalidations", async () => {
+	const calls: string[] = [];
+	const utils = createUtils();
+	utils.application.readTraefikConfig.invalidate.mockImplementation(
+		async () => {
+			await Promise.resolve();
+			calls.push("traefik");
+		},
+	);
+	utils.application.readWebServerConfig.invalidate.mockImplementation(
+		async () => {
+			await Promise.resolve();
+			calls.push("web-server");
+		},
+	);
+
+	await invalidateApplicationWebServerConfig(utils, "app-1");
+
+	expect(calls).toEqual(["traefik", "web-server"]);
+});
+
+test("propagates application web-server config cache invalidation failures", async () => {
+	const utils = createUtils();
+	utils.application.readWebServerConfig.invalidate.mockRejectedValueOnce(
+		new Error("provider-aware cache failed"),
+	);
+
+	await expect(
+		invalidateApplicationWebServerConfig(utils, "app-1"),
+	).rejects.toThrow("provider-aware cache failed");
+	expect(utils.application.readTraefikConfig.invalidate).toHaveBeenCalledWith({
+		applicationId: "app-1",
+	});
+});
diff --git a/apps/dokploy/components/dashboard/application/advanced/redirects/handle-redirect.tsx b/apps/dokploy/components/dashboard/application/advanced/redirects/handle-redirect.tsx
index 683e0ebbaf..7774cf8f75 100644
--- a/apps/dokploy/components/dashboard/application/advanced/redirects/handle-redirect.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/redirects/handle-redirect.tsx
@@ -36,6 +36,7 @@ import {
 import { Separator } from "@/components/ui/separator";
 import { Switch } from "@/components/ui/switch";
 import { api } from "@/utils/api";
+import { invalidateApplicationWebServerConfig } from "../../web-server-config-cache";
 
 const AddRedirectSchema = z.object({
 	regex: z.string().min(1, "Regex required"),
@@ -133,9 +134,7 @@ export const HandleRedirect = ({
 					applicationId,
 				});
 				refetch();
-				await utils.application.readTraefikConfig.invalidate({
-					applicationId,
-				});
+				await invalidateApplicationWebServerConfig(utils, applicationId);
 				onDialogToggle(false);
 			})
 			.catch(() => {
diff --git a/apps/dokploy/components/dashboard/application/advanced/redirects/show-redirects.tsx b/apps/dokploy/components/dashboard/application/advanced/redirects/show-redirects.tsx
index a14074ec59..e057af7677 100644
--- a/apps/dokploy/components/dashboard/application/advanced/redirects/show-redirects.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/redirects/show-redirects.tsx
@@ -10,6 +10,7 @@ import {
 	CardTitle,
 } from "@/components/ui/card";
 import { api } from "@/utils/api";
+import { invalidateApplicationWebServerConfig } from "../../web-server-config-cache";
 import { HandleRedirect } from "./handle-redirect";
 
 interface Props {
@@ -97,11 +98,12 @@ export const ShowRedirects = ({ applicationId }: Props) => {
 													await deleteRedirect({
 														redirectId: redirect.redirectId,
 													})
-														.then(() => {
-															refetch();
-															utils.application.readTraefikConfig.invalidate({
+														.then(async () => {
+															await refetch();
+															await invalidateApplicationWebServerConfig(
+																utils,
 																applicationId,
-															});
+															);
 															toast.success("Redirect deleted successfully");
 														})
 														.catch(() => {
diff --git a/apps/dokploy/components/dashboard/application/advanced/security/handle-security.tsx b/apps/dokploy/components/dashboard/application/advanced/security/handle-security.tsx
index 49a126881a..de1e9e0c37 100644
--- a/apps/dokploy/components/dashboard/application/advanced/security/handle-security.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/security/handle-security.tsx
@@ -25,6 +25,7 @@ import {
 } from "@/components/ui/form";
 import { Input } from "@/components/ui/input";
 import { api } from "@/utils/api";
+import { invalidateApplicationWebServerConfig } from "../../web-server-config-cache";
 
 const AddSecuritychema = z.object({
 	username: z.string().min(1, "Username is required"),
@@ -85,9 +86,7 @@ export const HandleSecurity = ({
 				await utils.application.one.invalidate({
 					applicationId,
 				});
-				await utils.application.readTraefikConfig.invalidate({
-					applicationId,
-				});
+				await invalidateApplicationWebServerConfig(utils, applicationId);
 				await refetch();
 				setIsOpen(false);
 			})
diff --git a/apps/dokploy/components/dashboard/application/advanced/security/show-security.tsx b/apps/dokploy/components/dashboard/application/advanced/security/show-security.tsx
index 724953afec..888d54bc5f 100644
--- a/apps/dokploy/components/dashboard/application/advanced/security/show-security.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/security/show-security.tsx
@@ -13,6 +13,7 @@ import {
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { api } from "@/utils/api";
+import { invalidateApplicationWebServerConfig } from "../../web-server-config-cache";
 import { HandleSecurity } from "./handle-security";
 
 interface Props {
@@ -88,11 +89,12 @@ export const ShowSecurity = ({ applicationId }: Props) => {
 													await deleteSecurity({
 														securityId: security.securityId,
 													})
-														.then(() => {
-															refetch();
-															utils.application.readTraefikConfig.invalidate({
+														.then(async () => {
+															await refetch();
+															await invalidateApplicationWebServerConfig(
+																utils,
 																applicationId,
-															});
+															);
 															toast.success("Security deleted successfully");
 														})
 														.catch(() => {
diff --git a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
index 9f98f8e24a..c51ee531a4 100644
--- a/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
+++ b/apps/dokploy/components/dashboard/application/domains/handle-domain.tsx
@@ -5,6 +5,7 @@ import { useEffect, useState } from "react";
 import { useForm } from "react-hook-form";
 import { toast } from "sonner";
 import z from "zod";
+import { invalidateApplicationWebServerConfig } from "@/components/dashboard/application/web-server-config-cache";
 import { AlertBlock } from "@/components/shared/alert-block";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
@@ -322,12 +323,7 @@ export const AddDomain = ({ id, type, domainId = "", children }: Props) => {
 					await utils.domain.byApplicationId.invalidate({
 						applicationId: id,
 					});
-					await utils.application.readTraefikConfig.invalidate({
-						applicationId: id,
-					});
-					await utils.application.readWebServerConfig.invalidate({
-						applicationId: id,
-					});
+					await invalidateApplicationWebServerConfig(utils, id);
 				} else if (data.domainType === "compose") {
 					await utils.domain.byComposeId.invalidate({
 						composeId: id,
diff --git a/apps/dokploy/components/dashboard/application/web-server-config-cache.ts b/apps/dokploy/components/dashboard/application/web-server-config-cache.ts
new file mode 100644
index 0000000000..f2cf9ed234
--- /dev/null
+++ b/apps/dokploy/components/dashboard/application/web-server-config-cache.ts
@@ -0,0 +1,21 @@
+type ConfigCacheUtils = {
+	application: {
+		readTraefikConfig: {
+			invalidate(input: { applicationId: string }): Promise<unknown> | unknown;
+		};
+		readWebServerConfig: {
+			invalidate(input: { applicationId: string }): Promise<unknown> | unknown;
+		};
+	};
+};
+
+export const invalidateApplicationWebServerConfig = async (
+	utils: ConfigCacheUtils,
+	applicationId: string,
+) => {
+	const input = { applicationId };
+	await Promise.all([
+		utils.application.readTraefikConfig.invalidate(input),
+		utils.application.readWebServerConfig.invalidate(input),
+	]);
+};
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 99f0a2712e..6ca156a7fa 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,7 +42,7 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, and the safe reload helper reloads the restored runtime config. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, Caddy setup filters reserved `2019/tcp` admin publishing, migration carry-over drops it, and the ports mutation rejects reserved Caddy targets before rebuild. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -249,6 +249,7 @@ UI changes:
 - Make dry-run/apply/rollback safety copy explicit.
 - Warn in the migration panel that changing Caddy settings after a dry run requires preparing a fresh dry run before apply.
 - Make update-server health checks provider-aware so the modal checks and displays Caddy when Caddy is the active web server.
+- Keep the provider-aware application web-server config preview fresh when application domains, redirects, or security settings change.
 
 Dashboard decision:
 
@@ -398,6 +399,11 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/setup.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts __test__/caddy/migration/apply-rollback.test.ts` | Passed | 4 files, 41 tests. Covers restored runtime config reload after safe-reload failure, standalone/service Caddy admin-port non-publishing, stateful local/remote trusted-proxy settings rebuild and rollback, remote dashboard state reads, admin-port update rejection, and migration carry-over filtering for Traefik-only/admin ports. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 21 files, 135 tests after RepoPrompt `back:3` recommendations were incorporated. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, and dashboard local-only/admin-port behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after RepoPrompt `back:3` recommendations were incorporated. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining local-safe Caddy UI gaps | Complete | Identified stale provider-aware application web-server config cache invalidation after redirect/security mutations as the next highest-value local-safe gap. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application-web-server-config-cache.test.ts` | Passed | 1 file, 3 tests. Covers shared invalidation of legacy Traefik and provider-aware application web-server config caches, async invalidation waiting, and failure propagation. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 22 files, 138 tests after provider-aware application config cache hardening. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, and application web-server config cache invalidation. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after provider-aware application config cache hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm exec biome check --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` and `git diff --check` | Passed | Formatter/import checks and whitespace checks passed after provider-aware application config cache hardening. |
 
 ## Upstream Hygiene Checklist
 

From 4537236931f16340645fd6d8d62431bafde14281 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 23:15:18 -0400
Subject: [PATCH 18/37] fix: harden caddy web server review gaps

---
 ...pplication-web-server-config-cache.test.ts |  35 ++
 apps/dokploy/__test__/caddy/config.test.ts    |  53 +++
 .../caddy/migration/apply-rollback.test.ts    |  68 ++++
 apps/dokploy/__test__/caddy/setup.test.ts     |  22 ++
 .../trusted-proxy-settings-router.test.ts     |  90 ++++-
 .../web-server-file-system-router.test.ts     | 335 ++++++++++++++++++
 .../file-system/show-traefik-file.tsx         | 145 +++++---
 .../file-system/show-traefik-system.tsx       |  46 ++-
 .../settings/servers/show-servers.tsx         |   5 +-
 .../show-traefik-file-system-modal.tsx        |  18 +-
 apps/dokploy/server/api/routers/settings.ts   |  31 +-
 docs/caddy-provider-upstream-readiness.md     |  20 +-
 packages/server/src/setup/caddy-setup.ts      |  26 +-
 packages/server/src/utils/caddy/config.ts     |  18 +-
 .../server/src/utils/caddy/migration/apply.ts |   4 +-
 15 files changed, 817 insertions(+), 99 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/web-server-file-system-router.test.ts

diff --git a/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts b/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
index 3a6615a5b7..36f1b926c0 100644
--- a/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
+++ b/apps/dokploy/__test__/caddy/application-web-server-config-cache.test.ts
@@ -1,3 +1,4 @@
+import { readFileSync } from "node:fs";
 import { expect, test, vi } from "vitest";
 import { invalidateApplicationWebServerConfig } from "@/components/dashboard/application/web-server-config-cache";
 
@@ -59,3 +60,37 @@ test("propagates application web-server config cache invalidation failures", asy
 		applicationId: "app-1",
 	});
 });
+
+const applicationMutationHandlers = [
+	[
+		"domain handler",
+		"../../components/dashboard/application/domains/handle-domain.tsx",
+	],
+	[
+		"redirect form handler",
+		"../../components/dashboard/application/advanced/redirects/handle-redirect.tsx",
+	],
+	[
+		"redirect delete handler",
+		"../../components/dashboard/application/advanced/redirects/show-redirects.tsx",
+	],
+	[
+		"security form handler",
+		"../../components/dashboard/application/advanced/security/handle-security.tsx",
+	],
+	[
+		"security delete handler",
+		"../../components/dashboard/application/advanced/security/show-security.tsx",
+	],
+] as const;
+
+test.each(applicationMutationHandlers)(
+	"%s uses the shared application web-server cache invalidation helper",
+	(_name, filePath) => {
+		const source = readFileSync(new URL(filePath, import.meta.url), "utf8");
+
+		expect(source).toContain("invalidateApplicationWebServerConfig");
+		expect(source).not.toMatch(/readTraefikConfig\.invalidate/);
+		expect(source).not.toMatch(/readWebServerConfig\.invalidate/);
+	},
+);
diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index e6b85ab388..85fae27648 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -442,6 +442,59 @@ test("reloads the restored Caddy config when safe reload fails", async () => {
 	expect(reloads).toBe(2);
 });
 
+test("preserves the original safe reload error when the restored Caddy reload also fails", async () => {
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ routes: [route({ hosts: ["old.example.com"] })] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.mkdirSync(paths().CADDY_FRAGMENTS_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	const restoreError = new Error("restored reload failed");
+	let reloads = 0;
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy reload")) {
+			reloads += 1;
+			if (reloads === 1) {
+				throw new Error("new config reload failed");
+			}
+			throw restoreError;
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+	const consoleError = vi
+		.spyOn(console, "error")
+		.mockImplementation(() => undefined);
+
+	let thrownError: Error | undefined;
+	try {
+		await compileWriteAndReloadCaddyConfigSafely({
+			trustedProxies: {
+				source: "static",
+				ranges: ["192.0.2.0/24"],
+			},
+		});
+	} catch (error) {
+		thrownError = error as Error;
+	}
+
+	expect(thrownError).toBeInstanceOf(Error);
+	expect(thrownError?.message).toBe("new config reload failed");
+	expect((thrownError as Error & { restoreError?: unknown }).restoreError).toBe(
+		restoreError,
+	);
+	expect(consoleError).toHaveBeenCalledWith(
+		"Failed to restore Caddy config:",
+		restoreError,
+	);
+	consoleError.mockRestore();
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+	expect(reloads).toBe(2);
+});
+
 test("restores previous fragments when Caddy domain reload fails", async () => {
 	const existingFragment: CaddyRouteFragment = {
 		version: 1,
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
index 7bbdfae360..d5508ef27a 100644
--- a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -236,6 +236,74 @@ describe("applyCaddyMigration", () => {
 		);
 	});
 
+	test("applies and rolls back approved Caddy custom certificate artifacts", async () => {
+		const report = seedMigration("caddy-custom-cert-apply-rollback");
+		const certificatePath = `${paths().CERTIFICATES_PATH}/certificate-uploaded`;
+		const loadFiles = [
+			{
+				certificate: `${certificatePath}/chain.crt`,
+				key: `${certificatePath}/privkey.key`,
+			},
+		];
+		vol.writeFileSync(
+			report.artifactPaths.caddyJson,
+			`${JSON.stringify(
+				{
+					apps: {
+						http: {},
+						tls: {
+							certificates: {
+								load_files: loadFiles,
+							},
+						},
+					},
+				},
+				null,
+				2,
+			)}\n`,
+		);
+		vi.mocked(
+			caddyConfig.validateCaddyConfigFileWithImage,
+		).mockImplementationOnce(async (filePath: string) => {
+			const validatedConfig = JSON.parse(
+				vol.readFileSync(filePath, "utf8") as string,
+			);
+			expect(validatedConfig.apps.tls.certificates.load_files).toEqual(
+				loadFiles,
+			);
+			return {} as any;
+		});
+
+		const applied = await applyCaddyMigration({
+			migrationId: report.migrationId,
+		});
+
+		expect(applied.status).toBe("applied");
+		expect(caddyConfig.validateCaddyConfigFileWithImage).toHaveBeenCalledWith(
+			report.artifactPaths.caddyJson,
+			undefined,
+		);
+		const activeConfig = JSON.parse(
+			vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8") as string,
+		);
+		expect(activeConfig.apps.tls.certificates.load_files).toEqual(loadFiles);
+
+		const rolledBack = await rollbackCaddyMigration({
+			migrationId: report.migrationId,
+		});
+
+		expect(rolledBack.status).toBe("rolled_back");
+		expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+			'{"old":true}\n',
+		);
+		expect(vol.existsSync(`${paths().CADDY_FRAGMENTS_PATH}/old.json`)).toBe(
+			true,
+		);
+		expect(providerService.updateLocalWebServerProvider).toHaveBeenCalledWith(
+			"traefik",
+		);
+	});
+
 	test("rejects apply when Caddy compile settings changed after prepare", async () => {
 		const report = seedMigration("caddy-apply-stale-settings");
 		vi.mocked(providerService.getCaddyCompileSettings).mockResolvedValueOnce({
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
index ae7605364d..1151d904f1 100644
--- a/apps/dokploy/__test__/caddy/setup.test.ts
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -102,6 +102,8 @@ describe("Caddy runtime setup", () => {
 		await initializeStandaloneCaddy({
 			additionalPorts: [
 				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+				{ targetPort: 8080, publishedPort: 18080, protocol: "tcp" },
+				{ targetPort: 8082, publishedPort: 18082, protocol: "tcp" },
 				{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
 			],
 		});
@@ -111,6 +113,14 @@ describe("Caddy runtime setup", () => {
 		expect(createOptions.HostConfig.PortBindings).not.toHaveProperty(
 			"2019/tcp",
 		);
+		expect(createOptions.ExposedPorts).toHaveProperty("8080/tcp");
+		expect(createOptions.HostConfig.PortBindings["8080/tcp"]).toEqual([
+			{ HostPort: "18080" },
+		]);
+		expect(createOptions.ExposedPorts).toHaveProperty("8082/tcp");
+		expect(createOptions.HostConfig.PortBindings["8082/tcp"]).toEqual([
+			{ HostPort: "18082" },
+		]);
 		expect(createOptions.ExposedPorts).toHaveProperty("9000/tcp");
 		expect(createOptions.HostConfig.PortBindings["9000/tcp"]).toEqual([
 			{ HostPort: "9000" },
@@ -138,6 +148,8 @@ describe("Caddy runtime setup", () => {
 		await initializeCaddyService({
 			additionalPorts: [
 				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
+				{ targetPort: 8080, publishedPort: 18080, protocol: "tcp" },
+				{ targetPort: 8082, publishedPort: 18082, protocol: "tcp" },
 				{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
 			],
 		});
@@ -150,6 +162,16 @@ describe("Caddy runtime setup", () => {
 		);
 		expect(createOptions.EndpointSpec.Ports).toEqual(
 			expect.arrayContaining([
+				expect.objectContaining({
+					TargetPort: 8080,
+					PublishedPort: 18080,
+					Protocol: "tcp",
+				}),
+				expect.objectContaining({
+					TargetPort: 8082,
+					PublishedPort: 18082,
+					Protocol: "tcp",
+				}),
 				expect.objectContaining({
 					TargetPort: 9000,
 					PublishedPort: 9000,
diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
index af2662d799..fe2d6ced4f 100644
--- a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -27,6 +27,7 @@ const serverMocks = vi.hoisted(() => ({
 	getWebServerPaths: vi.fn(),
 	getWebServerResourceName: vi.fn(),
 	getWebServerSettings: vi.fn(),
+	isCaddyAdminAdditionalPort: vi.fn(),
 	isCaddyReservedAdditionalPort: vi.fn(),
 	parseRawConfig: vi.fn(),
 	paths: vi.fn(),
@@ -101,7 +102,7 @@ import {
 	getCaddyCompileSettings,
 	getCaddyTrustedProxySettings,
 	getWebServerResourceName,
-	isCaddyReservedAdditionalPort,
+	isCaddyAdminAdditionalPort,
 	readEnvironmentVariables,
 	readPorts,
 	resolveWebServerProvider,
@@ -198,11 +199,10 @@ beforeEach(() => {
 		serverId: "server-1",
 		organizationId: "org-1",
 	} as never);
-	vi.mocked(isCaddyReservedAdditionalPort).mockImplementation(
-		(port) =>
-			[8080, 8082, 2019].includes(port.targetPort) &&
-			(port.protocol ?? "tcp") === "tcp",
+	vi.mocked(isCaddyAdminAdditionalPort).mockImplementation(
+		(port) => port.targetPort === 2019 && (port.protocol ?? "tcp") === "tcp",
 	);
+	vi.mocked(writeWebServerSetup).mockResolvedValue(undefined as never);
 });
 
 test("persists Caddy trusted proxy settings without rebuilding when Traefik is active", async () => {
@@ -309,6 +309,58 @@ test("restores previous trusted proxy settings when active Caddy rebuild fails",
 	expect(audit).not.toHaveBeenCalled();
 });
 
+test("restores remote trusted proxy settings when remote Caddy rebuild fails", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	persistedTrustedProxySettings = {
+		mode: "cloudflare",
+		clientIpHeaders: ["CF-Connecting-IP"],
+		strict: true,
+	};
+	vi.mocked(compileWriteAndReloadCaddyConfigSafely).mockRejectedValueOnce(
+		new Error("remote caddy reload failed") as never,
+	);
+
+	await expect(
+		caller.updateCaddyTrustedProxySettings({
+			...staticInput,
+			serverId: "server-1",
+		}),
+	).rejects.toThrow("remote caddy reload failed");
+
+	expect(resolveWebServerProvider).toHaveBeenCalledWith("server-1");
+	expect(getCaddyCompileSettings).toHaveBeenCalledWith("server-1");
+	expect(compileWriteAndReloadCaddyConfigSafely).toHaveBeenCalledWith({
+		serverId: "server-1",
+		letsEncryptEmail: "ops@example.com",
+		trustedProxies: {
+			source: "static",
+			ranges: ["192.0.2.0/24"],
+			clientIpHeaders: ["X-Forwarded-For"],
+			strict: true,
+		},
+	});
+	expect(updateCaddyTrustedProxySettings).toHaveBeenNthCalledWith(
+		1,
+		staticInput,
+		"server-1",
+	);
+	expect(updateCaddyTrustedProxySettings).toHaveBeenNthCalledWith(
+		2,
+		{
+			mode: "cloudflare",
+			clientIpHeaders: ["CF-Connecting-IP"],
+			strict: true,
+		},
+		"server-1",
+	);
+	expect(persistedTrustedProxySettings).toEqual({
+		mode: "cloudflare",
+		clientIpHeaders: ["CF-Connecting-IP"],
+		strict: true,
+	});
+	expect(audit).not.toHaveBeenCalled();
+});
+
 test("reports Caddy dashboard disabled instead of exposing the Caddy admin API", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
 
@@ -359,3 +411,31 @@ test("rejects Caddy admin port publishing before rebuilding the web server", asy
 	expect(checkPortInUse).not.toHaveBeenCalled();
 	expect(writeWebServerSetup).not.toHaveBeenCalled();
 });
+
+test("allows non-admin Caddy additional ports before rebuilding the web server", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await caller.updateWebServerPorts({
+		additionalPorts: [
+			{ targetPort: 8080, publishedPort: 18080, protocol: "tcp" },
+			{ targetPort: 8082, publishedPort: 18082, protocol: "tcp" },
+		],
+	});
+
+	expect(checkPortInUse).toHaveBeenCalledWith(18080, undefined);
+	expect(checkPortInUse).toHaveBeenCalledWith(18082, undefined);
+	expect(writeWebServerSetup).toHaveBeenCalledWith(
+		"caddy",
+		expect.objectContaining({
+			additionalPorts: [
+				{ targetPort: 8080, publishedPort: 18080, protocol: "tcp" },
+				{ targetPort: 8082, publishedPort: 18082, protocol: "tcp" },
+			],
+			serverId: undefined,
+		}),
+	);
+	expect(audit).toHaveBeenCalledWith(
+		expect.anything(),
+		expect.objectContaining({ resourceName: "web-server-ports" }),
+	);
+});
diff --git a/apps/dokploy/__test__/caddy/web-server-file-system-router.test.ts b/apps/dokploy/__test__/caddy/web-server-file-system-router.test.ts
new file mode 100644
index 0000000000..8da82ddd0a
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/web-server-file-system-router.test.ts
@@ -0,0 +1,335 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const serverMocks = vi.hoisted(() => ({
+	applyCaddyMigration: vi.fn(),
+	checkGPUStatus: vi.fn(),
+	checkPortInUse: vi.fn(),
+	checkPostgresHealth: vi.fn(),
+	checkRedisHealth: vi.fn(),
+	checkWebServerHealth: vi.fn(),
+	cleanupAll: vi.fn(),
+	cleanupAllBackground: vi.fn(),
+	cleanupBuilders: vi.fn(),
+	cleanupContainers: vi.fn(),
+	cleanupImages: vi.fn(),
+	cleanupSystem: vi.fn(),
+	cleanupVolumes: vi.fn(),
+	compileWriteAndReloadCaddyConfigSafely: vi.fn(),
+	execAsync: vi.fn(),
+	findServerById: vi.fn(),
+	getCaddyCompileSettings: vi.fn(),
+	getCaddyMigrationReport: vi.fn(),
+	getCaddyTrustedProxySettings: vi.fn(),
+	getDockerDiskUsage: vi.fn(),
+	getDokployImageTag: vi.fn(),
+	getLogCleanupStatus: vi.fn(),
+	getUpdateData: vi.fn(),
+	getWebServerPaths: vi.fn(),
+	getWebServerResourceName: vi.fn(),
+	getWebServerSettings: vi.fn(),
+	isCaddyAdminAdditionalPort: vi.fn(),
+	isCaddyReservedAdditionalPort: vi.fn(),
+	parseRawConfig: vi.fn(),
+	paths: vi.fn(),
+	prepareCaddyMigration: vi.fn(),
+	prepareEnvironmentVariables: vi.fn(),
+	processLogs: vi.fn(),
+	readCaddyConfigFileIfExists: vi.fn(),
+	readConfig: vi.fn(),
+	readConfigInPath: vi.fn(),
+	readDirectory: vi.fn(),
+	readEnvironmentVariables: vi.fn(),
+	readMainConfig: vi.fn(),
+	readMonitoringConfig: vi.fn(),
+	readPorts: vi.fn(),
+	recreateDirectory: vi.fn(),
+	reloadCaddyAfterValidation: vi.fn(),
+	reloadDockerResource: vi.fn(),
+	resolveWebServerProvider: vi.fn(),
+	rollbackCaddyMigration: vi.fn(),
+	sendDockerCleanupNotifications: vi.fn(),
+	setupGPUSupport: vi.fn(),
+	spawnAsync: vi.fn(),
+	startLogCleanup: vi.fn(),
+	stopLogCleanup: vi.fn(),
+	updateCaddyTrustedProxySettings: vi.fn(),
+	updateLetsEncryptEmail: vi.fn(),
+	updateLocalWebServerProvider: vi.fn(),
+	updateRemoteWebServerProvider: vi.fn(),
+	updateServerById: vi.fn(),
+	updateServerCaddy: vi.fn(),
+	updateServerTraefik: vi.fn(),
+	updateWebServerSettings: vi.fn(),
+	writeConfig: vi.fn(),
+	writeMainConfig: vi.fn(),
+	writeTraefikConfigInPath: vi.fn(),
+	writeTraefikSetup: vi.fn(),
+	writeWebServerSetup: vi.fn(),
+}));
+
+vi.mock("@dokploy/server", () => ({
+	...serverMocks,
+	CLEANUP_CRON_JOB: "cleanup",
+	DEFAULT_UPDATE_DATA: { latestVersion: null, updateAvailable: false },
+	IS_CLOUD: false,
+}));
+
+vi.mock("@dokploy/trpc-openapi", () => ({
+	generateOpenApiDocument: vi.fn(),
+}));
+
+vi.mock("@/server/api/root", () => ({
+	appRouter: {},
+}));
+
+vi.mock("@dokploy/server/services/permission", () => ({
+	checkPermission: vi.fn(),
+}));
+
+vi.mock("@/server/api/utils/audit", () => ({
+	audit: vi.fn(),
+}));
+
+vi.mock("@/server/queues/queueSetup", () => ({
+	cleanAllDeploymentQueue: vi.fn(),
+}));
+
+vi.mock("@/server/utils/backup", () => ({
+	removeJob: vi.fn(),
+	schedule: vi.fn(),
+}));
+
+import {
+	findServerById,
+	getWebServerPaths,
+	paths,
+	readConfigInPath,
+	readDirectory,
+	resolveWebServerProvider,
+	writeTraefikConfigInPath,
+} from "@dokploy/server";
+import { settingsRouter } from "@/server/api/routers/settings";
+import { audit } from "@/server/api/utils/audit";
+
+const caller = settingsRouter.createCaller({
+	session: {
+		userId: "user-1",
+		activeOrganizationId: "org-1",
+	},
+	user: {
+		id: "user-1",
+		role: "owner",
+		ownerId: "user-1",
+		email: "owner@example.com",
+		enableEnterpriseFeatures: true,
+		isValidEnterpriseLicense: true,
+	},
+	req: { headers: {} },
+	res: {},
+} as never);
+
+const caddyPaths = {
+	MAIN_CADDY_PATH: "/etc/dokploy/caddy",
+	CADDY_CONFIG_PATH: "/etc/dokploy/caddy/caddy.json",
+	CADDY_FRAGMENTS_PATH: "/etc/dokploy/caddy/fragments",
+	CADDY_MIGRATIONS_PATH: "/etc/dokploy/caddy/migrations",
+};
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	vi.mocked(findServerById).mockResolvedValue({
+		serverId: "server-1",
+		organizationId: "org-1",
+	} as never);
+	vi.mocked(paths).mockReturnValue({
+		MAIN_TRAEFIK_PATH: "/etc/dokploy/traefik",
+		...caddyPaths,
+	} as never);
+	vi.mocked(getWebServerPaths).mockImplementation(
+		(provider) =>
+			({
+				basePath:
+					provider === "caddy"
+						? caddyPaths.MAIN_CADDY_PATH
+						: "/etc/dokploy/traefik",
+				activeConfigPath:
+					provider === "caddy"
+						? caddyPaths.CADDY_CONFIG_PATH
+						: "/etc/dokploy/traefik/traefik.yml",
+				fragmentsPath:
+					provider === "caddy"
+						? caddyPaths.CADDY_FRAGMENTS_PATH
+						: "/etc/dokploy/traefik/dynamic",
+			}) as never,
+	);
+	vi.mocked(readConfigInPath).mockImplementation(
+		async (filePath: string) => `contents:${filePath}`,
+	);
+});
+
+test("reads and updates Traefik web-server files through provider-aware endpoints", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+	vi.mocked(readDirectory).mockResolvedValue([
+		{
+			id: "/etc/dokploy/traefik/dynamic/app.yml",
+			name: "app.yml",
+			type: "file",
+		},
+	] as never);
+
+	const directories = await caller.readWebServerDirectories({
+		serverId: "server-1",
+	});
+	const file = await caller.readWebServerFile({
+		serverId: "server-1",
+		path: "dynamic/app.yml",
+	});
+	const updated = await caller.updateWebServerFile({
+		serverId: "server-1",
+		path: "dynamic/app.yml",
+		webServerConfig: "http: {}\n",
+	});
+
+	expect(directories).toHaveLength(1);
+	expect(readDirectory).toHaveBeenCalledWith(
+		"/etc/dokploy/traefik",
+		"server-1",
+	);
+	expect(readConfigInPath).toHaveBeenCalledWith(
+		"/etc/dokploy/traefik/dynamic/app.yml",
+		"server-1",
+	);
+	expect(writeTraefikConfigInPath).toHaveBeenCalledWith(
+		"/etc/dokploy/traefik/dynamic/app.yml",
+		"http: {}\n",
+		"server-1",
+	);
+	expect(audit).toHaveBeenCalledWith(
+		expect.anything(),
+		expect.objectContaining({ resourceName: "web-server-file" }),
+	);
+	expect(file).toBe("contents:/etc/dokploy/traefik/dynamic/app.yml");
+	expect(updated).toBe(true);
+});
+
+test("limits Caddy web-server file access to safe generated artifacts", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	vi.mocked(readDirectory).mockImplementation(async (dirPath: string) => {
+		if (dirPath === caddyPaths.CADDY_FRAGMENTS_PATH) {
+			return [
+				{
+					id: `${caddyPaths.CADDY_FRAGMENTS_PATH}/app.json`,
+					name: "app.json",
+					type: "file",
+				},
+			] as never;
+		}
+		if (dirPath === caddyPaths.CADDY_MIGRATIONS_PATH) {
+			return [
+				{
+					id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1`,
+					name: "caddy-1",
+					type: "directory",
+					children: [
+						{
+							id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1/caddy.json`,
+							name: "caddy.json",
+							type: "file",
+						},
+						{
+							id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1/backups`,
+							name: "backups",
+							type: "directory",
+							children: [
+								{
+									id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1/backups/traefik.yml`,
+									name: "traefik.yml",
+									type: "file",
+								},
+							],
+						},
+					],
+				},
+				{
+					id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/backups`,
+					name: "backups",
+					type: "directory",
+					children: [],
+				},
+			] as never;
+		}
+		return [] as never;
+	});
+
+	const directories = await caller.readWebServerDirectories({
+		serverId: "server-1",
+	});
+	const file = await caller.readWebServerFile({
+		serverId: "server-1",
+		path: caddyPaths.CADDY_CONFIG_PATH,
+	});
+
+	expect(directories).toEqual([
+		{
+			id: caddyPaths.CADDY_CONFIG_PATH,
+			name: "caddy.json",
+			type: "file",
+		},
+		{
+			id: caddyPaths.CADDY_FRAGMENTS_PATH,
+			name: "fragments",
+			type: "directory",
+			children: [
+				{
+					id: `${caddyPaths.CADDY_FRAGMENTS_PATH}/app.json`,
+					name: "app.json",
+					type: "file",
+				},
+			],
+		},
+		{
+			id: caddyPaths.CADDY_MIGRATIONS_PATH,
+			name: "migrations",
+			type: "directory",
+			children: [
+				{
+					id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1`,
+					name: "caddy-1",
+					type: "directory",
+					children: [
+						{
+							id: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1/caddy.json`,
+							name: "caddy.json",
+							type: "file",
+						},
+					],
+				},
+			],
+		},
+	]);
+	expect(readConfigInPath).toHaveBeenCalledWith(
+		caddyPaths.CADDY_CONFIG_PATH,
+		"server-1",
+	);
+	expect(file).toBe(`contents:${caddyPaths.CADDY_CONFIG_PATH}`);
+	await expect(
+		caller.readWebServerFile({
+			serverId: "server-1",
+			path: `${caddyPaths.CADDY_MIGRATIONS_PATH}/caddy-1/backups/traefik.yml`,
+		}),
+	).rejects.toThrow("migration backups");
+	await expect(
+		caller.readWebServerFile({
+			serverId: "server-1",
+			path: "/etc/dokploy/traefik/traefik.yml",
+		}),
+	).rejects.toThrow("outside of active web server directory");
+	await expect(
+		caller.updateWebServerFile({
+			serverId: "server-1",
+			path: caddyPaths.CADDY_CONFIG_PATH,
+			webServerConfig: "{}",
+		}),
+	).rejects.toThrow("read-only");
+	expect(writeTraefikConfigInPath).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/components/dashboard/file-system/show-traefik-file.tsx b/apps/dokploy/components/dashboard/file-system/show-traefik-file.tsx
index 288208fb1b..1a8b4c71b6 100644
--- a/apps/dokploy/components/dashboard/file-system/show-traefik-file.tsx
+++ b/apps/dokploy/components/dashboard/file-system/show-traefik-file.tsx
@@ -22,7 +22,7 @@ import { api } from "@/utils/api";
 import { validateAndFormatYAML } from "../application/advanced/traefik/update-traefik-config";
 
 const UpdateServerMiddlewareConfigSchema = z.object({
-	traefikConfig: z.string(),
+	webServerConfig: z.string(),
 });
 
 type UpdateServerMiddlewareConfig = z.infer<
@@ -32,14 +32,24 @@ type UpdateServerMiddlewareConfig = z.infer<
 interface Props {
 	path: string;
 	serverId?: string;
+	activeProvider?: "traefik" | "caddy";
 }
 
-export const ShowTraefikFile = ({ path, serverId }: Props) => {
+export const ShowTraefikFile = ({ path, serverId, activeProvider }: Props) => {
+	const providerLabel =
+		activeProvider === "caddy"
+			? "Caddy"
+			: activeProvider === "traefik"
+				? "Traefik"
+				: "Web Server";
+	const isTraefik = activeProvider === "traefik";
 	const {
 		data,
 		refetch,
 		isLoading: isLoadingFile,
-	} = api.settings.readTraefikFile.useQuery(
+		error: readError,
+		isError: isReadError,
+	} = api.settings.readWebServerFile.useQuery(
 		{
 			path,
 			serverId,
@@ -52,51 +62,64 @@ export const ShowTraefikFile = ({ path, serverId }: Props) => {
 	const [skipYamlValidation, setSkipYamlValidation] = useState(false);
 
 	const { mutateAsync, isPending, error, isError } =
-		api.settings.updateTraefikFile.useMutation();
+		api.settings.updateWebServerFile.useMutation();
 
 	const form = useForm<UpdateServerMiddlewareConfig>({
 		defaultValues: {
-			traefikConfig: "",
+			webServerConfig: "",
 		},
-		disabled: canEdit,
+		disabled: !isTraefik || canEdit,
 		resolver: zodResolver(UpdateServerMiddlewareConfigSchema),
 	});
 
 	useEffect(() => {
 		form.reset({
-			traefikConfig: data || "",
+			webServerConfig: data || "",
 		});
 	}, [form, form.reset, data]);
 
 	const onSubmit = async (data: UpdateServerMiddlewareConfig) => {
+		if (!isTraefik) {
+			return;
+		}
 		if (!skipYamlValidation) {
-			const { valid, error } = validateAndFormatYAML(data.traefikConfig);
+			const { valid, error } = validateAndFormatYAML(data.webServerConfig);
 			if (!valid) {
-				form.setError("traefikConfig", {
+				form.setError("webServerConfig", {
 					type: "manual",
 					message: error || "Invalid YAML",
 				});
 				return;
 			}
 		}
-		form.clearErrors("traefikConfig");
+		form.clearErrors("webServerConfig");
 		await mutateAsync({
-			traefikConfig: data.traefikConfig,
+			webServerConfig: data.webServerConfig,
 			path,
 			serverId,
 		})
 			.then(async () => {
-				toast.success("Traefik config Updated");
+				toast.success(`${providerLabel} config updated`);
 				refetch();
 			})
 			.catch(() => {
-				toast.error("Error updating the Traefik config");
+				toast.error(`Error updating the ${providerLabel} config`);
 			});
 	};
 
 	return (
 		<div>
+			{isReadError && (
+				<AlertBlock type="error">{readError?.message}</AlertBlock>
+			)}
 			{isError && <AlertBlock type="error">{error?.message}</AlertBlock>}
+			{activeProvider === "caddy" && (
+				<AlertBlock type="info" className="mb-4">
+					Caddy generated files are read-only from this view. Use Dokploy
+					settings, domains, and migration controls to change generated Caddy
+					config.
+				</AlertBlock>
+			)}
 			<Form {...form}>
 				<form
 					onSubmit={form.handleSubmit(onSubmit)}
@@ -113,16 +136,18 @@ export const ShowTraefikFile = ({ path, serverId }: Props) => {
 						) : (
 							<FormField
 								control={form.control}
-								name="traefikConfig"
+								name="webServerConfig"
 								render={({ field }) => (
 									<FormItem className="relative">
-										<FormLabel>Traefik config</FormLabel>
+										<FormLabel>{providerLabel} config</FormLabel>
 										<FormDescription className="break-all">
 											{path}
 										</FormDescription>
 										<FormControl>
 											<CodeEditor
+												disabled={!isTraefik || canEdit}
 												lineWrapping
+												language={activeProvider === "caddy" ? "json" : "yaml"}
 												wrapperClassName="h-[35rem] font-mono"
 												placeholder={`http:
 routers:
@@ -141,55 +166,59 @@ routers:
 										<pre>
 											<FormMessage />
 										</pre>
-										<div className="flex justify-end absolute z-50 right-6 top-8">
-											<Button
-												className="shadow-sm"
-												variant="secondary"
-												type="button"
-												onClick={async () => {
-													setCanEdit(!canEdit);
-												}}
-											>
-												{canEdit ? "Unlock" : "Lock"}
-											</Button>
-										</div>
+										{isTraefik && (
+											<div className="flex justify-end absolute z-50 right-6 top-8">
+												<Button
+													className="shadow-sm"
+													variant="secondary"
+													type="button"
+													onClick={async () => {
+														setCanEdit(!canEdit);
+													}}
+												>
+													{canEdit ? "Unlock" : "Lock"}
+												</Button>
+											</div>
+										)}
 									</FormItem>
 								)}
 							/>
 						)}
 					</div>
-					<div className="flex flex-col gap-4">
-						<div className="flex items-center space-x-2">
-							<Checkbox
-								id="skip-yaml-validation"
-								checked={skipYamlValidation}
-								onCheckedChange={(checked) =>
-									setSkipYamlValidation(checked === true)
-								}
-							/>
-							<Label
-								htmlFor="skip-yaml-validation"
-								className="text-sm font-normal cursor-pointer"
-							>
-								Skip YAML validation (for Go templating)
-							</Label>
-						</div>
-						<p className="text-sm text-muted-foreground -mt-2">
-							Traefik supports Go templating in dynamic configs (e.g.{" "}
-							<code className="text-xs">{"{{range}}"}</code>). Configs using
-							templates will fail standard YAML validation. Check this to save
-							without validation.
-						</p>
-						<div className="flex justify-end">
-							<Button
-								isLoading={isPending}
-								disabled={canEdit || isLoadingFile}
-								type="submit"
-							>
-								Update
-							</Button>
+					{isTraefik && (
+						<div className="flex flex-col gap-4">
+							<div className="flex items-center space-x-2">
+								<Checkbox
+									id="skip-yaml-validation"
+									checked={skipYamlValidation}
+									onCheckedChange={(checked) =>
+										setSkipYamlValidation(checked === true)
+									}
+								/>
+								<Label
+									htmlFor="skip-yaml-validation"
+									className="text-sm font-normal cursor-pointer"
+								>
+									Skip YAML validation (for Go templating)
+								</Label>
+							</div>
+							<p className="text-sm text-muted-foreground -mt-2">
+								Traefik supports Go templating in dynamic configs (e.g.{" "}
+								<code className="text-xs">{"{{range}}"}</code>). Configs using
+								templates will fail standard YAML validation. Check this to save
+								without validation.
+							</p>
+							<div className="flex justify-end">
+								<Button
+									isLoading={isPending}
+									disabled={canEdit || isLoadingFile}
+									type="submit"
+								>
+									Update
+								</Button>
+							</div>
 						</div>
-					</div>
+					)}
 				</form>
 			</Form>
 		</div>
diff --git a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
index 94a5c72a6d..62410d6ee5 100644
--- a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
+++ b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
@@ -14,16 +14,32 @@ import { ShowTraefikFile } from "./show-traefik-file";
 
 interface Props {
 	serverId?: string;
+	activeProvider?: "traefik" | "caddy";
 }
-export const ShowTraefikSystem = ({ serverId }: Props) => {
+export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 	const [file, setFile] = React.useState<null | string>(null);
+	const providerLabel =
+		activeProvider === "caddy"
+			? "Caddy"
+			: activeProvider === "traefik"
+				? "Traefik"
+				: "Web Server";
+	const isCaddy = activeProvider === "caddy";
+
+	React.useEffect(() => {
+		setFile(null);
+	}, []);
+
+	React.useEffect(() => {
+		setFile(null);
+	}, [activeProvider]);
 
 	const {
 		data: directories,
 		isLoading,
 		error,
 		isError,
-	} = api.settings.readDirectories.useQuery(
+	} = api.settings.readWebServerDirectories.useQuery(
 		{
 			serverId,
 		},
@@ -39,16 +55,20 @@ export const ShowTraefikSystem = ({ serverId }: Props) => {
 					<CardHeader className="">
 						<CardTitle className="text-xl flex flex-row gap-2">
 							<FileIcon className="size-6 text-muted-foreground self-center" />
-							Traefik File System
+							{providerLabel} File System
 						</CardTitle>
 						<CardDescription>
-							Manage all the files and directories in {"'/etc/dokploy/traefik'"}
-							.
+							{isCaddy
+								? "Review generated Caddy artifacts such as caddy.json, route fragments, and non-backup migration artifacts."
+								: activeProvider === "traefik"
+									? "Manage files and directories for the active Traefik web server."
+									: "Review files and directories for the active web server."}
 						</CardDescription>
 
-						<AlertBlock type="warning">
-							Adding invalid configuration to existing files, can break your
-							Traefik instance, preventing access to your applications.
+						<AlertBlock type={isCaddy ? "info" : "warning"}>
+							{isCaddy
+								? "Caddy generated config is read-only here. Use Dokploy settings, domains, and migration controls to change generated Caddy config."
+								: "Adding invalid configuration to existing files can break your Traefik instance, preventing access to your applications."}
 						</AlertBlock>
 					</CardHeader>
 					<CardContent className="space-y-2 py-8 border-t">
@@ -70,8 +90,8 @@ export const ShowTraefikSystem = ({ serverId }: Props) => {
 								{directories?.length === 0 && (
 									<div className="w-full flex-col gap-2 flex items-center justify-center h-[55vh]">
 										<span className="text-muted-foreground text-lg font-medium">
-											No directories or files detected in{" "}
-											{"'/etc/dokploy/traefik'"}
+											No directories or files detected for the active{" "}
+											{providerLabel} web server.
 										</span>
 										<Folder className="size-8 text-muted-foreground" />
 									</div>
@@ -87,7 +107,11 @@ export const ShowTraefikSystem = ({ serverId }: Props) => {
 										/>
 										<div className="w-full">
 											{file ? (
-												<ShowTraefikFile path={file} serverId={serverId} />
+												<ShowTraefikFile
+													path={file}
+													serverId={serverId}
+													activeProvider={activeProvider}
+												/>
 											) : (
 												<div className="h-full w-full flex-col gap-2 flex items-center justify-center">
 													<span className="text-muted-foreground text-lg font-medium">
diff --git a/apps/dokploy/components/dashboard/settings/servers/show-servers.tsx b/apps/dokploy/components/dashboard/settings/servers/show-servers.tsx
index 832d047593..034941e823 100644
--- a/apps/dokploy/components/dashboard/settings/servers/show-servers.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/show-servers.tsx
@@ -298,8 +298,9 @@ export const ShowServers = () => {
 																							</p>
 																							<p className="text-xs text-muted-foreground">
 																								Configure and initialize your
-																								server with Docker, Traefik, and
-																								other essential services
+																								server with Docker, the web
+																								server, and other essential
+																								services
 																							</p>
 																						</div>
 																					</TooltipContent>
diff --git a/apps/dokploy/components/dashboard/settings/servers/show-traefik-file-system-modal.tsx b/apps/dokploy/components/dashboard/settings/servers/show-traefik-file-system-modal.tsx
index c7f135acd9..34f88278fc 100644
--- a/apps/dokploy/components/dashboard/settings/servers/show-traefik-file-system-modal.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/show-traefik-file-system-modal.tsx
@@ -1,6 +1,7 @@
 import { useState } from "react";
 import { Dialog, DialogContent, DialogTrigger } from "@/components/ui/dialog";
 import { DropdownMenuItem } from "@/components/ui/dropdown-menu";
+import { api } from "@/utils/api";
 import { ShowTraefikSystem } from "../../file-system/show-traefik-system";
 
 interface Props {
@@ -9,6 +10,16 @@ interface Props {
 
 export const ShowTraefikFileSystemModal = ({ serverId }: Props) => {
 	const [isOpen, setIsOpen] = useState(false);
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({
+			serverId,
+		});
+	const providerLabel =
+		activeProvider === "caddy"
+			? "Caddy"
+			: activeProvider === "traefik"
+				? "Traefik"
+				: "Web Server";
 
 	return (
 		<Dialog open={isOpen} onOpenChange={setIsOpen}>
@@ -17,11 +28,14 @@ export const ShowTraefikFileSystemModal = ({ serverId }: Props) => {
 					className="w-full cursor-pointer "
 					onSelect={(e) => e.preventDefault()}
 				>
-					Show Traefik File System
+					Show {providerLabel} File System
 				</DropdownMenuItem>
 			</DialogTrigger>
 			<DialogContent className="sm:max-w-7xl  ">
-				<ShowTraefikSystem serverId={serverId} />
+				<ShowTraefikSystem
+					serverId={serverId}
+					activeProvider={activeProvider}
+				/>
 			</DialogContent>
 		</Dialog>
 	);
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index a0db854a1d..d57b7e8e60 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -27,7 +27,7 @@ import {
 	getWebServerResourceName,
 	getWebServerSettings,
 	IS_CLOUD,
-	isCaddyReservedAdditionalPort,
+	isCaddyAdminAdditionalPort,
 	parseRawConfig,
 	paths,
 	prepareCaddyMigration as prepareCaddyMigrationDryRun,
@@ -221,6 +221,28 @@ const assertCaddyReadableFilePath = (filePath: string, serverId?: string) => {
 	});
 };
 
+type WebServerDirectoryNode = {
+	id: string;
+	name: string;
+	type: "file" | "directory";
+	children?: WebServerDirectoryNode[];
+};
+
+const pruneCaddyBackupDirectoryNodes = (
+	nodes: WebServerDirectoryNode[],
+	serverId?: string,
+): WebServerDirectoryNode[] =>
+	nodes
+		.filter((node) => !isCaddyMigrationBackupPath(node.id, serverId))
+		.map((node) =>
+			node.children
+				? {
+						...node,
+						children: pruneCaddyBackupDirectoryNodes(node.children, serverId),
+					}
+				: node,
+		);
+
 const readCaddySafeDirectoryTree = async (serverId?: string) => {
 	const caddyPaths = paths(!!serverId);
 	const readOptionalDirectory = async (dirPath: string) => {
@@ -252,7 +274,10 @@ const readCaddySafeDirectoryTree = async (serverId?: string) => {
 			id: caddyPaths.CADDY_MIGRATIONS_PATH,
 			name: "migrations",
 			type: "directory" as const,
-			children: await readOptionalDirectory(caddyPaths.CADDY_MIGRATIONS_PATH),
+			children: pruneCaddyBackupDirectoryNodes(
+				await readOptionalDirectory(caddyPaths.CADDY_MIGRATIONS_PATH),
+				serverId,
+			),
 		},
 	];
 };
@@ -1736,7 +1761,7 @@ export const settingsRouter = createTRPCRouter({
 
 				if (provider === "caddy") {
 					const reservedPort = input.additionalPorts.find(
-						isCaddyReservedAdditionalPort,
+						isCaddyAdminAdditionalPort,
 					);
 					if (reservedPort) {
 						throw new TRPCError({
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 6ca156a7fa..7147e13aac 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -41,10 +41,10 @@ Local state observed before this document was added:
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
-| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, and the safe reload helper reloads the restored runtime config. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Existing Traefik file-system views remain Traefik-specific. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
-| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, Caddy setup filters reserved `2019/tcp` admin publishing, migration carry-over drops it, and the ports mutation rejects reserved Caddy targets before rebuild. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
-| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. | Locally covered | Add runtime proof after explicit approval. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; Caddy generated artifacts are inspectable through safe read-only paths while Traefik remains editable. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
+| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
 ## Code Evidence
@@ -232,8 +232,8 @@ Implemented:
 - Settings -> Web Server exposes a Caddy trusted proxy dialog for local settings; remote web-server actions expose the same dialog for remote Caddy.
 - The Caddy trusted proxy dialog includes Cloudflare origin SSL mode guidance: DNS-only or Full (strict) are acceptable; Flexible SSL is not recommended.
 - `apps/dokploy/__test__/caddy/config.test.ts` covers default no-trust behavior, Cloudflare trusted proxy config, custom static CIDRs, invalid CIDR/header rejection, and persisted-setting normalization.
-- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers settings mutation behavior under Traefik, active local and remote Caddy rebuild using compile settings read after persistence, remote dashboard state reads, rollback if active Caddy reload fails, and rejection of reserved Caddy admin-port publishing.
-- `apps/dokploy/__test__/caddy/config.test.ts` covers reloading the restored runtime Caddy config after a failed safe reload.
+- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers settings mutation behavior under Traefik, active local and remote Caddy rebuild using compile settings read after persistence, remote dashboard state reads, local and remote rollback if active Caddy reload fails, Caddy admin-port update rejection, and non-admin Caddy additional-port allowance.
+- `apps/dokploy/__test__/caddy/config.test.ts` covers reloading the restored runtime Caddy config after a failed safe reload and preserving the original error if the restore attempt also fails.
 
 Still needed:
 
@@ -250,6 +250,7 @@ UI changes:
 - Warn in the migration panel that changing Caddy settings after a dry run requires preparing a fresh dry run before apply.
 - Make update-server health checks provider-aware so the modal checks and displays Caddy when Caddy is the active web server.
 - Keep the provider-aware application web-server config preview fresh when application domains, redirects, or security settings change.
+- Use active-provider labels and endpoints for remote web-server file-system inspection, with Caddy generated artifacts read-only and backup migration artifacts hidden from the tree.
 
 Dashboard decision:
 
@@ -404,6 +405,13 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 22 files, 138 tests after provider-aware application config cache hardening. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, and application web-server config cache invalidation. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after provider-aware application config cache hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm exec biome check --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` and `git diff --check` | Passed | Formatter/import checks and whitespace checks passed after provider-aware application config cache hardening. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining local-safe Caddy file-system UI gap | Complete | Identified the remote server Advanced file-system modal as still Traefik-only despite provider-aware web-server file endpoints already existing in the settings router. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/web-server-file-system-router.test.ts` | Passed | 1 file, 2 tests. Covers Traefik provider-aware file reads/writes, Caddy safe directory tree pruning, Caddy safe file reads, Caddy backup/outside-path rejection, and Caddy write rejection. |
+| 2026-06-02 | RepoPrompt review with git compare `back:3` | Complete | Latest review findings incorporated locally: active Caddy now blocks only `2019/tcp` admin publishing while migration carry-over still drops Traefik-only `8080/8082`, safe reload preserves the original error if restore fails, remote trusted-proxy rollback stays server-scoped, application config cache call sites are statically guarded, and custom-certificate migration apply/rollback is covered. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/application-web-server-config-cache.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts __test__/caddy/setup.test.ts __test__/caddy/config.test.ts __test__/caddy/migration/apply-rollback.test.ts __test__/caddy/web-server-file-system-router.test.ts` | Passed | 6 files, 55 tests. Covers RepoPrompt review recommendations plus provider-aware remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 23 files, 149 tests after the latest RepoPrompt review and file-system UI hardening. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the latest RepoPrompt review and file-system UI hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm exec biome check --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` and `git diff --check` | Passed | Formatter/import checks and whitespace checks passed after the latest RepoPrompt review and file-system UI hardening. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/setup/caddy-setup.ts b/packages/server/src/setup/caddy-setup.ts
index 643df18460..ce00fee8a9 100644
--- a/packages/server/src/setup/caddy-setup.ts
+++ b/packages/server/src/setup/caddy-setup.ts
@@ -15,7 +15,11 @@ export const CADDY_PORT =
 export const CADDY_HTTP3_PORT =
 	Number.parseInt(process.env.CADDY_HTTP3_PORT ?? "", 10) || 443;
 export const CADDY_ADMIN_PORT = 2019;
-const CADDY_RESERVED_TCP_TARGET_PORTS = new Set([8080, 8082, CADDY_ADMIN_PORT]);
+const CADDY_TRAEFIK_CARRY_OVER_TCP_TARGET_PORTS = new Set([
+	8080,
+	8082,
+	CADDY_ADMIN_PORT,
+]);
 export const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
 
 export interface CaddyOptions {
@@ -32,16 +36,28 @@ export interface CaddyOptions {
 
 type CaddyAdditionalPort = NonNullable<CaddyOptions["additionalPorts"]>[number];
 
-export const isCaddyAdminPort = (port: CaddyAdditionalPort) =>
+export const isCaddyAdminAdditionalPort = (port: CaddyAdditionalPort) =>
 	port.targetPort === CADDY_ADMIN_PORT && (port.protocol ?? "tcp") === "tcp";
 
-export const isCaddyReservedAdditionalPort = (port: CaddyAdditionalPort) =>
-	CADDY_RESERVED_TCP_TARGET_PORTS.has(port.targetPort) &&
+export const isCaddyAdminPort = isCaddyAdminAdditionalPort;
+export const isCaddyReservedAdditionalPort = isCaddyAdminAdditionalPort;
+
+export const isTraefikCarryOverPortForCaddyMigration = (
+	port: CaddyAdditionalPort,
+) =>
+	CADDY_TRAEFIK_CARRY_OVER_TCP_TARGET_PORTS.has(port.targetPort) &&
 	(port.protocol ?? "tcp") === "tcp";
 
 export const filterCaddyAdditionalPorts = (
 	additionalPorts: CaddyOptions["additionalPorts"] = [],
-) => additionalPorts.filter((port) => !isCaddyReservedAdditionalPort(port));
+) => additionalPorts.filter((port) => !isCaddyAdminAdditionalPort(port));
+
+export const filterTraefikCarryOverPortsForCaddyMigration = (
+	additionalPorts: CaddyOptions["additionalPorts"] = [],
+) =>
+	additionalPorts.filter(
+		(port) => !isTraefikCarryOverPortForCaddyMigration(port),
+	);
 
 const getCaddyMounts = (serverId?: string) => {
 	const { CADDY_CONFIG_DIR_PATH, CADDY_DATA_PATH, MAIN_CADDY_PATH } = paths(
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index 10a819c50e..624c97507c 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -859,12 +859,20 @@ export const writeAndReloadCaddyConfigSafely = async (
 	try {
 		await reloadCaddyAfterValidation(options.serverId);
 	} catch (error) {
-		if (previousConfig) {
-			await writeCaddyConfigContent(previousConfig, options);
-		} else {
-			await writeCaddyConfigFile(compileCaddyConfig(), options);
+		try {
+			if (previousConfig) {
+				await writeCaddyConfigContent(previousConfig, options);
+			} else {
+				await writeCaddyConfigFile(compileCaddyConfig(), options);
+			}
+			await reloadCaddyAfterValidation(options.serverId);
+		} catch (restoreError) {
+			if (error instanceof Error) {
+				(error as Error & { restoreError?: unknown }).restoreError =
+					restoreError;
+			}
+			console.error("Failed to restore Caddy config:", restoreError);
 		}
-		await reloadCaddyAfterValidation(options.serverId);
 		throw error;
 	}
 };
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
index 5637c055fe..e59a20d233 100644
--- a/packages/server/src/utils/caddy/migration/apply.ts
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -14,7 +14,7 @@ import {
 	updateLocalWebServerProvider,
 	updateRemoteWebServerProvider,
 } from "@dokploy/server/services/web-server-settings";
-import { filterCaddyAdditionalPorts } from "@dokploy/server/setup/caddy-setup";
+import { filterTraefikCarryOverPortsForCaddyMigration } from "@dokploy/server/setup/caddy-setup";
 import {
 	reloadCaddyAfterValidation,
 	validateCaddyConfigFileWithImage,
@@ -390,7 +390,7 @@ const applyCaddyMigrationUnlocked = async (input: {
 					env: undefined,
 					additionalPorts: traefikRuntime.additionalPorts,
 				};
-		const caddyAdditionalPorts = filterCaddyAdditionalPorts(
+		const caddyAdditionalPorts = filterTraefikCarryOverPortsForCaddyMigration(
 			runtime.additionalPorts,
 		);
 		const droppedPorts = runtime.additionalPorts.filter(

From 2f8a69f1b4b9b9a5a75790f0a4e03dc1d48a5712 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Mon, 1 Jun 2026 23:53:05 -0400
Subject: [PATCH 19/37] fix: harden caddy request analytics

---
 apps/dokploy/__test__/caddy/config.test.ts    |   24 +
 .../caddy/migration/apply-rollback.test.ts    |   30 +
 .../caddy/request-log-cleanup.test.ts         |  101 +
 .../__test__/caddy/request-log-utils.test.ts  |   94 +
 .../caddy/request-logs-router.test.ts         |  339 +
 apps/dokploy/__test__/caddy/setup.test.ts     |   36 +
 .../server/update-server-config.test.ts       |    1 +
 .../file-system/show-traefik-system.tsx       |   18 +-
 .../dashboard/requests/show-requests.tsx      |   23 +-
 apps/dokploy/drizzle/0172_normal_gauntlet.sql |    1 +
 apps/dokploy/drizzle/meta/0172_snapshot.json  | 8377 +++++++++++++++++
 apps/dokploy/drizzle/meta/_journal.json       |    7 +
 apps/dokploy/server/api/routers/settings.ts   |  121 +-
 docs/caddy-provider-upstream-readiness.md     |   23 +-
 packages/server/src/constants/index.ts        |    2 +
 .../src/db/schema/web-server-settings.ts      |    2 +
 packages/server/src/services/settings.ts      |    2 +
 .../src/services/web-server-settings.ts       |    3 +
 packages/server/src/setup/caddy-setup.ts      |   10 +-
 .../server/src/utils/access-log/handler.ts    |   64 +-
 packages/server/src/utils/access-log/types.ts |   30 +-
 packages/server/src/utils/access-log/utils.ts |  148 +-
 packages/server/src/utils/caddy/config.ts     |   39 +
 .../server/src/utils/caddy/migration/apply.ts |    1 +
 .../server/src/utils/caddy/migration/types.ts |    2 +-
 packages/server/src/utils/caddy/types.ts      |    6 +
 26 files changed, 9430 insertions(+), 74 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/request-log-utils.test.ts
 create mode 100644 apps/dokploy/__test__/caddy/request-logs-router.test.ts
 create mode 100644 apps/dokploy/drizzle/0172_normal_gauntlet.sql
 create mode 100644 apps/dokploy/drizzle/meta/0172_snapshot.json

diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index 85fae27648..ba14031876 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -85,6 +85,30 @@ test("compiles explicit http and https servers with managed HTTPS redirect", ()
 	expect(servers.https.trusted_proxies).toBeUndefined();
 	expect(servers.http.client_ip_headers).toBeUndefined();
 	expect(servers.https.client_ip_headers).toBeUndefined();
+	expect((config as any).logging).toBeUndefined();
+	expect(servers.http.logs).toBeUndefined();
+	expect(servers.https.logs).toBeUndefined();
+});
+
+test("compiles Caddy access-log output when request analytics are enabled", () => {
+	const config = compileCaddyConfig({
+		routes: [route({ https: true })],
+		accessLogs: { enabled: true },
+	});
+
+	const servers = getServers(config);
+	expect(servers.http.logs).toEqual({});
+	expect(servers.https.logs).toEqual({});
+	expect((config as any).logging.logs["dokploy-requests"]).toEqual({
+		writer: {
+			output: "file",
+			filename: "/etc/caddy/access.log",
+		},
+		encoder: {
+			format: "json",
+		},
+		include: ["http.log.access"],
+	});
 });
 
 test("compiles Cloudflare trusted proxy settings with safe client IP headers", () => {
diff --git a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
index d5508ef27a..0e87695167 100644
--- a/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
+++ b/apps/dokploy/__test__/caddy/migration/apply-rollback.test.ts
@@ -335,6 +335,36 @@ describe("applyCaddyMigration", () => {
 		);
 	});
 
+	test("rejects apply when Caddy request-log compile settings changed after prepare", async () => {
+		const report = seedMigration("caddy-apply-stale-request-logs");
+		vi.mocked(providerService.getCaddyCompileSettings).mockResolvedValueOnce({
+			trustedProxies: null,
+			accessLogs: { enabled: true },
+		});
+
+		await expect(
+			applyCaddyMigration({ migrationId: report.migrationId }),
+		).rejects.toThrow("Caddy compile settings changed after prepare");
+
+		expect(
+			upstreamPreflight.runCaddyMigrationUpstreamPreflight,
+		).not.toHaveBeenCalled();
+		expect(settingsService.stopDockerResource).not.toHaveBeenCalled();
+		expect(settingsService.writeCaddySetup).not.toHaveBeenCalled();
+		const failedReport = JSON.parse(
+			vol.readFileSync(report.artifactPaths.reportJson, "utf8") as string,
+		) as CaddyMigrationReport;
+		expect(failedReport.status).toBe("failed");
+		expect(failedReport.warnings).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					code: "apply-failed",
+					message: expect.stringContaining("Caddy compile settings changed"),
+				}),
+			]),
+		);
+	});
+
 	test("rewrites the mounted Caddy config file in place after setup", async () => {
 		const report = seedMigration("caddy-apply-preserves-config-inode");
 		let mountedConfigFd: number | undefined;
diff --git a/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts b/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
new file mode 100644
index 0000000000..482da34ba6
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
@@ -0,0 +1,101 @@
+import { beforeEach, expect, test, vi } from "vitest";
+
+const existsSyncMock = vi.hoisted(() => vi.fn());
+const execAsyncMock = vi.hoisted(() => vi.fn());
+const getWebServerSettingsMock = vi.hoisted(() => vi.fn());
+const updateWebServerSettingsMock = vi.hoisted(() => vi.fn());
+const resolveWebServerProviderMock = vi.hoisted(() => vi.fn());
+const scheduleJobMock = vi.hoisted(() => vi.fn());
+const scheduledJobsMock = vi.hoisted(() => ({}) as Record<string, any>);
+let scheduledCallback: (() => Promise<void>) | undefined;
+
+vi.mock("node:fs", () => ({
+	default: {
+		existsSync: existsSyncMock,
+	},
+	existsSync: existsSyncMock,
+}));
+
+vi.mock("node-schedule", () => ({
+	scheduledJobs: scheduledJobsMock,
+	scheduleJob: scheduleJobMock,
+}));
+
+vi.mock("@dokploy/server/constants", () => ({
+	paths: () => ({
+		DYNAMIC_TRAEFIK_PATH: "/etc/dokploy/traefik/dynamic",
+		CADDY_ACCESS_LOG_PATH: "/etc/dokploy/caddy/access.log",
+	}),
+}));
+
+vi.mock("@dokploy/server/services/web-server-settings", () => ({
+	getWebServerSettings: getWebServerSettingsMock,
+	updateWebServerSettings: updateWebServerSettingsMock,
+	resolveWebServerProvider: resolveWebServerProviderMock,
+}));
+
+vi.mock("@dokploy/server/utils/process/execAsync", () => ({
+	execAsync: execAsyncMock,
+}));
+
+import { startLogCleanup } from "@dokploy/server/utils/access-log/handler";
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	for (const key of Object.keys(scheduledJobsMock)) {
+		delete scheduledJobsMock[key];
+	}
+	scheduledCallback = undefined;
+	existsSyncMock.mockReturnValue(true);
+	execAsyncMock.mockResolvedValue({ stdout: "", stderr: "" });
+	updateWebServerSettingsMock.mockResolvedValue({});
+	scheduleJobMock.mockImplementation((name, _cron, callback) => {
+		if (name === "access-log-cleanup") {
+			scheduledCallback = callback;
+		}
+		return { cancel: vi.fn() };
+	});
+});
+
+test("keeps Traefik access-log cleanup and signal behavior", async () => {
+	resolveWebServerProviderMock.mockResolvedValue("traefik");
+
+	await startLogCleanup("0 0 * * *");
+	await scheduledCallback?.();
+
+	expect(execAsyncMock).toHaveBeenNthCalledWith(
+		1,
+		"tail -n 1000 /etc/dokploy/traefik/dynamic/access.log > /etc/dokploy/traefik/dynamic/access.log.tmp && mv /etc/dokploy/traefik/dynamic/access.log.tmp /etc/dokploy/traefik/dynamic/access.log",
+	);
+	expect(execAsyncMock).toHaveBeenNthCalledWith(
+		2,
+		"docker exec dokploy-traefik kill -USR1 1",
+	);
+});
+
+test("cleans Caddy access logs without signaling Traefik", async () => {
+	resolveWebServerProviderMock.mockResolvedValue("caddy");
+
+	await startLogCleanup("0 0 * * *");
+	await scheduledCallback?.();
+
+	expect(execAsyncMock).toHaveBeenCalledTimes(1);
+	expect(execAsyncMock).toHaveBeenCalledWith(
+		"tail -n 1000 /etc/dokploy/caddy/access.log > /etc/dokploy/caddy/access.log.tmp && cat /etc/dokploy/caddy/access.log.tmp > /etc/dokploy/caddy/access.log && rm /etc/dokploy/caddy/access.log.tmp",
+	);
+	expect(execAsyncMock).not.toHaveBeenCalledWith(
+		"docker exec dokploy-traefik kill -USR1 1",
+	);
+});
+
+test("does not persist invalid cleanup cron schedules", async () => {
+	const existingCancel = vi.fn();
+	scheduledJobsMock["access-log-cleanup"] = { cancel: existingCancel };
+	scheduleJobMock.mockReturnValueOnce(null);
+
+	const result = await startLogCleanup("not a cron");
+
+	expect(result).toBe(false);
+	expect(existingCancel).not.toHaveBeenCalled();
+	expect(updateWebServerSettingsMock).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/__test__/caddy/request-log-utils.test.ts b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
new file mode 100644
index 0000000000..6512ad071a
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
@@ -0,0 +1,94 @@
+import { parseRawConfig, processLogs } from "@dokploy/server";
+import { expect, test } from "vitest";
+
+const caddyLogEntry = JSON.stringify({
+	level: "info",
+	ts: 1_724_603_677.306,
+	logger: "http.log.access",
+	msg: "handled request",
+	server_name: "http",
+	request: {
+		remote_ip: "192.0.2.10",
+		remote_port: "54321",
+		client_ip: "198.51.100.20",
+		proto: "HTTP/2.0",
+		method: "GET",
+		host: "app.example.com",
+		uri: "/dashboard?_rsc=1",
+		tls: {
+			resumed: false,
+		},
+		headers: {
+			"User-Agent": ["curl/8.0"],
+		},
+	},
+	bytes_read: 7,
+	duration: 0.014729375,
+	size: 1234,
+	status: 200,
+});
+
+const traefikLogEntry = `{"ClientAddr":"172.19.0.1:56732","ClientHost":"172.19.0.1","ClientPort":"56732","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":304,"Duration":14729375,"OriginContentSize":0,"OriginDuration":14051833,"OriginStatus":304,"Overhead":677542,"RequestAddr":"app.traefik.test","RequestContentSize":0,"RequestCount":122,"RequestHost":"app.traefik.test","RequestMethod":"GET","RequestPath":"/dashboard?_rsc=1rugv","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"app-router@docker","ServiceAddr":"10.0.1.15:3000","ServiceName":"app-service@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"10.0.1.15:3000","Path":"","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-08-25T04:34:37.306691884Z","StartUTC":"2024-08-25T04:34:37.306691884Z","entryPointName":"web","level":"info","msg":"","time":"2024-08-25T04:34:37Z"}`;
+
+test("normalizes Caddy JSON access logs into the Requests table shape", () => {
+	const result = parseRawConfig(caddyLogEntry);
+
+	expect(result.totalCount).toBe(1);
+	expect(result.data[0]).toMatchObject({
+		Provider: "caddy",
+		ClientAddr: "192.0.2.10:54321",
+		ClientHost: "198.51.100.20",
+		ClientPort: "54321",
+		DownstreamStatus: 200,
+		Duration: 14_729_375,
+		RequestHost: "app.example.com",
+		RequestMethod: "GET",
+		RequestPath: "/dashboard",
+		RequestPort: "443",
+		RequestProtocol: "HTTP/2.0",
+		RequestScheme: "https",
+		ServiceName: "http",
+		request_User_Agent: "curl/8.0",
+	});
+});
+
+test("filters and groups normalized Caddy request logs", () => {
+	const rawConfig = `${caddyLogEntry}\n${JSON.stringify({
+		...JSON.parse(caddyLogEntry),
+		ts: 1_724_607_277.306,
+		status: 404,
+		request: {
+			...JSON.parse(caddyLogEntry).request,
+			host: "api.example.com",
+			uri: "/missing",
+			tls: undefined,
+		},
+	})}`;
+
+	expect(
+		parseRawConfig(rawConfig, undefined, undefined, "app.example", ["success"])
+			.totalCount,
+	).toBe(1);
+	expect(
+		parseRawConfig(rawConfig, undefined, undefined, "api.example", ["client"])
+			.totalCount,
+	).toBe(1);
+	expect(
+		processLogs(rawConfig, {
+			start: "2024-08-25T16:00:00.000Z",
+			end: "2024-08-25T17:00:00.000Z",
+		}),
+	).toEqual([{ hour: "2024-08-25T16:00:00Z", count: 1 }]);
+});
+
+test("preserves existing Traefik request log parsing", () => {
+	const result = parseRawConfig(traefikLogEntry);
+
+	expect(result.totalCount).toBe(1);
+	expect(result.data[0]).toMatchObject({
+		Provider: "traefik",
+		RequestHost: "app.traefik.test",
+		DownstreamStatus: 304,
+		Duration: 14_729_375,
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/request-logs-router.test.ts b/apps/dokploy/__test__/caddy/request-logs-router.test.ts
new file mode 100644
index 0000000000..0b3a5cb576
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/request-logs-router.test.ts
@@ -0,0 +1,339 @@
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname, join } from "node:path";
+import { afterEach, beforeEach, expect, test, vi } from "vitest";
+
+const serverMocks = vi.hoisted(() => ({
+	applyCaddyMigration: vi.fn(),
+	checkGPUStatus: vi.fn(),
+	checkPortInUse: vi.fn(),
+	checkPostgresHealth: vi.fn(),
+	checkRedisHealth: vi.fn(),
+	checkWebServerHealth: vi.fn(),
+	cleanupAll: vi.fn(),
+	cleanupAllBackground: vi.fn(),
+	cleanupBuilders: vi.fn(),
+	cleanupContainers: vi.fn(),
+	cleanupImages: vi.fn(),
+	cleanupSystem: vi.fn(),
+	cleanupVolumes: vi.fn(),
+	compileAndWriteCaddyConfig: vi.fn(),
+	compileWriteAndReloadCaddyConfigSafely: vi.fn(),
+	execAsync: vi.fn(),
+	findServerById: vi.fn(),
+	getCaddyCompileSettings: vi.fn(),
+	getCaddyMigrationReport: vi.fn(),
+	getCaddyTrustedProxySettings: vi.fn(),
+	getDockerDiskUsage: vi.fn(),
+	getDokployImageTag: vi.fn(),
+	getLogCleanupStatus: vi.fn(),
+	getUpdateData: vi.fn(),
+	getWebServerPaths: vi.fn(),
+	getWebServerResourceName: vi.fn(),
+	getWebServerSettings: vi.fn(),
+	isCaddyAdminAdditionalPort: vi.fn(),
+	isCaddyReservedAdditionalPort: vi.fn(),
+	parseRawConfig: vi.fn(),
+	paths: vi.fn(),
+	prepareCaddyMigration: vi.fn(),
+	prepareEnvironmentVariables: vi.fn(),
+	processLogs: vi.fn(),
+	readCaddyConfigFileIfExists: vi.fn(),
+	readConfig: vi.fn(),
+	readConfigInPath: vi.fn(),
+	readDirectory: vi.fn(),
+	readEnvironmentVariables: vi.fn(),
+	readMainConfig: vi.fn(),
+	readMonitoringConfig: vi.fn(),
+	readPorts: vi.fn(),
+	recreateDirectory: vi.fn(),
+	reloadCaddyAfterValidation: vi.fn(),
+	reloadDockerResource: vi.fn(),
+	resolveWebServerProvider: vi.fn(),
+	rollbackCaddyMigration: vi.fn(),
+	sendDockerCleanupNotifications: vi.fn(),
+	setupGPUSupport: vi.fn(),
+	spawnAsync: vi.fn(),
+	startLogCleanup: vi.fn(),
+	stopLogCleanup: vi.fn(),
+	updateCaddyTrustedProxySettings: vi.fn(),
+	updateLetsEncryptEmail: vi.fn(),
+	updateLocalWebServerProvider: vi.fn(),
+	updateRemoteWebServerProvider: vi.fn(),
+	updateServerById: vi.fn(),
+	updateServerCaddy: vi.fn(),
+	updateServerTraefik: vi.fn(),
+	updateWebServerSettings: vi.fn(),
+	writeConfig: vi.fn(),
+	writeMainConfig: vi.fn(),
+	writeTraefikConfigInPath: vi.fn(),
+	writeTraefikSetup: vi.fn(),
+	writeWebServerSetup: vi.fn(),
+}));
+
+vi.mock("@dokploy/server", () => ({
+	...serverMocks,
+	CLEANUP_CRON_JOB: "cleanup",
+	DEFAULT_UPDATE_DATA: { latestVersion: null, updateAvailable: false },
+	IS_CLOUD: false,
+}));
+
+vi.mock("@dokploy/trpc-openapi", () => ({
+	generateOpenApiDocument: vi.fn(),
+}));
+
+vi.mock("@/server/api/root", () => ({
+	appRouter: {},
+}));
+
+vi.mock("@/server/api/utils/audit", () => ({
+	audit: vi.fn(),
+}));
+
+vi.mock("@/server/queues/queueSetup", () => ({
+	cleanAllDeploymentQueue: vi.fn(),
+}));
+
+vi.mock("@/server/utils/backup", () => ({
+	removeJob: vi.fn(),
+	schedule: vi.fn(),
+}));
+
+import {
+	checkPortInUse,
+	compileAndWriteCaddyConfig,
+	getCaddyCompileSettings,
+	getWebServerResourceName,
+	getWebServerSettings,
+	parseRawConfig,
+	paths,
+	prepareEnvironmentVariables,
+	processLogs,
+	readEnvironmentVariables,
+	readMainConfig,
+	readMonitoringConfig,
+	readPorts,
+	resolveWebServerProvider,
+	updateWebServerSettings,
+	writeMainConfig,
+	writeWebServerSetup,
+} from "@dokploy/server";
+import { settingsRouter } from "@/server/api/routers/settings";
+import { audit } from "@/server/api/utils/audit";
+
+const caller = settingsRouter.createCaller({
+	session: {
+		userId: "user-1",
+		activeOrganizationId: "org-1",
+	},
+	user: {
+		id: "user-1",
+		role: "owner",
+		ownerId: "user-1",
+		email: "owner@example.com",
+		enableEnterpriseFeatures: true,
+		isValidEnterpriseLicense: true,
+	},
+	req: { headers: {} },
+	res: {},
+} as never);
+
+const tempRoot = join(tmpdir(), "dokploy-caddy-request-logs-test");
+const caddyAccessLogPath = join(tempRoot, "caddy", "access.log");
+
+let requestLogsEnabled = false;
+
+beforeEach(() => {
+	vi.clearAllMocks();
+	rmSync(tempRoot, { recursive: true, force: true });
+	mkdirSync(dirname(caddyAccessLogPath), { recursive: true });
+	requestLogsEnabled = false;
+	vi.mocked(paths).mockReturnValue({
+		DYNAMIC_TRAEFIK_PATH: join(tempRoot, "traefik", "dynamic"),
+		CADDY_ACCESS_LOG_PATH: caddyAccessLogPath,
+	} as never);
+	vi.mocked(getWebServerResourceName).mockImplementation((provider) =>
+		provider === "caddy" ? "dokploy-caddy" : "dokploy-traefik",
+	);
+	vi.mocked(getWebServerSettings).mockImplementation(
+		async () => ({ requestLogsEnabled }) as never,
+	);
+	vi.mocked(updateWebServerSettings).mockImplementation(async (updates) => {
+		if ("requestLogsEnabled" in updates) {
+			requestLogsEnabled = Boolean(updates.requestLogsEnabled);
+		}
+		return { requestLogsEnabled } as never;
+	});
+	vi.mocked(getCaddyCompileSettings).mockImplementation(async () => ({
+		letsEncryptEmail: "ops@example.com",
+		accessLogs: requestLogsEnabled ? { enabled: true } : null,
+	}));
+	vi.mocked(compileAndWriteCaddyConfig).mockResolvedValue({} as never);
+	vi.mocked(checkPortInUse).mockResolvedValue({ isInUse: false } as never);
+	vi.mocked(readEnvironmentVariables).mockResolvedValue("CADDY_ENV=1");
+	vi.mocked(prepareEnvironmentVariables).mockReturnValue(["CADDY_ENV=1"]);
+	vi.mocked(readPorts).mockResolvedValue([
+		{ targetPort: 80, publishedPort: 80, protocol: "tcp" },
+	] as never);
+	vi.mocked(writeWebServerSetup).mockResolvedValue(undefined as never);
+	vi.mocked(readMainConfig).mockReturnValue("entryPoints: {}\n");
+	vi.mocked(readMonitoringConfig).mockResolvedValue("traefik-log\n");
+	vi.mocked(parseRawConfig).mockReturnValue({
+		data: [],
+		totalCount: 1,
+	} as never);
+	vi.mocked(processLogs).mockReturnValue([
+		{ hour: "2026-06-02T00:00:00Z", count: 1 },
+	] as never);
+});
+
+afterEach(() => {
+	rmSync(tempRoot, { recursive: true, force: true });
+});
+
+test("keeps Traefik request toggles on the existing Traefik YAML path", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+
+	await caller.toggleRequests({ enable: true });
+
+	expect(writeMainConfig).toHaveBeenCalledWith(
+		expect.stringContaining("/etc/dokploy/traefik/dynamic/access.log"),
+	);
+	expect(compileAndWriteCaddyConfig).not.toHaveBeenCalled();
+	expect(audit).toHaveBeenCalledWith(
+		expect.anything(),
+		expect.objectContaining({ resourceName: "toggle-requests" }),
+	);
+});
+
+test("reports Caddy request analytics state from persisted settings", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	requestLogsEnabled = true;
+
+	const state = await caller.getRequestAnalyticsState();
+
+	expect(state).toEqual({
+		provider: "caddy",
+		enabled: true,
+		reloadResourceName: "dokploy-caddy",
+		accessLogPath: caddyAccessLogPath,
+	});
+	expect(readMainConfig).not.toHaveBeenCalled();
+});
+
+test("toggles Caddy request logs without writing Traefik main config", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await caller.toggleRequests({ enable: true });
+
+	expect(updateWebServerSettings).toHaveBeenCalledWith({
+		requestLogsEnabled: true,
+	});
+	expect(getCaddyCompileSettings).toHaveBeenCalledWith();
+	expect(compileAndWriteCaddyConfig).toHaveBeenCalledWith({
+		letsEncryptEmail: "ops@example.com",
+		accessLogs: { enabled: true },
+	});
+	expect(writeMainConfig).not.toHaveBeenCalled();
+	expect(requestLogsEnabled).toBe(true);
+});
+
+test("preserves Caddy request-log settings when rewriting web-server setup", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	requestLogsEnabled = true;
+
+	await caller.writeWebServerEnv({ env: "CADDY_ENV=1" });
+
+	expect(writeWebServerSetup).toHaveBeenCalledWith(
+		"caddy",
+		expect.objectContaining({
+			env: ["CADDY_ENV=1"],
+			additionalPorts: [{ targetPort: 80, publishedPort: 80, protocol: "tcp" }],
+			letsEncryptEmail: "ops@example.com",
+			accessLogs: { enabled: true },
+		}),
+	);
+
+	vi.mocked(writeWebServerSetup).mockClear();
+	await caller.updateWebServerPorts({
+		additionalPorts: [
+			{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+		],
+	});
+
+	expect(checkPortInUse).toHaveBeenCalledWith(9000, undefined);
+	expect(writeWebServerSetup).toHaveBeenCalledWith(
+		"caddy",
+		expect.objectContaining({
+			env: ["CADDY_ENV=1"],
+			additionalPorts: [
+				{ targetPort: 9000, publishedPort: 9000, protocol: "tcp" },
+			],
+			letsEncryptEmail: "ops@example.com",
+			accessLogs: { enabled: true },
+		}),
+	);
+});
+
+test("restores Caddy request-log setting when generated config write fails", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	requestLogsEnabled = true;
+	vi.mocked(compileAndWriteCaddyConfig).mockRejectedValueOnce(
+		new Error("caddy write failed") as never,
+	);
+
+	await expect(caller.toggleRequests({ enable: false })).rejects.toThrow(
+		"caddy write failed",
+	);
+
+	expect(updateWebServerSettings).toHaveBeenNthCalledWith(1, {
+		requestLogsEnabled: false,
+	});
+	expect(updateWebServerSettings).toHaveBeenNthCalledWith(2, {
+		requestLogsEnabled: true,
+	});
+	expect(requestLogsEnabled).toBe(true);
+	expect(audit).not.toHaveBeenCalled();
+});
+
+test("reads Caddy request stats from the Caddy access-log path", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	writeFileSync(caddyAccessLogPath, '{"caddy":true}\n');
+
+	const logs = await caller.readStatsLogs({
+		page: { pageIndex: 0, pageSize: 10 },
+	});
+	const stats = await caller.readStats();
+
+	expect(readMonitoringConfig).not.toHaveBeenCalled();
+	expect(parseRawConfig).toHaveBeenCalledWith(
+		'{"caddy":true}\n',
+		{ pageIndex: 0, pageSize: 10 },
+		undefined,
+		undefined,
+		undefined,
+		undefined,
+	);
+	expect(processLogs).toHaveBeenCalledWith('{"caddy":true}\n', undefined);
+	expect(logs.totalCount).toBe(1);
+	expect(stats).toEqual([{ hour: "2026-06-02T00:00:00Z", count: 1 }]);
+});
+
+test("reads the latest Caddy request log entries for paginated stats", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	writeFileSync(
+		caddyAccessLogPath,
+		Array.from({ length: 501 }, (_, index) =>
+			JSON.stringify({ caddy: true, index }),
+		).join("\n"),
+	);
+
+	await caller.readStatsLogs({
+		page: { pageIndex: 0, pageSize: 10 },
+	});
+
+	const rawLog = vi.mocked(parseRawConfig).mock.calls[0]?.[0] as string;
+	expect(rawLog.split("\n").filter(Boolean)).toHaveLength(500);
+	expect(rawLog).not.toContain('"index":0');
+	expect(rawLog).toContain('"index":500');
+});
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
index 1151d904f1..bb03392e69 100644
--- a/apps/dokploy/__test__/caddy/setup.test.ts
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -127,6 +127,38 @@ describe("Caddy runtime setup", () => {
 		]);
 	});
 
+	test("passes access-log settings into standalone Caddy config generation", async () => {
+		const createContainer = vi.fn();
+		const start = vi.fn();
+		const remove = vi.fn().mockRejectedValue(new Error("missing"));
+		const docker = {
+			pull: vi.fn(
+				(_imageName: string, callback: (error: Error | null) => void) => {
+					callback(null);
+				},
+			),
+			modem: { followProgress: vi.fn() },
+			createContainer,
+			getContainer: vi.fn(() => ({ remove, start })),
+		};
+		getRemoteDockerMock.mockResolvedValue(docker);
+		ensureDefaultCaddyConfigMock.mockResolvedValue(undefined);
+		validateCaddyConfigWithContainerMock.mockResolvedValue(undefined);
+		const { initializeStandaloneCaddy } = await loadCaddySetup();
+
+		await initializeStandaloneCaddy({
+			letsEncryptEmail: "ops@example.com",
+			accessLogs: { enabled: true },
+		});
+
+		expect(ensureDefaultCaddyConfigMock).toHaveBeenCalledWith(
+			expect.objectContaining({
+				letsEncryptEmail: "ops@example.com",
+				accessLogs: { enabled: true },
+			}),
+		);
+	});
+
 	test("does not publish the Caddy admin port for Caddy services", async () => {
 		const createService = vi.fn();
 		const docker = {
@@ -146,6 +178,7 @@ describe("Caddy runtime setup", () => {
 		const { initializeCaddyService } = await loadCaddySetup();
 
 		await initializeCaddyService({
+			accessLogs: { enabled: true },
 			additionalPorts: [
 				{ targetPort: 2019, publishedPort: 2019, protocol: "tcp" },
 				{ targetPort: 8080, publishedPort: 18080, protocol: "tcp" },
@@ -179,5 +212,8 @@ describe("Caddy runtime setup", () => {
 				}),
 			]),
 		);
+		expect(ensureDefaultCaddyConfigMock).toHaveBeenCalledWith(
+			expect.objectContaining({ accessLogs: { enabled: true } }),
+		);
 	});
 });
diff --git a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
index 85beddfc8a..562111b723 100644
--- a/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
+++ b/apps/dokploy/__test__/traefik/server/update-server-config.test.ts
@@ -21,6 +21,7 @@ const baseSettings: WebServerSettings = {
 	webServerProvider: "traefik",
 	caddyTrustedProxyConfig: null,
 	https: false,
+	requestLogsEnabled: false,
 	certificateType: "none",
 	host: null,
 	serverIp: null,
diff --git a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
index 62410d6ee5..f1cb01a0df 100644
--- a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
+++ b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
@@ -18,13 +18,19 @@ interface Props {
 }
 export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 	const [file, setFile] = React.useState<null | string>(null);
+	const { data: resolvedProvider } =
+		api.settings.getActiveWebServerProvider.useQuery(
+			{ serverId },
+			{ enabled: !activeProvider },
+		);
+	const provider = activeProvider ?? resolvedProvider;
 	const providerLabel =
-		activeProvider === "caddy"
+		provider === "caddy"
 			? "Caddy"
-			: activeProvider === "traefik"
+			: provider === "traefik"
 				? "Traefik"
 				: "Web Server";
-	const isCaddy = activeProvider === "caddy";
+	const isCaddy = provider === "caddy";
 
 	React.useEffect(() => {
 		setFile(null);
@@ -32,7 +38,7 @@ export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 
 	React.useEffect(() => {
 		setFile(null);
-	}, [activeProvider]);
+	}, [provider]);
 
 	const {
 		data: directories,
@@ -60,7 +66,7 @@ export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 						<CardDescription>
 							{isCaddy
 								? "Review generated Caddy artifacts such as caddy.json, route fragments, and non-backup migration artifacts."
-								: activeProvider === "traefik"
+								: provider === "traefik"
 									? "Manage files and directories for the active Traefik web server."
 									: "Review files and directories for the active web server."}
 						</CardDescription>
@@ -110,7 +116,7 @@ export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 												<ShowTraefikFile
 													path={file}
 													serverId={serverId}
-													activeProvider={activeProvider}
+													activeProvider={provider}
 												/>
 											) : (
 												<div className="h-full w-full flex-col gap-2 flex items-center justify-center">
diff --git a/apps/dokploy/components/dashboard/requests/show-requests.tsx b/apps/dokploy/components/dashboard/requests/show-requests.tsx
index cc4f1764a0..0213b27263 100644
--- a/apps/dokploy/components/dashboard/requests/show-requests.tsx
+++ b/apps/dokploy/components/dashboard/requests/show-requests.tsx
@@ -41,10 +41,13 @@ export type LogEntry = NonNullable<
 >[0];
 
 export const ShowRequests = () => {
-	const { data: isActive, refetch } =
-		api.settings.haveActivateRequests.useQuery();
+	const { data: requestAnalyticsState, refetch } =
+		api.settings.getRequestAnalyticsState.useQuery();
 	const { mutateAsync: toggleRequests } =
 		api.settings.toggleRequests.useMutation();
+	const isActive = requestAnalyticsState?.enabled ?? false;
+	const providerLabel =
+		requestAnalyticsState?.provider === "caddy" ? "Caddy" : "Traefik";
 
 	const { data: logCleanupStatus } =
 		api.settings.getLogCleanupStatus.useQuery();
@@ -101,13 +104,13 @@ export const ShowRequests = () => {
 								Requests
 							</CardTitle>
 							<CardDescription>
-								See all the incoming requests that pass trough Traefik
+								See incoming requests handled by the active web server.
 							</CardDescription>
 
 							{shouldShowWarning && (
 								<AlertBlock type="warning">
-									When you activate, you need to reload traefik to apply the
-									changes, you can reload traefik in{" "}
+									After activation, reload {providerLabel} to apply access-log
+									changes. You can reload the active web server in{" "}
 									<Link
 										href="/dashboard/settings/server"
 										className="text-primary"
@@ -133,8 +136,8 @@ export const ShowRequests = () => {
 													<p className="max-w-80">
 														At the scheduled time, the cleanup job will keep
 														only the last 1000 entries in the access log file
-														and signal Traefik to reopen its log files. The
-														default schedule is daily at midnight (0 0 * * *).
+														for the active web server. The default schedule is
+														daily at midnight (0 0 * * *).
 													</p>
 												</TooltipContent>
 											</Tooltip>
@@ -174,7 +177,7 @@ export const ShowRequests = () => {
 								</div>
 								<DialogAction
 									title={isActive ? "Deactivate Requests" : "Activate Requests"}
-									description="You will also need to restart Traefik to apply the changes"
+									description={`You will also need to reload ${providerLabel} to apply the changes`}
 									type={isActive ? "destructive" : "default"}
 									onClick={async () => {
 										await toggleRequests({ enable: !isActive })
@@ -256,8 +259,8 @@ export const ShowRequests = () => {
 										</h3>
 										<p className="text-sm max-w-md">
 											Activate requests to see incoming traffic statistics and
-											monitor your application's usage. After activation, you'll
-											need to reload Traefik for the changes to take effect.
+											monitor your application's usage. After activation, reload
+											the active web server for the changes to take effect.
 										</p>
 									</div>
 								</div>
diff --git a/apps/dokploy/drizzle/0172_normal_gauntlet.sql b/apps/dokploy/drizzle/0172_normal_gauntlet.sql
new file mode 100644
index 0000000000..aebd384685
--- /dev/null
+++ b/apps/dokploy/drizzle/0172_normal_gauntlet.sql
@@ -0,0 +1 @@
+ALTER TABLE "webServerSettings" ADD COLUMN "requestLogsEnabled" boolean DEFAULT false NOT NULL;
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/0172_snapshot.json b/apps/dokploy/drizzle/meta/0172_snapshot.json
new file mode 100644
index 0000000000..e1742b117e
--- /dev/null
+++ b/apps/dokploy/drizzle/meta/0172_snapshot.json
@@ -0,0 +1,8377 @@
+{
+  "id": "364132ca-1f0c-4dc5-8827-daf5f4c6cc2c",
+  "prevId": "99b3eb38-5993-4945-a6ae-46e791e23c57",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.account": {
+      "name": "account",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "account_id": {
+          "name": "account_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "id_token": {
+          "name": "id_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token_expires_at": {
+          "name": "access_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token_expires_at": {
+          "name": "refresh_token_expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scope": {
+          "name": "scope",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is2FAEnabled": {
+          "name": "is2FAEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resetPasswordToken": {
+          "name": "resetPasswordToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resetPasswordExpiresAt": {
+          "name": "resetPasswordExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationToken": {
+          "name": "confirmationToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "confirmationExpiresAt": {
+          "name": "confirmationExpiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "account_user_id_user_id_fk": {
+          "name": "account_user_id_user_id_fk",
+          "tableFrom": "account",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.apikey": {
+      "name": "apikey",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "start": {
+          "name": "start",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "key": {
+          "name": "key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "config_id": {
+          "name": "config_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'default'"
+        },
+        "reference_id": {
+          "name": "reference_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "refill_interval": {
+          "name": "refill_interval",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refill_amount": {
+          "name": "refill_amount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_refill_at": {
+          "name": "last_refill_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_enabled": {
+          "name": "rate_limit_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_time_window": {
+          "name": "rate_limit_time_window",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rate_limit_max": {
+          "name": "rate_limit_max",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "request_count": {
+          "name": "request_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "remaining": {
+          "name": "remaining",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "last_request": {
+          "name": "last_request",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permissions": {
+          "name": "permissions",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "apikey_reference_id_user_id_fk": {
+          "name": "apikey_reference_id_user_id_fk",
+          "tableFrom": "apikey",
+          "tableTo": "user",
+          "columnsFrom": [
+            "reference_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.invitation": {
+      "name": "invitation",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "inviter_id": {
+          "name": "inviter_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "invitation_organization_id_organization_id_fk": {
+          "name": "invitation_organization_id_organization_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "invitation_inviter_id_user_id_fk": {
+          "name": "invitation_inviter_id_user_id_fk",
+          "tableFrom": "invitation",
+          "tableTo": "user",
+          "columnsFrom": [
+            "inviter_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.member": {
+      "name": "member",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "team_id": {
+          "name": "team_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "is_default": {
+          "name": "is_default",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateProjects": {
+          "name": "canCreateProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToSSHKeys": {
+          "name": "canAccessToSSHKeys",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateServices": {
+          "name": "canCreateServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteProjects": {
+          "name": "canDeleteProjects",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteServices": {
+          "name": "canDeleteServices",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToDocker": {
+          "name": "canAccessToDocker",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToAPI": {
+          "name": "canAccessToAPI",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToGitProviders": {
+          "name": "canAccessToGitProviders",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canAccessToTraefikFiles": {
+          "name": "canAccessToTraefikFiles",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canDeleteEnvironments": {
+          "name": "canDeleteEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "canCreateEnvironments": {
+          "name": "canCreateEnvironments",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "accesedProjects": {
+          "name": "accesedProjects",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedEnvironments": {
+          "name": "accessedEnvironments",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accesedServices": {
+          "name": "accesedServices",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedGitProviders": {
+          "name": "accessedGitProviders",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        },
+        "accessedServers": {
+          "name": "accessedServers",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "member_organization_id_organization_id_fk": {
+          "name": "member_organization_id_organization_id_fk",
+          "tableFrom": "member",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "member_user_id_user_id_fk": {
+          "name": "member_user_id_user_id_fk",
+          "tableFrom": "member",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization": {
+      "name": "organization",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slug": {
+          "name": "slug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "logo": {
+          "name": "logo",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner_id": {
+          "name": "owner_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "organization_owner_id_user_id_fk": {
+          "name": "organization_owner_id_user_id_fk",
+          "tableFrom": "organization",
+          "tableTo": "user",
+          "columnsFrom": [
+            "owner_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "organization_slug_unique": {
+          "name": "organization_slug_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "slug"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.organization_role": {
+      "name": "organization_role",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permission": {
+          "name": "permission",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "organizationRole_organizationId_idx": {
+          "name": "organizationRole_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "organizationRole_role_idx": {
+          "name": "organizationRole_role_idx",
+          "columns": [
+            {
+              "expression": "role",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "organization_role_organization_id_organization_id_fk": {
+          "name": "organization_role_organization_id_organization_id_fk",
+          "tableFrom": "organization_role",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.two_factor": {
+      "name": "two_factor",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "backup_codes": {
+          "name": "backup_codes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "two_factor_user_id_user_id_fk": {
+          "name": "two_factor_user_id_user_id_fk",
+          "tableFrom": "two_factor",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.verification": {
+      "name": "verification",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "identifier": {
+          "name": "identifier",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "value": {
+          "name": "value",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ai": {
+      "name": "ai",
+      "schema": "",
+      "columns": {
+        "aiId": {
+          "name": "aiId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiUrl": {
+          "name": "apiUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "model": {
+          "name": "model",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isEnabled": {
+          "name": "isEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ai_organizationId_organization_id_fk": {
+          "name": "ai_organizationId_organization_id_fk",
+          "tableFrom": "ai",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.application": {
+      "name": "application",
+      "schema": "",
+      "columns": {
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewEnv": {
+          "name": "previewEnv",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildArgs": {
+          "name": "previewBuildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewBuildSecrets": {
+          "name": "previewBuildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLabels": {
+          "name": "previewLabels",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewWildcard": {
+          "name": "previewWildcard",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewPort": {
+          "name": "previewPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "previewHttps": {
+          "name": "previewHttps",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "previewPath": {
+          "name": "previewPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "previewCustomCertResolver": {
+          "name": "previewCustomCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewLimit": {
+          "name": "previewLimit",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3
+        },
+        "isPreviewDeploymentsActive": {
+          "name": "isPreviewDeploymentsActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewRequireCollaboratorPermissions": {
+          "name": "previewRequireCollaboratorPermissions",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": true
+        },
+        "rollbackActive": {
+          "name": "rollbackActive",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "buildArgs": {
+          "name": "buildArgs",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildSecrets": {
+          "name": "buildSecrets",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "subtitle": {
+          "name": "subtitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "icon": {
+          "name": "icon",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "cleanCache": {
+          "name": "cleanCache",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildPath": {
+          "name": "buildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBuildPath": {
+          "name": "gitlabBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBuildPath": {
+          "name": "giteaBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBuildPath": {
+          "name": "bitbucketBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBuildPath": {
+          "name": "customGitBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerfile": {
+          "name": "dockerfile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'Dockerfile'"
+        },
+        "dockerContextPath": {
+          "name": "dockerContextPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerBuildStage": {
+          "name": "dockerBuildStage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dropBuildPath": {
+          "name": "dropBuildPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "buildType": {
+          "name": "buildType",
+          "type": "buildType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'nixpacks'"
+        },
+        "railpackVersion": {
+          "name": "railpackVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0.15.4'"
+        },
+        "herokuVersion": {
+          "name": "herokuVersion",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'24'"
+        },
+        "publishDirectory": {
+          "name": "publishDirectory",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isStaticSpa": {
+          "name": "isStaticSpa",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createEnvFile": {
+          "name": "createEnvFile",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackRegistryId": {
+          "name": "rollbackRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildRegistryId": {
+          "name": "buildRegistryId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "application_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "application_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "application",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_registryId_registry_registryId_fk": {
+          "name": "application_registryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "registryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_rollbackRegistryId_registry_registryId_fk": {
+          "name": "application_rollbackRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "rollbackRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_environmentId_environment_environmentId_fk": {
+          "name": "application_environmentId_environment_environmentId_fk",
+          "tableFrom": "application",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_githubId_github_githubId_fk": {
+          "name": "application_githubId_github_githubId_fk",
+          "tableFrom": "application",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_gitlabId_gitlab_gitlabId_fk": {
+          "name": "application_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_giteaId_gitea_giteaId_fk": {
+          "name": "application_giteaId_gitea_giteaId_fk",
+          "tableFrom": "application",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "application_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "application",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_serverId_server_serverId_fk": {
+          "name": "application_serverId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "application_buildServerId_server_serverId_fk": {
+          "name": "application_buildServerId_server_serverId_fk",
+          "tableFrom": "application",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "application_buildRegistryId_registry_registryId_fk": {
+          "name": "application_buildRegistryId_registry_registryId_fk",
+          "tableFrom": "application",
+          "tableTo": "registry",
+          "columnsFrom": [
+            "buildRegistryId"
+          ],
+          "columnsTo": [
+            "registryId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "application_appName_unique": {
+          "name": "application_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.audit_log": {
+      "name": "audit_log",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_email": {
+          "name": "user_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_role": {
+          "name": "user_role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "action": {
+          "name": "action",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_type": {
+          "name": "resource_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "resource_id": {
+          "name": "resource_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resource_name": {
+          "name": "resource_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "auditLog_organizationId_idx": {
+          "name": "auditLog_organizationId_idx",
+          "columns": [
+            {
+              "expression": "organization_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_userId_idx": {
+          "name": "auditLog_userId_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "auditLog_createdAt_idx": {
+          "name": "auditLog_createdAt_idx",
+          "columns": [
+            {
+              "expression": "created_at",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "audit_log_organization_id_organization_id_fk": {
+          "name": "audit_log_organization_id_organization_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "audit_log_user_id_user_id_fk": {
+          "name": "audit_log_user_id_user_id_fk",
+          "tableFrom": "audit_log",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.backup": {
+      "name": "backup",
+      "schema": "",
+      "columns": {
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "schedule": {
+          "name": "schedule",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "database": {
+          "name": "database",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupType": {
+          "name": "backupType",
+          "type": "backupType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'database'"
+        },
+        "databaseType": {
+          "name": "databaseType",
+          "type": "databaseType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metadata": {
+          "name": "metadata",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "backup_destinationId_destination_destinationId_fk": {
+          "name": "backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_composeId_compose_composeId_fk": {
+          "name": "backup_composeId_compose_composeId_fk",
+          "tableFrom": "backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_postgresId_postgres_postgresId_fk": {
+          "name": "backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_mongoId_mongo_mongoId_fk": {
+          "name": "backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "backup_userId_user_id_fk": {
+          "name": "backup_userId_user_id_fk",
+          "tableFrom": "backup",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "backup_appName_unique": {
+          "name": "backup_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.bitbucket": {
+      "name": "bitbucket",
+      "schema": "",
+      "columns": {
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "bitbucketUsername": {
+          "name": "bitbucketUsername",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketEmail": {
+          "name": "bitbucketEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "appPassword": {
+          "name": "appPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketWorkspaceName": {
+          "name": "bitbucketWorkspaceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "bitbucket_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "bitbucket_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "bitbucket",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.certificate": {
+      "name": "certificate",
+      "schema": "",
+      "columns": {
+        "certificateId": {
+          "name": "certificateId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificateData": {
+          "name": "certificateData",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "certificatePath": {
+          "name": "certificatePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "autoRenew": {
+          "name": "autoRenew",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "certificate_organizationId_organization_id_fk": {
+          "name": "certificate_organizationId_organization_id_fk",
+          "tableFrom": "certificate",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "certificate_serverId_server_serverId_fk": {
+          "name": "certificate_serverId_server_serverId_fk",
+          "tableFrom": "certificate",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "certificate_certificatePath_unique": {
+          "name": "certificate_certificatePath_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "certificatePath"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.compose": {
+      "name": "compose",
+      "schema": "",
+      "columns": {
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeFile": {
+          "name": "composeFile",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "refreshToken": {
+          "name": "refreshToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sourceType": {
+          "name": "sourceType",
+          "type": "sourceTypeCompose",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "composeType": {
+          "name": "composeType",
+          "type": "composeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'docker-compose'"
+        },
+        "repository": {
+          "name": "repository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "owner": {
+          "name": "owner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "autoDeploy": {
+          "name": "autoDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabProjectId": {
+          "name": "gitlabProjectId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabRepository": {
+          "name": "gitlabRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabOwner": {
+          "name": "gitlabOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabBranch": {
+          "name": "gitlabBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabPathNamespace": {
+          "name": "gitlabPathNamespace",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepository": {
+          "name": "bitbucketRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketRepositorySlug": {
+          "name": "bitbucketRepositorySlug",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketOwner": {
+          "name": "bitbucketOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketBranch": {
+          "name": "bitbucketBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaRepository": {
+          "name": "giteaRepository",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaOwner": {
+          "name": "giteaOwner",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaBranch": {
+          "name": "giteaBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitUrl": {
+          "name": "customGitUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitBranch": {
+          "name": "customGitBranch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customGitSSHKeyId": {
+          "name": "customGitSSHKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "enableSubmodules": {
+          "name": "enableSubmodules",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "composePath": {
+          "name": "composePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'./docker-compose.yml'"
+        },
+        "suffix": {
+          "name": "suffix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "randomize": {
+          "name": "randomize",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeployment": {
+          "name": "isolatedDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isolatedDeploymentsVolume": {
+          "name": "isolatedDeploymentsVolume",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "triggerType": {
+          "name": "triggerType",
+          "type": "triggerType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'push'"
+        },
+        "composeStatus": {
+          "name": "composeStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "watchPaths": {
+          "name": "watchPaths",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bitbucketId": {
+          "name": "bitbucketId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk": {
+          "name": "compose_customGitSSHKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "compose",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "customGitSSHKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_environmentId_environment_environmentId_fk": {
+          "name": "compose_environmentId_environment_environmentId_fk",
+          "tableFrom": "compose",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "compose_githubId_github_githubId_fk": {
+          "name": "compose_githubId_github_githubId_fk",
+          "tableFrom": "compose",
+          "tableTo": "github",
+          "columnsFrom": [
+            "githubId"
+          ],
+          "columnsTo": [
+            "githubId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_gitlabId_gitlab_gitlabId_fk": {
+          "name": "compose_gitlabId_gitlab_gitlabId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitlab",
+          "columnsFrom": [
+            "gitlabId"
+          ],
+          "columnsTo": [
+            "gitlabId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_bitbucketId_bitbucket_bitbucketId_fk": {
+          "name": "compose_bitbucketId_bitbucket_bitbucketId_fk",
+          "tableFrom": "compose",
+          "tableTo": "bitbucket",
+          "columnsFrom": [
+            "bitbucketId"
+          ],
+          "columnsTo": [
+            "bitbucketId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_giteaId_gitea_giteaId_fk": {
+          "name": "compose_giteaId_gitea_giteaId_fk",
+          "tableFrom": "compose",
+          "tableTo": "gitea",
+          "columnsFrom": [
+            "giteaId"
+          ],
+          "columnsTo": [
+            "giteaId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        },
+        "compose_serverId_server_serverId_fk": {
+          "name": "compose_serverId_server_serverId_fk",
+          "tableFrom": "compose",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.deployment": {
+      "name": "deployment",
+      "schema": "",
+      "columns": {
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "title": {
+          "name": "title",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "status": {
+          "name": "status",
+          "type": "deploymentStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'running'"
+        },
+        "logPath": {
+          "name": "logPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pid": {
+          "name": "pid",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isPreviewDeployment": {
+          "name": "isPreviewDeployment",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "startedAt": {
+          "name": "startedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "finishedAt": {
+          "name": "finishedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "errorMessage": {
+          "name": "errorMessage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "backupId": {
+          "name": "backupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "buildServerId": {
+          "name": "buildServerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "deployment_applicationId_application_applicationId_fk": {
+          "name": "deployment_applicationId_application_applicationId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_composeId_compose_composeId_fk": {
+          "name": "deployment_composeId_compose_composeId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_serverId_server_serverId_fk": {
+          "name": "deployment_serverId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "deployment_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_scheduleId_schedule_scheduleId_fk": {
+          "name": "deployment_scheduleId_schedule_scheduleId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "schedule",
+          "columnsFrom": [
+            "scheduleId"
+          ],
+          "columnsTo": [
+            "scheduleId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_backupId_backup_backupId_fk": {
+          "name": "deployment_backupId_backup_backupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "backup",
+          "columnsFrom": [
+            "backupId"
+          ],
+          "columnsTo": [
+            "backupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_rollbackId_rollback_rollbackId_fk": {
+          "name": "deployment_rollbackId_rollback_rollbackId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "rollback",
+          "columnsFrom": [
+            "rollbackId"
+          ],
+          "columnsTo": [
+            "rollbackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_volumeBackupId_volume_backup_volumeBackupId_fk": {
+          "name": "deployment_volumeBackupId_volume_backup_volumeBackupId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "volume_backup",
+          "columnsFrom": [
+            "volumeBackupId"
+          ],
+          "columnsTo": [
+            "volumeBackupId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "deployment_buildServerId_server_serverId_fk": {
+          "name": "deployment_buildServerId_server_serverId_fk",
+          "tableFrom": "deployment",
+          "tableTo": "server",
+          "columnsFrom": [
+            "buildServerId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.destination": {
+      "name": "destination",
+      "schema": "",
+      "columns": {
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "provider": {
+          "name": "provider",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "accessKey": {
+          "name": "accessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "secretAccessKey": {
+          "name": "secretAccessKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "bucket": {
+          "name": "bucket",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "region": {
+          "name": "region",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "additionalFlags": {
+          "name": "additionalFlags",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "destination_organizationId_organization_id_fk": {
+          "name": "destination_organizationId_organization_id_fk",
+          "tableFrom": "destination",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.domain": {
+      "name": "domain",
+      "schema": "",
+      "columns": {
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "default": 3000
+        },
+        "customEntrypoint": {
+          "name": "customEntrypoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "path": {
+          "name": "path",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domainType": {
+          "name": "domainType",
+          "type": "domainType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'application'"
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customCertResolver": {
+          "name": "customCertResolver",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "internalPath": {
+          "name": "internalPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'/'"
+        },
+        "stripPath": {
+          "name": "stripPath",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "middlewares": {
+          "name": "middlewares",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "domain_composeId_compose_composeId_fk": {
+          "name": "domain_composeId_compose_composeId_fk",
+          "tableFrom": "domain",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_applicationId_application_applicationId_fk": {
+          "name": "domain_applicationId_application_applicationId_fk",
+          "tableFrom": "domain",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk": {
+          "name": "domain_previewDeploymentId_preview_deployments_previewDeploymentId_fk",
+          "tableFrom": "domain",
+          "tableTo": "preview_deployments",
+          "columnsFrom": [
+            "previewDeploymentId"
+          ],
+          "columnsTo": [
+            "previewDeploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.environment": {
+      "name": "environment",
+      "schema": "",
+      "columns": {
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "isDefault": {
+          "name": "isDefault",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "environment_projectId_project_projectId_fk": {
+          "name": "environment_projectId_project_projectId_fk",
+          "tableFrom": "environment",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.git_provider": {
+      "name": "git_provider",
+      "schema": "",
+      "columns": {
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "providerType": {
+          "name": "providerType",
+          "type": "gitProviderType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'github'"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "userId": {
+          "name": "userId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sharedWithOrganization": {
+          "name": "sharedWithOrganization",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "git_provider_organizationId_organization_id_fk": {
+          "name": "git_provider_organizationId_organization_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "git_provider_userId_user_id_fk": {
+          "name": "git_provider_userId_user_id_fk",
+          "tableFrom": "git_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "userId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitea": {
+      "name": "gitea",
+      "schema": "",
+      "columns": {
+        "giteaId": {
+          "name": "giteaId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "giteaUrl": {
+          "name": "giteaUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitea.com'"
+        },
+        "giteaInternalUrl": {
+          "name": "giteaInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_id": {
+          "name": "client_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "client_secret": {
+          "name": "client_secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "scopes": {
+          "name": "scopes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'repo,repo:status,read:user,read:org'"
+        },
+        "last_authenticated_at": {
+          "name": "last_authenticated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitea_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitea_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitea",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.github": {
+      "name": "github",
+      "schema": "",
+      "columns": {
+        "githubId": {
+          "name": "githubId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "githubAppName": {
+          "name": "githubAppName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubAppId": {
+          "name": "githubAppId",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientId": {
+          "name": "githubClientId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubClientSecret": {
+          "name": "githubClientSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubInstallationId": {
+          "name": "githubInstallationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubPrivateKey": {
+          "name": "githubPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "githubWebhookSecret": {
+          "name": "githubWebhookSecret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "github_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "github_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "github",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gitlab": {
+      "name": "gitlab",
+      "schema": "",
+      "columns": {
+        "gitlabId": {
+          "name": "gitlabId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "gitlabUrl": {
+          "name": "gitlabUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'https://gitlab.com'"
+        },
+        "gitlabInternalUrl": {
+          "name": "gitlabInternalUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "application_id": {
+          "name": "application_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redirect_uri": {
+          "name": "redirect_uri",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "secret": {
+          "name": "secret",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "access_token": {
+          "name": "access_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "refresh_token": {
+          "name": "refresh_token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "group_name": {
+          "name": "group_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gitProviderId": {
+          "name": "gitProviderId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "gitlab_gitProviderId_git_provider_gitProviderId_fk": {
+          "name": "gitlab_gitProviderId_git_provider_gitProviderId_fk",
+          "tableFrom": "gitlab",
+          "tableTo": "git_provider",
+          "columnsFrom": [
+            "gitProviderId"
+          ],
+          "columnsTo": [
+            "gitProviderId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.libsql": {
+      "name": "libsql",
+      "schema": "",
+      "columns": {
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "sqldNode": {
+          "name": "sqldNode",
+          "type": "sqldNode",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'primary'"
+        },
+        "sqldPrimaryUrl": {
+          "name": "sqldPrimaryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableNamespaces": {
+          "name": "enableNamespaces",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalGRPCPort": {
+          "name": "externalGRPCPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalAdminPort": {
+          "name": "externalAdminPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "libsql_environmentId_environment_environmentId_fk": {
+          "name": "libsql_environmentId_environment_environmentId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "libsql_serverId_server_serverId_fk": {
+          "name": "libsql_serverId_server_serverId_fk",
+          "tableFrom": "libsql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "libsql_appName_unique": {
+          "name": "libsql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mariadb": {
+      "name": "mariadb",
+      "schema": "",
+      "columns": {
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mariadb_environmentId_environment_environmentId_fk": {
+          "name": "mariadb_environmentId_environment_environmentId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mariadb_serverId_server_serverId_fk": {
+          "name": "mariadb_serverId_server_serverId_fk",
+          "tableFrom": "mariadb",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mariadb_appName_unique": {
+          "name": "mariadb_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mongo": {
+      "name": "mongo",
+      "schema": "",
+      "columns": {
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'mongo:8'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicaSets": {
+          "name": "replicaSets",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mongo_environmentId_environment_environmentId_fk": {
+          "name": "mongo_environmentId_environment_environmentId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mongo_serverId_server_serverId_fk": {
+          "name": "mongo_serverId_server_serverId_fk",
+          "tableFrom": "mongo",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mongo_appName_unique": {
+          "name": "mongo_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mount": {
+      "name": "mount",
+      "schema": "",
+      "columns": {
+        "mountId": {
+          "name": "mountId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "mountType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "hostPath": {
+          "name": "hostPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "mountPath": {
+          "name": "mountPath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mount_applicationId_application_applicationId_fk": {
+          "name": "mount_applicationId_application_applicationId_fk",
+          "tableFrom": "mount",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_composeId_compose_composeId_fk": {
+          "name": "mount_composeId_compose_composeId_fk",
+          "tableFrom": "mount",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_libsqlId_libsql_libsqlId_fk": {
+          "name": "mount_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mariadbId_mariadb_mariadbId_fk": {
+          "name": "mount_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mongoId_mongo_mongoId_fk": {
+          "name": "mount_mongoId_mongo_mongoId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_mysqlId_mysql_mysqlId_fk": {
+          "name": "mount_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "mount",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_postgresId_postgres_postgresId_fk": {
+          "name": "mount_postgresId_postgres_postgresId_fk",
+          "tableFrom": "mount",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mount_redisId_redis_redisId_fk": {
+          "name": "mount_redisId_redis_redisId_fk",
+          "tableFrom": "mount",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mysql": {
+      "name": "mysql",
+      "schema": "",
+      "columns": {
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "rootPassword": {
+          "name": "rootPassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "mysql_environmentId_environment_environmentId_fk": {
+          "name": "mysql_environmentId_environment_environmentId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "mysql_serverId_server_serverId_fk": {
+          "name": "mysql_serverId_server_serverId_fk",
+          "tableFrom": "mysql",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "mysql_appName_unique": {
+          "name": "mysql_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.custom": {
+      "name": "custom",
+      "schema": "",
+      "columns": {
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "endpoint": {
+          "name": "endpoint",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "headers": {
+          "name": "headers",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.discord": {
+      "name": "discord",
+      "schema": "",
+      "columns": {
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.email": {
+      "name": "email",
+      "schema": "",
+      "columns": {
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "smtpServer": {
+          "name": "smtpServer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "smtpPort": {
+          "name": "smtpPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.gotify": {
+      "name": "gotify",
+      "schema": "",
+      "columns": {
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appToken": {
+          "name": "appToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 5
+        },
+        "decoration": {
+          "name": "decoration",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.lark": {
+      "name": "lark",
+      "schema": "",
+      "columns": {
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.mattermost": {
+      "name": "mattermost",
+      "schema": "",
+      "columns": {
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.notification": {
+      "name": "notification",
+      "schema": "",
+      "columns": {
+        "notificationId": {
+          "name": "notificationId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appDeploy": {
+          "name": "appDeploy",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "appBuildError": {
+          "name": "appBuildError",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "databaseBackup": {
+          "name": "databaseBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "volumeBackup": {
+          "name": "volumeBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployRestart": {
+          "name": "dokployRestart",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dokployBackup": {
+          "name": "dokployBackup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "dockerCleanup": {
+          "name": "dockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "serverThreshold": {
+          "name": "serverThreshold",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "notificationType": {
+          "name": "notificationType",
+          "type": "notificationType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "discordId": {
+          "name": "discordId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "emailId": {
+          "name": "emailId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "gotifyId": {
+          "name": "gotifyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mattermostId": {
+          "name": "mattermostId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "customId": {
+          "name": "customId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "larkId": {
+          "name": "larkId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "notification_slackId_slack_slackId_fk": {
+          "name": "notification_slackId_slack_slackId_fk",
+          "tableFrom": "notification",
+          "tableTo": "slack",
+          "columnsFrom": [
+            "slackId"
+          ],
+          "columnsTo": [
+            "slackId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_telegramId_telegram_telegramId_fk": {
+          "name": "notification_telegramId_telegram_telegramId_fk",
+          "tableFrom": "notification",
+          "tableTo": "telegram",
+          "columnsFrom": [
+            "telegramId"
+          ],
+          "columnsTo": [
+            "telegramId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_discordId_discord_discordId_fk": {
+          "name": "notification_discordId_discord_discordId_fk",
+          "tableFrom": "notification",
+          "tableTo": "discord",
+          "columnsFrom": [
+            "discordId"
+          ],
+          "columnsTo": [
+            "discordId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_emailId_email_emailId_fk": {
+          "name": "notification_emailId_email_emailId_fk",
+          "tableFrom": "notification",
+          "tableTo": "email",
+          "columnsFrom": [
+            "emailId"
+          ],
+          "columnsTo": [
+            "emailId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_resendId_resend_resendId_fk": {
+          "name": "notification_resendId_resend_resendId_fk",
+          "tableFrom": "notification",
+          "tableTo": "resend",
+          "columnsFrom": [
+            "resendId"
+          ],
+          "columnsTo": [
+            "resendId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_gotifyId_gotify_gotifyId_fk": {
+          "name": "notification_gotifyId_gotify_gotifyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "gotify",
+          "columnsFrom": [
+            "gotifyId"
+          ],
+          "columnsTo": [
+            "gotifyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_ntfyId_ntfy_ntfyId_fk": {
+          "name": "notification_ntfyId_ntfy_ntfyId_fk",
+          "tableFrom": "notification",
+          "tableTo": "ntfy",
+          "columnsFrom": [
+            "ntfyId"
+          ],
+          "columnsTo": [
+            "ntfyId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_mattermostId_mattermost_mattermostId_fk": {
+          "name": "notification_mattermostId_mattermost_mattermostId_fk",
+          "tableFrom": "notification",
+          "tableTo": "mattermost",
+          "columnsFrom": [
+            "mattermostId"
+          ],
+          "columnsTo": [
+            "mattermostId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_customId_custom_customId_fk": {
+          "name": "notification_customId_custom_customId_fk",
+          "tableFrom": "notification",
+          "tableTo": "custom",
+          "columnsFrom": [
+            "customId"
+          ],
+          "columnsTo": [
+            "customId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_larkId_lark_larkId_fk": {
+          "name": "notification_larkId_lark_larkId_fk",
+          "tableFrom": "notification",
+          "tableTo": "lark",
+          "columnsFrom": [
+            "larkId"
+          ],
+          "columnsTo": [
+            "larkId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_pushoverId_pushover_pushoverId_fk": {
+          "name": "notification_pushoverId_pushover_pushoverId_fk",
+          "tableFrom": "notification",
+          "tableTo": "pushover",
+          "columnsFrom": [
+            "pushoverId"
+          ],
+          "columnsTo": [
+            "pushoverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_teamsId_teams_teamsId_fk": {
+          "name": "notification_teamsId_teams_teamsId_fk",
+          "tableFrom": "notification",
+          "tableTo": "teams",
+          "columnsFrom": [
+            "teamsId"
+          ],
+          "columnsTo": [
+            "teamsId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "notification_organizationId_organization_id_fk": {
+          "name": "notification_organizationId_organization_id_fk",
+          "tableFrom": "notification",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ntfy": {
+      "name": "ntfy",
+      "schema": "",
+      "columns": {
+        "ntfyId": {
+          "name": "ntfyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "serverUrl": {
+          "name": "serverUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "topic": {
+          "name": "topic",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "accessToken": {
+          "name": "accessToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 3
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.pushover": {
+      "name": "pushover",
+      "schema": "",
+      "columns": {
+        "pushoverId": {
+          "name": "pushoverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "userKey": {
+          "name": "userKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "apiToken": {
+          "name": "apiToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "priority": {
+          "name": "priority",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "retry": {
+          "name": "retry",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "expire": {
+          "name": "expire",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.resend": {
+      "name": "resend",
+      "schema": "",
+      "columns": {
+        "resendId": {
+          "name": "resendId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "apiKey": {
+          "name": "apiKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fromAddress": {
+          "name": "fromAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "toAddress": {
+          "name": "toAddress",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.slack": {
+      "name": "slack",
+      "schema": "",
+      "columns": {
+        "slackId": {
+          "name": "slackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "channel": {
+          "name": "channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.teams": {
+      "name": "teams",
+      "schema": "",
+      "columns": {
+        "teamsId": {
+          "name": "teamsId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webhookUrl": {
+          "name": "webhookUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.telegram": {
+      "name": "telegram",
+      "schema": "",
+      "columns": {
+        "telegramId": {
+          "name": "telegramId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "botToken": {
+          "name": "botToken",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "chatId": {
+          "name": "chatId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "messageThreadId": {
+          "name": "messageThreadId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.patch": {
+      "name": "patch",
+      "schema": "",
+      "columns": {
+        "patchId": {
+          "name": "patchId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "type": {
+          "name": "type",
+          "type": "patchType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'update'"
+        },
+        "filePath": {
+          "name": "filePath",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "content": {
+          "name": "content",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updatedAt": {
+          "name": "updatedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "patch_applicationId_application_applicationId_fk": {
+          "name": "patch_applicationId_application_applicationId_fk",
+          "tableFrom": "patch",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "patch_composeId_compose_composeId_fk": {
+          "name": "patch_composeId_compose_composeId_fk",
+          "tableFrom": "patch",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "patch_filepath_application_unique": {
+          "name": "patch_filepath_application_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "applicationId"
+          ]
+        },
+        "patch_filepath_compose_unique": {
+          "name": "patch_filepath_compose_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "filePath",
+            "composeId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.port": {
+      "name": "port",
+      "schema": "",
+      "columns": {
+        "portId": {
+          "name": "portId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "publishedPort": {
+          "name": "publishedPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "publishMode": {
+          "name": "publishMode",
+          "type": "publishModeType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'host'"
+        },
+        "targetPort": {
+          "name": "targetPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "protocol": {
+          "name": "protocol",
+          "type": "protocolType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "port_applicationId_application_applicationId_fk": {
+          "name": "port_applicationId_application_applicationId_fk",
+          "tableFrom": "port",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.postgres": {
+      "name": "postgres",
+      "schema": "",
+      "columns": {
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseName": {
+          "name": "databaseName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databaseUser": {
+          "name": "databaseUser",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "databasePassword": {
+          "name": "databasePassword",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "postgres_environmentId_environment_environmentId_fk": {
+          "name": "postgres_environmentId_environment_environmentId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "postgres_serverId_server_serverId_fk": {
+          "name": "postgres_serverId_server_serverId_fk",
+          "tableFrom": "postgres",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "postgres_appName_unique": {
+          "name": "postgres_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.preview_deployments": {
+      "name": "preview_deployments",
+      "schema": "",
+      "columns": {
+        "previewDeploymentId": {
+          "name": "previewDeploymentId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "branch": {
+          "name": "branch",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestId": {
+          "name": "pullRequestId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestNumber": {
+          "name": "pullRequestNumber",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestURL": {
+          "name": "pullRequestURL",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestTitle": {
+          "name": "pullRequestTitle",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "pullRequestCommentId": {
+          "name": "pullRequestCommentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "previewStatus": {
+          "name": "previewStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "domainId": {
+          "name": "domainId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "expiresAt": {
+          "name": "expiresAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "preview_deployments_applicationId_application_applicationId_fk": {
+          "name": "preview_deployments_applicationId_application_applicationId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "preview_deployments_domainId_domain_domainId_fk": {
+          "name": "preview_deployments_domainId_domain_domainId_fk",
+          "tableFrom": "preview_deployments",
+          "tableTo": "domain",
+          "columnsFrom": [
+            "domainId"
+          ],
+          "columnsTo": [
+            "domainId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "preview_deployments_appName_unique": {
+          "name": "preview_deployments_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project": {
+      "name": "project",
+      "schema": "",
+      "columns": {
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_organizationId_organization_id_fk": {
+          "name": "project_organizationId_organization_id_fk",
+          "tableFrom": "project",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redirect": {
+      "name": "redirect",
+      "schema": "",
+      "columns": {
+        "redirectId": {
+          "name": "redirectId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "regex": {
+          "name": "regex",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "replacement": {
+          "name": "replacement",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "permanent": {
+          "name": "permanent",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "uniqueConfigKey": {
+          "name": "uniqueConfigKey",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redirect_applicationId_application_applicationId_fk": {
+          "name": "redirect_applicationId_application_applicationId_fk",
+          "tableFrom": "redirect",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.redis": {
+      "name": "redis",
+      "schema": "",
+      "columns": {
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "dockerImage": {
+          "name": "dockerImage",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "args": {
+          "name": "args",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "env": {
+          "name": "env",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryReservation": {
+          "name": "memoryReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "memoryLimit": {
+          "name": "memoryLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuReservation": {
+          "name": "cpuReservation",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cpuLimit": {
+          "name": "cpuLimit",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "externalPort": {
+          "name": "externalPort",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationStatus": {
+          "name": "applicationStatus",
+          "type": "applicationStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'idle'"
+        },
+        "healthCheckSwarm": {
+          "name": "healthCheckSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "restartPolicySwarm": {
+          "name": "restartPolicySwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "placementSwarm": {
+          "name": "placementSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updateConfigSwarm": {
+          "name": "updateConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "rollbackConfigSwarm": {
+          "name": "rollbackConfigSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "modeSwarm": {
+          "name": "modeSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "labelsSwarm": {
+          "name": "labelsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "networkSwarm": {
+          "name": "networkSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stopGracePeriodSwarm": {
+          "name": "stopGracePeriodSwarm",
+          "type": "bigint",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "endpointSpecSwarm": {
+          "name": "endpointSpecSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ulimitsSwarm": {
+          "name": "ulimitsSwarm",
+          "type": "json",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "replicas": {
+          "name": "replicas",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 1
+        },
+        "environmentId": {
+          "name": "environmentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "redis_environmentId_environment_environmentId_fk": {
+          "name": "redis_environmentId_environment_environmentId_fk",
+          "tableFrom": "redis",
+          "tableTo": "environment",
+          "columnsFrom": [
+            "environmentId"
+          ],
+          "columnsTo": [
+            "environmentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "redis_serverId_server_serverId_fk": {
+          "name": "redis_serverId_server_serverId_fk",
+          "tableFrom": "redis",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "redis_appName_unique": {
+          "name": "redis_appName_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "appName"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.registry": {
+      "name": "registry",
+      "schema": "",
+      "columns": {
+        "registryId": {
+          "name": "registryId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "registryName": {
+          "name": "registryName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "imagePrefix": {
+          "name": "imagePrefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "registryUrl": {
+          "name": "registryUrl",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "selfHosted": {
+          "name": "selfHosted",
+          "type": "RegistryType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'cloud'"
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "registry_organizationId_organization_id_fk": {
+          "name": "registry_organizationId_organization_id_fk",
+          "tableFrom": "registry",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.rollback": {
+      "name": "rollback",
+      "schema": "",
+      "columns": {
+        "rollbackId": {
+          "name": "rollbackId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "deploymentId": {
+          "name": "deploymentId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "version": {
+          "name": "version",
+          "type": "serial",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "fullContext": {
+          "name": "fullContext",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "rollback_deploymentId_deployment_deploymentId_fk": {
+          "name": "rollback_deploymentId_deployment_deploymentId_fk",
+          "tableFrom": "rollback",
+          "tableTo": "deployment",
+          "columnsFrom": [
+            "deploymentId"
+          ],
+          "columnsTo": [
+            "deploymentId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.schedule": {
+      "name": "schedule",
+      "schema": "",
+      "columns": {
+        "scheduleId": {
+          "name": "scheduleId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "shellType": {
+          "name": "shellType",
+          "type": "shellType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'bash'"
+        },
+        "scheduleType": {
+          "name": "scheduleType",
+          "type": "scheduleType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "script": {
+          "name": "script",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "timezone": {
+          "name": "timezone",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "schedule_applicationId_application_applicationId_fk": {
+          "name": "schedule_applicationId_application_applicationId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_composeId_compose_composeId_fk": {
+          "name": "schedule_composeId_compose_composeId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_serverId_server_serverId_fk": {
+          "name": "schedule_serverId_server_serverId_fk",
+          "tableFrom": "schedule",
+          "tableTo": "server",
+          "columnsFrom": [
+            "serverId"
+          ],
+          "columnsTo": [
+            "serverId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "schedule_organizationId_organization_id_fk": {
+          "name": "schedule_organizationId_organization_id_fk",
+          "tableFrom": "schedule",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.security": {
+      "name": "security",
+      "schema": "",
+      "columns": {
+        "securityId": {
+          "name": "securityId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "password": {
+          "name": "password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "security_applicationId_application_applicationId_fk": {
+          "name": "security_applicationId_application_applicationId_fk",
+          "tableFrom": "security",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "security_username_applicationId_unique": {
+          "name": "security_username_applicationId_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "username",
+            "applicationId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.server": {
+      "name": "server",
+      "schema": "",
+      "columns": {
+        "serverId": {
+          "name": "serverId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ipAddress": {
+          "name": "ipAddress",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "port": {
+          "name": "port",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'root'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "caddyTrustedProxyConfig": {
+          "name": "caddyTrustedProxyConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'null'::jsonb"
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serverStatus": {
+          "name": "serverStatus",
+          "type": "serverStatus",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'active'"
+        },
+        "serverType": {
+          "name": "serverType",
+          "type": "serverType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'deploy'"
+        },
+        "command": {
+          "name": "command",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Remote\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"urlCallback\":\"\",\"cronJob\":\"\",\"retentionDays\":2,\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "server_organizationId_organization_id_fk": {
+          "name": "server_organizationId_organization_id_fk",
+          "tableFrom": "server",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "server_sshKeyId_ssh-key_sshKeyId_fk": {
+          "name": "server_sshKeyId_ssh-key_sshKeyId_fk",
+          "tableFrom": "server",
+          "tableTo": "ssh-key",
+          "columnsFrom": [
+            "sshKeyId"
+          ],
+          "columnsTo": [
+            "sshKeyId"
+          ],
+          "onDelete": "set null",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.session": {
+      "name": "session",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token": {
+          "name": "token",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "ip_address": {
+          "name": "ip_address",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_agent": {
+          "name": "user_agent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "impersonated_by": {
+          "name": "impersonated_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "active_organization_id": {
+          "name": "active_organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "session_user_id_user_id_fk": {
+          "name": "session_user_id_user_id_fk",
+          "tableFrom": "session",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "session_token_unique": {
+          "name": "session_token_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.ssh-key": {
+      "name": "ssh-key",
+      "schema": "",
+      "columns": {
+        "sshKeyId": {
+          "name": "sshKeyId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "privateKey": {
+          "name": "privateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "publicKey": {
+          "name": "publicKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "lastUsedAt": {
+          "name": "lastUsedAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "ssh-key_organizationId_organization_id_fk": {
+          "name": "ssh-key_organizationId_organization_id_fk",
+          "tableFrom": "ssh-key",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sso_provider": {
+      "name": "sso_provider",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "issuer": {
+          "name": "issuer",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "oidc_config": {
+          "name": "oidc_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "saml_config": {
+          "name": "saml_config",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "provider_id": {
+          "name": "provider_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "organization_id": {
+          "name": "organization_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "domain": {
+          "name": "domain",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "sso_provider_user_id_user_id_fk": {
+          "name": "sso_provider_user_id_user_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "user",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "sso_provider_organization_id_organization_id_fk": {
+          "name": "sso_provider_organization_id_organization_id_fk",
+          "tableFrom": "sso_provider",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organization_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "sso_provider_provider_id_unique": {
+          "name": "sso_provider_provider_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "provider_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.project_tag": {
+      "name": "project_tag",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "projectId": {
+          "name": "projectId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "project_tag_projectId_project_projectId_fk": {
+          "name": "project_tag_projectId_project_projectId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "project",
+          "columnsFrom": [
+            "projectId"
+          ],
+          "columnsTo": [
+            "projectId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "project_tag_tagId_tag_tagId_fk": {
+          "name": "project_tag_tagId_tag_tagId_fk",
+          "tableFrom": "project_tag",
+          "tableTo": "tag",
+          "columnsFrom": [
+            "tagId"
+          ],
+          "columnsTo": [
+            "tagId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_project_tag": {
+          "name": "unique_project_tag",
+          "nullsNotDistinct": false,
+          "columns": [
+            "projectId",
+            "tagId"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.tag": {
+      "name": "tag",
+      "schema": "",
+      "columns": {
+        "tagId": {
+          "name": "tagId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "color": {
+          "name": "color",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "organizationId": {
+          "name": "organizationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "tag_organizationId_organization_id_fk": {
+          "name": "tag_organizationId_organization_id_fk",
+          "tableFrom": "tag",
+          "tableTo": "organization",
+          "columnsFrom": [
+            "organizationId"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "unique_org_tag_name": {
+          "name": "unique_org_tag_name",
+          "nullsNotDistinct": false,
+          "columns": [
+            "organizationId",
+            "name"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.user": {
+      "name": "user",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "firstName": {
+          "name": "firstName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "lastName": {
+          "name": "lastName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "''"
+        },
+        "isRegistered": {
+          "name": "isRegistered",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "expirationDate": {
+          "name": "expirationDate",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "two_factor_enabled": {
+          "name": "two_factor_enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "email_verified": {
+          "name": "email_verified",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "image": {
+          "name": "image",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "banned": {
+          "name": "banned",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_reason": {
+          "name": "ban_reason",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "ban_expires": {
+          "name": "ban_expires",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'user'"
+        },
+        "enablePaidFeatures": {
+          "name": "enablePaidFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "allowImpersonation": {
+          "name": "allowImpersonation",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enableEnterpriseFeatures": {
+          "name": "enableEnterpriseFeatures",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "licenseKey": {
+          "name": "licenseKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "isValidEnterpriseLicense": {
+          "name": "isValidEnterpriseLicense",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "stripeCustomerId": {
+          "name": "stripeCustomerId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "stripeSubscriptionId": {
+          "name": "stripeSubscriptionId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "serversQuantity": {
+          "name": "serversQuantity",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "default": 0
+        },
+        "sendInvoiceNotifications": {
+          "name": "sendInvoiceNotifications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "isEnterpriseCloud": {
+          "name": "isEnterpriseCloud",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "trustedOrigins": {
+          "name": "trustedOrigins",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "bookmarkedTemplates": {
+          "name": "bookmarkedTemplates",
+          "type": "text[]",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "ARRAY[]::text[]"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "user_email_unique": {
+          "name": "user_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.volume_backup": {
+      "name": "volume_backup",
+      "schema": "",
+      "columns": {
+        "volumeBackupId": {
+          "name": "volumeBackupId",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "volumeName": {
+          "name": "volumeName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "prefix": {
+          "name": "prefix",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceType": {
+          "name": "serviceType",
+          "type": "serviceType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'application'"
+        },
+        "appName": {
+          "name": "appName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "serviceName": {
+          "name": "serviceName",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "turnOff": {
+          "name": "turnOff",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cronExpression": {
+          "name": "cronExpression",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "keepLatestCount": {
+          "name": "keepLatestCount",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enabled": {
+          "name": "enabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "applicationId": {
+          "name": "applicationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "postgresId": {
+          "name": "postgresId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mariadbId": {
+          "name": "mariadbId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mongoId": {
+          "name": "mongoId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "mysqlId": {
+          "name": "mysqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "redisId": {
+          "name": "redisId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "libsqlId": {
+          "name": "libsqlId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "composeId": {
+          "name": "composeId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "createdAt": {
+          "name": "createdAt",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "destinationId": {
+          "name": "destinationId",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "volume_backup_applicationId_application_applicationId_fk": {
+          "name": "volume_backup_applicationId_application_applicationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "application",
+          "columnsFrom": [
+            "applicationId"
+          ],
+          "columnsTo": [
+            "applicationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_postgresId_postgres_postgresId_fk": {
+          "name": "volume_backup_postgresId_postgres_postgresId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "postgres",
+          "columnsFrom": [
+            "postgresId"
+          ],
+          "columnsTo": [
+            "postgresId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mariadbId_mariadb_mariadbId_fk": {
+          "name": "volume_backup_mariadbId_mariadb_mariadbId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mariadb",
+          "columnsFrom": [
+            "mariadbId"
+          ],
+          "columnsTo": [
+            "mariadbId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mongoId_mongo_mongoId_fk": {
+          "name": "volume_backup_mongoId_mongo_mongoId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mongo",
+          "columnsFrom": [
+            "mongoId"
+          ],
+          "columnsTo": [
+            "mongoId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_mysqlId_mysql_mysqlId_fk": {
+          "name": "volume_backup_mysqlId_mysql_mysqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "mysql",
+          "columnsFrom": [
+            "mysqlId"
+          ],
+          "columnsTo": [
+            "mysqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_redisId_redis_redisId_fk": {
+          "name": "volume_backup_redisId_redis_redisId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "redis",
+          "columnsFrom": [
+            "redisId"
+          ],
+          "columnsTo": [
+            "redisId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_libsqlId_libsql_libsqlId_fk": {
+          "name": "volume_backup_libsqlId_libsql_libsqlId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "libsql",
+          "columnsFrom": [
+            "libsqlId"
+          ],
+          "columnsTo": [
+            "libsqlId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_composeId_compose_composeId_fk": {
+          "name": "volume_backup_composeId_compose_composeId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "compose",
+          "columnsFrom": [
+            "composeId"
+          ],
+          "columnsTo": [
+            "composeId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "volume_backup_destinationId_destination_destinationId_fk": {
+          "name": "volume_backup_destinationId_destination_destinationId_fk",
+          "tableFrom": "volume_backup",
+          "tableTo": "destination",
+          "columnsFrom": [
+            "destinationId"
+          ],
+          "columnsTo": [
+            "destinationId"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.webServerSettings": {
+      "name": "webServerSettings",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true
+        },
+        "webServerProvider": {
+          "name": "webServerProvider",
+          "type": "webServerProvider",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'traefik'"
+        },
+        "caddyTrustedProxyConfig": {
+          "name": "caddyTrustedProxyConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'null'::jsonb"
+        },
+        "requestLogsEnabled": {
+          "name": "requestLogsEnabled",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "serverIp": {
+          "name": "serverIp",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "certificateType": {
+          "name": "certificateType",
+          "type": "certificateType",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'none'"
+        },
+        "https": {
+          "name": "https",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "host": {
+          "name": "host",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "letsEncryptEmail": {
+          "name": "letsEncryptEmail",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "sshPrivateKey": {
+          "name": "sshPrivateKey",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "enableDockerCleanup": {
+          "name": "enableDockerCleanup",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": true
+        },
+        "logCleanupCron": {
+          "name": "logCleanupCron",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'0 0 * * *'"
+        },
+        "metricsConfig": {
+          "name": "metricsConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'{\"server\":{\"type\":\"Dokploy\",\"refreshRate\":60,\"port\":4500,\"token\":\"\",\"retentionDays\":2,\"cronJob\":\"\",\"urlCallback\":\"\",\"thresholds\":{\"cpu\":0,\"memory\":0}},\"containers\":{\"refreshRate\":60,\"services\":{\"include\":[],\"exclude\":[]}}}'::jsonb"
+        },
+        "whitelabelingConfig": {
+          "name": "whitelabelingConfig",
+          "type": "jsonb",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "'{\"appName\":null,\"appDescription\":null,\"logoUrl\":null,\"faviconUrl\":null,\"customCss\":null,\"loginLogoUrl\":null,\"supportUrl\":null,\"docsUrl\":null,\"errorPageTitle\":null,\"errorPageDescription\":null,\"metaTitle\":null,\"footerText\":null}'::jsonb"
+        },
+        "remoteServersOnly": {
+          "name": "remoteServersOnly",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "enforceSSO": {
+          "name": "enforceSSO",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheApplications": {
+          "name": "cleanupCacheApplications",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnPreviews": {
+          "name": "cleanupCacheOnPreviews",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "cleanupCacheOnCompose": {
+          "name": "cleanupCacheOnCompose",
+          "type": "boolean",
+          "primaryKey": false,
+          "notNull": true,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.buildType": {
+      "name": "buildType",
+      "schema": "public",
+      "values": [
+        "dockerfile",
+        "heroku_buildpacks",
+        "paketo_buildpacks",
+        "nixpacks",
+        "static",
+        "railpack"
+      ]
+    },
+    "public.sourceType": {
+      "name": "sourceType",
+      "schema": "public",
+      "values": [
+        "docker",
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "drop"
+      ]
+    },
+    "public.backupType": {
+      "name": "backupType",
+      "schema": "public",
+      "values": [
+        "database",
+        "compose"
+      ]
+    },
+    "public.databaseType": {
+      "name": "databaseType",
+      "schema": "public",
+      "values": [
+        "postgres",
+        "mariadb",
+        "mysql",
+        "mongo",
+        "web-server",
+        "libsql"
+      ]
+    },
+    "public.composeType": {
+      "name": "composeType",
+      "schema": "public",
+      "values": [
+        "docker-compose",
+        "stack"
+      ]
+    },
+    "public.sourceTypeCompose": {
+      "name": "sourceTypeCompose",
+      "schema": "public",
+      "values": [
+        "git",
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea",
+        "raw"
+      ]
+    },
+    "public.deploymentStatus": {
+      "name": "deploymentStatus",
+      "schema": "public",
+      "values": [
+        "running",
+        "done",
+        "error",
+        "cancelled"
+      ]
+    },
+    "public.domainType": {
+      "name": "domainType",
+      "schema": "public",
+      "values": [
+        "compose",
+        "application",
+        "preview"
+      ]
+    },
+    "public.gitProviderType": {
+      "name": "gitProviderType",
+      "schema": "public",
+      "values": [
+        "github",
+        "gitlab",
+        "bitbucket",
+        "gitea"
+      ]
+    },
+    "public.mountType": {
+      "name": "mountType",
+      "schema": "public",
+      "values": [
+        "bind",
+        "volume",
+        "file"
+      ]
+    },
+    "public.serviceType": {
+      "name": "serviceType",
+      "schema": "public",
+      "values": [
+        "application",
+        "postgres",
+        "mysql",
+        "mariadb",
+        "mongo",
+        "redis",
+        "compose",
+        "libsql"
+      ]
+    },
+    "public.notificationType": {
+      "name": "notificationType",
+      "schema": "public",
+      "values": [
+        "slack",
+        "telegram",
+        "discord",
+        "email",
+        "resend",
+        "gotify",
+        "ntfy",
+        "mattermost",
+        "pushover",
+        "custom",
+        "lark",
+        "teams"
+      ]
+    },
+    "public.patchType": {
+      "name": "patchType",
+      "schema": "public",
+      "values": [
+        "create",
+        "update",
+        "delete"
+      ]
+    },
+    "public.protocolType": {
+      "name": "protocolType",
+      "schema": "public",
+      "values": [
+        "tcp",
+        "udp"
+      ]
+    },
+    "public.publishModeType": {
+      "name": "publishModeType",
+      "schema": "public",
+      "values": [
+        "ingress",
+        "host"
+      ]
+    },
+    "public.RegistryType": {
+      "name": "RegistryType",
+      "schema": "public",
+      "values": [
+        "selfHosted",
+        "cloud"
+      ]
+    },
+    "public.scheduleType": {
+      "name": "scheduleType",
+      "schema": "public",
+      "values": [
+        "application",
+        "compose",
+        "server",
+        "dokploy-server"
+      ]
+    },
+    "public.shellType": {
+      "name": "shellType",
+      "schema": "public",
+      "values": [
+        "bash",
+        "sh"
+      ]
+    },
+    "public.serverStatus": {
+      "name": "serverStatus",
+      "schema": "public",
+      "values": [
+        "active",
+        "inactive"
+      ]
+    },
+    "public.serverType": {
+      "name": "serverType",
+      "schema": "public",
+      "values": [
+        "deploy",
+        "build"
+      ]
+    },
+    "public.applicationStatus": {
+      "name": "applicationStatus",
+      "schema": "public",
+      "values": [
+        "idle",
+        "running",
+        "done",
+        "error"
+      ]
+    },
+    "public.certificateType": {
+      "name": "certificateType",
+      "schema": "public",
+      "values": [
+        "letsencrypt",
+        "none",
+        "custom"
+      ]
+    },
+    "public.sqldNode": {
+      "name": "sqldNode",
+      "schema": "public",
+      "values": [
+        "primary",
+        "replica"
+      ]
+    },
+    "public.triggerType": {
+      "name": "triggerType",
+      "schema": "public",
+      "values": [
+        "push",
+        "tag"
+      ]
+    },
+    "public.webServerProvider": {
+      "name": "webServerProvider",
+      "schema": "public",
+      "values": [
+        "traefik",
+        "caddy"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/apps/dokploy/drizzle/meta/_journal.json b/apps/dokploy/drizzle/meta/_journal.json
index 3cb271b561..842d1f82b9 100644
--- a/apps/dokploy/drizzle/meta/_journal.json
+++ b/apps/dokploy/drizzle/meta/_journal.json
@@ -1205,6 +1205,13 @@
       "when": 1780360688821,
       "tag": "0171_caddy_trusted_proxy_config",
       "breakpoints": true
+    },
+    {
+      "idx": 172,
+      "version": "7",
+      "when": 1780371136997,
+      "tag": "0172_normal_gauntlet",
+      "breakpoints": true
     }
   ]
 }
\ No newline at end of file
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index d57b7e8e60..5315f7eb6b 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -1,3 +1,5 @@
+import { createReadStream, existsSync, readFileSync } from "node:fs";
+import { createInterface } from "node:readline";
 import {
 	applyCaddyMigration as applyCaddyMigrationCutover,
 	CLEANUP_CRON_JOB,
@@ -13,6 +15,7 @@ import {
 	cleanupImages,
 	cleanupSystem,
 	cleanupVolumes,
+	compileAndWriteCaddyConfig,
 	compileWriteAndReloadCaddyConfigSafely,
 	DEFAULT_UPDATE_DATA,
 	execAsync,
@@ -373,6 +376,80 @@ const getCaddySetupOptions = async (
 	return getCaddyCompileSettings(serverId);
 };
 
+const getLocalAccessLogPath = (provider: WebServerProvider) => {
+	const currentPaths = paths();
+	return provider === "caddy"
+		? currentPaths.CADDY_ACCESS_LOG_PATH
+		: `${currentPaths.DYNAMIC_TRAEFIK_PATH}/access.log`;
+};
+
+const readAccessLogFile = async (filePath: string, readAll = false) => {
+	if (!existsSync(filePath)) {
+		return "";
+	}
+	if (readAll) {
+		return readFileSync(filePath, "utf8");
+	}
+
+	const recentLines: string[] = [];
+	const fileStream = createReadStream(filePath, { encoding: "utf8" });
+	const readline = createInterface({
+		input: fileStream,
+		crlfDelay: Number.POSITIVE_INFINITY,
+	});
+	for await (const line of readline) {
+		const trimmed = line.trim();
+		if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
+			recentLines.push(line);
+			if (recentLines.length > 500) {
+				recentLines.shift();
+			}
+		}
+	}
+	return recentLines.length ? `${recentLines.join("\n")}\n` : "";
+};
+
+const readActiveRequestAccessLog = async (readAll = false) => {
+	const provider = await resolveWebServerProvider();
+	if (provider === "traefik") {
+		return (await readMonitoringConfig(readAll)) ?? "";
+	}
+	return readAccessLogFile(getLocalAccessLogPath(provider), readAll);
+};
+
+const getRequestAnalyticsState = async () => {
+	if (IS_CLOUD) {
+		return {
+			provider: "traefik" as const,
+			enabled: true,
+			reloadResourceName: "dokploy-traefik",
+			accessLogPath: getLocalAccessLogPath("traefik"),
+		};
+	}
+
+	const provider = await resolveWebServerProvider();
+	if (provider === "caddy") {
+		const settings = await getWebServerSettings();
+		return {
+			provider,
+			enabled: Boolean(settings?.requestLogsEnabled),
+			reloadResourceName: getWebServerResourceName(provider),
+			accessLogPath: getLocalAccessLogPath(provider),
+		};
+	}
+
+	const config = readMainConfig();
+	const parsedConfig = config
+		? (parse(config) as { accessLog?: { filePath?: string } })
+		: null;
+	return {
+		provider,
+		enabled: Boolean(parsedConfig?.accessLog?.filePath),
+		reloadResourceName: getWebServerResourceName(provider),
+		accessLogPath: getLocalAccessLogPath(provider),
+	};
+};
+
 export const settingsRouter = createTRPCRouter({
 	getWebServerSettings: protectedProcedure.query(async () => {
 		if (IS_CLOUD) {
@@ -1442,6 +1519,9 @@ export const settingsRouter = createTRPCRouter({
 			return { provider, enabled: false };
 		}),
 
+	getRequestAnalyticsState: protectedProcedure.query(async () => {
+		return getRequestAnalyticsState();
+	}),
 	readStatsLogs: protectedProcedure
 		.meta({
 			openapi: {
@@ -1459,7 +1539,7 @@ export const settingsRouter = createTRPCRouter({
 					totalCount: 0,
 				};
 			}
-			const rawConfig = await readMonitoringConfig(
+			const rawConfig = await readActiveRequestAccessLog(
 				!!input.dateRange?.start && !!input.dateRange?.end,
 			);
 
@@ -1499,26 +1579,14 @@ export const settingsRouter = createTRPCRouter({
 			if (IS_CLOUD) {
 				return [];
 			}
-			const rawConfig = await readMonitoringConfig(
+			const rawConfig = await readActiveRequestAccessLog(
 				!!input?.dateRange?.start || !!input?.dateRange?.end,
 			);
 			const processedLogs = processLogs(rawConfig as string, input?.dateRange);
 			return processedLogs || [];
 		}),
 	haveActivateRequests: protectedProcedure.query(async () => {
-		if (IS_CLOUD) {
-			return true;
-		}
-		const config = readMainConfig();
-
-		if (!config) return false;
-		const parsedConfig = parse(config) as {
-			accessLog?: {
-				filePath: string;
-			};
-		};
-
-		return !!parsedConfig?.accessLog?.filePath;
+		return (await getRequestAnalyticsState()).enabled;
 	}),
 	toggleRequests: protectedProcedure
 		.input(
@@ -1530,6 +1598,29 @@ export const settingsRouter = createTRPCRouter({
 			if (IS_CLOUD) {
 				return true;
 			}
+			const provider = await resolveWebServerProvider();
+			if (provider === "caddy") {
+				const previousSettings = await getWebServerSettings();
+				const previousEnabled = Boolean(previousSettings?.requestLogsEnabled);
+				await updateWebServerSettings({
+					requestLogsEnabled: input.enable,
+				});
+				try {
+					await compileAndWriteCaddyConfig(await getCaddyCompileSettings());
+				} catch (error) {
+					await updateWebServerSettings({
+						requestLogsEnabled: previousEnabled,
+					});
+					throw error;
+				}
+				await audit(ctx, {
+					action: "update",
+					resourceType: "settings",
+					resourceName: "toggle-requests",
+				});
+				return true;
+			}
+
 			const mainConfig = readMainConfig();
 			if (!mainConfig) return false;
 
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 7147e13aac..363c088bfd 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,7 +42,8 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, and provider-aware update-server health checks now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; Caddy generated artifacts are inspectable through safe read-only paths while Traefik remains editable. | Needs manual UI QA | Browser-smoke the settings/domain flows when a Dokploy dev server or review app is available. |
+| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest local Caddy log lines for paginated views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Browser-smoke the Requests page under active Caddy after a dev server or review app is available; add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, and provider-aware Requests copy now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -96,6 +97,16 @@ Trusted proxy evidence:
 - `apps/dokploy/server/api/routers/settings.ts` exposes Caddy trusted proxy read/update endpoints and rebuilds Caddy config when active.
 - `apps/dokploy/components/dashboard/settings/web-server/caddy-trusted-proxy-settings.tsx` provides the local/remote UI dialog.
 
+Request analytics evidence:
+
+- `packages/server/src/db/schema/web-server-settings.ts` persists local Caddy request-log enablement.
+- `packages/server/src/utils/caddy/config.ts` compiles Caddy access logging to a JSON file writer.
+- `packages/server/src/utils/access-log/utils.ts` normalizes Caddy and Traefik JSON access logs into the Requests table shape.
+- `packages/server/src/utils/access-log/handler.ts` cleans the active web-server access log and only signals Traefik when Traefik is active.
+- `packages/server/src/setup/caddy-setup.ts` and `packages/server/src/services/settings.ts` preserve Caddy access-log compile settings during env/port setup rewrites.
+- `apps/dokploy/server/api/routers/settings.ts` exposes provider-aware request analytics state, toggle, stats, and stats-log endpoints.
+- `apps/dokploy/components/dashboard/requests/show-requests.tsx` uses active-provider copy for request analytics activation and reload guidance.
+
 Migration and live-readiness evidence:
 
 - `packages/server/src/utils/caddy/migration/prepare.ts`
@@ -412,6 +423,16 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 23 files, 149 tests after the latest RepoPrompt review and file-system UI hardening. Covers focused Caddy config, setup, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the latest RepoPrompt review and file-system UI hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm exec biome check --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` and `git diff --check` | Passed | Formatter/import checks and whitespace checks passed after the latest RepoPrompt review and file-system UI hardening. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining local-safe Requests/access-log gap | Complete | Identified the Requests analytics path as still Traefik-specific despite active-provider hardening elsewhere in the Caddy PR. |
+| 2026-06-02 | `pnpm --filter=dokploy migration:generate` | Passed | Generated additive `0172_normal_gauntlet.sql` for local `webServerSettings.requestLogsEnabled`; Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `docker run --rm --network none -v <generated-caddy-json>:/etc/caddy/caddy.json:ro caddy:2.11.3 caddy validate --config /etc/caddy/caddy.json` | Passed | Validated the Caddy JSON shape for request access logs: non-null HTTP server `logs`, file writer, JSON encoder, and `http.log.access` include filter. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/request-logs-router.test.ts __test__/caddy/request-log-utils.test.ts __test__/caddy/request-log-cleanup.test.ts __test__/caddy/config.test.ts __test__/caddy/migration/apply-rollback.test.ts` | Passed | 5 files, 43 tests. Covers provider-aware request analytics state/toggle/read paths, Caddy log normalization, provider-aware cleanup, Caddy access-log compile output, and migration staleness when request-log compile settings change. |
+| 2026-06-02 | RepoPrompt review with git compare `back:3` plus current working-tree diff | Complete | Review findings incorporated locally: Caddy setup rewrites preserve request-log compile settings, file-system UI resolves the active provider when omitted, Caddy request-log reads return latest entries, and invalid cleanup cron schedules do not persist as enabled. The remaining remote Requests analytics and Caddy dashboard self-traffic topics are local-active-only/follow-up decisions. |
+| 2026-06-02 | Drizzle snapshot inspection for `0172_snapshot.json` | Passed | Verified `webServerSettings.requestLogsEnabled` is a non-null boolean with default `false`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/request-logs-router.test.ts __test__/caddy/request-log-cleanup.test.ts __test__/caddy/setup.test.ts __test__/caddy/config.test.ts __test__/caddy/migration/apply-rollback.test.ts` | Passed | 5 files, 48 tests after RepoPrompt `back:3` review fixes. Covers Caddy setup rewrite preservation, latest Caddy request-log reads, invalid cleanup cron rejection, access-log compile output, migration staleness, and request analytics router behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the request analytics review fixes. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 26 files, 165 tests after Requests/access-log hardening and RepoPrompt `back:3` recommendations. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | Formatter/import checks passed for the request analytics review slice. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/constants/index.ts b/packages/server/src/constants/index.ts
index 10964ed6b4..73f00aa4ca 100644
--- a/packages/server/src/constants/index.ts
+++ b/packages/server/src/constants/index.ts
@@ -93,6 +93,7 @@ export const paths = (isServer = false) => {
 	const MAIN_CADDY_PATH = `${BASE_PATH}/caddy`;
 	const CADDY_CONFIG_PATH = `${MAIN_CADDY_PATH}/caddy.json`;
 	const CADDY_FRAGMENTS_PATH = `${MAIN_CADDY_PATH}/fragments`;
+	const CADDY_ACCESS_LOG_PATH = `${MAIN_CADDY_PATH}/access.log`;
 	const CADDY_DATA_PATH = `${MAIN_CADDY_PATH}/data`;
 	const CADDY_CONFIG_DIR_PATH = `${MAIN_CADDY_PATH}/config`;
 	const CADDY_MIGRATIONS_PATH = `${MAIN_CADDY_PATH}/migrations`;
@@ -104,6 +105,7 @@ export const paths = (isServer = false) => {
 		MAIN_CADDY_PATH,
 		CADDY_CONFIG_PATH,
 		CADDY_FRAGMENTS_PATH,
+		CADDY_ACCESS_LOG_PATH,
 		CADDY_DATA_PATH,
 		CADDY_CONFIG_DIR_PATH,
 		CADDY_MIGRATIONS_PATH,
diff --git a/packages/server/src/db/schema/web-server-settings.ts b/packages/server/src/db/schema/web-server-settings.ts
index 59e2a76b8e..4bb9548008 100644
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
@@ -18,6 +18,7 @@ export const webServerSettings = pgTable("webServerSettings", {
 	caddyTrustedProxyConfig: jsonb("caddyTrustedProxyConfig")
 		.$type<CaddyTrustedProxySettings | null>()
 		.default(null),
+	requestLogsEnabled: boolean("requestLogsEnabled").notNull().default(false),
 	serverIp: text("serverIp"),
 	certificateType: certificateType("certificateType").notNull().default("none"),
 	https: boolean("https").notNull().default(false),
@@ -148,6 +149,7 @@ export const apiUpdateWebServerSettings = createSchema.partial().extend({
 	letsEncryptEmail: z.string().email().optional().nullable(),
 	sshPrivateKey: z.string().optional(),
 	enableDockerCleanup: z.boolean().optional(),
+	requestLogsEnabled: z.boolean().optional(),
 	logCleanupCron: z.string().optional().nullable(),
 	metricsConfig: z
 		.object({
diff --git a/packages/server/src/services/settings.ts b/packages/server/src/services/settings.ts
index f322f0810a..b358be8ee6 100644
--- a/packages/server/src/services/settings.ts
+++ b/packages/server/src/services/settings.ts
@@ -780,6 +780,7 @@ export const writeCaddySetup = async (input: CaddyOptions) => {
 			serverId: input.serverId,
 			letsEncryptEmail: input.letsEncryptEmail,
 			trustedProxies: input.trustedProxies,
+			accessLogs: input.accessLogs,
 		});
 		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
 	} else {
@@ -789,6 +790,7 @@ export const writeCaddySetup = async (input: CaddyOptions) => {
 			serverId: input.serverId,
 			letsEncryptEmail: input.letsEncryptEmail,
 			trustedProxies: input.trustedProxies,
+			accessLogs: input.accessLogs,
 		});
 
 		await reconnectServicesToWebServer("dokploy-caddy", input.serverId);
diff --git a/packages/server/src/services/web-server-settings.ts b/packages/server/src/services/web-server-settings.ts
index 887d66e5b7..f60eef37d5 100644
--- a/packages/server/src/services/web-server-settings.ts
+++ b/packages/server/src/services/web-server-settings.ts
@@ -2,6 +2,7 @@ import { db } from "@dokploy/server/db";
 import { server, webServerSettings } from "@dokploy/server/db/schema";
 import { assertValidCaddyTrustedProxyConfig } from "@dokploy/server/utils/caddy/config";
 import type {
+	CaddyAccessLogConfig,
 	CaddyTrustedProxyConfig,
 	CaddyTrustedProxySettings,
 } from "@dokploy/server/utils/caddy/types";
@@ -195,6 +196,7 @@ export const getCaddyCompileSettings = async (
 ): Promise<{
 	letsEncryptEmail?: string | null;
 	trustedProxies?: CaddyTrustedProxyConfig | null;
+	accessLogs?: CaddyAccessLogConfig | null;
 }> => {
 	if (serverId) {
 		return {
@@ -208,6 +210,7 @@ export const getCaddyCompileSettings = async (
 		trustedProxies: caddyTrustedProxySettingsToConfig(
 			normalizeCaddyTrustedProxySettings(settings?.caddyTrustedProxyConfig),
 		),
+		accessLogs: settings?.requestLogsEnabled ? { enabled: true } : null,
 	};
 };
 
diff --git a/packages/server/src/setup/caddy-setup.ts b/packages/server/src/setup/caddy-setup.ts
index ce00fee8a9..2bdddf0d43 100644
--- a/packages/server/src/setup/caddy-setup.ts
+++ b/packages/server/src/setup/caddy-setup.ts
@@ -5,7 +5,10 @@ import {
 	reloadCaddyAfterValidation,
 	validateCaddyConfigWithContainer,
 } from "../utils/caddy/config";
-import type { CaddyTrustedProxyConfig } from "../utils/caddy/types";
+import type {
+	CaddyAccessLogConfig,
+	CaddyTrustedProxyConfig,
+} from "../utils/caddy/types";
 import { getRemoteDocker } from "../utils/servers/remote-docker";
 
 export const CADDY_SSL_PORT =
@@ -32,6 +35,7 @@ export interface CaddyOptions {
 	}[];
 	letsEncryptEmail?: string | null;
 	trustedProxies?: CaddyTrustedProxyConfig | null;
+	accessLogs?: CaddyAccessLogConfig | null;
 }
 
 type CaddyAdditionalPort = NonNullable<CaddyOptions["additionalPorts"]>[number];
@@ -186,11 +190,13 @@ export const initializeStandaloneCaddy = async ({
 	additionalPorts = [],
 	letsEncryptEmail,
 	trustedProxies,
+	accessLogs,
 }: CaddyOptions = {}) => {
 	await ensureDefaultCaddyConfig({
 		serverId,
 		letsEncryptEmail,
 		trustedProxies,
+		accessLogs,
 	});
 	const imageName = `caddy:${CADDY_VERSION}`;
 	const containerName = "dokploy-caddy";
@@ -243,11 +249,13 @@ export const initializeCaddyService = async ({
 	serverId,
 	letsEncryptEmail,
 	trustedProxies,
+	accessLogs,
 }: CaddyOptions) => {
 	await ensureDefaultCaddyConfig({
 		serverId,
 		letsEncryptEmail,
 		trustedProxies,
+		accessLogs,
 	});
 	const imageName = `caddy:${CADDY_VERSION}`;
 	const appName = "dokploy-caddy";
diff --git a/packages/server/src/utils/access-log/handler.ts b/packages/server/src/utils/access-log/handler.ts
index 17b1c25432..51bece03ae 100644
--- a/packages/server/src/utils/access-log/handler.ts
+++ b/packages/server/src/utils/access-log/handler.ts
@@ -3,9 +3,11 @@ import path from "node:path";
 import { paths } from "@dokploy/server/constants";
 import {
 	getWebServerSettings,
+	resolveWebServerProvider,
 	updateWebServerSettings,
 } from "@dokploy/server/services/web-server-settings";
 import { scheduledJobs, scheduleJob } from "node-schedule";
+import { quote } from "shell-quote";
 import { execAsync } from "../process/execAsync";
 
 const LOG_CLEANUP_JOB_NAME = "access-log-cleanup";
@@ -14,29 +16,59 @@ export const startLogCleanup = async (
 	cronExpression = "0 0 * * *",
 ): Promise<boolean> => {
 	try {
+		const validationJob = scheduleJob(
+			`${LOG_CLEANUP_JOB_NAME}-validation`,
+			cronExpression,
+			() => {},
+		);
+		if (!validationJob) {
+			return false;
+		}
+		validationJob.cancel();
+
 		const existingJob = scheduledJobs[LOG_CLEANUP_JOB_NAME];
 		if (existingJob) {
 			existingJob.cancel();
 		}
 
-		scheduleJob(LOG_CLEANUP_JOB_NAME, cronExpression, async () => {
-			try {
-				const { DYNAMIC_TRAEFIK_PATH } = paths();
-				const accessLogPath = path.join(DYNAMIC_TRAEFIK_PATH, "access.log");
+		const cleanupJob = scheduleJob(
+			LOG_CLEANUP_JOB_NAME,
+			cronExpression,
+			async () => {
+				try {
+					const provider = await resolveWebServerProvider();
+					const currentPaths = paths();
+					const accessLogPath =
+						provider === "caddy"
+							? currentPaths.CADDY_ACCESS_LOG_PATH
+							: path.join(currentPaths.DYNAMIC_TRAEFIK_PATH, "access.log");
 
-				if (!fs.existsSync(accessLogPath)) {
-					console.error("Access log file does not exist");
-					return;
-				}
+					if (!fs.existsSync(accessLogPath)) {
+						console.error("Access log file does not exist");
+						return;
+					}
 
-				await execAsync(
-					`tail -n 1000 ${accessLogPath} > ${accessLogPath}.tmp && mv ${accessLogPath}.tmp ${accessLogPath}`,
-				);
-				await execAsync("docker exec dokploy-traefik kill -USR1 1");
-			} catch (error) {
-				console.error("Error during log cleanup:", error);
-			}
-		});
+					const quotedAccessLogPath = quote([accessLogPath]);
+					const quotedTempPath = quote([`${accessLogPath}.tmp`]);
+					if (provider === "caddy") {
+						await execAsync(
+							`tail -n 1000 ${quotedAccessLogPath} > ${quotedTempPath} && cat ${quotedTempPath} > ${quotedAccessLogPath} && rm ${quotedTempPath}`,
+						);
+						return;
+					}
+
+					await execAsync(
+						`tail -n 1000 ${quotedAccessLogPath} > ${quotedTempPath} && mv ${quotedTempPath} ${quotedAccessLogPath}`,
+					);
+					await execAsync("docker exec dokploy-traefik kill -USR1 1");
+				} catch (error) {
+					console.error("Error during log cleanup:", error);
+				}
+			},
+		);
+		if (!cleanupJob) {
+			return false;
+		}
 
 		await updateWebServerSettings({
 			logCleanupCron: cronExpression,
diff --git a/packages/server/src/utils/access-log/types.ts b/packages/server/src/utils/access-log/types.ts
index 6c35f9bb57..b6a395db56 100644
--- a/packages/server/src/utils/access-log/types.ts
+++ b/packages/server/src/utils/access-log/types.ts
@@ -1,4 +1,4 @@
-export interface LogEntry {
+export interface TraefikLogEntry {
 	ClientAddr: string;
 	ClientHost: string;
 	ClientPort: string;
@@ -46,3 +46,31 @@ export interface LogEntry {
 	request_User_Agent: string;
 	time: string;
 }
+
+export interface CaddyRawAccessLogEntry {
+	level?: string;
+	ts?: number;
+	logger?: string;
+	msg?: string;
+	server_name?: string;
+	request?: {
+		remote_ip?: string;
+		remote_port?: string;
+		client_ip?: string;
+		proto?: string;
+		method?: string;
+		host?: string;
+		uri?: string;
+		tls?: unknown;
+		headers?: Record<string, string[]>;
+	};
+	bytes_read?: number;
+	duration?: number;
+	size?: number;
+	status?: number;
+	resp_headers?: Record<string, string[]>;
+}
+
+export type LogEntry = TraefikLogEntry & {
+	Provider?: "traefik" | "caddy";
+};
diff --git a/packages/server/src/utils/access-log/utils.ts b/packages/server/src/utils/access-log/utils.ts
index 9b472ee27d..6db497c16f 100644
--- a/packages/server/src/utils/access-log/utils.ts
+++ b/packages/server/src/utils/access-log/utils.ts
@@ -1,11 +1,131 @@
 import _ from "lodash";
-import type { LogEntry } from "./types";
+import type { CaddyRawAccessLogEntry, LogEntry } from "./types";
 
 interface HourlyData {
 	hour: string;
 	count: number;
 }
 
+const emptyServiceURL = {
+	Scheme: "",
+	Opaque: "",
+	User: null,
+	Host: "",
+	Path: "",
+	RawPath: "",
+	ForceQuery: false,
+	RawQuery: "",
+	Fragment: "",
+	RawFragment: "",
+};
+
+const isTraefikLogEntry = (value: unknown): value is LogEntry => {
+	const entry = value as Partial<LogEntry>;
+	return (
+		typeof entry.StartUTC === "string" &&
+		typeof entry.RequestHost === "string" &&
+		typeof entry.DownstreamStatus === "number"
+	);
+};
+
+const isCaddyLogEntry = (value: unknown): value is CaddyRawAccessLogEntry => {
+	const entry = value as CaddyRawAccessLogEntry;
+	return (
+		typeof entry.ts === "number" &&
+		typeof entry.status === "number" &&
+		typeof entry.request === "object" &&
+		entry.request !== null
+	);
+};
+
+const getRequestPath = (uri = "") => {
+	if (!uri) return "";
+	const queryIndex = uri.indexOf("?");
+	return queryIndex === -1 ? uri : uri.slice(0, queryIndex) || "/";
+};
+
+const getHostPort = (host = "", tls?: unknown) => {
+	const match = host.match(/:(\d+)$/);
+	if (match?.[1]) return match[1];
+	return tls ? "443" : "80";
+};
+
+const normalizeCaddyLogEntry = (
+	entry: CaddyRawAccessLogEntry,
+): LogEntry | null => {
+	if (!isCaddyLogEntry(entry)) return null;
+	const ts = entry.ts;
+	if (typeof ts !== "number") return null;
+	const timestamp = new Date(ts * 1000);
+	if (Number.isNaN(timestamp.getTime())) return null;
+
+	const request = entry.request ?? {};
+	const startUTC = timestamp.toISOString();
+	const remoteIp = request.remote_ip ?? "";
+	const remotePort = request.remote_port ?? "";
+	const clientHost = request.client_ip ?? remoteIp;
+	const clientAddr =
+		remoteIp && remotePort ? `${remoteIp}:${remotePort}` : remoteIp;
+	const serviceName = entry.server_name ?? entry.logger ?? "caddy";
+
+	return {
+		Provider: "caddy",
+		ClientAddr: clientAddr,
+		ClientHost: clientHost,
+		ClientPort: remotePort,
+		ClientUsername: "-",
+		DownstreamContentSize: entry.size ?? 0,
+		DownstreamStatus: entry.status ?? 0,
+		Duration: Math.round((entry.duration ?? 0) * 1_000_000_000),
+		OriginContentSize: entry.size ?? 0,
+		OriginDuration: Math.round((entry.duration ?? 0) * 1_000_000_000),
+		OriginStatus: entry.status ?? 0,
+		Overhead: 0,
+		RequestAddr: request.host ?? "",
+		RequestContentSize: entry.bytes_read ?? 0,
+		RequestCount: 0,
+		RequestHost: request.host ?? "",
+		RequestMethod: request.method ?? "",
+		RequestPath: getRequestPath(request.uri),
+		RequestPort: getHostPort(request.host, request.tls),
+		RequestProtocol: request.proto ?? "",
+		RequestScheme: request.tls ? "https" : "http",
+		RetryAttempts: 0,
+		RouterName: serviceName,
+		ServiceAddr: "",
+		ServiceName: serviceName,
+		ServiceURL: emptyServiceURL,
+		StartLocal: startUTC,
+		StartUTC: startUTC,
+		downstream_Content_Type: "",
+		entryPointName: request.tls ? "https" : "http",
+		level: entry.level ?? "info",
+		msg: entry.msg ?? "",
+		origin_Content_Type: "",
+		request_Content_Type: "",
+		request_User_Agent: request.headers?.["User-Agent"]?.[0] ?? "",
+		time: startUTC,
+	};
+};
+
+export const parseAccessLogLine = (line: string): LogEntry | null => {
+	const trimmed = line.trim();
+	if (!trimmed || !trimmed.startsWith("{") || !trimmed.endsWith("}")) {
+		return null;
+	}
+
+	try {
+		const parsed = JSON.parse(trimmed);
+		if (isTraefikLogEntry(parsed)) {
+			return { ...parsed, Provider: parsed.Provider ?? "traefik" };
+		}
+		return normalizeCaddyLogEntry(parsed);
+	} catch (error) {
+		console.error("Error parsing log line:", error);
+		return null;
+	}
+};
+
 export function processLogs(
 	logString: string,
 	dateRange?: { start?: string; end?: string },
@@ -16,14 +136,10 @@ export function processLogs(
 
 	const hourlyData = _(logString)
 		.split("\n")
-		.filter((line) => {
-			const trimmed = line.trim();
-			// Check if the line starts with { and ends with } to ensure it's a potential JSON object
-			return trimmed !== "" && trimmed.startsWith("{") && trimmed.endsWith("}");
-		})
 		.map((entry) => {
 			try {
-				const log: LogEntry = JSON.parse(entry);
+				const log = parseAccessLogLine(entry);
+				if (!log) return null;
 				if (log.ServiceName === "dokploy-service-app@file") {
 					return null;
 				}
@@ -44,7 +160,7 @@ export function processLogs(
 
 				return `${date.toISOString().slice(0, 13)}:00:00Z`;
 			} catch (error) {
-				console.error("Error parsing log entry:", error);
+				console.error("Error processing log entry:", error);
 				return null;
 			}
 		})
@@ -79,23 +195,9 @@ export function parseRawConfig(
 			return { data: [], totalCount: 0 };
 		}
 
-		// Split logs into chunks to avoid memory issues
 		let parsedLogs = _(rawConfig)
 			.split("\n")
-			.filter((line) => {
-				const trimmed = line.trim();
-				return (
-					trimmed !== "" && trimmed.startsWith("{") && trimmed.endsWith("}")
-				);
-			})
-			.map((line) => {
-				try {
-					return JSON.parse(line) as LogEntry;
-				} catch (error) {
-					console.error("Error parsing log line:", error);
-					return null;
-				}
-			})
+			.map(parseAccessLogLine)
 			.compact()
 			.value();
 
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index 624c97507c..db96279e82 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -26,6 +26,7 @@ import type {
 
 const CADDY_FRAGMENT_VERSION = 1;
 const CADDY_VERSION = process.env.CADDY_VERSION || "2.11.3";
+const CADDY_ACCESS_LOG_CONTAINER_PATH = "/etc/caddy/access.log";
 export const CLOUDFLARE_TRUSTED_PROXY_RANGES = [
 	"173.245.48.0/20",
 	"103.21.244.0/22",
@@ -357,6 +358,35 @@ const createTlsAppConfig = (
 	return Object.keys(tlsApp).length ? { tls: tlsApp } : {};
 };
 
+const createCaddyAccessLogConfig = (
+	accessLogs: CaddyCompileOptions["accessLogs"],
+) => {
+	if (!accessLogs?.enabled) {
+		return {};
+	}
+
+	return {
+		logging: {
+			logs: {
+				"dokploy-requests": {
+					writer: {
+						output: "file",
+						filename: accessLogs.filename || CADDY_ACCESS_LOG_CONTAINER_PATH,
+					},
+					encoder: {
+						format: "json",
+					},
+					include: ["http.log.access"],
+				},
+			},
+		},
+	};
+};
+
+const createCaddyServerLogConfig = (
+	accessLogs: CaddyCompileOptions["accessLogs"],
+) => (accessLogs?.enabled ? { logs: {} } : {});
+
 const createHeaderHandler = (route: CaddyRouteIntent) => {
 	const requestHeaders = route.transforms?.requestHeaders;
 	const responseHeaders = route.transforms?.responseHeaders;
@@ -612,6 +642,7 @@ export const compileCaddyConfig = ({
 	routes = [],
 	letsEncryptEmail,
 	trustedProxies,
+	accessLogs,
 }: CaddyCompileOptions = {}) => {
 	const allRoutes = sortCaddyRouteIntents([
 		...flattenCaddyFragments(fragments),
@@ -650,17 +681,20 @@ export const compileCaddyConfig = ({
 		admin: {
 			listen: "localhost:2019",
 		},
+		...createCaddyAccessLogConfig(accessLogs),
 		apps: {
 			...createTlsAppConfig(letsEncryptEmail, manualTlsCertificates),
 			http: {
 				servers: {
 					http: {
 						listen: [":80"],
+						...createCaddyServerLogConfig(accessLogs),
 						...trustedProxyServerOptions,
 						routes: httpRoutes,
 					},
 					https: {
 						listen: [":443"],
+						...createCaddyServerLogConfig(accessLogs),
 						...trustedProxyServerOptions,
 						routes: httpsRoutes,
 					},
@@ -807,6 +841,7 @@ export const compileAndWriteCaddyConfig = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
 		trustedProxies?: CaddyCompileOptions["trustedProxies"];
+		accessLogs?: CaddyCompileOptions["accessLogs"];
 	} = {},
 ) => {
 	const fragments = await readCaddyRouteFragments(options);
@@ -814,6 +849,7 @@ export const compileAndWriteCaddyConfig = async (
 		fragments,
 		letsEncryptEmail: options.letsEncryptEmail,
 		trustedProxies: options.trustedProxies,
+		accessLogs: options.accessLogs,
 	});
 	await writeCaddyConfigFile(config, options);
 	return config;
@@ -881,6 +917,7 @@ export const compileWriteAndReloadCaddyConfigSafely = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
 		trustedProxies?: CaddyCompileOptions["trustedProxies"];
+		accessLogs?: CaddyCompileOptions["accessLogs"];
 	} = {},
 ) => {
 	const fragments = await readCaddyRouteFragments(options);
@@ -888,6 +925,7 @@ export const compileWriteAndReloadCaddyConfigSafely = async (
 		fragments,
 		letsEncryptEmail: options.letsEncryptEmail,
 		trustedProxies: options.trustedProxies,
+		accessLogs: options.accessLogs,
 	});
 	await writeAndReloadCaddyConfigSafely(config, options);
 	return config;
@@ -897,6 +935,7 @@ export const ensureDefaultCaddyConfig = async (
 	options: CaddyFragmentStoreOptions & {
 		letsEncryptEmail?: string | null;
 		trustedProxies?: CaddyCompileOptions["trustedProxies"];
+		accessLogs?: CaddyCompileOptions["accessLogs"];
 	} = {},
 ) => {
 	const caddyPaths = paths(!!options.serverId);
diff --git a/packages/server/src/utils/caddy/migration/apply.ts b/packages/server/src/utils/caddy/migration/apply.ts
index e59a20d233..15493362aa 100644
--- a/packages/server/src/utils/caddy/migration/apply.ts
+++ b/packages/server/src/utils/caddy/migration/apply.ts
@@ -58,6 +58,7 @@ const normalizeCompileSettings = (
 ): CaddyMigrationCompileSettings => ({
 	letsEncryptEmail: settings?.letsEncryptEmail ?? null,
 	trustedProxies: settings?.trustedProxies ?? null,
+	accessLogs: settings?.accessLogs ?? null,
 });
 
 const compileSettingsChanged = (
diff --git a/packages/server/src/utils/caddy/migration/types.ts b/packages/server/src/utils/caddy/migration/types.ts
index a8f3ed1764..d2fe158122 100644
--- a/packages/server/src/utils/caddy/migration/types.ts
+++ b/packages/server/src/utils/caddy/migration/types.ts
@@ -183,7 +183,7 @@ export interface CaddyMigrationReport {
 	};
 	compileSettings?: Pick<
 		CaddyCompileOptions,
-		"letsEncryptEmail" | "trustedProxies"
+		"letsEncryptEmail" | "trustedProxies" | "accessLogs"
 	>;
 	runtimePreflight?: CaddyMigrationRuntimePreflight;
 	warnings: CaddyMigrationWarning[];
diff --git a/packages/server/src/utils/caddy/types.ts b/packages/server/src/utils/caddy/types.ts
index b1945ca82f..dbee1a0c5b 100644
--- a/packages/server/src/utils/caddy/types.ts
+++ b/packages/server/src/utils/caddy/types.ts
@@ -77,11 +77,17 @@ export interface CaddyTrustedProxySettings {
 	strict?: boolean | null;
 }
 
+export interface CaddyAccessLogConfig {
+	enabled: boolean;
+	filename?: string | null;
+}
+
 export interface CaddyCompileOptions {
 	fragments?: CaddyRouteFragment[];
 	routes?: CaddyRouteIntent[];
 	letsEncryptEmail?: string | null;
 	trustedProxies?: CaddyTrustedProxyConfig | null;
+	accessLogs?: CaddyAccessLogConfig | null;
 }
 
 export type CaddyJsonObject = Record<string, unknown>;

From 7c80ad6b78462ca942bd3c27a885a4cc4b811d84 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 00:00:22 -0400
Subject: [PATCH 20/37] fix: neutralize web server file permission copy

---
 .../components/dashboard/settings/users/add-permissions.tsx  | 5 +++--
 docs/caddy-provider-upstream-readiness.md                    | 5 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/dokploy/components/dashboard/settings/users/add-permissions.tsx b/apps/dokploy/components/dashboard/settings/users/add-permissions.tsx
index e54140bbfa..3b01982432 100644
--- a/apps/dokploy/components/dashboard/settings/users/add-permissions.tsx
+++ b/apps/dokploy/components/dashboard/settings/users/add-permissions.tsx
@@ -457,9 +457,10 @@ export const AddUserPermissions = ({ userId, role }: Props) => {
 									render={({ field }) => (
 										<FormItem className="flex flex-row items-center justify-between rounded-lg border p-3 shadow-sm">
 											<div className="space-y-0.5">
-												<FormLabel>Access to Traefik Files</FormLabel>
+												<FormLabel>Access to Web Server Files</FormLabel>
 												<FormDescription>
-													Allow the user to access to the Traefik Tab Files
+													Allow the user to access the active web server file
+													browser
 												</FormDescription>
 											</div>
 											<FormControl>
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 363c088bfd..bcc3c07d02 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -43,7 +43,7 @@ Local state observed before this document was added:
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest local Caddy log lines for paginated views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Browser-smoke the Requests page under active Caddy after a dev server or review app is available; add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, and provider-aware Requests copy now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, and provider-neutral web-server file permission copy now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -433,6 +433,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the request analytics review fixes. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 26 files, 165 tests after Requests/access-log hardening and RepoPrompt `back:3` recommendations. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | Formatter/import checks passed for the request analytics review slice. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for provider-neutral file-permission copy | Complete | Identified the user-permissions switch for provider-aware web-server file browsing as still using Traefik-only visible copy while intentionally retaining legacy internal permission names for compatibility. |
+| 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true apps/dokploy/components/dashboard/settings/users/add-permissions.tsx docs/caddy-provider-upstream-readiness.md`, stale permission-copy `rg`, and `git diff --check` | Passed | Formatter/import check, stale Traefik-only permission-copy search, and whitespace check passed after provider-neutral permission copy. |
+| 2026-06-02 | `git diff --name-only upstream/canary...HEAD \| rg '(^\|/)(prompt-exports\|docs/plans\|docs/reviews\|AGENTS\\.md\|CLAUDE\\.md)(/\|$)'` | Passed | No forbidden prompt export, private docs, or agent files are in the current PR diff surface. Local `docs/plans` and `docs/reviews` directories are not tracked in this branch state. |
 
 ## Upstream Hygiene Checklist
 

From 057a1c7fed2f0b6d7682444437200d5379ef2b68 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 00:06:04 -0400
Subject: [PATCH 21/37] fix: neutralize web server file nav copy

---
 apps/dokploy/components/dashboard/search-command.tsx | 2 +-
 apps/dokploy/components/layouts/side.tsx             | 4 ++--
 docs/caddy-provider-upstream-readiness.md            | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/dokploy/components/dashboard/search-command.tsx b/apps/dokploy/components/dashboard/search-command.tsx
index 841728dc10..d24eb3d51a 100644
--- a/apps/dokploy/components/dashboard/search-command.tsx
+++ b/apps/dokploy/components/dashboard/search-command.tsx
@@ -197,7 +197,7 @@ export const SearchCommand = () => {
 										setOpen(false);
 									}}
 								>
-									Traefik
+									Web Server Files
 								</CommandItem>
 								<CommandItem
 									onSelect={() => {
diff --git a/apps/dokploy/components/layouts/side.tsx b/apps/dokploy/components/layouts/side.tsx
index c9a4d5dfba..f7646ef0d0 100644
--- a/apps/dokploy/components/layouts/side.tsx
+++ b/apps/dokploy/components/layouts/side.tsx
@@ -188,10 +188,10 @@ const MENU: Menu = {
 		},
 		{
 			isSingle: true,
-			title: "Traefik File System",
+			title: "Web Server Files",
 			url: "/dashboard/traefik",
 			icon: GalleryVerticalEnd,
-			// Only enabled for users with access to Traefik files in non-cloud environments
+			// `traefikFiles` is the legacy permission key for active web-server files.
 			isEnabled: ({ permissions, isCloud }) =>
 				!!(permissions?.traefikFiles.read && !isCloud),
 		},
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index bcc3c07d02..a87329701b 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -43,7 +43,7 @@ Local state observed before this document was added:
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest local Caddy log lines for paginated views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Browser-smoke the Requests page under active Caddy after a dev server or review app is available; add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, and provider-neutral web-server file permission copy now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -436,6 +436,8 @@ Expected post-mutation checks:
 | 2026-06-02 | RepoPrompt Deep Plan pass for provider-neutral file-permission copy | Complete | Identified the user-permissions switch for provider-aware web-server file browsing as still using Traefik-only visible copy while intentionally retaining legacy internal permission names for compatibility. |
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true apps/dokploy/components/dashboard/settings/users/add-permissions.tsx docs/caddy-provider-upstream-readiness.md`, stale permission-copy `rg`, and `git diff --check` | Passed | Formatter/import check, stale Traefik-only permission-copy search, and whitespace check passed after provider-neutral permission copy. |
 | 2026-06-02 | `git diff --name-only upstream/canary...HEAD \| rg '(^\|/)(prompt-exports\|docs/plans\|docs/reviews\|AGENTS\\.md\|CLAUDE\\.md)(/\|$)'` | Passed | No forbidden prompt export, private docs, or agent files are in the current PR diff surface. Local `docs/plans` and `docs/reviews` directories are not tracked in this branch state. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for provider-neutral local web-server file nav/search copy | Complete | Identified the sidebar and command palette labels for the provider-aware `/dashboard/traefik` file browser as still Traefik-specific while retaining the legacy route and permission names for compatibility. |
+| 2026-06-02 | Stale nav/search copy `rg`, `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true apps/dokploy/components/layouts/side.tsx apps/dokploy/components/dashboard/search-command.tsx docs/caddy-provider-upstream-readiness.md`, `git diff --check`, and PR-surface hygiene scan | Passed | Sidebar and command palette now label the local provider-aware file browser as web-server files while keeping the legacy route and permission names. No forbidden prompt export/private-doc paths were found in the current PR diff surface. |
 
 ## Upstream Hygiene Checklist
 

From fd2a97139ced2e28ef41c6405684c1bf9d73b047 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 00:33:53 -0400
Subject: [PATCH 22/37] fix: harden caddy request analytics review gaps

---
 apps/dokploy/__test__/caddy/config.test.ts    | 37 +++++++
 .../caddy/request-log-cleanup.test.ts         |  1 +
 .../__test__/caddy/request-log-utils.test.ts  | 16 +++
 .../caddy/request-logs-router.test.ts         | 49 +++++++++-
 apps/dokploy/server/api/routers/settings.ts   | 18 ++--
 docs/caddy-provider-upstream-readiness.md     | 11 ++-
 packages/server/src/constants/index.ts        |  1 +
 .../src/db/schema/web-server-settings.ts      | 98 ++++++++++---------
 .../server/src/utils/access-log/handler.ts    |  6 +-
 packages/server/src/utils/access-log/utils.ts | 13 ++-
 packages/server/src/utils/caddy/config.ts     | 31 ++++++
 11 files changed, 213 insertions(+), 68 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index ba14031876..e2b3239bbf 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -22,6 +22,7 @@ import {
 	compileAndWriteCaddyConfig,
 	compileCaddyConfig,
 	compileWriteAndReloadCaddyConfigSafely,
+	compileWriteAndValidateCaddyConfigSafely,
 	type Domain,
 	getCaddyMigrationArtifactPaths,
 	manageCaddyDomain,
@@ -431,6 +432,42 @@ test("validates a config file with the Caddy binary in an isolated runtime conta
 	expect(validateCommand).not.toContain("caddy\\:2.11.3 validate --config");
 });
 
+test("restores the previous Caddy config when safe validation fails without reloading", async () => {
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ routes: [route({ hosts: ["old.example.com"] })] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.mkdirSync(paths().CADDY_FRAGMENTS_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+	const consoleError = vi
+		.spyOn(console, "error")
+		.mockImplementation(() => undefined);
+
+	await expect(
+		compileWriteAndValidateCaddyConfigSafely({
+			accessLogs: { enabled: true },
+		}),
+	).rejects.toThrow("validation failed");
+
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+	expect(
+		execAsyncMock.mock.calls.some(([command]) =>
+			(command as string).includes("caddy reload"),
+		),
+	).toBe(false);
+	consoleError.mockRestore();
+});
+
 test("reloads the restored Caddy config when safe reload fails", async () => {
 	const previousConfig = `${JSON.stringify(
 		compileCaddyConfig({ routes: [route({ hosts: ["old.example.com"] })] }),
diff --git a/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts b/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
index 482da34ba6..888e3cf335 100644
--- a/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
+++ b/apps/dokploy/__test__/caddy/request-log-cleanup.test.ts
@@ -22,6 +22,7 @@ vi.mock("node-schedule", () => ({
 }));
 
 vi.mock("@dokploy/server/constants", () => ({
+	ACCESS_LOG_RETAINED_LINES: 1000,
 	paths: () => ({
 		DYNAMIC_TRAEFIK_PATH: "/etc/dokploy/traefik/dynamic",
 		CADDY_ACCESS_LOG_PATH: "/etc/dokploy/caddy/access.log",
diff --git a/apps/dokploy/__test__/caddy/request-log-utils.test.ts b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
index 6512ad071a..bde4ff47b1 100644
--- a/apps/dokploy/__test__/caddy/request-log-utils.test.ts
+++ b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
@@ -52,6 +52,22 @@ test("normalizes Caddy JSON access logs into the Requests table shape", () => {
 	});
 });
 
+test("normalizes Caddy user-agent headers case-insensitively", () => {
+	const result = parseRawConfig(
+		JSON.stringify({
+			...JSON.parse(caddyLogEntry),
+			request: {
+				...JSON.parse(caddyLogEntry).request,
+				headers: {
+					"user-agent": ["lowercase-agent"],
+				},
+			},
+		}),
+	);
+
+	expect(result.data[0]?.request_User_Agent).toBe("lowercase-agent");
+});
+
 test("filters and groups normalized Caddy request logs", () => {
 	const rawConfig = `${caddyLogEntry}\n${JSON.stringify({
 		...JSON.parse(caddyLogEntry),
diff --git a/apps/dokploy/__test__/caddy/request-logs-router.test.ts b/apps/dokploy/__test__/caddy/request-logs-router.test.ts
index 0b3a5cb576..dbd0880208 100644
--- a/apps/dokploy/__test__/caddy/request-logs-router.test.ts
+++ b/apps/dokploy/__test__/caddy/request-logs-router.test.ts
@@ -18,6 +18,7 @@ const serverMocks = vi.hoisted(() => ({
 	cleanupSystem: vi.fn(),
 	cleanupVolumes: vi.fn(),
 	compileAndWriteCaddyConfig: vi.fn(),
+	compileWriteAndValidateCaddyConfigSafely: vi.fn(),
 	compileWriteAndReloadCaddyConfigSafely: vi.fn(),
 	execAsync: vi.fn(),
 	findServerById: vi.fn(),
@@ -73,6 +74,7 @@ const serverMocks = vi.hoisted(() => ({
 
 vi.mock("@dokploy/server", () => ({
 	...serverMocks,
+	ACCESS_LOG_RETAINED_LINES: 1000,
 	CLEANUP_CRON_JOB: "cleanup",
 	DEFAULT_UPDATE_DATA: { latestVersion: null, updateAvailable: false },
 	IS_CLOUD: false,
@@ -102,6 +104,7 @@ vi.mock("@/server/utils/backup", () => ({
 import {
 	checkPortInUse,
 	compileAndWriteCaddyConfig,
+	compileWriteAndValidateCaddyConfigSafely,
 	getCaddyCompileSettings,
 	getWebServerResourceName,
 	getWebServerSettings,
@@ -118,6 +121,7 @@ import {
 	writeMainConfig,
 	writeWebServerSetup,
 } from "@dokploy/server";
+import { apiUpdateWebServerSettings } from "@dokploy/server/db/schema";
 import { settingsRouter } from "@/server/api/routers/settings";
 import { audit } from "@/server/api/utils/audit";
 
@@ -169,6 +173,9 @@ beforeEach(() => {
 		accessLogs: requestLogsEnabled ? { enabled: true } : null,
 	}));
 	vi.mocked(compileAndWriteCaddyConfig).mockResolvedValue({} as never);
+	vi.mocked(compileWriteAndValidateCaddyConfigSafely).mockResolvedValue(
+		{} as never,
+	);
 	vi.mocked(checkPortInUse).mockResolvedValue({ isInUse: false } as never);
 	vi.mocked(readEnvironmentVariables).mockResolvedValue("CADDY_ENV=1");
 	vi.mocked(prepareEnvironmentVariables).mockReturnValue(["CADDY_ENV=1"]);
@@ -200,6 +207,7 @@ test("keeps Traefik request toggles on the existing Traefik YAML path", async ()
 		expect.stringContaining("/etc/dokploy/traefik/dynamic/access.log"),
 	);
 	expect(compileAndWriteCaddyConfig).not.toHaveBeenCalled();
+	expect(compileWriteAndValidateCaddyConfigSafely).not.toHaveBeenCalled();
 	expect(audit).toHaveBeenCalledWith(
 		expect.anything(),
 		expect.objectContaining({ resourceName: "toggle-requests" }),
@@ -230,10 +238,11 @@ test("toggles Caddy request logs without writing Traefik main config", async ()
 		requestLogsEnabled: true,
 	});
 	expect(getCaddyCompileSettings).toHaveBeenCalledWith();
-	expect(compileAndWriteCaddyConfig).toHaveBeenCalledWith({
+	expect(compileWriteAndValidateCaddyConfigSafely).toHaveBeenCalledWith({
 		letsEncryptEmail: "ops@example.com",
 		accessLogs: { enabled: true },
 	});
+	expect(compileAndWriteCaddyConfig).not.toHaveBeenCalled();
 	expect(writeMainConfig).not.toHaveBeenCalled();
 	expect(requestLogsEnabled).toBe(true);
 });
@@ -278,7 +287,7 @@ test("preserves Caddy request-log settings when rewriting web-server setup", asy
 test("restores Caddy request-log setting when generated config write fails", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
 	requestLogsEnabled = true;
-	vi.mocked(compileAndWriteCaddyConfig).mockRejectedValueOnce(
+	vi.mocked(compileWriteAndValidateCaddyConfigSafely).mockRejectedValueOnce(
 		new Error("caddy write failed") as never,
 	);
 
@@ -296,6 +305,14 @@ test("restores Caddy request-log setting when generated config write fails", asy
 	expect(audit).not.toHaveBeenCalled();
 });
 
+test("does not allow generic web-server settings updates to toggle Caddy request logs", () => {
+	const parsed = apiUpdateWebServerSettings.parse({
+		requestLogsEnabled: true,
+	});
+
+	expect(parsed).not.toHaveProperty("requestLogsEnabled");
+});
+
 test("reads Caddy request stats from the Caddy access-log path", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
 	writeFileSync(caddyAccessLogPath, '{"caddy":true}\n');
@@ -323,7 +340,7 @@ test("reads the latest Caddy request log entries for paginated stats", async ()
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
 	writeFileSync(
 		caddyAccessLogPath,
-		Array.from({ length: 501 }, (_, index) =>
+		Array.from({ length: 1001 }, (_, index) =>
 			JSON.stringify({ caddy: true, index }),
 		).join("\n"),
 	);
@@ -333,7 +350,29 @@ test("reads the latest Caddy request log entries for paginated stats", async ()
 	});
 
 	const rawLog = vi.mocked(parseRawConfig).mock.calls[0]?.[0] as string;
-	expect(rawLog.split("\n").filter(Boolean)).toHaveLength(500);
+	expect(rawLog.split("\n").filter(Boolean)).toHaveLength(1000);
+	expect(rawLog).not.toContain('"index":0');
+	expect(rawLog).toContain('"index":1000');
+});
+
+test("bounds Caddy date-range request stats reads to the retained line window", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	writeFileSync(
+		caddyAccessLogPath,
+		Array.from({ length: 1001 }, (_, index) =>
+			JSON.stringify({ caddy: true, index }),
+		).join("\n"),
+	);
+
+	await caller.readStats({
+		dateRange: {
+			start: "2026-06-02T00:00:00.000Z",
+			end: "2026-06-02T23:59:59.999Z",
+		},
+	});
+
+	const rawLog = vi.mocked(processLogs).mock.calls[0]?.[0] as string;
+	expect(rawLog.split("\n").filter(Boolean)).toHaveLength(1000);
 	expect(rawLog).not.toContain('"index":0');
-	expect(rawLog).toContain('"index":500');
+	expect(rawLog).toContain('"index":1000');
 });
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index 5315f7eb6b..ce4c8f1353 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -1,6 +1,7 @@
-import { createReadStream, existsSync, readFileSync } from "node:fs";
+import { createReadStream, existsSync } from "node:fs";
 import { createInterface } from "node:readline";
 import {
+	ACCESS_LOG_RETAINED_LINES,
 	applyCaddyMigration as applyCaddyMigrationCutover,
 	CLEANUP_CRON_JOB,
 	checkGPUStatus,
@@ -15,8 +16,8 @@ import {
 	cleanupImages,
 	cleanupSystem,
 	cleanupVolumes,
-	compileAndWriteCaddyConfig,
 	compileWriteAndReloadCaddyConfigSafely,
+	compileWriteAndValidateCaddyConfigSafely,
 	DEFAULT_UPDATE_DATA,
 	execAsync,
 	findServerById,
@@ -383,13 +384,10 @@ const getLocalAccessLogPath = (provider: WebServerProvider) => {
 		: `${currentPaths.DYNAMIC_TRAEFIK_PATH}/access.log`;
 };
 
-const readAccessLogFile = async (filePath: string, readAll = false) => {
+const readAccessLogFile = async (filePath: string) => {
 	if (!existsSync(filePath)) {
 		return "";
 	}
-	if (readAll) {
-		return readFileSync(filePath, "utf8");
-	}
 
 	const recentLines: string[] = [];
 	const fileStream = createReadStream(filePath, { encoding: "utf8" });
@@ -401,7 +399,7 @@ const readAccessLogFile = async (filePath: string, readAll = false) => {
 		const trimmed = line.trim();
 		if (trimmed.startsWith("{") && trimmed.endsWith("}")) {
 			recentLines.push(line);
-			if (recentLines.length > 500) {
+			if (recentLines.length > ACCESS_LOG_RETAINED_LINES) {
 				recentLines.shift();
 			}
 		}
@@ -414,7 +412,7 @@ const readActiveRequestAccessLog = async (readAll = false) => {
 	if (provider === "traefik") {
 		return (await readMonitoringConfig(readAll)) ?? "";
 	}
-	return readAccessLogFile(getLocalAccessLogPath(provider), readAll);
+	return readAccessLogFile(getLocalAccessLogPath(provider));
 };
 
 const getRequestAnalyticsState = async () => {
@@ -1606,7 +1604,9 @@ export const settingsRouter = createTRPCRouter({
 					requestLogsEnabled: input.enable,
 				});
 				try {
-					await compileAndWriteCaddyConfig(await getCaddyCompileSettings());
+					await compileWriteAndValidateCaddyConfigSafely(
+						await getCaddyCompileSettings(),
+					);
 				} catch (error) {
 					await updateWebServerSettings({
 						requestLogsEnabled: previousEnabled,
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index a87329701b..6bfce3c6bb 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,8 +42,8 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest local Caddy log lines for paginated views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Browser-smoke the Requests page under active Caddy after a dev server or review app is available; add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. | Needs manual UI QA | Browser-smoke the settings/domain/request flows when a Dokploy dev server or review app is available. |
+| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, and the Caddy trusted-proxy dialog under Traefik-active and Caddy-active states. | Needs domain modal UI QA | Browser-smoke the application domain modal under active Caddy after a local service/domain fixture is available; add live runtime proof only after explicit approval. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -438,6 +438,13 @@ Expected post-mutation checks:
 | 2026-06-02 | `git diff --name-only upstream/canary...HEAD \| rg '(^\|/)(prompt-exports\|docs/plans\|docs/reviews\|AGENTS\\.md\|CLAUDE\\.md)(/\|$)'` | Passed | No forbidden prompt export, private docs, or agent files are in the current PR diff surface. Local `docs/plans` and `docs/reviews` directories are not tracked in this branch state. |
 | 2026-06-02 | RepoPrompt Deep Plan pass for provider-neutral local web-server file nav/search copy | Complete | Identified the sidebar and command palette labels for the provider-aware `/dashboard/traefik` file browser as still Traefik-specific while retaining the legacy route and permission names for compatibility. |
 | 2026-06-02 | Stale nav/search copy `rg`, `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true apps/dokploy/components/layouts/side.tsx apps/dokploy/components/dashboard/search-command.tsx docs/caddy-provider-upstream-readiness.md`, `git diff --check`, and PR-surface hygiene scan | Passed | Sidebar and command palette now label the local provider-aware file browser as web-server files while keeping the legacy route and permission names. No forbidden prompt export/private-doc paths were found in the current PR diff surface. |
+| 2026-06-02 | Local isolated browser UI QA with temporary Postgres/Redis and Playwright | Partial | Registered a local QA owner and smoke-tested Settings -> Web Server, Requests, local web-server file browser, Caddy read-only artifact browsing, and the Caddy trusted-proxy dialog under Traefik-active and Caddy-active states. No apply, rollback, reload, provider switch, PR update, or live mutation was performed. Application domain modal QA is still pending a local service/domain fixture. |
+| 2026-06-02 | RepoPrompt review with git compare `back:3` using per-file artifacts excluding only generated Drizzle snapshot JSON | Complete | Review findings incorporated locally: generic web-server settings updates can no longer toggle Caddy request logs, Caddy request-log toggles now validate the rewritten config before returning success and restore on validation failure, Caddy request-log reads are bounded to the shared retained-line window, cleanup/read retention constants are shared, and Caddy user-agent parsing handles header case defensively. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/request-log-utils.test.ts __test__/caddy/request-log-cleanup.test.ts __test__/caddy/request-logs-router.test.ts` | Passed | 4 files, 37 tests. Covers safe Caddy validate-without-reload config writes, provider-aware request-log toggles, generic schema drift prevention, bounded Caddy log reads for pagination/date-range stats, cleanup retention, and case-insensitive Caddy user-agent headers. |
+| 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | Formatter/import checks passed for the RepoPrompt request-analytics review slice. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the RepoPrompt request-analytics review slice. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 26 files, 169 tests after the RepoPrompt request-analytics review slice. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `git diff --check` and PR-surface hygiene scan | Passed | No whitespace errors. No forbidden prompt export, private docs, or agent-file paths were found in `upstream/canary...HEAD`; the local `prompt-exports/` directory from RepoPrompt was removed. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/constants/index.ts b/packages/server/src/constants/index.ts
index 73f00aa4ca..b25c620e52 100644
--- a/packages/server/src/constants/index.ts
+++ b/packages/server/src/constants/index.ts
@@ -12,6 +12,7 @@ export const DOKPLOY_DOCKER_PORT = process.env.DOKPLOY_DOCKER_PORT
 	: undefined;
 
 export const CLEANUP_CRON_JOB = "50 23 * * *";
+export const ACCESS_LOG_RETAINED_LINES = 1000;
 
 type DockerSocketCandidate = {
 	label: string;
diff --git a/packages/server/src/db/schema/web-server-settings.ts b/packages/server/src/db/schema/web-server-settings.ts
index 4bb9548008..4d5904da42 100644
--- a/packages/server/src/db/schema/web-server-settings.ts
+++ b/packages/server/src/db/schema/web-server-settings.ts
@@ -131,56 +131,58 @@ const createSchema = createInsertSchema(webServerSettings, {
 	id: z.string().min(1),
 });
 
-export const apiUpdateWebServerSettings = createSchema.partial().extend({
-	webServerProvider: z.enum(["traefik", "caddy"]).optional(),
-	caddyTrustedProxyConfig: z
-		.object({
-			mode: z.enum(["disabled", "cloudflare", "static"]),
-			ranges: z.array(z.string()).optional().nullable(),
-			clientIpHeaders: z.array(z.string()).optional().nullable(),
-			strict: z.boolean().optional().nullable(),
-		})
-		.optional()
-		.nullable(),
-	serverIp: z.string().optional(),
-	certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
-	https: z.boolean().optional(),
-	host: z.string().optional(),
-	letsEncryptEmail: z.string().email().optional().nullable(),
-	sshPrivateKey: z.string().optional(),
-	enableDockerCleanup: z.boolean().optional(),
-	requestLogsEnabled: z.boolean().optional(),
-	logCleanupCron: z.string().optional().nullable(),
-	metricsConfig: z
-		.object({
-			server: z.object({
-				type: z.enum(["Dokploy", "Remote"]),
-				refreshRate: z.number(),
-				port: z.number(),
-				token: z.string(),
-				urlCallback: z.string(),
-				retentionDays: z.number(),
-				cronJob: z.string(),
-				thresholds: z.object({
-					cpu: z.number(),
-					memory: z.number(),
+export const apiUpdateWebServerSettings = createSchema
+	.omit({ requestLogsEnabled: true })
+	.partial()
+	.extend({
+		webServerProvider: z.enum(["traefik", "caddy"]).optional(),
+		caddyTrustedProxyConfig: z
+			.object({
+				mode: z.enum(["disabled", "cloudflare", "static"]),
+				ranges: z.array(z.string()).optional().nullable(),
+				clientIpHeaders: z.array(z.string()).optional().nullable(),
+				strict: z.boolean().optional().nullable(),
+			})
+			.optional()
+			.nullable(),
+		serverIp: z.string().optional(),
+		certificateType: z.enum(["letsencrypt", "none", "custom"]).optional(),
+		https: z.boolean().optional(),
+		host: z.string().optional(),
+		letsEncryptEmail: z.string().email().optional().nullable(),
+		sshPrivateKey: z.string().optional(),
+		enableDockerCleanup: z.boolean().optional(),
+		logCleanupCron: z.string().optional().nullable(),
+		metricsConfig: z
+			.object({
+				server: z.object({
+					type: z.enum(["Dokploy", "Remote"]),
+					refreshRate: z.number(),
+					port: z.number(),
+					token: z.string(),
+					urlCallback: z.string(),
+					retentionDays: z.number(),
+					cronJob: z.string(),
+					thresholds: z.object({
+						cpu: z.number(),
+						memory: z.number(),
+					}),
 				}),
-			}),
-			containers: z.object({
-				refreshRate: z.number(),
-				services: z.object({
-					include: z.array(z.string()),
-					exclude: z.array(z.string()),
+				containers: z.object({
+					refreshRate: z.number(),
+					services: z.object({
+						include: z.array(z.string()),
+						exclude: z.array(z.string()),
+					}),
 				}),
-			}),
-		})
-		.optional(),
-	cleanupCacheApplications: z.boolean().optional(),
-	cleanupCacheOnPreviews: z.boolean().optional(),
-	cleanupCacheOnCompose: z.boolean().optional(),
-	remoteServersOnly: z.boolean().optional(),
-	enforceSSO: z.boolean().optional(),
-});
+			})
+			.optional(),
+		cleanupCacheApplications: z.boolean().optional(),
+		cleanupCacheOnPreviews: z.boolean().optional(),
+		cleanupCacheOnCompose: z.boolean().optional(),
+		remoteServersOnly: z.boolean().optional(),
+		enforceSSO: z.boolean().optional(),
+	});
 
 export const apiAssignDomain = z
 	.object({
diff --git a/packages/server/src/utils/access-log/handler.ts b/packages/server/src/utils/access-log/handler.ts
index 51bece03ae..87105ec3d1 100644
--- a/packages/server/src/utils/access-log/handler.ts
+++ b/packages/server/src/utils/access-log/handler.ts
@@ -1,6 +1,6 @@
 import fs from "node:fs";
 import path from "node:path";
-import { paths } from "@dokploy/server/constants";
+import { ACCESS_LOG_RETAINED_LINES, paths } from "@dokploy/server/constants";
 import {
 	getWebServerSettings,
 	resolveWebServerProvider,
@@ -52,13 +52,13 @@ export const startLogCleanup = async (
 					const quotedTempPath = quote([`${accessLogPath}.tmp`]);
 					if (provider === "caddy") {
 						await execAsync(
-							`tail -n 1000 ${quotedAccessLogPath} > ${quotedTempPath} && cat ${quotedTempPath} > ${quotedAccessLogPath} && rm ${quotedTempPath}`,
+							`tail -n ${ACCESS_LOG_RETAINED_LINES} ${quotedAccessLogPath} > ${quotedTempPath} && cat ${quotedTempPath} > ${quotedAccessLogPath} && rm ${quotedTempPath}`,
 						);
 						return;
 					}
 
 					await execAsync(
-						`tail -n 1000 ${quotedAccessLogPath} > ${quotedTempPath} && mv ${quotedTempPath} ${quotedAccessLogPath}`,
+						`tail -n ${ACCESS_LOG_RETAINED_LINES} ${quotedAccessLogPath} > ${quotedTempPath} && mv ${quotedTempPath} ${quotedAccessLogPath}`,
 					);
 					await execAsync("docker exec dokploy-traefik kill -USR1 1");
 				} catch (error) {
diff --git a/packages/server/src/utils/access-log/utils.ts b/packages/server/src/utils/access-log/utils.ts
index 6db497c16f..06ba990a44 100644
--- a/packages/server/src/utils/access-log/utils.ts
+++ b/packages/server/src/utils/access-log/utils.ts
@@ -50,6 +50,17 @@ const getHostPort = (host = "", tls?: unknown) => {
 	return tls ? "443" : "80";
 };
 
+const getHeaderValue = (
+	headers: Record<string, string[]> | undefined,
+	name: string,
+) => {
+	if (!headers) return "";
+	const match = Object.entries(headers).find(
+		([headerName]) => headerName.toLowerCase() === name.toLowerCase(),
+	);
+	return match?.[1]?.[0] ?? "";
+};
+
 const normalizeCaddyLogEntry = (
 	entry: CaddyRawAccessLogEntry,
 ): LogEntry | null => {
@@ -103,7 +114,7 @@ const normalizeCaddyLogEntry = (
 		msg: entry.msg ?? "",
 		origin_Content_Type: "",
 		request_Content_Type: "",
-		request_User_Agent: request.headers?.["User-Agent"]?.[0] ?? "",
+		request_User_Agent: getHeaderValue(request.headers, "User-Agent"),
 		time: startUTC,
 	};
 };
diff --git a/packages/server/src/utils/caddy/config.ts b/packages/server/src/utils/caddy/config.ts
index db96279e82..94f47d56e6 100644
--- a/packages/server/src/utils/caddy/config.ts
+++ b/packages/server/src/utils/caddy/config.ts
@@ -855,6 +855,37 @@ export const compileAndWriteCaddyConfig = async (
 	return config;
 };
 
+export const compileWriteAndValidateCaddyConfigSafely = async (
+	options: CaddyFragmentStoreOptions & {
+		letsEncryptEmail?: string | null;
+		trustedProxies?: CaddyCompileOptions["trustedProxies"];
+		accessLogs?: CaddyCompileOptions["accessLogs"];
+	} = {},
+) => {
+	const previousConfig = await readCaddyConfigFileIfExists(options);
+	const config = await compileAndWriteCaddyConfig(options);
+	try {
+		await validateCaddyConfigWithContainer(options.serverId);
+	} catch (error) {
+		try {
+			if (previousConfig) {
+				await writeCaddyConfigContent(previousConfig, options);
+			} else {
+				await writeCaddyConfigFile(compileCaddyConfig(), options);
+			}
+			await validateCaddyConfigWithContainer(options.serverId);
+		} catch (restoreError) {
+			if (error instanceof Error) {
+				(error as Error & { restoreError?: unknown }).restoreError =
+					restoreError;
+			}
+			console.error("Failed to restore Caddy config:", restoreError);
+		}
+		throw error;
+	}
+	return config;
+};
+
 export const readCaddyConfigFile = async (
 	options: CaddyFragmentStoreOptions = {},
 ) => {

From 1e4985b51e11cd72e1f53e92f77072dda4baf543 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 00:44:19 -0400
Subject: [PATCH 23/37] fix: cover caddy domain modal contracts

---
 .../caddy/domain-modal-ui-contract.test.ts    | 110 +++++++++++++
 .../__test__/caddy/domain-validation.test.ts  | 126 +++++++++++++++
 docs/caddy-provider-upstream-readiness.md     |  11 +-
 packages/server/src/db/schema/domain.ts       |  41 ++---
 packages/server/src/db/validations/domain.ts  | 147 +++++++-----------
 5 files changed, 326 insertions(+), 109 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/domain-modal-ui-contract.test.ts

diff --git a/apps/dokploy/__test__/caddy/domain-modal-ui-contract.test.ts b/apps/dokploy/__test__/caddy/domain-modal-ui-contract.test.ts
new file mode 100644
index 0000000000..15292a69f3
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/domain-modal-ui-contract.test.ts
@@ -0,0 +1,110 @@
+import { readFileSync } from "node:fs";
+import { describe, expect, test } from "vitest";
+
+const readSource = (relativePath: string) =>
+	readFileSync(new URL(relativePath, import.meta.url), "utf8");
+
+const compact = (source: string) => source.replace(/\s+/g, " ");
+
+describe("Caddy domain modal UI contract", () => {
+	test("wires application domain tab and edit actions through AddDomain", () => {
+		const applicationPage = compact(
+			readSource(
+				"../../pages/dashboard/project/[projectId]/environment/[environmentId]/services/application/[applicationId].tsx",
+			),
+		);
+		const showDomainsSource = readSource(
+			"../../components/dashboard/application/domains/show-domains.tsx",
+		);
+		const showDomains = compact(showDomainsSource);
+		const columns = compact(
+			readSource("../../components/dashboard/application/domains/columns.tsx"),
+		);
+
+		expect(applicationPage).toContain(
+			'import { ShowDomains } from "@/components/dashboard/application/domains/show-domains";',
+		);
+		expect(applicationPage).toContain('<TabsContent value="domains"');
+		expect(applicationPage).toContain(
+			'<ShowDomains id={applicationId} type="application" />',
+		);
+
+		expect(showDomains).toContain(
+			'import { AddDomain } from "./handle-domain";',
+		);
+		expect(showDomains).toContain("<AddDomain id={id} type={type}>");
+		expect(showDomainsSource).toMatch(
+			/<AddDomain[\s\S]*?id={id}[\s\S]*?type={type}[\s\S]*?domainId={item\.domainId}/,
+		);
+
+		expect(columns).toContain('import { AddDomain } from "./handle-domain";');
+		expect(columns).toContain(
+			"<AddDomain id={id} type={type} domainId={domain.domainId}>",
+		);
+	});
+
+	test("resolves the active Caddy provider and scopes uploaded certificates", () => {
+		const source = readSource(
+			"../../components/dashboard/application/domains/handle-domain.tsx",
+		);
+		const normalized = compact(source);
+
+		expect(source).toMatch(
+			/api\.settings\.getActiveWebServerProvider\.useQuery\(\s*\{\s*serverId:\s*application\?\.serverId \|\| undefined\s*\},\s*\{\s*enabled:\s*!!application\s*\}/,
+		);
+		expect(normalized).toContain(
+			'const isCaddyProvider = activeProvider === "caddy";',
+		);
+		expect(source).toMatch(
+			/api\.certificates\.all\.useQuery\(undefined,\s*\{\s*enabled:\s*isOpen && isCaddyProvider,\s*\}\)/,
+		);
+		expect(normalized).toContain(
+			"certificate.serverId === application.serverId",
+		);
+		expect(normalized).toContain(": !certificate.serverId");
+	});
+
+	test("renders Caddy certificate copy and submits uploaded certificate paths", () => {
+		const source = readSource(
+			"../../components/dashboard/application/domains/handle-domain.tsx",
+		);
+		const normalized = compact(source);
+
+		for (const expectedCopy of [
+			"This server uses Caddy",
+			"Caddy route fragments",
+			"Caddy can manage HTTPS",
+			"Let Caddy manage HTTPS automatically for this host.",
+			"Caddy-managed HTTPS (ACME)",
+			"Uploaded certificate",
+			"Uploaded Certificate",
+			"Select an uploaded certificate",
+			"Add an uploaded certificate for this server",
+		]) {
+			expect(source).toContain(expectedCopy);
+		}
+
+		expect(normalized).toContain('name="customCertResolver"');
+		expect(normalized).toContain("key={certificate.certificateId}");
+		expect(normalized).toContain("value={certificate.certificatePath}");
+	});
+
+	test("keeps Traefik-only domain controls hidden when Caddy is active", () => {
+		const source = readSource(
+			"../../components/dashboard/application/domains/handle-domain.tsx",
+		);
+
+		expect(source).toMatch(
+			/\{!isCaddyProvider && \(\s*<FormField[\s\S]*?name="useCustomEntrypoint"[\s\S]*?Custom Entrypoint/,
+		);
+		expect(source).toMatch(
+			/\{!isCaddyProvider && useCustomEntrypoint && \(\s*<FormField[\s\S]*?name="customEntrypoint"[\s\S]*?Entrypoint Name/,
+		);
+		expect(source).toMatch(
+			/\{!isCaddyProvider && certificateType === "custom" && \(\s*<FormField[\s\S]*?name="customCertResolver"[\s\S]*?Custom Certificate Resolver/,
+		);
+		expect(source).toMatch(
+			/\{!isCaddyProvider && \(\s*<FormField[\s\S]*?name="middlewares"[\s\S]*?Middlewares/,
+		);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/domain-validation.test.ts b/apps/dokploy/__test__/caddy/domain-validation.test.ts
index 10e61a1b49..1d314014c0 100644
--- a/apps/dokploy/__test__/caddy/domain-validation.test.ts
+++ b/apps/dokploy/__test__/caddy/domain-validation.test.ts
@@ -1,3 +1,7 @@
+import {
+	apiCreateDomain,
+	apiUpdateDomain,
+} from "@dokploy/server/db/schema/domain";
 import { domain, domainCompose } from "@dokploy/server/db/validations/domain";
 import { describe, expect, test } from "vitest";
 
@@ -40,4 +44,126 @@ describe("domain validation", () => {
 			);
 		}
 	});
+
+	const baseApplicationDomain = {
+		applicationId: "app-1",
+		domainType: "application" as const,
+		host: "app.example.com",
+		path: "/",
+		internalPath: "/",
+		stripPath: false,
+		port: 3000,
+		middlewares: [] as string[],
+	};
+
+	test("accepts application domain create payloads used by the Caddy modal", () => {
+		expect(
+			apiCreateDomain.parse({
+				...baseApplicationDomain,
+				https: true,
+				certificateType: "letsencrypt",
+			}),
+		).toMatchObject({
+			applicationId: "app-1",
+			domainType: "application",
+			https: true,
+			certificateType: "letsencrypt",
+		});
+
+		expect(
+			apiCreateDomain.parse({
+				...baseApplicationDomain,
+				https: true,
+				certificateType: "custom",
+				customCertResolver: "local-uploaded-cert-path",
+			}),
+		).toMatchObject({
+			customCertResolver: "local-uploaded-cert-path",
+			certificateType: "custom",
+		});
+
+		expect(
+			apiCreateDomain.parse({
+				...baseApplicationDomain,
+				https: false,
+				certificateType: "none",
+			}),
+		).toMatchObject({
+			https: false,
+			certificateType: "none",
+		});
+	});
+
+	test("accepts application domain update payloads used by the Caddy modal", () => {
+		const baseUpdate = {
+			...baseApplicationDomain,
+			domainId: "domain-1",
+		};
+
+		expect(
+			apiUpdateDomain.parse({
+				...baseUpdate,
+				https: true,
+				certificateType: "letsencrypt",
+			}),
+		).toMatchObject({
+			domainId: "domain-1",
+			domainType: "application",
+			https: true,
+			certificateType: "letsencrypt",
+		});
+
+		expect(
+			apiUpdateDomain.parse({
+				...baseUpdate,
+				https: true,
+				certificateType: "custom",
+				customCertResolver: "local-uploaded-cert-path",
+			}),
+		).toMatchObject({
+			domainId: "domain-1",
+			customCertResolver: "local-uploaded-cert-path",
+			certificateType: "custom",
+		});
+
+		expect(
+			apiUpdateDomain.parse({
+				...baseUpdate,
+				https: false,
+				certificateType: "none",
+			}),
+		).toMatchObject({
+			domainId: "domain-1",
+			https: false,
+			certificateType: "none",
+		});
+	});
+
+	test("rejects Caddy custom certificate payloads without an uploaded certificate reference", () => {
+		const createResult = apiCreateDomain.safeParse({
+			...baseApplicationDomain,
+			https: true,
+			certificateType: "custom",
+		});
+		const updateResult = apiUpdateDomain.safeParse({
+			...baseApplicationDomain,
+			domainId: "domain-1",
+			https: true,
+			certificateType: "custom",
+		});
+
+		for (const result of [createResult, updateResult]) {
+			expect(result.success).toBe(false);
+			if (!result.success) {
+				expect(result.error.issues).toEqual(
+					expect.arrayContaining([
+						expect.objectContaining({
+							path: ["customCertResolver"],
+							message: "Required when certificate type is custom",
+						}),
+					]),
+				);
+			}
+		}
+	});
 });
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 6bfce3c6bb..b436295ac9 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -39,11 +39,11 @@ Local state observed before this document was added:
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
 | Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
 | Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
-| Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
+| Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. Domain create/update API schemas now enforce the same HTTPS custom-certificate resolver requirement as the frontend and shared validation layer. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, and the Caddy trusted-proxy dialog under Traefik-active and Caddy-active states. | Needs domain modal UI QA | Browser-smoke the application domain modal under active Caddy after a local service/domain fixture is available; add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, and the Caddy trusted-proxy dialog under Traefik-active and Caddy-active states. Source contract tests now cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, and hiding Traefik-only controls under active Caddy. | Locally source-covered; browser modal smoke pending | Browser-smoke the application domain modal under active Caddy after a local service/domain fixture is available; add live runtime proof only after explicit approval. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -445,6 +445,13 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the RepoPrompt request-analytics review slice. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 26 files, 169 tests after the RepoPrompt request-analytics review slice. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain lifecycle, validation, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
 | 2026-06-02 | `git diff --check` and PR-surface hygiene scan | Passed | No whitespace errors. No forbidden prompt export, private docs, or agent-file paths were found in `upstream/canary...HEAD`; the local `prompt-exports/` directory from RepoPrompt was removed. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for application domain modal UI QA | Complete | Identified an upstream-safe source/API proof slice as the right next step because full React component testing would require new jsdom/testing-library churn. The plan kept browser modal smoke as a separate local-fixture proof item. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-modal-ui-contract.test.ts __test__/caddy/domain-validation.test.ts` | Passed | 2 files, 9 tests. Covers application domain tab/modal wiring, active Caddy provider resolution, uploaded certificate query/filter/copy, hidden Traefik-only modal fields under active Caddy, and create/update API payload validation for ACME, uploaded certificate, HTTP, and missing custom resolver cases. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/domain-modal-ui-contract.test.ts __test__/caddy/domain-validation.test.ts __test__/caddy/domain-router-lifecycle.test.ts __test__/caddy/application/domain.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/compose/domain.test.ts` | Passed | 6 files, 39 tests. Covers the new modal/source and API schema proof together with Caddy application/compose domain route lifecycle and service-level rollback coverage. |
+| 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | Formatter/import checks passed for the domain modal/API validation proof slice. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 27 files, 176 tests after the domain modal/API validation proof slice. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the domain modal/API validation proof slice. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `git diff --check` and PR-surface hygiene scan | Passed | No whitespace errors. No forbidden prompt export, private docs, or agent-file paths were found in `upstream/canary...HEAD`; the local `prompt-exports/` directory from RepoPrompt was removed. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/db/schema/domain.ts b/packages/server/src/db/schema/domain.ts
index 646dfdf9f2..75eb2051b8 100644
--- a/packages/server/src/db/schema/domain.ts
+++ b/packages/server/src/db/schema/domain.ts
@@ -11,7 +11,7 @@ import {
 import { createInsertSchema } from "drizzle-zod";
 import { nanoid } from "nanoid";
 import { z } from "zod";
-import { domain } from "../validations/domain";
+import { domain, validateDomainSettings } from "../validations/domain";
 import { applications } from "./application";
 import { compose } from "./compose";
 import { previewDeployments } from "./preview-deployments";
@@ -78,23 +78,25 @@ const createSchema = createInsertSchema(domains, {
 	domainType: z.enum(["compose", "application", "preview"]).optional(),
 });
 
-export const apiCreateDomain = createSchema.pick({
-	host: true,
-	path: true,
-	port: true,
-	customEntrypoint: true,
-	https: true,
-	applicationId: true,
-	certificateType: true,
-	customCertResolver: true,
-	composeId: true,
-	serviceName: true,
-	domainType: true,
-	previewDeploymentId: true,
-	internalPath: true,
-	stripPath: true,
-	middlewares: true,
-});
+export const apiCreateDomain = createSchema
+	.pick({
+		host: true,
+		path: true,
+		port: true,
+		customEntrypoint: true,
+		https: true,
+		applicationId: true,
+		certificateType: true,
+		customCertResolver: true,
+		composeId: true,
+		serviceName: true,
+		domainType: true,
+		previewDeploymentId: true,
+		internalPath: true,
+		stripPath: true,
+		middlewares: true,
+	})
+	.superRefine(validateDomainSettings);
 
 export const apiFindDomain = z.object({
 	domainId: z.string().min(1),
@@ -127,4 +129,5 @@ export const apiUpdateDomain = createSchema
 		stripPath: true,
 		middlewares: true,
 	})
-	.merge(createSchema.pick({ domainId: true }).required());
+	.merge(createSchema.pick({ domainId: true }).required())
+	.superRefine(validateDomainSettings);
diff --git a/packages/server/src/db/validations/domain.ts b/packages/server/src/db/validations/domain.ts
index dc2d61ec92..fce929d5b5 100644
--- a/packages/server/src/db/validations/domain.ts
+++ b/packages/server/src/db/validations/domain.ts
@@ -1,5 +1,62 @@
 import { z } from "zod";
 
+type DomainSettingsValidationInput = {
+	https?: boolean | null;
+	certificateType?: "letsencrypt" | "none" | "custom" | null;
+	customCertResolver?: string | null;
+	stripPath?: boolean | null;
+	path?: string | null;
+	internalPath?: string | null;
+};
+
+export const validateDomainSettings = (
+	input: DomainSettingsValidationInput,
+	ctx: z.RefinementCtx,
+) => {
+	if (input.https && !input.certificateType) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			path: ["certificateType"],
+			message: "Required",
+		});
+	}
+
+	if (
+		input.https &&
+		input.certificateType === "custom" &&
+		!input.customCertResolver
+	) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			path: ["customCertResolver"],
+			message: "Required when certificate type is custom",
+		});
+	}
+
+	// Validate stripPath requires a valid path
+	if (input.stripPath && (!input.path || input.path === "/")) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			path: ["stripPath"],
+			message:
+				"Strip path can only be enabled when a path other than '/' is specified",
+		});
+	}
+
+	// Validate internalPath starts with /
+	if (
+		input.internalPath &&
+		input.internalPath !== "/" &&
+		!input.internalPath.startsWith("/")
+	) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			path: ["internalPath"],
+			message: "Internal path must start with '/'",
+		});
+	}
+};
+
 export const domain = z
 	.object({
 		host: z
@@ -22,50 +79,7 @@ export const domain = z
 		customCertResolver: z.string().optional(),
 		middlewares: z.array(z.string()).optional(),
 	})
-	.superRefine((input, ctx) => {
-		if (input.https && !input.certificateType) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["certificateType"],
-				message: "Required",
-			});
-		}
-
-		if (
-			input.https &&
-			input.certificateType === "custom" &&
-			!input.customCertResolver
-		) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["customCertResolver"],
-				message: "Required when certificate type is custom",
-			});
-		}
-
-		// Validate stripPath requires a valid path
-		if (input.stripPath && (!input.path || input.path === "/")) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["stripPath"],
-				message:
-					"Strip path can only be enabled when a path other than '/' is specified",
-			});
-		}
-
-		// Validate internalPath starts with /
-		if (
-			input.internalPath &&
-			input.internalPath !== "/" &&
-			!input.internalPath.startsWith("/")
-		) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["internalPath"],
-				message: "Internal path must start with '/'",
-			});
-		}
-	});
+	.superRefine(validateDomainSettings);
 
 export const domainCompose = z
 	.object({
@@ -90,47 +104,4 @@ export const domainCompose = z
 		serviceName: z.string().min(1, { message: "Service name is required" }),
 		middlewares: z.array(z.string()).optional(),
 	})
-	.superRefine((input, ctx) => {
-		if (input.https && !input.certificateType) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["certificateType"],
-				message: "Required",
-			});
-		}
-
-		if (
-			input.https &&
-			input.certificateType === "custom" &&
-			!input.customCertResolver
-		) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["customCertResolver"],
-				message: "Required when certificate type is custom",
-			});
-		}
-
-		// Validate stripPath requires a valid path
-		if (input.stripPath && (!input.path || input.path === "/")) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["stripPath"],
-				message:
-					"Strip path can only be enabled when a path other than '/' is specified",
-			});
-		}
-
-		// Validate internalPath starts with /
-		if (
-			input.internalPath &&
-			input.internalPath !== "/" &&
-			!input.internalPath.startsWith("/")
-		) {
-			ctx.addIssue({
-				code: z.ZodIssueCode.custom,
-				path: ["internalPath"],
-				message: "Internal path must start with '/'",
-			});
-		}
-	});
+	.superRefine(validateDomainSettings);

From b92b6809e65ec786c4545e97386057ac677f0ed2 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 01:11:34 -0400
Subject: [PATCH 24/37] fix: prove caddy modal and request log review gaps

---
 .../__test__/caddy/request-log-utils.test.ts    |  2 +-
 apps/dokploy/__test__/caddy/setup.test.ts       | 17 ++++++++++++++---
 docs/caddy-provider-upstream-readiness.md       | 10 ++++++++--
 packages/server/src/utils/access-log/utils.ts   |  4 +---
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/request-log-utils.test.ts b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
index bde4ff47b1..fdb328e993 100644
--- a/apps/dokploy/__test__/caddy/request-log-utils.test.ts
+++ b/apps/dokploy/__test__/caddy/request-log-utils.test.ts
@@ -43,7 +43,7 @@ test("normalizes Caddy JSON access logs into the Requests table shape", () => {
 		Duration: 14_729_375,
 		RequestHost: "app.example.com",
 		RequestMethod: "GET",
-		RequestPath: "/dashboard",
+		RequestPath: "/dashboard?_rsc=1",
 		RequestPort: "443",
 		RequestProtocol: "HTTP/2.0",
 		RequestScheme: "https",
diff --git a/apps/dokploy/__test__/caddy/setup.test.ts b/apps/dokploy/__test__/caddy/setup.test.ts
index bb03392e69..586ea9b805 100644
--- a/apps/dokploy/__test__/caddy/setup.test.ts
+++ b/apps/dokploy/__test__/caddy/setup.test.ts
@@ -69,9 +69,11 @@ describe("Caddy runtime setup", () => {
 				}),
 			}),
 		);
-		expect(
-			(createContainer.mock.calls[0]?.[0] as any).HostConfig.Binds,
-		).not.toEqual(
+		const binds = (createContainer.mock.calls[0]?.[0] as any).HostConfig.Binds;
+		expect(binds).toEqual(
+			expect.arrayContaining([expect.stringMatching(/\/caddy:\/etc\/caddy$/)]),
+		);
+		expect(binds).not.toEqual(
 			expect.arrayContaining([
 				expect.stringMatching(
 					/\/caddy\/caddy\.json:\/etc\/caddy\/caddy\.json$/,
@@ -188,6 +190,15 @@ describe("Caddy runtime setup", () => {
 		});
 
 		const createOptions = createService.mock.calls[0]?.[0] as any;
+		expect(createOptions.TaskTemplate.ContainerSpec.Mounts).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					Type: "bind",
+					Source: expect.stringMatching(/\/caddy$/),
+					Target: "/etc/caddy",
+				}),
+			]),
+		);
 		expect(createOptions.EndpointSpec.Ports).not.toEqual(
 			expect.arrayContaining([
 				expect.objectContaining({ TargetPort: 2019, Protocol: "tcp" }),
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index b436295ac9..85f8c2a21a 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,8 +42,8 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. Domain create/update API schemas now enforce the same HTTPS custom-certificate resolver requirement as the frontend and shared validation layer. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, and the Caddy trusted-proxy dialog under Traefik-active and Caddy-active states. Source contract tests now cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, and hiding Traefik-only controls under active Caddy. | Locally source-covered; browser modal smoke pending | Browser-smoke the application domain modal under active Caddy after a local service/domain fixture is available; add live runtime proof only after explicit approval. |
+| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, and hiding Traefik-only controls under active Caddy. | Locally covered | Add live runtime proof only after explicit approval. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -452,6 +452,12 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 27 files, 176 tests after the domain modal/API validation proof slice. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the domain modal/API validation proof slice. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `git diff --check` and PR-surface hygiene scan | Passed | No whitespace errors. No forbidden prompt export, private docs, or agent-file paths were found in `upstream/canary...HEAD`; the local `prompt-exports/` directory from RepoPrompt was removed. |
+| 2026-06-02 | Local isolated browser modal smoke with temporary Postgres/Redis and Playwright on Chrome | Passed | Registered/logged in a local owner, seeded a local Caddy application and uploaded certificate fixture, opened the application Domains tab, verified Caddy modal copy, HTTPS provider options, uploaded certificate selection, hidden Traefik-only fields, and observed zero forbidden domain/deploy/settings mutation requests. No apply, rollback, reload, provider switch, PR update, or live mutation was performed. |
+| 2026-06-02 | RepoPrompt review mode with git compare `back:3` | Complete | Latest review findings incorporated or proven covered: Caddy access-log writer path is covered by the `/etc/caddy` directory mount with explicit standalone/service setup assertions; Caddy request-log normalization now preserves query strings for Traefik parity; date-range Caddy request-log reads remain bounded to the retained-line streaming window. |
+| 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy/request-log-utils.test.ts __test__/caddy/setup.test.ts __test__/caddy/request-logs-router.test.ts` | Passed | 3 files, 18 tests. Covers Caddy query-preserving request-log normalization, explicit Caddy setup directory mounts for access logs, and bounded/provider-aware request analytics router behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 27 files, 176 tests after the browser-modal proof and latest RepoPrompt `back:3` follow-up. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the browser-modal proof and request-log query/mount assertions. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, `git diff --check`, and PR-surface hygiene scan | Passed | Formatter/import checks, whitespace checks, and forbidden-path scan passed. No `prompt-exports/`, private docs, or agent-file paths were found in `upstream/canary...HEAD`; local RepoPrompt exports and scratch containers were removed. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/utils/access-log/utils.ts b/packages/server/src/utils/access-log/utils.ts
index 06ba990a44..b40e0222a1 100644
--- a/packages/server/src/utils/access-log/utils.ts
+++ b/packages/server/src/utils/access-log/utils.ts
@@ -39,9 +39,7 @@ const isCaddyLogEntry = (value: unknown): value is CaddyRawAccessLogEntry => {
 };
 
 const getRequestPath = (uri = "") => {
-	if (!uri) return "";
-	const queryIndex = uri.indexOf("?");
-	return queryIndex === -1 ? uri : uri.slice(0, queryIndex) || "/";
+	return uri;
 };
 
 const getHostPort = (host = "", tls?: unknown) => {

From dee7df563b087dc60822b1a41cf5825723e9807d Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 01:25:15 -0400
Subject: [PATCH 25/37] docs: record caddy read-only proof refresh

---
 docs/caddy-provider-upstream-readiness.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 85f8c2a21a..19e9a75ac8 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -458,6 +458,7 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 27 files, 176 tests after the browser-modal proof and latest RepoPrompt `back:3` follow-up. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the browser-modal proof and request-log query/mount assertions. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, `git diff --check`, and PR-surface hygiene scan | Passed | Formatter/import checks, whitespace checks, and forbidden-path scan passed. No `prompt-exports/`, private docs, or agent-file paths were found in `upstream/canary...HEAD`; local RepoPrompt exports and scratch containers were removed. |
+| 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass plus platform-infra read-only readiness wrapper | Passed | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Platform-infra read-only checks passed for the currently promoted Caddy candidate runtime: schema preflight, exact-image dry-run, runtime provider/Caddy posture, rollback CLI check-only, admin-port non-public posture, and route expectations. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. Platform-specific evidence is recorded outside this upstream PR surface. |
 
 ## Upstream Hygiene Checklist
 

From 6dc39dd9b7a1579c790acf3dfcce36dc62e4e26f Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 01:33:48 -0400
Subject: [PATCH 26/37] fix: neutralize web server account copy

---
 .../provider-neutral-ui-contract.test.ts      | 45 +++++++++++++++++++
 .../file-system/show-traefik-system.tsx       |  7 ++-
 .../servers/actions/show-traefik-actions.tsx  |  7 ++-
 apps/dokploy/components/layouts/user-nav.tsx  |  2 +-
 .../proprietary/roles/manage-custom-roles.tsx |  4 +-
 docs/caddy-provider-upstream-readiness.md     |  4 +-
 6 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts

diff --git a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
new file mode 100644
index 0000000000..1f6606dd5c
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
@@ -0,0 +1,45 @@
+import { readFileSync } from "node:fs";
+import { describe, expect, test } from "vitest";
+
+const readSource = (relativePath: string) =>
+	readFileSync(new URL(relativePath, import.meta.url), "utf8");
+
+describe("provider-neutral Caddy UI contract", () => {
+	test("labels the account menu file-browser link as web-server files", () => {
+		const source = readSource("../../components/layouts/user-nav.tsx");
+
+		expect(source).toContain("permissions?.traefikFiles.read");
+		expect(source).toContain('router.push("/dashboard/traefik")');
+		expect(source).toContain("Web Server Files");
+		expect(source).not.toMatch(/>\s*Traefik\s*</);
+	});
+
+	test("keeps custom-role file-browser permission copy provider-neutral", () => {
+		const source = readSource(
+			"../../components/proprietary/roles/manage-custom-roles.tsx",
+		);
+
+		expect(source).toContain("traefikFiles:");
+		expect(source).toContain('label: "Web Server Files"');
+		expect(source).toContain(
+			'description: "Access to the active web server file browser"',
+		);
+		expect(source).not.toContain("Traefik Files");
+		expect(source).not.toContain("Traefik file system configuration");
+	});
+
+	test("uses generic copy while active web-server provider is unresolved", () => {
+		const actions = readSource(
+			"../../components/dashboard/settings/servers/actions/show-traefik-actions.tsx",
+		);
+		const fileSystem = readSource(
+			"../../components/dashboard/file-system/show-traefik-system.tsx",
+		);
+
+		expect(actions).toContain(': "Web Server";');
+		expect(fileSystem).toContain('const isTraefik = provider === "traefik";');
+		expect(fileSystem).toContain(
+			"Provider-specific edit controls appear after Dokploy resolves the active provider.",
+		);
+	});
+});
diff --git a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
index f1cb01a0df..1630959989 100644
--- a/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
+++ b/apps/dokploy/components/dashboard/file-system/show-traefik-system.tsx
@@ -31,6 +31,7 @@ export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 				? "Traefik"
 				: "Web Server";
 	const isCaddy = provider === "caddy";
+	const isTraefik = provider === "traefik";
 
 	React.useEffect(() => {
 		setFile(null);
@@ -71,10 +72,12 @@ export const ShowTraefikSystem = ({ serverId, activeProvider }: Props) => {
 									: "Review files and directories for the active web server."}
 						</CardDescription>
 
-						<AlertBlock type={isCaddy ? "info" : "warning"}>
+						<AlertBlock type={isTraefik ? "warning" : "info"}>
 							{isCaddy
 								? "Caddy generated config is read-only here. Use Dokploy settings, domains, and migration controls to change generated Caddy config."
-								: "Adding invalid configuration to existing files can break your Traefik instance, preventing access to your applications."}
+								: isTraefik
+									? "Adding invalid configuration to existing files can break your Traefik instance, preventing access to your applications."
+									: "Review active web server files here. Provider-specific edit controls appear after Dokploy resolves the active provider."}
 						</AlertBlock>
 					</CardHeader>
 					<CardContent className="space-y-2 py-8 border-t">
diff --git a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
index d0ff8c0e2a..78b5f815a4 100644
--- a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
@@ -24,7 +24,12 @@ interface Props {
 export const ShowTraefikActions = ({ serverId }: Props) => {
 	const { data: activeProvider, isLoading: isLoadingProvider } =
 		api.settings.getActiveWebServerProvider.useQuery({ serverId });
-	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+	const providerLabel =
+		activeProvider === "caddy"
+			? "Caddy"
+			: activeProvider === "traefik"
+				? "Traefik"
+				: "Web Server";
 	const resourceName =
 		activeProvider === "caddy" ? "dokploy-caddy" : "dokploy-traefik";
 
diff --git a/apps/dokploy/components/layouts/user-nav.tsx b/apps/dokploy/components/layouts/user-nav.tsx
index 4df84bb14d..a9f3b76cb4 100644
--- a/apps/dokploy/components/layouts/user-nav.tsx
+++ b/apps/dokploy/components/layouts/user-nav.tsx
@@ -102,7 +102,7 @@ export const UserNav = () => {
 										router.push("/dashboard/traefik");
 									}}
 								>
-									Traefik
+									Web Server Files
 								</DropdownMenuItem>
 							)}
 							{permissions?.docker.read && (
diff --git a/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx b/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
index 51b31b84c7..438d1747e4 100644
--- a/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
+++ b/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
@@ -76,8 +76,8 @@ const RESOURCE_META: Record<string, { label: string; description: string }> = {
 		description: "Access to Git providers (GitHub, GitLab, Bitbucket, Gitea)",
 	},
 	traefikFiles: {
-		label: "Traefik Files",
-		description: "Access to the Traefik file system configuration",
+		label: "Web Server Files",
+		description: "Access to the active web server file browser",
 	},
 	api: {
 		label: "API / CLI",
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 19e9a75ac8..babcbebf24 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -43,7 +43,7 @@ Local state observed before this document was added:
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, and provider-neutral local web-server file nav/search labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, and hiding Traefik-only controls under active Caddy. | Locally covered | Add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, and hiding Traefik-only controls under active Caddy. | Locally covered | Add live runtime proof only after explicit approval. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -459,6 +459,8 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the browser-modal proof and request-log query/mount assertions. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, `git diff --check`, and PR-surface hygiene scan | Passed | Formatter/import checks, whitespace checks, and forbidden-path scan passed. No `prompt-exports/`, private docs, or agent-file paths were found in `upstream/canary...HEAD`; local RepoPrompt exports and scratch containers were removed. |
 | 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass plus platform-infra read-only readiness wrapper | Passed | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Platform-infra read-only checks passed for the currently promoted Caddy candidate runtime: schema preflight, exact-image dry-run, runtime provider/Caddy posture, rollback CLI check-only, admin-port non-public posture, and route expectations. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. Platform-specific evidence is recorded outside this upstream PR surface. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining provider-neutral UI paper cuts | Complete | Identified the account dropdown quick link and proprietary custom-role permission metadata as still showing visible Traefik-only file-browser copy while the sidebar, command palette, and user-permissions switch were already provider-neutral. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts`, stale provider-copy scan, Biome, and `git diff --check` | Passed | 1 file, 3 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys. The narrow stale-copy scan found no remaining `Traefik Files` or account-menu-style Traefik labels in the touched provider-neutral UI surfaces. |
 
 ## Upstream Hygiene Checklist
 

From a9bcee156117be29977cdc8f5e2042de28c311f9 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 01:41:28 -0400
Subject: [PATCH 27/37] fix: close provider-neutral review gaps

---
 .../provider-neutral-ui-contract.test.ts      |  9 ++++++
 .../servers/actions/show-traefik-actions.tsx  | 31 ++++++++++++-------
 .../proprietary/roles/manage-custom-roles.tsx |  4 +--
 docs/caddy-provider-upstream-readiness.md     |  6 ++--
 4 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
index 1f6606dd5c..8353eda231 100644
--- a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
+++ b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
@@ -24,8 +24,15 @@ describe("provider-neutral Caddy UI contract", () => {
 		expect(source).toContain(
 			'description: "Access to the active web server file browser"',
 		);
+		expect(source).toContain(
+			'description: "View active web server configuration files"',
+		);
+		expect(source).toContain(
+			'description: "Edit and save active web server configuration files"',
+		);
 		expect(source).not.toContain("Traefik Files");
 		expect(source).not.toContain("Traefik file system configuration");
+		expect(source).not.toContain("Traefik configuration files");
 	});
 
 	test("uses generic copy while active web-server provider is unresolved", () => {
@@ -37,6 +44,8 @@ describe("provider-neutral Caddy UI contract", () => {
 		);
 
 		expect(actions).toContain(': "Web Server";');
+		expect(actions).toContain(": null;");
+		expect(actions).toContain("{resourceName && (");
 		expect(fileSystem).toContain('const isTraefik = provider === "traefik";');
 		expect(fileSystem).toContain(
 			"Provider-specific edit controls appear after Dokploy resolves the active provider.",
diff --git a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
index 78b5f815a4..4bbc8e7e47 100644
--- a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
@@ -31,7 +31,11 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 				? "Traefik"
 				: "Web Server";
 	const resourceName =
-		activeProvider === "caddy" ? "dokploy-caddy" : "dokploy-traefik";
+		activeProvider === "caddy"
+			? "dokploy-caddy"
+			: activeProvider === "traefik"
+				? "dokploy-traefik"
+				: null;
 
 	const { mutateAsync: reloadWebServer, isPending: reloadTraefikIsLoading } =
 		api.settings.reloadWebServer.useMutation();
@@ -73,6 +77,7 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 			<DropdownMenuTrigger
 				asChild
 				disabled={
+					!activeProvider ||
 					isLoadingProvider ||
 					reloadTraefikIsLoading ||
 					toggleDashboardIsLoading ||
@@ -115,18 +120,20 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 					>
 						<span>Reload</span>
 					</DropdownMenuItem>
-					<ShowModalLogs
-						appName={resourceName}
-						serverId={serverId}
-						type="standalone"
-					>
-						<DropdownMenuItem
-							onSelect={(e) => e.preventDefault()}
-							className="cursor-pointer"
+					{resourceName && (
+						<ShowModalLogs
+							appName={resourceName}
+							serverId={serverId}
+							type="standalone"
 						>
-							View Logs
-						</DropdownMenuItem>
-					</ShowModalLogs>
+							<DropdownMenuItem
+								onSelect={(e) => e.preventDefault()}
+								className="cursor-pointer"
+							>
+								View Logs
+							</DropdownMenuItem>
+						</ShowModalLogs>
+					)}
 					<EditTraefikEnv serverId={serverId}>
 						<DropdownMenuItem
 							onSelect={(e) => e.preventDefault()}
diff --git a/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx b/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
index 438d1747e4..07020d6695 100644
--- a/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
+++ b/apps/dokploy/components/proprietary/roles/manage-custom-roles.tsx
@@ -242,11 +242,11 @@ const ACTION_META: Record<
 	traefikFiles: {
 		read: {
 			label: "Read",
-			description: "View Traefik configuration files",
+			description: "View active web server configuration files",
 		},
 		write: {
 			label: "Write",
-			description: "Edit and save Traefik configuration files",
+			description: "Edit and save active web server configuration files",
 		},
 	},
 	api: {
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index babcbebf24..646b5e38ed 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -455,12 +455,12 @@ Expected post-mutation checks:
 | 2026-06-02 | Local isolated browser modal smoke with temporary Postgres/Redis and Playwright on Chrome | Passed | Registered/logged in a local owner, seeded a local Caddy application and uploaded certificate fixture, opened the application Domains tab, verified Caddy modal copy, HTTPS provider options, uploaded certificate selection, hidden Traefik-only fields, and observed zero forbidden domain/deploy/settings mutation requests. No apply, rollback, reload, provider switch, PR update, or live mutation was performed. |
 | 2026-06-02 | RepoPrompt review mode with git compare `back:3` | Complete | Latest review findings incorporated or proven covered: Caddy access-log writer path is covered by the `/etc/caddy` directory mount with explicit standalone/service setup assertions; Caddy request-log normalization now preserves query strings for Traefik parity; date-range Caddy request-log reads remain bounded to the retained-line streaming window. |
 | 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy/request-log-utils.test.ts __test__/caddy/setup.test.ts __test__/caddy/request-logs-router.test.ts` | Passed | 3 files, 18 tests. Covers Caddy query-preserving request-log normalization, explicit Caddy setup directory mounts for access logs, and bounded/provider-aware request analytics router behavior. |
-| 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 27 files, 176 tests after the browser-modal proof and latest RepoPrompt `back:3` follow-up. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy test __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 179 tests after the browser-modal proof and latest RepoPrompt `back:3` follow-up. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, provider-neutral UI contracts, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the browser-modal proof and request-log query/mount assertions. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, `git diff --check`, and PR-surface hygiene scan | Passed | Formatter/import checks, whitespace checks, and forbidden-path scan passed. No `prompt-exports/`, private docs, or agent-file paths were found in `upstream/canary...HEAD`; local RepoPrompt exports and scratch containers were removed. |
-| 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass plus platform-infra read-only readiness wrapper | Passed | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Platform-infra read-only checks passed for the currently promoted Caddy candidate runtime: schema preflight, exact-image dry-run, runtime provider/Caddy posture, rollback CLI check-only, admin-port non-public posture, and route expectations. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. Platform-specific evidence is recorded outside this upstream PR surface. |
+| 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass | Complete | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Runtime evidence remains intentionally excluded from this upstream PR surface and tracked out of repo. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. |
 | 2026-06-02 | RepoPrompt Deep Plan pass for remaining provider-neutral UI paper cuts | Complete | Identified the account dropdown quick link and proprietary custom-role permission metadata as still showing visible Traefik-only file-browser copy while the sidebar, command palette, and user-permissions switch were already provider-neutral. |
-| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts`, stale provider-copy scan, Biome, and `git diff --check` | Passed | 1 file, 3 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys. The narrow stale-copy scan found no remaining `Traefik Files` or account-menu-style Traefik labels in the touched provider-neutral UI surfaces. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts`, stale provider-copy scan, Biome, and `git diff --check` | Passed | 1 file, 3 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys. The narrow stale-copy scan found no remaining old file-browser label or account-menu-style provider-specific labels in the touched provider-neutral UI surfaces. |
 
 ## Upstream Hygiene Checklist
 

From 3de974bb344e597a8293584a7ad2b42418c859bf Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 02:01:21 -0400
Subject: [PATCH 28/37] docs: record exact-head caddy image gate

---
 docs/caddy-provider-upstream-readiness.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 646b5e38ed..f26f573ea6 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -461,6 +461,8 @@ Expected post-mutation checks:
 | 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass | Complete | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Runtime evidence remains intentionally excluded from this upstream PR surface and tracked out of repo. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. |
 | 2026-06-02 | RepoPrompt Deep Plan pass for remaining provider-neutral UI paper cuts | Complete | Identified the account dropdown quick link and proprietary custom-role permission metadata as still showing visible Traefik-only file-browser copy while the sidebar, command palette, and user-permissions switch were already provider-neutral. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts`, stale provider-copy scan, Biome, and `git diff --check` | Passed | 1 file, 3 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys. The narrow stale-copy scan found no remaining old file-browser label or account-menu-style provider-specific labels in the touched provider-neutral UI surfaces. |
+| 2026-06-02 | Exact-HEAD local image build for `ad36a5d37` | Passed | Built `dokploy/dokploy:caddy-pr4534-ad36a5d37-20260602-local` for `linux/amd64`; image manifest list ID `sha256:342b5c049d46c78eb4a5609d336f59468f369e9e02bb51cb098deab5ce2b2f23`; container-safe rollback CLI help smoke passed. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. |
+| 2026-06-02 | Exact-HEAD production schema and image-update gates | Blocked as designed | Candidate schema preflight and image-update dry-run fail closed for the exact-HEAD image because the live runtime migration table is behind the candidate journal tail and the Caddy trusted-proxy/request-log columns are not present yet. Production proof for this HEAD requires an explicit database migration plan and approval before any live image update. Platform-specific evidence remains outside this upstream PR surface. |
 
 ## Upstream Hygiene Checklist
 

From 98f6a18797efcc81d4e67bed84b637c408d83aa1 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 02:28:36 -0400
Subject: [PATCH 29/37] fix: make app web server config provider-neutral

---
 .../provider-neutral-ui-contract.test.ts      | 24 ++++++++++++++++++-
 .../advanced/traefik/show-traefik-config.tsx  | 18 ++++++++++----
 docs/caddy-provider-upstream-readiness.md     | 10 ++++----
 3 files changed, 42 insertions(+), 10 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
index 8353eda231..d26e9f21b4 100644
--- a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
+++ b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
@@ -44,11 +44,33 @@ describe("provider-neutral Caddy UI contract", () => {
 		);
 
 		expect(actions).toContain(': "Web Server";');
-		expect(actions).toContain(": null;");
+		expect(actions).toMatch(
+			/const resourceName =[\s\S]*activeProvider === "caddy"[\s\S]*"dokploy-caddy"[\s\S]*activeProvider === "traefik"[\s\S]*"dokploy-traefik"[\s\S]*: null;/,
+		);
+		expect(actions).toContain("!activeProvider ||");
 		expect(actions).toContain("{resourceName && (");
+		expect(actions).toContain('activeProvider === "traefik" && (');
 		expect(fileSystem).toContain('const isTraefik = provider === "traefik";');
 		expect(fileSystem).toContain(
 			"Provider-specific edit controls appear after Dokploy resolves the active provider.",
 		);
 	});
+
+	test("keeps application advanced web-server config provider-neutral while provider is unresolved", () => {
+		const source = readSource(
+			"../../components/dashboard/application/advanced/traefik/show-traefik-config.tsx",
+		);
+
+		expect(source).toContain('const isCaddy = activeProvider === "caddy";');
+		expect(source).toContain('const isTraefik = activeProvider === "traefik";');
+		expect(source).toContain(': "Web Server";');
+		expect(source).toContain(
+			"Provider-specific edit controls appear after Dokploy resolves the active provider.",
+		);
+		expect(source).toContain("{isTraefik && (");
+		expect(source).not.toContain('activeProvider !== "caddy"');
+		expect(source).not.toContain(
+			'activeProvider === "caddy" ? "Caddy" : "Traefik"',
+		);
+	});
 });
diff --git a/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx b/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
index 035e13bb2a..2f0ab08d20 100644
--- a/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
+++ b/apps/dokploy/components/dashboard/application/advanced/traefik/show-traefik-config.tsx
@@ -27,7 +27,13 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 			{ serverId: application?.serverId || undefined },
 			{ enabled: canRead && !!application },
 		);
-	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
+	const isCaddy = activeProvider === "caddy";
+	const isTraefik = activeProvider === "traefik";
+	const providerLabel = isCaddy
+		? "Caddy"
+		: isTraefik
+			? "Traefik"
+			: "Web Server";
 	const { data, isPending } = api.application.readWebServerConfig.useQuery(
 		{
 			applicationId,
@@ -43,14 +49,16 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 				<div>
 					<CardTitle className="text-xl">{providerLabel}</CardTitle>
 					<CardDescription>
-						{activeProvider === "caddy"
+						{isCaddy
 							? "Review generated Caddy route fragments for this application. Caddy manages certificates for HTTPS domains; Traefik YAML and custom certificate resolvers do not apply."
-							: "Modify the Traefik config in rare cases. Be careful: invalid Traefik YAML can break the application route."}
+							: isTraefik
+								? "Modify the Traefik config in rare cases. Be careful: invalid Traefik YAML can break the application route."
+								: "Review the active web server configuration for this application. Provider-specific edit controls appear after Dokploy resolves the active provider."}
 					</CardDescription>
 				</div>
 			</CardHeader>
 			<CardContent className="flex flex-col gap-4">
-				{activeProvider === "caddy" && (
+				{isCaddy && (
 					<AlertBlock type="info">
 						For Caddy, domain changes generate JSON fragments and Caddy handles
 						ACME certificates automatically. Use Settings → Web Server for the
@@ -78,7 +86,7 @@ export const ShowTraefikConfig = ({ applicationId }: Props) => {
 								disabled
 								className="font-mono"
 							/>
-							{activeProvider !== "caddy" && (
+							{isTraefik && (
 								<div className="flex justify-end absolute z-50 right-6 top-6">
 									<UpdateTraefikConfig applicationId={applicationId} />
 								</div>
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index f26f573ea6..13f6b6e284 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -43,7 +43,7 @@ Local state observed before this document was added:
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, and hiding Traefik-only controls under active Caddy. | Locally covered | Add live runtime proof only after explicit approval. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. The application Advanced web-server config viewer now uses generic `Web Server` copy while provider resolution is pending and only exposes the legacy Traefik modify dialog after the active provider resolves to Traefik; Caddy previews remain read-only. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, unresolved-provider application config copy, and hiding Traefik-only controls under active Caddy or unresolved providers. | Locally covered | Add live runtime proof only after explicit approval. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
@@ -460,9 +460,11 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, `git diff --check`, and PR-surface hygiene scan | Passed | Formatter/import checks, whitespace checks, and forbidden-path scan passed. No `prompt-exports/`, private docs, or agent-file paths were found in `upstream/canary...HEAD`; local RepoPrompt exports and scratch containers were removed. |
 | 2026-06-02 | RepoPrompt Deep Plan no-mutation production proof pass | Complete | RepoPrompt recommended treating the latest local commit as locally proven unless runtime image provenance matches it. Runtime evidence remains intentionally excluded from this upstream PR surface and tracked out of repo. No provider switch, apply, rollback execution, service update/restart, config write, DNS change, PR update, or production mutation was performed. |
 | 2026-06-02 | RepoPrompt Deep Plan pass for remaining provider-neutral UI paper cuts | Complete | Identified the account dropdown quick link and proprietary custom-role permission metadata as still showing visible Traefik-only file-browser copy while the sidebar, command palette, and user-permissions switch were already provider-neutral. |
-| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts`, stale provider-copy scan, Biome, and `git diff --check` | Passed | 1 file, 3 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys. The narrow stale-copy scan found no remaining old file-browser label or account-menu-style provider-specific labels in the touched provider-neutral UI surfaces. |
-| 2026-06-02 | Exact-HEAD local image build for `ad36a5d37` | Passed | Built `dokploy/dokploy:caddy-pr4534-ad36a5d37-20260602-local` for `linux/amd64`; image manifest list ID `sha256:342b5c049d46c78eb4a5609d336f59468f369e9e02bb51cb098deab5ce2b2f23`; container-safe rollback CLI help smoke passed. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. |
-| 2026-06-02 | Exact-HEAD production schema and image-update gates | Blocked as designed | Candidate schema preflight and image-update dry-run fail closed for the exact-HEAD image because the live runtime migration table is behind the candidate journal tail and the Caddy trusted-proxy/request-log columns are not present yet. Production proof for this HEAD requires an explicit database migration plan and approval before any live image update. Platform-specific evidence remains outside this upstream PR surface. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts` | Passed | 1 file, 4 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys, plus unresolved-provider generic `Web Server` copy and positive Traefik-only edit gating for the application Advanced web-server config viewer. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 180 tests after the application Advanced config viewer hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, provider-neutral UI contracts, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` | Passed | App package typecheck passed after the application Advanced config viewer hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | Prior exact-image local build for `ad36a5d37` | Passed | Built `dokploy/dokploy:caddy-pr4534-ad36a5d37-20260602-local` for `linux/amd64`; image manifest list ID `sha256:342b5c049d46c78eb4a5609d336f59468f369e9e02bb51cb098deab5ce2b2f23`; container-safe rollback CLI help smoke passed. Later local UI hardening commits are not represented by this image, so current HEAD runtime provenance remains unproven. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. |
+| 2026-06-02 | Prior exact-image production schema and image-update gates | Blocked as designed | Candidate schema preflight and image-update dry-run for the `ad36a5d37` image fail closed because the live runtime migration table is behind the candidate journal tail and the Caddy trusted-proxy/request-log columns are not present yet. Production proof for the current local HEAD still requires a fresh exact image plus the explicit database migration plan and approval before any live image update. Platform-specific evidence remains outside this upstream PR surface. |
 
 ## Upstream Hygiene Checklist
 

From 01b45331811a79eabeeb3edc9d1e5c440d735218 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 03:05:00 -0400
Subject: [PATCH 30/37] docs: record exact-head caddy live validation

---
 docs/caddy-provider-upstream-readiness.md | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 13f6b6e284..5710b3301d 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -336,17 +336,20 @@ Forbidden without explicit approval:
 
 ## Live Mutation Approval Gate
 
-No live mutation has been approved for this document.
+A current-session live validation was approved and executed for the exact
+`3c3de125a` candidate image after the evidence packet and DB gate were updated.
+The operational evidence, route manifest, hostnames, backups, and deployment
+logs are intentionally tracked outside this upstream PR surface.
 
 Before any production mutation, fill this in:
 
 ```text
-Approved by:
-Approval time:
-Mutation scope:
-Rollback plan:
-Expected read-only checks before mutation:
-Expected post-mutation checks:
+Approved by: current-session operator approval
+Approval time: 2026-06-02
+Mutation scope: additive DB reconcile for candidate runtime migrations plus exact-image Dokploy service update
+Rollback plan: immediate service image rollback on post-deploy verification failure; DB restore only by separate approval
+Expected read-only checks before mutation: exact image proof, schema preflight, route manifest, rollback CLI, readiness dry-run
+Expected post-mutation checks: schema proof, provider/task checks, route expectations, quick/full healthchecks, final readiness
 ```
 
 ## Proof Log
@@ -465,6 +468,9 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` | Passed | App package typecheck passed after the application Advanced config viewer hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 | 2026-06-02 | Prior exact-image local build for `ad36a5d37` | Passed | Built `dokploy/dokploy:caddy-pr4534-ad36a5d37-20260602-local` for `linux/amd64`; image manifest list ID `sha256:342b5c049d46c78eb4a5609d336f59468f369e9e02bb51cb098deab5ce2b2f23`; container-safe rollback CLI help smoke passed. Later local UI hardening commits are not represented by this image, so current HEAD runtime provenance remains unproven. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. |
 | 2026-06-02 | Prior exact-image production schema and image-update gates | Blocked as designed | Candidate schema preflight and image-update dry-run for the `ad36a5d37` image fail closed because the live runtime migration table is behind the candidate journal tail and the Caddy trusted-proxy/request-log columns are not present yet. Production proof for the current local HEAD still requires a fresh exact image plus the explicit database migration plan and approval before any live image update. Platform-specific evidence remains outside this upstream PR surface. |
+| 2026-06-02 | Current exact-image local build for `3c3de125a` | Passed | Built `dokploy/dokploy:caddy-pr4534-3c3de125a-20260602-local` for `linux/amd64`; image manifest list ID `sha256:f2c5713b717e50e073081a1d6da2afdd56b0d505ec197cd9c8b053d4c1871430`; image inspect reported `amd64/linux` and size `1352203663`; container-safe rollback CLI help smoke passed. The exact image journal tails at `0172_normal_gauntlet` with 173 entries and includes the expected `0171`/`0172` SQL hashes. |
+| 2026-06-02 | Current exact-image read-only production readiness gate | Blocked as designed | The approved read-only readiness wrapper for the `3c3de125a` image failed closed on the expected pending DB migration blocker before any image update path. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. Platform-specific operational evidence remains outside this upstream PR surface. |
+| 2026-06-02 | Current exact-image live validation for `3c3de125a` | Passed | After current-session approval, the additive DB gate and exact-image runtime deployment were executed outside the upstream PR surface. Post-deploy schema proof, provider/task checks, route expectations, quick/full healthchecks, and final readiness passed. No PR update, Caddy migration apply, Caddy rollback execution, provider switch, or manual config write was performed. |
 
 ## Upstream Hygiene Checklist
 

From 4141b3d1c94fbf12364d2f851e4b25aac3f41327 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 03:52:16 -0400
Subject: [PATCH 31/37] fix: harden caddy dashboard route updates

---
 apps/dokploy/__test__/caddy/config.test.ts    | 118 ++++++++++++++++++
 .../trusted-proxy-settings-router.test.ts     |  47 +++++++
 apps/dokploy/server/api/routers/settings.ts   |  20 ++-
 docs/caddy-provider-upstream-readiness.md     |  11 +-
 .../src/services/web-server-settings.ts       |  10 ++
 packages/server/src/utils/caddy/web-server.ts |  38 +++---
 6 files changed, 227 insertions(+), 17 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index e2b3239bbf..d9185a2da8 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -23,6 +23,7 @@ import {
 	compileCaddyConfig,
 	compileWriteAndReloadCaddyConfigSafely,
 	compileWriteAndValidateCaddyConfigSafely,
+	createCaddyDashboardRouteFragment,
 	type Domain,
 	getCaddyMigrationArtifactPaths,
 	manageCaddyDomain,
@@ -30,9 +31,11 @@ import {
 	paths,
 	readCaddyRouteFragments,
 	removeCaddyDomain,
+	updateServerCaddy,
 	validateCaddyConfigFileWithImage,
 	writeCaddyRouteFragment,
 } from "@dokploy/server";
+import type { webServerSettings } from "@dokploy/server/db/schema";
 import { beforeEach, expect, test, vi } from "vitest";
 
 const route = (
@@ -51,6 +54,34 @@ const getServers = (config: ReturnType<typeof compileCaddyConfig>) => {
 	return apps.http.servers as Record<string, any>;
 };
 
+type WebServerSettings = typeof webServerSettings.$inferSelect;
+
+const settings = (overrides: Partial<WebServerSettings> = {}) =>
+	({
+		id: "settings-1",
+		webServerProvider: "caddy",
+		caddyTrustedProxyConfig: null,
+		requestLogsEnabled: false,
+		https: false,
+		certificateType: "none",
+		host: null,
+		serverIp: null,
+		letsEncryptEmail: null,
+		sshPrivateKey: null,
+		enableDockerCleanup: false,
+		logCleanupCron: null,
+		metricsConfig: {} as WebServerSettings["metricsConfig"],
+		whitelabelingConfig: null,
+		remoteServersOnly: false,
+		enforceSSO: false,
+		cleanupCacheApplications: false,
+		cleanupCacheOnCompose: false,
+		cleanupCacheOnPreviews: false,
+		createdAt: null,
+		updatedAt: new Date(),
+		...overrides,
+	}) as WebServerSettings;
+
 beforeEach(() => {
 	vol.reset();
 	execAsyncMock.mockReset();
@@ -112,6 +143,93 @@ test("compiles Caddy access-log output when request analytics are enabled", () =
 	});
 });
 
+test("dashboard Caddy updates preserve enabled request access logs", async () => {
+	await updateServerCaddy(
+		settings({
+			requestLogsEnabled: true,
+			https: true,
+			letsEncryptEmail: "ops@example.com",
+			caddyTrustedProxyConfig: {
+				mode: "static",
+				ranges: ["192.0.2.0/24"],
+				clientIpHeaders: ["X-Forwarded-For"],
+				strict: true,
+			},
+		}),
+		"dashboard.example.com",
+	);
+
+	const config = JSON.parse(
+		vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8") as string,
+	);
+	const servers = (config.apps as Record<string, any>).http.servers;
+
+	expect(servers.http.logs).toEqual({});
+	expect(servers.http.trusted_proxies).toEqual({
+		source: "static",
+		ranges: ["192.0.2.0/24"],
+	});
+	expect(servers.http.client_ip_headers).toEqual(["X-Forwarded-For"]);
+	expect(servers.https.trusted_proxies).toEqual(servers.http.trusted_proxies);
+	expect((config.apps as any).tls.automation.policies[0].issuers[0].email).toBe(
+		"ops@example.com",
+	);
+	expect((config as any).logging.logs["dokploy-requests"]).toEqual({
+		writer: {
+			output: "file",
+			filename: "/etc/caddy/access.log",
+		},
+		encoder: {
+			format: "json",
+		},
+		include: ["http.log.access"],
+	});
+});
+
+test("restores dashboard fragments when Caddy dashboard reload fails", async () => {
+	const existingFragment = createCaddyDashboardRouteFragment(
+		settings(),
+		"old-dashboard.example.com",
+	);
+	const concurrentFragment: CaddyRouteFragment = {
+		version: 1,
+		id: "application.concurrent",
+		source: "dokploy-application",
+		routes: [route({ id: "concurrent", hosts: ["concurrent.example.com"] })],
+	};
+	await writeCaddyRouteFragment(existingFragment);
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ fragments: [existingFragment] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	let concurrentFragmentWritten = false;
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			if (!concurrentFragmentWritten) {
+				concurrentFragmentWritten = true;
+				await writeCaddyRouteFragment(concurrentFragment);
+			}
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(
+		updateServerCaddy(settings(), "new-dashboard.example.com"),
+	).rejects.toThrow("validation failed");
+
+	expect(await readCaddyRouteFragments()).toEqual([
+		concurrentFragment,
+		existingFragment,
+	]);
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+});
+
 test("compiles Cloudflare trusted proxy settings with safe client IP headers", () => {
 	const config = compileCaddyConfig({
 		routes: [route({ https: true })],
diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
index fe2d6ced4f..3e523d2dab 100644
--- a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -102,11 +102,14 @@ import {
 	getCaddyCompileSettings,
 	getCaddyTrustedProxySettings,
 	getWebServerResourceName,
+	getWebServerSettings,
 	isCaddyAdminAdditionalPort,
 	readEnvironmentVariables,
 	readPorts,
 	resolveWebServerProvider,
 	updateCaddyTrustedProxySettings,
+	updateServerCaddy,
+	updateWebServerSettings,
 	writeWebServerSetup,
 } from "@dokploy/server";
 import { settingsRouter } from "@/server/api/routers/settings";
@@ -382,6 +385,50 @@ test("keeps Traefik dashboard state based on the Traefik dashboard port", async
 	expect(result).toEqual({ provider: "traefik", enabled: true });
 });
 
+test("restores dashboard settings when active Caddy domain rewrite fails", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+	const previousSettings = {
+		host: "old-dashboard.example.com",
+		letsEncryptEmail: "old-ops@example.com",
+		certificateType: "letsencrypt",
+		https: true,
+	};
+	const updatedSettings = {
+		...previousSettings,
+		host: "new-dashboard.example.com",
+		letsEncryptEmail: "new-ops@example.com",
+	};
+	vi.mocked(getWebServerSettings).mockResolvedValue(previousSettings as never);
+	vi.mocked(updateWebServerSettings)
+		.mockResolvedValueOnce(updatedSettings as never)
+		.mockResolvedValueOnce(previousSettings as never);
+	vi.mocked(updateServerCaddy).mockRejectedValueOnce(
+		new Error("caddy reload failed") as never,
+	);
+
+	await expect(
+		caller.assignDomainServer({
+			host: "new-dashboard.example.com",
+			letsEncryptEmail: "new-ops@example.com",
+			certificateType: "letsencrypt",
+			https: true,
+		}),
+	).rejects.toThrow("caddy reload failed");
+
+	expect(updateWebServerSettings).toHaveBeenNthCalledWith(1, {
+		host: "new-dashboard.example.com",
+		letsEncryptEmail: "new-ops@example.com",
+		certificateType: "letsencrypt",
+		https: true,
+	});
+	expect(updateWebServerSettings).toHaveBeenNthCalledWith(2, previousSettings);
+	expect(updateServerCaddy).toHaveBeenCalledWith(
+		updatedSettings,
+		"new-dashboard.example.com",
+	);
+	expect(audit).not.toHaveBeenCalled();
+});
+
 test("reads remote Traefik dashboard state from the remote web server", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
 	vi.mocked(readPorts).mockResolvedValue([
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index ce4c8f1353..0e1e572b79 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -891,6 +891,14 @@ export const settingsRouter = createTRPCRouter({
 			if (IS_CLOUD) {
 				return true;
 			}
+			const previousSettings = await getWebServerSettings();
+			if (!previousSettings) {
+				throw new TRPCError({
+					code: "NOT_FOUND",
+					message: "Web server settings not found",
+				});
+			}
+
 			const settings = await updateWebServerSettings({
 				host: input.host,
 				letsEncryptEmail: input.letsEncryptEmail,
@@ -907,7 +915,17 @@ export const settingsRouter = createTRPCRouter({
 
 			const provider = await resolveWebServerProvider();
 			if (provider === "caddy") {
-				await updateServerCaddy(settings, input.host);
+				try {
+					await updateServerCaddy(settings, input.host);
+				} catch (error) {
+					await updateWebServerSettings({
+						host: previousSettings.host,
+						letsEncryptEmail: previousSettings.letsEncryptEmail,
+						certificateType: previousSettings.certificateType,
+						https: previousSettings.https,
+					});
+					throw error;
+				}
 			} else {
 				updateServerTraefik(settings, input.host);
 				if (input.letsEncryptEmail) {
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 5710b3301d..f1a62a9344 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -42,9 +42,9 @@ Local state observed before this document was added:
 | Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. Domain create/update API schemas now enforce the same HTTPS custom-certificate resolver requirement as the frontend and shared validation layer. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
 | LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
+| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites and Dokploy dashboard route rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. The application Advanced web-server config viewer now uses generic `Web Server` copy while provider resolution is pending and only exposes the legacy Traefik modify dialog after the active provider resolves to Traefik; Caddy previews remain read-only. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, unresolved-provider application config copy, and hiding Traefik-only controls under active Caddy or unresolved providers. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. Dokploy dashboard route rewrites now preserve local Caddy compile settings and restore previous route fragments if the Caddy reload fails. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
@@ -101,6 +101,7 @@ Request analytics evidence:
 
 - `packages/server/src/db/schema/web-server-settings.ts` persists local Caddy request-log enablement.
 - `packages/server/src/utils/caddy/config.ts` compiles Caddy access logging to a JSON file writer.
+- `packages/server/src/utils/caddy/web-server.ts` preserves local Caddy compile settings when rewriting the Dokploy dashboard route.
 - `packages/server/src/utils/access-log/utils.ts` normalizes Caddy and Traefik JSON access logs into the Requests table shape.
 - `packages/server/src/utils/access-log/handler.ts` cleans the active web-server access log and only signals Traefik when Traefik is active.
 - `packages/server/src/setup/caddy-setup.ts` and `packages/server/src/services/settings.ts` preserve Caddy access-log compile settings during env/port setup rewrites.
@@ -471,6 +472,12 @@ Expected post-mutation checks: schema proof, provider/task checks, route expecta
 | 2026-06-02 | Current exact-image local build for `3c3de125a` | Passed | Built `dokploy/dokploy:caddy-pr4534-3c3de125a-20260602-local` for `linux/amd64`; image manifest list ID `sha256:f2c5713b717e50e073081a1d6da2afdd56b0d505ec197cd9c8b053d4c1871430`; image inspect reported `amd64/linux` and size `1352203663`; container-safe rollback CLI help smoke passed. The exact image journal tails at `0172_normal_gauntlet` with 173 entries and includes the expected `0171`/`0172` SQL hashes. |
 | 2026-06-02 | Current exact-image read-only production readiness gate | Blocked as designed | The approved read-only readiness wrapper for the `3c3de125a` image failed closed on the expected pending DB migration blocker before any image update path. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. Platform-specific operational evidence remains outside this upstream PR surface. |
 | 2026-06-02 | Current exact-image live validation for `3c3de125a` | Passed | After current-session approval, the additive DB gate and exact-image runtime deployment were executed outside the upstream PR surface. Post-deploy schema proof, provider/task checks, route expectations, quick/full healthchecks, and final readiness passed. No PR update, Caddy migration apply, Caddy rollback execution, provider switch, or manual config write was performed. |
+| 2026-06-02 | Prior exact-image live validation for `40825c9c1` | Passed | After current-session approval, a docs-only branch-head image was deployed outside the upstream PR surface and passed schema proof, provider/task checks, route expectations, quick/full healthchecks, and final readiness. The production-code fix below makes that runtime provenance historical; current HEAD requires a fresh exact image before any new production-runtime claim. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining Caddy PR audit | Complete | Identified one production-code correctness gap: Dokploy dashboard route rewrites under Caddy could omit local request-log compile settings and leave stale dashboard route fragments if Caddy reload failed. |
+| 2026-06-02 | RepoPrompt review with current diff and `back:3` context | Complete | Review findings incorporated locally: dashboard rollback is scoped to the dashboard fragment instead of replacing unrelated fragments, active-Caddy dashboard-domain settings are restored if the Caddy rewrite fails, dashboard rewrites preserve ACME/trusted-proxy/request-log compile settings, and failure tests assert active config alignment. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/request-logs-router.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 3 files, 43 tests. Covers dashboard Caddy updates preserving request access logs, ACME email, and trusted proxy settings; dashboard-fragment restoration on failed reload without clobbering unrelated fragments; request analytics router behavior; and trusted-proxy/dashboard settings rollback behavior. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 183 tests after dashboard route rewrite hardening and review fixes. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, and remote web-server file-system inspection. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after dashboard route rewrite hardening and review fixes. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/services/web-server-settings.ts b/packages/server/src/services/web-server-settings.ts
index f60eef37d5..4cd7252c2a 100644
--- a/packages/server/src/services/web-server-settings.ts
+++ b/packages/server/src/services/web-server-settings.ts
@@ -205,6 +205,16 @@ export const getCaddyCompileSettings = async (
 	}
 
 	const settings = await getWebServerSettings();
+	return localWebServerSettingsToCaddyCompileSettings(settings);
+};
+
+export const localWebServerSettingsToCaddyCompileSettings = (
+	settings: typeof webServerSettings.$inferSelect | null | undefined,
+): {
+	letsEncryptEmail?: string | null;
+	trustedProxies?: CaddyTrustedProxyConfig | null;
+	accessLogs?: CaddyAccessLogConfig | null;
+} => {
 	return {
 		letsEncryptEmail: settings?.letsEncryptEmail,
 		trustedProxies: caddyTrustedProxySettingsToConfig(
diff --git a/packages/server/src/utils/caddy/web-server.ts b/packages/server/src/utils/caddy/web-server.ts
index bdf12dc1b8..01ac09b063 100644
--- a/packages/server/src/utils/caddy/web-server.ts
+++ b/packages/server/src/utils/caddy/web-server.ts
@@ -1,7 +1,8 @@
 import type { webServerSettings } from "@dokploy/server/db/schema/web-server-settings";
-import { caddyTrustedProxySettingsToConfig } from "@dokploy/server/services/web-server-settings";
+import { localWebServerSettingsToCaddyCompileSettings } from "@dokploy/server/services/web-server-settings";
 import {
 	compileWriteAndReloadCaddyConfigSafely,
+	readCaddyRouteFragments,
 	removeCaddyRouteFragment,
 	writeCaddyRouteFragment,
 } from "./config";
@@ -47,18 +48,27 @@ export const updateServerCaddy = async (
 	settings: typeof webServerSettings.$inferSelect,
 	newHost: string | null,
 ) => {
-	if (newHost) {
-		await writeCaddyRouteFragment(
-			createCaddyDashboardRouteFragment(settings, newHost),
-		);
-	} else {
-		await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
-	}
+	const compileSettings =
+		localWebServerSettingsToCaddyCompileSettings(settings);
+	const previousDashboardFragment = (await readCaddyRouteFragments()).find(
+		(fragment) => fragment.id === DASHBOARD_FRAGMENT_ID,
+	);
+	try {
+		if (newHost) {
+			await writeCaddyRouteFragment(
+				createCaddyDashboardRouteFragment(settings, newHost),
+			);
+		} else {
+			await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
+		}
 
-	await compileWriteAndReloadCaddyConfigSafely({
-		letsEncryptEmail: settings.letsEncryptEmail,
-		trustedProxies: caddyTrustedProxySettingsToConfig(
-			settings.caddyTrustedProxyConfig,
-		),
-	});
+		await compileWriteAndReloadCaddyConfigSafely(compileSettings);
+	} catch (error) {
+		if (previousDashboardFragment) {
+			await writeCaddyRouteFragment(previousDashboardFragment);
+		} else {
+			await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
+		}
+		throw error;
+	}
 };

From 1fffd19d04650326deab2f97896448f25ca1eadb Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 04:20:22 -0400
Subject: [PATCH 32/37] fix: guard caddy dashboard toggles

---
 .../trusted-proxy-settings-router.test.ts     | 46 +++++++++++++++++++
 apps/dokploy/server/api/routers/settings.ts   | 10 ++++
 docs/caddy-provider-upstream-readiness.md     | 10 +++-
 3 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
index 3e523d2dab..12aed5ac98 100644
--- a/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
+++ b/apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts
@@ -104,12 +104,14 @@ import {
 	getWebServerResourceName,
 	getWebServerSettings,
 	isCaddyAdminAdditionalPort,
+	prepareEnvironmentVariables,
 	readEnvironmentVariables,
 	readPorts,
 	resolveWebServerProvider,
 	updateCaddyTrustedProxySettings,
 	updateServerCaddy,
 	updateWebServerSettings,
+	writeTraefikSetup,
 	writeWebServerSetup,
 } from "@dokploy/server";
 import { settingsRouter } from "@/server/api/routers/settings";
@@ -194,6 +196,7 @@ beforeEach(() => {
 		undefined as never,
 	);
 	vi.mocked(readEnvironmentVariables).mockResolvedValue("");
+	vi.mocked(prepareEnvironmentVariables).mockReturnValue([]);
 	vi.mocked(getWebServerResourceName).mockImplementation((provider) =>
 		provider === "caddy" ? "dokploy-caddy" : "dokploy-traefik",
 	);
@@ -206,6 +209,7 @@ beforeEach(() => {
 		(port) => port.targetPort === 2019 && (port.protocol ?? "tcp") === "tcp",
 	);
 	vi.mocked(writeWebServerSetup).mockResolvedValue(undefined as never);
+	vi.mocked(writeTraefikSetup).mockResolvedValue(undefined as never);
 });
 
 test("persists Caddy trusted proxy settings without rebuilding when Traefik is active", async () => {
@@ -385,6 +389,48 @@ test("keeps Traefik dashboard state based on the Traefik dashboard port", async
 	expect(result).toEqual({ provider: "traefik", enabled: true });
 });
 
+test("rejects direct dashboard toggles when Caddy is active", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
+
+	await expect(
+		caller.toggleDashboard({ enableDashboard: true }),
+	).rejects.toThrow("Caddy admin API is kept local-only");
+
+	expect(readPorts).not.toHaveBeenCalled();
+	expect(readEnvironmentVariables).not.toHaveBeenCalled();
+	expect(prepareEnvironmentVariables).not.toHaveBeenCalled();
+	expect(checkPortInUse).not.toHaveBeenCalled();
+	expect(writeTraefikSetup).not.toHaveBeenCalled();
+	expect(audit).not.toHaveBeenCalled();
+});
+
+test("keeps dashboard toggles available when Traefik is active", async () => {
+	vi.mocked(resolveWebServerProvider).mockResolvedValue("traefik");
+	vi.mocked(readPorts).mockResolvedValue([]);
+	vi.mocked(readEnvironmentVariables).mockResolvedValue("TRAEFIK_ENV=1");
+	vi.mocked(prepareEnvironmentVariables).mockReturnValue(["TRAEFIK_ENV=1"]);
+
+	await caller.toggleDashboard({ enableDashboard: true });
+
+	expect(readPorts).toHaveBeenCalledWith("dokploy-traefik", undefined);
+	expect(readEnvironmentVariables).toHaveBeenCalledWith(
+		"dokploy-traefik",
+		undefined,
+	);
+	expect(checkPortInUse).toHaveBeenCalledWith(8080, undefined);
+	expect(writeTraefikSetup).toHaveBeenCalledWith({
+		env: ["TRAEFIK_ENV=1"],
+		additionalPorts: [
+			{ targetPort: 8080, publishedPort: 8080, protocol: "tcp" },
+		],
+		serverId: undefined,
+	});
+	expect(audit).toHaveBeenCalledWith(
+		expect.anything(),
+		expect.objectContaining({ resourceName: "toggle-dashboard" }),
+	);
+});
+
 test("restores dashboard settings when active Caddy domain rewrite fails", async () => {
 	vi.mocked(resolveWebServerProvider).mockResolvedValue("caddy");
 	const previousSettings = {
diff --git a/apps/dokploy/server/api/routers/settings.ts b/apps/dokploy/server/api/routers/settings.ts
index 0e1e572b79..3a79b3065b 100644
--- a/apps/dokploy/server/api/routers/settings.ts
+++ b/apps/dokploy/server/api/routers/settings.ts
@@ -738,6 +738,16 @@ export const settingsRouter = createTRPCRouter({
 	toggleDashboard: adminProcedure
 		.input(apiEnableDashboard)
 		.mutation(async ({ input, ctx }) => {
+			await ensureServerAccess(ctx, input.serverId);
+			const provider = await resolveWebServerProvider(input.serverId);
+			if (provider !== "traefik") {
+				throw new TRPCError({
+					code: "BAD_REQUEST",
+					message:
+						"The dashboard toggle is only available for Traefik. The Caddy admin API is kept local-only and is not exposed through Dokploy.",
+				});
+			}
+
 			const ports = await readPorts("dokploy-traefik", input.serverId);
 			const env = await readEnvironmentVariables(
 				"dokploy-traefik",
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index f1a62a9344..dba2f157b1 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -44,7 +44,7 @@ Local state observed before this document was added:
 | Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
 | Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites and Dokploy dashboard route rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
 | Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. The application Advanced web-server config viewer now uses generic `Web Server` copy while provider resolution is pending and only exposes the legacy Traefik modify dialog after the active provider resolves to Traefik; Caddy previews remain read-only. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, unresolved-provider application config copy, and hiding Traefik-only controls under active Caddy or unresolved providers. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. Dokploy dashboard route rewrites now preserve local Caddy compile settings and restore previous route fragments if the Caddy reload fails. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
+| Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, direct dashboard toggle API calls reject while Caddy is active before reading or rewriting legacy Traefik resources, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. Dokploy dashboard route rewrites now preserve local Caddy compile settings and restore previous route fragments if the Caddy reload fails. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
 | Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
 | Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
@@ -268,9 +268,11 @@ Dashboard decision:
 
 - Do not expose a public Caddy dashboard or admin API in this PR.
 - Keep Caddy admin local-only.
+- Reject direct dashboard toggle API calls while Caddy is active so hidden UI
+  controls cannot mutate legacy Traefik resources.
 - If a dashboard is desired later, it should be an authenticated Dokploy proxy and likely a follow-up PR.
 - `apps/dokploy/__test__/caddy/dashboard-route.test.ts` covers the local-only Caddy admin bind.
-- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers the Caddy dashboard disabled API state and Traefik dashboard-port contrast.
+- `apps/dokploy/__test__/caddy/trusted-proxy-settings-router.test.ts` covers the Caddy dashboard disabled API state, direct dashboard toggle rejection under active Caddy, and Traefik dashboard-port contrast.
 
 ### 8. Keep migration hardening intact
 
@@ -478,6 +480,10 @@ Expected post-mutation checks: schema proof, provider/task checks, route expecta
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/request-logs-router.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 3 files, 43 tests. Covers dashboard Caddy updates preserving request access logs, ACME email, and trusted proxy settings; dashboard-fragment restoration on failed reload without clobbering unrelated fragments; request analytics router behavior; and trusted-proxy/dashboard settings rollback behavior. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 183 tests after dashboard route rewrite hardening and review fixes. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after dashboard route rewrite hardening and review fixes. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for direct dashboard toggle guard | Complete | Identified that Caddy hides dashboard controls in the UI and reports dashboard disabled, but direct `toggleDashboard` API calls still needed a provider guard before touching legacy Traefik resources. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 1 file, 13 tests. Covers direct dashboard toggle rejection under active Caddy with no Traefik read/write side effects, plus the active-Traefik dashboard toggle success path. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 185 tests after the direct dashboard toggle guard. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, and direct dashboard toggle rejection under active Caddy. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the direct dashboard toggle guard. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 

From 14dcc22b11102e53ddfd5f9b1b90a4caebb2b548 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 04:44:24 -0400
Subject: [PATCH 33/37] fix: harden caddy dashboard rollback

---
 apps/dokploy/__test__/caddy/config.test.ts    | 67 +++++++++++++++++++
 docs/caddy-provider-upstream-readiness.md     | 34 +++++-----
 packages/server/src/utils/caddy/web-server.ts | 29 ++++++--
 3 files changed, 107 insertions(+), 23 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index d9185a2da8..b6c3fbd93e 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -230,6 +230,73 @@ test("restores dashboard fragments when Caddy dashboard reload fails", async ()
 	);
 });
 
+test("does not overwrite a concurrent dashboard fragment update when dashboard reload fails", async () => {
+	const existingFragment = createCaddyDashboardRouteFragment(
+		settings(),
+		"old-dashboard.example.com",
+	);
+	const concurrentDashboardFragment = createCaddyDashboardRouteFragment(
+		settings(),
+		"concurrent-dashboard.example.com",
+	);
+	await writeCaddyRouteFragment(existingFragment);
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ fragments: [existingFragment] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			await writeCaddyRouteFragment(concurrentDashboardFragment);
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(
+		updateServerCaddy(settings(), "new-dashboard.example.com"),
+	).rejects.toThrow("validation failed");
+
+	expect(await readCaddyRouteFragments()).toEqual([
+		concurrentDashboardFragment,
+	]);
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+});
+
+test("restores removed dashboard fragments when Caddy dashboard removal reload fails", async () => {
+	const existingFragment = createCaddyDashboardRouteFragment(
+		settings(),
+		"old-dashboard.example.com",
+	);
+	await writeCaddyRouteFragment(existingFragment);
+	const previousConfig = `${JSON.stringify(
+		compileCaddyConfig({ fragments: [existingFragment] }),
+		null,
+		2,
+	)}\n`;
+	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
+	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	execAsyncMock.mockImplementation(async (command: string) => {
+		if (command.includes("caddy validate")) {
+			throw new Error("validation failed");
+		}
+		return { stdout: "dokploy-caddy\n", stderr: "" };
+	});
+
+	await expect(updateServerCaddy(settings(), null)).rejects.toThrow(
+		"validation failed",
+	);
+
+	expect(await readCaddyRouteFragments()).toEqual([existingFragment]);
+	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
+		previousConfig,
+	);
+});
+
 test("compiles Cloudflare trusted proxy settings with safe client IP headers", () => {
 	const config = compileCaddyConfig({
 		routes: [route({ https: true })],
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index dba2f157b1..cae8a328e6 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -339,20 +339,21 @@ Forbidden without explicit approval:
 
 ## Live Mutation Approval Gate
 
-A current-session live validation was approved and executed for the exact
-`3c3de125a` candidate image after the evidence packet and DB gate were updated.
-The operational evidence, route manifest, hostnames, backups, and deployment
-logs are intentionally tracked outside this upstream PR surface.
+Production runtime evidence is intentionally tracked outside this upstream PR
+surface. For PR-facing notes, summarize only the generic gate classes that were
+covered: exact-image provenance, schema proof, rollback readiness, provider/task
+state, route expectations, health checks, and final readiness.
 
-Before any production mutation, fill this in:
+Before any production mutation, capture a platform-specific packet outside this
+repository with:
 
 ```text
-Approved by: current-session operator approval
-Approval time: 2026-06-02
-Mutation scope: additive DB reconcile for candidate runtime migrations plus exact-image Dokploy service update
-Rollback plan: immediate service image rollback on post-deploy verification failure; DB restore only by separate approval
-Expected read-only checks before mutation: exact image proof, schema preflight, route manifest, rollback CLI, readiness dry-run
-Expected post-mutation checks: schema proof, provider/task checks, route expectations, quick/full healthchecks, final readiness
+Approved by:
+Approval time:
+Mutation scope:
+Rollback plan:
+Expected read-only checks before mutation:
+Expected post-mutation checks:
 ```
 
 ## Proof Log
@@ -469,12 +470,7 @@ Expected post-mutation checks: schema proof, provider/task checks, route expecta
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts` | Passed | 1 file, 4 tests. Covers provider-neutral account menu and custom-role file-browser labels while preserving legacy `/dashboard/traefik` and `traefikFiles` compatibility keys, plus unresolved-provider generic `Web Server` copy and positive Traefik-only edit gating for the application Advanced web-server config viewer. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 180 tests after the application Advanced config viewer hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, provider-aware application config cache invalidation, provider-neutral UI contracts, and remote web-server file-system inspection. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` | Passed | App package typecheck passed after the application Advanced config viewer hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
-| 2026-06-02 | Prior exact-image local build for `ad36a5d37` | Passed | Built `dokploy/dokploy:caddy-pr4534-ad36a5d37-20260602-local` for `linux/amd64`; image manifest list ID `sha256:342b5c049d46c78eb4a5609d336f59468f369e9e02bb51cb098deab5ce2b2f23`; container-safe rollback CLI help smoke passed. Later local UI hardening commits are not represented by this image, so current HEAD runtime provenance remains unproven. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. |
-| 2026-06-02 | Prior exact-image production schema and image-update gates | Blocked as designed | Candidate schema preflight and image-update dry-run for the `ad36a5d37` image fail closed because the live runtime migration table is behind the candidate journal tail and the Caddy trusted-proxy/request-log columns are not present yet. Production proof for the current local HEAD still requires a fresh exact image plus the explicit database migration plan and approval before any live image update. Platform-specific evidence remains outside this upstream PR surface. |
-| 2026-06-02 | Current exact-image local build for `3c3de125a` | Passed | Built `dokploy/dokploy:caddy-pr4534-3c3de125a-20260602-local` for `linux/amd64`; image manifest list ID `sha256:f2c5713b717e50e073081a1d6da2afdd56b0d505ec197cd9c8b053d4c1871430`; image inspect reported `amd64/linux` and size `1352203663`; container-safe rollback CLI help smoke passed. The exact image journal tails at `0172_normal_gauntlet` with 173 entries and includes the expected `0171`/`0172` SQL hashes. |
-| 2026-06-02 | Current exact-image read-only production readiness gate | Blocked as designed | The approved read-only readiness wrapper for the `3c3de125a` image failed closed on the expected pending DB migration blocker before any image update path. No PR update, service update, provider switch, config write, reload, apply, rollback, or production mutation was performed. Platform-specific operational evidence remains outside this upstream PR surface. |
-| 2026-06-02 | Current exact-image live validation for `3c3de125a` | Passed | After current-session approval, the additive DB gate and exact-image runtime deployment were executed outside the upstream PR surface. Post-deploy schema proof, provider/task checks, route expectations, quick/full healthchecks, and final readiness passed. No PR update, Caddy migration apply, Caddy rollback execution, provider switch, or manual config write was performed. |
-| 2026-06-02 | Prior exact-image live validation for `40825c9c1` | Passed | After current-session approval, a docs-only branch-head image was deployed outside the upstream PR surface and passed schema proof, provider/task checks, route expectations, quick/full healthchecks, and final readiness. The production-code fix below makes that runtime provenance historical; current HEAD requires a fresh exact image before any new production-runtime claim. |
+| 2026-06-02 | External exact-image runtime validation packets | Passed | Earlier approved candidate deployments were recorded outside this upstream PR surface. They covered exact-image provenance, schema proof, provider/task checks, route expectations, health checks, and final readiness. Later local code commits make that runtime provenance historical; current HEAD requires fresh exact-image proof before any production-runtime claim. |
 | 2026-06-02 | RepoPrompt Deep Plan pass for remaining Caddy PR audit | Complete | Identified one production-code correctness gap: Dokploy dashboard route rewrites under Caddy could omit local request-log compile settings and leave stale dashboard route fragments if Caddy reload failed. |
 | 2026-06-02 | RepoPrompt review with current diff and `back:3` context | Complete | Review findings incorporated locally: dashboard rollback is scoped to the dashboard fragment instead of replacing unrelated fragments, active-Caddy dashboard-domain settings are restored if the Caddy rewrite fails, dashboard rewrites preserve ACME/trusted-proxy/request-log compile settings, and failure tests assert active config alignment. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/request-logs-router.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 3 files, 43 tests. Covers dashboard Caddy updates preserving request access logs, ACME email, and trusted proxy settings; dashboard-fragment restoration on failed reload without clobbering unrelated fragments; request analytics router behavior; and trusted-proxy/dashboard settings rollback behavior. |
@@ -484,6 +480,10 @@ Expected post-mutation checks: schema proof, provider/task checks, route expecta
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 1 file, 13 tests. Covers direct dashboard toggle rejection under active Caddy with no Traefik read/write side effects, plus the active-Traefik dashboard toggle success path. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 185 tests after the direct dashboard toggle guard. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, and direct dashboard toggle rejection under active Caddy. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck` and `pnpm --filter=@dokploy/server typecheck` | Passed | App and server package typechecks passed after the direct dashboard toggle guard. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt review with git compare `back:3` | Complete | Latest review findings incorporated locally: dashboard fragment rollback now avoids clobbering concurrent dashboard updates, and dashboard-domain removal has focused restore-on-failure coverage. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 2 files, 38 tests. Covers dashboard route rollback, concurrent dashboard-fragment preservation, dashboard removal rollback, and direct Caddy dashboard toggle rejection. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 187 tests after the dashboard rollback concurrency hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, direct dashboard toggle rejection, and concurrent dashboard-fragment preservation. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | App/server typechecks and formatter/import checks passed after the dashboard rollback concurrency hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/utils/caddy/web-server.ts b/packages/server/src/utils/caddy/web-server.ts
index 01ac09b063..22a6857b02 100644
--- a/packages/server/src/utils/caddy/web-server.ts
+++ b/packages/server/src/utils/caddy/web-server.ts
@@ -12,6 +12,11 @@ import { DOKPLOY_CADDY_NETWORK } from "./upstream-targets";
 const CADDY_FRAGMENT_VERSION = 1;
 const DASHBOARD_FRAGMENT_ID = "dashboard.dokploy";
 
+const isSameFragment = (
+	first: CaddyRouteFragment | undefined,
+	second: CaddyRouteFragment | undefined,
+) => JSON.stringify(first) === JSON.stringify(second);
+
 const toPunycode = (host: string): string => {
 	try {
 		return new URL(`http://${host}`).hostname;
@@ -53,21 +58,33 @@ export const updateServerCaddy = async (
 	const previousDashboardFragment = (await readCaddyRouteFragments()).find(
 		(fragment) => fragment.id === DASHBOARD_FRAGMENT_ID,
 	);
+	let writtenDashboardFragment: CaddyRouteFragment | undefined;
 	try {
 		if (newHost) {
-			await writeCaddyRouteFragment(
-				createCaddyDashboardRouteFragment(settings, newHost),
+			writtenDashboardFragment = createCaddyDashboardRouteFragment(
+				settings,
+				newHost,
 			);
+			await writeCaddyRouteFragment(writtenDashboardFragment);
 		} else {
 			await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
 		}
 
 		await compileWriteAndReloadCaddyConfigSafely(compileSettings);
 	} catch (error) {
-		if (previousDashboardFragment) {
-			await writeCaddyRouteFragment(previousDashboardFragment);
-		} else {
-			await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
+		const currentDashboardFragment = (await readCaddyRouteFragments()).find(
+			(fragment) => fragment.id === DASHBOARD_FRAGMENT_ID,
+		);
+		const shouldRestorePrevious = newHost
+			? isSameFragment(currentDashboardFragment, writtenDashboardFragment)
+			: !currentDashboardFragment;
+
+		if (shouldRestorePrevious) {
+			if (previousDashboardFragment) {
+				await writeCaddyRouteFragment(previousDashboardFragment);
+			} else {
+				await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
+			}
 		}
 		throw error;
 	}

From 83d15ce5bd41196e3d7d141e4faa90bf9b180c0f Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 05:32:24 -0400
Subject: [PATCH 34/37] fix: tighten caddy certificate and env handling

---
 .../__test__/caddy/certificate-guard.test.ts  |  27 +++
 .../caddy/compose-domain-call-sites.test.ts   |  49 +++++
 .../caddy/domain-router-lifecycle.test.ts     |   5 +
 .../provider-neutral-ui-contract.test.ts      |   9 +
 .../servers/actions/show-traefik-actions.tsx  |   6 +-
 .../settings/web-server/edit-traefik-env.tsx  | 194 +----------------
 .../web-server/edit-web-server-env.tsx        | 197 ++++++++++++++++++
 apps/dokploy/server/api/routers/ai.ts         |  17 +-
 apps/dokploy/server/api/routers/compose.ts    |  45 ++--
 apps/dokploy/server/api/routers/domain.ts     |  35 +++-
 apps/dokploy/server/api/routers/project.ts    |  15 +-
 docs/caddy-provider-upstream-readiness.md     |  30 +--
 packages/server/src/services/certificate.ts   |  10 +-
 packages/server/src/services/compose.ts       |  11 +-
 packages/server/src/services/domain.ts        |  35 +++-
 packages/server/src/utils/caddy/compose.ts    |  25 ++-
 packages/server/src/utils/docker/domain.ts    |   5 +-
 17 files changed, 457 insertions(+), 258 deletions(-)
 create mode 100644 apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
 create mode 100644 apps/dokploy/components/dashboard/settings/web-server/edit-web-server-env.tsx

diff --git a/apps/dokploy/__test__/caddy/certificate-guard.test.ts b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
index 54c772dddf..454a3cd97e 100644
--- a/apps/dokploy/__test__/caddy/certificate-guard.test.ts
+++ b/apps/dokploy/__test__/caddy/certificate-guard.test.ts
@@ -70,6 +70,22 @@ test("allows uploaded Caddy certificates assigned to the same server and organiz
 	).resolves.toBeUndefined();
 });
 
+test("requires organization context for uploaded Caddy certificate validation", async () => {
+	writeCertificateFiles("certificate-uploaded");
+	certificatesFindFirstMock.mockResolvedValue({
+		certificatePath: "certificate-uploaded",
+		serverId: null,
+		organizationId: "org-1",
+	});
+
+	await expect(
+		assertCaddyDomainCertificateAvailable(null, domain(), null),
+	).rejects.toThrow(
+		"Caddy custom certificate validation requires organization context",
+	);
+	expect(certificatesFindFirstMock).not.toHaveBeenCalled();
+});
+
 test("rejects missing, cross-server, or cross-organization Caddy certificate paths", async () => {
 	certificatesFindFirstMock.mockResolvedValueOnce(null);
 	await expect(
@@ -117,3 +133,14 @@ test("ignores stale custom certificate fields when HTTPS is disabled", async ()
 	).resolves.toBeUndefined();
 	expect(certificatesFindFirstMock).not.toHaveBeenCalled();
 });
+
+test("does not require organization context for non-custom Caddy certificates", async () => {
+	await expect(
+		assertCaddyDomainCertificateAvailable(
+			null,
+			domain({ certificateType: "letsencrypt", customCertResolver: null }),
+			null,
+		),
+	).resolves.toBeUndefined();
+	expect(certificatesFindFirstMock).not.toHaveBeenCalled();
+});
diff --git a/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts b/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
new file mode 100644
index 0000000000..34fc5255a7
--- /dev/null
+++ b/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
@@ -0,0 +1,49 @@
+import { readFileSync } from "node:fs";
+import { describe, expect, test } from "vitest";
+
+const readSource = (relativePath: string) =>
+	readFileSync(new URL(relativePath, import.meta.url), "utf8");
+
+const expectNoRawComposeCreateDomain = (source: string) => {
+	expect(source).not.toMatch(
+		/createDomain\(\s*\{[\s\S]{0,500}domainType:\s*"compose"/,
+	);
+};
+
+describe("compose domain creation call-site contract", () => {
+	test("routes template compose domains through shared provider-aware helpers", () => {
+		const source = readSource("../../server/api/routers/compose.ts");
+
+		expect(source).toContain("createComposeDomain(");
+		expect(source).toContain("removeComposeDomainsForWebServer(");
+		expect(source).toContain("ctx.session.activeOrganizationId");
+		expectNoRawComposeCreateDomain(source);
+	});
+
+	test("routes AI-generated compose domains through shared provider-aware helpers", () => {
+		const source = readSource("../../server/api/routers/ai.ts");
+
+		expect(source).toContain("createComposeDomain(");
+		expect(source).toContain("ctx.session.activeOrganizationId");
+		expectNoRawComposeCreateDomain(source);
+	});
+
+	test("routes project duplication domains through application and compose helpers", () => {
+		const source = readSource("../../server/api/routers/project.ts");
+
+		expect(source).toContain("await createDomain({");
+		expect(source).toContain("applicationId: newApplication.applicationId");
+		expect(source).toContain("createComposeDomain(");
+		expect(source).toContain("ctx.session.activeOrganizationId");
+		expectNoRawComposeCreateDomain(source);
+	});
+
+	test("routes domain-router compose domains through shared provider-aware helpers", () => {
+		const source = readSource("../../server/api/routers/domain.ts");
+
+		expect(source).toContain("createComposeDomain(");
+		expect(source).toContain("refreshCaddyComposeRoutes(");
+		expect(source).toContain("ctx.session.activeOrganizationId");
+		expectNoRawComposeCreateDomain(source);
+	});
+});
diff --git a/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
index 3ed85309b4..9a5fd0a097 100644
--- a/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
+++ b/apps/dokploy/__test__/caddy/domain-router-lifecycle.test.ts
@@ -276,6 +276,7 @@ test("restores previous compose domain fields when Caddy route refresh fails aft
 		compose,
 		undefined,
 		"caddy",
+		"org-1",
 	);
 });
 
@@ -296,12 +297,14 @@ test("preserves compose domain rows when Caddy route refresh fails before delete
 		compose,
 		[siblingComposeDomain],
 		"caddy",
+		"org-1",
 	);
 	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
 		2,
 		compose,
 		undefined,
 		"caddy",
+		"org-1",
 	);
 	expect(removeDomainById).not.toHaveBeenCalled();
 });
@@ -323,11 +326,13 @@ test("restores all compose routes when compose domain delete persistence fails",
 		compose,
 		[siblingComposeDomain],
 		"caddy",
+		"org-1",
 	);
 	expect(refreshCaddyComposeRoutes).toHaveBeenNthCalledWith(
 		2,
 		compose,
 		undefined,
 		"caddy",
+		"org-1",
 	);
 });
diff --git a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
index d26e9f21b4..ef57d836fd 100644
--- a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
+++ b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
@@ -39,10 +39,19 @@ describe("provider-neutral Caddy UI contract", () => {
 		const actions = readSource(
 			"../../components/dashboard/settings/servers/actions/show-traefik-actions.tsx",
 		);
+		const envEditor = readSource(
+			"../../components/dashboard/settings/web-server/edit-web-server-env.tsx",
+		);
 		const fileSystem = readSource(
 			"../../components/dashboard/file-system/show-traefik-system.tsx",
 		);
 
+		expect(actions).toContain("EditWebServerEnv");
+		expect(actions).not.toContain("EditTraefikEnv");
+		expect(envEditor).toContain("readWebServerEnv");
+		expect(envEditor).toContain("writeWebServerEnv");
+		expect(envEditor).not.toContain("readTraefikEnv");
+		expect(envEditor).not.toContain("writeTraefikEnv");
 		expect(actions).toContain(': "Web Server";');
 		expect(actions).toMatch(
 			/const resourceName =[\s\S]*activeProvider === "caddy"[\s\S]*"dokploy-caddy"[\s\S]*activeProvider === "traefik"[\s\S]*"dokploy-traefik"[\s\S]*: null;/,
diff --git a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
index 4bbc8e7e47..5c6d7867d4 100644
--- a/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
+++ b/apps/dokploy/components/dashboard/settings/servers/actions/show-traefik-actions.tsx
@@ -14,7 +14,7 @@ import {
 import { useHealthCheckAfterMutation } from "@/hooks/use-health-check-after-mutation";
 import { api } from "@/utils/api";
 import { CaddyTrustedProxySettings } from "../../web-server/caddy-trusted-proxy-settings";
-import { EditTraefikEnv } from "../../web-server/edit-traefik-env";
+import { EditWebServerEnv } from "../../web-server/edit-web-server-env";
 import { ManageTraefikPorts } from "../../web-server/manage-traefik-ports";
 import { ShowModalLogs } from "../../web-server/show-modal-logs";
 
@@ -134,14 +134,14 @@ export const ShowTraefikActions = ({ serverId }: Props) => {
 							</DropdownMenuItem>
 						</ShowModalLogs>
 					)}
-					<EditTraefikEnv serverId={serverId}>
+					<EditWebServerEnv serverId={serverId}>
 						<DropdownMenuItem
 							onSelect={(e) => e.preventDefault()}
 							className="cursor-pointer"
 						>
 							<span>Modify Environment</span>
 						</DropdownMenuItem>
-					</EditTraefikEnv>
+					</EditWebServerEnv>
 
 					{activeProvider === "caddy" && (
 						<CaddyTrustedProxySettings serverId={serverId}>
diff --git a/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx b/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
index b5f57f8bbe..8c5a0e8db2 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/edit-traefik-env.tsx
@@ -1,193 +1,3 @@
-import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
-import { useEffect, useState } from "react";
-import { useForm } from "react-hook-form";
-import { toast } from "sonner";
-import { z } from "zod";
-import { AlertBlock } from "@/components/shared/alert-block";
-import { CodeEditor } from "@/components/shared/code-editor";
-import { Button } from "@/components/ui/button";
-import {
-	Dialog,
-	DialogContent,
-	DialogDescription,
-	DialogFooter,
-	DialogHeader,
-	DialogTitle,
-	DialogTrigger,
-} from "@/components/ui/dialog";
-import {
-	Form,
-	FormControl,
-	FormField,
-	FormItem,
-	FormLabel,
-	FormMessage,
-} from "@/components/ui/form";
-import { useHealthCheckAfterMutation } from "@/hooks/use-health-check-after-mutation";
-import { api } from "@/utils/api";
+import { EditWebServerEnv } from "./edit-web-server-env";
 
-const schema = z.object({
-	env: z.string(),
-});
-
-type Schema = z.infer<typeof schema>;
-
-interface Props {
-	children?: React.ReactNode;
-	serverId?: string;
-}
-
-export const EditTraefikEnv = ({ children, serverId }: Props) => {
-	const [canEdit, setCanEdit] = useState(true);
-
-	const { data: activeProvider } =
-		api.settings.getActiveWebServerProvider.useQuery({ serverId });
-	const providerLabel = activeProvider === "caddy" ? "Caddy" : "Traefik";
-
-	const { data } = api.settings.readWebServerEnv.useQuery({
-		serverId,
-	});
-
-	const { mutateAsync, isPending, error, isError } =
-		api.settings.writeWebServerEnv.useMutation();
-
-	const {
-		execute: executeWithHealthCheck,
-		isExecuting: isHealthCheckExecuting,
-	} = useHealthCheckAfterMutation({
-		initialDelay: 5000,
-		successMessage: `${providerLabel} env updated`,
-	});
-
-	const form = useForm<Schema>({
-		defaultValues: {
-			env: data || "",
-		},
-		disabled: canEdit,
-		resolver: zodResolver(schema),
-	});
-
-	useEffect(() => {
-		if (data) {
-			form.reset({
-				env: data || "",
-			});
-		}
-	}, [form, form.reset, data]);
-
-	const onSubmit = async (data: Schema) => {
-		try {
-			await executeWithHealthCheck(() =>
-				mutateAsync({
-					env: data.env,
-					serverId,
-				}),
-			);
-		} catch {
-			toast.error(`Error updating the ${providerLabel} env`);
-		}
-	};
-
-	// Add keyboard shortcut for Ctrl+S/Cmd+S
-	useEffect(() => {
-		const handleKeyDown = (e: KeyboardEvent) => {
-			if (
-				(e.ctrlKey || e.metaKey) &&
-				e.code === "KeyS" &&
-				!isPending &&
-				!canEdit
-			) {
-				e.preventDefault();
-				form.handleSubmit(onSubmit)();
-			}
-		};
-
-		document.addEventListener("keydown", handleKeyDown);
-		return () => {
-			document.removeEventListener("keydown", handleKeyDown);
-		};
-	}, [form, onSubmit, isPending, canEdit]);
-
-	return (
-		<Dialog>
-			<DialogTrigger asChild>{children}</DialogTrigger>
-			<DialogContent className="sm:max-w-4xl">
-				<DialogHeader>
-					<DialogTitle>Update {providerLabel} Environment</DialogTitle>
-					<DialogDescription>
-						Update the active web server environment variables.
-					</DialogDescription>
-				</DialogHeader>
-				{isError && <AlertBlock type="error">{error?.message}</AlertBlock>}
-
-				<Form {...form}>
-					<form
-						id="hook-form-update-server-traefik-config"
-						onSubmit={form.handleSubmit(onSubmit)}
-						className="w-full space-y-4 relative overflow-auto"
-					>
-						<div className="flex flex-col">
-							<FormField
-								control={form.control}
-								name="env"
-								render={({ field }) => (
-									<FormItem className="relative">
-										<FormLabel>Env</FormLabel>
-										<FormControl>
-											<CodeEditor
-												language="properties"
-												wrapperClassName="h-[35rem] font-mono"
-												placeholder={
-													activeProvider === "caddy"
-														? `CADDY_ADMIN=localhost:2019
-# Add Caddy container environment variables here if needed.
-                                                    `
-														: `TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=test@localhost.com
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_STORAGE=/etc/dokploy/traefik/dynamic/acme.json
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE=true
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_PRETTY=true
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_ENTRYPOINT=web
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_CHALLENGE=true
-TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_PROVIDER=cloudflare
-                                                    `
-												}
-												{...field}
-											/>
-										</FormControl>
-
-										<pre>
-											<FormMessage />
-										</pre>
-										<div className="flex justify-end absolute z-50 right-6 top-0">
-											<Button
-												className="shadow-sm"
-												variant="secondary"
-												type="button"
-												onClick={async () => {
-													setCanEdit(!canEdit);
-												}}
-											>
-												{canEdit ? "Unlock" : "Lock"}
-											</Button>
-										</div>
-									</FormItem>
-								)}
-							/>
-						</div>
-					</form>
-
-					<DialogFooter>
-						<Button
-							isLoading={isPending || isHealthCheckExecuting}
-							disabled={canEdit || isPending || isHealthCheckExecuting}
-							form="hook-form-update-server-traefik-config"
-							type="submit"
-						>
-							Update
-						</Button>
-					</DialogFooter>
-				</Form>
-			</DialogContent>
-		</Dialog>
-	);
-};
+export const EditTraefikEnv = EditWebServerEnv;
diff --git a/apps/dokploy/components/dashboard/settings/web-server/edit-web-server-env.tsx b/apps/dokploy/components/dashboard/settings/web-server/edit-web-server-env.tsx
new file mode 100644
index 0000000000..69d9bfadf5
--- /dev/null
+++ b/apps/dokploy/components/dashboard/settings/web-server/edit-web-server-env.tsx
@@ -0,0 +1,197 @@
+import { standardSchemaResolver as zodResolver } from "@hookform/resolvers/standard-schema";
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+import { toast } from "sonner";
+import { z } from "zod";
+import { AlertBlock } from "@/components/shared/alert-block";
+import { CodeEditor } from "@/components/shared/code-editor";
+import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogDescription,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+	DialogTrigger,
+} from "@/components/ui/dialog";
+import {
+	Form,
+	FormControl,
+	FormField,
+	FormItem,
+	FormLabel,
+	FormMessage,
+} from "@/components/ui/form";
+import { useHealthCheckAfterMutation } from "@/hooks/use-health-check-after-mutation";
+import { api } from "@/utils/api";
+
+const schema = z.object({
+	env: z.string(),
+});
+
+type Schema = z.infer<typeof schema>;
+
+interface Props {
+	children?: React.ReactNode;
+	serverId?: string;
+}
+
+export const EditWebServerEnv = ({ children, serverId }: Props) => {
+	const [canEdit, setCanEdit] = useState(true);
+
+	const { data: activeProvider } =
+		api.settings.getActiveWebServerProvider.useQuery({ serverId });
+	const providerLabel =
+		activeProvider === "caddy"
+			? "Caddy"
+			: activeProvider === "traefik"
+				? "Traefik"
+				: "Web Server";
+
+	const { data } = api.settings.readWebServerEnv.useQuery({
+		serverId,
+	});
+
+	const { mutateAsync, isPending, error, isError } =
+		api.settings.writeWebServerEnv.useMutation();
+
+	const {
+		execute: executeWithHealthCheck,
+		isExecuting: isHealthCheckExecuting,
+	} = useHealthCheckAfterMutation({
+		initialDelay: 5000,
+		successMessage: `${providerLabel} env updated`,
+	});
+
+	const form = useForm<Schema>({
+		defaultValues: {
+			env: data || "",
+		},
+		disabled: canEdit,
+		resolver: zodResolver(schema),
+	});
+
+	useEffect(() => {
+		if (data) {
+			form.reset({
+				env: data || "",
+			});
+		}
+	}, [form, form.reset, data]);
+
+	const onSubmit = async (data: Schema) => {
+		try {
+			await executeWithHealthCheck(() =>
+				mutateAsync({
+					env: data.env,
+					serverId,
+				}),
+			);
+		} catch {
+			toast.error(`Error updating the ${providerLabel} env`);
+		}
+	};
+
+	useEffect(() => {
+		const handleKeyDown = (e: KeyboardEvent) => {
+			if (
+				(e.ctrlKey || e.metaKey) &&
+				e.code === "KeyS" &&
+				!isPending &&
+				!canEdit
+			) {
+				e.preventDefault();
+				form.handleSubmit(onSubmit)();
+			}
+		};
+
+		document.addEventListener("keydown", handleKeyDown);
+		return () => {
+			document.removeEventListener("keydown", handleKeyDown);
+		};
+	}, [form, onSubmit, isPending, canEdit]);
+
+	return (
+		<Dialog>
+			<DialogTrigger asChild>{children}</DialogTrigger>
+			<DialogContent className="sm:max-w-4xl">
+				<DialogHeader>
+					<DialogTitle>Update {providerLabel} Environment</DialogTitle>
+					<DialogDescription>
+						Update the active web server environment variables.
+					</DialogDescription>
+				</DialogHeader>
+				{isError && <AlertBlock type="error">{error?.message}</AlertBlock>}
+
+				<Form {...form}>
+					<form
+						id="hook-form-update-web-server-env"
+						onSubmit={form.handleSubmit(onSubmit)}
+						className="w-full space-y-4 relative overflow-auto"
+					>
+						<div className="flex flex-col">
+							<FormField
+								control={form.control}
+								name="env"
+								render={({ field }) => (
+									<FormItem className="relative">
+										<FormLabel>Env</FormLabel>
+										<FormControl>
+											<CodeEditor
+												language="properties"
+												wrapperClassName="h-[35rem] font-mono"
+												placeholder={
+													activeProvider === "caddy"
+														? `CADDY_ADMIN=localhost:2019
+# Add Caddy container environment variables here if needed.
+                                                    `
+														: `TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_ACME_EMAIL=test@localhost.com
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_STORAGE=/etc/dokploy/traefik/dynamic/acme.json
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE=true
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_PRETTY=true
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_ENTRYPOINT=web
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_CHALLENGE=true
+TRAEFIK_CERTIFICATESRESOLVERS_LETSENCRYPT_HTTP_CHALLENGE_DNS_PROVIDER=cloudflare
+                                                    `
+												}
+												{...field}
+											/>
+										</FormControl>
+
+										<pre>
+											<FormMessage />
+										</pre>
+										<div className="flex justify-end absolute z-50 right-6 top-0">
+											<Button
+												className="shadow-sm"
+												variant="secondary"
+												type="button"
+												onClick={async () => {
+													setCanEdit(!canEdit);
+												}}
+											>
+												{canEdit ? "Unlock" : "Lock"}
+											</Button>
+										</div>
+									</FormItem>
+								)}
+							/>
+						</div>
+					</form>
+
+					<DialogFooter>
+						<Button
+							isLoading={isPending || isHealthCheckExecuting}
+							disabled={canEdit || isPending || isHealthCheckExecuting}
+							form="hook-form-update-web-server-env"
+							type="submit"
+						>
+							Update
+						</Button>
+					</DialogFooter>
+				</Form>
+			</DialogContent>
+		</Dialog>
+	);
+};
diff --git a/apps/dokploy/server/api/routers/ai.ts b/apps/dokploy/server/api/routers/ai.ts
index 37a79dcb7e..fc8c43ee90 100644
--- a/apps/dokploy/server/api/routers/ai.ts
+++ b/apps/dokploy/server/api/routers/ai.ts
@@ -352,12 +352,17 @@ ${input.logs}`,
 
 			if (input.domains && input.domains?.length > 0) {
 				for (const domain of input.domains) {
-					await createComposeDomain(compose, {
-						...domain,
-						domainType: "compose",
-						certificateType: "none",
-						composeId: compose.composeId,
-					});
+					await createComposeDomain(
+						compose,
+						{
+							...domain,
+							domainType: "compose",
+							certificateType: "none",
+							composeId: compose.composeId,
+						},
+						undefined,
+						ctx.session.activeOrganizationId,
+					);
 				}
 			}
 			if (input.configFiles && input.configFiles?.length > 0) {
diff --git a/apps/dokploy/server/api/routers/compose.ts b/apps/dokploy/server/api/routers/compose.ts
index 0bb6d9f644..cc2f0efcde 100644
--- a/apps/dokploy/server/api/routers/compose.ts
+++ b/apps/dokploy/server/api/routers/compose.ts
@@ -671,13 +671,18 @@ export const composeRouter = createTRPCRouter({
 
 			if (generate.domains && generate.domains?.length > 0) {
 				for (const domain of generate.domains) {
-					await createComposeDomain(compose, {
-						...domain,
-						domainType: "compose",
-						certificateType: "none",
-						composeId: compose.composeId,
-						host: domain.host || "",
-					});
+					await createComposeDomain(
+						compose,
+						{
+							...domain,
+							domainType: "compose",
+							certificateType: "none",
+							composeId: compose.composeId,
+							host: domain.host || "",
+						},
+						undefined,
+						ctx.session.activeOrganizationId,
+					);
 				}
 			}
 
@@ -964,7 +969,12 @@ export const composeRouter = createTRPCRouter({
 					await deleteMount(mount.mountId);
 				}
 
-				await removeComposeDomainsForWebServer(compose, compose.domains);
+				await removeComposeDomainsForWebServer(
+					compose,
+					compose.domains,
+					undefined,
+					ctx.session.activeOrganizationId,
+				);
 
 				let serverIp = "127.0.0.1";
 
@@ -1025,13 +1035,18 @@ export const composeRouter = createTRPCRouter({
 
 				if (processedTemplate.domains && processedTemplate.domains.length > 0) {
 					for (const domain of processedTemplate.domains) {
-						await createComposeDomain(compose, {
-							...domain,
-							domainType: "compose",
-							certificateType: "none",
-							composeId: compose.composeId,
-							host: domain.host || "",
-						});
+						await createComposeDomain(
+							compose,
+							{
+								...domain,
+								domainType: "compose",
+								certificateType: "none",
+								composeId: compose.composeId,
+								host: domain.host || "",
+							},
+							undefined,
+							ctx.session.activeOrganizationId,
+						);
 					}
 				}
 
diff --git a/apps/dokploy/server/api/routers/domain.ts b/apps/dokploy/server/api/routers/domain.ts
index 2063384470..0b975afc96 100644
--- a/apps/dokploy/server/api/routers/domain.ts
+++ b/apps/dokploy/server/api/routers/domain.ts
@@ -64,7 +64,12 @@ export const domainRouter = createTRPCRouter({
 					});
 					const compose = await findComposeById(input.composeId);
 					const provider = await resolveWebServerProvider(compose.serverId);
-					const domain = await createComposeDomain(compose, input, provider);
+					const domain = await createComposeDomain(
+						compose,
+						input,
+						provider,
+						ctx.session.activeOrganizationId,
+					);
 					await audit(ctx, {
 						action: "create",
 						resourceType: "domain",
@@ -217,7 +222,12 @@ export const domainRouter = createTRPCRouter({
 						throw new Error("Error updating domain");
 					}
 					try {
-						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
+						await refreshCaddyComposeRoutes(
+							compose,
+							undefined,
+							"caddy",
+							ctx.session.activeOrganizationId,
+						);
 						await audit(ctx, {
 							action: "update",
 							resourceType: "domain",
@@ -230,7 +240,12 @@ export const domainRouter = createTRPCRouter({
 							input.domainId,
 							toDomainUpdateFields(currentDomain),
 						);
-						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
+						await refreshCaddyComposeRoutes(
+							compose,
+							undefined,
+							"caddy",
+							ctx.session.activeOrganizationId,
+						);
 						throw error;
 					}
 				}
@@ -348,7 +363,12 @@ export const domainRouter = createTRPCRouter({
 						(item) => item.domainId !== domain.domainId,
 					);
 					try {
-						await refreshCaddyComposeRoutes(compose, remainingDomains, "caddy");
+						await refreshCaddyComposeRoutes(
+							compose,
+							remainingDomains,
+							"caddy",
+							ctx.session.activeOrganizationId,
+						);
 						const result = await removeDomainById(input.domainId);
 						await audit(ctx, {
 							action: "delete",
@@ -358,7 +378,12 @@ export const domainRouter = createTRPCRouter({
 						});
 						return result;
 					} catch (error) {
-						await refreshCaddyComposeRoutes(compose, undefined, "caddy");
+						await refreshCaddyComposeRoutes(
+							compose,
+							undefined,
+							"caddy",
+							ctx.session.activeOrganizationId,
+						);
 						throw error;
 					}
 				}
diff --git a/apps/dokploy/server/api/routers/project.ts b/apps/dokploy/server/api/routers/project.ts
index 6e9e0b1e76..47af6cde03 100644
--- a/apps/dokploy/server/api/routers/project.ts
+++ b/apps/dokploy/server/api/routers/project.ts
@@ -978,11 +978,16 @@ export const projectRouter = createTRPCRouter({
 
 								for (const domain of domains) {
 									const { domainId, ...rest } = domain;
-									await createComposeDomain(newCompose, {
-										...rest,
-										composeId: newCompose.composeId,
-										domainType: "compose",
-									});
+									await createComposeDomain(
+										newCompose,
+										{
+											...rest,
+											composeId: newCompose.composeId,
+											domainType: "compose",
+										},
+										undefined,
+										ctx.session.activeOrganizationId,
+									);
 								}
 
 								break;
diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index cae8a328e6..713adecb58 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -8,6 +8,7 @@ PR: https://github.com/Dokploy/dokploy/pull/4534
 
 - The upstream PR should contain generic Dokploy code, tests, and user-facing documentation only.
 - Keep platform-specific route manifests, hostnames, production logs, secrets, and operational evidence outside this repository.
+- Runtime evidence is not part of the upstream PR surface; PR readiness is tracked through source inspection, focused tests, typechecks, formatter checks, and sanitized proof notes.
 - Read-only production checks are allowed for proof gathering.
 - Live apply, rollback, provider switching, service updates, restarts, or config writes require explicit human approval in the current work session.
 
@@ -33,20 +34,20 @@ Local state observed before this document was added:
 | Area | Current evidence | Status | Next proof needed |
 | --- | --- | --- | --- |
 | Application domain create under Caddy | `createDomain()` inserts the row, dispatches through `manageWebServerDomain()` for application domains, and removes the row if provider route creation fails. Focused service tests prove provider dispatch and cleanup when provider route creation fails. | Locally covered | Add router-level test only if maintainers want end-to-end TRPC proof. |
-| Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
-| Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion, preserves the DB row if Caddy route removal fails before delete, and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | Add runtime proof after explicit approval. |
-| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `removeComposeDomainsForWebServer()` refreshes Caddy with remaining compose domains before non-router delete flows remove rows and restores old fragments if DB deletion fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` preserves DB rows when route refresh fails before delete and restores all compose routes if DB delete fails. | Locally covered | Add runtime proof after explicit approval. |
+| Application domain update under Caddy | `domainRouter.update` writes the next Caddy fragment before DB update and restores the old fragment on DB failure. `manageCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Application domain delete under Caddy | `domainRouter.delete` removes provider config before DB deletion, preserves the DB row if Caddy route removal fails before delete, and restores on DB failure. `removeCaddyDomain()` also restores previous fragments when reload fails. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Compose domain add/update/remove under Caddy | `createComposeDomain()` removes new rows if refresh fails. `removeComposeDomainsForWebServer()` refreshes Caddy with remaining compose domains before non-router delete flows remove rows and restores old fragments if DB deletion fails. `domainRouter.update` restores previous compose domain fields and fragments if refresh fails. `domainRouter.delete` preserves DB rows when route refresh fails before delete and restores all compose routes if DB delete fails. Compose route refresh call sites pass organization context when validating uploaded Caddy certificates. | Locally covered | None before PR update; rerun helper/source-contract tests after edits. |
 | Domain added while creating/duplicating a new application service | `application.create` has no domain payload. The application new-service-with-domain path is project duplication: copied application domains call `createDomain()` with `applicationId`, which invokes provider dispatch. | Locally covered | Add router-level duplication proof only if maintainers want end-to-end TRPC coverage beyond the service contract. |
-| Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. | Locally covered | Add router-level or creation-flow tests if upstream reviewers want proof beyond the focused helper test. |
-| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | Add runtime proof after explicit approval if preview deployments are included in the live validation pass. |
-| Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; active Caddy domains block certificate file replacement/deletion until the domain is changed. Domain create/update API schemas now enforce the same HTTPS custom-certificate resolver requirement as the frontend and shared validation layer. | Locally covered | Add runtime proof after explicit approval. Consider a follow-up schema rename because Caddy currently stores the uploaded certificate path in the existing `customCertResolver` field. |
-| LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | Add runtime proof after explicit approval. |
-| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | Add runtime proof after explicit approval by enabling Cloudflare or static trusted proxies and validating generated `caddy.json` plus route behavior. |
-| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites and Dokploy dashboard route rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | Add live runtime proof only after explicit approval. |
-| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, and provider-neutral custom-role file permission labels now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. The application Advanced web-server config viewer now uses generic `Web Server` copy while provider resolution is pending and only exposes the legacy Traefik modify dialog after the active provider resolves to Traefik; Caddy previews remain read-only. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels, unresolved-provider application config copy, and hiding Traefik-only controls under active Caddy or unresolved providers. | Locally covered | Add live runtime proof only after explicit approval. |
+| Domain added during new compose/template/AI/import creation | `createComposeDomain()` now creates compose domains and refreshes Caddy compose routes with rollback if refresh fails. Template create, template import, AI compose generation, project compose duplication, and `domainRouter.create` use it with active organization context. Template import also removes prior compose domains through `removeComposeDomainsForWebServer()` so importing a template with zero replacement domains removes stale Caddy fragments. Source-contract tests cover these non-domain-router call sites so they do not regress to raw compose-domain row writes. | Locally covered | None before PR update; rerun helper/source-contract tests after edits. |
+| Preview domains under Caddy | Preview deployment uses `manageWebServerDomain()` for create and requires `removeWebServerDomain()` cleanup before deleting a preview deployment row when a preview domain exists. Focused tests prove the preview app name is set before provider dispatch, cleanup removes by `uniqueConfigKey`, and route cleanup failures preserve the DB row across preview-deployment cleanup and domain-router delete flows. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Custom SSL certificates | Caddy domains can now select uploaded certificates. Application and compose route intents reference certificate/key files and compiled Caddy JSON emits `apps.tls.certificates.load_files`. Migration dry-runs keep valid uploaded certificates and block missing/cross-org/unreadable references. Backend guards require matching server/org context and readable `chain.crt` plus `privkey.key`; uploaded Caddy certificate validation now fails closed when organization context is missing instead of silently skipping org scoping. Active Caddy domains block certificate file replacement/deletion until the domain is changed. Domain create/update API schemas now enforce the same HTTPS custom-certificate resolver requirement as the frontend and shared validation layer. | Locally covered | None before PR update; provider-neutral schema naming remains a follow-up unless maintainers request it in this PR. |
+| LetsEncrypt / automatic HTTPS | Caddy application and compose fragments set `https` from domain settings and pass local LetsEncrypt email where available. Config and route lifecycle tests cover the generated ACME paths. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Cloudflare proxy awareness | `compileCaddyConfig()` supports explicit static trusted proxy CIDRs and a Cloudflare preset using static Cloudflare IP ranges plus `CF-Connecting-IP` and `X-Forwarded-For`. Local and remote settings persist the selected mode and Caddy rebuild paths pass it into generated JSON. Default config still trusts no forwarded headers. Strict mode emits a Caddy-compatible boolean. The settings mutation persists without rebuilding under Traefik, rebuilds active local and remote Caddy with settings read after persistence, restores previous DB settings if reload fails, scopes remote rollback to the selected server, and the safe reload helper reloads the restored runtime config while preserving the original failure if the restore attempt also fails. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Requests / access-log analytics | Requests analytics are provider-aware for the local active web server. Traefik keeps its existing YAML `accessLog.filePath` toggle and log parser behavior. Caddy persists a local `requestLogsEnabled` setting only through the provider-aware toggle flow, validates the rewritten Caddy config before returning success, compiles JSON access logs to `/etc/caddy/access.log`, preserves that setting across Caddy env/port setup rewrites and Dokploy dashboard route rewrites, normalizes Caddy JSON access-log entries into the existing Requests table/chart shape while preserving query strings in `RequestPath`, reads the latest retained local Caddy log lines for paginated and date-range views, rejects invalid cleanup cron schedules before persistence, cleans Caddy logs without signaling Traefik, and marks prepared migration artifacts stale if request-log compile settings change before apply. The current API/UI is local active web-server only; remote-server Requests analytics are a follow-up decision. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Caddy settings UI | Migration panel, provider selector, Caddy domain certificate labels, Caddy trusted proxy settings, provider-neutral uploaded certificate copy, provider-neutral port-mapping copy, provider-aware update-server health checks, provider-aware Requests copy, provider-neutral web-server file permission copy, provider-neutral local web-server file nav/search/account labels, provider-neutral custom-role file permission labels, and a provider-neutral local web-server environment editor entry point now exist. Application domain, redirect, and security mutation paths invalidate the provider-aware application web-server config cache so the Caddy route-fragment preview does not stay stale. The application Advanced web-server config viewer now uses generic `Web Server` copy while provider resolution is pending and only exposes the legacy Traefik modify dialog after the active provider resolves to Traefik; Caddy previews remain read-only. Remote server file-system inspection now uses active-provider labels and provider-aware endpoints; the local file-system page resolves the active provider when the prop is omitted so Traefik stays editable; Caddy generated artifacts are inspectable through safe read-only paths. Local isolated browser QA covered Settings -> Web Server, Requests, file browser, the Caddy trusted-proxy dialog, and the application domain modal under active Caddy with an uploaded certificate fixture. Source contract tests cover the application domain tab/modal path, active-Caddy provider resolution, Caddy uploaded certificate query/filter/copy, provider-neutral web-server file-browser labels and environment editor endpoints, unresolved-provider application config copy, and hiding Traefik-only controls under active Caddy or unresolved providers. | Locally covered | None before PR update; local browser QA can be repeated if UI files change again. |
 | Caddy dashboard | Caddy admin endpoint is local-only in the current design, `compileCaddyConfig()` binds admin to `localhost:2019`, `getWebServerDashboardState` reports Caddy dashboard disabled instead of exposing the admin API through Dokploy, direct dashboard toggle API calls reject while Caddy is active before reading or rewriting legacy Traefik resources, active Caddy setup filters only reserved `2019/tcp` admin publishing, migration carry-over drops Traefik-only `8080/8082` plus `2019`, and the ports mutation rejects Caddy admin-port targets before rebuild while allowing non-admin custom Caddy ports. Dokploy dashboard route rewrites now preserve local Caddy compile settings and restore previous route fragments if the Caddy reload fails. | Deferred | Prefer no public dashboard in this PR; track any dashboard proxy as a follow-up with auth and network controls. |
-| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | Add runtime proof after explicit approval. |
-| Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
+| Migration dry-run/apply/rollback | Current PR includes prepare/apply/rollback, runtime preflight, rollback CLI, fail-closed runtime migration tests, and focused migration tests. Prepare records compile settings and apply rejects stale dry-runs if trusted proxy/ACME settings changed after prepare. Approved Caddy custom-certificate `load_files` artifacts are validated before cutover, applied into the active config, and rollback restores the previous config. | Locally covered | None before PR update; runtime proof stays external to this PR surface. |
+| Developer paper cuts | Generated RepoPrompt exports, private docs, stale Traefik labels, broad noisy tests, and provider-specific UI names can cause review friction. Current upstream-surface audit found no forbidden prompt exports/private docs/platform runbooks and commit subjects are generic. Provider-neutral env-editor wiring and compose-domain call-site source contracts now guard two review-friction areas that could otherwise regress silently. | Locally covered | Re-run the hygiene audit and `git diff --check` after any further commits before push. |
 
 ## Code Evidence
 
@@ -484,6 +485,11 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/trusted-proxy-settings-router.test.ts` | Passed | 2 files, 38 tests. Covers dashboard route rollback, concurrent dashboard-fragment preservation, dashboard removal rollback, and direct Caddy dashboard toggle rejection. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 28 files, 187 tests after the dashboard rollback concurrency hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, direct dashboard toggle rejection, and concurrent dashboard-fragment preservation. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, and `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>` | Passed | App/server typechecks and formatter/import checks passed after the dashboard rollback concurrency hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt Deep Plan pass for remaining Caddy PR audit | Complete | Identified provider-neutral env-editor wiring, custom-certificate organization-context validation, compose-domain call-site contracts, and tracker cleanup as the latest local-safe PR hardening packet. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts __test__/caddy/certificate-guard.test.ts __test__/caddy/compose-domain-call-sites.test.ts` | Passed | 3 files, 14 tests. Covers provider-neutral web-server env endpoints, fail-closed uploaded Caddy certificate validation without organization context, and source contracts for non-domain-router compose-domain creation paths. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts __test__/caddy/certificate-guard.test.ts __test__/caddy/compose-domain-call-sites.test.ts __test__/caddy/compose/domain.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 6 files, 37 tests. Covers provider-neutral env UI contracts, custom certificate org-context guards, compose-domain source contracts, compose helper behavior, service-level rollback, and router lifecycle rollback with organization context threaded through refresh calls. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 29 files, 193 tests after provider-neutral env-editor and compose certificate org-context hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, compose-domain call-site contracts, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, direct dashboard toggle rejection, and concurrent dashboard-fragment preservation. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, and `git diff --check` | Passed | App/server typechecks, formatter/import checks, and whitespace checks passed after provider-neutral env-editor and compose certificate org-context hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
 
 ## Upstream Hygiene Checklist
 
diff --git a/packages/server/src/services/certificate.ts b/packages/server/src/services/certificate.ts
index 87bd915234..072650b768 100644
--- a/packages/server/src/services/certificate.ts
+++ b/packages/server/src/services/certificate.ts
@@ -45,15 +45,19 @@ export const assertCertificatePathAvailableForServer = async (
 	serverId?: string | null,
 	organizationId?: string | null,
 ) => {
+	if (!organizationId) {
+		throw new Error(
+			"Caddy custom certificate validation requires organization context.",
+		);
+	}
+
 	const certificate = await findCertificateByPath(certificatePath);
 	const expectedServerId = serverId ?? null;
-	const expectedOrganizationId = organizationId ?? null;
 
 	if (
 		!certificate ||
 		(certificate.serverId ?? null) !== expectedServerId ||
-		(expectedOrganizationId &&
-			certificate.organizationId !== expectedOrganizationId)
+		certificate.organizationId !== organizationId
 	) {
 		throw new Error(
 			`Caddy custom certificate "${certificatePath}" is not available for this server and organization. Use an uploaded certificate assigned to the same server and project organization.`,
diff --git a/packages/server/src/services/compose.ts b/packages/server/src/services/compose.ts
index efe8d9ce4a..74087de069 100644
--- a/packages/server/src/services/compose.ts
+++ b/packages/server/src/services/compose.ts
@@ -281,7 +281,13 @@ export const deployCompose = async ({
 		}
 
 		if (caddyComposeRouteTargets) {
-			await writeCaddyComposeRoutesForTargets(entity, caddyComposeRouteTargets);
+			await writeCaddyComposeRoutesForTargets(
+				entity,
+				caddyComposeRouteTargets,
+				{
+					organizationId: compose.environment.project.organizationId,
+				},
+			);
 		}
 
 		await updateDeploymentStatus(deployment.deploymentId, "done");
@@ -405,6 +411,9 @@ export const rebuildCompose = async ({
 			await writeCaddyComposeRoutesForTargets(
 				compose,
 				caddyComposeRouteTargets,
+				{
+					organizationId: compose.environment.project.organizationId,
+				},
 			);
 		}
 
diff --git a/packages/server/src/services/domain.ts b/packages/server/src/services/domain.ts
index dd8095f204..710085b12f 100644
--- a/packages/server/src/services/domain.ts
+++ b/packages/server/src/services/domain.ts
@@ -158,6 +158,7 @@ export const refreshCaddyComposeRoutes = async (
 	compose: Compose,
 	domainsInput?: Domain[],
 	provider?: WebServerProvider,
+	organizationId?: string | null,
 ) => {
 	const domainsArray =
 		domainsInput ?? (await findDomainsByComposeId(compose.composeId));
@@ -167,7 +168,9 @@ export const refreshCaddyComposeRoutes = async (
 		provider,
 	);
 	if (routeTargets) {
-		await writeCaddyComposeRoutesForTargets(compose, routeTargets);
+		await writeCaddyComposeRoutesForTargets(compose, routeTargets, {
+			organizationId,
+		});
 	}
 };
 
@@ -175,14 +178,25 @@ export const createComposeDomain = async (
 	compose: Compose,
 	input: z.infer<typeof apiCreateDomain>,
 	provider?: WebServerProvider,
+	organizationId?: string | null,
 ) => {
 	const domain = await createDomain(input);
 	try {
-		await refreshCaddyComposeRoutes(compose, undefined, provider);
+		await refreshCaddyComposeRoutes(
+			compose,
+			undefined,
+			provider,
+			organizationId,
+		);
 		return domain;
 	} catch (error) {
 		await removeDomainById(domain.domainId);
-		await refreshCaddyComposeRoutes(compose, undefined, provider);
+		await refreshCaddyComposeRoutes(
+			compose,
+			undefined,
+			provider,
+			organizationId,
+		);
 		throw error;
 	}
 };
@@ -191,6 +205,7 @@ export const removeComposeDomainsForWebServer = async (
 	compose: Compose,
 	domainsToRemove: Domain[],
 	provider?: WebServerProvider,
+	organizationId?: string | null,
 ) => {
 	if (domainsToRemove.length === 0) {
 		return [];
@@ -228,7 +243,12 @@ export const removeComposeDomainsForWebServer = async (
 		(domain) => !domainIdsToRemove.has(domain.domainId),
 	);
 
-	await refreshCaddyComposeRoutes(compose, remainingDomains, resolvedProvider);
+	await refreshCaddyComposeRoutes(
+		compose,
+		remainingDomains,
+		resolvedProvider,
+		organizationId,
+	);
 
 	try {
 		return await db.transaction(async (tx) =>
@@ -243,7 +263,12 @@ export const removeComposeDomainsForWebServer = async (
 				.returning(),
 		);
 	} catch (error) {
-		await refreshCaddyComposeRoutes(compose, currentDomains, resolvedProvider);
+		await refreshCaddyComposeRoutes(
+			compose,
+			currentDomains,
+			resolvedProvider,
+			organizationId,
+		);
 		throw error;
 	}
 };
diff --git a/packages/server/src/utils/caddy/compose.ts b/packages/server/src/utils/caddy/compose.ts
index 5d7650eeb3..374e3542ff 100644
--- a/packages/server/src/utils/caddy/compose.ts
+++ b/packages/server/src/utils/caddy/compose.ts
@@ -109,13 +109,18 @@ export const createCaddyComposeRouteFragment = (
 export const writeCaddyComposeRouteFragments = async (
 	compose: Compose,
 	domains: Array<{ domain: Domain; finalServiceName: string }>,
+	options: {
+		organizationId?: string | null;
+	} = {},
 ) => {
 	const serverId = compose.serverId || undefined;
-	const organizationId = (
-		compose as Compose & {
-			environment?: { project?: { organizationId?: string | null } };
-		}
-	).environment?.project?.organizationId;
+	const organizationId =
+		options.organizationId ??
+		(
+			compose as Compose & {
+				environment?: { project?: { organizationId?: string | null } };
+			}
+		).environment?.project?.organizationId;
 	for (const { domain } of domains) {
 		await assertCaddyDomainCertificateAvailable(
 			serverId,
@@ -123,7 +128,7 @@ export const writeCaddyComposeRouteFragments = async (
 			organizationId,
 		);
 	}
-	const options = { serverId };
+	const routeFragmentOptions = { serverId };
 	const fragmentPrefix = getCaddyComposeFragmentPrefix(compose.appName);
 	const nextFragmentIds = new Set(
 		domains.map(({ domain }) =>
@@ -132,7 +137,7 @@ export const writeCaddyComposeRouteFragments = async (
 	);
 	let changed = false;
 
-	const existingFragments = await readCaddyRouteFragments(options);
+	const existingFragments = await readCaddyRouteFragments(routeFragmentOptions);
 	try {
 		for (const fragment of existingFragments) {
 			if (
@@ -140,7 +145,7 @@ export const writeCaddyComposeRouteFragments = async (
 				fragment.id.startsWith(fragmentPrefix) &&
 				!nextFragmentIds.has(fragment.id)
 			) {
-				await removeCaddyRouteFragment(fragment.id, options);
+				await removeCaddyRouteFragment(fragment.id, routeFragmentOptions);
 				changed = true;
 			}
 		}
@@ -148,7 +153,7 @@ export const writeCaddyComposeRouteFragments = async (
 		for (const { domain, finalServiceName } of domains) {
 			await writeCaddyRouteFragment(
 				createCaddyComposeRouteFragment(compose, domain, finalServiceName),
-				options,
+				routeFragmentOptions,
 			);
 			changed = true;
 		}
@@ -162,7 +167,7 @@ export const writeCaddyComposeRouteFragments = async (
 			...(await getCaddyCompileSettings(serverId)),
 		});
 	} catch (error) {
-		await restoreCaddyRouteFragments(existingFragments, options);
+		await restoreCaddyRouteFragments(existingFragments, routeFragmentOptions);
 		throw error;
 	}
 };
diff --git a/packages/server/src/utils/docker/domain.ts b/packages/server/src/utils/docker/domain.ts
index cc2b5e6dd3..79cbfe3637 100644
--- a/packages/server/src/utils/docker/domain.ts
+++ b/packages/server/src/utils/docker/domain.ts
@@ -260,8 +260,11 @@ export const getCaddyComposeRouteTargetsForWebServer = async (
 export const writeCaddyComposeRoutesForTargets = async (
 	compose: Compose,
 	caddyRouteTargets: CaddyComposeRouteTarget[],
+	options: {
+		organizationId?: string | null;
+	} = {},
 ) => {
-	await writeCaddyComposeRouteFragments(compose, caddyRouteTargets);
+	await writeCaddyComposeRouteFragments(compose, caddyRouteTargets, options);
 };
 
 export const addDomainToComposeForWebServer = async (

From 7baf056e0b6a762f3fc9d2fd9ca712505732f332 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 06:01:10 -0400
Subject: [PATCH 35/37] fix: resync caddy dashboard after concurrent reload
 failure

---
 .../caddy/compose-domain-call-sites.test.ts   | 19 +++++++++++++++++++
 apps/dokploy/__test__/caddy/config.test.ts    | 11 +++++++++--
 packages/server/src/utils/caddy/web-server.ts |  9 +++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts b/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
index 34fc5255a7..b6f4f98647 100644
--- a/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
+++ b/apps/dokploy/__test__/caddy/compose-domain-call-sites.test.ts
@@ -46,4 +46,23 @@ describe("compose domain creation call-site contract", () => {
 		expect(source).toContain("ctx.session.activeOrganizationId");
 		expectNoRawComposeCreateDomain(source);
 	});
+
+	test("keeps compose deploy route refreshes tied to eagerly loaded project org context", () => {
+		const source = readSource(
+			"../../../../packages/server/src/services/compose.ts",
+		);
+
+		expect(source).toMatch(
+			/export const findComposeById[\s\S]*environment:\s*{\s*with:\s*{\s*project:\s*true/,
+		);
+
+		const routeRefreshCalls =
+			source.match(/writeCaddyComposeRoutesForTargets\([\s\S]*?\);/g) ?? [];
+		expect(routeRefreshCalls).toHaveLength(2);
+		for (const call of routeRefreshCalls) {
+			expect(call).toContain(
+				"organizationId: compose.environment.project.organizationId",
+			);
+		}
+	});
 });
diff --git a/apps/dokploy/__test__/caddy/config.test.ts b/apps/dokploy/__test__/caddy/config.test.ts
index b6c3fbd93e..96c0659ed5 100644
--- a/apps/dokploy/__test__/caddy/config.test.ts
+++ b/apps/dokploy/__test__/caddy/config.test.ts
@@ -245,10 +245,17 @@ test("does not overwrite a concurrent dashboard fragment update when dashboard r
 		null,
 		2,
 	)}\n`;
+	const concurrentConfig = `${JSON.stringify(
+		compileCaddyConfig({ fragments: [concurrentDashboardFragment] }),
+		null,
+		2,
+	)}\n`;
 	vol.mkdirSync(paths().MAIN_CADDY_PATH, { recursive: true });
 	vol.writeFileSync(paths().CADDY_CONFIG_PATH, previousConfig);
+	let failedInitialValidation = false;
 	execAsyncMock.mockImplementation(async (command: string) => {
-		if (command.includes("caddy validate")) {
+		if (command.includes("caddy validate") && !failedInitialValidation) {
+			failedInitialValidation = true;
 			await writeCaddyRouteFragment(concurrentDashboardFragment);
 			throw new Error("validation failed");
 		}
@@ -263,7 +270,7 @@ test("does not overwrite a concurrent dashboard fragment update when dashboard r
 		concurrentDashboardFragment,
 	]);
 	expect(vol.readFileSync(paths().CADDY_CONFIG_PATH, "utf8")).toBe(
-		previousConfig,
+		concurrentConfig,
 	);
 });
 
diff --git a/packages/server/src/utils/caddy/web-server.ts b/packages/server/src/utils/caddy/web-server.ts
index 22a6857b02..9274d08d85 100644
--- a/packages/server/src/utils/caddy/web-server.ts
+++ b/packages/server/src/utils/caddy/web-server.ts
@@ -85,6 +85,15 @@ export const updateServerCaddy = async (
 			} else {
 				await removeCaddyRouteFragment(DASHBOARD_FRAGMENT_ID);
 			}
+		} else {
+			try {
+				await compileWriteAndReloadCaddyConfigSafely(compileSettings);
+			} catch (resyncError) {
+				if (error instanceof Error) {
+					(error as Error & { resyncError?: unknown }).resyncError =
+						resyncError;
+				}
+			}
 		}
 		throw error;
 	}

From 8d24ce53e7ba88974733a387bc7e940966307824 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 06:42:07 -0400
Subject: [PATCH 36/37] docs: record rebased caddy PR validation

---
 docs/caddy-provider-upstream-readiness.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/docs/caddy-provider-upstream-readiness.md b/docs/caddy-provider-upstream-readiness.md
index 713adecb58..615094f432 100644
--- a/docs/caddy-provider-upstream-readiness.md
+++ b/docs/caddy-provider-upstream-readiness.md
@@ -18,16 +18,19 @@ Observed with `gh pr view 4534 --repo Dokploy/dokploy`:
 
 - State: open
 - Base: `canary`
+- Base SHA: `6a0acd9cad0a00f2ef09a10124d2d40f57e220f6`
 - Head: `codex/caddy-web-server-v0296-clean-pr`
 - Mergeable: mergeable
 - Review decision: review required
-- Visible check: `anti-slop` succeeded
+- Visible checks: none reported immediately after the rebased branch push
 
-Local state observed before this document was added:
+Local state observed after the rebased branch push:
 
 - Repo: local Dokploy checkout
 - Branch: `codex/caddy-web-server-v0296-clean-pr`
-- Working tree: clean except the RepoPrompt export generated during planning, which must not be kept in the PR surface
+- Working tree: clean
+- Upstream base: `upstream/canary`
+- Remote branch: `origin/codex/caddy-web-server-v0296-clean-pr` matched local `HEAD`
 
 ## Readiness Matrix
 
@@ -490,6 +493,11 @@ Expected post-mutation checks:
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/provider-neutral-ui-contract.test.ts __test__/caddy/certificate-guard.test.ts __test__/caddy/compose-domain-call-sites.test.ts __test__/caddy/compose/domain.test.ts __test__/caddy/application/domain-service.test.ts __test__/caddy/domain-router-lifecycle.test.ts` | Passed | 6 files, 37 tests. Covers provider-neutral env UI contracts, custom certificate org-context guards, compose-domain source contracts, compose helper behavior, service-level rollback, and router lifecycle rollback with organization context threaded through refresh calls. |
 | 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 29 files, 193 tests after provider-neutral env-editor and compose certificate org-context hardening. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, compose-domain call-site contracts, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, direct dashboard toggle rejection, and concurrent dashboard-fragment preservation. |
 | 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, `pnpm exec biome check --write --no-errors-on-unmatched --files-ignore-unknown=true <touched files>`, and `git diff --check` | Passed | App/server typechecks, formatter/import checks, and whitespace checks passed after provider-neutral env-editor and compose certificate org-context hardening. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | RepoPrompt review mode over git compare `back:3` before PR push | Complete | Review findings incorporated locally: concurrent dashboard-fragment updates now trigger a second compile/reload from the preserved fragment store, and compose deploy/rebuild route-refresh org context is protected by a source-contract test tied to `findComposeById()` loading `environment.project`. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy/config.test.ts __test__/caddy/compose-domain-call-sites.test.ts` | Passed | 2 files, 30 tests. Covers concurrent dashboard-fragment active-config resync and compose deploy/rebuild route-refresh org-context source contracts. |
+| 2026-06-02 | `pnpm --filter=dokploy test --run __test__/caddy __test__/db/runtime-migration.test.ts` | Passed | 29 files, 194 tests after the final RepoPrompt `back:3` review follow-up. Covers focused Caddy config, setup, request analytics, trusted proxy settings, custom certificates, domain modal source contracts, domain validation, domain lifecycle, compose-domain call-site contracts, preview cleanup, migration prepare/apply/rollback, upstream preflight, runtime migration, active web-server health checks, dashboard local-only/admin-port behavior, dashboard rewrite rollback/settings compensation, provider-aware application web-server config cache invalidation, provider-neutral UI contracts, remote web-server file-system inspection, direct dashboard toggle rejection, concurrent dashboard-fragment preservation, and active-config resync after a concurrent dashboard update. |
+| 2026-06-02 | `pnpm --filter=dokploy typecheck`, `pnpm --filter=@dokploy/server typecheck`, `pnpm exec biome check --no-errors-on-unmatched --files-ignore-unknown=true <PR file set>`, `git diff --check`, and `git merge-tree --write-tree HEAD upstream/canary` | Passed | App/server typechecks, formatter/import checks over 109 recognized PR files, whitespace checks, and clean merge-tree verification passed after rebasing onto `upstream/canary`. Node v26 produced the expected engine warning because the repo wants Node `^24.4.0`. |
+| 2026-06-02 | `git push --force-with-lease origin codex/caddy-web-server-v0296-clean-pr` and `gh pr view 4534 --repo Dokploy/dokploy` | Passed | PR branch updated after rebasing onto current `upstream/canary`; GitHub reported PR `#4534` open, non-draft, mergeable, review required, and no checks reported immediately after push. |
 
 ## Upstream Hygiene Checklist
 

From 6929bbae6ed7dc3a35df29ea8b934251836abb20 Mon Sep 17 00:00:00 2001
From: Mason James <mason@growagainorchids.com>
Date: Tue, 2 Jun 2026 09:42:39 -0400
Subject: [PATCH 37/37] fix: polish caddy web server UI

---
 .../provider-neutral-ui-contract.test.ts      | 29 +++++++++++++++++++
 .../web-server/caddy-migration-panel.tsx      |  4 +--
 .../web-server-provider-selector.tsx          |  4 +--
 .../dokploy/components/shared/code-editor.tsx |  2 +-
 4 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
index ef57d836fd..f7411927c8 100644
--- a/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
+++ b/apps/dokploy/__test__/caddy/provider-neutral-ui-contract.test.ts
@@ -82,4 +82,33 @@ describe("provider-neutral Caddy UI contract", () => {
 			'activeProvider === "caddy" ? "Caddy" : "Traefik"',
 		);
 	});
+
+	test("keeps read-only web-server files scrollable", () => {
+		const editor = readSource("../../components/shared/code-editor.tsx");
+		const fileEditor = readSource(
+			"../../components/dashboard/file-system/show-traefik-file.tsx",
+		);
+
+		expect(editor).toContain("pointer-events-none absolute");
+		expect(fileEditor).toContain(
+			'activeProvider === "caddy" ? "json" : "yaml"',
+		);
+		expect(fileEditor).toContain("disabled={!isTraefik || canEdit}");
+	});
+
+	test("keeps Caddy web-server settings cards padded", () => {
+		const providerSelector = readSource(
+			"../../components/dashboard/settings/web-server/web-server-provider-selector.tsx",
+		);
+		const migrationPanel = readSource(
+			"../../components/dashboard/settings/web-server/caddy-migration-panel.tsx",
+		);
+
+		expect(providerSelector).toContain('CardHeader className="pb-3"');
+		expect(providerSelector).toContain('CardContent className="space-y-3"');
+		expect(migrationPanel).toContain('CardHeader className="pb-3"');
+		expect(migrationPanel).toContain('CardContent className="space-y-4"');
+		expect(providerSelector).not.toContain('CardHeader className="px-0 pt-0"');
+		expect(migrationPanel).not.toContain('CardHeader className="px-0"');
+	});
 });
diff --git a/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
index 38467859b5..a788b01d9e 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/caddy-migration-panel.tsx
@@ -112,7 +112,7 @@ export const CaddyMigrationPanel = ({ serverId }: Props) => {
 
 	return (
 		<Card className="bg-transparent">
-			<CardHeader className="px-0">
+			<CardHeader className="pb-3">
 				<div className="flex flex-col gap-2 sm:flex-row sm:items-start sm:justify-between">
 					<div>
 						<CardTitle className="text-base">Caddy migration</CardTitle>
@@ -131,7 +131,7 @@ export const CaddyMigrationPanel = ({ serverId }: Props) => {
 					</Button>
 				</div>
 			</CardHeader>
-			<CardContent className="px-0 pb-0 space-y-4">
+			<CardContent className="space-y-4">
 				{activeProvider === "caddy" && (
 					<AlertBlock type="success">
 						Caddy is already the active provider. Dry runs are still useful for
diff --git a/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx b/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
index 7bf3713e3e..539f69cbc5 100644
--- a/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
+++ b/apps/dokploy/components/dashboard/settings/web-server/web-server-provider-selector.tsx
@@ -61,14 +61,14 @@ export const WebServerProviderSelector = ({ serverId }: Props) => {
 
 	return (
 		<Card className="bg-transparent">
-			<CardHeader className="px-0 pt-0">
+			<CardHeader className="pb-3">
 				<CardTitle className="text-base">Active provider</CardTitle>
 				<CardDescription>
 					Review the active web server Dokploy uses for provider-aware reload,
 					configuration, and new domain changes.
 				</CardDescription>
 			</CardHeader>
-			<CardContent className="px-0 pb-0 space-y-3">
+			<CardContent className="space-y-3">
 				<Select
 					disabled={isLoading || isPending}
 					value={activeProvider ?? "traefik"}
diff --git a/apps/dokploy/components/shared/code-editor.tsx b/apps/dokploy/components/shared/code-editor.tsx
index 3f07fa8b39..bfc9f2a31b 100644
--- a/apps/dokploy/components/shared/code-editor.tsx
+++ b/apps/dokploy/components/shared/code-editor.tsx
@@ -190,7 +190,7 @@ export const CodeEditor = ({
 				)}
 			>
 				{props.disabled && (
-					<div className="absolute top-0 rounded-md left-0 w-full h-full  flex items-center justify-center z-[10] [background:var(--overlay)] h-full" />
+					<div className="pointer-events-none absolute left-0 top-0 z-[10] flex h-full w-full items-center justify-center rounded-md [background:var(--overlay)]" />
 				)}
 			</CodeMirror>
 		</div>