2.0.0 (#889 )

* modularize openapi structs * most of execute openapi * server / stack exec openapi * most of write openapi * more write openapi * add the write openapi definitions * fmt and bump mogh auth * gen types * remove user api, mogh auth handles api keys * clean up * cache latest image digests and use this for image update alerting / auto update * deploy 2.0.0-dev-108 * deploy 2.0.0-dev-109 * add back legacy Action "exec" method calling convention * typegen * improve config quick links styling * improve config styling a bit more * deploy 2.0.0-dev-110 * finish version upgrades page, and use prism theme oneLight and oneDark * stack level terminal page * fix Action import from terminal * clean up dangling action api keys on startup * improve swarm service / stack state inference * deploy 2.0.0-dev-111 * add api docs link * bump ts types and fix SwarmConfig type name conflict * use mogh auth for passkey conversion * align dashboard icon with sidebar * bump frontend node version * bump node version in all the dockerfiles * fix tailwind config module * fix require to import * skip auto update for images with pinned digest * dev 112 * cleanup * batch check for updates, add check to table multi select actions * dev-113 * mogh_server = "1.2.0" * serve static ui index.html with ETag / no-cache * check update available against all digests for image * deploy 2.0.0-dev-114 * bump rust to 1.93.0 * bump mogh server and auth * configure session allow cross site * deploy 2.0.0-dev-115 * add new config value to example config * Stack check for update prefers check against deployed service image * deploy 2.0.0-dev-116 * only send auto updated alert after verifying the deploy was successful * 2.0.0 UI (#1220) * new ui using mantine * resources page * prog on resource page * resources and resource layouts * confirm button and modal * tweaks * update details * topbar updates * add skeletons for resource implementations * add resource tables * add tags to recents cards * resource page table scrolling * table component + tags filter * export toml * New Resource button * Fix update details capture closing * tweaks * omni search * refine config * config tweaks * implement more configs / resource selector * add profile page * provider / account selectors * container table page * build config * deployment config * fix deployment build version selector * fix secrets selector * resource sync config * mobile topbar and updates * update details fz sm * stack config * terminals page * create terminal in prog * create terminal menu * finish create terminal menu * terminal pages working * stack tabs / info * add executions * add server header info * confirm pubkey modal * improve resource header styling * FileSource component * stack service table, move icons.ts * basic procedure config * tweak procedure config * container / image pages * network / volume pages * clean up docker resource pages * basic log / terminal ui * reusable log section * styling * clean up resource components * delete in resource header * log auto select stderr * fix some bgs * stack logs with service selector * stack terminals * add deployment executions * use correct icon * useResource hooks * build info * build info * tweaks * server tabs * fix terminal section target * prog on server tabs * server stats * light theme * start on historical stats * stack service page * resource sync tabs * sync tabs * more topbar icons * add settings basic * add topbar alerts * tweak stream selector behavior * tweak alert icon topbar * improve styling smaller screen * schedules page and other progress * onboarding keys * improve schedule page descriptions * improve update notifications * schedule timezone selector * tag color selector * finish settings / providers * use shared-text-update component so settings tables aren't janky * updates page * refine updates page * alert page * standardize borders * theme and swarm * swarm tabs * swarm node page * swarm config page * swarm pages * swarm task and secret pages * swarm stack page * fix stack log service selector in swarm mode * standard inspect section * swarm inspect tab * server and swarm resources tab * add disable confirm dialog (modal) option for executions * stack update available indicator * deployment update available * add template switch to resource headers * ResourceHeader + rename * set editing name onclick * repo tabs * server stats table * refine a bit * refine deployment / stack header info * show server stats dashboard. dashboard tables * action last run in config * SettingsUsers page * user page etc * manage api key * user base permissions * color the table multi select * user group page * UserAddUserGroup * active includes deployments / stacks * improve small screen view * fix docker pages execution showing * clean up * rename frontend to UI * align profile page styling * config maintenance windows * finish maintenance windows * builder config * add batch execute dropdown / confirm menu * batch execute styling * deploy 2.0.0-dev-117 * improve stats card light theme * add update page * improve mobile * terminal group nowrap * mobile improvements * allow unused again * improve mobile font sizing * improve mobile updates / alerts * mobile tabs * alert page * add server version mismatch color * new resource, clearable selector * Fix build show info tab * copy resources * keyboard shortcuts * server resource header version mismatch * fix type errors * container page server multi select * confirm button clear timeout * hash compare force uses first 8 for short hash * fix log height * copy webhooks * responsive tweaks * add icons to server stat sections * add historical server stats charts * server stat current card shows usage numbers * refine current stats more * fix shortcuts interfering with monaco brave * clean up unused * remove v1 frontend * bump rust version to 1.93.1 and dep versions * deploy 2.0.0-dev-118 * bump chef rust version * improve login no auth configured and passkey pending * Load Average is first historical stat * procedure / action webhook branch mobile style * dashboard active styling * hide actions when none * Select Template * execution buttons disabled when loading * Fix config input issue * improve tab styling * rename ConfigSwitch onChange -> onCheckedChange * ensure section headers consistent spacing * edit swarm join command * fix batch executions width * stack stopped and deployment exited warning instead of critical * smaller more consistent gaps * add close button to update / alert details drawer * stack and deployment state color include update available. Ensure server version mismatch color applied everywhere * deploy 2.0.0-dev-120 * topbar user dropdown shows user avatar if available * post link redirect should be to profile * deploy 2.0.0-dev-121 * improve profile delete styling * standard api key modal size * improve login styling * fix login github / google icon color * fix some wrapping stuff in tables and tag text disappear * fix terminal height - same as logs * single delete terminal * Update / Alert table filter selector formatted * tweaks for lg size * taller data table and blue omnisearch * refine lg screen size view * fix sidebar margin right * "never" -> "Never" * Add hoverable disk info * improve disk usage hover card styling * rename for clarity * thinner topbar * config sidebar save * setters use maps instead of mutations * notification green contents written success * fmt * read request are trace * deploy 2.0.0-dev-122 * debug level core <> periphery auth identifiers logs * mogh auth server 1.2.10 * mogh auth 1.2.11 * deploy 2.0.0-dev-123 * Deploy / DeployStack updates invalidate corresponding list query * confirm action / save modals don't need ConfirmButton * deploy 2.0.0-dev-124 * proper base64url decode * fix init admin user * improve mobile friendly tabs width, and onboardng key copy * rename resource invalidates * better maxheight for mobile friendly tabs * km cli needs to install crypto provider for tls ws * better responsive confirm save width * confirm modal better responsiveness * Fix api key modal too thin * better api key create * improve batch execs * improve tabs * sidebar more compact * add missing Repo header Info * Fix Pull repo * fix repo Links config * improve procedure config UI including run stack service * improve deployment network, restart, termination signal config * fix confirm update showing entries which have not changed * example execute terminal uses bash * Update deployments description * move build server * [Docs] Update connect-servers.mdx (#1256) * Update connect-servers.mdx * Update connect-servers.mdx * clean up connect servers * feat(ci): build (#1018) * fmt * fix: more verbose logging (#1017) * use .with_context for stack run directory canonicalize log * fix failing doc test * Improve server resource header hover info * service selector support swarm stack icon * fix stack terminals sometimes not disabled when it should be * add terminal create and delete messages * bump packages and add Mogh Tech copyright * revamp docsite * soften the borders * clean up stack config * fix config group header too much gap * procedure stage menu easier to reach * deploy 2.0.0-dev-125 * increase universal resource polling * improve server stats * fix data table * down node is critical * cli add print core info * add docker swarm feature card * improve toml resource repetition using macros, and fix Swarm toml support * swarm config: configure alerting options * add swarm header info * Implement New Swarm Config and New Swarm Secret * brighten tag colors * continue docs revamp * fmt * set more refetch intervals to keep display data fresh * fix copy not showing copy source when there are no templates * rename onboarding key fix_existing_servers to privileged * fix Privileged spelling * fmt * more docs improvement * improve docs intro * update the curl instructions with easier call method * fix clippy lints * refresh the server cache after every server connection successful login * deploy 2.0.0-dev-126 * add polling to dashboard summary data * tweak tag opacity * improve server stat table disk hover * fix change historical stat length collapse stats * KOMODO_DISABLE_INIT_RESOURCES * stack Project Missing should be red * Fix files on host stacks showing down after reboot until refresh cache * silence user level write logs SetLastSeenUpdate and PushRecentlyViewed * See the v2 migration guide * Improve api logging using more fields * deploy 2.0.0-dev-127 * cli create api key on database, can use with docker exec into core container * deploy 2.0.0-dev-128 * advanced km create api-key options * create onboarding key with cli * tweak * onboarding keys use tag name * deploy 2.0.0-dev-129 * stack procedure stages can select specific services to apply to (default all services) * docsite dockerfile * ./docusaurus.config.ts * need to yarn build * fix broken link * improve alert (dropdown) icons * fix docs sidebar collapse * add local search functionality * docs search nice * homepage features navigate to docs * only show build cancel when canCancel * more confirm button confirmprops red * fix docsite buttons and list more features * fix sidebar cmd click opens in new tab (is a link) * execute withBorder * cleaner execute section * swap docker compose and deploy containers * make docs logo align with app * better mobile button layout * linked logins / 2fa confirm red styling * bump rust version to 1.94.0 * move bollard::secret to bollard::config * deploy 2.0.0-dev-130 * feat: add compose_cmd_wrapper_include for selective command wrapping (#1124) - Add compose_cmd_wrapper_include field to StackConfig. - Fix wrapper placeholder text not displaying in MonacoEditor. * align configuration by removing bold label stuff * confirm update monaco readonly * dockerfile binaries / ui images default to :2 * fmt * refresh server cache lint * fmt * disabling send alerts should also disable in UI * clean up disabled alerting * deploy 2.0.0-dev-131 * mogh_pki 1.1.3 safer copy from slice * fix dev container issues on 2.0.0 (#1238) * fix node version and yarn build in dev container * ensure keys directories exist and are writable in dev container * update dev container image (necessary to fix compiler error) * fix CORS error in dev container * more dev container fixes KOMODO_SESSION_ALLOW_CROSS_SITE: true needed to properly run on Firefox * fix devcontainer port * update config pages to use "Webhooks" consistently and fix acronym casing (#1239) Co-authored-by: Maxwell Becker <49575486+mbecker20@users.noreply.github.com> * update local dev setup instructions (#1240) * example mongo deploy dev * check binary URL (#1116) * install script improve failed download binary log * align cli installer with periphery installer * improve terminal page create experience * deploy 2.0.0-dev-132 * improve mobile updates with full size query * fix some internal table wrapping * fix schedule expression examples * Add swarm updates / alerts filter * filter by update available uses location hash instead of localstorage * sync commit preserve meta "deploy" and "after" * UI fixes and tweaks * deploy 2.0.0-dev-133 * add error to warn log * Stack / deployment should inherit specific Swarm permissions * Fix inline span formatting (used in logs / errors) * refactor resource sync pending deploy for better display * deploy 2.0.0-dev-134 * improve terminal error handling * deploy 2.0.0-dev-135 * dedicated docs page for v2 * warning about failing to include init: true * Limit Periphery IPs in Advanced config * refine setup guide * 2.0.0 --------- Co-authored-by: Shlee <github@shl.ee> Co-authored-by: Yujia Qiao <code@rapiz.me> Co-authored-by: ChanningHe <52875777+ChanningHe@users.noreply.github.com> Co-authored-by: Steven Loria <sloria1@pm.me> Co-authored-by: Andreas Brett <andreasbrett@users.noreply.github.com>
1.19.5 (#846 )
2026-03-24 17:40:10 -05:00 · 2026-03-24 05:50:10 -07:00 · 2025-09-27 13:29:16 -07:00 · 2025-09-14 14:05:43 -07:00 · 2025-09-14 12:32:58 -07:00 · 2025-09-14 12:32:06 -07:00
1082 changed files with 104582 additions and 62014 deletions
--- a/.devcontainer/dev.compose.yaml
+++ b/.devcontainer/dev.compose.yaml
@@ -1,6 +1,6 @@
 services:
  dev:
-    image: mcr.microsoft.com/devcontainers/rust:1-1-bullseye
+    image: mcr.microsoft.com/devcontainers/rust:1-bookworm 
    volumes:
      # Mount the root folder that contains .git
      - ../:/workspace:cached
@@ -10,13 +10,19 @@ services:
      - stacks:/etc/komodo/stacks
    command: sleep infinity
    ports:
-      - "9121:9121"
+      - "9120:9120"
    environment:
+      KOMODO_HOST: http://localhost:9120
      KOMODO_FIRST_SERVER: http://localhost:8120
      KOMODO_DATABASE_ADDRESS: db
      KOMODO_ENABLE_NEW_USERS: true
      KOMODO_LOCAL_AUTH: true
      KOMODO_JWT_SECRET: a_random_secret
+      VITE_KOMODO_HOST: http://localhost:9120
+      KOMODO_CORS_ALLOWED_ORIGINS: http://localhost:5173
+      KOMODO_CORS_ALLOW_CREDENTIALS: true
+      PERIPHERY_SSL_ENABLED: false
+      KOMODO_SESSION_ALLOW_CROSS_SITE: true
    links:
      - db
    # ...
@@ -30,4 +36,4 @@ volumes:
  data:
  repo-cache:
  repos:
-  stacks:
+  stacks:
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -10,7 +10,7 @@
 	// Features to add to the dev container. More info: https://containers.dev/features.
 	"features": {
 		"ghcr.io/devcontainers/features/node:1": {
-			"version": "20.12.2"
+			"version": "22.12.0" 
 		},
 		"ghcr.io/devcontainers-community/features/deno:1": {

@@ -28,7 +28,8 @@

 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	"forwardPorts": [
-		9121
+		5173,
+		9120
 	],

 	// Use 'postCreateCommand' to run commands after the container is created.
@@ -36,11 +37,16 @@

 	"runServices": [
 		"db"
-	]
+	],

 	// Configure tool-specific properties.
 	// "customizations": {},

 	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
 	// "remoteUser": "root"
+	
+	 "remoteEnv": {
+		// Avoid out of memory error when running `yarn build`
+		"NODE_OPTIONS": "--max-old-space-size=4096"
+	}
 }
--- a/.devcontainer/postCreate.sh
+++ b/.devcontainer/postCreate.sh
@@ -1,3 +1,9 @@
 #!/bin/sh

-cargo install typeshare-cli
+cargo install typeshare-cli
+
+sudo mkdir -p /etc/komodo/keys
+sudo chown -R $(whoami) /etc/komodo
+
+sudo mkdir -p /config/keys
+sudo chown -R $(whoami) /config
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,56 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    name: Build & Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
+
+      - name: Build
+        run: cargo build --verbose
+
+      - name: Run tests
+        run: cargo test --verbose
+
+  fmt:
+    name: Format
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          components: rustfmt
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
--- a/.gitignore
+++ b/.gitignore
@@ -6,8 +6,4 @@ deno.lock
 .env.development
 .DS_Store
 .idea
-
-/frontend/build
-/lib/ts_client/build
-
 .dev
--- a/.vscode/resolver.code-snippets
+++ b/.vscode/resolver.code-snippets
@@ -3,8 +3,8 @@
 		"scope": "rust",
 		"prefix": "resolve",
 		"body": [
-			"impl Resolve<${1}, User> for State {",
-			"\tasync fn resolve(&self, ${1} { ${0} }: ${1}, _: User) -> anyhow::Result<${2}> {",
+			"impl Resolve<${0}> for ${1} {",
+			"\tasync fn resolve(self, _: &${0}) -> Result<Self::Response, Self::Error> {",
 			"\t\ttodo!()",
 			"\t}",
 			"}"
@@ -15,9 +15,9 @@
 		"prefix": "static",
 		"body": [
 			"fn ${1}() -> &'static ${2} {",
-			"\tstatic ${3}: OnceLock<${2}> = OnceLock::new();",
-			"\t${3}.get_or_init(|| {",
-			"\t\t${0}",
+			"\tstatic ${0}: OnceLock<${2}> = OnceLock::new();",
+			"\t${0}.get_or_init(|| {",
+			"\t\ttodo!()",
 			"\t})",
 			"}"
 		]
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -106,62 +106,62 @@
            "problemMatcher": []
        },
        {
-            "label": "Init Frontend Client",
+            "label": "Init UI Client",
            "type": "shell",
            "command": "yarn link komodo_client && yarn install",
            "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
            },
            "problemMatcher": []
        },
        {
-            "label": "Init Frontend",
+            "label": "Init UI",
            "dependsOn": [
                "Build TS Client Types",
                "Init TS Client",
-                "Init Frontend Client"
+                "Init UI Client"
            ],
            "dependsOrder": "sequence",
            "problemMatcher": []
        },
        {
-            "label": "Build Frontend",
+            "label": "Build UI",
            "type": "shell",
            "command": "yarn build",
            "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
            },
            "problemMatcher": []
        },
        {
-            "label": "Prepare Frontend For Run",
+            "label": "Prepare UI For Run",
            "type": "shell",
-            "command": "cp -r ./client/core/ts/dist/. frontend/public/client/.",
+            "command": "cp -r ./client/core/ts/dist/. ui/public/client/.",
            "options": {
                "cwd": "${workspaceFolder}",
            },
            "dependsOn": [
                "Build TS Client Types",
-                "Build Frontend"
+                "Build UI"
            ],
            "dependsOrder": "sequence",
            "problemMatcher": []
        },
        {
-            "label": "Run Frontend",
+            "label": "Run UI",
            "type": "shell",
            "command": "yarn dev",
            "options": {
-                "cwd": "${workspaceFolder}/frontend",
+                "cwd": "${workspaceFolder}/ui",
            },
-            "dependsOn": ["Prepare Frontend For Run"],
+            "dependsOn": ["Prepare UI For Run"],
            "problemMatcher": []
        },
        {
            "label": "Init",
            "dependsOn": [
                "Build Backend",
-                "Init Frontend"
+                "Init UI"
            ],
            "dependsOrder": "sequence",
            "problemMatcher": []
@@ -171,7 +171,7 @@
            "dependsOn": [
                "Run Core",
                "Run Periphery",
-                "Run Frontend"
+                "Run UI"
            ],
            "problemMatcher": []
        },
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,128 +8,131 @@ members = [
 ]

 [workspace.package]
-version = "1.19.0"
+version = "2.0.0"
 edition = "2024"
 authors = ["mbecker20 <becker.maxh@gmail.com>"]
 license = "GPL-3.0-or-later"
 repository = "https://github.com/moghtech/komodo"
 homepage = "https://komo.do"

+[profile.release]
+strip = "debuginfo"
+
 [workspace.dependencies]
 # LOCAL
 komodo_client = { path = "client/core/rs" }
 periphery_client = { path = "client/periphery/rs" }
-environment_file = { path = "lib/environment_file" }
 environment = { path = "lib/environment" }
 interpolate = { path = "lib/interpolate" }
 formatting = { path = "lib/formatting" }
+transport = { path = "lib/transport" }
 database = { path = "lib/database" }
-response = { path = "lib/response" }
+encoding = { path = "lib/encoding" }
 command = { path = "lib/command" }
-config = { path = "lib/config" }
-logger = { path = "lib/logger" }
-cache = { path = "lib/cache" }
 git = { path = "lib/git" }

 # MOGH
-run_command = { version = "0.0.6", features = ["async_tokio"] }
-serror = { version = "0.5.0", default-features = false }
-slack = { version = "0.4.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+slack = { version = "2.0.0", package = "slack_client_rs", default-features = false, features = ["rustls"] }
+mogh_error = { version = "1.0.3", default-features = false }
 derive_default_builder = "0.1.8"
-derive_empty_traits = "0.1.0"
-async_timing_util = "1.0.0"
-partial_derive2 = "0.4.3"
-derive_variants = "1.0.0"
+async_timing_util = "1.1.0"
+mogh_auth_client = "1.2.2"
+mogh_auth_server = "1.2.13"
+mogh_secret_file = "1.0.1"
+mogh_validations = "1.0.1"
+mogh_rate_limit = "1.0.1"
+partial_derive2 = "0.4.5"
 mongo_indexed = "2.0.2"
-resolver_api = "3.0.0"
-toml_pretty = "1.2.0"
-mungos = "3.2.1"
+mogh_resolver = "1.0.0"
+mogh_config = "1.0.4"
+mogh_logger = "1.3.2"
+mogh_server = "1.4.5"
+toml_pretty = "2.0.0"
+mogh_cache = "1.1.1"
+mogh_pki = "1.1.3"
+mungos = "3.2.2"
 svi = "1.2.0"

 # ASYNC
-reqwest = { version = "0.12.22", default-features = false, features = ["json", "stream", "rustls-tls-native-roots"] }
-tokio = { version = "1.47.1", features = ["full"] }
-tokio-util = { version = "0.7.16", features = ["io", "codec"] }
-tokio-stream = { version = "0.1.17", features = ["sync"] }
-pin-project-lite = "0.2.16"
-futures = "0.3.31"
-futures-util = "0.3.31"
-arc-swap = "1.7.1"
+reqwest = { version = "0.13.2", default-features = false, features = ["json", "stream", "form", "query", "rustls"] }
+tokio = { version = "1.50.0", features = ["full"] }
+tokio-util = { version = "0.7.18", features = ["io", "codec"] }
+tokio-stream = { version = "0.1.18", features = ["sync"] }
+pin-project-lite = "0.2.17"
+futures-util = "0.3.32"
+arc-swap = "1.9.0"

 # SERVER
-tokio-tungstenite = { version = "0.27.0", features = ["rustls-tls-native-roots"] }
-axum-extra = { version = "0.10.1", features = ["typed-header"] }
-tower-http = { version = "0.6.4", features = ["fs", "cors"] }
-axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-axum = { version = "0.8.4", features = ["ws", "json", "macros"] }
+tokio-tungstenite = { version = "0.29.0", features = ["rustls-tls-native-roots"] }
+axum = { version = "0.8.8", features = ["ws", "json", "macros"] }
+axum-extra = { version = "0.12.5", features = ["typed-header"] }
+
+# OPENAPI
+utoipa-scalar = { version = "0.3.0", features = ["axum"] }
+utoipa = "5.4.0"

 # SER/DE
 ipnetwork = { version = "0.21.1", features = ["serde"] }
-indexmap = { version = "2.10.0", features = ["serde"] }
-serde = { version = "1.0.219", features = ["derive"] }
-strum = { version = "0.27.2", features = ["derive"] }
+indexmap = { version = "2.13.0", features = ["serde"] }
+serde = { version = "1.0.227", features = ["derive"] }
+strum = { version = "0.28.0", features = ["derive"] }
+bson = { version = "2.15.0" } # must keep in sync with mongodb version
+toml = "1.1.0"
 serde_yaml_ng = "0.10.0"
-serde_json = "1.0.142"
-serde_qs = "0.15.0"
-toml = "0.9.5"
+serde_json = "1.0.149"
+serde_qs = "1.1.0"
+url = "2.5.8"

 # ERROR
-anyhow = "1.0.99"
-thiserror = "2.0.14"
+anyhow = "1.0.102"
+thiserror = "2.0.18"

 # LOGGING
-opentelemetry-otlp = { version = "0.30.0", features = ["tls-roots", "reqwest-rustls"] }
-opentelemetry_sdk = { version = "0.30.0", features = ["rt-tokio"] }
-tracing-subscriber = { version = "0.3.19", features = ["json"] }
-opentelemetry-semantic-conventions = "0.30.0"
-tracing-opentelemetry = "0.31.0"
-opentelemetry = "0.30.0"
-tracing = "0.1.41"
+tracing = "0.1.44"

 # CONFIG
-clap = { version = "4.5.43", features = ["derive"] }
+clap = { version = "4.5.60", features = ["derive"] }
 dotenvy = "0.15.7"
 envy = "0.4.2"

 # CRYPTO / AUTH
-uuid = { version = "1.17.0", features = ["v4", "fast-rng", "serde"] }
-jsonwebtoken = { version = "9.3.1", default-features = false }
-openidconnect = "4.0.1"
+uuid = { version = "1.21.0", features = ["v4", "fast-rng", "serde"] }
+rustls = { version = "0.23.37", features = ["aws-lc-rs"] }
+data-encoding = "2.10.0"
 urlencoding = "2.1.3"
-nom_pem = "4.0.0"
-bcrypt = "0.17.0"
-base64 = "0.22.1"
-rustls = "0.23.31"
+bcrypt = "0.19.0"
 hmac = "0.12.1"
+sha1 = "0.10.6"
 sha2 = "0.10.9"
-rand = "0.9.2"
+rand = "0.10.0"
 hex = "0.4.3"

 # SYSTEM
+hickory-resolver = "0.25.2"
 portable-pty = "0.9.0"
-bollard = "0.19.2"
-sysinfo = "0.37.0"
+shell-escape = "0.1.5"
+crossterm = "0.29.0"
+bollard = "0.20.2"
+sysinfo = "0.38.4"
+shlex = "1.3.0"

 # CLOUD
-aws-config = "1.8.5"
-aws-sdk-ec2 = "1.159.0"
-aws-credential-types = "1.2.5"
+aws-config = "1.8.15"
+aws-sdk-ec2 = "1.220.0"
+aws-credential-types = "1.2.14"

 ## CRON
-english-to-cron = "0.1.6"
+english-to-cron = "0.1.7"
 chrono-tz = "0.10.4"
-chrono = "0.4.41"
-croner = "3.0.0"
+chrono = "0.4.44"
+croner = "3.0.1"

 # MISC
-async-compression = { version = "0.4.27", features = ["tokio", "gzip"] }
+async-compression = { version = "0.4.41", features = ["tokio", "gzip"] }
 derive_builder = "0.20.2"
-comfy-table = "7.1.4"
-typeshare = "1.0.4"
-octorust = "0.10.0"
-dashmap = "6.1.0"
+comfy-table = "7.2.2"
+typeshare = "1.0.5"
 wildcard = "0.3.0"
-colored = "3.0.0"
-regex = "1.11.1"
-bytes = "1.10.1"
-bson = "2.15.0"
+colored = "3.1.1"
+bytes = "1.11.1"
+regex = "1.12.3"
--- a/action/build.ts
+++ b/action/build.ts
@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("build-komodo");
--- a/action/deno.json
+++ b/action/deno.json
@@ -0,0 +1,5 @@
+{
+  "imports": {
+    "@std/toml": "jsr:@std/toml"
+  }
+}
--- a/action/deploy-fe.ts
+++ b/action/deploy-fe.ts
@@ -0,0 +1,4 @@
+const cmd = "km run -y action deploy-komodo-fe-change";
+new Deno.Command("bash", {
+  args: ["-c", cmd],
+}).spawn();
--- a/action/deploy.ts
+++ b/action/deploy.ts
@@ -0,0 +1,2 @@
+import { run } from "./run.ts";
+await run("deploy-komodo");
--- a/action/run.ts
+++ b/action/run.ts
@@ -0,0 +1,52 @@
+import * as TOML from "@std/toml";
+
+export const run = async (action: string) => {
+  const branch = await new Deno.Command("bash", {
+    args: ["-c", "git rev-parse --abbrev-ref HEAD"],
+  })
+    .output()
+    .then((r) => new TextDecoder("utf-8").decode(r.stdout).trim());
+
+  const cargo_toml_str = await Deno.readTextFile("Cargo.toml");
+  const prev_version = (
+    TOML.parse(cargo_toml_str) as {
+      workspace: { package: { version: string } };
+    }
+  ).workspace.package.version;
+
+  const [version, tag, count] = prev_version.split("-");
+  const next_count = Number(count) + 1;
+
+  const next_version = `${version}-${tag}-${next_count}`;
+
+  await Deno.writeTextFile(
+    "Cargo.toml",
+    cargo_toml_str.replace(
+      `version = "${prev_version}"`,
+      `version = "${next_version}"`
+    )
+  );
+
+  // Cargo check first here to make sure lock file is updated before commit.
+  const cmd = `
+cargo check
+echo ""
+
+git add --all
+git commit --all --message "deploy ${version}-${tag}-${next_count}"
+
+echo ""
+git push
+echo ""
+
+km run -y action ${action} "KOMODO_BRANCH=${branch}&KOMODO_VERSION=${version}&KOMODO_TAG=${tag}-${next_count}"
+`
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0 && !line.startsWith("//"))
+    .join(" && ");
+
+  new Deno.Command("bash", {
+    args: ["-c", cmd],
+  }).spawn();
+};
--- a/bin/binaries.Dockerfile
+++ b/bin/binaries.Dockerfile
@@ -1,7 +1,8 @@
 ## Builds the Komodo Core, Periphery, and Util binaries
-## for a specific architecture.
+## for a specific architecture. Requires OpenSSL 3 or later.

-FROM rust:1.89.0-bullseye AS builder
+FROM rust:1.94.0-bookworm AS builder
+RUN cargo install cargo-strip

 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -16,7 +17,8 @@ COPY ./bin/cli ./bin/cli
 RUN \
  cargo build -p komodo_core --release && \
  cargo build -p komodo_periphery --release && \
-  cargo build -p komodo_cli --release
+  cargo build -p komodo_cli --release && \
+  cargo strip

 # Copy just the binaries to scratch image
 FROM scratch
@@ -25,6 +27,6 @@ COPY --from=builder /builder/target/release/core /core
 COPY --from=builder /builder/target/release/periphery /periphery
 COPY --from=builder /builder/target/release/km /km

-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Binaries"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/chef.binaries.Dockerfile
+++ b/bin/chef.binaries.Dockerfile
@@ -1,9 +1,9 @@
 ## Builds the Komodo Core, Periphery, and Util binaries
-## for a specific architecture.
+## for a specific architecture. Requires OpenSSL 3 or later.

 ## Uses chef for dependency caching to help speed up back-to-back builds.

-FROM lukemathwalker/cargo-chef:latest-rust-1.89.0-bullseye AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.94.0-bookworm AS chef
 WORKDIR /builder

 # Plan just the RECIPE to see if things have changed
@@ -12,6 +12,7 @@ COPY . .
 RUN cargo chef prepare --recipe-path recipe.json

 FROM chef AS builder
+RUN cargo install cargo-strip
 COPY --from=planner /builder/recipe.json recipe.json
 # Build JUST dependencies - cached layer
 RUN cargo chef cook --release --recipe-path recipe.json
@@ -20,7 +21,8 @@ COPY . .
 RUN \
  cargo build --release --bin core && \
  cargo build --release --bin periphery && \
-  cargo build --release --bin km
+  cargo build --release --bin km && \
+  cargo strip

 # Copy just the binaries to scratch image
 FROM scratch
@@ -29,6 +31,6 @@ COPY --from=builder /builder/target/release/core /core
 COPY --from=builder /builder/target/release/periphery /periphery
 COPY --from=builder /builder/target/release/km /km

-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Binaries"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/Cargo.toml
+++ b/bin/cli/Cargo.toml
@@ -14,22 +14,27 @@ path = "src/main.rs"

 [dependencies]
 # local
-environment_file.workspace = true
-komodo_client.workspace = true
+komodo_client = { workspace = true, features = ["cli"] }
+mogh_secret_file.workspace = true
+mogh_pki.workspace = true
 database.workspace = true
-config.workspace = true
-logger.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
 # external
 futures-util.workspace = true
 comfy-table.workspace = true
+tokio-util.workspace = true
 serde_json.workspace = true
+crossterm.workspace = true
 serde_qs.workspace = true
 wildcard.workspace = true
 tracing.workspace = true
 colored.workspace = true
 dotenvy.workspace = true
 anyhow.workspace = true
+bcrypt.workspace = true
 chrono.workspace = true
+rustls.workspace = true
 tokio.workspace = true
 serde.workspace = true
 clap.workspace = true
--- a/bin/cli/aio.Dockerfile
+++ b/bin/cli/aio.Dockerfile
@@ -1,4 +1,5 @@
-FROM rust:1.89.0-bullseye AS builder
+FROM rust:1.94.0-bullseye AS builder
+RUN cargo install cargo-strip

 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -8,7 +9,7 @@ COPY ./client/periphery ./client/periphery
 COPY ./bin/cli ./bin/cli

 # Compile bin
-RUN cargo build -p komodo_cli --release
+RUN cargo build -p komodo_cli --release && cargo strip

 # Copy binaries to distroless base
 FROM gcr.io/distroless/cc
@@ -19,6 +20,6 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"

 CMD [ "km" ]

-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo CLI"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/multi-arch.Dockerfile
+++ b/bin/cli/multi-arch.Dockerfile
@@ -1,7 +1,7 @@
 ## Assumes the latest binaries for x86_64 and aarch64 are already built (by binaries.Dockerfile).
 ## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.

-ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:2
 ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
 ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64

@@ -24,6 +24,6 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"

 CMD [ "km" ]

-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo CLI"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/single-arch.Dockerfile
+++ b/bin/cli/single-arch.Dockerfile
@@ -1,6 +1,6 @@
 ## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).

-ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:2

 # This is required to work with COPY --from
 FROM ${BINARIES_IMAGE} AS binaries
@@ -13,6 +13,6 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"

 CMD [ "km" ]

-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo CLI"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/cli/src/command/container.rs
+++ b/bin/cli/src/command/container.rs
@@ -61,7 +61,8 @@ async fn list_containers(
        .map(|s| (s.id.clone(), s))
        .collect::<HashMap<_, _>>())),
    client.read(ListAllDockerContainers {
-      servers: Default::default()
+      servers: Default::default(),
+      containers: Default::default(),
    }),
  )?;

@@ -145,7 +146,8 @@ pub async fn inspect_container(
        .map(|s| (s.id.clone(), s))
        .collect::<HashMap<_, _>>())),
    client.read(ListAllDockerContainers {
-      servers: Default::default()
+      servers: Default::default(),
+      containers: Default::default()
    }),
  )?;

@@ -292,7 +294,7 @@ impl PrintTable for (Option<&'_ str>, ContainerListItem) {
      Cell::new(self.0.unwrap_or("Unknown")),
      ports,
      Cell::new(networks.join(", ")),
-      Cell::new(clamp_sha(&image)),
+      Cell::new(clamp_sha(image)),
    ];
    if !links {
      return res;
--- a/bin/cli/src/command/core_info.rs
+++ b/bin/cli/src/command/core_info.rs
@@ -0,0 +1,13 @@
+use anyhow::Context as _;
+use komodo_client::api::read::GetCoreInfo;
+
+pub async fn handle() -> anyhow::Result<()> {
+  let client = super::komodo_client().await?;
+  let info = client.read(GetCoreInfo {}).await?;
+  println!(
+    "{}",
+    serde_json::to_string_pretty(&info)
+      .context("Failed to serialize core info to JSON")?
+  );
+  Ok(())
+}
--- a/bin/cli/src/command/create/api_key.rs
+++ b/bin/cli/src/command/create/api_key.rs
@@ -0,0 +1,101 @@
+use anyhow::Context as _;
+use database::bson::doc;
+use komodo_client::{
+  api::read::FindUser,
+  entities::{
+    api_key::ApiKey, config::cli::args::create::CreateApiKey,
+    komodo_timestamp, random_string,
+  },
+};
+use serde_json::json;
+
+use crate::config::cli_config;
+
+pub async fn create(
+  CreateApiKey {
+    name,
+    for_user,
+    expires,
+    use_api,
+  }: &CreateApiKey,
+) -> anyhow::Result<()> {
+  let expires = if let Some(expires_days) = expires {
+    // now + expires in ms
+    komodo_timestamp() + expires_days * 24 * 60 * 60 * 1000
+  } else {
+    0
+  };
+
+  if *use_api {
+    // USE API
+    let client = crate::command::komodo_client().await?;
+
+    let keys = if let Some(username) = for_user {
+      // For service user
+      let user = client
+        .read(FindUser {
+          user: username.to_string(),
+        })
+        .await?;
+      client
+        .write(
+          komodo_client::api::write::CreateApiKeyForServiceUser {
+            user_id: user.id,
+            name: name.clone().unwrap_or_default(),
+            expires,
+          },
+        )
+        .await?
+    } else {
+      // For self
+      client
+        .auth_manage(komodo_client::api::auth::manage::CreateApiKey {
+          name: name.clone().unwrap_or_default(),
+          expires: expires as u64,
+        })
+        .await?
+    };
+
+    println!(
+      "{}",
+      serde_json::to_string_pretty(&keys)
+        .context("Failed to serialize api keys to JSON")?
+    );
+  } else {
+    // USE DATABASE
+    let db = database::Client::new(&cli_config().database).await?;
+
+    let user = db
+      .users
+      .find_one(doc! { "username": for_user })
+      .await
+      .context("Failed to query database for user")?
+      .context("No user found with given username")?;
+
+    let key = format!("K_{}_K", random_string(40));
+    let secret = format!("S_{}_S", random_string(40));
+    let hashed_secret = bcrypt::hash(&secret, 10)
+      .context("Failed at hashing secret string")?;
+
+    db.api_keys
+      .insert_one(&ApiKey {
+        name: name.clone().unwrap_or_default(),
+        user_id: user.id,
+        key: key.clone(),
+        secret: hashed_secret.clone(),
+        created_at: komodo_timestamp(),
+        expires,
+      })
+      .await?;
+
+    println!(
+      "{}",
+      serde_json::to_string_pretty(
+        &json!({ "key": key, "secret": secret })
+      )
+      .context("Failed to serialize api keys to JSON")?
+    );
+  }
+
+  Ok(())
+}
--- a/bin/cli/src/command/create/mod.rs
+++ b/bin/cli/src/command/create/mod.rs
@@ -0,0 +1,13 @@
+use komodo_client::entities::config::cli::args::create::CreateCommand;
+
+mod api_key;
+mod onboarding_key;
+
+pub async fn handle(command: &CreateCommand) -> anyhow::Result<()> {
+  match command {
+    CreateCommand::ApiKey(api_key) => api_key::create(api_key).await,
+    CreateCommand::OnboardingKey(onboarding_key) => {
+      onboarding_key::create(onboarding_key).await
+    }
+  }
+}
--- a/bin/cli/src/command/create/onboarding_key.rs
+++ b/bin/cli/src/command/create/onboarding_key.rs
@@ -0,0 +1,46 @@
+use anyhow::Context as _;
+use komodo_client::entities::{
+  config::cli::args::create::CreateOnboardingKey, komodo_timestamp,
+};
+
+pub async fn create(
+  CreateOnboardingKey {
+    name,
+    expires,
+    private_key,
+    tags,
+    privileged,
+    copy_server,
+    create_builder,
+  }: &CreateOnboardingKey,
+) -> anyhow::Result<()> {
+  let expires = if let Some(expires_days) = expires {
+    // now + expires in ms
+    komodo_timestamp() + expires_days * 24 * 60 * 60 * 1000
+  } else {
+    0
+  };
+
+  // USE API
+  let client = crate::command::komodo_client().await?;
+
+  let key = client
+    .write(komodo_client::api::write::CreateOnboardingKey {
+      name: name.clone().unwrap_or_default(),
+      expires,
+      private_key: private_key.clone(),
+      tags: tags.clone(),
+      privileged: *privileged,
+      copy_server: copy_server.clone().unwrap_or_default(),
+      create_builder: *create_builder,
+    })
+    .await?;
+
+  println!(
+    "{}",
+    serde_json::to_string_pretty(&key)
+      .context("Failed to serialize onboarding key to JSON")?
+  );
+
+  Ok(())
+}
--- a/bin/cli/src/command/database.rs
+++ b/bin/cli/src/command/database.rs
@@ -2,6 +2,7 @@ use std::path::Path;

 use anyhow::Context;
 use colored::Colorize;
+use database::mungos::mongodb::bson::{Document, doc};
 use komodo_client::entities::{
  config::cli::args::database::DatabaseCommand, optional_string,
 };
@@ -21,6 +22,7 @@ pub async fn handle(command: &DatabaseCommand) -> anyhow::Result<()> {
    DatabaseCommand::Copy { yes, index, .. } => {
      copy(*index, *yes).await
    }
+    DatabaseCommand::V1Downgrade { yes } => v1_downgrade(*yes).await,
  }
 }

@@ -318,3 +320,52 @@ async fn copy(index: bool, yes: bool) -> anyhow::Result<()> {

  database::utils::copy(&source_db, &target_db).await
 }
+
+async fn v1_downgrade(yes: bool) -> anyhow::Result<()> {
+  let config = cli_config();
+
+  println!(
+    "\n🦎  {} Database {}  🦎",
+    "Komodo".bold(),
+    "V1 Downgrade".purple().bold()
+  );
+  println!(
+    "\n{}\n",
+    " - Downgrade the database to V1 compatible data structures."
+      .dimmed()
+  );
+  if let Some(uri) = optional_string(&config.database.uri) {
+    println!("{}: {}", " - URI".dimmed(), sanitize_uri(&uri));
+  }
+  if let Some(address) = optional_string(&config.database.address) {
+    println!("{}: {address}", " - Address".dimmed());
+  }
+  if let Some(username) = optional_string(&config.database.username) {
+    println!("{}: {username}", " - Username".dimmed());
+  }
+  println!(
+    "{}: {}\n",
+    " - Db Name".dimmed(),
+    config.database.db_name,
+  );
+
+  crate::command::wait_for_enter("run downgrade", yes)?;
+
+  let db = database::init(&config.database).await?;
+
+  db.collection::<Document>("Server")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Server schema")?;
+
+  db.collection::<Document>("Deployment")
+    .update_many(doc! {}, doc! { "$set": { "info": null } })
+    .await
+    .context("Failed to downgrade Deployment schema")?;
+
+  info!(
+    "V1 Downgrade complete. Ready to downgrade to komodo-core:1 ✅"
+  );
+
+  Ok(())
+}
--- a/bin/cli/src/command/execute.rs
+++ b/bin/cli/src/command/execute.rs
@@ -212,9 +212,42 @@ pub async fn handle(
    Execution::BatchDestroyStack(data) => {
      println!("{}: {data:?}", "Data".dimmed())
    }
+    Execution::RunStackService(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
    Execution::TestAlerter(data) => {
      println!("{}: {data:?}", "Data".dimmed())
    }
+    Execution::SendAlert(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmNodes(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmStacks(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmServices(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmConfig(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmConfigs(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::CreateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateSwarmSecret(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RemoveSwarmSecrets(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
    Execution::ClearRepoCache(data) => {
      println!("{}: {data:?}", "Data".dimmed())
    }
@@ -224,6 +257,12 @@ pub async fn handle(
    Execution::GlobalAutoUpdate(data) => {
      println!("{}: {data:?}", "Data".dimmed())
    }
+    Execution::RotateAllServerKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
+    Execution::RotateCoreKeys(data) => {
+      println!("{}: {data:?}", "Data".dimmed())
+    }
    Execution::Sleep(data) => {
      println!("{}: {data:?}", "Data".dimmed())
    }
@@ -464,10 +503,54 @@ pub async fn handle(
    Execution::BatchDestroyStack(request) => {
      client.execute(request).await.map(ExecutionResult::Batch)
    }
+    Execution::RunStackService(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
    Execution::TestAlerter(request) => client
      .execute(request)
      .await
      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::SendAlert(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmNodes(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmStacks(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmServices(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmConfig(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmConfigs(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::CreateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateSwarmSecret(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RemoveSwarmSecrets(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
    Execution::ClearRepoCache(request) => client
      .execute(request)
      .await
@@ -480,6 +563,14 @@ pub async fn handle(
      .execute(request)
      .await
      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateAllServerKeys(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
+    Execution::RotateCoreKeys(request) => client
+      .execute(request)
+      .await
+      .map(|u| ExecutionResult::Single(u.into())),
    Execution::Sleep(request) => {
      let duration =
        Duration::from_millis(request.duration_ms as u64);
@@ -535,20 +626,20 @@ async fn poll_update_until_complete(
  } else {
    format!("{}/updates/{}", cli_config().host, update.id)
  };
-  info!("Link: '{}'", link.bold());
+  println!("Link: '{}'", link.bold());

  let client = super::komodo_client().await?;

  let timer = tokio::time::Instant::now();
  let update = client.poll_update_until_complete(&update.id).await?;
  if update.success {
-    info!(
+    println!(
      "FINISHED in {}: {}",
      format!("{:.1?}", timer.elapsed()).bold(),
      "EXECUTION SUCCESSFUL".green(),
    );
  } else {
-    warn!(
+    eprintln!(
      "FINISHED in {}: {}",
      format!("{:.1?}", timer.elapsed()).bold(),
      "EXECUTION FAILED".red(),
--- a/bin/cli/src/command/list.rs
+++ b/bin/cli/src/command/list.rs
@@ -7,7 +7,7 @@ use komodo_client::{
  api::read::{
    ListActions, ListAlerters, ListBuilders, ListBuilds,
    ListDeployments, ListProcedures, ListRepos, ListResourceSyncs,
-    ListSchedules, ListServers, ListStacks, ListTags,
+    ListSchedules, ListServers, ListStacks, ListTags, ListTerminals,
  },
  entities::{
    ResourceTargetVariant,
@@ -35,6 +35,7 @@ use komodo_client::{
      ResourceSyncListItem, ResourceSyncListItemInfo,
      ResourceSyncState,
    },
+    terminal::Terminal,
  },
 };
 use serde::Serialize;
@@ -74,15 +75,18 @@ pub async fn handle(list: &args::list::List) -> anyhow::Result<()> {
    Some(ListCommand::Syncs(filters)) => {
      list_resources::<ResourceSyncListItem>(filters, false).await
    }
+    Some(ListCommand::Terminals(filters)) => {
+      list_terminals(filters).await
+    }
+    Some(ListCommand::Schedules(filters)) => {
+      list_schedules(filters).await
+    }
    Some(ListCommand::Builders(filters)) => {
      list_resources::<BuilderListItem>(filters, false).await
    }
    Some(ListCommand::Alerters(filters)) => {
      list_resources::<AlerterListItem>(filters, false).await
    }
-    Some(ListCommand::Schedules(filters)) => {
-      list_schedules(filters).await
-    }
  }
 }

@@ -189,6 +193,26 @@ where
  Ok(())
 }

+async fn list_terminals(
+  filters: &ResourceFilters,
+) -> anyhow::Result<()> {
+  let client = crate::command::komodo_client().await?;
+  // let query = ResourceQuery::builder()
+  //   .tags(filters.tags.clone())
+  //   .templates(TemplatesQueryBehavior::Exclude)
+  //   .build();
+  let terminals = client
+    .read(ListTerminals {
+      target: None,
+      use_names: true,
+    })
+    .await?;
+  if !terminals.is_empty() {
+    print_items(terminals, filters.format, filters.links)?;
+  }
+  Ok(())
+}
+
 async fn list_schedules(
  filters: &ResourceFilters,
 ) -> anyhow::Result<()> {
@@ -233,7 +257,7 @@ async fn list_schedules(
 }

 fn fix_tags<T>(
-  resources: &mut Vec<ResourceListItem<T>>,
+  resources: &mut [ResourceListItem<T>],
  tags: &HashMap<String, String>,
 ) {
  resources.iter_mut().for_each(|resource| {
@@ -794,7 +818,7 @@ impl PrintTable for ResourceListItem<ServerListItemInfo> {
      Cell::new(self.info.state.to_string())
        .fg(color)
        .add_attribute(Attribute::Bold),
-      Cell::new(self.info.address),
+      Cell::new(self.info.address.as_deref().unwrap_or("inbound")),
      Cell::new(self.tags.join(", ")),
    ];
    if links {
@@ -1134,6 +1158,28 @@ impl PrintTable for ResourceListItem<AlerterListItemInfo> {
  }
 }

+impl PrintTable for Terminal {
+  fn header(_links: bool) -> &'static [&'static str] {
+    &["Terminal", "Target", "Command", "Size", "Created"]
+  }
+  fn row(self, _links: bool) -> Vec<comfy_table::Cell> {
+    vec![
+      Cell::new(self.name).add_attribute(Attribute::Bold),
+      Cell::new(format!("{:?}", self.target)),
+      Cell::new(self.command),
+      Cell::new(if self.stored_size_kb < 1.0 {
+        format!("{:.1} KiB", self.stored_size_kb)
+      } else {
+        format!("{:.} KiB", self.stored_size_kb)
+      }),
+      Cell::new(
+        format_timetamp(self.created_at)
+          .unwrap_or_else(|_| String::from("Invalid created at")),
+      ),
+    ]
+  }
+}
+
 impl PrintTable for Schedule {
  fn header(links: bool) -> &'static [&'static str] {
    if links {
@@ -1146,7 +1192,7 @@ impl PrintTable for Schedule {
    let next_run = if let Some(ts) = self.next_scheduled_run {
      Cell::new(
        format_timetamp(ts)
-          .unwrap_or(String::from("Invalid next ts")),
+          .unwrap_or_else(|_| String::from("Invalid next ts")),
      )
      .add_attribute(Attribute::Bold)
    } else {
--- a/bin/cli/src/command/mod.rs
+++ b/bin/cli/src/command/mod.rs
@@ -15,9 +15,12 @@ use wildcard::Wildcard;
 use crate::config::cli_config;

 pub mod container;
+pub mod core_info;
+pub mod create;
 pub mod database;
 pub mod execute;
 pub mod list;
+pub mod terminal;
 pub mod update;

 async fn komodo_client() -> anyhow::Result<&'static KomodoClient> {
@@ -111,7 +114,7 @@ fn print_items<T: PrintTable + Serialize>(
      };
      table.load_preset(preset).set_header(
        T::header(links)
-          .into_iter()
+          .iter()
          .map(|h| Cell::new(h).add_attribute(Attribute::Bold)),
      );
      for item in items {
--- a/bin/cli/src/command/terminal.rs
+++ b/bin/cli/src/command/terminal.rs
@@ -0,0 +1,376 @@
+use anyhow::{Context, anyhow};
+use colored::Colorize;
+use komodo_client::{
+  api::{
+    read::{ListAllDockerContainers, ListServers},
+    terminal::InitTerminal,
+  },
+  entities::{
+    config::cli::args::terminal::{Attach, Connect, Exec},
+    server::ServerQuery,
+    terminal::{
+      ContainerTerminalMode, TerminalRecreateMode,
+      TerminalResizeMessage, TerminalStdinMessage,
+    },
+  },
+  ws::terminal::TerminalWebsocket,
+};
+use tokio::io::{AsyncReadExt as _, AsyncWriteExt as _};
+use tokio_util::sync::CancellationToken;
+
+pub async fn handle_connect(
+  Connect {
+    server,
+    name,
+    command,
+    recreate,
+  }: &Connect,
+) -> anyhow::Result<()> {
+  handle_terminal_forwarding(server, async {
+    super::komodo_client()
+      .await?
+      .connect_server_terminal(
+        server.to_string(),
+        Some(name.to_string()),
+        Some(InitTerminal {
+          command: command.clone(),
+          recreate: if *recreate {
+            TerminalRecreateMode::Always
+          } else {
+            TerminalRecreateMode::DifferentCommand
+          },
+          mode: None,
+        }),
+      )
+      .await
+  })
+  .await
+}
+
+pub async fn handle_exec(
+  Exec {
+    server,
+    container,
+    shell,
+    recreate,
+  }: &Exec,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(
+    &format!("{server}/{container}"),
+    async {
+      super::komodo_client()
+        .await?
+        .connect_container_terminal(
+          server,
+          container.to_string(),
+          None,
+          Some(InitTerminal {
+            command: Some(shell.to_string()),
+            recreate: if *recreate {
+              TerminalRecreateMode::Always
+            } else {
+              TerminalRecreateMode::DifferentCommand
+            },
+            mode: Some(ContainerTerminalMode::Exec),
+          }),
+        )
+        .await
+    },
+  )
+  .await
+}
+
+pub async fn handle_attach(
+  Attach {
+    server,
+    container,
+    recreate,
+  }: &Attach,
+) -> anyhow::Result<()> {
+  let server = get_server(server.clone(), container).await?;
+  handle_terminal_forwarding(
+    &format!("{server}/{container}-attach"),
+    async {
+      super::komodo_client()
+        .await?
+        .connect_container_terminal(
+          server,
+          container.to_string(),
+          None,
+          Some(InitTerminal {
+            command: None,
+            recreate: if *recreate {
+              TerminalRecreateMode::Always
+            } else {
+              TerminalRecreateMode::DifferentCommand
+            },
+            mode: Some(ContainerTerminalMode::Attach),
+          }),
+        )
+        .await
+    },
+  )
+  .await
+}
+
+async fn get_server(
+  server: Option<String>,
+  container: &str,
+) -> anyhow::Result<String> {
+  if let Some(server) = server {
+    return Ok(server);
+  }
+
+  let client = super::komodo_client().await?;
+
+  let mut containers = client
+    .read(ListAllDockerContainers {
+      servers: Default::default(),
+      containers: vec![container.to_string()],
+    })
+    .await?;
+
+  if containers.is_empty() {
+    return Err(anyhow!(
+      "Did not find any container matching {container}"
+    ));
+  }
+
+  if containers.len() == 1 {
+    return containers
+      .pop()
+      .context("Shouldn't happen")?
+      .server_id
+      .context("Container doesn't have server_id");
+  }
+
+  let servers = containers
+    .into_iter()
+    .flat_map(|container| container.server_id)
+    .collect::<Vec<_>>();
+
+  let servers = client
+    .read(ListServers {
+      query: ServerQuery::builder().names(servers).build(),
+    })
+    .await?
+    .into_iter()
+    .map(|server| format!("\t- {}", server.name.bold()))
+    .collect::<Vec<_>>()
+    .join("\n");
+
+  Err(anyhow!(
+    "Multiple containers matching '{}' on Servers:\n{servers}",
+    container.bold(),
+  ))
+}
+
+async fn handle_terminal_forwarding<
+  C: Future<Output = anyhow::Result<TerminalWebsocket>>,
+>(
+  label: &str,
+  connect: C,
+) -> anyhow::Result<()> {
+  // Need to forward multiple sources into ws write
+  let (write_tx, mut write_rx) =
+    tokio::sync::mpsc::channel::<TerminalStdinMessage>(1024);
+
+  // ================
+  //  SETUP RESIZING
+  // ================
+
+  // Subscribe to SIGWINCH for resize messages
+  let mut sigwinch = tokio::signal::unix::signal(
+    tokio::signal::unix::SignalKind::window_change(),
+  )
+  .context("failed to register SIGWINCH handler")?;
+
+  // Send first resize messsage, bailing if it fails to get the size.
+  write_tx.send(resize_message()?).await?;
+
+  let cancel = CancellationToken::new();
+
+  let forward_resize = async {
+    while future_or_cancel(sigwinch.recv(), &cancel)
+      .await
+      .flatten()
+      .is_some()
+    {
+      if let Ok(resize_message) = resize_message()
+        && write_tx.send(resize_message).await.is_err()
+      {
+        break;
+      }
+    }
+    cancel.cancel();
+  };
+
+  let forward_stdin = async {
+    let mut stdin = tokio::io::stdin();
+    let mut buf = [0u8; 8192];
+    while let Some(Ok(n)) =
+      future_or_cancel(stdin.read(&mut buf), &cancel).await
+    {
+      // EOF
+      if n == 0 {
+        break;
+      }
+      let bytes = &buf[..n];
+      // Check for disconnect sequence (alt + q)
+      if bytes == [197, 147] {
+        break;
+      }
+      // Forward bytes
+      if write_tx
+        .send(TerminalStdinMessage::Forward(bytes.to_vec()))
+        .await
+        .is_err()
+      {
+        break;
+      };
+    }
+    cancel.cancel();
+  };
+
+  // =====================
+  //  CONNECT AND FORWARD
+  // =====================
+
+  let (mut ws_write, mut ws_read) = connect.await?.split();
+
+  let forward_write = async {
+    while let Some(message) =
+      future_or_cancel(write_rx.recv(), &cancel).await.flatten()
+    {
+      if let Err(e) = ws_write.send_stdin_message(message).await {
+        cancel.cancel();
+        return Some(e);
+      };
+    }
+    cancel.cancel();
+    None
+  };
+
+  let forward_read = async {
+    let mut stdout = tokio::io::stdout();
+
+    // Write connection message
+    if let Err(e) = write_connection_message(&mut stdout, label)
+      .await
+      .context("Failed to write text to stdout")
+    {
+      cancel.cancel();
+      return Some(e);
+    }
+
+    while let Some(msg) =
+      future_or_cancel(ws_read.receive_stdout(), &cancel).await
+    {
+      let bytes = match msg {
+        Ok(Some(bytes)) => bytes,
+        Ok(None) => break,
+        Err(e) => {
+          cancel.cancel();
+          return Some(e.context("Websocket read error"));
+        }
+      };
+      if let Err(e) = stdout
+        .write_all(&bytes)
+        .await
+        .context("Failed to write text to stdout")
+      {
+        cancel.cancel();
+        return Some(e);
+      }
+      let _ = stdout.flush().await;
+    }
+    cancel.cancel();
+    None
+  };
+
+  let guard = RawModeGuard::enable_raw_mode()?;
+
+  let (_, _, write_error, read_error) = tokio::join!(
+    forward_resize,
+    forward_stdin,
+    forward_write,
+    forward_read
+  );
+
+  drop(guard);
+
+  if let Some(e) = write_error {
+    eprintln!("\nFailed to forward stdin | {e:#}");
+  }
+
+  if let Some(e) = read_error {
+    eprintln!("\nFailed to forward stdout | {e:#}");
+  }
+
+  println!("\n\n{} {}", "connection".bold(), "closed".red().bold());
+
+  // It doesn't seem to exit by itself after the raw mode stuff.
+  std::process::exit(0)
+}
+
+async fn write_connection_message(
+  stdout: &mut tokio::io::Stdout,
+  label: &str,
+) -> anyhow::Result<()> {
+  // Use message without ansi for correct length
+  let message_clean = format!("# Connected to {label} (km) #");
+  let bounder = "=".repeat(message_clean.chars().count());
+
+  let message = format!(
+    "# {} to {} {} #",
+    "Connected".green().bold(),
+    label.bold(),
+    "(km)".dimmed()
+  );
+
+  stdout
+    .write_all(
+      format!("\n{bounder}\r\n{message}\r\n{bounder}\r\n").as_bytes(),
+    )
+    .await?;
+  let _ = stdout.flush().await;
+
+  Ok(())
+}
+
+fn resize_message() -> anyhow::Result<TerminalStdinMessage> {
+  let (cols, rows) = crossterm::terminal::size()
+    .context("Failed to get terminal size")?;
+  Ok(TerminalStdinMessage::Resize(TerminalResizeMessage {
+    rows,
+    cols,
+  }))
+}
+
+struct RawModeGuard;
+
+impl RawModeGuard {
+  fn enable_raw_mode() -> anyhow::Result<Self> {
+    crossterm::terminal::enable_raw_mode()
+      .context("Failed to enable terminal raw mode")?;
+    Ok(Self)
+  }
+}
+impl Drop for RawModeGuard {
+  fn drop(&mut self) {
+    if let Err(e) = crossterm::terminal::disable_raw_mode() {
+      eprintln!("Failed to disable terminal raw mode | {e:?}");
+    }
+  }
+}
+
+async fn future_or_cancel<T, F: Future<Output = T>>(
+  fut: F,
+  cancel: &CancellationToken,
+) -> Option<T> {
+  tokio::select! {
+    res = fut => Some(res),
+    _ = cancel.cancelled() => None
+  }
+}
--- a/bin/cli/src/command/update/user.rs
+++ b/bin/cli/src/command/update/user.rs
@@ -26,6 +26,9 @@ pub async fn update(
    UpdateUserCommand::SuperAdmin { enabled, yes } => {
      update_super_admin(username, *enabled, *yes).await
    }
+    UpdateUserCommand::Clear2fa { yes } => {
+      clear_2fa(username, *yes).await
+    }
  }
 }

@@ -120,3 +123,20 @@ async fn update_super_admin(

  Ok(())
 }
+
+async fn clear_2fa(username: &str, yes: bool) -> anyhow::Result<()> {
+  println!("\n{}: Clear 2FA Methods\n", "Mode".dimmed());
+  println!(" - {}: {username}", "Username".dimmed());
+
+  crate::command::wait_for_enter("clear user 2FA methods", yes)?;
+
+  info!("Clearing 2FA methods...");
+
+  let db = database::Client::new(&cli_config().database).await?;
+
+  db.clear_user_2fa_methods(username).await?;
+
+  info!("2FA methods cleared ✅");
+
+  Ok(())
+}
--- a/bin/cli/src/config.rs
+++ b/bin/cli/src/config.rs
@@ -3,7 +3,6 @@ use std::{path::PathBuf, sync::OnceLock};
 use anyhow::Context;
 use clap::Parser;
 use colored::Colorize;
-use environment_file::maybe_read_item_from_file;
 use komodo_client::entities::{
  config::{
    DatabaseConfig,
@@ -14,6 +13,7 @@ use komodo_client::entities::{
  },
  logger::LogConfig,
 };
+use mogh_secret_file::maybe_read_item_from_file;

 pub fn cli_args() -> &'static CliArgs {
  static CLI_ARGS: OnceLock<CliArgs> = OnceLock::new();
@@ -28,7 +28,7 @@ pub fn cli_env() -> &'static Env {
    {
      Ok(env) => env,
      Err(e) => {
-        panic!("{e:?}");
+        panic!("{e:?}")
      }
    }
  })
@@ -74,7 +74,7 @@ pub fn cli_config() -> &'static CliConfig {
        "Config File Keywords".dimmed(),
      );
    }
-    let mut unparsed_config = (config::ConfigLoader {
+    let mut unparsed_config = (mogh_config::ConfigLoader {
      paths: &config_paths
        .iter()
        .map(PathBuf::as_path)
@@ -166,7 +166,7 @@ pub fn cli_config() -> &'static CliConfig {
      else {
        panic!("Profile config is not Object type.");
      };
-      config::merge_config(
+      mogh_config::merge_config(
        unparsed_config,
        profile_config.clone(),
        env.komodo_cli_merge_nested_config,
@@ -261,12 +261,18 @@ pub fn cli_config() -> &'static CliConfig {
          .komodo_cli_logging_pretty
          .unwrap_or(config.cli_logging.pretty),
        location: false,
+        ansi: env
+          .komodo_cli_logging_ansi
+          .unwrap_or(config.cli_logging.ansi),
        otlp_endpoint: env
          .komodo_cli_logging_otlp_endpoint
          .unwrap_or(config.cli_logging.otlp_endpoint),
        opentelemetry_service_name: env
          .komodo_cli_logging_opentelemetry_service_name
          .unwrap_or(config.cli_logging.opentelemetry_service_name),
+        opentelemetry_scope_name: env
+          .komodo_cli_logging_opentelemetry_scope_name
+          .unwrap_or(config.cli_logging.opentelemetry_scope_name),
      },
      profile: config.profile,
    }
--- a/bin/cli/src/main.rs
+++ b/bin/cli/src/main.rs
@@ -2,6 +2,7 @@
 extern crate tracing;

 use anyhow::Context;
+use colored::Colorize;
 use komodo_client::entities::config::cli::args;

 use crate::config::cli_config;
@@ -11,7 +12,10 @@ mod config;

 async fn app() -> anyhow::Result<()> {
  dotenvy::dotenv().ok();
-  logger::init(&config::cli_config().cli_logging)?;
+  rustls::crypto::aws_lc_rs::default_provider()
+    .install_default()
+    .expect("Failed to install default crypto provider");
+  mogh_logger::init(&config::cli_config().cli_logging)?;
  let args = config::cli_args();
  let env = config::cli_env();
  let debug_load =
@@ -41,6 +45,7 @@ async fn app() -> anyhow::Result<()> {
      }
      Ok(())
    }
+    args::Command::CoreInfo => command::core_info::handle().await,
    args::Command::Container(container) => {
      command::container::handle(container).await
    }
@@ -51,9 +56,24 @@ async fn app() -> anyhow::Result<()> {
    args::Command::Execute(args) => {
      command::execute::handle(&args.execution, args.yes).await
    }
+    args::Command::Create { command } => {
+      command::create::handle(command).await
+    }
    args::Command::Update { command } => {
      command::update::handle(command).await
    }
+    args::Command::Connect(connect) => {
+      command::terminal::handle_connect(connect).await
+    }
+    args::Command::Exec(exec) => {
+      command::terminal::handle_exec(exec).await
+    }
+    args::Command::Attach(attach) => {
+      command::terminal::handle_attach(attach).await
+    }
+    args::Command::Key { command } => {
+      mogh_pki::cli::handle(command, mogh_pki::PkiKind::Mutual).await
+    }
    args::Command::Database { command } => {
      command::database::handle(command).await
    }
@@ -66,7 +86,18 @@ async fn main() -> anyhow::Result<()> {
    tokio::signal::unix::SignalKind::terminate(),
  )?;
  tokio::select! {
-    res = tokio::spawn(app()) => res?,
-    _ = term_signal.recv() => Ok(()),
+    res = tokio::spawn(app()) => match res {
+      Ok(Err(e)) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      }
+      Err(e) => {
+        eprintln!("{}: {e}", "ERROR".red());
+        std::process::exit(1)
+      },
+      Ok(_) => {}
+    },
+    _ = term_signal.recv() => {},
  }
+  Ok(())
 }
--- a/bin/core/Cargo.toml
+++ b/bin/core/Cargo.toml
@@ -15,69 +15,72 @@ path = "src/main.rs"

 [dependencies]
 # local
-komodo_client = { workspace = true, features = ["mongo"] }
+komodo_client = { workspace = true, features = ["core"] }
 periphery_client.workspace = true
-environment_file.workspace = true
+mogh_validations.workspace = true
 interpolate.workspace = true
+mogh_secret_file.workspace = true
 formatting.workspace = true
+mogh_rate_limit.workspace = true
+transport.workspace = true
 database.workspace = true
-response.workspace = true
+encoding.workspace = true
 command.workspace = true
-config.workspace = true
-logger.workspace = true
-cache.workspace = true
+mogh_config.workspace = true
+mogh_logger.workspace = true
+mogh_cache.workspace = true
+mogh_pki.workspace = true
 git.workspace = true
 # mogh
-serror = { workspace = true, features = ["axum"] }
+mogh_error = { workspace = true, features = ["axum"] }
+mogh_auth_client = { workspace = true, features = ["utoipa"] }
+mogh_auth_server.workspace = true
 async_timing_util.workspace = true
 partial_derive2.workspace = true
-derive_variants.workspace = true
-resolver_api.workspace = true
+mogh_resolver.workspace = true
+mogh_server.workspace = true
 toml_pretty.workspace = true
 slack.workspace = true
 svi.workspace = true
 # external
 aws-credential-types.workspace = true
-tokio-tungstenite.workspace = true
 english-to-cron.workspace = true
-openidconnect.workspace = true
-jsonwebtoken.workspace = true
-axum-server.workspace = true
-urlencoding.workspace = true
+data-encoding.workspace = true
+serde_yaml_ng.workspace = true
+utoipa-scalar.workspace = true
+futures-util.workspace = true
 aws-sdk-ec2.workspace = true
+urlencoding.workspace = true
 aws-config.workspace = true
 tokio-util.workspace = true
 axum-extra.workspace = true
-tower-http.workspace = true
 serde_json.workspace = true
-serde_yaml_ng.workspace = true
 typeshare.workspace = true
 chrono-tz.workspace = true
 indexmap.workspace = true
-octorust.workspace = true
 wildcard.workspace = true
 arc-swap.workspace = true
+serde_qs.workspace = true
 colored.workspace = true
-dashmap.workspace = true
 tracing.workspace = true
 reqwest.workspace = true
-futures.workspace = true
-nom_pem.workspace = true
 dotenvy.workspace = true
 anyhow.workspace = true
+bcrypt.workspace = true
 croner.workspace = true
 chrono.workspace = true
-bcrypt.workspace = true
-base64.workspace = true
 rustls.workspace = true
+utoipa.workspace = true
+bytes.workspace = true
 tokio.workspace = true
 serde.workspace = true
+strum.workspace = true
 regex.workspace = true
 axum.workspace = true
 toml.workspace = true
 uuid.workspace = true
 envy.workspace = true
-rand.workspace = true
 hmac.workspace = true
 sha2.workspace = true
 hex.workspace = true
+url.workspace = true
--- a/bin/core/aio.Dockerfile
+++ b/bin/core/aio.Dockerfile
@@ -1,7 +1,8 @@
 ## All in one, multi stage compile + runtime Docker build for your architecture.

 # Build Core
-FROM rust:1.89.0-bullseye AS core-builder
+FROM rust:1.94.0-trixie AS core-builder
+RUN cargo install cargo-strip

 WORKDIR /builder
 COPY Cargo.toml Cargo.lock ./
@@ -13,18 +14,19 @@ COPY ./bin/cli ./bin/cli

 # Compile app
 RUN cargo build -p komodo_core --release && \
-  cargo build -p komodo_cli --release
+  cargo build -p komodo_cli --release && \
+  cargo strip

-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
+# Build UI
+FROM node:22.12-alpine AS ui-builder
 WORKDIR /builder
-COPY ./frontend ./frontend
+COPY ./ui ./ui
 COPY ./client/core/ts ./client
 RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link komodo_client && yarn && yarn build
+RUN cd ui && yarn link komodo_client && yarn && yarn build

 # Final Image
-FROM debian:bullseye-slim
+FROM debian:trixie-slim

 COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
@@ -35,7 +37,7 @@ WORKDIR /app

 # Copy
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=ui-builder /builder/ui/dist /app/ui
 COPY --from=core-builder /builder/target/release/core /usr/local/bin/core
 COPY --from=core-builder /builder/target/release/km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
@@ -46,6 +48,9 @@ RUN mkdir /action-cache && \
  cd /action-cache && \
  deno install jsr:@std/yaml jsr:@std/toml

+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120

@@ -53,9 +58,11 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"
 # This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
 ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"

-CMD [ "core" ]
+CMD [ "/bin/bash", "-c", "update-ca-certificates && core" ]

+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
 # Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/multi-arch.Dockerfile
+++ b/bin/core/multi-arch.Dockerfile
@@ -2,18 +2,18 @@
 ## Sets up the necessary runtime container dependencies for Komodo Core.
 ## Since theres no heavy build here, QEMU multi-arch builds are fine for this image.

-ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
-ARG FRONTEND_IMAGE=ghcr.io/moghtech/komodo-frontend:latest
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:2
+ARG UI_IMAGE=ghcr.io/moghtech/komodo-ui:2
 ARG X86_64_BINARIES=${BINARIES_IMAGE}-x86_64
 ARG AARCH64_BINARIES=${BINARIES_IMAGE}-aarch64

 # This is required to work with COPY --from
 FROM ${X86_64_BINARIES} AS x86_64
 FROM ${AARCH64_BINARIES} AS aarch64
-FROM ${FRONTEND_IMAGE} AS frontend
+FROM ${UI_IMAGE} AS ui

 # Final Image
-FROM debian:bullseye-slim
+FROM debian:trixie-slim

 COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
@@ -28,14 +28,14 @@ COPY --from=x86_64 /core /app/core/linux/amd64
 COPY --from=aarch64 /core /app/core/linux/arm64
 RUN mv /app/core/${TARGETPLATFORM} /usr/local/bin/core && rm -r /app/core

-# Same for util
+# Same for km
 COPY --from=x86_64 /km /app/km/linux/amd64
 COPY --from=aarch64 /km /app/km/linux/arm64
 RUN mv /app/km/${TARGETPLATFORM} /usr/local/bin/km && rm -r /app/km

-# Copy default config / static frontend / deno binary
+# Copy default config / static ui / deno binary
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend /frontend /app/frontend
+COPY --from=ui /ui /app/ui
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno

 # Set $DENO_DIR and preload external Deno deps
@@ -44,6 +44,9 @@ RUN mkdir /action-cache && \
  cd /action-cache && \
  deno install jsr:@std/yaml jsr:@std/toml

+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120

@@ -51,9 +54,12 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"
 # This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
 ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"

+ENTRYPOINT [ "entrypoint.sh" ]
 CMD [ "core" ]

+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
 # Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/single-arch.Dockerfile
+++ b/bin/core/single-arch.Dockerfile
@@ -1,20 +1,20 @@
 ## Assumes the latest binaries for the required arch are already built (by binaries.Dockerfile).
 ## Sets up the necessary runtime container dependencies for Komodo Core.

-ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:latest
+ARG BINARIES_IMAGE=ghcr.io/moghtech/komodo-binaries:2

 # This is required to work with COPY --from
 FROM ${BINARIES_IMAGE} AS binaries

-# Build Frontend
-FROM node:20.12-alpine AS frontend-builder
+# Build UI
+FROM node:22.12-alpine AS ui-builder
 WORKDIR /builder
-COPY ./frontend ./frontend
+COPY ./ui ./ui
 COPY ./client/core/ts ./client
 RUN cd client && yarn && yarn build && yarn link
-RUN cd frontend && yarn link komodo_client && yarn && yarn build
+RUN cd ui && yarn link komodo_client && yarn && yarn build

-FROM debian:bullseye-slim
+FROM debian:trixie-slim

 COPY ./bin/core/starship.toml /starship.toml
 COPY ./bin/core/debian-deps.sh .
@@ -22,7 +22,7 @@ RUN sh ./debian-deps.sh && rm ./debian-deps.sh
 	
 # Copy
 COPY ./config/core.config.toml /config/.default.config.toml
-COPY --from=frontend-builder /builder/frontend/dist /app/frontend
+COPY --from=ui-builder /builder/ui/dist /app/ui
 COPY --from=binaries /core /usr/local/bin/core
 COPY --from=binaries /km /usr/local/bin/km
 COPY --from=denoland/deno:bin /deno /usr/local/bin/deno
@@ -33,6 +33,9 @@ RUN mkdir /action-cache && \
 	cd /action-cache && \
 	deno install jsr:@std/yaml jsr:@std/toml

+COPY ./bin/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
 # Hint at the port
 EXPOSE 9120

@@ -40,9 +43,12 @@ ENV KOMODO_CLI_CONFIG_PATHS="/config"
 # This ensures any `komodo.cli.*` takes precedence over the Core `/config/*config.*`
 ENV KOMODO_CLI_CONFIG_KEYWORDS="*config.*,*komodo.cli*.*"

+ENTRYPOINT [ "entrypoint.sh" ]
 CMD [ "core" ]

+# Label to prevent Komodo from stopping with StopAllContainers
+LABEL komodo.skip="true"
 # Label for Ghcr
-LABEL org.opencontainers.image.source=https://github.com/moghtech/komodo
+LABEL org.opencontainers.image.source="https://github.com/moghtech/komodo"
 LABEL org.opencontainers.image.description="Komodo Core"
-LABEL org.opencontainers.image.licenses=GPL-3.0
+LABEL org.opencontainers.image.licenses="GPL-3.0"
--- a/bin/core/src/alert/discord.rs
+++ b/bin/core/src/alert/discord.rs
@@ -4,7 +4,6 @@ use serde::Serialize;

 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  alert: &Alert,
@@ -17,6 +16,48 @@ pub async fn send_alert(
        "{level} | If you see this message, then Alerter **{name}** is **working**\n{link}"
      )
    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | Swarm **{name}** is now **healthy**\n{link}"
+          )
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\n**error**: {e}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | Swarm **{name}** is **unhealthy** ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | **{name}**{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | **{name}**{region} | Version mismatch detected ⚠️\nPeriphery: **{server_version}** | Core: **{core_version}**\n{link}"
+          )
+        }
+      }
+    }
    AlertData::ServerUnreachable {
      id,
      name,
@@ -28,7 +69,7 @@ pub async fn send_alert(
      match alert.level {
        SeverityLevel::Ok => {
          format!(
-            "{level} | **{name}**{region} is now **reachable**\n{link}"
+            "{level} | **{name}**{region} is now **connected**\n{link}"
          )
        }
        SeverityLevel::Critical => {
@@ -87,6 +128,8 @@ pub async fn send_alert(
    AlertData::ContainerStateChange {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      from,
@@ -94,37 +137,64 @@ pub async fn send_alert(
    } => {
      let link = resource_link(ResourceTargetVariant::Deployment, id);
      let to = fmt_docker_container_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "📦 Deployment **{name}** is now **{to}**\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+        "📦 Deployment **{name}** is now **{to}**{target}\nprevious: **{from}**\n{link}"
      )
    }
    AlertData::DeploymentImageUpdateAvailable {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      image,
    } => {
      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "⬆ Deployment **{name}** has an update available\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+        "⬆ Deployment **{name}** has an update available{target}\nimage: **{image}**\n{link}"
      )
    }
    AlertData::DeploymentAutoUpdated {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      image,
    } => {
      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "⬆ Deployment **{name}** was updated automatically ⏫\nserver: **{server_name}**\nimage: **{image}**\n{link}"
+        "⬆ Deployment **{name}** was updated automatically ⏫{target}\nimage: **{image}**\n{link}"
      )
    }
    AlertData::StackStateChange {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      from,
@@ -132,26 +202,44 @@ pub async fn send_alert(
    } => {
      let link = resource_link(ResourceTargetVariant::Stack, id);
      let to = fmt_stack_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "🥞 Stack **{name}** is now {to}\nserver: **{server_name}**\nprevious: **{from}**\n{link}"
+        "🥞 Stack **{name}** is now {to}{target}\nprevious: **{from}**\n{link}"
      )
    }
    AlertData::StackImageUpdateAvailable {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      service,
      image,
    } => {
      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "⬆ Stack **{name}** has an update available\nserver: **{server_name}**\nservice: **{service}**\nimage: **{image}**\n{link}"
+        "⬆ Stack **{name}** has an update available{target}\nservice: **{service}**\nimage: **{image}**\n{link}"
      )
    }
    AlertData::StackAutoUpdated {
      id,
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
      server_name,
      images,
@@ -160,8 +248,15 @@ pub async fn send_alert(
      let images_label =
        if images.len() > 1 { "images" } else { "image" };
      let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: **{swarm}**")
+      } else if let Some(server) = server_name {
+        format!("\nserver: **{server}**")
+      } else {
+        String::new()
+      };
      format!(
-        "⬆ Stack **{name}** was updated automatically ⏫\nserver: **{server_name}**\n{images_label}: **{images}**\n{link}"
+        "⬆ Stack **{name}** was updated automatically ⏫{target}\n{images_label}: **{images}**\n{link}"
      )
    }
    AlertData::AwsBuilderTerminationFailed {
@@ -207,33 +302,45 @@ pub async fn send_alert(
        "{level} | **{name}** ({resource_type}) | Scheduled run started 🕝\n{link}"
      )
    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
+    }
    AlertData::None {} => Default::default(),
  };
-  if !content.is_empty() {
-    let VariablesAndSecrets { variables, secrets } =
-      get_variables_and_secrets().await?;
-    let mut url_interpolated = url.to_string();

-    let mut interpolator =
-      Interpolator::new(Some(&variables), &secrets);
-
-    interpolator.interpolate_string(&mut url_interpolated)?;
-
-    send_message(&url_interpolated, &content)
-      .await
-      .map_err(|e| {
-        let replacers = interpolator
-          .secret_replacers
-          .into_iter()
-          .collect::<Vec<_>>();
-        let sanitized_error =
-          svi::replace_in_string(&format!("{e:?}"), &replacers);
-        anyhow::Error::msg(format!(
-          "Error with slack request: {sanitized_error}"
-        ))
-      })?;
+  if content.is_empty() {
+    return Ok(());
  }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, &content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request to Discord: {sanitized_error}"
+      ))
+    })
 }

 async fn send_message(
--- a/bin/core/src/alert/mod.rs
+++ b/bin/core/src/alert/mod.rs
@@ -1,8 +1,6 @@
-use ::slack::types::Block;
 use anyhow::{Context, anyhow};
 use database::mungos::{find::find_collect, mongodb::bson::doc};
-use derive_variants::ExtractVariant;
-use futures::future::join_all;
+use futures_util::future::join_all;
 use interpolate::Interpolator;
 use komodo_client::entities::{
  ResourceTargetVariant,
@@ -12,7 +10,6 @@ use komodo_client::entities::{
  komodo_timestamp,
  stack::StackState,
 };
-use tracing::Instrument;

 use crate::helpers::query::get_variables_and_secrets;
 use crate::helpers::{
@@ -25,40 +22,33 @@ mod ntfy;
 mod pushover;
 mod slack;

-#[instrument(level = "debug")]
 pub async fn send_alerts(alerts: &[Alert]) {
  if alerts.is_empty() {
    return;
  }

-  let span =
-    info_span!("send_alerts", alerts = format!("{alerts:?}"));
-  async {
-    let Ok(alerters) = find_collect(
-      &db_client().alerters,
-      doc! { "config.enabled": true },
-      None,
-    )
-    .await
-    .inspect_err(|e| {
-      error!(
+  let Ok(alerters) = find_collect(
+    &db_client().alerters,
+    doc! { "config.enabled": true },
+    None,
+  )
+  .await
+  .inspect_err(|e| {
+    error!(
      "ERROR sending alerts | failed to get alerters from db | {e:#}"
    )
-    }) else {
-      return;
-    };
+  }) else {
+    return;
+  };

-    let handles =
-      alerts.iter().map(|alert| send_alert(&alerters, alert));
+  let handles = alerts
+    .iter()
+    .map(|alert| send_alert_to_alerters(&alerters, alert));

-    join_all(handles).await;
-  }
-  .instrument(span)
-  .await
+  join_all(handles).await;
 }

-#[instrument(level = "debug")]
-async fn send_alert(alerters: &[Alerter], alert: &Alert) {
+async fn send_alert_to_alerters(alerters: &[Alerter], alert: &Alert) {
  if alerters.is_empty() {
    return;
  }
@@ -90,14 +80,14 @@ pub async fn send_alert_to_alerter(
    return Ok(());
  }

-  let alert_type = alert.data.extract_variant();
+  let alert_variant: AlertDataVariant = (&alert.data).into();

  // In the test case, we don't want the filters inside this
  // block to stop the test from being sent to the alerting endpoint.
-  if alert_type != AlertDataVariant::Test {
+  if alert_variant != AlertDataVariant::Test {
    // Don't send if alert type not configured on the alerter
    if !alerter.config.alert_types.is_empty()
-      && !alerter.config.alert_types.contains(&alert_type)
+      && !alerter.config.alert_types.contains(&alert_variant)
    {
      return Ok(());
    }
@@ -161,7 +151,6 @@ pub async fn send_alert_to_alerter(
  }
 }

-#[instrument(level = "debug")]
 async fn send_custom_alert(
  url: &str,
  alert: &Alert,
@@ -250,3 +239,310 @@ fn resource_link(
    id,
  )
 }
+
+/// Standard message content format
+/// used by Ntfy, Pushover.
+fn standard_alert_content(alert: &Alert) -> String {
+  let level = fmt_level(alert.level);
+  match &alert.data {
+    AlertData::Test { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Alerter, id);
+      format!(
+        "{level} | If you see this message, then Alerter {name} is working\n{link}",
+      )
+    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      let link = resource_link(ResourceTargetVariant::Swarm, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | Swarm {name} is now healthy\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | Swarm {name} is unhealthy ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | {name}{region} | Periphery version now matches Core version ✅\n{link}"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | {name}{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}\n{link}"
+          )
+        }
+      }
+    }
+    AlertData::ServerUnreachable {
+      id,
+      name,
+      region,
+      err,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      match alert.level {
+        SeverityLevel::Ok => {
+          format!("{level} | {name}{region} is now connected\n{link}")
+        }
+        SeverityLevel::Critical => {
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e:#?}"))
+            .unwrap_or_default();
+          format!(
+            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
+          )
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerCpu {
+      id,
+      name,
+      region,
+      percentage,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      format!(
+        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
+      )
+    }
+    AlertData::ServerMem {
+      id,
+      name,
+      region,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ServerDisk {
+      id,
+      name,
+      region,
+      path,
+      used_gb,
+      total_gb,
+    } => {
+      let region = fmt_region(region);
+      let link = resource_link(ResourceTargetVariant::Server, id);
+      let percentage = 100.0 * used_gb / total_gb;
+      format!(
+        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
+      )
+    }
+    AlertData::ContainerStateChange {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let to_state = fmt_docker_container_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "📦Deployment {name} is now {to_state}{target}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::DeploymentImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "⬆ Deployment {name} has an update available{target}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::DeploymentAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Deployment, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "⬆ Deployment {name} was updated automatically{target}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackStateChange {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      from,
+      to,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let to_state = fmt_stack_state(to);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "🥞 Stack {name} is now {to_state}{target}\nprevious: {from}\n{link}",
+      )
+    }
+    AlertData::StackImageUpdateAvailable {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      service,
+      image,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "⬆ Stack {name} has an update available{target}\nservice: {service}\nimage: {image}\n{link}",
+      )
+    }
+    AlertData::StackAutoUpdated {
+      id,
+      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
+      server_name,
+      images,
+    } => {
+      let link = resource_link(ResourceTargetVariant::Stack, id);
+      let images_label =
+        if images.len() > 1 { "images" } else { "image" };
+      let images_str = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("\nswarm: {swarm}")
+      } else if let Some(server) = server_name {
+        format!("\nserver: {server}")
+      } else {
+        String::new()
+      };
+      format!(
+        "⬆ Stack {name} was updated automatically ⏫{target}\n{images_label}: {images_str}\n{link}",
+      )
+    }
+    AlertData::AwsBuilderTerminationFailed {
+      instance_id,
+      message,
+    } => {
+      format!(
+        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
+      )
+    }
+    AlertData::ResourceSyncPendingUpdates { id, name } => {
+      let link =
+        resource_link(ResourceTargetVariant::ResourceSync, id);
+      format!(
+        "{level} | Pending resource sync updates on {name}\n{link}",
+      )
+    }
+    AlertData::BuildFailed { id, name, version } => {
+      let link = resource_link(ResourceTargetVariant::Build, id);
+      format!(
+        "{level} | Build {name} failed\nversion: v{version}\n{link}",
+      )
+    }
+    AlertData::RepoBuildFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Repo, id);
+      format!("{level} | Repo build for {name} failed\n{link}",)
+    }
+    AlertData::ProcedureFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Procedure, id);
+      format!("{level} | Procedure {name} failed\n{link}")
+    }
+    AlertData::ActionFailed { id, name } => {
+      let link = resource_link(ResourceTargetVariant::Action, id);
+      format!("{level} | Action {name} failed\n{link}")
+    }
+    AlertData::ScheduleRun {
+      resource_type,
+      id,
+      name,
+    } => {
+      let link = resource_link(*resource_type, id);
+      format!(
+        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
+      )
+    }
+    AlertData::Custom { message, details } => {
+      format!(
+        "{level} | {message}{}",
+        if details.is_empty() {
+          String::new()
+        } else {
+          format!("\n{details}")
+        }
+      )
+    }
+    AlertData::None {} => Default::default(),
+  }
+}
--- a/bin/core/src/alert/ntfy.rs
+++ b/bin/core/src/alert/ntfy.rs
@@ -2,215 +2,38 @@ use std::sync::OnceLock;

 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  email: Option<&str>,
  alert: &Alert,
 ) -> anyhow::Result<()> {
-  let level = fmt_level(alert.level);
-  let content = match &alert.data {
-    AlertData::Test { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Alerter, id);
-      format!(
-        "{level} | If you see this message, then Alerter {name} is working\n{link}",
-      )
-    }
-    AlertData::ServerUnreachable {
-      id,
-      name,
-      region,
-      err,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      match alert.level {
-        SeverityLevel::Ok => {
-          format!("{level} | {name}{region} is now reachable\n{link}")
-        }
-        SeverityLevel::Critical => {
-          let err = err
-            .as_ref()
-            .map(|e| format!("\nerror: {e:#?}"))
-            .unwrap_or_default();
-          format!(
-            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
-          )
-        }
-        _ => unreachable!(),
-      }
-    }
-    AlertData::ServerCpu {
-      id,
-      name,
-      region,
-      percentage,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      format!(
-        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
-      )
-    }
-    AlertData::ServerMem {
-      id,
-      name,
-      region,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-      )
-    }
-    AlertData::ServerDisk {
-      id,
-      name,
-      region,
-      path,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-      )
-    }
-    AlertData::ContainerStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      let to_state = fmt_docker_container_state(to);
-      format!(
-        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
-      )
-    }
-    AlertData::DeploymentImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::DeploymentAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::StackStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let to_state = fmt_stack_state(to);
-      format!(
-        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
-      )
-    }
-    AlertData::StackImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      service,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      format!(
-        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::StackAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      images,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let images_label =
-        if images.len() > 1 { "images" } else { "image" };
-      let images_str = images.join(", ");
-      format!(
-        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
-      )
-    }
-    AlertData::AwsBuilderTerminationFailed {
-      instance_id,
-      message,
-    } => {
-      format!(
-        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
-      )
-    }
-    AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let link =
-        resource_link(ResourceTargetVariant::ResourceSync, id);
-      format!(
-        "{level} | Pending resource sync updates on {name}\n{link}",
-      )
-    }
-    AlertData::BuildFailed { id, name, version } => {
-      let link = resource_link(ResourceTargetVariant::Build, id);
-      format!(
-        "{level} | Build {name} failed\nversion: v{version}\n{link}",
-      )
-    }
-    AlertData::RepoBuildFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Repo, id);
-      format!("{level} | Repo build for {name} failed\n{link}",)
-    }
-    AlertData::ProcedureFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Procedure, id);
-      format!("{level} | Procedure {name} failed\n{link}")
-    }
-    AlertData::ActionFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Action, id);
-      format!("{level} | Action {name} failed\n{link}")
-    }
-    AlertData::ScheduleRun {
-      resource_type,
-      id,
-      name,
-    } => {
-      let link = resource_link(*resource_type, id);
-      format!(
-        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
-      )
-    }
-    AlertData::None {} => Default::default(),
-  };
-
-  if !content.is_empty() {
-    send_message(url, email, content).await?;
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
  }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, email, content)
+    .await
+    .map_err(|e| {
+      let replacers = interpolator
+        .secret_replacers
+        .into_iter()
+        .collect::<Vec<_>>();
+      let sanitized_error =
+        svi::replace_in_string(&format!("{e:?}"), &replacers);
+      anyhow::Error::msg(format!(
+        "Error with request to Ntfy: {sanitized_error}"
+      ))
+    })
 }

 async fn send_message(
@@ -220,7 +43,7 @@ async fn send_message(
 ) -> anyhow::Result<()> {
  let mut request = http_client()
    .post(url)
-    .header("Title", "ntfy Alert")
+    .header("Title", "Komodo Alert")
    .body(content);

  if let Some(email) = email {
@@ -241,9 +64,7 @@ async fn send_message(
      )
    })?;
    Err(anyhow!(
-      "Failed to send message to ntfy | {} | {}",
-      status,
-      text
+      "Failed to send message to ntfy | {status} | {text}",
    ))
  }
 }
--- a/bin/core/src/alert/pushover.rs
+++ b/bin/core/src/alert/pushover.rs
@@ -2,214 +2,35 @@ use std::sync::OnceLock;

 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  alert: &Alert,
 ) -> anyhow::Result<()> {
-  let level = fmt_level(alert.level);
-  let content = match &alert.data {
-    AlertData::Test { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Alerter, id);
-      format!(
-        "{level} | If you see this message, then Alerter {name} is working\n{link}",
-      )
-    }
-    AlertData::ServerUnreachable {
-      id,
-      name,
-      region,
-      err,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      match alert.level {
-        SeverityLevel::Ok => {
-          format!("{level} | {name}{region} is now reachable\n{link}")
-        }
-        SeverityLevel::Critical => {
-          let err = err
-            .as_ref()
-            .map(|e| format!("\nerror: {e:#?}"))
-            .unwrap_or_default();
-          format!(
-            "{level} | {name}{region} is unreachable ❌\n{link}{err}"
-          )
-        }
-        _ => unreachable!(),
-      }
-    }
-    AlertData::ServerCpu {
-      id,
-      name,
-      region,
-      percentage,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      format!(
-        "{level} | {name}{region} cpu usage at {percentage:.1}%\n{link}",
-      )
-    }
-    AlertData::ServerMem {
-      id,
-      name,
-      region,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {name}{region} memory usage at {percentage:.1}%💾\n\nUsing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-      )
-    }
-    AlertData::ServerDisk {
-      id,
-      name,
-      region,
-      path,
-      used_gb,
-      total_gb,
-    } => {
-      let region = fmt_region(region);
-      let link = resource_link(ResourceTargetVariant::Server, id);
-      let percentage = 100.0 * used_gb / total_gb;
-      format!(
-        "{level} | {name}{region} disk usage at {percentage:.1}%💿\nmount point: {path:?}\nusing {used_gb:.1} GiB / {total_gb:.1} GiB\n{link}",
-      )
-    }
-    AlertData::ContainerStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      let to_state = fmt_docker_container_state(to);
-      format!(
-        "📦Deployment {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
-      )
-    }
-    AlertData::DeploymentImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {name} has an update available\nserver: {server_name}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::DeploymentAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Deployment, id);
-      format!(
-        "⬆ Deployment {name} was updated automatically\nserver: {server_name}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::StackStateChange {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      from,
-      to,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let to_state = fmt_stack_state(to);
-      format!(
-        "🥞 Stack {name} is now {to_state}\nserver: {server_name}\nprevious: {from}\n{link}",
-      )
-    }
-    AlertData::StackImageUpdateAvailable {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      service,
-      image,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      format!(
-        "⬆ Stack {name} has an update available\nserver: {server_name}\nservice: {service}\nimage: {image}\n{link}",
-      )
-    }
-    AlertData::StackAutoUpdated {
-      id,
-      name,
-      server_id: _server_id,
-      server_name,
-      images,
-    } => {
-      let link = resource_link(ResourceTargetVariant::Stack, id);
-      let images_label =
-        if images.len() > 1 { "images" } else { "image" };
-      let images_str = images.join(", ");
-      format!(
-        "⬆ Stack {name} was updated automatically ⏫\nserver: {server_name}\n{images_label}: {images_str}\n{link}",
-      )
-    }
-    AlertData::AwsBuilderTerminationFailed {
-      instance_id,
-      message,
-    } => {
-      format!(
-        "{level} | Failed to terminate AWS builder instance\ninstance id: {instance_id}\n{message}",
-      )
-    }
-    AlertData::ResourceSyncPendingUpdates { id, name } => {
-      let link =
-        resource_link(ResourceTargetVariant::ResourceSync, id);
-      format!(
-        "{level} | Pending resource sync updates on {name}\n{link}",
-      )
-    }
-    AlertData::BuildFailed { id, name, version } => {
-      let link = resource_link(ResourceTargetVariant::Build, id);
-      format!(
-        "{level} | Build {name} failed\nversion: v{version}\n{link}",
-      )
-    }
-    AlertData::RepoBuildFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Repo, id);
-      format!("{level} | Repo build for {name} failed\n{link}",)
-    }
-    AlertData::ProcedureFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Procedure, id);
-      format!("{level} | Procedure {name} failed\n{link}")
-    }
-    AlertData::ActionFailed { id, name } => {
-      let link = resource_link(ResourceTargetVariant::Action, id);
-      format!("{level} | Action {name} failed\n{link}")
-    }
-    AlertData::ScheduleRun {
-      resource_type,
-      id,
-      name,
-    } => {
-      let link = resource_link(*resource_type, id);
-      format!(
-        "{level} | {name} ({resource_type}) | Scheduled run started 🕝\n{link}"
-      )
-    }
-    AlertData::None {} => Default::default(),
-  };
-
-  if !content.is_empty() {
-    send_message(url, content).await?;
+  let content = standard_alert_content(alert);
+  if content.is_empty() {
+    return Ok(());
  }
-  Ok(())
+
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();
+
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);
+
+  interpolator.interpolate_string(&mut url_interpolated)?;
+
+  send_message(&url_interpolated, content).await.map_err(|e| {
+    let replacers = interpolator
+      .secret_replacers
+      .into_iter()
+      .collect::<Vec<_>>();
+    let sanitized_error =
+      svi::replace_in_string(&format!("{e:?}"), &replacers);
+    anyhow::Error::msg(format!(
+      "Error with request to Pushover: {sanitized_error}"
+    ))
+  })
 }

 async fn send_message(
--- a/bin/core/src/alert/slack.rs
+++ b/bin/core/src/alert/slack.rs
@@ -1,6 +1,7 @@
+use ::slack::types::OwnedBlock as Block;
+
 use super::*;

-#[instrument(level = "debug")]
 pub async fn send_alert(
  url: &str,
  alert: &Alert,
@@ -23,6 +24,70 @@ pub async fn send_alert(
      ];
      (text, blocks.into())
    }
+    AlertData::SwarmUnhealthy { id, name, err } => {
+      match alert.level {
+        SeverityLevel::Ok => {
+          let text =
+            format!("{level} | Swarm *{name}* is now *healthy*");
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is now *healthy*"
+            )),
+          ];
+          (text, blocks.into())
+        }
+        SeverityLevel::Critical => {
+          let text =
+            format!("{level} | Swarm *{name}* is *unhealthy* ❌");
+          let err = err
+            .as_ref()
+            .map(|e| format!("\nerror: {e}"))
+            .unwrap_or_default();
+          let blocks = vec![
+            Block::header(level),
+            Block::section(format!(
+              "Swarm *{name}* is *unhealthy* ❌{err}"
+            )),
+            Block::section(resource_link(
+              ResourceTargetVariant::Server,
+              id,
+            )),
+          ];
+          (text, blocks.into())
+        }
+        _ => unreachable!(),
+      }
+    }
+    AlertData::ServerVersionMismatch {
+      id,
+      name,
+      region,
+      server_version,
+      core_version,
+    } => {
+      let region = fmt_region(region);
+      let text = match alert.level {
+        SeverityLevel::Ok => {
+          format!(
+            "{level} | *{name}*{region} | Periphery version now matches Core version ✅"
+          )
+        }
+        _ => {
+          format!(
+            "{level} | *{name}*{region} | Version mismatch detected ⚠️\nPeriphery: {server_version} | Core: {core_version}"
+          )
+        }
+      };
+      let blocks = vec![
+        Block::header(text.clone()),
+        Block::section(resource_link(
+          ResourceTargetVariant::Server,
+          id,
+        )),
+      ];
+      (text, blocks.into())
+    }
    AlertData::ServerUnreachable {
      id,
      name,
@@ -33,11 +98,11 @@ pub async fn send_alert(
      match alert.level {
        SeverityLevel::Ok => {
          let text =
-            format!("{level} | *{name}*{region} is now *reachable*");
+            format!("{level} | *{name}*{region} is now *connected*");
          let blocks = vec![
            Block::header(level),
            Block::section(format!(
-              "*{name}*{region} is now *reachable*"
+              "*{name}*{region} is now *connected*"
            )),
          ];
          (text, blocks.into())
@@ -209,19 +274,26 @@ pub async fn send_alert(
    }
    AlertData::ContainerStateChange {
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
      server_name,
      from,
      to,
      id,
-      ..
    } => {
      let to = fmt_docker_container_state(to);
      let text = format!("📦 Container *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: {server_name}\nprevious: {from}",
-        )),
+        Block::section(format!("{target}previous: {from}",)),
        Block::section(resource_link(
          ResourceTargetVariant::Deployment,
          id,
@@ -232,17 +304,24 @@ pub async fn send_alert(
    AlertData::DeploymentImageUpdateAvailable {
      id,
      name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
+      server_name,
      image,
    } => {
      let text =
        format!("⬆ Deployment *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nimage: *{image}*",
-        )),
+        Block::section(format!("{target}image: *{image}*",)),
        Block::section(resource_link(
          ResourceTargetVariant::Deployment,
          id,
@@ -253,17 +332,24 @@ pub async fn send_alert(
    AlertData::DeploymentAutoUpdated {
      id,
      name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
+      server_name,
      image,
    } => {
      let text =
        format!("⬆ Deployment *{name}* was updated automatically ⏫");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nimage: *{image}*",
-        )),
+        Block::section(format!("{target}image: *{image}*",)),
        Block::section(resource_link(
          ResourceTargetVariant::Deployment,
          id,
@@ -273,19 +359,26 @@ pub async fn send_alert(
    }
    AlertData::StackStateChange {
      name,
+      swarm_id: _swarm_id,
+      swarm_name,
+      server_id: _server_id,
      server_name,
      from,
      to,
      id,
-      ..
    } => {
      let to = fmt_stack_state(to);
      let text = format!("🥞 Stack *{name}* is now *{to}*");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\nprevious: *{from}*",
-        )),
+        Block::section(format!("{target}previous: *{from}*",)),
        Block::section(resource_link(
          ResourceTargetVariant::Stack,
          id,
@@ -296,16 +389,25 @@ pub async fn send_alert(
    AlertData::StackImageUpdateAvailable {
      id,
      name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
+      server_name,
      service,
      image,
    } => {
      let text = format!("⬆ Stack *{name}* has an update available");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
        Block::section(format!(
-          "server: *{server_name}*\nservice: *{service}*\nimage: *{image}*",
+          "{target}service: *{service}*\nimage: *{image}*",
        )),
        Block::section(resource_link(
          ResourceTargetVariant::Stack,
@@ -317,8 +419,10 @@ pub async fn send_alert(
    AlertData::StackAutoUpdated {
      id,
      name,
-      server_name,
+      swarm_id: _swarm_id,
+      swarm_name,
      server_id: _server_id,
+      server_name,
      images,
    } => {
      let text =
@@ -326,11 +430,18 @@ pub async fn send_alert(
      let images_label =
        if images.len() > 1 { "images" } else { "image" };
      let images = images.join(", ");
+      let target = if let Some(swarm) = swarm_name {
+        format!("swarm: *{swarm}*\n")
+      } else if let Some(server) = server_name {
+        format!("server: *{server}*\n")
+      } else {
+        String::new()
+      };
      let blocks = vec![
        Block::header(text.clone()),
-        Block::section(format!(
-          "server: *{server_name}*\n{images_label}: *{images}*",
-        )),
+        Block::section(
+          format!("{target}{images_label}: *{images}*",),
+        ),
        Block::section(resource_link(
          ResourceTargetVariant::Stack,
          id,
@@ -429,20 +540,31 @@ pub async fn send_alert(
      ];
      (text, blocks.into())
    }
+    AlertData::Custom { message, details } => {
+      let text = format!("{level} | {message}");
+      let blocks =
+        vec![Block::header(text.clone()), Block::section(details)];
+      (text, blocks.into())
+    }
    AlertData::None {} => Default::default(),
  };
-  if !text.is_empty() {
-    let VariablesAndSecrets { variables, secrets } =
-      get_variables_and_secrets().await?;
-    let mut url_interpolated = url.to_string();
+  if text.is_empty() {
+    return Ok(());
+  }
+  let VariablesAndSecrets { variables, secrets } =
+    get_variables_and_secrets().await?;
+  let mut url_interpolated = url.to_string();

-    let mut interpolator =
-      Interpolator::new(Some(&variables), &secrets);
+  let mut interpolator =
+    Interpolator::new(Some(&variables), &secrets);

-    interpolator.interpolate_string(&mut url_interpolated)?;
+  interpolator.interpolate_string(&mut url_interpolated)?;

-    let slack = ::slack::Client::new(url_interpolated);
-    slack.send_message(text, blocks).await.map_err(|e| {
+  let slack = ::slack::Client::new(url_interpolated);
+  slack
+    .send_owned_message_single(&text, None, blocks.as_deref())
+    .await
+    .map_err(|e| {
      let replacers = interpolator
        .secret_replacers
        .into_iter()
@@ -450,9 +572,8 @@ pub async fn send_alert(
      let sanitized_error =
        svi::replace_in_string(&format!("{e:?}"), &replacers);
      anyhow::Error::msg(format!(
-        "Error with slack request: {sanitized_error}"
+        "Error with request to Slack: {sanitized_error}"
      ))
    })?;
-  }
  Ok(())
 }
--- a/bin/core/src/api/auth.rs
+++ b/bin/core/src/api/auth.rs
@@ -1,158 +0,0 @@
-use std::{sync::OnceLock, time::Instant};
-
-use axum::{Router, extract::Path, http::HeaderMap, routing::post};
-use derive_variants::{EnumVariants, ExtractVariant};
-use komodo_client::{api::auth::*, entities::user::User};
-use resolver_api::Resolve;
-use response::Response;
-use serde::{Deserialize, Serialize};
-use serde_json::json;
-use serror::Json;
-use typeshare::typeshare;
-use uuid::Uuid;
-
-use crate::{
-  auth::{
-    get_user_id_from_headers,
-    github::{self, client::github_oauth_client},
-    google::{self, client::google_oauth_client},
-    oidc::{self, client::oidc_client},
-  },
-  config::core_config,
-  helpers::query::get_user,
-  state::jwt_client,
-};
-
-use super::Variant;
-
-#[derive(Default)]
-pub struct AuthArgs {
-  pub headers: HeaderMap,
-}
-
-#[typeshare]
-#[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
-)]
-#[args(AuthArgs)]
-#[response(Response)]
-#[error(serror::Error)]
-#[variant_derive(Debug)]
-#[serde(tag = "type", content = "params")]
-#[allow(clippy::enum_variant_names, clippy::large_enum_variant)]
-pub enum AuthRequest {
-  GetLoginOptions(GetLoginOptions),
-  SignUpLocalUser(SignUpLocalUser),
-  LoginLocalUser(LoginLocalUser),
-  ExchangeForJwt(ExchangeForJwt),
-  GetUser(GetUser),
-}
-
-pub fn router() -> Router {
-  let mut router = Router::new()
-    .route("/", post(handler))
-    .route("/{variant}", post(variant_handler));
-
-  if core_config().local_auth {
-    info!("🔑 Local Login Enabled");
-  }
-
-  if github_oauth_client().is_some() {
-    info!("🔑 Github Login Enabled");
-    router = router.nest("/github", github::router())
-  }
-
-  if google_oauth_client().is_some() {
-    info!("🔑 Google Login Enabled");
-    router = router.nest("/google", google::router())
-  }
-
-  if core_config().oidc_enabled {
-    info!("🔑 OIDC Login Enabled");
-    router = router.nest("/oidc", oidc::router())
-  }
-
-  router
-}
-
-async fn variant_handler(
-  headers: HeaderMap,
-  Path(Variant { variant }): Path<Variant>,
-  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
-  let req: AuthRequest = serde_json::from_value(json!({
-    "type": variant,
-    "params": params,
-  }))?;
-  handler(headers, Json(req)).await
-}
-
-#[instrument(name = "AuthHandler", level = "debug", skip(headers))]
-async fn handler(
-  headers: HeaderMap,
-  Json(request): Json<AuthRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
-  let req_id = Uuid::new_v4();
-  debug!(
-    "/auth request {req_id} | METHOD: {:?}",
-    request.extract_variant()
-  );
-  let res = request.resolve(&AuthArgs { headers }).await;
-  if let Err(e) = &res {
-    debug!("/auth request {req_id} | error: {:#}", e.error);
-  }
-  let elapsed = timer.elapsed();
-  debug!("/auth request {req_id} | resolve time: {elapsed:?}");
-  res.map(|res| res.0)
-}
-
-fn login_options_reponse() -> &'static GetLoginOptionsResponse {
-  static GET_LOGIN_OPTIONS_RESPONSE: OnceLock<
-    GetLoginOptionsResponse,
-  > = OnceLock::new();
-  GET_LOGIN_OPTIONS_RESPONSE.get_or_init(|| {
-    let config = core_config();
-    GetLoginOptionsResponse {
-      local: config.local_auth,
-      github: github_oauth_client().is_some(),
-      google: google_oauth_client().is_some(),
-      oidc: oidc_client().load().is_some(),
-      registration_disabled: config.disable_user_registration,
-    }
-  })
-}
-
-impl Resolve<AuthArgs> for GetLoginOptions {
-  #[instrument(name = "GetLoginOptions", level = "debug", skip(self))]
-  async fn resolve(
-    self,
-    _: &AuthArgs,
-  ) -> serror::Result<GetLoginOptionsResponse> {
-    Ok(*login_options_reponse())
-  }
-}
-
-impl Resolve<AuthArgs> for ExchangeForJwt {
-  #[instrument(name = "ExchangeForJwt", level = "debug", skip(self))]
-  async fn resolve(
-    self,
-    _: &AuthArgs,
-  ) -> serror::Result<ExchangeForJwtResponse> {
-    jwt_client()
-      .redeem_exchange_token(&self.token)
-      .await
-      .map_err(Into::into)
-  }
-}
-
-impl Resolve<AuthArgs> for GetUser {
-  #[instrument(name = "GetUser", level = "debug", skip(self))]
-  async fn resolve(
-    self,
-    AuthArgs { headers }: &AuthArgs,
-  ) -> serror::Result<User> {
-    let user_id = get_user_id_from_headers(headers).await?;
-    Ok(get_user(&user_id).await?)
-  }
-}
--- a/bin/core/src/api/execute/action.rs
+++ b/bin/core/src/api/execute/action.rs
@@ -1,22 +1,17 @@
 use std::{
  collections::HashSet,
  path::{Path, PathBuf},
-  str::FromStr,
  sync::OnceLock,
 };

 use anyhow::Context;
-use command::run_komodo_command;
-use config::merge_objects;
+use command::run_komodo_standard_command;
 use database::mungos::{
  by_id::update_one_by_id, mongodb::bson::to_document,
 };
 use interpolate::Interpolator;
 use komodo_client::{
-  api::{
-    execute::{BatchExecutionResponse, BatchRunAction, RunAction},
-    user::{CreateApiKey, CreateApiKeyResponse, DeleteApiKey},
-  },
+  api::execute::{BatchExecutionResponse, BatchRunAction, RunAction},
  entities::{
    FileFormat, JsonObject,
    action::Action,
@@ -24,21 +19,29 @@ use komodo_client::{
    config::core::CoreConfig,
    komodo_timestamp,
    permission::PermissionLevel,
+    random_string,
    update::Update,
    user::action_user,
  },
  parsers::parse_key_value_list,
 };
-use resolver_api::Resolve;
+use mogh_auth_client::api::manage::{
+  CreateApiKey, CreateApiKeyResponse,
+};
+use mogh_auth_server::api::manage::api_key::{
+  create_api_key, delete_api_key,
+};
+use mogh_config::merge_objects;
+use mogh_resolver::Resolve;
 use tokio::fs;

 use crate::{
  alert::send_alerts,
-  api::{execute::ExecuteRequest, user::UserArgs},
+  api::execute::ExecuteRequest,
+  auth::KomodoAuthImpl,
  config::core_config,
  helpers::{
    query::{VariablesAndSecrets, get_variables_and_secrets},
-    random_string,
    update::update_update,
  },
  permission::get_check_permissions,
@@ -59,11 +62,19 @@ impl super::BatchExecute for BatchRunAction {
 }

 impl Resolve<ExecuteArgs> for BatchRunAction {
-  #[instrument(name = "BatchRunAction", skip(self, user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunAction",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchRunAction>(&self.pattern, user)
        .await?,
@@ -72,11 +83,24 @@ impl Resolve<ExecuteArgs> for BatchRunAction {
 }

 impl Resolve<ExecuteArgs> for RunAction {
-  #[instrument(name = "RunAction", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunAction",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      action = self.action,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let mut action = get_check_permissions::<Action>(
      &self.action,
      user,
@@ -92,8 +116,11 @@ impl Resolve<ExecuteArgs> for RunAction {

    // This will set action state back to default when dropped.
    // Will also check to ensure action not already busy before updating.
-    let _action_guard =
-      action_state.update(|state| state.running = true)?;
+    let _action_guard = action_state.update_custom(
+      |state| state.running += 1,
+      |state| state.running -= 1,
+      false,
+    )?;

    let mut update = update.clone();

@@ -116,76 +143,87 @@ impl Resolve<ExecuteArgs> for RunAction {
    let args = serde_json::to_string(&args)
      .context("Failed to serialize action run arguments")?;

-    let CreateApiKeyResponse { key, secret } = CreateApiKey {
-      name: update.id.clone(),
-      expires: 0,
-    }
-    .resolve(&UserArgs {
-      user: action_user().to_owned(),
-    })
+    let CreateApiKeyResponse { key, secret } = create_api_key(
+      &KomodoAuthImpl,
+      action_user().id.clone(),
+      CreateApiKey {
+        name: update.id.clone(),
+        expires: 0,
+      },
+    )
    .await?;

-    let contents = &mut action.config.file_contents;
+    // Do next steps in seperate error handling block,
+    // and delete the API key before unwrapping the error.
+    // If Komodo shuts down during these steps, there will
+    // be a dangling api key in the DB with user_id: "000000000000000000000002".
+    // These need to be
+    let res = async {
+      let contents = &mut action.config.file_contents;

-    // Wrap the file contents in the execution context.
-    *contents = full_contents(contents, &args, &key, &secret);
+      // Wrap the file contents in the execution context.
+      *contents = full_contents(contents, &args, &key, &secret);

-    let replacers =
-      interpolate(contents, &mut update, key.clone(), secret.clone())
-        .await?
-        .into_iter()
-        .collect::<Vec<_>>();
+      let replacers = interpolate(
+        contents,
+        &mut update,
+        key.clone(),
+        secret.clone(),
+      )
+      .await?
+      .into_iter()
+      .collect::<Vec<_>>();

-    let file = format!("{}.ts", random_string(10));
-    let path = core_config().action_directory.join(&file);
+      let file = format!("{}.ts", random_string(10));
+      let path = core_config().action_directory.join(&file);

-    if let Some(parent) = path.parent() {
-      fs::create_dir_all(parent)
+      mogh_secret_file::write_async(&path, contents)
        .await
-        .with_context(|| format!("Failed to initialize Action file parent directory {parent:?}"))?;
+        .with_context(|| {
+          format!("Failed to write action file to {path:?}")
+        })?;
+
+      let CoreConfig { ssl_enabled, .. } = core_config();
+
+      let https_cert_flag = if *ssl_enabled {
+        " --unsafely-ignore-certificate-errors=localhost"
+      } else {
+        ""
+      };
+
+      let reload = if action.config.reload_deno_deps {
+        " --reload"
+      } else {
+        ""
+      };
+
+      let mut res = run_komodo_standard_command(
+        // Keep this stage name as is, the UI will find the latest update log by matching the stage name
+        "Execute Action",
+        None,
+        format!(
+          "deno run --allow-all{https_cert_flag}{reload} {}",
+          path.display()
+        ),
+      )
+      .await;
+
+      res.stdout = svi::replace_in_string(&res.stdout, &replacers)
+        .replace(&key, "<ACTION_API_KEY>");
+      res.stderr = svi::replace_in_string(&res.stderr, &replacers)
+        .replace(&secret, "<ACTION_API_SECRET>");
+
+      cleanup_run(file + ".js", &path).await;
+
+      update.logs.push(res);
+      update.finalize();
+
+      mogh_error::Ok(update)
    }
-
-    fs::write(&path, contents).await.with_context(|| {
-      format!("Failed to write action file to {path:?}")
-    })?;
-
-    let CoreConfig { ssl_enabled, .. } = core_config();
-
-    let https_cert_flag = if *ssl_enabled {
-      " --unsafely-ignore-certificate-errors=localhost"
-    } else {
-      ""
-    };
-
-    let reload = if action.config.reload_deno_deps {
-      " --reload"
-    } else {
-      ""
-    };
-
-    let mut res = run_komodo_command(
-      // Keep this stage name as is, the UI will find the latest update log by matching the stage name
-      "Execute Action",
-      None,
-      format!(
-        "deno run --allow-all{https_cert_flag}{reload} {}",
-        path.display()
-      ),
-    )
    .await;

-    res.stdout = svi::replace_in_string(&res.stdout, &replacers)
-      .replace(&key, "<ACTION_API_KEY>");
-    res.stderr = svi::replace_in_string(&res.stderr, &replacers)
-      .replace(&secret, "<ACTION_API_SECRET>");
-
-    cleanup_run(file + ".js", &path).await;
-
-    if let Err(e) = (DeleteApiKey { key })
-      .resolve(&UserArgs {
-        user: action_user().to_owned(),
-      })
-      .await
+    if let Err(e) =
+      delete_api_key(&KomodoAuthImpl, &action_user().id, key).await
    {
      warn!(
        "Failed to delete API key after action execution | {:#}",
@@ -193,8 +231,7 @@ impl Resolve<ExecuteArgs> for RunAction {
      );
    };

-    update.logs.push(res);
-    update.finalize();
+    let update = res?;

    // Need to manually update the update before cache refresh,
    // and before broadcast with update_update.
@@ -214,7 +251,6 @@ impl Resolve<ExecuteArgs> for RunAction {
    update_update(update.clone()).await?;

    if !update.success && action.config.failure_alert {
-      warn!("action unsuccessful, alerting...");
      let target = update.target.clone();
      tokio::spawn(async move {
        let alert = Alert {
@@ -237,12 +273,13 @@ impl Resolve<ExecuteArgs> for RunAction {
  }
 }

+#[instrument("Interpolate", skip(contents, update, secret))]
 async fn interpolate(
  contents: &mut String,
  update: &mut Update,
  key: String,
  secret: String,
-) -> serror::Result<HashSet<(String, String)>> {
+) -> mogh_error::Result<HashSet<(String, String)>> {
  let VariablesAndSecrets {
    variables,
    mut secrets,
@@ -322,6 +359,7 @@ main()
 /// Cleans up file at given path.
 /// ALSO if $DENO_DIR is set,
 /// will clean up the generated file matching "file"
+#[instrument("CleanupRun")]
 async fn cleanup_run(file: String, path: &Path) {
  if let Err(e) = fs::remove_file(path).await {
    warn!(
@@ -341,7 +379,7 @@ fn deno_dir() -> Option<&'static Path> {
  DENO_DIR
    .get_or_init(|| {
      let deno_dir = std::env::var("DENO_DIR").ok()?;
-      PathBuf::from_str(&deno_dir).ok()
+      Some(PathBuf::from(&deno_dir))
    })
    .as_deref()
 }
--- a/bin/core/src/api/execute/alerter.rs
+++ b/bin/core/src/api/execute/alerter.rs
@@ -1,27 +1,46 @@
+use anyhow::{Context, anyhow};
 use formatting::format_serror;
+use futures_util::{
+  StreamExt, TryStreamExt, stream::FuturesUnordered,
+};
 use komodo_client::{
-  api::execute::TestAlerter,
+  api::execute::{SendAlert, TestAlerter},
  entities::{
-    alert::{Alert, AlertData, SeverityLevel},
+    alert::{Alert, AlertData, AlertDataVariant, SeverityLevel},
    alerter::Alerter,
    komodo_timestamp,
    permission::PermissionLevel,
  },
 };
-use resolver_api::Resolve;
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;

 use crate::{
  alert::send_alert_to_alerter, helpers::update::update_update,
-  permission::get_check_permissions,
+  permission::get_check_permissions, resource::list_full_for_user,
 };

 use super::ExecuteArgs;

 impl Resolve<ExecuteArgs> for TestAlerter {
-  #[instrument(name = "TestAlerter", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "TestAlerter",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      alerter = self.alerter,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
  ) -> Result<Self::Response, Self::Error> {
    let alerter = get_check_permissions::<Alerter>(
      &self.alerter,
@@ -71,3 +90,110 @@ impl Resolve<ExecuteArgs> for TestAlerter {
    Ok(update)
  }
 }
+
+//
+
+impl Resolve<ExecuteArgs> for SendAlert {
+  #[instrument(
+    "SendAlert",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      request = format!("{self:?}"),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let alerters = list_full_for_user::<Alerter>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await?
+    .into_iter()
+    .filter(|a| {
+      a.config.enabled
+        && (self.alerters.is_empty()
+          || self.alerters.contains(&a.name)
+          || self.alerters.contains(&a.id))
+        && (a.config.alert_types.is_empty()
+          || a.config.alert_types.contains(&AlertDataVariant::Custom))
+    })
+    .collect::<Vec<_>>();
+
+    let alerters = if user.admin {
+      alerters
+    } else {
+      // Only keep alerters with execute permissions
+      alerters
+        .into_iter()
+        .map(|alerter| async move {
+          get_check_permissions::<Alerter>(
+            &alerter.id,
+            user,
+            PermissionLevel::Execute.into(),
+          )
+          .await
+        })
+        .collect::<FuturesUnordered<_>>()
+        .collect::<Vec<_>>()
+        .await
+        .into_iter()
+        .flatten()
+        .collect()
+    };
+
+    if alerters.is_empty() {
+      return Err(anyhow!(
+        "Could not find any valid alerters to send to, this required Execute permissions on the Alerter"
+      ).status_code(StatusCode::BAD_REQUEST));
+    }
+
+    let mut update = update.clone();
+
+    let ts = komodo_timestamp();
+
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      level: self.level,
+      target: update.target.clone(),
+      data: AlertData::Custom {
+        message: self.message,
+        details: self.details,
+      },
+      resolved_ts: Some(ts),
+    };
+
+    update.push_simple_log(
+      "Send alert",
+      serde_json::to_string_pretty(&alert)
+        .context("Failed to serialize alert to JSON")?,
+    );
+
+    if let Err(e) = alerters
+      .iter()
+      .map(|alerter| send_alert_to_alerter(alerter, &alert))
+      .collect::<FuturesUnordered<_>>()
+      .try_collect::<Vec<_>>()
+      .await
+    {
+      update.push_error_log("Send Error", format_serror(&e.into()));
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/build.rs
+++ b/bin/core/src/api/execute/build.rs
@@ -1,4 +1,8 @@
-use std::{future::IntoFuture, time::Duration};
+use std::{
+  collections::{HashMap, HashSet},
+  future::IntoFuture,
+  time::Duration,
+};

 use anyhow::{Context, anyhow};
 use database::mungos::{
@@ -10,35 +14,40 @@ use database::mungos::{
  },
 };
 use formatting::format_serror;
-use futures::future::join_all;
+use futures_util::future::join_all;
 use interpolate::Interpolator;
 use komodo_client::{
-  api::execute::{
-    BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
-    RunBuild,
+  api::{
+    execute::{
+      BatchExecutionResponse, BatchRunBuild, CancelBuild, Deploy,
+      RunBuild,
+    },
+    write::RefreshBuildCache,
  },
  entities::{
    alert::{Alert, AlertData, SeverityLevel},
    all_logs_success,
-    build::{Build, BuildConfig, ImageRegistryConfig},
+    build::{Build, BuildConfig},
    builder::{Builder, BuilderConfig},
    deployment::DeploymentState,
-    komodo_timestamp,
+    komodo_timestamp, optional_string,
    permission::PermissionLevel,
    repo::Repo,
    update::{Log, Update},
    user::auto_redeploy_user,
  },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;
+use uuid::Uuid;

 use crate::{
  alert::send_alerts,
+  api::write::WriteArgs,
  helpers::{
    build_git_token,
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    builder::{cleanup_builder_instance, connect_builder_periphery},
    channel::build_cancel_channel,
    query::{
      VariablesAndSecrets, get_deployment_state,
@@ -62,11 +71,19 @@ impl super::BatchExecute for BatchRunBuild {
 }

 impl Resolve<ExecuteArgs> for BatchRunBuild {
-  #[instrument(name = "BatchRunBuild", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunBuild",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchRunBuild>(&self.pattern, user)
        .await?,
@@ -75,11 +92,24 @@ impl Resolve<ExecuteArgs> for BatchRunBuild {
 }

 impl Resolve<ExecuteArgs> for RunBuild {
-  #[instrument(name = "RunBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunBuild",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let mut build = get_check_permissions::<Build>(
      &self.build,
      user,
@@ -133,8 +163,8 @@ impl Resolve<ExecuteArgs> for RunBuild {
    let git_token =
      build_git_token(&mut build, repo.as_mut()).await?;

-    let registry_token =
-      validate_account_extract_registry_token(&build).await?;
+    let registry_tokens =
+      validate_account_extract_registry_tokens(&build).await?;

    let cancel = CancellationToken::new();
    let cancel_clone = cancel.clone();
@@ -164,7 +194,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
            update.finalize();
            let id = update.id.clone();
            if let Err(e) = update_update(update).await {
-              warn!("failed to modify Update {id} on db | {e:#}");
+              warn!("Failed to modify Update {id} on db | {e:#}");
            }
            if !is_server_builder {
              cancel_clone.cancel();
@@ -182,7 +212,7 @@ impl Resolve<ExecuteArgs> for RunBuild {
    });

    // GET BUILDER PERIPHERY
-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
      build.name.clone(),
      Some(build.config.version),
      builder,
@@ -193,12 +223,12 @@ impl Resolve<ExecuteArgs> for RunBuild {
      Ok(builder) => builder,
      Err(e) => {
        warn!(
-          "failed to get builder for build {} | {e:#}",
+          "Failed to get Builder for Build {} | {e:#}",
          build.name
        );
        update.logs.push(Log::error(
-          "get builder",
-          format_serror(&e.context("failed to get builder").into()),
+          "Get Builder",
+          format_serror(&e.context("Failed to get Builder").into()),
        ));
        return handle_early_return(
          update, build.id, build.name, false,
@@ -243,18 +273,18 @@ impl Resolve<ExecuteArgs> for RunBuild {
            replacers: Default::default(),
          }) => res,
        _ = cancel.cancelled() => {
-          debug!("build cancelled during clone, cleaning up builder");
-          update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-          cleanup_builder_instance(cleanup_data, &mut update)
+          debug!("Build cancelled during clone, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("user cancelled build during repo clone"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
            .await;
-          info!("builder cleaned up");
+          info!("Builder cleaned up");
          return handle_early_return(update, build.id, build.name, true).await
        },
      };

      let commit_message = match res {
        Ok(res) => {
-          debug!("finished repo clone");
+          debug!("Finished repo clone");
          update.logs.extend(res.res.logs);
          update.commit_hash =
            res.res.commit_hash.unwrap_or_default().to_string();
@@ -284,19 +314,17 @@ impl Resolve<ExecuteArgs> for RunBuild {
          .request(api::build::Build {
            build: build.clone(),
            repo,
-            registry_token,
+            registry_tokens,
            replacers: secret_replacers.into_iter().collect(),
-            // Push a commit hash tagged image
-            additional_tags: if update.commit_hash.is_empty() {
-              Default::default()
-            } else {
-              vec![update.commit_hash.clone()]
-            },
-          }) => res.context("failed at call to periphery to build"),
+            // To push a commit hash tagged image
+            commit_hash: optional_string(&update.commit_hash),
+            // Unused for now
+            additional_tags: Default::default(),
+          }) => res.context("Failed at call to Periphery to build"),
        _ = cancel.cancelled() => {
-          info!("build cancelled during build, cleaning up builder");
-          update.push_error_log("build cancelled", String::from("user cancelled build during docker build"));
-          cleanup_builder_instance(cleanup_data, &mut update)
+          info!("Build cancelled during build, cleaning up builder");
+          update.push_error_log("Build cancelled", String::from("User cancelled build during docker build"));
+          cleanup_builder_instance(periphery, cleanup_data, &mut update)
            .await;
          return handle_early_return(update, build.id, build.name, true).await
        },
@@ -308,10 +336,10 @@ impl Resolve<ExecuteArgs> for RunBuild {
          update.logs.extend(logs);
        }
        Err(e) => {
-          warn!("error in build | {e:#}");
+          warn!("Error in build | {e:#}");
          update.push_error_log(
-            "build",
-            format_serror(&e.context("failed to build").into()),
+            "Build Error",
+            format_serror(&e.context("Failed to build").into()),
          )
        }
      };
@@ -342,7 +370,8 @@ impl Resolve<ExecuteArgs> for RunBuild {

    // If building on temporary cloud server (AWS),
    // this will terminate the server.
-    cleanup_builder_instance(cleanup_data, &mut update).await;
+    cleanup_builder_instance(periphery, cleanup_data, &mut update)
+      .await;

    // Need to manually update the update before cache refresh,
    // and before broadcast with add_update.
@@ -361,13 +390,15 @@ impl Resolve<ExecuteArgs> for RunBuild {

    update_update(update.clone()).await?;

+    let Build { id, name, .. } = build;
+
    if update.success {
      // don't hold response up for user
      tokio::spawn(async move {
-        handle_post_build_redeploy(&build.id).await;
+        handle_post_build_redeploy(&id).await;
      });
    } else {
-      warn!("build unsuccessful, alerting...");
+      let name = name.clone();
      let target = update.target.clone();
      let version = update.version;
      tokio::spawn(async move {
@@ -378,27 +409,33 @@ impl Resolve<ExecuteArgs> for RunBuild {
          resolved_ts: Some(komodo_timestamp()),
          resolved: true,
          level: SeverityLevel::Warning,
-          data: AlertData::BuildFailed {
-            id: build.id,
-            name: build.name,
-            version,
-          },
+          data: AlertData::BuildFailed { id, name, version },
        };
        send_alerts(&[alert]).await
      });
    }

+    if let Err(e) = (RefreshBuildCache { build: name })
+      .resolve(&WriteArgs { user: user.clone() })
+      .await
+    {
+      update.push_error_log(
+        "Refresh build cache",
+        format_serror(&e.error.into()),
+      );
+    }
+
    Ok(update.clone())
  }
 }

-#[instrument(skip(update))]
+#[instrument("HandleEarlyReturn", skip(update))]
 async fn handle_early_return(
  mut update: Update,
  build_id: String,
  build_name: String,
  is_cancel: bool,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
  update.finalize();
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
@@ -416,7 +453,6 @@ async fn handle_early_return(
  }
  update_update(update.clone()).await?;
  if !update.success && !is_cancel {
-    warn!("build unsuccessful, alerting...");
    let target = update.target.clone();
    let version = update.version;
    tokio::spawn(async move {
@@ -486,11 +522,24 @@ pub async fn validate_cancel_build(
 }

 impl Resolve<ExecuteArgs> for CancelBuild {
-  #[instrument(name = "CancelBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CancelBuild",
+    skip(user, update),
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      build = self.build,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let build = get_check_permissions::<Build>(
      &self.build,
      user,
@@ -537,7 +586,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
      .await
      {
        warn!(
-          "failed to set CancelBuild Update status Complete after timeout | {e:#}"
+          "Failed to set CancelBuild Update status Complete after timeout | {e:#}"
        )
      }
    });
@@ -546,7 +595,7 @@ impl Resolve<ExecuteArgs> for CancelBuild {
  }
 }

-#[instrument]
+#[instrument("PostBuildRedeploy")]
 async fn handle_post_build_redeploy(build_id: &str) {
  let Ok(redeploy_deployments) = find_collect(
    &db_client().deployments,
@@ -582,7 +631,11 @@ async fn handle_post_build_redeploy(build_id: &str) {
              stop_signal: None,
              stop_time: None,
            }
-            .resolve(&ExecuteArgs { user, update })
+            .resolve(&ExecuteArgs {
+              user,
+              update,
+              task_id: Uuid::new_v4(),
+            })
            .await
          }
          .await;
@@ -608,34 +661,49 @@ async fn handle_post_build_redeploy(build_id: &str) {
 /// This will make sure that a build with non-none image registry has an account attached,
 /// and will check the core config for a token matching requirements.
 /// Otherwise it is left to periphery.
-async fn validate_account_extract_registry_token(
+#[instrument("ValidateRegistryTokens")]
+async fn validate_account_extract_registry_tokens(
  Build {
-    config:
-      BuildConfig {
-        image_registry:
-          ImageRegistryConfig {
-            domain, account, ..
-          },
-        ..
-      },
+    config: BuildConfig { image_registry, .. },
    ..
  }: &Build,
-) -> serror::Result<Option<String>> {
-  if domain.is_empty() {
-    return Ok(None);
-  }
-  if account.is_empty() {
-    return Err(
-      anyhow!(
-        "Must attach account to use registry provider {domain}"
-      )
-      .into(),
+  // Maps (domain, account) -> token
+) -> mogh_error::Result<Vec<(String, String, String)>> {
+  let mut res = HashMap::with_capacity(image_registry.capacity());
+
+  for (domain, account) in image_registry
+    .iter()
+    .map(|r| (r.domain.as_str(), r.account.as_str()))
+    // This ensures uniqueness / prevents redundant logins
+    .collect::<HashSet<_>>()
+  {
+    if domain.is_empty() {
+      continue;
+    }
+    if account.is_empty() {
+      return Err(
+        anyhow!(
+          "Must attach account to use registry provider {domain}"
+        )
+        .into(),
+      );
+    }
+    let Some(registry_token) = registry_token(domain, account).await.with_context(
+      || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
+    )? else {
+      continue;
+    };
+
+    res.insert(
+      (domain.to_string(), account.to_string()),
+      registry_token,
    );
  }

-  let registry_token = registry_token(domain, account).await.with_context(
-    || format!("Failed to get registry token in call to db. Stopping run. | {domain} | {account}"),
-  )?;
-
-  Ok(registry_token)
+  Ok(
+    res
+      .into_iter()
+      .map(|((domain, account), token)| (domain, account, token))
+      .collect(),
+  )
 }
--- a/bin/core/src/api/execute/deployment.rs
+++ b/bin/core/src/api/execute/deployment.rs
@@ -1,37 +1,39 @@
 use std::sync::OnceLock;

 use anyhow::{Context, anyhow};
-use cache::TimeoutCache;
 use formatting::format_serror;
 use interpolate::Interpolator;
 use komodo_client::{
  api::execute::*,
  entities::{
-    Version,
+    SwarmOrServer, Version,
    build::{Build, ImageRegistryConfig},
    deployment::{
-      Deployment, DeploymentImage, extract_registry_domain,
+      Deployment, DeploymentImage, DeploymentInfo,
+      extract_registry_domain,
    },
-    get_image_name, komodo_timestamp, optional_string,
+    komodo_timestamp, optional_string,
    permission::PermissionLevel,
    server::Server,
    update::{Log, Update},
-    user::User,
  },
 };
+use mogh_cache::TimeoutCache;
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
+use reqwest::StatusCode;

 use crate::{
  helpers::{
    periphery_client,
    query::{VariablesAndSecrets, get_variables_and_secrets},
    registry_token,
+    swarm::swarm_request,
    update::update_update,
  },
-  monitor::update_cache_for_server,
-  permission::get_check_permissions,
-  resource,
+  monitor::{refresh_server_cache, refresh_swarm_cache},
+  resource::{self, setup_deployment_execution},
  state::action_states,
 };

@@ -49,11 +51,19 @@ impl super::BatchExecute for BatchDeploy {
 }

 impl Resolve<ExecuteArgs> for BatchDeploy {
-  #[instrument(name = "BatchDeploy", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDeploy",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchDeploy>(&self.pattern, user)
        .await?,
@@ -61,39 +71,36 @@ impl Resolve<ExecuteArgs> for BatchDeploy {
  }
 }

-async fn setup_deployment_execution(
-  deployment: &str,
-  user: &User,
-) -> anyhow::Result<(Deployment, Server)> {
-  let deployment = get_check_permissions::<Deployment>(
-    deployment,
-    user,
-    PermissionLevel::Execute.into(),
-  )
-  .await?;
-
-  if deployment.config.server_id.is_empty() {
-    return Err(anyhow!("Deployment has no Server configured"));
-  }
-
-  let server =
-    resource::get::<Server>(&deployment.config.server_id).await?;
-
-  if !server.config.enabled {
-    return Err(anyhow!("Attached Server is not enabled"));
-  }
-
-  Ok((deployment, server))
-}
-
 impl Resolve<ExecuteArgs> for Deploy {
-  #[instrument(name = "Deploy", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "Deploy",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      stop_signal = format!("{:?}", self.stop_signal),
+      stop_time = self.stop_time,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (mut deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (mut deployment, swarm_or_server) =
+      setup_deployment_execution(
+        &self.deployment,
+        user,
+        PermissionLevel::Execute.into(),
+      )
+      .await?;
+
+    swarm_or_server.verify_has_target()?;

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -108,15 +115,18 @@ impl Resolve<ExecuteArgs> for Deploy {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

    // This block resolves the attached Build to an actual versioned image
    let (version, registry_token) = match &deployment.config.image {
      DeploymentImage::Build { build_id, version } => {
        let build = resource::get::<Build>(build_id).await?;
-        let image_name = get_image_name(&build)
-          .context("failed to create image name")?;
+        let image_names = build.get_image_names();
+        let image_name = image_names
+          .first()
+          .context("No image name could be created")
+          .context("Failed to create image name")?;
        let version = if version.is_none() {
          build.config.version
        } else {
@@ -133,21 +143,27 @@ impl Resolve<ExecuteArgs> for Deploy {
        deployment.config.image = DeploymentImage::Image {
          image: format!("{image_name}:{version_str}"),
        };
-        if build.config.image_registry.domain.is_empty() {
+        let first_registry = build
+          .config
+          .image_registry
+          .first()
+          .unwrap_or(ImageRegistryConfig::static_default());
+        if first_registry.domain.is_empty() {
          (version, None)
        } else {
          let ImageRegistryConfig {
            domain, account, ..
-          } = build.config.image_registry;
+          } = first_registry;
          if deployment.config.image_registry_account.is_empty() {
-            deployment.config.image_registry_account = account
+            deployment.config.image_registry_account =
+              account.to_string();
          }
          let token = if !deployment
            .config
            .image_registry_account
            .is_empty()
          {
-            registry_token(&domain, &deployment.config.image_registry_account).await.with_context(
+            registry_token(domain, &deployment.config.image_registry_account).await.with_context(
              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {}", deployment.config.image_registry_account),
            )?
          } else {
@@ -194,26 +210,72 @@ impl Resolve<ExecuteArgs> for Deploy {
    update.version = version;
    update_update(update.clone()).await?;

-    match periphery_client(&server)?
-      .request(api::container::Deploy {
-        deployment,
-        stop_signal: self.stop_signal,
-        stop_time: self.stop_time,
-        registry_token,
-        replacers: secret_replacers.into_iter().collect(),
-      })
-      .await
-    {
-      Ok(log) => update.logs.push(log),
-      Err(e) => {
-        update.push_error_log(
-          "Deploy Container",
-          format_serror(&e.into()),
-        );
-      }
-    };
+    let deployment_id = deployment.id.clone();

-    update_cache_for_server(&server).await;
+    match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        match swarm_request(
+          &swarm.config.server_ids,
+          api::swarm::CreateSwarmService {
+            deployment,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          },
+        )
+        .await
+        {
+          Ok(logs) => {
+            refresh_swarm_cache(&swarm, true).await;
+            update.logs.extend(logs)
+          }
+          Err(e) => {
+            update.push_error_log(
+              "Create Swarm Service",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+      SwarmOrServer::Server(server) => {
+        match periphery_client(&server)
+          .await?
+          .request(api::container::RunContainer {
+            deployment,
+            stop_signal: self.stop_signal,
+            stop_time: self.stop_time,
+            registry_token,
+            replacers: secret_replacers.into_iter().collect(),
+          })
+          .await
+        {
+          Ok(log) => {
+            refresh_server_cache(&server, true).await;
+            update.logs.push(log)
+          }
+          Err(e) => {
+            update.push_error_log(
+              "Deploy Container",
+              format_serror(&e.into()),
+            );
+          }
+        };
+      }
+    }
+
+    if let Err(e) = resource::update_info::<Deployment>(
+      &deployment_id,
+      &DeploymentInfo {
+        latest_image_digest: Default::default(),
+      },
+    )
+    .await
+    {
+      warn!(
+        "Failed to update deployment {} info after deploy | {e:#}",
+        deployment_id
+      );
+    }

    update.finalize();
    update_update(update.clone()).await?;
@@ -233,6 +295,14 @@ fn pull_cache() -> &'static PullCache {
  PULL_CACHE.get_or_init(Default::default)
 }

+#[instrument(
+  "PullDeploymentInner",
+  skip_all,
+  fields(
+    deployment = deployment.id,
+    server = server.id
+  )
+)]
 pub async fn pull_deployment_inner(
  deployment: Deployment,
  server: &Server,
@@ -240,8 +310,11 @@ pub async fn pull_deployment_inner(
  let (image, account, token) = match deployment.config.image {
    DeploymentImage::Build { build_id, version } => {
      let build = resource::get::<Build>(&build_id).await?;
-      let image_name = get_image_name(&build)
-        .context("failed to create image name")?;
+      let image_names = build.get_image_names();
+      let image_name = image_names
+        .first()
+        .context("No image name could be created")
+        .context("Failed to create image name")?;
      let version = if version.is_none() {
        build.config.version.to_string()
      } else {
@@ -255,26 +328,31 @@ pub async fn pull_deployment_inner(
      };
      // replace image with corresponding build image.
      let image = format!("{image_name}:{version}");
-      if build.config.image_registry.domain.is_empty() {
+      let first_registry = build
+        .config
+        .image_registry
+        .first()
+        .unwrap_or(ImageRegistryConfig::static_default());
+      if first_registry.domain.is_empty() {
        (image, None, None)
      } else {
        let ImageRegistryConfig {
          domain, account, ..
-        } = build.config.image_registry;
+        } = first_registry;
        let account =
          if deployment.config.image_registry_account.is_empty() {
            account
          } else {
-            deployment.config.image_registry_account
+            &deployment.config.image_registry_account
          };
        let token = if !account.is_empty() {
-          registry_token(&domain, &account).await.with_context(
+          registry_token(domain, account).await.with_context(
              || format!("Failed to get git token in call to db. Stopping run. | {domain} | {account}"),
            )?
        } else {
          None
        };
-        (image, optional_string(&account), token)
+        (image, optional_string(account), token)
      }
    }
    DeploymentImage::Image { image } => {
@@ -314,8 +392,9 @@ pub async fn pull_deployment_inner(
  }

  let res = async {
-    let log = match periphery_client(server)?
-      .request(api::image::PullImage {
+    let log = match periphery_client(server)
+      .await?
+      .request(api::docker::PullImage {
        name: image,
        account,
        token,
@@ -326,7 +405,7 @@ pub async fn pull_deployment_inner(
      Err(e) => Log::error("Pull image", format_serror(&e.into())),
    };

-    update_cache_for_server(server).await;
+    refresh_server_cache(server, true).await;
    anyhow::Ok(log)
  }
  .await;
@@ -339,13 +418,37 @@ pub async fn pull_deployment_inner(
 }

 impl Resolve<ExecuteArgs> for PullDeployment {
-  #[instrument(name = "PullDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PullDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("PullDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -359,7 +462,7 @@ impl Resolve<ExecuteArgs> for PullDeployment {
      action_state.update(|state| state.pulling = true)?;

    let mut update = update.clone();
-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

    let log = pull_deployment_inner(deployment, &server).await?;
@@ -373,13 +476,37 @@ impl Resolve<ExecuteArgs> for PullDeployment {
 }

 impl Resolve<ExecuteArgs> for StartDeployment {
-  #[instrument(name = "StartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StartDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("StartDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -394,10 +521,11 @@ impl Resolve<ExecuteArgs> for StartDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
      .request(api::container::StartContainer {
        name: deployment.name,
      })
@@ -411,7 +539,7 @@ impl Resolve<ExecuteArgs> for StartDeployment {
    };

    update.logs.push(log);
-    update_cache_for_server(&server).await;
+    refresh_server_cache(&server, true).await;
    update.finalize();
    update_update(update.clone()).await?;

@@ -420,13 +548,37 @@ impl Resolve<ExecuteArgs> for StartDeployment {
 }

 impl Resolve<ExecuteArgs> for RestartDeployment {
-  #[instrument(name = "RestartDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RestartDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("RestartDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -441,10 +593,11 @@ impl Resolve<ExecuteArgs> for RestartDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
      .request(api::container::RestartContainer {
        name: deployment.name,
      })
@@ -460,7 +613,7 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
    };

    update.logs.push(log);
-    update_cache_for_server(&server).await;
+    refresh_server_cache(&server, true).await;
    update.finalize();
    update_update(update.clone()).await?;

@@ -469,13 +622,37 @@ impl Resolve<ExecuteArgs> for RestartDeployment {
 }

 impl Resolve<ExecuteArgs> for PauseDeployment {
-  #[instrument(name = "PauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PauseDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("PauseDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -490,10 +667,11 @@ impl Resolve<ExecuteArgs> for PauseDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
      .request(api::container::PauseContainer {
        name: deployment.name,
      })
@@ -507,7 +685,7 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
    };

    update.logs.push(log);
-    update_cache_for_server(&server).await;
+    refresh_server_cache(&server, true).await;
    update.finalize();
    update_update(update.clone()).await?;

@@ -516,13 +694,37 @@ impl Resolve<ExecuteArgs> for PauseDeployment {
 }

 impl Resolve<ExecuteArgs> for UnpauseDeployment {
-  #[instrument(name = "UnpauseDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "UnpauseDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("UnpauseDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -537,10 +739,11 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
      .request(api::container::UnpauseContainer {
        name: deployment.name,
      })
@@ -556,7 +759,7 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
    };

    update.logs.push(log);
-    update_cache_for_server(&server).await;
+    refresh_server_cache(&server, true).await;
    update.finalize();
    update_update(update.clone()).await?;

@@ -565,13 +768,39 @@ impl Resolve<ExecuteArgs> for UnpauseDeployment {
 }

 impl Resolve<ExecuteArgs> for StopDeployment {
-  #[instrument(name = "StopDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "StopDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
+      return Err(
+        anyhow!("StopDeployment should not be called for Deployment in Swarm Mode")
+          .status_code(StatusCode::BAD_REQUEST),
+      );
+    };

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -586,10 +815,11 @@ impl Resolve<ExecuteArgs> for StopDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
+    let log = match periphery_client(&server)
+      .await?
      .request(api::container::StopContainer {
        name: deployment.name,
        signal: self
@@ -611,7 +841,7 @@ impl Resolve<ExecuteArgs> for StopDeployment {
    };

    update.logs.push(log);
-    update_cache_for_server(&server).await;
+    refresh_server_cache(&server, true).await;
    update.finalize();
    update_update(update.clone()).await?;

@@ -631,11 +861,19 @@ impl super::BatchExecute for BatchDestroyDeployment {
 }

 impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
-  #[instrument(name = "BatchDestroyDeployment", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchDestroyDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchDestroyDeployment>(
        &self.pattern,
@@ -647,13 +885,34 @@ impl Resolve<ExecuteArgs> for BatchDestroyDeployment {
 }

 impl Resolve<ExecuteArgs> for DestroyDeployment {
-  #[instrument(name = "DestroyDeployment", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "DestroyDeployment",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      deployment = self.deployment,
+      signal = format!("{:?}", self.signal),
+      time = self.time,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
-    let (deployment, server) =
-      setup_deployment_execution(&self.deployment, user).await?;
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    swarm_or_server.verify_has_target()?;

    // get the action state for the deployment (or insert default).
    let action_state = action_states()
@@ -668,33 +927,65 @@ impl Resolve<ExecuteArgs> for DestroyDeployment {

    let mut update = update.clone();

-    // Send update after setting action state, this way frontend gets correct state.
+    // Send update after setting action state, this way UI gets correct state.
    update_update(update.clone()).await?;

-    let log = match periphery_client(&server)?
-      .request(api::container::RemoveContainer {
-        name: deployment.name,
-        signal: self
-          .signal
-          .unwrap_or(deployment.config.termination_signal)
-          .into(),
-        time: self
-          .time
-          .unwrap_or(deployment.config.termination_timeout)
-          .into(),
-      })
-      .await
-    {
-      Ok(log) => log,
-      Err(e) => Log::error(
-        "stop container",
-        format_serror(&e.context("failed to stop container").into()),
-      ),
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        match swarm_request(
+          &swarm.config.server_ids,
+          api::swarm::RemoveSwarmServices {
+            services: vec![deployment.name],
+          },
+        )
+        .await
+        {
+          Ok(log) => {
+            refresh_swarm_cache(&swarm, true).await;
+            log
+          }
+          Err(e) => Log::error(
+            "Remove Swarm Service",
+            format_serror(
+              &e.context("Failed to remove swarm service").into(),
+            ),
+          ),
+        }
+      }
+      SwarmOrServer::Server(server) => {
+        match periphery_client(&server)
+          .await?
+          .request(api::container::RemoveContainer {
+            name: deployment.name,
+            signal: self
+              .signal
+              .unwrap_or(deployment.config.termination_signal)
+              .into(),
+            time: self
+              .time
+              .unwrap_or(deployment.config.termination_timeout)
+              .into(),
+          })
+          .await
+        {
+          Ok(log) => {
+            refresh_server_cache(&server, true).await;
+            log
+          }
+          Err(e) => Log::error(
+            "Destroy Container",
+            format_serror(
+              &e.context("Failed to destroy container").into(),
+            ),
+          ),
+        }
+      }
    };

    update.logs.push(log);
    update.finalize();
-    update_cache_for_server(&server).await;
+
    update_update(update.clone()).await?;

    Ok(update)
--- a/bin/core/src/api/execute/maintenance.rs
+++ b/bin/core/src/api/execute/maintenance.rs
@@ -1,29 +1,42 @@
-use std::sync::OnceLock;
+use std::{fmt::Write as _, sync::OnceLock};

 use anyhow::{Context, anyhow};
-use command::run_komodo_command;
-use database::mungos::{find::find_collect, mongodb::bson::doc};
+use command::run_komodo_standard_command;
+use database::{
+  bson::{Document, doc},
+  mungos::find::find_collect,
+};
 use formatting::{bold, format_serror};
+use futures_util::{StreamExt, stream::FuturesOrdered};
 use komodo_client::{
  api::execute::{
    BackupCoreDatabase, ClearRepoCache, GlobalAutoUpdate,
+    RotateAllServerKeys, RotateCoreKeys,
  },
  entities::{
-    deployment::DeploymentState, server::ServerState,
+    SwarmOrServer, deployment::DeploymentState, server::ServerState,
    stack::StackState,
  },
 };
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use periphery_client::api;
 use reqwest::StatusCode;
-use resolver_api::Resolve;
-use serror::AddStatusCodeError;
 use tokio::sync::Mutex;

 use crate::{
-  api::execute::{
-    ExecuteArgs, pull_deployment_inner, pull_stack_inner,
+  api::{
+    execute::ExecuteArgs,
+    write::{
+      check_deployment_for_update_inner, check_stack_for_update_inner,
+    },
  },
-  config::core_config,
-  helpers::update::update_update,
+  config::{core_config, core_keys},
+  helpers::{
+    periphery_client, query::find_swarm_or_server,
+    update::update_update,
+  },
+  resource::rotate_server_keys,
  state::{
    db_client, deployment_status_cache, server_status_cache,
    stack_status_cache,
@@ -38,18 +51,26 @@ fn clear_repo_cache_lock() -> &'static Mutex<()> {

 impl Resolve<ExecuteArgs> for ClearRepoCache {
  #[instrument(
-    name = "ClearRepoCache",
-    skip(user, update),
-    fields(user_id = user.id, update_id = update.id)
+    "ClearRepoCache",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id
+    )
  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
  ) -> Result<Self::Response, Self::Error> {
    if !user.admin {
      return Err(
        anyhow!("This method is admin only.")
-          .status_code(StatusCode::UNAUTHORIZED),
+          .status_code(StatusCode::FORBIDDEN),
      );
    }

@@ -113,18 +134,26 @@ fn backup_database_lock() -> &'static Mutex<()> {

 impl Resolve<ExecuteArgs> for BackupCoreDatabase {
  #[instrument(
-    name = "BackupCoreDatabase",
-    skip(user, update),
-    fields(user_id = user.id, update_id = update.id)
+    "BackupCoreDatabase",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
  ) -> Result<Self::Response, Self::Error> {
    if !user.admin {
      return Err(
        anyhow!("This method is admin only.")
-          .status_code(StatusCode::UNAUTHORIZED),
+          .status_code(StatusCode::FORBIDDEN),
      );
    }

@@ -136,7 +165,7 @@ impl Resolve<ExecuteArgs> for BackupCoreDatabase {

    update_update(update.clone()).await?;

-    let res = run_komodo_command(
+    let res = run_komodo_standard_command(
      "Backup Core Database",
      None,
      "km database backup --yes",
@@ -162,18 +191,26 @@ fn global_update_lock() -> &'static Mutex<()> {

 impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
  #[instrument(
-    name = "GlobalAutoUpdate",
-    skip(user, update),
-    fields(user_id = user.id, update_id = update.id)
+    "GlobalAutoUpdate",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
  ) -> Result<Self::Response, Self::Error> {
    if !user.admin {
      return Err(
        anyhow!("This method is admin only.")
-          .status_code(StatusCode::UNAUTHORIZED),
+          .status_code(StatusCode::FORBIDDEN),
      );
    }

@@ -190,6 +227,9 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
    let servers = find_collect(&db_client().servers, None, None)
      .await
      .context("Failed to query for servers from database")?;
+    let swarms = find_collect(&db_client().swarms, None, None)
+      .await
+      .context("Failed to query for swarms from database")?;

    let query = doc! {
      "$or": [
@@ -198,11 +238,10 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
      ]
    };

-    let (stacks, repos) = tokio::try_join!(
-      find_collect(&db_client().stacks, query.clone(), None),
-      find_collect(&db_client().repos, None, None)
-    )
-    .context("Failed to query for resources from database")?;
+    let stacks =
+      find_collect(&db_client().stacks, query.clone(), None)
+        .await
+        .context("Failed to query for stacks from database")?;

    let server_status_cache = server_status_cache();
    let stack_status_cache = stack_status_cache();
@@ -215,10 +254,23 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
      else {
        continue;
      };
+
      // Only pull running stacks.
      if !matches!(status.curr.state, StackState::Running) {
        continue;
      }
+
+      let swarm_or_server = find_swarm_or_server(
+        &stack.config.swarm_id,
+        &swarms,
+        &stack.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
      if let Some(server) =
        servers.iter().find(|s| s.id == stack.config.server_id)
        // This check is probably redundant along with running check
@@ -229,39 +281,28 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
          .map(|s| matches!(s.state, ServerState::Ok))
          .unwrap_or_default()
      {
-        let name = stack.name.clone();
-        let repo = if stack.config.linked_repo.is_empty() {
-          None
-        } else {
-          let Some(repo) =
-            repos.iter().find(|r| r.id == stack.config.linked_repo)
-          else {
-            update.push_error_log(
-              &format!("Pull Stack {name}"),
-              format!(
-                "Did not find any Repo matching {}",
-                stack.config.linked_repo
-              ),
-            );
-            continue;
-          };
-          Some(repo.clone())
-        };
-        if let Err(e) =
-          pull_stack_inner(stack, Vec::new(), server, repo, None)
-            .await
+        if let Err(e) = check_stack_for_update_inner(
+          stack.id,
+          &swarm_or_server,
+          self.skip_auto_update,
+          true,
+          false,
+        )
+        .await
        {
          update.push_error_log(
-            &format!("Pull Stack {name}"),
+            &format!("Check Stack {}", stack.name),
            format_serror(&e.into()),
          );
        } else {
          if !update.logs[0].stdout.is_empty() {
            update.logs[0].stdout.push('\n');
          }
-          update.logs[0]
-            .stdout
-            .push_str(&format!("Pulled Stack {} ✅", bold(name)));
+
+          update.logs[0].stdout.push_str(&format!(
+            "Checked Stack {} ✅",
+            bold(&stack.name)
+          ));
        }
      }
    }
@@ -271,43 +312,51 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
      find_collect(&db_client().deployments, query, None)
        .await
        .context("Failed to query for deployments from database")?;
+
    for deployment in deployments {
      let Some(status) =
        deployment_status_cache.get(&deployment.id).await
      else {
        continue;
      };
+
      // Only pull running deployments.
      if !matches!(status.curr.state, DeploymentState::Running) {
        continue;
      }
-      if let Some(server) =
-        servers.iter().find(|s| s.id == deployment.config.server_id)
-        // This check is probably redundant along with running check
-        // but shouldn't hurt
-        && server_status_cache
-          .get(&server.id)
-          .await
-          .map(|s| matches!(s.state, ServerState::Ok))
-          .unwrap_or_default()
+
+      let swarm_or_server = find_swarm_or_server(
+        &deployment.config.swarm_id,
+        &swarms,
+        &deployment.config.server_id,
+        &servers,
+      )?;
+
+      if let SwarmOrServer::None = &swarm_or_server {
+        continue;
+      }
+
+      let name = deployment.name.clone();
+
+      if let Err(e) = check_deployment_for_update_inner(
+        deployment,
+        &swarm_or_server,
+        self.skip_auto_update,
+        true,
+      )
+      .await
      {
-        let name = deployment.name.clone();
-        if let Err(e) =
-          pull_deployment_inner(deployment, server).await
-        {
-          update.push_error_log(
-            &format!("Pull Deployment {name}"),
-            format_serror(&e.into()),
-          );
-        } else {
-          if !update.logs[0].stdout.is_empty() {
-            update.logs[0].stdout.push('\n');
-          }
-          update.logs[0].stdout.push_str(&format!(
-            "Pulled Deployment {} ✅",
-            bold(name)
-          ));
+        update.push_error_log(
+          &format!("Check Deployment {name}"),
+          format_serror(&e.into()),
+        );
+      } else {
+        if !update.logs[0].stdout.is_empty() {
+          update.logs[0].stdout.push('\n');
        }
+        update.logs[0]
+          .stdout
+          .push_str(&format!("Checked Deployment {} ✅", bold(name)));
      }
    }

@@ -317,3 +366,264 @@ impl Resolve<ExecuteArgs> for GlobalAutoUpdate {
    Ok(update)
  }
 }
+
+//
+
+/// Makes sure the method can only be called once at a time
+fn global_rotate_lock() -> &'static Mutex<()> {
+  static LOCK: OnceLock<Mutex<()>> = OnceLock::new();
+  LOCK.get_or_init(Default::default)
+}
+
+impl Resolve<ExecuteArgs> for RotateAllServerKeys {
+  #[instrument(
+    "RotateAllServerKeys",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let mut servers = db_client()
+      .servers
+      .find(Document::new())
+      .await
+      .context("Failed to query servers from database")?;
+
+    let server_status_cache = server_status_cache();
+
+    let mut log = String::new();
+
+    while let Some(server) = servers.next().await {
+      let server = match server {
+        Ok(server) => server,
+        Err(e) => {
+          warn!("Failed to parse Server | {e:#}");
+          continue;
+        }
+      };
+      if !server.config.auto_rotate_keys {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: Key Rotation Disabled ⚙️",
+          bold(&server.name)
+        );
+        continue;
+      }
+      let Some(status) = server_status_cache.get(&server.id).await
+      else {
+        let _ = write!(
+          &mut log,
+          "\nSkipping {}: No Status ⚠️",
+          bold(&server.name)
+        );
+        continue;
+      };
+      match status.state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      match rotate_server_keys(&server).await {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated keys for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate {} keys",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Server Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateCoreKeys {
+  #[instrument(
+    "RotateCoreKeys",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !user.admin {
+      return Err(
+        anyhow!("This method is admin only.")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let _lock = global_rotate_lock()
+      .try_lock()
+      .context("Key rotation already in progress...")?;
+
+    let mut update = update.clone();
+
+    update_update(update.clone()).await?;
+
+    let core_keys = core_keys();
+
+    if !core_keys.rotatable() {
+      return Err(anyhow!("Core `private_key` must be pointing to file, for example 'file:/config/keys/core.key'").into());
+    };
+
+    let server_status_cache = server_status_cache();
+    let servers =
+      find_collect(&db_client().servers, Document::new(), None)
+        .await
+        .context("Failed to query servers from database")?
+        .into_iter()
+        .map(|server| async move {
+          let state = server_status_cache
+            .get(&server.id)
+            .await
+            .map(|s| s.state)
+            .unwrap_or(ServerState::NotOk);
+          (server, state)
+        })
+        .collect::<FuturesOrdered<_>>()
+        .collect::<Vec<_>>()
+        .await;
+
+    if !self.force
+      && let Some((server, _)) = servers
+        .iter()
+        .find(|(_, state)| matches!(state, ServerState::NotOk))
+    {
+      return Err(
+        anyhow!("Server {} is NotOk, stopping key rotation. Pass `force: true` to continue anyways.", server.name).into(),
+      );
+    }
+
+    let public_key = core_keys
+      .rotate(mogh_pki::PkiKind::Mutual)
+      .await?
+      .into_inner();
+
+    info!("New Public Key: {public_key}");
+
+    let mut log = format!("New Public Key: {public_key}\n");
+
+    for (server, state) in servers {
+      match state {
+        ServerState::Disabled => {
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Disabled ⚙️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        ServerState::NotOk => {
+          // Shouldn't be reached unless 'force: true'
+          let _ = write!(
+            &mut log,
+            "\nSkipping {}: Server Not Ok ⚠️",
+            bold(&server.name)
+          );
+          continue;
+        }
+        _ => {}
+      }
+      let periphery = periphery_client(&server).await?;
+      let res = periphery
+        .request(api::keys::RotateCorePublicKey {
+          public_key: public_key.clone(),
+        })
+        .await;
+      match res {
+        Ok(_) => {
+          let _ = write!(
+            &mut log,
+            "\nRotated key for {} ✅",
+            bold(&server.name)
+          );
+        }
+        Err(e) => {
+          update.push_error_log(
+            "Key Rotation Failure",
+            format_serror(
+              &e.context(format!(
+                "Failed to rotate for {}. The new Core public key will have to be added manually.",
+                bold(&server.name)
+              ))
+              .into(),
+            ),
+          );
+        }
+      }
+    }
+
+    update.push_simple_log("Rotate Core Keys", log);
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/mod.rs
+++ b/bin/core/src/api/execute/mod.rs
@@ -1,4 +1,4 @@
-use std::{pin::Pin, time::Instant};
+use std::pin::Pin;

 use anyhow::Context;
 use axum::{
@@ -6,9 +6,8 @@ use axum::{
 };
 use axum_extra::{TypedHeader, headers::ContentType};
 use database::mungos::by_id::find_one_by_id;
-use derive_variants::{EnumVariants, ExtractVariant};
 use formatting::format_serror;
-use futures::future::join_all;
+use futures_util::future::join_all;
 use komodo_client::{
  api::execute::*,
  entities::{
@@ -18,16 +17,18 @@ use komodo_client::{
    user::User,
  },
 };
-use resolver_api::Resolve;
-use response::JsonString;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_error::JsonString;
+use mogh_resolver::Resolve;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;

 use crate::{
-  auth::auth_request,
+  auth::KomodoAuthImpl,
  helpers::update::{init_execution_update, update_update},
  resource::{KomodoResource, list_full_for_user_using_pattern},
  state::db_client,
@@ -42,52 +43,29 @@ mod procedure;
 mod repo;
 mod server;
 mod stack;
+mod swarm;
 mod sync;

 use super::Variant;

-pub use {
-  deployment::pull_deployment_inner, stack::pull_stack_inner,
-};
-
 pub struct ExecuteArgs {
+  /// The task id.
+  /// Unique for every '/execute' call.
+  pub task_id: Uuid,
  pub user: User,
  pub update: Update,
 }

 #[typeshare]
 #[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
 )]
-#[variant_derive(Debug)]
+#[strum_discriminants(name(ExecuteRequestMethod), derive(Display))]
 #[args(ExecuteArgs)]
 #[response(JsonString)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum ExecuteRequest {
-  // ==== SERVER ====
-  StartContainer(StartContainer),
-  RestartContainer(RestartContainer),
-  PauseContainer(PauseContainer),
-  UnpauseContainer(UnpauseContainer),
-  StopContainer(StopContainer),
-  DestroyContainer(DestroyContainer),
-  StartAllContainers(StartAllContainers),
-  RestartAllContainers(RestartAllContainers),
-  PauseAllContainers(PauseAllContainers),
-  UnpauseAllContainers(UnpauseAllContainers),
-  StopAllContainers(StopAllContainers),
-  PruneContainers(PruneContainers),
-  DeleteNetwork(DeleteNetwork),
-  PruneNetworks(PruneNetworks),
-  DeleteImage(DeleteImage),
-  PruneImages(PruneImages),
-  DeleteVolume(DeleteVolume),
-  PruneVolumes(PruneVolumes),
-  PruneDockerBuilders(PruneDockerBuilders),
-  PruneBuildx(PruneBuildx),
-  PruneSystem(PruneSystem),
-
  // ==== STACK ====
  DeployStack(DeployStack),
  BatchDeployStack(BatchDeployStack),
@@ -102,6 +80,7 @@ pub enum ExecuteRequest {
  UnpauseStack(UnpauseStack),
  DestroyStack(DestroyStack),
  BatchDestroyStack(BatchDestroyStack),
+  RunStackService(RunStackService),

  // ==== DEPLOYMENT ====
  Deploy(Deploy),
@@ -137,30 +116,69 @@ pub enum ExecuteRequest {
  RunAction(RunAction),
  BatchRunAction(BatchRunAction),

-  // ==== ALERTER ====
-  TestAlerter(TestAlerter),
-
  // ==== SYNC ====
  RunSync(RunSync),

+  // ==== ALERTER ====
+  TestAlerter(TestAlerter),
+  SendAlert(SendAlert),
+
+  // ==== SERVER ====
+  StartContainer(StartContainer),
+  RestartContainer(RestartContainer),
+  PauseContainer(PauseContainer),
+  UnpauseContainer(UnpauseContainer),
+  StopContainer(StopContainer),
+  DestroyContainer(DestroyContainer),
+  StartAllContainers(StartAllContainers),
+  RestartAllContainers(RestartAllContainers),
+  PauseAllContainers(PauseAllContainers),
+  UnpauseAllContainers(UnpauseAllContainers),
+  StopAllContainers(StopAllContainers),
+  PruneContainers(PruneContainers),
+  DeleteNetwork(DeleteNetwork),
+  PruneNetworks(PruneNetworks),
+  DeleteImage(DeleteImage),
+  PruneImages(PruneImages),
+  DeleteVolume(DeleteVolume),
+  PruneVolumes(PruneVolumes),
+  PruneDockerBuilders(PruneDockerBuilders),
+  PruneBuildx(PruneBuildx),
+  PruneSystem(PruneSystem),
+
+  // ==== SWARM ====
+  RemoveSwarmNodes(RemoveSwarmNodes),
+  RemoveSwarmStacks(RemoveSwarmStacks),
+  RemoveSwarmServices(RemoveSwarmServices),
+  CreateSwarmConfig(CreateSwarmConfig),
+  RotateSwarmConfig(RotateSwarmConfig),
+  RemoveSwarmConfigs(RemoveSwarmConfigs),
+  CreateSwarmSecret(CreateSwarmSecret),
+  RotateSwarmSecret(RotateSwarmSecret),
+  RemoveSwarmSecrets(RemoveSwarmSecrets),
+
  // ==== MAINTENANCE ====
  ClearRepoCache(ClearRepoCache),
  BackupCoreDatabase(BackupCoreDatabase),
  GlobalAutoUpdate(GlobalAutoUpdate),
+  RotateAllServerKeys(RotateAllServerKeys),
+  RotateCoreKeys(RotateCoreKeys),
 }

 pub fn router() -> Router {
  Router::new()
    .route("/", post(handler))
    .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }

 async fn variant_handler(
  user: Extension<User>,
  Path(Variant { variant }): Path<Variant>,
  Json(params): Json<serde_json::Value>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
  let req: ExecuteRequest = serde_json::from_value(json!({
    "type": variant,
    "params": params,
@@ -171,7 +189,7 @@ async fn variant_handler(
 async fn handler(
  Extension(user): Extension<User>,
  Json(request): Json<ExecuteRequest>,
-) -> serror::Result<(TypedHeader<ContentType>, String)> {
+) -> mogh_error::Result<(TypedHeader<ContentType>, String)> {
  let res = match inner_handler(request, user).await? {
    ExecutionResult::Single(update) => serde_json::to_string(&update)
      .context("Failed to serialize Update")?,
@@ -199,7 +217,7 @@ pub fn inner_handler(
  >,
 > {
  Box::pin(async move {
-    let req_id = Uuid::new_v4();
+    let task_id = Uuid::new_v4();

    // Need to validate no cancel is active before any update is created.
    // This ensures no double update created if Cancel is called more than once for the same request.
@@ -215,33 +233,50 @@ pub fn inner_handler(
    // here either.
    if update.operation == Operation::None {
      return Ok(ExecutionResult::Batch(
-        task(req_id, request, user, update).await?,
+        task(task_id, request, user, update).await?,
      ));
    }

+    // Spawn a task for the execution which continues
+    // running after this method returns.
    let handle =
-      tokio::spawn(task(req_id, request, user, update.clone()));
+      tokio::spawn(task(task_id, request, user, update.clone()));

+    // Spawns another task to monitor the first for failures,
+    // and add the log to Update about it (which primary task can't do because it errored out)
    tokio::spawn({
      let update_id = update.id.clone();
      async move {
        let log = match handle.await {
          Ok(Err(e)) => {
-            warn!("/execute request {req_id} task error: {e:#}",);
-            Log::error("task error", format_serror(&e.into()))
+            warn!(
+              api = "Execute",
+              task_id = task_id.to_string(),
+              "/execute request task error: {e:#}",
+            );
+            Log::error("Task Error", format_serror(&e.into()))
          }
          Err(e) => {
-            warn!("/execute request {req_id} spawn error: {e:?}",);
-            Log::error("spawn error", format!("{e:#?}"))
+            warn!(
+              api = "Execute",
+              task_id = task_id.to_string(),
+              "/execute request spawn error: {e:?}",
+            );
+            Log::error("Spawn Error", format!("{e:#?}"))
          }
          _ => return,
        };
        let res = async {
+          // Nothing to do if update was never actually created,
+          // which is the case when the id is empty.
+          if update_id.is_empty() {
+            return Ok(());
+          }
          let mut update =
            find_one_by_id(&db_client().updates, &update_id)
              .await
-              .context("failed to query to db")?
-              .context("no update exists with given id")?;
+              .context("Failed to query to db")?
+              .context("No Update exists with given id")?;
          update.logs.push(log);
          update.finalize();
          update_update(update).await
@@ -250,7 +285,10 @@ pub fn inner_handler(

        if let Err(e) = res {
          warn!(
-            "failed to update update with task error log | {e:#}"
+            api = "Execute",
+            task_id = task_id.to_string(),
+            update_id,
+            "Failed to modify Update with task error log | {e:#}"
          );
        }
      }
@@ -260,25 +298,33 @@ pub fn inner_handler(
  })
 }

-#[instrument(
-  name = "ExecuteRequest",
-  skip(user, update),
-  fields(
-    user_id = user.id,
-    update_id = update.id,
-    request = format!("{:?}", request.extract_variant()))
-  )
-]
 async fn task(
-  req_id: Uuid,
+  id: Uuid,
  request: ExecuteRequest,
  user: User,
  update: Update,
 ) -> anyhow::Result<String> {
-  info!("/execute request {req_id} | user: {}", user.username);
-  let timer = Instant::now();
+  let method: ExecuteRequestMethod = (&request).into();

-  let res = match request.resolve(&ExecuteArgs { user, update }).await
+  let user_id = user.id.clone();
+  let username = user.username.clone();
+
+  info!(
+    api = "Execute",
+    task_id = id.to_string(),
+    method = method.to_string(),
+    user_id,
+    username,
+    "EXECUTE REQUEST",
+  );
+
+  let res = match request
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      task_id: id,
+    })
+    .await
  {
    Err(e) => Err(e.error),
    Ok(JsonString::Err(e)) => Err(
@@ -288,12 +334,16 @@ async fn task(
  };

  if let Err(e) = &res {
-    warn!("/execute request {req_id} error: {e:#}");
+    warn!(
+      api = "Execute",
+      task_id = id.to_string(),
+      method = method.to_string(),
+      user_id,
+      username,
+      "EXECUTE REQUEST | ERROR: {e:#}"
+    );
  }

-  let elapsed = timer.elapsed();
-  debug!("/execute request {req_id} | resolve time: {elapsed:?}");
-
  res
 }

@@ -302,6 +352,7 @@ trait BatchExecute {
  fn single_request(name: String) -> ExecuteRequest;
 }

+#[instrument("BatchExecute", skip(user))]
 async fn batch_execute<E: BatchExecute>(
  pattern: &str,
  user: &User,
@@ -314,6 +365,7 @@ async fn batch_execute<E: BatchExecute>(
    &[],
  )
  .await?;
+
  let futures = resources.into_iter().map(|resource| {
    let user = user.clone();
    async move {
--- a/bin/core/src/api/execute/procedure.rs
+++ b/bin/core/src/api/execute/procedure.rs
@@ -17,7 +17,7 @@ use komodo_client::{
    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use tokio::sync::Mutex;

 use crate::{
@@ -38,11 +38,15 @@ impl super::BatchExecute for BatchRunProcedure {
 }

 impl Resolve<ExecuteArgs> for BatchRunProcedure {
-  #[instrument(name = "BatchRunProcedure", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchRunProcedure",
+    skip_all,
+    fields(operator = user.id)
+  )]
  async fn resolve(
    self,
    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchRunProcedure>(&self.pattern, user)
        .await?,
@@ -51,11 +55,24 @@ impl Resolve<ExecuteArgs> for BatchRunProcedure {
 }

 impl Resolve<ExecuteArgs> for RunProcedure {
-  #[instrument(name = "RunProcedure", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunProcedure",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      procedure = self.procedure,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    Ok(
      resolve_inner(self.procedure, user.clone(), update.clone())
        .await?,
@@ -146,7 +163,6 @@ fn resolve_inner(
    update_update(update.clone()).await?;

    if !update.success && procedure.config.failure_alert {
-      warn!("procedure unsuccessful, alerting...");
      let target = update.target.clone();
      tokio::spawn(async move {
        let alert = Alert {
--- a/bin/core/src/api/execute/repo.rs
+++ b/bin/core/src/api/execute/repo.rs
@@ -22,15 +22,15 @@ use komodo_client::{
    update::{Log, Update},
  },
 };
+use mogh_resolver::Resolve;
 use periphery_client::api;
-use resolver_api::Resolve;
 use tokio_util::sync::CancellationToken;

 use crate::{
  alert::send_alerts,
  api::write::WriteArgs,
  helpers::{
-    builder::{cleanup_builder_instance, get_builder_periphery},
+    builder::{cleanup_builder_instance, connect_builder_periphery},
    channel::repo_cancel_channel,
    git_token, periphery_client,
    query::{VariablesAndSecrets, get_variables_and_secrets},
@@ -51,11 +51,19 @@ impl super::BatchExecute for BatchCloneRepo {
 }

 impl Resolve<ExecuteArgs> for BatchCloneRepo {
-  #[instrument(name = "BatchCloneRepo", skip( user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchCloneRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchCloneRepo>(&self.pattern, user)
        .await?,
@@ -64,11 +72,24 @@ impl Resolve<ExecuteArgs> for BatchCloneRepo {
 }

 impl Resolve<ExecuteArgs> for CloneRepo {
-  #[instrument(name = "CloneRepo", skip( user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CloneRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let mut repo = get_check_permissions::<Repo>(
      &self.repo,
      user,
@@ -105,7 +126,7 @@ impl Resolve<ExecuteArgs> for CloneRepo {
    let server =
      resource::get::<Server>(&repo.config.server_id).await?;

-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;

    // interpolate variables / secrets, returning the sanitizing replacers to send to
    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -165,11 +186,19 @@ impl super::BatchExecute for BatchPullRepo {
 }

 impl Resolve<ExecuteArgs> for BatchPullRepo {
-  #[instrument(name = "BatchPullRepo", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchPullRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchPullRepo>(&self.pattern, user)
        .await?,
@@ -178,11 +207,24 @@ impl Resolve<ExecuteArgs> for BatchPullRepo {
 }

 impl Resolve<ExecuteArgs> for PullRepo {
-  #[instrument(name = "PullRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "PullRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let mut repo = get_check_permissions::<Repo>(
      &self.repo,
      user,
@@ -220,7 +262,7 @@ impl Resolve<ExecuteArgs> for PullRepo {
    let server =
      resource::get::<Server>(&repo.config.server_id).await?;

-    let periphery = periphery_client(&server)?;
+    let periphery = periphery_client(&server).await?;

    // interpolate variables / secrets, returning the sanitizing replacers to send to
    // periphery so it may sanitize the final command for safe logging (avoids exposing secret values)
@@ -275,10 +317,14 @@ impl Resolve<ExecuteArgs> for PullRepo {
  }
 }

-#[instrument(skip_all, fields(update_id = update.id))]
+#[instrument(
+  "HandleRepoEarlyReturn",
+  skip_all,
+  fields(update_id = update.id)
+)]
 async fn handle_repo_update_return(
  update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
  // The Err case of to_document should be unreachable,
@@ -297,7 +343,7 @@ async fn handle_repo_update_return(
  Ok(update)
 }

-#[instrument]
+#[instrument("UpdateLastPulledTime")]
 async fn update_last_pulled_time(repo_name: &str) {
  let res = db_client()
    .repos
@@ -321,11 +367,19 @@ impl super::BatchExecute for BatchBuildRepo {
 }

 impl Resolve<ExecuteArgs> for BatchBuildRepo {
-  #[instrument(name = "BatchBuildRepo", skip(user), fields(user_id = user.id))]
+  #[instrument(
+    "BatchBuildRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      pattern = self.pattern,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, .. }: &ExecuteArgs,
-  ) -> serror::Result<BatchExecutionResponse> {
+    ExecuteArgs { user, task_id, .. }: &ExecuteArgs,
+  ) -> mogh_error::Result<BatchExecutionResponse> {
    Ok(
      super::batch_execute::<BatchBuildRepo>(&self.pattern, user)
        .await?,
@@ -334,11 +388,24 @@ impl Resolve<ExecuteArgs> for BatchBuildRepo {
 }

 impl Resolve<ExecuteArgs> for BuildRepo {
-  #[instrument(name = "BuildRepo", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "BuildRepo",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let mut repo = get_check_permissions::<Repo>(
      &self.repo,
      user,
@@ -419,7 +486,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {

    // GET BUILDER PERIPHERY

-    let (periphery, cleanup_data) = match get_builder_periphery(
+    let (periphery, cleanup_data) = match connect_builder_periphery(
      repo.name.clone(),
      None,
      builder,
@@ -463,7 +530,7 @@ impl Resolve<ExecuteArgs> for BuildRepo {
      _ = cancel.cancelled() => {
        debug!("build cancelled during clone, cleaning up builder");
        update.push_error_log("build cancelled", String::from("user cancelled build during repo clone"));
-        cleanup_builder_instance(cleanup_data, &mut update)
+        cleanup_builder_instance(periphery, cleanup_data, &mut update)
          .await;
        info!("builder cleaned up");
        return handle_builder_early_return(update, repo.id, repo.name, true).await
@@ -510,7 +577,8 @@ impl Resolve<ExecuteArgs> for BuildRepo {

    // If building on temporary cloud server (AWS),
    // this will terminate the server.
-    cleanup_builder_instance(cleanup_data, &mut update).await;
+    cleanup_builder_instance(periphery, cleanup_data, &mut update)
+      .await;

    // Need to manually update the update before cache refresh,
    // and before broadcast with add_update.
@@ -530,7 +598,6 @@ impl Resolve<ExecuteArgs> for BuildRepo {
    update_update(update.clone()).await?;

    if !update.success {
-      warn!("repo build unsuccessful, alerting...");
      let target = update.target.clone();
      tokio::spawn(async move {
        let alert = Alert {
@@ -553,13 +620,13 @@ impl Resolve<ExecuteArgs> for BuildRepo {
  }
 }

-#[instrument(skip(update))]
+#[instrument("HandleRepoBuildEarlyReturn", skip(update))]
 async fn handle_builder_early_return(
  mut update: Update,
  repo_id: String,
  repo_name: String,
  is_cancel: bool,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
  update.finalize();
  // Need to manually update the update before cache refresh,
  // and before broadcast with add_update.
@@ -577,7 +644,6 @@ async fn handle_builder_early_return(
  }
  update_update(update.clone()).await?;
  if !update.success && !is_cancel {
-    warn!("repo build unsuccessful, alerting...");
    let target = update.target.clone();
    tokio::spawn(async move {
      let alert = Alert {
@@ -598,7 +664,6 @@ async fn handle_builder_early_return(
  Ok(update)
 }

-#[instrument(skip_all)]
 pub async fn validate_cancel_repo_build(
  request: &ExecuteRequest,
 ) -> anyhow::Result<()> {
@@ -648,11 +713,24 @@ pub async fn validate_cancel_repo_build(
 }

 impl Resolve<ExecuteArgs> for CancelRepoBuild {
-  #[instrument(name = "CancelRepoBuild", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "CancelRepoBuild",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      repo = self.repo,
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let repo = get_check_permissions::<Repo>(
      &self.repo,
      user,
@@ -708,6 +786,13 @@ impl Resolve<ExecuteArgs> for CancelRepoBuild {
  }
 }

+#[instrument(
+  "Interpolate",
+  skip_all,
+  fields(
+    skip_secret_interp = repo.config.skip_secret_interp
+  )
+)]
 async fn interpolate(
  repo: &mut Repo,
  update: &mut Update,
--- a/bin/core/src/api/execute/server.rs
+++ b/bin/core/src/api/execute/server.rs
--- a/bin/core/src/api/execute/stack.rs
+++ b/bin/core/src/api/execute/stack.rs
--- a/bin/core/src/api/execute/swarm.rs
+++ b/bin/core/src/api/execute/swarm.rs
@@ -0,0 +1,552 @@
+use formatting::format_serror;
+use komodo_client::{
+  api::execute::{
+    CreateSwarmConfig, CreateSwarmSecret, RemoveSwarmConfigs,
+    RemoveSwarmNodes, RemoveSwarmSecrets, RemoveSwarmServices,
+    RemoveSwarmStacks, RotateSwarmConfig, RotateSwarmSecret,
+  },
+  entities::{permission::PermissionLevel, swarm::Swarm},
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  api::execute::ExecuteArgs,
+  helpers::{swarm::swarm_request, update::update_update},
+  monitor::refresh_swarm_cache,
+  permission::get_check_permissions,
+};
+
+impl Resolve<ExecuteArgs> for RemoveSwarmNodes {
+  #[instrument(
+    "RemoveSwarmNodes",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      nodes = serde_json::to_string(&self.nodes).unwrap_or_else(|e| e.to_string()),
+      force = self.force,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmNodes {
+        nodes: self.nodes,
+        force: self.force,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Nodes",
+        format_serror(
+          &e.context("Failed to remove swarm nodes").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmStacks {
+  #[instrument(
+    "RemoveSwarmStacks",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      stacks = serde_json::to_string(&self.stacks).unwrap_or_else(|e| e.to_string()),
+      detach = self.detach,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmStacks {
+        stacks: self.stacks,
+        detach: self.detach,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Stacks",
+        format_serror(
+          &e.context("Failed to remove swarm stacks").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmServices {
+  #[instrument(
+    "RemoveSwarmServices",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      services = serde_json::to_string(&self.services).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmServices {
+        services: self.services,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Services",
+        format_serror(
+          &e.context("Failed to remove swarm services").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmConfig {
+  #[instrument(
+    "CreateSwarmConfig",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmConfig {
+        name: self.name,
+        data: self.data,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Config",
+        format_serror(
+          &e.context("Failed to create swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmConfig {
+  #[instrument(
+    "RotateSwarmConfig",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      config = self.config,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmConfig {
+        config: self.config,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Config",
+        format_serror(
+          &e.context("Failed to rotate swarm config").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmConfigs {
+  #[instrument(
+    "RemoveSwarmConfigs",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      configs = serde_json::to_string(&self.configs).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmConfigs {
+        configs: self.configs,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Configs",
+        format_serror(
+          &e.context("Failed to remove swarm configs").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for CreateSwarmSecret {
+  #[instrument(
+    "CreateSwarmSecret",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.name,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::CreateSwarmSecret {
+        name: self.name,
+        data: self.data,
+        driver: self.driver,
+        labels: self.labels,
+        template_driver: self.template_driver,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Create Swarm Secret",
+        format_serror(
+          &e.context("Failed to create swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RotateSwarmSecret {
+  #[instrument(
+    "RotateSwarmSecret",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secret = self.secret,
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RotateSwarmSecret {
+        secret: self.secret,
+        data: self.data,
+      },
+    )
+    .await
+    {
+      Ok(logs) => {
+        update.logs.extend(logs);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Rotate Swarm Secret",
+        format_serror(
+          &e.context("Failed to rotate swarm secret").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
+
+impl Resolve<ExecuteArgs> for RemoveSwarmSecrets {
+  #[instrument(
+    "RemoveSwarmSecrets",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      swarm = self.swarm,
+      secrets = serde_json::to_string(&self.secrets).unwrap_or_else(|e| e.to_string()),
+    )
+  )]
+  async fn resolve(
+    self,
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    update_update(update.clone()).await?;
+
+    let mut update = update.clone();
+
+    match swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::RemoveSwarmSecrets {
+        secrets: self.secrets,
+      },
+    )
+    .await
+    {
+      Ok(log) => {
+        update.logs.push(log);
+        refresh_swarm_cache(&swarm, true).await;
+      }
+      Err(e) => update.push_error_log(
+        "Remove Swarm Secrets",
+        format_serror(
+          &e.context("Failed to remove swarm secrets").into(),
+        ),
+      ),
+    };
+
+    update.finalize();
+    update_update(update.clone()).await?;
+
+    Ok(update)
+  }
+}
--- a/bin/core/src/api/execute/sync.rs
+++ b/bin/core/src/api/execute/sync.rs
@@ -21,12 +21,13 @@ use komodo_client::{
    repo::Repo,
    server::Server,
    stack::Stack,
+    swarm::Swarm,
    sync::ResourceSync,
    update::{Log, Update},
    user::sync_user,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  api::write::WriteArgs,
@@ -49,11 +50,26 @@ use crate::{
 use super::ExecuteArgs;

 impl Resolve<ExecuteArgs> for RunSync {
-  #[instrument(name = "RunSync", skip(user, update), fields(user_id = user.id, update_id = update.id))]
+  #[instrument(
+    "RunSync",
+    skip_all,
+    fields(
+      task_id = task_id.to_string(),
+      operator = user.id,
+      update_id = update.id,
+      sync = self.sync,
+      resource_type = format!("{:?}", self.resource_type),
+      resources = format!("{:?}", self.resources),
+    )
+  )]
  async fn resolve(
    self,
-    ExecuteArgs { user, update }: &ExecuteArgs,
-  ) -> serror::Result<Update> {
+    ExecuteArgs {
+      user,
+      update,
+      task_id,
+    }: &ExecuteArgs,
+  ) -> mogh_error::Result<Update> {
    let RunSync {
      sync,
      resource_type: match_resource_type,
@@ -77,10 +93,8 @@ impl Resolve<ExecuteArgs> for RunSync {
    };

    // get the action state for the sync (or insert default).
-    let action_state = action_states()
-      .resource_sync
-      .get_or_insert_default(&sync.id)
-      .await;
+    let action_state =
+      action_states().sync.get_or_insert_default(&sync.id).await;

    // This will set action state back to default when dropped.
    // Will also check to ensure sync not already busy before updating.
@@ -125,52 +139,36 @@ impl Resolve<ExecuteArgs> for RunSync {
          let Some(resource_type) = match_resource_type else {
            return Some(name_or_id);
          };
-          match ObjectId::from_str(&name_or_id) {
-            Ok(_) => match resource_type {
-              ResourceTargetVariant::Alerter => all_resources
-                .alerters
-                .get(&name_or_id)
-                .map(|a| a.name.clone()),
-              ResourceTargetVariant::Build => all_resources
-                .builds
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Builder => all_resources
-                .builders
-                .get(&name_or_id)
-                .map(|b| b.name.clone()),
-              ResourceTargetVariant::Deployment => all_resources
-                .deployments
-                .get(&name_or_id)
-                .map(|d| d.name.clone()),
-              ResourceTargetVariant::Procedure => all_resources
-                .procedures
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Action => all_resources
-                .actions
-                .get(&name_or_id)
-                .map(|p| p.name.clone()),
-              ResourceTargetVariant::Repo => all_resources
-                .repos
-                .get(&name_or_id)
-                .map(|r| r.name.clone()),
-              ResourceTargetVariant::Server => all_resources
-                .servers
-                .get(&name_or_id)
-                .map(|s| s.name.clone()),
-              ResourceTargetVariant::Stack => all_resources
-                .stacks
-                .get(&name_or_id)
-                .map(|s| s.name.clone()),
-              ResourceTargetVariant::ResourceSync => all_resources
-                .syncs
-                .get(&name_or_id)
-                .map(|s| s.name.clone()),
-              ResourceTargetVariant::System => None,
-            },
-            Err(_) => Some(name_or_id),
+          macro_rules! resolve_id_to_name {
+            ($(($Variant:ident, $field:ident)),* $(,)?) => {
+              match ObjectId::from_str(&name_or_id) {
+                Ok(_) => match resource_type {
+                  $(
+                    ResourceTargetVariant::$Variant => all_resources
+                      .$field
+                      .get(&name_or_id)
+                      .map(|r| r.name.clone()),
+                  )*
+                  ResourceTargetVariant::System => None,
+                },
+                Err(_) => Some(name_or_id),
+              }
+            };
          }
+          // New resource types need to be added here manually.
+          resolve_id_to_name!(
+            (Server, servers),
+            (Swarm, swarms),
+            (Stack, stacks),
+            (Deployment, deployments),
+            (Build, builds),
+            (Repo, repos),
+            (Procedure, procedures),
+            (Action, actions),
+            (ResourceSync, syncs),
+            (Builder, builders),
+            (Alerter, alerters),
+          )
        })
        .collect::<Vec<_>>()
    });
@@ -218,136 +216,39 @@ impl Resolve<ExecuteArgs> for RunSync {

    let delete = sync.config.managed || sync.config.delete;

-    let server_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Server>(
-        resources.servers,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let stack_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Stack>(
-        resources.stacks,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let deployment_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Deployment>(
-        resources.deployments,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let build_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Build>(
-        resources.builds,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let repo_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Repo>(
-        resources.repos,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let procedure_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Procedure>(
-        resources.procedures,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let action_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Action>(
-        resources.actions,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let builder_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Builder>(
-        resources.builders,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let alerter_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<Alerter>(
-        resources.alerters,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
-    let resource_sync_deltas = if sync.config.include_resources {
-      get_updates_for_execution::<entities::sync::ResourceSync>(
-        resources.resource_syncs,
-        delete,
-        match_resource_type,
-        match_resources.as_deref(),
-        &id_to_tags,
-        &sync.config.match_tags,
-      )
-      .await?
-    } else {
-      Default::default()
-    };
+    macro_rules! get_deltas {
+      ($(($var:ident, $Type:ident, $field:ident)),* $(,)?) => {
+        $(
+          let $var = if sync.config.include_resources {
+            get_updates_for_execution::<$Type>(
+              resources.$field,
+              delete,
+              match_resource_type,
+              match_resources.as_deref(),
+              &id_to_tags,
+              &sync.config.match_tags,
+            )
+            .await?
+          } else {
+            Default::default()
+          };
+        )*
+      };
+    }
+    // New resource types need to be added here manually.
+    get_deltas!(
+      (server_deltas, Server, servers),
+      (swarm_deltas, Swarm, swarms),
+      (stack_deltas, Stack, stacks),
+      (deployment_deltas, Deployment, deployments),
+      (build_deltas, Build, builds),
+      (repo_deltas, Repo, repos),
+      (procedure_deltas, Procedure, procedures),
+      (action_deltas, Action, actions),
+      (builder_deltas, Builder, builders),
+      (alerter_deltas, Alerter, alerters),
+      (resource_sync_deltas, ResourceSync, resource_syncs),
+    );

    let (
      variables_to_create,
@@ -385,6 +286,7 @@ impl Resolve<ExecuteArgs> for RunSync {
    if deploy_cache.is_empty()
      && resource_sync_deltas.no_changes()
      && server_deltas.no_changes()
+      && swarm_deltas.no_changes()
      && deployment_deltas.no_changes()
      && stack_deltas.no_changes()
      && build_deltas.no_changes()
@@ -412,7 +314,11 @@ impl Resolve<ExecuteArgs> for RunSync {
      return Ok(update);
    }

-    // =================
+    // =====================================================
+    // The ordering these are executed does matter, since
+    // latter resources may depend on prior synced resources
+    // already being updated with the declared state.
+    // =====================================================

    // No deps
    maybe_extend(
@@ -451,6 +357,10 @@ impl Resolve<ExecuteArgs> for RunSync {
    );

    // Dependent on server
+    maybe_extend(
+      &mut update.logs,
+      Swarm::execute_sync_updates(swarm_deltas).await,
+    );
    maybe_extend(
      &mut update.logs,
      Builder::execute_sync_updates(builder_deltas).await,
--- a/bin/core/src/api/listener/integrations/github.rs
+++ b/bin/core/src/api/listener/integrations/github.rs
@@ -5,10 +5,9 @@ use hmac::{Hmac, Mac};
 use serde::Deserialize;
 use sha2::Sha256;

-use crate::{
-  config::core_config,
-  listener::{ExtractBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};

 type HmacSha256 = Hmac<Sha256>;

@@ -18,7 +17,7 @@ pub struct Github;
 impl VerifySecret for Github {
  #[instrument("VerifyGithubSecret", skip_all)]
  fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
    body: &str,
    custom_secret: &str,
  ) -> anyhow::Result<()> {
--- a/bin/core/src/api/listener/integrations/gitlab.rs
+++ b/bin/core/src/api/listener/integrations/gitlab.rs
@@ -1,10 +1,10 @@
 use anyhow::{Context, anyhow};
+use axum::http::HeaderMap;
 use serde::Deserialize;

-use crate::{
-  config::core_config,
-  listener::{ExtractBranch, VerifySecret},
-};
+use crate::config::core_config;
+
+use super::{ExtractBranch, VerifySecret};

 /// Listener implementation for Gitlab type API
 pub struct Gitlab;
@@ -12,7 +12,7 @@ pub struct Gitlab;
 impl VerifySecret for Gitlab {
  #[instrument("VerifyGitlabSecret", skip_all)]
  fn verify_secret(
-    headers: axum::http::HeaderMap,
+    headers: &HeaderMap,
    _body: &str,
    custom_secret: &str,
  ) -> anyhow::Result<()> {
--- a/bin/core/src/api/listener/integrations/mod.rs
+++ b/bin/core/src/api/listener/integrations/mod.rs
@@ -0,0 +1,4 @@
+pub mod github;
+pub mod gitlab;
+
+use super::{ExtractBranch, VerifySecret};
--- a/bin/core/src/api/listener/mod.rs
+++ b/bin/core/src/api/listener/mod.rs
@@ -3,9 +3,10 @@ use std::sync::Arc;
 use anyhow::anyhow;
 use axum::{Router, http::HeaderMap};
 use komodo_client::entities::resource::Resource;
+use mogh_cache::CloneCache;
 use tokio::sync::Mutex;

-use crate::{helpers::cache::Cache, resource::KomodoResource};
+use crate::resource::KomodoResource;

 mod integrations;
 mod resources;
@@ -19,7 +20,7 @@ pub fn router() -> Router {
    .nest("/gitlab", router::router::<gitlab::Gitlab>())
 }

-type ListenerLockCache = Cache<String, Arc<Mutex<()>>>;
+type ListenerLockCache = CloneCache<String, Arc<Mutex<()>>>;

 /// Implemented for all resources which can recieve webhook.
 trait CustomSecret: KomodoResource {
@@ -31,7 +32,7 @@ trait CustomSecret: KomodoResource {
 /// Implemented on the integration struct, eg [integrations::github::Github]
 trait VerifySecret {
  fn verify_secret(
-    headers: HeaderMap,
+    headers: &HeaderMap,
    body: &str,
    custom_secret: &str,
  ) -> anyhow::Result<()>;
--- a/bin/core/src/api/listener/resources.rs
+++ b/bin/core/src/api/listener/resources.rs
@@ -11,9 +11,10 @@ use komodo_client::{
    stack::Stack, sync::ResourceSync, user::git_webhook_user,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;
 use serde::Deserialize;
 use serde_json::json;
+use uuid::Uuid;

 use crate::{
  api::{
@@ -21,6 +22,7 @@ use crate::{
    write::WriteArgs,
  },
  helpers::update::init_execution_update,
+  resource,
 };

 use super::{ANY_BRANCH, ListenerLockCache};
@@ -54,7 +56,18 @@ pub async fn handle_build_webhook<B: super::ExtractBranch>(
  let lock = build_locks().get_or_insert_default(&build.id).await;
  let _lock = lock.lock().await;

-  B::verify_branch(&body, &build.config.branch)?;
+  // Use the correct target branch when using linked repo.
+  let branch = if build.config.linked_repo.is_empty() {
+    build.config.branch
+  } else {
+    resource::get::<Repo>(&build.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;

  let user = git_webhook_user().to_owned();
  let req = ExecuteRequest::RunBuild(RunBuild { build: build.id });
@@ -63,7 +76,11 @@ pub async fn handle_build_webhook<B: super::ExtractBranch>(
    unreachable!()
  };
  req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      task_id: Uuid::new_v4(),
+    })
    .await
    .map_err(|e| e.error)?;
  Ok(())
@@ -101,7 +118,11 @@ impl RepoExecution for CloneRepo {
      unreachable!()
    };
    req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        task_id: Uuid::new_v4(),
+      })
      .await
      .map_err(|e| e.error)?;
    Ok(())
@@ -121,7 +142,11 @@ impl RepoExecution for PullRepo {
      unreachable!()
    };
    req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        task_id: Uuid::new_v4(),
+      })
      .await
      .map_err(|e| e.error)?;
    Ok(())
@@ -141,7 +166,11 @@ impl RepoExecution for BuildRepo {
      unreachable!()
    };
    req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        task_id: Uuid::new_v4(),
+      })
      .await
      .map_err(|e| e.error)?;
    Ok(())
@@ -212,11 +241,11 @@ fn stack_locks() -> &'static ListenerLockCache {
 }

 pub trait StackExecution {
-  async fn resolve(stack: Stack) -> serror::Result<()>;
+  async fn resolve(stack: Stack) -> mogh_error::Result<()>;
 }

 impl StackExecution for RefreshStackCache {
-  async fn resolve(stack: Stack) -> serror::Result<()> {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
    RefreshStackCache { stack: stack.id }
      .resolve(&WriteArgs {
        user: git_webhook_user().to_owned(),
@@ -227,7 +256,7 @@ impl StackExecution for RefreshStackCache {
 }

 impl StackExecution for DeployStack {
-  async fn resolve(stack: Stack) -> serror::Result<()> {
+  async fn resolve(stack: Stack) -> mogh_error::Result<()> {
    let user = git_webhook_user().to_owned();
    if stack.config.webhook_force_deploy {
      let req = ExecuteRequest::DeployStack(DeployStack {
@@ -240,7 +269,11 @@ impl StackExecution for DeployStack {
        unreachable!()
      };
      req
-        .resolve(&ExecuteArgs { user, update })
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          task_id: Uuid::new_v4(),
+        })
        .await
        .map_err(|e| e.error)?;
    } else {
@@ -254,7 +287,11 @@ impl StackExecution for DeployStack {
        unreachable!()
      };
      req
-        .resolve(&ExecuteArgs { user, update })
+        .resolve(&ExecuteArgs {
+          user,
+          update,
+          task_id: Uuid::new_v4(),
+        })
        .await
        .map_err(|e| e.error)?;
    }
@@ -303,7 +340,18 @@ pub async fn handle_stack_webhook_inner<
  let lock = stack_locks().get_or_insert_default(&stack.id).await;
  let _lock = lock.lock().await;

-  B::verify_branch(&body, &stack.config.branch)?;
+  // Use the correct target branch when using linked repo.
+  let branch = if stack.config.linked_repo.is_empty() {
+    stack.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&stack.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;

  E::resolve(stack).await.map_err(|e| e.error)
 }
@@ -352,7 +400,11 @@ impl SyncExecution for RunSync {
      unreachable!()
    };
    req
-      .resolve(&ExecuteArgs { user, update })
+      .resolve(&ExecuteArgs {
+        user,
+        update,
+        task_id: Uuid::new_v4(),
+      })
      .await
      .map_err(|e| e.error)?;
    Ok(())
@@ -401,7 +453,18 @@ async fn handle_sync_webhook_inner<
  let lock = sync_locks().get_or_insert_default(&sync.id).await;
  let _lock = lock.lock().await;

-  B::verify_branch(&body, &sync.config.branch)?;
+  // Use the correct target branch when using linked repo.
+  let branch = if sync.config.linked_repo.is_empty() {
+    sync.config.branch.clone()
+  } else {
+    resource::get::<Repo>(&sync.config.linked_repo)
+      .await
+      .context("Failed to find 'linked_repo'")?
+      .config
+      .branch
+  };
+
+  B::verify_branch(&body, &branch)?;

  E::resolve(sync).await
 }
@@ -451,7 +514,11 @@ pub async fn handle_procedure_webhook<B: super::ExtractBranch>(
    unreachable!()
  };
  req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      task_id: Uuid::new_v4(),
+    })
    .await
    .map_err(|e| e.error)?;
  Ok(())
@@ -513,7 +580,11 @@ pub async fn handle_action_webhook<B: super::ExtractBranch>(
    unreachable!()
  };
  req
-    .resolve(&ExecuteArgs { user, update })
+    .resolve(&ExecuteArgs {
+      user,
+      update,
+      task_id: Uuid::new_v4(),
+    })
    .await
    .map_err(|e| e.error)?;
  Ok(())
--- a/bin/core/src/api/listener/router.rs
+++ b/bin/core/src/api/listener/router.rs
@@ -1,14 +1,18 @@
+use std::net::IpAddr;
+
 use axum::{Router, extract::Path, http::HeaderMap, routing::post};
 use komodo_client::entities::{
  action::Action, build::Build, procedure::Procedure, repo::Repo,
  resource::Resource, stack::Stack, sync::ResourceSync,
 };
+use mogh_auth_server::request_ip::RequestIp;
+use mogh_error::AddStatusCode;
+use mogh_rate_limit::WithFailureRateLimit;
 use reqwest::StatusCode;
 use serde::Deserialize;
-use serror::AddStatusCode;
 use tracing::Instrument;

-use crate::resource::KomodoResource;
+use crate::{auth::GENERAL_RATE_LIMITER, resource::KomodoResource};

 use super::{
  CustomSecret, ExtractBranch, VerifySecret,
@@ -47,9 +51,9 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
  .route(
    "/build/{id}",
    post(
-      |Path(Id { id }), headers: HeaderMap, body: String| async move {
+      |Path(Id { id }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let build =
-          auth_webhook::<P, Build>(&id, headers, &body).await?;
+          auth_webhook::<P, Build>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("BuildWebhook", id);
          async {
@@ -66,16 +70,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
  .route(
    "/repo/{id}/{option}",
    post(
-      |Path(IdAndOption::<RepoWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<RepoWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let repo =
-          auth_webhook::<P, Repo>(&id, headers, &body).await?;
+          auth_webhook::<P, Repo>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("RepoWebhook", id);
          async {
@@ -92,16 +96,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
  .route(
    "/stack/{id}/{option}",
    post(
-      |Path(IdAndOption::<StackWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<StackWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let stack =
-          auth_webhook::<P, Stack>(&id, headers, &body).await?;
+          auth_webhook::<P, Stack>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("StackWebhook", id);
          async {
@@ -118,16 +122,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
  .route(
    "/sync/{id}/{option}",
    post(
-      |Path(IdAndOption::<SyncWebhookOption> { id, option }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndOption::<SyncWebhookOption> { id, option }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let sync =
-          auth_webhook::<P, ResourceSync>(&id, headers, &body).await?;
+          auth_webhook::<P, ResourceSync>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("ResourceSyncWebhook", id);
          async {
@@ -144,16 +148,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
  .route(
    "/procedure/{id}/{branch}",
    post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let procedure =
-          auth_webhook::<P, Procedure>(&id, headers, &body).await?;
+          auth_webhook::<P, Procedure>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("ProcedureWebhook", id);
          async {
@@ -170,16 +174,16 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
  .route(
    "/action/{id}/{branch}",
    post(
-      |Path(IdAndBranch { id, branch }), headers: HeaderMap, body: String| async move {
+      |Path(IdAndBranch { id, branch }), RequestIp(ip), headers: HeaderMap, body: String| async move {
        let action =
-          auth_webhook::<P, Action>(&id, headers, &body).await?;
+          auth_webhook::<P, Action>(&id, &headers, ip, &body).await?;
        tokio::spawn(async move {
          let span = info_span!("ActionWebhook", id);
          async {
@@ -196,7 +200,7 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {
          .instrument(span)
          .await
        });
-        serror::Result::Ok(())
+        mogh_error::Result::Ok(())
      },
    ),
  )
@@ -204,17 +208,45 @@ pub fn router<P: VerifySecret + ExtractBranch>() -> Router {

 async fn auth_webhook<P, R>(
  id: &str,
-  headers: HeaderMap,
+  headers: &HeaderMap,
+  ip: IpAddr,
  body: &str,
-) -> serror::Result<Resource<R::Config, R::Info>>
+) -> mogh_error::Result<Resource<R::Config, R::Info>>
 where
  P: VerifySecret,
  R: KomodoResource + CustomSecret,
 {
-  let resource = crate::resource::get::<R>(id)
-    .await
-    .status_code(StatusCode::BAD_REQUEST)?;
-  P::verify_secret(headers, body, R::custom_secret(&resource))
-    .status_code(StatusCode::UNAUTHORIZED)?;
-  Ok(resource)
+  async {
+    let resource = crate::resource::get::<R>(id)
+      .await
+      .status_code(StatusCode::BAD_REQUEST)?;
+    P::verify_secret(headers, body, R::custom_secret(&resource))
+      .status_code(StatusCode::UNAUTHORIZED)?;
+
+    info!(
+      resource_type = R::resource_type().to_string(),
+      resource_id = id,
+      source_ip = ip.to_string(),
+      "Successfully authenticated incoming webhook"
+    );
+
+    debug!(
+      resource_type = R::resource_type().to_string(),
+      resource_id = id,
+      source_ip = ip.to_string(),
+      "Webhook body: {body}"
+    );
+
+    mogh_error::Result::Ok(resource)
+  }
+  .with_failure_rate_limit_using_ip(&GENERAL_RATE_LIMITER, &ip)
+  .await
+  .inspect_err(|e| {
+    warn!(
+      resource_id = id,
+      source_ip = ip.to_string(),
+      "Incoming webhook failed | ERROR: {:#}",
+      e.error
+    );
+  })
 }
--- a/bin/core/src/api/mod.rs
+++ b/bin/core/src/api/mod.rs
@@ -1,11 +1,57 @@
-pub mod auth;
+use axum::{Extension, Router, routing::get};
+use komodo_client::entities::user::User;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_server::{
+  cors::cors_layer, session::memory_session_layer,
+  ui::serve_static_ui,
+};
+
+use crate::{auth::KomodoAuthImpl, config::core_config, ts_client};
+
 pub mod execute;
 pub mod read;
-pub mod terminal;
-pub mod user;
 pub mod write;

+mod listener;
+mod openapi;
+mod terminal;
+mod ws;
+
 #[derive(serde::Deserialize)]
 struct Variant {
  variant: String,
 }
+
+pub fn app() -> Router {
+  let config = core_config();
+  Router::new()
+    .merge(openapi::serve_docs())
+    .route("/version", get(|| async { env!("CARGO_PKG_VERSION") }))
+    .nest("/auth", mogh_auth_server::api::router::<KomodoAuthImpl>())
+    .nest("/user", user_router())
+    .nest("/read", read::router())
+    .nest("/write", write::router())
+    .nest("/execute", execute::router())
+    .nest("/terminal", terminal::router())
+    .nest("/listener", listener::router())
+    .nest("/ws", ws::router())
+    .nest("/client", ts_client::router())
+    .layer(memory_session_layer(config))
+    .fallback_service(serve_static_ui(
+      &config.ui_path,
+      config.ui_index_force_no_cache,
+    ))
+    .layer(cors_layer(config))
+}
+
+fn user_router() -> Router {
+  Router::new()
+    .route(
+      "/",
+      get(|Extension(user): Extension<User>| async { Json(user) }),
+    )
+    .layer(axum::middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, false>,
+    ))
+}
--- a/bin/core/src/api/openapi/docs.html
+++ b/bin/core/src/api/openapi/docs.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<html>
+
+<head>
+  <title>Komodo API Docs</title>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+</head>
+
+<body>
+
+  <script id="api-reference" type="application/json">
+    $spec
+</script>
+  <script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
+</body>
+
+</html>
--- a/bin/core/src/api/openapi/mod.rs
+++ b/bin/core/src/api/openapi/mod.rs
@@ -0,0 +1,8 @@
+use komodo_client::openapi::KomodoApi;
+use utoipa::OpenApi as _;
+use utoipa_scalar::{Scalar, Servable as _};
+
+pub fn serve_docs() -> Scalar<utoipa::openapi::OpenApi> {
+  Scalar::with_url("/docs", KomodoApi::openapi())
+    .custom_html(include_str!("docs.html"))
+}
--- a/bin/core/src/api/read/action.rs
+++ b/bin/core/src/api/read/action.rs
@@ -8,7 +8,7 @@ use komodo_client::{
    permission::PermissionLevel,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  helpers::query::get_all_tags,
@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetAction {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
    Ok(
      get_check_permissions::<Action>(
        &self.action,
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for ListActions {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ActionListItem>> {
+  ) -> mogh_error::Result<Vec<ActionListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -61,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullActions {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullActionsResponse> {
+  ) -> mogh_error::Result<ListFullActionsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -83,7 +83,7 @@ impl Resolve<ReadArgs> for GetActionActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ActionActionState> {
+  ) -> mogh_error::Result<ActionActionState> {
    let action = get_check_permissions::<Action>(
      &self.action,
      user,
@@ -104,7 +104,7 @@ impl Resolve<ReadArgs> for GetActionsSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetActionsSummaryResponse> {
+  ) -> mogh_error::Result<GetActionsSummaryResponse> {
    let actions = resource::list_full_for_user::<Action>(
      Default::default(),
      user,
@@ -131,8 +131,8 @@ impl Resolve<ReadArgs> for GetActionsSummary {
          .unwrap_or_default()
          .get()?,
      ) {
-        (_, action_states) if action_states.running => {
-          res.running += 1;
+        (_, action_states) if action_states.running > 0 => {
+          res.running += action_states.running;
        }
        (ActionState::Ok, _) => res.ok += 1,
        (ActionState::Failed, _) => res.failed += 1,
--- a/bin/core/src/api/read/alert.rs
+++ b/bin/core/src/api/read/alert.rs
@@ -8,15 +8,15 @@ use komodo_client::{
  api::read::{
    GetAlert, GetAlertResponse, ListAlerts, ListAlertsResponse,
  },
-  entities::{
-    deployment::Deployment, server::Server, stack::Stack,
-    sync::ResourceSync,
-  },
+  entities::permission::PermissionLevel,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config, permission::get_resource_ids_for_user,
+  config::core_config,
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
  state::db_client,
 };

@@ -28,26 +28,11 @@ impl Resolve<ReadArgs> for ListAlerts {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListAlertsResponse> {
-    let mut query = self.query.unwrap_or_default();
-    if !user.admin && !core_config().transparent_mode {
-      let server_ids =
-        get_resource_ids_for_user::<Server>(user).await?;
-      let stack_ids =
-        get_resource_ids_for_user::<Stack>(user).await?;
-      let deployment_ids =
-        get_resource_ids_for_user::<Deployment>(user).await?;
-      let sync_ids =
-        get_resource_ids_for_user::<ResourceSync>(user).await?;
-      query.extend(doc! {
-        "$or": [
-          { "target.type": "Server", "target.id": { "$in": &server_ids } },
-          { "target.type": "Stack", "target.id": { "$in": &stack_ids } },
-          { "target.type": "Deployment", "target.id": { "$in": &deployment_ids } },
-          { "target.type": "ResourceSync", "target.id": { "$in": &sync_ids } },
-        ]
-      });
-    }
+  ) -> mogh_error::Result<ListAlertsResponse> {
+    // Alerts
+    let query = user_resource_target_query(user, self.query)
+      .await?
+      .unwrap_or_default();

    let alerts = find_collect(
      &db_client().alerts,
@@ -76,13 +61,21 @@ impl Resolve<ReadArgs> for ListAlerts {
 impl Resolve<ReadArgs> for GetAlert {
  async fn resolve(
    self,
-    _: &ReadArgs,
-  ) -> serror::Result<GetAlertResponse> {
-    Ok(
-      find_one_by_id(&db_client().alerts, &self.id)
-        .await
-        .context("failed to query db for alert")?
-        .context("no alert found with given id")?,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetAlertResponse> {
+    let alert = find_one_by_id(&db_client().alerts, &self.id)
+      .await
+      .context("failed to query db for alert")?
+      .context("no alert found with given id")?;
+    if user.admin || core_config().transparent_mode {
+      return Ok(alert);
+    }
+    check_user_target_access(
+      &alert.target,
+      user,
+      PermissionLevel::Read.into(),
    )
+    .await?;
+    Ok(alert)
  }
 }
--- a/bin/core/src/api/read/alerter.rs
+++ b/bin/core/src/api/read/alerter.rs
@@ -8,11 +8,13 @@ use komodo_client::{
    permission::PermissionLevel,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  helpers::query::get_all_tags, permission::get_check_permissions,
-  resource, state::db_client,
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
+  resource,
+  state::db_client,
 };

 use super::ReadArgs;
@@ -21,7 +23,7 @@ impl Resolve<ReadArgs> for GetAlerter {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
    Ok(
      get_check_permissions::<Alerter>(
        &self.alerter,
@@ -37,7 +39,7 @@ impl Resolve<ReadArgs> for ListAlerters {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<AlerterListItem>> {
+  ) -> mogh_error::Result<Vec<AlerterListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -59,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullAlerters {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullAlertersResponse> {
+  ) -> mogh_error::Result<ListFullAlertersResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -81,10 +83,12 @@ impl Resolve<ReadArgs> for GetAlertersSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetAlertersSummaryResponse> {
-    let query = match resource::get_resource_object_ids_for_user::<
-      Alerter,
-    >(user)
+  ) -> mogh_error::Result<GetAlertersSummaryResponse> {
+    let query = match list_resource_ids_for_user::<Alerter>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
    .await?
    {
      Some(ids) => doc! {
--- a/bin/core/src/api/read/build.rs
+++ b/bin/core/src/api/read/build.rs
@@ -6,27 +6,23 @@ use database::mungos::{
  find::find_collect,
  mongodb::{bson::doc, options::FindOptions},
 };
-use futures::TryStreamExt;
+use futures_util::TryStreamExt;
 use komodo_client::{
  api::read::*,
  entities::{
    Operation,
    build::{Build, BuildActionState, BuildListItem, BuildState},
-    config::core::CoreConfig,
    permission::PermissionLevel,
    update::UpdateStatus,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config,
  helpers::query::get_all_tags,
  permission::get_check_permissions,
  resource,
-  state::{
-    action_states, build_state_cache, db_client, github_client,
-  },
+  state::{action_states, build_state_cache, db_client},
 };

 use super::ReadArgs;
@@ -35,7 +31,7 @@ impl Resolve<ReadArgs> for GetBuild {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
    Ok(
      get_check_permissions::<Build>(
        &self.build,
@@ -51,7 +47,7 @@ impl Resolve<ReadArgs> for ListBuilds {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuildListItem>> {
+  ) -> mogh_error::Result<Vec<BuildListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -73,7 +69,7 @@ impl Resolve<ReadArgs> for ListFullBuilds {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullBuildsResponse> {
+  ) -> mogh_error::Result<ListFullBuildsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -95,7 +91,7 @@ impl Resolve<ReadArgs> for GetBuildActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<BuildActionState> {
+  ) -> mogh_error::Result<BuildActionState> {
    let build = get_check_permissions::<Build>(
      &self.build,
      user,
@@ -116,7 +112,7 @@ impl Resolve<ReadArgs> for GetBuildsSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildsSummaryResponse> {
+  ) -> mogh_error::Result<GetBuildsSummaryResponse> {
    let builds = resource::list_full_for_user::<Build>(
      Default::default(),
      user,
@@ -164,7 +160,7 @@ impl Resolve<ReadArgs> for GetBuildMonthlyStats {
  async fn resolve(
    self,
    _: &ReadArgs,
-  ) -> serror::Result<GetBuildMonthlyStatsResponse> {
+  ) -> mogh_error::Result<GetBuildMonthlyStatsResponse> {
    let curr_ts = unix_timestamp_ms() as i64;
    let next_day = curr_ts - curr_ts % ONE_DAY_MS + ONE_DAY_MS;

@@ -220,7 +216,7 @@ impl Resolve<ReadArgs> for ListBuildVersions {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuildVersionResponseItem>> {
+  ) -> mogh_error::Result<Vec<BuildVersionResponseItem>> {
    let ListBuildVersions {
      build,
      major,
@@ -277,7 +273,7 @@ impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonBuildExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonBuildExtraArgsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -306,81 +302,3 @@ impl Resolve<ReadArgs> for ListCommonBuildExtraArgs {
    Ok(res)
  }
 }
-
-impl Resolve<ReadArgs> for GetBuildWebhookEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildWebhookEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if build.config.git_provider != "github.com"
-      || build.config.repo.is_empty()
-    {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetBuildWebhookEnabledResponse {
-        managed: false,
-        enabled: false,
-      });
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(GetBuildWebhookEnabledResponse {
-          managed: true,
-          enabled: true,
-        });
-      }
-    }
-
-    Ok(GetBuildWebhookEnabledResponse {
-      managed: true,
-      enabled: false,
-    })
-  }
-}
--- a/bin/core/src/api/read/builder.rs
+++ b/bin/core/src/api/read/builder.rs
@@ -8,11 +8,13 @@ use komodo_client::{
    permission::PermissionLevel,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  helpers::query::get_all_tags, permission::get_check_permissions,
-  resource, state::db_client,
+  helpers::query::get_all_tags,
+  permission::{get_check_permissions, list_resource_ids_for_user},
+  resource,
+  state::db_client,
 };

 use super::ReadArgs;
@@ -21,7 +23,7 @@ impl Resolve<ReadArgs> for GetBuilder {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
    Ok(
      get_check_permissions::<Builder>(
        &self.builder,
@@ -37,7 +39,7 @@ impl Resolve<ReadArgs> for ListBuilders {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<BuilderListItem>> {
+  ) -> mogh_error::Result<Vec<BuilderListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -59,7 +61,7 @@ impl Resolve<ReadArgs> for ListFullBuilders {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullBuildersResponse> {
+  ) -> mogh_error::Result<ListFullBuildersResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -81,10 +83,12 @@ impl Resolve<ReadArgs> for GetBuildersSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetBuildersSummaryResponse> {
-    let query = match resource::get_resource_object_ids_for_user::<
-      Builder,
-    >(user)
+  ) -> mogh_error::Result<GetBuildersSummaryResponse> {
+    let query = match list_resource_ids_for_user::<Builder>(
+      None,
+      user,
+      PermissionLevel::Read.into(),
+    )
    .await?
    {
      Some(ids) => doc! {
--- a/bin/core/src/api/read/deployment.rs
+++ b/bin/core/src/api/read/deployment.rs
@@ -4,23 +4,31 @@ use anyhow::{Context, anyhow};
 use komodo_client::{
  api::read::*,
  entities::{
+    SwarmOrServer,
    deployment::{
      Deployment, DeploymentActionState, DeploymentConfig,
      DeploymentListItem, DeploymentState,
    },
-    docker::container::{Container, ContainerStats},
+    docker::{
+      container::{Container, ContainerStats},
+      service::SwarmService,
+    },
    permission::PermissionLevel,
    server::{Server, ServerState},
    update::Log,
  },
 };
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
 use periphery_client::api::{self, container::InspectContainer};
-use resolver_api::Resolve;
+use reqwest::StatusCode;

 use crate::{
-  helpers::{periphery_client, query::get_all_tags},
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
  permission::get_check_permissions,
-  resource,
+  resource::{self, setup_deployment_execution},
  state::{
    action_states, deployment_status_cache, server_status_cache,
  },
@@ -32,7 +40,7 @@ impl Resolve<ReadArgs> for GetDeployment {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
    Ok(
      get_check_permissions::<Deployment>(
        &self.deployment,
@@ -48,7 +56,7 @@ impl Resolve<ReadArgs> for ListDeployments {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<DeploymentListItem>> {
+  ) -> mogh_error::Result<Vec<DeploymentListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -78,7 +86,7 @@ impl Resolve<ReadArgs> for ListFullDeployments {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullDeploymentsResponse> {
+  ) -> mogh_error::Result<ListFullDeploymentsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -100,7 +108,7 @@ impl Resolve<ReadArgs> for GetDeploymentContainer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDeploymentContainerResponse> {
+  ) -> mogh_error::Result<GetDeploymentContainerResponse> {
    let deployment = get_check_permissions::<Deployment>(
      &self.deployment,
      user,
@@ -125,35 +133,49 @@ impl Resolve<ReadArgs> for GetDeploymentLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
    let GetDeploymentLog {
      deployment,
      tail,
      timestamps,
    } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
      &deployment,
      user,
      PermissionLevel::Read.logs(),
    )
    .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
-    }
-    let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
-      .request(api::container::GetContainerLog {
-        name,
-        tail: cmp::min(tail, MAX_LOG_LENGTH),
-        timestamps,
-      })
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLog {
+          service: deployment.name,
+          tail,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
      .await
-      .context("failed at call to periphery")?;
-    Ok(res)
+      .context("Failed to get service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLog {
+          name: deployment.name,
+          tail: cmp::min(tail, MAX_LOG_LENGTH),
+          timestamps,
+        })
+        .await
+        .context("failed at call to periphery")?,
+    };
+
+    Ok(log)
  }
 }

@@ -161,7 +183,7 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
    let SearchDeploymentLog {
      deployment,
      terms,
@@ -169,31 +191,47 @@ impl Resolve<ReadArgs> for SearchDeploymentLog {
      invert,
      timestamps,
    } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+
+    let (deployment, swarm_or_server) = setup_deployment_execution(
      &deployment,
      user,
      PermissionLevel::Read.logs(),
    )
    .await?;
-    if server_id.is_empty() {
-      return Ok(Log::default());
-    }
-    let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
-      .request(api::container::GetContainerLogSearch {
-        name,
-        terms,
-        combinator,
-        invert,
-        timestamps,
-      })
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => swarm_request(
+        &swarm.config.server_ids,
+        periphery_client::api::swarm::GetSwarmServiceLogSearch {
+          service: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+          no_task_ids: false,
+          no_resolve: false,
+          details: false,
+        },
+      )
      .await
-      .context("failed at call to periphery")?;
-    Ok(res)
+      .context("Failed to search service log from swarm")?,
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(api::container::GetContainerLogSearch {
+          name: deployment.name,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search container log from server")?,
+    };
+
+    Ok(log)
  }
 }

@@ -201,43 +239,80 @@ impl Resolve<ReadArgs> for InspectDeploymentContainer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
    let InspectDeploymentContainer { deployment } = self;
-    let Deployment {
-      name,
-      config: DeploymentConfig { server_id, .. },
-      ..
-    } = get_check_permissions::<Deployment>(
+    let (deployment, swarm_or_server) = setup_deployment_execution(
      &deployment,
      user,
      PermissionLevel::Read.inspect(),
    )
    .await?;
-    if server_id.is_empty() {
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
      return Err(
        anyhow!(
-          "Cannot inspect deployment, not attached to any server"
+          "InspectDeploymentContainer should not be called for Deployment in Swarm Mode"
        )
-        .into(),
+        .status_code(StatusCode::BAD_REQUEST),
      );
-    }
-    let server = resource::get::<Server>(&server_id).await?;
+    };
+
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
+
    if cache.state != ServerState::Ok {
      return Err(
        anyhow!(
-          "Cannot inspect container: server is {:?}",
+          "Cannot inspect container: Server is {:?}",
          cache.state
        )
        .into(),
      );
    }
-    let res = periphery_client(&server)?
-      .request(InspectContainer { name })
-      .await?;
-    Ok(res)
+
+    periphery_client(&server)
+      .await?
+      .request(InspectContainer {
+        name: deployment.name,
+      })
+      .await
+      .context("Failed to inspect container on server")
+      .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectDeploymentSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectDeploymentSwarmService { deployment } = self;
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &deployment,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectDeploymentSwarmService should only be called for Deployment in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: deployment.name,
+      },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
  }
 }

@@ -245,7 +320,7 @@ impl Resolve<ReadArgs> for GetDeploymentStats {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ContainerStats> {
+  ) -> mogh_error::Result<ContainerStats> {
    let Deployment {
      name,
      config: DeploymentConfig { server_id, .. },
@@ -262,7 +337,8 @@ impl Resolve<ReadArgs> for GetDeploymentStats {
      );
    }
    let server = resource::get::<Server>(&server_id).await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(api::container::GetContainerStats { name })
      .await
      .context("failed to get stats from periphery")?;
@@ -274,7 +350,7 @@ impl Resolve<ReadArgs> for GetDeploymentActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<DeploymentActionState> {
+  ) -> mogh_error::Result<DeploymentActionState> {
    let deployment = get_check_permissions::<Deployment>(
      &self.deployment,
      user,
@@ -295,7 +371,7 @@ impl Resolve<ReadArgs> for GetDeploymentsSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDeploymentsSummaryResponse> {
+  ) -> mogh_error::Result<GetDeploymentsSummaryResponse> {
    let deployments = resource::list_full_for_user::<Deployment>(
      Default::default(),
      user,
@@ -321,7 +397,9 @@ impl Resolve<ReadArgs> for GetDeploymentsSummary {
          res.not_deployed += 1;
        }
        DeploymentState::Unknown => {
-          res.unknown += 1;
+          if !deployment.template {
+            res.unknown += 1;
+          }
        }
        _ => {
          res.unhealthy += 1;
@@ -336,7 +414,7 @@ impl Resolve<ReadArgs> for ListCommonDeploymentExtraArgs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonDeploymentExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonDeploymentExtraArgsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
--- a/bin/core/src/api/read/mod.rs
+++ b/bin/core/src/api/read/mod.rs
@@ -1,4 +1,4 @@
-use std::{collections::HashSet, sync::OnceLock, time::Instant};
+use std::collections::HashSet;

 use anyhow::{Context, anyhow};
 use axum::{
@@ -18,16 +18,21 @@ use komodo_client::{
    user::User,
  },
 };
-use resolver_api::Resolve;
-use response::Response;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Response;
+use mogh_error::{AddStatusCodeError, Json};
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
+use strum::{Display, EnumDiscriminants};
 use typeshare::typeshare;
 use uuid::Uuid;

 use crate::{
-  auth::auth_request, config::core_config, helpers::periphery_client,
+  auth::KomodoAuthImpl,
+  config::{core_config, core_keys},
+  helpers::periphery_client,
  resource,
 };

@@ -39,6 +44,7 @@ mod alerter;
 mod build;
 mod builder;
 mod deployment;
+mod onboarding_key;
 mod permission;
 mod procedure;
 mod provider;
@@ -46,8 +52,10 @@ mod repo;
 mod schedule;
 mod server;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
+mod terminal;
 mod toml;
 mod update;
 mod user;
@@ -59,10 +67,13 @@ pub struct ReadArgs {
 }

 #[typeshare]
-#[derive(Serialize, Deserialize, Debug, Clone, Resolve)]
+#[derive(
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
+)]
+#[strum_discriminants(name(ReadRequestMethod), derive(Display))]
 #[args(ReadArgs)]
 #[response(Response)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 enum ReadRequest {
  GetVersion(GetVersion),
@@ -71,19 +82,108 @@ enum ReadRequest {
  ListGitProvidersFromConfig(ListGitProvidersFromConfig),
  ListDockerRegistriesFromConfig(ListDockerRegistriesFromConfig),

-  // ==== USER ====
-  GetUsername(GetUsername),
-  GetPermission(GetPermission),
-  FindUser(FindUser),
-  ListUsers(ListUsers),
-  ListApiKeys(ListApiKeys),
-  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
-  ListPermissions(ListPermissions),
-  ListUserTargetPermissions(ListUserTargetPermissions),
+  // ==== SWARM ====
+  GetSwarmsSummary(GetSwarmsSummary),
+  GetSwarm(GetSwarm),
+  GetSwarmActionState(GetSwarmActionState),
+  ListSwarms(ListSwarms),
+  InspectSwarm(InspectSwarm),
+  ListFullSwarms(ListFullSwarms),
+  ListSwarmNodes(ListSwarmNodes),
+  InspectSwarmNode(InspectSwarmNode),
+  ListSwarmConfigs(ListSwarmConfigs),
+  InspectSwarmConfig(InspectSwarmConfig),
+  ListSwarmSecrets(ListSwarmSecrets),
+  InspectSwarmSecret(InspectSwarmSecret),
+  ListSwarmStacks(ListSwarmStacks),
+  InspectSwarmStack(InspectSwarmStack),
+  ListSwarmTasks(ListSwarmTasks),
+  InspectSwarmTask(InspectSwarmTask),
+  ListSwarmServices(ListSwarmServices),
+  InspectSwarmService(InspectSwarmService),
+  GetSwarmServiceLog(GetSwarmServiceLog),
+  SearchSwarmServiceLog(SearchSwarmServiceLog),
+  ListSwarmNetworks(ListSwarmNetworks),

-  // ==== USER GROUP ====
-  GetUserGroup(GetUserGroup),
-  ListUserGroups(ListUserGroups),
+  // ==== SERVER ====
+  GetServersSummary(GetServersSummary),
+  GetServer(GetServer),
+  GetServerState(GetServerState),
+  GetPeripheryInformation(GetPeripheryInformation),
+  GetServerActionState(GetServerActionState),
+  ListServers(ListServers),
+  ListFullServers(ListFullServers),
+
+  // ==== TERMINAL ====
+  ListTerminals(ListTerminals),
+
+  // ==== DOCKER ====
+  GetDockerContainersSummary(GetDockerContainersSummary),
+  ListAllDockerContainers(ListAllDockerContainers),
+  ListDockerContainers(ListDockerContainers),
+  InspectDockerContainer(InspectDockerContainer),
+  GetResourceMatchingContainer(GetResourceMatchingContainer),
+  GetContainerLog(GetContainerLog),
+  SearchContainerLog(SearchContainerLog),
+  ListComposeProjects(ListComposeProjects),
+  ListDockerNetworks(ListDockerNetworks),
+  InspectDockerNetwork(InspectDockerNetwork),
+  ListDockerImages(ListDockerImages),
+  InspectDockerImage(InspectDockerImage),
+  ListDockerImageHistory(ListDockerImageHistory),
+  ListDockerVolumes(ListDockerVolumes),
+  InspectDockerVolume(InspectDockerVolume),
+
+  // ==== SERVER STATS ====
+  GetSystemInformation(GetSystemInformation),
+  GetSystemStats(GetSystemStats),
+  GetHistoricalServerStats(GetHistoricalServerStats),
+  ListSystemProcesses(ListSystemProcesses),
+
+  // ==== STACK ====
+  GetStacksSummary(GetStacksSummary),
+  GetStack(GetStack),
+  GetStackActionState(GetStackActionState),
+  GetStackLog(GetStackLog),
+  SearchStackLog(SearchStackLog),
+  InspectStackContainer(InspectStackContainer),
+  InspectStackSwarmService(InspectStackSwarmService),
+  ListStacks(ListStacks),
+  ListFullStacks(ListFullStacks),
+  ListStackServices(ListStackServices),
+  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
+  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
+
+  // ==== DEPLOYMENT ====
+  GetDeploymentsSummary(GetDeploymentsSummary),
+  GetDeployment(GetDeployment),
+  GetDeploymentContainer(GetDeploymentContainer),
+  GetDeploymentActionState(GetDeploymentActionState),
+  GetDeploymentStats(GetDeploymentStats),
+  GetDeploymentLog(GetDeploymentLog),
+  SearchDeploymentLog(SearchDeploymentLog),
+  InspectDeploymentContainer(InspectDeploymentContainer),
+  InspectDeploymentSwarmService(InspectDeploymentSwarmService),
+  ListDeployments(ListDeployments),
+  ListFullDeployments(ListFullDeployments),
+  ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
+
+  // ==== BUILD ====
+  GetBuildsSummary(GetBuildsSummary),
+  GetBuild(GetBuild),
+  GetBuildActionState(GetBuildActionState),
+  GetBuildMonthlyStats(GetBuildMonthlyStats),
+  ListBuildVersions(ListBuildVersions),
+  ListBuilds(ListBuilds),
+  ListFullBuilds(ListFullBuilds),
+  ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
+
+  // ==== REPO ====
+  GetReposSummary(GetReposSummary),
+  GetRepo(GetRepo),
+  GetRepoActionState(GetRepoActionState),
+  ListRepos(ListRepos),
+  ListFullRepos(ListFullRepos),

  // ==== PROCEDURE ====
  GetProceduresSummary(GetProceduresSummary),
@@ -102,88 +202,10 @@ enum ReadRequest {
  // ==== SCHEDULE ====
  ListSchedules(ListSchedules),

-  // ==== SERVER ====
-  GetServersSummary(GetServersSummary),
-  GetServer(GetServer),
-  GetServerState(GetServerState),
-  GetPeripheryVersion(GetPeripheryVersion),
-  GetServerActionState(GetServerActionState),
-  GetHistoricalServerStats(GetHistoricalServerStats),
-  ListServers(ListServers),
-  ListFullServers(ListFullServers),
-  InspectDockerContainer(InspectDockerContainer),
-  GetResourceMatchingContainer(GetResourceMatchingContainer),
-  GetContainerLog(GetContainerLog),
-  SearchContainerLog(SearchContainerLog),
-  InspectDockerNetwork(InspectDockerNetwork),
-  InspectDockerImage(InspectDockerImage),
-  ListDockerImageHistory(ListDockerImageHistory),
-  InspectDockerVolume(InspectDockerVolume),
-  GetDockerContainersSummary(GetDockerContainersSummary),
-  ListAllDockerContainers(ListAllDockerContainers),
-  ListDockerContainers(ListDockerContainers),
-  ListDockerNetworks(ListDockerNetworks),
-  ListDockerImages(ListDockerImages),
-  ListDockerVolumes(ListDockerVolumes),
-  ListComposeProjects(ListComposeProjects),
-  ListTerminals(ListTerminals),
-
-  // ==== SERVER STATS ====
-  GetSystemInformation(GetSystemInformation),
-  GetSystemStats(GetSystemStats),
-  ListSystemProcesses(ListSystemProcesses),
-
-  // ==== STACK ====
-  GetStacksSummary(GetStacksSummary),
-  GetStack(GetStack),
-  GetStackActionState(GetStackActionState),
-  GetStackWebhooksEnabled(GetStackWebhooksEnabled),
-  GetStackLog(GetStackLog),
-  SearchStackLog(SearchStackLog),
-  InspectStackContainer(InspectStackContainer),
-  ListStacks(ListStacks),
-  ListFullStacks(ListFullStacks),
-  ListStackServices(ListStackServices),
-  ListCommonStackExtraArgs(ListCommonStackExtraArgs),
-  ListCommonStackBuildExtraArgs(ListCommonStackBuildExtraArgs),
-
-  // ==== DEPLOYMENT ====
-  GetDeploymentsSummary(GetDeploymentsSummary),
-  GetDeployment(GetDeployment),
-  GetDeploymentContainer(GetDeploymentContainer),
-  GetDeploymentActionState(GetDeploymentActionState),
-  GetDeploymentStats(GetDeploymentStats),
-  GetDeploymentLog(GetDeploymentLog),
-  SearchDeploymentLog(SearchDeploymentLog),
-  InspectDeploymentContainer(InspectDeploymentContainer),
-  ListDeployments(ListDeployments),
-  ListFullDeployments(ListFullDeployments),
-  ListCommonDeploymentExtraArgs(ListCommonDeploymentExtraArgs),
-
-  // ==== BUILD ====
-  GetBuildsSummary(GetBuildsSummary),
-  GetBuild(GetBuild),
-  GetBuildActionState(GetBuildActionState),
-  GetBuildMonthlyStats(GetBuildMonthlyStats),
-  ListBuildVersions(ListBuildVersions),
-  GetBuildWebhookEnabled(GetBuildWebhookEnabled),
-  ListBuilds(ListBuilds),
-  ListFullBuilds(ListFullBuilds),
-  ListCommonBuildExtraArgs(ListCommonBuildExtraArgs),
-
-  // ==== REPO ====
-  GetReposSummary(GetReposSummary),
-  GetRepo(GetRepo),
-  GetRepoActionState(GetRepoActionState),
-  GetRepoWebhooksEnabled(GetRepoWebhooksEnabled),
-  ListRepos(ListRepos),
-  ListFullRepos(ListFullRepos),
-
  // ==== SYNC ====
  GetResourceSyncsSummary(GetResourceSyncsSummary),
  GetResourceSync(GetResourceSync),
  GetResourceSyncActionState(GetResourceSyncActionState),
-  GetSyncWebhooksEnabled(GetSyncWebhooksEnabled),
  ListResourceSyncs(ListResourceSyncs),
  ListFullResourceSyncs(ListFullResourceSyncs),

@@ -207,6 +229,20 @@ enum ReadRequest {
  GetTag(GetTag),
  ListTags(ListTags),

+  // ==== USER ====
+  GetUsername(GetUsername),
+  GetPermission(GetPermission),
+  FindUser(FindUser),
+  ListUsers(ListUsers),
+  ListApiKeys(ListApiKeys),
+  ListApiKeysForServiceUser(ListApiKeysForServiceUser),
+  ListPermissions(ListPermissions),
+  ListUserTargetPermissions(ListUserTargetPermissions),
+
+  // ==== USER GROUP ====
+  GetUserGroup(GetUserGroup),
+  ListUserGroups(ListUserGroups),
+
  // ==== UPDATE ====
  GetUpdate(GetUpdate),
  ListUpdates(ListUpdates),
@@ -224,20 +260,25 @@ enum ReadRequest {
  ListGitProviderAccounts(ListGitProviderAccounts),
  GetDockerRegistryAccount(GetDockerRegistryAccount),
  ListDockerRegistryAccounts(ListDockerRegistryAccounts),
+
+  // ==== ONBOARDING KEY ====
+  ListOnboardingKeys(ListOnboardingKeys),
 }

 pub fn router() -> Router {
  Router::new()
    .route("/", post(handler))
    .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }

 async fn variant_handler(
  user: Extension<User>,
  Path(Variant { variant }): Path<Variant>,
  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
+) -> mogh_error::Result<axum::response::Response> {
  let req: ReadRequest = serde_json::from_value(json!({
    "type": variant,
    "params": params,
@@ -245,20 +286,37 @@ async fn variant_handler(
  handler(user, Json(req)).await
 }

-#[instrument(name = "ReadHandler", level = "debug", skip(user), fields(user_id = user.id))]
 async fn handler(
  Extension(user): Extension<User>,
  Json(request): Json<ReadRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
+) -> mogh_error::Result<axum::response::Response> {
  let req_id = Uuid::new_v4();
-  debug!("/read request | user: {}", user.username);
+  let method: ReadRequestMethod = (&request).into();
+
+  let user_id = user.id.clone();
+  let username = user.username.clone();
+
+  trace!(
+    req_id = req_id.to_string(),
+    method = method.to_string(),
+    user_id,
+    username,
+    "READ REQUEST",
+  );
+
  let res = request.resolve(&ReadArgs { user }).await;
+
  if let Err(e) = &res {
-    debug!("/read request {req_id} error: {:#}", e.error);
+    trace!(
+      req_id = req_id.to_string(),
+      method = method.to_string(),
+      user_id,
+      username,
+      "READ REQUEST | ERROR: {:#}",
+      e.error
+    );
  }
-  let elapsed = timer.elapsed();
-  debug!("/read request {req_id} | resolve time: {elapsed:?}");
+
  res.map(|res| res.0)
 }

@@ -266,18 +324,22 @@ impl Resolve<ReadArgs> for GetVersion {
  async fn resolve(
    self,
    _: &ReadArgs,
-  ) -> serror::Result<GetVersionResponse> {
+  ) -> mogh_error::Result<GetVersionResponse> {
    Ok(GetVersionResponse {
      version: env!("CARGO_PKG_VERSION").to_string(),
    })
  }
 }

-fn core_info() -> &'static GetCoreInfoResponse {
-  static CORE_INFO: OnceLock<GetCoreInfoResponse> = OnceLock::new();
-  CORE_INFO.get_or_init(|| {
+//
+
+impl Resolve<ReadArgs> for GetCoreInfo {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<GetCoreInfoResponse> {
    let config = core_config();
-    GetCoreInfoResponse {
+    let info = GetCoreInfoResponse {
      title: config.title.clone(),
      monitoring_interval: config.monitoring_interval,
      webhook_base_url: if config.webhook_base_url.is_empty() {
@@ -291,31 +353,20 @@ fn core_info() -> &'static GetCoreInfoResponse {
      disable_non_admin_create: config.disable_non_admin_create,
      disable_websocket_reconnect: config.disable_websocket_reconnect,
      enable_fancy_toml: config.enable_fancy_toml,
-      github_webhook_owners: config
-        .github_webhook_app
-        .installations
-        .iter()
-        .map(|i| i.namespace.to_string())
-        .collect(),
      timezone: config.timezone.clone(),
-    }
-  })
-}
-
-impl Resolve<ReadArgs> for GetCoreInfo {
-  async fn resolve(
-    self,
-    _: &ReadArgs,
-  ) -> serror::Result<GetCoreInfoResponse> {
-    Ok(core_info().clone())
+      public_key: core_keys().load().public.to_string(),
+    };
+    Ok(info)
  }
 }

+//
+
 impl Resolve<ReadArgs> for ListSecrets {
  async fn resolve(
    self,
    _: &ReadArgs,
-  ) -> serror::Result<ListSecretsResponse> {
+  ) -> mogh_error::Result<ListSecretsResponse> {
    let mut secrets = core_config()
      .secrets
      .keys()
@@ -337,13 +388,15 @@ impl Resolve<ReadArgs> for ListSecrets {
        }
        _ => {
          return Err(
-            anyhow!("target must be `Server` or `Builder`").into(),
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
          );
        }
      };
      if let Some(id) = server_id {
        let server = resource::get::<Server>(&id).await?;
-        let more = periphery_client(&server)?
+        let more = periphery_client(&server)
+          .await?
          .request(periphery_client::api::ListSecrets {})
          .await
          .with_context(|| {
@@ -363,11 +416,13 @@ impl Resolve<ReadArgs> for ListSecrets {
  }
 }

+//
+
 impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListGitProvidersFromConfigResponse> {
+  ) -> mogh_error::Result<ListGitProvidersFromConfigResponse> {
    let mut providers = core_config().git_providers.clone();

    if let Some(target) = self.target {
@@ -395,7 +450,8 @@ impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
        }
        _ => {
          return Err(
-            anyhow!("target must be `Server` or `Builder`").into(),
+            anyhow!("target must be `Server` or `Builder`")
+              .status_code(StatusCode::BAD_REQUEST),
          );
        }
      }
@@ -465,11 +521,13 @@ impl Resolve<ReadArgs> for ListGitProvidersFromConfig {
  }
 }

+//
+
 impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
  async fn resolve(
    self,
    _: &ReadArgs,
-  ) -> serror::Result<ListDockerRegistriesFromConfigResponse> {
+  ) -> mogh_error::Result<ListDockerRegistriesFromConfigResponse> {
    let mut registries = core_config().docker_registries.clone();

    if let Some(target) = self.target {
@@ -513,9 +571,10 @@ impl Resolve<ReadArgs> for ListDockerRegistriesFromConfig {
 async fn merge_git_providers_for_server(
  providers: &mut Vec<GitProvider>,
  server_id: &str,
-) -> serror::Result<()> {
+) -> mogh_error::Result<()> {
  let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
    .request(periphery_client::api::ListGitProviders {})
    .await
    .with_context(|| {
@@ -551,9 +610,10 @@ fn merge_git_providers(
 async fn merge_docker_registries_for_server(
  registries: &mut Vec<DockerRegistry>,
  server_id: &str,
-) -> serror::Result<()> {
+) -> mogh_error::Result<()> {
  let server = resource::get::<Server>(server_id).await?;
-  let more = periphery_client(&server)?
+  let more = periphery_client(&server)
+    .await?
    .request(periphery_client::api::ListDockerRegistries {})
    .await
    .with_context(|| {
--- a/bin/core/src/api/read/onboarding_key.rs
+++ b/bin/core/src/api/read/onboarding_key.rs
@@ -0,0 +1,51 @@
+use std::cmp::Ordering;
+
+use anyhow::{Context, anyhow};
+use database::mungos::find::find_collect;
+use komodo_client::api::read::{
+  ListOnboardingKeys, ListOnboardingKeysResponse,
+};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{api::read::ReadArgs, state::db_client};
+
+//
+
+impl Resolve<ReadArgs> for ListOnboardingKeys {
+  async fn resolve(
+    self,
+    ReadArgs { user: admin }: &ReadArgs,
+  ) -> mogh_error::Result<ListOnboardingKeysResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let mut keys =
+      find_collect(&db_client().onboarding_keys, None, None)
+        .await
+        .context(
+          "Failed to query database for Server onboarding keys",
+        )?;
+
+    // No expiry keys first, followed
+    keys.sort_by(|a, b| {
+      if a.expires == b.expires {
+        Ordering::Equal
+      } else if a.expires == 0 {
+        Ordering::Less
+      } else if b.expires == 0 {
+        Ordering::Greater
+      } else {
+        // Descending
+        b.expires.cmp(&a.expires)
+      }
+    });
+
+    Ok(keys)
+  }
+}
--- a/bin/core/src/api/read/permission.rs
+++ b/bin/core/src/api/read/permission.rs
@@ -8,7 +8,7 @@ use komodo_client::{
  },
  entities::permission::PermissionLevel,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  helpers::query::get_user_permission_on_target, state::db_client,
@@ -20,7 +20,7 @@ impl Resolve<ReadArgs> for ListPermissions {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListPermissionsResponse> {
+  ) -> mogh_error::Result<ListPermissionsResponse> {
    let res = find_collect(
      &db_client().permissions,
      doc! {
@@ -39,7 +39,7 @@ impl Resolve<ReadArgs> for GetPermission {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPermissionResponse> {
+  ) -> mogh_error::Result<GetPermissionResponse> {
    if user.admin {
      return Ok(PermissionLevel::Write.all());
    }
@@ -51,7 +51,7 @@ impl Resolve<ReadArgs> for ListUserTargetPermissions {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUserTargetPermissionsResponse> {
+  ) -> mogh_error::Result<ListUserTargetPermissionsResponse> {
    if !user.admin {
      return Err(anyhow!("this method is admin only").into());
    }
--- a/bin/core/src/api/read/procedure.rs
+++ b/bin/core/src/api/read/procedure.rs
@@ -6,7 +6,7 @@ use komodo_client::{
    procedure::{Procedure, ProcedureState},
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  helpers::query::get_all_tags,
@@ -21,7 +21,7 @@ impl Resolve<ReadArgs> for GetProcedure {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProcedureResponse> {
+  ) -> mogh_error::Result<GetProcedureResponse> {
    Ok(
      get_check_permissions::<Procedure>(
        &self.procedure,
@@ -37,7 +37,7 @@ impl Resolve<ReadArgs> for ListProcedures {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListProceduresResponse> {
+  ) -> mogh_error::Result<ListProceduresResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -59,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullProcedures {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullProceduresResponse> {
+  ) -> mogh_error::Result<ListFullProceduresResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -81,7 +81,7 @@ impl Resolve<ReadArgs> for GetProceduresSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProceduresSummaryResponse> {
+  ) -> mogh_error::Result<GetProceduresSummaryResponse> {
    let procedures = resource::list_full_for_user::<Procedure>(
      Default::default(),
      user,
@@ -127,7 +127,7 @@ impl Resolve<ReadArgs> for GetProcedureActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetProcedureActionStateResponse> {
+  ) -> mogh_error::Result<GetProcedureActionStateResponse> {
    let procedure = get_check_permissions::<Procedure>(
      &self.procedure,
      user,
--- a/bin/core/src/api/read/provider.rs
+++ b/bin/core/src/api/read/provider.rs
@@ -5,7 +5,7 @@ use database::mungos::{
  mongodb::options::FindOptions,
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::state::db_client;

@@ -15,7 +15,7 @@ impl Resolve<ReadArgs> for GetGitProviderAccount {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetGitProviderAccountResponse> {
+  ) -> mogh_error::Result<GetGitProviderAccountResponse> {
    if !user.admin {
      return Err(
        anyhow!("Only admins can read git provider accounts").into(),
@@ -35,7 +35,7 @@ impl Resolve<ReadArgs> for ListGitProviderAccounts {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListGitProviderAccountsResponse> {
+  ) -> mogh_error::Result<ListGitProviderAccountsResponse> {
    if !user.admin {
      return Err(
        anyhow!("Only admins can read git provider accounts").into(),
@@ -65,7 +65,7 @@ impl Resolve<ReadArgs> for GetDockerRegistryAccount {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDockerRegistryAccountResponse> {
+  ) -> mogh_error::Result<GetDockerRegistryAccountResponse> {
    if !user.admin {
      return Err(
        anyhow!("Only admins can read docker registry accounts")
@@ -87,7 +87,7 @@ impl Resolve<ReadArgs> for ListDockerRegistryAccounts {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerRegistryAccountsResponse> {
+  ) -> mogh_error::Result<ListDockerRegistryAccountsResponse> {
    if !user.admin {
      return Err(
        anyhow!("Only admins can read docker registry accounts")
--- a/bin/core/src/api/read/repo.rs
+++ b/bin/core/src/api/read/repo.rs
@@ -2,19 +2,17 @@ use anyhow::Context;
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
    permission::PermissionLevel,
    repo::{Repo, RepoActionState, RepoListItem, RepoState},
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config,
  helpers::query::get_all_tags,
  permission::get_check_permissions,
  resource,
-  state::{action_states, github_client, repo_state_cache},
+  state::{action_states, repo_state_cache},
 };

 use super::ReadArgs;
@@ -23,7 +21,7 @@ impl Resolve<ReadArgs> for GetRepo {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Repo> {
+  ) -> mogh_error::Result<Repo> {
    Ok(
      get_check_permissions::<Repo>(
        &self.repo,
@@ -39,7 +37,7 @@ impl Resolve<ReadArgs> for ListRepos {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<RepoListItem>> {
+  ) -> mogh_error::Result<Vec<RepoListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -61,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullRepos {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullReposResponse> {
+  ) -> mogh_error::Result<ListFullReposResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -83,7 +81,7 @@ impl Resolve<ReadArgs> for GetRepoActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<RepoActionState> {
+  ) -> mogh_error::Result<RepoActionState> {
    let repo = get_check_permissions::<Repo>(
      &self.repo,
      user,
@@ -104,7 +102,7 @@ impl Resolve<ReadArgs> for GetReposSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetReposSummaryResponse> {
+  ) -> mogh_error::Result<GetReposSummaryResponse> {
    let repos = resource::list_full_for_user::<Repo>(
      Default::default(),
      user,
@@ -142,7 +140,11 @@ impl Resolve<ReadArgs> for GetReposSummary {
        }
        (RepoState::Ok, _) => res.ok += 1,
        (RepoState::Failed, _) => res.failed += 1,
-        (RepoState::Unknown, _) => res.unknown += 1,
+        (RepoState::Unknown, _) => {
+          if !repo.template {
+            res.unknown += 1
+          }
+        }
        // will never come off the cache in the building state, since that comes from action states
        (RepoState::Cloning, _)
        | (RepoState::Pulling, _)
@@ -155,104 +157,3 @@ impl Resolve<ReadArgs> for GetReposSummary {
    Ok(res)
  }
 }
-
-impl Resolve<ReadArgs> for GetRepoWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetRepoWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo = get_check_permissions::<Repo>(
-      &self.repo,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if repo.config.git_provider != "github.com"
-      || repo.config.repo.is_empty()
-    {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    }
-
-    let mut split = repo.config.repo.split('/');
-    let owner = split.next().context("Repo repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetRepoWebhooksEnabledResponse {
-        managed: false,
-        clone_enabled: false,
-        pull_enabled: false,
-        build_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let clone_url =
-      format!("{host}/listener/github/repo/{}/clone", repo.id);
-    let pull_url =
-      format!("{host}/listener/github/repo/{}/pull", repo.id);
-    let build_url =
-      format!("{host}/listener/github/repo/{}/build", repo.id);
-
-    let mut clone_enabled = false;
-    let mut pull_enabled = false;
-    let mut build_enabled = false;
-
-    for webhook in webhooks {
-      if !webhook.active {
-        continue;
-      }
-      if webhook.config.url == clone_url {
-        clone_enabled = true
-      }
-      if webhook.config.url == pull_url {
-        pull_enabled = true
-      }
-      if webhook.config.url == build_url {
-        build_enabled = true
-      }
-    }
-
-    Ok(GetRepoWebhooksEnabledResponse {
-      managed: true,
-      clone_enabled,
-      pull_enabled,
-      build_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/schedule.rs
+++ b/bin/core/src/api/read/schedule.rs
@@ -1,4 +1,4 @@
-use futures::future::join_all;
+use futures_util::future::join_all;
 use komodo_client::{
  api::read::*,
  entities::{
@@ -10,7 +10,7 @@ use komodo_client::{
    schedule::Schedule,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  helpers::query::{get_all_tags, get_last_run_at},
@@ -24,7 +24,7 @@ impl Resolve<ReadArgs> for ListSchedules {
  async fn resolve(
    self,
    args: &ReadArgs,
-  ) -> serror::Result<Vec<Schedule>> {
+  ) -> mogh_error::Result<Vec<Schedule>> {
    let all_tags = get_all_tags(None).await?;
    let (actions, procedures) = tokio::try_join!(
      list_full_for_user::<Action>(
--- a/bin/core/src/api/read/server.rs
+++ b/bin/core/src/api/read/server.rs
@@ -25,33 +25,31 @@ use komodo_client::{
      network::Network,
      volume::Volume,
    },
-    komodo_timestamp,
    permission::PermissionLevel,
    server::{
-      Server, ServerActionState, ServerListItem, ServerState,
-      TerminalInfo,
+      Server, ServerActionState, ServerListItem, ServerQuery,
+      ServerState,
    },
    stack::{Stack, StackServiceNames},
    stats::{SystemInformation, SystemProcess},
    update::Log,
  },
 };
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
 use periphery_client::api::{
  self as periphery,
  container::InspectContainer,
-  image::{ImageHistory, InspectImage},
-  network::InspectNetwork,
-  volume::InspectVolume,
+  docker::{
+    ImageHistory, InspectImage, InspectNetwork, InspectVolume,
+  },
 };
-use resolver_api::Resolve;
+use reqwest::StatusCode;
 use tokio::sync::Mutex;

 use crate::{
-  helpers::{
-    periphery_client,
-    query::{get_all_tags, get_system_info},
-  },
-  permission::get_check_permissions,
+  helpers::{periphery_client, query::get_all_tags},
+  permission::{get_check_permissions, list_resources_for_user},
  resource,
  stack::compose_container_match_regex,
  state::{action_states, db_client, server_status_cache},
@@ -63,7 +61,7 @@ impl Resolve<ReadArgs> for GetServersSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServersSummaryResponse> {
+  ) -> mogh_error::Result<GetServersSummaryResponse> {
    let servers = resource::list_for_user::<Server>(
      Default::default(),
      user,
@@ -71,18 +69,29 @@ impl Resolve<ReadArgs> for GetServersSummary {
      &[],
    )
    .await?;
+
+    let core_version = env!("CARGO_PKG_VERSION");
    let mut res = GetServersSummaryResponse::default();
+
    for server in servers {
      res.total += 1;
      match server.info.state {
        ServerState::Ok => {
-          res.healthy += 1;
+          // Check for version mismatch
+          if matches!(&server.info.version, Some(version) if version != core_version)
+          {
+            res.warning += 1;
+          } else {
+            res.healthy += 1;
+          }
        }
        ServerState::NotOk => {
          res.unhealthy += 1;
        }
        ServerState::Disabled => {
-          res.disabled += 1;
+          if !server.template {
+            res.disabled += 1;
+          }
        }
      }
    }
@@ -90,31 +99,11 @@ impl Resolve<ReadArgs> for GetServersSummary {
  }
 }

-impl Resolve<ReadArgs> for GetPeripheryVersion {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetPeripheryVersionResponse> {
-    let server = get_check_permissions::<Server>(
-      &self.server,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-    let version = server_status_cache()
-      .get(&server.id)
-      .await
-      .map(|s| s.version.clone())
-      .unwrap_or(String::from("unknown"));
-    Ok(GetPeripheryVersionResponse { version })
-  }
-}
-
 impl Resolve<ReadArgs> for GetServer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Server> {
+  ) -> mogh_error::Result<Server> {
    Ok(
      get_check_permissions::<Server>(
        &self.server,
@@ -130,7 +119,7 @@ impl Resolve<ReadArgs> for ListServers {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ServerListItem>> {
+  ) -> mogh_error::Result<Vec<ServerListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -152,7 +141,7 @@ impl Resolve<ReadArgs> for ListFullServers {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullServersResponse> {
+  ) -> mogh_error::Result<ListFullServersResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -174,7 +163,7 @@ impl Resolve<ReadArgs> for GetServerState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetServerStateResponse> {
+  ) -> mogh_error::Result<GetServerStateResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -196,7 +185,7 @@ impl Resolve<ReadArgs> for GetServerActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ServerActionState> {
+  ) -> mogh_error::Result<ServerActionState> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -213,18 +202,50 @@ impl Resolve<ReadArgs> for GetServerActionState {
  }
 }

-impl Resolve<ReadArgs> for GetSystemInformation {
+impl Resolve<ReadArgs> for GetPeripheryInformation {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<SystemInformation> {
+  ) -> mogh_error::Result<GetPeripheryInformationResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
      PermissionLevel::Read.into(),
    )
    .await?;
-    get_system_info(&server).await.map_err(Into::into)
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .periphery_info
+      .as_ref()
+      .cloned()
+      .context("Server status missing Periphery Info. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSystemInformation {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SystemInformation> {
+    let server = get_check_permissions::<Server>(
+      &self.server,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await
+    .status_code(StatusCode::BAD_REQUEST)?;
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .system_info
+      .as_ref()
+      .cloned()
+      .context("Server status missing system Info. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
  }
 }

@@ -232,22 +253,22 @@ impl Resolve<ReadArgs> for GetSystemStats {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetSystemStatsResponse> {
+  ) -> mogh_error::Result<GetSystemStatsResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
      PermissionLevel::Read.into(),
    )
    .await?;
-    let status =
-      server_status_cache().get(&server.id).await.with_context(
-        || format!("did not find status for server at {}", server.id),
-      )?;
-    let stats = status
-      .stats
+    server_status_cache()
+      .get(&server.id)
+      .await
+      .context("Missing server status")?
+      .system_stats
      .as_ref()
-      .context("server stats not available")?;
-    Ok(stats.clone())
+      .cloned()
+      .context("Server status missing system stats. The Server may be disconnected.")
+      .status_code(StatusCode::INTERNAL_SERVER_ERROR)
  }
 }

@@ -264,7 +285,7 @@ impl Resolve<ReadArgs> for ListSystemProcesses {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListSystemProcessesResponse> {
+  ) -> mogh_error::Result<ListSystemProcessesResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -277,7 +298,8 @@ impl Resolve<ReadArgs> for ListSystemProcesses {
        cached.0.clone()
      }
      _ => {
-        let stats = periphery_client(&server)?
+        let stats = periphery_client(&server)
+          .await?
          .request(periphery::stats::GetSystemProcesses {})
          .await?;
        lock.insert(
@@ -298,7 +320,7 @@ impl Resolve<ReadArgs> for GetHistoricalServerStats {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetHistoricalServerStatsResponse> {
+  ) -> mogh_error::Result<GetHistoricalServerStatsResponse> {
    let GetHistoricalServerStats {
      server,
      granularity,
@@ -351,7 +373,7 @@ impl Resolve<ReadArgs> for ListDockerContainers {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerContainersResponse> {
+  ) -> mogh_error::Result<ListDockerContainersResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -361,8 +383,8 @@ impl Resolve<ReadArgs> for ListDockerContainers {
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
-    if let Some(containers) = &cache.containers {
-      Ok(containers.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.containers.clone())
    } else {
      Ok(Vec::new())
    }
@@ -373,20 +395,14 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListAllDockerContainersResponse> {
+  ) -> mogh_error::Result<ListAllDockerContainersResponse> {
    let servers = resource::list_for_user::<Server>(
-      Default::default(),
+      ServerQuery::builder().names(self.servers.clone()).build(),
      user,
      PermissionLevel::Read.into(),
      &[],
    )
-    .await?
-    .into_iter()
-    .filter(|server| {
-      self.servers.is_empty()
-        || self.servers.contains(&server.id)
-        || self.servers.contains(&server.name)
-    });
+    .await?;

    let mut containers = Vec::<ContainerListItem>::new();

@@ -394,9 +410,18 @@ impl Resolve<ReadArgs> for ListAllDockerContainers {
      let cache = server_status_cache()
        .get_or_insert_default(&server.id)
        .await;
-      if let Some(more_containers) = &cache.containers {
-        containers.extend(more_containers.clone());
-      }
+      let Some(docker) = &cache.docker else {
+        continue;
+      };
+      let more = docker
+        .containers
+        .iter()
+        .filter(|container| {
+          self.containers.is_empty()
+            || self.containers.contains(&container.name)
+        })
+        .cloned();
+      containers.extend(more);
    }

    Ok(containers)
@@ -407,7 +432,7 @@ impl Resolve<ReadArgs> for GetDockerContainersSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetDockerContainersSummaryResponse> {
+  ) -> mogh_error::Result<GetDockerContainersSummaryResponse> {
    let servers = resource::list_full_for_user::<Server>(
      Default::default(),
      user,
@@ -424,8 +449,8 @@ impl Resolve<ReadArgs> for GetDockerContainersSummary {
        .get_or_insert_default(&server.id)
        .await;

-      if let Some(containers) = &cache.containers {
-        for container in containers {
+      if let Some(docker) = &cache.docker {
+        for container in &docker.containers {
          res.total += 1;
          match container.state {
            ContainerStateStatusEnum::Created
@@ -447,7 +472,7 @@ impl Resolve<ReadArgs> for InspectDockerContainer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -466,7 +491,8 @@ impl Resolve<ReadArgs> for InspectDockerContainer {
        .into(),
      );
    }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(InspectContainer {
        name: self.container,
      })
@@ -481,7 +507,7 @@ impl Resolve<ReadArgs> for GetContainerLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
    let GetContainerLog {
      server,
      container,
@@ -494,7 +520,8 @@ impl Resolve<ReadArgs> for GetContainerLog {
      PermissionLevel::Read.logs(),
    )
    .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(periphery::container::GetContainerLog {
        name: container,
        tail: cmp::min(tail, MAX_LOG_LENGTH),
@@ -510,7 +537,7 @@ impl Resolve<ReadArgs> for SearchContainerLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Log> {
+  ) -> mogh_error::Result<Log> {
    let SearchContainerLog {
      server,
      container,
@@ -525,7 +552,8 @@ impl Resolve<ReadArgs> for SearchContainerLog {
      PermissionLevel::Read.logs(),
    )
    .await?;
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(periphery::container::GetContainerLogSearch {
        name: container,
        terms,
@@ -543,7 +571,7 @@ impl Resolve<ReadArgs> for GetResourceMatchingContainer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetResourceMatchingContainerResponse> {
+  ) -> mogh_error::Result<GetResourceMatchingContainerResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -560,12 +588,12 @@ impl Resolve<ReadArgs> for GetResourceMatchingContainer {
    }

    // then check stacks
-    let stacks =
-      resource::list_full_for_user_using_document::<Stack>(
-        doc! { "config.server_id": &server.id },
-        user,
-      )
-      .await?;
+    let stacks = list_resources_for_user::<Stack>(
+      doc! { "config.server_id": &server.id },
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;

    // check matching stack
    for stack in stacks {
@@ -604,7 +632,7 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerNetworksResponse> {
+  ) -> mogh_error::Result<ListDockerNetworksResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -614,8 +642,8 @@ impl Resolve<ReadArgs> for ListDockerNetworks {
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
-    if let Some(networks) = &cache.networks {
-      Ok(networks.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.networks.clone())
    } else {
      Ok(Vec::new())
    }
@@ -626,7 +654,7 @@ impl Resolve<ReadArgs> for InspectDockerNetwork {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Network> {
+  ) -> mogh_error::Result<Network> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -645,7 +673,8 @@ impl Resolve<ReadArgs> for InspectDockerNetwork {
        .into(),
      );
    }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(InspectNetwork { name: self.network })
      .await?;
    Ok(res)
@@ -656,7 +685,7 @@ impl Resolve<ReadArgs> for ListDockerImages {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerImagesResponse> {
+  ) -> mogh_error::Result<ListDockerImagesResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -666,8 +695,8 @@ impl Resolve<ReadArgs> for ListDockerImages {
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
-    if let Some(images) = &cache.images {
-      Ok(images.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.images.clone())
    } else {
      Ok(Vec::new())
    }
@@ -678,7 +707,7 @@ impl Resolve<ReadArgs> for InspectDockerImage {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Image> {
+  ) -> mogh_error::Result<Image> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -694,7 +723,8 @@ impl Resolve<ReadArgs> for InspectDockerImage {
          .into(),
      );
    }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(InspectImage { name: self.image })
      .await?;
    Ok(res)
@@ -705,7 +735,7 @@ impl Resolve<ReadArgs> for ListDockerImageHistory {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ImageHistoryResponseItem>> {
+  ) -> mogh_error::Result<Vec<ImageHistoryResponseItem>> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -724,7 +754,8 @@ impl Resolve<ReadArgs> for ListDockerImageHistory {
        .into(),
      );
    }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(ImageHistory { name: self.image })
      .await?;
    Ok(res)
@@ -735,7 +766,7 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListDockerVolumesResponse> {
+  ) -> mogh_error::Result<ListDockerVolumesResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -745,8 +776,8 @@ impl Resolve<ReadArgs> for ListDockerVolumes {
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
-    if let Some(volumes) = &cache.volumes {
-      Ok(volumes.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.volumes.clone())
    } else {
      Ok(Vec::new())
    }
@@ -757,7 +788,7 @@ impl Resolve<ReadArgs> for InspectDockerVolume {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Volume> {
+  ) -> mogh_error::Result<Volume> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -773,7 +804,8 @@ impl Resolve<ReadArgs> for InspectDockerVolume {
          .into(),
      );
    }
-    let res = periphery_client(&server)?
+    let res = periphery_client(&server)
+      .await?
      .request(InspectVolume { name: self.volume })
      .await?;
    Ok(res)
@@ -784,7 +816,7 @@ impl Resolve<ReadArgs> for ListComposeProjects {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListComposeProjectsResponse> {
+  ) -> mogh_error::Result<ListComposeProjectsResponse> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -794,73 +826,54 @@ impl Resolve<ReadArgs> for ListComposeProjects {
    let cache = server_status_cache()
      .get_or_insert_default(&server.id)
      .await;
-    if let Some(projects) = &cache.projects {
-      Ok(projects.clone())
+    if let Some(docker) = &cache.docker {
+      Ok(docker.projects.clone())
    } else {
      Ok(Vec::new())
    }
  }
 }

-#[derive(Default)]
-struct TerminalCacheItem {
-  list: Vec<TerminalInfo>,
-  ttl: i64,
-}
+// impl Resolve<ReadArgs> for ListAllTerminals {
+//   async fn resolve(
+//     self,
+//     args: &ReadArgs,
+//   ) -> Result<Self::Response, Self::Error> {
+//     // match self.tar
+//     let mut terminals = resource::list_full_for_user::<Server>(
+//       self.query, &args.user, &all_tags,
+//     )
+//     .await?
+//     .into_iter()
+//     .map(|server| async move {
+//       (
+//         list_terminals_inner(&server, self.fresh).await,
+//         (server.id, server.name),
+//       )
+//     })
+//     .collect::<FuturesUnordered<_>>()
+//     .collect::<Vec<_>>()
+//     .await
+//     .into_iter()
+//     .flat_map(|(terminals, server)| {
+//       let terminals = terminals.ok()?;
+//       Some((terminals, server))
+//     })
+//     .flat_map(|(terminals, (server_id, server_name))| {
+//       terminals.into_iter().map(move |info| {
+//         TerminalInfoWithServer::from_terminal_info(
+//           &server_id,
+//           &server_name,
+//           info,
+//         )
+//       })
+//     })
+//     .collect::<Vec<_>>();

-const TERMINAL_CACHE_TIMEOUT: i64 = 30_000;
+//     terminals.sort_by(|a, b| {
+//       a.server_name.cmp(&b.server_name).then(a.name.cmp(&b.name))
+//     });

-#[derive(Default)]
-struct TerminalCache(
-  std::sync::Mutex<
-    HashMap<String, Arc<tokio::sync::Mutex<TerminalCacheItem>>>,
-  >,
-);
-
-impl TerminalCache {
-  fn get_or_insert(
-    &self,
-    server_id: String,
-  ) -> Arc<tokio::sync::Mutex<TerminalCacheItem>> {
-    if let Some(cached) =
-      self.0.lock().unwrap().get(&server_id).cloned()
-    {
-      return cached;
-    }
-    let to_cache =
-      Arc::new(tokio::sync::Mutex::new(TerminalCacheItem::default()));
-    self.0.lock().unwrap().insert(server_id, to_cache.clone());
-    to_cache
-  }
-}
-
-fn terminals_cache() -> &'static TerminalCache {
-  static TERMINALS: OnceLock<TerminalCache> = OnceLock::new();
-  TERMINALS.get_or_init(Default::default)
-}
-
-impl Resolve<ReadArgs> for ListTerminals {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListTerminalsResponse> {
-    let server = get_check_permissions::<Server>(
-      &self.server,
-      user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-    let cache = terminals_cache().get_or_insert(server.id.clone());
-    let mut cache = cache.lock().await;
-    if self.fresh || komodo_timestamp() > cache.ttl {
-      cache.list = periphery_client(&server)?
-        .request(periphery_client::api::terminal::ListTerminals {})
-        .await
-        .context("Failed to get fresh terminal list")?;
-      cache.ttl = komodo_timestamp() + TERMINAL_CACHE_TIMEOUT;
-      Ok(cache.list.clone())
-    } else {
-      Ok(cache.list.clone())
-    }
-  }
-}
+//     Ok(terminals)
+//   }
+// }
--- a/bin/core/src/api/read/stack.rs
+++ b/bin/core/src/api/read/stack.rs
@@ -4,29 +4,30 @@ use anyhow::{Context, anyhow};
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
-    docker::container::Container,
+    SwarmOrServer,
+    docker::{
+      container::Container, service::SwarmService, stack::SwarmStack,
+    },
    permission::PermissionLevel,
-    server::{Server, ServerState},
    stack::{Stack, StackActionState, StackListItem, StackState},
  },
 };
+use mogh_error::AddStatusCodeError as _;
+use mogh_resolver::Resolve;
 use periphery_client::api::{
  compose::{GetComposeLog, GetComposeLogSearch},
  container::InspectContainer,
 };
-use resolver_api::Resolve;
+use reqwest::StatusCode;

 use crate::{
-  config::core_config,
-  helpers::{periphery_client, query::get_all_tags},
+  helpers::{
+    periphery_client, query::get_all_tags, swarm::swarm_request,
+  },
  permission::get_check_permissions,
  resource,
-  stack::get_stack_and_server,
-  state::{
-    action_states, github_client, server_status_cache,
-    stack_status_cache,
-  },
+  stack::setup_stack_execution,
+  state::{action_states, stack_status_cache},
 };

 use super::ReadArgs;
@@ -35,7 +36,7 @@ impl Resolve<ReadArgs> for GetStack {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Stack> {
+  ) -> mogh_error::Result<Stack> {
    Ok(
      get_check_permissions::<Stack>(
        &self.stack,
@@ -51,7 +52,7 @@ impl Resolve<ReadArgs> for ListStackServices {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListStackServicesResponse> {
+  ) -> mogh_error::Result<ListStackServicesResponse> {
    let stack = get_check_permissions::<Stack>(
      &self.stack,
      user,
@@ -75,30 +76,59 @@ impl Resolve<ReadArgs> for GetStackLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStackLogResponse> {
+  ) -> mogh_error::Result<GetStackLogResponse> {
    let GetStackLog {
      stack,
-      services,
+      mut services,
      tail,
      timestamps,
    } = self;
-    let (stack, server) = get_stack_and_server(
+    let (stack, swarm_or_server) = setup_stack_execution(
      &stack,
      user,
      PermissionLevel::Read.logs(),
-      true,
    )
    .await?;
-    let res = periphery_client(&server)?
-      .request(GetComposeLog {
-        project: stack.project_name(false),
-        services,
-        tail,
-        timestamps,
-      })
-      .await
-      .context("Failed to get stack log from periphery")?;
-    Ok(res)
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLog {
+            // The actual service name on swarm will be stackname_servicename
+            service: format!(
+              "{}_{service}",
+              stack.project_name(false)
+            ),
+            tail,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLog {
+          project: stack.project_name(false),
+          services,
+          tail,
+          timestamps,
+        })
+        .await
+        .context("Failed to get stack log from periphery")?,
+    };
+
+    Ok(log)
  }
 }

@@ -106,34 +136,61 @@ impl Resolve<ReadArgs> for SearchStackLog {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<SearchStackLogResponse> {
+  ) -> mogh_error::Result<SearchStackLogResponse> {
    let SearchStackLog {
      stack,
-      services,
+      mut services,
      terms,
      combinator,
      invert,
      timestamps,
    } = self;
-    let (stack, server) = get_stack_and_server(
+    let (stack, swarm_or_server) = setup_stack_execution(
      &stack,
      user,
      PermissionLevel::Read.logs(),
-      true,
    )
    .await?;
-    let res = periphery_client(&server)?
-      .request(GetComposeLogSearch {
-        project: stack.project_name(false),
-        services,
-        terms,
-        combinator,
-        invert,
-        timestamps,
-      })
-      .await
-      .context("Failed to search stack log from periphery")?;
-    Ok(res)
+
+    swarm_or_server.verify_has_target()?;
+
+    let log = match swarm_or_server {
+      SwarmOrServer::None => unreachable!(),
+      SwarmOrServer::Swarm(swarm) => {
+        let service = services.pop().context(
+          "Must pass single service for Swarm mode Stack logs",
+        )?;
+        swarm_request(
+          &swarm.config.server_ids,
+          periphery_client::api::swarm::GetSwarmServiceLogSearch {
+            service,
+            terms,
+            combinator,
+            invert,
+            timestamps,
+            no_task_ids: false,
+            no_resolve: false,
+            details: false,
+          },
+        )
+        .await
+        .context("Failed to get stack service log from swarm")?
+      }
+      SwarmOrServer::Server(server) => periphery_client(&server)
+        .await?
+        .request(GetComposeLogSearch {
+          project: stack.project_name(false),
+          services,
+          terms,
+          combinator,
+          invert,
+          timestamps,
+        })
+        .await
+        .context("Failed to search stack log from periphery")?,
+    };
+
+    Ok(log)
  }
 }

@@ -141,40 +198,31 @@ impl Resolve<ReadArgs> for InspectStackContainer {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Container> {
+  ) -> mogh_error::Result<Container> {
    let InspectStackContainer { stack, service } = self;
-    let stack = get_check_permissions::<Stack>(
+    let (stack, swarm_or_server) = setup_stack_execution(
      &stack,
      user,
      PermissionLevel::Read.inspect(),
    )
    .await?;
-    if stack.config.server_id.is_empty() {
-      return Err(
-        anyhow!("Cannot inspect stack, not attached to any server")
-          .into(),
-      );
-    }
-    let server =
-      resource::get::<Server>(&stack.config.server_id).await?;
-    let cache = server_status_cache()
-      .get_or_insert_default(&server.id)
-      .await;
-    if cache.state != ServerState::Ok {
+
+    let SwarmOrServer::Server(server) = swarm_or_server else {
      return Err(
        anyhow!(
-          "Cannot inspect container: server is {:?}",
-          cache.state
+          "InspectStackContainer should not be called for Stack in Swarm Mode"
        )
-        .into(),
+        .status_code(StatusCode::BAD_REQUEST),
      );
-    }
+    };
+
    let services = &stack_status_cache()
      .get(&stack.id)
      .await
      .unwrap_or_default()
      .curr
      .services;
+
    let Some(name) = services
      .iter()
      .find(|s| s.service == service)
@@ -184,18 +232,106 @@ impl Resolve<ReadArgs> for InspectStackContainer {
        "No service found matching '{service}'. Was the stack last deployed manually?"
      ).into());
    };
-    let res = periphery_client(&server)?
+
+    let res = periphery_client(&server)
+      .await?
      .request(InspectContainer { name })
-      .await?;
+      .await
+      .context("Failed to inspect container on server")?;
+
    Ok(res)
  }
 }

+impl Resolve<ReadArgs> for InspectStackSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmService> {
+    let InspectStackSwarmService { stack, service } = self;
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmService should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    let services = &stack_status_cache()
+      .get(&stack.id)
+      .await
+      .unwrap_or_default()
+      .curr
+      .services;
+
+    let Some(service) = services
+      .iter()
+      .find(|s| s.service == service)
+      .and_then(|s| {
+        s.swarm_service.as_ref().and_then(|c| c.name.clone())
+      })
+    else {
+      return Err(anyhow!(
+        "No service found matching '{service}'. Was the stack last deployed manually?"
+      ).into());
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService { service },
+    )
+    .await
+    .context("Failed to inspect service on swarm")
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectStackSwarmInfo {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmStack> {
+    let (stack, swarm_or_server) = setup_stack_execution(
+      &self.stack,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+
+    let SwarmOrServer::Swarm(swarm) = swarm_or_server else {
+      return Err(
+        anyhow!(
+          "InspectStackSwarmInfo should only be called for Stack in Swarm Mode"
+        )
+        .status_code(StatusCode::BAD_REQUEST),
+      );
+    };
+
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: stack.project_name(false),
+      },
+    )
+    .await
+    .context("Failed to inspect stack info on swarm")
+    .map_err(Into::into)
+  }
+}
+
 impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonStackExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonStackExtraArgsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -208,7 +344,7 @@ impl Resolve<ReadArgs> for ListCommonStackExtraArgs {
      &all_tags,
    )
    .await
-    .context("failed to get resources matching query")?;
+    .context("Failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
@@ -229,7 +365,7 @@ impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListCommonStackBuildExtraArgsResponse> {
+  ) -> mogh_error::Result<ListCommonStackBuildExtraArgsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -242,7 +378,7 @@ impl Resolve<ReadArgs> for ListCommonStackBuildExtraArgs {
      &all_tags,
    )
    .await
-    .context("failed to get resources matching query")?;
+    .context("Failed to get resources matching query")?;

    // first collect with guaranteed uniqueness
    let mut res = HashSet::<String>::new();
@@ -263,7 +399,7 @@ impl Resolve<ReadArgs> for ListStacks {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<StackListItem>> {
+  ) -> mogh_error::Result<Vec<StackListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -299,7 +435,7 @@ impl Resolve<ReadArgs> for ListFullStacks {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullStacksResponse> {
+  ) -> mogh_error::Result<ListFullStacksResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -321,7 +457,7 @@ impl Resolve<ReadArgs> for GetStackActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<StackActionState> {
+  ) -> mogh_error::Result<StackActionState> {
    let stack = get_check_permissions::<Stack>(
      &self.stack,
      user,
@@ -342,7 +478,7 @@ impl Resolve<ReadArgs> for GetStacksSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStacksSummaryResponse> {
+  ) -> mogh_error::Result<GetStacksSummaryResponse> {
    let stacks = resource::list_full_for_user::<Stack>(
      Default::default(),
      user,
@@ -350,7 +486,7 @@ impl Resolve<ReadArgs> for GetStacksSummary {
      &[],
    )
    .await
-    .context("failed to get stacks from db")?;
+    .context("Failed to get stacks from database")?;

    let mut res = GetStacksSummaryResponse::default();

@@ -363,7 +499,11 @@ impl Resolve<ReadArgs> for GetStacksSummary {
        StackState::Running => res.running += 1,
        StackState::Stopped | StackState::Paused => res.stopped += 1,
        StackState::Down => res.down += 1,
-        StackState::Unknown => res.unknown += 1,
+        StackState::Unknown => {
+          if !stack.template {
+            res.unknown += 1
+          }
+        }
        _ => res.unhealthy += 1,
      }
    }
@@ -371,91 +511,3 @@ impl Resolve<ReadArgs> for GetStacksSummary {
    Ok(res)
  }
 }
-
-impl Resolve<ReadArgs> for GetStackWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetStackWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let stack = get_check_permissions::<Stack>(
-      &self.stack,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if stack.config.git_provider != "github.com"
-      || stack.config.repo.is_empty()
-    {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    }
-
-    let mut split = stack.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetStackWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        deploy_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/stack/{}/refresh", stack.id);
-    let deploy_url =
-      format!("{host}/listener/github/stack/{}/deploy", stack.id);
-
-    let mut refresh_enabled = false;
-    let mut deploy_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == deploy_url {
-        deploy_enabled = true
-      }
-    }
-
-    Ok(GetStackWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      deploy_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/swarm.rs
+++ b/bin/core/src/api/read/swarm.rs
@@ -0,0 +1,522 @@
+use anyhow::{Context, anyhow};
+use komodo_client::{
+  api::read::*,
+  entities::{
+    permission::PermissionLevel,
+    swarm::{Swarm, SwarmActionState, SwarmListItem, SwarmState},
+  },
+};
+use mogh_resolver::Resolve;
+
+use crate::{
+  helpers::{query::get_all_tags, swarm::swarm_request},
+  permission::get_check_permissions,
+  resource,
+  state::{action_states, server_status_cache, swarm_status_cache},
+};
+
+use super::ReadArgs;
+
+impl Resolve<ReadArgs> for GetSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Swarm> {
+    Ok(
+      get_check_permissions::<Swarm>(
+        &self.swarm,
+        user,
+        PermissionLevel::Read.into(),
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<Vec<SwarmListItem>> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for ListFullSwarms {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListFullSwarmsResponse> {
+    let all_tags = if self.query.tags.is_empty() {
+      vec![]
+    } else {
+      get_all_tags(None).await?
+    };
+    Ok(
+      resource::list_full_for_user::<Swarm>(
+        self.query,
+        user,
+        PermissionLevel::Read.into(),
+        &all_tags,
+      )
+      .await?,
+    )
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmActionState {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SwarmActionState> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let action_state = action_states()
+      .swarm
+      .get(&swarm.id)
+      .await
+      .unwrap_or_default()
+      .get()?;
+    Ok(action_state)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmsSummary {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmsSummaryResponse> {
+    let swarms = resource::list_full_for_user::<Swarm>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.into(),
+      &[],
+    )
+    .await
+    .context("failed to get swarms from db")?;
+
+    let mut res = GetSwarmsSummaryResponse::default();
+
+    let cache = swarm_status_cache();
+
+    for swarm in swarms {
+      res.total += 1;
+
+      match cache
+        .get(&swarm.id)
+        .await
+        .map(|status| status.state)
+        .unwrap_or_default()
+      {
+        SwarmState::Unknown => {
+          res.unknown += 1;
+        }
+        SwarmState::Healthy => {
+          res.healthy += 1;
+        }
+        SwarmState::Unhealthy => {
+          res.unhealthy += 1;
+        }
+        SwarmState::Down => {
+          res.down += 1;
+        }
+      }
+    }
+
+    Ok(res)
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarm {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    let inspect = cache
+      .inspect
+      .as_ref()
+      .cloned()
+      .context("SwarmInspectInfo not available")?;
+    Ok(inspect)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNodes {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmNodesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.nodes.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmNode {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmNodeResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmNode {
+        node: self.node,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmServices {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmServicesResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.services.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmService {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmServiceResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmService {
+        service: self.service,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for GetSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<GetSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLog {
+        service: self.service,
+        tail: self.tail,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for SearchSwarmServiceLog {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<SearchSwarmServiceLogResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.logs(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::GetSwarmServiceLogSearch {
+        service: self.service,
+        terms: self.terms,
+        combinator: self.combinator,
+        invert: self.invert,
+        timestamps: self.timestamps,
+        no_task_ids: self.no_task_ids,
+        no_resolve: self.no_resolve,
+        details: self.details,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmTasks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmTasksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.tasks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmTask {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmTaskResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmTask {
+        task: self.task,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmSecrets {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmSecretsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.secrets.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmSecret {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmSecretResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmSecret {
+        secret: self.secret,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmConfigs {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmConfigsResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.configs.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmConfig {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmConfigResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmConfig {
+        config: self.config,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmStacks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListSwarmStacksResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+    let cache =
+      swarm_status_cache().get_or_insert_default(&swarm.id).await;
+    if let Some(lists) = &cache.lists {
+      Ok(lists.stacks.clone())
+    } else {
+      Ok(Vec::new())
+    }
+  }
+}
+
+impl Resolve<ReadArgs> for InspectSwarmStack {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<InspectSwarmStackResponse> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.inspect(),
+    )
+    .await?;
+    swarm_request(
+      &swarm.config.server_ids,
+      periphery_client::api::swarm::InspectSwarmStack {
+        stack: self.stack,
+      },
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+impl Resolve<ReadArgs> for ListSwarmNetworks {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let swarm = get_check_permissions::<Swarm>(
+      &self.swarm,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
+
+    let cache = server_status_cache();
+
+    for server_id in swarm.config.server_ids {
+      let Some(status) = cache.get(&server_id).await else {
+        continue;
+      };
+      let Some(docker) = &status.docker else {
+        continue;
+      };
+      let networks = docker
+        .networks
+        .iter()
+        .filter(|network| {
+          network.driver.as_deref() == Some("overlay")
+        })
+        .cloned()
+        .collect::<Vec<_>>();
+      return Ok(networks);
+    }
+
+    Err(
+      anyhow!(
+        "Failed to retrieve swarm networks from any manager node."
+      )
+      .into(),
+    )
+  }
+}
--- a/bin/core/src/api/read/sync.rs
+++ b/bin/core/src/api/read/sync.rs
@@ -2,21 +2,17 @@ use anyhow::Context;
 use komodo_client::{
  api::read::*,
  entities::{
-    config::core::CoreConfig,
    permission::PermissionLevel,
    sync::{
      ResourceSync, ResourceSyncActionState, ResourceSyncListItem,
    },
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
-  config::core_config,
-  helpers::query::get_all_tags,
-  permission::get_check_permissions,
-  resource,
-  state::{action_states, github_client},
+  helpers::query::get_all_tags, permission::get_check_permissions,
+  resource, state::action_states,
 };

 use super::ReadArgs;
@@ -25,7 +21,7 @@ impl Resolve<ReadArgs> for GetResourceSync {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ResourceSync> {
+  ) -> mogh_error::Result<ResourceSync> {
    Ok(
      get_check_permissions::<ResourceSync>(
        &self.sync,
@@ -41,7 +37,7 @@ impl Resolve<ReadArgs> for ListResourceSyncs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Vec<ResourceSyncListItem>> {
+  ) -> mogh_error::Result<Vec<ResourceSyncListItem>> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -63,7 +59,7 @@ impl Resolve<ReadArgs> for ListFullResourceSyncs {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListFullResourceSyncsResponse> {
+  ) -> mogh_error::Result<ListFullResourceSyncsResponse> {
    let all_tags = if self.query.tags.is_empty() {
      vec![]
    } else {
@@ -85,7 +81,7 @@ impl Resolve<ReadArgs> for GetResourceSyncActionState {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ResourceSyncActionState> {
+  ) -> mogh_error::Result<ResourceSyncActionState> {
    let sync = get_check_permissions::<ResourceSync>(
      &self.sync,
      user,
@@ -93,7 +89,7 @@ impl Resolve<ReadArgs> for GetResourceSyncActionState {
    )
    .await?;
    let action_state = action_states()
-      .resource_sync
+      .sync
      .get(&sync.id)
      .await
      .unwrap_or_default()
@@ -106,7 +102,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetResourceSyncsSummaryResponse> {
+  ) -> mogh_error::Result<GetResourceSyncsSummaryResponse> {
    let resource_syncs =
      resource::list_full_for_user::<ResourceSync>(
        Default::default(),
@@ -124,7 +120,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
    for resource_sync in resource_syncs {
      res.total += 1;

-      if !(resource_sync.info.pending_deploy.to_deploy == 0
+      if !(resource_sync.info.pending_deploys.is_empty()
        && resource_sync.info.resource_updates.is_empty()
        && resource_sync.info.variable_updates.is_empty()
        && resource_sync.info.user_group_updates.is_empty())
@@ -138,7 +134,7 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
        continue;
      }
      if action_states
-        .resource_sync
+        .sync
        .get(&resource_sync.id)
        .await
        .unwrap_or_default()
@@ -154,91 +150,3 @@ impl Resolve<ReadArgs> for GetResourceSyncsSummary {
    Ok(res)
  }
 }
-
-impl Resolve<ReadArgs> for GetSyncWebhooksEnabled {
-  async fn resolve(
-    self,
-    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetSyncWebhooksEnabledResponse> {
-    let Some(github) = github_client() else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let sync = get_check_permissions::<ResourceSync>(
-      &self.sync,
-      user,
-      PermissionLevel::Read.into(),
-    )
-    .await?;
-
-    if sync.config.git_provider != "github.com"
-      || sync.config.repo.is_empty()
-    {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    }
-
-    let mut split = sync.config.repo.split('/');
-    let owner = split.next().context("Sync repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Ok(GetSyncWebhooksEnabledResponse {
-        managed: false,
-        refresh_enabled: false,
-        sync_enabled: false,
-      });
-    };
-
-    let repo_name =
-      split.next().context("Repo repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo_name)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let refresh_url =
-      format!("{host}/listener/github/sync/{}/refresh", sync.id);
-    let sync_url =
-      format!("{host}/listener/github/sync/{}/sync", sync.id);
-
-    let mut refresh_enabled = false;
-    let mut sync_enabled = false;
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == refresh_url {
-        refresh_enabled = true
-      }
-      if webhook.active && webhook.config.url == sync_url {
-        sync_enabled = true
-      }
-    }
-
-    Ok(GetSyncWebhooksEnabledResponse {
-      managed: true,
-      refresh_enabled,
-      sync_enabled,
-    })
-  }
-}
--- a/bin/core/src/api/read/tag.rs
+++ b/bin/core/src/api/read/tag.rs
@@ -7,20 +7,23 @@ use komodo_client::{
  api::read::{GetTag, ListTags},
  entities::tag::Tag,
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{helpers::query::get_tag, state::db_client};

 use super::ReadArgs;

 impl Resolve<ReadArgs> for GetTag {
-  async fn resolve(self, _: &ReadArgs) -> serror::Result<Tag> {
+  async fn resolve(self, _: &ReadArgs) -> mogh_error::Result<Tag> {
    Ok(get_tag(&self.tag).await?)
  }
 }

 impl Resolve<ReadArgs> for ListTags {
-  async fn resolve(self, _: &ReadArgs) -> serror::Result<Vec<Tag>> {
+  async fn resolve(
+    self,
+    _: &ReadArgs,
+  ) -> mogh_error::Result<Vec<Tag>> {
    let res = find_collect(
      &db_client().tags,
      self.query,
--- a/bin/core/src/api/read/terminal.rs
+++ b/bin/core/src/api/read/terminal.rs
@@ -0,0 +1,247 @@
+use anyhow::Context as _;
+use futures_util::{
+  FutureExt, StreamExt as _, stream::FuturesUnordered,
+};
+use komodo_client::{
+  api::read::{ListTerminals, ListTerminalsResponse},
+  entities::{
+    deployment::Deployment,
+    permission::PermissionLevel,
+    server::Server,
+    stack::Stack,
+    terminal::{Terminal, TerminalTarget},
+    user::User,
+  },
+};
+use mogh_error::AddStatusCode;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{
+  helpers::periphery_client, permission::get_check_permissions,
+  resource,
+};
+
+use super::ReadArgs;
+
+//
+
+impl Resolve<ReadArgs> for ListTerminals {
+  async fn resolve(
+    self,
+    ReadArgs { user }: &ReadArgs,
+  ) -> mogh_error::Result<ListTerminalsResponse> {
+    let Some(target) = self.target else {
+      return list_all_terminals_for_user(user, self.use_names).await;
+    };
+    match &target {
+      TerminalTarget::Server { server } => {
+        let server = server
+          .as_ref()
+          .context("Must provide 'target.params.server'")
+          .status_code(StatusCode::BAD_REQUEST)?;
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Container { server, .. } => {
+        let server = get_check_permissions::<Server>(
+          server,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Stack { stack, .. } => {
+        let server = get_check_permissions::<Stack>(
+          stack,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+      TerminalTarget::Deployment { deployment } => {
+        let server = get_check_permissions::<Deployment>(
+          deployment,
+          user,
+          PermissionLevel::Read.terminal(),
+        )
+        .await?
+        .config
+        .server_id;
+        let server = resource::get::<Server>(&server).await?;
+        list_terminals_on_server(&server, Some(target)).await
+      }
+    }
+  }
+}
+
+async fn list_all_terminals_for_user(
+  user: &User,
+  use_names: bool,
+) -> mogh_error::Result<Vec<Terminal>> {
+  let (mut servers, stacks, deployments) = tokio::try_join!(
+    resource::list_full_for_user::<Server>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    )
+    .map(|res| res.map(|servers| servers
+      .into_iter()
+      // true denotes user actually has permission on this Server.
+      .map(|server| (server, true))
+      .collect::<Vec<_>>())),
+    resource::list_full_for_user::<Stack>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+    resource::list_full_for_user::<Deployment>(
+      Default::default(),
+      user,
+      PermissionLevel::Read.terminal(),
+      &[]
+    ),
+  )?;
+
+  // Ensure any missing servers are present to query
+  for stack in &stacks {
+    if !stack.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == stack.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&stack.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+  for deployment in &deployments {
+    if !deployment.config.server_id.is_empty()
+      && !servers
+        .iter()
+        .any(|(server, _)| server.id == deployment.config.server_id)
+    {
+      let server =
+        resource::get::<Server>(&deployment.config.server_id).await?;
+      servers.push((server, false));
+    }
+  }
+
+  let mut terminals = servers
+    .into_iter()
+    .map(|(server, server_permission)| async move {
+      (
+        list_terminals_on_server(&server, None).await,
+        (server.id, server.name, server_permission),
+      )
+    })
+    .collect::<FuturesUnordered<_>>()
+    .collect::<Vec<_>>()
+    .await
+    .into_iter()
+    .flat_map(
+      |(terminals, (server_id, server_name, server_permission))| {
+        let terminals = terminals
+          .ok()?
+          .into_iter()
+          .filter_map(|mut terminal| {
+            // Only keep terminals with appropriate perms.
+            match terminal.target.clone() {
+              TerminalTarget::Server { .. } => server_permission
+                .then(|| {
+                  terminal.target = TerminalTarget::Server {
+                    server: Some(if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    }),
+                  };
+                  terminal
+                }),
+              TerminalTarget::Container { container, .. } => {
+                server_permission.then(|| {
+                  terminal.target = TerminalTarget::Container {
+                    server: if use_names {
+                      server_name.clone()
+                    } else {
+                      server_id.clone()
+                    },
+                    container,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Stack { stack, service } => {
+                stacks.iter().find(|s| s.id == stack).map(|s| {
+                  terminal.target = TerminalTarget::Stack {
+                    stack: if use_names {
+                      s.name.clone()
+                    } else {
+                      s.id.clone()
+                    },
+                    service,
+                  };
+                  terminal
+                })
+              }
+              TerminalTarget::Deployment { deployment } => {
+                deployments.iter().find(|d| d.id == deployment).map(
+                  |d| {
+                    terminal.target = TerminalTarget::Deployment {
+                      deployment: if use_names {
+                        d.name.clone()
+                      } else {
+                        d.id.clone()
+                      },
+                    };
+                    terminal
+                  },
+                )
+              }
+            }
+          })
+          .collect::<Vec<_>>();
+
+        Some(terminals)
+      },
+    )
+    .flatten()
+    .collect::<Vec<_>>();
+
+  terminals.sort_by(|a, b| {
+    a.target.cmp(&b.target).then(a.name.cmp(&b.name))
+  });
+
+  Ok(terminals)
+}
+
+async fn list_terminals_on_server(
+  server: &Server,
+  target: Option<TerminalTarget>,
+) -> mogh_error::Result<Vec<Terminal>> {
+  periphery_client(server)
+    .await?
+    .request(periphery_client::api::terminal::ListTerminals {
+      target,
+    })
+    .await
+    .with_context(|| {
+      format!(
+        "Failed to get Terminal list from Server {} ({})",
+        server.name, server.id
+      )
+    })
+    .map_err(Into::into)
+}
--- a/bin/core/src/api/read/toml.rs
+++ b/bin/core/src/api/read/toml.rs
@@ -11,10 +11,11 @@ use komodo_client::{
    builder::Builder, deployment::Deployment,
    permission::PermissionLevel, procedure::Procedure, repo::Repo,
    resource::ResourceQuery, server::Server, stack::Stack,
-    sync::ResourceSync, toml::ResourcesToml, user::User,
+    swarm::Swarm, sync::ResourceSync, toml::ResourcesToml,
+    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  helpers::query::{
@@ -37,122 +38,45 @@ async fn get_all_targets(
  user: &User,
 ) -> anyhow::Result<Vec<ResourceTarget>> {
  let mut targets = Vec::<ResourceTarget>::new();
+
  let all_tags = if tags.is_empty() {
    vec![]
  } else {
    get_all_tags(None).await?
  };
-  targets.extend(
-    resource::list_full_for_user::<Alerter>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Alerter(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Builder>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Builder(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Server>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Server(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Stack>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Stack(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Deployment>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Deployment(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Build>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Build(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Repo>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Repo(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Procedure>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Procedure(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<Action>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    .map(|resource| ResourceTarget::Action(resource.id)),
-  );
-  targets.extend(
-    resource::list_full_for_user::<ResourceSync>(
-      ResourceQuery::builder().tags(tags).build(),
-      user,
-      PermissionLevel::Read.into(),
-      &all_tags,
-    )
-    .await?
-    .into_iter()
-    // These will already be filtered by [ExportResourcesToToml]
-    .map(|resource| ResourceTarget::ResourceSync(resource.id)),
+
+  macro_rules! extend_targets {
+    ($($Type:ident),* $(,)?) => {
+      $(
+        targets.extend(
+          resource::list_full_for_user::<$Type>(
+            ResourceQuery::builder().tags(tags).build(),
+            user,
+            PermissionLevel::Read.into(),
+            &all_tags,
+          )
+          .await?
+          .into_iter()
+          .map(|resource| ResourceTarget::$Type(resource.id)),
+        );
+      )*
+    };
+  }
+
+  extend_targets!(
+    Alerter,
+    Builder,
+    Server,
+    Swarm,
+    Stack,
+    Deployment,
+    Build,
+    Repo,
+    Procedure,
+    Action,
+    ResourceSync,
  );
+
  Ok(targets)
 }

@@ -160,7 +84,7 @@ impl Resolve<ReadArgs> for ExportAllResourcesToToml {
  async fn resolve(
    self,
    args: &ReadArgs,
-  ) -> serror::Result<ExportAllResourcesToTomlResponse> {
+  ) -> mogh_error::Result<ExportAllResourcesToTomlResponse> {
    let targets = if self.include_resources {
      get_all_targets(&self.tags, &args.user).await?
    } else {
@@ -186,6 +110,7 @@ impl Resolve<ReadArgs> for ExportAllResourcesToToml {
      targets,
      user_groups,
      include_variables: self.include_variables,
+      existing: self.existing,
    }
    .resolve(args)
    .await
@@ -196,31 +121,69 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
  async fn resolve(
    self,
    args: &ReadArgs,
-  ) -> serror::Result<ExportResourcesToTomlResponse> {
+  ) -> mogh_error::Result<ExportResourcesToTomlResponse> {
    let ExportResourcesToToml {
      targets,
      user_groups,
      include_variables,
+      existing,
    } = self;
    let mut res = ResourcesToml::default();
    let id_to_tags = get_id_to_tags(None).await?;
    let ReadArgs { user } = args;
+    macro_rules! convert_target {
+      ($id:expr, $Type:ident, $field:ident) => {{
+        let mut resource = get_check_permissions::<$Type>(
+          &$id,
+          user,
+          PermissionLevel::Read.into(),
+        )
+        .await?;
+        $Type::replace_ids(&mut resource);
+        let (deploy, after) = existing
+          .as_ref()
+          .and_then(|e| {
+            e.$field.iter().find(|r| r.name == resource.name)
+          })
+          .map(|r| (r.deploy, r.after.clone()))
+          .unwrap_or_default();
+        res.$field.push(convert_resource::<$Type>(
+          resource,
+          deploy,
+          after,
+          &id_to_tags,
+        ));
+      }};
+    }
    for target in targets {
      match target {
+        ResourceTarget::Server(id) => {
+          convert_target!(id, Server, servers)
+        }
+        ResourceTarget::Swarm(id) => {
+          convert_target!(id, Swarm, swarms)
+        }
+        ResourceTarget::Stack(id) => {
+          convert_target!(id, Stack, stacks)
+        }
+        ResourceTarget::Deployment(id) => {
+          convert_target!(id, Deployment, deployments)
+        }
+        ResourceTarget::Build(id) => {
+          convert_target!(id, Build, builds)
+        }
+        ResourceTarget::Repo(id) => convert_target!(id, Repo, repos),
+        ResourceTarget::Procedure(id) => {
+          convert_target!(id, Procedure, procedures)
+        }
+        ResourceTarget::Action(id) => {
+          convert_target!(id, Action, actions)
+        }
+        ResourceTarget::Builder(id) => {
+          convert_target!(id, Builder, builders)
+        }
        ResourceTarget::Alerter(id) => {
-          let mut alerter = get_check_permissions::<Alerter>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Alerter::replace_ids(&mut alerter);
-          res.alerters.push(convert_resource::<Alerter>(
-            alerter,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
+          convert_target!(id, Alerter, alerters)
        }
        ResourceTarget::ResourceSync(id) => {
          let mut sync = get_check_permissions::<ResourceSync>(
@@ -243,126 +206,6 @@ impl Resolve<ReadArgs> for ExportResourcesToToml {
            ))
          }
        }
-        ResourceTarget::Server(id) => {
-          let mut server = get_check_permissions::<Server>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Server::replace_ids(&mut server);
-          res.servers.push(convert_resource::<Server>(
-            server,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Builder(id) => {
-          let mut builder = get_check_permissions::<Builder>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Builder::replace_ids(&mut builder);
-          res.builders.push(convert_resource::<Builder>(
-            builder,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Build(id) => {
-          let mut build = get_check_permissions::<Build>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Build::replace_ids(&mut build);
-          res.builds.push(convert_resource::<Build>(
-            build,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Deployment(id) => {
-          let mut deployment = get_check_permissions::<Deployment>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Deployment::replace_ids(&mut deployment);
-          res.deployments.push(convert_resource::<Deployment>(
-            deployment,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Repo(id) => {
-          let mut repo = get_check_permissions::<Repo>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Repo::replace_ids(&mut repo);
-          res.repos.push(convert_resource::<Repo>(
-            repo,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Stack(id) => {
-          let mut stack = get_check_permissions::<Stack>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Stack::replace_ids(&mut stack);
-          res.stacks.push(convert_resource::<Stack>(
-            stack,
-            false,
-            vec![],
-            &id_to_tags,
-          ))
-        }
-        ResourceTarget::Procedure(id) => {
-          let mut procedure = get_check_permissions::<Procedure>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Procedure::replace_ids(&mut procedure);
-          res.procedures.push(convert_resource::<Procedure>(
-            procedure,
-            false,
-            vec![],
-            &id_to_tags,
-          ));
-        }
-        ResourceTarget::Action(id) => {
-          let mut action = get_check_permissions::<Action>(
-            &id,
-            user,
-            PermissionLevel::Read.into(),
-          )
-          .await?;
-          Action::replace_ids(&mut action);
-          res.actions.push(convert_resource::<Action>(
-            action,
-            false,
-            vec![],
-            &id_to_tags,
-          ));
-        }
        ResourceTarget::System(_) => continue,
      };
    }
@@ -418,85 +261,32 @@ fn serialize_resources_toml(
 ) -> anyhow::Result<String> {
  let mut toml = String::new();

-  for server in resources.servers {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[server]]\n");
-    Server::push_to_toml_string(server, &mut toml)?;
-  }
-
-  for stack in resources.stacks {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[stack]]\n");
-    Stack::push_to_toml_string(stack, &mut toml)?;
-  }
-
-  for deployment in resources.deployments {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[deployment]]\n");
-    Deployment::push_to_toml_string(deployment, &mut toml)?;
-  }
-
-  for build in resources.builds {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[build]]\n");
-    Build::push_to_toml_string(build, &mut toml)?;
-  }
-
-  for repo in resources.repos {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[repo]]\n");
-    Repo::push_to_toml_string(repo, &mut toml)?;
-  }
-
-  for procedure in resources.procedures {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[procedure]]\n");
-    Procedure::push_to_toml_string(procedure, &mut toml)?;
-  }
-
-  for action in resources.actions {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[action]]\n");
-    Action::push_to_toml_string(action, &mut toml)?;
-  }
-
-  for alerter in resources.alerters {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[alerter]]\n");
-    Alerter::push_to_toml_string(alerter, &mut toml)?;
-  }
-
-  for builder in resources.builders {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[builder]]\n");
-    Builder::push_to_toml_string(builder, &mut toml)?;
-  }
-
-  for resource_sync in resources.resource_syncs {
-    if !toml.is_empty() {
-      toml.push_str("\n\n##\n\n");
-    }
-    toml.push_str("[[resource_sync]]\n");
-    ResourceSync::push_to_toml_string(resource_sync, &mut toml)?;
+  macro_rules! serialize_resources {
+    ($(($Type:ident, $field:ident, $header:literal)),* $(,)?) => {
+      $(
+        for resource in resources.$field {
+          if !toml.is_empty() {
+            toml.push_str("\n\n##\n\n");
+          }
+          toml.push_str(concat!("[[",$header,"]]\n"));
+          $Type::push_to_toml_string(resource, &mut toml)?;
+        }
+      )*
+    };
  }
+  serialize_resources!(
+    (Server, servers, "server"),
+    (Swarm, swarms, "swarm"),
+    (Stack, stacks, "stack"),
+    (Deployment, deployments, "deployment"),
+    (Build, builds, "build"),
+    (Repo, repos, "repo"),
+    (Procedure, procedures, "procedure"),
+    (Action, actions, "action"),
+    (Alerter, alerters, "alerter"),
+    (Builder, builders, "builder"),
+    (ResourceSync, resource_syncs, "resource_sync"),
+  );

  for variable in &resources.variables {
    if !toml.is_empty() {
--- a/bin/core/src/api/read/update.rs
+++ b/bin/core/src/api/read/update.rs
@@ -1,6 +1,6 @@
 use std::collections::HashMap;

-use anyhow::{Context, anyhow};
+use anyhow::Context;
 use database::mungos::{
  by_id::find_one_by_id,
  find::find_collect,
@@ -9,27 +9,18 @@ use database::mungos::{
 use komodo_client::{
  api::read::{GetUpdate, ListUpdates, ListUpdatesResponse},
  entities::{
-    ResourceTarget,
-    action::Action,
-    alerter::Alerter,
-    build::Build,
-    builder::Builder,
-    deployment::Deployment,
    permission::PermissionLevel,
-    procedure::Procedure,
-    repo::Repo,
-    server::Server,
-    stack::Stack,
-    sync::ResourceSync,
    update::{Update, UpdateListItem},
    user::User,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{
  config::core_config,
-  permission::{get_check_permissions, get_resource_ids_for_user},
+  permission::{
+    check_user_target_access, user_resource_target_query,
+  },
  state::db_client,
 };

@@ -41,121 +32,8 @@ impl Resolve<ReadArgs> for ListUpdates {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUpdatesResponse> {
-    let query = if user.admin || core_config().transparent_mode {
-      self.query
-    } else {
-      let server_query = get_resource_ids_for_user::<Server>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Server", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Server" });
-
-      let deployment_query =
-        get_resource_ids_for_user::<Deployment>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Deployment", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Deployment" });
-
-      let stack_query = get_resource_ids_for_user::<Stack>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Stack", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Stack" });
-
-      let build_query = get_resource_ids_for_user::<Build>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Build", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Build" });
-
-      let repo_query = get_resource_ids_for_user::<Repo>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Repo", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Repo" });
-
-      let procedure_query =
-        get_resource_ids_for_user::<Procedure>(user)
-          .await?
-          .map(|ids| {
-            doc! {
-              "target.type": "Procedure", "target.id": { "$in": ids }
-            }
-          })
-          .unwrap_or_else(|| doc! { "target.type": "Procedure" });
-
-      let action_query = get_resource_ids_for_user::<Action>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Action", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Action" });
-
-      let builder_query = get_resource_ids_for_user::<Builder>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Builder", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Builder" });
-
-      let alerter_query = get_resource_ids_for_user::<Alerter>(user)
-        .await?
-        .map(|ids| {
-          doc! {
-            "target.type": "Alerter", "target.id": { "$in": ids }
-          }
-        })
-        .unwrap_or_else(|| doc! { "target.type": "Alerter" });
-
-      let resource_sync_query = get_resource_ids_for_user::<
-        ResourceSync,
-      >(user)
-      .await?
-      .map(|ids| {
-        doc! {
-          "target.type": "ResourceSync", "target.id": { "$in": ids }
-        }
-      })
-      .unwrap_or_else(|| doc! { "target.type": "ResourceSync" });
-
-      let mut query = self.query.unwrap_or_default();
-      query.extend(doc! {
-        "$or": [
-          server_query,
-          deployment_query,
-          stack_query,
-          build_query,
-          repo_query,
-          procedure_query,
-          action_query,
-          alerter_query,
-          builder_query,
-          resource_sync_query,
-        ]
-      });
-      query.into()
-    };
+  ) -> mogh_error::Result<ListUpdatesResponse> {
+    let query = user_resource_target_query(user, self.query).await?;

    let usernames = find_collect(&db_client().users, None, None)
      .await
@@ -214,7 +92,7 @@ impl Resolve<ReadArgs> for GetUpdate {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    let update = find_one_by_id(&db_client().updates, &self.id)
      .await
      .context("failed to query to db")?
@@ -222,93 +100,12 @@ impl Resolve<ReadArgs> for GetUpdate {
    if user.admin || core_config().transparent_mode {
      return Ok(update);
    }
-    match &update.target {
-      ResourceTarget::System(_) => {
-        return Err(
-          anyhow!("user must be admin to view system updates").into(),
-        );
-      }
-      ResourceTarget::Server(id) => {
-        get_check_permissions::<Server>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Deployment(id) => {
-        get_check_permissions::<Deployment>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Build(id) => {
-        get_check_permissions::<Build>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Repo(id) => {
-        get_check_permissions::<Repo>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Builder(id) => {
-        get_check_permissions::<Builder>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Alerter(id) => {
-        get_check_permissions::<Alerter>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Procedure(id) => {
-        get_check_permissions::<Procedure>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Action(id) => {
-        get_check_permissions::<Action>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::ResourceSync(id) => {
-        get_check_permissions::<ResourceSync>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-      ResourceTarget::Stack(id) => {
-        get_check_permissions::<Stack>(
-          id,
-          user,
-          PermissionLevel::Read.into(),
-        )
-        .await?;
-      }
-    }
+    check_user_target_access(
+      &update.target,
+      user,
+      PermissionLevel::Read.into(),
+    )
+    .await?;
    Ok(update)
  }
 }
--- a/bin/core/src/api/read/user.rs
+++ b/bin/core/src/api/read/user.rs
@@ -13,7 +13,7 @@ use komodo_client::{
  },
  entities::user::{UserConfig, admin_service_user},
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{helpers::query::get_user, state::db_client};

@@ -23,7 +23,7 @@ impl Resolve<ReadArgs> for GetUsername {
  async fn resolve(
    self,
    _: &ReadArgs,
-  ) -> serror::Result<GetUsernameResponse> {
+  ) -> mogh_error::Result<GetUsernameResponse> {
    if let Some(user) = admin_service_user(&self.user_id) {
      return Ok(GetUsernameResponse {
        username: user.username,
@@ -53,7 +53,7 @@ impl Resolve<ReadArgs> for FindUser {
  async fn resolve(
    self,
    ReadArgs { user: admin }: &ReadArgs,
-  ) -> serror::Result<FindUserResponse> {
+  ) -> mogh_error::Result<FindUserResponse> {
    if !admin.admin {
      return Err(anyhow!("This method is admin only.").into());
    }
@@ -65,15 +65,26 @@ impl Resolve<ReadArgs> for ListUsers {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUsersResponse> {
+  ) -> mogh_error::Result<ListUsersResponse> {
    if !user.admin {
      return Err(
        anyhow!("this route is only accessable by admins").into(),
      );
    }
+    let filter = match self.service_users {
+      komodo_client::api::read::ServiceUserQueryBehavior::Include => {
+        None
+      }
+      komodo_client::api::read::ServiceUserQueryBehavior::Exclude => {
+        Some(doc! { "config.type": { "$ne": "Service" } })
+      }
+      komodo_client::api::read::ServiceUserQueryBehavior::Only => {
+        Some(doc! { "config.type": "Service" })
+      }
+    };
    let mut users = find_collect(
      &db_client().users,
-      None,
+      filter,
      FindOptions::builder().sort(doc! { "username": 1 }).build(),
    )
    .await
@@ -87,7 +98,7 @@ impl Resolve<ReadArgs> for ListApiKeys {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListApiKeysResponse> {
+  ) -> mogh_error::Result<ListApiKeysResponse> {
    let api_keys = find_collect(
      &db_client().api_keys,
      doc! { "user_id": &user.id },
@@ -109,7 +120,7 @@ impl Resolve<ReadArgs> for ListApiKeysForServiceUser {
  async fn resolve(
    self,
    ReadArgs { user: admin }: &ReadArgs,
-  ) -> serror::Result<ListApiKeysForServiceUserResponse> {
+  ) -> mogh_error::Result<ListApiKeysForServiceUserResponse> {
    if !admin.admin {
      return Err(anyhow!("This method is admin only.").into());
    }
--- a/bin/core/src/api/read/user_group.rs
+++ b/bin/core/src/api/read/user_group.rs
@@ -9,7 +9,7 @@ use database::mungos::{
  },
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::state::db_client;

@@ -19,7 +19,7 @@ impl Resolve<ReadArgs> for GetUserGroup {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetUserGroupResponse> {
+  ) -> mogh_error::Result<GetUserGroupResponse> {
    let mut filter = match ObjectId::from_str(&self.user_group) {
      Ok(id) => doc! { "_id": id },
      Err(_) => doc! { "name": &self.user_group },
@@ -43,7 +43,7 @@ impl Resolve<ReadArgs> for ListUserGroups {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListUserGroupsResponse> {
+  ) -> mogh_error::Result<ListUserGroupsResponse> {
    let mut filter = Document::new();
    if !user.admin {
      filter.insert("users", &user.id);
--- a/bin/core/src/api/read/variable.rs
+++ b/bin/core/src/api/read/variable.rs
@@ -4,7 +4,7 @@ use database::mungos::{
  find::find_collect, mongodb::options::FindOptions,
 };
 use komodo_client::api::read::*;
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{helpers::query::get_variable, state::db_client};

@@ -14,7 +14,7 @@ impl Resolve<ReadArgs> for GetVariable {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<GetVariableResponse> {
+  ) -> mogh_error::Result<GetVariableResponse> {
    let mut variable = get_variable(&self.name).await?;
    if !variable.is_secret || user.admin {
      return Ok(variable);
@@ -28,7 +28,7 @@ impl Resolve<ReadArgs> for ListVariables {
  async fn resolve(
    self,
    ReadArgs { user }: &ReadArgs,
-  ) -> serror::Result<ListVariablesResponse> {
+  ) -> mogh_error::Result<ListVariablesResponse> {
    let variables = find_collect(
      &db_client().variables,
      None,
--- a/bin/core/src/api/terminal.rs
+++ b/bin/core/src/api/terminal.rs
@@ -1,299 +1,56 @@
 use anyhow::Context;
 use axum::{Extension, Router, middleware, routing::post};
-use komodo_client::{
-  api::terminal::*,
-  entities::{
-    deployment::Deployment, permission::PermissionLevel,
-    server::Server, stack::Stack, user::User,
-  },
-};
-use serror::Json;
-use uuid::Uuid;
+use komodo_client::{api::terminal::*, entities::user::User};
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;

 use crate::{
-  auth::auth_request, helpers::periphery_client,
-  permission::get_check_permissions, resource::get,
-  state::stack_status_cache,
+  auth::KomodoAuthImpl, helpers::terminal::setup_target_for_user,
 };

 pub fn router() -> Router {
  Router::new()
    .route("/execute", post(execute_terminal))
-    .route("/execute/container", post(execute_container_exec))
-    .route("/execute/deployment", post(execute_deployment_exec))
-    .route("/execute/stack", post(execute_stack_exec))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }

 // =================
 //  ExecuteTerminal
 // =================

-async fn execute_terminal(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteTerminalBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_terminal_inner(Uuid::new_v4(), request, user).await
-}
-
 #[instrument(
  name = "ExecuteTerminal",
-  skip(user),
+  skip_all,
  fields(
-    user_id = user.id,
+    operator = user.id,
+    target,
+    terminal,
+    init = format!("{init:?}")
  )
 )]
-async fn execute_terminal_inner(
-  req_id: Uuid,
-  ExecuteTerminalBody {
-    server,
+async fn execute_terminal(
+  Extension(user): Extension<User>,
+  Json(ExecuteTerminalBody {
+    target,
    terminal,
    command,
-  }: ExecuteTerminalBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!("/terminal/execute request | user: {}", user.username);
-
-  let res = async {
-    let server = get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_terminal(terminal, command)
-      .await
-      .context("Failed to execute command on periphery")?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!("/terminal/execute request {req_id} error: {e:#}");
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// ======================
-//  ExecuteContainerExec
-// ======================
-
-async fn execute_container_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteContainerExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_container_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteContainerExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_container_exec_inner(
-  req_id: Uuid,
-  ExecuteContainerExecBody {
-    server,
-    container,
-    shell,
-    command,
-  }: ExecuteContainerExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
+    init,
+  }): Json<ExecuteTerminalBody>,
+) -> mogh_error::Result<axum::body::Body> {
  info!(
-    "/terminal/execute/container request | user: {}",
-    user.username
+    "TERMINAL EXECUTE REQUEST | USER: {} ({})",
+    user.username, user.id
  );

-  let res = async {
-    let server = get_check_permissions::<Server>(
-      &server,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
+  let (target, terminal, periphery) =
+    setup_target_for_user(target, terminal, init, &user).await?;

-    let periphery = periphery_client(&server)?;
+  let stream = periphery
+    .execute_terminal(target, terminal, command)
+    .await
+    .context("Failed to execute command on Terminal")?;

-    let stream = periphery
-      .execute_container_exec(container, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!(
-        "/terminal/execute/container request {req_id} error: {e:#}"
-      );
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// =======================
-//  ExecuteDeploymentExec
-// =======================
-
-async fn execute_deployment_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteDeploymentExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_deployment_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteDeploymentExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_deployment_exec_inner(
-  req_id: Uuid,
-  ExecuteDeploymentExecBody {
-    deployment,
-    shell,
-    command,
-  }: ExecuteDeploymentExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!(
-    "/terminal/execute/deployment request | user: {}",
-    user.username
-  );
-
-  let res = async {
-    let deployment = get_check_permissions::<Deployment>(
-      &deployment,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let server = get::<Server>(&deployment.config.server_id).await?;
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_container_exec(deployment.name, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!(
-        "/terminal/execute/deployment request {req_id} error: {e:#}"
-      );
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
-}
-
-// ==================
-//  ExecuteStackExec
-// ==================
-
-async fn execute_stack_exec(
-  Extension(user): Extension<User>,
-  Json(request): Json<ExecuteStackExecBody>,
-) -> serror::Result<axum::body::Body> {
-  execute_stack_exec_inner(Uuid::new_v4(), request, user).await
-}
-
-#[instrument(
-  name = "ExecuteStackExec",
-  skip(user),
-  fields(
-    user_id = user.id,
-  )
-)]
-async fn execute_stack_exec_inner(
-  req_id: Uuid,
-  ExecuteStackExecBody {
-    stack,
-    service,
-    shell,
-    command,
-  }: ExecuteStackExecBody,
-  user: User,
-) -> serror::Result<axum::body::Body> {
-  info!("/terminal/execute/stack request | user: {}", user.username);
-
-  let res = async {
-    let stack = get_check_permissions::<Stack>(
-      &stack,
-      &user,
-      PermissionLevel::Read.terminal(),
-    )
-    .await?;
-
-    let server = get::<Server>(&stack.config.server_id).await?;
-
-    let container = stack_status_cache()
-      .get(&stack.id)
-      .await
-      .context("could not get stack status")?
-      .curr
-      .services
-      .iter()
-      .find(|s| s.service == service)
-      .context("could not find service")?
-      .container
-      .as_ref()
-      .context("could not find service container")?
-      .name
-      .clone();
-
-    let periphery = periphery_client(&server)?;
-
-    let stream = periphery
-      .execute_container_exec(container, shell, command)
-      .await
-      .context(
-        "Failed to execute container exec command on periphery",
-      )?;
-
-    anyhow::Ok(stream)
-  }
-  .await;
-
-  let stream = match res {
-    Ok(stream) => stream,
-    Err(e) => {
-      warn!("/terminal/execute/stack request {req_id} error: {e:#}");
-      return Err(e.into());
-    }
-  };
-
-  Ok(axum::body::Body::from_stream(stream.into_line_stream()))
+  Ok(axum::body::Body::from_stream(stream))
 }
--- a/bin/core/src/api/user.rs
+++ b/bin/core/src/api/user.rs
@@ -1,213 +0,0 @@
-use std::{collections::VecDeque, time::Instant};
-
-use anyhow::{Context, anyhow};
-use axum::{
-  Extension, Json, Router, extract::Path, middleware, routing::post,
-};
-use database::mongo_indexed::doc;
-use database::mungos::{
-  by_id::update_one_by_id, mongodb::bson::to_bson,
-};
-use derive_variants::EnumVariants;
-use komodo_client::{
-  api::user::*,
-  entities::{api_key::ApiKey, komodo_timestamp, user::User},
-};
-use resolver_api::Resolve;
-use response::Response;
-use serde::{Deserialize, Serialize};
-use serde_json::json;
-use typeshare::typeshare;
-use uuid::Uuid;
-
-use crate::{
-  auth::auth_request,
-  helpers::{query::get_user, random_string},
-  state::db_client,
-};
-
-use super::Variant;
-
-pub struct UserArgs {
-  pub user: User,
-}
-
-#[typeshare]
-#[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
-)]
-#[args(UserArgs)]
-#[response(Response)]
-#[error(serror::Error)]
-#[serde(tag = "type", content = "params")]
-enum UserRequest {
-  PushRecentlyViewed(PushRecentlyViewed),
-  SetLastSeenUpdate(SetLastSeenUpdate),
-  CreateApiKey(CreateApiKey),
-  DeleteApiKey(DeleteApiKey),
-}
-
-pub fn router() -> Router {
-  Router::new()
-    .route("/", post(handler))
-    .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
-}
-
-async fn variant_handler(
-  user: Extension<User>,
-  Path(Variant { variant }): Path<Variant>,
-  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
-  let req: UserRequest = serde_json::from_value(json!({
-    "type": variant,
-    "params": params,
-  }))?;
-  handler(user, Json(req)).await
-}
-
-#[instrument(name = "UserHandler", level = "debug", skip(user))]
-async fn handler(
-  Extension(user): Extension<User>,
-  Json(request): Json<UserRequest>,
-) -> serror::Result<axum::response::Response> {
-  let timer = Instant::now();
-  let req_id = Uuid::new_v4();
-  debug!(
-    "/user request {req_id} | user: {} ({})",
-    user.username, user.id
-  );
-  let res = request.resolve(&UserArgs { user }).await;
-  if let Err(e) = &res {
-    warn!("/user request {req_id} error: {:#}", e.error);
-  }
-  let elapsed = timer.elapsed();
-  debug!("/user request {req_id} | resolve time: {elapsed:?}");
-  res.map(|res| res.0)
-}
-
-const RECENTLY_VIEWED_MAX: usize = 10;
-
-impl Resolve<UserArgs> for PushRecentlyViewed {
-  #[instrument(
-    name = "PushRecentlyViewed",
-    level = "debug",
-    skip(user)
-  )]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<PushRecentlyViewedResponse> {
-    let user = get_user(&user.id).await?;
-
-    let (resource_type, id) = self.resource.extract_variant_id();
-    let update = match user.recents.get(&resource_type) {
-      Some(recents) => {
-        let mut recents = recents
-          .iter()
-          .filter(|_id| !id.eq(*_id))
-          .take(RECENTLY_VIEWED_MAX - 1)
-          .collect::<VecDeque<_>>();
-        recents.push_front(id);
-        doc! { format!("recents.{resource_type}"): to_bson(&recents)? }
-      }
-      None => {
-        doc! { format!("recents.{resource_type}"): [id] }
-      }
-    };
-    update_one_by_id(
-      &db_client().users,
-      &user.id,
-      database::mungos::update::Update::Set(update),
-      None,
-    )
-    .await
-    .with_context(|| {
-      format!("failed to update recents.{resource_type}")
-    })?;
-
-    Ok(PushRecentlyViewedResponse {})
-  }
-}
-
-impl Resolve<UserArgs> for SetLastSeenUpdate {
-  #[instrument(
-    name = "SetLastSeenUpdate",
-    level = "debug",
-    skip(user)
-  )]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<SetLastSeenUpdateResponse> {
-    update_one_by_id(
-      &db_client().users,
-      &user.id,
-      database::mungos::update::Update::Set(doc! {
-        "last_update_view": komodo_timestamp()
-      }),
-      None,
-    )
-    .await
-    .context("failed to update user last_update_view")?;
-    Ok(SetLastSeenUpdateResponse {})
-  }
-}
-
-const SECRET_LENGTH: usize = 40;
-const BCRYPT_COST: u32 = 10;
-
-impl Resolve<UserArgs> for CreateApiKey {
-  #[instrument(name = "CreateApiKey", level = "debug", skip(user))]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<CreateApiKeyResponse> {
-    let user = get_user(&user.id).await?;
-
-    let key = format!("K-{}", random_string(SECRET_LENGTH));
-    let secret = format!("S-{}", random_string(SECRET_LENGTH));
-    let secret_hash = bcrypt::hash(&secret, BCRYPT_COST)
-      .context("failed at hashing secret string")?;
-
-    let api_key = ApiKey {
-      name: self.name,
-      key: key.clone(),
-      secret: secret_hash,
-      user_id: user.id.clone(),
-      created_at: komodo_timestamp(),
-      expires: self.expires,
-    };
-    db_client()
-      .api_keys
-      .insert_one(api_key)
-      .await
-      .context("failed to create api key on db")?;
-    Ok(CreateApiKeyResponse { key, secret })
-  }
-}
-
-impl Resolve<UserArgs> for DeleteApiKey {
-  #[instrument(name = "DeleteApiKey", level = "debug", skip(user))]
-  async fn resolve(
-    self,
-    UserArgs { user }: &UserArgs,
-  ) -> serror::Result<DeleteApiKeyResponse> {
-    let client = db_client();
-    let key = client
-      .api_keys
-      .find_one(doc! { "key": &self.key })
-      .await
-      .context("failed at db query")?
-      .context("no api key with key found")?;
-    if user.id != key.user_id {
-      return Err(anyhow!("api key does not belong to user").into());
-    }
-    client
-      .api_keys
-      .delete_one(doc! { "key": key.key })
-      .await
-      .context("failed to delete api key from db")?;
-    Ok(DeleteApiKeyResponse {})
-  }
-}
--- a/bin/core/src/api/write/action.rs
+++ b/bin/core/src/api/write/action.rs
@@ -4,67 +4,105 @@ use komodo_client::{
    action::Action, permission::PermissionLevel, update::Update,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{permission::get_check_permissions, resource};

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateAction {
-  #[instrument(name = "CreateAction", skip(user))]
+  #[instrument(
+    "CreateAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
-    Ok(
-      resource::create::<Action>(&self.name, self.config, user)
-        .await?,
-    )
+  ) -> mogh_error::Result<Action> {
+    resource::create::<Action>(&self.name, self.config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for CopyAction {
-  #[instrument(name = "CopyAction", skip(user))]
+  #[instrument(
+    "CopyAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.name,
+      copy_action = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
    let Action { config, .. } = get_check_permissions::<Action>(
      &self.id,
      user,
      PermissionLevel::Write.into(),
    )
    .await?;
-    Ok(
-      resource::create::<Action>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Action>(&self.name, config.into(), None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for UpdateAction {
-  #[instrument(name = "UpdateAction", skip(user))]
+  #[instrument(
+    "UpdateAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Action> {
+  ) -> mogh_error::Result<Action> {
    Ok(resource::update::<Action>(&self.id, self.config, user).await?)
  }
 }

 impl Resolve<WriteArgs> for RenameAction {
-  #[instrument(name = "RenameAction", skip(user))]
+  #[instrument(
+    "RenameAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id,
+      new_name = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    Ok(resource::rename::<Action>(&self.id, &self.name, user).await?)
  }
 }

 impl Resolve<WriteArgs> for DeleteAction {
-  #[instrument(name = "DeleteAction", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Action> {
-    Ok(resource::delete::<Action>(&self.id, args).await?)
+  #[instrument(
+    "DeleteAction",
+    skip_all,
+    fields(
+      operator = user.id,
+      action = self.id
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Action> {
+    Ok(resource::delete::<Action>(&self.id, user).await?)
  }
 }
--- a/bin/core/src/api/write/alert.rs
+++ b/bin/core/src/api/write/alert.rs
@@ -0,0 +1,41 @@
+use std::str::FromStr;
+
+use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{doc, oid::ObjectId};
+use komodo_client::{api::write::CloseAlert, entities::NoData};
+use mogh_error::AddStatusCodeError;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{api::write::WriteArgs, state::db_client};
+
+impl Resolve<WriteArgs> for CloseAlert {
+  #[instrument(
+    "CloseAlert",
+    skip_all,
+    fields(
+      operator = admin.id,
+      alert_id = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    db_client()
+      .alerts
+      .update_one(
+        doc! { "_id": ObjectId::from_str(&self.id)? },
+        doc! { "$set": { "resolved": true } },
+      )
+      .await
+      .context("Failed to close Alert on database")?;
+    Ok(NoData {})
+  }
+}
--- a/bin/core/src/api/write/alerter.rs
+++ b/bin/core/src/api/write/alerter.rs
@@ -4,60 +4,87 @@ use komodo_client::{
    alerter::Alerter, permission::PermissionLevel, update::Update,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{permission::get_check_permissions, resource};

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateAlerter {
-  #[instrument(name = "CreateAlerter", skip(user))]
+  #[instrument(
+    "CreateAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
-    Ok(
-      resource::create::<Alerter>(&self.name, self.config, user)
-        .await?,
-    )
+  ) -> mogh_error::Result<Alerter> {
+    resource::create::<Alerter>(&self.name, self.config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for CopyAlerter {
-  #[instrument(name = "CopyAlerter", skip(user))]
+  #[instrument(
+    "CopyAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.name,
+      copy_alerter = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
    let Alerter { config, .. } = get_check_permissions::<Alerter>(
      &self.id,
      user,
      PermissionLevel::Write.into(),
    )
    .await?;
-    Ok(
-      resource::create::<Alerter>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Alerter>(&self.name, config.into(), None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for DeleteAlerter {
-  #[instrument(name = "DeleteAlerter", skip(args))]
+  #[instrument(
+    "DeleteAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+    )
+  )]
  async fn resolve(
    self,
-    args: &WriteArgs,
-  ) -> serror::Result<Alerter> {
-    Ok(resource::delete::<Alerter>(&self.id, args).await?)
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Alerter> {
+    Ok(resource::delete::<Alerter>(&self.id, user).await?)
  }
 }

 impl Resolve<WriteArgs> for UpdateAlerter {
-  #[instrument(name = "UpdateAlerter", skip(user))]
+  #[instrument(
+    "UpdateAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+      update = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Alerter> {
+  ) -> mogh_error::Result<Alerter> {
    Ok(
      resource::update::<Alerter>(&self.id, self.config, user)
        .await?,
@@ -66,11 +93,19 @@ impl Resolve<WriteArgs> for UpdateAlerter {
 }

 impl Resolve<WriteArgs> for RenameAlerter {
-  #[instrument(name = "RenameAlerter", skip(user))]
+  #[instrument(
+    "RenameAlerter",
+    skip_all,
+    fields(
+      operator = user.id,
+      alerter = self.id,
+      new_name = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    Ok(resource::rename::<Alerter>(&self.id, &self.name, user).await?)
  }
 }
--- a/bin/core/src/api/write/build.rs
+++ b/bin/core/src/api/write/build.rs
@@ -1,68 +1,79 @@
-use std::{path::PathBuf, str::FromStr, time::Duration};
+use std::{path::PathBuf, time::Duration};

 use anyhow::{Context, anyhow};
-use database::mongo_indexed::doc;
 use database::mungos::mongodb::bson::to_document;
+use database::{
+  mongo_indexed::doc, mungos::mongodb::bson::oid::ObjectId,
+};
 use formatting::format_serror;
 use komodo_client::{
  api::write::*,
  entities::{
    FileContents, NoData, Operation, RepoExecutionArgs,
    all_logs_success,
-    build::{Build, BuildInfo, PartialBuildConfig},
+    build::{Build, BuildInfo},
    builder::{Builder, BuilderConfig},
-    config::core::CoreConfig,
    permission::PermissionLevel,
    repo::Repo,
    server::ServerState,
    update::Update,
  },
 };
-use octorust::types::{
-  ReposCreateWebhookRequest, ReposCreateWebhookRequestConfig,
+use mogh_resolver::Resolve;
+use periphery_client::api::build::{
+  GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
 };
-use periphery_client::{
-  PeripheryClient,
-  api::build::{
-    GetDockerfileContentsOnHost, WriteDockerfileContentsToHost,
-  },
-};
-use resolver_api::Resolve;
 use tokio::fs;

 use crate::{
  config::core_config,
+  connection::PeripheryConnectionArgs,
  helpers::{
    git_token, periphery_client,
    query::get_server_with_state,
    update::{add_update, make_update},
  },
+  periphery::PeripheryClient,
  permission::get_check_permissions,
  resource,
-  state::{db_client, github_client},
+  state::db_client,
 };

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateBuild {
-  #[instrument(name = "CreateBuild", skip(user))]
+  #[instrument(
+    "CreateBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
-    Ok(
-      resource::create::<Build>(&self.name, self.config, user)
-        .await?,
-    )
+  ) -> mogh_error::Result<Build> {
+    resource::create::<Build>(&self.name, self.config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for CopyBuild {
-  #[instrument(name = "CopyBuild", skip(user))]
+  #[instrument(
+    "CopyBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.name,
+      copy_build = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
    let Build { mut config, .. } = get_check_permissions::<Build>(
      &self.id,
      user,
@@ -71,43 +82,77 @@ impl Resolve<WriteArgs> for CopyBuild {
    .await?;
    // reset version to 0.0.0
    config.version = Default::default();
-    Ok(
-      resource::create::<Build>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Build>(&self.name, config.into(), None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for DeleteBuild {
-  #[instrument(name = "DeleteBuild", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Build> {
-    Ok(resource::delete::<Build>(&self.id, args).await?)
+  #[instrument(
+    "DeleteBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Build> {
+    Ok(resource::delete::<Build>(&self.id, user).await?)
  }
 }

 impl Resolve<WriteArgs> for UpdateBuild {
-  #[instrument(name = "UpdateBuild", skip(user))]
+  #[instrument(
+    "UpdateBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Build> {
+  ) -> mogh_error::Result<Build> {
    Ok(resource::update::<Build>(&self.id, self.config, user).await?)
  }
 }

 impl Resolve<WriteArgs> for RenameBuild {
-  #[instrument(name = "RenameBuild", skip(user))]
+  #[instrument(
+    "RenameBuild",
+    skip_all,
+    fields(
+      operator = user.id,
+      build = self.id,
+      new_name = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    Ok(resource::rename::<Build>(&self.id, &self.name, user).await?)
  }
 }

 impl Resolve<WriteArgs> for WriteBuildFileContents {
-  #[instrument(name = "WriteBuildFileContents", skip(args))]
-  async fn resolve(self, args: &WriteArgs) -> serror::Result<Update> {
+  #[instrument(
+    "WriteBuildFileContents",
+    skip_all,
+    fields(
+      operator = args.user.id,
+      build = self.build,
+    )
+  )]
+  async fn resolve(
+    self,
+    args: &WriteArgs,
+  ) -> mogh_error::Result<Update> {
    let build = get_check_permissions::<Build>(
      &self.build,
      &args.user,
@@ -178,15 +223,16 @@ impl Resolve<WriteArgs> for WriteBuildFileContents {
  }
 }

+#[instrument("WriteDockerfileContentsGit", skip_all)]
 async fn write_dockerfile_contents_git(
  req: WriteBuildFileContents,
  args: &WriteArgs,
  build: Build,
  mut update: Update,
-) -> serror::Result<Update> {
+) -> mogh_error::Result<Update> {
  let WriteBuildFileContents { build: _, contents } = req;

-  let mut clone_args: RepoExecutionArgs = if !build
+  let mut repo_args: RepoExecutionArgs = if !build
    .config
    .files_on_host
    && !build.config.linked_repo.is_empty()
@@ -196,8 +242,8 @@ async fn write_dockerfile_contents_git(
  } else {
    (&build).into()
  };
-  let root = clone_args.unique_path(&core_config().repo_directory)?;
-  clone_args.destination = Some(root.display().to_string());
+  let root = repo_args.unique_path(&core_config().repo_directory)?;
+  repo_args.destination = Some(root.display().to_string());

  let build_path = build
    .config
@@ -220,11 +266,11 @@ async fn write_dockerfile_contents_git(
    })?;
  }

-  let access_token = if let Some(account) = &clone_args.account {
-    git_token(&clone_args.provider, account, |https| clone_args.https = https)
+  let access_token = if let Some(account) = &repo_args.account {
+    git_token(&repo_args.provider, account, |https| repo_args.https = https)
    .await
    .with_context(
-      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", clone_args.provider),
+      || format!("Failed to get git token in call to db. Stopping run. | {} | {account}", repo_args.provider),
    )?
  } else {
    None
@@ -235,7 +281,7 @@ async fn write_dockerfile_contents_git(
  if !root.join(".git").exists() {
    git::init_folder_as_repo(
      &root,
-      &clone_args,
+      &repo_args,
      access_token.as_deref(),
      &mut update.logs,
    )
@@ -249,9 +295,11 @@ async fn write_dockerfile_contents_git(
    }
  }

+  // Save this for later -- repo_args moved next.
+  let branch = repo_args.branch.clone();
  // Pull latest changes to repo to ensure linear commit history
  match git::pull_or_clone(
-    clone_args,
+    repo_args,
    &core_config().repo_directory,
    access_token,
  )
@@ -273,8 +321,9 @@ async fn write_dockerfile_contents_git(
    return Ok(update);
  }

-  if let Err(e) =
-    fs::write(&full_path, &contents).await.with_context(|| {
+  if let Err(e) = mogh_secret_file::write_async(&full_path, &contents)
+    .await
+    .with_context(|| {
      format!("Failed to write dockerfile contents to {full_path:?}")
    })
  {
@@ -298,7 +347,7 @@ async fn write_dockerfile_contents_git(
    &format!("{}: Commit Dockerfile", args.user.username),
    &root,
    &build_path.join(&dockerfile_path),
-    &build.config.branch,
+    &branch,
  )
  .await;

@@ -321,15 +370,10 @@ async fn write_dockerfile_contents_git(
 }

 impl Resolve<WriteArgs> for RefreshBuildCache {
-  #[instrument(
-    name = "RefreshBuildCache",
-    level = "debug",
-    skip(user)
-  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<NoData> {
+  ) -> mogh_error::Result<NoData> {
    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
    // build should be able to do this.
    let build = get_check_permissions::<Build>(
@@ -349,23 +393,28 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
      None
    };

-    let (
-      remote_path,
-      remote_contents,
-      remote_error,
-      latest_hash,
-      latest_message,
-    ) = if build.config.files_on_host {
+    let RemoteDockerfileContents {
+      path,
+      contents,
+      error,
+      hash,
+      message,
+    } = if build.config.files_on_host {
      // =============
      // FILES ON HOST
      // =============
      match get_on_host_dockerfile(&build).await {
        Ok(FileContents { path, contents }) => {
-          (Some(path), Some(contents), None, None, None)
-        }
-        Err(e) => {
-          (None, None, Some(format_serror(&e.into())), None, None)
+          RemoteDockerfileContents {
+            path: Some(path),
+            contents: Some(contents),
+            ..Default::default()
+          }
        }
+        Err(e) => RemoteDockerfileContents {
+          error: Some(format_serror(&e.into())),
+          ..Default::default()
+        },
      }
    } else if let Some(repo) = &repo {
      let Some(res) = get_git_remote(&build, repo.into()).await?
@@ -385,7 +434,7 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
      // =============
      // UI BASED FILE
      // =============
-      (None, None, None, None, None)
+      RemoteDockerfileContents::default()
    };

    let info = BuildInfo {
@@ -393,11 +442,11 @@ impl Resolve<WriteArgs> for RefreshBuildCache {
      built_hash: build.info.built_hash,
      built_message: build.info.built_message,
      built_contents: build.info.built_contents,
-      remote_path,
-      remote_contents,
-      remote_error,
-      latest_hash,
-      latest_message,
+      remote_path: path,
+      remote_contents: contents,
+      remote_error: error,
+      latest_hash: hash,
+      latest_message: message,
    };

    let info = to_document(&info)
@@ -432,13 +481,26 @@ async fn get_on_host_periphery(
      Err(anyhow!("Files on host doesn't work with AWS builder"))
    }
    BuilderConfig::Url(config) => {
+      // TODO: Ensure connection is actually established.
+      // Builder id no good because it may be active for multiple connections.
      let periphery = PeripheryClient::new(
-        config.address,
-        config.passkey,
-        Duration::from_secs(3),
-      );
-      periphery.health_check().await?;
-      Ok(periphery)
+        PeripheryConnectionArgs::from_url_builder(
+          &ObjectId::new().to_hex(),
+          &config,
+        ),
+        config.insecure_tls,
+      )
+      .await?;
+      // Poll for connection to be estalished
+      let mut err = None;
+      for _ in 0..10 {
+        tokio::time::sleep(Duration::from_secs(1)).await;
+        match periphery.health_check().await {
+          Ok(_) => return Ok(periphery),
+          Err(e) => err = Some(e),
+        };
+      }
+      Err(err.context("Missing error")?)
    }
    BuilderConfig::Server(config) => {
      if config.server_id.is_empty() {
@@ -453,7 +515,7 @@ async fn get_on_host_periphery(
          "Builder server is disabled or not reachable"
        ));
      };
-      periphery_client(&server)
+      periphery_client(&server).await
    }
  }
 }
@@ -476,15 +538,7 @@ async fn get_on_host_dockerfile(
 async fn get_git_remote(
  build: &Build,
  mut clone_args: RepoExecutionArgs,
-) -> anyhow::Result<
-  Option<(
-    Option<String>,
-    Option<String>,
-    Option<String>,
-    Option<String>,
-    Option<String>,
-  )>,
-> {
+) -> anyhow::Result<Option<RemoteDockerfileContents>> {
  if clone_args.provider.is_empty() {
    // Nothing to do here
    return Ok(None);
@@ -511,10 +565,19 @@ async fn get_git_remote(
    access_token,
  )
  .await
-  .context("failed to clone build repo")?;
+  .context("Failed to clone Build repo")?;

-  let relative_path = PathBuf::from_str(&build.config.build_path)
-    .context("Invalid build path")?
+  // Ensure clone / pull successful,
+  // propogate error log -> 'errored' and return.
+  if let Some(failure) = res.logs.iter().find(|log| !log.success) {
+    return Ok(Some(RemoteDockerfileContents {
+      path: Some(format!("Failed at: {}", failure.stage)),
+      error: Some(failure.combined()),
+      ..Default::default()
+    }));
+  }
+
+  let relative_path = PathBuf::from(&build.config.build_path)
    .join(&build.config.dockerfile_path);

  let full_path = repo_path.join(&relative_path);
@@ -525,209 +588,20 @@ async fn get_git_remote(
      Ok(contents) => (Some(contents), None),
      Err(e) => (None, Some(format_serror(&e.into()))),
    };
-  Ok(Some((
-    Some(relative_path.display().to_string()),
+  Ok(Some(RemoteDockerfileContents {
+    path: Some(relative_path.display().to_string()),
    contents,
    error,
-    res.commit_hash,
-    res.commit_message,
-  )))
+    hash: res.commit_hash,
+    message: res.commit_message,
+  }))
 }

-impl Resolve<WriteArgs> for CreateBuildWebhook {
-  #[instrument(name = "CreateBuildWebhook", skip(args))]
-  async fn resolve(
-    self,
-    args: &WriteArgs,
-  ) -> serror::Result<CreateBuildWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let WriteArgs { user } = args;
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if build.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't create webhook").into(),
-      );
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    // First make sure the webhook isn't already created (inactive ones are ignored)
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      webhook_secret,
-      ..
-    } = core_config();
-
-    let webhook_secret = if build.config.webhook_secret.is_empty() {
-      webhook_secret
-    } else {
-      &build.config.webhook_secret
-    };
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        return Ok(NoData {});
-      }
-    }
-
-    // Now good to create the webhook
-    let request = ReposCreateWebhookRequest {
-      active: Some(true),
-      config: Some(ReposCreateWebhookRequestConfig {
-        url,
-        secret: webhook_secret.to_string(),
-        content_type: String::from("json"),
-        insecure_ssl: None,
-        digest: Default::default(),
-        token: Default::default(),
-      }),
-      events: vec![String::from("push")],
-      name: String::from("web"),
-    };
-    github_repos
-      .create_webhook(owner, repo, &request)
-      .await
-      .context("failed to create webhook")?;
-
-    if !build.config.webhook_enabled {
-      UpdateBuild {
-        id: build.id,
-        config: PartialBuildConfig {
-          webhook_enabled: Some(true),
-          ..Default::default()
-        },
-      }
-      .resolve(args)
-      .await
-      .map_err(|e| e.error)
-      .context("failed to update build to enable webhook")?;
-    }
-
-    Ok(NoData {})
-  }
-}
-
-impl Resolve<WriteArgs> for DeleteBuildWebhook {
-  #[instrument(name = "DeleteBuildWebhook", skip(user))]
-  async fn resolve(
-    self,
-    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<DeleteBuildWebhookResponse> {
-    let Some(github) = github_client() else {
-      return Err(
-        anyhow!(
-          "github_webhook_app is not configured in core config toml"
-        )
-        .into(),
-      );
-    };
-
-    let build = get_check_permissions::<Build>(
-      &self.build,
-      user,
-      PermissionLevel::Write.into(),
-    )
-    .await?;
-
-    if build.config.git_provider != "github.com" {
-      return Err(
-        anyhow!("Can only manage github.com repo webhooks").into(),
-      );
-    }
-
-    if build.config.repo.is_empty() {
-      return Err(
-        anyhow!("No repo configured, can't delete webhook").into(),
-      );
-    }
-
-    let mut split = build.config.repo.split('/');
-    let owner = split.next().context("Build repo has no owner")?;
-
-    let Some(github) = github.get(owner) else {
-      return Err(
-        anyhow!("Cannot manage repo webhooks under owner {owner}")
-          .into(),
-      );
-    };
-
-    let repo =
-      split.next().context("Build repo has no repo after the /")?;
-
-    let github_repos = github.repos();
-
-    let webhooks = github_repos
-      .list_all_webhooks(owner, repo)
-      .await
-      .context("failed to list all webhooks on repo")?
-      .body;
-
-    let CoreConfig {
-      host,
-      webhook_base_url,
-      ..
-    } = core_config();
-
-    let host = if webhook_base_url.is_empty() {
-      host
-    } else {
-      webhook_base_url
-    };
-    let url = format!("{host}/listener/github/build/{}", build.id);
-
-    for webhook in webhooks {
-      if webhook.active && webhook.config.url == url {
-        github_repos
-          .delete_webhook(owner, repo, webhook.id)
-          .await
-          .context("failed to delete webhook")?;
-        return Ok(NoData {});
-      }
-    }
-
-    // No webhook to delete, all good
-    Ok(NoData {})
-  }
+#[derive(Default)]
+pub struct RemoteDockerfileContents {
+  pub path: Option<String>,
+  pub contents: Option<String>,
+  pub error: Option<String>,
+  pub hash: Option<String>,
+  pub message: Option<String>,
 }
--- a/bin/core/src/api/write/builder.rs
+++ b/bin/core/src/api/write/builder.rs
@@ -4,60 +4,87 @@ use komodo_client::{
    builder::Builder, permission::PermissionLevel, update::Update,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{permission::get_check_permissions, resource};

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateBuilder {
-  #[instrument(name = "CreateBuilder", skip(user))]
+  #[instrument(
+    "CreateBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
-    Ok(
-      resource::create::<Builder>(&self.name, self.config, user)
-        .await?,
-    )
+  ) -> mogh_error::Result<Builder> {
+    resource::create::<Builder>(&self.name, self.config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for CopyBuilder {
-  #[instrument(name = "CopyBuilder", skip(user))]
+  #[instrument(
+    "CopyBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.name,
+      copy_builder = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
    let Builder { config, .. } = get_check_permissions::<Builder>(
      &self.id,
      user,
      PermissionLevel::Write.into(),
    )
    .await?;
-    Ok(
-      resource::create::<Builder>(&self.name, config.into(), user)
-        .await?,
-    )
+    resource::create::<Builder>(&self.name, config.into(), None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for DeleteBuilder {
-  #[instrument(name = "DeleteBuilder", skip(args))]
+  #[instrument(
+    "DeleteBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+    )
+  )]
  async fn resolve(
    self,
-    args: &WriteArgs,
-  ) -> serror::Result<Builder> {
-    Ok(resource::delete::<Builder>(&self.id, args).await?)
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Builder> {
+    Ok(resource::delete::<Builder>(&self.id, user).await?)
  }
 }

 impl Resolve<WriteArgs> for UpdateBuilder {
-  #[instrument(name = "UpdateBuilder", skip(user))]
+  #[instrument(
+    "UpdateBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Builder> {
+  ) -> mogh_error::Result<Builder> {
    Ok(
      resource::update::<Builder>(&self.id, self.config, user)
        .await?,
@@ -66,11 +93,19 @@ impl Resolve<WriteArgs> for UpdateBuilder {
 }

 impl Resolve<WriteArgs> for RenameBuilder {
-  #[instrument(name = "RenameBuilder", skip(user))]
+  #[instrument(
+    "RenameBuilder",
+    skip_all,
+    fields(
+      operator = user.id,
+      builder = self.id,
+      new_name = self.name
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    Ok(resource::rename::<Builder>(&self.id, &self.name, user).await?)
  }
 }
--- a/bin/core/src/api/write/deployment.rs
+++ b/bin/core/src/api/write/deployment.rs
@@ -1,56 +1,90 @@
+use std::sync::OnceLock;
+
 use anyhow::{Context, anyhow};
 use database::mungos::{by_id::update_one_by_id, mongodb::bson::doc};
+use futures_util::{StreamExt as _, stream::FuturesOrdered};
 use komodo_client::{
-  api::write::*,
+  api::{execute::Deploy, write::*},
  entities::{
-    Operation,
+    Operation, ResourceTarget, SwarmOrServer,
+    alert::{Alert, AlertData, SeverityLevel},
    deployment::{
-      Deployment, DeploymentImage, DeploymentState,
-      PartialDeploymentConfig, RestartMode,
+      Deployment, DeploymentImage, DeploymentInfo, DeploymentState,
+      PartialDeploymentConfig, RestartMode, extract_registry_domain,
    },
    docker::container::RestartPolicyNameEnum,
-    komodo_timestamp,
+    komodo_timestamp, optional_string,
    permission::PermissionLevel,
    server::{Server, ServerState},
    to_container_compatible_name,
    update::Update,
+    user::{auto_redeploy_user, system_user},
  },
 };
+use mogh_cache::SetCache;
+use mogh_resolver::Resolve;
 use periphery_client::api::{self, container::InspectContainer};
-use resolver_api::Resolve;

 use crate::{
+  alert::send_alerts,
+  api::execute::{self, ExecuteRequest, ExecutionResult},
  helpers::{
    periphery_client,
-    query::get_deployment_state,
-    update::{add_update, make_update},
+    query::{get_deployment_state, get_swarm_or_server},
+    registry_token,
+    update::{add_update, make_update, poll_update_until_complete},
  },
  permission::get_check_permissions,
-  resource,
-  state::{action_states, db_client, server_status_cache},
+  resource::{
+    self, list_full_for_user_using_pattern,
+    setup_deployment_execution,
+  },
+  state::{
+    action_states, db_client, deployment_status_cache,
+    image_digest_cache, server_status_cache,
+  },
 };

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateDeployment {
-  #[instrument(name = "CreateDeployment", skip(user))]
+  #[instrument(
+    "CreateDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.name,
+      config = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
-    Ok(
-      resource::create::<Deployment>(&self.name, self.config, user)
-        .await?,
+  ) -> mogh_error::Result<Deployment> {
+    resource::create::<Deployment>(
+      &self.name,
+      self.config,
+      None,
+      user,
    )
+    .await
  }
 }

 impl Resolve<WriteArgs> for CopyDeployment {
-  #[instrument(name = "CopyDeployment", skip(user))]
+  #[instrument(
+    "CopyDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.name,
+      copy_deployment = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
    let Deployment { config, .. } =
      get_check_permissions::<Deployment>(
        &self.id,
@@ -58,19 +92,30 @@ impl Resolve<WriteArgs> for CopyDeployment {
        PermissionLevel::Read.into(),
      )
      .await?;
-    Ok(
-      resource::create::<Deployment>(&self.name, config.into(), user)
-        .await?,
+    resource::create::<Deployment>(
+      &self.name,
+      config.into(),
+      None,
+      user,
    )
+    .await
  }
 }

 impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
-  #[instrument(name = "CreateDeploymentFromContainer", skip(user))]
+  #[instrument(
+    "CreateDeploymentFromContainer",
+    skip_all,
+    fields(
+      operator = user.id,
+      server = self.server,
+      deployment = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
+  ) -> mogh_error::Result<Deployment> {
    let server = get_check_permissions::<Server>(
      &self.server,
      user,
@@ -89,7 +134,8 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
        .into(),
      );
    }
-    let container = periphery_client(&server)?
+    let container = periphery_client(&server)
+      .await?
      .request(InspectContainer {
        name: self.name.clone(),
      })
@@ -153,42 +199,87 @@ impl Resolve<WriteArgs> for CreateDeploymentFromContainer {
      });
    }

-    Ok(
-      resource::create::<Deployment>(&self.name, config, user)
-        .await?,
-    )
+    resource::create::<Deployment>(&self.name, config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for DeleteDeployment {
-  #[instrument(name = "DeleteDeployment", skip(args))]
+  #[instrument(
+    "DeleteDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id
+    )
+  )]
  async fn resolve(
    self,
-    args: &WriteArgs,
-  ) -> serror::Result<Deployment> {
-    Ok(resource::delete::<Deployment>(&self.id, args).await?)
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Deployment> {
+    Ok(resource::delete::<Deployment>(&self.id, user).await?)
  }
 }

 impl Resolve<WriteArgs> for UpdateDeployment {
-  #[instrument(name = "UpdateDeployment", skip(user))]
+  #[instrument(
+    "UpdateDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Deployment> {
-    Ok(
+  ) -> mogh_error::Result<Deployment> {
+    // If the update changes image,
+    // also update the stored latest image digest.
+    let image_update = self
+      .config
+      .image
+      .as_ref()
+      .map(|image| image.as_image().is_some())
+      .unwrap_or_default();
+
+    let deployment =
      resource::update::<Deployment>(&self.id, self.config, user)
-        .await?,
-    )
+        .await?;
+
+    if image_update {
+      tokio::spawn(async move {
+        let _ = (CheckDeploymentForUpdate {
+          deployment: self.id,
+          skip_auto_update: false,
+          wait_for_auto_update: false,
+        })
+        .resolve(&WriteArgs {
+          user: system_user().to_owned(),
+        })
+        .await;
+      });
+    }
+
+    Ok(deployment)
  }
 }

 impl Resolve<WriteArgs> for RenameDeployment {
-  #[instrument(name = "RenameDeployment", skip(user))]
+  #[instrument(
+    "RenameDeployment",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.id,
+      new_name = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    let deployment = get_check_permissions::<Deployment>(
      &self.id,
      user,
@@ -238,7 +329,8 @@ impl Resolve<WriteArgs> for RenameDeployment {
    if container_state != DeploymentState::NotDeployed {
      let server =
        resource::get::<Server>(&deployment.config.server_id).await?;
-      let log = periphery_client(&server)?
+      let log = periphery_client(&server)
+        .await?
        .request(api::container::RenameContainer {
          curr_name: deployment.name.clone(),
          new_name: name.clone(),
@@ -261,3 +353,322 @@ impl Resolve<WriteArgs> for RenameDeployment {
    Ok(update)
  }
 }
+
+//
+
+impl Resolve<WriteArgs> for CheckDeploymentForUpdate {
+  #[instrument(
+    "CheckDeploymentForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      deployment = self.deployment,
+      skip_auto_update = self.skip_auto_update,
+      wait_for_auto_update = self.wait_for_auto_update,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<Self::Response> {
+    // Even though this is a write request, this doesn't change any config. Anyone that can execute the
+    // deployment should be able to do this.
+    let (deployment, swarm_or_server) = setup_deployment_execution(
+      &self.deployment,
+      user,
+      PermissionLevel::Execute.into(),
+    )
+    .await?;
+
+    swarm_or_server.verify_has_target()?;
+
+    check_deployment_for_update_inner(
+      deployment,
+      &swarm_or_server,
+      self.skip_auto_update,
+      self.wait_for_auto_update,
+    )
+    .await
+    .map_err(Into::into)
+  }
+}
+
+/// If it goes down the "update available" path,
+/// only send alert if deployment id is not in this cache.
+/// If alert is sent, add ID to cache.
+/// If later it goes down non "update available" path,
+/// remove the id from cache, so next time it does another alert
+/// will be sent.
+fn deployment_alert_sent_cache() -> &'static SetCache<String> {
+  static CACHE: OnceLock<SetCache<String>> = OnceLock::new();
+  CACHE.get_or_init(Default::default)
+}
+
+/// Checks remote registry for latest image digest,
+/// and saves it to database associated with the deployment.
+///
+/// Returns true if update is available and auto deploy is false.
+/// If auto deploy is true, this will deploy.
+#[instrument(
+  "CheckDeploymentForUpdateInner",
+  skip_all,
+  fields(
+    deployment = deployment.id,
+    skip_auto_update,
+    wait_for_auto_update,
+  )
+)]
+pub async fn check_deployment_for_update_inner(
+  deployment: Deployment,
+  swarm_or_server: &SwarmOrServer,
+  skip_auto_update: bool,
+  // Otherwise spawns task to run in background
+  wait_for_auto_update: bool,
+) -> anyhow::Result<CheckDeploymentForUpdateResponse> {
+  let alert_cache = deployment_alert_sent_cache();
+
+  let (image, account, token) = match &deployment.config.image {
+    DeploymentImage::Image { image } => {
+      if image.contains('@') {
+        // Images with a hardcoded digest can't have update.
+        return Ok(CheckDeploymentForUpdateResponse {
+          deployment: deployment.id,
+          update_available: false,
+        });
+      }
+      let domain = extract_registry_domain(image)?;
+      let account =
+        optional_string(&deployment.config.image_registry_account);
+      let token = if let Some(account) = &account {
+        registry_token(&domain, account).await?
+      } else {
+        None
+      };
+      (image, account, token)
+    }
+    DeploymentImage::Build { .. } => {
+      alert_cache.remove(&deployment.id).await;
+      // This method not used for build based deployments
+      // as deployed version vs built version can be inferred from Updates.
+      return Ok(CheckDeploymentForUpdateResponse {
+        deployment: deployment.id,
+        update_available: false,
+      });
+    }
+  };
+
+  let latest_digest = image_digest_cache()
+    .get(swarm_or_server, image, account, token)
+    .await?;
+
+  resource::update_info::<Deployment>(
+    &deployment.id,
+    &DeploymentInfo {
+      latest_image_digest: latest_digest.clone(),
+    },
+  )
+  .await?;
+
+  let Some((state, Some(current_digests))) =
+    deployment_status_cache()
+      .get(&deployment.id)
+      .await
+      .map(|s| (s.curr.state, s.curr.image_digests.clone()))
+  else {
+    alert_cache.remove(&deployment.id).await;
+    return Ok(CheckDeploymentForUpdateResponse {
+      deployment: deployment.id,
+      update_available: false,
+    });
+  };
+
+  // If not running or latest digest matches current, early return
+  if !matches!(state, DeploymentState::Running)
+    || !latest_digest.update_available(&current_digests)
+  {
+    alert_cache.remove(&deployment.id).await;
+    return Ok(CheckDeploymentForUpdateResponse {
+      deployment: deployment.id,
+      update_available: false,
+    });
+  }
+
+  if !skip_auto_update && deployment.config.auto_update {
+    // Trigger deploy + alert
+
+    // Conservatively remove from alert cache so 'skip_auto_update'
+    // doesn't cause alerts not to be sent on subsequent calls.
+    alert_cache.remove(&deployment.id).await;
+
+    let swarm_id = swarm_or_server.swarm_id().map(str::to_string);
+    let swarm_name = swarm_or_server.swarm_name().map(str::to_string);
+    let server_id = swarm_or_server.server_id().map(str::to_string);
+    let server_name =
+      swarm_or_server.server_name().map(str::to_string);
+    let id = deployment.id.clone();
+    let name = deployment.name.clone();
+    let image = image.clone();
+
+    let run = async move {
+      match execute::inner_handler(
+        ExecuteRequest::Deploy(Deploy {
+          deployment: name.clone(),
+          stop_signal: None,
+          stop_time: None,
+        }),
+        auto_redeploy_user().to_owned(),
+      )
+      .await
+      {
+        Ok(res) => {
+          let ExecutionResult::Single(update) = res else {
+            unreachable!()
+          };
+          let Ok(update) =
+            poll_update_until_complete(&update.id).await
+          else {
+            return;
+          };
+          if update.success {
+            let ts = komodo_timestamp();
+            let alert = Alert {
+              id: Default::default(),
+              ts,
+              resolved: true,
+              resolved_ts: ts.into(),
+              level: SeverityLevel::Ok,
+              target: ResourceTarget::Deployment(id.clone()),
+              data: AlertData::DeploymentAutoUpdated {
+                id,
+                name,
+                swarm_id,
+                swarm_name,
+                server_id,
+                server_name,
+                image,
+              },
+            };
+            let res = db_client().alerts.insert_one(&alert).await;
+            if let Err(e) = res {
+              error!(
+                "Failed to record DeploymentAutoUpdated to db | {e:#}"
+              );
+            }
+            send_alerts(&[alert]).await;
+          }
+        }
+        Err(e) => {
+          warn!("Failed to auto update Deployment {name} | {e:#}",)
+        }
+      }
+    };
+
+    if wait_for_auto_update {
+      run.await
+    } else {
+      tokio::spawn(run);
+    }
+  } else {
+    // Avoid spamming alerts
+    if alert_cache.contains(&deployment.id).await {
+      return Ok(CheckDeploymentForUpdateResponse {
+        deployment: deployment.id,
+        update_available: true,
+      });
+    }
+    alert_cache.insert(deployment.id.clone()).await;
+    let ts = komodo_timestamp();
+    let alert = Alert {
+      id: Default::default(),
+      ts,
+      resolved: true,
+      resolved_ts: ts.into(),
+      level: SeverityLevel::Ok,
+      target: ResourceTarget::Deployment(deployment.id.clone()),
+      data: AlertData::DeploymentImageUpdateAvailable {
+        id: deployment.id.clone(),
+        name: deployment.name.clone(),
+        swarm_id: swarm_or_server.swarm_id().map(str::to_string),
+        swarm_name: swarm_or_server.swarm_name().map(str::to_string),
+        server_id: swarm_or_server.server_id().map(str::to_string),
+        server_name: swarm_or_server
+          .server_name()
+          .map(str::to_string),
+        image: image.clone(),
+      },
+    };
+    let res = db_client().alerts.insert_one(&alert).await;
+    if let Err(e) = res {
+      error!(
+        "Failed to record DeploymentImageUpdateAvailable to db | {e:#}"
+      );
+    }
+    send_alerts(&[alert]).await;
+  }
+
+  Ok(CheckDeploymentForUpdateResponse {
+    deployment: deployment.id,
+    update_available: !deployment.config.auto_update,
+  })
+}
+
+//
+
+impl Resolve<WriteArgs> for BatchCheckDeploymentForUpdate {
+  #[instrument(
+    "BatchCheckDeploymentForUpdate",
+    skip_all,
+    fields(
+      operator = user.id,
+      pattern = self.pattern,
+      skip_auto_update = self.skip_auto_update,
+      wait_for_auto_update = self.wait_for_auto_update,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user }: &WriteArgs,
+  ) -> Result<Self::Response, Self::Error> {
+    let deployments = list_full_for_user_using_pattern::<Deployment>(
+      &self.pattern,
+      Default::default(),
+      user,
+      PermissionLevel::Execute.into(),
+      &[],
+    )
+    .await?;
+
+    let res = deployments
+      .into_iter()
+      .map(|deployment| async move {
+        let swarm_or_server = get_swarm_or_server(
+          &deployment.config.swarm_id,
+          &deployment.config.server_id,
+        )
+        .await?;
+        swarm_or_server.verify_has_target().map_err(|e| e.error)?;
+        check_deployment_for_update_inner(
+          deployment,
+          &swarm_or_server,
+          self.skip_auto_update,
+          self.wait_for_auto_update,
+        )
+        .await
+      })
+      .collect::<FuturesOrdered<_>>()
+      .collect::<Vec<_>>()
+      .await
+      .into_iter()
+      .filter_map(|res| {
+        res
+          .inspect_err(|e| {
+            warn!(
+              "Failed to check deployment for update in batch run | {e:#}"
+            )
+          })
+          .ok()
+      })
+      .collect();
+    Ok(res)
+  }
+}
--- a/bin/core/src/api/write/mod.rs
+++ b/bin/core/src/api/write/mod.rs
@@ -1,28 +1,30 @@
-use std::time::Instant;
-
 use anyhow::Context;
 use axum::{
  Extension, Router, extract::Path, middleware, routing::post,
 };
-use derive_variants::{EnumVariants, ExtractVariant};
 use komodo_client::{api::write::*, entities::user::User};
-use resolver_api::Resolve;
-use response::Response;
+use mogh_auth_server::middleware::authenticate_request;
+use mogh_error::Json;
+use mogh_error::Response;
+use mogh_resolver::Resolve;
 use serde::{Deserialize, Serialize};
 use serde_json::json;
-use serror::Json;
+use strum::Display;
+use strum::EnumDiscriminants;
 use typeshare::typeshare;
 use uuid::Uuid;

-use crate::auth::auth_request;
+use crate::auth::KomodoAuthImpl;

 use super::Variant;

 mod action;
+mod alert;
 mod alerter;
 mod build;
 mod builder;
 mod deployment;
+mod onboarding;
 mod permissions;
 mod procedure;
 mod provider;
@@ -31,56 +33,43 @@ mod resource;
 mod server;
 mod service_user;
 mod stack;
+mod swarm;
 mod sync;
 mod tag;
+mod terminal;
 mod user;
 mod user_group;
 mod variable;

+pub use {
+  deployment::check_deployment_for_update_inner,
+  stack::check_stack_for_update_inner,
+};
+
 pub struct WriteArgs {
  pub user: User,
 }

 #[typeshare]
 #[derive(
-  Serialize, Deserialize, Debug, Clone, Resolve, EnumVariants,
+  Serialize, Deserialize, Debug, Clone, Resolve, EnumDiscriminants,
 )]
-#[variant_derive(Debug)]
+#[strum_discriminants(name(WriteRequestMethod), derive(Display))]
 #[args(WriteArgs)]
 #[response(Response)]
-#[error(serror::Error)]
+#[error(mogh_error::Error)]
 #[serde(tag = "type", content = "params")]
 pub enum WriteRequest {
-  // ==== USER ====
-  CreateLocalUser(CreateLocalUser),
-  UpdateUserUsername(UpdateUserUsername),
-  UpdateUserPassword(UpdateUserPassword),
-  DeleteUser(DeleteUser),
-
-  // ==== SERVICE USER ====
-  CreateServiceUser(CreateServiceUser),
-  UpdateServiceUserDescription(UpdateServiceUserDescription),
-  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
-  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
-
-  // ==== USER GROUP ====
-  CreateUserGroup(CreateUserGroup),
-  RenameUserGroup(RenameUserGroup),
-  DeleteUserGroup(DeleteUserGroup),
-  AddUserToUserGroup(AddUserToUserGroup),
-  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
-  SetUsersInUserGroup(SetUsersInUserGroup),
-  SetEveryoneUserGroup(SetEveryoneUserGroup),
-
-  // ==== PERMISSIONS ====
-  UpdateUserAdmin(UpdateUserAdmin),
-  UpdateUserBasePermissions(UpdateUserBasePermissions),
-  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
-  UpdatePermissionOnTarget(UpdatePermissionOnTarget),
-
  // ==== RESOURCE ====
  UpdateResourceMeta(UpdateResourceMeta),

+  // ==== SWARM ====
+  CreateSwarm(CreateSwarm),
+  CopySwarm(CopySwarm),
+  DeleteSwarm(DeleteSwarm),
+  UpdateSwarm(UpdateSwarm),
+  RenameSwarm(RenameSwarm),
+
  // ==== SERVER ====
  CreateServer(CreateServer),
  CopyServer(CopyServer),
@@ -88,9 +77,14 @@ pub enum WriteRequest {
  UpdateServer(UpdateServer),
  RenameServer(RenameServer),
  CreateNetwork(CreateNetwork),
+  UpdateServerPublicKey(UpdateServerPublicKey),
+  RotateServerKeys(RotateServerKeys),
+
+  // ==== TERMINAL ====
  CreateTerminal(CreateTerminal),
  DeleteTerminal(DeleteTerminal),
  DeleteAllTerminals(DeleteAllTerminals),
+  BatchDeleteAllTerminals(BatchDeleteAllTerminals),

  // ==== STACK ====
  CreateStack(CreateStack),
@@ -100,8 +94,8 @@ pub enum WriteRequest {
  RenameStack(RenameStack),
  WriteStackFileContents(WriteStackFileContents),
  RefreshStackCache(RefreshStackCache),
-  CreateStackWebhook(CreateStackWebhook),
-  DeleteStackWebhook(DeleteStackWebhook),
+  CheckStackForUpdate(CheckStackForUpdate),
+  BatchCheckStackForUpdate(BatchCheckStackForUpdate),

  // ==== DEPLOYMENT ====
  CreateDeployment(CreateDeployment),
@@ -110,6 +104,8 @@ pub enum WriteRequest {
  DeleteDeployment(DeleteDeployment),
  UpdateDeployment(UpdateDeployment),
  RenameDeployment(RenameDeployment),
+  CheckDeploymentForUpdate(CheckDeploymentForUpdate),
+  BatchCheckDeploymentForUpdate(BatchCheckDeploymentForUpdate),

  // ==== BUILD ====
  CreateBuild(CreateBuild),
@@ -119,15 +115,6 @@ pub enum WriteRequest {
  RenameBuild(RenameBuild),
  WriteBuildFileContents(WriteBuildFileContents),
  RefreshBuildCache(RefreshBuildCache),
-  CreateBuildWebhook(CreateBuildWebhook),
-  DeleteBuildWebhook(DeleteBuildWebhook),
-
-  // ==== BUILDER ====
-  CreateBuilder(CreateBuilder),
-  CopyBuilder(CopyBuilder),
-  DeleteBuilder(DeleteBuilder),
-  UpdateBuilder(UpdateBuilder),
-  RenameBuilder(RenameBuilder),

  // ==== REPO ====
  CreateRepo(CreateRepo),
@@ -136,15 +123,6 @@ pub enum WriteRequest {
  UpdateRepo(UpdateRepo),
  RenameRepo(RenameRepo),
  RefreshRepoCache(RefreshRepoCache),
-  CreateRepoWebhook(CreateRepoWebhook),
-  DeleteRepoWebhook(DeleteRepoWebhook),
-
-  // ==== ALERTER ====
-  CreateAlerter(CreateAlerter),
-  CopyAlerter(CopyAlerter),
-  DeleteAlerter(DeleteAlerter),
-  UpdateAlerter(UpdateAlerter),
-  RenameAlerter(RenameAlerter),

  // ==== PROCEDURE ====
  CreateProcedure(CreateProcedure),
@@ -169,8 +147,52 @@ pub enum WriteRequest {
  WriteSyncFileContents(WriteSyncFileContents),
  CommitSync(CommitSync),
  RefreshResourceSyncPending(RefreshResourceSyncPending),
-  CreateSyncWebhook(CreateSyncWebhook),
-  DeleteSyncWebhook(DeleteSyncWebhook),
+
+  // ==== BUILDER ====
+  CreateBuilder(CreateBuilder),
+  CopyBuilder(CopyBuilder),
+  DeleteBuilder(DeleteBuilder),
+  UpdateBuilder(UpdateBuilder),
+  RenameBuilder(RenameBuilder),
+
+  // ==== ALERTER ====
+  CreateAlerter(CreateAlerter),
+  CopyAlerter(CopyAlerter),
+  DeleteAlerter(DeleteAlerter),
+  UpdateAlerter(UpdateAlerter),
+  RenameAlerter(RenameAlerter),
+
+  // ==== ONBOARDING KEY ====
+  CreateOnboardingKey(CreateOnboardingKey),
+  UpdateOnboardingKey(UpdateOnboardingKey),
+  DeleteOnboardingKey(DeleteOnboardingKey),
+
+  // ==== USER ====
+  PushRecentlyViewed(PushRecentlyViewed),
+  SetLastSeenUpdate(SetLastSeenUpdate),
+  CreateLocalUser(CreateLocalUser),
+  DeleteUser(DeleteUser),
+
+  // ==== SERVICE USER ====
+  CreateServiceUser(CreateServiceUser),
+  UpdateServiceUserDescription(UpdateServiceUserDescription),
+  CreateApiKeyForServiceUser(CreateApiKeyForServiceUser),
+  DeleteApiKeyForServiceUser(DeleteApiKeyForServiceUser),
+
+  // ==== USER GROUP ====
+  CreateUserGroup(CreateUserGroup),
+  RenameUserGroup(RenameUserGroup),
+  DeleteUserGroup(DeleteUserGroup),
+  AddUserToUserGroup(AddUserToUserGroup),
+  RemoveUserFromUserGroup(RemoveUserFromUserGroup),
+  SetUsersInUserGroup(SetUsersInUserGroup),
+  SetEveryoneUserGroup(SetEveryoneUserGroup),
+
+  // ==== PERMISSIONS ====
+  UpdateUserAdmin(UpdateUserAdmin),
+  UpdateUserBasePermissions(UpdateUserBasePermissions),
+  UpdatePermissionOnResourceType(UpdatePermissionOnResourceType),
+  UpdatePermissionOnTarget(UpdatePermissionOnTarget),

  // ==== TAG ====
  CreateTag(CreateTag),
@@ -185,27 +207,32 @@ pub enum WriteRequest {
  UpdateVariableIsSecret(UpdateVariableIsSecret),
  DeleteVariable(DeleteVariable),

-  // ==== PROVIDERS ====
+  // ==== PROVIDER ====
  CreateGitProviderAccount(CreateGitProviderAccount),
  UpdateGitProviderAccount(UpdateGitProviderAccount),
  DeleteGitProviderAccount(DeleteGitProviderAccount),
  CreateDockerRegistryAccount(CreateDockerRegistryAccount),
  UpdateDockerRegistryAccount(UpdateDockerRegistryAccount),
  DeleteDockerRegistryAccount(DeleteDockerRegistryAccount),
+
+  // ==== ALERT ====
+  CloseAlert(CloseAlert),
 }

 pub fn router() -> Router {
  Router::new()
    .route("/", post(handler))
    .route("/{variant}", post(variant_handler))
-    .layer(middleware::from_fn(auth_request))
+    .layer(middleware::from_fn(
+      authenticate_request::<KomodoAuthImpl, true>,
+    ))
 }

 async fn variant_handler(
  user: Extension<User>,
  Path(Variant { variant }): Path<Variant>,
  Json(params): Json<serde_json::Value>,
-) -> serror::Result<axum::response::Response> {
+) -> mogh_error::Result<axum::response::Response> {
  let req: WriteRequest = serde_json::from_value(json!({
    "type": variant,
    "params": params,
@@ -216,41 +243,50 @@ async fn variant_handler(
 async fn handler(
  Extension(user): Extension<User>,
  Json(request): Json<WriteRequest>,
-) -> serror::Result<axum::response::Response> {
-  let req_id = Uuid::new_v4();
-
-  let res = tokio::spawn(task(req_id, request, user))
+) -> mogh_error::Result<axum::response::Response> {
+  let res = tokio::spawn(task(request, user))
    .await
    .context("failure in spawned task");

  res?
 }

-#[instrument(
-  name = "WriteRequest",
-  skip(user, request),
-  fields(
-    user_id = user.id,
-    request = format!("{:?}", request.extract_variant())
-  )
-)]
 async fn task(
-  req_id: Uuid,
  request: WriteRequest,
  user: User,
-) -> serror::Result<axum::response::Response> {
-  info!("/write request | user: {}", user.username);
+) -> mogh_error::Result<axum::response::Response> {
+  let task_id = Uuid::new_v4();
+  let method: WriteRequestMethod = (&request).into();

-  let timer = Instant::now();
+  let user_id = user.id.clone();
+  let username = user.username.clone();
+
+  if !matches!(
+    request,
+    WriteRequest::SetLastSeenUpdate(_)
+      | WriteRequest::PushRecentlyViewed(_)
+  ) {
+    info!(
+      task_id = task_id.to_string(),
+      method = method.to_string(),
+      user_id,
+      username,
+      "WRITE REQUEST",
+    );
+  }

  let res = request.resolve(&WriteArgs { user }).await;

  if let Err(e) = &res {
-    warn!("/write request {req_id} error: {:#}", e.error);
+    warn!(
+      task_id = task_id.to_string(),
+      method = method.to_string(),
+      user_id,
+      username,
+      "WRITE REQUEST | ERROR: {:#}",
+      e.error
+    );
  }

-  let elapsed = timer.elapsed();
-  debug!("/write request {req_id} | resolve time: {elapsed:?}");
-
  res.map(|res| res.0)
 }
--- a/bin/core/src/api/write/onboarding.rs
+++ b/bin/core/src/api/write/onboarding.rs
@@ -0,0 +1,241 @@
+use anyhow::{Context, anyhow};
+use database::mungos::mongodb::bson::{Document, doc};
+use komodo_client::{
+  api::write::{
+    CreateOnboardingKey, CreateOnboardingKeyResponse,
+    DeleteOnboardingKey, DeleteOnboardingKeyResponse,
+    UpdateOnboardingKey, UpdateOnboardingKeyResponse,
+  },
+  entities::{
+    komodo_timestamp, onboarding_key::OnboardingKey, random_string,
+  },
+};
+use mogh_error::{AddStatusCode, AddStatusCodeError};
+use mogh_pki::EncodedKeyPair;
+use mogh_resolver::Resolve;
+use reqwest::StatusCode;
+
+use crate::{
+  api::write::WriteArgs, helpers::query::get_all_tags,
+  state::db_client,
+};
+
+//
+
+impl Resolve<WriteArgs> for CreateOnboardingKey {
+  #[instrument(
+    "CreateOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      name = self.name,
+      expires = self.expires,
+      tags = format!("{:?}", self.tags),
+      copy_server = self.copy_server,
+      create_builder = self.create_builder,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> mogh_error::Result<CreateOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    let private_key = if let Some(private_key) = self.private_key {
+      private_key
+    } else {
+      format!("O_{}_O", random_string(28))
+    };
+    let public_key = EncodedKeyPair::from_private_key(
+      mogh_pki::PkiKind::Mutual,
+      &private_key,
+    )?
+    .public
+    .into_inner();
+    let tags = if self.tags.is_empty() {
+      self.tags
+    } else {
+      // fix_tags by ensuring existence, and force replace with tag name.
+      let all_tags = get_all_tags(None).await?;
+      self
+        .tags
+        .into_iter()
+        .filter_map(|tag| {
+          let tag =
+            all_tags.iter().find(|t| t.id == tag || t.name == tag)?;
+          Some(tag.name.clone())
+        })
+        .collect()
+    };
+    let onboarding_key = OnboardingKey {
+      public_key,
+      name: self.name,
+      enabled: true,
+      onboarded: Default::default(),
+      created_at: komodo_timestamp(),
+      expires: self.expires,
+      tags,
+      privileged: self.privileged,
+      copy_server: self.copy_server,
+      create_builder: self.create_builder,
+    };
+    let db = db_client();
+    // Create the key
+    db.onboarding_keys
+      .insert_one(&onboarding_key)
+      .await
+      .context(
+        "Failed to create Server onboarding key on database",
+      )?;
+    let created = db
+      .onboarding_keys
+      .find_one(doc! { "public_key": &onboarding_key.public_key })
+      .await
+      .context("Failed to query database for Server onboarding keys")?
+      .context(
+        "No Server onboarding key found on database after create",
+      )?;
+    Ok(CreateOnboardingKeyResponse {
+      private_key,
+      created,
+    })
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for UpdateOnboardingKey {
+  #[instrument(
+    "UpdateOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      public_key = self.public_key,
+      update = format!("{:?}", self),
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> mogh_error::Result<UpdateOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+
+    let query = doc! { "public_key": &self.public_key };
+
+    // No changes
+    if self.is_none() {
+      return db_client()
+        .onboarding_keys
+        .find_one(query)
+        .await
+        .context("Failed to query database for onboarding key")?
+        .context("No matching onboarding key found")
+        .status_code(StatusCode::NOT_FOUND);
+    }
+
+    let mut update = Document::new();
+
+    if let Some(enabled) = self.enabled {
+      update.insert("enabled", enabled);
+    }
+
+    if let Some(name) = self.name {
+      update.insert("name", name);
+    }
+
+    if let Some(expires) = self.expires {
+      update.insert("expires", expires);
+    }
+
+    if let Some(tags) = self.tags {
+      let tags = if tags.is_empty() {
+        tags
+      } else {
+        // fix_tags by ensuring existence, and force replace with tag name.
+        let all_tags = get_all_tags(None).await?;
+        tags
+          .into_iter()
+          .filter_map(|tag| {
+            let tag = all_tags
+              .iter()
+              .find(|t| t.id == tag || t.name == tag)?;
+            Some(tag.name.clone())
+          })
+          .collect()
+      };
+      update.insert("tags", tags);
+    }
+
+    if let Some(privileged) = self.privileged {
+      update.insert("privileged", privileged);
+    }
+
+    if let Some(copy_server) = self.copy_server {
+      update.insert("copy_server", copy_server);
+    }
+
+    if let Some(create_builder) = self.create_builder {
+      update.insert("create_builder", create_builder);
+    }
+
+    db_client()
+      .onboarding_keys
+      .update_one(query.clone(), doc! { "$set": update })
+      .await
+      .context("Failed to update onboarding key on database")?;
+
+    db_client()
+      .onboarding_keys
+      .find_one(query)
+      .await
+      .context("Failed to query database for onboarding key")?
+      .context("No matching onboarding key found")
+      .status_code(StatusCode::NOT_FOUND)
+  }
+}
+
+//
+
+impl Resolve<WriteArgs> for DeleteOnboardingKey {
+  #[instrument(
+    "DeleteOnboardingKey",
+    skip_all,
+    fields(
+      operator = admin.id,
+      public_key = self.public_key,
+    )
+  )]
+  async fn resolve(
+    self,
+    WriteArgs { user: admin }: &WriteArgs,
+  ) -> mogh_error::Result<DeleteOnboardingKeyResponse> {
+    if !admin.admin {
+      return Err(
+        anyhow!("This call is admin only")
+          .status_code(StatusCode::FORBIDDEN),
+      );
+    }
+    let db = db_client();
+    let query = doc! { "public_key": &self.public_key };
+    let creation_key = db
+      .onboarding_keys
+      .find_one(query.clone())
+      .await
+      .context("Failed to query database for Server onboarding keys")?
+      .context("Server onboarding key matching provided public key not found")
+      .status_code(StatusCode::NOT_FOUND)?;
+    db.onboarding_keys.delete_one(query).await.context(
+      "Failed to delete Server onboarding key from database",
+    )?;
+    Ok(creation_key)
+  }
+}
--- a/bin/core/src/api/write/permissions.rs
+++ b/bin/core/src/api/write/permissions.rs
@@ -15,18 +15,26 @@ use komodo_client::{
    permission::{UserTarget, UserTargetVariant},
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{helpers::query::get_user, state::db_client};

 use super::WriteArgs;

 impl Resolve<WriteArgs> for UpdateUserAdmin {
-  #[instrument(name = "UpdateUserAdmin", skip(super_admin))]
+  #[instrument(
+    "UpdateUserAdmin",
+    skip_all,
+    fields(
+      operator = super_admin.id,
+      target_user = self.user_id,
+      admin = self.admin,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user: super_admin }: &WriteArgs,
-  ) -> serror::Result<UpdateUserAdminResponse> {
+  ) -> mogh_error::Result<UpdateUserAdminResponse> {
    if !super_admin.super_admin {
      return Err(
        anyhow!("Only super admins can call this method.").into(),
@@ -60,11 +68,21 @@ impl Resolve<WriteArgs> for UpdateUserAdmin {
 }

 impl Resolve<WriteArgs> for UpdateUserBasePermissions {
-  #[instrument(name = "UpdateUserBasePermissions", skip(admin))]
+  #[instrument(
+    "UpdateUserBasePermissions",
+    skip_all,
+    fields(
+      operator = admin.id,
+      target_user = self.user_id,
+      enabled = self.enabled,
+      create_servers = self.create_servers,
+      create_builds = self.create_builds,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdateUserBasePermissionsResponse> {
+  ) -> mogh_error::Result<UpdateUserBasePermissionsResponse> {
    if !admin.admin {
      return Err(anyhow!("this method is admin only").into());
    }
@@ -117,11 +135,20 @@ impl Resolve<WriteArgs> for UpdateUserBasePermissions {
 }

 impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
-  #[instrument(name = "UpdatePermissionOnResourceType", skip(admin))]
+  #[instrument(
+    "UpdatePermissionOnResourceType",
+    skip_all,
+    fields(
+      operator = admin.id,
+      user_target = format!("{:?}", self.user_target),
+      resource_type = self.resource_type.to_string(),
+      permission = format!("{:?}", self.permission),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdatePermissionOnResourceTypeResponse> {
+  ) -> mogh_error::Result<UpdatePermissionOnResourceTypeResponse> {
    if !admin.admin {
      return Err(anyhow!("this method is admin only").into());
    }
@@ -185,11 +212,21 @@ impl Resolve<WriteArgs> for UpdatePermissionOnResourceType {
 }

 impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
-  #[instrument(name = "UpdatePermissionOnTarget", skip(admin))]
+  #[instrument(
+    "UpdatePermissionOnTarget",
+    skip_all,
+    fields(
+      operator = admin.id,
+      user_target = format!("{:?}", self.user_target),
+      resource_type = self.resource_target.extract_variant().to_string(),
+      resource_id = self.resource_target.extract_variant_id().1,
+      permission = format!("{:?}", self.permission),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user: admin }: &WriteArgs,
-  ) -> serror::Result<UpdatePermissionOnTargetResponse> {
+  ) -> mogh_error::Result<UpdatePermissionOnTargetResponse> {
    if !admin.admin {
      return Err(anyhow!("this method is admin only").into());
    }
@@ -258,7 +295,7 @@ impl Resolve<WriteArgs> for UpdatePermissionOnTarget {
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_user_target_with_validation(
  user_target: &UserTarget,
-) -> serror::Result<(UserTargetVariant, String)> {
+) -> mogh_error::Result<(UserTargetVariant, String)> {
  match user_target {
    UserTarget::User(ident) => {
      let filter = match ObjectId::from_str(ident) {
@@ -269,8 +306,8 @@ async fn extract_user_target_with_validation(
        .users
        .find_one(filter)
        .await
-        .context("failed to query db for users")?
-        .context("no matching user found")?
+        .context("Failed to query db for users")?
+        .context("No matching user found")?
        .id;
      Ok((UserTargetVariant::User, id))
    }
@@ -283,8 +320,8 @@ async fn extract_user_target_with_validation(
        .user_groups
        .find_one(filter)
        .await
-        .context("failed to query db for user_groups")?
-        .context("no matching user_group found")?
+        .context("Failed to query db for user_groups")?
+        .context("No matching user_group found")?
        .id;
      Ok((UserTargetVariant::UserGroup, id))
    }
@@ -294,53 +331,25 @@ async fn extract_user_target_with_validation(
 /// checks if inner id is actually a `name`, and replaces it with id if so.
 async fn extract_resource_target_with_validation(
  resource_target: &ResourceTarget,
-) -> serror::Result<(ResourceTargetVariant, String)> {
+) -> mogh_error::Result<(ResourceTargetVariant, String)> {
  match resource_target {
    ResourceTarget::System(_) => {
      let res = resource_target.extract_variant_id();
      Ok((res.0, res.1.clone()))
    }
-    ResourceTarget::Build(ident) => {
+    ResourceTarget::Swarm(ident) => {
      let filter = match ObjectId::from_str(ident) {
        Ok(id) => doc! { "_id": id },
        Err(_) => doc! { "name": ident },
      };
      let id = db_client()
-        .builds
+        .swarms
        .find_one(filter)
        .await
-        .context("failed to query db for builds")?
-        .context("no matching build found")?
+        .context("Failed to query db for swarms")?
+        .context("No matching server found")?
        .id;
-      Ok((ResourceTargetVariant::Build, id))
-    }
-    ResourceTarget::Builder(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .builders
-        .find_one(filter)
-        .await
-        .context("failed to query db for builders")?
-        .context("no matching builder found")?
-        .id;
-      Ok((ResourceTargetVariant::Builder, id))
-    }
-    ResourceTarget::Deployment(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .deployments
-        .find_one(filter)
-        .await
-        .context("failed to query db for deployments")?
-        .context("no matching deployment found")?
-        .id;
-      Ok((ResourceTargetVariant::Deployment, id))
+      Ok((ResourceTargetVariant::Server, id))
    }
    ResourceTarget::Server(ident) => {
      let filter = match ObjectId::from_str(ident) {
@@ -351,11 +360,53 @@ async fn extract_resource_target_with_validation(
        .servers
        .find_one(filter)
        .await
-        .context("failed to query db for servers")?
-        .context("no matching server found")?
+        .context("Failed to query db for servers")?
+        .context("No matching server found")?
        .id;
      Ok((ResourceTargetVariant::Server, id))
    }
+    ResourceTarget::Stack(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .stacks
+        .find_one(filter)
+        .await
+        .context("Failed to query db for stacks")?
+        .context("No matching stack found")?
+        .id;
+      Ok((ResourceTargetVariant::Stack, id))
+    }
+    ResourceTarget::Deployment(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .deployments
+        .find_one(filter)
+        .await
+        .context("Failed to query db for deployments")?
+        .context("No matching deployment found")?
+        .id;
+      Ok((ResourceTargetVariant::Deployment, id))
+    }
+    ResourceTarget::Build(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .builds
+        .find_one(filter)
+        .await
+        .context("Failed to query db for builds")?
+        .context("No matching build found")?
+        .id;
+      Ok((ResourceTargetVariant::Build, id))
+    }
    ResourceTarget::Repo(ident) => {
      let filter = match ObjectId::from_str(ident) {
        Ok(id) => doc! { "_id": id },
@@ -365,25 +416,11 @@ async fn extract_resource_target_with_validation(
        .repos
        .find_one(filter)
        .await
-        .context("failed to query db for repos")?
-        .context("no matching repo found")?
+        .context("Failed to query db for repos")?
+        .context("No matching repo found")?
        .id;
      Ok((ResourceTargetVariant::Repo, id))
    }
-    ResourceTarget::Alerter(ident) => {
-      let filter = match ObjectId::from_str(ident) {
-        Ok(id) => doc! { "_id": id },
-        Err(_) => doc! { "name": ident },
-      };
-      let id = db_client()
-        .alerters
-        .find_one(filter)
-        .await
-        .context("failed to query db for alerters")?
-        .context("no matching alerter found")?
-        .id;
-      Ok((ResourceTargetVariant::Alerter, id))
-    }
    ResourceTarget::Procedure(ident) => {
      let filter = match ObjectId::from_str(ident) {
        Ok(id) => doc! { "_id": id },
@@ -393,8 +430,8 @@ async fn extract_resource_target_with_validation(
        .procedures
        .find_one(filter)
        .await
-        .context("failed to query db for procedures")?
-        .context("no matching procedure found")?
+        .context("Failed to query db for procedures")?
+        .context("No matching procedure found")?
        .id;
      Ok((ResourceTargetVariant::Procedure, id))
    }
@@ -407,8 +444,8 @@ async fn extract_resource_target_with_validation(
        .actions
        .find_one(filter)
        .await
-        .context("failed to query db for actions")?
-        .context("no matching action found")?
+        .context("Failed to query db for actions")?
+        .context("No matching action found")?
        .id;
      Ok((ResourceTargetVariant::Action, id))
    }
@@ -421,24 +458,38 @@ async fn extract_resource_target_with_validation(
        .resource_syncs
        .find_one(filter)
        .await
-        .context("failed to query db for resource syncs")?
-        .context("no matching resource sync found")?
+        .context("Failed to query db for resource syncs")?
+        .context("No matching resource sync found")?
        .id;
      Ok((ResourceTargetVariant::ResourceSync, id))
    }
-    ResourceTarget::Stack(ident) => {
+    ResourceTarget::Builder(ident) => {
      let filter = match ObjectId::from_str(ident) {
        Ok(id) => doc! { "_id": id },
        Err(_) => doc! { "name": ident },
      };
      let id = db_client()
-        .stacks
+        .builders
        .find_one(filter)
        .await
-        .context("failed to query db for stacks")?
-        .context("no matching stack found")?
+        .context("Failed to query db for builders")?
+        .context("No matching builder found")?
        .id;
-      Ok((ResourceTargetVariant::Stack, id))
+      Ok((ResourceTargetVariant::Builder, id))
+    }
+    ResourceTarget::Alerter(ident) => {
+      let filter = match ObjectId::from_str(ident) {
+        Ok(id) => doc! { "_id": id },
+        Err(_) => doc! { "name": ident },
+      };
+      let id = db_client()
+        .alerters
+        .find_one(filter)
+        .await
+        .context("Failed to query db for alerters")?
+        .context("No matching alerter found")?
+        .id;
+      Ok((ResourceTargetVariant::Alerter, id))
    }
  }
 }
--- a/bin/core/src/api/write/procedure.rs
+++ b/bin/core/src/api/write/procedure.rs
@@ -4,31 +4,45 @@ use komodo_client::{
    permission::PermissionLevel, procedure::Procedure, update::Update,
  },
 };
-use resolver_api::Resolve;
+use mogh_resolver::Resolve;

 use crate::{permission::get_check_permissions, resource};

 use super::WriteArgs;

 impl Resolve<WriteArgs> for CreateProcedure {
-  #[instrument(name = "CreateProcedure", skip(user))]
+  #[instrument(
+    "CreateProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.name,
+      config = serde_json::to_string(&self.config).unwrap()
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CreateProcedureResponse> {
-    Ok(
-      resource::create::<Procedure>(&self.name, self.config, user)
-        .await?,
-    )
+  ) -> mogh_error::Result<CreateProcedureResponse> {
+    resource::create::<Procedure>(&self.name, self.config, None, user)
+      .await
  }
 }

 impl Resolve<WriteArgs> for CopyProcedure {
-  #[instrument(name = "CopyProcedure", skip(user))]
+  #[instrument(
+    "CopyProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.name,
+      copy_procedure = self.id,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<CopyProcedureResponse> {
+  ) -> mogh_error::Result<CopyProcedureResponse> {
    let Procedure { config, .. } =
      get_check_permissions::<Procedure>(
        &self.id,
@@ -36,19 +50,30 @@ impl Resolve<WriteArgs> for CopyProcedure {
        PermissionLevel::Write.into(),
      )
      .await?;
-    Ok(
-      resource::create::<Procedure>(&self.name, config.into(), user)
-        .await?,
+    resource::create::<Procedure>(
+      &self.name,
+      config.into(),
+      None,
+      user,
    )
+    .await
  }
 }

 impl Resolve<WriteArgs> for UpdateProcedure {
-  #[instrument(name = "UpdateProcedure", skip(user))]
+  #[instrument(
+    "UpdateProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id,
+      update = serde_json::to_string(&self.config).unwrap(),
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<UpdateProcedureResponse> {
+  ) -> mogh_error::Result<UpdateProcedureResponse> {
    Ok(
      resource::update::<Procedure>(&self.id, self.config, user)
        .await?,
@@ -57,11 +82,19 @@ impl Resolve<WriteArgs> for UpdateProcedure {
 }

 impl Resolve<WriteArgs> for RenameProcedure {
-  #[instrument(name = "RenameProcedure", skip(user))]
+  #[instrument(
+    "RenameProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id,
+      new_name = self.name,
+    )
+  )]
  async fn resolve(
    self,
    WriteArgs { user }: &WriteArgs,
-  ) -> serror::Result<Update> {
+  ) -> mogh_error::Result<Update> {
    Ok(
      resource::rename::<Procedure>(&self.id, &self.name, user)
        .await?,
@@ -70,11 +103,18 @@ impl Resolve<WriteArgs> for RenameProcedure {
 }

 impl Resolve<WriteArgs> for DeleteProcedure {
-  #[instrument(name = "DeleteProcedure", skip(args))]
+  #[instrument(
+    "DeleteProcedure",
+    skip_all,
+    fields(
+      operator = user.id,
+      procedure = self.id
+    )
+  )]
  async fn resolve(
    self,
-    args: &WriteArgs,
-  ) -> serror::Result<DeleteProcedureResponse> {
-    Ok(resource::delete::<Procedure>(&self.id, args).await?)
+    WriteArgs { user }: &WriteArgs,
+  ) -> mogh_error::Result<DeleteProcedureResponse> {
+    Ok(resource::delete::<Procedure>(&self.id, user).await?)
  }
 }
--- a/Show More
+++ b/Show More