web: Fix issue where linters collide. Update ignore file.

- Remove unused sort override for polyfills.
web: Use monorepo utilities when building.
2025-05-02 15:28:28 +02:00 · 2025-05-02 15:27:21 +02:00 · 2025-05-02 15:26:50 +02:00 · 2025-05-02 15:26:48 +02:00 · 2025-05-02 15:26:44 +02:00 · 2025-05-02 15:26:41 +02:00
286 changed files with 5300 additions and 12169 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -118,15 +118,3 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -200,7 +200,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -208,7 +208,6 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
-          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v7
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,7 @@
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@ -30,5 +30,7 @@
        }
    ],
    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }
--- a/10
+++ b/10
@ -40,8 +40,7 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build && \
-    npm run build:sfe
+RUN npm run build

 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
@ -86,17 +85,18 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"

 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)

 ## Adoption and Contributions

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component


-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -164,7 +164,9 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))

-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,10 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
+from sentry_sdk import get_current_span

 from authentik import get_full_version
 from authentik.brands.models import Brand
-from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant

 _q_default = Q(default=True)
@ -32,9 +32,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
+    trace = ""
+    span = get_current_span()
+    if span:
+        trace = span.to_traceparent()
    return {
        "brand": brand,
        "footer_links": tenant.footer_links,
-        "html_meta": {**get_http_meta()},
+        "sentry_trace": trace,
        "version": get_full_version(),
    }
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -16,12 +16,10 @@ from drf_spectacular.utils import (
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
-from rest_framework.permissions import SAFE_METHODS, BasePermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
-from rest_framework.views import View
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
@ -87,6 +85,34 @@ class GroupSerializer(ModelSerializer):
            raise ValidationError(_("Cannot set group as parent of itself."))
        return parent

+    def validate_is_superuser(self, superuser: bool):
+        """Ensure that the user creating this group has permissions to set the superuser flag"""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return superuser
+        # If we're updating an instance, and the state hasn't changed, we don't need to check perms
+        if self.instance and superuser == self.instance.is_superuser:
+            return superuser
+        user: User = request.user
+        perm = (
+            "authentik_core.enable_group_superuser"
+            if superuser
+            else "authentik_core.disable_group_superuser"
+        )
+        has_perm = user.has_perm(perm)
+        if self.instance and not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
+        if not has_perm:
+            raise ValidationError(
+                _(
+                    (
+                        "User does not have permission to set "
+                        "superuser status to {superuser_status}."
+                    ).format_map({"superuser_status": superuser})
+                )
+            )
+        return superuser
+
    class Meta:
        model = Group
        fields = [
@ -154,36 +180,6 @@ class GroupFilter(FilterSet):
        fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]


-class SuperuserSetter(BasePermission):
-    """Check for enable_group_superuser or disable_group_superuser permissions"""
-
-    message = _("User does not have permission to set the given superuser status.")
-    enable_perm = "authentik_core.enable_group_superuser"
-    disable_perm = "authentik_core.disable_group_superuser"
-
-    def has_permission(self, request: Request, view: View):
-        if request.method != "POST":
-            return True
-
-        is_superuser = request.data.get("is_superuser", False)
-        if not is_superuser:
-            return True
-
-        return request.user.has_perm(self.enable_perm)
-
-    def has_object_permission(self, request: Request, view: View, object: Group):
-        if request.method in SAFE_METHODS:
-            return True
-
-        new_value = request.data.get("is_superuser")
-        old_value = object.is_superuser
-        if new_value is None or new_value == old_value:
-            return True
-
-        perm = self.enable_perm if new_value else self.disable_perm
-        return request.user.has_perm(perm) or request.user.has_perm(perm, object)
-
-
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""

@ -196,7 +192,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
    serializer_class = GroupSerializer
    search_fields = ["name", "is_superuser"]
    filterset_class = GroupFilter
-    permission_classes = [SuperuserSetter]
    ordering = ["name"]

    def get_queryset(self):
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,7 +2,6 @@

 from django.apps import apps
 from django.contrib.auth.management import create_permissions
-from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user

@ -17,10 +16,6 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
-                # See https://code.djangoproject.com/ticket/28417
-                # Remove potential lingering old permissions
-                call_command("remove_stale_contenttypes", "--no-input")
-
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,10 +31,7 @@ class PickleSerializer:

    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        try:
-            return pickle.loads(data)  # nosec
-        except Exception:
-            return {}
+        return pickle.loads(data)  # nosec


 def _migrate_session(
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -1,27 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-14 11:15
-
-from django.apps.registry import Apps
-from django.db import migrations
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def remove_old_authenticated_session_content_type(
-    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
-):
-    db_alias = schema_editor.connection.alias
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0047_delete_oldauthenticatedsession"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            code=remove_old_authenticated_session_content_type,
-        ),
-    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -21,9 +21,7 @@
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        {% for key, value in html_meta.items %}
-        <meta name="{{key}}" content="{{ value }}" />
-        {% endfor %}
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
    </head>
    <body>
        {% block body %}
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -118,25 +118,12 @@ class TestGroupsAPI(APITestCase):
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": True},
        )
-        self.assertEqual(res.status_code, 403)
+        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content,
-            {"detail": "User does not have permission to set the given superuser status."},
+            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )

-    def test_superuser_update_object_perm(self):
-        """Test updating a superuser group with object permission"""
-        group = Group.objects.create(name=generate_id(), is_superuser=False)
-        assign_perm("view_group", self.login_user, group)
-        assign_perm("change_group", self.login_user, group)
-        assign_perm("enable_group_superuser", self.login_user, group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"is_superuser": True},
-        )
-        self.assertEqual(res.status_code, 200)
-
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
@ -147,10 +134,10 @@ class TestGroupsAPI(APITestCase):
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
            data={"is_superuser": False},
        )
-        self.assertEqual(res.status_code, 403)
+        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content,
-            {"detail": "User does not have permission to set the given superuser status."},
+            {"is_superuser": ["User does not have permission to set superuser status to False."]},
        )

    def test_superuser_update_no_change(self):
@ -176,27 +163,3 @@ class TestGroupsAPI(APITestCase):
            data={"name": generate_id(), "is_superuser": True},
        )
        self.assertEqual(res.status_code, 201)
-
-    def test_superuser_create_no_perm(self):
-        """Test creating a superuser group with no permission"""
-        assign_perm("authentik_core.add_group", self.login_user)
-        self.client.force_login(self.login_user)
-        res = self.client.post(
-            reverse("authentik_api:group-list"),
-            data={"name": generate_id(), "is_superuser": True},
-        )
-        self.assertEqual(res.status_code, 403)
-        self.assertJSONEqual(
-            res.content,
-            {"detail": "User does not have permission to set the given superuser status."},
-        )
-
-    def test_no_superuser_create_no_perm(self):
-        """Test creating a non-superuser group with no permission"""
-        assign_perm("authentik_core.add_group", self.login_user)
-        self.client.force_login(self.login_user)
-        res = self.client.post(
-            reverse("authentik_api:group-list"),
-            data={"name": generate_id()},
-        )
-        self.assertEqual(res.status_code, 201)
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,14 +132,13 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            if lic.is_valid:
-                total.internal_users += lic.internal_users
-                total.external_users += lic.external_users
-                total.license_flags.extend(lic.status.license_flags)
+            total.internal_users += lic.internal_users
+            total.external_users += lic.external_users
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
+            total.license_flags.extend(lic.status.license_flags)
        return total

    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,10 +39,6 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()

-    @property
-    def is_valid(self) -> bool:
-        return self.expiry >= now()
-
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,7 +8,6 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError

-from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -72,9 +71,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -233,9 +232,7 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        User.objects.all().delete()
-        License.objects.all().delete()
-        License.objects.create(key=generate_id(), expiry=expiry_expired)
+        License.objects.create(key=generate_id())
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)

    @patch(
--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@ -57,7 +57,7 @@ class LogEventSerializer(PassiveSerializer):


@contextmanager
-def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
+def capture_logs(log_default_output=True) -> Generator[list[LogEvent], None, None]:
    """Capture log entries created"""
    logs = []
    cap = LogCapture()
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,7 +15,6 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -23,7 +22,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow_background_url }}");
+            background-image: url("{{ flow.background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,7 +5,7 @@

 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow_background_url }}" />
+<link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow_background_url }}");
+    --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -13,9 +13,7 @@ class FlowInterfaceView(InterfaceView):
    """Flow interface"""

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["flow"] = flow
-        kwargs["flow_background_url"] = flow.background_url(self.request)
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)

--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -363,9 +363,6 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    pool_options = False

    db = {
        "default": {
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport, get_current_scope
+from sentry_sdk import HttpTransport
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
@ -27,7 +27,6 @@ from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
-from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException

@ -96,8 +95,6 @@ def traces_sampler(sampling_context: dict) -> float:
        return 0
    if _type == "websocket":
        return 0
-    if CONFIG.get_bool("debug"):
-        return 1
    return float(CONFIG.get("error_reporting.sample_rate", 0.1))


@ -170,14 +167,3 @@ def before_send(event: dict, hint: dict) -> dict | None:
    if settings.DEBUG:
        return None
    return event
-
-
-def get_http_meta():
-    """Get sentry-related meta key-values"""
-    scope = get_current_scope()
-    meta = {
-        SENTRY_TRACE_HEADER_NAME: scope.get_traceparent() or "",
-    }
-    if bag := scope.get_baggage():
-        meta[BAGGAGE_HEADER_NAME] = bag.serialize()
-    return meta
--- a/authentik/lib/sync/mapper.py
+++ b/authentik/lib/sync/mapper.py
@ -59,7 +59,7 @@ class PropertyMappingManager:
        request: HttpRequest | None,
        return_mapping: bool = False,
        **kwargs,
-    ) -> Generator[tuple[dict, PropertyMapping]]:
+    ) -> Generator[tuple[dict, PropertyMapping], None]:
        """Iterate over all mappings that were pre-compiled and
        execute all of them with the given context"""
        if not self.__has_compiled:
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -494,88 +494,86 @@ class TestConfig(TestCase):
            },
        )

-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    # def test_db_pool(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": True,
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )

-    # def test_db_pool_options(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     config.set(
-    #         "postgresql.pool_options",
-    #         base64.b64encode(
-    #             dumps(
-    #                 {
-    #                     "max_size": 15,
-    #                 }
-    #             ).encode()
-    #         ).decode(),
-    #     )
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": {
-    #                         "max_size": 15,
-    #                     },
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -199,7 +199,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
            chunk_size = len(ops)
        if len(ops) < 1:
            return
-        for chunk in batched(ops, chunk_size, strict=False):
+        for chunk in batched(ops, chunk_size):
            req = PatchRequest(Operations=list(chunk))
            self._request(
                "PATCH",
--- a/go.mod
+++ b/go.mod
@ -19,18 +19,18 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
-	github.com/pires/go-proxyproto v0.8.1
+	github.com/pires/go-proxyproto v0.8.0
 	github.com/prometheus/client_golang v1.22.0
 	github.com/redis/go-redis/v9 v9.8.0
-	github.com/sethvargo/go-envconfig v1.3.0
+	github.com/sethvargo/go-envconfig v1.2.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
 	goauthentik.io/api/v3 v3.2025040.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.14.0
+	golang.org/x/oauth2 v0.29.0
+	golang.org/x/sync v0.13.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -75,7 +75,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -230,8 +230,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
-github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -251,8 +251,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.3.0 h1:gJs+Fuv8+f05omTpwWIu6KmuseFAXKrIaOZSh8RMt0U=
-github.com/sethvargo/go-envconfig v1.3.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/sethvargo/go-envconfig v1.2.0 h1:q3XkOZWkC+G1sMLCrw9oPGTjYexygLOXDmGUit1ti8Q=
+github.com/sethvargo/go-envconfig v1.2.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@ -358,16 +358,16 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -376,8 +376,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -412,8 +412,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -56,7 +56,6 @@ EXPOSE 3389 6636 9300

 USER 1000

-ENV TMPDIR=/dev/shm/ \
-    GOFIPS=1
+ENV GOFIPS=1

 ENTRYPOINT ["/ldap"]
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -97,7 +97,6 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
-    shift
    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
    exec sleep infinity
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1014.0",
+                "aws-cdk": "^2.1013.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1014.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1014.0.tgz",
-            "integrity": "sha512-es101rtRAClix9BncNL54iW90MiOyRv4iCC5tv/firGDnidS6pPinuK0IIFt0RO6w0+3heRxWBXg8HY+f9877w==",
+            "version": "2.1013.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1013.0.tgz",
+            "integrity": "sha512-cbq4cOoEIZueMWenGgfI4RujS+AQ9GaMCTlW/3CnvEIhMD8j/tgZx7PTtgMuvwYrRoEeb/wTxgLPgUd5FhsoHA==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1014.0",
+        "aws-cdk": "^2.1013.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/locale/it/LC_MESSAGES/django.mo
+++ b/locale/it/LC_MESSAGES/django.mo
--- a/locale/pt/LC_MESSAGES/django.mo
+++ b/locale/pt/LC_MESSAGES/django.mo
--- a/locale/pt/LC_MESSAGES/django.po
+++ b/locale/pt/LC_MESSAGES/django.po
--- a/locale/zh_TW/LC_MESSAGES/django.mo
+++ b/locale/zh_TW/LC_MESSAGES/django.mo
--- a/package-lock.json
+++ b/package-lock.json
@ -1,546 +1,12 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.4.0",
+    "version": "2025.2.1",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/authentik",
-            "version": "2025.4.0",
-            "devDependencies": {
-                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
-                "prettier": "^3.3.3",
-                "prettier-plugin-organize-imports": "^4.1.0",
-                "prettier-plugin-packagejson": "^2.5.10",
-                "typescript": "^5.6.2"
-            }
-        },
-        "node_modules/@babel/code-frame": {
-            "version": "7.26.2",
-            "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.26.2.tgz",
-            "integrity": "sha512-RJlIHRueQgwWitWgF8OdFYGZX328Ax5BCemNGlqHfplnRT9ESi8JkFlvaVYbS+UubVY6dpv87Fs2u5M29iNFVQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/helper-validator-identifier": "^7.25.9",
-                "js-tokens": "^4.0.0",
-                "picocolors": "^1.0.0"
-            },
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/generator": {
-            "version": "7.27.0",
-            "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.27.0.tgz",
-            "integrity": "sha512-VybsKvpiN1gU1sdMZIp7FcqphVVKEwcuj02x73uvcHE0PTihx1nlBcowYWhDwjpoAXRv43+gDzyggGnn1XZhVw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/parser": "^7.27.0",
-                "@babel/types": "^7.27.0",
-                "@jridgewell/gen-mapping": "^0.3.5",
-                "@jridgewell/trace-mapping": "^0.3.25",
-                "jsesc": "^3.0.2"
-            },
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/helper-string-parser": {
-            "version": "7.25.9",
-            "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.25.9.tgz",
-            "integrity": "sha512-4A/SCr/2KLd5jrtOMFzaKjVtAei3+2r/NChoBNoZ3EyP/+GlhoaEGoWOZUmFmoITP7zOJyHIMm+DYRd8o3PvHA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/helper-validator-identifier": {
-            "version": "7.25.9",
-            "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.25.9.tgz",
-            "integrity": "sha512-Ed61U6XJc3CVRfkERJWDz4dJwKe7iLmmJsbOGu9wSloNSFttHV0I8g6UAgb7qnK5ly5bGLPd4oXZlxCdANBOWQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/parser": {
-            "version": "7.27.0",
-            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.27.0.tgz",
-            "integrity": "sha512-iaepho73/2Pz7w2eMS0Q5f83+0RKI7i4xmiYeBmDzfRVbQtTOG7Ts0S4HzJVsTMGI9keU8rNfuZr8DKfSt7Yyg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/types": "^7.27.0"
-            },
-            "bin": {
-                "parser": "bin/babel-parser.js"
-            },
-            "engines": {
-                "node": ">=6.0.0"
-            }
-        },
-        "node_modules/@babel/template": {
-            "version": "7.27.0",
-            "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.0.tgz",
-            "integrity": "sha512-2ncevenBqXI6qRMukPlXwHKHchC7RyMuu4xv5JBXRfOGVcTy1mXCD12qrp7Jsoxll1EV3+9sE4GugBVRjT2jFA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/code-frame": "^7.26.2",
-                "@babel/parser": "^7.27.0",
-                "@babel/types": "^7.27.0"
-            },
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/traverse": {
-            "version": "7.27.0",
-            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.27.0.tgz",
-            "integrity": "sha512-19lYZFzYVQkkHkl4Cy4WrAVcqBkgvV2YM2TU3xG6DIwO7O3ecbDPfW3yM3bjAGcqcQHi+CCtjMR3dIEHxsd6bA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/code-frame": "^7.26.2",
-                "@babel/generator": "^7.27.0",
-                "@babel/parser": "^7.27.0",
-                "@babel/template": "^7.27.0",
-                "@babel/types": "^7.27.0",
-                "debug": "^4.3.1",
-                "globals": "^11.1.0"
-            },
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@babel/types": {
-            "version": "7.27.0",
-            "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.27.0.tgz",
-            "integrity": "sha512-H45s8fVLYjbhFH62dIJ3WtmJ6RSPt/3DRO0ZcT2SUiYiQyz3BLVb9ADEnLl91m74aQPS3AzzeajZHYOalWe3bg==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@babel/helper-string-parser": "^7.25.9",
-                "@babel/helper-validator-identifier": "^7.25.9"
-            },
-            "engines": {
-                "node": ">=6.9.0"
-            }
-        },
-        "node_modules/@jridgewell/gen-mapping": {
-            "version": "0.3.8",
-            "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz",
-            "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@jridgewell/set-array": "^1.2.1",
-                "@jridgewell/sourcemap-codec": "^1.4.10",
-                "@jridgewell/trace-mapping": "^0.3.24"
-            },
-            "engines": {
-                "node": ">=6.0.0"
-            }
-        },
-        "node_modules/@jridgewell/resolve-uri": {
-            "version": "3.1.2",
-            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
-            "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6.0.0"
-            }
-        },
-        "node_modules/@jridgewell/set-array": {
-            "version": "1.2.1",
-            "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz",
-            "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=6.0.0"
-            }
-        },
-        "node_modules/@jridgewell/sourcemap-codec": {
-            "version": "1.5.0",
-            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
-            "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/@jridgewell/trace-mapping": {
-            "version": "0.3.25",
-            "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz",
-            "integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@jridgewell/resolve-uri": "^3.1.0",
-                "@jridgewell/sourcemap-codec": "^1.4.14"
-            }
-        },
-        "node_modules/@pkgr/core": {
-            "version": "0.1.2",
-            "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.1.2.tgz",
-            "integrity": "sha512-fdDH1LSGfZdTH2sxdpVMw31BanV28K/Gry0cVFxaNP77neJSkd82mM8ErPNYs9e+0O7SdHBLTDzDgwUuy18RnQ==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
-            },
-            "funding": {
-                "url": "https://opencollective.com/unts"
-            }
-        },
-        "node_modules/@trivago/prettier-plugin-sort-imports": {
-            "version": "5.2.2",
-            "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-5.2.2.tgz",
-            "integrity": "sha512-fYDQA9e6yTNmA13TLVSA+WMQRc5Bn/c0EUBditUHNfMMxN7M82c38b1kEggVE3pLpZ0FwkwJkUEKMiOi52JXFA==",
-            "dev": true,
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@babel/generator": "^7.26.5",
-                "@babel/parser": "^7.26.7",
-                "@babel/traverse": "^7.26.7",
-                "@babel/types": "^7.26.7",
-                "javascript-natural-sort": "^0.7.1",
-                "lodash": "^4.17.21"
-            },
-            "engines": {
-                "node": ">18.12"
-            },
-            "peerDependencies": {
-                "@vue/compiler-sfc": "3.x",
-                "prettier": "2.x - 3.x",
-                "prettier-plugin-svelte": "3.x",
-                "svelte": "4.x || 5.x"
-            },
-            "peerDependenciesMeta": {
-                "@vue/compiler-sfc": {
-                    "optional": true
-                },
-                "prettier-plugin-svelte": {
-                    "optional": true
-                },
-                "svelte": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/debug": {
-            "version": "4.4.0",
-            "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
-            "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "ms": "^2.1.3"
-            },
-            "engines": {
-                "node": ">=6.0"
-            },
-            "peerDependenciesMeta": {
-                "supports-color": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/detect-indent": {
-            "version": "7.0.1",
-            "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-7.0.1.tgz",
-            "integrity": "sha512-Mc7QhQ8s+cLrnUfU/Ji94vG/r8M26m8f++vyres4ZoojaRDpZ1eSIh/EpzLNwlWuvzSZ3UbDFspjFvTDXe6e/g==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12.20"
-            }
-        },
-        "node_modules/detect-newline": {
-            "version": "4.0.1",
-            "resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-4.0.1.tgz",
-            "integrity": "sha512-qE3Veg1YXzGHQhlA6jzebZN2qVf6NX+A7m7qlhCGG30dJixrAQhYOsJjsnBjJkCSmuOPpCk30145fr8FV0bzog==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
-        },
-        "node_modules/fdir": {
-            "version": "6.4.4",
-            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
-            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
-            "dev": true,
-            "license": "MIT",
-            "peerDependencies": {
-                "picomatch": "^3 || ^4"
-            },
-            "peerDependenciesMeta": {
-                "picomatch": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/get-stdin": {
-            "version": "9.0.0",
-            "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz",
-            "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
-        },
-        "node_modules/git-hooks-list": {
-            "version": "3.2.0",
-            "resolved": "https://registry.npmjs.org/git-hooks-list/-/git-hooks-list-3.2.0.tgz",
-            "integrity": "sha512-ZHG9a1gEhUMX1TvGrLdyWb9kDopCBbTnI8z4JgRMYxsijWipgjSEYoPWqBuIB0DnRnvqlQSEeVmzpeuPm7NdFQ==",
-            "dev": true,
-            "license": "MIT",
-            "funding": {
-                "url": "https://github.com/fisker/git-hooks-list?sponsor=1"
-            }
-        },
-        "node_modules/globals": {
-            "version": "11.12.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
-            "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=4"
-            }
-        },
-        "node_modules/is-plain-obj": {
-            "version": "4.1.0",
-            "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
-            "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/sindresorhus"
-            }
-        },
-        "node_modules/javascript-natural-sort": {
-            "version": "0.7.1",
-            "resolved": "https://registry.npmjs.org/javascript-natural-sort/-/javascript-natural-sort-0.7.1.tgz",
-            "integrity": "sha512-nO6jcEfZWQXDhOiBtG2KvKyEptz7RVbpGP4vTD2hLBdmNQSsCiicO2Ioinv6UI4y9ukqnBpy+XZ9H6uLNgJTlw==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/js-tokens": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
-            "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/jsesc": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
-            "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
-            "dev": true,
-            "license": "MIT",
-            "bin": {
-                "jsesc": "bin/jsesc"
-            },
-            "engines": {
-                "node": ">=6"
-            }
-        },
-        "node_modules/lodash": {
-            "version": "4.17.21",
-            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-            "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/ms": {
-            "version": "2.1.3",
-            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-            "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/picocolors": {
-            "version": "1.1.1",
-            "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
-            "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
-            "dev": true,
-            "license": "ISC"
-        },
-        "node_modules/picomatch": {
-            "version": "4.0.2",
-            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
-            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
-            "dev": true,
-            "license": "MIT",
-            "engines": {
-                "node": ">=12"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/jonschlinkert"
-            }
-        },
-        "node_modules/prettier": {
-            "version": "3.5.3",
-            "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz",
-            "integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
-            "dev": true,
-            "license": "MIT",
-            "bin": {
-                "prettier": "bin/prettier.cjs"
-            },
-            "engines": {
-                "node": ">=14"
-            },
-            "funding": {
-                "url": "https://github.com/prettier/prettier?sponsor=1"
-            }
-        },
-        "node_modules/prettier-plugin-organize-imports": {
-            "version": "4.1.0",
-            "resolved": "https://registry.npmjs.org/prettier-plugin-organize-imports/-/prettier-plugin-organize-imports-4.1.0.tgz",
-            "integrity": "sha512-5aWRdCgv645xaa58X8lOxzZoiHAldAPChljr/MT0crXVOWTZ+Svl4hIWlz+niYSlO6ikE5UXkN1JrRvIP2ut0A==",
-            "dev": true,
-            "license": "MIT",
-            "peerDependencies": {
-                "prettier": ">=2.0",
-                "typescript": ">=2.9",
-                "vue-tsc": "^2.1.0"
-            },
-            "peerDependenciesMeta": {
-                "vue-tsc": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/prettier-plugin-packagejson": {
-            "version": "2.5.10",
-            "resolved": "https://registry.npmjs.org/prettier-plugin-packagejson/-/prettier-plugin-packagejson-2.5.10.tgz",
-            "integrity": "sha512-LUxATI5YsImIVSaaLJlJ3aE6wTD+nvots18U3GuQMJpUyClChaZlQrqx3dBnbhF20OnKWZyx8EgyZypQtBDtgQ==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "sort-package-json": "2.15.1",
-                "synckit": "0.9.2"
-            },
-            "peerDependencies": {
-                "prettier": ">= 1.16.0"
-            },
-            "peerDependenciesMeta": {
-                "prettier": {
-                    "optional": true
-                }
-            }
-        },
-        "node_modules/semver": {
-            "version": "7.7.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
-            "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
-            "dev": true,
-            "license": "ISC",
-            "bin": {
-                "semver": "bin/semver.js"
-            },
-            "engines": {
-                "node": ">=10"
-            }
-        },
-        "node_modules/sort-object-keys": {
-            "version": "1.1.3",
-            "resolved": "https://registry.npmjs.org/sort-object-keys/-/sort-object-keys-1.1.3.tgz",
-            "integrity": "sha512-855pvK+VkU7PaKYPc+Jjnmt4EzejQHyhhF33q31qG8x7maDzkeFhAAThdCYay11CISO+qAMwjOBP+fPZe0IPyg==",
-            "dev": true,
-            "license": "MIT"
-        },
-        "node_modules/sort-package-json": {
-            "version": "2.15.1",
-            "resolved": "https://registry.npmjs.org/sort-package-json/-/sort-package-json-2.15.1.tgz",
-            "integrity": "sha512-9x9+o8krTT2saA9liI4BljNjwAbvUnWf11Wq+i/iZt8nl2UGYnf3TH5uBydE7VALmP7AGwlfszuEeL8BDyb0YA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "detect-indent": "^7.0.1",
-                "detect-newline": "^4.0.0",
-                "get-stdin": "^9.0.0",
-                "git-hooks-list": "^3.0.0",
-                "is-plain-obj": "^4.1.0",
-                "semver": "^7.6.0",
-                "sort-object-keys": "^1.1.3",
-                "tinyglobby": "^0.2.9"
-            },
-            "bin": {
-                "sort-package-json": "cli.js"
-            }
-        },
-        "node_modules/synckit": {
-            "version": "0.9.2",
-            "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.9.2.tgz",
-            "integrity": "sha512-vrozgXDQwYO72vHjUb/HnFbQx1exDjoKzqx23aXEg2a9VIg2TSFZ8FmeZpTjUCFMYw7mpX4BE2SFu8wI7asYsw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "@pkgr/core": "^0.1.0",
-                "tslib": "^2.6.2"
-            },
-            "engines": {
-                "node": "^14.18.0 || >=16.0.0"
-            },
-            "funding": {
-                "url": "https://opencollective.com/unts"
-            }
-        },
-        "node_modules/tinyglobby": {
-            "version": "0.2.13",
-            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.13.tgz",
-            "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "fdir": "^6.4.4",
-                "picomatch": "^4.0.2"
-            },
-            "engines": {
-                "node": ">=12.0.0"
-            },
-            "funding": {
-                "url": "https://github.com/sponsors/SuperchupuDev"
-            }
-        },
-        "node_modules/tslib": {
-            "version": "2.8.1",
-            "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
-            "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
-            "dev": true,
-            "license": "0BSD"
-        },
-        "node_modules/typescript": {
-            "version": "5.8.3",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
-            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
-            "dev": true,
-            "license": "Apache-2.0",
-            "bin": {
-                "tsc": "bin/tsc",
-                "tsserver": "bin/tsserver"
-            },
-            "engines": {
-                "node": ">=14.17"
-            }
+            "version": "2025.2.1"
        }
    }
 }
--- a/package.json
+++ b/package.json
@ -1,15 +1,5 @@
 {
    "name": "@goauthentik/authentik",
    "version": "2025.4.0",
-    "private": true,
-    "type": "module",
-    "devDependencies": {
-        "@trivago/prettier-plugin-sort-imports": "^5.2.2",
-        "prettier": "^3.3.3",
-        "prettier-plugin-organize-imports": "^4.1.0",
-        "prettier-plugin-packagejson": "^2.5.10",
-        "typescript": "^5.6.2"
-    },
-    "workspaces": [],
-    "prettier": "./packages/prettier-config/index.js"
+    "private": true
 }
--- a/packages/docusaurus-config/package-lock.json
+++ b/packages/docusaurus-config/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.6",
+    "version": "1.0.5",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.6",
+            "version": "1.0.5",
            "license": "MIT",
            "dependencies": {
                "deepmerge-ts": "^7.1.5",
--- a/packages/docusaurus-config/package.json
+++ b/packages/docusaurus-config/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.6",
+    "version": "1.0.5",
    "description": "authentik's Docusaurus config",
    "license": "MIT",
    "scripts": {
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -76,7 +76,6 @@ EXPOSE 9000 9300 9443

 USER 1000

-ENV TMPDIR=/dev/shm/ \
-    GOFIPS=1
+ENV GOFIPS=1

 ENTRYPOINT ["/proxy"]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -3,114 +3,102 @@ name = "authentik"
 version = "2025.4.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
-requires-python = "==3.13.*"
+requires-python = "==3.12.*"
 dependencies = [
-    "argon2-cffi==23.1.0",
-    "celery==5.5.2",
-    "channels==4.2.2",
-    "channels-redis==4.2.1",
-    "cryptography==44.0.3",
-    "dacite==1.9.2",
-    "deepmerge==2.0",
-    "defusedxml==0.7.1",
-    "django==5.1.9",
-    "django-countries==7.6.1",
-    "django-cte==1.3.3",
-    "django-filter==25.1",
-    "django-guardian<3.0.0",
-    "django-model-utils==5.0.0",
-    "django-pglock==1.7.1",
-    "django-prometheus==2.3.1",
-    "django-redis==5.4.0",
-    "django-storages[s3]==1.14.6",
-    "django-tenants==3.7.0",
-    "djangorestframework==3.16.0",
-    "djangorestframework-guardian==0.3.0",
-    "docker==7.1.0",
-    "drf-orjson-renderer==1.7.3",
-    "drf-spectacular==0.28.0",
-    "dumb-init==1.2.5.post1",
-    "duo-client==5.5.0",
-    "fido2==1.2.0",
-    "flower==2.0.1",
-    "geoip2==5.1.0",
-    "geopy==2.4.1",
-    "google-api-python-client==2.169.0",
-    "gssapi==1.9.0",
-    "gunicorn==23.0.0",
-    "jsonpatch==1.33",
-    "jwcrypto==1.5.6",
-    "kubernetes==32.0.1",
-    "ldap3==2.9.1",
-    "lxml==5.4.0",
-    "msgraph-sdk==1.30.0",
-    "opencontainers==0.0.14",
-    "packaging==25.0",
-    "paramiko==3.5.1",
-    "psycopg[c,pool]==3.2.9",
-    "pydantic==2.11.4",
-    "pydantic-scim==0.0.8",
-    "pyjwt==2.10.1",
-    "pyrad==2.4",
-    "python-kadmin-rs==0.6.0",
-    "pyyaml==6.0.2",
-    "requests-oauthlib==2.0.0",
-    "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.28.0",
-    "service-identity==24.2.0",
-    "setproctitle==1.3.6",
-    "structlog==25.3.0",
-    "swagger-spec-validator==3.0.4",
-    "tenant-schemas-celery==4.0.1",
-    "twilio==9.6.1",
-    "ua-parser==1.0.1",
-    "unidecode==1.4.0",
-    "urllib3<3",
-    "uvicorn[standard]==0.34.2",
-    "watchdog==6.0.0",
-    "webauthn==2.5.2",
-    "wsproto==1.2.0",
-    "xmlsec==1.3.15",
-    "zxcvbn==4.5.0",
+    "argon2-cffi",
+    "celery",
+    "channels",
+    "channels-redis",
+    "cryptography",
+    "dacite",
+    "deepmerge",
+    "defusedxml",
+    "django",
+    "django-countries",
+    "django-cte",
+    "django-filter",
+    "django-guardian",
+    "django-model-utils",
+    "django-pglock",
+    "django-prometheus",
+    "django-redis",
+    "django-storages[s3]",
+    "django-tenants",
+    "djangorestframework",
+    "djangorestframework-guardian",
+    "docker",
+    "drf-orjson-renderer",
+    "drf-spectacular",
+    "dumb-init",
+    "duo-client",
+    "fido2",
+    "flower",
+    "geoip2",
+    "geopy",
+    "google-api-python-client",
+    "gssapi",
+    "gunicorn",
+    "jsonpatch",
+    "jwcrypto",
+    "kubernetes",
+    "ldap3",
+    "lxml",
+    "msgraph-sdk",
+    "opencontainers",
+    "packaging",
+    "paramiko",
+    "psycopg[c, pool]",
+    "pydantic",
+    "pydantic-scim",
+    "pyjwt",
+    "pyrad",
+    "python-kadmin-rs ==0.6.0",
+    "pyyaml",
+    "requests-oauthlib",
+    "scim2-filter-parser",
+    "sentry-sdk",
+    "service_identity",
+    "setproctitle",
+    "structlog",
+    "swagger-spec-validator",
+    "tenant-schemas-celery",
+    "twilio",
+    "ua-parser",
+    "unidecode",
+    "urllib3 <3",
+    "uvicorn[standard]",
+    "watchdog",
+    "webauthn",
+    "wsproto",
+    "xmlsec <= 1.3.14",
+    "zxcvbn",
 ]

 [dependency-groups]
 dev = [
-    "aws-cdk-lib==2.188.0",
-    "bandit==1.8.3",
-    "black==25.1.0",
-    "bump2version==1.0.1",
-    "channels[daphne]==4.2.2",
-    "codespell==2.4.1",
-    "colorama==0.4.6",
-    "constructs==10.4.2",
-    "coverage[toml]==7.8.0",
-    "debugpy==1.8.14",
-    "drf-jsonschema-serializer==3.0.0",
-    "freezegun==1.5.1",
-    "importlib-metadata==8.6.1",
-    "k5test==0.10.4",
-    "pdoc==15.0.3",
-    "pytest==8.3.5",
-    "pytest-django==4.11.1",
-    "pytest-github-actions-annotate-failures==0.3.0",
-    "pytest-randomly==3.16.0",
-    "pytest-timeout==2.4.0",
-    "requests-mock==1.12.1",
-    "ruff==0.11.9",
-    "selenium==4.32.0",
-]
-
-[tool.uv]
-no-binary-package = [
-    # This differs from the no-binary packages in the Dockerfile. This is due to the fact
-    # that these packages are built from source for different reasons than cryptography and kadmin.
-    # These packages are built from source to link against the libxml2 on the system which is
-    # required for functionality and to stay up-to-date on both libraries.
-    # The other packages specified in the dockerfile are compiled from source to link against the
-    # correct FIPS OpenSSL libraries
-    "lxml",
-    "xmlsec",
+    "aws-cdk-lib",
+    "bandit",
+    "black",
+    "bump2version",
+    "channels[daphne]",
+    "codespell",
+    "colorama",
+    "constructs",
+    "coverage[toml]",
+    "debugpy",
+    "drf-jsonschema-serializer",
+    "freezegun",
+    "importlib-metadata",
+    "k5test",
+    "pdoc",
+    "pytest",
+    "pytest-django",
+    "pytest-github-actions-annotate-failures",
+    "pytest-randomly",
+    "pytest-timeout",
+    "requests-mock",
+    "ruff",
+    "selenium",
 ]

 [tool.uv.sources]
@ -155,12 +143,12 @@ ignore-words = ".github/codespell-words.txt"

 [tool.black]
 line-length = 100
-target-version = ['py313']
+target-version = ['py312']
 exclude = 'node_modules'

 [tool.ruff]
 line-length = 100
-target-version = "py313"
+target-version = "py312"
 exclude = ["**/migrations/**", "**/node_modules/**"]

 [tool.ruff.lint]
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@ -56,7 +56,6 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch

 USER 1000

-ENV TMPDIR=/dev/shm/ \
-    GOFIPS=1
+ENV GOFIPS=1

 ENTRYPOINT ["/rac"]
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@ -56,7 +56,6 @@ EXPOSE 1812/udp 9300

 USER 1000

-ENV TMPDIR=/dev/shm/ \
-    GOFIPS=1
+ENV GOFIPS=1

 ENTRYPOINT ["/radius"]
--- a/tests/e2e/docker-compose.yml
+++ b/tests/e2e/docker-compose.yml
@ -1,12 +1,12 @@
 services:
  chrome:
-    image: docker.io/selenium/standalone-chrome:136.0
+    image: docker.io/selenium/standalone-chrome:122.0
    volumes:
      - /dev/shm:/dev/shm
    network_mode: host
    restart: always
  mailpit:
-    image: docker.io/axllent/mailpit:v1.24.2
+    image: docker.io/axllent/mailpit:v1.6.5
    ports:
      - 1025:1025
      - 8025:8025
--- a/tests/e2e/test_flows_login_sfe.py
+++ b/tests/e2e/test_flows_login_sfe.py
@ -1,51 +0,0 @@
-"""test default login (using SFE interface) flow"""
-
-from time import sleep
-
-from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
-
-from authentik.blueprints.tests import apply_blueprint
-from tests.e2e.utils import SeleniumTestCase, retry
-
-
-class TestFlowsLoginSFE(SeleniumTestCase):
-    """test default login flow"""
-
-    def login(self):
-        """Do entire login flow adjusted for SFE"""
-        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
-        identification_stage = flow_executor.find_element(By.ID, "ident-form")
-
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            self.user.username
-        )
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            Keys.ENTER
-        )
-
-        password_stage = flow_executor.find_element(By.ID, "password-form")
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
-            self.user.username
-        )
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
-        sleep(1)
-
-    @retry()
-    @apply_blueprint(
-        "default/flow-default-authentication-flow.yaml",
-        "default/flow-default-invalidation-flow.yaml",
-    )
-    def test_login(self):
-        """test default login flow"""
-        self.driver.get(
-            self.url(
-                "authentik_core:if-flow",
-                flow_slug="default-authentication-flow",
-                query={"sfe": True},
-            )
-        )
-        self.login()
-        self.wait_for_url(self.if_user_url("/library"))
-        self.assert_user(self.user)
--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -26,7 +26,6 @@ from selenium import webdriver
 from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
-from selenium.webdriver.remote.command import Command
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support.wait import WebDriverWait
@ -198,12 +197,7 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
        super().tearDown()
        if IS_CI:
            print("::group::Browser logs")
-        # Very verbose way to get browser logs
-        # https://github.com/SeleniumHQ/selenium/pull/15641
-        # for some reason this removes the `get_log` API from Remote Webdriver
-        # and only keeps it on the local Chrome web driver, even when using
-        # a remote chrome driver...? (nvm the fact this was released as a minor version)
-        for line in self.driver.execute(Command.GET_LOG, {"type": "browser"})["value"]:
+        for line in self.driver.get_log("browser"):
            print(line["message"])
        if IS_CI:
            print("::endgroup::")
@ -241,7 +235,7 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
        return element

    def login(self):
-        """Do entire login flow"""
+        """Do entire login flow and check user afterwards"""
        flow_executor = self.get_shadow_root("ak-flow-executor")
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)

--- a/tsconfig.json
+++ b/tsconfig.json
@ -1,28 +0,0 @@
-// TypeScript Project Configuration
-{
-    "extends": "./packages/tsconfig/tsconfig.json",
-    "compilerOptions": {
-        "baseUrl": "."
-    },
-    "watchOptions": {
-        "excludeDirectories": [
-            "**/.git", // Git
-            "**/.yarn", // Yarn
-            "**/.vscode", // VS Code
-            "**/.vscode-test-web", // VS Code Web Test
-            "**/dist", // Distributed build files
-            "**/out", // Output build files
-            "**/.drafts", // Drafts
-            "**/.github", // GitHub
-            "**/node_modules" // Node modules
-        ]
-    },
-
-    // The root project has no sources of its own. By setting `files` to an empty
-    // list, TS won't automatically include all sources below root (the default).
-    "files": [],
-    "references": [
-        // Note that references are in the order we want them to be built.
-        // TODO: Left blank until TypeScript workspaces are complete.
-    ]
-}
--- a/uv.lock
+++ b/uv.lock
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -7,6 +7,7 @@
        "": {
            "name": "@goauthentik/web",
            "version": "0.0.0",
+            "hasInstallScript": true,
            "license": "MIT",
            "workspaces": [
                ".",
@ -24,6 +25,7 @@
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.6.0",
                "@goauthentik/api": "^2025.4.0-1746018955",
+                "@lit-labs/ssr": "3.2.2",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
                "@lit/reactive-element": "^2.0.4",
@ -64,7 +66,6 @@
                "remark-gfm": "^4.0.1",
                "remark-mdx-frontmatter": "^5.0.0",
                "style-mod": "^4.1.2",
-                "trusted-types": "^2.0.0",
                "ts-pattern": "^5.4.0",
                "unist-util-visit": "^5.0.0",
                "webcomponent-qr-code": "^1.2.0",
@ -2321,11 +2322,50 @@
                "@lezer/lr": "^1.0.0"
            }
        },
+        "node_modules/@lit-labs/ssr": {
+            "version": "3.2.2",
+            "resolved": "https://registry.npmjs.org/@lit-labs/ssr/-/ssr-3.2.2.tgz",
+            "integrity": "sha512-He5TzeNPM9ECmVpgXRYmVlz0UA5YnzHlT43kyLi2Lu6mUidskqJVonk9W5K699+2DKhoXp8Ra4EJmHR6KrcW1Q==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit-labs/ssr-client": "^1.1.7",
+                "@lit-labs/ssr-dom-shim": "^1.2.0",
+                "@lit/reactive-element": "^2.0.4",
+                "@parse5/tools": "^0.3.0",
+                "@types/node": "^16.0.0",
+                "enhanced-resolve": "^5.10.0",
+                "lit": "^3.1.2",
+                "lit-element": "^4.0.4",
+                "lit-html": "^3.1.2",
+                "node-fetch": "^3.2.8",
+                "parse5": "^7.1.1"
+            },
+            "engines": {
+                "node": ">=13.9.0"
+            }
+        },
+        "node_modules/@lit-labs/ssr-client": {
+            "version": "1.1.7",
+            "resolved": "https://registry.npmjs.org/@lit-labs/ssr-client/-/ssr-client-1.1.7.tgz",
+            "integrity": "sha512-VvqhY/iif3FHrlhkzEPsuX/7h/NqnfxLwVf0p8ghNIlKegRyRqgeaJevZ57s/u/LiFyKgqksRP5n+LmNvpxN+A==",
+            "license": "BSD-3-Clause",
+            "dependencies": {
+                "@lit/reactive-element": "^2.0.4",
+                "lit": "^3.1.2",
+                "lit-html": "^3.1.2"
+            }
+        },
        "node_modules/@lit-labs/ssr-dom-shim": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/@lit-labs/ssr-dom-shim/-/ssr-dom-shim-1.2.1.tgz",
            "integrity": "sha512-wx4aBmgeGvFmOKucFKY+8VFJSYZxs9poN3SDNQFF6lT6NrQUnHiPB2PWz2sc4ieEcAaYYzN+1uWahEeTq2aRIQ=="
        },
+        "node_modules/@lit-labs/ssr/node_modules/@types/node": {
+            "version": "16.18.114",
+            "resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.114.tgz",
+            "integrity": "sha512-7oAtnxrgkMNzyzT443UDWwzkmYew81F1ZSPm3/lsITJfW/WludaSOpegTvUG+UdapcbrtWOtY/E4LyTkhPGJ5Q==",
+            "license": "MIT"
+        },
        "node_modules/@lit/context": {
            "version": "1.1.2",
            "resolved": "https://registry.npmjs.org/@lit/context/-/context-1.1.2.tgz",
@ -2935,7 +2975,6 @@
            "version": "0.3.0",
            "resolved": "https://registry.npmjs.org/@parse5/tools/-/tools-0.3.0.tgz",
            "integrity": "sha512-zxRyTHkqb7WQMV8kTNBKWb1BeOFUKXBXTBWuxg9H9hfvQB3IwP6Iw2U75Ia5eyRxPNltmY7E8YAlz6zWwUnjKg==",
-            "dev": true,
            "dependencies": {
                "parse5": "^7.0.0"
            }
@ -9471,9 +9510,9 @@
            }
        },
        "node_modules/caniuse-lite": {
-            "version": "1.0.30001716",
-            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001716.tgz",
-            "integrity": "sha512-49/c1+x3Kwz7ZIWt+4DvK3aMJy9oYXXG6/97JKsnjdCk/6n9vVyWL8NAwVt95Lwt9eigI10Hl782kDfZUUlRXw==",
+            "version": "1.0.30001667",
+            "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001667.tgz",
+            "integrity": "sha512-7LTwJjcRkzKFmtqGsibMeuXmvFDfZq/nzIjnmgCGzKKRVzjD72selLDK1oPF/Oxzmt4fNcPvTDvGqSDG4tCALw==",
            "dev": true,
            "funding": [
                {
@ -9488,8 +9527,7 @@
                    "type": "github",
                    "url": "https://github.com/sponsors/ai"
                }
-            ],
-            "license": "CC-BY-4.0"
+            ]
        },
        "node_modules/ccount": {
            "version": "2.0.1",
@ -10784,7 +10822,6 @@
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/data-uri-to-buffer/-/data-uri-to-buffer-4.0.1.tgz",
            "integrity": "sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==",
-            "dev": true,
            "engines": {
                "node": ">= 12"
            }
@ -11435,7 +11472,6 @@
            "version": "5.17.1",
            "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.17.1.tgz",
            "integrity": "sha512-LMHl3dXhTcfv8gM4kEzIUeTQ+7fpdA0l2tUf34BddXPkz2A5xJ5L/Pchd5BL6rdccM9QGvu0sWZzK1Z1t4wwyg==",
-            "dev": true,
            "dependencies": {
                "graceful-fs": "^4.2.4",
                "tapable": "^2.2.0"
@ -13987,8 +14023,7 @@
        "node_modules/graceful-fs": {
            "version": "4.2.11",
            "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
-            "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
-            "dev": true
+            "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="
        },
        "node_modules/grapheme-splitter": {
            "version": "1.0.4",
@ -18706,7 +18741,6 @@
            "version": "3.3.2",
            "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-3.3.2.tgz",
            "integrity": "sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==",
-            "dev": true,
            "dependencies": {
                "data-uri-to-buffer": "^4.0.0",
                "fetch-blob": "^3.1.4",
@ -22727,7 +22761,6 @@
            "version": "2.2.1",
            "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.1.tgz",
            "integrity": "sha512-GNzQvQTOIP6RyTfE2Qxb8ZVlNmw0n88vp1szwWRimP02mnTsx3Wtn5qRdqY9w2XduFNUgvOwhNnQsjwCp+kqaQ==",
-            "dev": true,
            "engines": {
                "node": ">=6"
            }
@ -23119,12 +23152,6 @@
                "url": "https://github.com/sponsors/wooorm"
            }
        },
-        "node_modules/trusted-types": {
-            "version": "2.0.0",
-            "resolved": "https://registry.npmjs.org/trusted-types/-/trusted-types-2.0.0.tgz",
-            "integrity": "sha512-Eam+AUp6lg04YjmYkuLNhEJX+6ByocrKTpY/TtfRK/gV6OmxeN0OwkIasor28SUJ606snArpPLGtPMGbqdaaUA==",
-            "license": "W3C-20150513"
-        },
        "node_modules/ts-api-utils": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-1.3.0.tgz",
--- a/web/package.json
+++ b/web/package.json
@ -19,6 +19,7 @@
        "lint:precommit": "wireit",
        "lint:types": "wireit",
        "lit-analyse": "wireit",
+        "postinstall": "bash scripts/patch-spotlight.sh",
        "precommit": "wireit",
        "prettier": "wireit",
        "prettier-check": "wireit",
@ -50,6 +51,7 @@
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
        "@goauthentik/api": "^2025.4.0-1746018955",
+        "@lit-labs/ssr": "3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -90,7 +92,6 @@
        "remark-gfm": "^4.0.1",
        "remark-mdx-frontmatter": "^5.0.0",
        "style-mod": "^4.1.2",
-        "trusted-types": "^2.0.0",
        "ts-pattern": "^5.4.0",
        "unist-util-visit": "^5.0.0",
        "webcomponent-qr-code": "^1.2.0",
--- a/web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js
+++ b/web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js
@ -6,7 +6,7 @@
 * @import { Message as ESBuildMessage } from "esbuild";
 */

-const logPrefix = "authentik/dev/web: ";
+const logPrefix = "👷 [ESBuild]";
 const log = console.debug.bind(console, logPrefix);

 /**
@ -76,7 +76,7 @@ export class ESBuildObserver extends EventSource {
     */
    #startListener = () => {
        this.#trackActivity();
-        log("⏰ Build started...");
+        log("⏰  Build started...");
    };

    #internalErrorListener = () => {
@ -86,7 +86,7 @@ export class ESBuildObserver extends EventSource {
            clearTimeout(this.#keepAliveInterval);

            this.close();
-            log("⛔️ Closing connection");
+            log("⛔️  Closing connection");
        }
    };

@ -126,13 +126,13 @@ export class ESBuildObserver extends EventSource {
        this.#trackActivity();

        if (!this.online) {
-            log("🚫 Build finished while offline.");
+            log("🚫  Build finished while offline.");
            this.deferredReload = true;

            return;
        }

-        log("🛎️ Build completed! Reloading...");
+        log("🛎️  Build completed! Reloading...");

        // We use an animation frame to keep the reload from happening before the
        // event loop has a chance to process the message.
@ -189,13 +189,13 @@ export class ESBuildObserver extends EventSource {

            if (!this.deferredReload) return;

-            log("🛎️ Reloading after offline build...");
+            log("🛎️  Reloading after offline build...");
            this.deferredReload = false;

            window.location.reload();
        });

-        log("🛎️ Listening for build changes...");
+        log("🛎️  Listening for build changes...");

        this.#keepAliveInterval = setInterval(() => {
            const now = Date.now();
@ -203,7 +203,7 @@ export class ESBuildObserver extends EventSource {
            if (now - this.lastUpdatedAt < 10_000) return;

            this.alive = false;
-            log("👋 Waiting for build to start...");
+            log("👋  Waiting for build to start...");
        }, 15_000);
    }

--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@ -47,16 +47,7 @@ class SimpleFlowExecutor {
        return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
    }

-    loading() {
-        this.container.innerHTML = `<div class="d-flex justify-content-center">
-            <div class="spinner-border spinner-border-md" role="status">
-                <span class="sr-only">Loading...</span>
-            </div>
-        </div>`;
-    }
-
    start() {
-        this.loading();
        $.ajax({
            type: "GET",
            url: this.apiURL,
@ -210,9 +201,6 @@ class PasswordStage extends Stage<PasswordChallenge> {
            <form id="password-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
-                <div class="form-label-group my-3">
-                    <input type="text" readonly class="form-control-plaintext" value="Welcome, ${this.challenge?.pendingUser}.">
-                </div>
                <div class="form-label-group my-3 has-validation">
                    <input type="password" autofocus class="form-control ${this.error("password").length > 0 ? IS_INVALID : ""}" name="password" placeholder="Password">
                    ${this.renderInputError("password")}
--- a/web/scripts/patch-spotlight.sh
+++ b/web/scripts/patch-spotlight.sh
@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+TARGET="./node_modules/@spotlightjs/overlay/dist/index-"[0-9a-f]*.js
+
+if [[ $(grep -L "QX2" "$TARGET" > /dev/null 2> /dev/null) ]]; then
+    patch --forward -V none --no-backup-if-mismatch -p0 $TARGET <<EOF
+
+TARGET=$(find "./node_modules/@spotlightjs/overlay/dist/" -name "index-[0-9a-f]*.js");
+
+if ! grep -GL 'QX2 = ' "$TARGET" > /dev/null ; then
+patch --forward --no-backup-if-mismatch -p0 "$TARGET" <<EOF
+>>>>>>> main
+--- a/index-5682ce90.js	2024-06-13 16:19:28
+++ b/index-5682ce90.js	2024-06-13 16:20:23
+@@ -4958,11 +4958,10 @@
+     }
+   );
+ }
+-const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m));
+const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m)), QX2 = () => {};
+ function Gp({
+   data: n,
+-  onUpdateData: a = () => {
+-  },
+  onUpdateData: a = QX2,
+   editingEnabled: s = !1,
+   clipboardEnabled: o = !1,
+   displayDataTypes: c = !1,
+EOF
+
+else
+    echo "spotlight overlay.js patch already applied"
+fi
--- a/web/src/admin/AdminInterface/AboutModal.ts
+++ b/web/src/admin/AdminInterface/AboutModal.ts
@ -1,11 +1,11 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { VERSION } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
-import { DefaultBrand } from "@goauthentik/common/ui/config";
 import "@goauthentik/elements/EmptyState";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider";
 import { ModalButton } from "@goauthentik/elements/buttons/ModalButton";
+import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";

 import { msg } from "@lit/localize";
 import { TemplateResult, css, html } from "lit";
--- a/web/src/admin/AdminInterface/AdminSidebar.ts
+++ b/web/src/admin/AdminInterface/AdminSidebar.ts
@ -1,97 +1,186 @@
+import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
+import { me } from "@goauthentik/common/users";
+import { AKElement } from "@goauthentik/elements/Base";
+import {
+    CapabilitiesEnum,
+    WithCapabilitiesConfig,
+} from "@goauthentik/elements/Interface/capabilitiesProvider";
+import { WithVersion } from "@goauthentik/elements/Interface/versionProvider";
 import { ID_REGEX, SLUG_REGEX, UUID_REGEX } from "@goauthentik/elements/router/Route";
+import { getRootStyle } from "@goauthentik/elements/utils/getRootStyle";
 import { spread } from "@open-wc/lit-helpers";

 import { msg } from "@lit/localize";
 import { TemplateResult, html, nothing } from "lit";
-import { repeat } from "lit/directives/repeat.js";
+import { customElement, property, state } from "lit/decorators.js";
+import { map } from "lit/directives/map.js";

-// The second attribute type is of string[] to help with the 'activeWhen' control, which was
-// commonplace and singular enough to merit its own handler.
-type SidebarEntry = [
-    path: string | null,
-    label: string,
-    attributes?: Record<string, any> | string[] | null, // eslint-disable-line
-    children?: SidebarEntry[],
-];
+import { UiThemeEnum } from "@goauthentik/api";
+import type { SessionUser, UserSelf } from "@goauthentik/api";

-/**
- * Recursively renders a sidebar entry.
- */
-export function renderSidebarItem([
-    path,
-    label,
-    attributes,
-    children,
-]: SidebarEntry): TemplateResult {
-    const properties = Array.isArray(attributes)
-        ? { ".activeWhen": attributes }
-        : (attributes ?? {});
+@customElement("ak-admin-sidebar")
+export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement)) {
+    @property({ type: Boolean, reflect: true })
+    open = true;

-    if (path) {
-        properties.path = path;
+    @state()
+    impersonation: UserSelf["username"] | null = null;
+
+    constructor() {
+        super();
+        me().then((user: SessionUser) => {
+            this.impersonation = user.original ? user.user.username : null;
+        });
+        this.toggleOpen = this.toggleOpen.bind(this);
+        this.checkWidth = this.checkWidth.bind(this);
    }

-    return html`<ak-sidebar-item ${spread(properties)}>
-        ${label ? html`<span slot="label">${label}</span>` : nothing}
-        ${children ? renderSidebarItems(children) : nothing}
-    </ak-sidebar-item>`;
+    // This has to be a bound method so the event listener can be removed on disconnection as
+    // needed.
+    toggleOpen() {
+        this.open = !this.open;
+    }
+
+    checkWidth() {
+        // This works just fine, but it assumes that the `--ak-sidebar--minimum-auto-width` is in
+        // REMs. If that changes, this code will have to be adjusted as well.
+        const minWidth =
+            parseFloat(getRootStyle("--ak-sidebar--minimum-auto-width")) *
+            parseFloat(getRootStyle("font-size"));
+        this.open = window.innerWidth >= minWidth;
+    }
+
+    connectedCallback() {
+        super.connectedCallback();
+        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
+        window.addEventListener("resize", this.checkWidth);
+        // After connecting to the DOM, we can now perform this check to see if the sidebar should
+        // be open by default.
+        this.checkWidth();
+    }
+
+    // The symmetry (☟, ☝) here is critical in that you want to start adding these handlers after
+    // connection, and removing them before disconnection.
+
+    disconnectedCallback() {
+        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
+        window.removeEventListener("resize", this.checkWidth);
+        super.disconnectedCallback();
+    }
+
+    render() {
+        return html`
+            <ak-sidebar
+                class="pf-c-page__sidebar ${this.open ? "pf-m-expanded" : "pf-m-collapsed"} ${this
+                    .activeTheme === UiThemeEnum.Light
+                    ? "pf-m-light"
+                    : ""}"
+            >
+                ${this.renderSidebarItems()}
+            </ak-sidebar>
+        `;
+    }
+
+    updated() {
+        // This is permissible as`:host.classList` is not one of the properties Lit uses as a
+        // scheduling trigger. This sort of shenanigans can trigger an loop, in that it will trigger
+        // a browser reflow, which may trigger some other styling the application is monitoring,
+        // triggering a re-render which triggers a browser reflow, ad infinitum. But we've been
+        // living with that since jQuery, and it's both well-known and fortunately rare.
+
+        // eslint-disable-next-line wc/no-self-class
+        this.classList.remove("pf-m-expanded", "pf-m-collapsed");
+        // eslint-disable-next-line wc/no-self-class
+        this.classList.add(this.open ? "pf-m-expanded" : "pf-m-collapsed");
+    }
+
+    renderSidebarItems(): TemplateResult {
+        // The second attribute type is of string[] to help with the 'activeWhen' control, which was
+        // commonplace and singular enough to merit its own handler.
+        type SidebarEntry = [
+            path: string | null,
+            label: string,
+            attributes?: Record<string, any> | string[] | null, // eslint-disable-line
+            children?: SidebarEntry[],
+        ];
+
+        // prettier-ignore
+        const sidebarContent: SidebarEntry[] = [
+            [null, msg("Dashboards"), { "?expanded": true }, [
+                ["/administration/overview", msg("Overview")],
+                ["/administration/dashboard/users", msg("User Statistics")],
+                ["/administration/system-tasks", msg("System Tasks")]]],
+            [null, msg("Applications"), null, [
+                ["/core/applications", msg("Applications"), [`^/core/applications/(?<slug>${SLUG_REGEX})$`]],
+                ["/core/providers", msg("Providers"), [`^/core/providers/(?<id>${ID_REGEX})$`]],
+                ["/outpost/outposts", msg("Outposts")]]],
+            [null, msg("Events"), null, [
+                ["/events/log", msg("Logs"), [`^/events/log/(?<id>${UUID_REGEX})$`]],
+                ["/events/rules", msg("Notification Rules")],
+                ["/events/transports", msg("Notification Transports")]]],
+            [null, msg("Customization"), null, [
+                ["/policy/policies", msg("Policies")],
+                ["/core/property-mappings", msg("Property Mappings")],
+                ["/blueprints/instances", msg("Blueprints")],
+                ["/policy/reputation", msg("Reputation scores")]]],
+            [null, msg("Flows and Stages"), null, [
+                ["/flow/flows", msg("Flows"), [`^/flow/flows/(?<slug>${SLUG_REGEX})$`]],
+                ["/flow/stages", msg("Stages")],
+                ["/flow/stages/prompts", msg("Prompts")]]],
+            [null, msg("Directory"), null, [
+                ["/identity/users", msg("Users"), [`^/identity/users/(?<id>${ID_REGEX})$`]],
+                ["/identity/groups", msg("Groups"), [`^/identity/groups/(?<id>${UUID_REGEX})$`]],
+                ["/identity/roles", msg("Roles"), [`^/identity/roles/(?<id>${UUID_REGEX})$`]],
+                ["/identity/initial-permissions", msg("Initial Permissions"), [`^/identity/initial-permissions/(?<id>${ID_REGEX})$`]],
+                ["/core/sources", msg("Federation and Social login"), [`^/core/sources/(?<slug>${SLUG_REGEX})$`]],
+                ["/core/tokens", msg("Tokens and App passwords")],
+                ["/flow/stages/invitations", msg("Invitations")]]],
+            [null, msg("System"), null, [
+                ["/core/brands", msg("Brands")],
+                ["/crypto/certificates", msg("Certificates")],
+                ["/outpost/integrations", msg("Outpost Integrations")],
+                ["/admin/settings", msg("Settings")]]],
+        ];
+
+        // Typescript requires the type here to correctly type the recursive path
+        type SidebarRenderer = (_: SidebarEntry) => TemplateResult;
+
+        const renderOneSidebarItem: SidebarRenderer = ([path, label, attributes, children]) => {
+            const properties = Array.isArray(attributes)
+                ? { ".activeWhen": attributes }
+                : (attributes ?? {});
+            if (path) {
+                properties.path = path;
+            }
+            return html`<ak-sidebar-item ${spread(properties)}>
+                ${label ? html`<span slot="label">${label}</span>` : nothing}
+                ${map(children, renderOneSidebarItem)}
+            </ak-sidebar-item>`;
+        };
+
+        // prettier-ignore
+        return html`
+            ${map(sidebarContent, renderOneSidebarItem)}
+            ${this.renderEnterpriseMenu()}
+        `;
+    }
+
+    renderEnterpriseMenu() {
+        return this.can(CapabilitiesEnum.IsEnterprise)
+            ? html`
+                  <ak-sidebar-item>
+                      <span slot="label">${msg("Enterprise")}</span>
+                      <ak-sidebar-item path="/enterprise/licenses">
+                          <span slot="label">${msg("Licenses")}</span>
+                      </ak-sidebar-item>
+                  </ak-sidebar-item>
+              `
+            : nothing;
+    }
 }

-/**
- * Recursively renders a collection of sidebar entries.
- */
-export function renderSidebarItems(entries: readonly SidebarEntry[]) {
-    return repeat(entries, ([path, label]) => path || label, renderSidebarItem);
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-admin-sidebar": AkAdminSidebar;
+    }
 }
-
-// prettier-ignore
-export const AdminSidebarEntries: readonly SidebarEntry[] = [
-    [null, msg("Dashboards"), { "?expanded": true }, [
-        ["/administration/overview", msg("Overview")],
-        ["/administration/dashboard/users", msg("User Statistics")],
-        ["/administration/system-tasks", msg("System Tasks")]]
-    ],
-    [null, msg("Applications"), null, [
-        ["/core/applications", msg("Applications"), [`^/core/applications/(?<slug>${SLUG_REGEX})$`]],
-        ["/core/providers", msg("Providers"), [`^/core/providers/(?<id>${ID_REGEX})$`]],
-        ["/outpost/outposts", msg("Outposts")]]
-    ],
-    [null, msg("Events"), null, [
-        ["/events/log", msg("Logs"), [`^/events/log/(?<id>${UUID_REGEX})$`]],
-        ["/events/rules", msg("Notification Rules")],
-        ["/events/transports", msg("Notification Transports")]]
-    ],
-    [null, msg("Customization"), null, [
-        ["/policy/policies", msg("Policies")],
-        ["/core/property-mappings", msg("Property Mappings")],
-        ["/blueprints/instances", msg("Blueprints")],
-        ["/policy/reputation", msg("Reputation scores")]]
-    ],
-    [null, msg("Flows and Stages"), null, [
-        ["/flow/flows", msg("Flows"), [`^/flow/flows/(?<slug>${SLUG_REGEX})$`]],
-        ["/flow/stages", msg("Stages")],
-        ["/flow/stages/prompts", msg("Prompts")]]
-    ],
-    [null, msg("Directory"), null, [
-        ["/identity/users", msg("Users"), [`^/identity/users/(?<id>${ID_REGEX})$`]],
-        ["/identity/groups", msg("Groups"), [`^/identity/groups/(?<id>${UUID_REGEX})$`]],
-        ["/identity/roles", msg("Roles"), [`^/identity/roles/(?<id>${UUID_REGEX})$`]],
-        ["/identity/initial-permissions", msg("Initial Permissions"), [`^/identity/initial-permissions/(?<id>${ID_REGEX})$`]],
-        ["/core/sources", msg("Federation and Social login"), [`^/core/sources/(?<slug>${SLUG_REGEX})$`]],
-        ["/core/tokens", msg("Tokens and App passwords")],
-        ["/flow/stages/invitations", msg("Invitations")]]
-    ],
-    [null, msg("System"), null, [
-        ["/core/brands", msg("Brands")],
-        ["/crypto/certificates", msg("Certificates")],
-        ["/outpost/integrations", msg("Outpost Integrations")],
-        ["/admin/settings", msg("Settings")]]
-    ],
-];
-
-// prettier-ignore
-export const AdminSidebarEnterpriseEntries: readonly SidebarEntry[] = [
-    [null, msg("Enterprise"), null, [
-        ["/enterprise/licenses", msg("Licenses"), null]
-    ],
-]]
--- a/web/src/admin/AdminInterface/index.entrypoint.ts
+++ b/web/src/admin/AdminInterface/index.entrypoint.ts
@ -4,17 +4,13 @@ import { ROUTES } from "@goauthentik/admin/Routes";
 import {
    EVENT_API_DRAWER_TOGGLE,
    EVENT_NOTIFICATION_DRAWER_TOGGLE,
-    EVENT_SIDEBAR_TOGGLE,
 } from "@goauthentik/common/constants";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { AuthenticatedInterface } from "@goauthentik/elements/Interface";
-import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider.js";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
-import "@goauthentik/elements/banner/EnterpriseStatusBanner";
-import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/messages/MessageContainer";
@ -25,32 +21,25 @@ import "@goauthentik/elements/router/RouterOutlet";
 import "@goauthentik/elements/sidebar/Sidebar";
 import "@goauthentik/elements/sidebar/SidebarItem";

-import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, query, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";

 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
-import PFNav from "@patternfly/patternfly/components/Nav/nav.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";

-import { LicenseSummaryStatusEnum, SessionUser, UiThemeEnum } from "@goauthentik/api";
+import { SessionUser, UiThemeEnum } from "@goauthentik/api";

-import {
-    AdminSidebarEnterpriseEntries,
-    AdminSidebarEntries,
-    renderSidebarItems,
-} from "./AdminSidebar.js";
+import "./AdminSidebar";

 if (process.env.NODE_ENV === "development") {
    await import("@goauthentik/esbuild-plugin-live-reload/client");
 }

@customElement("ak-interface-admin")
-export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
-    //#region Properties
-
+export class AdminInterface extends AuthenticatedInterface {
    @property({ type: Boolean })
    notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);

@ -65,29 +54,12 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
    @query("ak-about-modal")
    aboutModal?: AboutModal;

-    @property({ type: Boolean, reflect: true })
-    public sidebarOpen: boolean;
-
-    #toggleSidebar = () => {
-        this.sidebarOpen = !this.sidebarOpen;
-    };
-
-    #sidebarMatcher: MediaQueryList;
-    #sidebarListener = (event: MediaQueryListEvent) => {
-        this.sidebarOpen = event.matches;
-    };
-
-    //#endregion
-
-    //#region Styles
-
    static get styles(): CSSResult[] {
        return [
            PFBase,
            PFPage,
            PFButton,
            PFDrawer,
-            PFNav,
            css`
                .pf-c-page__main,
                .pf-c-drawer__content,
@ -95,30 +67,23 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
                    z-index: auto !important;
                    background-color: transparent;
                }
-
                .display-none {
                    display: none;
                }
-
                .pf-c-page {
                    background-color: var(--pf-c-page--BackgroundColor) !important;
                }
-
-                :host([theme="dark"]) {
-                    /* Global page background colour */
-                    .pf-c-page {
-                        --pf-c-page--BackgroundColor: var(--ak-dark-background);
-                    }
+                /* Global page background colour */
+                :host([theme="dark"]) .pf-c-page {
+                    --pf-c-page--BackgroundColor: var(--ak-dark-background);
                }
-
-                ak-page-navbar {
+                ak-enterprise-status,
+                ak-version-banner {
                    grid-area: header;
                }
-
-                .ak-sidebar {
+                ak-admin-sidebar {
                    grid-area: nav;
                }
-
                .pf-c-drawer__panel {
                    z-index: var(--pf-global--ZIndex--xl);
                }
@ -126,22 +91,9 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
        ];
    }

-    //#endregion
-
-    //#region Lifecycle
-
    constructor() {
-        configureSentry(true);
        super();
        this.ws = new WebsocketClient();
-        this.#sidebarMatcher = window.matchMedia("(min-width: 1200px)");
-        this.sidebarOpen = this.#sidebarMatcher.matches;
-    }
-
-    public connectedCallback() {
-        super.connectedCallback();
-
-        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);

        window.addEventListener(EVENT_NOTIFICATION_DRAWER_TOGGLE, () => {
            this.notificationDrawerOpen = !this.notificationDrawerOpen;
@ -156,24 +108,16 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
                apiDrawerOpen: this.apiDrawerOpen,
            });
        });
-
-        this.#sidebarMatcher.addEventListener("change", this.#sidebarListener);
-    }
-
-    public disconnectedCallback(): void {
-        super.disconnectedCallback();
-        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
-        this.#sidebarMatcher.removeEventListener("change", this.#sidebarListener);
    }

    async firstUpdated(): Promise<void> {
+        configureSentry(true);
        this.user = await me();

        const canAccessAdmin =
            this.user.user.isSuperuser ||
            // TODO: somehow add `access_admin_interface` to the API schema
            this.user.user.systemPermissions.includes("access_admin_interface");
-
        if (!canAccessAdmin && this.user.user.pk > 0) {
            window.location.assign("/if/user/");
        }
@ -181,14 +125,10 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

    render(): TemplateResult {
        const sidebarClasses = {
-            "pf-c-page__sidebar": true,
            "pf-m-light": this.activeTheme === UiThemeEnum.Light,
-            "pf-m-expanded": this.sidebarOpen,
-            "pf-m-collapsed": !this.sidebarOpen,
        };

        const drawerOpen = this.notificationDrawerOpen || this.apiDrawerOpen;
-
        const drawerClasses = {
            "pf-m-expanded": drawerOpen,
            "pf-m-collapsed": !drawerOpen,
@ -196,18 +136,11 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

        return html` <ak-locale-context>
            <div class="pf-c-page">
-                <ak-page-navbar>
-                    <ak-version-banner></ak-version-banner>
-                    <ak-enterprise-status interface="admin"></ak-enterprise-status>
-                </ak-page-navbar>
-
-                <ak-sidebar class="${classMap(sidebarClasses)}">
-                    ${renderSidebarItems(AdminSidebarEntries)}
-                    ${this.licenseSummary?.status !== LicenseSummaryStatusEnum.Unlicensed
-                        ? renderSidebarItems(AdminSidebarEnterpriseEntries)
-                        : nothing}
-                </ak-sidebar>
-
+                <ak-enterprise-status interface="admin"></ak-enterprise-status>
+                <ak-version-banner></ak-version-banner>
+                <ak-admin-sidebar
+                    class="pf-c-page__sidebar ${classMap(sidebarClasses)}"
+                ></ak-admin-sidebar>
                <div class="pf-c-page__drawer">
                    <div class="pf-c-drawer ${classMap(drawerClasses)}">
                        <div class="pf-c-drawer__main">
--- a/web/src/admin/admin-overview/AdminOverviewPage.ts
+++ b/web/src/admin/admin-overview/AdminOverviewPage.ts
@ -94,13 +94,10 @@ export class AdminOverviewPage extends AdminOverviewBase {
    }

    render(): TemplateResult {
-        const username = this.user?.user.name || this.user?.user.username;
+        const name = this.user?.user.name ?? this.user?.user.username;

-        return html` <ak-page-header
-                header=${msg(str`Welcome, ${username || ""}.`)}
-                description=${msg("General system status")}
-                ?hasIcon=${false}
-            >
+        return html`<ak-page-header description=${msg("General system status")} ?hasIcon=${false}>
+                <span slot="header"> ${msg(str`Welcome, ${name || ""}.`)} </span>
            </ak-page-header>
            <section class="pf-c-page__main-section">
                <div class="pf-l-grid pf-m-gutter">
--- a/web/src/admin/admin-settings/AdminSettingsForm.ts
+++ b/web/src/admin/admin-settings/AdminSettingsForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-number-input";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
@ -183,14 +184,20 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                label=${msg("Reputation: lower limit")}
                required
                name="reputationLowerLimit"
-                value="${this._settings?.reputationLowerLimit ?? DEFAULT_REPUTATION_LOWER_LIMIT}"
+                value="${first(
+                    this._settings?.reputationLowerLimit,
+                    DEFAULT_REPUTATION_LOWER_LIMIT,
+                )}"
                help=${msg("Reputation cannot decrease lower than this value. Zero or negative.")}
            ></ak-number-input>
            <ak-number-input
                label=${msg("Reputation: upper limit")}
                required
                name="reputationUpperLimit"
-                value="${this._settings?.reputationUpperLimit ?? DEFAULT_REPUTATION_UPPER_LIMIT}"
+                value="${first(
+                    this._settings?.reputationUpperLimit,
+                    DEFAULT_REPUTATION_UPPER_LIMIT,
+                )}"
                help=${msg("Reputation cannot increase higher than this value. Zero or positive.")}
            ></ak-number-input>
            <ak-form-element-horizontal label=${msg("Footer links")} name="footerLinks">
@ -250,7 +257,7 @@ export class AdminSettingsForm extends Form<SettingsRequest> {
                label=${msg("Default token length")}
                required
                name="defaultTokenLength"
-                value="${this._settings?.defaultTokenLength ?? 60}"
+                value="${first(this._settings?.defaultTokenLength, 60)}"
                help=${msg("Default length of generated tokens")}
            ></ak-number-input>
        `;
--- a/web/src/admin/admin-settings/AdminSettingsPage.ts
+++ b/web/src/admin/admin-settings/AdminSettingsPage.ts
@ -83,10 +83,13 @@ export class AdminSettingsPage extends AKElement {
    }

    render() {
-        if (!this.settings) return nothing;
-
+        if (!this.settings) {
+            return nothing;
+        }
        return html`
-            <ak-page-header icon="fa fa-cog" header="${msg("System settings")}"> </ak-page-header>
+            <ak-page-header icon="fa fa-cog" header="" description="">
+                <span slot="header"> ${msg("System settings")} </span>
+            </ak-page-header>
            <section class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                <div class="pf-c-card">
                    <div class="pf-c-card__body">
--- a/web/src/admin/applications/ApplicationForm.ts
+++ b/web/src/admin/applications/ApplicationForm.ts
@ -1,6 +1,7 @@
 import "@goauthentik/admin/applications/ProviderSelectModal";
 import { iconHelperText } from "@goauthentik/admin/helperText";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-file-input";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-switch-input";
@ -193,7 +194,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                    ></ak-text-input>
                    <ak-switch-input
                        name="openInNewTab"
-                        ?checked=${this.instance?.openInNewTab ?? false}
+                        ?checked=${first(this.instance?.openInNewTab, false)}
                        label=${msg("Open in new tab")}
                        help=${msg(
                            "If checked, the launch URL will open in a new browser tab or window from the user's application library.",
@ -220,7 +221,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                        : html` <ak-text-input
                              label=${msg("Icon")}
                              name="metaIcon"
-                              value=${this.instance?.metaIcon ?? ""}
+                              value=${first(this.instance?.metaIcon, "")}
                              help=${iconHelperText}
                          >
                          </ak-text-input>`}
--- a/web/src/admin/applications/ApplicationViewPage.ts
+++ b/web/src/admin/applications/ApplicationViewPage.ts
@ -113,7 +113,8 @@ export class ApplicationViewPage extends AKElement {

    renderApp(): TemplateResult {
        if (!this.application) {
-            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
+            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
+            </ak-empty-state>`;
        }
        return html`<ak-tabs>
            ${this.missingOutpost
--- a/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts
+++ b/web/src/admin/applications/entitlements/ApplicationEntitlementForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -59,7 +60,7 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
                <input
                    type="text"
-                    value="${this.instance?.name ?? ""}"
+                    value="${first(this.instance?.name, "")}"
                    class="pf-c-form-control"
                    required
                />
@ -71,7 +72,7 @@ export class ApplicationEntitlementForm extends ModelForm<ApplicationEntitlement
            >
                <ak-codemirror
                    mode=${CodeMirrorMode.YAML}
-                    value="${YAML.stringify(this.instance?.attributes ?? {})}"
+                    value="${YAML.stringify(first(this.instance?.attributes, {}))}"
                >
                </ak-codemirror>
                <p class="pf-c-form__helper-text">
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
@ -1,6 +1,7 @@
 import { policyOptions } from "@goauthentik/admin/applications/PolicyOptions.js";
 import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
 import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { isSlug } from "@goauthentik/common/utils.js";
 import { camelToSnake } from "@goauthentik/common/utils.js";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-slug-input";
@ -10,7 +11,6 @@ import { type NavigableButton, type WizardButton } from "@goauthentik/components
 import { type KeyUnknown } from "@goauthentik/elements/forms/Form";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
-import { isSlug } from "@goauthentik/elements/router/utils.js";

 import { msg } from "@lit/localize";
 import { html } from "lit";
--- a/web/src/admin/blueprints/BlueprintForm.ts
+++ b/web/src/admin/blueprints/BlueprintForm.ts
@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { docLink } from "@goauthentik/common/global";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
@ -79,7 +80,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.enabled ?? true}
+                        ?checked=${first(this.instance?.enabled, true)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -183,7 +184,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                    <ak-form-element-horizontal label=${msg("Context")} name="context">
                        <ak-codemirror
                            mode=${CodeMirrorMode.YAML}
-                            value="${YAML.stringify(this.instance?.context ?? {})}"
+                            value="${YAML.stringify(first(this.instance?.context, {}))}"
                        >
                        </ak-codemirror>
                        <p class="pf-c-form__helper-text">
--- a/web/src/admin/brands/BrandForm.ts
+++ b/web/src/admin/brands/BrandForm.ts
@ -1,13 +1,14 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { DefaultBrand } from "@goauthentik/common/ui/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/SearchSelect";
+import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import YAML from "yaml";

 import { msg } from "@lit/localize";
@ -53,7 +54,7 @@ export class BrandForm extends ModelForm<Brand, string> {
        return html` <ak-form-element-horizontal label=${msg("Domain")} required name="domain">
                <input
                    type="text"
-                    value="${this.instance?.domain ?? window.location.host}"
+                    value="${first(this.instance?.domain, window.location.host)}"
                    class="pf-c-form-control pf-m-monospace"
                    autocomplete="off"
                    spellcheck="false"
@ -71,7 +72,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?._default ?? false}
+                        ?checked=${first(this.instance?._default, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -91,7 +92,10 @@ export class BrandForm extends ModelForm<Brand, string> {
                    <ak-form-element-horizontal label=${msg("Title")} required name="brandingTitle">
                        <input
                            type="text"
-                            value="${this.instance?.brandingTitle ?? DefaultBrand.brandingTitle}"
+                            value="${first(
+                                this.instance?.brandingTitle,
+                                DefaultBrand.brandingTitle,
+                            )}"
                            class="pf-c-form-control"
                            required
                        />
@ -102,7 +106,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                    <ak-form-element-horizontal label=${msg("Logo")} required name="brandingLogo">
                        <input
                            type="text"
-                            value="${this.instance?.brandingLogo ?? DefaultBrand.brandingLogo}"
+                            value="${first(this.instance?.brandingLogo, DefaultBrand.brandingLogo)}"
                            class="pf-c-form-control pf-m-monospace"
                            autocomplete="off"
                            spellcheck="false"
@ -119,8 +123,10 @@ export class BrandForm extends ModelForm<Brand, string> {
                    >
                        <input
                            type="text"
-                            value="${this.instance?.brandingFavicon ??
-                            DefaultBrand.brandingFavicon}"
+                            value="${first(
+                                this.instance?.brandingFavicon,
+                                DefaultBrand.brandingFavicon,
+                            )}"
                            class="pf-c-form-control pf-m-monospace"
                            autocomplete="off"
                            spellcheck="false"
@ -137,8 +143,10 @@ export class BrandForm extends ModelForm<Brand, string> {
                    >
                        <input
                            type="text"
-                            value="${this.instance?.brandingDefaultFlowBackground ??
-                            "/static/dist/assets/images/flow_background.jpg"}"
+                            value="${first(
+                                this.instance?.brandingDefaultFlowBackground,
+                                "/static/dist/assets/images/flow_background.jpg",
+                            )}"
                            class="pf-c-form-control pf-m-monospace"
                            autocomplete="off"
                            spellcheck="false"
@ -157,8 +165,10 @@ export class BrandForm extends ModelForm<Brand, string> {
                    >
                        <ak-codemirror
                            mode=${CodeMirrorMode.CSS}
-                            value="${this.instance?.brandingCustomCss ??
-                            DefaultBrand.brandingCustomCss}"
+                            value="${first(
+                                this.instance?.brandingCustomCss,
+                                DefaultBrand.brandingCustomCss,
+                            )}"
                        >
                        </ak-codemirror>
                        <p class="pf-c-form__helper-text">
@ -307,7 +317,7 @@ export class BrandForm extends ModelForm<Brand, string> {
                    <ak-form-element-horizontal label=${msg("Attributes")} name="attributes">
                        <ak-codemirror
                            mode=${CodeMirrorMode.YAML}
-                            value="${YAML.stringify(this.instance?.attributes ?? {})}"
+                            value="${YAML.stringify(first(this.instance?.attributes, {}))}"
                        >
                        </ak-codemirror>
                        <p class="pf-c-form__helper-text">
--- a/web/src/admin/events/TransportForm.ts
+++ b/web/src/admin/events/TransportForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
@ -184,7 +185,7 @@ export class TransportForm extends ModelForm<NotificationTransport, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.sendOnce ?? false}
+                        ?checked=${first(this.instance?.sendOnce, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@ -1,6 +1,7 @@
 import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
 import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import {
    CapabilitiesEnum,
    WithCapabilitiesConfig,
@ -226,7 +227,7 @@ export class FlowForm extends WithCapabilitiesConfig(ModelForm<Flow, string>) {
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.compatibilityMode ?? false}
+                                ?checked=${first(this.instance?.compatibilityMode, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
@ -406,7 +407,7 @@ export class FlowForm extends WithCapabilitiesConfig(ModelForm<Flow, string>) {
                          >
                              <input
                                  type="text"
-                                  value="${this.instance?.background ?? ""}"
+                                  value="${first(this.instance?.background, "")}"
                                  class="pf-c-form-control"
                              />
                              <p class="pf-c-form__helper-text">
--- a/web/src/admin/flows/StageBindingForm.ts
+++ b/web/src/admin/flows/StageBindingForm.ts
@ -1,5 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { groupBy } from "@goauthentik/common/utils";
+import { first, groupBy } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
@ -123,7 +123,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
            <ak-form-element-horizontal label=${msg("Order")} ?required=${true} name="order">
                <input
                    type="number"
-                    value="${this.instance?.order ?? this.defaultOrder}"
+                    value="${first(this.instance?.order, this.defaultOrder)}"
                    class="pf-c-form-control"
                    required
                />
@ -133,7 +133,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.evaluateOnPlan ?? false}
+                        ?checked=${first(this.instance?.evaluateOnPlan, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -151,7 +151,7 @@ export class StageBindingForm extends ModelForm<FlowStageBinding, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.reEvaluatePolicies ?? true}
+                        ?checked=${first(this.instance?.reEvaluatePolicies, true)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/groups/GroupForm.ts
+++ b/web/src/admin/groups/GroupForm.ts
@ -1,5 +1,6 @@
 import "@goauthentik/admin/groups/MemberSelectModal";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider";
@ -76,7 +77,7 @@ export class GroupForm extends ModelForm<Group, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.isSuperuser ?? false}
+                        ?checked=${first(this.instance?.isSuperuser, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -149,7 +150,7 @@ export class GroupForm extends ModelForm<Group, string> {
            >
                <ak-codemirror
                    mode=${CodeMirrorMode.YAML}
-                    value="${YAML.stringify(this.instance?.attributes ?? {})}"
+                    value="${YAML.stringify(first(this.instance?.attributes, {}))}"
                >
                </ak-codemirror>
                <p class="pf-c-form__helper-text">
--- a/web/src/admin/outposts/ServiceConnectionDockerForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionDockerForm.ts
@ -1,5 +1,6 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/SearchSelect";
@ -52,7 +53,7 @@ export class ServiceConnectionDockerForm extends ModelForm<DockerServiceConnecti
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.local ?? false}
+                        ?checked=${first(this.instance?.local, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -56,7 +57,7 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.local ?? false}
+                        ?checked=${first(this.instance?.local, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -74,7 +75,7 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
            <ak-form-element-horizontal label=${msg("Kubeconfig")} name="kubeconfig">
                <ak-codemirror
                    mode=${CodeMirrorMode.YAML}
-                    value="${YAML.stringify(this.instance?.kubeconfig ?? {})}"
+                    value="${YAML.stringify(first(this.instance?.kubeconfig, {}))}"
                >
                </ak-codemirror>
                <p class="pf-c-form__helper-text">
@ -86,7 +87,7 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.verifySsl ?? true}
+                        ?checked=${first(this.instance?.verifySsl, true)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/policies/PolicyBindingForm.ts
+++ b/web/src/admin/policies/PolicyBindingForm.ts
@ -3,7 +3,7 @@ import {
    PolicyBindingCheckTargetToLabel,
 } from "@goauthentik/admin/policies/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { groupBy } from "@goauthentik/common/utils";
+import { first, groupBy } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -274,7 +274,7 @@ export class PolicyBindingForm extends ModelForm<PolicyBinding, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.enabled ?? true}
+                        ?checked=${first(this.instance?.enabled, true)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -289,7 +289,7 @@ export class PolicyBindingForm extends ModelForm<PolicyBinding, string> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.negate ?? false}
+                        ?checked=${first(this.instance?.negate, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -305,7 +305,7 @@ export class PolicyBindingForm extends ModelForm<PolicyBinding, string> {
            <ak-form-element-horizontal label=${msg("Order")} ?required=${true} name="order">
                <input
                    type="number"
-                    value="${this.instance?.order ?? this.defaultOrder}"
+                    value="${first(this.instance?.order, this.defaultOrder)}"
                    class="pf-c-form-control"
                    required
                />
@ -313,7 +313,7 @@ export class PolicyBindingForm extends ModelForm<PolicyBinding, string> {
            <ak-form-element-horizontal label=${msg("Timeout")} ?required=${true} name="timeout">
                <input
                    type="number"
-                    value="${this.instance?.timeout ?? 30}"
+                    value="${first(this.instance?.timeout, 30)}"
                    class="pf-c-form-control"
                    required
                />
--- a/web/src/admin/policies/PolicyTestForm.ts
+++ b/web/src/admin/policies/PolicyTestForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-status-label";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
@ -124,7 +125,7 @@ export class PolicyTestForm extends Form<PolicyTestRequest> {
            <ak-form-element-horizontal label=${msg("Context")} name="context">
                <ak-codemirror
                    mode=${CodeMirrorMode.YAML}
-                    value=${YAML.stringify(this.request?.context ?? {})}
+                    value=${YAML.stringify(first(this.request?.context, {}))}
                >
                </ak-codemirror>
                <p class="pf-c-form__helper-text">
--- a/web/src/admin/policies/dummy/DummyPolicyForm.ts
+++ b/web/src/admin/policies/dummy/DummyPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";

@ -50,7 +51,7 @@ export class DummyPolicyForm extends BasePolicyForm<DummyPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -73,7 +74,7 @@ export class DummyPolicyForm extends BasePolicyForm<DummyPolicy> {
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.result ?? false}
+                                ?checked=${first(this.instance?.result, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
@ -90,7 +91,7 @@ export class DummyPolicyForm extends BasePolicyForm<DummyPolicy> {
                    >
                        <input
                            type="number"
-                            value="${this.instance?.waitMin ?? 1}"
+                            value="${first(this.instance?.waitMin, 1)}"
                            class="pf-c-form-control"
                            required
                        />
@ -107,7 +108,7 @@ export class DummyPolicyForm extends BasePolicyForm<DummyPolicy> {
                    >
                        <input
                            type="number"
-                            value="${this.instance?.waitMax ?? 5}"
+                            value="${first(this.instance?.waitMax, 5)}"
                            class="pf-c-form-control"
                            required
                        />
--- a/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
+++ b/web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -62,7 +63,7 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/policies/expiry/ExpiryPolicyForm.ts
+++ b/web/src/admin/policies/expiry/ExpiryPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";

@ -50,7 +51,7 @@ export class PasswordExpiryPolicyForm extends BasePolicyForm<PasswordExpiryPolic
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -85,7 +86,7 @@ export class PasswordExpiryPolicyForm extends BasePolicyForm<PasswordExpiryPolic
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.denyOnly ?? false}
+                                ?checked=${first(this.instance?.denyOnly, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/policies/expression/ExpressionPolicyForm.ts
+++ b/web/src/admin/policies/expression/ExpressionPolicyForm.ts
@ -1,6 +1,7 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { docLink } from "@goauthentik/common/global";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/FormGroup";
@ -53,7 +54,7 @@ export class ExpressionPolicyForm extends BasePolicyForm<ExpressionPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
+++ b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/ak-dual-select";
 import { DataProvision, DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
 import "@goauthentik/elements/forms/FormGroup";
@ -111,7 +112,7 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
                        <input
                            type="number"
                            min="1"
-                            value="${this.instance?.historyMaxDistanceKm ?? 100}"
+                            value="${first(this.instance?.historyMaxDistanceKm, 100)}"
                            class="pf-c-form-control"
                        />
                        <p class="pf-c-form__helper-text">
@ -127,7 +128,7 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
                        <input
                            type="number"
                            min="1"
-                            value="${this.instance?.distanceToleranceKm ?? 50}"
+                            value="${first(this.instance?.distanceToleranceKm, 50)}"
                            class="pf-c-form-control"
                        />
                        <p class="pf-c-form__helper-text">
@ -141,7 +142,7 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
                        <input
                            type="number"
                            min="1"
-                            value="${this.instance?.historyLoginCount ?? 5}"
+                            value="${first(this.instance?.historyLoginCount, 5)}"
                            class="pf-c-form-control"
                        />
                        <p class="pf-c-form__helper-text">
@ -177,7 +178,7 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
                        <input
                            type="number"
                            min="1"
-                            value="${this.instance?.impossibleToleranceKm ?? 50}"
+                            value="${first(this.instance?.impossibleToleranceKm, 50)}"
                            class="pf-c-form-control"
                        />
                        <p class="pf-c-form__helper-text">
--- a/web/src/admin/policies/password/PasswordPolicyForm.ts
+++ b/web/src/admin/policies/password/PasswordPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";

@ -55,7 +56,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                >
                    <input
                        type="number"
-                        value="${this.instance?.lengthMin ?? 10}"
+                        value="${first(this.instance?.lengthMin, 10)}"
                        class="pf-c-form-control"
                        required
                    />
@ -67,7 +68,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                >
                    <input
                        type="number"
-                        value="${this.instance?.amountUppercase ?? 2}"
+                        value="${first(this.instance?.amountUppercase, 2)}"
                        class="pf-c-form-control"
                        required
                    />
@ -79,7 +80,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                >
                    <input
                        type="number"
-                        value="${this.instance?.amountLowercase ?? 2}"
+                        value="${first(this.instance?.amountLowercase, 2)}"
                        class="pf-c-form-control"
                        required
                    />
@ -91,7 +92,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                >
                    <input
                        type="number"
-                        value="${this.instance?.amountDigits ?? 2}"
+                        value="${first(this.instance?.amountDigits, 2)}"
                        class="pf-c-form-control"
                        required
                    />
@ -103,7 +104,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                >
                    <input
                        type="number"
-                        value="${this.instance?.amountSymbols ?? 2}"
+                        value="${first(this.instance?.amountSymbols, 2)}"
                        class="pf-c-form-control"
                        required
                    />
@ -153,7 +154,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    >
                        <input
                            type="number"
-                            value="${this.instance?.hibpAllowedCount ?? 0}"
+                            value="${first(this.instance?.hibpAllowedCount, 0)}"
                            class="pf-c-form-control"
                            required
                        />
@ -178,7 +179,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    >
                        <input
                            type="number"
-                            value="${this.instance?.zxcvbnScoreThreshold ?? 0}"
+                            value="${first(this.instance?.zxcvbnScoreThreshold, 0)}"
                            class="pf-c-form-control"
                            required
                        />
@ -235,7 +236,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -271,7 +272,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.checkStaticRules ?? true}
+                        ?checked=${first(this.instance?.checkStaticRules, true)}
                        @change=${(ev: Event) => {
                            const el = ev.target as HTMLInputElement;
                            this.showStatic = el.checked;
@ -290,7 +291,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.checkHaveIBeenPwned ?? true}
+                        ?checked=${first(this.instance?.checkHaveIBeenPwned, true)}
                        @change=${(ev: Event) => {
                            const el = ev.target as HTMLInputElement;
                            this.showHIBP = el.checked;
@ -315,7 +316,7 @@ export class PasswordPolicyForm extends BasePolicyForm<PasswordPolicy> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.checkZxcvbn ?? true}
+                        ?checked=${first(this.instance?.checkZxcvbn, true)}
                        @change=${(ev: Event) => {
                            const el = ev.target as HTMLInputElement;
                            this.showZxcvbn = el.checked;
--- a/web/src/admin/policies/reputation/ReputationPolicyForm.ts
+++ b/web/src/admin/policies/reputation/ReputationPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";

@ -60,7 +61,7 @@ doesn't pass when either or both of the selected options are equal or above the
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -83,7 +84,7 @@ doesn't pass when either or both of the selected options are equal or above the
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.checkIp ?? true}
+                                ?checked=${first(this.instance?.checkIp, true)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
@ -98,7 +99,7 @@ doesn't pass when either or both of the selected options are equal or above the
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.checkUsername ?? false}
+                                ?checked=${first(this.instance?.checkUsername, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts
+++ b/web/src/admin/policies/unique_password/UniquePasswordPolicyForm.ts
@ -1,5 +1,6 @@
 import { BasePolicyForm } from "@goauthentik/admin/policies/BasePolicyForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";

@ -50,7 +51,7 @@ export class UniquePasswordPolicyForm extends BasePolicyForm<UniquePasswordPolic
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.executionLogging ?? false}
+                        ?checked=${first(this.instance?.executionLogging, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -87,7 +88,7 @@ export class UniquePasswordPolicyForm extends BasePolicyForm<UniquePasswordPolic
            >
                <input
                    type="number"
-                    value="${this.instance?.numHistoricalPasswords ?? 1}"
+                    value="${first(this.instance?.numHistoricalPasswords, 1)}"
                    class="pf-c-form-control"
                    required
                />
--- a/web/src/admin/property-mappings/PropertyMappingTestForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingTestForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import { Form } from "@goauthentik/elements/forms/Form";
@ -180,7 +181,7 @@ export class PolicyTestForm extends Form<PropertyMappingTestRequest> {
            <ak-form-element-horizontal label=${msg("Context")} name="context">
                <ak-codemirror
                    mode=${CodeMirrorMode.YAML}
-                    value=${YAML.stringify(this.request?.context ?? {})}
+                    value=${YAML.stringify(first(this.request?.context, {}))}
                >
                </ak-codemirror>
                <p class="pf-c-form__helper-text">${this.renderExampleButtons()}</p>
--- a/web/src/admin/providers/ProviderViewPage.ts
+++ b/web/src/admin/providers/ProviderViewPage.ts
@ -42,7 +42,7 @@ export class ProviderViewPage extends AKElement {

    renderProvider(): TemplateResult {
        if (!this.provider) {
-            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
        }
        switch (this.provider?.component) {
            case "ak-provider-saml-form":
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderForm.ts
@ -4,6 +4,7 @@ import {
    propertyMappingsSelector,
 } from "@goauthentik/admin/providers/google_workspace/GoogleWorkspaceProviderFormHelpers.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -67,7 +68,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                    >
                        <ak-codemirror
                            mode=${CodeMirrorMode.JavaScript}
-                            .value="${this.instance?.credentials ?? {}}"
+                            .value="${first(this.instance?.credentials, {})}"
                        ></ak-codemirror>
                        <p class="pf-c-form__helper-text">
                            ${msg("Google Cloud credentials file.")}
@ -80,7 +81,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                    >
                        <input
                            type="email"
-                            value="${this.instance?.delegatedSubject ?? ""}"
+                            value="${first(this.instance?.delegatedSubject, "")}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
@ -97,7 +98,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                    >
                        <input
                            type="text"
-                            value="${this.instance?.defaultGroupEmailDomain ?? ""}"
+                            value="${first(this.instance?.defaultGroupEmailDomain, "")}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
@ -165,7 +166,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.dryRun ?? false}
+                                ?checked=${first(this.instance?.dryRun, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
@ -190,7 +191,7 @@ export class GoogleWorkspaceProviderFormPage extends BaseProviderForm<GoogleWork
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.excludeUsersServiceAccount ?? true}
+                                ?checked=${first(this.instance?.excludeUsersServiceAccount, true)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
@ -4,6 +4,7 @@ import {
    propertyMappingsSelector,
 } from "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@ -65,7 +66,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                    >
                        <input
                            type="text"
-                            value="${this.instance?.clientId ?? ""}"
+                            value="${first(this.instance?.clientId, "")}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
@ -80,7 +81,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                    >
                        <input
                            type="text"
-                            value="${this.instance?.clientSecret ?? ""}"
+                            value="${first(this.instance?.clientSecret, "")}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
@ -95,7 +96,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                    >
                        <input
                            type="text"
-                            value="${this.instance?.tenantId ?? ""}"
+                            value="${first(this.instance?.tenantId, "")}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
@ -154,7 +155,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.dryRun ?? false}
+                                ?checked=${first(this.instance?.dryRun, false)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
@ -179,7 +180,7 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                            <input
                                class="pf-c-switch__input"
                                type="checkbox"
-                                ?checked=${this.instance?.excludeUsersServiceAccount ?? true}
+                                ?checked=${first(this.instance?.excludeUsersServiceAccount, true)}
                            />
                            <span class="pf-c-switch__toggle">
                                <span class="pf-c-switch__toggle-icon">
--- a/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
@ -4,7 +4,7 @@ import {
    IRedirectURIInput,
    akOAuthRedirectURIInput,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
-import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -161,7 +161,7 @@ export function renderForm(
                <ak-text-input
                    name="clientId"
                    label=${msg("Client ID")}
-                    value="${provider?.clientId ?? randomString(40, ascii_letters + digits)}"
+                    value="${first(provider?.clientId, randomString(40, ascii_letters + digits))}"
                    required
                    inputHint="code"
                >
@ -169,7 +169,10 @@ export function renderForm(
                <ak-text-input
                    name="clientSecret"
                    label=${msg("Client Secret")}
-                    value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
+                    value="${first(
+                        provider?.clientSecret,
+                        randomString(128, ascii_letters + digits),
+                    )}"
                    inputHint="code"
                    ?hidden=${!showClientSecret}
                >
@ -254,7 +257,7 @@ export function renderForm(
                    label=${msg("Access code validity")}
                    inputHint="code"
                    required
-                    value="${provider?.accessCodeValidity ?? "minutes=1"}"
+                    value="${first(provider?.accessCodeValidity, "minutes=1")}"
                    .bighelp=${html`<p class="pf-c-form__helper-text">
                            ${msg("Configure how long access codes are valid for.")}
                        </p>
@ -264,7 +267,7 @@ export function renderForm(
                <ak-text-input
                    name="accessTokenValidity"
                    label=${msg("Access Token validity")}
-                    value="${provider?.accessTokenValidity ?? "minutes=5"}"
+                    value="${first(provider?.accessTokenValidity, "minutes=5")}"
                    inputHint="code"
                    required
                    .bighelp=${html` <p class="pf-c-form__helper-text">
@ -277,7 +280,7 @@ export function renderForm(
                <ak-text-input
                    name="refreshTokenValidity"
                    label=${msg("Refresh Token validity")}
-                    value="${provider?.refreshTokenValidity ?? "days=30"}"
+                    value="${first(provider?.refreshTokenValidity, "days=30")}"
                    inputHint="code"
                    ?required=${true}
                    .bighelp=${html` <p class="pf-c-form__helper-text">
@ -314,7 +317,7 @@ export function renderForm(
                <ak-switch-input
                    name="includeClaimsInIdToken"
                    label=${msg("Include claims in id_token")}
-                    ?checked=${provider?.includeClaimsInIdToken ?? true}
+                    ?checked=${first(provider?.includeClaimsInIdToken, true)}
                    help=${msg(
                        "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
                    )}
--- a/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
@ -432,7 +432,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                <div class="pf-c-card__body">
                    ${this.preview
                        ? html`<pre>${JSON.stringify(this.preview?.preview, null, 4)}</pre>`
-                        : html` <ak-empty-state loading></ak-empty-state> `}
+                        : html` <ak-empty-state ?loading=${true}></ak-empty-state> `}
                </div>
            </div>
        </div>`;
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@ -3,6 +3,7 @@ import "@goauthentik/admin/providers/proxy/ProxyProviderForm";
 import "@goauthentik/admin/rbac/ObjectPermissionsPage";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
+import { convertToSlug } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-status-label";
 import "@goauthentik/components/events/ObjectChangelog";
 import MDCaddyStandalone from "@goauthentik/docs/add-secure-apps/providers/proxy/_caddy_standalone.md";
@ -21,7 +22,6 @@ import type { Replacer } from "@goauthentik/elements/ak-mdx";
 import "@goauthentik/elements/buttons/ModalButton";
 import "@goauthentik/elements/buttons/SpinnerButton";
 import { getURLParam } from "@goauthentik/elements/router/RouteMatch";
-import { formatSlug } from "@goauthentik/elements/router/utils.js";

 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";
@ -183,7 +183,7 @@ export class ProxyProviderViewPage extends AKElement {
        return html`<ak-tabs pageIdentifier="proxy-setup">
            ${servers.map((server) => {
                return html`<section
-                    slot="page-${formatSlug(server.label)}"
+                    slot="page-${convertToSlug(server.label)}"
                    data-tab-title="${server.label}"
                    class="pf-c-page__main-section pf-m-no-padding-mobile ak-markdown-section"
                >
--- a/web/src/admin/providers/rac/EndpointForm.ts
+++ b/web/src/admin/providers/rac/EndpointForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -98,7 +99,7 @@ export class EndpointForm extends ModelForm<Endpoint, string> {
            >
                <input
                    type="number"
-                    value="${this.instance?.maximumConnections ?? 1}"
+                    value="${first(this.instance?.maximumConnections, 1)}"
                    class="pf-c-form-control"
                    required
                />
@ -122,7 +123,7 @@ export class EndpointForm extends ModelForm<Endpoint, string> {
                    <ak-form-element-horizontal label=${msg("Settings")} name="settings">
                        <ak-codemirror
                            mode="yaml"
-                            value="${YAML.stringify(this.instance?.settings ?? {})}"
+                            value="${YAML.stringify(first(this.instance?.settings, {}))}"
                        >
                        </ak-codemirror>
                        <p class="pf-c-form__helper-text">${msg("Connection settings.")}</p>
--- a/web/src/admin/providers/rac/RACProviderForm.ts
+++ b/web/src/admin/providers/rac/RACProviderForm.ts
@ -1,6 +1,7 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@ -81,7 +82,7 @@ export class RACProviderFormPage extends ModelForm<RACProvider, number> {
            >
                <input
                    type="text"
-                    value="${this.instance?.connectionExpiry ?? "hours=8"}"
+                    value="${first(this.instance?.connectionExpiry, "hours=8")}"
                    class="pf-c-form-control pf-m-monospace"
                    autocomplete="off"
                    spellcheck="false"
@ -99,7 +100,7 @@ export class RACProviderFormPage extends ModelForm<RACProvider, number> {
                    <input
                        class="pf-c-switch__input"
                        type="checkbox"
-                        ?checked=${this.instance?.deleteTokenOnDisconnect ?? false}
+                        ?checked=${first(this.instance?.deleteTokenOnDisconnect, false)}
                    />
                    <span class="pf-c-switch__toggle">
                        <span class="pf-c-switch__toggle-icon">
@ -134,7 +135,7 @@ export class RACProviderFormPage extends ModelForm<RACProvider, number> {
                    <ak-form-element-horizontal label=${msg("Settings")} name="settings">
                        <ak-codemirror
                            mode="yaml"
-                            value="${YAML.stringify(this.instance?.settings ?? {})}"
+                            value="${YAML.stringify(first(this.instance?.settings, {}))}"
                        >
                        </ak-codemirror>
                        <p class="pf-c-form__helper-text">${msg("Connection settings.")}</p>
--- a/web/src/admin/providers/radius/RadiusProviderFormForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderFormForm.ts
@ -1,6 +1,6 @@
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
-import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -78,14 +78,17 @@ export function renderForm(
                    name="sharedSecret"
                    label=${msg("Shared secret")}
                    .errorMessages=${errors?.sharedSecret ?? []}
-                    value=${provider?.sharedSecret ?? randomString(128, ascii_letters + digits)}
+                    value=${first(
+                        provider?.sharedSecret,
+                        randomString(128, ascii_letters + digits),
+                    )}
                    required
                    inputHint="code"
                ></ak-text-input>
                <ak-text-input
                    name="clientNetworks"
                    label=${msg("Client Networks")}
-                    value=${provider?.clientNetworks ?? "0.0.0.0/0, ::/0"}
+                    value=${first(provider?.clientNetworks, "0.0.0.0/0, ::/0")}
                    .errorMessages=${errors?.clientNetworks ?? []}
                    required
                    help=${clientNetworksHelp}
--- a/web/src/admin/providers/saml/SAMLProviderViewPage.ts
+++ b/web/src/admin/providers/saml/SAMLProviderViewPage.ts
@ -502,7 +502,7 @@ export class SAMLProviderViewPage extends AKElement {

    renderTabPreview(): TemplateResult {
        if (!this.preview) {
-            return html`<ak-empty-state loading></ak-empty-state>`;
+            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
        }
        return html` <div
            class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"
--- a/web/src/admin/providers/scim/SCIMProviderFormForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -36,7 +37,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                <ak-text-input
                    name="url"
                    label=${msg("URL")}
-                    value="${provider?.url ?? ""}"
+                    value="${first(provider?.url, "")}"
                    .errorMessages=${errors?.url ?? []}
                    required
                    help=${msg("SCIM base url, usually ends in /v2.")}
@ -95,7 +96,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                        <input
                            class="pf-c-switch__input"
                            type="checkbox"
-                            ?checked=${provider?.dryRun ?? false}
+                            ?checked=${first(provider?.dryRun, false)}
                        />
                        <span class="pf-c-switch__toggle">
                            <span class="pf-c-switch__toggle-icon">
@ -118,7 +119,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                <ak-switch-input
                    name="excludeUsersServiceAccount"
                    label=${msg("Exclude service accounts")}
-                    ?checked=${provider?.excludeUsersServiceAccount ?? true}
+                    ?checked=${first(provider?.excludeUsersServiceAccount, true)}
                >
                </ak-switch-input>

--- a/web/src/admin/providers/ssf/SSFProviderFormPage.ts
+++ b/web/src/admin/providers/ssf/SSFProviderFormPage.ts
@ -5,6 +5,7 @@ import {
    oauth2ProvidersSelector,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProvidersProvider";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
@ -80,7 +81,7 @@ export class SSFProviderFormPage extends BaseProviderForm<SSFProvider> {
                    >
                        <input
                            type="text"
-                            value="${provider?.eventRetention ?? "days=30"}"
+                            value="${first(provider?.eventRetention, "days=30")}"
                            class="pf-c-form-control"
                            required
                        />
--- a/web/src/admin/rbac/RoleObjectPermissionForm.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionForm.ts
@ -89,24 +89,19 @@ export class RoleObjectPermissionForm extends ModelForm<RoleAssignData, number>
                >
                </ak-search-select>
            </ak-form-element-horizontal>
-            ${this.modelPermissions?.results
-                .filter((perm) => {
-                    const [_app, model] = this.model?.split(".") || "";
-                    return perm.codename !== `add_${model}`;
-                })
-                .map((perm) => {
-                    return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
-                        <label class="pf-c-switch">
-                            <input class="pf-c-switch__input" type="checkbox" />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
+            ${this.modelPermissions?.results.map((perm) => {
+                return html` <ak-form-element-horizontal name="permissions.${perm.codename}">
+                    <label class="pf-c-switch">
+                        <input class="pf-c-switch__input" type="checkbox" />
+                        <span class="pf-c-switch__toggle">
+                            <span class="pf-c-switch__toggle-icon">
+                                <i class="fas fa-check" aria-hidden="true"></i>
                            </span>
-                            <span class="pf-c-switch__label">${perm.name}</span>
-                        </label>
-                    </ak-form-element-horizontal>`;
-                })}
+                        </span>
+                        <span class="pf-c-switch__label">${perm.name}</span>
+                    </label>
+                </ak-form-element-horizontal>`;
+            })}
        </form>`;
    }
 }
--- a/web/src/admin/rbac/RoleObjectPermissionTable.ts
+++ b/web/src/admin/rbac/RoleObjectPermissionTable.ts
@ -45,7 +45,7 @@ export class RoleAssignedObjectPermissionTable extends Table<RoleAssignedObjectP
            ordering: "codename",
        });
        modelPermissions.results = modelPermissions.results.filter((value) => {
-            return value.codename !== `add_${this.model?.split(".")[1]}`;
+            return !value.codename.startsWith("add_");
        });
        this.modelPermissions = modelPermissions;
        return perms;
--- a/web/src/admin/sources/SourceViewPage.ts
+++ b/web/src/admin/sources/SourceViewPage.ts
@ -34,7 +34,7 @@ export class SourceViewPage extends AKElement {

    renderSource(): TemplateResult {
        if (!this.source) {
-            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
        }
        switch (this.source?.component) {
            case "ak-source-kerberos-form":
--- a/web/src/admin/sources/kerberos/KerberosSourceForm.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
@ -6,6 +6,7 @@ import {
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -96,12 +97,12 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
            ></ak-text-input>
            <ak-switch-input
                name="enabled"
-                ?checked=${this.instance?.enabled ?? true}
+                ?checked=${first(this.instance?.enabled, true)}
                label=${msg("Enabled")}
            ></ak-switch-input>
            <ak-switch-input
                name="passwordLoginUpdateInternalPassword"
-                ?checked=${this.instance?.passwordLoginUpdateInternalPassword ?? false}
+                ?checked=${first(this.instance?.passwordLoginUpdateInternalPassword, false)}
                label=${msg("Update internal password on login")}
                help=${msg(
                    "When the user logs in to authentik using this source password backend, update their credentials in authentik.",
@ -109,12 +110,12 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
            ></ak-switch-input>
            <ak-switch-input
                name="syncUsers"
-                ?checked=${this.instance?.syncUsers ?? true}
+                ?checked=${first(this.instance?.syncUsers, true)}
                label=${msg("Sync users")}
            ></ak-switch-input>
            <ak-switch-input
                name="syncUsersPassword"
-                ?checked=${this.instance?.syncUsersPassword ?? true}
+                ?checked=${first(this.instance?.syncUsersPassword, true)}
                label=${msg("User password writeback")}
                help=${msg(
                    "Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled.",
@ -394,8 +395,10 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                    <ak-text-input
                        name="userPathTemplate"
                        label=${msg("User path")}
-                        value=${this.instance?.userPathTemplate ??
-                        "goauthentik.io/sources/%(slug)s"}
+                        value=${first(
+                            this.instance?.userPathTemplate,
+                            "goauthentik.io/sources/%(slug)s",
+                        )}
                        help=${placeholderHelperText}
                    ></ak-text-input>
                </div>
@ -440,7 +443,7 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                    : html`<ak-form-element-horizontal label=${msg("Icon")} name="icon">
                          <input
                              type="text"
-                              value="${this.instance?.icon ?? ""}"
+                              value="${first(this.instance?.icon, "")}"
                              class="pf-c-form-control"
                          />
                          <p class="pf-c-form__helper-text">${iconHelperText}</p>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teffen Ellis	c3789f583c	web: Fix issue where linters collide. Update ignore file. - Remove unused sort override for polyfills.	2025-05-02 15:28:28 +02:00
Teffen Ellis	621b0e642c	web: Use monorepo utilities when building.	2025-05-02 15:27:21 +02:00
Teffen Ellis	39f68b9c3f	web: WIP Add monorepo dependency.	2025-05-02 15:26:50 +02:00
Teffen Ellis	9382fdf8cd	web: Update build paths. Fix types.	2025-05-02 15:26:48 +02:00
Teffen Ellis	01b9369afb	web: WIP Prepare monorepo package for use.	2025-05-02 15:26:44 +02:00
Teffen Ellis	be2cb10f40	web: Build entrypoints with a single ESBuild context. Clean up entrypoints.	2025-05-02 15:26:41 +02:00
Teffen Ellis	af72a23d7c	web: Revise globals.	2025-05-02 15:26:39 +02:00
Teffen Ellis	aefe2d6eaf	web: Format package.json.	2025-05-02 15:26:27 +02:00
Teffen Ellis	c69d35b9f7	web: Format live reload package.	2025-05-02 15:26:19 +02:00