bump rust to 1.93.0

deploy 2.0.0-dev-114
check update available against all digests for image
2026-03-12 10:33:16 -05:00 · 2026-01-27 13:42:20 -08:00 · 2026-01-27 12:58:57 -08:00 · 2026-01-27 12:58:32 -08:00 · 2026-01-25 12:36:40 -08:00 · 2026-01-25 11:26:17 -08:00
847 changed files with 151781 additions and 62911 deletions
--- a/.devcontainer/dev.compose.yaml
+++ b/.devcontainer/dev.compose.yaml
@@ -0,0 +1,33 @@
+services:
+  dev:
+    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    volumes:
+      # Mount the root folder that contains .git
+      - ../:/workspace:cached
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /proc:/proc
+      - repos:/etc/komodo/repos
+      - stacks:/etc/komodo/stacks
+    command: sleep infinity
+    ports:
+      - "9121:9121"
+    environment:
+      KOMODO_FIRST_SERVER: http://localhost:8120
+      KOMODO_DATABASE_ADDRESS: db
+      KOMODO_ENABLE_NEW_USERS: true
+      KOMODO_LOCAL_AUTH: true
+      KOMODO_JWT_SECRET: a_random_secret
+    links:
+      - db
+    # ...
+
+  db:
+    extends:
+      file: ../dev.compose.yaml
+      service: ferretdb
+
+volumes:
+  data:
+  repo-cache:
+  repos:
+  stacks:
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,46 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Komodo",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	//"image": "mcr.microsoft.com/devcontainers/rust:1-1-bullseye",
+	"dockerComposeFile": ["dev.compose.yaml"],
+	"workspaceFolder": "/workspace",
+  	"service": "dev",
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	"features": {
+		"ghcr.io/devcontainers/features/node:1": {
+			"version": "20.12.2"
+		},
+		"ghcr.io/devcontainers-community/features/deno:1": {
+
+		}
+	},
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	"mounts": [
+		{
+			"source": "devcontainer-cargo-cache-${devcontainerId}",
+			"target": "/usr/local/cargo",
+			"type": "volume"
+		}
+	],
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	"forwardPorts": [
+		9121
+	],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	"postCreateCommand": "./.devcontainer/postCreate.sh",
+
+	"runServices": [
+		"db"
+	]
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}
--- a/.devcontainer/postCreate.sh
+++ b/.devcontainer/postCreate.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+cargo install typeshare-cli
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,14 +0,0 @@
-/target
-readme.md
-typeshare.toml
-LICENSE
-*.code-workspace
-
-*/node_modules
-*/dist
-
-creds.toml
-.core-repos
-.repos
-.stacks
-.ssl
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+open_collective: komodo
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,123 @@
+# Komodo AI Coding Instructions
+
+## Project Overview
+Komodo is a distributed system for building and deploying software across multiple servers. It consists of:
+- **Core** (`bin/core`): Central Rust/Axum API server managing resources, scheduling, monitoring
+- **Periphery** (`bin/periphery`): Rust agent deployed to managed servers, executes docker/git operations
+- **Frontend** (`frontend`): React/TypeScript SPA using TanStack Query and shadcn/ui components
+- **Client Libraries** (`client/core/{rs,ts}`): Type-safe API clients generated from shared entity definitions
+
+## Architecture Fundamentals
+
+### Core ↔ Periphery Communication
+- Core and Periphery communicate via **WebSocket connections** that can be initiated from either direction
+- Periphery can connect outbound to Core (common) or Core can connect inbound to Periphery (less common)
+- Connection management is in `bin/core/src/connection` and `bin/periphery/src/connection`
+- Use `state::periphery_connections()` in Core to send requests to Periphery agents
+
+### Type Generation Pipeline
+**Critical**: Rust entities are the source of truth for all types across the stack:
+1. Entities defined in `client/core/rs/src/entities/` with `#[typeshare]` macro
+2. Run `node ./client/core/ts/generate_types.mjs` (uses typeshare CLI) → generates `client/core/ts/src/types.ts`
+3. TypeScript client is built and linked to frontend via `yarn link komodo_client`
+4. Frontend imports types: `import { Types } from "komodo_client"`
+
+**When modifying entities**: Always run the `gen-client` (alias: `gc`) runfile task to regenerate TypeScript types.
+
+### API Pattern (Resolver-Based)
+Core and Periphery use `mogh_resolver::Resolve` trait for RPC-style endpoints:
+- Request enums in `client/*/rs/src/api/` implement `Resolve<Response = T, Error = E>`
+- Core handlers in `bin/core/src/api/{read,write,execute}/*.rs`
+- Periphery handlers in `bin/periphery/src/api/*.rs`
+- Router maps `/{variant}` paths to enum variants automatically
+
+Example request handling:
+```rust
+#[derive(Serialize, Deserialize, Resolve)]
+#[response(MyResponse)]
+#[error(anyhow::Error)]
+pub struct MyRequest { /* fields */ }
+```
+
+### State Management
+Core maintains singleton state via `OnceLock` patterns in `bin/core/src/state.rs`:
+- `db_client()`: MongoDB connection
+- `periphery_connections()`: WebSocket connections to Periphery agents
+- `action_states()`, `build_states()`, etc.: In-memory caches using `CloneCache<K, V>`
+- Always use `state::*()` accessors, never instantiate directly
+
+## Development Workflows
+
+### Running Services Locally
+```bash
+# Start all local services (MongoDB, Core, Periphery, Frontend)
+run dc  # dev-core: runs Core in release mode with .dev/core.config.toml
+run dp  # dev-periphery: runs Periphery with .dev/periphery.config.toml
+
+# Or use docker-compose for full stack
+run dev-compose  # deploys dev.compose.yaml with ferretdb
+```
+
+### Frontend Development
+```bash
+cd frontend && yarn dev  # Vite dev server on port 5173
+
+# After changing Rust entities, regenerate client:
+run gc  # gen-client: typeshare → build TS client → copy to frontend/public/client
+```
+
+### Building & Deploying
+- Deno scripts in `action/` automate version bumps and deployments
+- `run dk` (deploy-komodo): Full build and deploy via Komodo Action
+- `run bk` (build-komodo): Build binaries without deploying
+
+## Code Conventions
+
+### Error Handling
+- Use `anyhow::Result<T>` for application code
+- Use `serror` for serializable errors sent over API boundaries
+- Response helper: `response::Response::from(value)` for JSON responses
+- Never use `unwrap()` in production code paths; prefer `context()` for error messages
+
+### Naming & Structure
+- **Entities**: CamelCase structs in `client/core/rs/src/entities/*/mod.rs`
+- **API requests**: CamelCase request types in `client/core/rs/src/api/*.rs`
+- **Config derivations**: Use `derive_builder::Builder` for config update structs
+- **Variants**: `derive_variants::EnumVariants` generates `TypeVariant` enums for discriminants
+
+### Frontend Patterns
+- **API hooks**: `useRead("GetStack", { stack: "my-stack" })` for queries
+- **Mutations**: `useWrite("UpdateStack", { onSuccess: () => invalidate(...) })`
+- **Components**: Located in `frontend/src/components/`, use shadcn/ui primitives from `@ui/*`
+- **State**: Prefer TanStack Query for server state, Jotai atoms for local UI state
+
+## Key Files & Directories
+
+### Must-Read for Context
+- [readme.md](readme.md): Project overview and deployment info
+- [runfile.toml](runfile.toml): All development task definitions
+- [bin/core/src/state.rs](bin/core/src/state.rs): Core's global state singletons
+- [client/core/rs/src/entities/mod.rs](client/core/rs/src/entities/mod.rs): All entity definitions
+
+### Common Touch Points
+- **Adding new resource type**: Update entities, Core API handlers, Frontend pages/components
+- **Changing API**: Modify request/response types in `client/core/rs/src/api/`, regenerate client
+- **Frontend features**: Usually start in `frontend/src/pages/`, add hooks in `frontend/src/lib/hooks/`
+- **Periphery capabilities**: Add to `periphery_client::api` enum and implement handler in `bin/periphery/src/api/`
+
+## Configuration
+- Core config: `config/core.config.toml` (see `client/core/rs/src/entities/config/core.rs` for schema)
+- Periphery config: `config/periphery.config.toml`
+- Environment variable pattern: Settings support `_FILE` suffix for Docker secrets (see `lib/environment_file`)
+
+## Testing & Validation
+- No comprehensive test suite currently
+- Validate changes by running locally with `run dc` / `run dp`
+- Check Core logs for startup errors (connection to DB, Periphery agents)
+- Frontend errors appear in browser console and TanStack Query devtools
+
+## Common Pitfalls
+- **Forgetting to regenerate TS types** after Rust entity changes → frontend type errors
+- **Not using `state::*()` accessors** → panics from uninitialized `OnceLock`
+- **Breaking WebSocket message format** between Core/Periphery → connection failures
+- **Yarn link issues**: If frontend can't find `komodo_client`, re-run `run link-client`
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,9 @@
 target
-/frontend/build
-/lib/ts_client/build
 node_modules
 dist
+deno.lock
 .env
 .env.development
 .DS_Store
-
-creds.toml
-.komodo
+.idea
+.dev
--- a/.kminclude
+++ b/.kminclude
@@ -0,0 +1 @@
+.dev
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,8 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "vadimcn.vscode-lldb",
+        "denoland.vscode-deno"
+    ]
+}
--- a/.vscode/resolver.code-snippets
+++ b/.vscode/resolver.code-snippets
@@ -3,8 +3,8 @@
 		"scope": "rust",
 		"prefix": "resolve",
 		"body": [
-			"impl Resolve<${1}, User> for State {",
-			"\tasync fn resolve(&self, ${1} { ${0} }: ${1}, _: User) -> anyhow::Result<${2}> {",
+			"impl Resolve<${0}> for ${1} {",
+			"\tasync fn resolve(self, _: &${0}) -> Result<Self::Response, Self::Error> {",
 			"\t\ttodo!()",
 			"\t}",
 			"}"
@@ -15,9 +15,9 @@
 		"prefix": "static",
 		"body": [
 			"fn ${1}() -> &'static ${2} {",
-			"\tstatic ${3}: OnceLock<${2}> = OnceLock::new();",
-			"\t${3}.get_or_init(|| {",
-			"\t\t${0}",
+			"\tstatic ${0}: OnceLock<${2}> = OnceLock::new();",
+			"\t${0}.get_or_init(|| {",
+			"\t\ttodo!()",
 			"\t})",
 			"}"
 		]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,179 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Run Core",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Core",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_core",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.core.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Periphery",
+            "command": "cargo",
+            "args": [
+                "run",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build Periphery",
+            "command": "cargo",
+            "args": [
+                "build",
+                "-p",
+                "komodo_periphery",
+                "--release"
+            ],
+            "options": {
+                "cwd": "${workspaceFolder}",
+                "env": {
+                    "KOMODO_CONFIG_PATH": "test.periphery.config.toml"
+                }
+            },
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Run Backend",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery"
+            ],
+            "problemMatcher": [
+                "$rustc"
+            ]
+        },
+        {
+            "label": "Build TS Client Types",
+            "type": "process",
+            "command": "node",
+            "args": [
+                "./client/core/ts/generate_types.mjs"
+            ],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init TS Client",
+            "type": "shell",
+            "command": "yarn && yarn build && yarn link",
+            "options": {
+                "cwd": "${workspaceFolder}/client/core/ts",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend Client",
+            "type": "shell",
+            "command": "yarn link komodo_client && yarn install",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Init Frontend",
+            "dependsOn": [
+                "Build TS Client Types",
+                "Init TS Client",
+                "Init Frontend Client"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Build Frontend",
+            "type": "shell",
+            "command": "yarn build",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "problemMatcher": []
+        },
+        {
+            "label": "Prepare Frontend For Run",
+            "type": "shell",
+            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "options": {
+                "cwd": "${workspaceFolder}",
+            },
+            "dependsOn": [
+                "Build TS Client Types",
+                "Build Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Frontend",
+            "type": "shell",
+            "command": "yarn dev",
+            "options": {
+                "cwd": "${workspaceFolder}/frontend",
+            },
+            "dependsOn": ["Prepare Frontend For Run"],
+            "problemMatcher": []
+        },
+        {
+            "label": "Init",
+            "dependsOn": [
+                "Build Backend",
+                "Init Frontend"
+            ],
+            "dependsOrder": "sequence",
+            "problemMatcher": []
+        },
+        {
+            "label": "Run Komodo",
+            "dependsOn": [
+                "Run Core",
+                "Run Periphery",
+                "Run Frontend"
+            ],
+            "problemMatcher": []
+        },
+    ]
+  }
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,111 +1,138 @@
 [workspace]
 resolver = "2"
-members = ["bin/*", "lib/*", "client/core/rs", "client/periphery/rs"]
+members = [
+	"bin/*",
+	"lib/*",
+	"client/core/rs",
+	"client/periphery/rs",
+]

 [workspace.package]
-version = "1.15.7"
-edition = "2021"
+version = "2.0.0-dev-114"
+edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
-repository = "https://github.com/mbecker20/komodo"
+repository = "https://github.com/moghtech/komodo"
 homepage = "https://komo.do"

-[patch.crates-io]
-# komodo_client = { path = "client/core/rs" }
+[profile.release]
+strip = "debuginfo"

 [workspace.dependencies]
 # LOCAL
-# komodo_client = "1.15.6"
 komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
-environment_file = { path = "lib/environment_file" }
+environment = { path = "lib/environment" }
+interpolate = { path = "lib/interpolate" }
 formatting = { path = "lib/formatting" }
+transport = { path = "lib/transport" }
+database = { path = "lib/database" }
+encoding = { path = "lib/encoding" }
 command = { path = "lib/command" }
-logger = { path = "lib/logger" }
 git = { path = "lib/git" }

 # MOGH
-run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.4.6", default-features = false }
-slack = { version = "0.2.0", package = "slack_client_rs" }
+slack = { version = "2.0.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+mogh_error = { version = "1.0.3", default-features = false }
 derive_default_builder = "0.1.8"
-derive_empty_traits = "0.1.0"
-merge_config_files = "0.1.5"
-async_timing_util = "1.0.0"
-partial_derive2 = "0.4.3"
-derive_variants = "1.0.0"
-mongo_indexed = "2.0.1"
-resolver_api = "1.1.1"
-toml_pretty = "1.1.2"
-mungos = "1.1.0"
-svi = "1.0.1"
+async_timing_util = "1.1.0"
+mogh_auth_client = "1.2.1"
+mogh_auth_server = "1.2.4"
+mogh_secret_file = "1.0.0"
+mogh_validations = "1.0.0"
+mogh_rate_limit = "1.0.0"
+partial_derive2 = "0.4.5"
+mongo_indexed = "2.0.2"
+mogh_resolver = "1.0.0"
+mogh_config = "1.0.1"
+mogh_logger = "1.3.0"
+mogh_server = "1.3.0"
+toml_pretty = "2.0.0"
+mogh_cache = "1.1.1"
+mogh_pki = "1.1.0"
+mungos = "3.2.2"
+svi = "1.2.0"

 # ASYNC
-reqwest = { version = "0.12.8", features = ["json"] }
-tokio = { version = "1.38.1", features = ["full"] }
-tokio-util = "0.7.12"
-futures = "0.3.31"
+reqwest = { version = "0.13.1", default-features = false, features = ["json", "stream", "form", "query", "rustls"] }
+tokio = { version = "1.49.0", features = ["full"] }
+tokio-util = { version = "0.7.18", features = ["io", "codec"] }
+tokio-stream = { version = "0.1.18", features = ["sync"] }
+pin-project-lite = "0.2.16"
 futures-util = "0.3.31"
+arc-swap = "1.8.0"

 # SERVER
-axum-extra = { version = "0.9.4", features = ["typed-header"] }
-tower-http = { version = "0.6.1", features = ["fs", "cors"] }
-axum-server = { version = "0.7.1", features = ["tls-openssl"] }
-axum = { version = "0.7.7", features = ["ws", "json"] }
-tokio-tungstenite = "0.24.0"
+tokio-tungstenite = { version = "0.28.0", features = ["rustls-tls-native-roots"] }
+axum = { version = "0.8.8", features = ["ws", "json", "macros"] }
+axum-extra = { version = "0.12.5", features = ["typed-header"] }
+
+# OPENAPI
+utoipa-scalar = { version = "0.3.0", features = ["axum"] }
+utoipa = "5.4.0"

 # SER/DE
-ordered_hash_map = { version = "0.4.0", features = ["serde"] }
-serde = { version = "1.0.210", features = ["derive"] }
-strum = { version = "0.26.3", features = ["derive"] }
-serde_json = "1.0.128"
-serde_yaml = "0.9.34"
-toml = "0.8.19"
+ipnetwork = { version = "0.21.1", features = ["serde"] }
+indexmap = { version = "2.13.0", features = ["serde"] }
+serde = { version = "1.0.227", features = ["derive"] }
+strum = { version = "0.27.2", features = ["derive"] }
+bson = { version = "2.15.0" } # must keep in sync with mongodb version
+toml = "0.9.11"
+serde_yaml_ng = "0.10.0"
+serde_json = "1.0.148"
+serde_qs = "0.15.0"
+url = "2.5.7"

 # ERROR
-anyhow = "1.0.89"
-thiserror = "1.0.64"
+anyhow = "1.0.100"
+thiserror = "2.0.18"

 # LOGGING
-opentelemetry_sdk = { version = "0.25.0", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.18", features = ["json"] }
-opentelemetry-semantic-conventions = "0.25.0"
-tracing-opentelemetry = "0.26.0"
-opentelemetry-otlp = "0.25.0"
-opentelemetry = "0.25.0"
-tracing = "0.1.40"
+tracing = "0.1.44"

 # CONFIG
-clap = { version = "4.5.20", features = ["derive"] }
+clap = { version = "4.5.54", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"

 # CRYPTO / AUTH
-uuid = { version = "1.10.0", features = ["v4", "fast-rng", "serde"] }
-openidconnect = "3.5.0"
+uuid = { version = "1.19.0", features = ["v4", "fast-rng", "serde"] }
+rustls = { version = "0.23.36", features = ["aws-lc-rs"] }
+data-encoding = "2.9.0"
 urlencoding = "2.1.3"
-nom_pem = "4.0.0"
-bcrypt = "0.15.1"
-base64 = "0.22.1"
+bcrypt = "0.18.0"
 hmac = "0.12.1"
-sha2 = "0.10.8"
-rand = "0.8.5"
-jwt = "0.16.0"
+sha1 = "0.10.6"
+sha2 = "0.10.9"
+rand = "0.9.2"
 hex = "0.4.3"

 # SYSTEM
-bollard = "0.17.1"
-sysinfo = "0.32.0"
+hickory-resolver = "0.25.2"
+portable-pty = "0.9.0"
+shell-escape = "0.1.5"
+crossterm = "0.29.0"
+bollard = "0.20.0"
+sysinfo = "0.37.1"
+shlex = "1.3.0"

 # CLOUD
-aws-config = "1.5.8"
-aws-sdk-ec2 = "1.77.0"
+aws-config = "1.8.12"
+aws-sdk-ec2 = "1.200.0"
+aws-credential-types = "1.2.11"
+
+## CRON
+english-to-cron = "0.1.7"
+chrono-tz = "0.10.4"
+chrono = "0.4.43"
+croner = "3.0.1"

 # MISC
+async-compression = { version = "0.4.37", features = ["tokio", "gzip"] }
 derive_builder = "0.20.2"
-typeshare = "1.0.3"
-octorust = "0.7.0"
-dashmap = "6.1.0"
-colored = "2.1.0"
-regex = "1.11.0"
-bson = "2.13.0"
+comfy-table = "7.2.2"
+typeshare = "1.0.5"
+wildcard = "0.3.0"
+colored = "3.0.0"
+bytes = "1.11.0"
+regex = "1.12.2"
--- a/action/build.ts
+++ b/action/build.ts
@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("build-komodo");
--- a/action/deno.json
+++ b/action/deno.json
@@ -0,0 +1,5 @@
+{
+  "imports": {
+    "@std/toml": "jsr:@std/toml"
+  }
+}
--- a/action/deploy-fe.ts
+++ b/action/deploy-fe.ts
@@ -0,0 +1,4 @@
+const cmd = "km run -y action deploy-komodo-fe-change";
+new Deno.Command("bash", {
+  args: ["-c", cmd],
+}).spawn();
--- a/action/deploy.ts
+++ b/action/deploy.ts
@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("deploy-komodo");
--- a/action/run.ts
+++ b/action/run.ts
@@ -0,0 +1,52 @@
+import * as TOML from "@std/toml";
+
+export const run = async (action: string) => {
+  const branch = await new Deno.Command("bash", {
+    args: ["-c", "git rev-parse --abbrev-ref HEAD"],
+  })
+    .output()
+    .then((r) => new TextDecoder("utf-8").decode(r.stdout).trim());
+
+  const cargo_toml_str = await Deno.readTextFile("Cargo.toml");
+  const prev_version = (
+    TOML.parse(cargo_toml_str) as {
+      workspace: { package: { version: string } };
+    }
+  ).workspace.package.version;
+
+  const [version, tag, count] = prev_version.split("-");
+  const next_count = Number(count) + 1;
+
+  const next_version = `${version}-${tag}-${next_count}`;
+
+  await Deno.writeTextFile(
+    "Cargo.toml",
+    cargo_toml_str.replace(
+      `version = "${prev_version}"`,
+      `version = "${next_version}"`
+    )
+  );
+
+  // Cargo check first here to make sure lock file is updated before commit.
+  const cmd = `
+cargo check
+echo ""
+
+git add --all
+git commit --all --message "deploy ${version}-${tag}-${next_count}"
+
+echo ""
+git push
+echo ""
+
+km run -y action ${action} "KOMODO_BRANCH=${branch}&KOMODO_VERSION=${version}&KOMODO_TAG=${tag}-${next_count}"
+`
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0 && !line.startsWith("//"))
+    .join(" && ");
+
+  new Deno.Command("bash", {
+    args: ["-c", cmd],
+  }).spawn();
+};
--- a/bin/binaries.Dockerfile
+++ b/bin/binaries.Dockerfile
@@ -0,0 +1,32 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture. Requires OpenSSL 3 or later.
+
+FROM rust:1.93.0-bookworm AS builder
+RUN cargo install cargo-strip
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/periphery ./bin/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN \
+  cargo build -p komodo_core --release && \
+  cargo build -p komodo_periphery --release && \
+  cargo build -p komodo_cli --release && \
+  cargo strip
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/chef.binaries.Dockerfile
+++ b/bin/chef.binaries.Dockerfile
@@ -0,0 +1,36 @@
+## Builds the Komodo Core, Periphery, and Util binaries
+## for a specific architecture. Requires OpenSSL 3 or later.
+
+## Uses chef for dependency caching to help speed up back-to-back builds.
+
+FROM lukemathwalker/cargo-chef:latest-rust-1.90.0-bookworm AS chef
+WORKDIR /builder
+
+# Plan just the RECIPE to see if things have changed
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM chef AS builder
+RUN cargo install cargo-strip
+COPY --from=planner /builder/recipe.json recipe.json
+# Build JUST dependencies - cached layer
+RUN cargo chef cook --release --recipe-path recipe.json
+# NOW copy again (this time into builder) and build app
+COPY . .
+RUN \
+  cargo build --release --bin core && \
+  cargo build --release --bin periphery && \
+  cargo build --release --bin km && \
+  cargo strip
+
+# Copy just the binaries to scratch image
+FROM scratch
+
+COPY --from=builder /builder/target/release/core /core
+COPY --from=builder /builder/target/release/periphery /periphery
+COPY --from=builder /builder/target/release/km /km
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Binaries"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/Cargo.toml
+++ b/bin/cli/Cargo.toml
@@ -1,29 +1,39 @@
 [package]
 name = "komodo_cli"
-description = "Command line tool to execute Komodo actions"
+description = "Command line tool for Komodo"
 version.workspace = true
 edition.workspace = true
 authors.workspace = true
 license.workspace = true
-homepage.workspace = true
 repository.workspace = true
+homepage.workspace = true

 [[bin]]
-name = "komodo"
+name = "km"
 path = "src/main.rs"

-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 # local
-komodo_client.workspace = true
+komodo_client = { workspace = true, features = ["cli"] }
+mogh_secret_file.workspace = true
+mogh_pki.workspace = true
+database.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
 # external
-tracing-subscriber.workspace = true
-merge_config_files.workspace = true
-futures.workspace = true
+futures-util.workspace = true
+comfy-table.workspace = true
+tokio-util.workspace = true
+serde_json.workspace = true
+crossterm.workspace = true
+serde_qs.workspace = true
+wildcard.workspace = true
 tracing.workspace = true
 colored.workspace = true
+dotenvy.workspace = true
 anyhow.workspace = true
+chrono.workspace = true
 tokio.workspace = true
 serde.workspace = true
 clap.workspace = true
+envy.workspace = true
--- a/bin/cli/aio.Dockerfile
+++ b/bin/cli/aio.Dockerfile
@@ -0,0 +1,25 @@
+FROM rust:1.93.0-bullseye AS builder
+RUN cargo install cargo-strip
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/cli ./bin/cli
+
+# Compile bin
+RUN cargo build -p komodo_cli --release && cargo strip
+
+# Copy binaries to distroless base
+FROM gcr.io/distroless/cc
+
+COPY --from=builder /builder/target/release/km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/docs/copy-database.md
+++ b/bin/cli/docs/copy-database.md
@@ -0,0 +1,135 @@
+# Copy Database Utility
+
+Copy the Komodo database contents between running, mongo-compatible databases.
+Can be used to move between MongoDB / FerretDB, or upgrade from FerretDB v1 to v2.
+
+```yaml
+services:
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@source:27017
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@target:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+```
+
+## FerretDB v2 Update Guide
+
+Up to Komodo 1.17.5, users who wanted to use Postgres / Sqlite were instructed to deploy FerretDB v1.
+Now that v2 is out however, v1 will go largely unsupported. Users are recommended to migrate to v2 for
+the best performance and ongoing support / updates, however the internal data structures
+have changed and this cannot be done in-place. 
+
+Also note that FerretDB v2 no longer supports Sqlite, and only supports 
+a [customized Postgres distribution](https://docs.ferretdb.io/installation/documentdb/docker/).
+Nonetheless, it remains a solid option for hosts which [do not support mongo](https://github.com/moghtech/komodo/issues/59).
+
+Also note, the same basic process outlined below can also be used to move between MongoDB and FerretDB, just replace FerretDB v2
+with the database you wish to move to.
+
+### **Step 1**: *Add* the new database to the top of your existing Komodo compose file.
+
+**Don't forget to also add the new volumes.**
+
+```yaml
+## In Komodo compose.yaml
+services:
+  postgres2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/documentdb/pkgs/container/postgres-documentdb
+    image: ghcr.io/ferretdb/postgres-documentdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    # ports:
+    #   - 5432:5432
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: ${KOMODO_DB_USERNAME}
+      POSTGRES_PASSWORD: ${KOMODO_DB_PASSWORD}
+      POSTGRES_DB: postgres # Do not change
+
+  ferretdb2:
+    # Recommended: Pin to a specific version
+    # https://github.com/FerretDB/FerretDB/pkgs/container/ferretdb
+    image: ghcr.io/ferretdb/ferretdb
+    labels:
+      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
+    restart: unless-stopped
+    depends_on:
+      - postgres2
+    # ports:
+    #   - 27017:27017
+    volumes:
+      - ferretdb-state:/state
+    environment:
+      FERRETDB_POSTGRESQL_URL: postgres://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@postgres2:5432/postgres
+
+  ...(unchanged)
+
+volumes:
+  ...(unchanged)
+  postgres-data:
+  ferretdb-state:
+```
+
+### **Step 2**: *Add* the database copy utility to Komodo compose file.
+
+The SOURCE_URI points to the existing database, ie the old FerretDB v1, and it depends
+on whether it was deployed using Postgres or Sqlite. The example below uses the Postgres one,
+but if you use Sqlite it should just be something like `mongodb://ferretdb:27017`.
+
+```yaml
+## In Komodo compose.yaml
+services:
+  ...(new database)
+
+  copy_database:
+    image: ghcr.io/moghtech/komodo-cli
+    command: km database copy -y
+    environment:
+      KOMODO_DATABASE_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb:27017/${KOMODO_DATABASE_DB_NAME:-komodo}?authMechanism=PLAIN
+      KOMODO_DATABASE_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+      KOMODO_CLI_DATABASE_TARGET_URI: mongodb://${KOMODO_DB_USERNAME}:${KOMODO_DB_PASSWORD}@ferretdb2:27017
+      KOMODO_CLI_DATABASE_TARGET_DB_NAME: ${KOMODO_DATABASE_DB_NAME:-komodo}
+
+  ...(unchanged)
+```
+
+### **Step 3**: *Compose Up* the new additions
+
+Run `docker compose -p komodo --env-file compose.env -f xxxxx.compose.yaml up -d`, filling in the name of your compose.yaml.
+This will start up both the old and new database, and copy the data to the new one.
+
+Wait a few moments for the `copy_database` service to finish. When it exits,
+confirm the logs show the data was moved successfully, and move on to the next step.
+
+### **Step 4**: Point Komodo Core to the new database
+
+In your Komodo compose.yaml, first *comment out* the `copy_database` service and old ferretdb v1 service/s.
+Then update the `core` service environment to point to `ferretdb2`.
+
+```yaml
+services:
+  ...
+
+  core:
+    ...(unchanged)
+    environment:
+      KOMODO_DATABASE_ADDRESS: ferretdb2:27017
+      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
+      KOMODO_DATABASE_PASSWORD: ${KOMODO_DB_PASSWORD}
+```
+
+### **Step 5**: Final *Compose Up*
+
+Repeat the same `docker compose` command as before to apply the changes, and then try navigating to your Komodo web page.
+If it works, congrats, **you are done**. You can clean up the compose file if you would like, removing the old volumes etc.
+
+If it does not work, check the logs for any obvious issues, and if necessary you can undo the previous steps
+to go back to using the previous database.
--- a/bin/cli/multi-arch.Dockerfile
+++ b/bin/cli/multi-arch.Dockerfile
@@ -0,0 +1,29 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+
+FROM debian:bullseye-slim
+
+WORKDIR /app
+
+## Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /km /app/arch/linux/amd64
+COPY --from=aarch64 /km /app/arch/linux/arm64
+
+ARG TARGETPLATFORM
+RUN mv /app/arch/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/arch
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/runfile.toml
+++ b/bin/cli/runfile.toml
@@ -0,0 +1,4 @@
+[install-cli]
+alias = "ic"
+description = "installs the komodo-cli, available on the command line as 'km'"
+cmd = "cargo install --path ."
--- a/bin/cli/single-arch.Dockerfile
+++ b/bin/cli/single-arch.Dockerfile
@@ -0,0 +1,18 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+FROM gcr.io/distroless/cc
+
+COPY --from=binaries /km /usr/local/bin/km
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+
+CMD [ "km" ]
+
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo CLI"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/src/args.rs
+++ b/bin/cli/src/args.rs
@@ -1,55 +0,0 @@
-use clap::{Parser, Subcommand};
-use komodo_client::api::execute::Execution;
-use serde::Deserialize;
-
-#[derive(Parser, Debug)]
-#[command(version, about, long_about = None)]
-pub struct CliArgs {
-  /// Sync or Exec
-  #[command(subcommand)]
-  pub command: Command,
-
-  /// The path to a creds file.
-  ///
-  /// Note: If each of `url`, `key` and `secret` are passed,
-  /// no file is required at this path.
-  #[arg(long, default_value_t = default_creds())]
-  pub creds: String,
-
-  /// Pass url in args instead of creds file
-  #[arg(long)]
-  pub url: Option<String>,
-  /// Pass api key in args instead of creds file
-  #[arg(long)]
-  pub key: Option<String>,
-  /// Pass api secret in args instead of creds file
-  #[arg(long)]
-  pub secret: Option<String>,
-
-  /// Always continue on user confirmation prompts.
-  #[arg(long, short, default_value_t = false)]
-  pub yes: bool,
-}
-
-fn default_creds() -> String {
-  let home =
-    std::env::var("HOME").unwrap_or_else(|_| String::from("/root"));
-  format!("{home}/.config/komodo/creds.toml")
-}
-
-#[derive(Debug, Clone, Subcommand)]
-pub enum Command {
-  /// Runs an execution
-  Execute {
-    #[command(subcommand)]
-    execution: Execution,
-  },
-  // Room for more
-}
-
-#[derive(Debug, Deserialize)]
-pub struct CredsFile {
-  pub url: String,
-  pub key: String,
-  pub secret: String,
-}
--- a/bin/cli/src/command/container.rs
+++ b/bin/cli/src/command/container.rs
@@ -0,0 +1,314 @@
+use std::collections::{HashMap, HashSet};
+
+use anyhow::Context;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Color};
+use futures_util::{
+  FutureExt, TryStreamExt, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{
+    InspectDockerContainer, ListAllDockerContainers, ListServers,
+  },
+  entities::{
+    config::cli::args::container::{
+      Container, ContainerCommand, InspectContainer,
+    },
+    docker::{
+      self,
+      container::{ContainerListItem, ContainerStateStatusEnum},
+    },
+  },
+};
+
+use crate::{
+  command::{
+    PrintTable, clamp_sha, matches_wildcards, parse_wildcards,
+    print_items,
+  },
+  config::cli_config,
+};
+
+pub async fn handle(container: &Container) -> anyhow::Result<()> {
+  match &container.command {
+    None => list_containers(container).await,
+    Some(ContainerCommand::Inspect(inspect)) => {
+      inspect_container(inspect).await
+    }
+  }
+}
+
+async fn list_containers(
+  Container {
+    all,
+    down,
+    links,
+    reverse,
+    containers: names,
+    images,
+    networks,
+    servers,
+    format,
+    command: _,
+  }: &Container,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: Default::default(),
+    }),
+  )?;
+
+  // (Option<Server Name>, Container)
+  let containers = containers.into_iter().map(|c| {
+    let server = if let Some(server_id) = c.server_id.as_ref()
+      && let Some(server) = server_map.get(server_id)
+    {
+      server
+    } else {
+      return (None, c);
+    };
+    (Some(server.name.as_str()), c)
+  });
+
+  let names = parse_wildcards(names);
+  let servers = parse_wildcards(servers);
+  let images = parse_wildcards(images);
+  let networks = parse_wildcards(networks);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|(server_name, c)| {
+      let state_check = if *all {
+        true
+      } else if *down {
+        !matches!(c.state, ContainerStateStatusEnum::Running)
+      } else {
+        matches!(c.state, ContainerStateStatusEnum::Running)
+      };
+      let network_check = matches_wildcards(
+        &networks,
+        &c.network_mode
+          .as_deref()
+          .map(|n| vec![n])
+          .unwrap_or_default(),
+      ) || matches_wildcards(
+        &networks,
+        &c.networks.iter().map(String::as_str).collect::<Vec<_>>(),
+      );
+      state_check
+        && network_check
+        && matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &server_name
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+        && matches_wildcards(
+          &images,
+          &c.image.as_deref().map(|i| vec![i]).unwrap_or_default(),
+        )
+    })
+    .collect::<Vec<_>>();
+  containers.sort_by(|(a_s, a), (b_s, b)| {
+    a.state
+      .cmp(&b.state)
+      .then(a.name.cmp(&b.name))
+      .then(a_s.cmp(b_s))
+      .then(a.network_mode.cmp(&b.network_mode))
+      .then(a.image.cmp(&b.image))
+  });
+  if *reverse {
+    containers.reverse();
+  }
+  print_items(containers, *format, *links)?;
+  Ok(())
+}
+
+pub async fn inspect_container(
+  inspect: &InspectContainer,
+) -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let (server_map, mut containers) = tokio::try_join!(
+    client
+      .read(ListServers::default())
+      .map(|res| res.map(|res| res
+        .into_iter()
+        .map(|s| (s.id.clone(), s))
+        .collect::<HashMap<_, _>>())),
+    client.read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: Default::default()
+    }),
+  )?;
+
+  containers.iter_mut().for_each(|c| {
+    let Some(server_id) = c.server_id.as_ref() else {
+      return;
+    };
+    let Some(server) = server_map.get(server_id) else {
+      c.server_id = Some(String::from("Unknown"));
+      return;
+    };
+    c.server_id = Some(server.name.clone());
+  });
+
+  let names = [inspect.container.to_string()];
+  let names = parse_wildcards(&names);
+  let servers = parse_wildcards(&inspect.servers);
+
+  let mut containers = containers
+    .into_iter()
+    .filter(|c| {
+      matches_wildcards(&names, &[c.name.as_str()])
+        && matches_wildcards(
+          &servers,
+          &c.server_id
+            .as_deref()
+            .map(|i| vec![i])
+            .unwrap_or_default(),
+        )
+    })
+    .map(|c| async move {
+      client
+        .read(InspectDockerContainer {
+          container: c.name,
+          server: c.server_id.context("No server...")?,
+        })
+        .await
+    })
+    .collect::<FuturesUnordered<_>>()
+    .try_collect::<Vec<_>>()
+    .await?;
+
+  containers.sort_by(|a, b| a.name.cmp(&b.name));
+
+  match containers.len() {
+    0 => {
+      println!(
+        "{}: Did not find any containers matching '{}'",
+        "INFO".green(),
+        inspect.container.bold()
+      );
+    }
+    1 => {
+      println!("{}", serialize_container(inspect, &containers[0])?);
+    }
+    _ => {
+      let containers = containers
+        .iter()
+        .map(|c| serialize_container(inspect, c))
+        .collect::<anyhow::Result<Vec<_>>>()?
+        .join("\n");
+      println!("{containers}");
+    }
+  }
+
+  Ok(())
+}
+
+fn serialize_container(
+  inspect: &InspectContainer,
+  container: &docker::container::Container,
+) -> anyhow::Result<String> {
+  let res = if inspect.state {
+    serde_json::to_string_pretty(&container.state)
+  } else if inspect.mounts {
+    serde_json::to_string_pretty(&container.mounts)
+  } else if inspect.host_config {
+    serde_json::to_string_pretty(&container.host_config)
+  } else if inspect.config {
+    serde_json::to_string_pretty(&container.config)
+  } else if inspect.network_settings {
+    serde_json::to_string_pretty(&container.network_settings)
+  } else {
+    serde_json::to_string_pretty(container)
+  }
+  .context("Failed to serialize items to JSON")?;
+  Ok(res)
+}
+
+// (Option<Server Name>, Container)
+impl PrintTable for (Option<&'_ str>, ContainerListItem) {
+  fn header(links: bool) -> &'static [&'static str] {
+    if links {
+      &[
+        "Container",
+        "State",
+        "Server",
+        "Ports",
+        "Networks",
+        "Image",
+        "Link",
+      ]
+    } else {
+      &["Container", "State", "Server", "Ports", "Networks", "Image"]
+    }
+  }
+  fn row(self, links: bool) -> Vec<Cell> {
+    let color = match self.1.state {
+      ContainerStateStatusEnum::Running => Color::Green,
+      ContainerStateStatusEnum::Paused => Color::DarkYellow,
+      ContainerStateStatusEnum::Empty => Color::Grey,
+      _ => Color::Red,
+    };
+    let mut networks = HashSet::new();
+    if let Some(network) = self.1.network_mode {
+      networks.insert(network);
+    }
+    for network in self.1.networks {
+      networks.insert(network);
+    }
+    let mut networks = networks.into_iter().collect::<Vec<_>>();
+    networks.sort();
+    let mut ports = self
+      .1
+      .ports
+      .into_iter()
+      .flat_map(|p| p.public_port.map(|p| p.to_string()))
+      .collect::<HashSet<_>>()
+      .into_iter()
+      .collect::<Vec<_>>();
+    ports.sort();
+    let ports = if ports.is_empty() {
+      Cell::new("")
+    } else {
+      Cell::new(format!(":{}", ports.join(", :")))
+    };
+
+    let image = self.1.image.as_deref().unwrap_or("Unknown");
+    let mut res = vec![
+      Cell::new(self.1.name.clone()).add_attribute(Attribute::Bold),
+      Cell::new(self.1.state.to_string())
+        .fg(color)
+        .add_attribute(Attribute::Bold),
+      Cell::new(self.0.unwrap_or("Unknown")),
+      ports,
+      Cell::new(networks.join(", ")),
+      Cell::new(clamp_sha(image)),
+    ];
+    if !links {
+      return res;
+    }
+    let link = if let Some(server_id) = self.1.server_id {
+      format!(
+        "{}/servers/{server_id}/container/{}",
+        cli_config().host,
+        self.1.name
+      )
+    } else {
+      String::new()
+    };
+    res.push(Cell::new(link));
+    res
+  }
+}
--- a/bin/cli/src/command/database.rs
+++ b/bin/cli/src/command/database.rs
@@ -0,0 +1,371 @@
+use std::path::Path;
+
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::{Document, doc};
+use komodo_client::entities::{
+  config::cli::args::database::DatabaseCommand, optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn handle(command: &DatabaseCommand) -> anyhow::Result<()> {
+  match command {
+    DatabaseCommand::Backup { yes, .. } => backup(*yes).await,
+    DatabaseCommand::Restore {
+      restore_folder,
+      index,
+      yes,
+      ..
+    } => restore(restore_folder.as_deref(), *index, *yes).await,
+    DatabaseCommand::Prune { yes, .. } => prune(*yes).await,
+    DatabaseCommand::Copy { yes, index, .. } => {
+      copy(*index, *yes).await
+    }
+    DatabaseCommand::V1Downgrade { yes } => v1_downgrade(*yes).await,
+  }
+}
+
+async fn backup(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup".green().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Backup all database contents to gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  crate::command::wait_for_enter("start backup", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  database::utils::backup(&db, &config.backups_folder).await?;
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    return Ok(());
+  }
+
+  // Know that new backup was taken successfully at this point,
+  // safe to prune old backup folders
+
+  prune_inner().await
+}
+
+async fn restore(
+  restore_folder: Option<&Path>,
+  index: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Restore".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Restores database contents from gzip compressed files."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+  println!(
+    "\n{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if let Some(restore_folder) = restore_folder {
+    println!("{}: {restore_folder:?}", " - Restore Folder".dimmed());
+  }
+
+  crate::command::wait_for_enter("start restore", yes)?;
+
+  let db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::restore(
+    &db,
+    &config.backups_folder,
+    restore_folder,
+  )
+  .await
+}
+
+async fn prune(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Backup Prune".cyan().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Prunes database backup folders when greater than the configured amount."
+      .dimmed()
+  );
+  println!(
+    "{}: {:?}",
+    " - Backups Folder".dimmed(),
+    config.backups_folder
+  );
+  if config.max_backups == 0 {
+    println!(
+      "{}{}",
+      " - Backup pruning".dimmed(),
+      "disabled".red().dimmed()
+    );
+  } else {
+    println!("{}: {}", " - Max Backups".dimmed(), config.max_backups);
+  }
+
+  // Early return if backup pruning disabled
+  if config.max_backups == 0 {
+    info!(
+      "Backup pruning is disabled, enabled using 'max_backups' (KOMODO_CLI_MAX_BACKUPS)"
+    );
+    return Ok(());
+  }
+
+  crate::command::wait_for_enter("start backup prune", yes)?;
+
+  prune_inner().await
+}
+
+async fn prune_inner() -> anyhow::Result<()> {
+  let config = cli_config();
+
+  let mut backups_dir =
+    match tokio::fs::read_dir(&config.backups_folder)
+      .await
+      .context("Failed to read backups folder for prune")
+    {
+      Ok(backups_dir) => backups_dir,
+      Err(e) => {
+        warn!("{e:#}");
+        return Ok(());
+      }
+    };
+
+  let mut backup_folders = Vec::new();
+  loop {
+    match backups_dir.next_entry().await {
+      Ok(Some(entry)) => {
+        let Ok(metadata) = entry.metadata().await else {
+          continue;
+        };
+        if metadata.is_dir() {
+          backup_folders.push(entry.path());
+        }
+      }
+      Ok(None) => break,
+      Err(_) => {
+        continue;
+      }
+    }
+  }
+  // Ordered from oldest -> newest
+  backup_folders.sort();
+
+  let max_backups = config.max_backups as usize;
+  let backup_folders_len = backup_folders.len();
+
+  // Early return if under the backup count threshold
+  if backup_folders_len <= max_backups {
+    info!("No backups to prune");
+    return Ok(());
+  }
+
+  let to_delete =
+    &backup_folders[..(backup_folders_len - max_backups)];
+
+  info!("Pruning old backups: {to_delete:?}");
+
+  for path in to_delete {
+    if let Err(e) =
+      tokio::fs::remove_dir_all(path).await.with_context(|| {
+        format!("Failed to delete backup folder at {path:?}")
+      })
+    {
+      warn!("{e:#}");
+    }
+  }
+
+  Ok(())
+}
+
+async fn copy(index: bool, yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {} Utility  🦎",
+    "Komodo".bold(),
+    "Copy".blue().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Copies database contents to another database.".dimmed()
+  );
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  if let Some(uri) = optional_string(&config.database_target.uri) {
+    println!("{}: {}", " - Target URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) =
+    optional_string(&config.database_target.address)
+  {
+    println!("{}: {address}", " - Target Address".dimmed());
+  }
+  if let Some(username) =
+    optional_string(&config.database_target.username)
+  {
+    println!("{}: {username}", " - Target Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Target Db Name".dimmed(),
+    config.database_target.db_name,
+  );
+  if !index {
+    println!(
+      "{}: {}",
+      " - Target Db Indexing".dimmed(),
+      "DISABLED".red(),
+    );
+  }
+
+  crate::command::wait_for_enter("start copy", yes)?;
+
+  let source_db = database::init(&config.database).await?;
+  let target_db = if index {
+    database::Client::new(&config.database_target).await?.db
+  } else {
+    database::init(&config.database_target).await?
+  };
+
+  database::utils::copy(&source_db, &target_db).await
+}
+
+async fn v1_downgrade(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {}  🦎",
+    "Komodo".bold(),
+    "V1 Downgrade".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Downgrade the database to V1 compatible data structures."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("run downgrade", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  db.collection::<Document>("Server")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Server schema")?;
+
+  db.collection::<Document>("Deployment")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Deployment schema")?;
+
+  info!(
+    "V1 Downgrade complete. Ready to downgrade to komodo-core:1 ✅"
+  );
+
+  Ok(())
+}
--- a/bin/cli/src/command/execute.rs
+++ b/bin/cli/src/command/execute.rs
@@ -0,0 +1,649 @@
+use std::time::Duration;
+
+use colored::Colorize;
+use futures_util::{StreamExt, stream::FuturesUnordered};
+use komodo_client::{
+  api::execute::{
+    BatchExecutionResponse, BatchExecutionResponseItem, Execution,
+  },
+  entities::{resource_link, update::Update},
+};
+
+use crate::config::cli_config;
+
+enum ExecutionResult {
+  Single(Box<Update>),
+  Batch(BatchExecutionResponse),
+}
+
+pub async fn handle(
+  execution: &Execution,
+  yes: bool,
+) -> anyhow::Result<()> {
+  if matches!(execution, Execution::None(_)) {
+    println!("Got 'none' execution. Doing nothing...");
+    tokio::time::sleep(Duration::from_secs(3)).await;
+    println!("Finished doing nothing. Exiting...");
+    std::process::exit(0);
+  }
+
+  println!("\n{}: Execution", "Mode".dimmed());
+  match execution {
+    Execution::None(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunAction(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunProcedure(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchRunBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Deploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeploy(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyDeployment(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchCloneRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchBuildRepo(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CancelRepoBuild(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyContainer(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopAllContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneContainers(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteNetwork(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneNetworks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteImage(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneImages(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeleteVolume(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneVolumes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneDockerBuilders(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneBuildx(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PruneSystem(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CommitSync(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDeployStackIfChanged(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchPullStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RestartStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::PauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::UnpauseStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::StopStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::DestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BatchDestroyStack(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RunStackService(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::TestAlerter(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::SendAlert(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmNodes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmStacks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmServices(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmConfigs(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmSecrets(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::ClearRepoCache(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::BackupCoreDatabase(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::GlobalAutoUpdate(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateAllServerKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateCoreKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::Sleep(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+  }
+
+  super::wait_for_enter("run execution", yes)?;
+
+  info!("Running Execution...");
+
+  let client = super::komodo_client().await?;
+
+  let res = match execution.clone() {
+    Execution::RunAction(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunAction(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunProcedure(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunProcedure(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchRunBuild(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Deploy(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeploy(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyDeployment(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyDeployment(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CloneRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchCloneRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::BuildRepo(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchBuildRepo(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::CancelRepoBuild(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyContainer(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopAllContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneContainers(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteNetwork(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneNetworks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteImage(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneImages(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeleteVolume(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneVolumes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneDockerBuilders(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneBuildx(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PruneSystem(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RunSync(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CommitSync(request) => client
+      .write(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DeployStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::DeployStackIfChanged(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDeployStackIfChanged(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::PullStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchPullStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::StartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RestartStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::PauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::UnpauseStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::StopStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::DestroyStack(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BatchDestroyStack(request) => {
+      client.execute(request).await.map(ExecutionResult::Batch)
+    }
+    Execution::RunStackService(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::TestAlerter(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::SendAlert(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmNodes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmStacks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmServices(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmConfigs(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmSecrets(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::ClearRepoCache(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::BackupCoreDatabase(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::GlobalAutoUpdate(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateAllServerKeys(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateCoreKeys(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::Sleep(request) => {
+      let duration =
+        Duration::from_millis(request.duration_ms as u64);
+      tokio::time::sleep(duration).await;
+      println!("Finished sleeping!");
+      std::process::exit(0)
+    }
+    Execution::None(_) => unreachable!(),
+  };
+
+  match res {
+    Ok(ExecutionResult::Single(update)) => {
+      poll_update_until_complete(&update).await
+    }
+    Ok(ExecutionResult::Batch(updates)) => {
+      let mut handles = updates
+        .iter()
+        .map(|update| async move {
+          match update {
+            BatchExecutionResponseItem::Ok(update) => {
+              poll_update_until_complete(update).await
+            }
+            BatchExecutionResponseItem::Err(e) => {
+              error!("{e:#?}");
+              Ok(())
+            }
+          }
+        })
+        .collect::<FuturesUnordered<_>>();
+      while let Some(res) = handles.next().await {
+        match res {
+          Ok(()) => {}
+          Err(e) => {
+            error!("{e:#?}");
+          }
+        }
+      }
+      Ok(())
+    }
+    Err(e) => {
+      error!("{e:#?}");
+      Ok(())
+    }
+  }
+}
+
+async fn poll_update_until_complete(
+  update: &Update,
+) -> anyhow::Result<()> {
+  let link = if update.id.is_empty() {
+    let (resource_type, id) = update.target.extract_variant_id();
+    resource_link(&cli_config().host, resource_type, id)
+  } else {
+    format!("{}/updates/{}", cli_config().host, update.id)
+  };
+  println!("Link: '{}'", link.bold());
+
+  let client = super::komodo_client().await?;
+
+  let timer = tokio::time::Instant::now();
+  let update = client.poll_update_until_complete(&update.id).await?;
+  if update.success {
+    println!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION SUCCESSFUL".green(),
+    );
+  } else {
+    eprintln!(
+      "FINISHED in {}: {}",
+      format!("{:.1?}", timer.elapsed()).bold(),
+      "EXECUTION FAILED".red(),
+    );
+  }
+  Ok(())
+}
--- a/bin/cli/src/command/list.rs
+++ b/bin/cli/src/command/list.rs
--- a/bin/cli/src/command/mod.rs
+++ b/bin/cli/src/command/mod.rs
@@ -0,0 +1,182 @@
+use std::io::Read;
+
+use anyhow::{Context, anyhow};
+use chrono::TimeZone;
+use colored::Colorize;
+use comfy_table::{Attribute, Cell, Table};
+use komodo_client::{
+  KomodoClient,
+  entities::config::cli::{CliTableBorders, args::CliFormat},
+};
+use serde::Serialize;
+use tokio::sync::OnceCell;
+use wildcard::Wildcard;
+
+use crate::config::cli_config;
+
+pub mod container;
+pub mod database;
+pub mod execute;
+pub mod list;
+pub mod terminal;
+pub mod update;
+
+async fn komodo_client() -> anyhow::Result<&'static KomodoClient> {
+  static KOMODO_CLIENT: OnceCell<KomodoClient> =
+    OnceCell::const_new();
+  KOMODO_CLIENT
+    .get_or_try_init(|| async {
+      let config = cli_config();
+      let (Some(key), Some(secret)) =
+        (&config.cli_key, &config.cli_secret)
+      else {
+        return Err(anyhow!(
+          "Must provide both cli_key and cli_secret"
+        ));
+      };
+      KomodoClient::new(&config.host, key, secret)
+        .with_healthcheck()
+        .await
+    })
+    .await
+}
+
+fn wait_for_enter(
+  press_enter_to: &str,
+  skip: bool,
+) -> anyhow::Result<()> {
+  if skip {
+    println!();
+    return Ok(());
+  }
+  println!(
+    "\nPress {} to {}\n",
+    "ENTER".green(),
+    press_enter_to.bold()
+  );
+  let buffer = &mut [0u8];
+  std::io::stdin()
+    .read_exact(buffer)
+    .context("failed to read ENTER")?;
+  Ok(())
+}
+
+/// Sanitizes uris of the form:
+/// `protocol://username:password@address`
+fn sanitize_uri(uri: &str) -> String {
+  // protocol: `mongodb`
+  // credentials_address: `username:password@address`
+  let Some((protocol, credentials_address)) = uri.split_once("://")
+  else {
+    // If no protocol, return as-is
+    return uri.to_string();
+  };
+
+  // credentials: `username:password`
+  let Some((credentials, address)) =
+    credentials_address.split_once('@')
+  else {
+    // If no credentials, return as-is
+    return uri.to_string();
+  };
+
+  match credentials.split_once(':') {
+    Some((username, _)) => {
+      format!("{protocol}://{username}:*****@{address}")
+    }
+    None => {
+      format!("{protocol}://*****@{address}")
+    }
+  }
+}
+
+fn print_items<T: PrintTable + Serialize>(
+  items: Vec<T>,
+  format: CliFormat,
+  links: bool,
+) -> anyhow::Result<()> {
+  match format {
+    CliFormat::Table => {
+      let mut table = Table::new();
+      let preset = {
+        use comfy_table::presets::*;
+        match cli_config().table_borders {
+          None | Some(CliTableBorders::Horizontal) => {
+            UTF8_HORIZONTAL_ONLY
+          }
+          Some(CliTableBorders::Vertical) => UTF8_FULL_CONDENSED,
+          Some(CliTableBorders::Inside) => UTF8_NO_BORDERS,
+          Some(CliTableBorders::Outside) => UTF8_BORDERS_ONLY,
+          Some(CliTableBorders::All) => UTF8_FULL,
+        }
+      };
+      table.load_preset(preset).set_header(
+        T::header(links)
+          .iter()
+          .map(|h| Cell::new(h).add_attribute(Attribute::Bold)),
+      );
+      for item in items {
+        table.add_row(item.row(links));
+      }
+      println!("{table}");
+    }
+    CliFormat::Json => {
+      println!(
+        "{}",
+        serde_json::to_string_pretty(&items)
+          .context("Failed to serialize items to JSON")?
+      );
+    }
+  }
+  Ok(())
+}
+
+trait PrintTable {
+  fn header(links: bool) -> &'static [&'static str];
+  fn row(self, links: bool) -> Vec<Cell>;
+}
+
+fn parse_wildcards(items: &[String]) -> Vec<Wildcard<'_>> {
+  items
+    .iter()
+    .flat_map(|i| {
+      Wildcard::new(i.as_bytes()).inspect_err(|e| {
+        warn!("Failed to parse wildcard: {i} | {e:?}")
+      })
+    })
+    .collect::<Vec<_>>()
+}
+
+fn matches_wildcards(
+  wildcards: &[Wildcard<'_>],
+  items: &[&str],
+) -> bool {
+  if wildcards.is_empty() {
+    return true;
+  }
+  items.iter().any(|item| {
+    wildcards.iter().any(|wc| wc.is_match(item.as_bytes()))
+  })
+}
+
+fn format_timetamp(ts: i64) -> anyhow::Result<String> {
+  let ts = chrono::Local
+    .timestamp_millis_opt(ts)
+    .single()
+    .context("Invalid ts")?
+    .format("%m/%d %H:%M:%S")
+    .to_string();
+  Ok(ts)
+}
+
+fn clamp_sha(maybe_sha: &str) -> String {
+  if maybe_sha.starts_with("sha256:") {
+    maybe_sha[0..20].to_string() + "..."
+  } else {
+    maybe_sha.to_string()
+  }
+}
+
+// fn text_link(link: &str, text: &str) -> String {
+//   format!("\x1b]8;;{link}\x07{text}\x1b]8;;\x07")
+// }
--- a/bin/cli/src/command/terminal.rs
+++ b/bin/cli/src/command/terminal.rs
@@ -0,0 +1,334 @@
+use anyhow::{Context, anyhow};
+use colored::Colorize;
+use komodo_client::{
+  api::{
+    read::{ListAllDockerContainers, ListServers},
+    terminal::InitTerminal,
+  },
+  entities::{
+    config::cli::args::terminal::{Attach, Connect, Exec},
+    server::ServerQuery,
+    terminal::{
+      ContainerTerminalMode, TerminalRecreateMode,
+      TerminalResizeMessage, TerminalStdinMessage,
+    },
+  },
+  ws::terminal::TerminalWebsocket,
+};
+use tokio::io::{AsyncReadExt as _, AsyncWriteExt as _};
+use tokio_util::sync::CancellationToken;
+
+pub async fn handle_connect(
+  Connect {
+    server,
+    name,
+    command,
+    recreate,
+  }: &Connect,
+) -> anyhow::Result<()> {
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_server_terminal(
+        server.to_string(),
+        Some(name.to_string()),
+        Some(InitTerminal {
+          command: command.clone(),
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: None,
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+pub async fn handle_exec(
+  Exec {
+    server,
+    container,
+    shell,
+    recreate,
+  }: &Exec,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_container_terminal(
+        server,
+        container.to_string(),
+        None,
+        Some(InitTerminal {
+          command: Some(shell.to_string()),
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: Some(ContainerTerminalMode::Exec),
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+pub async fn handle_attach(
+  Attach {
+    server,
+    container,
+    recreate,
+  }: &Attach,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(async {
+    super::komodo_client()
+      .await?
+      .connect_container_terminal(
+        server,
+        container.to_string(),
+        None,
+        Some(InitTerminal {
+          command: None,
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: Some(ContainerTerminalMode::Attach),
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+async fn get_server(
+  server: Option<String>,
+  container: &str,
+) -> anyhow::Result<String> {
+  if let Some(server) = server {
+    return Ok(server);
+  }
+
+  let client = super::komodo_client().await?;
+
+  let mut containers = client
+    .read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: vec![container.to_string()],
+    })
+    .await?;
+
+  if containers.is_empty() {
+    return Err(anyhow!(
+      "Did not find any container matching {container}"
+    ));
+  }
+
+  if containers.len() == 1 {
+    return containers
+      .pop()
+      .context("Shouldn't happen")?
+      .server_id
+      .context("Container doesn't have server_id");
+  }
+
+  let servers = containers
+    .into_iter()
+    .flat_map(|container| container.server_id)
+    .collect::<Vec<_>>();
+
+  let servers = client
+    .read(ListServers {
+      query: ServerQuery::builder().names(servers).build(),
+    })
+    .await?
+    .into_iter()
+    .map(|server| format!("\t- {}", server.name.bold()))
+    .collect::<Vec<_>>()
+    .join("\n");
+
+  Err(anyhow!(
+    "Multiple containers matching '{}' on Servers:\n{servers}",
+    container.bold(),
+  ))
+}
+
+async fn handle_terminal_forwarding<
+  C: Future<Output = anyhow::Result<TerminalWebsocket>>,
+>(
+  connect: C,
+) -> anyhow::Result<()> {
+  // Need to forward multiple sources into ws write
+  let (write_tx, mut write_rx) =
+    tokio::sync::mpsc::channel::<TerminalStdinMessage>(1024);
+
+  // ================
+  //  SETUP RESIZING
+  // ================
+
+  // Subscribe to SIGWINCH for resize messages
+  let mut sigwinch = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::window_change(),
+  )
+  .context("failed to register SIGWINCH handler")?;
+
+  // Send first resize messsage, bailing if it fails to get the size.
+  write_tx.send(resize_message()?).await?;
+
+  let cancel = CancellationToken::new();
+
+  let forward_resize = async {
+    while future_or_cancel(sigwinch.recv(), &cancel)
+      .await
+      .flatten()
+      .is_some()
+    {
+      if let Ok(resize_message) = resize_message()
+        && write_tx.send(resize_message).await.is_err()
+      {
+        break;
+      }
+    }
+    cancel.cancel();
+  };
+
+  let forward_stdin = async {
+    let mut stdin = tokio::io::stdin();
+    let mut buf = [0u8; 8192];
+    while let Some(Ok(n)) =
+      future_or_cancel(stdin.read(&mut buf), &cancel).await
+    {
+      // EOF
+      if n == 0 {
+        break;
+      }
+      let bytes = &buf[..n];
+      // Check for disconnect sequence (alt + q)
+      if bytes == [197, 147] {
+        break;
+      }
+      // Forward bytes
+      if write_tx
+        .send(TerminalStdinMessage::Forward(bytes.to_vec()))
+        .await
+        .is_err()
+      {
+        break;
+      };
+    }
+    cancel.cancel();
+  };
+
+  // =====================
+  //  CONNECT AND FORWARD
+  // =====================
+
+  let (mut ws_write, mut ws_read) = connect.await?.split();
+
+  let forward_write = async {
+    while let Some(message) =
+      future_or_cancel(write_rx.recv(), &cancel).await.flatten()
+    {
+      if let Err(e) = ws_write.send_stdin_message(message).await {
+        cancel.cancel();
+        return Some(e);
+      };
+    }
+    cancel.cancel();
+    None
+  };
+
+  let forward_read = async {
+    let mut stdout = tokio::io::stdout();
+    while let Some(msg) =
+      future_or_cancel(ws_read.receive_stdout(), &cancel).await
+    {
+      let bytes = match msg {
+        Ok(Some(bytes)) => bytes,
+        Ok(None) => break,
+        Err(e) => {
+          cancel.cancel();
+          return Some(e.context("Websocket read error"));
+        }
+      };
+      if let Err(e) = stdout
+        .write_all(&bytes)
+        .await
+        .context("Failed to write text to stdout")
+      {
+        cancel.cancel();
+        return Some(e);
+      }
+      let _ = stdout.flush().await;
+    }
+    cancel.cancel();
+    None
+  };
+
+  let guard = RawModeGuard::enable_raw_mode()?;
+
+  let (_, _, write_error, read_error) = tokio::join!(
+    forward_resize,
+    forward_stdin,
+    forward_write,
+    forward_read
+  );
+
+  drop(guard);
+
+  if let Some(e) = write_error {
+    eprintln!("\nFailed to forward stdin | {e:#}");
+  }
+
+  if let Some(e) = read_error {
+    eprintln!("\nFailed to forward stdout | {e:#}");
+  }
+
+  println!("\n\n{} {}", "connection".bold(), "closed".red().bold());
+
+  // It doesn't seem to exit by itself after the raw mode stuff.
+  std::process::exit(0)
+}
+
+fn resize_message() -> anyhow::Result<TerminalStdinMessage> {
+  let (cols, rows) = crossterm::terminal::size()
+    .context("Failed to get terminal size")?;
+  Ok(TerminalStdinMessage::Resize(TerminalResizeMessage {
+    rows,
+    cols,
+  }))
+}
+
+struct RawModeGuard;
+
+impl RawModeGuard {
+  fn enable_raw_mode() -> anyhow::Result<Self> {
+    crossterm::terminal::enable_raw_mode()
+      .context("Failed to enable terminal raw mode")?;
+    Ok(Self)
+  }
+}
+impl Drop for RawModeGuard {
+  fn drop(&mut self) {
+    if let Err(e) = crossterm::terminal::disable_raw_mode() {
+      eprintln!("Failed to disable terminal raw mode | {e:?}");
+    }
+  }
+}
+
+async fn future_or_cancel<T, F: Future<Output = T>>(
+  fut: F,
+  cancel: &CancellationToken,
+) -> Option<T> {
+  tokio::select! {
+    res = fut => Some(res),
+    _ = cancel.cancelled() => None
+  }
+}
--- a/bin/cli/src/command/update/mod.rs
+++ b/bin/cli/src/command/update/mod.rs
@@ -0,0 +1,43 @@
+use komodo_client::entities::{
+  build::PartialBuildConfig,
+  config::cli::args::update::UpdateCommand,
+  deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+  server::PartialServerConfig, stack::PartialStackConfig,
+  sync::PartialResourceSyncConfig,
+};
+
+mod resource;
+mod user;
+mod variable;
+
+pub async fn handle(command: &UpdateCommand) -> anyhow::Result<()> {
+  match command {
+    UpdateCommand::Build(update) => {
+      resource::update::<PartialBuildConfig>(update).await
+    }
+    UpdateCommand::Deployment(update) => {
+      resource::update::<PartialDeploymentConfig>(update).await
+    }
+    UpdateCommand::Repo(update) => {
+      resource::update::<PartialRepoConfig>(update).await
+    }
+    UpdateCommand::Server(update) => {
+      resource::update::<PartialServerConfig>(update).await
+    }
+    UpdateCommand::Stack(update) => {
+      resource::update::<PartialStackConfig>(update).await
+    }
+    UpdateCommand::Sync(update) => {
+      resource::update::<PartialResourceSyncConfig>(update).await
+    }
+    UpdateCommand::Variable {
+      name,
+      value,
+      secret,
+      yes,
+    } => variable::update(name, value, *secret, *yes).await,
+    UpdateCommand::User { username, command } => {
+      user::update(username, command).await
+    }
+  }
+}
--- a/bin/cli/src/command/update/resource.rs
+++ b/bin/cli/src/command/update/resource.rs
@@ -0,0 +1,152 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::{
+  api::write::{
+    UpdateBuild, UpdateDeployment, UpdateRepo, UpdateResourceSync,
+    UpdateServer, UpdateStack,
+  },
+  entities::{
+    build::PartialBuildConfig,
+    config::cli::args::update::UpdateResource,
+    deployment::PartialDeploymentConfig, repo::PartialRepoConfig,
+    server::PartialServerConfig, stack::PartialStackConfig,
+    sync::PartialResourceSyncConfig,
+  },
+};
+use serde::{Serialize, de::DeserializeOwned};
+
+pub async fn update<
+  T: std::fmt::Debug + Serialize + DeserializeOwned + ResourceUpdate,
+>(
+  UpdateResource {
+    resource,
+    update,
+    yes,
+  }: &UpdateResource,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update {}\n", "Mode".dimmed(), T::resource_type());
+  println!(" - {}: {resource}", "Name".dimmed());
+
+  let config = serde_qs::from_str::<T>(update)
+    .context("Failed to deserialize config")?;
+
+  match serde_json::to_string_pretty(&config) {
+    Ok(config) => {
+      println!(" - {}: {config}", "Update".dimmed());
+    }
+    Err(_) => {
+      println!(" - {}: {config:#?}", "Update".dimmed());
+    }
+  }
+
+  crate::command::wait_for_enter("update resource", *yes)?;
+
+  config.apply(resource).await
+}
+
+pub trait ResourceUpdate {
+  fn resource_type() -> &'static str;
+  async fn apply(self, resource: &str) -> anyhow::Result<()>;
+}
+
+impl ResourceUpdate for PartialBuildConfig {
+  fn resource_type() -> &'static str {
+    "Build"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateBuild {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update build config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialDeploymentConfig {
+  fn resource_type() -> &'static str {
+    "Deployment"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateDeployment {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update deployment config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialRepoConfig {
+  fn resource_type() -> &'static str {
+    "Repo"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateRepo {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update repo config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialServerConfig {
+  fn resource_type() -> &'static str {
+    "Server"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateServer {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update server config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialStackConfig {
+  fn resource_type() -> &'static str {
+    "Stack"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateStack {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update stack config")?;
+    Ok(())
+  }
+}
+
+impl ResourceUpdate for PartialResourceSyncConfig {
+  fn resource_type() -> &'static str {
+    "Sync"
+  }
+  async fn apply(self, resource: &str) -> anyhow::Result<()> {
+    let client = crate::command::komodo_client().await?;
+    client
+      .write(UpdateResourceSync {
+        id: resource.to_string(),
+        config: self,
+      })
+      .await
+      .context("Failed to update sync config")?;
+    Ok(())
+  }
+}
--- a/bin/cli/src/command/update/user.rs
+++ b/bin/cli/src/command/update/user.rs
@@ -0,0 +1,142 @@
+use anyhow::Context;
+use colored::Colorize;
+use database::mungos::mongodb::bson::doc;
+use komodo_client::entities::{
+  config::{
+    cli::args::{CliEnabled, update::UpdateUserCommand},
+    empty_or_redacted,
+  },
+  optional_string,
+};
+
+use crate::{command::sanitize_uri, config::cli_config};
+
+pub async fn update(
+  username: &str,
+  command: &UpdateUserCommand,
+) -> anyhow::Result<()> {
+  match command {
+    UpdateUserCommand::Password {
+      password,
+      unsanitized,
+      yes,
+    } => {
+      update_password(username, password, *unsanitized, *yes).await
+    }
+    UpdateUserCommand::SuperAdmin { enabled, yes } => {
+      update_super_admin(username, *enabled, *yes).await
+    }
+    UpdateUserCommand::Clear2fa { yes } => {
+      clear_2fa(username, *yes).await
+    }
+  }
+}
+
+async fn update_password(
+  username: &str,
+  password: &str,
+  unsanitized: bool,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Password\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  if unsanitized {
+    println!(" - {}: {password}", "Password".dimmed());
+  } else {
+    println!(
+      " - {}: {}",
+      "Password".dimmed(),
+      empty_or_redacted(password)
+    );
+  }
+
+  crate::command::wait_for_enter("update password", yes)?;
+
+  info!("Updating password...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  db.set_user_password(&user, password).await?;
+
+  info!("Password updated ✅");
+
+  Ok(())
+}
+
+async fn update_super_admin(
+  username: &str,
+  super_admin: CliEnabled,
+  yes: bool,
+) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!("\n{}: Update Super Admin\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+  println!(" - {}: {super_admin}\n", "Super Admin".dimmed());
+
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - Source URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Source Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Source Username".dimmed());
+  }
+  println!(
+    "{}: {}",
+    " - Source Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("update super admin", yes)?;
+
+  info!("Updating super admin...");
+
+  let db = database::Client::new(&config.database).await?;
+
+  // Make sure the user exists first before saying it is successful.
+  let user = db
+    .users
+    .find_one(doc! { "username": username })
+    .await
+    .context("Failed to query database for user")?
+    .context("No user found with given username")?;
+
+  let super_admin: bool = super_admin.into();
+  db.users
+    .update_one(
+      doc! { "username": user.username },
+      doc! { "$set": { "super_admin": super_admin } },
+    )
+    .await
+    .context("Failed to update user super admin on db")?;
+
+  info!("Super admin updated ✅");
+
+  Ok(())
+}
+
+async fn clear_2fa(username: &str, yes: bool) -> anyhow::Result<()> {
+  println!("\n{}: Clear 2FA Methods\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+
+  crate::command::wait_for_enter("clear user 2FA methods", yes)?;
+
+  info!("Clearing 2FA methods...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  db.clear_user_2fa_methods(username).await?;
+
+  info!("2FA methods cleared ✅");
+
+  Ok(())
+}
--- a/bin/cli/src/command/update/variable.rs
+++ b/bin/cli/src/command/update/variable.rs
@@ -0,0 +1,70 @@
+use anyhow::Context;
+use colored::Colorize;
+use komodo_client::api::{
+  read::GetVariable,
+  write::{
+    CreateVariable, UpdateVariableIsSecret, UpdateVariableValue,
+  },
+};
+
+pub async fn update(
+  name: &str,
+  value: &str,
+  secret: Option<bool>,
+  yes: bool,
+) -> anyhow::Result<()> {
+  println!("\n{}: Update Variable\n", "Mode".dimmed());
+  println!(" - {}:  {name}", "Name".dimmed());
+  println!(" - {}: {value}", "Value".dimmed());
+  if let Some(secret) = secret {
+    println!(" - {}: {secret}", "Is Secret".dimmed());
+  }
+
+  crate::command::wait_for_enter("update variable", yes)?;
+
+  let client = crate::command::komodo_client().await?;
+
+  let Ok(existing) = client
+    .read(GetVariable {
+      name: name.to_string(),
+    })
+    .await
+  else {
+    // Create the variable
+    client
+      .write(CreateVariable {
+        name: name.to_string(),
+        value: value.to_string(),
+        is_secret: secret.unwrap_or_default(),
+        description: Default::default(),
+      })
+      .await
+      .context("Failed to create variable")?;
+    info!("Variable created ✅");
+    return Ok(());
+  };
+
+  client
+    .write(UpdateVariableValue {
+      name: name.to_string(),
+      value: value.to_string(),
+    })
+    .await
+    .context("Failed to update variable 'value'")?;
+  info!("Variable 'value' updated ✅");
+
+  let Some(secret) = secret else { return Ok(()) };
+
+  if secret != existing.is_secret {
+    client
+      .write(UpdateVariableIsSecret {
+        name: name.to_string(),
+        is_secret: secret,
+      })
+      .await
+      .context("Failed to update variable 'is_secret'")?;
+    info!("Variable 'is_secret' updated to {secret} ✅");
+  }
+
+  Ok(())
+}
--- a/bin/cli/src/config.rs
+++ b/bin/cli/src/config.rs
@@ -0,0 +1,280 @@
+use std::{path::PathBuf, sync::OnceLock};
+
+use anyhow::Context;
+use clap::Parser;
+use colored::Colorize;
+use komodo_client::entities::{
+  config::{
+    DatabaseConfig,
+    cli::{
+      CliConfig, Env,
+      args::{CliArgs, Command, Execute, database::DatabaseCommand},
+    },
+  },
+  logger::LogConfig,
+};
+use mogh_secret_file::maybe_read_item_from_file;
+
+pub fn cli_args() -> &'static CliArgs {
+  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
+  CLI_ARGS.get_or_init(CliArgs::parse)
+}
+
+pub fn cli_env() -> &'static Env {
+  static CLI_ARGS: OnceLock<Env> = OnceLock::new();
+  CLI_ARGS.get_or_init(|| {
+    match envy::from_env()
+      .context("Failed to parse Komodo CLI environment")
+    {
+      Ok(env) => env,
+      Err(e) => {
+        panic!("{e:?}")
+      }
+    }
+  })
+}
+
+pub fn cli_config() -> &'static CliConfig {
+  static CLI_CONFIG: OnceLock<CliConfig> = OnceLock::new();
+  CLI_CONFIG.get_or_init(|| {
+    let args = cli_args();
+    let env = cli_env().clone();
+    let config_paths = args
+      .config_path
+      .clone()
+      .unwrap_or(env.komodo_cli_config_paths);
+    let debug_startup =
+      args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+    if debug_startup {
+      println!(
+        "{}: Komodo CLI version: {}",
+        "DEBUG".cyan(),
+        env!("CARGO_PKG_VERSION").blue().bold()
+      );
+      println!(
+        "{}: {}: {config_paths:?}",
+        "DEBUG".cyan(),
+        "Config Paths".dimmed(),
+      );
+    }
+
+    let config_keywords = args
+      .config_keyword
+      .clone()
+      .unwrap_or(env.komodo_cli_config_keywords);
+    let config_keywords = config_keywords
+      .iter()
+      .map(String::as_str)
+      .collect::<Vec<_>>();
+    if debug_startup {
+      println!(
+        "{}: {}: {config_keywords:?}",
+        "DEBUG".cyan(),
+        "Config File Keywords".dimmed(),
+      );
+    }
+    let mut unparsed_config = (mogh_config::ConfigLoader {
+      paths: &config_paths
+        .iter()
+        .map(PathBuf::as_path)
+        .collect::<Vec<_>>(),
+      match_wildcards: &config_keywords,
+      include_file_name: ".kminclude",
+      merge_nested: env.komodo_cli_merge_nested_config,
+      extend_array: env.komodo_cli_extend_config_arrays,
+      debug_print: debug_startup,
+    })
+    .load::<serde_json::Map<String, serde_json::Value>>()
+    .expect("failed at parsing config from paths");
+    let init_parsed_config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config.clone()),
+    )
+    .context("Failed to parse config")
+    .unwrap();
+
+    let (host, key, secret) = match &args.command {
+      Command::Execute(Execute {
+        host, key, secret, ..
+      }) => (host.clone(), key.clone(), secret.clone()),
+      _ => (None, None, None),
+    };
+
+    let backups_folder = match &args.command {
+      Command::Database {
+        command: DatabaseCommand::Backup { backups_folder, .. },
+      } => backups_folder.clone(),
+      Command::Database {
+        command: DatabaseCommand::Restore { backups_folder, .. },
+      } => backups_folder.clone(),
+      _ => None,
+    };
+    let (uri, address, username, password, db_name) =
+      match &args.command {
+        Command::Database {
+          command:
+            DatabaseCommand::Copy {
+              uri,
+              address,
+              username,
+              password,
+              db_name,
+              ..
+            },
+        } => (
+          uri.clone(),
+          address.clone(),
+          username.clone(),
+          password.clone(),
+          db_name.clone(),
+        ),
+        _ => (None, None, None, None, None),
+      };
+
+    let profile = args
+      .profile
+      .as_ref()
+      .or(init_parsed_config.default_profile.as_ref());
+
+    let unparsed_config = if let Some(profile) = profile
+      && !profile.is_empty()
+    {
+      // Find the profile config,
+      // then merge it with the Default config.
+      let serde_json::Value::Array(profiles) = unparsed_config
+        .remove("profile")
+        .context("Config has no profiles, but a profile is required")
+        .unwrap()
+      else {
+        panic!("`config.profile` is not array");
+      };
+      let Some(profile_config) = profiles.into_iter().find(|p| {
+        let Ok(parsed) =
+          serde_json::from_value::<CliConfig>(p.clone())
+        else {
+          return false;
+        };
+        &parsed.config_profile == profile
+          || parsed
+            .config_aliases
+            .iter()
+            .any(|alias| alias == profile)
+      }) else {
+        panic!("No profile matching '{profile}' was found.");
+      };
+      let serde_json::Value::Object(profile_config) = profile_config
+      else {
+        panic!("Profile config is not Object type.");
+      };
+      mogh_config::merge_config(
+        unparsed_config,
+        profile_config.clone(),
+        env.komodo_cli_merge_nested_config,
+        env.komodo_cli_extend_config_arrays,
+      )
+      .unwrap_or(profile_config)
+    } else {
+      unparsed_config
+    };
+    let config = serde_json::from_value::<CliConfig>(
+      serde_json::Value::Object(unparsed_config),
+    )
+    .context("Failed to parse final config")
+    .unwrap();
+    let config_profile = if config.config_profile.is_empty() {
+      String::from("None")
+    } else {
+      config.config_profile
+    };
+
+    CliConfig {
+      config_profile,
+      config_aliases: config.config_aliases,
+      default_profile: config.default_profile,
+      table_borders: env
+        .komodo_cli_table_borders
+        .or(config.table_borders),
+      host: host
+        .or(env.komodo_cli_host)
+        .or(env.komodo_host)
+        .unwrap_or(config.host),
+      cli_key: key.or(env.komodo_cli_key).or(config.cli_key),
+      cli_secret: secret
+        .or(env.komodo_cli_secret)
+        .or(config.cli_secret),
+      backups_folder: backups_folder
+        .or(env.komodo_cli_backups_folder)
+        .unwrap_or(config.backups_folder),
+      max_backups: env
+        .komodo_cli_max_backups
+        .unwrap_or(config.max_backups),
+      database_target: DatabaseConfig {
+        uri: uri
+          .or(env.komodo_cli_database_target_uri)
+          .unwrap_or(config.database_target.uri),
+        address: address
+          .or(env.komodo_cli_database_target_address)
+          .unwrap_or(config.database_target.address),
+        username: username
+          .or(env.komodo_cli_database_target_username)
+          .unwrap_or(config.database_target.username),
+        password: password
+          .or(env.komodo_cli_database_target_password)
+          .unwrap_or(config.database_target.password),
+        db_name: db_name
+          .or(env.komodo_cli_database_target_db_name)
+          .unwrap_or(config.database_target.db_name),
+        app_name: config.database_target.app_name,
+      },
+      database: DatabaseConfig {
+        uri: maybe_read_item_from_file(
+          env.komodo_database_uri_file,
+          env.komodo_database_uri,
+        )
+        .unwrap_or(config.database.uri),
+        address: env
+          .komodo_database_address
+          .unwrap_or(config.database.address),
+        username: maybe_read_item_from_file(
+          env.komodo_database_username_file,
+          env.komodo_database_username,
+        )
+        .unwrap_or(config.database.username),
+        password: maybe_read_item_from_file(
+          env.komodo_database_password_file,
+          env.komodo_database_password,
+        )
+        .unwrap_or(config.database.password),
+        db_name: env
+          .komodo_database_db_name
+          .unwrap_or(config.database.db_name),
+        app_name: config.database.app_name,
+      },
+      cli_logging: LogConfig {
+        level: env
+          .komodo_cli_logging_level
+          .unwrap_or(config.cli_logging.level),
+        stdio: env
+          .komodo_cli_logging_stdio
+          .unwrap_or(config.cli_logging.stdio),
+        pretty: env
+          .komodo_cli_logging_pretty
+          .unwrap_or(config.cli_logging.pretty),
+        location: false,
+        ansi: env
+          .komodo_cli_logging_ansi
+          .unwrap_or(config.cli_logging.ansi),
+        otlp_endpoint: env
+          .komodo_cli_logging_otlp_endpoint
+          .unwrap_or(config.cli_logging.otlp_endpoint),
+        opentelemetry_service_name: env
+          .komodo_cli_logging_opentelemetry_service_name
+          .unwrap_or(config.cli_logging.opentelemetry_service_name),
+        opentelemetry_scope_name: env
+          .komodo_cli_logging_opentelemetry_scope_name
+          .unwrap_or(config.cli_logging.opentelemetry_scope_name),
+      },
+      profile: config.profile,
+    }
+  })
+}
--- a/bin/cli/src/exec.rs
+++ b/bin/cli/src/exec.rs
@@ -1,316 +0,0 @@
-use std::time::Duration;
-
-use colored::Colorize;
-use komodo_client::api::execute::Execution;
-
-use crate::{
-  helpers::wait_for_enter,
-  state::{cli_args, komodo_client},
-};
-
-pub async fn run(execution: Execution) -> anyhow::Result<()> {
-  if matches!(execution, Execution::None(_)) {
-    println!("Got 'none' execution. Doing nothing...");
-    tokio::time::sleep(Duration::from_secs(3)).await;
-    println!("Finished doing nothing. Exiting...");
-    std::process::exit(0);
-  }
-
-  println!("\n{}: Execution", "Mode".dimmed());
-  match &execution {
-    Execution::None(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunProcedure(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CancelBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::Deploy(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyDeployment(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CloneRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PullRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::BuildRepo(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::CancelRepoBuild(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyContainer(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopAllContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneContainers(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteNetwork(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneNetworks(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteImage(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneImages(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeleteVolume(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneVolumes(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneDockerBuilders(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneBuildx(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PruneSystem(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RunSync(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeployStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DeployStackIfChanged(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StartStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::RestartStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::PauseStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::UnpauseStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::StopStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::DestroyStack(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-    Execution::Sleep(data) => {
-      println!("{}: {data:?}", "Data".dimmed())
-    }
-  }
-
-  if !cli_args().yes {
-    wait_for_enter("run execution")?;
-  }
-
-  info!("Running Execution...");
-
-  let res = match execution {
-    Execution::RunProcedure(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::Deploy(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyDeployment(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CloneRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PullRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::BuildRepo(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::CancelRepoBuild(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyContainer(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopAllContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneContainers(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteNetwork(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneNetworks(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteImage(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneImages(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeleteVolume(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneVolumes(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneDockerBuilders(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneBuildx(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PruneSystem(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RunSync(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeployStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DeployStackIfChanged(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::RestartStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::PauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::UnpauseStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::StopStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::DestroyStack(request) => {
-      komodo_client().execute(request).await
-    }
-    Execution::Sleep(request) => {
-      let duration =
-        Duration::from_millis(request.duration_ms as u64);
-      tokio::time::sleep(duration).await;
-      println!("Finished sleeping!");
-      std::process::exit(0)
-    }
-    Execution::None(_) => unreachable!(),
-  };
-
-  match res {
-    Ok(update) => println!("\n{}: {update:#?}", "SUCCESS".green()),
-    Err(e) => println!("{}\n\n{e:#?}", "ERROR".red()),
-  }
-
-  Ok(())
-}
--- a/bin/cli/src/helpers.rs
+++ b/bin/cli/src/helpers.rs
@@ -1,17 +0,0 @@
-use std::io::Read;
-
-use anyhow::Context;
-use colored::Colorize;
-
-pub fn wait_for_enter(press_enter_to: &str) -> anyhow::Result<()> {
-  println!(
-    "\nPress {} to {}\n",
-    "ENTER".green(),
-    press_enter_to.bold()
-  );
-  let buffer = &mut [0u8];
-  std::io::stdin()
-    .read_exact(buffer)
-    .context("failed to read ENTER")?;
-  Ok(())
-}
--- a/bin/cli/src/main.rs
+++ b/bin/cli/src/main.rs
@@ -1,32 +1,96 @@
 #[macro_use]
 extern crate tracing;

+use anyhow::Context;
 use colored::Colorize;
-use komodo_client::api::read::GetVersion;
+use komodo_client::entities::config::cli::args;

-mod args;
-mod exec;
-mod helpers;
-mod state;
+use crate::config::cli_config;
+
+mod command;
+mod config;
+
+async fn app() -> anyhow::Result<()> {
+  dotenvy::dotenv().ok();
+  mogh_logger::init(&config::cli_config().cli_logging)?;
+  let args = config::cli_args();
+  let env = config::cli_env();
+  let debug_load =
+    args.debug_startup.unwrap_or(env.komodo_cli_debug_startup);
+
+  match &args.command {
+    args::Command::Config {
+      all_profiles,
+      unsanitized,
+    } => {
+      let mut config = if *unsanitized {
+        cli_config().clone()
+      } else {
+        cli_config().sanitized()
+      };
+      if !*all_profiles {
+        config.profile = Default::default();
+      }
+      if debug_load {
+        println!("\n{config:#?}");
+      } else {
+        println!(
+          "\nCLI Config {}",
+          serde_json::to_string_pretty(&config)
+            .context("Failed to serialize config for pretty print")?
+        );
+      }
+      Ok(())
+    }
+    args::Command::Container(container) => {
+      command::container::handle(container).await
+    }
+    args::Command::Inspect(inspect) => {
+      command::container::inspect_container(inspect).await
+    }
+    args::Command::List(list) => command::list::handle(list).await,
+    args::Command::Execute(args) => {
+      command::execute::handle(&args.execution, args.yes).await
+    }
+    args::Command::Update { command } => {
+      command::update::handle(command).await
+    }
+    args::Command::Connect(connect) => {
+      command::terminal::handle_connect(connect).await
+    }
+    args::Command::Exec(exec) => {
+      command::terminal::handle_exec(exec).await
+    }
+    args::Command::Attach(attach) => {
+      command::terminal::handle_attach(attach).await
+    }
+    args::Command::Key { command } => {
+      mogh_pki::cli::handle(command, mogh_pki::PkiKind::Mutual).await
+    }
+    args::Command::Database { command } => {
+      command::database::handle(command).await
+    }
+  }
+}

 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
-  tracing_subscriber::fmt().with_target(false).init();
-
-  info!(
-    "Komodo CLI version: {}",
-    env!("CARGO_PKG_VERSION").blue().bold()
-  );
-
-  let version =
-    state::komodo_client().read(GetVersion {}).await?.version;
-  info!("Komodo Core version: {}", version.blue().bold());
-
-  match &state::cli_args().command {
-    args::Command::Execute { execution } => {
-      exec::run(execution.to_owned()).await?
-    }
+  let mut term_signal = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::terminate(),
+  )?;
+  tokio::select! {
+    res = tokio::spawn(app()) => match res {
+      Ok(Err(e)) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      }
+      Err(e) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      },
+      Ok(_) => {}
+    },
+    _ = term_signal.recv() => {},
  }
-
  Ok(())
 }
--- a/bin/cli/src/state.rs
+++ b/bin/cli/src/state.rs
@@ -1,46 +0,0 @@
-use std::sync::OnceLock;
-
-use clap::Parser;
-use komodo_client::KomodoClient;
-use merge_config_files::parse_config_file;
-
-pub fn cli_args() -> &'static crate::args::CliArgs {
-  static CLI_ARGS: OnceLock<crate::args::CliArgs> = OnceLock::new();
-  CLI_ARGS.get_or_init(crate::args::CliArgs::parse)
-}
-
-pub fn komodo_client() -> &'static KomodoClient {
-  static KOMODO_CLIENT: OnceLock<KomodoClient> = OnceLock::new();
-  KOMODO_CLIENT.get_or_init(|| {
-    let args = cli_args();
-    let crate::args::CredsFile { url, key, secret } =
-      match (&args.url, &args.key, &args.secret) {
-        (Some(url), Some(key), Some(secret)) => {
-          crate::args::CredsFile {
-            url: url.clone(),
-            key: key.clone(),
-            secret: secret.clone(),
-          }
-        }
-        (url, key, secret) => {
-          let mut creds: crate::args::CredsFile =
-            parse_config_file(cli_args().creds.as_str())
-              .expect("failed to parse Komodo credentials");
-
-          if let Some(url) = url {
-            creds.url.clone_from(url);
-          }
-          if let Some(key) = key {
-            creds.key.clone_from(key);
-          }
-          if let Some(secret) = secret {
-            creds.secret.clone_from(secret);
-          }
-
-          creds
-        }
-      };
-    futures::executor::block_on(KomodoClient::new(url, key, secret))
-      .expect("failed to initialize Komodo client")
-  })
-}
--- a/bin/core/Cargo.toml
+++ b/bin/core/Cargo.toml
@@ -15,56 +15,72 @@ path = "src/main.rs"

 [dependencies]
 # local
-komodo_client = { workspace = true, features = ["mongo"] }
+komodo_client = { workspace = true, features = ["core"] }
 periphery_client.workspace = true
-environment_file.workspace = true
+mogh_validations.workspace = true
+interpolate.workspace = true
+mogh_secret_file.workspace = true
 formatting.workspace = true
-logger.workspace = true
+mogh_rate_limit.workspace = true
+transport.workspace = true
+database.workspace = true
+encoding.workspace = true
+command.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
+mogh_cache.workspace = true
+mogh_pki.workspace = true
 git.workspace = true
 # mogh
-serror = { workspace = true, features = ["axum"] }
-merge_config_files.workspace = true
+mogh_error = { workspace = true, features = ["axum"] }
+mogh_auth_client = { workspace = true, features = ["utoipa"] }
+mogh_auth_server.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
-derive_variants.workspace = true
-mongo_indexed.workspace = true
-resolver_api.workspace = true
+mogh_resolver.workspace = true
+mogh_server.workspace = true
 toml_pretty.workspace = true
-mungos.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
-axum-server.workspace = true
-ordered_hash_map.workspace = true
-openidconnect.workspace = true
-urlencoding.workspace = true
+aws-credential-types.workspace = true
+english-to-cron.workspace = true
+data-encoding.workspace = true
+serde_yaml_ng.workspace = true
+utoipa-scalar.workspace = true
+futures-util.workspace = true
 aws-sdk-ec2.workspace = true
+urlencoding.workspace = true
 aws-config.workspace = true
 tokio-util.workspace = true
 axum-extra.workspace = true
-tower-http.workspace = true
 serde_json.workspace = true
-serde_yaml.workspace = true
 typeshare.workspace = true
-octorust.workspace = true
-dashmap.workspace = true
+chrono-tz.workspace = true
+indexmap.workspace = true
+wildcard.workspace = true
+arc-swap.workspace = true
+serde_qs.workspace = true
+colored.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
-futures.workspace = true
-nom_pem.workspace = true
-anyhow.workspace = true
 dotenvy.workspace = true
+anyhow.workspace = true
 bcrypt.workspace = true
-base64.workspace = true
+croner.workspace = true
+chrono.workspace = true
+rustls.workspace = true
+utoipa.workspace = true
+bytes.workspace = true
 tokio.workspace = true
 serde.workspace = true
+strum.workspace = true
 regex.workspace = true
 axum.workspace = true
 toml.workspace = true
 uuid.workspace = true
 envy.workspace = true
-rand.workspace = true
 hmac.workspace = true
 sha2.workspace = true
-jwt.workspace = true
 hex.workspace = true
+url.workspace = true
--- a/bin/core/aio.Dockerfile
+++ b/bin/core/aio.Dockerfile
@@ -0,0 +1,68 @@
+## All in one, multi stage compile + runtime Docker build for your architecture.
+
+# Build Core
+FROM rust:1.93.0-trixie AS core-builder
+RUN cargo install cargo-strip
+
+WORKDIR /builder
+COPY Cargo.toml Cargo.lock ./
+COPY ./lib ./lib
+COPY ./client/core/rs ./client/core/rs
+COPY ./client/periphery ./client/periphery
+COPY ./bin/core ./bin/core
+COPY ./bin/cli ./bin/cli
+
+# Compile app
+RUN cargo build -p komodo_core --release && \
+  cargo build -p komodo_cli --release && \
+  cargo strip
+
+# Build Frontend
+FROM node:22.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+# Final Image
+FROM debian:trixie-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+
+# Setup an application directory
+WORKDIR /app
+
+# Copy
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
+COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+CMD [ "/bin/bash", "-c", "update-ca-certificates && core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/alpine.Dockerfile
+++ b/bin/core/alpine.Dockerfile
@@ -1,45 +0,0 @@
-## This one produces smaller images,
-## but alpine uses `musl` instead of `glibc`.
-## This makes it take longer / more resources to build,
-## and may negatively affect runtime performance.
-
-# Build Core
-FROM rust:1.81.0-alpine AS core-builder
-WORKDIR /builder
-RUN apk update && apk --no-cache add musl-dev openssl-dev openssl-libs-static
-COPY . .
-RUN cargo build -p komodo_core --release
-
-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
-WORKDIR /builder
-COPY ./frontend ./frontend
-COPY ./client/core/ts ./client
-RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link @komodo/client && yarn && yarn build
-
-# Final Image
-FROM alpine:3.20
-
-# Install Deps
-RUN apk update && apk add --no-cache --virtual .build-deps \
-	openssl ca-certificates git git-lfs
-
-# Setup an application directory
-WORKDIR /app
-
-# Copy
-COPY ./config/core.config.toml /config/config.toml
-COPY --from=core-builder /builder/target/release/core /app
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
-
-# Hint at the port
-EXPOSE 9120 
-
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
-
-# Using ENTRYPOINT allows cli args to be passed, eg using "command" in docker compose.
-ENTRYPOINT [ "/app/core" ]
--- a/bin/core/debian-deps.sh
+++ b/bin/core/debian-deps.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+## Core deps installer
+
+apt-get update
+apt-get install -y git curl ca-certificates iproute2
+
+rm -rf /var/lib/apt/lists/*
+
+# Starship prompt
+curl -sS https://starship.rs/install.sh | sh -s -- --yes --bin-dir /usr/local/bin
+echo 'export STARSHIP_CONFIG=/starship.toml' >> /root/.bashrc
+echo 'eval "$(starship init bash)"' >> /root/.bashrc
+
--- a/bin/core/debian.Dockerfile
+++ b/bin/core/debian.Dockerfile
@@ -1,39 +0,0 @@
-# Build Core
-FROM rust:1.81.0-bullseye AS core-builder
-WORKDIR /builder
-COPY . .
-RUN cargo build -p komodo_core --release
-
-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
-WORKDIR /builder
-COPY ./frontend ./frontend
-COPY ./client/core/ts ./client
-RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link @komodo/client && yarn && yarn build
-
-# Final Image
-FROM debian:bullseye-slim
-
-# Install Deps
-RUN apt update && \
-	apt install -y git ca-certificates && \
-	rm -rf /var/lib/apt/lists/*
-
-# Setup an application directory
-WORKDIR /app
-	
-# Copy
-COPY ./config/core.config.toml /config/config.toml
-COPY --from=core-builder /builder/target/release/core /app
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
-
-# Hint at the port
-EXPOSE 9120
-
-# Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/mbecker20/komodo
-LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
-
-ENTRYPOINT [ "/app/core" ]
--- a/bin/core/multi-arch.Dockerfile
+++ b/bin/core/multi-arch.Dockerfile
@@ -0,0 +1,65 @@
+## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG FRONTEND_IMAGE=ghcr.io/moghtech/komodo-frontend:latest
+ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
+ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64
+
+# This is required to work with COPY --from
+FROM ${X86_64_BINARIES} AS x86_64
+FROM ${AARCH64_BINARIES} AS aarch64
+FROM ${FRONTEND_IMAGE} AS frontend
+
+# Final Image
+FROM debian:trixie-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+
+WORKDIR /app
+
+ARG TARGETPLATFORM
+
+# Copy both binaries initially, but only keep appropriate one for the TARGETPLATFORM.
+COPY --from=x86_64 /core /app/core/linux/amd64
+COPY --from=aarch64 /core /app/core/linux/arm64
+RUN mv /app/core/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/core
+
+# Same for km
+COPY --from=x86_64 /km /app/km/linux/amd64
+COPY --from=aarch64 /km /app/km/linux/arm64
+RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km
+
+# Copy default config / static frontend / deno binary
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend /frontend /app/frontend
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+  cd /action-cache && \
+  deno install jsr:@std/yaml jsr:@std/toml
+
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+ENTRYPOINT [ "entrypoint.sh" ]
+CMD [ "core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/single-arch.Dockerfile
+++ b/bin/core/single-arch.Dockerfile
@@ -0,0 +1,54 @@
+## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
+## Sets up the necessary runtime container dependencies for Komodo Core.
+
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+
+# This is required to work with COPY --from
+FROM ${BINARIES_IMAGE} AS binaries
+
+# Build Frontend
+FROM node:22.12-alpine AS frontend-builder
+WORKDIR /builder
+COPY ./frontend ./frontend
+COPY ./client/core/ts ./client
+RUN cd client && yarn && yarn build && yarn link
+RUN cd frontend && yarn link komodo_client && yarn && yarn build
+
+FROM debian:trixie-slim
+
+COPY ./bin/core/starship.toml /starship.toml
+COPY ./bin/core/debian-deps.sh .
+RUN sh ./debian-deps.sh && rm ./debian-deps.sh
+	
+# Copy
+COPY ./config/core.config.toml /config/.default.config.toml
+COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=binaries /core /usr/local/bin/core
+COPY --from=binaries /km /usr/local/bin/km
+COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
+
+# Set $DENO_DIR and preload external Deno deps
+ENV DENO_DIR=/action-cache/deno
+RUN mkdir /action-cache && \
+	cd /action-cache && \
+	deno install jsr:@std/yaml jsr:@std/toml
+
+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+# Hint at the port
+EXPOSE 9120
+
+ENV KOMODO_CLI_CONFIG_PATHS="/config"
+# This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
+ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"
+
+ENTRYPOINT [ "entrypoint.sh" ]
+CMD [ "core" ]
+
+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
+# Label for Ghcr
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
+LABEL org.opencontainers.image.description="Komodo Core"
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/src/alert/discord.rs
+++ b/bin/core/src/alert/discord.rs
@@ -4,13 +4,58 @@ use serde::Serialize;

 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  alert: &Alert,
 ) -> anyhow::Result<()> {
  let level = fmt_level(alert.level);
  let content = match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
+      )
+    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | Swarm **{name}** is now **healthy**\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | Swarm **{name}** is **unhealthy** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | **{name}**{region} | Version mismatch detected ⚠️\nPeriphery: **{server_version}** | Core: **{core_version}**\n{link}"
+          )
+        }
+      }
+    }
    AlertData::ServerUnreachable {
      id,
      name,
@@ -22,7 +67,7 @@ pub async fn send_alert(
      match alert.level {
        SeverityLevel::Ok => {
          format!(
-            "{level} | *{name}*{region} is now *reachable*\n{link}"
+            "{level} | **{name}**{region} is now **connected**\n{link}"
          )
        }
        SeverityLevel::Critical => {
@@ -31,7 +76,7 @@ pub async fn send_alert(
            .map(|e| format!("\n**error**: {e:#?}"))
            .unwrap_or_default();
          format!(
-            "{level} | *{name}*{region} is *unreachable* ❌\n{link}{err}"
+            "{level} | **{name}**{region} is **unreachable** ❌\n{link}{err}"
          )
        }
        _ => unreachable!(),
@@ -46,7 +91,7 @@ pub async fn send_alert(
      let region = fmt_region(region);
      let link = resource_link(ResourceTargetVariant::Server, id);
      format!(
-        "{level} | *{name}*{region} cpu usage at *{percentage:.1}%*\n{link}"
+        "{level} | **{name}**{region} cpu usage at **{percentage:.1}%**\n{link}"
      )
    }
    AlertData::ServerMem {
@@ -60,7 +105,7 @@ pub async fn send_alert(
      let link = resource_link(ResourceTargetVariant::Server, id);
      let percentage = 100.0 * used_gb / total_gb;
      format!(
-        "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾\n\nUsing *{used_gb:.1} GiB* / *{total_gb:.1} GiB*\n{link}"
+        "{level} | **{name}**{region} memory usage at **{percentage:.1}%** 💾\n\nUsing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
      )
    }
    AlertData::ServerDisk {
@@ -75,12 +120,14 @@ pub async fn send_alert(
      let link = resource_link(ResourceTargetVariant::Server, id);
      let percentage = 100.0 * used_gb / total_gb;
      format!(
-        "{level} | *{name}*{region} disk usage at *{percentage:.1}%* 💿\nmount point: `{path:?}`\nusing *{used_gb:.1} GiB* / *{total_gb:.1} GiB*\n{link}"
+        "{level} | **{name}**{region} disk usage at **{percentage:.1}%** 💿\nmount point: `{path:?}`\nusing **{used_gb:.1} GiB** / **{total_gb:.1} GiB**\n{link}"
      )
    }
    AlertData::ContainerStateChange {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      from,
@@ -88,11 +135,64 @@ pub async fn send_alert(
    } => {
      let link = resource_link(ResourceTargetVariant::Deployment, id);
      let to = fmt_docker_container_state(to);
-      format!("📦 Deployment *{name}* is now {to}\nserver: {server_name}\nprevious: {from}\n{link}")
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "📦 Deployment **{name}** is now **{to}**{target}\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Deployment **{name}** has an update available{target}\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Deployment **{name}** was updated automatically ⏫{target}\nimage: **{image}**\n{link}"
+      )
    }
    AlertData::StackStateChange {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      from,
@@ -100,35 +200,145 @@ pub async fn send_alert(
    } => {
      let link = resource_link(ResourceTargetVariant::Stack, id);
      let to = fmt_stack_state(to);
-      format!("🥞 Stack *{name}* is now {to}\nserver: {server_name}\nprevious: {from}\n{link}")
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "🥞 Stack **{name}** is now {to}{target}\nprevious: **{from}**\n{link}"
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Stack **{name}** has an update available{target}\nservice: **{service}**\nimage: **{image}**\n{link}"
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Stack **{name}** was updated automatically ⏫{target}\n{images_label}: **{images}**\n{link}"
+      )
    }
    AlertData::AwsBuilderTerminationFailed {
      instance_id,
      message,
    } => {
-      format!("{level} | Failed to terminated AWS builder instance\ninstance id: *{instance_id}*\n{message}")
+      format!(
+        "{level} | Failed to terminated AWS builder instance\ninstance id: **{instance_id}**\n{message}"
+      )
    }
    AlertData::ResourceSyncPendingUpdates { id, name } => {
      let link =
        resource_link(ResourceTargetVariant::ResourceSync, id);
      format!(
-        "{level} | Pending resource sync updates on *{name}*\n{link}"
+        "{level} | Pending resource sync updates on **{name}**\n{link}"
      )
    }
    AlertData::BuildFailed { id, name, version } => {
      let link = resource_link(ResourceTargetVariant::Build, id);
-      format!("{level} | Build *{name}* failed\nversion: v{version}\n{link}")
+      format!(
+        "{level} | Build **{name}** failed\nversion: **v{version}**\n{link}"
+      )
    }
    AlertData::RepoBuildFailed { id, name } => {
      let link = resource_link(ResourceTargetVariant::Repo, id);
-      format!("{level} | Repo build for *{name}* failed\n{link}")
+      format!("{level} | Repo build for **{name}** failed\n{link}")
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure **{name}** failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action **{name}** failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | **{name}** ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
    }
    AlertData::None {} => Default::default(),
  };
-  if !content.is_empty() {
-    send_message(url, &content).await?;
+
+  if content.is_empty() {
+    return Ok(());
  }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, &content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request to Discord: {sanitized_error}"
+      ))
+    })
 }

 async fn send_message(
--- a/bin/core/src/alert/mod.rs
+++ b/bin/core/src/alert/mod.rs
@@ -1,20 +1,25 @@
-use ::slack::types::Block;
-use anyhow::{anyhow, Context};
-use derive_variants::ExtractVariant;
-use futures::future::join_all;
+use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
+use futures_util::future::join_all;
+use interpolate::Interpolator;
 use komodo_client::entities::{
-  alert::{Alert, AlertData, SeverityLevel},
+  ResourceTargetVariant,
+  alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
  alerter::*,
  deployment::DeploymentState,
+  komodo_timestamp,
  stack::StackState,
-  ResourceTargetVariant,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
-use tracing::Instrument;

+use crate::helpers::query::get_variables_and_secrets;
+use crate::helpers::{
+  maintenance::is_in_maintenance, query::VariablesAndSecrets,
+};
 use crate::{config::core_config, state::db_client};

 mod discord;
+mod ntfy;
+mod pushover;
 mod slack;

 pub async fn send_alerts(alerts: &[Alert]) {
@@ -22,49 +27,67 @@ pub async fn send_alerts(alerts: &[Alert]) {
    return;
  }

-  let span =
-    info_span!("send_alerts", alerts = format!("{alerts:?}"));
-  async {
-    let Ok(alerters) = find_collect(
-      &db_client().alerters,
-      doc! { "config.enabled": true },
-      None,
-    )
-    .await
-    .inspect_err(|e| {
-      error!(
+  let Ok(alerters) = find_collect(
+    &db_client().alerters,
+    doc! { "config.enabled": true },
+    None,
+  )
+  .await
+  .inspect_err(|e| {
+    error!(
      "ERROR sending alerts | failed to get alerters from db | {e:#}"
    )
-    }) else {
-      return;
-    };
+  }) else {
+    return;
+  };

-    let handles =
-      alerts.iter().map(|alert| send_alert(&alerters, alert));
+  let handles = alerts
+    .iter()
+    .map(|alert| send_alert_to_alerters(&alerters, alert));

-    join_all(handles).await;
-  }
-  .instrument(span)
-  .await
+  join_all(handles).await;
 }

-#[instrument(level = "debug")]
-async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+async fn send_alert_to_alerters(alerters: &[Alerter], alert: &Alert) {
  if alerters.is_empty() {
    return;
  }

-  let alert_type = alert.data.extract_variant();
+  let handles = alerters
+    .iter()
+    .map(|alerter| send_alert_to_alerter(alerter, alert));

-  let handles = alerters.iter().map(|alerter| async {
-    // Don't send if not enabled
-    if !alerter.config.enabled {
-      return Ok(());
-    }
+  join_all(handles)
+    .await
+    .into_iter()
+    .filter_map(|res| res.err())
+    .for_each(|e| error!("{e:#}"));
+}

+pub async fn send_alert_to_alerter(
+  alerter: &Alerter,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  // Don't send if not enabled
+  if !alerter.config.enabled {
+    return Ok(());
+  }
+
+  if is_in_maintenance(
+    &alerter.config.maintenance_windows,
+    komodo_timestamp(),
+  ) {
+    return Ok(());
+  }
+
+  let alert_variant: AlertDataVariant = (&alert.data).into();
+
+  // In the test case, we don't want the filters inside this
+  // block to stop the test from being sent to the alerting endpoint.
+  if alert_variant != AlertDataVariant::Test {
    // Don't send if alert type not configured on the alerter
    if !alerter.config.alert_types.is_empty()
-      && !alerter.config.alert_types.contains(&alert_type)
+      && !alerter.config.alert_types.contains(&alert_variant)
    {
      return Ok(());
    }
@@ -80,52 +103,83 @@ async fn send_alert(alerters: &[Alerter], alert: &Alert) {
    {
      return Ok(());
    }
+  }

-    match &alerter.config.endpoint {
-      AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
-        send_custom_alert(url, alert).await.with_context(|| {
-          format!(
-            "failed to send alert to custom alerter {}",
-            alerter.name
-          )
-        })
-      }
-      AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
-        slack::send_alert(url, alert).await.with_context(|| {
-          format!(
-            "failed to send alert to slack alerter {}",
-            alerter.name
-          )
-        })
-      }
-      AlerterEndpoint::Discord(DiscordAlerterEndpoint { url }) => {
-        discord::send_alert(url, alert).await.with_context(|| {
-          format!(
-            "failed to send alert to Discord alerter {}",
-            alerter.name
-          )
-        })
-      }
+  match &alerter.config.endpoint {
+    AlerterEndpoint::Custom(CustomAlerterEndpoint { url }) => {
+      send_custom_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Custom Alerter {}",
+          alerter.name
+        )
+      })
    }
-  });
-
-  join_all(handles)
-    .await
-    .into_iter()
-    .filter_map(|res| res.err())
-    .for_each(|e| error!("{e:#}"));
+    AlerterEndpoint::Slack(SlackAlerterEndpoint { url }) => {
+      slack::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Slack Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Discord(DiscordAlerterEndpoint { url }) => {
+      discord::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Discord Alerter {}",
+          alerter.name
+        )
+      })
+    }
+    AlerterEndpoint::Ntfy(NtfyAlerterEndpoint { url, email }) => {
+      ntfy::send_alert(url, email.as_deref(), alert)
+        .await
+        .with_context(|| {
+          format!(
+            "Failed to send alert to ntfy Alerter {}",
+            alerter.name
+          )
+        })
+    }
+    AlerterEndpoint::Pushover(PushoverAlerterEndpoint { url }) => {
+      pushover::send_alert(url, alert).await.with_context(|| {
+        format!(
+          "Failed to send alert to Pushover Alerter {}",
+          alerter.name
+        )
+      })
+    }
+  }
 }

-#[instrument(level = "debug")]
 async fn send_custom_alert(
  url: &str,
  alert: &Alert,
 ) -> anyhow::Result<()> {
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
  let res = reqwest::Client::new()
-    .post(url)
+    .post(url_interpolated)
    .json(alert)
    .send()
    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request: {sanitized_error}"
+      ))
+    })
    .context("failed at post request to alerter")?;
  let status = res.status();
  if !status.is_success() {
@@ -179,35 +233,314 @@ fn resource_link(
  resource_type: ResourceTargetVariant,
  id: &str,
 ) -> String {
-  let path = match resource_type {
-    ResourceTargetVariant::System => unreachable!(),
-    ResourceTargetVariant::Build => format!("/builds/{id}"),
-    ResourceTargetVariant::Builder => {
-      format!("/builders/{id}")
-    }
-    ResourceTargetVariant::Deployment => {
-      format!("/deployments/{id}")
-    }
-    ResourceTargetVariant::Stack => {
-      format!("/stacks/{id}")
-    }
-    ResourceTargetVariant::Server => {
-      format!("/servers/{id}")
-    }
-    ResourceTargetVariant::Repo => format!("/repos/{id}"),
-    ResourceTargetVariant::Alerter => {
-      format!("/alerters/{id}")
-    }
-    ResourceTargetVariant::Procedure => {
-      format!("/procedures/{id}")
-    }
-    ResourceTargetVariant::ServerTemplate => {
-      format!("/server-templates/{id}")
-    }
-    ResourceTargetVariant::ResourceSync => {
-      format!("/resource-syncs/{id}")
-    }
-  };
-
-  format!("{}{path}", core_config().host)
+  komodo_client::entities::resource_link(
+    &core_config().host,
+    resource_type,
+    id,
+  )
+}
+
+/// Standard message content format
+/// used by Ntfy, Pushover.
+fn standard_alert_content(alert: &Alert) -> String {
+  let level = fmt_level(alert.level);
+  match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {name} is working\n{link}",
+      )
+    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | Swarm {name} is now healthy\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          format!("{level} | Swarm {name} is unhealthy ❌\n{link}{err}")
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {name}{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | {name}{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | {name}{region} is now connected\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "📦Deployment {name} is now {to_state}{target}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Deployment {name} has an update available{target}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Deployment {name} was updated automatically{target}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "🥞 Stack {name} is now {to_state}{target}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Stack {name} has an update available{target}\nservice: {service}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        format!("")
+      };
+      format!(
+        "⬆ Stack {name} was updated automatically ⏫{target}\n{images_label}: {images_str}\n{link}",
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {name}\n{link}",
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {name} failed\nversion: v{version}\n{link}",
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {name} failed\n{link}",)
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure {name} failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action {name} failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  }
 }
--- a/bin/core/src/alert/ntfy.rs
+++ b/bin/core/src/alert/ntfy.rs
@@ -0,0 +1,75 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+pub async fn send_alert(
+  url: &str,
+  email: Option<&str>,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
+  }
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, email, content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request to Ntfy: {sanitized_error}"
+      ))
+    })
+}
+
+async fn send_message(
+  url: &str,
+  email: Option<&str>,
+  content: String,
+) -> anyhow::Result<()> {
+  let mut request = http_client()
+    .post(url)
+    .header("Title", "Komodo Alert")
+    .body(content);
+
+  if let Some(email) = email {
+    request = request.header("X-Email", email);
+  }
+
+  let response =
+    request.send().await.context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("ntfy alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to ntfy | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to ntfy | {status} | {text}",
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}
--- a/bin/core/src/alert/pushover.rs
+++ b/bin/core/src/alert/pushover.rs
@@ -0,0 +1,74 @@
+use std::sync::OnceLock;
+
+use super::*;
+
+pub async fn send_alert(
+  url: &str,
+  alert: &Alert,
+) -> anyhow::Result<()> {
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
+  }
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, content).await.map_err(|e| {
+    let replacers = interpolator
+      .secret_replacers
+      .into_iter()
+      .collect::<Vec<_>>();
+    let sanitized_error =
+      svi::replace_in_string(&format!("{e:?}"), &replacers);
+    anyhow::Error::msg(format!(
+      "Error with request to Pushover: {sanitized_error}"
+    ))
+  })
+}
+
+async fn send_message(
+  url: &str,
+  content: String,
+) -> anyhow::Result<()> {
+  // pushover needs all information to be encoded in the URL. At minimum they need
+  // the user key, the application token, and the message (url encoded).
+  // other optional params here: https://pushover.net/api (just add them to the
+  // webhook url along with the application token and the user key).
+  let content = [("message", content)];
+
+  let response = http_client()
+    .post(url)
+    .form(&content)
+    .send()
+    .await
+    .context("Failed to send message")?;
+
+  let status = response.status();
+  if status.is_success() {
+    debug!("pushover alert sent successfully: {}", status);
+    Ok(())
+  } else {
+    let text = response.text().await.with_context(|| {
+      format!(
+        "Failed to send message to pushover | {status} | failed to get response text"
+      )
+    })?;
+    Err(anyhow!(
+      "Failed to send message to pushover | {} | {}",
+      status,
+      text
+    ))
+  }
+}
+
+fn http_client() -> &'static reqwest::Client {
+  static CLIENT: OnceLock<reqwest::Client> = OnceLock::new();
+  CLIENT.get_or_init(reqwest::Client::new)
+}
--- a/bin/core/src/alert/slack.rs
+++ b/bin/core/src/alert/slack.rs
@@ -1,12 +1,93 @@
+use ::slack::types::OwnedBlock as Block;
+
 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  alert: &Alert,
 ) -> anyhow::Result<()> {
  let level = fmt_level(alert.level);
  let (text, blocks): (_, Option<_>) = match &alert.data {
+    AlertData::Test { id, name } => {
+      let text = format!(
+        "{level} | If you see this message, then Alerter *{name}* is *working*"
+      );
+      let blocks = vec![
+        Block::header(level),
+        Block::section(format!(
+          "If you see this message, then Alerter *{name}* is *working*"
+        )),
+        Block::section(resource_link(
+          ResourceTargetVariant::Alerter,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text =
+            format!("{level} | Swarm *{name}* is now *healthy*");
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is now *healthy*"
+            )),
+          ];
+          (text, blocks.into())
+        }
+        SeverityLevel::Critical => {
+          let text =
+            format!("{level} | Swarm *{name}* is *unhealthy* ❌");
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is *unhealthy* ❌{err}"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let text = match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | *{name}*{region} | Periphery version now matches Core version ✅"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | *{name}*{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}"
+          )
+        }
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Server,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
    AlertData::ServerUnreachable {
      id,
      name,
@@ -17,11 +98,11 @@ pub async fn send_alert(
      match alert.level {
        SeverityLevel::Ok => {
          let text =
-            format!("{level} | *{name}*{region} is now *reachable*");
+            format!("{level} | *{name}*{region} is now *connected*");
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
-              "*{name}*{region} is now *reachable*"
+              "*{name}*{region} is now *connected*"
            )),
          ];
          (text, blocks.into())
@@ -57,7 +138,9 @@ pub async fn send_alert(
      let region = fmt_region(region);
      match alert.level {
        SeverityLevel::Ok => {
-          let text = format!("{level} | *{name}*{region} cpu usage at *{percentage:.1}%*");
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%*"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -71,7 +154,9 @@ pub async fn send_alert(
          (text, blocks.into())
        }
        _ => {
-          let text = format!("{level} | *{name}*{region} cpu usage at *{percentage:.1}%* 📈");
+          let text = format!(
+            "{level} | *{name}*{region} cpu usage at *{percentage:.1}%* 📈"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -97,7 +182,9 @@ pub async fn send_alert(
      let percentage = 100.0 * used_gb / total_gb;
      match alert.level {
        SeverityLevel::Ok => {
-          let text = format!("{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾");
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -114,7 +201,9 @@ pub async fn send_alert(
          (text, blocks.into())
        }
        _ => {
-          let text = format!("{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾");
+          let text = format!(
+            "{level} | *{name}*{region} memory usage at *{percentage:.1}%* 💾"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -144,7 +233,9 @@ pub async fn send_alert(
      let percentage = 100.0 * used_gb / total_gb;
      match alert.level {
        SeverityLevel::Ok => {
-          let text = format!("{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿");
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -153,12 +244,17 @@ pub async fn send_alert(
            Block::section(format!(
              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
            )),
-            Block::section(resource_link(ResourceTargetVariant::Server, id)),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
          ];
          (text, blocks.into())
        }
        _ => {
-          let text = format!("{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿");
+          let text = format!(
+            "{level} | *{name}*{region} disk usage at *{percentage:.1}%* | mount point: *{path:?}* 💿"
+          );
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
@@ -167,7 +263,10 @@ pub async fn send_alert(
            Block::section(format!(
              "mount point: {path:?} | using *{used_gb:.1} GiB* / *{total_gb:.1} GiB*"
            )),
-            Block::section(resource_link(ResourceTargetVariant::Server, id)),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
          ];
          (text, blocks.into())
        }
@@ -175,19 +274,82 @@ pub async fn send_alert(
    }
    AlertData::ContainerStateChange {
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
      server_name,
      from,
      to,
      id,
-      ..
    } => {
      let to = fmt_docker_container_state(to);
-      let text = format!("📦 Container *{name}* is now {to}");
+      let text = format!("📦 Container *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: {server_name}\nprevious: {from}",
+        Block::section(format!("{target}previous: {from}",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!("{target}image: *{image}*",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Deployment,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let text =
+        format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!("{target}image: *{image}*",)),
        Block::section(resource_link(
          ResourceTargetVariant::Deployment,
          id,
@@ -197,18 +359,55 @@ pub async fn send_alert(
    }
    AlertData::StackStateChange {
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
      server_name,
      from,
      to,
      id,
-      ..
    } => {
      let to = fmt_stack_state(to);
-      let text = format!("🥞 Stack *{name}* is now {to}");
+      let text = format!("🥞 Stack *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(format!("{target}previous: *{from}*",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let text = format!("⬆ Stack *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
      let blocks = vec![
        Block::header(text.clone()),
        Block::section(format!(
-          "server: {server_name}\nprevious: {from}",
+          "{target}service: *{service}*\nimage: *{image}*",
        )),
        Block::section(resource_link(
          ResourceTargetVariant::Stack,
@@ -217,6 +416,39 @@ pub async fn send_alert(
      ];
      (text, blocks.into())
    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let text =
+        format!("⬆ Stack *{name}* was updated automatically ⏫");
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        format!("")
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(
+          format!("{target}{images_label}: *{images}*",),
+        ),
+        Block::section(resource_link(
+          ResourceTargetVariant::Stack,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
    AlertData::AwsBuilderTerminationFailed {
      instance_id,
      message,
@@ -233,8 +465,9 @@ pub async fn send_alert(
      (text, blocks.into())
    }
    AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let text =
-        format!("{level} | Pending resource sync updates on {name}");
+      let text = format!(
+        "{level} | Pending resource sync updates on *{name}*"
+      );
      let blocks = vec![
        Block::header(text.clone()),
        Block::section(format!(
@@ -251,21 +484,19 @@ pub async fn send_alert(
      let text = format!("{level} | Build {name} has failed");
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "build id: *{id}*\nbuild name: *{name}*\nversion: v{version}",
+        Block::section(format!("version: *v{version}*",)),
+        Block::section(resource_link(
+          ResourceTargetVariant::Build,
+          id,
        )),
-        Block::section(resource_link(ResourceTargetVariant::Build, id))
      ];
      (text, blocks.into())
    }
    AlertData::RepoBuildFailed { id, name } => {
      let text =
-        format!("{level} | Repo build for {name} has failed");
+        format!("{level} | Repo build for *{name}* has *failed*");
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "repo id: *{id}*\nrepo name: *{name}*",
-        )),
        Block::section(resource_link(
          ResourceTargetVariant::Repo,
          id,
@@ -273,11 +504,76 @@ pub async fn send_alert(
      ];
      (text, blocks.into())
    }
+    AlertData::ProcedureFailed { id, name } => {
+      let text = format!("{level} | Procedure *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Procedure,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ActionFailed { id, name } => {
+      let text = format!("{level} | Action *{name}* has *failed*");
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Action,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let text = format!(
+        "{level} | *{name}* ({resource_type}) | Scheduled run started 🕝"
+      );
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(*resource_type, id)),
+      ];
+      (text, blocks.into())
+    }
+    AlertData::Custom { message, details } => {
+      let text = format!("{level} | {message}");
+      let blocks =
+        vec![Block::header(text.clone()), Block::section(details)];
+      (text, blocks.into())
+    }
    AlertData::None {} => Default::default(),
  };
-  if !text.is_empty() {
-    let slack = ::slack::Client::new(url);
-    slack.send_message(text, blocks).await?;
+  if text.is_empty() {
+    return Ok(());
  }
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  let slack = ::slack::Client::new(url_interpolated);
+  slack
+    .send_owned_message_single(&text, None, blocks.as_deref())
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request to Slack: {sanitized_error}"
+      ))
+    })?;
  Ok(())
 }
--- a/bin/core/src/api/auth.rs
+++ b/bin/core/src/api/auth.rs
@@ -1,149 +0,0 @@
-use std::{sync::OnceLock, time::Instant};
-
-use anyhow::anyhow;
-use axum::{http::HeaderMap, routing::post, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
-use komodo_client::{api::auth::*, entities::user::User};
-use reqwest::StatusCode;
-use resolver_api::{derive::Resolver, Resolve, Resolver};
-use serde::{Deserialize, Serialize};
-use serror::{AddStatusCode, Json};
-use typeshare::typeshare;
-use uuid::Uuid;
-
-use crate::{
-  auth::{
-    get_user_id_from_headers,
-    github::{self, client::github_oauth_client},
-    google::{self, client::google_oauth_client},
-    oidc,
-  },
-  config::core_config,
-  helpers::query::get_user,
-  state::{jwt_client, State},
-};
-
-#[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(HeaderMap)]
-#[serde(tag = "type", content = "params")]
-#[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
-pub enum AuthRequest {
-  GetLoginOptions(GetLoginOptions),
-  CreateLocalUser(CreateLocalUser),
-  LoginLocalUser(LoginLocalUser),
-  ExchangeForJwt(ExchangeForJwt),
-  GetUser(GetUser),
-}
-
-pub fn router() -> Router {
-  let mut router = Router::new().route("/", post(handler));
-
-  if core_config().local_auth {
-    info!("🔑 Local Login Enabled");
-  }
-
-  if github_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
-    router = router.nest("/github", github::router())
-  }
-
-  if google_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
-    router = router.nest("/google", google::router())
-  }
-
-  if core_config().oidc_enabled {
-    info!("🔑 OIDC Login Enabled");
-    router = router.nest("/oidc", oidc::router())
-  }
-
-  router
-}
-
-#[instrument(name = "AuthHandler", level = "debug", skip(headers))]
-async fn handler(
-  headers: HeaderMap,
-  Json(request): Json<AuthRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
-  let timer = Instant::now();
-  let req_id = Uuid::new_v4();
-  debug!("/auth request {req_id} | METHOD: {}", request.req_type());
-  let res = State.resolve_request(request, headers).await.map_err(
-    |e| match e {
-      resolver_api::Error::Serialization(e) => {
-        anyhow!("{e:?}").context("response serialization error")
-      }
-      resolver_api::Error::Inner(e) => e,
-    },
-  );
-  if let Err(e) = &res {
-    debug!("/auth request {req_id} | error: {e:#}");
-  }
-  let elapsed = timer.elapsed();
-  debug!("/auth request {req_id} | resolve time: {elapsed:?}");
-  Ok((
-    TypedHeader(ContentType::json()),
-    res.status_code(StatusCode::UNAUTHORIZED)?,
-  ))
-}
-
-fn login_options_reponse() -> &'static GetLoginOptionsResponse {
-  static GET_LOGIN_OPTIONS_RESPONSE: OnceLock<
-    GetLoginOptionsResponse,
-  > = OnceLock::new();
-  GET_LOGIN_OPTIONS_RESPONSE.get_or_init(|| {
-    let config = core_config();
-    GetLoginOptionsResponse {
-      local: config.local_auth,
-      github: config.github_oauth.enabled
-        && !config.github_oauth.id.is_empty()
-        && !config.github_oauth.secret.is_empty(),
-      google: config.google_oauth.enabled
-        && !config.google_oauth.id.is_empty()
-        && !config.google_oauth.secret.is_empty(),
-      oidc: config.oidc_enabled
-        && !config.oidc_provider.is_empty()
-        && !config.oidc_client_id.is_empty()
-        && !config.oidc_client_secret.is_empty(),
-      registration_disabled: config.disable_user_registration,
-    }
-  })
-}
-
-impl Resolve<GetLoginOptions, HeaderMap> for State {
-  #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
-  async fn resolve(
-    &self,
-    _: GetLoginOptions,
-    _: HeaderMap,
-  ) -> anyhow::Result<GetLoginOptionsResponse> {
-    Ok(*login_options_reponse())
-  }
-}
-
-impl Resolve<ExchangeForJwt, HeaderMap> for State {
-  #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
-  async fn resolve(
-    &self,
-    ExchangeForJwt { token }: ExchangeForJwt,
-    _: HeaderMap,
-  ) -> anyhow::Result<ExchangeForJwtResponse> {
-    let jwt = jwt_client().redeem_exchange_token(&token).await?;
-    let res = ExchangeForJwtResponse { jwt };
-    Ok(res)
-  }
-}
-
-impl Resolve<GetUser, HeaderMap> for State {
-  #[instrument(name = "GetUser", level = "debug", skip(self))]
-  async fn resolve(
-    &self,
-    GetUser {}: GetUser,
-    headers: HeaderMap,
-  ) -> anyhow::Result<User> {
-    let user_id = get_user_id_from_headers(&headers).await?;
-    get_user(&user_id).await
-  }
-}
--- a/bin/core/src/api/execute/action.rs
+++ b/bin/core/src/api/execute/action.rs
@@ -0,0 +1,457 @@
+use std::{
+  collections::HashSet,
+  path::{Path, PathBuf},
+  sync::OnceLock,
+};
+
+use anyhow::Context;
+use command::run_komodo_standard_command;
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use interpolate::Interpolator;
+use komodo_client::{
+  api::execute::{BatchExecutionResponse, BatchRunAction, RunAction},
+  entities::{
+    FileFormat, JsonObject,
+    action::Action,
+    alert::{Alert, AlertData, SeverityLevel},
+    config::core::CoreConfig,
+    komodo_timestamp,
+    permission::PermissionLevel,
+    random_string,
+    update::Update,
+    user::action_user,
+  },
+  parsers::parse_key_value_list,
+};
+use mogh_auth_client::api::manage::{
+  CreateApiKey, CreateApiKeyResponse,
+};
+use mogh_auth_server::api::manage::api_key::{
+  create_api_key, delete_api_key,
+};
+use mogh_config::merge_objects;
+use mogh_resolver::Resolve;
+use tokio::fs;
+
+use crate::{
+  alert::send_alerts,
+  api::execute::ExecuteRequest,
+  auth::KomodoAuthImpl,
+  config::core_config,
+  helpers::{
+    query::{VariablesAndSecrets, get_variables_and_secrets},
+    update::update_update,
+  },
+  permission::get_check_permissions,
+  resource::refresh_action_state_cache,
+  state::{action_states, db_client},
+};
+
+use super::ExecuteArgs;
+
+impl super::BatchExecute for BatchRunAction {
+  type Resource = Action;
+  fn single_request(action: String) -> ExecuteRequest {
+    ExecuteRequest::RunAction(RunAction {
+      action,
+      args: Default::default(),
+    })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunAction {
+  #[instrument(
+    "BatchRunAction",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunAction>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunAction {
+  #[instrument(
+    "RunAction",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      action = self.action,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let mut action = get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    // get the action state for the action (or insert default).
+    let action_state = action_states()
+      .action
+      .get_or_insert_default(&action.id)
+      .await;
+
+    // This will set action state back to default when dropped.
+    // Will also check to ensure action not already busy before updating.
+    let _action_guard = action_state.update_custom(
+      |state| state.running += 1,
+      |state| state.running -= 1,
+      false,
+    )?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let default_args = parse_action_arguments(
+      &action.config.arguments,
+      action.config.arguments_format,
+    )
+    .context("Failed to parse default Action arguments")?;
+
+    let args = merge_objects(
+      default_args,
+      self.args.unwrap_or_default(),
+      true,
+      true,
+    )
+    .context("Failed to merge request args with default args")?;
+
+    let args = serde_json::to_string(&args)
+      .context("Failed to serialize action run arguments")?;
+
+    let CreateApiKeyResponse { key, secret } = create_api_key(
+      &KomodoAuthImpl,
+      action_user().id.clone(),
+      CreateApiKey {
+        name: update.id.clone(),
+        expires: 0,
+      },
+    )
+    .await?;
+
+    // Do next steps in seperate error handling block,
+    // and delete the API key before unwrapping the error.
+    // If Komodo shuts down during these steps, there will
+    // be a dangling api key in the DB with user_id: "000000000000000000000002".
+    // These need to be
+    let res = async {
+      let contents = &mut action.config.file_contents;
+
+      // Wrap the file contents in the execution context.
+      *contents = full_contents(contents, &args, &key, &secret);
+
+      let replacers = interpolate(
+        contents,
+        &mut update,
+        key.clone(),
+        secret.clone(),
+      )
+      .await?
+      .into_iter()
+      .collect::<Vec<_>>();
+
+      let file = format!("{}.ts", random_string(10));
+      let path = core_config().action_directory.join(&file);
+
+      mogh_secret_file::write_async(&path, contents)
+        .await
+        .with_context(|| {
+          format!("Failed to write action file to {path:?}")
+        })?;
+
+      let CoreConfig { ssl_enabled, .. } = core_config();
+
+      let https_cert_flag = if *ssl_enabled {
+        " --unsafely-ignore-certificate-errors=localhost"
+      } else {
+        ""
+      };
+
+      let reload = if action.config.reload_deno_deps {
+        " --reload"
+      } else {
+        ""
+      };
+
+      let mut res = run_komodo_standard_command(
+        // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+        "Execute Action",
+        None,
+        format!(
+          "deno run --allow-all{https_cert_flag}{reload} {}",
+          path.display()
+        ),
+      )
+      .await;
+
+      res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+        .replace(&key, "<ACTION_API_KEY>");
+      res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+        .replace(&secret, "<ACTION_API_SECRET>");
+
+      cleanup_run(file + ".js", &path).await;
+
+      update.logs.push(res);
+      update.finalize();
+
+      mogh_error::Ok(update)
+    }
+    .await;
+
+    if let Err(e) =
+      delete_api_key(&KomodoAuthImpl, &action_user().id, key).await
+    {
+      warn!(
+        "Failed to delete API key after action execution | {:#}",
+        e.error
+      );
+    };
+
+    let update = res?;
+
+    // Need to manually update the update before cache refresh,
+    // and before broadcast with update_update.
+    // The Err case of to_document should be unreachable,
+    // but will fail to update cache in that case.
+    if let Ok(update_doc) = to_document(&update) {
+      let _ = update_one_by_id(
+        &db_client().updates,
+        &update.id,
+        database::mungos::update::Update::Set(update_doc),
+        None,
+      )
+      .await;
+      refresh_action_state_cache().await;
+    }
+
+    update_update(update.clone()).await?;
+
+    if !update.success && action.config.failure_alert {
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ActionFailed {
+            id: action.id,
+            name: action.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
+    Ok(update)
+  }
+}
+
+#[instrument("Interpolate", skip(contents, update, secret))]
+async fn interpolate(
+  contents: &mut String,
+  update: &mut Update,
+  key: String,
+  secret: String,
+) -> mogh_error::Result<HashSet<(String, String)>> {
+  let VariablesAndSecrets {
+    variables,
+    mut secrets,
+  } = get_variables_and_secrets().await?;
+
+  secrets.insert(String::from("ACTION_API_KEY"), key);
+  secrets.insert(String::from("ACTION_API_SECRET"), secret);
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator
+    .interpolate_string(contents)?
+    .push_logs(&mut update.logs);
+
+  Ok(interpolator.secret_replacers)
+}
+
+fn full_contents(
+  contents: &str,
+  // Pre-serialized to JSON string.
+  args: &str,
+  key: &str,
+  secret: &str,
+) -> String {
+  let CoreConfig {
+    port, ssl_enabled, ..
+  } = core_config();
+  let protocol = if *ssl_enabled { "https" } else { "http" };
+  let base_url = format!("{protocol}://localhost:{port}");
+  format!(
+    "import {{ KomodoClient, Types }} from '{base_url}/client/lib.js';
+import * as __YAML__ from 'jsr:@std/yaml';
+import * as __TOML__ from 'jsr:@std/toml';
+
+const YAML = {{
+  stringify: __YAML__.stringify,
+  parse: __YAML__.parse,
+  parseAll: __YAML__.parseAll,
+  parseDockerCompose: __YAML__.parse,
+}}
+
+const TOML = {{
+  stringify: __TOML__.stringify,
+  parse: __TOML__.parse,
+  parseResourceToml: __TOML__.parse,
+  parseCargoToml: __TOML__.parse,
+}}
+
+const ARGS = {args};
+
+const komodo = KomodoClient('{base_url}', {{
+  type: 'api-key',
+  params: {{ key: '{key}', secret: '{secret}' }}
+}});
+
+async function main() {{
+{contents}
+
+console.log('🦎 Action completed successfully 🦎');
+}}
+
+main()
+.catch(error => {{
+  console.error('🚨 Action exited early with errors 🚨')
+  if (error.status !== undefined && error.result !== undefined) {{
+    console.error('Status:', error.status);
+    console.error(JSON.stringify(error.result, null, 2));
+  }} else {{
+    console.error(error);
+  }}
+  Deno.exit(1)
+}});"
+  )
+}
+
+/// Cleans up file at given path.
+/// ALSO if $DENO_DIR is set,
+/// will clean up the generated file matching "file"
+#[instrument("CleanupRun")]
+async fn cleanup_run(file: String, path: &Path) {
+  if let Err(e) = fs::remove_file(path).await {
+    warn!(
+      "Failed to delete action file after action execution | {e:#}"
+    );
+  }
+  // If $DENO_DIR is set (will be in container),
+  // will clean up the generated file matching "file" (NOT under path)
+  let Some(deno_dir) = deno_dir() else {
+    return;
+  };
+  delete_file(deno_dir.join("gen/file"), file).await;
+}
+
+fn deno_dir() -> Option<&'static Path> {
+  static DENO_DIR: OnceLock<Option<PathBuf>> = OnceLock::new();
+  DENO_DIR
+    .get_or_init(|| {
+      let deno_dir = std::env::var("DENO_DIR").ok()?;
+      Some(PathBuf::from(&deno_dir))
+    })
+    .as_deref()
+}
+
+/// file is just the terminating file path,
+/// it may be nested multiple folder under path,
+/// this will find the nested file and delete it.
+/// Assumes the file is only there once.
+fn delete_file(
+  dir: PathBuf,
+  file: String,
+) -> std::pin::Pin<Box<dyn std::future::Future<Output = bool> + Send>>
+{
+  Box::pin(async move {
+    let Ok(mut dir) = fs::read_dir(dir).await else {
+      return false;
+    };
+    // Collect the nested folders for recursing
+    // only after checking all the files in directory.
+    let mut folders = Vec::<PathBuf>::new();
+
+    while let Ok(Some(entry)) = dir.next_entry().await {
+      let Ok(meta) = entry.metadata().await else {
+        continue;
+      };
+      if meta.is_file() {
+        let Ok(name) = entry.file_name().into_string() else {
+          continue;
+        };
+        if name == file {
+          if let Err(e) = fs::remove_file(entry.path()).await {
+            warn!(
+              "Failed to clean up generated file after action execution | {e:#}"
+            );
+          };
+          return true;
+        }
+      } else {
+        folders.push(entry.path());
+      }
+    }
+
+    if folders.len() == 1 {
+      // unwrap ok, folders definitely is not empty
+      let folder = folders.pop().unwrap();
+      delete_file(folder, file).await
+    } else {
+      // Check folders with file.clone
+      for folder in folders {
+        if delete_file(folder, file.clone()).await {
+          return true;
+        }
+      }
+      false
+    }
+  })
+}
+
+fn parse_action_arguments(
+  args: &str,
+  format: FileFormat,
+) -> anyhow::Result<JsonObject> {
+  match format {
+    FileFormat::KeyValue => {
+      let args = parse_key_value_list(args)
+        .context("Failed to parse args as key value list")?
+        .into_iter()
+        .map(|(k, v)| (k, serde_json::Value::String(v)))
+        .collect();
+      Ok(args)
+    }
+    FileFormat::Toml => toml::from_str(args)
+      .context("Failed to parse Toml to Action args"),
+    FileFormat::Yaml => serde_yaml_ng::from_str(args)
+      .context("Failed to parse Yaml to action args"),
+    FileFormat::Json => serde_json::from_str(args)
+      .context("Failed to parse Json to action args"),
+  }
+}
--- a/bin/core/src/api/execute/alerter.rs
+++ b/bin/core/src/api/execute/alerter.rs
@@ -0,0 +1,191 @@
+use anyhow::{Context, anyhow};
+use formatting::format_serror;
+use futures_util::{
+  StreamExt, TryStreamExt, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::execute::{SendAlert, TestAlerter},
+  entities::{
+    alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
+    alerter::Alerter,
+    komodo_timestamp,
+    permission::PermissionLevel,
+  },
+};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{
+  alert::send_alert_to_alerter, helpers::update::update_update,
+  permission::get_check_permissions, resource::list_full_for_user,
+};
+
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for TestAlerter {
+  #[instrument(
+    "TestAlerter",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      alerter = self.alerter,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerter = get_check_permissions::<Alerter>(
+      &self.alerter,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let mut update = update.clone();
+
+    if !alerter.config.enabled {
+      update.push_error_log(
+        "Test Alerter",
+        String::from(
+          "Alerter is disabled. Enable the Alerter to send alerts.",
+        ),
+      );
+      update.finalize();
+      update_update(update.clone()).await?;
+      return Ok(update);
+    }
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: SeverityLevel::Ok,
+      target: update.target.clone(),
+      data: AlertData::Test {
+        id: alerter.id.clone(),
+        name: alerter.name.clone(),
+      },
+      resolved_ts: Some(ts),
+    };
+
+    if let Err(e) = send_alert_to_alerter(&alerter, &alert).await {
+      update.push_error_log("Test Alerter", format_serror(&e.into()));
+    } else {
+      update.push_simple_log("Test Alerter", String::from("Alert sent successfully. It should be visible at your alerting destination."));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+impl Resolve<ExecuteArgs> for SendAlert {
+  #[instrument(
+    "SendAlert",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      request = format!("{self:?}"),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerters = list_full_for_user::<Alerter>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|a| {
+      a.config.enabled
+        && (self.alerters.is_empty()
+          || self.alerters.contains(&a.name)
+          || self.alerters.contains(&a.id))
+        && (a.config.alert_types.is_empty()
+          || a.config.alert_types.contains(&AlertDataVariant::Custom))
+    })
+    .collect::<Vec<_>>();
+
+    let alerters = if user.admin {
+      alerters
+    } else {
+      // Only keep alerters with execute permissions
+      alerters
+        .into_iter()
+        .map(|alerter| async move {
+          get_check_permissions::<Alerter>(
+            &alerter.id,
+            user,
+            PermissionLevel::Execute.into(),
+          )
+          .await
+        })
+        .collect::<FuturesUnordered<_>>()
+        .collect::<Vec<_>>()
+        .await
+        .into_iter()
+        .flatten()
+        .collect()
+    };
+
+    if alerters.is_empty() {
+      return Err(anyhow!(
+        "Could not find any valid alerters to send to, this required Execute permissions on the Alerter"
+      ).status_code(StatusCode::BAD_REQUEST));
+    }
+
+    let mut update = update.clone();
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: self.level,
+      target: update.target.clone(),
+      data: AlertData::Custom {
+        message: self.message,
+        details: self.details,
+      },
+      resolved_ts: Some(ts),
+    };
+
+    update.push_simple_log(
+      "Send alert",
+      serde_json::to_string_pretty(&alert)
+        .context("Failed to serialize alert to JSON")?,
+    );
+
+    if let Err(e) = alerters
+      .iter()
+      .map(|alerter| send_alert_to_alerter(alerter, &alert))
+      .collect::<FuturesUnordered<_>>()
+      .try_collect::<Vec<_>>()
+      .await
+    {
+      update.push_error_log("Send Error", format_serror(&e.into()));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/build.rs
+++ b/bin/core/src/api/execute/build.rs
@@ -1,23 +1,11 @@
-use std::{collections::HashSet, future::IntoFuture, time::Duration};
-
-use anyhow::{anyhow, Context};
-use formatting::format_serror;
-use futures::future::join_all;
-use komodo_client::{
-  api::execute::{CancelBuild, Deploy, RunBuild},
-  entities::{
-    alert::{Alert, AlertData, SeverityLevel},
-    all_logs_success,
-    build::{Build, BuildConfig, ImageRegistryConfig},
-    builder::{Builder, BuilderConfig},
-    deployment::DeploymentState,
-    komodo_timestamp,
-    permission::PermissionLevel,
-    update::{Log, Update},
-    user::{auto_redeploy_user, User},
-  },
+use std::{
+  collections::{HashMap, HashSet},
+  future::IntoFuture,
+  time::Duration,
 };
-use mungos::{
+
+use anyhow::{Context, anyhow};
+use database::mungos::{
  by_id::update_one_by_id,
  find::find_collect,
  mongodb::{
@@ -25,49 +13,129 @@ use mungos::{
    options::FindOneOptions,
  },
 };
+use formatting::format_serror;
+use futures_util::future::join_all;
+use interpolate::Interpolator;
+use komodo_client::{
+  api::{
+    execute::{
+      BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+      RunBuild,
+    },
+    write::RefreshBuildCache,
+  },
+  entities::{
+    alert::{Alert, AlertData, SeverityLevel},
+    all_logs_success,
+    build::{Build, BuildConfig},
+    builder::{Builder, BuilderConfig},
+    deployment::DeploymentState,
+    komodo_timestamp, optional_string,
+    permission::PermissionLevel,
+    repo::Repo,
+    update::{Log, Update},
+    user::auto_redeploy_user,
+  },
+};
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
+use uuid::Uuid;

 use crate::{
  alert::send_alerts,
+  api::write::WriteArgs,
  helpers::{
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    build_git_token,
+    builder::{cleanup_builder_instance, connect_builder_periphery},
    channel::build_cancel_channel,
-    git_token,
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_extra_args,
-      interpolate_variables_secrets_into_string,
-      interpolate_variables_secrets_into_system_command,
+    query::{
+      VariablesAndSecrets, get_deployment_state,
+      get_variables_and_secrets,
    },
-    query::{get_deployment_state, get_variables_and_secrets},
    registry_token,
    update::{init_execution_update, update_update},
  },
+  permission::get_check_permissions,
  resource::{self, refresh_build_state_cache},
-  state::{action_states, db_client, State},
+  state::{action_states, db_client},
 };

-use super::ExecuteRequest;
+use super::{ExecuteArgs, ExecuteRequest};

-impl Resolve<RunBuild, (User, Update)> for State {
-  #[instrument(name = "RunBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl super::BatchExecute for BatchRunBuild {
+  type Resource = Build;
+  fn single_request(build: String) -> ExecuteRequest {
+    ExecuteRequest::RunBuild(RunBuild { build })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunBuild {
+  #[instrument(
+    "BatchRunBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
-    &self,
-    RunBuild { build }: RunBuild,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let mut build = resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunBuild>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunBuild {
+  #[instrument(
+    "RunBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let mut build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;
-    let mut vars_and_secrets = get_variables_and_secrets().await?;
+
+    let mut repo = if !build.config.files_on_host
+      && !build.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&build.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
+    let VariablesAndSecrets {
+      mut variables,
+      secrets,
+    } = get_variables_and_secrets().await?;
+
+    // Add the $VERSION to variables. Use with [[$VERSION]]
+    variables.insert(
+      String::from("$VERSION"),
+      build.config.version.to_string(),
+    );

    if build.config.builder_id.is_empty() {
-      return Err(anyhow!("Must attach builder to RunBuild"));
+      return Err(anyhow!("Must attach builder to RunBuild").into());
    }

    // get the action state for the build (or insert default).
@@ -82,29 +150,17 @@ impl Resolve<RunBuild, (User, Update)> for State {
    if build.config.auto_increment_version {
      build.config.version.increment();
    }
+
+    let mut update = update.clone();
+
    update.version = build.config.version;
    update_update(update.clone()).await?;

-    // Add the $VERSION to variables. Use with [[$VERSION]]
-    if !vars_and_secrets.variables.contains_key("$VERSION") {
-      vars_and_secrets.variables.insert(
-        String::from("$VERSION"),
-        build.config.version.to_string(),
-      );
-    }
+    let git_token =
+      build_git_token(&mut build, repo.as_mut()).await?;

-    let git_token = git_token(
-      &build.config.git_provider,
-      &build.config.git_account,
-      |https| build.config.git_https = https,
-    )
-    .await
-    .with_context(
-      || format!("Failed to get git token in call to db. This is a database error, not a token exisitence error. Stopping run. | {} | {}", build.config.git_provider, build.config.git_account),
-    )?;
-
-    let registry_token =
-      validate_account_extract_registry_token(&build).await?;
+    let registry_tokens =
+      validate_account_extract_registry_tokens(&build).await?;

    let cancel = CancellationToken::new();
    let cancel_clone = cancel.clone();
@@ -134,7 +190,7 @@ impl Resolve<RunBuild, (User, Update)> for State {
            update.finalize();
            let id = update.id.clone();
            if let Err(e) = update_update(update).await {
-              warn!("failed to modify Update {id} on db | {e:#}");
+              warn!("Failed to modify Update {id} on db | {e:#}");
            }
            if !is_server_builder {
              cancel_clone.cancel();
@@ -152,8 +208,7 @@ impl Resolve<RunBuild, (User, Update)> for State {
    });

    // GET BUILDER PERIPHERY
-
-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
      build.name.clone(),
      Some(build.config.version),
      builder,
@@ -164,12 +219,12 @@ impl Resolve<RunBuild, (User, Update)> for State {
      Ok(builder) => builder,
      Err(e) => {
        warn!(
-          "failed to get builder for build {} | {e:#}",
+          "Failed to get Builder for Build {} | {e:#}",
          build.name
        );
        update.logs.push(Log::error(
-          "get builder",
-          format_serror(&e.context("failed to get builder").into()),
+          "Get Builder",
+          format_serror(&e.context("Failed to get Builder").into()),
        ));
        return handle_early_return(
          update, build.id, build.name, false,
@@ -178,124 +233,93 @@ impl Resolve<RunBuild, (User, Update)> for State {
      }
    };

-    // CLONE REPO
+    // INTERPOLATE VARIABLES
    let secret_replacers = if !build.config.skip_secret_interp {
-      // Interpolate variables / secrets into pre build command
-      let mut global_replacers = HashSet::new();
-      let mut secret_replacers = HashSet::new();
+      let mut interpolator =
+        Interpolator::new(Some(&variables), &secrets);

-      interpolate_variables_secrets_into_system_command(
-        &vars_and_secrets,
-        &mut build.config.pre_build,
-        &mut global_replacers,
-        &mut secret_replacers,
-      )?;
+      interpolator.interpolate_build(&mut build)?;

-      add_interp_update_log(
-        &mut update,
-        &global_replacers,
-        &secret_replacers,
-      );
+      if let Some(repo) = repo.as_mut() {
+        interpolator.interpolate_repo(repo)?;
+      }

-      secret_replacers
+      interpolator.push_logs(&mut update.logs);
+
+      interpolator.secret_replacers
    } else {
      Default::default()
    };

-    let res = tokio::select! {
-      res = periphery
-        .request(api::git::CloneRepo {
-          args: (&build).into(),
-          git_token,
-          environment: Default::default(),
-          env_file_path: Default::default(),
-          skip_secret_interp: Default::default(),
-          replacers: secret_replacers.into_iter().collect(),
-        }) => res,
-      _ = cancel.cancelled() => {
-        debug!("build cancelled during clone, cleaning up builder");
-        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-        cleanup_builder_instance(periphery, cleanup_data, &mut update)
-          .await;
-        info!("builder cleaned up");
-        return handle_early_return(update, build.id, build.name, true).await
-      },
-    };
-
-    let commit_message = match res {
-      Ok(res) => {
-        debug!("finished repo clone");
-        update.logs.extend(res.logs);
-        update.commit_hash =
-          res.commit_hash.unwrap_or_default().to_string();
-        res.commit_message.unwrap_or_default()
-      }
-      Err(e) => {
-        warn!("failed build at clone repo | {e:#}");
-        update.push_error_log(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
-        );
-        Default::default()
-      }
-    };
-
-    update_update(update.clone()).await?;
-
-    if all_logs_success(&update.logs) {
-      let secret_replacers = if !build.config.skip_secret_interp {
-        // Interpolate variables / secrets into build args
-        let mut global_replacers = HashSet::new();
-        let mut secret_replacers = HashSet::new();
-
-        interpolate_variables_secrets_into_string(
-          &vars_and_secrets,
-          &mut build.config.build_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        interpolate_variables_secrets_into_string(
-          &vars_and_secrets,
-          &mut build.config.secret_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        interpolate_variables_secrets_into_extra_args(
-          &vars_and_secrets,
-          &mut build.config.extra_args,
-          &mut global_replacers,
-          &mut secret_replacers,
-        )?;
-
-        add_interp_update_log(
-          &mut update,
-          &global_replacers,
-          &secret_replacers,
-        );
-
-        secret_replacers
-      } else {
-        Default::default()
+    let commit_message = if !build.config.files_on_host
+      && (!build.config.repo.is_empty()
+        || !build.config.linked_repo.is_empty())
+    {
+      // PULL OR CLONE REPO
+      let res = tokio::select! {
+        res = periphery
+          .request(api::git::PullOrCloneRepo {
+            args: repo.as_ref().map(Into::into).unwrap_or((&build).into()),
+            git_token,
+            environment: Default::default(),
+            env_file_path: Default::default(),
+            on_clone: None,
+            on_pull: None,
+            skip_secret_interp: Default::default(),
+            replacers: Default::default(),
+          }) => res,
+        _ = cancel.cancelled() => {
+          debug!("Build cancelled during clone, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("user cancelled build during repo clone"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
+            .await;
+          info!("Builder cleaned up");
+          return handle_early_return(update, build.id, build.name, true).await
+        },
      };

+      let commit_message = match res {
+        Ok(res) => {
+          debug!("Finished repo clone");
+          update.logs.extend(res.res.logs);
+          update.commit_hash =
+            res.res.commit_hash.unwrap_or_default().to_string();
+          res.res.commit_message.unwrap_or_default()
+        }
+        Err(e) => {
+          warn!("Failed build at clone repo | {e:#}");
+          update.push_error_log(
+            "Clone Repo",
+            format_serror(&e.context("Failed to clone repo").into()),
+          );
+          Default::default()
+        }
+      };
+
+      update_update(update.clone()).await?;
+
+      Some(commit_message)
+    } else {
+      None
+    };
+
+    if all_logs_success(&update.logs) {
+      // RUN BUILD
      let res = tokio::select! {
        res = periphery
          .request(api::build::Build {
            build: build.clone(),
-            registry_token,
+            repo,
+            registry_tokens,
            replacers: secret_replacers.into_iter().collect(),
-            // Push a commit hash tagged image
-            additional_tags: if update.commit_hash.is_empty() {
-              Default::default()
-            } else {
-              vec![update.commit_hash.clone()]
-            },
-          }) => res.context("failed at call to periphery to build"),
+            // To push a commit hash tagged image
+            commit_hash: optional_string(&update.commit_hash),
+            // Unused for now
+            additional_tags: Default::default(),
+          }) => res.context("Failed at call to Periphery to build"),
        _ = cancel.cancelled() => {
-          info!("build cancelled during build, cleaning up builder");
-          update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
+          info!("Build cancelled during build, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("User cancelled build during docker build"));
          cleanup_builder_instance(periphery, cleanup_data, &mut update)
            .await;
          return handle_early_return(update, build.id, build.name, true).await
@@ -308,10 +332,10 @@ impl Resolve<RunBuild, (User, Update)> for State {
          update.logs.extend(logs);
        }
        Err(e) => {
-          warn!("error in build | {e:#}");
+          warn!("Error in build | {e:#}");
          update.push_error_log(
-            "build",
-            format_serror(&e.context("failed to build").into()),
+            "Build Error",
+            format_serror(&e.context("Failed to build").into()),
          )
        }
      };
@@ -340,6 +364,8 @@ impl Resolve<RunBuild, (User, Update)> for State {
    // stop the cancel listening task from going forever
    cancel.cancel();

+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
    cleanup_builder_instance(periphery, cleanup_data, &mut update)
      .await;

@@ -351,7 +377,7 @@ impl Resolve<RunBuild, (User, Update)> for State {
      let _ = update_one_by_id(
        &db.updates,
        &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
        None,
      )
      .await;
@@ -360,13 +386,15 @@ impl Resolve<RunBuild, (User, Update)> for State {

    update_update(update.clone()).await?;

+    let Build { id, name, .. } = build;
+
    if update.success {
      // don't hold response up for user
      tokio::spawn(async move {
-        handle_post_build_redeploy(&build.id).await;
+        handle_post_build_redeploy(&id).await;
      });
    } else {
-      warn!("build unsuccessful, alerting...");
+      let name = name.clone();
      let target = update.target.clone();
      let version = update.version;
      tokio::spawn(async move {
@@ -377,27 +405,33 @@ impl Resolve<RunBuild, (User, Update)> for State {
          resolved_ts: Some(komodo_timestamp()),
          resolved: true,
          level: SeverityLevel::Warning,
-          data: AlertData::BuildFailed {
-            id: build.id,
-            name: build.name,
-            version,
-          },
+          data: AlertData::BuildFailed { id, name, version },
        };
        send_alerts(&[alert]).await
      });
    }

-    Ok(update)
+    if let Err(e) = (RefreshBuildCache { build: name })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+    {
+      update.push_error_log(
+        "Refresh build cache",
+        format_serror(&e.error.into()),
+      );
+    }
+
+    Ok(update.clone())
  }
 }

-#[instrument(skip(update))]
+#[instrument("HandleEarlyReturn", skip(update))]
 async fn handle_early_return(
  mut update: Update,
  build_id: String,
  build_name: String,
  is_cancel: bool,
-) -> anyhow::Result<Update> {
+) -> mogh_error::Result<Update> {
  update.finalize();
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
@@ -407,7 +441,7 @@ async fn handle_early_return(
    let _ = update_one_by_id(
      &db_client().updates,
      &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
      None,
    )
    .await;
@@ -415,7 +449,6 @@ async fn handle_early_return(
  }
  update_update(update.clone()).await?;
  if !update.success && !is_cancel {
-    warn!("build unsuccessful, alerting...");
    let target = update.target.clone();
    let version = update.version;
    tokio::spawn(async move {
@@ -435,10 +468,9 @@ async fn handle_early_return(
      send_alerts(&[alert]).await
    });
  }
-  Ok(update)
+  Ok(update.clone())
 }

-#[instrument(skip_all)]
 pub async fn validate_cancel_build(
  request: &ExecuteRequest,
 ) -> anyhow::Result<()> {
@@ -485,17 +517,25 @@ pub async fn validate_cancel_build(
  Ok(())
 }

-impl Resolve<CancelBuild, (User, Update)> for State {
-  #[instrument(name = "CancelBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl Resolve<ExecuteArgs> for CancelBuild {
+  #[instrument(
+    "CancelBuild",
+    skip(user, update),
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
  async fn resolve(
-    &self,
-    CancelBuild { build }: CancelBuild,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let build = resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;

@@ -507,9 +547,11 @@ impl Resolve<CancelBuild, (User, Update)> for State {
      .and_then(|s| s.get().ok().map(|s| s.building))
      .unwrap_or_default()
    {
-      return Err(anyhow!("Build is not building."));
+      return Err(anyhow!("Build is not building.").into());
    }

+    let mut update = update.clone();
+
    update.push_simple_log(
      "cancel triggered",
      "the build cancel has been triggered",
@@ -535,7 +577,9 @@ impl Resolve<CancelBuild, (User, Update)> for State {
      )
      .await
      {
-        warn!("failed to set CancelBuild Update status Complete after timeout | {e:#}")
+        warn!(
+          "Failed to set CancelBuild Update status Complete after timeout | {e:#}"
+        )
      }
    });

@@ -543,7 +587,7 @@ impl Resolve<CancelBuild, (User, Update)> for State {
  }
 }

-#[instrument]
+#[instrument("PostBuildRedeploy")]
 async fn handle_post_build_redeploy(build_id: &str) {
  let Ok(redeploy_deployments) = find_collect(
    &db_client().deployments,
@@ -562,8 +606,9 @@ async fn handle_post_build_redeploy(build_id: &str) {
    redeploy_deployments
      .into_iter()
      .map(|deployment| async move {
-        let state =
-          get_deployment_state(&deployment).await.unwrap_or_default();
+        let state = get_deployment_state(&deployment.id)
+          .await
+          .unwrap_or_default();
        if state == DeploymentState::Running {
          let req = super::ExecuteRequest::Deploy(Deploy {
            deployment: deployment.id.clone(),
@@ -573,16 +618,17 @@ async fn handle_post_build_redeploy(build_id: &str) {
          let user = auto_redeploy_user().to_owned();
          let res = async {
            let update = init_execution_update(&req, &user).await?;
-            State
-              .resolve(
-                Deploy {
-                  deployment: deployment.id.clone(),
-                  stop_signal: None,
-                  stop_time: None,
-                },
-                (user, update),
-              )
-              .await
+            Deploy {
+              deployment: deployment.id.clone(),
+              stop_signal: None,
+              stop_time: None,
+            }
+            .resolve(&ExecuteArgs {
+              user,
+              update,
+              id: Uuid::new_v4(),
+            })
+            .await
          }
          .await;
          Some((deployment.id.clone(), res))
@@ -596,7 +642,10 @@ async fn handle_post_build_redeploy(build_id: &str) {
      continue;
    };
    if let Err(e) = res {
-      warn!("failed post build redeploy for deployment {id}: {e:#}");
+      warn!(
+        "failed post build redeploy for deployment {id}: {:#}",
+        e.error
+      );
    }
  }
 }
@@ -604,31 +653,49 @@ async fn handle_post_build_redeploy(build_id: &str) {
 /// This will make sure that a build with non-none image registry has an account attached,
 /// and will check the core config for a token matching requirements.
 /// Otherwise it is left to periphery.
-async fn validate_account_extract_registry_token(
+#[instrument("ValidateRegistryTokens")]
+async fn validate_account_extract_registry_tokens(
  Build {
-    config:
-      BuildConfig {
-        image_registry:
-          ImageRegistryConfig {
-            domain, account, ..
-          },
-        ..
-      },
+    config: BuildConfig { image_registry, .. },
    ..
  }: &Build,
-) -> anyhow::Result<Option<String>> {
-  if domain.is_empty() {
-    return Ok(None);
-  }
-  if account.is_empty() {
-    return Err(anyhow!(
-      "Must attach account to use registry provider {domain}"
-    ));
+  // Maps (domain, account) -> token
+) -> mogh_error::Result<Vec<(String, String, String)>> {
+  let mut res = HashMap::with_capacity(image_registry.capacity());
+
+  for (domain, account) in image_registry
+    .iter()
+    .map(|r| (r.domain.as_str(), r.account.as_str()))
+    // This ensures uniqueness / prevents redundant logins
+    .collect::<HashSet<_>>()
+  {
+    if domain.is_empty() {
+      continue;
+    }
+    if account.is_empty() {
+      return Err(
+        anyhow!(
+          "Must attach account to use registry provider {domain}"
+        )
+        .into(),
+      );
+    }
+    let Some(registry_token) = registry_token(domain, account).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
+    )? else {
+      continue;
+    };
+
+    res.insert(
+      (domain.to_string(), account.to_string()),
+      registry_token,
+    );
  }

-  let registry_token = registry_token(domain, account).await.with_context(
-    || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
-  )?;
-
-  Ok(registry_token)
+  Ok(
+    res
+      .into_iter()
+      .map(|((domain, account), token)| (domain, account, token))
+      .collect(),
+  )
 }
--- a/bin/core/src/api/execute/deployment.rs
+++ b/bin/core/src/api/execute/deployment.rs
--- a/bin/core/src/api/execute/maintenance.rs
+++ b/bin/core/src/api/execute/maintenance.rs
@@ -0,0 +1,609 @@
+use std::{fmt::Write as _, sync::OnceLock};
+
+use anyhow::{Context, anyhow};
+use command::run_komodo_standard_command;
+use database::{
+  bson::{Document, doc},
+  mungos::find::find_collect,
+};
+use formatting::{bold, format_serror};
+use futures_util::{StreamExt, stream::FuturesOrdered};
+use komodo_client::{
+  api::execute::{
+    BackupCoreDatabase, ClearRepoCache, GlobalAutoUpdate,
+    RotateAllServerKeys, RotateCoreKeys,
+  },
+  entities::{
+    SwarmOrServer, deployment::DeploymentState, server::ServerState,
+    stack::StackState,
+  },
+};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use periphery_client::api;
+use reqwest::StatusCode;
+use tokio::sync::Mutex;
+
+use crate::{
+  api::{
+    execute::ExecuteArgs,
+    write::{
+      check_deployment_for_update_inner, check_stack_for_update_inner,
+    },
+  },
+  config::{core_config, core_keys},
+  helpers::{
+    periphery_client, query::find_swarm_or_server,
+    update::update_update,
+  },
+  resource::rotate_server_keys,
+  state::{
+    db_client, deployment_status_cache, server_status_cache,
+    stack_status_cache,
+  },
+};
+
+/// Makes sure the method can only be called once at a time
+fn clear_repo_cache_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for ClearRepoCache {
+  #[instrument(
+    "ClearRepoCache",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = clear_repo_cache_lock()
+      .try_lock()
+      .context("Clear already in progress...")?;
+
+    let mut update = update.clone();
+
+    let mut contents =
+      tokio::fs::read_dir(&core_config().repo_directory)
+        .await
+        .context("Failed to read repo cache directory")?;
+
+    loop {
+      let path = match contents
+        .next_entry()
+        .await
+        .context("Failed to read contents at path")
+      {
+        Ok(Some(contents)) => contents.path(),
+        Ok(None) => break,
+        Err(e) => {
+          update.push_error_log(
+            "Read Directory",
+            format_serror(&e.into()),
+          );
+          continue;
+        }
+      };
+      if path.is_dir() {
+        match tokio::fs::remove_dir_all(&path)
+          .await
+          .context("Failed to clear contents at path")
+        {
+          Ok(_) => {}
+          Err(e) => {
+            update.push_error_log(
+              "Clear Directory",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn backup_database_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for BackupCoreDatabase {
+  #[instrument(
+    "BackupCoreDatabase",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = backup_database_lock()
+      .try_lock()
+      .context("Backup already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let res = run_komodo_standard_command(
+      "Backup Core Database",
+      None,
+      "km database backup --yes",
+    )
+    .await;
+
+    update.logs.push(res);
+    update.finalize();
+
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_update_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
+  #[instrument(
+    "GlobalAutoUpdate",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_update_lock()
+      .try_lock()
+      .context("Global update already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    // This is all done in sequence because there is no rush,
+    // the pulls / deploys happen spaced out to ease the load on system.
+    let servers = find_collect(&db_client().servers, None, None)
+      .await
+      .context("Failed to query for servers from database")?;
+    let swarms = find_collect(&db_client().swarms, None, None)
+      .await
+      .context("Failed to query for swarms from database")?;
+
+    let query = doc! {
+      "$or": [
+        { "config.poll_for_updates": true },
+        { "config.auto_update": true }
+      ]
+    };
+
+    let stacks =
+      find_collect(&db_client().stacks, query.clone(), None)
+        .await
+        .context("Failed to query for stacks from database")?;
+
+    let server_status_cache = server_status_cache();
+    let stack_status_cache = stack_status_cache();
+
+    // Will be edited later at update.logs[0]
+    update.push_simple_log("Auto Pull", String::new());
+
+    for stack in stacks {
+      let Some(status) = stack_status_cache.get(&stack.id).await
+      else {
+        continue;
+      };
+
+      // Only pull running stacks.
+      if !matches!(status.curr.state, StackState::Running) {
+        continue;
+      }
+
+      let swarm_or_server = find_swarm_or_server(
+        &stack.config.swarm_id,
+        &swarms,
+        &stack.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
+      if let Some(server) =
+        servers.iter().find(|s| s.id == stack.config.server_id)
+        // This check is probably redundant along with running check
+        // but shouldn't hurt
+        && server_status_cache
+          .get(&server.id)
+          .await
+          .map(|s| matches!(s.state, ServerState::Ok))
+          .unwrap_or_default()
+      {
+        if let Err(e) = check_stack_for_update_inner(
+          stack.id,
+          &swarm_or_server,
+          self.skip_auto_update,
+          true,
+          false,
+        )
+        .await
+        {
+          update.push_error_log(
+            &format!("Check Stack {}", stack.name),
+            format_serror(&e.into()),
+          );
+        } else {
+          if !update.logs[0].stdout.is_empty() {
+            update.logs[0].stdout.push('\n');
+          }
+
+          update.logs[0].stdout.push_str(&format!(
+            "Checked Stack {} ✅",
+            bold(&stack.name)
+          ));
+        }
+      }
+    }
+
+    let deployment_status_cache = deployment_status_cache();
+    let deployments =
+      find_collect(&db_client().deployments, query, None)
+        .await
+        .context("Failed to query for deployments from database")?;
+
+    for deployment in deployments {
+      let Some(status) =
+        deployment_status_cache.get(&deployment.id).await
+      else {
+        continue;
+      };
+
+      // Only pull running deployments.
+      if !matches!(status.curr.state, DeploymentState::Running) {
+        continue;
+      }
+
+      let swarm_or_server = find_swarm_or_server(
+        &deployment.config.swarm_id,
+        &swarms,
+        &deployment.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
+      let name = deployment.name.clone();
+
+      if let Err(e) = check_deployment_for_update_inner(
+        deployment,
+        &swarm_or_server,
+        self.skip_auto_update,
+        true,
+      )
+      .await
+      {
+        update.push_error_log(
+          &format!("Check Deployment {name}"),
+          format_serror(&e.into()),
+        );
+      } else {
+        if !update.logs[0].stdout.is_empty() {
+          update.logs[0].stdout.push('\n');
+        }
+        update.logs[0]
+          .stdout
+          .push_str(&format!("Checked Deployment {} ✅", bold(name)));
+      }
+    }
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_rotate_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for RotateAllServerKeys {
+  #[instrument(
+    "RotateAllServerKeys",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let mut servers = db_client()
+      .servers
+      .find(Document::new())
+      .await
+      .context("Failed to query servers from database")?;
+
+    let server_status_cache = server_status_cache();
+
+    let mut log = String::new();
+
+    while let Some(server) = servers.next().await {
+      let server = match server {
+        Ok(server) => server,
+        Err(e) => {
+          warn!("Failed to parse Server | {e:#}");
+          continue;
+        }
+      };
+      if !server.config.auto_rotate_keys {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: Key Rotation Disabled ⚙️",
+          bold(&server.name)
+        );
+        continue;
+      }
+      let Some(status) = server_status_cache.get(&server.id).await
+      else {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: No Status ⚠️",
+          bold(&server.name)
+        );
+        continue;
+      };
+      match status.state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      match rotate_server_keys(&server).await {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated keys for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate {} keys",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Server Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateCoreKeys {
+  #[instrument(
+    "RotateCoreKeys",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let core_keys = core_keys();
+
+    if !core_keys.rotatable() {
+      return Err(anyhow!("Core `private_key` must be pointing to file, for example 'file:/config/keys/core.key'").into());
+    };
+
+    let server_status_cache = server_status_cache();
+    let servers =
+      find_collect(&db_client().servers, Document::new(), None)
+        .await
+        .context("Failed to query servers from database")?
+        .into_iter()
+        .map(|server| async move {
+          let state = server_status_cache
+            .get(&server.id)
+            .await
+            .map(|s| s.state)
+            .unwrap_or(ServerState::NotOk);
+          (server, state)
+        })
+        .collect::<FuturesOrdered<_>>()
+        .collect::<Vec<_>>()
+        .await;
+
+    if !self.force
+      && let Some((server, _)) = servers
+        .iter()
+        .find(|(_, state)| matches!(state, ServerState::NotOk))
+    {
+      return Err(
+        anyhow!("Server {} is NotOk, stopping key rotation. Pass `force: true` to continue anyways.", server.name).into(),
+      );
+    }
+
+    let public_key = core_keys
+      .rotate(mogh_pki::PkiKind::Mutual)
+      .await?
+      .into_inner();
+
+    info!("New Public Key: {public_key}");
+
+    let mut log = format!("New Public Key: {public_key}\n");
+
+    for (server, state) in servers {
+      match state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          // Shouldn't be reached unless 'force: true'
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      let periphery = periphery_client(&server).await?;
+      let res = periphery
+        .request(api::keys::RotateCorePublicKey {
+          public_key: public_key.clone(),
+        })
+        .await;
+      match res {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated key for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate for {}. The new Core public key will have to be added manually.",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Core Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/mod.rs
+++ b/bin/core/src/api/execute/mod.rs
@@ -1,47 +1,128 @@
-use std::time::Instant;
+use std::pin::Pin;

-use anyhow::{anyhow, Context};
-use axum::{middleware, routing::post, Extension, Router};
-use derive_variants::{EnumVariants, ExtractVariant};
+use anyhow::Context;
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
+use axum_extra::{TypedHeader, headers::ContentType};
+use database::mungos::by_id::find_one_by_id;
 use formatting::format_serror;
+use futures_util::future::join_all;
 use komodo_client::{
  api::execute::*,
  entities::{
+    Operation,
+    permission::PermissionLevel,
    update::{Log, Update},
    user::User,
  },
 };
-use mungos::by_id::find_one_by_id;
-use resolver_api::{derive::Resolver, Resolver};
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_error::JsonString;
+use mogh_resolver::Resolve;
 use serde::{Deserialize, Serialize};
-use serror::Json;
+use serde_json::json;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;

 use crate::{
-  auth::auth_request,
+  auth::KomodoAuthImpl,
  helpers::update::{init_execution_update, update_update},
-  state::{db_client, State},
+  resource::{KomodoResource, list_full_for_user_using_pattern},
+  state::db_client,
 };

+mod action;
+mod alerter;
 mod build;
 mod deployment;
+mod maintenance;
 mod procedure;
 mod repo;
 mod server;
-mod server_template;
 mod stack;
+mod swarm;
 mod sync;

+use super::Variant;
+
+pub struct ExecuteArgs {
+  /// The execution id.
+  /// Unique for every /execute call.
+  pub id: Uuid,
+  pub user: User,
+  pub update: Update,
+}
+
 #[typeshare]
 #[derive(
-  Serialize, Deserialize, Debug, Clone, Resolver, EnumVariants,
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
 )]
-#[variant_derive(Debug)]
-#[resolver_target(State)]
-#[resolver_args((User, Update))]
+#[strum_discriminants(name(ExecuteRequestVariant), derive(Display))]
+#[args(ExecuteArgs)]
+#[response(JsonString)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum ExecuteRequest {
+  // ==== STACK ====
+  DeployStack(DeployStack),
+  BatchDeployStack(BatchDeployStack),
+  DeployStackIfChanged(DeployStackIfChanged),
+  BatchDeployStackIfChanged(BatchDeployStackIfChanged),
+  PullStack(PullStack),
+  BatchPullStack(BatchPullStack),
+  StartStack(StartStack),
+  RestartStack(RestartStack),
+  StopStack(StopStack),
+  PauseStack(PauseStack),
+  UnpauseStack(UnpauseStack),
+  DestroyStack(DestroyStack),
+  BatchDestroyStack(BatchDestroyStack),
+  RunStackService(RunStackService),
+
+  // ==== DEPLOYMENT ====
+  Deploy(Deploy),
+  BatchDeploy(BatchDeploy),
+  PullDeployment(PullDeployment),
+  StartDeployment(StartDeployment),
+  RestartDeployment(RestartDeployment),
+  PauseDeployment(PauseDeployment),
+  UnpauseDeployment(UnpauseDeployment),
+  StopDeployment(StopDeployment),
+  DestroyDeployment(DestroyDeployment),
+  BatchDestroyDeployment(BatchDestroyDeployment),
+
+  // ==== BUILD ====
+  RunBuild(RunBuild),
+  BatchRunBuild(BatchRunBuild),
+  CancelBuild(CancelBuild),
+
+  // ==== REPO ====
+  CloneRepo(CloneRepo),
+  BatchCloneRepo(BatchCloneRepo),
+  PullRepo(PullRepo),
+  BatchPullRepo(BatchPullRepo),
+  BuildRepo(BuildRepo),
+  BatchBuildRepo(BatchBuildRepo),
+  CancelRepoBuild(CancelRepoBuild),
+
+  // ==== PROCEDURE ====
+  RunProcedure(RunProcedure),
+  BatchRunProcedure(BatchRunProcedure),
+
+  // ==== ACTION ====
+  RunAction(RunAction),
+  BatchRunAction(BatchRunAction),
+
+  // ==== SYNC ====
+  RunSync(RunSync),
+
+  // ==== ALERTER ====
+  TestAlerter(TestAlerter),
+  SendAlert(SendAlert),
+
  // ==== SERVER ====
  StartContainer(StartContainer),
  RestartContainer(RestartContainer),
@@ -65,134 +146,213 @@ pub enum ExecuteRequest {
  PruneBuildx(PruneBuildx),
  PruneSystem(PruneSystem),

-  // ==== DEPLOYMENT ====
-  Deploy(Deploy),
-  StartDeployment(StartDeployment),
-  RestartDeployment(RestartDeployment),
-  PauseDeployment(PauseDeployment),
-  UnpauseDeployment(UnpauseDeployment),
-  StopDeployment(StopDeployment),
-  DestroyDeployment(DestroyDeployment),
+  // ==== SWARM ====
+  RemoveSwarmNodes(RemoveSwarmNodes),
+  RemoveSwarmStacks(RemoveSwarmStacks),
+  RemoveSwarmServices(RemoveSwarmServices),
+  CreateSwarmConfig(CreateSwarmConfig),
+  RotateSwarmConfig(RotateSwarmConfig),
+  RemoveSwarmConfigs(RemoveSwarmConfigs),
+  CreateSwarmSecret(CreateSwarmSecret),
+  RotateSwarmSecret(RotateSwarmSecret),
+  RemoveSwarmSecrets(RemoveSwarmSecrets),

-  // ==== STACK ====
-  DeployStack(DeployStack),
-  DeployStackIfChanged(DeployStackIfChanged),
-  StartStack(StartStack),
-  RestartStack(RestartStack),
-  StopStack(StopStack),
-  PauseStack(PauseStack),
-  UnpauseStack(UnpauseStack),
-  DestroyStack(DestroyStack),
-
-  // ==== BUILD ====
-  RunBuild(RunBuild),
-  CancelBuild(CancelBuild),
-
-  // ==== REPO ====
-  CloneRepo(CloneRepo),
-  PullRepo(PullRepo),
-  BuildRepo(BuildRepo),
-  CancelRepoBuild(CancelRepoBuild),
-
-  // ==== PROCEDURE ====
-  RunProcedure(RunProcedure),
-
-  // ==== SERVER TEMPLATE ====
-  LaunchServer(LaunchServer),
-
-  // ==== SYNC ====
-  RunSync(RunSync),
+  // ==== MAINTENANCE ====
+  ClearRepoCache(ClearRepoCache),
+  BackupCoreDatabase(BackupCoreDatabase),
+  GlobalAutoUpdate(GlobalAutoUpdate),
+  RotateAllServerKeys(RotateAllServerKeys),
+  RotateCoreKeys(RotateCoreKeys),
 }

 pub fn router() -> Router {
  Router::new()
    .route("/", post(handler))
-    .layer(middleware::from_fn(auth_request))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
+  let req: ExecuteRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
 }

 async fn handler(
  Extension(user): Extension<User>,
  Json(request): Json<ExecuteRequest>,
-) -> serror::Result<Json<Update>> {
-  let req_id = Uuid::new_v4();
-
-  // need to validate no cancel is active before any update is created.
-  build::validate_cancel_build(&request).await?;
-
-  let update = init_execution_update(&request, &user).await?;
-
-  let handle =
-    tokio::spawn(task(req_id, request, user, update.clone()));
-
-  tokio::spawn({
-    let update_id = update.id.clone();
-    async move {
-      let log = match handle.await {
-        Ok(Err(e)) => {
-          warn!("/execute request {req_id} task error: {e:#}",);
-          Log::error("task error", format_serror(&e.into()))
-        }
-        Err(e) => {
-          warn!("/execute request {req_id} spawn error: {e:?}",);
-          Log::error("spawn error", format!("{e:#?}"))
-        }
-        _ => return,
-      };
-      let res = async {
-        let mut update =
-          find_one_by_id(&db_client().updates, &update_id)
-            .await
-            .context("failed to query to db")?
-            .context("no update exists with given id")?;
-        update.logs.push(log);
-        update.finalize();
-        update_update(update).await
-      }
-      .await;
-
-      if let Err(e) = res {
-        warn!("failed to update update with task error log | {e:#}");
-      }
-    }
-  });
-
-  Ok(Json(update))
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
+  let res = match inner_handler(request, user).await? {
+    ExecutionResult::Single(update) => serde_json::to_string(&update)
+      .context("Failed to serialize Update")?,
+    ExecutionResult::Batch(res) => res,
+  };
+  Ok((TypedHeader(ContentType::json()), res))
+}
+
+#[typeshare(serialized_as = "Update")]
+type BoxUpdate = Box<Update>;
+
+pub enum ExecutionResult {
+  Single(BoxUpdate),
+  /// The batch contents will be pre serialized here
+  Batch(String),
+}
+
+pub fn inner_handler(
+  request: ExecuteRequest,
+  user: User,
+) -> Pin<
+  Box<
+    dyn std::future::Future<Output = anyhow::Result<ExecutionResult>>
+      + Send,
+  >,
+> {
+  Box::pin(async move {
+    let task_id = Uuid::new_v4();
+
+    // Need to validate no cancel is active before any update is created.
+    // This ensures no double update created if Cancel is called more than once for the same request.
+    build::validate_cancel_build(&request).await?;
+    repo::validate_cancel_repo_build(&request).await?;
+
+    let update = init_execution_update(&request, &user).await?;
+
+    // This will be the case for the Batch exections,
+    // they don't have their own updates.
+    // The batch calls also call "inner_handler" themselves,
+    // and in their case will spawn tasks, so that isn't necessary
+    // here either.
+    if update.operation == Operation::None {
+      return Ok(ExecutionResult::Batch(
+        task(task_id, request, user, update).await?,
+      ));
+    }
+
+    // Spawn a task for the execution which continues
+    // running after this method returns.
+    let handle =
+      tokio::spawn(task(task_id, request, user, update.clone()));
+
+    // Spawns another task to monitor the first for failures,
+    // and add the log to Update about it (which primary task can't do because it errored out)
+    tokio::spawn({
+      let update_id = update.id.clone();
+      async move {
+        let log = match handle.await {
+          Ok(Err(e)) => {
+            warn!("/execute request {task_id} task error: {e:#}",);
+            Log::error("Task Error", format_serror(&e.into()))
+          }
+          Err(e) => {
+            warn!("/execute request {task_id} spawn error: {e:?}",);
+            Log::error("Spawn Error", format!("{e:#?}"))
+          }
+          _ => return,
+        };
+        let res = async {
+          // Nothing to do if update was never actually created,
+          // which is the case when the id is empty.
+          if update_id.is_empty() {
+            return Ok(());
+          }
+          let mut update =
+            find_one_by_id(&db_client().updates, &update_id)
+              .await
+              .context("Failed to query to db")?
+              .context("No update exists with given id")?;
+          update.logs.push(log);
+          update.finalize();
+          update_update(update).await
+        }
+        .await;
+
+        if let Err(e) = res {
+          warn!(
+            "Failed to update update with task error log | {e:#}"
+          );
+        }
+      }
+    });
+
+    Ok(ExecutionResult::Single(update.into()))
+  })
 }

-#[instrument(
-  name = "ExecuteRequest",
-  skip(user, update),
-  fields(
-    user_id = user.id,
-    update_id = update.id,
-    request = format!("{:?}", request.extract_variant()))
-  )
-]
 async fn task(
-  req_id: Uuid,
+  id: Uuid,
  request: ExecuteRequest,
  user: User,
  update: Update,
 ) -> anyhow::Result<String> {
-  info!("/execute request {req_id} | user: {}", user.username);
-  let timer = Instant::now();
+  let variant: ExecuteRequestVariant = (&request).into();

-  let res = State
-    .resolve_request(request, (user, update))
-    .await
-    .map_err(|e| match e {
-      resolver_api::Error::Serialization(e) => {
-        anyhow!("{e:?}").context("response serialization error")
-      }
-      resolver_api::Error::Inner(e) => e,
-    });
+  info!(
+    "EXECUTE REQUEST {id} | METHOD: {variant} | USER: {} ({})",
+    user.username, user.id
+  );
+
+  let res =
+    match request.resolve(&ExecuteArgs { user, update, id }).await {
+      Err(e) => Err(e.error),
+      Ok(JsonString::Err(e)) => Err(
+        anyhow::Error::from(e)
+          .context("failed to serialize response"),
+      ),
+      Ok(JsonString::Ok(res)) => Ok(res),
+    };

  if let Err(e) = &res {
-    warn!("/execute request {req_id} error: {e:#}");
+    warn!("EXECUTE REQUEST {id} | METHOD: {variant} | ERROR: {e:#}");
  }

-  let elapsed = timer.elapsed();
-  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
-
  res
 }
+
+trait BatchExecute {
+  type Resource: KomodoResource;
+  fn single_request(name: String) -> ExecuteRequest;
+}
+
+#[instrument("BatchExecute", skip(user))]
+async fn batch_execute<E: BatchExecute>(
+  pattern: &str,
+  user: &User,
+) -> anyhow::Result<BatchExecutionResponse> {
+  let resources = list_full_for_user_using_pattern::<E::Resource>(
+    pattern,
+    Default::default(),
+    user,
+    PermissionLevel::Execute.into(),
+    &[],
+  )
+  .await?;
+
+  let futures = resources.into_iter().map(|resource| {
+    let user = user.clone();
+    async move {
+      inner_handler(E::single_request(resource.name.clone()), user)
+        .await
+        .map(|r| {
+          let ExecutionResult::Single(update) = r else {
+            unreachable!()
+          };
+          update
+        })
+        .map_err(|e| BatchExecutionResponseItemErr {
+          name: resource.name,
+          error: e.into(),
+        })
+        .into()
+    }
+  });
+  Ok(join_all(futures).await)
+}
--- a/bin/core/src/api/execute/procedure.rs
+++ b/bin/core/src/api/execute/procedure.rs
@@ -1,31 +1,78 @@
 use std::pin::Pin;

-use formatting::{bold, colored, format_serror, muted, Color};
+use database::mungos::{
+  by_id::update_one_by_id, mongodb::bson::to_document,
+};
+use formatting::{Color, bold, colored, format_serror, muted};
 use komodo_client::{
-  api::execute::RunProcedure,
+  api::execute::{
+    BatchExecutionResponse, BatchRunProcedure, RunProcedure,
+  },
  entities::{
-    permission::PermissionLevel, procedure::Procedure,
-    update::Update, user::User,
+    alert::{Alert, AlertData, SeverityLevel},
+    komodo_timestamp,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    update::Update,
+    user::User,
  },
 };
-use mungos::{by_id::update_one_by_id, mongodb::bson::to_document};
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use tokio::sync::Mutex;

 use crate::{
+  alert::send_alerts,
  helpers::{procedure::execute_procedure, update::update_update},
-  resource::{self, refresh_procedure_state_cache},
-  state::{action_states, db_client, State},
+  permission::get_check_permissions,
+  resource::refresh_procedure_state_cache,
+  state::{action_states, db_client},
 };

-impl Resolve<RunProcedure, (User, Update)> for State {
-  #[instrument(name = "RunProcedure", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+use super::{ExecuteArgs, ExecuteRequest};
+
+impl super::BatchExecute for BatchRunProcedure {
+  type Resource = Procedure;
+  fn single_request(procedure: String) -> ExecuteRequest {
+    ExecuteRequest::RunProcedure(RunProcedure { procedure })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchRunProcedure {
+  #[instrument(
+    "BatchRunProcedure",
+    skip_all,
+    fields(operator = user.id)
+  )]
  async fn resolve(
-    &self,
-    RunProcedure { procedure }: RunProcedure,
-    (user, update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    resolve_inner(procedure, user, update).await
+    self,
+    ExecuteArgs { user, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchRunProcedure>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for RunProcedure {
+  #[instrument(
+    "RunProcedure",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      procedure = self.procedure,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    Ok(
+      resolve_inner(self.procedure, user.clone(), update.clone())
+        .await?,
+    )
  }
 }

@@ -39,10 +86,10 @@ fn resolve_inner(
  >,
 > {
  Box::pin(async move {
-    let procedure = resource::get_check_permissions::<Procedure>(
+    let procedure = get_check_permissions::<Procedure>(
      &procedure,
      &user,
-      PermissionLevel::Execute,
+      PermissionLevel::Execute.into(),
    )
    .await?;

@@ -102,7 +149,7 @@ fn resolve_inner(
      let _ = update_one_by_id(
        &db_client().updates,
        &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
        None,
      )
      .await;
@@ -111,6 +158,25 @@ fn resolve_inner(

    update_update(update.clone()).await?;

+    if !update.success && procedure.config.failure_alert {
+      let target = update.target.clone();
+      tokio::spawn(async move {
+        let alert = Alert {
+          id: Default::default(),
+          target,
+          ts: komodo_timestamp(),
+          resolved_ts: Some(komodo_timestamp()),
+          resolved: true,
+          level: SeverityLevel::Warning,
+          data: AlertData::ProcedureFailed {
+            id: procedure.id,
+            name: procedure.name,
+          },
+        };
+        send_alerts(&[alert]).await
+      });
+    }
+
    Ok(update)
  })
 }
--- a/bin/core/src/api/execute/repo.rs
+++ b/bin/core/src/api/execute/repo.rs
@@ -1,9 +1,17 @@
 use std::{collections::HashSet, future::IntoFuture, time::Duration};

-use anyhow::{anyhow, Context};
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::{
+    bson::{doc, to_document},
+    options::FindOneOptions,
+  },
+};
 use formatting::format_serror;
+use interpolate::Interpolator;
 use komodo_client::{
-  api::execute::*,
+  api::{execute::*, write::RefreshRepoCache},
  entities::{
    alert::{Alert, AlertData, SeverityLevel},
    builder::{Builder, BuilderConfig},
@@ -12,52 +20,76 @@ use komodo_client::{
    repo::Repo,
    server::Server,
    update::{Log, Update},
-    user::User,
-  },
-};
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::{
-    bson::{doc, to_document},
-    options::FindOneOptions,
  },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;

 use crate::{
  alert::send_alerts,
+  api::write::WriteArgs,
  helpers::{
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    builder::{cleanup_builder_instance, connect_builder_periphery},
    channel::repo_cancel_channel,
-    git_token,
-    interpolate::{
-      add_interp_update_log,
-      interpolate_variables_secrets_into_string,
-      interpolate_variables_secrets_into_system_command,
-    },
-    periphery_client,
-    query::get_variables_and_secrets,
+    git_token, periphery_client,
+    query::{VariablesAndSecrets, get_variables_and_secrets},
    update::update_update,
  },
+  permission::get_check_permissions,
  resource::{self, refresh_repo_state_cache},
-  state::{action_states, db_client, State},
+  state::{action_states, db_client},
 };

-use super::ExecuteRequest;
+use super::{ExecuteArgs, ExecuteRequest};

-impl Resolve<CloneRepo, (User, Update)> for State {
-  #[instrument(name = "CloneRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl super::BatchExecute for BatchCloneRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchCloneRepo {
+  #[instrument(
+    "BatchCloneRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
-    &self,
-    CloneRepo { repo }: CloneRepo,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for CloneRepo {
+  #[instrument(
+    "CloneRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;

@@ -70,10 +102,11 @@ impl Resolve<CloneRepo, (User, Update)> for State {
    let _action_guard =
      action_state.update(|state| state.cloning = true)?;

+    let mut update = update.clone();
    update_update(update.clone()).await?;

    if repo.config.server_id.is_empty() {
-      return Err(anyhow!("repo has no server attached"));
+      return Err(anyhow!("repo has no server attached").into());
    }

    let git_token = git_token(
@@ -89,7 +122,7 @@ impl Resolve<CloneRepo, (User, Update)> for State {
    let server =
      resource::get::<Server>(&repo.config.server_id).await?;

-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;

    // interpolate variables / secrets, returning the sanitizing replacers to send to
    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -102,16 +135,18 @@ impl Resolve<CloneRepo, (User, Update)> for State {
        git_token,
        environment: repo.config.env_vars()?,
        env_file_path: repo.config.env_file_path,
+        on_clone: repo.config.on_clone.into(),
+        on_pull: repo.config.on_pull.into(),
        skip_secret_interp: repo.config.skip_secret_interp,
        replacers: secret_replacers.into_iter().collect(),
      })
      .await
    {
-      Ok(res) => res.logs,
+      Ok(res) => res.res.logs,
      Err(e) => {
        vec![Log::error(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
        )]
      }
    };
@@ -123,21 +158,69 @@ impl Resolve<CloneRepo, (User, Update)> for State {
      update_last_pulled_time(&repo.name).await;
    }

-    handle_server_update_return(update).await
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_repo_update_return(update).await
  }
 }

-impl Resolve<PullRepo, (User, Update)> for State {
-  #[instrument(name = "PullRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl super::BatchExecute for BatchPullRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::PullRepo(PullRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchPullRepo {
+  #[instrument(
+    "BatchPullRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern
+    )
+  )]
  async fn resolve(
-    &self,
-    PullRepo { repo }: PullRepo,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchPullRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for PullRepo {
+  #[instrument(
+    "PullRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;

@@ -150,10 +233,12 @@ impl Resolve<PullRepo, (User, Update)> for State {
    let _action_guard =
      action_state.update(|state| state.pulling = true)?;

+    let mut update = update.clone();
+
    update_update(update.clone()).await?;

    if repo.config.server_id.is_empty() {
-      return Err(anyhow!("repo has no server attached"));
+      return Err(anyhow!("repo has no server attached").into());
    }

    let git_token = git_token(
@@ -169,7 +254,7 @@ impl Resolve<PullRepo, (User, Update)> for State {
    let server =
      resource::get::<Server>(&repo.config.server_id).await?;

-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;

    // interpolate variables / secrets, returning the sanitizing replacers to send to
    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -182,14 +267,15 @@ impl Resolve<PullRepo, (User, Update)> for State {
        git_token,
        environment: repo.config.env_vars()?,
        env_file_path: repo.config.env_file_path,
+        on_pull: repo.config.on_pull.into(),
        skip_secret_interp: repo.config.skip_secret_interp,
        replacers: secret_replacers.into_iter().collect(),
      })
      .await
    {
      Ok(res) => {
-        update.commit_hash = res.commit_hash.unwrap_or_default();
-        res.logs
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+        res.res.logs
      }
      Err(e) => {
        vec![Log::error(
@@ -207,14 +293,30 @@ impl Resolve<PullRepo, (User, Update)> for State {
      update_last_pulled_time(&repo.name).await;
    }

-    handle_server_update_return(update).await
+    if let Err(e) = (RefreshRepoCache { repo: repo.id })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+      .map_err(|e| e.error)
+      .context("Failed to refresh repo cache")
+    {
+      update.push_error_log(
+        "Refresh Repo cache",
+        format_serror(&e.into()),
+      );
+    };
+
+    handle_repo_update_return(update).await
  }
 }

-#[instrument(skip_all, fields(update_id = update.id))]
-async fn handle_server_update_return(
+#[instrument(
+  "HandleRepoEarlyReturn",
+  skip_all,
+  fields(update_id = update.id)
+)]
+async fn handle_repo_update_return(
  update: Update,
-) -> anyhow::Result<Update> {
+) -> mogh_error::Result<Update> {
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
  // The Err case of to_document should be unreachable,
@@ -223,7 +325,7 @@ async fn handle_server_update_return(
    let _ = update_one_by_id(
      &db_client().updates,
      &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
      None,
    )
    .await;
@@ -233,7 +335,7 @@ async fn handle_server_update_return(
  Ok(update)
 }

-#[instrument]
+#[instrument("UpdateLastPulledTime")]
 async fn update_last_pulled_time(repo_name: &str) {
  let res = db_client()
    .repos
@@ -249,22 +351,58 @@ async fn update_last_pulled_time(repo_name: &str) {
  }
 }

-impl Resolve<BuildRepo, (User, Update)> for State {
-  #[instrument(name = "BuildRepo", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl super::BatchExecute for BatchBuildRepo {
+  type Resource = Repo;
+  fn single_request(repo: String) -> ExecuteRequest {
+    ExecuteRequest::CloneRepo(CloneRepo { repo })
+  }
+}
+
+impl Resolve<ExecuteArgs> for BatchBuildRepo {
+  #[instrument(
+    "BatchBuildRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
-    &self,
-    BuildRepo { repo }: BuildRepo,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let mut repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
+    Ok(
+      super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
+        .await?,
+    )
+  }
+}
+
+impl Resolve<ExecuteArgs> for BuildRepo {
+  #[instrument(
+    "BuildRepo",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let mut repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;

    if repo.config.builder_id.is_empty() {
-      return Err(anyhow!("Must attach builder to BuildRepo"));
+      return Err(anyhow!("Must attach builder to BuildRepo").into());
    }

    // get the action state for the repo (or insert default).
@@ -276,6 +414,7 @@ impl Resolve<BuildRepo, (User, Update)> for State {
    let _action_guard =
      action_state.update(|state| state.building = true)?;

+    let mut update = update.clone();
    update_update(update.clone()).await?;

    let git_token = git_token(
@@ -335,7 +474,7 @@ impl Resolve<BuildRepo, (User, Update)> for State {

    // GET BUILDER PERIPHERY

-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
      repo.name.clone(),
      None,
      builder,
@@ -371,6 +510,8 @@ impl Resolve<BuildRepo, (User, Update)> for State {
          git_token,
          environment: repo.config.env_vars()?,
          env_file_path: repo.config.env_file_path,
+          on_clone: repo.config.on_clone.into(),
+          on_pull: repo.config.on_pull.into(),
          skip_secret_interp: repo.config.skip_secret_interp,
          replacers: secret_replacers.into_iter().collect()
        }) => res,
@@ -387,14 +528,15 @@ impl Resolve<BuildRepo, (User, Update)> for State {
    let commit_message = match res {
      Ok(res) => {
        debug!("finished repo clone");
-        update.logs.extend(res.logs);
-        update.commit_hash = res.commit_hash.unwrap_or_default();
-        res.commit_message.unwrap_or_default()
+        update.logs.extend(res.res.logs);
+        update.commit_hash = res.res.commit_hash.unwrap_or_default();
+
+        res.res.commit_message.unwrap_or_default()
      }
      Err(e) => {
        update.push_error_log(
-          "clone repo",
-          format_serror(&e.context("failed to clone repo").into()),
+          "Clone Repo",
+          format_serror(&e.context("Failed to clone repo").into()),
        );
        Default::default()
      }
@@ -421,6 +563,8 @@ impl Resolve<BuildRepo, (User, Update)> for State {
    // stop the cancel listening task from going forever
    cancel.cancel();

+    // If building on temporary cloud server (AWS),
+    // this will terminate the server.
    cleanup_builder_instance(periphery, cleanup_data, &mut update)
      .await;

@@ -432,7 +576,7 @@ impl Resolve<BuildRepo, (User, Update)> for State {
      let _ = update_one_by_id(
        &db.updates,
        &update.id,
-        mungos::update::Update::Set(update_doc),
+        database::mungos::update::Update::Set(update_doc),
        None,
      )
      .await;
@@ -442,7 +586,6 @@ impl Resolve<BuildRepo, (User, Update)> for State {
    update_update(update.clone()).await?;

    if !update.success {
-      warn!("repo build unsuccessful, alerting...");
      let target = update.target.clone();
      tokio::spawn(async move {
        let alert = Alert {
@@ -465,13 +608,13 @@ impl Resolve<BuildRepo, (User, Update)> for State {
  }
 }

-#[instrument(skip(update))]
+#[instrument("HandleRepoBuildEarlyReturn", skip(update))]
 async fn handle_builder_early_return(
  mut update: Update,
  repo_id: String,
  repo_name: String,
  is_cancel: bool,
-) -> anyhow::Result<Update> {
+) -> mogh_error::Result<Update> {
  update.finalize();
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
@@ -481,7 +624,7 @@ async fn handle_builder_early_return(
    let _ = update_one_by_id(
      &db_client().updates,
      &update.id,
-      mungos::update::Update::Set(update_doc),
+      database::mungos::update::Update::Set(update_doc),
      None,
    )
    .await;
@@ -489,7 +632,6 @@ async fn handle_builder_early_return(
  }
  update_update(update.clone()).await?;
  if !update.success && !is_cancel {
-    warn!("repo build unsuccessful, alerting...");
    let target = update.target.clone();
    tokio::spawn(async move {
      let alert = Alert {
@@ -510,7 +652,6 @@ async fn handle_builder_early_return(
  Ok(update)
 }

-#[instrument(skip_all)]
 pub async fn validate_cancel_repo_build(
  request: &ExecuteRequest,
 ) -> anyhow::Result<()> {
@@ -559,17 +700,25 @@ pub async fn validate_cancel_repo_build(
  Ok(())
 }

-impl Resolve<CancelRepoBuild, (User, Update)> for State {
-  #[instrument(name = "CancelRepoBuild", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+impl Resolve<ExecuteArgs> for CancelRepoBuild {
+  #[instrument(
+    "CancelRepoBuild",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
  async fn resolve(
-    &self,
-    CancelRepoBuild { repo }: CancelRepoBuild,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Execute,
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Execute.into(),
    )
    .await?;

@@ -581,9 +730,11 @@ impl Resolve<CancelRepoBuild, (User, Update)> for State {
      .and_then(|s| s.get().ok().map(|s| s.building))
      .unwrap_or_default()
    {
-      return Err(anyhow!("Repo is not building."));
+      return Err(anyhow!("Repo is not building.").into());
    }

+    let mut update = update.clone();
+
    update.push_simple_log(
      "cancel triggered",
      "the repo build cancel has been triggered",
@@ -609,7 +760,9 @@ impl Resolve<CancelRepoBuild, (User, Update)> for State {
      )
      .await
      {
-        warn!("failed to set CancelRepoBuild Update status Complete after timeout | {e:#}")
+        warn!(
+          "failed to set CancelRepoBuild Update status Complete after timeout | {e:#}"
+        )
      }
    });

@@ -617,44 +770,29 @@ impl Resolve<CancelRepoBuild, (User, Update)> for State {
  }
 }

+#[instrument(
+  "Interpolate",
+  skip_all,
+  fields(
+    skip_secret_interp = repo.config.skip_secret_interp
+  )
+)]
 async fn interpolate(
  repo: &mut Repo,
  update: &mut Update,
 ) -> anyhow::Result<HashSet<(String, String)>> {
  if !repo.config.skip_secret_interp {
-    let vars_and_secrets = get_variables_and_secrets().await?;
+    let VariablesAndSecrets { variables, secrets } =
+      get_variables_and_secrets().await?;

-    let mut global_replacers = HashSet::new();
-    let mut secret_replacers = HashSet::new();
+    let mut interpolator =
+      Interpolator::new(Some(&variables), &secrets);

-    interpolate_variables_secrets_into_string(
-      &vars_and_secrets,
-      &mut repo.config.environment,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
+    interpolator
+      .interpolate_repo(repo)?
+      .push_logs(&mut update.logs);

-    interpolate_variables_secrets_into_system_command(
-      &vars_and_secrets,
-      &mut repo.config.on_clone,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    interpolate_variables_secrets_into_system_command(
-      &vars_and_secrets,
-      &mut repo.config.on_pull,
-      &mut global_replacers,
-      &mut secret_replacers,
-    )?;
-
-    add_interp_update_log(
-      update,
-      &global_replacers,
-      &secret_replacers,
-    );
-
-    Ok(secret_replacers)
+    Ok(interpolator.secret_replacers)
  } else {
    Ok(Default::default())
  }
--- a/bin/core/src/api/execute/server.rs
+++ b/bin/core/src/api/execute/server.rs
--- a/bin/core/src/api/execute/server_template.rs
+++ b/bin/core/src/api/execute/server_template.rs
@@ -1,148 +0,0 @@
-use anyhow::{anyhow, Context};
-use formatting::format_serror;
-use komodo_client::{
-  api::{execute::LaunchServer, write::CreateServer},
-  entities::{
-    permission::PermissionLevel,
-    server::PartialServerConfig,
-    server_template::{ServerTemplate, ServerTemplateConfig},
-    update::Update,
-    user::User,
-  },
-};
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
-
-use crate::{
-  cloud::{
-    aws::ec2::launch_ec2_instance, hetzner::launch_hetzner_server,
-  },
-  helpers::update::update_update,
-  resource,
-  state::{db_client, State},
-};
-
-impl Resolve<LaunchServer, (User, Update)> for State {
-  #[instrument(name = "LaunchServer", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
-  async fn resolve(
-    &self,
-    LaunchServer {
-      name,
-      server_template,
-    }: LaunchServer,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    // validate name isn't already taken by another server
-    if db_client()
-      .servers
-      .find_one(doc! {
-        "name": &name
-      })
-      .await
-      .context("failed to query db for servers")?
-      .is_some()
-    {
-      return Err(anyhow!("name is already taken"));
-    }
-
-    let template = resource::get_check_permissions::<ServerTemplate>(
-      &server_template,
-      &user,
-      PermissionLevel::Execute,
-    )
-    .await?;
-
-    update.push_simple_log(
-      "launching server",
-      format!("{:#?}", template.config),
-    );
-    update_update(update.clone()).await?;
-
-    let config = match template.config {
-      ServerTemplateConfig::Aws(config) => {
-        let region = config.region.clone();
-        let use_https = config.use_https;
-        let port = config.port;
-        let instance = match launch_ec2_instance(&name, config).await
-        {
-          Ok(instance) => instance,
-          Err(e) => {
-            update.push_error_log(
-              "launch server",
-              format!("failed to launch aws instance\n\n{e:#?}"),
-            );
-            update.finalize();
-            update_update(update.clone()).await?;
-            return Ok(update);
-          }
-        };
-        update.push_simple_log(
-          "launch server",
-          format!(
-            "successfully launched server {name} on ip {}",
-            instance.ip
-          ),
-        );
-        let protocol = if use_https { "https" } else { "http" };
-        PartialServerConfig {
-          address: format!("{protocol}://{}:{port}", instance.ip)
-            .into(),
-          region: region.into(),
-          ..Default::default()
-        }
-      }
-      ServerTemplateConfig::Hetzner(config) => {
-        let datacenter = config.datacenter;
-        let use_https = config.use_https;
-        let port = config.port;
-        let server = match launch_hetzner_server(&name, config).await
-        {
-          Ok(server) => server,
-          Err(e) => {
-            update.push_error_log(
-              "launch server",
-              format!("failed to launch hetzner server\n\n{e:#?}"),
-            );
-            update.finalize();
-            update_update(update.clone()).await?;
-            return Ok(update);
-          }
-        };
-        update.push_simple_log(
-          "launch server",
-          format!(
-            "successfully launched server {name} on ip {}",
-            server.ip
-          ),
-        );
-        let protocol = if use_https { "https" } else { "http" };
-        PartialServerConfig {
-          address: format!("{protocol}://{}:{port}", server.ip)
-            .into(),
-          region: datacenter.as_ref().to_string().into(),
-          ..Default::default()
-        }
-      }
-    };
-
-    match self.resolve(CreateServer { name, config }, user).await {
-      Ok(server) => {
-        update.push_simple_log(
-          "create server",
-          format!("created server {} ({})", server.name, server.id),
-        );
-        update.other_data = server.id;
-      }
-      Err(e) => {
-        update.push_error_log(
-          "create server",
-          format_serror(&e.context("failed to create server").into()),
-        );
-      }
-    };
-
-    update.finalize();
-    update_update(update.clone()).await?;
-    Ok(update)
-  }
-}
--- a/bin/core/src/api/execute/stack.rs
+++ b/bin/core/src/api/execute/stack.rs
--- a/bin/core/src/api/execute/swarm.rs
+++ b/bin/core/src/api/execute/swarm.rs
@@ -0,0 +1,516 @@
+use formatting::format_serror;
+use komodo_client::{
+  api::execute::{
+    CreateSwarmConfig, CreateSwarmSecret, RemoveSwarmConfigs,
+    RemoveSwarmNodes, RemoveSwarmSecrets, RemoveSwarmServices,
+    RemoveSwarmStacks, RotateSwarmConfig, RotateSwarmSecret,
+  },
+  entities::{permission::PermissionLevel, swarm::Swarm},
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  api::execute::ExecuteArgs,
+  helpers::{swarm::swarm_request, update::update_update},
+  monitor::update_cache_for_swarm,
+  permission::get_check_permissions,
+};
+
+impl Resolve<ExecuteArgs> for RemoveSwarmNodes {
+  #[instrument(
+    "RemoveSwarmNodes",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      nodes = serde_json::to_string(&self.nodes).unwrap_or_else(|e| e.to_string()),
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmNodes {
+        nodes: self.nodes,
+        force: self.force,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Nodes",
+        format_serror(
+          &e.context("Failed to remove swarm nodes").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmStacks {
+  #[instrument(
+    "RemoveSwarmStacks",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      stacks = serde_json::to_string(&self.stacks).unwrap_or_else(|e| e.to_string()),
+      detach = self.detach,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmStacks {
+        stacks: self.stacks,
+        detach: self.detach,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Stacks",
+        format_serror(
+          &e.context("Failed to remove swarm stacks").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmServices {
+  #[instrument(
+    "RemoveSwarmServices",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      services = serde_json::to_string(&self.services).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmServices {
+        services: self.services,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Services",
+        format_serror(
+          &e.context("Failed to remove swarm services").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmConfig {
+  #[instrument(
+    "CreateSwarmConfig",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmConfig {
+        name: self.name,
+        data: self.data,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Config",
+        format_serror(
+          &e.context("Failed to create swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmConfig {
+  #[instrument(
+    "RotateSwarmConfig",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.config,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmConfig {
+        config: self.config,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Config",
+        format_serror(
+          &e.context("Failed to rotate swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmConfigs {
+  #[instrument(
+    "RemoveSwarmConfigs",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      configs = serde_json::to_string(&self.configs).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmConfigs {
+        configs: self.configs,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Configs",
+        format_serror(
+          &e.context("Failed to remove swarm configs").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmSecret {
+  #[instrument(
+    "CreateSwarmSecret",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmSecret {
+        name: self.name,
+        data: self.data,
+        driver: self.driver,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Secret",
+        format_serror(
+          &e.context("Failed to create swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmSecret {
+  #[instrument(
+    "RotateSwarmSecret",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.secret,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmSecret {
+        secret: self.secret,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Secret",
+        format_serror(
+          &e.context("Failed to rotate swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmSecrets {
+  #[instrument(
+    "RemoveSwarmSecrets",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secrets = serde_json::to_string(&self.secrets).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmSecrets {
+        secrets: self.secrets,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        update_cache_for_swarm(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Secrets",
+        format_serror(
+          &e.context("Failed to remove swarm secrets").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/sync.rs
+++ b/bin/core/src/api/execute/sync.rs
@@ -1,11 +1,16 @@
 use std::{collections::HashMap, str::FromStr};

-use anyhow::{anyhow, Context};
-use formatting::{colored, format_serror, Color};
+use anyhow::{Context, anyhow};
+use database::mungos::{
+  by_id::update_one_by_id,
+  mongodb::bson::{doc, oid::ObjectId},
+};
+use formatting::{Color, colored, format_serror};
 use komodo_client::{
  api::{execute::RunSync, write::RefreshResourceSyncPending},
  entities::{
-    self,
+    self, ResourceTargetVariant,
+    action::Action,
    alerter::Alerter,
    build::Build,
    builder::Builder,
@@ -15,62 +20,84 @@ use komodo_client::{
    procedure::Procedure,
    repo::Repo,
    server::Server,
-    server_template::ServerTemplate,
    stack::Stack,
    sync::ResourceSync,
    update::{Log, Update},
-    user::{sync_user, User},
-    ResourceTargetVariant,
+    user::sync_user,
  },
 };
-use mongo_indexed::doc;
-use mungos::{
-  by_id::update_one_by_id,
-  mongodb::bson::{oid::ObjectId, to_document},
-};
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  helpers::{query::get_id_to_tags, update::update_update},
-  resource::{self, refresh_resource_sync_state_cache},
-  state::{action_states, db_client, State},
+  api::write::WriteArgs,
+  helpers::{
+    all_resources::AllResourcesById, query::get_id_to_tags,
+    update::update_update,
+  },
+  permission::get_check_permissions,
+  state::{action_states, db_client},
  sync::{
+    ResourceSyncTrait,
    deploy::{
-      build_deploy_cache, deploy_from_cache, SyncDeployParams,
+      SyncDeployParams, build_deploy_cache, deploy_from_cache,
    },
-    execute::{get_updates_for_execution, ExecuteResourceSync},
+    execute::{ExecuteResourceSync, get_updates_for_execution},
    remote::RemoteResources,
-    AllResourcesById, ResourceSyncTrait,
  },
 };

-impl Resolve<RunSync, (User, Update)> for State {
-  #[instrument(name = "RunSync", skip(self, user, update), fields(user_id = user.id, update_id = update.id))]
+use super::ExecuteArgs;
+
+impl Resolve<ExecuteArgs> for RunSync {
+  #[instrument(
+    "RunSync",
+    skip_all,
+    fields(
+      id = id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      sync = self.sync,
+      resource_type = format!("{:?}", self.resource_type),
+      resources = format!("{:?}", self.resources),
+    )
+  )]
  async fn resolve(
-    &self,
-    RunSync {
+    self,
+    ExecuteArgs { user, update, id }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let RunSync {
      sync,
      resource_type: match_resource_type,
      resources: match_resources,
-    }: RunSync,
-    (user, mut update): (User, Update),
-  ) -> anyhow::Result<Update> {
-    let sync = resource::get_check_permissions::<
-      entities::sync::ResourceSync,
-    >(&sync, &user, PermissionLevel::Execute)
+    } = self;
+    let sync = get_check_permissions::<entities::sync::ResourceSync>(
+      &sync,
+      user,
+      PermissionLevel::Execute.into(),
+    )
    .await?;

+    let repo = if !sync.config.files_on_host
+      && !sync.config.linked_repo.is_empty()
+    {
+      crate::resource::get::<Repo>(&sync.config.linked_repo)
+        .await?
+        .into()
+    } else {
+      None
+    };
+
    // get the action state for the sync (or insert default).
-    let action_state = action_states()
-      .resource_sync
-      .get_or_insert_default(&sync.id)
-      .await;
+    let action_state =
+      action_states().sync.get_or_insert_default(&sync.id).await;

    // This will set action state back to default when dropped.
    // Will also check to ensure sync not already busy before updating.
    let _action_guard =
      action_state.update(|state| state.syncing = true)?;

+    let mut update = update.clone();
+
    // Send update here for FE to recheck action state
    update_update(update.clone()).await?;

@@ -81,15 +108,18 @@ impl Resolve<RunSync, (User, Update)> for State {
      message,
      file_errors,
      ..
-    } = crate::sync::remote::get_remote_resources(&sync)
-      .await
-      .context("failed to get remote resources")?;
+    } =
+      crate::sync::remote::get_remote_resources(&sync, repo.as_ref())
+        .await
+        .context("failed to get remote resources")?;

    update.logs.extend(logs);
    update_update(update.clone()).await?;

    if !file_errors.is_empty() {
-      return Err(anyhow!("Found file errors. Cannot execute sync."));
+      return Err(
+        anyhow!("Found file errors. Cannot execute sync.").into(),
+      );
    }

    let resources = resources?;
@@ -106,46 +136,50 @@ impl Resolve<RunSync, (User, Update)> for State {
          };
          match ObjectId::from_str(&name_or_id) {
            Ok(_) => match resource_type {
-              ResourceTargetVariant::Alerter => all_resources
-                .alerters
+              ResourceTargetVariant::Swarm => all_resources
+                .swarms
                .get(&name_or_id)
-                .map(|a| a.name.clone()),
-              ResourceTargetVariant::Build => all_resources
-                .builds
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Builder => all_resources
-                .builders
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Deployment => all_resources
-                .deployments
-                .get(&name_or_id)
-                .map(|d| d.name.clone()),
-              ResourceTargetVariant::Procedure => all_resources
-                .procedures
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Repo => all_resources
-                .repos
-                .get(&name_or_id)
-                .map(|r| r.name.clone()),
+                .map(|s| s.name.clone()),
              ResourceTargetVariant::Server => all_resources
                .servers
                .get(&name_or_id)
                .map(|s| s.name.clone()),
-              ResourceTargetVariant::ServerTemplate => all_resources
-                .templates
-                .get(&name_or_id)
-                .map(|t| t.name.clone()),
              ResourceTargetVariant::Stack => all_resources
                .stacks
                .get(&name_or_id)
                .map(|s| s.name.clone()),
+              ResourceTargetVariant::Deployment => all_resources
+                .deployments
+                .get(&name_or_id)
+                .map(|d| d.name.clone()),
+              ResourceTargetVariant::Build => all_resources
+                .builds
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Repo => all_resources
+                .repos
+                .get(&name_or_id)
+                .map(|r| r.name.clone()),
+              ResourceTargetVariant::Procedure => all_resources
+                .procedures
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
+              ResourceTargetVariant::Action => all_resources
+                .actions
+                .get(&name_or_id)
+                .map(|p| p.name.clone()),
              ResourceTargetVariant::ResourceSync => all_resources
                .syncs
                .get(&name_or_id)
                .map(|s| s.name.clone()),
+              ResourceTargetVariant::Builder => all_resources
+                .builders
+                .get(&name_or_id)
+                .map(|b| b.name.clone()),
+              ResourceTargetVariant::Alerter => all_resources
+                .alerters
+                .get(&name_or_id)
+                .map(|a| a.name.clone()),
              ResourceTargetVariant::System => None,
            },
            Err(_) => Some(name_or_id),
@@ -192,134 +226,141 @@ impl Resolve<RunSync, (User, Update)> for State {
      deployment_map: &deployments_by_name,
      stacks: &resources.stacks,
      stack_map: &stacks_by_name,
-      all_resources: &all_resources,
    })
    .await?;

    let delete = sync.config.managed || sync.config.delete;

-    let (servers_to_create, servers_to_update, servers_to_delete) =
+    let server_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Server>(
        resources.servers,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (
-      deployments_to_create,
-      deployments_to_update,
-      deployments_to_delete,
-    ) = get_updates_for_execution::<Deployment>(
-      resources.deployments,
-      delete,
-      &all_resources,
-      match_resource_type,
-      match_resources.as_deref(),
-      &id_to_tags,
-      &sync.config.match_tags,
-    )
-    .await?;
-    let (stacks_to_create, stacks_to_update, stacks_to_delete) =
+      .await?
+    } else {
+      Default::default()
+    };
+    let stack_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Stack>(
        resources.stacks,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (builds_to_create, builds_to_update, builds_to_delete) =
+      .await?
+    } else {
+      Default::default()
+    };
+    let deployment_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Deployment>(
+        resources.deployments,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let build_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Build>(
        resources.builds,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (repos_to_create, repos_to_update, repos_to_delete) =
+      .await?
+    } else {
+      Default::default()
+    };
+    let repo_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Repo>(
        resources.repos,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (
-      procedures_to_create,
-      procedures_to_update,
-      procedures_to_delete,
-    ) = get_updates_for_execution::<Procedure>(
-      resources.procedures,
-      delete,
-      &all_resources,
-      match_resource_type,
-      match_resources.as_deref(),
-      &id_to_tags,
-      &sync.config.match_tags,
-    )
-    .await?;
-    let (builders_to_create, builders_to_update, builders_to_delete) =
+      .await?
+    } else {
+      Default::default()
+    };
+    let procedure_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Procedure>(
+        resources.procedures,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let action_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<Action>(
+        resources.actions,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };
+    let builder_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Builder>(
        resources.builders,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (alerters_to_create, alerters_to_update, alerters_to_delete) =
+      .await?
+    } else {
+      Default::default()
+    };
+    let alerter_deltas = if sync.config.include_resources {
      get_updates_for_execution::<Alerter>(
        resources.alerters,
        delete,
-        &all_resources,
        match_resource_type,
        match_resources.as_deref(),
        &id_to_tags,
        &sync.config.match_tags,
      )
-      .await?;
-    let (
-      server_templates_to_create,
-      server_templates_to_update,
-      server_templates_to_delete,
-    ) = get_updates_for_execution::<ServerTemplate>(
-      resources.server_templates,
-      delete,
-      &all_resources,
-      match_resource_type,
-      match_resources.as_deref(),
-      &id_to_tags,
-      &sync.config.match_tags,
-    )
-    .await?;
-    let (
-      resource_syncs_to_create,
-      resource_syncs_to_update,
-      resource_syncs_to_delete,
-    ) = get_updates_for_execution::<entities::sync::ResourceSync>(
-      resources.resource_syncs,
-      delete,
-      &all_resources,
-      match_resource_type,
-      match_resources.as_deref(),
-      &id_to_tags,
-      &sync.config.match_tags,
-    )
-    .await?;
+      .await?
+    } else {
+      Default::default()
+    };
+    let resource_sync_deltas = if sync.config.include_resources {
+      get_updates_for_execution::<entities::sync::ResourceSync>(
+        resources.resource_syncs,
+        delete,
+        match_resource_type,
+        match_resources.as_deref(),
+        &id_to_tags,
+        &sync.config.match_tags,
+      )
+      .await?
+    } else {
+      Default::default()
+    };

    let (
      variables_to_create,
@@ -327,12 +368,11 @@ impl Resolve<RunSync, (User, Update)> for State {
      variables_to_delete,
    ) = if match_resource_type.is_none()
      && match_resources.is_none()
-      && sync.config.match_tags.is_empty()
+      && sync.config.include_variables
    {
      crate::sync::variables::get_updates_for_execution(
        resources.variables,
-        // Delete doesn't work with variables when match tags are set
-        sync.config.match_tags.is_empty() && delete,
+        delete,
      )
      .await?
    } else {
@@ -344,13 +384,11 @@ impl Resolve<RunSync, (User, Update)> for State {
      user_groups_to_delete,
    ) = if match_resource_type.is_none()
      && match_resources.is_none()
-      && sync.config.match_tags.is_empty()
+      && sync.config.include_user_groups
    {
      crate::sync::user_groups::get_updates_for_execution(
        resources.user_groups,
-        // Delete doesn't work with user groups when match tags are set
-        sync.config.match_tags.is_empty() && delete,
-        &all_resources,
+        delete,
      )
      .await?
    } else {
@@ -358,36 +396,16 @@ impl Resolve<RunSync, (User, Update)> for State {
    };

    if deploy_cache.is_empty()
-      && resource_syncs_to_create.is_empty()
-      && resource_syncs_to_update.is_empty()
-      && resource_syncs_to_delete.is_empty()
-      && server_templates_to_create.is_empty()
-      && server_templates_to_update.is_empty()
-      && server_templates_to_delete.is_empty()
-      && servers_to_create.is_empty()
-      && servers_to_update.is_empty()
-      && servers_to_delete.is_empty()
-      && deployments_to_create.is_empty()
-      && deployments_to_update.is_empty()
-      && deployments_to_delete.is_empty()
-      && stacks_to_create.is_empty()
-      && stacks_to_update.is_empty()
-      && stacks_to_delete.is_empty()
-      && builds_to_create.is_empty()
-      && builds_to_update.is_empty()
-      && builds_to_delete.is_empty()
-      && builders_to_create.is_empty()
-      && builders_to_update.is_empty()
-      && builders_to_delete.is_empty()
-      && alerters_to_create.is_empty()
-      && alerters_to_update.is_empty()
-      && alerters_to_delete.is_empty()
-      && repos_to_create.is_empty()
-      && repos_to_update.is_empty()
-      && repos_to_delete.is_empty()
-      && procedures_to_create.is_empty()
-      && procedures_to_update.is_empty()
-      && procedures_to_delete.is_empty()
+      && resource_sync_deltas.no_changes()
+      && server_deltas.no_changes()
+      && deployment_deltas.no_changes()
+      && stack_deltas.no_changes()
+      && build_deltas.no_changes()
+      && builder_deltas.no_changes()
+      && alerter_deltas.no_changes()
+      && repo_deltas.no_changes()
+      && procedure_deltas.no_changes()
+      && action_deltas.no_changes()
      && user_groups_to_create.is_empty()
      && user_groups_to_update.is_empty()
      && user_groups_to_delete.is_empty()
@@ -430,102 +448,52 @@ impl Resolve<RunSync, (User, Update)> for State {
    );
    maybe_extend(
      &mut update.logs,
-      ResourceSync::execute_sync_updates(
-        resource_syncs_to_create,
-        resource_syncs_to_update,
-        resource_syncs_to_delete,
-      )
-      .await,
+      ResourceSync::execute_sync_updates(resource_sync_deltas).await,
    );
    maybe_extend(
      &mut update.logs,
-      ServerTemplate::execute_sync_updates(
-        server_templates_to_create,
-        server_templates_to_update,
-        server_templates_to_delete,
-      )
-      .await,
+      Server::execute_sync_updates(server_deltas).await,
    );
    maybe_extend(
      &mut update.logs,
-      Server::execute_sync_updates(
-        servers_to_create,
-        servers_to_update,
-        servers_to_delete,
-      )
-      .await,
+      Alerter::execute_sync_updates(alerter_deltas).await,
    );
    maybe_extend(
      &mut update.logs,
-      Alerter::execute_sync_updates(
-        alerters_to_create,
-        alerters_to_update,
-        alerters_to_delete,
-      )
-      .await,
+      Action::execute_sync_updates(action_deltas).await,
    );

    // Dependent on server
    maybe_extend(
      &mut update.logs,
-      Builder::execute_sync_updates(
-        builders_to_create,
-        builders_to_update,
-        builders_to_delete,
-      )
-      .await,
+      Builder::execute_sync_updates(builder_deltas).await,
    );
    maybe_extend(
      &mut update.logs,
-      Repo::execute_sync_updates(
-        repos_to_create,
-        repos_to_update,
-        repos_to_delete,
-      )
-      .await,
+      Repo::execute_sync_updates(repo_deltas).await,
    );

    // Dependant on builder
    maybe_extend(
      &mut update.logs,
-      Build::execute_sync_updates(
-        builds_to_create,
-        builds_to_update,
-        builds_to_delete,
-      )
-      .await,
+      Build::execute_sync_updates(build_deltas).await,
    );

    // Dependant on server / build
    maybe_extend(
      &mut update.logs,
-      Deployment::execute_sync_updates(
-        deployments_to_create,
-        deployments_to_update,
-        deployments_to_delete,
-      )
-      .await,
+      Deployment::execute_sync_updates(deployment_deltas).await,
    );
    // stack only depends on server, but maybe will depend on build later.
    maybe_extend(
      &mut update.logs,
-      Stack::execute_sync_updates(
-        stacks_to_create,
-        stacks_to_update,
-        stacks_to_delete,
-      )
-      .await,
+      Stack::execute_sync_updates(stack_deltas).await,
    );

    // Dependant on everything
    maybe_extend(
      &mut update.logs,
-      Procedure::execute_sync_updates(
-        procedures_to_create,
-        procedures_to_update,
-        procedures_to_delete,
-      )
-      .await,
+      Procedure::execute_sync_updates(procedure_deltas).await,
    );

    // Execute the deploy cache
@@ -553,39 +521,27 @@ impl Resolve<RunSync, (User, Update)> for State {
      )
    }

-    if let Err(e) = State
-      .resolve(
-        RefreshResourceSyncPending { sync: sync.id },
-        sync_user().to_owned(),
-      )
+    if let Err(e) = (RefreshResourceSyncPending { sync: sync.id })
+      .resolve(&WriteArgs {
+        user: sync_user().to_owned(),
+      })
      .await
    {
-      warn!("failed to refresh sync {} after run | {e:#}", sync.name);
+      warn!(
+        "failed to refresh sync {} after run | {:#}",
+        sync.name, e.error
+      );
      update.push_error_log(
        "refresh sync",
        format_serror(
-          &e.context("failed to refresh sync pending after run")
+          &e.error
+            .context("failed to refresh sync pending after run")
            .into(),
        ),
      );
    }

    update.finalize();
-
-    // Need to manually update the update before cache refresh,
-    // and before broadcast with add_update.
-    // The Err case of to_document should be unreachable,
-    // but will fail to update cache in that case.
-    if let Ok(update_doc) = to_document(&update) {
-      let _ = update_one_by_id(
-        &db.updates,
-        &update.id,
-        mungos::update::Update::Set(update_doc),
-        None,
-      )
-      .await;
-      refresh_resource_sync_state_cache().await;
-    }
    update_update(update.clone()).await?;

    Ok(update)
--- a/bin/core/src/api/listener/integrations/github.rs
+++ b/bin/core/src/api/listener/integrations/github.rs
@@ -0,0 +1,63 @@
+use anyhow::{Context, anyhow};
+use axum::http::HeaderMap;
+use hex::ToHex;
+use hmac::{Hmac, Mac};
+use serde::Deserialize;
+use sha2::Sha256;
+
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
+
+type HmacSha256 = Hmac<Sha256>;
+
+/// Listener implementation for Github type API, including Gitea
+pub struct Github;
+
+impl VerifySecret for Github {
+  #[instrument("VerifyGithubSecret", skip_all)]
+  fn verify_secret(
+    headers: &HeaderMap,
+    body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()> {
+    let signature = headers
+      .get("x-hub-signature-256")
+      .context("No github signature in headers")?;
+    let signature = signature
+      .to_str()
+      .context("Failed to get signature as string")?;
+    let signature =
+      signature.strip_prefix("sha256=").unwrap_or(signature);
+    let secret_bytes = if custom_secret.is_empty() {
+      core_config().webhook_secret.as_bytes()
+    } else {
+      custom_secret.as_bytes()
+    };
+    let mut mac = HmacSha256::new_from_slice(secret_bytes)
+      .context("Failed to create hmac sha256 from secret")?;
+    mac.update(body.as_bytes());
+    let expected = mac.finalize().into_bytes().encode_hex::<String>();
+    if signature == expected {
+      Ok(())
+    } else {
+      Err(anyhow!("Signature does not equal expected"))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+struct GithubWebhookBody {
+  #[serde(rename = "ref")]
+  branch: String,
+}
+
+impl ExtractBranch for Github {
+  fn extract_branch(body: &str) -> anyhow::Result<String> {
+    let branch = serde_json::from_str::<GithubWebhookBody>(body)
+      .context("Failed to parse github request body")?
+      .branch
+      .replace("refs/heads/", "");
+    Ok(branch)
+  }
+}
--- a/bin/core/src/api/listener/integrations/gitlab.rs
+++ b/bin/core/src/api/listener/integrations/gitlab.rs
@@ -0,0 +1,51 @@
+use anyhow::{Context, anyhow};
+use axum::http::HeaderMap;
+use serde::Deserialize;
+
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};
+
+/// Listener implementation for Gitlab type API
+pub struct Gitlab;
+
+impl VerifySecret for Gitlab {
+  #[instrument("VerifyGitlabSecret", skip_all)]
+  fn verify_secret(
+    headers: &HeaderMap,
+    _body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()> {
+    let token = headers
+      .get("x-gitlab-token")
+      .context("No gitlab token in headers")?;
+    let token =
+      token.to_str().context("Failed to get token as string")?;
+    let secret = if custom_secret.is_empty() {
+      core_config().webhook_secret.as_str()
+    } else {
+      custom_secret
+    };
+    if token == secret {
+      Ok(())
+    } else {
+      Err(anyhow!("Webhook secret does not match expected."))
+    }
+  }
+}
+
+#[derive(Deserialize)]
+struct GitlabWebhookBody {
+  #[serde(rename = "ref")]
+  branch: String,
+}
+
+impl ExtractBranch for Gitlab {
+  fn extract_branch(body: &str) -> anyhow::Result<String> {
+    let branch = serde_json::from_str::<GitlabWebhookBody>(body)
+      .context("Failed to parse gitlab request body")?
+      .branch
+      .replace("refs/heads/", "");
+    Ok(branch)
+  }
+}
--- a/bin/core/src/api/listener/integrations/mod.rs
+++ b/bin/core/src/api/listener/integrations/mod.rs
@@ -0,0 +1,4 @@
+pub mod github;
+pub mod gitlab;
+
+use super::{ExtractBranch, VerifySecret};
--- a/bin/core/src/api/listener/mod.rs
+++ b/bin/core/src/api/listener/mod.rs
@@ -0,0 +1,57 @@
+use std::sync::Arc;
+
+use anyhow::anyhow;
+use axum::{Router, http::HeaderMap};
+use komodo_client::entities::resource::Resource;
+use mogh_cache::CloneCache;
+use tokio::sync::Mutex;
+
+use crate::resource::KomodoResource;
+
+mod integrations;
+mod resources;
+mod router;
+
+use integrations::*;
+
+pub fn router() -> Router {
+  Router::new()
+    .nest("/github", router::router::<github::Github>())
+    .nest("/gitlab", router::router::<gitlab::Gitlab>())
+}
+
+type ListenerLockCache = CloneCache<String, Arc<Mutex<()>>>;
+
+/// Implemented for all resources which can recieve webhook.
+trait CustomSecret: KomodoResource {
+  fn custom_secret(
+    resource: &Resource<Self::Config, Self::Info>,
+  ) -> &str;
+}
+
+/// Implemented on the integration struct, eg [integrations::github::Github]
+trait VerifySecret {
+  fn verify_secret(
+    headers: &HeaderMap,
+    body: &str,
+    custom_secret: &str,
+  ) -> anyhow::Result<()>;
+}
+
+/// Implemented on the integration struct, eg [integrations::github::Github]
+trait ExtractBranch {
+  fn extract_branch(body: &str) -> anyhow::Result<String>;
+  fn verify_branch(body: &str, expected: &str) -> anyhow::Result<()> {
+    let branch = Self::extract_branch(body)?;
+    if branch == expected {
+      Ok(())
+    } else {
+      Err(anyhow!("request branch does not match expected"))
+    }
+  }
+}
+
+/// For Procedures and Actions, incoming webhook
+/// can be triggered by any branch by using `__ANY__`
+/// as the branch in the webhook URL.
+const ANY_BRANCH: &str = "__ANY__";
--- a/bin/core/src/api/listener/resources.rs
+++ b/bin/core/src/api/listener/resources.rs
@@ -0,0 +1,591 @@
+use std::{str::FromStr, sync::OnceLock};
+
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::{
+    execute::*,
+    write::{RefreshResourceSyncPending, RefreshStackCache},
+  },
+  entities::{
+    action::Action, build::Build, procedure::Procedure, repo::Repo,
+    stack::Stack, sync::ResourceSync, user::git_webhook_user,
+  },
+};
+use mogh_resolver::Resolve;
+use serde::Deserialize;
+use serde_json::json;
+use uuid::Uuid;
+
+use crate::{
+  api::{
+    execute::{ExecuteArgs, ExecuteRequest},
+    write::WriteArgs,
+  },
+  helpers::update::init_execution_update,
+  resource,
+};
+
+use super::{ANY_BRANCH, ListenerLockCache};
+
+// =======
+//  BUILD
+// =======
+
+impl super::CustomSecret for Build {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn build_locks() -> &'static ListenerLockCache {
+  static BUILD_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  BUILD_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_build_webhook<B: super::ExtractBranch>(
+  build: Build,
+  body: String,
+) -> anyhow::Result<()> {
+  if !build.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = build_locks().get_or_insert_default(&build.id).await;
+  let _lock = lock.lock().await;
+
+  // Use the correct target branch when using linked repo.
+  let branch = if build.config.linked_repo.is_empty() {
+    build.config.branch
+  } else {
+    resource::get::<Repo>(&build.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;
+
+  let user = git_webhook_user().to_owned();
+  let req = ExecuteRequest::RunBuild(RunBuild { build: build.id });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunBuild(req) = req else {
+    unreachable!()
+  };
+  req
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
+    .await
+    .map_err(|e| e.error)?;
+  Ok(())
+}
+
+// ======
+//  REPO
+// ======
+
+impl super::CustomSecret for Repo {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn repo_locks() -> &'static ListenerLockCache {
+  static REPO_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  REPO_LOCKS.get_or_init(Default::default)
+}
+
+pub trait RepoExecution {
+  async fn resolve(repo: Repo) -> anyhow::Result<()>;
+}
+
+impl RepoExecution for CloneRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::CloneRepo(CloneRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::CloneRepo(req) = req
+    else {
+      unreachable!()
+    };
+    req
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
+      .await
+      .map_err(|e| e.error)?;
+    Ok(())
+  }
+}
+
+impl RepoExecution for PullRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::PullRepo(PullRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::PullRepo(req) = req
+    else {
+      unreachable!()
+    };
+    req
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
+      .await
+      .map_err(|e| e.error)?;
+    Ok(())
+  }
+}
+
+impl RepoExecution for BuildRepo {
+  async fn resolve(repo: Repo) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req =
+      crate::api::execute::ExecuteRequest::BuildRepo(BuildRepo {
+        repo: repo.id,
+      });
+    let update = init_execution_update(&req, &user).await?;
+    let crate::api::execute::ExecuteRequest::BuildRepo(req) = req
+    else {
+      unreachable!()
+    };
+    req
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
+      .await
+      .map_err(|e| e.error)?;
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum RepoWebhookOption {
+  Clone,
+  Pull,
+  Build,
+}
+
+pub async fn handle_repo_webhook<B: super::ExtractBranch>(
+  option: RepoWebhookOption,
+  repo: Repo,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    RepoWebhookOption::Clone => {
+      handle_repo_webhook_inner::<B, CloneRepo>(repo, body).await
+    }
+    RepoWebhookOption::Pull => {
+      handle_repo_webhook_inner::<B, PullRepo>(repo, body).await
+    }
+    RepoWebhookOption::Build => {
+      handle_repo_webhook_inner::<B, BuildRepo>(repo, body).await
+    }
+  }
+}
+
+async fn handle_repo_webhook_inner<
+  B: super::ExtractBranch,
+  E: RepoExecution,
+>(
+  repo: Repo,
+  body: String,
+) -> anyhow::Result<()> {
+  if !repo.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = repo_locks().get_or_insert_default(&repo.id).await;
+  let _lock = lock.lock().await;
+
+  B::verify_branch(&body, &repo.config.branch)?;
+
+  E::resolve(repo).await
+}
+
+// =======
+//  STACK
+// =======
+
+impl super::CustomSecret for Stack {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn stack_locks() -> &'static ListenerLockCache {
+  static STACK_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  STACK_LOCKS.get_or_init(Default::default)
+}
+
+pub trait StackExecution {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()>;
+}
+
+impl StackExecution for RefreshStackCache {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
+    RefreshStackCache { stack: stack.id }
+      .resolve(&WriteArgs {
+        user: git_webhook_user().to_owned(),
+      })
+      .await?;
+    Ok(())
+  }
+}
+
+impl StackExecution for DeployStack {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
+    let user = git_webhook_user().to_owned();
+    if stack.config.webhook_force_deploy {
+      let req = ExecuteRequest::DeployStack(DeployStack {
+        stack: stack.id,
+        services: Vec::new(),
+        stop_time: None,
+      });
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::DeployStack(req) = req else {
+        unreachable!()
+      };
+      req
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          id: Uuid::new_v4(),
+        })
+        .await
+        .map_err(|e| e.error)?;
+    } else {
+      let req =
+        ExecuteRequest::DeployStackIfChanged(DeployStackIfChanged {
+          stack: stack.id,
+          stop_time: None,
+        });
+      let update = init_execution_update(&req, &user).await?;
+      let ExecuteRequest::DeployStackIfChanged(req) = req else {
+        unreachable!()
+      };
+      req
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          id: Uuid::new_v4(),
+        })
+        .await
+        .map_err(|e| e.error)?;
+    }
+
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum StackWebhookOption {
+  Refresh,
+  Deploy,
+}
+
+pub async fn handle_stack_webhook<B: super::ExtractBranch>(
+  option: StackWebhookOption,
+  stack: Stack,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    StackWebhookOption::Refresh => {
+      handle_stack_webhook_inner::<B, RefreshStackCache>(stack, body)
+        .await
+    }
+    StackWebhookOption::Deploy => {
+      handle_stack_webhook_inner::<B, DeployStack>(stack, body).await
+    }
+  }
+}
+
+pub async fn handle_stack_webhook_inner<
+  B: super::ExtractBranch,
+  E: StackExecution,
+>(
+  stack: Stack,
+  body: String,
+) -> anyhow::Result<()> {
+  if !stack.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through, from "action state busy".
+  let lock = stack_locks().get_or_insert_default(&stack.id).await;
+  let _lock = lock.lock().await;
+
+  // Use the correct target branch when using linked repo.
+  let branch = if stack.config.linked_repo.is_empty() {
+    stack.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&stack.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;
+
+  E::resolve(stack).await.map_err(|e| e.error)
+}
+
+// ======
+//  SYNC
+// ======
+
+impl super::CustomSecret for ResourceSync {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn sync_locks() -> &'static ListenerLockCache {
+  static SYNC_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  SYNC_LOCKS.get_or_init(Default::default)
+}
+
+pub trait SyncExecution {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()>;
+}
+
+impl SyncExecution for RefreshResourceSyncPending {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()> {
+    RefreshResourceSyncPending { sync: sync.id }
+      .resolve(&WriteArgs {
+        user: git_webhook_user().to_owned(),
+      })
+      .await
+      .map_err(|e| e.error)?;
+    Ok(())
+  }
+}
+
+impl SyncExecution for RunSync {
+  async fn resolve(sync: ResourceSync) -> anyhow::Result<()> {
+    let user = git_webhook_user().to_owned();
+    let req = ExecuteRequest::RunSync(RunSync {
+      sync: sync.id,
+      resource_type: None,
+      resources: None,
+    });
+    let update = init_execution_update(&req, &user).await?;
+    let ExecuteRequest::RunSync(req) = req else {
+      unreachable!()
+    };
+    req
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        id: Uuid::new_v4(),
+      })
+      .await
+      .map_err(|e| e.error)?;
+    Ok(())
+  }
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum SyncWebhookOption {
+  Refresh,
+  Sync,
+}
+
+pub async fn handle_sync_webhook<B: super::ExtractBranch>(
+  option: SyncWebhookOption,
+  sync: ResourceSync,
+  body: String,
+) -> anyhow::Result<()> {
+  match option {
+    SyncWebhookOption::Refresh => {
+      handle_sync_webhook_inner::<B, RefreshResourceSyncPending>(
+        sync, body,
+      )
+      .await
+    }
+    SyncWebhookOption::Sync => {
+      handle_sync_webhook_inner::<B, RunSync>(sync, body).await
+    }
+  }
+}
+
+async fn handle_sync_webhook_inner<
+  B: super::ExtractBranch,
+  E: SyncExecution,
+>(
+  sync: ResourceSync,
+  body: String,
+) -> anyhow::Result<()> {
+  if !sync.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = sync_locks().get_or_insert_default(&sync.id).await;
+  let _lock = lock.lock().await;
+
+  // Use the correct target branch when using linked repo.
+  let branch = if sync.config.linked_repo.is_empty() {
+    sync.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&sync.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;
+
+  E::resolve(sync).await
+}
+
+// ===========
+//  PROCEDURE
+// ===========
+
+impl super::CustomSecret for Procedure {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn procedure_locks() -> &'static ListenerLockCache {
+  static PROCEDURE_LOCKS: OnceLock<ListenerLockCache> =
+    OnceLock::new();
+  PROCEDURE_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_procedure_webhook<B: super::ExtractBranch>(
+  procedure: Procedure,
+  target_branch: &str,
+  body: String,
+) -> anyhow::Result<()> {
+  if !procedure.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock =
+    procedure_locks().get_or_insert_default(&procedure.id).await;
+  let _lock = lock.lock().await;
+
+  if target_branch != ANY_BRANCH {
+    B::verify_branch(&body, target_branch)?;
+  }
+
+  let user = git_webhook_user().to_owned();
+  let req = ExecuteRequest::RunProcedure(RunProcedure {
+    procedure: procedure.id,
+  });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunProcedure(req) = req else {
+    unreachable!()
+  };
+  req
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
+    .await
+    .map_err(|e| e.error)?;
+  Ok(())
+}
+
+// ========
+//  ACTION
+// ========
+
+impl super::CustomSecret for Action {
+  fn custom_secret(resource: &Self) -> &str {
+    &resource.config.webhook_secret
+  }
+}
+
+fn action_locks() -> &'static ListenerLockCache {
+  static ACTION_LOCKS: OnceLock<ListenerLockCache> = OnceLock::new();
+  ACTION_LOCKS.get_or_init(Default::default)
+}
+
+pub async fn handle_action_webhook<B: super::ExtractBranch>(
+  action: Action,
+  target_branch: &str,
+  body: String,
+) -> anyhow::Result<()> {
+  if !action.config.webhook_enabled {
+    return Ok(());
+  }
+
+  // Acquire and hold lock to make a task queue for
+  // subsequent listener calls on same resource.
+  // It would fail if we let it go through from action state busy.
+  let lock = action_locks().get_or_insert_default(&action.id).await;
+  let _lock = lock.lock().await;
+
+  let branch = B::extract_branch(&body)?;
+
+  if target_branch != ANY_BRANCH && branch != target_branch {
+    return Err(anyhow!("request branch does not match expected"));
+  }
+
+  let user = git_webhook_user().to_owned();
+
+  let body = serde_json::Value::from_str(&body)
+    .context("Failed to deserialize webhook body")?;
+  let serde_json::Value::Object(args) = json!({
+    "WEBHOOK_BRANCH": branch,
+    "WEBHOOK_BODY": body,
+  }) else {
+    return Err(anyhow!("Something is wrong with serde_json..."));
+  };
+
+  let req = ExecuteRequest::RunAction(RunAction {
+    action: action.id,
+    args: args.into(),
+  });
+  let update = init_execution_update(&req, &user).await?;
+  let ExecuteRequest::RunAction(req) = req else {
+    unreachable!()
+  };
+  req
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      id: Uuid::new_v4(),
+    })
+    .await
+    .map_err(|e| e.error)?;
+  Ok(())
+}
--- a/bin/core/src/api/listener/router.rs
+++ b/bin/core/src/api/listener/router.rs
@@ -0,0 +1,229 @@
+use std::net::IpAddr;
+
+use axum::{Router, extract::Path, http::HeaderMap, routing::post};
+use komodo_client::entities::{
+  action::Action, build::Build, procedure::Procedure, repo::Repo,
+  resource::Resource, stack::Stack, sync::ResourceSync,
+};
+use mogh_auth_server::request_ip::RequestIp;
+use mogh_error::AddStatusCode;
+use mogh_rate_limit::WithFailureRateLimit;
+use reqwest::StatusCode;
+use serde::Deserialize;
+use tracing::Instrument;
+
+use crate::{auth::GENERAL_RATE_LIMITER, resource::KomodoResource};
+
+use super::{
+  CustomSecret, ExtractBranch, VerifySecret,
+  resources::{
+    RepoWebhookOption, StackWebhookOption, SyncWebhookOption,
+    handle_action_webhook, handle_build_webhook,
+    handle_procedure_webhook, handle_repo_webhook,
+    handle_stack_webhook, handle_sync_webhook,
+  },
+};
+
+#[derive(Deserialize)]
+struct Id {
+  id: String,
+}
+
+#[derive(Deserialize)]
+struct IdAndOption<T> {
+  id: String,
+  option: T,
+}
+
+#[derive(Deserialize)]
+struct IdAndBranch {
+  id: String,
+  #[serde(default = "default_branch")]
+  branch: String,
+}
+
+fn default_branch() -> String {
+  String::from("main")
+}
+
+pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
+  Router::new()
+  .route(
+    "/build/{id}",
+    post(
+      |Path(Id { id }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let build =
+          auth_webhook::<P, Build>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("BuildWebhook", id);
+          async {
+            let res = handle_build_webhook::<P>(
+              build, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for build {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/repo/{id}/{option}",
+    post(
+      |Path(IdAndOption::<RepoWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let repo =
+          auth_webhook::<P, Repo>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("RepoWebhook", id);
+          async {
+            let res = handle_repo_webhook::<P>(
+              option, repo, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for repo {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/stack/{id}/{option}",
+    post(
+      |Path(IdAndOption::<StackWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let stack =
+          auth_webhook::<P, Stack>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("StackWebhook", id);
+          async {
+            let res = handle_stack_webhook::<P>(
+              option, stack, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for stack {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/sync/{id}/{option}",
+    post(
+      |Path(IdAndOption::<SyncWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let sync =
+          auth_webhook::<P, ResourceSync>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ResourceSyncWebhook", id);
+          async {
+            let res = handle_sync_webhook::<P>(
+              option, sync, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for resource sync {id} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/procedure/{id}/{branch}",
+    post(
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let procedure =
+          auth_webhook::<P, Procedure>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ProcedureWebhook", id);
+          async {
+            let res = handle_procedure_webhook::<P>(
+              procedure, &branch, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for procedure {id} | target branch: {branch} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+  .route(
+    "/action/{id}/{branch}",
+    post(
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
+        let action =
+          auth_webhook::<P, Action>(&id, &headers, ip, &body).await?;
+        tokio::spawn(async move {
+          let span = info_span!("ActionWebhook", id);
+          async {
+            let res = handle_action_webhook::<P>(
+              action, &branch, body,
+            )
+            .await;
+            if let Err(e) = res {
+              warn!(
+                "Failed at running webhook for action {id} | target branch: {branch} | {e:#}"
+              );
+            }
+          }
+          .instrument(span)
+          .await
+        });
+        mogh_error::Result::Ok(())
+      },
+    ),
+  )
+}
+
+async fn auth_webhook<P, R>(
+  id: &str,
+  headers: &HeaderMap,
+  ip: IpAddr,
+  body: &str,
+) -> mogh_error::Result<Resource<R::Config, R::Info>>
+where
+  P: VerifySecret,
+  R: KomodoResource + CustomSecret,
+{
+  async {
+    let resource = crate::resource::get::<R>(id)
+      .await
+      .status_code(StatusCode::BAD_REQUEST)?;
+    P::verify_secret(headers, body, R::custom_secret(&resource))
+      .status_code(StatusCode::UNAUTHORIZED)?;
+    mogh_error::Result::Ok(resource)
+  }
+  .with_failure_rate_limit_using_ip(&GENERAL_RATE_LIMITER, &ip)
+  .await
+}
--- a/bin/core/src/api/mod.rs
+++ b/bin/core/src/api/mod.rs
@@ -1,5 +1,57 @@
-pub mod auth;
+use axum::{Extension, Router, routing::get};
+use komodo_client::entities::user::User;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_server::{
+  cors::cors_layer, session::memory_session_layer,
+  ui::serve_static_ui,
+};
+
+use crate::{auth::KomodoAuthImpl, config::core_config, ts_client};
+
 pub mod execute;
 pub mod read;
-pub mod user;
 pub mod write;
+
+mod listener;
+mod openapi;
+mod terminal;
+mod ws;
+
+#[derive(serde::Deserialize)]
+struct Variant {
+  variant: String,
+}
+
+pub fn app() -> Router {
+  let config = core_config();
+  Router::new()
+    .merge(openapi::serve_docs())
+    .route("/version", get(|| async { env!("CARGO_PKG_VERSION") }))
+    .nest("/auth", mogh_auth_server::api::router::<KomodoAuthImpl>())
+    .nest("/user", user_router())
+    .nest("/read", read::router())
+    .nest("/write", write::router())
+    .nest("/execute", execute::router())
+    .nest("/terminal", terminal::router())
+    .nest("/listener", listener::router())
+    .nest("/ws", ws::router())
+    .nest("/client", ts_client::router())
+    .layer(memory_session_layer(config))
+    .fallback_service(serve_static_ui(
+      &config.frontend_path,
+      config.ui_index_force_no_cache,
+    ))
+    .layer(cors_layer(config))
+}
+
+fn user_router() -> Router {
+  Router::new()
+    .route(
+      "/",
+      get(|Extension(user): Extension<User>| async { Json(user) }),
+    )
+    .layer(axum::middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, false>,
+    ))
+}
--- a/bin/core/src/api/openapi/docs.html
+++ b/bin/core/src/api/openapi/docs.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<html>
+
+<head>
+  <title>Komodo API Docs</title>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+</head>
+
+<body>
+
+  <script id="api-reference" type="application/json">
+    $spec
+</script>
+  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+</body>
+
+</html>
--- a/bin/core/src/api/openapi/mod.rs
+++ b/bin/core/src/api/openapi/mod.rs
@@ -0,0 +1,8 @@
+use komodo_client::openapi::KomodoApi;
+use utoipa::OpenApi as _;
+use utoipa_scalar::{Scalar, Servable as _};
+
+pub fn serve_docs() -> Scalar<utoipa::openapi::OpenApi> {
+  Scalar::with_url("/docs", KomodoApi::openapi())
+    .custom_html(include_str!("docs.html"))
+}
--- a/bin/core/src/api/read/action.rs
+++ b/bin/core/src/api/read/action.rs
@@ -0,0 +1,147 @@
+use anyhow::Context;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    action::{
+      Action, ActionActionState, ActionListItem, ActionState,
+    },
+    permission::PermissionLevel,
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_state_cache, action_states},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetAction {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Action> {
+    Ok(
+      get_check_permissions::<Action>(
+        &self.action,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<ActionListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Action>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullActions {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullActionsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Action>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ActionActionState> {
+    let action = get_check_permissions::<Action>(
+      &self.action,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .action
+      .get(&action.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetActionsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetActionsSummaryResponse> {
+    let actions = resource::list_full_for_user::<Action>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get actions from db")?;
+
+    let mut res = GetActionsSummaryResponse::default();
+
+    let cache = action_state_cache();
+    let action_states = action_states();
+
+    for action in actions {
+      res.total += 1;
+
+      match (
+        cache.get(&action.id).await.unwrap_or_default(),
+        action_states
+          .action
+          .get(&action.id)
+          .await
+          .unwrap_or_default()
+          .get()?,
+      ) {
+        (_, action_states) if action_states.running > 0 => {
+          res.running += action_states.running;
+        }
+        (ActionState::Ok, _) => res.ok += 1,
+        (ActionState::Failed, _) => res.failed += 1,
+        (ActionState::Unknown, _) => res.unknown += 1,
+        // will never come off the cache in the running state, since that comes from action states
+        (ActionState::Running, _) => unreachable!(),
+      }
+    }
+
+    Ok(res)
+  }
+}
--- a/bin/core/src/api/read/alert.rs
+++ b/bin/core/src/api/read/alert.rs
@@ -1,44 +1,38 @@
 use anyhow::Context;
-use komodo_client::{
-  api::read::{
-    GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
-  },
-  entities::{deployment::Deployment, server::Server, user::User},
-};
-use mungos::{
+use database::mungos::{
  by_id::find_one_by_id,
  find::find_collect,
  mongodb::{bson::doc, options::FindOptions},
 };
-use resolver_api::Resolve;
+use komodo_client::{
+  api::read::{
+    GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
+  },
+  entities::permission::PermissionLevel,
+};
+use mogh_resolver::Resolve;

 use crate::{
  config::core_config,
-  resource::get_resource_ids_for_user,
-  state::{db_client, State},
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
+  state::db_client,
 };

+use super::ReadArgs;
+
 const NUM_ALERTS_PER_PAGE: u64 = 100;

-impl Resolve<ListAlerts, User> for State {
+impl Resolve<ReadArgs> for ListAlerts {
  async fn resolve(
-    &self,
-    ListAlerts { query, page }: ListAlerts,
-    user: User,
-  ) -> anyhow::Result<ListAlertsResponse> {
-    let mut query = query.unwrap_or_default();
-    if !user.admin && !core_config().transparent_mode {
-      let server_ids =
-        get_resource_ids_for_user::<Server>(&user).await?;
-      let deployment_ids =
-        get_resource_ids_for_user::<Deployment>(&user).await?;
-      query.extend(doc! {
-        "$or": [
-          { "target.type": "Server", "target.id": { "$in": &server_ids } },
-          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
-        ]
-      });
-    }
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListAlertsResponse> {
+    // Alerts
+    let query = user_resource_target_query(user, self.query)
+      .await?
+      .unwrap_or_default();

    let alerts = find_collect(
      &db_client().alerts,
@@ -46,7 +40,7 @@ impl Resolve<ListAlerts, User> for State {
      FindOptions::builder()
        .sort(doc! { "ts": -1 })
        .limit(NUM_ALERTS_PER_PAGE as i64)
-        .skip(page * NUM_ALERTS_PER_PAGE)
+        .skip(self.page * NUM_ALERTS_PER_PAGE)
        .build(),
    )
    .await
@@ -55,7 +49,7 @@ impl Resolve<ListAlerts, User> for State {
    let next_page = if alerts.len() < NUM_ALERTS_PER_PAGE as usize {
      None
    } else {
-      Some((page + 1) as i64)
+      Some((self.page + 1) as i64)
    };

    let res = ListAlertsResponse { next_page, alerts };
@@ -64,15 +58,24 @@ impl Resolve<ListAlerts, User> for State {
  }
 }

-impl Resolve<GetAlert, User> for State {
+impl Resolve<ReadArgs> for GetAlert {
  async fn resolve(
-    &self,
-    GetAlert { id }: GetAlert,
-    _: User,
-  ) -> anyhow::Result<GetAlertResponse> {
-    find_one_by_id(&db_client().alerts, &id)
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetAlertResponse> {
+    let alert = find_one_by_id(&db_client().alerts, &self.id)
      .await
      .context("failed to query db for alert")?
-      .context("no alert found with given id")
+      .context("no alert found with given id")?;
+    if user.admin || core_config().transparent_mode {
+      return Ok(alert);
+    }
+    check_user_target_access(
+      &alert.target,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    Ok(alert)
  }
 }
--- a/bin/core/src/api/read/alerter.rs
+++ b/bin/core/src/api/read/alerter.rs
@@ -1,71 +1,101 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
  api::read::*,
  entities::{
    alerter::{Alerter, AlerterListItem},
    permission::PermissionLevel,
-    user::User,
  },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
  resource,
-  state::{db_client, State},
+  state::db_client,
 };

-impl Resolve<GetAlerter, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetAlerter {
  async fn resolve(
-    &self,
-    GetAlerter { alerter }: GetAlerter,
-    user: User,
-  ) -> anyhow::Result<Alerter> {
-    resource::get_check_permissions::<Alerter>(
-      &alerter,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Alerter> {
+    Ok(
+      get_check_permissions::<Alerter>(
+        &self.alerter,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListAlerters, User> for State {
+impl Resolve<ReadArgs> for ListAlerters {
  async fn resolve(
-    &self,
-    ListAlerters { query }: ListAlerters,
-    user: User,
-  ) -> anyhow::Result<Vec<AlerterListItem>> {
-    resource::list_for_user::<Alerter>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<AlerterListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Alerter>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullAlerters, User> for State {
+impl Resolve<ReadArgs> for ListFullAlerters {
  async fn resolve(
-    &self,
-    ListFullAlerters { query }: ListFullAlerters,
-    user: User,
-  ) -> anyhow::Result<ListFullAlertersResponse> {
-    resource::list_full_for_user::<Alerter>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullAlertersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Alerter>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetAlertersSummary, User> for State {
+impl Resolve<ReadArgs> for GetAlertersSummary {
  async fn resolve(
-    &self,
-    GetAlertersSummary {}: GetAlertersSummary,
-    user: User,
-  ) -> anyhow::Result<GetAlertersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Alerter>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetAlertersSummaryResponse> {
+    let query = match list_resource_ids_for_user::<Alerter>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
    let total = db_client()
      .alerters
      .count_documents(query)
--- a/bin/core/src/api/read/build.rs
+++ b/bin/core/src/api/read/build.rs
@@ -2,77 +2,100 @@ use std::collections::{HashMap, HashSet};

 use anyhow::Context;
 use async_timing_util::unix_timestamp_ms;
-use futures::TryStreamExt;
-use komodo_client::{
-  api::read::*,
-  entities::{
-    build::{Build, BuildActionState, BuildListItem, BuildState},
-    config::core::CoreConfig,
-    permission::PermissionLevel,
-    update::UpdateStatus,
-    user::User,
-    Operation,
-  },
-};
-use mungos::{
+use database::mungos::{
  find::find_collect,
  mongodb::{bson::doc, options::FindOptions},
 };
-use resolver_api::Resolve;
-
-use crate::{
-  config::core_config,
-  resource,
-  state::{
-    action_states, build_state_cache, db_client, github_client, State,
+use futures_util::TryStreamExt;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    Operation,
+    build::{Build, BuildActionState, BuildListItem, BuildState},
+    permission::PermissionLevel,
+    update::UpdateStatus,
  },
 };
+use mogh_resolver::Resolve;

-impl Resolve<GetBuild, User> for State {
+use crate::{
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, build_state_cache, db_client},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetBuild {
  async fn resolve(
-    &self,
-    GetBuild { build }: GetBuild,
-    user: User,
-  ) -> anyhow::Result<Build> {
-    resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Build> {
+    Ok(
+      get_check_permissions::<Build>(
+        &self.build,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListBuilds, User> for State {
+impl Resolve<ReadArgs> for ListBuilds {
  async fn resolve(
-    &self,
-    ListBuilds { query }: ListBuilds,
-    user: User,
-  ) -> anyhow::Result<Vec<BuildListItem>> {
-    resource::list_for_user::<Build>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<BuildListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Build>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullBuilds, User> for State {
+impl Resolve<ReadArgs> for ListFullBuilds {
  async fn resolve(
-    &self,
-    ListFullBuilds { query }: ListFullBuilds,
-    user: User,
-  ) -> anyhow::Result<ListFullBuildsResponse> {
-    resource::list_full_for_user::<Build>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullBuildsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Build>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetBuildActionState, User> for State {
+impl Resolve<ReadArgs> for GetBuildActionState {
  async fn resolve(
-    &self,
-    GetBuildActionState { build }: GetBuildActionState,
-    user: User,
-  ) -> anyhow::Result<BuildActionState> {
-    let build = resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<BuildActionState> {
+    let build = get_check_permissions::<Build>(
+      &self.build,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
@@ -85,15 +108,16 @@ impl Resolve<GetBuildActionState, User> for State {
  }
 }

-impl Resolve<GetBuildsSummary, User> for State {
+impl Resolve<ReadArgs> for GetBuildsSummary {
  async fn resolve(
-    &self,
-    GetBuildsSummary {}: GetBuildsSummary,
-    user: User,
-  ) -> anyhow::Result<GetBuildsSummaryResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetBuildsSummaryResponse> {
    let builds = resource::list_full_for_user::<Build>(
      Default::default(),
-      &user,
+      user,
+      PermissionLevel::Read.into(),
+      &[],
    )
    .await
    .context("failed to get all builds")?;
@@ -132,16 +156,15 @@ impl Resolve<GetBuildsSummary, User> for State {

 const ONE_DAY_MS: i64 = 86400000;

-impl Resolve<GetBuildMonthlyStats, User> for State {
+impl Resolve<ReadArgs> for GetBuildMonthlyStats {
  async fn resolve(
-    &self,
-    GetBuildMonthlyStats { page }: GetBuildMonthlyStats,
-    _: User,
-  ) -> anyhow::Result<GetBuildMonthlyStatsResponse> {
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<GetBuildMonthlyStatsResponse> {
    let curr_ts = unix_timestamp_ms() as i64;
    let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;

-    let close_ts = next_day - page as i64 * 30 * ONE_DAY_MS;
+    let close_ts = next_day - self.page as i64 * 30 * ONE_DAY_MS;
    let open_ts = close_ts - 30 * ONE_DAY_MS;

    let mut build_updates = db_client()
@@ -189,22 +212,22 @@ fn ms_to_hour(duration: i64) -> f64 {
  duration as f64 / MS_TO_HOUR_DIVISOR
 }

-impl Resolve<ListBuildVersions, User> for State {
+impl Resolve<ReadArgs> for ListBuildVersions {
  async fn resolve(
-    &self,
-    ListBuildVersions {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<BuildVersionResponseItem>> {
+    let ListBuildVersions {
      build,
      major,
      minor,
      patch,
      limit,
-    }: ListBuildVersions,
-    user: User,
-  ) -> anyhow::Result<Vec<BuildVersionResponseItem>> {
-    let build = resource::get_check_permissions::<Build>(
+    } = self;
+    let build = get_check_permissions::<Build>(
      &build,
-      &user,
-      PermissionLevel::Read,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;

@@ -246,15 +269,24 @@ impl Resolve<ListBuildVersions, User> for State {
  }
 }

-impl Resolve<ListCommonBuildExtraArgs, User> for State {
+impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
  async fn resolve(
-    &self,
-    ListCommonBuildExtraArgs { query }: ListCommonBuildExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonBuildExtraArgsResponse> {
-    let builds = resource::list_full_for_user::<Build>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListCommonBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let builds = resource::list_full_for_user::<Build>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
@@ -270,82 +302,3 @@ impl Resolve<ListCommonBuildExtraArgs, User> for State {
    Ok(res)
  }
 }
-
-impl Resolve<GetBuildWebhookEnabled, User> for State {
-  async fn resolve(
-    &self,
-    GetBuildWebhookEnabled { build }: GetBuildWebhookEnabled,
-    user: User,
-  ) -> anyhow::Result<GetBuildWebhookEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let build = resource::get_check_permissions::<Build>(
-      &build,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
-
-    if build.config.git_provider != "github.com"
-      || build.config.repo.is_empty()
-    {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(GetBuildWebhookEnabledResponse {
-          managed: true,
-          enabled: true,
-        });
-      }
-    }
-
-    Ok(GetBuildWebhookEnabledResponse {
-      managed: true,
-      enabled: false,
-    })
-  }
-}
--- a/bin/core/src/api/read/builder.rs
+++ b/bin/core/src/api/read/builder.rs
@@ -1,71 +1,101 @@
 use anyhow::Context;
+use database::mongo_indexed::Document;
+use database::mungos::mongodb::bson::doc;
 use komodo_client::{
  api::read::*,
  entities::{
    builder::{Builder, BuilderListItem},
    permission::PermissionLevel,
-    user::User,
  },
 };
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
  resource,
-  state::{db_client, State},
+  state::db_client,
 };

-impl Resolve<GetBuilder, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetBuilder {
  async fn resolve(
-    &self,
-    GetBuilder { builder }: GetBuilder,
-    user: User,
-  ) -> anyhow::Result<Builder> {
-    resource::get_check_permissions::<Builder>(
-      &builder,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Builder> {
+    Ok(
+      get_check_permissions::<Builder>(
+        &self.builder,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListBuilders, User> for State {
+impl Resolve<ReadArgs> for ListBuilders {
  async fn resolve(
-    &self,
-    ListBuilders { query }: ListBuilders,
-    user: User,
-  ) -> anyhow::Result<Vec<BuilderListItem>> {
-    resource::list_for_user::<Builder>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<BuilderListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Builder>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullBuilders, User> for State {
+impl Resolve<ReadArgs> for ListFullBuilders {
  async fn resolve(
-    &self,
-    ListFullBuilders { query }: ListFullBuilders,
-    user: User,
-  ) -> anyhow::Result<ListFullBuildersResponse> {
-    resource::list_full_for_user::<Builder>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullBuildersResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Builder>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetBuildersSummary, User> for State {
+impl Resolve<ReadArgs> for GetBuildersSummary {
  async fn resolve(
-    &self,
-    GetBuildersSummary {}: GetBuildersSummary,
-    user: User,
-  ) -> anyhow::Result<GetBuildersSummaryResponse> {
-    let query =
-      match resource::get_resource_ids_for_user::<Builder>(&user)
-        .await?
-      {
-        Some(ids) => doc! {
-          "_id": { "$in": ids }
-        },
-        None => Document::new(),
-      };
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetBuildersSummaryResponse> {
+    let query = match list_resource_ids_for_user::<Builder>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?
+    {
+      Some(ids) => doc! {
+        "_id": { "$in": ids }
+      },
+      None => Document::new(),
+    };
    let total = db_client()
      .builders
      .count_documents(query)
--- a/bin/core/src/api/read/deployment.rs
+++ b/bin/core/src/api/read/deployment.rs
@@ -1,74 +1,118 @@
 use std::{cmp, collections::HashSet};

-use anyhow::{anyhow, Context};
+use anyhow::{Context, anyhow};
 use komodo_client::{
  api::read::*,
  entities::{
+    SwarmOrServer,
    deployment::{
      Deployment, DeploymentActionState, DeploymentConfig,
      DeploymentListItem, DeploymentState,
    },
-    docker::container::ContainerStats,
+    docker::{
+      container::{Container, ContainerStats},
+      service::SwarmService,
+    },
    permission::PermissionLevel,
-    server::Server,
+    server::{Server, ServerState},
    update::Log,
-    user::User,
  },
 };
-use periphery_client::api;
-use resolver_api::Resolve;
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
+use periphery_client::api::{self, container::InspectContainer};
+use reqwest::StatusCode;

 use crate::{
-  helpers::periphery_client,
-  resource,
-  state::{action_states, deployment_status_cache, State},
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
+  permission::get_check_permissions,
+  resource::{self, setup_deployment_execution},
+  state::{
+    action_states, deployment_status_cache, server_status_cache,
+  },
 };

-impl Resolve<GetDeployment, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetDeployment {
  async fn resolve(
-    &self,
-    GetDeployment { deployment }: GetDeployment,
-    user: User,
-  ) -> anyhow::Result<Deployment> {
-    resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Deployment> {
+    Ok(
+      get_check_permissions::<Deployment>(
+        &self.deployment,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListDeployments, User> for State {
+impl Resolve<ReadArgs> for ListDeployments {
  async fn resolve(
-    &self,
-    ListDeployments { query }: ListDeployments,
-    user: User,
-  ) -> anyhow::Result<Vec<DeploymentListItem>> {
-    resource::list_for_user::<Deployment>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<DeploymentListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let deployments = resource::list_for_user::<Deployment>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?;
+    let deployments = if only_update_available {
+      deployments
+        .into_iter()
+        .filter(|deployment| deployment.info.update_available)
+        .collect()
+    } else {
+      deployments
+    };
+    Ok(deployments)
  }
 }

-impl Resolve<ListFullDeployments, User> for State {
+impl Resolve<ReadArgs> for ListFullDeployments {
  async fn resolve(
-    &self,
-    ListFullDeployments { query }: ListFullDeployments,
-    user: User,
-  ) -> anyhow::Result<ListFullDeploymentsResponse> {
-    resource::list_full_for_user::<Deployment>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullDeploymentsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Deployment>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetDeploymentContainer, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentContainer {
  async fn resolve(
-    &self,
-    GetDeploymentContainer { deployment }: GetDeploymentContainer,
-    user: User,
-  ) -> anyhow::Result<GetDeploymentContainerResponse> {
-    let deployment = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetDeploymentContainerResponse> {
+    let deployment = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let status = deployment_status_cache()
@@ -85,117 +129,232 @@ impl Resolve<GetDeploymentContainer, User> for State {

 const MAX_LOG_LENGTH: u64 = 5000;

-impl Resolve<GetDeploymentLog, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentLog {
  async fn resolve(
-    &self,
-    GetDeploymentLog {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Log> {
+    let GetDeploymentLog {
      deployment,
      tail,
      timestamps,
-    }: GetDeploymentLog,
-    user: User,
-  ) -> anyhow::Result<Log> {
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = resource::get_check_permissions::<Deployment>(
+    } = self;
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
      &deployment,
-      &user,
-      PermissionLevel::Read,
+      user,
+      PermissionLevel::Read.logs(),
    )
    .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
-    }
-    let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
-      .request(api::container::GetContainerLog {
-        name,
-        tail: cmp::min(tail, MAX_LOG_LENGTH),
-        timestamps,
-      })
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLog {
+          service: deployment.name,
+          tail,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
      .await
-      .context("failed at call to periphery")
+      .context("Failed to get service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLog {
+          name: deployment.name,
+          tail: cmp::min(tail, MAX_LOG_LENGTH),
+          timestamps,
+        })
+        .await
+        .context("failed at call to periphery")?,
+    };
+
+    Ok(log)
  }
 }

-impl Resolve<SearchDeploymentLog, User> for State {
+impl Resolve<ReadArgs> for SearchDeploymentLog {
  async fn resolve(
-    &self,
-    SearchDeploymentLog {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Log> {
+    let SearchDeploymentLog {
      deployment,
      terms,
      combinator,
      invert,
      timestamps,
-    }: SearchDeploymentLog,
-    user: User,
-  ) -> anyhow::Result<Log> {
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = resource::get_check_permissions::<Deployment>(
+    } = self;
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
      &deployment,
-      &user,
-      PermissionLevel::Read,
+      user,
+      PermissionLevel::Read.logs(),
    )
    .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLogSearch {
+          service: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
+      .await
+      .context("Failed to search service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLogSearch {
+          name: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search container log from server")?,
+    };
+
+    Ok(log)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDeploymentContainer {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Container> {
+    let InspectDeploymentContainer { deployment } = self;
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &deployment,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectDeploymentContainer should not be called for Deployment in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    let cache = server_status_cache()
+      .get_or_insert_default(&server.id)
+      .await;
+
+    if cache.state != ServerState::Ok {
+      return Err(
+        anyhow!(
+          "Cannot inspect container: Server is {:?}",
+          cache.state
+        )
+        .into(),
+      );
    }
-    let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
-      .request(api::container::GetContainerLogSearch {
-        name,
-        terms,
-        combinator,
-        invert,
-        timestamps,
+
+    periphery_client(&server)
+      .await?
+      .request(InspectContainer {
+        name: deployment.name,
      })
      .await
-      .context("failed at call to periphery")
+      .context("Failed to inspect container on server")
+      .map_err(Into::into)
  }
 }

-impl Resolve<GetDeploymentStats, User> for State {
+impl Resolve<ReadArgs> for InspectDeploymentSwarmService {
  async fn resolve(
-    &self,
-    GetDeploymentStats { deployment }: GetDeploymentStats,
-    user: User,
-  ) -> anyhow::Result<ContainerStats> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectDeploymentSwarmService { deployment } = self;
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &deployment,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectDeploymentSwarmService should only be called for Deployment in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: deployment.name,
+      },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetDeploymentStats {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ContainerStats> {
    let Deployment {
      name,
      config: DeploymentConfig { server_id, .. },
      ..
-    } = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read,
+    } = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    if server_id.is_empty() {
-      return Err(anyhow!("deployment has no server attached"));
+      return Err(
+        anyhow!("deployment has no server attached").into(),
+      );
    }
    let server = resource::get::<Server>(&server_id).await?;
-    periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(api::container::GetContainerStats { name })
      .await
-      .context("failed to get stats from periphery")
+      .context("failed to get stats from periphery")?;
+    Ok(res)
  }
 }

-impl Resolve<GetDeploymentActionState, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentActionState {
  async fn resolve(
-    &self,
-    GetDeploymentActionState { deployment }: GetDeploymentActionState,
-    user: User,
-  ) -> anyhow::Result<DeploymentActionState> {
-    let deployment = resource::get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<DeploymentActionState> {
+    let deployment = get_check_permissions::<Deployment>(
+      &self.deployment,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
@@ -208,15 +367,16 @@ impl Resolve<GetDeploymentActionState, User> for State {
  }
 }

-impl Resolve<GetDeploymentsSummary, User> for State {
+impl Resolve<ReadArgs> for GetDeploymentsSummary {
  async fn resolve(
-    &self,
-    GetDeploymentsSummary {}: GetDeploymentsSummary,
-    user: User,
-  ) -> anyhow::Result<GetDeploymentsSummaryResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetDeploymentsSummaryResponse> {
    let deployments = resource::list_full_for_user::<Deployment>(
      Default::default(),
-      &user,
+      user,
+      PermissionLevel::Read.into(),
+      &[],
    )
    .await
    .context("failed to get deployments from db")?;
@@ -237,7 +397,9 @@ impl Resolve<GetDeploymentsSummary, User> for State {
          res.not_deployed += 1;
        }
        DeploymentState::Unknown => {
-          res.unknown += 1;
+          if !deployment.template {
+            res.unknown += 1;
+          }
        }
        _ => {
          res.unhealthy += 1;
@@ -248,16 +410,24 @@ impl Resolve<GetDeploymentsSummary, User> for State {
  }
 }

-impl Resolve<ListCommonDeploymentExtraArgs, User> for State {
+impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
  async fn resolve(
-    &self,
-    ListCommonDeploymentExtraArgs { query }: ListCommonDeploymentExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonDeploymentExtraArgsResponse> {
-    let deployments =
-      resource::list_full_for_user::<Deployment>(query, &user)
-        .await
-        .context("failed to get resources matching query")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListCommonDeploymentExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let deployments = resource::list_full_for_user::<Deployment>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
--- a/bin/core/src/api/read/mod.rs
+++ b/bin/core/src/api/read/mod.rs
@@ -1,127 +1,158 @@
-use std::{collections::HashSet, sync::OnceLock, time::Instant};
+use std::collections::HashSet;

-use anyhow::{anyhow, Context};
-use axum::{middleware, routing::post, Extension, Router};
-use axum_extra::{headers::ContentType, TypedHeader};
+use anyhow::{Context, anyhow};
+use axum::{
+  Extension, Router, extract::Path, middleware, routing::post,
+};
 use komodo_client::{
  api::read::*,
  entities::{
+    ResourceTarget,
    build::Build,
    builder::{Builder, BuilderConfig},
    config::{DockerRegistry, GitProvider},
+    permission::PermissionLevel,
    repo::Repo,
    server::Server,
    sync::ResourceSync,
    user::User,
-    ResourceTarget,
  },
 };
-use resolver_api::{
-  derive::Resolver, Resolve, ResolveToString, Resolver,
-};
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Response;
+use mogh_error::{AddStatusCodeError, Json};
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
-use serror::Json;
+use serde_json::json;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;

 use crate::{
-  auth::auth_request, config::core_config, helpers::periphery_client,
-  resource, state::State,
+  auth::KomodoAuthImpl,
+  config::{core_config, core_keys},
+  helpers::periphery_client,
+  resource,
 };

+use super::Variant;
+
+mod action;
 mod alert;
 mod alerter;
 mod build;
 mod builder;
 mod deployment;
+mod onboarding_key;
 mod permission;
 mod procedure;
 mod provider;
 mod repo;
-mod search;
+mod schedule;
 mod server;
-mod server_template;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
+mod terminal;
 mod toml;
 mod update;
 mod user;
 mod user_group;
 mod variable;

+pub struct ReadArgs {
+  pub user: User,
+}
+
 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolver)]
-#[resolver_target(State)]
-#[resolver_args(User)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
+)]
+#[strum_discriminants(name(ReadRequestVariant), derive(Display))]
+#[args(ReadArgs)]
+#[response(Response)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 enum ReadRequest {
-  #[to_string_resolver]
  GetVersion(GetVersion),
-  #[to_string_resolver]
  GetCoreInfo(GetCoreInfo),
  ListSecrets(ListSecrets),
  ListGitProvidersFromConfig(ListGitProvidersFromConfig),
  ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),

-  // ==== USER ====
-  GetUsername(GetUsername),
-  GetPermissionLevel(GetPermissionLevel),
-  FindUser(FindUser),
-  ListUsers(ListUsers),
-  ListApiKeys(ListApiKeys),
-  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
-  ListPermissions(ListPermissions),
-  ListUserTargetPermissions(ListUserTargetPermissions),
-
-  // ==== USER GROUP ====
-  GetUserGroup(GetUserGroup),
-  ListUserGroups(ListUserGroups),
-
-  // ==== SEARCH ====
-  FindResources(FindResources),
-
-  // ==== PROCEDURE ====
-  GetProceduresSummary(GetProceduresSummary),
-  GetProcedure(GetProcedure),
-  GetProcedureActionState(GetProcedureActionState),
-  ListProcedures(ListProcedures),
-  ListFullProcedures(ListFullProcedures),
-
-  // ==== SERVER TEMPLATE ====
-  GetServerTemplate(GetServerTemplate),
-  GetServerTemplatesSummary(GetServerTemplatesSummary),
-  ListServerTemplates(ListServerTemplates),
-  ListFullServerTemplates(ListFullServerTemplates),
+  // ==== SWARM ====
+  GetSwarmsSummary(GetSwarmsSummary),
+  GetSwarm(GetSwarm),
+  GetSwarmActionState(GetSwarmActionState),
+  ListSwarms(ListSwarms),
+  InspectSwarm(InspectSwarm),
+  ListFullSwarms(ListFullSwarms),
+  ListSwarmNodes(ListSwarmNodes),
+  InspectSwarmNode(InspectSwarmNode),
+  ListSwarmConfigs(ListSwarmConfigs),
+  InspectSwarmConfig(InspectSwarmConfig),
+  ListSwarmSecrets(ListSwarmSecrets),
+  InspectSwarmSecret(InspectSwarmSecret),
+  ListSwarmStacks(ListSwarmStacks),
+  InspectSwarmStack(InspectSwarmStack),
+  ListSwarmTasks(ListSwarmTasks),
+  InspectSwarmTask(InspectSwarmTask),
+  ListSwarmServices(ListSwarmServices),
+  InspectSwarmService(InspectSwarmService),
+  GetSwarmServiceLog(GetSwarmServiceLog),
+  SearchSwarmServiceLog(SearchSwarmServiceLog),
+  ListSwarmNetworks(ListSwarmNetworks),

  // ==== SERVER ====
  GetServersSummary(GetServersSummary),
  GetServer(GetServer),
  GetServerState(GetServerState),
-  GetPeripheryVersion(GetPeripheryVersion),
+  GetPeripheryInformation(GetPeripheryInformation),
  GetServerActionState(GetServerActionState),
-  GetHistoricalServerStats(GetHistoricalServerStats),
  ListServers(ListServers),
  ListFullServers(ListFullServers),
+
+  // ==== TERMINAL ====
+  ListTerminals(ListTerminals),
+
+  // ==== DOCKER ====
+  GetDockerContainersSummary(GetDockerContainersSummary),
+  ListAllDockerContainers(ListAllDockerContainers),
+  ListDockerContainers(ListDockerContainers),
  InspectDockerContainer(InspectDockerContainer),
  GetResourceMatchingContainer(GetResourceMatchingContainer),
  GetContainerLog(GetContainerLog),
  SearchContainerLog(SearchContainerLog),
+  ListComposeProjects(ListComposeProjects),
+  ListDockerNetworks(ListDockerNetworks),
  InspectDockerNetwork(InspectDockerNetwork),
+  ListDockerImages(ListDockerImages),
  InspectDockerImage(InspectDockerImage),
  ListDockerImageHistory(ListDockerImageHistory),
-  InspectDockerVolume(InspectDockerVolume),
-  ListAllDockerContainers(ListAllDockerContainers),
-  #[to_string_resolver]
-  ListDockerContainers(ListDockerContainers),
-  #[to_string_resolver]
-  ListDockerNetworks(ListDockerNetworks),
-  #[to_string_resolver]
-  ListDockerImages(ListDockerImages),
-  #[to_string_resolver]
  ListDockerVolumes(ListDockerVolumes),
-  #[to_string_resolver]
-  ListComposeProjects(ListComposeProjects),
+  InspectDockerVolume(InspectDockerVolume),
+
+  // ==== SERVER STATS ====
+  GetSystemInformation(GetSystemInformation),
+  GetSystemStats(GetSystemStats),
+  GetHistoricalServerStats(GetHistoricalServerStats),
+  ListSystemProcesses(ListSystemProcesses),
+
+  // ==== STACK ====
+  GetStacksSummary(GetStacksSummary),
+  GetStack(GetStack),
+  GetStackActionState(GetStackActionState),
+  GetStackLog(GetStackLog),
+  SearchStackLog(SearchStackLog),
+  InspectStackContainer(InspectStackContainer),
+  InspectStackSwarmService(InspectStackSwarmService),
+  ListStacks(ListStacks),
+  ListFullStacks(ListFullStacks),
+  ListStackServices(ListStackServices),
+  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
+  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),

  // ==== DEPLOYMENT ====
  GetDeploymentsSummary(GetDeploymentsSummary),
@@ -131,6 +162,8 @@ enum ReadRequest {
  GetDeploymentStats(GetDeploymentStats),
  GetDeploymentLog(GetDeploymentLog),
  SearchDeploymentLog(SearchDeploymentLog),
+  InspectDeploymentContainer(InspectDeploymentContainer),
+  InspectDeploymentSwarmService(InspectDeploymentSwarmService),
  ListDeployments(ListDeployments),
  ListFullDeployments(ListFullDeployments),
  ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
@@ -141,7 +174,6 @@ enum ReadRequest {
  GetBuildActionState(GetBuildActionState),
  GetBuildMonthlyStats(GetBuildMonthlyStats),
  ListBuildVersions(ListBuildVersions),
-  GetBuildWebhookEnabled(GetBuildWebhookEnabled),
  ListBuilds(ListBuilds),
  ListFullBuilds(ListFullBuilds),
  ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
@@ -150,31 +182,33 @@ enum ReadRequest {
  GetReposSummary(GetReposSummary),
  GetRepo(GetRepo),
  GetRepoActionState(GetRepoActionState),
-  GetRepoWebhooksEnabled(GetRepoWebhooksEnabled),
  ListRepos(ListRepos),
  ListFullRepos(ListFullRepos),

+  // ==== PROCEDURE ====
+  GetProceduresSummary(GetProceduresSummary),
+  GetProcedure(GetProcedure),
+  GetProcedureActionState(GetProcedureActionState),
+  ListProcedures(ListProcedures),
+  ListFullProcedures(ListFullProcedures),
+
+  // ==== ACTION ====
+  GetActionsSummary(GetActionsSummary),
+  GetAction(GetAction),
+  GetActionActionState(GetActionActionState),
+  ListActions(ListActions),
+  ListFullActions(ListFullActions),
+
+  // ==== SCHEDULE ====
+  ListSchedules(ListSchedules),
+
  // ==== SYNC ====
  GetResourceSyncsSummary(GetResourceSyncsSummary),
  GetResourceSync(GetResourceSync),
  GetResourceSyncActionState(GetResourceSyncActionState),
-  GetSyncWebhooksEnabled(GetSyncWebhooksEnabled),
  ListResourceSyncs(ListResourceSyncs),
  ListFullResourceSyncs(ListFullResourceSyncs),

-  // ==== STACK ====
-  GetStacksSummary(GetStacksSummary),
-  GetStack(GetStack),
-  GetStackActionState(GetStackActionState),
-  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
-  GetStackServiceLog(GetStackServiceLog),
-  SearchStackServiceLog(SearchStackServiceLog),
-  ListStacks(ListStacks),
-  ListFullStacks(ListFullStacks),
-  ListStackServices(ListStackServices),
-  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
-  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
-
  // ==== BUILDER ====
  GetBuildersSummary(GetBuildersSummary),
  GetBuilder(GetBuilder),
@@ -195,6 +229,20 @@ enum ReadRequest {
  GetTag(GetTag),
  ListTags(ListTags),

+  // ==== USER ====
+  GetUsername(GetUsername),
+  GetPermission(GetPermission),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
  // ==== UPDATE ====
  GetUpdate(GetUpdate),
  ListUpdates(ListUpdates),
@@ -203,14 +251,6 @@ enum ReadRequest {
  ListAlerts(ListAlerts),
  GetAlert(GetAlert),

-  // ==== SERVER STATS ====
-  #[to_string_resolver]
-  GetSystemInformation(GetSystemInformation),
-  #[to_string_resolver]
-  GetSystemStats(GetSystemStats),
-  #[to_string_resolver]
-  ListSystemProcesses(ListSystemProcesses),
-
  // ==== VARIABLE ====
  GetVariable(GetVariable),
  ListVariables(ListVariables),
@@ -220,64 +260,74 @@ enum ReadRequest {
  ListGitProviderAccounts(ListGitProviderAccounts),
  GetDockerRegistryAccount(GetDockerRegistryAccount),
  ListDockerRegistryAccounts(ListDockerRegistryAccounts),
+
+  // ==== ONBOARDING KEY ====
+  ListOnboardingKeys(ListOnboardingKeys),
 }

 pub fn router() -> Router {
  Router::new()
    .route("/", post(handler))
-    .layer(middleware::from_fn(auth_request))
+    .route("/{variant}", post(variant_handler))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
+}
+
+async fn variant_handler(
+  user: Extension<User>,
+  Path(Variant { variant }): Path<Variant>,
+  Json(params): Json<serde_json::Value>,
+) -> mogh_error::Result<axum::response::Response> {
+  let req: ReadRequest = serde_json::from_value(json!({
+    "type": variant,
+    "params": params,
+  }))?;
+  handler(user, Json(req)).await
 }

-#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
 async fn handler(
  Extension(user): Extension<User>,
  Json(request): Json<ReadRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
-  let timer = Instant::now();
+) -> mogh_error::Result<axum::response::Response> {
  let req_id = Uuid::new_v4();
-  debug!("/read request | user: {}", user.username);
-  let res =
-    State
-      .resolve_request(request, user)
-      .await
-      .map_err(|e| match e {
-        resolver_api::Error::Serialization(e) => {
-          anyhow!("{e:?}").context("response serialization error")
-        }
-        resolver_api::Error::Inner(e) => e,
-      });
+  let variant: ReadRequestVariant = (&request).into();
+
+  debug!(
+    "READ REQUEST {req_id} | METHOD: {variant} | USER: {} ({})",
+    user.username, user.id
+  );
+
+  let res = request.resolve(&ReadArgs { user }).await;
+
  if let Err(e) = &res {
-    debug!("/read request {req_id} error: {e:#}");
+    debug!(
+      "READ REQUEST {req_id} | METHOD: {variant} | ERROR: {:#}",
+      e.error
+    );
  }
-  let elapsed = timer.elapsed();
-  debug!("/read request {req_id} | resolve time: {elapsed:?}");
-  Ok((TypedHeader(ContentType::json()), res?))
+
+  res.map(|res| res.0)
 }

-fn version() -> &'static String {
-  static VERSION: OnceLock<String> = OnceLock::new();
-  VERSION.get_or_init(|| {
-    serde_json::to_string(&GetVersionResponse {
+impl Resolve<ReadArgs> for GetVersion {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<GetVersionResponse> {
+    Ok(GetVersionResponse {
      version: env!("CARGO_PKG_VERSION").to_string(),
    })
-    .context("failed to serialize GetVersionResponse")
-    .unwrap()
-  })
-}
-
-impl ResolveToString<GetVersion, User> for State {
-  async fn resolve_to_string(
-    &self,
-    GetVersion {}: GetVersion,
-    _: User,
-  ) -> anyhow::Result<String> {
-    Ok(version().to_string())
  }
 }

-fn core_info() -> &'static String {
-  static CORE_INFO: OnceLock<String> = OnceLock::new();
-  CORE_INFO.get_or_init(|| {
+//
+
+impl Resolve<ReadArgs> for GetCoreInfo {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<GetCoreInfoResponse> {
    let config = core_config();
    let info = GetCoreInfoResponse {
      title: config.title.clone(),
@@ -291,46 +341,34 @@ fn core_info() -> &'static String {
      ui_write_disabled: config.ui_write_disabled,
      disable_confirm_dialog: config.disable_confirm_dialog,
      disable_non_admin_create: config.disable_non_admin_create,
-      github_webhook_owners: config
-        .github_webhook_app
-        .installations
-        .iter()
-        .map(|i| i.namespace.to_string())
-        .collect(),
+      disable_websocket_reconnect: config.disable_websocket_reconnect,
+      enable_fancy_toml: config.enable_fancy_toml,
+      timezone: config.timezone.clone(),
+      public_key: core_keys().load().public.to_string(),
    };
-    serde_json::to_string(&info)
-      .context("failed to serialize GetCoreInfoResponse")
-      .unwrap()
-  })
-}
-
-impl ResolveToString<GetCoreInfo, User> for State {
-  async fn resolve_to_string(
-    &self,
-    GetCoreInfo {}: GetCoreInfo,
-    _: User,
-  ) -> anyhow::Result<String> {
-    Ok(core_info().to_string())
+    Ok(info)
  }
 }

-impl Resolve<ListSecrets, User> for State {
+//
+
+impl Resolve<ReadArgs> for ListSecrets {
  async fn resolve(
-    &self,
-    ListSecrets { target }: ListSecrets,
-    _: User,
-  ) -> anyhow::Result<ListSecretsResponse> {
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<ListSecretsResponse> {
    let mut secrets = core_config()
      .secrets
      .keys()
      .cloned()
      .collect::<HashSet<_>>();

-    if let Some(target) = target {
+    if let Some(target) = self.target {
      let server_id = match target {
        ResourceTarget::Server(id) => Some(id),
        ResourceTarget::Builder(id) => {
          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => None,
            BuilderConfig::Server(config) => Some(config.server_id),
            BuilderConfig::Aws(config) => {
              secrets.extend(config.secrets);
@@ -339,12 +377,16 @@ impl Resolve<ListSecrets, User> for State {
          }
        }
        _ => {
-          return Err(anyhow!("target must be `Server` or `Builder`"))
+          return Err(
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
+          );
        }
      };
      if let Some(id) = server_id {
        let server = resource::get::<Server>(&id).await?;
-        let more = periphery_client(&server)?
+        let more = periphery_client(&server)
+          .await?
          .request(periphery_client::api::ListSecrets {})
          .await
          .with_context(|| {
@@ -364,21 +406,23 @@ impl Resolve<ListSecrets, User> for State {
  }
 }

-impl Resolve<ListGitProvidersFromConfig, User> for State {
+//
+
+impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
  async fn resolve(
-    &self,
-    ListGitProvidersFromConfig { target }: ListGitProvidersFromConfig,
-    user: User,
-  ) -> anyhow::Result<ListGitProvidersFromConfigResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListGitProvidersFromConfigResponse> {
    let mut providers = core_config().git_providers.clone();

-    if let Some(target) = target {
+    if let Some(target) = self.target {
      match target {
        ResourceTarget::Server(id) => {
          merge_git_providers_for_server(&mut providers, &id).await?;
        }
        ResourceTarget::Builder(id) => {
          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
            BuilderConfig::Server(config) => {
              merge_git_providers_for_server(
                &mut providers,
@@ -395,7 +439,10 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
          }
        }
        _ => {
-          return Err(anyhow!("target must be `Server` or `Builder`"))
+          return Err(
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
+          );
        }
      }
    }
@@ -403,12 +450,21 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
    let (builds, repos, syncs) = tokio::try_join!(
      resource::list_full_for_user::<Build>(
        Default::default(),
-        &user
+        user,
+        PermissionLevel::Read.into(),
+        &[]
+      ),
+      resource::list_full_for_user::<Repo>(
+        Default::default(),
+        user,
+        PermissionLevel::Read.into(),
+        &[]
      ),
-      resource::list_full_for_user::<Repo>(Default::default(), &user),
      resource::list_full_for_user::<ResourceSync>(
        Default::default(),
-        &user
+        user,
+        PermissionLevel::Read.into(),
+        &[]
      ),
    )?;

@@ -455,15 +511,16 @@ impl Resolve<ListGitProvidersFromConfig, User> for State {
  }
 }

-impl Resolve<ListDockerRegistriesFromConfig, User> for State {
+//
+
+impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
  async fn resolve(
-    &self,
-    ListDockerRegistriesFromConfig { target }: ListDockerRegistriesFromConfig,
-    _: User,
-  ) -> anyhow::Result<ListDockerRegistriesFromConfigResponse> {
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<ListDockerRegistriesFromConfigResponse> {
    let mut registries = core_config().docker_registries.clone();

-    if let Some(target) = target {
+    if let Some(target) = self.target {
      match target {
        ResourceTarget::Server(id) => {
          merge_docker_registries_for_server(&mut registries, &id)
@@ -471,6 +528,7 @@ impl Resolve<ListDockerRegistriesFromConfig, User> for State {
        }
        ResourceTarget::Builder(id) => {
          match resource::get::<Builder>(&id).await?.config {
+            BuilderConfig::Url(_) => {}
            BuilderConfig::Server(config) => {
              merge_docker_registries_for_server(
                &mut registries,
@@ -487,7 +545,9 @@ impl Resolve<ListDockerRegistriesFromConfig, User> for State {
          }
        }
        _ => {
-          return Err(anyhow!("target must be `Server` or `Builder`"))
+          return Err(
+            anyhow!("target must be `Server` or `Builder`").into(),
+          );
        }
      }
    }
@@ -501,9 +561,10 @@ impl Resolve<ListDockerRegistriesFromConfig, User> for State {
 async fn merge_git_providers_for_server(
  providers: &mut Vec<GitProvider>,
  server_id: &str,
-) -> anyhow::Result<()> {
+) -> mogh_error::Result<()> {
  let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
    .request(periphery_client::api::ListGitProviders {})
    .await
    .with_context(|| {
@@ -539,9 +600,10 @@ fn merge_git_providers(
 async fn merge_docker_registries_for_server(
  registries: &mut Vec<DockerRegistry>,
  server_id: &str,
-) -> anyhow::Result<()> {
+) -> mogh_error::Result<()> {
  let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
    .request(periphery_client::api::ListDockerRegistries {})
    .await
    .with_context(|| {
--- a/bin/core/src/api/read/onboarding_key.rs
+++ b/bin/core/src/api/read/onboarding_key.rs
@@ -0,0 +1,51 @@
+use std::cmp::Ordering;
+
+use anyhow::{Context, anyhow};
+use database::mungos::find::find_collect;
+use komodo_client::api::read::{
+  ListOnboardingKeys, ListOnboardingKeysResponse,
+};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{api::read::ReadArgs, state::db_client};
+
+//
+
+impl Resolve<ReadArgs> for ListOnboardingKeys {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> mogh_error::Result<ListOnboardingKeysResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let mut keys =
+      find_collect(&db_client().onboarding_keys, None, None)
+        .await
+        .context(
+          "Failed to query database for Server onboarding keys",
+        )?;
+
+    // No expiry keys first, followed
+    keys.sort_by(|a, b| {
+      if a.expires == b.expires {
+        Ordering::Equal
+      } else if a.expires == 0 {
+        Ordering::Less
+      } else if b.expires == 0 {
+        Ordering::Greater
+      } else {
+        // Descending
+        b.expires.cmp(&a.expires)
+      }
+    });
+
+    Ok(keys)
+  }
+}
--- a/bin/core/src/api/read/permission.rs
+++ b/bin/core/src/api/read/permission.rs
@@ -1,27 +1,27 @@
-use anyhow::{anyhow, Context};
+use anyhow::{Context, anyhow};
+use database::mungos::{find::find_collect, mongodb::bson::doc};
 use komodo_client::{
  api::read::{
-    GetPermissionLevel, GetPermissionLevelResponse, ListPermissions,
+    GetPermission, GetPermissionResponse, ListPermissions,
    ListPermissionsResponse, ListUserTargetPermissions,
    ListUserTargetPermissionsResponse,
  },
-  entities::{permission::PermissionLevel, user::User},
+  entities::permission::PermissionLevel,
 };
-use mungos::{find::find_collect, mongodb::bson::doc};
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  helpers::query::get_user_permission_on_target,
-  state::{db_client, State},
+  helpers::query::get_user_permission_on_target, state::db_client,
 };

-impl Resolve<ListPermissions, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListPermissions {
  async fn resolve(
-    &self,
-    ListPermissions {}: ListPermissions,
-    user: User,
-  ) -> anyhow::Result<ListPermissionsResponse> {
-    find_collect(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListPermissionsResponse> {
+    let res = find_collect(
      &db_client().permissions,
      doc! {
        "user_target.type": "User",
@@ -30,34 +30,33 @@ impl Resolve<ListPermissions, User> for State {
      None,
    )
    .await
-    .context("failed to query db for permissions")
+    .context("failed to query db for permissions")?;
+    Ok(res)
  }
 }

-impl Resolve<GetPermissionLevel, User> for State {
+impl Resolve<ReadArgs> for GetPermission {
  async fn resolve(
-    &self,
-    GetPermissionLevel { target }: GetPermissionLevel,
-    user: User,
-  ) -> anyhow::Result<GetPermissionLevelResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetPermissionResponse> {
    if user.admin {
-      return Ok(PermissionLevel::Write);
+      return Ok(PermissionLevel::Write.all());
    }
-    get_user_permission_on_target(&user, &target).await
+    Ok(get_user_permission_on_target(user, &self.target).await?)
  }
 }

-impl Resolve<ListUserTargetPermissions, User> for State {
+impl Resolve<ReadArgs> for ListUserTargetPermissions {
  async fn resolve(
-    &self,
-    ListUserTargetPermissions { user_target }: ListUserTargetPermissions,
-    user: User,
-  ) -> anyhow::Result<ListUserTargetPermissionsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListUserTargetPermissionsResponse> {
    if !user.admin {
-      return Err(anyhow!("this method is admin only"));
+      return Err(anyhow!("this method is admin only").into());
    }
-    let (variant, id) = user_target.extract_variant_id();
-    find_collect(
+    let (variant, id) = self.user_target.extract_variant_id();
+    let res = find_collect(
      &db_client().permissions,
      doc! {
        "user_target.type": variant.as_ref(),
@@ -66,6 +65,7 @@ impl Resolve<ListUserTargetPermissions, User> for State {
      None,
    )
    .await
-    .context("failed to query db for permissions")
+    .context("failed to query db for permissions")?;
+    Ok(res)
  }
 }
--- a/bin/core/src/api/read/procedure.rs
+++ b/bin/core/src/api/read/procedure.rs
@@ -4,60 +4,89 @@ use komodo_client::{
  entities::{
    permission::PermissionLevel,
    procedure::{Procedure, ProcedureState},
-    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
  resource,
-  state::{action_states, procedure_state_cache, State},
+  state::{action_states, procedure_state_cache},
 };

-impl Resolve<GetProcedure, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetProcedure {
  async fn resolve(
-    &self,
-    GetProcedure { procedure }: GetProcedure,
-    user: User,
-  ) -> anyhow::Result<GetProcedureResponse> {
-    resource::get_check_permissions::<Procedure>(
-      &procedure,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetProcedureResponse> {
+    Ok(
+      get_check_permissions::<Procedure>(
+        &self.procedure,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListProcedures, User> for State {
+impl Resolve<ReadArgs> for ListProcedures {
  async fn resolve(
-    &self,
-    ListProcedures { query }: ListProcedures,
-    user: User,
-  ) -> anyhow::Result<ListProceduresResponse> {
-    resource::list_for_user::<Procedure>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Procedure>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullProcedures, User> for State {
+impl Resolve<ReadArgs> for ListFullProcedures {
  async fn resolve(
-    &self,
-    ListFullProcedures { query }: ListFullProcedures,
-    user: User,
-  ) -> anyhow::Result<ListFullProceduresResponse> {
-    resource::list_full_for_user::<Procedure>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullProceduresResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Procedure>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetProceduresSummary, User> for State {
+impl Resolve<ReadArgs> for GetProceduresSummary {
  async fn resolve(
-    &self,
-    GetProceduresSummary {}: GetProceduresSummary,
-    user: User,
-  ) -> anyhow::Result<GetProceduresSummaryResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetProceduresSummaryResponse> {
    let procedures = resource::list_full_for_user::<Procedure>(
      Default::default(),
-      &user,
+      user,
+      PermissionLevel::Read.into(),
+      &[],
    )
    .await
    .context("failed to get procedures from db")?;
@@ -94,16 +123,15 @@ impl Resolve<GetProceduresSummary, User> for State {
  }
 }

-impl Resolve<GetProcedureActionState, User> for State {
+impl Resolve<ReadArgs> for GetProcedureActionState {
  async fn resolve(
-    &self,
-    GetProcedureActionState { procedure }: GetProcedureActionState,
-    user: User,
-  ) -> anyhow::Result<GetProcedureActionStateResponse> {
-    let procedure = resource::get_check_permissions::<Procedure>(
-      &procedure,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetProcedureActionStateResponse> {
+    let procedure = get_check_permissions::<Procedure>(
+      &self.procedure,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
--- a/bin/core/src/api/read/provider.rs
+++ b/bin/core/src/api/read/provider.rs
@@ -1,59 +1,54 @@
-use anyhow::{anyhow, Context};
-use komodo_client::{
-  api::read::{
-    GetDockerRegistryAccount, GetDockerRegistryAccountResponse,
-    GetGitProviderAccount, GetGitProviderAccountResponse,
-    ListDockerRegistryAccounts, ListDockerRegistryAccountsResponse,
-    ListGitProviderAccounts, ListGitProviderAccountsResponse,
-  },
-  entities::user::User,
-};
-use mongo_indexed::{doc, Document};
-use mungos::{
+use anyhow::{Context, anyhow};
+use database::mongo_indexed::{Document, doc};
+use database::mungos::{
  by_id::find_one_by_id, find::find_collect,
  mongodb::options::FindOptions,
 };
-use resolver_api::Resolve;
+use komodo_client::api::read::*;
+use mogh_resolver::Resolve;

-use crate::state::{db_client, State};
+use crate::state::db_client;

-impl Resolve<GetGitProviderAccount, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetGitProviderAccount {
  async fn resolve(
-    &self,
-    GetGitProviderAccount { id }: GetGitProviderAccount,
-    user: User,
-  ) -> anyhow::Result<GetGitProviderAccountResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetGitProviderAccountResponse> {
    if !user.admin {
-      return Err(anyhow!(
-        "Only admins can read git provider accounts"
-      ));
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
    }
-    find_one_by_id(&db_client().git_accounts, &id)
+    let res = find_one_by_id(&db_client().git_accounts, &self.id)
      .await
      .context("failed to query db for git provider accounts")?
-      .context("did not find git provider account with the given id")
+      .context(
+        "did not find git provider account with the given id",
+      )?;
+    Ok(res)
  }
 }

-impl Resolve<ListGitProviderAccounts, User> for State {
+impl Resolve<ReadArgs> for ListGitProviderAccounts {
  async fn resolve(
-    &self,
-    ListGitProviderAccounts { domain, username }: ListGitProviderAccounts,
-    user: User,
-  ) -> anyhow::Result<ListGitProviderAccountsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListGitProviderAccountsResponse> {
    if !user.admin {
-      return Err(anyhow!(
-        "Only admins can read git provider accounts"
-      ));
+      return Err(
+        anyhow!("Only admins can read git provider accounts").into(),
+      );
    }
    let mut filter = Document::new();
-    if let Some(domain) = domain {
+    if let Some(domain) = self.domain {
      filter.insert("domain", domain);
    }
-    if let Some(username) = username {
+    if let Some(username) = self.username {
      filter.insert("username", username);
    }
-    find_collect(
+    let res = find_collect(
      &db_client().git_accounts,
      filter,
      FindOptions::builder()
@@ -61,49 +56,52 @@ impl Resolve<ListGitProviderAccounts, User> for State {
        .build(),
    )
    .await
-    .context("failed to query db for git provider accounts")
+    .context("failed to query db for git provider accounts")?;
+    Ok(res)
  }
 }

-impl Resolve<GetDockerRegistryAccount, User> for State {
+impl Resolve<ReadArgs> for GetDockerRegistryAccount {
  async fn resolve(
-    &self,
-    GetDockerRegistryAccount { id }: GetDockerRegistryAccount,
-    user: User,
-  ) -> anyhow::Result<GetDockerRegistryAccountResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetDockerRegistryAccountResponse> {
    if !user.admin {
-      return Err(anyhow!(
-        "Only admins can read docker registry accounts"
-      ));
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
    }
-    find_one_by_id(&db_client().registry_accounts, &id)
-      .await
-      .context("failed to query db for docker registry accounts")?
-      .context(
-        "did not find docker registry account with the given id",
-      )
+    let res =
+      find_one_by_id(&db_client().registry_accounts, &self.id)
+        .await
+        .context("failed to query db for docker registry accounts")?
+        .context(
+          "did not find docker registry account with the given id",
+        )?;
+    Ok(res)
  }
 }

-impl Resolve<ListDockerRegistryAccounts, User> for State {
+impl Resolve<ReadArgs> for ListDockerRegistryAccounts {
  async fn resolve(
-    &self,
-    ListDockerRegistryAccounts { domain, username }: ListDockerRegistryAccounts,
-    user: User,
-  ) -> anyhow::Result<ListDockerRegistryAccountsResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListDockerRegistryAccountsResponse> {
    if !user.admin {
-      return Err(anyhow!(
-        "Only admins can read docker registry accounts"
-      ));
+      return Err(
+        anyhow!("Only admins can read docker registry accounts")
+          .into(),
+      );
    }
    let mut filter = Document::new();
-    if let Some(domain) = domain {
+    if let Some(domain) = self.domain {
      filter.insert("domain", domain);
    }
-    if let Some(username) = username {
+    if let Some(username) = self.username {
      filter.insert("username", username);
    }
-    find_collect(
+    let res = find_collect(
      &db_client().registry_accounts,
      filter,
      FindOptions::builder()
@@ -111,6 +109,7 @@ impl Resolve<ListDockerRegistryAccounts, User> for State {
        .build(),
    )
    .await
-    .context("failed to query db for docker registry accounts")
+    .context("failed to query db for docker registry accounts")?;
+    Ok(res)
  }
 }
--- a/bin/core/src/api/read/repo.rs
+++ b/bin/core/src/api/read/repo.rs
@@ -2,65 +2,90 @@ use anyhow::Context;
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
    permission::PermissionLevel,
    repo::{Repo, RepoActionState, RepoListItem, RepoState},
-    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config,
+  helpers::query::get_all_tags,
+  permission::get_check_permissions,
  resource,
-  state::{action_states, github_client, repo_state_cache, State},
+  state::{action_states, repo_state_cache},
 };

-impl Resolve<GetRepo, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetRepo {
  async fn resolve(
-    &self,
-    GetRepo { repo }: GetRepo,
-    user: User,
-  ) -> anyhow::Result<Repo> {
-    resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Repo> {
+    Ok(
+      get_check_permissions::<Repo>(
+        &self.repo,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListRepos, User> for State {
+impl Resolve<ReadArgs> for ListRepos {
  async fn resolve(
-    &self,
-    ListRepos { query }: ListRepos,
-    user: User,
-  ) -> anyhow::Result<Vec<RepoListItem>> {
-    resource::list_for_user::<Repo>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<RepoListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Repo>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullRepos, User> for State {
+impl Resolve<ReadArgs> for ListFullRepos {
  async fn resolve(
-    &self,
-    ListFullRepos { query }: ListFullRepos,
-    user: User,
-  ) -> anyhow::Result<ListFullReposResponse> {
-    resource::list_full_for_user::<Repo>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullReposResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Repo>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetRepoActionState, User> for State {
+impl Resolve<ReadArgs> for GetRepoActionState {
  async fn resolve(
-    &self,
-    GetRepoActionState { repo }: GetRepoActionState,
-    user: User,
-  ) -> anyhow::Result<RepoActionState> {
-    let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<RepoActionState> {
+    let repo = get_check_permissions::<Repo>(
+      &self.repo,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
@@ -73,16 +98,19 @@ impl Resolve<GetRepoActionState, User> for State {
  }
 }

-impl Resolve<GetReposSummary, User> for State {
+impl Resolve<ReadArgs> for GetReposSummary {
  async fn resolve(
-    &self,
-    GetReposSummary {}: GetReposSummary,
-    user: User,
-  ) -> anyhow::Result<GetReposSummaryResponse> {
-    let repos =
-      resource::list_full_for_user::<Repo>(Default::default(), &user)
-        .await
-        .context("failed to get repos from db")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetReposSummaryResponse> {
+    let repos = resource::list_full_for_user::<Repo>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get repos from db")?;

    let mut res = GetReposSummaryResponse::default();

@@ -112,7 +140,11 @@ impl Resolve<GetReposSummary, User> for State {
        }
        (RepoState::Ok, _) => res.ok += 1,
        (RepoState::Failed, _) => res.failed += 1,
-        (RepoState::Unknown, _) => res.unknown += 1,
+        (RepoState::Unknown, _) => {
+          if !repo.template {
+            res.unknown += 1
+          }
+        }
        // will never come off the cache in the building state, since that comes from action states
        (RepoState::Cloning, _)
        | (RepoState::Pulling, _)
@@ -125,105 +157,3 @@ impl Resolve<GetReposSummary, User> for State {
    Ok(res)
  }
 }
-
-impl Resolve<GetRepoWebhooksEnabled, User> for State {
-  async fn resolve(
-    &self,
-    GetRepoWebhooksEnabled { repo }: GetRepoWebhooksEnabled,
-    user: User,
-  ) -> anyhow::Result<GetRepoWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo = resource::get_check_permissions::<Repo>(
-      &repo,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
-
-    if repo.config.git_provider != "github.com"
-      || repo.config.repo.is_empty()
-    {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    }
-
-    let mut split = repo.config.repo.split('/');
-    let owner = split.next().context("Repo repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let clone_url =
-      format!("{host}/listener/github/repo/{}/clone", repo.id);
-    let pull_url =
-      format!("{host}/listener/github/repo/{}/pull", repo.id);
-    let build_url =
-      format!("{host}/listener/github/repo/{}/build", repo.id);
-
-    let mut clone_enabled = false;
-    let mut pull_enabled = false;
-    let mut build_enabled = false;
-
-    for webhook in webhooks {
-      if !webhook.active {
-        continue;
-      }
-      if webhook.config.url == clone_url {
-        clone_enabled = true
-      }
-      if webhook.config.url == pull_url {
-        pull_enabled = true
-      }
-      if webhook.config.url == build_url {
-        build_enabled = true
-      }
-    }
-
-    Ok(GetRepoWebhooksEnabledResponse {
-      managed: true,
-      clone_enabled,
-      pull_enabled,
-      build_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/schedule.rs
+++ b/bin/core/src/api/read/schedule.rs
@@ -0,0 +1,107 @@
+use futures_util::future::join_all;
+use komodo_client::{
+  api::read::*,
+  entities::{
+    ResourceTarget,
+    action::Action,
+    permission::PermissionLevel,
+    procedure::Procedure,
+    resource::{ResourceQuery, TemplatesQueryBehavior},
+    schedule::Schedule,
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  helpers::query::{get_all_tags, get_last_run_at},
+  resource::list_full_for_user,
+  schedule::get_schedule_item_info,
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for ListSchedules {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> mogh_error::Result<Vec<Schedule>> {
+    let all_tags = get_all_tags(None).await?;
+    let (actions, procedures) = tokio::try_join!(
+      list_full_for_user::<Action>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      ),
+      list_full_for_user::<Procedure>(
+        ResourceQuery {
+          names: Default::default(),
+          templates: TemplatesQueryBehavior::Include,
+          tag_behavior: self.tag_behavior,
+          tags: self.tags.clone(),
+          specific: Default::default(),
+        },
+        &args.user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+    )?;
+    let actions = actions.into_iter().map(async |action| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Action(
+          action.id.clone(),
+        ));
+      let last_run_at =
+        get_last_run_at::<Action>(&action.id).await.unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Action(action.id),
+        name: action.name,
+        enabled: action.config.schedule_enabled,
+        schedule_format: action.config.schedule_format,
+        schedule: action.config.schedule,
+        schedule_timezone: action.config.schedule_timezone,
+        tags: action.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let procedures = procedures.into_iter().map(async |procedure| {
+      let (next_scheduled_run, schedule_error) =
+        get_schedule_item_info(&ResourceTarget::Procedure(
+          procedure.id.clone(),
+        ));
+      let last_run_at = get_last_run_at::<Procedure>(&procedure.id)
+        .await
+        .unwrap_or(None);
+      Schedule {
+        target: ResourceTarget::Procedure(procedure.id),
+        name: procedure.name,
+        enabled: procedure.config.schedule_enabled,
+        schedule_format: procedure.config.schedule_format,
+        schedule: procedure.config.schedule,
+        schedule_timezone: procedure.config.schedule_timezone,
+        tags: procedure.tags,
+        last_run_at,
+        next_scheduled_run,
+        schedule_error,
+      }
+    });
+    let (actions, procedures) =
+      tokio::join!(join_all(actions), join_all(procedures));
+
+    Ok(
+      actions
+        .into_iter()
+        .chain(procedures)
+        .filter(|s| !s.schedule.is_empty())
+        .collect(),
+    )
+  }
+}
--- a/bin/core/src/api/read/search.rs
+++ b/bin/core/src/api/read/search.rs
@@ -1,82 +0,0 @@
-use komodo_client::{
-  api::read::{FindResources, FindResourcesResponse},
-  entities::{
-    build::Build, deployment::Deployment, procedure::Procedure,
-    repo::Repo, server::Server, user::User, ResourceTargetVariant,
-  },
-};
-use resolver_api::Resolve;
-
-use crate::{resource, state::State};
-
-const FIND_RESOURCE_TYPES: [ResourceTargetVariant; 5] = [
-  ResourceTargetVariant::Server,
-  ResourceTargetVariant::Build,
-  ResourceTargetVariant::Deployment,
-  ResourceTargetVariant::Repo,
-  ResourceTargetVariant::Procedure,
-];
-
-impl Resolve<FindResources, User> for State {
-  async fn resolve(
-    &self,
-    FindResources { query, resources }: FindResources,
-    user: User,
-  ) -> anyhow::Result<FindResourcesResponse> {
-    let mut res = FindResourcesResponse::default();
-    let resource_types = if resources.is_empty() {
-      FIND_RESOURCE_TYPES.to_vec()
-    } else {
-      resources
-        .into_iter()
-        .filter(|r| {
-          !matches!(
-            r,
-            ResourceTargetVariant::System
-              | ResourceTargetVariant::Builder
-              | ResourceTargetVariant::Alerter
-          )
-        })
-        .collect()
-    };
-    for resource_type in resource_types {
-      match resource_type {
-        ResourceTargetVariant::Server => {
-          res.servers = resource::list_for_user_using_document::<
-            Server,
-          >(query.clone(), &user)
-          .await?;
-        }
-        ResourceTargetVariant::Deployment => {
-          res.deployments = resource::list_for_user_using_document::<
-            Deployment,
-          >(query.clone(), &user)
-          .await?;
-        }
-        ResourceTargetVariant::Build => {
-          res.builds =
-            resource::list_for_user_using_document::<Build>(
-              query.clone(),
-              &user,
-            )
-            .await?;
-        }
-        ResourceTargetVariant::Repo => {
-          res.repos = resource::list_for_user_using_document::<Repo>(
-            query.clone(),
-            &user,
-          )
-          .await?;
-        }
-        ResourceTargetVariant::Procedure => {
-          res.procedures = resource::list_for_user_using_document::<
-            Procedure,
-          >(query.clone(), &user)
-          .await?;
-        }
-        _ => {}
-      }
-    }
-    Ok(res)
-  }
-}
--- a/bin/core/src/api/read/server.rs
+++ b/bin/core/src/api/read/server.rs
--- a/bin/core/src/api/read/server_template.rs
+++ b/bin/core/src/api/read/server_template.rs
@@ -1,79 +0,0 @@
-use anyhow::Context;
-use komodo_client::{
-  api::read::*,
-  entities::{
-    permission::PermissionLevel, server_template::ServerTemplate,
-    user::User,
-  },
-};
-use mongo_indexed::Document;
-use mungos::mongodb::bson::doc;
-use resolver_api::Resolve;
-
-use crate::{
-  resource,
-  state::{db_client, State},
-};
-
-impl Resolve<GetServerTemplate, User> for State {
-  async fn resolve(
-    &self,
-    GetServerTemplate { server_template }: GetServerTemplate,
-    user: User,
-  ) -> anyhow::Result<GetServerTemplateResponse> {
-    resource::get_check_permissions::<ServerTemplate>(
-      &server_template,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await
-  }
-}
-
-impl Resolve<ListServerTemplates, User> for State {
-  async fn resolve(
-    &self,
-    ListServerTemplates { query }: ListServerTemplates,
-    user: User,
-  ) -> anyhow::Result<ListServerTemplatesResponse> {
-    resource::list_for_user::<ServerTemplate>(query, &user).await
-  }
-}
-
-impl Resolve<ListFullServerTemplates, User> for State {
-  async fn resolve(
-    &self,
-    ListFullServerTemplates { query }: ListFullServerTemplates,
-    user: User,
-  ) -> anyhow::Result<ListFullServerTemplatesResponse> {
-    resource::list_full_for_user::<ServerTemplate>(query, &user).await
-  }
-}
-
-impl Resolve<GetServerTemplatesSummary, User> for State {
-  async fn resolve(
-    &self,
-    GetServerTemplatesSummary {}: GetServerTemplatesSummary,
-    user: User,
-  ) -> anyhow::Result<GetServerTemplatesSummaryResponse> {
-    let query = match resource::get_resource_ids_for_user::<
-      ServerTemplate,
-    >(&user)
-    .await?
-    {
-      Some(ids) => doc! {
-        "_id": { "$in": ids }
-      },
-      None => Document::new(),
-    };
-    let total = db_client()
-      .server_templates
-      .count_documents(query)
-      .await
-      .context("failed to count all server template documents")?;
-    let res = GetServerTemplatesSummaryResponse {
-      total: total as u32,
-    };
-    Ok(res)
-  }
-}
--- a/bin/core/src/api/read/stack.rs
+++ b/bin/core/src/api/read/stack.rs
@@ -1,53 +1,62 @@
 use std::collections::HashSet;

-use anyhow::Context;
+use anyhow::{Context, anyhow};
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
+    SwarmOrServer,
+    docker::{
+      container::Container, service::SwarmService, stack::SwarmStack,
+    },
    permission::PermissionLevel,
    stack::{Stack, StackActionState, StackListItem, StackState},
-    user::User,
  },
 };
-use periphery_client::api::compose::{
-  GetComposeServiceLog, GetComposeServiceLogSearch,
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
+use periphery_client::api::{
+  compose::{GetComposeLog, GetComposeLogSearch},
+  container::InspectContainer,
 };
-use resolver_api::Resolve;
+use reqwest::StatusCode;

 use crate::{
-  config::core_config,
-  helpers::periphery_client,
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
+  permission::get_check_permissions,
  resource,
-  stack::get_stack_and_server,
-  state::{action_states, github_client, stack_status_cache, State},
+  stack::setup_stack_execution,
+  state::{action_states, stack_status_cache},
 };

-impl Resolve<GetStack, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetStack {
  async fn resolve(
-    &self,
-    GetStack { stack }: GetStack,
-    user: User,
-  ) -> anyhow::Result<Stack> {
-    resource::get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Stack> {
+    Ok(
+      get_check_permissions::<Stack>(
+        &self.stack,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListStackServices, User> for State {
+impl Resolve<ReadArgs> for ListStackServices {
  async fn resolve(
-    &self,
-    ListStackServices { stack }: ListStackServices,
-    user: User,
-  ) -> anyhow::Result<ListStackServicesResponse> {
-    let stack = resource::get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListStackServicesResponse> {
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;

@@ -63,79 +72,279 @@ impl Resolve<ListStackServices, User> for State {
  }
 }

-impl Resolve<GetStackServiceLog, User> for State {
+impl Resolve<ReadArgs> for GetStackLog {
  async fn resolve(
-    &self,
-    GetStackServiceLog {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetStackLogResponse> {
+    let GetStackLog {
      stack,
-      service,
+      mut services,
      tail,
      timestamps,
-    }: GetStackServiceLog,
-    user: User,
-  ) -> anyhow::Result<GetStackServiceLogResponse> {
-    let (stack, server) = get_stack_and_server(
+    } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
      &stack,
-      &user,
-      PermissionLevel::Read,
-      true,
+      user,
+      PermissionLevel::Read.logs(),
    )
    .await?;
-    periphery_client(&server)?
-      .request(GetComposeServiceLog {
-        project: stack.project_name(false),
-        service,
-        tail,
-        timestamps,
-      })
-      .await
-      .context("failed to get stack service log from periphery")
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLog {
+            // The actual service name on swarm will be stackname_servicename
+            service: format!(
+              "{}_{service}",
+              stack.project_name(false)
+            ),
+            tail,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLog {
+          project: stack.project_name(false),
+          services,
+          tail,
+          timestamps,
+        })
+        .await
+        .context("Failed to get stack log from periphery")?,
+    };
+
+    Ok(log)
  }
 }

-impl Resolve<SearchStackServiceLog, User> for State {
+impl Resolve<ReadArgs> for SearchStackLog {
  async fn resolve(
-    &self,
-    SearchStackServiceLog {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SearchStackLogResponse> {
+    let SearchStackLog {
      stack,
-      service,
+      mut services,
      terms,
      combinator,
      invert,
      timestamps,
-    }: SearchStackServiceLog,
-    user: User,
-  ) -> anyhow::Result<SearchStackServiceLogResponse> {
-    let (stack, server) = get_stack_and_server(
+    } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
      &stack,
-      &user,
-      PermissionLevel::Read,
-      true,
+      user,
+      PermissionLevel::Read.logs(),
    )
    .await?;
-    periphery_client(&server)?
-      .request(GetComposeServiceLogSearch {
-        project: stack.project_name(false),
-        service,
-        terms,
-        combinator,
-        invert,
-        timestamps,
-      })
-      .await
-      .context("failed to get stack service log from periphery")
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLogSearch {
+            service,
+            terms,
+            combinator,
+            invert,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLogSearch {
+          project: stack.project_name(false),
+          services,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search stack log from periphery")?,
+    };
+
+    Ok(log)
  }
 }

-impl Resolve<ListCommonStackExtraArgs, User> for State {
+impl Resolve<ReadArgs> for InspectStackContainer {
  async fn resolve(
-    &self,
-    ListCommonStackExtraArgs { query }: ListCommonStackExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonStackExtraArgsResponse> {
-    let stacks = resource::list_full_for_user::<Stack>(query, &user)
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Container> {
+    let InspectStackContainer { stack, service } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackContainer should not be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    let services = &stack_status_cache()
+      .get(&stack.id)
      .await
-      .context("failed to get resources matching query")?;
+      .unwrap_or_default()
+      .curr
+      .services;
+
+    let Some(name) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| s.container.as_ref().map(|c| c.name.clone()))
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+
+    let res = periphery_client(&server)
+      .await?
+      .request(InspectContainer { name })
+      .await
+      .context("Failed to inspect container on server")?;
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectStackSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectStackSwarmService { stack, service } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmService should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    let services = &stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services;
+
+    let Some(service) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| {
+        s.swarm_service.as_ref().and_then(|c| c.name.clone())
+      })
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService { service },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectStackSwarmInfo {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmStack> {
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &self.stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmInfo should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: stack.project_name(false),
+      },
+    )
+    .await
+    .context("Failed to inspect stack info on swarm")
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListCommonStackExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("Failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
@@ -152,15 +361,24 @@ impl Resolve<ListCommonStackExtraArgs, User> for State {
  }
 }

-impl Resolve<ListCommonStackBuildExtraArgs, User> for State {
+impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
  async fn resolve(
-    &self,
-    ListCommonStackBuildExtraArgs { query }: ListCommonStackBuildExtraArgs,
-    user: User,
-  ) -> anyhow::Result<ListCommonStackBuildExtraArgsResponse> {
-    let stacks = resource::list_full_for_user::<Stack>(query, &user)
-      .await
-      .context("failed to get resources matching query")?;
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListCommonStackBuildExtraArgsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let stacks = resource::list_full_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await
+    .context("Failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
@@ -177,36 +395,73 @@ impl Resolve<ListCommonStackBuildExtraArgs, User> for State {
  }
 }

-impl Resolve<ListStacks, User> for State {
+impl Resolve<ReadArgs> for ListStacks {
  async fn resolve(
-    &self,
-    ListStacks { query }: ListStacks,
-    user: User,
-  ) -> anyhow::Result<Vec<StackListItem>> {
-    resource::list_for_user::<Stack>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<StackListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    let only_update_available = self.query.specific.update_available;
+    let stacks = resource::list_for_user::<Stack>(
+      self.query,
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?;
+    let stacks = if only_update_available {
+      stacks
+        .into_iter()
+        .filter(|stack| {
+          stack
+            .info
+            .services
+            .iter()
+            .any(|service| service.update_available)
+        })
+        .collect()
+    } else {
+      stacks
+    };
+    Ok(stacks)
  }
 }

-impl Resolve<ListFullStacks, User> for State {
+impl Resolve<ReadArgs> for ListFullStacks {
  async fn resolve(
-    &self,
-    ListFullStacks { query }: ListFullStacks,
-    user: User,
-  ) -> anyhow::Result<ListFullStacksResponse> {
-    resource::list_full_for_user::<Stack>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullStacksResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Stack>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetStackActionState, User> for State {
+impl Resolve<ReadArgs> for GetStackActionState {
  async fn resolve(
-    &self,
-    GetStackActionState { stack }: GetStackActionState,
-    user: User,
-  ) -> anyhow::Result<StackActionState> {
-    let stack = resource::get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<StackActionState> {
+    let stack = get_check_permissions::<Stack>(
+      &self.stack,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
@@ -219,18 +474,19 @@ impl Resolve<GetStackActionState, User> for State {
  }
 }

-impl Resolve<GetStacksSummary, User> for State {
+impl Resolve<ReadArgs> for GetStacksSummary {
  async fn resolve(
-    &self,
-    GetStacksSummary {}: GetStacksSummary,
-    user: User,
-  ) -> anyhow::Result<GetStacksSummaryResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetStacksSummaryResponse> {
    let stacks = resource::list_full_for_user::<Stack>(
      Default::default(),
-      &user,
+      user,
+      PermissionLevel::Read.into(),
+      &[],
    )
    .await
-    .context("failed to get stacks from db")?;
+    .context("Failed to get stacks from database")?;

    let mut res = GetStacksSummaryResponse::default();

@@ -243,7 +499,11 @@ impl Resolve<GetStacksSummary, User> for State {
        StackState::Running => res.running += 1,
        StackState::Stopped | StackState::Paused => res.stopped += 1,
        StackState::Down => res.down += 1,
-        StackState::Unknown => res.unknown += 1,
+        StackState::Unknown => {
+          if !stack.template {
+            res.unknown += 1
+          }
+        }
        _ => res.unhealthy += 1,
      }
    }
@@ -251,92 +511,3 @@ impl Resolve<GetStacksSummary, User> for State {
    Ok(res)
  }
 }
-
-impl Resolve<GetStackWebhooksEnabled, User> for State {
-  async fn resolve(
-    &self,
-    GetStackWebhooksEnabled { stack }: GetStackWebhooksEnabled,
-    user: User,
-  ) -> anyhow::Result<GetStackWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let stack = resource::get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
-
-    if stack.config.git_provider != "github.com"
-      || stack.config.repo.is_empty()
-    {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    }
-
-    let mut split = stack.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/stack/{}/refresh", stack.id);
-    let deploy_url =
-      format!("{host}/listener/github/stack/{}/deploy", stack.id);
-
-    let mut refresh_enabled = false;
-    let mut deploy_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == deploy_url {
-        deploy_enabled = true
-      }
-    }
-
-    Ok(GetStackWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      deploy_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/swarm.rs
+++ b/bin/core/src/api/read/swarm.rs
@@ -0,0 +1,522 @@
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    swarm::{Swarm, SwarmActionState, SwarmListItem, SwarmState},
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  helpers::{query::get_all_tags, swarm::swarm_request},
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, server_status_cache, swarm_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Swarm> {
+    Ok(
+      get_check_permissions::<Swarm>(
+        &self.swarm,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<SwarmListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullSwarmsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmActionState> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .swarm
+      .get(&swarm.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmsSummaryResponse> {
+    let swarms = resource::list_full_for_user::<Swarm>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get swarms from db")?;
+
+    let mut res = GetSwarmsSummaryResponse::default();
+
+    let cache = swarm_status_cache();
+
+    for swarm in swarms {
+      res.total += 1;
+
+      match cache
+        .get(&swarm.id)
+        .await
+        .map(|status| status.state)
+        .unwrap_or_default()
+      {
+        SwarmState::Unknown => {
+          res.unknown += 1;
+        }
+        SwarmState::Healthy => {
+          res.healthy += 1;
+        }
+        SwarmState::Unhealthy => {
+          res.unhealthy += 1;
+        }
+        SwarmState::Down => {
+          res.down += 1;
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    let inspect = cache
+      .inspect
+      .as_ref()
+      .cloned()
+      .context("SwarmInspectInfo not available")?;
+    Ok(inspect)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNodes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmNodesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.nodes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmNode {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmNodeResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmNode {
+        node: self.node,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmServicesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.services.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmServiceResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: self.service,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLog {
+        service: self.service,
+        tail: self.tail,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SearchSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLogSearch {
+        service: self.service,
+        terms: self.terms,
+        combinator: self.combinator,
+        invert: self.invert,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmTasks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmTasksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.tasks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmTask {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmTaskResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmTask {
+        task: self.task,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmSecrets {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmSecretsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.secrets.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmSecret {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmSecretResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmSecret {
+        secret: self.secret,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmConfigs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmConfigsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.configs.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmConfigResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmConfig {
+        config: self.config,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmStacksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.stacks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmStackResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: self.stack,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNetworks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    let cache = server_status_cache();
+
+    for server_id in swarm.config.server_ids {
+      let Some(status) = cache.get(&server_id).await else {
+        continue;
+      };
+      let Some(docker) = &status.docker else {
+        continue;
+      };
+      let networks = docker
+        .networks
+        .iter()
+        .filter(|network| {
+          network.driver.as_deref() == Some("overlay")
+        })
+        .cloned()
+        .collect::<Vec<_>>();
+      return Ok(networks);
+    }
+
+    Err(
+      anyhow!(
+        "Failed to retrieve swarm networks from any manager node."
+      )
+      .into(),
+    )
+  }
+}
--- a/bin/core/src/api/read/sync.rs
+++ b/bin/core/src/api/read/sync.rs
@@ -2,74 +2,94 @@ use anyhow::Context;
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
    permission::PermissionLevel,
    sync::{
      ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
-      ResourceSyncState,
    },
-    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config,
-  resource,
-  state::{
-    action_states, github_client, resource_sync_state_cache, State,
-  },
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::action_states,
 };

-impl Resolve<GetResourceSync, User> for State {
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetResourceSync {
  async fn resolve(
-    &self,
-    GetResourceSync { sync }: GetResourceSync,
-    user: User,
-  ) -> anyhow::Result<ResourceSync> {
-    resource::get_check_permissions::<ResourceSync>(
-      &sync,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ResourceSync> {
+    Ok(
+      get_check_permissions::<ResourceSync>(
+        &self.sync,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
    )
-    .await
  }
 }

-impl Resolve<ListResourceSyncs, User> for State {
+impl Resolve<ReadArgs> for ListResourceSyncs {
  async fn resolve(
-    &self,
-    ListResourceSyncs { query }: ListResourceSyncs,
-    user: User,
-  ) -> anyhow::Result<Vec<ResourceSyncListItem>> {
-    resource::list_for_user::<ResourceSync>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<ResourceSyncListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<ResourceSync>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<ListFullResourceSyncs, User> for State {
+impl Resolve<ReadArgs> for ListFullResourceSyncs {
  async fn resolve(
-    &self,
-    ListFullResourceSyncs { query }: ListFullResourceSyncs,
-    user: User,
-  ) -> anyhow::Result<ListFullResourceSyncsResponse> {
-    resource::list_full_for_user::<ResourceSync>(query, &user).await
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullResourceSyncsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<ResourceSync>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
  }
 }

-impl Resolve<GetResourceSyncActionState, User> for State {
+impl Resolve<ReadArgs> for GetResourceSyncActionState {
  async fn resolve(
-    &self,
-    GetResourceSyncActionState { sync }: GetResourceSyncActionState,
-    user: User,
-  ) -> anyhow::Result<ResourceSyncActionState> {
-    let sync = resource::get_check_permissions::<ResourceSync>(
-      &sync,
-      &user,
-      PermissionLevel::Read,
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ResourceSyncActionState> {
+    let sync = get_check_permissions::<ResourceSync>(
+      &self.sync,
+      user,
+      PermissionLevel::Read.into(),
    )
    .await?;
    let action_state = action_states()
-      .resource_sync
+      .sync
      .get(&sync.id)
      .await
      .unwrap_or_default()
@@ -78,23 +98,23 @@ impl Resolve<GetResourceSyncActionState, User> for State {
  }
 }

-impl Resolve<GetResourceSyncsSummary, User> for State {
+impl Resolve<ReadArgs> for GetResourceSyncsSummary {
  async fn resolve(
-    &self,
-    GetResourceSyncsSummary {}: GetResourceSyncsSummary,
-    user: User,
-  ) -> anyhow::Result<GetResourceSyncsSummaryResponse> {
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetResourceSyncsSummaryResponse> {
    let resource_syncs =
      resource::list_full_for_user::<ResourceSync>(
        Default::default(),
-        &user,
+        user,
+        PermissionLevel::Read.into(),
+        &[],
      )
      .await
      .context("failed to get resource_syncs from db")?;

    let mut res = GetResourceSyncsSummaryResponse::default();

-    let cache = resource_sync_state_cache();
    let action_states = action_states();

    for resource_sync in resource_syncs {
@@ -113,121 +133,20 @@ impl Resolve<GetResourceSyncsSummary, User> for State {
        res.failed += 1;
        continue;
      }
-
-      match (
-        cache.get(&resource_sync.id).await.unwrap_or_default(),
-        action_states
-          .resource_sync
-          .get(&resource_sync.id)
-          .await
-          .unwrap_or_default()
-          .get()?,
-      ) {
-        (_, action_states) if action_states.syncing => {
-          res.syncing += 1;
-        }
-        (ResourceSyncState::Ok, _) => res.ok += 1,
-        (ResourceSyncState::Failed, _) => res.failed += 1,
-        (ResourceSyncState::Unknown, _) => res.unknown += 1,
-        // will never come off the cache in the building state, since that comes from action states
-        (ResourceSyncState::Syncing, _) => {
-          unreachable!()
-        }
-        (ResourceSyncState::Pending, _) => {
-          unreachable!()
-        }
+      if action_states
+        .sync
+        .get(&resource_sync.id)
+        .await
+        .unwrap_or_default()
+        .get()?
+        .syncing
+      {
+        res.syncing += 1;
+        continue;
      }
+      res.ok += 1;
    }

    Ok(res)
  }
 }
-
-impl Resolve<GetSyncWebhooksEnabled, User> for State {
-  async fn resolve(
-    &self,
-    GetSyncWebhooksEnabled { sync }: GetSyncWebhooksEnabled,
-    user: User,
-  ) -> anyhow::Result<GetSyncWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let sync = resource::get_check_permissions::<ResourceSync>(
-      &sync,
-      &user,
-      PermissionLevel::Read,
-    )
-    .await?;
-
-    if sync.config.git_provider != "github.com"
-      || sync.config.repo.is_empty()
-    {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    }
-
-    let mut split = sync.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/sync/{}/refresh", sync.id);
-    let sync_url =
-      format!("{host}/listener/github/sync/{}/sync", sync.id);
-
-    let mut refresh_enabled = false;
-    let mut sync_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == sync_url {
-        sync_enabled = true
-      }
-    }
-
-    Ok(GetSyncWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      sync_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/tag.rs
+++ b/bin/core/src/api/read/tag.rs
@@ -1,39 +1,36 @@
 use anyhow::Context;
+use database::mongo_indexed::doc;
+use database::mungos::{
+  find::find_collect, mongodb::options::FindOptions,
+};
 use komodo_client::{
  api::read::{GetTag, ListTags},
-  entities::{tag::Tag, user::User},
+  entities::tag::Tag,
 };
-use mongo_indexed::doc;
-use mungos::{find::find_collect, mongodb::options::FindOptions};
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

-use crate::{
-  helpers::query::get_tag,
-  state::{db_client, State},
-};
+use crate::{helpers::query::get_tag, state::db_client};

-impl Resolve<GetTag, User> for State {
-  async fn resolve(
-    &self,
-    GetTag { tag }: GetTag,
-    _: User,
-  ) -> anyhow::Result<Tag> {
-    get_tag(&tag).await
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetTag {
+  async fn resolve(self, _: &ReadArgs) -> mogh_error::Result<Tag> {
+    Ok(get_tag(&self.tag).await?)
  }
 }

-impl Resolve<ListTags, User> for State {
+impl Resolve<ReadArgs> for ListTags {
  async fn resolve(
-    &self,
-    ListTags { query }: ListTags,
-    _: User,
-  ) -> anyhow::Result<Vec<Tag>> {
-    find_collect(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<Vec<Tag>> {
+    let res = find_collect(
      &db_client().tags,
-      query,
+      self.query,
      FindOptions::builder().sort(doc! { "name": 1 }).build(),
    )
    .await
-    .context("failed to get tags from db")
+    .context("failed to get tags from db")?;
+    Ok(res)
  }
 }
--- a/bin/core/src/api/read/terminal.rs
+++ b/bin/core/src/api/read/terminal.rs
@@ -0,0 +1,247 @@
+use anyhow::Context as _;
+use futures_util::{
+  FutureExt, StreamExt as _, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{ListTerminals, ListTerminalsResponse},
+  entities::{
+    deployment::Deployment,
+    permission::PermissionLevel,
+    server::Server,
+    stack::Stack,
+    terminal::{Terminal, TerminalTarget},
+    user::User,
+  },
+};
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{
+  helpers::periphery_client, permission::get_check_permissions,
+  resource,
+};
+
+use super::ReadArgs;
+
+//
+
+impl Resolve<ReadArgs> for ListTerminals {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListTerminalsResponse> {
+    let Some(target) = self.target else {
+      return list_all_terminals_for_user(user, self.use_names).await;
+    };
+    match &target {
+      TerminalTarget::Server { server } => {
+        let server = server
+          .as_ref()
+          .context("Must provide 'target.params.server'")
+          .status_code(StatusCode::BAD_REQUEST)?;
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Container { server, .. } => {
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Stack { stack, .. } => {
+        let server = get_check_permissions::<Stack>(
+          stack,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Deployment { deployment } => {
+        let server = get_check_permissions::<Deployment>(
+          deployment,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+    }
+  }
+}
+
+async fn list_all_terminals_for_user(
+  user: &User,
+  use_names: bool,
+) -> mogh_error::Result<Vec<Terminal>> {
+  let (mut servers, stacks, deployments) = tokio::try_join!(
+    resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    )
+    .map(|res| res.map(|servers| servers
+      .into_iter()
+      // true denotes user actually has permission on this Server.
+      .map(|server| (server, true))
+      .collect::<Vec<_>>())),
+    resource::list_full_for_user::<Stack>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+    resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+  )?;
+
+  // Ensure any missing servers are present to query
+  for stack in &stacks {
+    if !stack.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == stack.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&stack.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+  for deployment in &deployments {
+    if !deployment.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == deployment.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&deployment.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+
+  let mut terminals = servers
+    .into_iter()
+    .map(|(server, server_permission)| async move {
+      (
+        list_terminals_on_server(&server, None).await,
+        (server.id, server.name, server_permission),
+      )
+    })
+    .collect::<FuturesUnordered<_>>()
+    .collect::<Vec<_>>()
+    .await
+    .into_iter()
+    .flat_map(
+      |(terminals, (server_id, server_name, server_permission))| {
+        let terminals = terminals
+          .ok()?
+          .into_iter()
+          .filter_map(|mut terminal| {
+            // Only keep terminals with appropriate perms.
+            match terminal.target.clone() {
+              TerminalTarget::Server { .. } => server_permission
+                .then(|| {
+                  terminal.target = TerminalTarget::Server {
+                    server: Some(if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    }),
+                  };
+                  terminal
+                }),
+              TerminalTarget::Container { container, .. } => {
+                server_permission.then(|| {
+                  terminal.target = TerminalTarget::Container {
+                    server: if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    },
+                    container,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Stack { stack, service } => {
+                stacks.iter().find(|s| s.id == stack).map(|s| {
+                  terminal.target = TerminalTarget::Stack {
+                    stack: if use_names {
+                      s.name.clone()
+                    } else {
+                      s.id.clone()
+                    },
+                    service,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Deployment { deployment } => {
+                deployments.iter().find(|d| d.id == deployment).map(
+                  |d| {
+                    terminal.target = TerminalTarget::Deployment {
+                      deployment: if use_names {
+                        d.name.clone()
+                      } else {
+                        d.id.clone()
+                      },
+                    };
+                    terminal
+                  },
+                )
+              }
+            }
+          })
+          .collect::<Vec<_>>();
+
+        Some(terminals)
+      },
+    )
+    .flatten()
+    .collect::<Vec<_>>();
+
+  terminals.sort_by(|a, b| {
+    a.target.cmp(&b.target).then(a.name.cmp(&b.name))
+  });
+
+  Ok(terminals)
+}
+
+async fn list_terminals_on_server(
+  server: &Server,
+  target: Option<TerminalTarget>,
+) -> mogh_error::Result<Vec<Terminal>> {
+  periphery_client(server)
+    .await?
+    .request(periphery_client::api::terminal::ListTerminals {
+      target,
+    })
+    .await
+    .with_context(|| {
+      format!(
+        "Failed to get Terminal list from Server {} ({})",
+        server.name, server.id
+      )
+    })
+    .map_err(Into::into)
+}
--- a/bin/core/src/api/read/toml.rs
+++ b/bin/core/src/api/read/toml.rs
@@ -1,207 +1,346 @@
-use std::collections::HashMap;
-
 use anyhow::Context;
+use database::mungos::find::find_collect;
 use komodo_client::{
  api::read::{
    ExportAllResourcesToToml, ExportAllResourcesToTomlResponse,
    ExportResourcesToToml, ExportResourcesToTomlResponse,
-    GetUserGroup, ListUserTargetPermissions,
+    ListUserGroups,
  },
  entities::{
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
-    permission::{PermissionLevel, UserTarget},
-    procedure::Procedure,
-    repo::Repo,
-    resource::ResourceQuery,
-    server::Server,
-    server_template::ServerTemplate,
-    stack::Stack,
-    sync::ResourceSync,
-    toml::{PermissionToml, ResourcesToml, UserGroupToml},
+    ResourceTarget, action::Action, alerter::Alerter, build::Build,
+    builder::Builder, deployment::Deployment,
+    permission::PermissionLevel, procedure::Procedure, repo::Repo,
+    resource::ResourceQuery, server::Server, stack::Stack,
+    swarm::Swarm, sync::ResourceSync, toml::ResourcesToml,
    user::User,
-    ResourceTarget,
  },
 };
-use mungos::find::find_collect;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  helpers::query::{get_id_to_tags, get_user_user_group_ids},
+  helpers::query::{
+    get_all_tags, get_id_to_tags, get_user_user_group_ids,
+  },
+  permission::get_check_permissions,
  resource,
-  state::{db_client, State},
+  state::db_client,
  sync::{
-    toml::{convert_resource, ToToml, TOML_PRETTY_OPTIONS},
-    AllResourcesById,
+    toml::{ToToml, convert_resource},
+    user_groups::{convert_user_groups, user_group_to_toml},
+    variables::variable_to_toml,
  },
 };

-impl Resolve<ExportAllResourcesToToml, User> for State {
-  async fn resolve(
-    &self,
-    ExportAllResourcesToToml { tags }: ExportAllResourcesToToml,
-    user: User,
-  ) -> anyhow::Result<ExportAllResourcesToTomlResponse> {
-    let mut targets = Vec::<ResourceTarget>::new();
+use super::ReadArgs;

-    targets.extend(
-      resource::list_for_user::<Alerter>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Alerter(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Builder>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Builder(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Server>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Server(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Deployment>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Deployment(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Stack>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Stack(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Build>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Build(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Repo>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Repo(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<Procedure>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::Procedure(resource.id)),
-    );
-    targets.extend(
-      resource::list_for_user::<ServerTemplate>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      .map(|resource| ResourceTarget::ServerTemplate(resource.id)),
-    );
-    targets.extend(
-      resource::list_full_for_user::<ResourceSync>(
-        ResourceQuery::builder().tags(tags.clone()).build(),
-        &user,
-      )
-      .await?
-      .into_iter()
-      // These will already be filtered by [ExportResourcesToToml]
-      .map(|resource| ResourceTarget::ResourceSync(resource.id)),
-    );
-
-    let user_groups = if user.admin && tags.is_empty() {
-      find_collect(&db_client().user_groups, None, None)
-        .await
-        .context("failed to query db for user groups")?
-        .into_iter()
-        .map(|user_group| user_group.id)
-        .collect()
-    } else {
-      get_user_user_group_ids(&user.id).await?
-    };
-
-    self
-      .resolve(
-        ExportResourcesToToml {
-          targets,
-          user_groups,
-          include_variables: tags.is_empty(),
-        },
-        user,
-      )
-      .await
-  }
+async fn get_all_targets(
+  tags: &[String],
+  user: &User,
+) -> anyhow::Result<Vec<ResourceTarget>> {
+  let mut targets = Vec::<ResourceTarget>::new();
+  let all_tags = if tags.is_empty() {
+    vec![]
+  } else {
+    get_all_tags(None).await?
+  };
+  targets.extend(
+    resource::list_full_for_user::<Alerter>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Alerter(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Builder>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Builder(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Server>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Server(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Stack>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Stack(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Deployment>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Deployment(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Build>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Build(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Repo>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Repo(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Procedure>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Procedure(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<Action>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    .map(|resource| ResourceTarget::Action(resource.id)),
+  );
+  targets.extend(
+    resource::list_full_for_user::<ResourceSync>(
+      ResourceQuery::builder().tags(tags).build(),
+      user,
+      PermissionLevel::Read.into(),
+      &all_tags,
+    )
+    .await?
+    .into_iter()
+    // These will already be filtered by [ExportResourcesToToml]
+    .map(|resource| ResourceTarget::ResourceSync(resource.id)),
+  );
+  Ok(targets)
 }

-impl Resolve<ExportResourcesToToml, User> for State {
+impl Resolve<ReadArgs> for ExportAllResourcesToToml {
  async fn resolve(
-    &self,
+    self,
+    args: &ReadArgs,
+  ) -> mogh_error::Result<ExportAllResourcesToTomlResponse> {
+    let targets = if self.include_resources {
+      get_all_targets(&self.tags, &args.user).await?
+    } else {
+      Vec::new()
+    };
+
+    let user_groups = if self.include_user_groups {
+      if args.user.admin {
+        find_collect(&db_client().user_groups, None, None)
+          .await
+          .context("failed to query db for user groups")?
+          .into_iter()
+          .map(|user_group| user_group.id)
+          .collect()
+      } else {
+        get_user_user_group_ids(&args.user.id).await?
+      }
+    } else {
+      Vec::new()
+    };
+
    ExportResourcesToToml {
+      targets,
+      user_groups,
+      include_variables: self.include_variables,
+    }
+    .resolve(args)
+    .await
+  }
+}
+
+impl Resolve<ReadArgs> for ExportResourcesToToml {
+  async fn resolve(
+    self,
+    args: &ReadArgs,
+  ) -> mogh_error::Result<ExportResourcesToTomlResponse> {
+    let ExportResourcesToToml {
      targets,
      user_groups,
      include_variables,
-    }: ExportResourcesToToml,
-    user: User,
-  ) -> anyhow::Result<ExportResourcesToTomlResponse> {
+    } = self;
    let mut res = ResourcesToml::default();
-    let all = AllResourcesById::load().await?;
    let id_to_tags = get_id_to_tags(None).await?;
+    let ReadArgs { user } = args;
    for target in targets {
      match target {
-        ResourceTarget::Alerter(id) => {
-          let alerter = resource::get_check_permissions::<Alerter>(
+        ResourceTarget::Swarm(id) => {
+          let mut swarm = get_check_permissions::<Swarm>(
            &id,
-            &user,
-            PermissionLevel::Read,
+            user,
+            PermissionLevel::Read.into(),
          )
          .await?;
-          res.alerters.push(convert_resource::<Alerter>(
-            alerter,
+          Swarm::replace_ids(&mut swarm);
+          res.swarms.push(convert_resource::<Swarm>(
+            swarm,
            false,
            vec![],
            &id_to_tags,
          ))
        }
-        ResourceTarget::ResourceSync(id) => {
-          let sync = resource::get_check_permissions::<ResourceSync>(
+        ResourceTarget::Server(id) => {
+          let mut server = get_check_permissions::<Server>(
            &id,
-            &user,
-            PermissionLevel::Read,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Server::replace_ids(&mut server);
+          res.servers.push(convert_resource::<Server>(
+            server,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Stack(id) => {
+          let mut stack = get_check_permissions::<Stack>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Stack::replace_ids(&mut stack);
+          res.stacks.push(convert_resource::<Stack>(
+            stack,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Deployment(id) => {
+          let mut deployment = get_check_permissions::<Deployment>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Deployment::replace_ids(&mut deployment);
+          res.deployments.push(convert_resource::<Deployment>(
+            deployment,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Build(id) => {
+          let mut build = get_check_permissions::<Build>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Build::replace_ids(&mut build);
+          res.builds.push(convert_resource::<Build>(
+            build,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Repo(id) => {
+          let mut repo = get_check_permissions::<Repo>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Repo::replace_ids(&mut repo);
+          res.repos.push(convert_resource::<Repo>(
+            repo,
+            false,
+            vec![],
+            &id_to_tags,
+          ))
+        }
+        ResourceTarget::Procedure(id) => {
+          let mut procedure = get_check_permissions::<Procedure>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Procedure::replace_ids(&mut procedure);
+          res.procedures.push(convert_resource::<Procedure>(
+            procedure,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
+        ResourceTarget::Action(id) => {
+          let mut action = get_check_permissions::<Action>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Action::replace_ids(&mut action);
+          res.actions.push(convert_resource::<Action>(
+            action,
+            false,
+            vec![],
+            &id_to_tags,
+          ));
+        }
+        ResourceTarget::ResourceSync(id) => {
+          let mut sync = get_check_permissions::<ResourceSync>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
          )
          .await?;
          if sync.config.file_contents.is_empty()
            && (sync.config.files_on_host
-              || !sync.config.repo.is_empty())
+              || !sync.config.repo.is_empty()
+              || !sync.config.linked_repo.is_empty())
          {
+            ResourceSync::replace_ids(&mut sync);
            res.resource_syncs.push(convert_resource::<ResourceSync>(
              sync,
              false,
@@ -210,45 +349,14 @@ impl Resolve<ExportResourcesToToml, User> for State {
            ))
          }
        }
-        ResourceTarget::ServerTemplate(id) => {
-          let template = resource::get_check_permissions::<
-            ServerTemplate,
-          >(
-            &id, &user, PermissionLevel::Read
-          )
-          .await?;
-          res.server_templates.push(
-            convert_resource::<ServerTemplate>(
-              template,
-              false,
-              vec![],
-              &id_to_tags,
-            ),
-          )
-        }
-        ResourceTarget::Server(id) => {
-          let server = resource::get_check_permissions::<Server>(
-            &id,
-            &user,
-            PermissionLevel::Read,
-          )
-          .await?;
-          res.servers.push(convert_resource::<Server>(
-            server,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
        ResourceTarget::Builder(id) => {
-          let mut builder =
-            resource::get_check_permissions::<Builder>(
-              &id,
-              &user,
-              PermissionLevel::Read,
-            )
-            .await?;
-          Builder::replace_ids(&mut builder, &all);
+          let mut builder = get_check_permissions::<Builder>(
+            &id,
+            user,
+            PermissionLevel::Read.into(),
+          )
+          .await?;
+          Builder::replace_ids(&mut builder);
          res.builders.push(convert_resource::<Builder>(
            builder,
            false,
@@ -256,86 +364,26 @@ impl Resolve<ExportResourcesToToml, User> for State {
            &id_to_tags,
          ))
        }
-        ResourceTarget::Build(id) => {
-          let mut build = resource::get_check_permissions::<Build>(
+        ResourceTarget::Alerter(id) => {
+          let mut alerter = get_check_permissions::<Alerter>(
            &id,
-            &user,
-            PermissionLevel::Read,
+            user,
+            PermissionLevel::Read.into(),
          )
          .await?;
-          Build::replace_ids(&mut build, &all);
-          res.builds.push(convert_resource::<Build>(
-            build,
+          Alerter::replace_ids(&mut alerter);
+          res.alerters.push(convert_resource::<Alerter>(
+            alerter,
            false,
            vec![],
            &id_to_tags,
          ))
        }
-        ResourceTarget::Deployment(id) => {
-          let mut deployment = resource::get_check_permissions::<
-            Deployment,
-          >(
-            &id, &user, PermissionLevel::Read
-          )
-          .await?;
-          Deployment::replace_ids(&mut deployment, &all);
-          res.deployments.push(convert_resource::<Deployment>(
-            deployment,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Repo(id) => {
-          let mut repo = resource::get_check_permissions::<Repo>(
-            &id,
-            &user,
-            PermissionLevel::Read,
-          )
-          .await?;
-          Repo::replace_ids(&mut repo, &all);
-          res.repos.push(convert_resource::<Repo>(
-            repo,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Stack(id) => {
-          let mut stack = resource::get_check_permissions::<Stack>(
-            &id,
-            &user,
-            PermissionLevel::Read,
-          )
-          .await?;
-          Stack::replace_ids(&mut stack, &all);
-          res.stacks.push(convert_resource::<Stack>(
-            stack,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Procedure(id) => {
-          let mut procedure = resource::get_check_permissions::<
-            Procedure,
-          >(
-            &id, &user, PermissionLevel::Read
-          )
-          .await?;
-          Procedure::replace_ids(&mut procedure, &all);
-          res.procedures.push(convert_resource::<Procedure>(
-            procedure,
-            false,
-            vec![],
-            &id_to_tags,
-          ));
-        }
        ResourceTarget::System(_) => continue,
      };
    }

-    add_user_groups(user_groups, &mut res, &all, &user)
+    add_user_groups(user_groups, &mut res, args)
      .await
      .context("failed to add user groups")?;

@@ -364,125 +412,20 @@ impl Resolve<ExportResourcesToToml, User> for State {
 async fn add_user_groups(
  user_groups: Vec<String>,
  res: &mut ResourcesToml,
-  all: &AllResourcesById,
-  user: &User,
+  args: &ReadArgs,
 ) -> anyhow::Result<()> {
-  let db = db_client();
-
-  let usernames = find_collect(&db.users, None, None)
-    .await?
+  let user_groups = ListUserGroups {}
+    .resolve(args)
+    .await
+    .map_err(|e| e.error)?
    .into_iter()
-    .map(|user| (user.id, user.username))
-    .collect::<HashMap<_, _>>();
-
-  for user_group in user_groups {
-    let ug = State
-      .resolve(GetUserGroup { user_group }, user.clone())
-      .await?;
-    // this method is admin only, but we already know user can see user group if above does not return Err
-    let permissions = State
-      .resolve(
-        ListUserTargetPermissions {
-          user_target: UserTarget::UserGroup(ug.id),
-        },
-        User {
-          admin: true,
-          ..Default::default()
-        },
-      )
-      .await?
-      .into_iter()
-      .map(|mut permission| {
-        match &mut permission.resource_target {
-          ResourceTarget::Build(id) => {
-            *id = all
-              .builds
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Builder(id) => {
-            *id = all
-              .builders
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Deployment(id) => {
-            *id = all
-              .deployments
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Server(id) => {
-            *id = all
-              .servers
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Repo(id) => {
-            *id = all
-              .repos
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Alerter(id) => {
-            *id = all
-              .alerters
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Procedure(id) => {
-            *id = all
-              .procedures
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ServerTemplate(id) => {
-            *id = all
-              .templates
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::ResourceSync(id) => {
-            *id = all
-              .syncs
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::Stack(id) => {
-            *id = all
-              .stacks
-              .get(id)
-              .map(|r| r.name.clone())
-              .unwrap_or_default()
-          }
-          ResourceTarget::System(_) => {}
-        }
-        PermissionToml {
-          target: permission.resource_target,
-          level: permission.level,
-        }
-      })
-      .collect();
-    res.user_groups.push(UserGroupToml {
-      name: ug.name,
-      users: ug
-        .users
-        .into_iter()
-        .filter_map(|user_id| usernames.get(&user_id).cloned())
-        .collect(),
-      all: ug.all,
-      permissions,
+    .filter(|ug| {
+      user_groups.contains(&ug.name) || user_groups.contains(&ug.id)
    });
-  }
+  let mut ug = Vec::with_capacity(user_groups.size_hint().0);
+  convert_user_groups(user_groups, &mut ug).await?;
+  res.user_groups = ug.into_iter().map(|ug| ug.1).collect();
+
  Ok(())
 }

@@ -539,6 +482,14 @@ fn serialize_resources_toml(
    Procedure::push_to_toml_string(procedure, &mut toml)?;
  }

+  for action in resources.actions {
+    if !toml.is_empty() {
+      toml.push_str("\n\n##\n\n");
+    }
+    toml.push_str("[[action]]\n");
+    Action::push_to_toml_string(action, &mut toml)?;
+  }
+
  for alerter in resources.alerters {
    if !toml.is_empty() {
      toml.push_str("\n\n##\n\n");
@@ -555,14 +506,6 @@ fn serialize_resources_toml(
    Builder::push_to_toml_string(builder, &mut toml)?;
  }

-  for server_template in resources.server_templates {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[server_template]]\n");
-    ServerTemplate::push_to_toml_string(server_template, &mut toml)?;
-  }
-
  for resource_sync in resources.resource_syncs {
    if !toml.is_empty() {
      toml.push_str("\n\n##\n\n");
@@ -575,22 +518,14 @@ fn serialize_resources_toml(
    if !toml.is_empty() {
      toml.push_str("\n\n##\n\n");
    }
-    toml.push_str("[[variable]]\n");
-    toml.push_str(
-      &toml_pretty::to_string(variable, TOML_PRETTY_OPTIONS)
-        .context("failed to serialize variables to toml")?,
-    );
+    toml.push_str(&variable_to_toml(variable)?);
  }

-  for user_group in &resources.user_groups {
+  for user_group in resources.user_groups {
    if !toml.is_empty() {
      toml.push_str("\n\n##\n\n");
    }
-    toml.push_str("[[user_group]]\n");
-    toml.push_str(
-      &toml_pretty::to_string(user_group, TOML_PRETTY_OPTIONS)
-        .context("failed to serialize user_groups to toml")?,
-    );
+    toml.push_str(&user_group_to_toml(user_group)?);
  }

  Ok(toml)
--- a/bin/core/src/api/read/update.rs
+++ b/bin/core/src/api/read/update.rs
@@ -1,168 +1,39 @@
 use std::collections::HashMap;

-use anyhow::{anyhow, Context};
-use komodo_client::{
-  api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
-  entities::{
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
-    permission::PermissionLevel,
-    procedure::Procedure,
-    repo::Repo,
-    server::Server,
-    server_template::ServerTemplate,
-    stack::Stack,
-    sync::ResourceSync,
-    update::{Update, UpdateListItem},
-    user::User,
-    ResourceTarget,
-  },
-};
-use mungos::{
+use anyhow::Context;
+use database::mungos::{
  by_id::find_one_by_id,
  find::find_collect,
  mongodb::{bson::doc, options::FindOptions},
 };
-use resolver_api::Resolve;
+use komodo_client::{
+  api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
+  entities::{
+    permission::PermissionLevel,
+    update::{Update, UpdateListItem},
+    user::User,
+  },
+};
+use mogh_resolver::Resolve;

 use crate::{
  config::core_config,
-  resource,
-  state::{db_client, State},
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
+  state::db_client,
 };

+use super::ReadArgs;
+
 const UPDATES_PER_PAGE: i64 = 100;

-impl Resolve<ListUpdates, User> for State {
+impl Resolve<ReadArgs> for ListUpdates {
  async fn resolve(
-    &self,
-    ListUpdates { query, page }: ListUpdates,
-    user: User,
-  ) -> anyhow::Result<ListUpdatesResponse> {
-    let query = if user.admin || core_config().transparent_mode {
-      query
-    } else {
-      let server_query =
-        resource::get_resource_ids_for_user::<Server>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Server", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Server" });
-
-      let deployment_query =
-        resource::get_resource_ids_for_user::<Deployment>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Deployment", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Deployment" });
-
-      let stack_query =
-        resource::get_resource_ids_for_user::<Stack>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Stack", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Stack" });
-
-      let build_query =
-        resource::get_resource_ids_for_user::<Build>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Build", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Build" });
-
-      let repo_query =
-        resource::get_resource_ids_for_user::<Repo>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Repo", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Repo" });
-
-      let procedure_query =
-        resource::get_resource_ids_for_user::<Procedure>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Procedure", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Procedure" });
-
-      let builder_query =
-        resource::get_resource_ids_for_user::<Builder>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Builder", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Builder" });
-
-      let alerter_query =
-        resource::get_resource_ids_for_user::<Alerter>(&user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Alerter", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Alerter" });
-
-      let server_template_query = resource::get_resource_ids_for_user::<ServerTemplate>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ServerTemplate", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ServerTemplate" });
-
-      let resource_sync_query = resource::get_resource_ids_for_user::<ResourceSync>(
-        &user,
-      )
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ResourceSync", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
-
-      let mut query = query.unwrap_or_default();
-      query.extend(doc! {
-        "$or": [
-          server_query,
-          deployment_query,
-          stack_query,
-          build_query,
-          repo_query,
-          procedure_query,
-          alerter_query,
-          builder_query,
-          server_template_query,
-          resource_sync_query,
-        ]
-      });
-      query.into()
-    };
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListUpdatesResponse> {
+    let query = user_resource_target_query(user, self.query).await?;

    let usernames = find_collect(&db_client().users, None, None)
      .await
@@ -176,7 +47,7 @@ impl Resolve<ListUpdates, User> for State {
      query,
      FindOptions::builder()
        .sort(doc! { "start_ts": -1 })
-        .skip(page as u64 * UPDATES_PER_PAGE as u64)
+        .skip(self.page as u64 * UPDATES_PER_PAGE as u64)
        .limit(UPDATES_PER_PAGE)
        .build(),
    )
@@ -208,7 +79,7 @@ impl Resolve<ListUpdates, User> for State {
    .collect::<Vec<_>>();

    let next_page = if updates.len() == UPDATES_PER_PAGE as usize {
-      Some(page + 1)
+      Some(self.page + 1)
    } else {
      None
    };
@@ -217,106 +88,24 @@ impl Resolve<ListUpdates, User> for State {
  }
 }

-impl Resolve<GetUpdate, User> for State {
+impl Resolve<ReadArgs> for GetUpdate {
  async fn resolve(
-    &self,
-    GetUpdate { id }: GetUpdate,
-    user: User,
-  ) -> anyhow::Result<Update> {
-    let update = find_one_by_id(&db_client().updates, &id)
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Update> {
+    let update = find_one_by_id(&db_client().updates, &self.id)
      .await
      .context("failed to query to db")?
      .context("no update exists with given id")?;
    if user.admin || core_config().transparent_mode {
      return Ok(update);
    }
-    match &update.target {
-      ResourceTarget::System(_) => {
-        return Err(anyhow!(
-          "user must be admin to view system updates"
-        ))
-      }
-      ResourceTarget::Server(id) => {
-        resource::get_check_permissions::<Server>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Deployment(id) => {
-        resource::get_check_permissions::<Deployment>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Build(id) => {
-        resource::get_check_permissions::<Build>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Repo(id) => {
-        resource::get_check_permissions::<Repo>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Builder(id) => {
-        resource::get_check_permissions::<Builder>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        resource::get_check_permissions::<Alerter>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Procedure(id) => {
-        resource::get_check_permissions::<Procedure>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::ServerTemplate(id) => {
-        resource::get_check_permissions::<ServerTemplate>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::ResourceSync(id) => {
-        resource::get_check_permissions::<ResourceSync>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-      ResourceTarget::Stack(id) => {
-        resource::get_check_permissions::<Stack>(
-          id,
-          &user,
-          PermissionLevel::Read,
-        )
-        .await?;
-      }
-    }
+    check_user_target_access(
+      &update.target,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
    Ok(update)
  }
 }
--- a/Show More
+++ b/Show More