Merge branch 'main' into stages/prompt/dry-run

Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/stages/prompt/stage.py # schema.yml
stages/prompt: add dry-run
2025-06-07 09:34:53 +02:00 · 2023-06-14 11:07:16 +02:00
262 changed files with 6811 additions and 8309 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2025.6.1
+current_version = 2025.6.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final
--- a/.dockerignore
+++ b/.dockerignore
@ -11,4 +11,3 @@ blueprints/local
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
-.venv
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -100,13 +100,6 @@ updates:
      goauthentik:
        patterns:
          - "@goauthentik/*"
-      eslint:
-        patterns:
-          - "@eslint/*"
-          - "@typescript-eslint/*"
-          - "eslint-*"
-          - "eslint"
-          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/4
+++ b/4
@ -75,9 +75,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.11 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.6.1"
+__version__ = "2025.6.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -0,0 +1,79 @@
+"""authentik administration metrics"""
+
+from datetime import timedelta
+
+from django.db.models.functions import ExtractHour
+from drf_spectacular.utils import extend_schema, extend_schema_field
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.fields import IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import EventAction
+
+
+class CoordinateSerializer(PassiveSerializer):
+    """Coordinates for diagrams"""
+
+    x_cord = IntegerField(read_only=True)
+    y_cord = IntegerField(read_only=True)
+
+
+class LoginMetricsSerializer(PassiveSerializer):
+    """Login Metrics per 1h"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get successful authorizations per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        return (
+            get_objects_for_user(user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
+class AdministrationMetricsViewSet(APIView):
+    """Login Metrics per 1h"""
+
+    permission_classes = [IsAuthenticated]
+
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Login Metrics per 1h"""
+        serializer = LoginMetricsSerializer(True)
+        serializer.context["user"] = request.user
+        return Response(serializer.data)
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -36,6 +36,11 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(len(body), 0)

+    def test_metrics(self):
+        """Test metrics API"""
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
+        self.assertEqual(response.status_code, 200)
+
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -3,6 +3,7 @@
 from django.urls import path

 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
+from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@ -11,6 +12,11 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
+    path(
+        "admin/metrics/",
+        AdministrationMetricsViewSet.as_view(),
+        name="admin_metrics",
+    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -134,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -205,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models

    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
-
-    def test_custom_css(self):
-        """Test custom_css"""
-        brand = create_test_brand()
-        brand.branding_custom_css = """* {
-            font-family: "Foo bar";
-        }"""
-        brand.save()
-        res = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(res.status_code, 200)
-        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,8 +5,6 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from django.utils.html import _json_script_escapes
-from django.utils.safestring import mark_safe

 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -34,13 +32,8 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    # similarly to `json_script` we escape everything HTML-related, however django
-    # only directly exposes this as a function that also wraps it in a <script> tag
-    # which we dont want for CSS
-    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
-        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -2,9 +2,11 @@

 from collections.abc import Iterator
 from copy import copy
+from datetime import timedelta

 from django.core.cache import cache
 from django.db.models import QuerySet
+from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@ -18,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@ -25,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
+from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -317,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
+
+    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def metrics(self, request: Request, slug: str):
+        """Metrics for application logins"""
+        app = self.get_object()
+        return Response(
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION,
+                context__authorized_application__pk=app.pk.hex,
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,7 @@ from typing import Any

 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
+from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@ -51,6 +52,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@ -315,6 +317,53 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)


+class UserMetricsSerializer(PassiveSerializer):
+    """User Metrics"""
+
+    logins = SerializerMethodField()
+    logins_failed = SerializerMethodField()
+    authorizations = SerializerMethodField()
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins(self, _):
+        """Get successful logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN, user__pk=user.pk
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_logins_failed(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.LOGIN_FAILED, context__username=user.username
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+    @extend_schema_field(CoordinateSerializer(many=True))
+    def get_authorizations(self, _):
+        """Get failed logins per 8 hours for the last 7 days"""
+        user = self.context["user"]
+        request = self.context["request"]
+        return (
+            get_objects_for_user(request.user, "authentik_events.view_event").filter(
+                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
+            )
+            # 3 data points per day, so 8 hour spans
+            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
+        )
+
+
 class UsersFilter(FilterSet):
    """Filter for users"""

@ -558,6 +607,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)

+    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
+    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def metrics(self, request: Request, pk: int) -> Response:
+        """User metrics per 1h"""
+        user: User = self.get_object()
+        serializer = UserMetricsSerializer(instance={})
+        serializer.context["user"] = user
+        serializer.context["request"] = request
+        return Response(serializer.data)
+
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -81,6 +81,22 @@ class TestUsersAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
        self.assertEqual(response.status_code, 200)

+    def test_metrics(self):
+        """Test user's metrics"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_metrics_denied(self):
+        """Test user's metrics (non-superuser)"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 403)
+
    def test_recovery_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -1,36 +1,28 @@
 """Events API Views"""

 from datetime import timedelta
+from json import loads

 import django_filters
-from django.db.models import Count, ExpressionWrapper, F, QuerySet
-from django.db.models import DateTimeField as DjangoDateTimeField
+from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import TruncHour
+from django.db.models.functions import ExtractDay, ExtractHour
 from django.db.models.query_utils import Q
-from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

+from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction


-class EventVolumeSerializer(PassiveSerializer):
-    """Count of events of action created on day"""
-
-    action = ChoiceField(choices=EventAction.choices)
-    time = DateTimeField()
-    count = IntegerField()
-
-
 class EventSerializer(ModelSerializer):
    """Event Serializer"""

@ -61,7 +53,7 @@ class EventsFilter(django_filters.FilterSet):
    """Filter for events"""

    username = django_filters.CharFilter(
-        field_name="user", label="Username", method="filter_username"
+        field_name="user", lookup_expr="username", label="Username"
    )
    context_model_pk = django_filters.CharFilter(
        field_name="context",
@ -86,19 +78,12 @@ class EventsFilter(django_filters.FilterSet):
        field_name="action",
        lookup_expr="icontains",
    )
-    actions = django_filters.MultipleChoiceFilter(
-        field_name="action",
-        choices=EventAction.choices,
-    )
    brand_name = django_filters.CharFilter(
        field_name="brand",
        lookup_expr="name",
        label="Brand name",
    )

-    def filter_username(self, queryset, name, value):
-        return queryset.filter(Q(user__username=value) | Q(context__username=value))
-
    def filter_context_model_pk(self, queryset, name, value):
        """Because we store the PK as UUID.hex,
        we need to remove the dashes that a client may send. We can't use a
@ -171,37 +156,45 @@ class EventViewSet(ModelViewSet):
        return Response(EventTopPerUserSerializer(instance=events, many=True).data)

    @extend_schema(
-        responses={200: EventVolumeSerializer(many=True)},
-        parameters=[
-            OpenApiParameter(
-                "history_days",
-                type=OpenApiTypes.NUMBER,
-                location=OpenApiParameter.QUERY,
-                required=False,
-                default=7,
-            ),
-        ],
+        responses={200: CoordinateSerializer(many=True)},
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def volume(self, request: Request) -> Response:
        """Get event volume for specified filters and timeframe"""
-        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
-        delta = timedelta(days=7)
-        time_delta = request.query_params.get("history_days", 7)
-        if time_delta:
-            delta = timedelta(days=min(int(time_delta), 60))
+        queryset = self.filter_queryset(self.get_queryset())
+        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
+
+    @extend_schema(
+        responses={200: CoordinateSerializer(many=True)},
+        filters=[],
+        parameters=[
+            OpenApiParameter(
+                "action",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            ),
+            OpenApiParameter(
+                "query",
+                type=OpenApiTypes.STR,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            ),
+        ],
+    )
+    @action(detail=False, methods=["GET"], pagination_class=None)
+    def per_month(self, request: Request):
+        """Get the count of events per month"""
+        filtered_action = request.query_params.get("action", EventAction.LOGIN)
+        try:
+            query = loads(request.query_params.get("query", "{}"))
+        except ValueError:
+            return Response(status=400)
        return Response(
-            queryset.filter(created__gte=now() - delta)
-            .annotate(hour=TruncHour("created"))
-            .annotate(
-                time=ExpressionWrapper(
-                    F("hour") - (F("hour__hour") % 6) * timedelta(hours=1),
-                    output_field=DjangoDateTimeField(),
-                )
-            )
-            .values("time", "action")
-            .annotate(count=Count("pk"))
-            .order_by("time", "action")
+            get_objects_for_user(request.user, "authentik_events.view_event")
+            .filter(action=filtered_action)
+            .filter(**query)
+            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
        )

    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -1,5 +1,7 @@
 """authentik events models"""

+import time
+from collections import Counter
 from datetime import timedelta
 from difflib import get_close_matches
 from functools import lru_cache
@ -9,6 +11,11 @@ from uuid import uuid4

 from django.apps import apps
 from django.db import connection, models
+from django.db.models import Count, ExpressionWrapper, F
+from django.db.models.fields import DurationField
+from django.db.models.functions import Extract
+from django.db.models.manager import Manager
+from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@ -117,6 +124,60 @@ class EventAction(models.TextChoices):
    CUSTOM_PREFIX = "custom_"


+class EventQuerySet(QuerySet):
+    """Custom events query set with helper functions"""
+
+    def get_events_per(
+        self,
+        time_since: timedelta,
+        extract: Extract,
+        data_points: int,
+    ) -> list[dict[str, int]]:
+        """Get event count by hour in the last day, fill with zeros"""
+        _now = now()
+        max_since = timedelta(days=60)
+        # Allow maximum of 60 days to limit load
+        if time_since.total_seconds() > max_since.total_seconds():
+            time_since = max_since
+        date_from = _now - time_since
+        result = (
+            self.filter(created__gte=date_from)
+            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
+            .annotate(age_interval=extract("age"))
+            .values("age_interval")
+            .annotate(count=Count("pk"))
+            .order_by("age_interval")
+        )
+        data = Counter({int(d["age_interval"]): d["count"] for d in result})
+        results = []
+        interval_delta = time_since / data_points
+        for interval in range(1, -data_points, -1):
+            results.append(
+                {
+                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
+                    "y_cord": data[interval * -1],
+                }
+            )
+        return results
+
+
+class EventManager(Manager):
+    """Custom helper methods for Events"""
+
+    def get_queryset(self) -> QuerySet:
+        """use custom queryset"""
+        return EventQuerySet(self.model, using=self._db)
+
+    def get_events_per(
+        self,
+        time_since: timedelta,
+        extract: Extract,
+        data_points: int,
+    ) -> list[dict[str, int]]:
+        """Wrap method from queryset"""
+        return self.get_queryset().get_events_per(time_since, extract, data_points)
+
+
 class Event(SerializerModel, ExpiringModel):
    """An individual Audit/Metrics/Notification/Error Event"""

@ -132,6 +193,8 @@ class Event(SerializerModel, ExpiringModel):
    # Shadow the expires attribute from ExpiringModel to override the default duration
    expires = models.DateTimeField(default=default_event_duration)

+    objects = EventManager()
+
    @staticmethod
    def _get_app_from_request(request: HttpRequest) -> str:
        if not isinstance(request, HttpRequest):
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -37,9 +37,6 @@ class WebsocketMessageInstruction(IntEnum):
    # Provider specific message
    PROVIDER_SPECIFIC = 3

-    # Session ended
-    SESSION_END = 4
-

@dataclass(slots=True)
 class WebsocketMessage:
@ -148,14 +145,6 @@ class OutpostConsumer(JsonWebsocketConsumer):
            asdict(WebsocketMessage(instruction=WebsocketMessageInstruction.TRIGGER_UPDATE))
        )

-    def event_session_end(self, event):
-        """Event handler which is called when a session is ended"""
-        self.send_json(
-            asdict(
-                WebsocketMessage(instruction=WebsocketMessageInstruction.SESSION_END, args=event)
-            )
-        )
-
    def event_provider_specific(self, event):
        """Event handler which can be called by provider-specific
        implementations to send specific messages to the outpost"""
--- a/authentik/outposts/signals.py
+++ b/authentik/outposts/signals.py
@ -1,24 +1,17 @@
 """authentik outpost signals"""

-from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete, pre_save
 from django.dispatch import receiver
-from django.http import HttpRequest
 from structlog.stdlib import get_logger

 from authentik.brands.models import Brand
-from authentik.core.models import AuthenticatedSession, Provider, User
+from authentik.core.models import Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
-from authentik.outposts.tasks import (
-    CACHE_KEY_OUTPOST_DOWN,
-    outpost_controller,
-    outpost_post_save,
-    outpost_session_end,
-)
+from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save

 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@ -80,17 +73,3 @@ def pre_delete_cleanup(sender, instance: Outpost, **_):
    instance.user.delete()
    cache.set(CACHE_KEY_OUTPOST_DOWN % instance.pk.hex, instance)
    outpost_controller.delay(instance.pk.hex, action="down", from_cache=True)
-
-
-@receiver(user_logged_out)
-def logout_revoke_direct(sender: type[User], request: HttpRequest, **_):
-    """Catch logout by direct logout and forward to providers"""
-    if not request.session or not request.session.session_key:
-        return
-    outpost_session_end.delay(request.session.session_key)
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
-def logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
-    """Catch logout by expiring sessions being deleted"""
-    outpost_session_end.delay(instance.session.session_key)
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,6 +1,5 @@
 """outpost tasks"""

-from hashlib import sha256
 from os import R_OK, access
 from pathlib import Path
 from socket import gethostname
@ -50,11 +49,6 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"


-def hash_session_key(session_key: str) -> str:
-    """Hash the session key for sending session end signals"""
-    return sha256(session_key.encode("ascii")).hexdigest()
-
-
 def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
@ -295,20 +289,3 @@ def outpost_connection_discovery(self: SystemTask):
                url=unix_socket_path,
            )
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
-
-
-@CELERY_APP.task()
-def outpost_session_end(session_id: str):
-    """Update outpost instances connected to a single outpost"""
-    layer = get_channel_layer()
-    hashed_session_id = hash_session_key(session_id)
-    for outpost in Outpost.objects.all():
-        LOGGER.info("Sending session end signal to outpost", outpost=outpost)
-        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
-        async_to_sync(layer.group_send)(
-            group,
-            {
-                "type": "event.session.end",
-                "session_id": hashed_session_id,
-            },
-        )
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""

 from dataclasses import asdict
+from unittest.mock import patch

 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
+from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase

 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket


+def patched__get_ct_cached(app_label, codename):
+    """Caches `ContentType` instances like its `QuerySet` does."""
+    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
+
+
+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""

--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -0,0 +1,23 @@
+"""Proxy provider signals"""
+
+from django.contrib.auth.signals import user_logged_out
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+from django.http import HttpRequest
+
+from authentik.core.models import AuthenticatedSession, User
+from authentik.providers.proxy.tasks import proxy_on_logout
+
+
+@receiver(user_logged_out)
+def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
+    """Catch logout by direct logout and forward to proxy providers"""
+    if not request.session or not request.session.session_key:
+        return
+    proxy_on_logout.delay(request.session.session_key)
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
+    """Catch logout by expiring sessions being deleted"""
+    proxy_on_logout.delay(instance.session.session_key)
--- a/authentik/providers/proxy/tasks.py
+++ b/authentik/providers/proxy/tasks.py
@ -0,0 +1,26 @@
+"""proxy provider tasks"""
+
+from asgiref.sync import async_to_sync
+from channels.layers import get_channel_layer
+
+from authentik.outposts.consumer import OUTPOST_GROUP
+from authentik.outposts.models import Outpost, OutpostType
+from authentik.providers.oauth2.id_token import hash_session_key
+from authentik.root.celery import CELERY_APP
+
+
+@CELERY_APP.task()
+def proxy_on_logout(session_id: str):
+    """Update outpost instances connected to a single outpost"""
+    layer = get_channel_layer()
+    hashed_session_id = hash_session_key(session_id)
+    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
+        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
+        async_to_sync(layer.group_send)(
+            group,
+            {
+                "type": "event.provider.specific",
+                "sub_type": "logout",
+                "session_id": hashed_session_id,
+            },
+        )
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -20,9 +20,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-PLAN_CONNECTION_SETTINGS = "connection_settings"


 class RACStartView(PolicyAccessView):
@ -112,15 +109,10 @@ class RACFinalStage(RedirectStage):
        return super().dispatch(request, *args, **kwargs)

    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
-        settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
-        if not settings:
-            settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-                PLAN_CONNECTION_SETTINGS
-            )
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            settings=settings or {},
+            settings=self.executor.plan.context.get("connection_settings", {}),
            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
--- a/authentik/rbac/tests/test_decorators.py
+++ b/authentik/rbac/tests/test_decorators.py
@ -1,29 +1,12 @@
 """test decorators api"""

+from django.urls import reverse
 from guardian.shortcuts import assign_perm
-from rest_framework.decorators import action
-from rest_framework.request import Request
-from rest_framework.response import Response
 from rest_framework.test import APITestCase
-from rest_framework.viewsets import ModelViewSet

 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import get_request
-from authentik.rbac.decorators import permission_required
-
-
-class MVS(ModelViewSet):
-
-    queryset = Application.objects.all()
-    lookup_field = "slug"
-
-    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
-    @action(detail=True, pagination_class=None, filter_backends=[])
-    def test(self, request: Request, slug: str):
-        self.get_object()
-        return Response(status=200)


 class TestAPIDecorators(APITestCase):
@ -35,33 +18,41 @@ class TestAPIDecorators(APITestCase):

    def test_obj_perm_denied(self):
        """Test object perm denied"""
-        request = get_request("", user=self.user)
+        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
        self.assertEqual(response.status_code, 403)

    def test_obj_perm_global(self):
        """Test object perm successful (global)"""
        assign_perm("authentik_core.view_application", self.user)
        assign_perm("authentik_events.view_event", self.user)
+        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        request = get_request("", user=self.user)
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
-        self.assertEqual(response.status_code, 200, response.data)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
+        self.assertEqual(response.status_code, 200)

    def test_obj_perm_scoped(self):
        """Test object perm successful (scoped)"""
        assign_perm("authentik_events.view_event", self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
        self.assertEqual(response.status_code, 200)

    def test_other_perm_denied(self):
        """Test other perm denied"""
+        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
+        )
        self.assertEqual(response.status_code, 403)
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,44 +3,25 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
-from unittest.mock import patch

 import pytest
 from django.conf import settings
-from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
-from structlog.stdlib import get_logger

 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
+from tests.e2e.utils import get_docker_tag

 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None


-def get_docker_tag() -> str:
-    """Get docker-tag based off of CI variables"""
-    env_pr_branch = "GITHUB_HEAD_REF"
-    default_branch = "GITHUB_REF"
-    branch_name = os.environ.get(default_branch, "main")
-    if os.environ.get(env_pr_branch, "") != "":
-        branch_name = os.environ[env_pr_branch]
-    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
-    return f"gh-{branch_name}"
-
-
-def patched__get_ct_cached(app_label, codename):
-    """Caches `ContentType` instances like its `QuerySet` does."""
-    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
-
-
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
-        self.logger = get_logger().bind(runner="pytest")

        self.args = []
        if self.failfast:
@ -53,33 +34,22 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        if kwargs.get("no_capture", False):
            self.args.append("--capture=no")

-        self._setup_test_environment()
-
-    def _setup_test_environment(self):
-        """Configure test environment settings"""
        settings.TEST = True
        settings.CELERY["task_always_eager"] = True
-
-        # Test-specific configuration
-        test_config = {
-            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
-            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
-            "blueprints_dir": "./blueprints",
-            "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
-            "tenants.enabled": False,
-            "outposts.disable_embedded_outpost": False,
-            "error_reporting.sample_rate": 0,
-            "error_reporting.environment": "testing",
-            "error_reporting.send_pii": True,
-        }
-
-        for key, value in test_config.items():
-            CONFIG.set(key, value)
-
+        CONFIG.set("events.context_processors.geoip", "tests/GeoLite2-City-Test.mmdb")
+        CONFIG.set("events.context_processors.asn", "tests/GeoLite2-ASN-Test.mmdb")
+        CONFIG.set("blueprints_dir", "./blueprints")
+        CONFIG.set(
+            "outposts.container_image_base",
+            f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
+        )
+        CONFIG.set("tenants.enabled", False)
+        CONFIG.set("outposts.disable_embedded_outpost", False)
+        CONFIG.set("error_reporting.sample_rate", 0)
+        CONFIG.set("error_reporting.environment", "testing")
+        CONFIG.set("error_reporting.send_pii", True)
        sentry_init()
-        self.logger.debug("Test environment configured")

-        # Send startup signals
        pre_startup.send(sender=self, mode="test")
        startup.send(sender=self, mode="test")
        post_startup.send(sender=self, mode="test")
@ -102,21 +72,7 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            help="Disable any capturing of stdout/stderr during tests.",
        )

-    def _validate_test_label(self, label: str) -> bool:
-        """Validate test label format"""
-        if not label:
-            return False
-
-        # Check for invalid characters, but allow forward slashes and colons
-        # for paths and pytest markers
-        invalid_chars = set('\\*?"<>|')
-        if any(c in label for c in invalid_chars):
-            self.logger.error("Invalid characters in test label", label=label)
-            return False
-
-        return True
-
-    def run_tests(self, test_labels: list[str], extra_tests=None, **kwargs):
+    def run_tests(self, test_labels, extra_tests=None, **kwargs):
        """Run pytest and return the exitcode.

        It translates some of Django's test command option to pytest's.
@ -126,17 +82,10 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        The extra_tests argument has been deprecated since Django 5.x
        It is kept for compatibility with PyCharm's Django test runner.
        """
-        if not test_labels:
-            self.logger.error("No test files specified")
-            return 1

        for label in test_labels:
-            if not self._validate_test_label(label):
-                return 1
-
            valid_label_found = False
            label_as_path = os.path.abspath(label)
-
            # File path has been specified
            if os.path.exists(label_as_path):
                self.args.append(label_as_path)
@ -144,31 +93,24 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            elif "::" in label:
                self.args.append(label)
                valid_label_found = True
+            # Convert dotted module path to file_path::class::method
            else:
-                # Check if the label is a dotted module path
                path_pieces = label.split(".")
+                # Check whether only class or class and method are specified
                for i in range(-1, -3, -1):
-                    try:
-                        path = os.path.join(*path_pieces[:i]) + ".py"
-                        if os.path.exists(path):
-                            if i < -1:
-                                path_method = path + "::" + "::".join(path_pieces[i:])
-                                self.args.append(path_method)
-                            else:
-                                self.args.append(path)
-                            valid_label_found = True
-                            break
-                    except (TypeError, IndexError):
-                        continue
+                    path = os.path.join(*path_pieces[:i]) + ".py"
+                    label_as_path = os.path.abspath(path)
+                    if os.path.exists(label_as_path):
+                        path_method = label_as_path + "::" + "::".join(path_pieces[i:])
+                        self.args.append(path_method)
+                        valid_label_found = True
+                        break

            if not valid_label_found:
-                self.logger.error("Test file not found", label=label)
-                return 1
+                raise RuntimeError(
+                    f"One of the test labels: {label!r}, "
+                    f"is not supported. Use a dotted module name or "
+                    f"path instead."
+                )

-        self.logger.info("Running tests", test_files=self.args)
-        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
-            try:
-                return pytest.main(self.args)
-            except Exception as e:
-                self.logger.error("Error running tests", error=str(e), test_files=self.args)
-                return 1
+        return pytest.main(self.args)
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -100,11 +100,9 @@ def send_mail(
        # Because we use the Message-ID as UID for the task, manually assign it
        message_object.extra_headers["Message-ID"] = message_id

-        # Add the logo if it is used in the email body (we can't add it in the
-        # previous message since MIMEImage can't be converted to json)
-        body = get_email_body(message_object)
-        if "cid:logo" in body:
-            message_object.attach(logo_data())
+        # Add the logo (we can't add it in the previous message since MIMEImage
+        # can't be converted to json)
+        message_object.attach(logo_data())

        if (
            message_object.to
--- a/authentik/stages/email/templates/email/base.html
+++ b/authentik/stages/email/templates/email/base.html
@ -96,7 +96,7 @@
                <table width="100%" style="background-color: #FFFFFF; border-spacing: 0; margin-top: 15px;">
                  <tr height="80">
                    <td align="center" style="padding: 20px 0;">
-                      <img src="{% block logo_url %}cid:logo{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
+                      <img src="{% block logo_url %}cid:logo.png{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
                    </td>
                  </tr>
                  {% block content %}
--- a/authentik/stages/email/utils.py
+++ b/authentik/stages/email/utils.py
@ -19,8 +19,7 @@ def logo_data() -> MIMEImage:
        path = Path("web/dist/assets/icons/icon_left_brand.png")
    with open(path, "rb") as _logo_file:
        logo = MIMEImage(_logo_file.read())
-    logo.add_header("Content-ID", "<logo>")
-    logo.add_header("Content-Disposition", "inline", filename="logo.png")
+    logo.add_header("Content-ID", "logo.png")
    return logo


--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -22,11 +22,12 @@ from rest_framework.serializers import ValidationError

 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
-from authentik.flows.challenge import Challenge, ChallengeResponse
+from authentik.flows.challenge import Challenge, ChallengeResponse, HttpChallengeResponse
 from authentik.flows.planner import FlowPlan
 from authentik.flows.stage import ChallengeStageView
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyBindingModel, PolicyEngineMode
+from authentik.policies.types import PolicyResult
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.prompt.signals import password_validate

@ -36,7 +37,7 @@ PLAN_CONTEXT_PROMPT = "prompt_data"
 class StagePromptSerializer(PassiveSerializer):
    """Serializer for a single Prompt field"""

-    field_key = CharField()
+    field_key = CharField(required=True)
    label = CharField(allow_blank=True)
    type = ChoiceField(choices=FieldTypes.choices)
    required = BooleanField()
@ -47,21 +48,39 @@ class StagePromptSerializer(PassiveSerializer):
    choices = ListField(child=CharField(allow_blank=True), allow_empty=True, allow_null=True)


+class PromptChallengeMeta(PassiveSerializer):
+    """Additional context sent with the initial challenge, which might contain
+    info when doing dry-runs or other validation fails"""
+
+    field_key = CharField(required=True)
+
+
 class PromptChallenge(Challenge):
    """Initial challenge being sent, define fields"""

    fields = StagePromptSerializer(many=True)
+    meta = PromptChallengeMeta(many=True)
    component = CharField(default="ak-stage-prompt")


+class PromptChallengeResponseMeta(PassiveSerializer):
+    """Additional context sent back by the flow executor when submitting
+    the prompt stage"""
+
+    dry_run = BooleanField(required=True)
+
+
 class PromptChallengeResponse(ChallengeResponse):
    """Validate response, fields are dynamically created based
    on the stage"""

    stage_instance: PromptStage
+    validation_result: PolicyResult

    component = CharField(default="ak-stage-prompt")

+    meta = PromptChallengeResponseMeta()
+
    def __init__(self, *args, **kwargs):
        stage: PromptStage = kwargs.pop("stage_instance", None)
        plan: FlowPlan = kwargs.pop("plan", None)
@ -145,11 +164,12 @@ class PromptChallengeResponse(ChallengeResponse):
        engine.request.context[PLAN_CONTEXT_PROMPT] = attrs
        engine.use_cache = False
        engine.build()
-        result = engine.result
-        if not result.passing:
-            raise ValidationError(list(result.messages))
+
+        self.validation_result = engine.result
+        if not self.validation_result.passing:
+            raise ValidationError(list(self.validation_result.messages))
        else:
-            for msg in result.messages:
+            for msg in self.validation_result.messages:
                add_message(self.request, INFO, msg)
        return attrs

@ -250,8 +270,17 @@ class PromptStageView(ChallengeStageView):
            user=self.get_pending_user(),
        )

-    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
-        if PLAN_CONTEXT_PROMPT not in self.executor.plan.context:
-            self.executor.plan.context[PLAN_CONTEXT_PROMPT] = {}
+    def challenge_dry_run(self, response: PromptChallengeResponse, result: PolicyResult) -> HttpResponse:
+        challenge = self.get_challenge()
+        # TODO update challenge.meta
+        return HttpChallengeResponse(challenge)
+
+    def challenge_valid(self, response: PromptChallengeResponse) -> HttpResponse:
+        if response.validated_data["meta"]["dry_run"]:
+            # If we get to this point, the serializer must have a .validation_result attribute
+            # as if any other validation fails, it would've raised a validation error
+            # which is handled in the challenge stage base class
+            return self.challenge_dry_run(response, response.validation_result)
+        self.executor.plan.context.setdefault(PLAN_CONTEXT_PROMPT, {})
        self.executor.plan.context[PLAN_CONTEXT_PROMPT].update(response.validated_data)
        return self.executor.stage_ok()
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,6 @@ go 1.24.0

 require (
 	beryju.io/ldap v0.1.0
-	github.com/avast/retry-go/v4 v4.6.1
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/getsentry/sentry-go v0.33.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
@ -23,16 +22,16 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.10.0
+	github.com/redis/go-redis/v9 v9.9.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025061.2
+	goauthentik.io/api/v3 v3.2025060.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.15.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
--- a/go.sum
+++ b/go.sum
@ -41,8 +41,6 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
-github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@ -251,8 +249,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs=
-github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.9.0 h1:URbPQ4xVQSQhZ27WMQVmZSo3uT3pL+4IdHVcYq2nVfM=
+github.com/redis/go-redis/v9 v9.9.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -298,8 +296,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025061.2 h1:bKmrl82Gz6J8lz3f+QIH9g+MEkl3MvkMXF34GktesA0=
-goauthentik.io/api/v3 v3.2025061.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025060.1 h1:H/TDuroJlQicuxrWEnLcO3lzQaHuR28xrUb1L2362Vo=
+goauthentik.io/api/v3 v3.2025060.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -384,8 +382,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.6.1"
+const VERSION = "2025.6.0"
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -13,7 +13,6 @@ import (
 	"syscall"
 	"time"

-	"github.com/avast/retry-go/v4"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
 	"github.com/gorilla/websocket"
@ -26,6 +25,8 @@ import (
 	"goauthentik.io/internal/utils/web"
 )

+type WSHandler func(ctx context.Context, args map[string]interface{})
+
 const ConfigLogLevel = "log_level"

 // APIController main controller which connects to the authentik api via http and ws
@ -42,11 +43,12 @@ type APIController struct {

 	reloadOffset time.Duration

-	eventConn        *websocket.Conn
-	lastWsReconnect  time.Time
-	wsIsReconnecting bool
-	eventHandlers    []EventHandler
-	refreshHandlers  []func()
+	wsConn              *websocket.Conn
+	lastWsReconnect     time.Time
+	wsIsReconnecting    bool
+	wsBackoffMultiplier int
+	wsHandlers          []WSHandler
+	refreshHandlers     []func()

 	instanceUUID uuid.UUID
 }
@ -81,19 +83,20 @@ func NewAPIController(akURL url.URL, token string) *APIController {

 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, _ := retry.DoWithData[*api.PaginatedOutpostList](
-		func() (*api.PaginatedOutpostList, error) {
-			outposts, _, err := apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
-			return outposts, err
-		},
-		retry.Attempts(0),
-		retry.Delay(time.Second*3),
-		retry.OnRetry(func(attempt uint, err error) {
-			log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
-		}),
-	)
+	var outposts *api.PaginatedOutpostList
+	var err error
+	for {
+		outposts, _, err = apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+
+		if err == nil {
+			break
+		}
+
+		log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
+		time.Sleep(time.Second * 3)
+	}
 	if len(outposts.Results) < 1 {
-		log.Panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
+		panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
 	}
 	outpost := outposts.Results[0]

@ -116,16 +119,17 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		token:  token,
 		logger: log,

-		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:    uuid.New(),
-		Outpost:         outpost,
-		eventHandlers:   []EventHandler{},
-		refreshHandlers: make([]func(), 0),
+		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
+		instanceUUID:        uuid.New(),
+		Outpost:             outpost,
+		wsHandlers:          []WSHandler{},
+		wsBackoffMultiplier: 1,
+		refreshHandlers:     make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
-	err = ac.initEvent(akURL, outpost.Pk)
+	err = ac.initWS(akURL, outpost.Pk)
 	if err != nil {
-		go ac.recentEvents()
+		go ac.reconnectWS()
 	}
 	ac.configureRefreshSignal()
 	return ac
@ -196,7 +200,7 @@ func (a *APIController) OnRefresh() error {
 	return err
 }

-func (a *APIController) getEventPingArgs() map[string]interface{} {
+func (a *APIController) getWebsocketPingArgs() map[string]interface{} {
 	args := map[string]interface{}{
 		"version":        constants.VERSION,
 		"buildHash":      constants.BUILD(""),
@ -222,12 +226,12 @@ func (a *APIController) StartBackgroundTasks() error {
 		"build":        constants.BUILD(""),
 	}).Set(1)
 	go func() {
-		a.logger.Debug("Starting Event Handler...")
-		a.startEventHandler()
+		a.logger.Debug("Starting WS Handler...")
+		a.startWSHandler()
 	}()
 	go func() {
-		a.logger.Debug("Starting Event health notifier...")
-		a.startEventHealth()
+		a.logger.Debug("Starting WS Health notifier...")
+		a.startWSHealth()
 	}()
 	go func() {
 		a.logger.Debug("Starting Interval updater...")
--- a/internal/outpost/ak/api_event_msg.go
+++ b/internal/outpost/ak/api_event_msg.go
@ -1,37 +0,0 @@
-package ak
-
-import (
-	"context"
-
-	"github.com/mitchellh/mapstructure"
-)
-
-type EventKind int
-
-const (
-	// Code used to acknowledge a previous message
-	EventKindAck EventKind = 0
-	// Code used to send a healthcheck keepalive
-	EventKindHello EventKind = 1
-	// Code received to trigger a config update
-	EventKindTriggerUpdate EventKind = 2
-	// Code received to trigger some provider specific function
-	EventKindProviderSpecific EventKind = 3
-	// Code received to identify the end of a session
-	EventKindSessionEnd EventKind = 4
-)
-
-type EventHandler func(ctx context.Context, msg Event) error
-
-type Event struct {
-	Instruction EventKind   `json:"instruction"`
-	Args        interface{} `json:"args"`
-}
-
-func (wm Event) ArgsAs(out interface{}) error {
-	return mapstructure.Decode(wm.Args, out)
-}
-
-type EventArgsSessionEnd struct {
-	SessionID string `mapstructure:"session_id"`
-}
--- a/internal/outpost/ak/api_event.go
+++ b/internal/outpost/ak/api_event.go
@ -11,7 +11,6 @@ import (
 	"strings"
 	"time"

-	"github.com/avast/retry-go/v4"
 	"github.com/gorilla/websocket"
 	"github.com/prometheus/client_golang/prometheus"
 	"goauthentik.io/internal/config"
@ -31,7 +30,7 @@ func (ac *APIController) getWebsocketURL(akURL url.URL, outpostUUID string, quer
 	return wsUrl
 }

-func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
+func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())

@ -58,19 +57,19 @@ func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
 		return err
 	}

-	ac.eventConn = ws
+	ac.wsConn = ws
 	// Send hello message with our version
-	msg := Event{
-		Instruction: EventKindHello,
-		Args:        ac.getEventPingArgs(),
+	msg := websocketMessage{
+		Instruction: WebsocketInstructionHello,
+		Args:        ac.getWebsocketPingArgs(),
 	}
 	err = ws.WriteJSON(msg)
 	if err != nil {
-		ac.logger.WithField("logger", "authentik.outpost.events").WithError(err).Warning("Failed to hello to authentik")
+		ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithError(err).Warning("Failed to hello to authentik")
 		return err
 	}
 	ac.lastWsReconnect = time.Now()
-	ac.logger.WithField("logger", "authentik.outpost.events").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
+	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
 	return nil
 }

@ -78,19 +77,19 @@ func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
 func (ac *APIController) Shutdown() {
 	// Cleanly close the connection by sending a close message and then
 	// waiting (with timeout) for the server to close the connection.
-	err := ac.eventConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+	err := ac.wsConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to write close message")
 		return
 	}
-	err = ac.eventConn.Close()
+	err = ac.wsConn.Close()
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to close websocket")
 	}
 	ac.logger.Info("finished shutdown")
 }

-func (ac *APIController) recentEvents() {
+func (ac *APIController) reconnectWS() {
 	if ac.wsIsReconnecting {
 		return
 	}
@ -101,47 +100,46 @@ func (ac *APIController) recentEvents() {
 		Path:   strings.ReplaceAll(ac.Client.GetConfig().Servers[0].URL, "api/v3", ""),
 	}
 	attempt := 1
-	_ = retry.Do(
-		func() error {
-			q := u.Query()
-			q.Set("attempt", strconv.Itoa(attempt))
-			u.RawQuery = q.Encode()
-			err := ac.initEvent(u, ac.Outpost.Pk)
-			attempt += 1
-			if err != nil {
-				return err
+	for {
+		q := u.Query()
+		q.Set("attempt", strconv.Itoa(attempt))
+		u.RawQuery = q.Encode()
+		err := ac.initWS(u, ac.Outpost.Pk)
+		attempt += 1
+		if err != nil {
+			ac.logger.Infof("waiting %d seconds to reconnect", ac.wsBackoffMultiplier)
+			time.Sleep(time.Duration(ac.wsBackoffMultiplier) * time.Second)
+			ac.wsBackoffMultiplier = ac.wsBackoffMultiplier * 2
+			// Limit to 300 seconds (5m)
+			if ac.wsBackoffMultiplier >= 300 {
+				ac.wsBackoffMultiplier = 300
 			}
+		} else {
 			ac.wsIsReconnecting = false
-			return nil
-		},
-		retry.Delay(1*time.Second),
-		retry.MaxDelay(5*time.Minute),
-		retry.DelayType(retry.BackOffDelay),
-		retry.Attempts(0),
-		retry.OnRetry(func(attempt uint, err error) {
-			ac.logger.Infof("waiting %d seconds to reconnect", attempt)
-		}),
-	)
+			ac.wsBackoffMultiplier = 1
+			return
+		}
+	}
 }

-func (ac *APIController) startEventHandler() {
-	logger := ac.logger.WithField("loop", "event-handler")
+func (ac *APIController) startWSHandler() {
+	logger := ac.logger.WithField("loop", "ws-handler")
 	for {
-		var wsMsg Event
-		if ac.eventConn == nil {
-			go ac.recentEvents()
+		var wsMsg websocketMessage
+		if ac.wsConn == nil {
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.eventConn.ReadJSON(&wsMsg)
+		err := ac.wsConn.ReadJSON(&wsMsg)
 		if err != nil {
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
 				"uuid":         ac.instanceUUID.String(),
 			}).Set(0)
-			logger.WithError(err).Warning("event read error")
-			go ac.recentEvents()
+			logger.WithError(err).Warning("ws read error")
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
@ -151,8 +149,7 @@ func (ac *APIController) startEventHandler() {
 			"uuid":         ac.instanceUUID.String(),
 		}).Set(1)
 		switch wsMsg.Instruction {
-		case EventKindAck:
-		case EventKindTriggerUpdate:
+		case WebsocketInstructionTriggerUpdate:
 			time.Sleep(ac.reloadOffset)
 			logger.Debug("Got update trigger...")
 			err := ac.OnRefresh()
@ -167,33 +164,30 @@ func (ac *APIController) startEventHandler() {
 					"build":        constants.BUILD(""),
 				}).SetToCurrentTime()
 			}
-		default:
-			for _, h := range ac.eventHandlers {
-				err := h(context.Background(), wsMsg)
-				if err != nil {
-					ac.logger.WithError(err).Warning("failed to run event handler")
-				}
+		case WebsocketInstructionProviderSpecific:
+			for _, h := range ac.wsHandlers {
+				h(context.Background(), wsMsg.Args)
 			}
 		}
 	}
 }

-func (ac *APIController) startEventHealth() {
+func (ac *APIController) startWSHealth() {
 	ticker := time.NewTicker(time.Second * 10)
 	for ; true; <-ticker.C {
-		if ac.eventConn == nil {
-			go ac.recentEvents()
+		if ac.wsConn == nil {
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.SendEventHello(map[string]interface{}{})
+		err := ac.SendWSHello(map[string]interface{}{})
 		if err != nil {
-			ac.logger.WithField("loop", "event-health").WithError(err).Warning("event write error")
-			go ac.recentEvents()
+			ac.logger.WithField("loop", "ws-health").WithError(err).Warning("ws write error")
+			go ac.reconnectWS()
 			time.Sleep(time.Second * 5)
 			continue
 		} else {
-			ac.logger.WithField("loop", "event-health").Trace("hello'd")
+			ac.logger.WithField("loop", "ws-health").Trace("hello'd")
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
@ -236,19 +230,19 @@ func (ac *APIController) startIntervalUpdater() {
 	}
 }

-func (a *APIController) AddEventHandler(handler EventHandler) {
-	a.eventHandlers = append(a.eventHandlers, handler)
+func (a *APIController) AddWSHandler(handler WSHandler) {
+	a.wsHandlers = append(a.wsHandlers, handler)
 }

-func (a *APIController) SendEventHello(args map[string]interface{}) error {
-	allArgs := a.getEventPingArgs()
+func (a *APIController) SendWSHello(args map[string]interface{}) error {
+	allArgs := a.getWebsocketPingArgs()
 	for key, value := range args {
 		allArgs[key] = value
 	}
-	aliveMsg := Event{
-		Instruction: EventKindHello,
+	aliveMsg := websocketMessage{
+		Instruction: WebsocketInstructionHello,
 		Args:        allArgs,
 	}
-	err := a.eventConn.WriteJSON(aliveMsg)
+	err := a.wsConn.WriteJSON(aliveMsg)
 	return err
 }
--- a/internal/outpost/ak/api_ws_msg.go
+++ b/internal/outpost/ak/api_ws_msg.go
@ -0,0 +1,19 @@
+package ak
+
+type websocketInstruction int
+
+const (
+	// WebsocketInstructionAck Code used to acknowledge a previous message
+	WebsocketInstructionAck websocketInstruction = 0
+	// WebsocketInstructionHello Code used to send a healthcheck keepalive
+	WebsocketInstructionHello websocketInstruction = 1
+	// WebsocketInstructionTriggerUpdate Code received to trigger a config update
+	WebsocketInstructionTriggerUpdate websocketInstruction = 2
+	// WebsocketInstructionProviderSpecific Code received to trigger some provider specific function
+	WebsocketInstructionProviderSpecific websocketInstruction = 3
+)
+
+type websocketMessage struct {
+	Instruction websocketInstruction   `json:"instruction"`
+	Args        map[string]interface{} `json:"args"`
+}
--- a/internal/outpost/ak/api_event_test.go
+++ b/internal/outpost/ak/api_event_test.go
@ -15,7 +15,7 @@ func URLMustParse(u string) *url.URL {
 	return ur
 }

-func TestEventWebsocketURL(t *testing.T) {
+func TestWebsocketURL(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@ -23,7 +23,7 @@ func TestEventWebsocketURL(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?foo=bar", nu.String())
 }

-func TestEventWebsocketURL_Query(t *testing.T) {
+func TestWebsocketURL_Query(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@ -33,7 +33,7 @@ func TestEventWebsocketURL_Query(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?bar=baz&foo=bar", nu.String())
 }

-func TestEventWebsocketURL_Subpath(t *testing.T) {
+func TestWebsocketURL_Subpath(t *testing.T) {
 	u := URLMustParse("http://localhost:9000/foo/bar/")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
--- a/internal/outpost/ak/test.go
+++ b/internal/outpost/ak/test.go
@ -55,10 +55,11 @@ func MockAK(outpost api.Outpost, globalConfig api.Config) *APIController {
 		token:  token,
 		logger: log,

-		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:    uuid.New(),
-		Outpost:         outpost,
-		refreshHandlers: make([]func(), 0),
+		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
+		instanceUUID:        uuid.New(),
+		Outpost:             outpost,
+		wsBackoffMultiplier: 1,
+		refreshHandlers:     make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
 	return ac
--- a/internal/outpost/flow/executor.go
+++ b/internal/outpost/flow/executor.go
@ -127,7 +127,7 @@ func (fe *FlowExecutor) getAnswer(stage StageComponent) string {
 	return ""
 }

-func (fe *FlowExecutor) SessionCookie() *http.Cookie {
+func (fe *FlowExecutor) GetSession() *http.Cookie {
 	return fe.session
 }

--- a/internal/outpost/flow/session.go
+++ b/internal/outpost/flow/session.go
@ -1,19 +0,0 @@
-package flow
-
-import "github.com/golang-jwt/jwt/v5"
-
-type SessionCookieClaims struct {
-	jwt.Claims
-
-	SessionID     string `json:"sid"`
-	Authenticated bool   `json:"authenticated"`
-}
-
-func (fe *FlowExecutor) Session() *jwt.Token {
-	sc := fe.SessionCookie()
-	if sc == nil {
-		return nil
-	}
-	t, _, _ := jwt.NewParser().ParseUnverified(sc.Value, &SessionCookieClaims{})
-	return t
-}
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@ -38,14 +38,7 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		username, err := instance.binder.GetUsername(bindDN)
 		if err == nil {
 			selectedApp = instance.GetAppSlug()
-			c, err := instance.binder.Bind(username, req)
-			if c == ldap.LDAPResultSuccess {
-				f := instance.GetFlags(req.BindDN)
-				ls.connectionsSync.Lock()
-				ls.connections[f.SessionID()] = conn
-				ls.connectionsSync.Unlock()
-			}
-			return c, err
+			return instance.binder.Bind(username, req)
 		} else {
 			req.Log().WithError(err).Debug("Username not for instance")
 		}
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -27,9 +27,8 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul

 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
-		Session:    fe.SessionCookie(),
-		SessionJWT: fe.Session(),
-		UserPk:     flags.InvalidUserPK,
+		Session: fe.GetSession(),
+		UserPk:  flags.InvalidUserPK,
 	}
 	// only set flags if we don't have flags for this DN yet
 	// as flags are only checked during the bind, we can remember whether a certain DN
--- a/internal/outpost/ldap/close.go
+++ b/internal/outpost/ldap/close.go
@ -1,20 +0,0 @@
-package ldap
-
-import "net"
-
-func (ls *LDAPServer) Close(dn string, conn net.Conn) error {
-	ls.connectionsSync.Lock()
-	defer ls.connectionsSync.Unlock()
-	key := ""
-	for k, c := range ls.connections {
-		if c == conn {
-			key = k
-			break
-		}
-	}
-	if key == "" {
-		return nil
-	}
-	delete(ls.connections, key)
-	return nil
-}
--- a/internal/outpost/ldap/flags/flags.go
+++ b/internal/outpost/ldap/flags/flags.go
@ -1,30 +1,16 @@
 package flags

 import (
-	"crypto/sha256"
-	"encoding/hex"
 	"net/http"

-	"github.com/golang-jwt/jwt/v5"
 	"goauthentik.io/api/v3"
-	"goauthentik.io/internal/outpost/flow"
 )

 const InvalidUserPK = -1

 type UserFlags struct {
-	UserInfo   *api.User
-	UserPk     int32
-	CanSearch  bool
-	Session    *http.Cookie
-	SessionJWT *jwt.Token
-}
-
-func (uf UserFlags) SessionID() string {
-	if uf.SessionJWT == nil {
-		return ""
-	}
-	h := sha256.New()
-	h.Write([]byte(uf.SessionJWT.Claims.(*flow.SessionCookieClaims).SessionID))
-	return hex.EncodeToString(h.Sum(nil))
+	UserInfo  *api.User
+	UserPk    int32
+	CanSearch bool
+	Session   *http.Cookie
 }
--- a/internal/outpost/ldap/ldap.go
+++ b/internal/outpost/ldap/ldap.go
@ -18,26 +18,21 @@ import (
 )

 type LDAPServer struct {
-	s               *ldap.Server
-	log             *log.Entry
-	ac              *ak.APIController
-	cs              *ak.CryptoStore
-	defaultCert     *tls.Certificate
-	providers       []*ProviderInstance
-	connections     map[string]net.Conn
-	connectionsSync sync.Mutex
+	s           *ldap.Server
+	log         *log.Entry
+	ac          *ak.APIController
+	cs          *ak.CryptoStore
+	defaultCert *tls.Certificate
+	providers   []*ProviderInstance
 }

 func NewServer(ac *ak.APIController) ak.Outpost {
 	ls := &LDAPServer{
-		log:             log.WithField("logger", "authentik.outpost.ldap"),
-		ac:              ac,
-		cs:              ak.NewCryptoStore(ac.Client.CryptoApi),
-		providers:       []*ProviderInstance{},
-		connections:     map[string]net.Conn{},
-		connectionsSync: sync.Mutex{},
+		log:       log.WithField("logger", "authentik.outpost.ldap"),
+		ac:        ac,
+		cs:        ak.NewCryptoStore(ac.Client.CryptoApi),
+		providers: []*ProviderInstance{},
 	}
-	ac.AddEventHandler(ls.handleWSSessionEnd)
 	s := ldap.NewServer()
 	s.EnforceLDAP = true

@ -55,7 +50,6 @@ func NewServer(ac *ak.APIController) ak.Outpost {
 	s.BindFunc("", ls)
 	s.UnbindFunc("", ls)
 	s.SearchFunc("", ls)
-	s.CloseFunc("", ls)
 	return ls
 }

@ -123,23 +117,3 @@ func (ls *LDAPServer) TimerFlowCacheExpiry(ctx context.Context) {
 		p.binder.TimerFlowCacheExpiry(ctx)
 	}
 }
-
-func (ls *LDAPServer) handleWSSessionEnd(ctx context.Context, msg ak.Event) error {
-	if msg.Instruction != ak.EventKindSessionEnd {
-		return nil
-	}
-	mmsg := ak.EventArgsSessionEnd{}
-	err := msg.ArgsAs(&mmsg)
-	if err != nil {
-		return err
-	}
-	ls.connectionsSync.Lock()
-	defer ls.connectionsSync.Unlock()
-	ls.log.Info("Disconnecting session due to session end event")
-	conn, ok := ls.connections[mmsg.SessionID]
-	if !ok {
-		return nil
-	}
-	delete(ls.connections, mmsg.SessionID)
-	return conn.Close()
-}
--- a/internal/outpost/ldap/search/direct/schema.go
+++ b/internal/outpost/ldap/search/direct/schema.go
@ -44,40 +44,38 @@ func (ds *DirectSearcher) SearchSubschema(req *search.Request) (ldap.ServerSearc
 					{
 						Name: "attributeTypes",
 						Values: []string{
-							"( 0.9.2342.19200300.100.1.1 NAME 'uid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 0.9.2342.19200300.100.1.41 NAME 'mobile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )",
-							"( 1.2.840.113556.1.2.13 NAME 'displayName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.131 NAME 'co' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.141 NAME 'department' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.146 NAME 'company' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.4.1 NAME 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION )",
-							"( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.4.261 NAME 'division' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.4.750 NAME 'groupType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.4.782 NAME 'objectCategory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )",
-							"( 1.3.6.1.1.1.1.0 NAME 'uidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
-							"( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
-							"( 1.3.6.1.1.1.1.12 NAME 'memberUid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )",
-							"( 2.5.18.1 NAME 'createTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )",
-							"( 2.5.18.2 NAME 'modifyTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )",
-							"( 2.5.21.2 NAME 'dITContentRules' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
-							"( 2.5.21.5 NAME 'attributeTypes' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
-							"( 2.5.21.6 NAME 'objectClasses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
 							"( 2.5.4.0 NAME 'objectClass' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' NO-USER-MODIFICATION )",
+							"( 2.5.4.4 NAME 'sn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.6 NAME 'c' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 2.5.4.10 NAME 'o' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
 							"( 2.5.4.11 NAME 'ou' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
 							"( 2.5.4.12 NAME 'title' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 2.5.4.13 NAME 'description' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
 							"( 2.5.4.20 NAME 'telephoneNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
-							"( 2.5.4.4 NAME 'sn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 2.5.4.42 NAME 'givenName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.6 NAME 'c' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.21.2 NAME 'dITContentRules' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 2.5.21.5 NAME 'attributeTypes' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 2.5.21.6 NAME 'objectClasses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 0.9.2342.19200300.100.1.1 NAME 'uid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 0.9.2342.19200300.100.1.41 NAME 'mobile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.2.13 NAME 'displayName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.2.146 NAME 'company' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )",
+							"( 1.2.840.113556.1.2.131 NAME 'co' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.2.141 NAME 'department' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.1 NAME 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION )",
+							"( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.261 NAME 'division' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.750 NAME 'groupType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.782 NAME 'objectCategory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )",
+							"( 1.3.6.1.1.1.1.0 NAME 'uidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
+							"( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
+							"( 1.3.6.1.1.1.1.12 NAME 'memberUid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )",

 							// Custom attributes
 							// Temporarily use 1.3.6.1.4.1.26027.1.1 as a base
--- a/internal/outpost/ldap/search/request.go
+++ b/internal/outpost/ldap/search/request.go
@ -53,14 +53,6 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
 	if err != nil && len(searchReq.Filter) > 0 {
 		l.WithError(err).WithField("objectClass", filterOC).Warning("invalid filter object class")
 	}
-
-	// Handle comma-separated attributes
-	normalizedAttributes := normalizeAttributes(searchReq.Attributes)
-	if len(normalizedAttributes) != len(searchReq.Attributes) {
-		// Create a copy of the search request with normalized attributes
-		searchReq.Attributes = normalizedAttributes
-	}
-
 	return &Request{
 		SearchRequest:     searchReq,
 		BindDN:            bindDN,
@ -72,31 +64,6 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
 	}, span
 }

-// normalizeAttributes handles the case where attributes might be passed as comma-separated strings
-// rather than as individual array elements
-func normalizeAttributes(attributes []string) []string {
-	if len(attributes) == 0 {
-		return attributes
-	}
-
-	result := make([]string, 0, len(attributes))
-	for _, attr := range attributes {
-		if strings.Contains(attr, ",") {
-			// Split comma-separated attributes and add them individually
-			parts := strings.Split(attr, ",")
-			for _, part := range parts {
-				part = strings.TrimSpace(part)
-				if part != "" {
-					result = append(result, part)
-				}
-			}
-		} else {
-			result = append(result, attr)
-		}
-	}
-	return result
-}
-
 func (r *Request) Context() context.Context {
 	return r.ctx
 }
--- a/internal/outpost/ldap/search/request_test.go
+++ b/internal/outpost/ldap/search/request_test.go
@ -1,98 +0,0 @@
-package search
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestNormalizeAttributes(t *testing.T) {
-	tests := []struct {
-		name           string
-		input          []string
-		expectedOutput []string
-	}{
-		{
-			name:           "Empty input",
-			input:          []string{},
-			expectedOutput: []string{},
-		},
-		{
-			name:           "No commas",
-			input:          []string{"uid", "cn", "sn"},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "Single comma-separated string",
-			input:          []string{"uid,cn,sn"},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "Mixed input",
-			input:          []string{"uid,cn", "sn"},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "With spaces",
-			input:          []string{"uid, cn, sn"},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "Empty parts",
-			input:          []string{"uid,, cn"},
-			expectedOutput: []string{"uid", "cn"},
-		},
-		{
-			name:           "Single element",
-			input:          []string{"uid"},
-			expectedOutput: []string{"uid"},
-		},
-		{
-			name:           "Only commas",
-			input:          []string{",,,"},
-			expectedOutput: []string{},
-		},
-		{
-			name:           "Multiple comma-separated attributes",
-			input:          []string{"uid,cn", "sn,mail", "givenName"},
-			expectedOutput: []string{"uid", "cn", "sn", "mail", "givenName"},
-		},
-		{
-			name:           "Case preservation",
-			input:          []string{"uid,CN,sAMAccountName"},
-			expectedOutput: []string{"uid", "CN", "sAMAccountName"},
-		},
-		{
-			name:           "Leading and trailing spaces",
-			input:          []string{" uid , cn , sn "},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "Real-world LDAP attribute examples",
-			input:          []string{"objectClass,memberOf,mail", "sAMAccountName,userPrincipalName"},
-			expectedOutput: []string{"objectClass", "memberOf", "mail", "sAMAccountName", "userPrincipalName"},
-		},
-		{
-			name:           "Jira-style attribute format",
-			input:          []string{"uid,cn,sn"},
-			expectedOutput: []string{"uid", "cn", "sn"},
-		},
-		{
-			name:           "Single string with single attribute",
-			input:          []string{"cn"},
-			expectedOutput: []string{"cn"},
-		},
-		{
-			name:           "Mix of standard and operational attributes",
-			input:          []string{"uid,+", "createTimestamp"},
-			expectedOutput: []string{"uid", "+", "createTimestamp"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := normalizeAttributes(tt.input)
-			assert.Equal(t, tt.expectedOutput, result)
-		})
-	}
-}
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/gob"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"net/http"
@ -119,8 +118,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	mux := mux.NewRouter()

 	// Save cookie name, based on hashed client ID
-	hs := sha256.Sum256([]byte(*p.ClientId))
-	bs := hex.EncodeToString(hs[:])
+	h := sha256.New()
+	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])

 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@ -66,7 +66,7 @@ func NewProxyServer(ac *ak.APIController) ak.Outpost {
 	globalMux.PathPrefix("/outpost.goauthentik.io/static").HandlerFunc(s.HandleStatic)
 	globalMux.Path("/outpost.goauthentik.io/ping").HandlerFunc(sentryutils.SentryNoSample(s.HandlePing))
 	rootMux.PathPrefix("/").HandlerFunc(s.Handle)
-	ac.AddEventHandler(s.handleWSMessage)
+	ac.AddWSHandler(s.handleWSMessage)
 	return s
 }

--- a/internal/outpost/proxyv2/ws.go
+++ b/internal/outpost/proxyv2/ws.go
@ -3,27 +3,48 @@ package proxyv2
 import (
 	"context"

-	"goauthentik.io/internal/outpost/ak"
+	"github.com/mitchellh/mapstructure"
 	"goauthentik.io/internal/outpost/proxyv2/application"
 )

-func (ps *ProxyServer) handleWSMessage(ctx context.Context, msg ak.Event) error {
-	if msg.Instruction != ak.EventKindSessionEnd {
-		return nil
-	}
-	mmsg := ak.EventArgsSessionEnd{}
-	err := msg.ArgsAs(&mmsg)
-	if err != nil {
-		return err
-	}
-	for _, p := range ps.apps {
-		ps.log.WithField("provider", p.Host).Debug("Logging out")
-		err := p.Logout(ctx, func(c application.Claims) bool {
-			return c.Sid == mmsg.SessionID
-		})
-		if err != nil {
-			ps.log.WithField("provider", p.Host).WithError(err).Warning("failed to logout")
-		}
-	}
-	return nil
+type WSProviderSubType string
+
+const (
+	WSProviderSubTypeLogout WSProviderSubType = "logout"
+)
+
+type WSProviderMsg struct {
+	SubType   WSProviderSubType `mapstructure:"sub_type"`
+	SessionID string            `mapstructure:"session_id"`
+}
+
+func ParseWSProvider(args map[string]interface{}) (*WSProviderMsg, error) {
+	msg := &WSProviderMsg{}
+	err := mapstructure.Decode(args, &msg)
+	if err != nil {
+		return nil, err
+	}
+	return msg, nil
+}
+
+func (ps *ProxyServer) handleWSMessage(ctx context.Context, args map[string]interface{}) {
+	msg, err := ParseWSProvider(args)
+	if err != nil {
+		ps.log.WithError(err).Warning("invalid provider-specific ws message")
+		return
+	}
+	switch msg.SubType {
+	case WSProviderSubTypeLogout:
+		for _, p := range ps.apps {
+			ps.log.WithField("provider", p.Host).Debug("Logging out")
+			err := p.Logout(ctx, func(c application.Claims) bool {
+				return c.Sid == msg.SessionID
+			})
+			if err != nil {
+				ps.log.WithField("provider", p.Host).WithError(err).Warning("failed to logout")
+			}
+		}
+	default:
+		ps.log.WithField("sub_type", msg.SubType).Warning("invalid sub_type")
+	}
 }
--- a/internal/outpost/rac/rac.go
+++ b/internal/outpost/rac/rac.go
@ -6,6 +6,7 @@ import (
 	"strconv"
 	"sync"

+	"github.com/mitchellh/mapstructure"
 	log "github.com/sirupsen/logrus"
 	"github.com/wwt/guac"

@ -29,7 +30,7 @@ func NewServer(ac *ak.APIController) ak.Outpost {
 		connm: sync.RWMutex{},
 		conns: map[string]connection.Connection{},
 	}
-	ac.AddEventHandler(rs.wsHandler)
+	ac.AddWSHandler(rs.wsHandler)
 	return rs
 }

@ -51,14 +52,12 @@ func parseIntOrZero(input string) int {
 	return x
 }

-func (rs *RACServer) wsHandler(ctx context.Context, msg ak.Event) error {
-	if msg.Instruction != ak.EventKindProviderSpecific {
-		return nil
-	}
+func (rs *RACServer) wsHandler(ctx context.Context, args map[string]interface{}) {
 	wsm := WSMessage{}
-	err := msg.ArgsAs(&wsm)
+	err := mapstructure.Decode(args, &wsm)
 	if err != nil {
-		return err
+		rs.log.WithError(err).Warning("invalid ws message")
+		return
 	}
 	config := guac.NewGuacamoleConfiguration()
 	config.Protocol = wsm.Protocol
@ -72,23 +71,23 @@ func (rs *RACServer) wsHandler(ctx context.Context, msg ak.Event) error {
 	}
 	cc, err := connection.NewConnection(rs.ac, wsm.DestChannelID, config)
 	if err != nil {
-		return err
+		rs.log.WithError(err).Warning("failed to setup connection")
+		return
 	}
 	cc.OnError = func(err error) {
 		rs.connm.Lock()
 		delete(rs.conns, wsm.ConnID)
-		_ = rs.ac.SendEventHello(map[string]interface{}{
+		_ = rs.ac.SendWSHello(map[string]interface{}{
 			"active_connections": len(rs.conns),
 		})
 		rs.connm.Unlock()
 	}
 	rs.connm.Lock()
 	rs.conns[wsm.ConnID] = *cc
-	_ = rs.ac.SendEventHello(map[string]interface{}{
+	_ = rs.ac.SendWSHello(map[string]interface{}{
 		"active_connections": len(rs.conns),
 	})
 	rs.connm.Unlock()
-	return nil
 }

 func (rs *RACServer) Start() error {
--- a/internal/outpost/radius/handler.go
+++ b/internal/outpost/radius/handler.go
@ -2,7 +2,6 @@ package radius

 import (
 	"crypto/sha512"
-	"encoding/hex"
 	"time"

 	"github.com/getsentry/sentry-go"
@ -69,9 +68,7 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		}
 	}
 	if pi == nil {
-		hs := sha512.Sum512([]byte(r.Secret))
-		bs := hex.EncodeToString(hs[:])
-		nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
+		nr.Log().WithField("hashed_secret", string(sha512.New().Sum(r.Secret))).Warning("No provider found")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1018.1",
+                "aws-cdk": "^2.1017.1",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,16 +17,16 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1018.1",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1018.1.tgz",
-            "integrity": "sha512-kFPRox5kSm+ktJ451o0ng9rD+60p5Kt1CZIWw8kXnvqbsxN2xv6qbmyWSXw7sGVXVwqrRKVj+71/JeDr+LMAZw==",
+            "version": "2.1017.1",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1017.1.tgz",
+            "integrity": "sha512-KtDdkMhfVjDeexjpMrVoSlz2mTYI5BE/KotvJ7iFbZy1G0nkpW1ImZ54TdBefeeFmZ+8DAjU3I6nUFtymyOI1A==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
                "cdk": "bin/cdk"
            },
            "engines": {
-                "node": ">= 18.0.0"
+                "node": ">= 14.15.0"
            },
            "optionalDependencies": {
                "fsevents": "2.3.2"
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1018.1",
+        "aws-cdk": "^2.1017.1",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.6.1
+    Default: 2025.6.0
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/pt_PT/LC_MESSAGES/django.mo
+++ b/locale/pt_PT/LC_MESSAGES/django.mo
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.1",
+    "version": "2025.6.0",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/authentik",
-            "version": "2025.6.1",
+            "version": "2025.6.0",
            "devDependencies": {
                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                "prettier": "^3.3.3",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.6.1",
+    "version": "2025.6.0",
    "private": true,
    "type": "module",
    "devDependencies": {
--- a/packages/eslint-config/package-lock.json
+++ b/packages/eslint-config/package-lock.json
@ -576,17 +576,17 @@
            "license": "MIT"
        },
        "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.34.0.tgz",
-            "integrity": "sha512-QXwAlHlbcAwNlEEMKQS2RCgJsgXrTJdjXT08xEgbPFa2yYQgVjBymxP5DrfrE7X7iodSzd9qBUHUycdyVJTW1w==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.0.tgz",
+            "integrity": "sha512-CACyQuqSHt7ma3Ns601xykeBK/rDeZa3w6IS6UtMQbixO5DWy+8TilKkviGDH6jtWCo8FGRKEK5cLLkPvEammQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/type-utils": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/type-utils": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "graphemer": "^1.4.0",
                "ignore": "^7.0.0",
                "natural-compare": "^1.4.0",
@ -600,7 +600,7 @@
                "url": "https://opencollective.com/typescript-eslint"
            },
            "peerDependencies": {
-                "@typescript-eslint/parser": "^8.34.0",
+                "@typescript-eslint/parser": "^8.33.0",
                "eslint": "^8.57.0 || ^9.0.0",
                "typescript": ">=4.8.4 <5.9.0"
            }
@ -616,16 +616,16 @@
            }
        },
        "node_modules/@typescript-eslint/parser": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.34.0.tgz",
-            "integrity": "sha512-vxXJV1hVFx3IXz/oy2sICsJukaBrtDEQSBiV48/YIV5KWjX1dO+bcIr/kCPrW6weKXvsaGKFNlwH0v2eYdRRbA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.0.tgz",
+            "integrity": "sha512-JaehZvf6m0yqYp34+RVnihBAChkqeH+tqqhS0GuX1qgPpwLvmTPheKEs6OeCK6hVJgXZHJ2vbjnC9j119auStQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/typescript-estree": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "debug": "^4.3.4"
            },
            "engines": {
@ -641,14 +641,14 @@
            }
        },
        "node_modules/@typescript-eslint/project-service": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.0.tgz",
-            "integrity": "sha512-iEgDALRf970/B2YExmtPMPF54NenZUf4xpL3wsCRx/lgjz6ul/l13R81ozP/ZNuXfnLCS+oPmG7JIxfdNYKELw==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.0.tgz",
+            "integrity": "sha512-d1hz0u9l6N+u/gcrk6s6gYdl7/+pp8yHheRTqP6X5hVDKALEaTn8WfGiit7G511yueBEL3OpOEpD+3/MBdoN+A==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.34.0",
-                "@typescript-eslint/types": "^8.34.0",
+                "@typescript-eslint/tsconfig-utils": "^8.33.0",
+                "@typescript-eslint/types": "^8.33.0",
                "debug": "^4.3.4"
            },
            "engines": {
@ -657,20 +657,17 @@
            "funding": {
                "type": "opencollective",
                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "typescript": ">=4.8.4 <5.9.0"
            }
        },
        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.0.tgz",
-            "integrity": "sha512-9Ac0X8WiLykl0aj1oYQNcLZjHgBojT6cW68yAgZ19letYu+Hxd0rE0veI1XznSSst1X5lwnxhPbVdwjDRIomRw==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.0.tgz",
+            "integrity": "sha512-LMi/oqrzpqxyO72ltP+dBSP6V0xiUb4saY7WLtxSfiNEBI8m321LLVFU9/QDJxjDQG9/tjSqKz/E3380TEqSTw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0"
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -681,9 +678,9 @@
            }
        },
        "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.0.tgz",
-            "integrity": "sha512-+W9VYHKFIzA5cBeooqQxqNriAP0QeQ7xTiDuIOr71hzgffm3EL2hxwWBIIj4GuofIbKxGNarpKqIq6Q6YrShOA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.0.tgz",
+            "integrity": "sha512-sTkETlbqhEoiFmGr1gsdq5HyVbSOF0145SYDJ/EQmXHtKViCaGvnyLqWFFHtEXoS0J1yU8Wyou2UGmgW88fEug==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -698,14 +695,14 @@
            }
        },
        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.34.0.tgz",
-            "integrity": "sha512-n7zSmOcUVhcRYC75W2pnPpbO1iwhJY3NLoHEtbJwJSNlVAZuwqu05zY3f3s2SDWWDSo9FdN5szqc73DCtDObAg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.0.tgz",
+            "integrity": "sha512-lScnHNCBqL1QayuSrWeqAL5GmqNdVUQAAMTaCwdYEdWfIrSrOGzyLGRCHXcCixa5NK6i5l0AfSO2oBSjCjf4XQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
                "debug": "^4.3.4",
                "ts-api-utils": "^2.1.0"
            },
@ -722,9 +719,9 @@
            }
        },
        "node_modules/@typescript-eslint/types": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.0.tgz",
-            "integrity": "sha512-9V24k/paICYPniajHfJ4cuAWETnt7Ssy+R0Rbcqo5sSFr3QEZ/8TSoUi9XeXVBGXCaLtwTOKSLGcInCAvyZeMA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.0.tgz",
+            "integrity": "sha512-DKuXOKpM5IDT1FA2g9x9x1Ug81YuKrzf4mYX8FAVSNu5Wo/LELHWQyM1pQaDkI42bX15PWl0vNPt1uGiIFUOpg==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -736,16 +733,16 @@
            }
        },
        "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.0.tgz",
-            "integrity": "sha512-rOi4KZxI7E0+BMqG7emPSK1bB4RICCpF7QD3KCLXn9ZvWoESsOMlHyZPAHyG04ujVplPaHbmEvs34m+wjgtVtg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.0.tgz",
+            "integrity": "sha512-vegY4FQoB6jL97Tu/lWRsAiUUp8qJTqzAmENH2k59SJhw0Th1oszb9Idq/FyyONLuNqT1OADJPXfyUNOR8SzAQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/project-service": "8.34.0",
-                "@typescript-eslint/tsconfig-utils": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/project-service": "8.33.0",
+                "@typescript-eslint/tsconfig-utils": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "debug": "^4.3.4",
                "fast-glob": "^3.3.2",
                "is-glob": "^4.0.3",
@ -804,16 +801,16 @@
            }
        },
        "node_modules/@typescript-eslint/utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.0.tgz",
-            "integrity": "sha512-8L4tWatGchV9A1cKbjaavS6mwYwp39jql8xUmIIKJdm+qiaeHy5KMKlBrf30akXAWBzn2SqKsNOtSENWUwg7XQ==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.0.tgz",
+            "integrity": "sha512-lPFuQaLA9aSNa7D5u2EpRiqdAUhzShwGg/nhpBlc4GR6kcTABttCuyjFs8BcEZ8VWrjCBof/bePhP3Q3fS+Yrw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/typescript-estree": "8.34.0"
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -828,13 +825,13 @@
            }
        },
        "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.0.tgz",
-            "integrity": "sha512-qHV7pW7E85A0x6qyrFn+O+q1k1p3tQCsqIZ1KZ5ESLXY57aTvUd3/a4rdPTeXisvhXn2VQG0VSKUqs8KHF2zcA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.0.tgz",
+            "integrity": "sha512-7RW7CMYoskiz5OOGAWjJFxgb7c5UNjTG292gYhWeOAcFmYCtVCSqjqSBj5zMhxbXo2JOW95YYrUWJfU0zrpaGQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.33.0",
                "eslint-visitor-keys": "^4.2.0"
            },
            "engines": {
@ -4035,15 +4032,15 @@
            }
        },
        "node_modules/typescript-eslint": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.34.0.tgz",
-            "integrity": "sha512-MRpfN7uYjTrTGigFCt8sRyNqJFhjN0WwZecldaqhWm+wy0gaRt8Edb/3cuUy0zdq2opJWT6iXINKAtewnDOltQ==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.0.tgz",
+            "integrity": "sha512-5YmNhF24ylCsvdNW2oJwMzTbaeO4bg90KeGtMjUw0AGtHksgEPLRTUil+coHwCfiu4QjVJFnjp94DmU6zV7DhQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.34.0",
-                "@typescript-eslint/parser": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0"
+                "@typescript-eslint/eslint-plugin": "8.33.0",
+                "@typescript-eslint/parser": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.1"
+version = "2025.6.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@ -9,11 +9,11 @@ dependencies = [
    "celery==5.5.3",
    "channels==4.2.2",
    "channels-redis==4.2.1",
-    "cryptography==45.0.4",
+    "cryptography==45.0.3",
    "dacite==1.9.2",
    "deepmerge==2.0",
    "defusedxml==0.7.1",
-    "django==5.1.11",
+    "django==5.1.10",
    "django-countries==7.6.1",
    "django-cte==1.3.3",
    "django-filter==25.1",
@ -35,15 +35,15 @@ dependencies = [
    "flower==2.0.1",
    "geoip2==5.1.0",
    "geopy==2.4.1",
-    "google-api-python-client==2.172.0",
+    "google-api-python-client==2.171.0",
    "gssapi==1.9.0",
    "gunicorn==23.0.0",
    "jsonpatch==1.33",
    "jwcrypto==1.5.6",
-    "kubernetes==33.1.0",
+    "kubernetes==32.0.1",
    "ldap3==2.9.1",
    "lxml==5.4.0",
-    "msgraph-sdk==1.33.0",
+    "msgraph-sdk==1.32.0",
    "opencontainers==0.0.14",
    "packaging==25.0",
    "paramiko==3.5.1",
@ -56,13 +56,13 @@ dependencies = [
    "pyyaml==6.0.2",
    "requests-oauthlib==2.0.0",
    "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.30.0",
+    "sentry-sdk==2.29.1",
    "service-identity==24.2.0",
    "setproctitle==1.3.6",
    "structlog==25.4.0",
    "swagger-spec-validator==3.0.4",
    "tenant-schemas-celery==3.0.0",
-    "twilio==9.6.3",
+    "twilio==9.6.2",
    "ua-parser==1.0.1",
    "unidecode==1.4.0",
    "urllib3<3",
@ -140,7 +140,6 @@ skip = [
    "**/storybook-static",
    "**/web/src/locales",
    "**/web/xliff",
-    "**/web/out",
    "./web/storybook-static",
    "./web/custom-elements.json",
    "./website/build",
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.6.1
+  version: 2025.6.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -38,6 +38,33 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
+  /admin/metrics/:
+    get:
+      operationId: admin_metrics_retrieve
+      description: Login Metrics per 1h
+      tags:
+      - admin
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/LoginMetrics'
+          description: ''
+        '400':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ValidationError'
+          description: ''
+        '403':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericError'
+          description: ''
  /admin/models/:
    get:
      operationId: admin_models_list
@ -4109,6 +4136,42 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
+  /core/applications/{slug}/metrics/:
+    get:
+      operationId: core_applications_metrics_list
+      description: Metrics for application logins
+      parameters:
+      - in: path
+        name: slug
+        schema:
+          type: string
+          description: Internal application name, used in URLs.
+        required: true
+      tags:
+      - core
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Coordinate'
+          description: ''
+        '400':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ValidationError'
+          description: ''
+        '403':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericError'
+          description: ''
  /core/applications/{slug}/set_icon/:
    post:
      operationId: core_applications_set_icon_create
@ -6008,6 +6071,40 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
+  /core/users/{id}/metrics/:
+    get:
+      operationId: core_users_metrics_retrieve
+      description: User metrics per 1h
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this User.
+        required: true
+      tags:
+      - core
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/UserMetrics'
+          description: ''
+        '400':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ValidationError'
+          description: ''
+        '403':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericError'
+          description: ''
  /core/users/{id}/recovery/:
    post:
      operationId: core_users_recovery_create
@ -7015,42 +7112,6 @@ paths:
        name: action
        schema:
          type: string
-      - in: query
-        name: actions
-        schema:
-          type: array
-          items:
-            type: string
-            enum:
-            - authorize_application
-            - configuration_error
-            - custom_
-            - email_sent
-            - flow_execution
-            - impersonation_ended
-            - impersonation_started
-            - invitation_used
-            - login
-            - login_failed
-            - logout
-            - model_created
-            - model_deleted
-            - model_updated
-            - password_set
-            - policy_exception
-            - policy_execution
-            - property_mapping_exception
-            - secret_rotate
-            - secret_view
-            - source_linked
-            - suspicious_request
-            - system_exception
-            - system_task_exception
-            - system_task_execution
-            - update_available
-            - user_write
-        explode: true
-        style: form
      - in: query
        name: brand_name
        schema:
@ -7337,6 +7398,44 @@ paths:
              schema:
                $ref: '#/components/schemas/GenericError'
          description: ''
+  /events/events/per_month/:
+    get:
+      operationId: events_events_per_month_list
+      description: Get the count of events per month
+      parameters:
+      - in: query
+        name: action
+        schema:
+          type: string
+      - in: query
+        name: query
+        schema:
+          type: string
+      tags:
+      - events
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Coordinate'
+          description: ''
+        '400':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ValidationError'
+          description: ''
+        '403':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericError'
+          description: ''
  /events/events/top_per_user/:
    get:
      operationId: events_events_top_per_user_list
@ -7384,42 +7483,6 @@ paths:
        name: action
        schema:
          type: string
-      - in: query
-        name: actions
-        schema:
-          type: array
-          items:
-            type: string
-            enum:
-            - authorize_application
-            - configuration_error
-            - custom_
-            - email_sent
-            - flow_execution
-            - impersonation_ended
-            - impersonation_started
-            - invitation_used
-            - login
-            - login_failed
-            - logout
-            - model_created
-            - model_deleted
-            - model_updated
-            - password_set
-            - policy_exception
-            - policy_execution
-            - property_mapping_exception
-            - secret_rotate
-            - secret_view
-            - source_linked
-            - suspicious_request
-            - system_exception
-            - system_task_exception
-            - system_task_execution
-            - update_available
-            - user_write
-        explode: true
-        style: form
      - in: query
        name: brand_name
        schema:
@ -7449,11 +7512,6 @@ paths:
        schema:
          type: string
        description: Context Model Primary Key
-      - in: query
-        name: history_days
-        schema:
-          type: number
-          default: 7
      - name: ordering
        required: false
        in: query
@ -7482,7 +7540,7 @@ paths:
              schema:
                type: array
                items:
-                  $ref: '#/components/schemas/EventVolume'
+                  $ref: '#/components/schemas/Coordinate'
          description: ''
        '400':
          content:
@ -43538,6 +43596,19 @@ components:
      - sidebar_left
      - sidebar_right
      type: string
+    Coordinate:
+      type: object
+      description: Coordinates for diagrams
+      properties:
+        x_cord:
+          type: integer
+          readOnly: true
+        y_cord:
+          type: integer
+          readOnly: true
+      required:
+      - x_cord
+      - y_cord
    CountryCodeEnum:
      enum:
      - AF
@ -44915,21 +44986,6 @@ components:
      - application
      - counted_events
      - unique_users
-    EventVolume:
-      type: object
-      description: Count of events of action created on day
-      properties:
-        action:
-          $ref: '#/components/schemas/EventActions'
-        time:
-          type: string
-          format: date-time
-        count:
-          type: integer
-      required:
-      - action
-      - count
-      - time
    EventsRequestedEnum:
      enum:
      - https://schemas.openid.net/secevent/caep/event-type/session-revoked
@ -48241,6 +48297,29 @@ components:
          xak-flow-redirect: '#/components/schemas/RedirectChallenge'
          ak-source-oauth-apple: '#/components/schemas/AppleLoginChallenge'
          ak-source-plex: '#/components/schemas/PlexAuthenticationChallenge'
+    LoginMetrics:
+      type: object
+      description: Login Metrics per 1h
+      properties:
+        logins:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+        logins_failed:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+        authorizations:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+      required:
+      - authorizations
+      - logins
+      - logins_failed
    LoginSource:
      type: object
      description: Serializer for Login buttons of sources
@ -55805,8 +55884,33 @@ components:
          type: array
          items:
            $ref: '#/components/schemas/StagePrompt'
+        meta:
+          type: array
+          items:
+            $ref: '#/components/schemas/PromptChallengeMeta'
      required:
      - fields
+      - meta
+    PromptChallengeMeta:
+      type: object
+      description: |-
+        Additional context sent with the initial challenge, which might contain
+        info when doing dry-runs or other validation fails
+      properties:
+        field_key:
+          type: string
+      required:
+      - field_key
+    PromptChallengeResponseMetaRequest:
+      type: object
+      description: |-
+        Additional context sent back by the flow executor when submitting
+        the prompt stage
+      properties:
+        dry_run:
+          type: boolean
+      required:
+      - dry_run
    PromptChallengeResponseRequest:
      type: object
      description: |-
@ -55817,6 +55921,10 @@ components:
          type: string
          minLength: 1
          default: ak-stage-prompt
+        meta:
+          $ref: '#/components/schemas/PromptChallengeResponseMetaRequest'
+      required:
+      - meta
      additionalProperties: {}
    PromptRequest:
      type: object
@ -60650,6 +60758,29 @@ components:
      - username_link
      - username_deny
      type: string
+    UserMetrics:
+      type: object
+      description: User Metrics
+      properties:
+        logins:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+        logins_failed:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+        authorizations:
+          type: array
+          items:
+            $ref: '#/components/schemas/Coordinate'
+          readOnly: true
+      required:
+      - authorizations
+      - logins
+      - logins_failed
    UserOAuthSourceConnection:
      type: object
      description: User source connection
--- a/tests/e2e/docker-compose.yml
+++ b/tests/e2e/docker-compose.yml
@ -1,13 +1,13 @@
 services:
  chrome:
    platform: linux/x86_64
-    image: docker.io/selenium/standalone-chrome:137.0
+    image: docker.io/selenium/standalone-chrome:136.0
    volumes:
      - /dev/shm:/dev/shm
    network_mode: host
    restart: always
  mailpit:
-    image: docker.io/axllent/mailpit:v1.26.0
+    image: docker.io/axllent/mailpit:v1.25.1
    ports:
      - 1025:1025
      - 8025:8025
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -2,6 +2,7 @@

 from dataclasses import asdict
 from time import sleep
+from unittest.mock import patch

 from guardian.shortcuts import assign_perm
 from ldap3 import ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE, Connection, Server
@ -15,10 +16,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.ldap.models import APIAccessMode, LDAPProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderLDAP(SeleniumTestCase):
    """LDAP and Outpost e2e tests"""

--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -6,6 +6,7 @@ from json import loads
 from sys import platform
 from time import sleep
 from unittest.case import skip, skipUnless
+from unittest.mock import patch

 from channels.testing import ChannelsLiveServerTestCase
 from jwt import decode
@ -17,10 +18,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tasks import outpost_connection_discovery
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxy(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

--- a/tests/e2e/test_provider_proxy_forward.py
+++ b/tests/e2e/test_provider_proxy_forward.py
@ -4,6 +4,7 @@ from json import loads
 from pathlib import Path
 from time import sleep
 from unittest import skip
+from unittest.mock import patch

 from selenium.webdriver.common.by import By

@ -12,10 +13,12 @@ from authentik.core.models import Application
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import Outpost, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxyForward(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

--- a/tests/e2e/test_provider_radius.py
+++ b/tests/e2e/test_provider_radius.py
@ -2,6 +2,7 @@

 from dataclasses import asdict
 from time import sleep
+from unittest.mock import patch

 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
@ -12,10 +13,12 @@ from authentik.core.models import Application, User
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
+from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.radius.models import RadiusProvider
 from tests.e2e.utils import SeleniumTestCase, retry


+@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderRadius(SeleniumTestCase):
    """Radius Outpost e2e tests"""

--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -1,6 +1,7 @@
 """authentik e2e testing utilities"""

 import json
+import os
 import socket
 from collections.abc import Callable
 from functools import lru_cache, wraps
@ -36,12 +37,22 @@ from authentik.core.api.users import UserSerializer
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
-from authentik.root.test_runner import get_docker_tag

 IS_CI = "CI" in environ
 RETRIES = int(environ.get("RETRIES", "3")) if IS_CI else 1


+def get_docker_tag() -> str:
+    """Get docker-tag based off of CI variables"""
+    env_pr_branch = "GITHUB_HEAD_REF"
+    default_branch = "GITHUB_REF"
+    branch_name = os.environ.get(default_branch, "main")
+    if os.environ.get(env_pr_branch, "") != "":
+        branch_name = os.environ[env_pr_branch]
+    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+    return f"gh-{branch_name}"
+
+
 def get_local_ip() -> str:
    """Get the local machine's IP"""
    hostname = socket.gethostname()
--- a/uv.lock
+++ b/uv.lock
@ -165,7 +165,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.6.1"
+version = "2025.6.0"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@ -270,11 +270,11 @@ requires-dist = [
    { name = "celery", specifier = "==5.5.3" },
    { name = "channels", specifier = "==4.2.2" },
    { name = "channels-redis", specifier = "==4.2.1" },
-    { name = "cryptography", specifier = "==45.0.4" },
+    { name = "cryptography", specifier = "==45.0.3" },
    { name = "dacite", specifier = "==1.9.2" },
    { name = "deepmerge", specifier = "==2.0" },
    { name = "defusedxml", specifier = "==0.7.1" },
-    { name = "django", specifier = "==5.1.11" },
+    { name = "django", specifier = "==5.1.10" },
    { name = "django-countries", specifier = "==7.6.1" },
    { name = "django-cte", specifier = "==1.3.3" },
    { name = "django-filter", specifier = "==25.1" },
@ -296,15 +296,15 @@ requires-dist = [
    { name = "flower", specifier = "==2.0.1" },
    { name = "geoip2", specifier = "==5.1.0" },
    { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.172.0" },
+    { name = "google-api-python-client", specifier = "==2.171.0" },
    { name = "gssapi", specifier = "==1.9.0" },
    { name = "gunicorn", specifier = "==23.0.0" },
    { name = "jsonpatch", specifier = "==1.33" },
    { name = "jwcrypto", specifier = "==1.5.6" },
-    { name = "kubernetes", specifier = "==33.1.0" },
+    { name = "kubernetes", specifier = "==32.0.1" },
    { name = "ldap3", specifier = "==2.9.1" },
    { name = "lxml", specifier = "==5.4.0" },
-    { name = "msgraph-sdk", specifier = "==1.33.0" },
+    { name = "msgraph-sdk", specifier = "==1.32.0" },
    { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
    { name = "packaging", specifier = "==25.0" },
    { name = "paramiko", specifier = "==3.5.1" },
@ -317,13 +317,13 @@ requires-dist = [
    { name = "pyyaml", specifier = "==6.0.2" },
    { name = "requests-oauthlib", specifier = "==2.0.0" },
    { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.30.0" },
+    { name = "sentry-sdk", specifier = "==2.29.1" },
    { name = "service-identity", specifier = "==24.2.0" },
    { name = "setproctitle", specifier = "==1.3.6" },
    { name = "structlog", specifier = "==25.4.0" },
    { name = "swagger-spec-validator", specifier = "==3.0.4" },
    { name = "tenant-schemas-celery", specifier = "==3.0.0" },
-    { name = "twilio", specifier = "==9.6.3" },
+    { name = "twilio", specifier = "==9.6.2" },
    { name = "ua-parser", specifier = "==1.0.1" },
    { name = "unidecode", specifier = "==1.4.0" },
    { name = "urllib3", specifier = "<3" },
@ -870,37 +870,37 @@ wheels = [

 [[package]]
 name = "cryptography"
-version = "45.0.4"
+version = "45.0.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/fe/c8/a2a376a8711c1e11708b9c9972e0c3223f5fc682552c82d8db844393d6ce/cryptography-45.0.4.tar.gz", hash = "sha256:7405ade85c83c37682c8fe65554759800a4a8c54b2d96e0f8ad114d31b808d57", size = 744890, upload-time = "2025-06-10T00:03:51.297Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/13/1f/9fa001e74a1993a9cadd2333bb889e50c66327b8594ac538ab8a04f915b7/cryptography-45.0.3.tar.gz", hash = "sha256:ec21313dd335c51d7877baf2972569f40a4291b76a0ce51391523ae358d05899", size = 744738, upload-time = "2025-05-25T14:17:24.777Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/cc/1c/92637793de053832523b410dbe016d3f5c11b41d0cf6eef8787aabb51d41/cryptography-45.0.4-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:425a9a6ac2823ee6e46a76a21a4e8342d8fa5c01e08b823c1f19a8b74f096069", size = 7055712, upload-time = "2025-06-10T00:02:38.826Z" },
-    { url = "https://files.pythonhosted.org/packages/ba/14/93b69f2af9ba832ad6618a03f8a034a5851dc9a3314336a3d71c252467e1/cryptography-45.0.4-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:680806cf63baa0039b920f4976f5f31b10e772de42f16310a6839d9f21a26b0d", size = 4205335, upload-time = "2025-06-10T00:02:41.64Z" },
-    { url = "https://files.pythonhosted.org/packages/67/30/fae1000228634bf0b647fca80403db5ca9e3933b91dd060570689f0bd0f7/cryptography-45.0.4-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:4ca0f52170e821bc8da6fc0cc565b7bb8ff8d90d36b5e9fdd68e8a86bdf72036", size = 4431487, upload-time = "2025-06-10T00:02:43.696Z" },
-    { url = "https://files.pythonhosted.org/packages/6d/5a/7dffcf8cdf0cb3c2430de7404b327e3db64735747d641fc492539978caeb/cryptography-45.0.4-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:f3fe7a5ae34d5a414957cc7f457e2b92076e72938423ac64d215722f6cf49a9e", size = 4208922, upload-time = "2025-06-10T00:02:45.334Z" },
-    { url = "https://files.pythonhosted.org/packages/c6/f3/528729726eb6c3060fa3637253430547fbaaea95ab0535ea41baa4a6fbd8/cryptography-45.0.4-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:25eb4d4d3e54595dc8adebc6bbd5623588991d86591a78c2548ffb64797341e2", size = 3900433, upload-time = "2025-06-10T00:02:47.359Z" },
-    { url = "https://files.pythonhosted.org/packages/d9/4a/67ba2e40f619e04d83c32f7e1d484c1538c0800a17c56a22ff07d092ccc1/cryptography-45.0.4-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:ce1678a2ccbe696cf3af15a75bb72ee008d7ff183c9228592ede9db467e64f1b", size = 4464163, upload-time = "2025-06-10T00:02:49.412Z" },
-    { url = "https://files.pythonhosted.org/packages/7e/9a/b4d5aa83661483ac372464809c4b49b5022dbfe36b12fe9e323ca8512420/cryptography-45.0.4-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:49fe9155ab32721b9122975e168a6760d8ce4cffe423bcd7ca269ba41b5dfac1", size = 4208687, upload-time = "2025-06-10T00:02:50.976Z" },
-    { url = "https://files.pythonhosted.org/packages/db/b7/a84bdcd19d9c02ec5807f2ec2d1456fd8451592c5ee353816c09250e3561/cryptography-45.0.4-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:2882338b2a6e0bd337052e8b9007ced85c637da19ef9ecaf437744495c8c2999", size = 4463623, upload-time = "2025-06-10T00:02:52.542Z" },
-    { url = "https://files.pythonhosted.org/packages/d8/84/69707d502d4d905021cac3fb59a316344e9f078b1da7fb43ecde5e10840a/cryptography-45.0.4-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:23b9c3ea30c3ed4db59e7b9619272e94891f8a3a5591d0b656a7582631ccf750", size = 4332447, upload-time = "2025-06-10T00:02:54.63Z" },
-    { url = "https://files.pythonhosted.org/packages/f3/ee/d4f2ab688e057e90ded24384e34838086a9b09963389a5ba6854b5876598/cryptography-45.0.4-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:b0a97c927497e3bc36b33987abb99bf17a9a175a19af38a892dc4bbb844d7ee2", size = 4572830, upload-time = "2025-06-10T00:02:56.689Z" },
-    { url = "https://files.pythonhosted.org/packages/70/d4/994773a261d7ff98034f72c0e8251fe2755eac45e2265db4c866c1c6829c/cryptography-45.0.4-cp311-abi3-win32.whl", hash = "sha256:e00a6c10a5c53979d6242f123c0a97cff9f3abed7f064fc412c36dc521b5f257", size = 2932769, upload-time = "2025-06-10T00:02:58.467Z" },
-    { url = "https://files.pythonhosted.org/packages/5a/42/c80bd0b67e9b769b364963b5252b17778a397cefdd36fa9aa4a5f34c599a/cryptography-45.0.4-cp311-abi3-win_amd64.whl", hash = "sha256:817ee05c6c9f7a69a16200f0c90ab26d23a87701e2a284bd15156783e46dbcc8", size = 3410441, upload-time = "2025-06-10T00:03:00.14Z" },
-    { url = "https://files.pythonhosted.org/packages/ce/0b/2488c89f3a30bc821c9d96eeacfcab6ff3accc08a9601ba03339c0fd05e5/cryptography-45.0.4-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:964bcc28d867e0f5491a564b7debb3ffdd8717928d315d12e0d7defa9e43b723", size = 7031836, upload-time = "2025-06-10T00:03:01.726Z" },
-    { url = "https://files.pythonhosted.org/packages/fe/51/8c584ed426093aac257462ae62d26ad61ef1cbf5b58d8b67e6e13c39960e/cryptography-45.0.4-cp37-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:6a5bf57554e80f75a7db3d4b1dacaa2764611ae166ab42ea9a72bcdb5d577637", size = 4195746, upload-time = "2025-06-10T00:03:03.94Z" },
-    { url = "https://files.pythonhosted.org/packages/5c/7d/4b0ca4d7af95a704eef2f8f80a8199ed236aaf185d55385ae1d1610c03c2/cryptography-45.0.4-cp37-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:46cf7088bf91bdc9b26f9c55636492c1cce3e7aaf8041bbf0243f5e5325cfb2d", size = 4424456, upload-time = "2025-06-10T00:03:05.589Z" },
-    { url = "https://files.pythonhosted.org/packages/1d/45/5fabacbc6e76ff056f84d9f60eeac18819badf0cefc1b6612ee03d4ab678/cryptography-45.0.4-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:7bedbe4cc930fa4b100fc845ea1ea5788fcd7ae9562e669989c11618ae8d76ee", size = 4198495, upload-time = "2025-06-10T00:03:09.172Z" },
-    { url = "https://files.pythonhosted.org/packages/55/b7/ffc9945b290eb0a5d4dab9b7636706e3b5b92f14ee5d9d4449409d010d54/cryptography-45.0.4-cp37-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:eaa3e28ea2235b33220b949c5a0d6cf79baa80eab2eb5607ca8ab7525331b9ff", size = 3885540, upload-time = "2025-06-10T00:03:10.835Z" },
-    { url = "https://files.pythonhosted.org/packages/7f/e3/57b010282346980475e77d414080acdcb3dab9a0be63071efc2041a2c6bd/cryptography-45.0.4-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:7ef2dde4fa9408475038fc9aadfc1fb2676b174e68356359632e980c661ec8f6", size = 4452052, upload-time = "2025-06-10T00:03:12.448Z" },
-    { url = "https://files.pythonhosted.org/packages/37/e6/ddc4ac2558bf2ef517a358df26f45bc774a99bf4653e7ee34b5e749c03e3/cryptography-45.0.4-cp37-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:6a3511ae33f09094185d111160fd192c67aa0a2a8d19b54d36e4c78f651dc5ad", size = 4198024, upload-time = "2025-06-10T00:03:13.976Z" },
-    { url = "https://files.pythonhosted.org/packages/3a/c0/85fa358ddb063ec588aed4a6ea1df57dc3e3bc1712d87c8fa162d02a65fc/cryptography-45.0.4-cp37-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:06509dc70dd71fa56eaa138336244e2fbaf2ac164fc9b5e66828fccfd2b680d6", size = 4451442, upload-time = "2025-06-10T00:03:16.248Z" },
-    { url = "https://files.pythonhosted.org/packages/33/67/362d6ec1492596e73da24e669a7fbbaeb1c428d6bf49a29f7a12acffd5dc/cryptography-45.0.4-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:5f31e6b0a5a253f6aa49be67279be4a7e5a4ef259a9f33c69f7d1b1191939872", size = 4325038, upload-time = "2025-06-10T00:03:18.4Z" },
-    { url = "https://files.pythonhosted.org/packages/53/75/82a14bf047a96a1b13ebb47fb9811c4f73096cfa2e2b17c86879687f9027/cryptography-45.0.4-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:944e9ccf67a9594137f942d5b52c8d238b1b4e46c7a0c2891b7ae6e01e7c80a4", size = 4560964, upload-time = "2025-06-10T00:03:20.06Z" },
-    { url = "https://files.pythonhosted.org/packages/cd/37/1a3cba4c5a468ebf9b95523a5ef5651244693dc712001e276682c278fc00/cryptography-45.0.4-cp37-abi3-win32.whl", hash = "sha256:c22fe01e53dc65edd1945a2e6f0015e887f84ced233acecb64b4daadb32f5c97", size = 2924557, upload-time = "2025-06-10T00:03:22.563Z" },
-    { url = "https://files.pythonhosted.org/packages/2a/4b/3256759723b7e66380397d958ca07c59cfc3fb5c794fb5516758afd05d41/cryptography-45.0.4-cp37-abi3-win_amd64.whl", hash = "sha256:627ba1bc94f6adf0b0a2e35d87020285ead22d9f648c7e75bb64f367375f3b22", size = 3395508, upload-time = "2025-06-10T00:03:24.586Z" },
+    { url = "https://files.pythonhosted.org/packages/82/b2/2345dc595998caa6f68adf84e8f8b50d18e9fc4638d32b22ea8daedd4b7a/cryptography-45.0.3-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:7573d9eebaeceeb55285205dbbb8753ac1e962af3d9640791d12b36864065e71", size = 7056239, upload-time = "2025-05-25T14:16:12.22Z" },
+    { url = "https://files.pythonhosted.org/packages/71/3d/ac361649a0bfffc105e2298b720d8b862330a767dab27c06adc2ddbef96a/cryptography-45.0.3-cp311-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d377dde61c5d67eb4311eace661c3efda46c62113ff56bf05e2d679e02aebb5b", size = 4205541, upload-time = "2025-05-25T14:16:14.333Z" },
+    { url = "https://files.pythonhosted.org/packages/70/3e/c02a043750494d5c445f769e9c9f67e550d65060e0bfce52d91c1362693d/cryptography-45.0.3-cp311-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fae1e637f527750811588e4582988932c222f8251f7b7ea93739acb624e1487f", size = 4433275, upload-time = "2025-05-25T14:16:16.421Z" },
+    { url = "https://files.pythonhosted.org/packages/40/7a/9af0bfd48784e80eef3eb6fd6fde96fe706b4fc156751ce1b2b965dada70/cryptography-45.0.3-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ca932e11218bcc9ef812aa497cdf669484870ecbcf2d99b765d6c27a86000942", size = 4209173, upload-time = "2025-05-25T14:16:18.163Z" },
+    { url = "https://files.pythonhosted.org/packages/31/5f/d6f8753c8708912df52e67969e80ef70b8e8897306cd9eb8b98201f8c184/cryptography-45.0.3-cp311-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:af3f92b1dc25621f5fad065288a44ac790c5798e986a34d393ab27d2b27fcff9", size = 3898150, upload-time = "2025-05-25T14:16:20.34Z" },
+    { url = "https://files.pythonhosted.org/packages/8b/50/f256ab79c671fb066e47336706dc398c3b1e125f952e07d54ce82cf4011a/cryptography-45.0.3-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:2f8f8f0b73b885ddd7f3d8c2b2234a7d3ba49002b0223f58cfde1bedd9563c56", size = 4466473, upload-time = "2025-05-25T14:16:22.605Z" },
+    { url = "https://files.pythonhosted.org/packages/62/e7/312428336bb2df0848d0768ab5a062e11a32d18139447a76dfc19ada8eed/cryptography-45.0.3-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:9cc80ce69032ffa528b5e16d217fa4d8d4bb7d6ba8659c1b4d74a1b0f4235fca", size = 4211890, upload-time = "2025-05-25T14:16:24.738Z" },
+    { url = "https://files.pythonhosted.org/packages/e7/53/8a130e22c1e432b3c14896ec5eb7ac01fb53c6737e1d705df7e0efb647c6/cryptography-45.0.3-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:c824c9281cb628015bfc3c59335163d4ca0540d49de4582d6c2637312907e4b1", size = 4466300, upload-time = "2025-05-25T14:16:26.768Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/75/6bb6579688ef805fd16a053005fce93944cdade465fc92ef32bbc5c40681/cryptography-45.0.3-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:5833bb4355cb377ebd880457663a972cd044e7f49585aee39245c0d592904578", size = 4332483, upload-time = "2025-05-25T14:16:28.316Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/11/2538f4e1ce05c6c4f81f43c1ef2bd6de7ae5e24ee284460ff6c77e42ca77/cryptography-45.0.3-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:9bb5bf55dcb69f7067d80354d0a348368da907345a2c448b0babc4215ccd3497", size = 4573714, upload-time = "2025-05-25T14:16:30.474Z" },
+    { url = "https://files.pythonhosted.org/packages/f5/bb/e86e9cf07f73a98d84a4084e8fd420b0e82330a901d9cac8149f994c3417/cryptography-45.0.3-cp311-abi3-win32.whl", hash = "sha256:3ad69eeb92a9de9421e1f6685e85a10fbcfb75c833b42cc9bc2ba9fb00da4710", size = 2934752, upload-time = "2025-05-25T14:16:32.204Z" },
+    { url = "https://files.pythonhosted.org/packages/c7/75/063bc9ddc3d1c73e959054f1fc091b79572e716ef74d6caaa56e945b4af9/cryptography-45.0.3-cp311-abi3-win_amd64.whl", hash = "sha256:97787952246a77d77934d41b62fb1b6f3581d83f71b44796a4158d93b8f5c490", size = 3412465, upload-time = "2025-05-25T14:16:33.888Z" },
+    { url = "https://files.pythonhosted.org/packages/71/9b/04ead6015229a9396890d7654ee35ef630860fb42dc9ff9ec27f72157952/cryptography-45.0.3-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:c92519d242703b675ccefd0f0562eb45e74d438e001f8ab52d628e885751fb06", size = 7031892, upload-time = "2025-05-25T14:16:36.214Z" },
+    { url = "https://files.pythonhosted.org/packages/46/c7/c7d05d0e133a09fc677b8a87953815c522697bdf025e5cac13ba419e7240/cryptography-45.0.3-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c5edcb90da1843df85292ef3a313513766a78fbbb83f584a5a58fb001a5a9d57", size = 4196181, upload-time = "2025-05-25T14:16:37.934Z" },
+    { url = "https://files.pythonhosted.org/packages/08/7a/6ad3aa796b18a683657cef930a986fac0045417e2dc428fd336cfc45ba52/cryptography-45.0.3-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:38deed72285c7ed699864f964a3f4cf11ab3fb38e8d39cfcd96710cd2b5bb716", size = 4423370, upload-time = "2025-05-25T14:16:39.502Z" },
+    { url = "https://files.pythonhosted.org/packages/4f/58/ec1461bfcb393525f597ac6a10a63938d18775b7803324072974b41a926b/cryptography-45.0.3-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5555365a50efe1f486eed6ac7062c33b97ccef409f5970a0b6f205a7cfab59c8", size = 4197839, upload-time = "2025-05-25T14:16:41.322Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/3d/5185b117c32ad4f40846f579369a80e710d6146c2baa8ce09d01612750db/cryptography-45.0.3-cp37-abi3-manylinux_2_28_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:9e4253ed8f5948a3589b3caee7ad9a5bf218ffd16869c516535325fece163dcc", size = 3886324, upload-time = "2025-05-25T14:16:43.041Z" },
+    { url = "https://files.pythonhosted.org/packages/67/85/caba91a57d291a2ad46e74016d1f83ac294f08128b26e2a81e9b4f2d2555/cryptography-45.0.3-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:cfd84777b4b6684955ce86156cfb5e08d75e80dc2585e10d69e47f014f0a5342", size = 4450447, upload-time = "2025-05-25T14:16:44.759Z" },
+    { url = "https://files.pythonhosted.org/packages/ae/d1/164e3c9d559133a38279215c712b8ba38e77735d3412f37711b9f8f6f7e0/cryptography-45.0.3-cp37-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:a2b56de3417fd5f48773ad8e91abaa700b678dc7fe1e0c757e1ae340779acf7b", size = 4200576, upload-time = "2025-05-25T14:16:46.438Z" },
+    { url = "https://files.pythonhosted.org/packages/71/7a/e002d5ce624ed46dfc32abe1deff32190f3ac47ede911789ee936f5a4255/cryptography-45.0.3-cp37-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:57a6500d459e8035e813bd8b51b671977fb149a8c95ed814989da682314d0782", size = 4450308, upload-time = "2025-05-25T14:16:48.228Z" },
+    { url = "https://files.pythonhosted.org/packages/87/ad/3fbff9c28cf09b0a71e98af57d74f3662dea4a174b12acc493de00ea3f28/cryptography-45.0.3-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:f22af3c78abfbc7cbcdf2c55d23c3e022e1a462ee2481011d518c7fb9c9f3d65", size = 4325125, upload-time = "2025-05-25T14:16:49.844Z" },
+    { url = "https://files.pythonhosted.org/packages/f5/b4/51417d0cc01802304c1984d76e9592f15e4801abd44ef7ba657060520bf0/cryptography-45.0.3-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:232954730c362638544758a8160c4ee1b832dc011d2c41a306ad8f7cccc5bb0b", size = 4560038, upload-time = "2025-05-25T14:16:51.398Z" },
+    { url = "https://files.pythonhosted.org/packages/80/38/d572f6482d45789a7202fb87d052deb7a7b136bf17473ebff33536727a2c/cryptography-45.0.3-cp37-abi3-win32.whl", hash = "sha256:cb6ab89421bc90e0422aca911c69044c2912fc3debb19bb3c1bfe28ee3dff6ab", size = 2924070, upload-time = "2025-05-25T14:16:53.472Z" },
+    { url = "https://files.pythonhosted.org/packages/91/5a/61f39c0ff4443651cc64e626fa97ad3099249152039952be8f344d6b0c86/cryptography-45.0.3-cp37-abi3-win_amd64.whl", hash = "sha256:d54ae41e6bd70ea23707843021c778f151ca258081586f0cfa31d936ae43d1b2", size = 3395005, upload-time = "2025-05-25T14:16:55.134Z" },
 ]

 [[package]]
@ -968,16 +968,16 @@ wheels = [

 [[package]]
 name = "django"
-version = "5.1.11"
+version = "5.1.10"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "asgiref" },
    { name = "sqlparse" },
    { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/83/80/bf0f9b0aa434fca2b46fc6a31c39b08ea714b87a0a72a16566f053fb05a8/django-5.1.11.tar.gz", hash = "sha256:3bcdbd40e4d4623b5e04f59c28834323f3086df583058e65ebce99f9982385ce", size = 10734926, upload-time = "2025-06-10T10:12:48.229Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/73/ca/1c724be89e603eb8b5587ea24c63a8c30094c8ff4d990780b5033ee15c40/django-5.1.10.tar.gz", hash = "sha256:73e5d191421d177803dbd5495d94bc7d06d156df9561f4eea9e11b4994c07137", size = 10714538, upload-time = "2025-06-04T13:53:18.805Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/59/91/2972ce330c6c0bd5b3200d4c2ad5cbf47eecff5243220c5a56444d3267a0/django-5.1.11-py3-none-any.whl", hash = "sha256:e48091f364007068728aca938e7450fbfe3f2217079bfd2b8af45122585acf64", size = 8277453, upload-time = "2025-06-10T10:12:42.236Z" },
+    { url = "https://files.pythonhosted.org/packages/9e/fc/80dc741ba0acb3241aac1213d7272c573d52d8a62ec2c69e9b3bef1547f2/django-5.1.10-py3-none-any.whl", hash = "sha256:19c9b771e9cf4de91101861aadd2daaa159bcf10698ca909c5755c88e70ccb84", size = 8277457, upload-time = "2025-06-04T13:53:07.676Z" },
 ]

 [[package]]
@ -1386,7 +1386,7 @@ wheels = [

 [[package]]
 name = "google-api-python-client"
-version = "2.172.0"
+version = "2.171.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "google-api-core" },
@ -1395,10 +1395,7 @@ dependencies = [
    { name = "httplib2" },
    { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/02/69/c0cec6be5878d4de161f64096edb3d4a2d1a838f036b8425ea8358d0dfb3/google_api_python_client-2.172.0.tar.gz", hash = "sha256:dcb3b7e067154b2aa41f1776cf86584a5739c0ac74e6ff46fc665790dca0e6a6", size = 13074841, upload-time = "2025-06-10T16:58:41.181Z" }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/15/fc/8850ccf21c5df43faeaf8bba8c4149ee880b41b8dc7066e3259bcfd921ca/google_api_python_client-2.172.0-py3-none-any.whl", hash = "sha256:9f1b9a268d5dc1228207d246c673d3a09ee211b41a11521d38d9212aeaa43af7", size = 13595800, upload-time = "2025-06-10T16:58:38.143Z" },
-]
+sdist = { url = "https://files.pythonhosted.org/packages/35/99/237cd2510aecca9fabb54007e58553274cc43cb3c18512ee1ea574d11b87/google_api_python_client-2.171.0.tar.gz", hash = "sha256:057a5c08d28463c6b9eb89746355de5f14b7ed27a65c11fdbf1d06c66bb66b23", size = 13028937, upload-time = "2025-06-03T18:57:38.732Z" }

 [[package]]
 name = "google-auth"
@ -1772,7 +1769,7 @@ wheels = [

 [[package]]
 name = "kubernetes"
-version = "33.1.0"
+version = "32.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
@ -1787,9 +1784,9 @@ dependencies = [
    { name = "urllib3" },
    { name = "websocket-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ae/52/19ebe8004c243fdfa78268a96727c71e08f00ff6fe69a301d0b7fcbce3c2/kubernetes-33.1.0.tar.gz", hash = "sha256:f64d829843a54c251061a8e7a14523b521f2dc5c896cf6d65ccf348648a88993", size = 1036779, upload-time = "2025-06-09T21:57:58.521Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b7/e8/0598f0e8b4af37cd9b10d8b87386cf3173cb8045d834ab5f6ec347a758b3/kubernetes-32.0.1.tar.gz", hash = "sha256:42f43d49abd437ada79a79a16bd48a604d3471a117a8347e87db693f2ba0ba28", size = 946691, upload-time = "2025-02-18T21:06:34.148Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/89/43/d9bebfc3db7dea6ec80df5cb2aad8d274dd18ec2edd6c4f21f32c237cbbb/kubernetes-33.1.0-py2.py3-none-any.whl", hash = "sha256:544de42b24b64287f7e0aa9513c93cb503f7f40eea39b20f66810011a86eabc5", size = 1941335, upload-time = "2025-06-09T21:57:56.327Z" },
+    { url = "https://files.pythonhosted.org/packages/08/10/9f8af3e6f569685ce3af7faab51c8dd9d93b9c38eba339ca31c746119447/kubernetes-32.0.1-py2.py3-none-any.whl", hash = "sha256:35282ab8493b938b08ab5526c7ce66588232df00ef5e1dbe88a419107dc10998", size = 1988070, upload-time = "2025-02-18T21:06:31.391Z" },
 ]

 [[package]]
@ -2055,7 +2052,7 @@ wheels = [

 [[package]]
 name = "msgraph-sdk"
-version = "1.33.0"
+version = "1.32.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "azure-identity" },
@ -2065,9 +2062,9 @@ dependencies = [
    { name = "microsoft-kiota-serialization-text" },
    { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/61/2b/41ae74a4277210a0f7b102f8c34c6304f8a2aeb3ccc94c7c4cb14542ebba/msgraph_sdk-1.33.0.tar.gz", hash = "sha256:3f92d55eee4816e554831d1f6d8db6842ce1717f6f6d92bbb8ba98c4802821df", size = 6628201, upload-time = "2025-06-10T18:43:18.811Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e0/2a/a5d67f631f8a0a9daa9059eed0f6703002efdf75f1d7575a289e23aceb5e/msgraph_sdk-1.32.0.tar.gz", hash = "sha256:485b25420ec4b3bf9c9d7abea166f9c51da99d9aad1bd57c191f84569af35143", size = 6628831, upload-time = "2025-06-03T18:22:21.526Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/fd/b3/6eca02d93c4b47b7a3b4388b65c4390eba5962379b2a9e27685b052dc428/msgraph_sdk-1.33.0-py3-none-any.whl", hash = "sha256:d42b8c39e2cdc386243d1d80df9481e9bc660db0803307a17fb3783085b19a42", size = 27215918, upload-time = "2025-06-10T18:43:15.155Z" },
+    { url = "https://files.pythonhosted.org/packages/b9/59/7e0f170611eb1a213940816703522ecca47ddffc149ef8e001e4789ddf13/msgraph_sdk-1.32.0-py3-none-any.whl", hash = "sha256:d1256f1669706c2703963ef0103470ce7a1b8a06f555506fc6b5f1069847877b", size = 27190465, upload-time = "2025-06-03T18:22:18.944Z" },
 ]

 [[package]]
@ -2931,15 +2928,15 @@ wheels = [

 [[package]]
 name = "sentry-sdk"
-version = "2.30.0"
+version = "2.29.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/04/4c/af31e0201b48469786ddeb1bf6fd3dfa3a291cc613a0fe6a60163a7535f9/sentry_sdk-2.30.0.tar.gz", hash = "sha256:436369b02afef7430efb10300a344fb61a11fe6db41c2b11f41ee037d2dd7f45", size = 326767, upload-time = "2025-06-12T10:34:34.733Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/22/67/d552a5f8e5a6a56b2feea6529e2d8ccd54349084c84176d5a1f7295044bc/sentry_sdk-2.29.1.tar.gz", hash = "sha256:8d4a0206b95fa5fe85e5e7517ed662e3888374bdc342c00e435e10e6d831aa6d", size = 325518, upload-time = "2025-05-19T14:27:38.512Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5a/99/31ac6faaae33ea698086692638f58d14f121162a8db0039e68e94135e7f1/sentry_sdk-2.30.0-py2.py3-none-any.whl", hash = "sha256:59391db1550662f746ea09b483806a631c3ae38d6340804a1a4c0605044f6877", size = 343149, upload-time = "2025-06-12T10:34:32.896Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/e5/da07b0bd832cefd52d16f2b9bbbe31624d57552602c06631686b93ccb1bd/sentry_sdk-2.29.1-py2.py3-none-any.whl", hash = "sha256:90862fe0616ded4572da6c9dadb363121a1ae49a49e21c418f0634e9d10b4c19", size = 341553, upload-time = "2025-05-19T14:27:36.882Z" },
 ]

 [[package]]
@ -3151,7 +3148,7 @@ wheels = [

 [[package]]
 name = "twilio"
-version = "9.6.3"
+version = "9.6.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
@ -3159,9 +3156,9 @@ dependencies = [
    { name = "pyjwt" },
    { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/fb/af/1b401bc4cfd3eb41c7e2a98d0040d2bcfd2ad3217f3163401121179b3fb3/twilio-9.6.3.tar.gz", hash = "sha256:16a8c2ab9550343c25c8a195f31db9e230d9b341eca31ebdd301109910fd9730", size = 1041494, upload-time = "2025-06-12T10:40:55.63Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fa/c9/441a07f6552f2b504812501d56c41bd85b02afeef6c23ab8baf41ed6c70e/twilio-9.6.2.tar.gz", hash = "sha256:5da13bb497e39ece34cb9f2b3bc911f3288928612748f7688b3bda262c2767a1", size = 1041300, upload-time = "2025-05-29T12:25:04.59Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c9/35/d61a3581eb223e5e1fc0add1c397d7bb60014b22790e8f89aa5eb4e41e04/twilio-9.6.3-py2.py3-none-any.whl", hash = "sha256:a9b2cf11b0718394f12c43585ca25b9094f12b82ff975f1561fcec7f0f6f49b2", size = 1909549, upload-time = "2025-06-12T10:40:53.67Z" },
+    { url = "https://files.pythonhosted.org/packages/67/91/382e83e5d205a7ae4325b66d40cd2fa6ce85526f2ed8fc553265e19abbe4/twilio-9.6.2-py2.py3-none-any.whl", hash = "sha256:8d4af6f42850734a921857df42940f7fed84e3e4a508d0d6bef5b9fb7dc08357", size = 1909253, upload-time = "2025-05-29T12:25:02.521Z" },
 ]

 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -15,14 +15,14 @@
                "@codemirror/lang-css": "^6.3.1",
                "@codemirror/lang-html": "^6.4.9",
                "@codemirror/lang-javascript": "^6.2.4",
-                "@codemirror/lang-python": "^6.2.1",
+                "@codemirror/lang-python": "^6.1.6",
                "@codemirror/lang-xml": "^6.1.0",
                "@codemirror/legacy-modes": "^6.4.1",
                "@codemirror/theme-one-dark": "^6.1.2",
                "@floating-ui/dom": "^1.6.11",
                "@formatjs/intl-listformat": "^7.7.11",
-                "@fortawesome/fontawesome-free": "^6.7.2",
-                "@goauthentik/api": "^2025.6.1-1749515784",
+                "@fortawesome/fontawesome-free": "^6.6.0",
+                "@goauthentik/api": "^2025.6.0-1749054550",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
                "@lit/reactive-element": "^2.0.4",
@ -31,8 +31,8 @@
                "@open-wc/lit-helpers": "^0.7.0",
                "@patternfly/elements": "^4.1.0",
                "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^9.28.1",
-                "@spotlightjs/spotlight": "^3.0.0",
+                "@sentry/browser": "^9.24.0",
+                "@spotlightjs/spotlight": "^2.13.3",
                "@webcomponents/webcomponentsjs": "^2.8.0",
                "base64-js": "^1.5.1",
                "change-case": "^5.4.4",
@ -50,8 +50,7 @@
                "hastscript": "^9.0.1",
                "lit": "^3.2.0",
                "md-front-matter": "^1.0.4",
-                "mermaid": "^11.6.0",
-                "ninja-keys": "^1.2.2",
+                "mermaid": "^11.4.1",
                "rapidoc": "^9.3.8",
                "react": "^19.1.0",
                "react-dom": "^19.1.0",
@ -65,7 +64,7 @@
                "remark-mdx-frontmatter": "^5.0.0",
                "style-mod": "^4.1.2",
                "trusted-types": "^2.0.0",
-                "ts-pattern": "^5.7.1",
+                "ts-pattern": "^5.4.0",
                "unist-util-visit": "^5.0.0",
                "webcomponent-qr-code": "^1.2.0",
                "yaml": "^2.8.0"
@ -94,7 +93,7 @@
                "@types/dompurify": "^3.0.5",
                "@types/grecaptcha": "^3.0.9",
                "@types/guacamole-common-js": "^1.5.3",
-                "@types/mocha": "^10.0.10",
+                "@types/mocha": "^10.0.8",
                "@types/node": "^22.15.21",
                "@types/react": "^19.1.5",
                "@types/react-dom": "^19.1.5",
@ -124,7 +123,7 @@
                "storybook-addon-mock": "^5.0.0",
                "turnstile-types": "^1.2.3",
                "typescript": "^5.8.3",
-                "typescript-eslint": "^8.34.0",
+                "typescript-eslint": "^8.33.0",
                "vite-plugin-lit-css": "^2.0.0",
                "vite-tsconfig-paths": "^5.0.1",
                "wireit": "^0.14.12"
@ -797,7 +796,6 @@
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-11.0.3.tgz",
            "integrity": "sha512-BvIKpRLeS/8UbfxXxgC33xOumsacaeCKAjAeLyOn7Pcp95HiRbrpl14S+9vaZLolnbssPIUuiUd8IvgkRyt6NQ==",
-            "license": "Apache-2.0",
            "dependencies": {
                "@chevrotain/gast": "11.0.3",
                "@chevrotain/types": "11.0.3",
@ -808,7 +806,6 @@
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-11.0.3.tgz",
            "integrity": "sha512-+qNfcoNk70PyS/uxmj3li5NiECO+2YKZZQMbmjTqRI3Qchu8Hig/Q9vgkHpI3alNjr7M+a2St5pw5w5F6NL5/Q==",
-            "license": "Apache-2.0",
            "dependencies": {
                "@chevrotain/types": "11.0.3",
                "lodash-es": "4.17.21"
@ -817,20 +814,17 @@
        "node_modules/@chevrotain/regexp-to-ast": {
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-11.0.3.tgz",
-            "integrity": "sha512-1fMHaBZxLFvWI067AVbGJav1eRY7N8DDvYCTwGBiE/ytKBgP8azTdgyrKyWZ9Mfh09eHWb5PgTSO8wi7U824RA==",
-            "license": "Apache-2.0"
+            "integrity": "sha512-1fMHaBZxLFvWI067AVbGJav1eRY7N8DDvYCTwGBiE/ytKBgP8azTdgyrKyWZ9Mfh09eHWb5PgTSO8wi7U824RA=="
        },
        "node_modules/@chevrotain/types": {
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.0.3.tgz",
-            "integrity": "sha512-gsiM3G8b58kZC2HaWR50gu6Y1440cHiJ+i3JUvcp/35JchYejb2+5MVeJK0iKThYpAa/P2PYFV4hoi44HD+aHQ==",
-            "license": "Apache-2.0"
+            "integrity": "sha512-gsiM3G8b58kZC2HaWR50gu6Y1440cHiJ+i3JUvcp/35JchYejb2+5MVeJK0iKThYpAa/P2PYFV4hoi44HD+aHQ=="
        },
        "node_modules/@chevrotain/utils": {
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-11.0.3.tgz",
-            "integrity": "sha512-YslZMgtJUyuMbZ+aKvfF3x1f5liK4mWNxghFRv7jqRR9C3R3fAOGTTKvxXDa2Y1s9zSbcpuO0cAxDYsc9SrXoQ==",
-            "license": "Apache-2.0"
+            "integrity": "sha512-YslZMgtJUyuMbZ+aKvfF3x1f5liK4mWNxghFRv7jqRR9C3R3fAOGTTKvxXDa2Y1s9zSbcpuO0cAxDYsc9SrXoQ=="
        },
        "node_modules/@codemirror/autocomplete": {
            "version": "6.18.1",
@ -905,10 +899,9 @@
            }
        },
        "node_modules/@codemirror/lang-python": {
-            "version": "6.2.1",
-            "resolved": "https://registry.npmjs.org/@codemirror/lang-python/-/lang-python-6.2.1.tgz",
-            "integrity": "sha512-IRjC8RUBhn9mGR9ywecNhB51yePWCGgvHfY1lWN/Mrp3cKuHr0isDKia+9HnvhiWNnMpbGhWrkhuWOc09exRyw==",
-            "license": "MIT",
+            "version": "6.1.6",
+            "resolved": "https://registry.npmjs.org/@codemirror/lang-python/-/lang-python-6.1.6.tgz",
+            "integrity": "sha512-ai+01WfZhWqM92UqjnvorkxosZ2aq2u28kHvr+N3gu012XqY2CThD67JPMHnGceRfXPDBmn1HnyqowdpF57bNg==",
            "dependencies": {
                "@codemirror/autocomplete": "^6.3.2",
                "@codemirror/language": "^6.8.0",
@ -1706,10 +1699,9 @@
            }
        },
        "node_modules/@fortawesome/fontawesome-free": {
-            "version": "6.7.2",
-            "resolved": "https://registry.npmjs.org/@fortawesome/fontawesome-free/-/fontawesome-free-6.7.2.tgz",
-            "integrity": "sha512-JUOtgFW6k9u4Y+xeIaEiLr3+cjoUPiAuLXoyKOJSia6Duzb7pq+A76P9ZdPDoAoxHdHzq6gE9/jKBGXlZT8FbA==",
-            "license": "(CC-BY-4.0 AND OFL-1.1 AND MIT)",
+            "version": "6.6.0",
+            "resolved": "https://registry.npmjs.org/@fortawesome/fontawesome-free/-/fontawesome-free-6.6.0.tgz",
+            "integrity": "sha512-60G28ke/sXdtS9KZCpZSHHkCbdsOGEhIUGlwq6yhY74UpTiToIh8np7A8yphhM4BWsvNFtIvLpi4co+h9Mr9Ow==",
            "engines": {
                "node": ">=6"
            }
@ -1729,9 +1721,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2025.6.1-1749515784",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.6.1-1749515784.tgz",
-            "integrity": "sha512-0yN4vJ2/grtNz6OVNMW34gd6TylBeyTSoH1Zlr7e2yeAbg+oZB8WmpLLCZGqvOguYGN6vYEYrPQF1k3RJohmlQ=="
+            "version": "2025.6.0-1749054550",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.6.0-1749054550.tgz",
+            "integrity": "sha512-4HrejUEsPTcM97VRkl+KhsueBpCrfjLoG+qr43I3Ea71YVzi/U1cefUl6HOxIr5Z2MMv67kieAzbE4MrFzhbgg=="
        },
        "node_modules/@goauthentik/core": {
            "resolved": "packages/core",
@ -2588,57 +2580,6 @@
                "@lit/reactive-element": "^1.0.0 || ^2.0.0"
            }
        },
-        "node_modules/@material/mwc-icon": {
-            "version": "0.25.3",
-            "resolved": "https://registry.npmjs.org/@material/mwc-icon/-/mwc-icon-0.25.3.tgz",
-            "integrity": "sha512-36076AWZIRSr8qYOLjuDDkxej/HA0XAosrj7TS1ZeLlUBnLUtbDtvc1S7KSa0hqez7ouzOqGaWK24yoNnTa2OA==",
-            "deprecated": "MWC beta is longer supported. Please upgrade to @material/web",
-            "license": "Apache-2.0",
-            "dependencies": {
-                "lit": "^2.0.0",
-                "tslib": "^2.0.1"
-            }
-        },
-        "node_modules/@material/mwc-icon/node_modules/@lit/reactive-element": {
-            "version": "1.6.3",
-            "resolved": "https://registry.npmjs.org/@lit/reactive-element/-/reactive-element-1.6.3.tgz",
-            "integrity": "sha512-QuTgnG52Poic7uM1AN5yJ09QMe0O28e10XzSvWDz02TJiiKee4stsiownEIadWm8nYzyDAyT+gKzUoZmiWQtsQ==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit-labs/ssr-dom-shim": "^1.0.0"
-            }
-        },
-        "node_modules/@material/mwc-icon/node_modules/lit": {
-            "version": "2.8.0",
-            "resolved": "https://registry.npmjs.org/lit/-/lit-2.8.0.tgz",
-            "integrity": "sha512-4Sc3OFX9QHOJaHbmTMk28SYgVxLN3ePDjg7hofEft2zWlehFL3LiAuapWc4U/kYwMYJSh2hTCPZ6/LIC7ii0MA==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit/reactive-element": "^1.6.0",
-                "lit-element": "^3.3.0",
-                "lit-html": "^2.8.0"
-            }
-        },
-        "node_modules/@material/mwc-icon/node_modules/lit-element": {
-            "version": "3.3.3",
-            "resolved": "https://registry.npmjs.org/lit-element/-/lit-element-3.3.3.tgz",
-            "integrity": "sha512-XbeRxmTHubXENkV4h8RIPyr8lXc+Ff28rkcQzw3G6up2xg5E8Zu1IgOWIwBLEQsu3cOVFqdYwiVi0hv0SlpqUA==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit-labs/ssr-dom-shim": "^1.1.0",
-                "@lit/reactive-element": "^1.3.0",
-                "lit-html": "^2.8.0"
-            }
-        },
-        "node_modules/@material/mwc-icon/node_modules/lit-html": {
-            "version": "2.8.0",
-            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-2.8.0.tgz",
-            "integrity": "sha512-o9t+MQM3P4y7M7yNzqAyjp7z+mQGa4NS4CxiyLqFPyFWyc4O+nodLrkrxSaCTrla6M5YOLaT3RpbbqjszB5g3Q==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@types/trusted-types": "^2.0.2"
-            }
-        },
        "node_modules/@mdx-js/mdx": {
            "version": "3.1.0",
            "resolved": "https://registry.npmjs.org/@mdx-js/mdx/-/mdx-3.1.0.tgz",
@ -2703,12 +2644,11 @@
            }
        },
        "node_modules/@mermaid-js/parser": {
-            "version": "0.4.0",
-            "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-0.4.0.tgz",
-            "integrity": "sha512-wla8XOWvQAwuqy+gxiZqY+c7FokraOTHRWMsbB4AgRx9Sy7zKslNyejy7E+a77qHfey5GXw/ik3IXv/NHMJgaA==",
-            "license": "MIT",
+            "version": "0.3.0",
+            "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-0.3.0.tgz",
+            "integrity": "sha512-HsvL6zgE5sUPGgkIDlmAWR1HTNHz2Iy11BAWPTa4Jjabkpguy4Ze2gzfLrg6pdRuBvFwgUYyxiaNqZwrEEXepA==",
            "dependencies": {
-                "langium": "3.3.1"
+                "langium": "3.0.0"
            }
        },
        "node_modules/@napi-rs/nice": {
@ -4530,75 +4470,75 @@
            "dev": true
        },
        "node_modules/@sentry-internal/browser-utils": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.28.1.tgz",
-            "integrity": "sha512-P/FEZkT7UqTw9P/2n/Y4Aa1OtGP6dnCvyqzPPkjiRdVa7Ep7S5ElBJloGv7077TLLBtAfCsEUVRlM1F6/jQoaA==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.24.0.tgz",
+            "integrity": "sha512-fWIrHyui8KKufnbqhGyDvvr+u9wiOEEzxXEjs/CKp+6fa+jej6Mk8K+su1f/mz7R3HVzhxvht/gZ+y193uK4qw==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.24.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/feedback": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.28.1.tgz",
-            "integrity": "sha512-HOk/c26D3nlClO/xEefev8fIJzRA621PFQvNFPu/y0Z5HujEqSmIsrff0cXszPPYD95h4Mwk63E0ZYdspdeXcw==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.24.0.tgz",
+            "integrity": "sha512-Z9jQqKzRppwAEqiytLWNV8JOo52vlxcSGz52FjKx3KXG75PXwk0M3sBXh762WoGLisUIRLTp8LOk6304L/O8dg==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.24.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.28.1.tgz",
-            "integrity": "sha512-Tv9pkfAX+1bmhxF42TL0c4uTiK2+rp5LMYEPdz6JBfpfvG/Z1unPGsuB7fQmHYKyfHBQJmi92DZV+smljm7w/g==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.24.0.tgz",
+            "integrity": "sha512-312wMPeQI8K2vO/lA/CF6Uv5UReoZC7RarsNUJEoOKa9Bq1BXWUq929oTHzu/2NDv194H2u3eqSGsSp6xiuKTw==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "9.28.1",
-                "@sentry/core": "9.28.1"
+                "@sentry-internal/browser-utils": "9.24.0",
+                "@sentry/core": "9.24.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay-canvas": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.28.1.tgz",
-            "integrity": "sha512-RtkogfcIpXLFCyV8CTnXmVTH2QauT/KwmUAXBbeOz3rRWsM19yjN1moHrsjxn7OdjTv+D4qWSCA8Ka1aKSpr7g==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.24.0.tgz",
+            "integrity": "sha512-506RdDF6iE8hMyzpzp9Vc0GM7kELxxs7UCoi/6KpvXFftcydWI3S2bru8dEZsxVoKh2hdle6SpbNgl+iPI0DSQ==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/replay": "9.28.1",
-                "@sentry/core": "9.28.1"
+                "@sentry-internal/replay": "9.24.0",
+                "@sentry/core": "9.24.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/browser": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.28.1.tgz",
-            "integrity": "sha512-XAS46iQSq8lXTnv9udQP025JTf3PwSVRE9ePJVQhx25QBWxedqGhEOv5qqX9b1Ijf8KiZYXXhBWMQxBBXVzUaw==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.24.0.tgz",
+            "integrity": "sha512-RP+27/owvIqD4J0TibIHK1UcA7iObxLOXBEilDKjaJOZMLhv3JkpU8A+UI9pFzEYqeIGVDDaBzYgbCHrLWcoCA==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "9.28.1",
-                "@sentry-internal/feedback": "9.28.1",
-                "@sentry-internal/replay": "9.28.1",
-                "@sentry-internal/replay-canvas": "9.28.1",
-                "@sentry/core": "9.28.1"
+                "@sentry-internal/browser-utils": "9.24.0",
+                "@sentry-internal/feedback": "9.24.0",
+                "@sentry-internal/replay": "9.24.0",
+                "@sentry-internal/replay-canvas": "9.24.0",
+                "@sentry/core": "9.24.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/core": {
-            "version": "9.28.1",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.28.1.tgz",
-            "integrity": "sha512-6q59r/71MeE+4StkvwdKAAyhBBNpWcii0HeiWBZ3l1gaFYQlb6bChjZJRZmxSzF5dnvkdF4duQbAC3JmjeIbPA==",
+            "version": "9.24.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.24.0.tgz",
+            "integrity": "sha512-uRWrB4Y49ZOWcDLCXqdjd2Fs6Onill0GQI+JgXMw7wa+i03+QRiQvUAUyde8O62jR4dvP3GDo9PDWnDNhi3z5A==",
            "license": "MIT",
            "engines": {
                "node": ">=18"
@ -4769,15 +4709,15 @@
            }
        },
        "node_modules/@spotlightjs/overlay": {
-            "version": "3.0.0",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/overlay/-/overlay-3.0.0.tgz",
-            "integrity": "sha512-0b03WtsykqpcOKmjDRnRZf0GGfaEB6ZHGctLZZxFK4NHTDBNJ6BaQZjunr4XU35kKR5BT2OFp5E/DPKluih0Hg==",
+            "version": "2.15.1",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/overlay/-/overlay-2.15.1.tgz",
+            "integrity": "sha512-5TpHWFRiTm8rrNINOQs9iFsqVnguFGHU1cK/bmhrysNzts4tYQT9d+kWvl++GlItKezIPbu5xPD9VoapO30cyw==",
            "license": "Apache-2.0"
        },
        "node_modules/@spotlightjs/sidecar": {
-            "version": "1.11.4",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/sidecar/-/sidecar-1.11.4.tgz",
-            "integrity": "sha512-8uDJNhvt6uVNvIoBltjRBqb0a//SxkKoyPACtNjq9k9qMYSfFhE0RVtgqnJNBineXeJfxzK5uvzeG/X7pEhYeQ==",
+            "version": "1.11.3",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/sidecar/-/sidecar-1.11.3.tgz",
+            "integrity": "sha512-2FNZjnvJH71pAsYlJA/LIaEZ0jdtjqrlD58F/xJ5ZhI7z6US5zIqE7DMrqaK/tvObFam71CyCncKHRG6M0l6Cg==",
            "license": "Apache-2.0",
            "dependencies": {
                "@jridgewell/trace-mapping": "^0.3.25",
@ -4793,21 +4733,21 @@
            }
        },
        "node_modules/@spotlightjs/spotlight": {
-            "version": "3.0.0",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/spotlight/-/spotlight-3.0.0.tgz",
-            "integrity": "sha512-dkMineYpONLUmkHh7gvBhjf34ES8a08KDQXNem9/0JzAMy/bXSDlC95sqkX9wDfKWjq2rJKYjJulNtCuGHDaeA==",
+            "version": "2.13.3",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/spotlight/-/spotlight-2.13.3.tgz",
+            "integrity": "sha512-wDnXJaSVexPC/+blgXXx2AYCk7S+5lT4TCJmu0HZAVtYd2sDgNub/wAOitsKYxvpRtIQnPe55IlvL4r1X7goSg==",
            "license": "Apache-2.0",
            "dependencies": {
                "@sentry/node": "^8.49.0",
-                "@spotlightjs/overlay": "3.0.0",
-                "@spotlightjs/sidecar": "1.11.4",
+                "@spotlightjs/overlay": "2.15.1",
+                "@spotlightjs/sidecar": "1.11.3",
                "import-meta-resolve": "^4.1.0"
            },
            "bin": {
                "spotlight": "bin/run.js"
            },
            "engines": {
-                "node": ">=20"
+                "node": ">=18"
            }
        },
        "node_modules/@stencil/core": {
@ -7139,11 +7079,10 @@
            "dev": true
        },
        "node_modules/@types/mocha": {
-            "version": "10.0.10",
-            "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.10.tgz",
-            "integrity": "sha512-xPyYSz1cMPnJQhl0CLMH68j3gprKZaTjG3s5Vi+fDgx+uhG9NOXwbVt52eFS8ECyXhyKcjDLCBEqBExKuiZb7Q==",
-            "dev": true,
-            "license": "MIT"
+            "version": "10.0.8",
+            "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.8.tgz",
+            "integrity": "sha512-HfMcUmy9hTMJh66VNcmeC9iVErIZJli2bszuXc6julh5YGuRb/W5OnkHjwLNYdFlMis0sY3If5SEAp+PktdJjw==",
+            "dev": true
        },
        "node_modules/@types/ms": {
            "version": "2.1.0",
@ -7389,17 +7328,17 @@
            }
        },
        "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.34.0.tgz",
-            "integrity": "sha512-QXwAlHlbcAwNlEEMKQS2RCgJsgXrTJdjXT08xEgbPFa2yYQgVjBymxP5DrfrE7X7iodSzd9qBUHUycdyVJTW1w==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.0.tgz",
+            "integrity": "sha512-CACyQuqSHt7ma3Ns601xykeBK/rDeZa3w6IS6UtMQbixO5DWy+8TilKkviGDH6jtWCo8FGRKEK5cLLkPvEammQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/type-utils": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/type-utils": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "graphemer": "^1.4.0",
                "ignore": "^7.0.0",
                "natural-compare": "^1.4.0",
@ -7413,7 +7352,7 @@
                "url": "https://opencollective.com/typescript-eslint"
            },
            "peerDependencies": {
-                "@typescript-eslint/parser": "^8.34.0",
+                "@typescript-eslint/parser": "^8.33.0",
                "eslint": "^8.57.0 || ^9.0.0",
                "typescript": ">=4.8.4 <5.9.0"
            }
@ -7429,16 +7368,16 @@
            }
        },
        "node_modules/@typescript-eslint/parser": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.34.0.tgz",
-            "integrity": "sha512-vxXJV1hVFx3IXz/oy2sICsJukaBrtDEQSBiV48/YIV5KWjX1dO+bcIr/kCPrW6weKXvsaGKFNlwH0v2eYdRRbA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.0.tgz",
+            "integrity": "sha512-JaehZvf6m0yqYp34+RVnihBAChkqeH+tqqhS0GuX1qgPpwLvmTPheKEs6OeCK6hVJgXZHJ2vbjnC9j119auStQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/typescript-estree": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "debug": "^4.3.4"
            },
            "engines": {
@ -7454,14 +7393,14 @@
            }
        },
        "node_modules/@typescript-eslint/project-service": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.0.tgz",
-            "integrity": "sha512-iEgDALRf970/B2YExmtPMPF54NenZUf4xpL3wsCRx/lgjz6ul/l13R81ozP/ZNuXfnLCS+oPmG7JIxfdNYKELw==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.0.tgz",
+            "integrity": "sha512-d1hz0u9l6N+u/gcrk6s6gYdl7/+pp8yHheRTqP6X5hVDKALEaTn8WfGiit7G511yueBEL3OpOEpD+3/MBdoN+A==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.34.0",
-                "@typescript-eslint/types": "^8.34.0",
+                "@typescript-eslint/tsconfig-utils": "^8.33.0",
+                "@typescript-eslint/types": "^8.33.0",
                "debug": "^4.3.4"
            },
            "engines": {
@ -7470,20 +7409,17 @@
            "funding": {
                "type": "opencollective",
                "url": "https://opencollective.com/typescript-eslint"
-            },
-            "peerDependencies": {
-                "typescript": ">=4.8.4 <5.9.0"
            }
        },
        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.0.tgz",
-            "integrity": "sha512-9Ac0X8WiLykl0aj1oYQNcLZjHgBojT6cW68yAgZ19letYu+Hxd0rE0veI1XznSSst1X5lwnxhPbVdwjDRIomRw==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.0.tgz",
+            "integrity": "sha512-LMi/oqrzpqxyO72ltP+dBSP6V0xiUb4saY7WLtxSfiNEBI8m321LLVFU9/QDJxjDQG9/tjSqKz/E3380TEqSTw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0"
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -7494,9 +7430,9 @@
            }
        },
        "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.0.tgz",
-            "integrity": "sha512-+W9VYHKFIzA5cBeooqQxqNriAP0QeQ7xTiDuIOr71hzgffm3EL2hxwWBIIj4GuofIbKxGNarpKqIq6Q6YrShOA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.0.tgz",
+            "integrity": "sha512-sTkETlbqhEoiFmGr1gsdq5HyVbSOF0145SYDJ/EQmXHtKViCaGvnyLqWFFHtEXoS0J1yU8Wyou2UGmgW88fEug==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -7511,14 +7447,14 @@
            }
        },
        "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.34.0.tgz",
-            "integrity": "sha512-n7zSmOcUVhcRYC75W2pnPpbO1iwhJY3NLoHEtbJwJSNlVAZuwqu05zY3f3s2SDWWDSo9FdN5szqc73DCtDObAg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.0.tgz",
+            "integrity": "sha512-lScnHNCBqL1QayuSrWeqAL5GmqNdVUQAAMTaCwdYEdWfIrSrOGzyLGRCHXcCixa5NK6i5l0AfSO2oBSjCjf4XQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0",
                "debug": "^4.3.4",
                "ts-api-utils": "^2.1.0"
            },
@ -7535,9 +7471,9 @@
            }
        },
        "node_modules/@typescript-eslint/types": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.0.tgz",
-            "integrity": "sha512-9V24k/paICYPniajHfJ4cuAWETnt7Ssy+R0Rbcqo5sSFr3QEZ/8TSoUi9XeXVBGXCaLtwTOKSLGcInCAvyZeMA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.0.tgz",
+            "integrity": "sha512-DKuXOKpM5IDT1FA2g9x9x1Ug81YuKrzf4mYX8FAVSNu5Wo/LELHWQyM1pQaDkI42bX15PWl0vNPt1uGiIFUOpg==",
            "dev": true,
            "license": "MIT",
            "engines": {
@ -7549,16 +7485,16 @@
            }
        },
        "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.0.tgz",
-            "integrity": "sha512-rOi4KZxI7E0+BMqG7emPSK1bB4RICCpF7QD3KCLXn9ZvWoESsOMlHyZPAHyG04ujVplPaHbmEvs34m+wjgtVtg==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.0.tgz",
+            "integrity": "sha512-vegY4FQoB6jL97Tu/lWRsAiUUp8qJTqzAmENH2k59SJhw0Th1oszb9Idq/FyyONLuNqT1OADJPXfyUNOR8SzAQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/project-service": "8.34.0",
-                "@typescript-eslint/tsconfig-utils": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/visitor-keys": "8.34.0",
+                "@typescript-eslint/project-service": "8.33.0",
+                "@typescript-eslint/tsconfig-utils": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/visitor-keys": "8.33.0",
                "debug": "^4.3.4",
                "fast-glob": "^3.3.2",
                "is-glob": "^4.0.3",
@ -7578,16 +7514,16 @@
            }
        },
        "node_modules/@typescript-eslint/utils": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.0.tgz",
-            "integrity": "sha512-8L4tWatGchV9A1cKbjaavS6mwYwp39jql8xUmIIKJdm+qiaeHy5KMKlBrf30akXAWBzn2SqKsNOtSENWUwg7XQ==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.0.tgz",
+            "integrity": "sha512-lPFuQaLA9aSNa7D5u2EpRiqdAUhzShwGg/nhpBlc4GR6kcTABttCuyjFs8BcEZ8VWrjCBof/bePhP3Q3fS+Yrw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.34.0",
-                "@typescript-eslint/types": "8.34.0",
-                "@typescript-eslint/typescript-estree": "8.34.0"
+                "@typescript-eslint/scope-manager": "8.33.0",
+                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -7602,13 +7538,13 @@
            }
        },
        "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.0.tgz",
-            "integrity": "sha512-qHV7pW7E85A0x6qyrFn+O+q1k1p3tQCsqIZ1KZ5ESLXY57aTvUd3/a4rdPTeXisvhXn2VQG0VSKUqs8KHF2zcA==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.0.tgz",
+            "integrity": "sha512-7RW7CMYoskiz5OOGAWjJFxgb7c5UNjTG292gYhWeOAcFmYCtVCSqjqSBj5zMhxbXo2JOW95YYrUWJfU0zrpaGQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/types": "8.33.0",
                "eslint-visitor-keys": "^4.2.0"
            },
            "engines": {
@ -7620,9 +7556,9 @@
            }
        },
        "node_modules/@typescript-eslint/visitor-keys/node_modules/eslint-visitor-keys": {
-            "version": "4.2.1",
-            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
-            "integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
+            "version": "4.2.0",
+            "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz",
+            "integrity": "sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw==",
            "dev": true,
            "license": "Apache-2.0",
            "engines": {
@ -11806,7 +11742,6 @@
            "version": "11.0.3",
            "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.0.3.tgz",
            "integrity": "sha512-ci2iJH6LeIkvP9eJW6gpueU8cnZhv85ELY8w8WiFtNjMHA5ad6pQLaJo9mEly/9qUyCpvqX8/POVUTf18/HFdw==",
-            "license": "Apache-2.0",
            "dependencies": {
                "@chevrotain/cst-dts-gen": "11.0.3",
                "@chevrotain/gast": "11.0.3",
@ -11820,7 +11755,6 @@
            "version": "0.3.1",
            "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.3.1.tgz",
            "integrity": "sha512-b7g+y9A0v4mxCW1qUhf3BSVPg+/NvGErk/dOkrDaHA0nQIQGAtrOjlX//9OQtRlSCy+x9rfB5N8yC71lH1nvMw==",
-            "license": "MIT",
            "dependencies": {
                "lodash-es": "^4.17.21"
            },
@ -16992,12 +16926,6 @@
            "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==",
            "dev": true
        },
-        "node_modules/hotkeys-js": {
-            "version": "3.8.7",
-            "resolved": "https://registry.npmjs.org/hotkeys-js/-/hotkeys-js-3.8.7.tgz",
-            "integrity": "sha512-ckAx3EkUr5XjDwjEHDorHxRO2Kb7z6Z2Sxul4MbBkN8Nho7XDslQsgMJT+CiJ5Z4TgRxxvKHEpuLE3imzqy4Lg==",
-            "license": "MIT"
-        },
        "node_modules/html-escaper": {
            "version": "2.0.2",
            "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@ -17201,9 +17129,9 @@
            }
        },
        "node_modules/import-in-the-middle": {
-            "version": "1.14.0",
-            "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.14.0.tgz",
-            "integrity": "sha512-g5zLT0HaztRJWysayWYiUq/7E5H825QIiecMD2pI5QO7Wzr847l6GDvPvmZaDIdrDtS2w7qRczywxiK6SL5vRw==",
+            "version": "1.13.2",
+            "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.13.2.tgz",
+            "integrity": "sha512-Yjp9X7s2eHSXvZYQ0aye6UvwYPrVB5C2k47fuXjFKnYinAByaDZjh4t9MT2wEga9775n6WaIqyHnQhBxYtX2mg==",
            "license": "Apache-2.0",
            "dependencies": {
                "acorn": "^8.14.0",
@ -19131,10 +19059,9 @@
            "integrity": "sha512-Y+60/zizpJ3HRH8DCss+q95yr6145JXZo46OTpFvDZWLfRCE4qChOyk1b26nMaNpfHHgxagk9dXT5OP0Tfe+dQ=="
        },
        "node_modules/langium": {
-            "version": "3.3.1",
-            "resolved": "https://registry.npmjs.org/langium/-/langium-3.3.1.tgz",
-            "integrity": "sha512-QJv/h939gDpvT+9SiLVlY7tZC3xB2qK57v0J04Sh9wpMb6MP1q8gB21L3WIo8T5P1MSMg3Ep14L7KkDCFG3y4w==",
-            "license": "MIT",
+            "version": "3.0.0",
+            "resolved": "https://registry.npmjs.org/langium/-/langium-3.0.0.tgz",
+            "integrity": "sha512-+Ez9EoiByeoTu/2BXmEaZ06iPNXM6thWJp02KfBO/raSMyCJ4jw7AkWWa+zBCTm0+Tw1Fj9FOxdqSskyN5nAwg==",
            "dependencies": {
                "chevrotain": "~11.0.3",
                "chevrotain-allstar": "~0.3.0",
@ -19766,10 +19693,9 @@
            }
        },
        "node_modules/marked": {
-            "version": "15.0.12",
-            "resolved": "https://registry.npmjs.org/marked/-/marked-15.0.12.tgz",
-            "integrity": "sha512-8dD6FusOQSrpv9Z1rdNMdlSgQOIP880DHqnohobOmYLElGEqAL/JvxvuxZO16r4HtjTlfPRDC1hbvxC9dPN2nA==",
-            "license": "MIT",
+            "version": "13.0.3",
+            "resolved": "https://registry.npmjs.org/marked/-/marked-13.0.3.tgz",
+            "integrity": "sha512-rqRix3/TWzE9rIoFGIn8JmsVfhiuC8VIQ8IdX5TfzmeBucdY05/0UlzKaw0eVtpcN/OdVFpBk7CjKGo9iHJ/zA==",
            "bin": {
                "marked": "bin/marked.js"
            },
@ -20222,31 +20148,31 @@
            }
        },
        "node_modules/mermaid": {
-            "version": "11.6.0",
-            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.6.0.tgz",
-            "integrity": "sha512-PE8hGUy1LDlWIHWBP05SFdqUHGmRcCcK4IzpOKPE35eOw+G9zZgcnMpyunJVUEOgb//KBORPjysKndw8bFLuRg==",
+            "version": "11.4.1",
+            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.4.1.tgz",
+            "integrity": "sha512-Mb01JT/x6CKDWaxigwfZYuYmDZ6xtrNwNlidKZwkSrDaY9n90tdrJTV5Umk+wP1fZscGptmKFXHsXMDEVZ+Q6A==",
            "license": "MIT",
            "dependencies": {
-                "@braintree/sanitize-url": "^7.0.4",
-                "@iconify/utils": "^2.1.33",
-                "@mermaid-js/parser": "^0.4.0",
+                "@braintree/sanitize-url": "^7.0.1",
+                "@iconify/utils": "^2.1.32",
+                "@mermaid-js/parser": "^0.3.0",
                "@types/d3": "^7.4.3",
-                "cytoscape": "^3.29.3",
+                "cytoscape": "^3.29.2",
                "cytoscape-cose-bilkent": "^4.1.0",
                "cytoscape-fcose": "^2.2.0",
                "d3": "^7.9.0",
                "d3-sankey": "^0.12.3",
                "dagre-d3-es": "7.0.11",
-                "dayjs": "^1.11.13",
-                "dompurify": "^3.2.4",
+                "dayjs": "^1.11.10",
+                "dompurify": "^3.2.1",
                "katex": "^0.16.9",
                "khroma": "^2.1.0",
                "lodash-es": "^4.17.21",
-                "marked": "^15.0.7",
+                "marked": "^13.0.2",
                "roughjs": "^4.6.6",
-                "stylis": "^4.3.6",
+                "stylis": "^4.3.1",
                "ts-dedent": "^2.2.0",
-                "uuid": "^11.1.0"
+                "uuid": "^9.0.1"
            }
        },
        "node_modules/mermaid-isomorphic": {
@ -20270,19 +20196,6 @@
                }
            }
        },
-        "node_modules/mermaid/node_modules/uuid": {
-            "version": "11.1.0",
-            "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-            "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
-            "funding": [
-                "https://github.com/sponsors/broofa",
-                "https://github.com/sponsors/ctavan"
-            ],
-            "license": "MIT",
-            "bin": {
-                "uuid": "dist/esm/bin/uuid"
-            }
-        },
        "node_modules/micromark": {
            "version": "4.0.2",
            "resolved": "https://registry.npmjs.org/micromark/-/micromark-4.0.2.tgz",
@ -21690,57 +21603,6 @@
            "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
            "dev": true
        },
-        "node_modules/ninja-keys": {
-            "version": "1.2.2",
-            "resolved": "https://registry.npmjs.org/ninja-keys/-/ninja-keys-1.2.2.tgz",
-            "integrity": "sha512-ylo8jzKowi3XBHkgHRjBJaKQkl32WRLr7kRiA0ajiku11vHRDJ2xANtTScR5C7XlDwKEOYvUPesCKacUeeLAYw==",
-            "license": "MIT",
-            "dependencies": {
-                "@material/mwc-icon": "0.25.3",
-                "hotkeys-js": "3.8.7",
-                "lit": "2.2.6"
-            }
-        },
-        "node_modules/ninja-keys/node_modules/@lit/reactive-element": {
-            "version": "1.6.3",
-            "resolved": "https://registry.npmjs.org/@lit/reactive-element/-/reactive-element-1.6.3.tgz",
-            "integrity": "sha512-QuTgnG52Poic7uM1AN5yJ09QMe0O28e10XzSvWDz02TJiiKee4stsiownEIadWm8nYzyDAyT+gKzUoZmiWQtsQ==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit-labs/ssr-dom-shim": "^1.0.0"
-            }
-        },
-        "node_modules/ninja-keys/node_modules/lit": {
-            "version": "2.2.6",
-            "resolved": "https://registry.npmjs.org/lit/-/lit-2.2.6.tgz",
-            "integrity": "sha512-K2vkeGABfSJSfkhqHy86ujchJs3NR9nW1bEEiV+bXDkbiQ60Tv5GUausYN2mXigZn8lC1qXuc46ArQRKYmumZw==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit/reactive-element": "^1.3.0",
-                "lit-element": "^3.2.0",
-                "lit-html": "^2.2.0"
-            }
-        },
-        "node_modules/ninja-keys/node_modules/lit-element": {
-            "version": "3.3.3",
-            "resolved": "https://registry.npmjs.org/lit-element/-/lit-element-3.3.3.tgz",
-            "integrity": "sha512-XbeRxmTHubXENkV4h8RIPyr8lXc+Ff28rkcQzw3G6up2xg5E8Zu1IgOWIwBLEQsu3cOVFqdYwiVi0hv0SlpqUA==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@lit-labs/ssr-dom-shim": "^1.1.0",
-                "@lit/reactive-element": "^1.3.0",
-                "lit-html": "^2.8.0"
-            }
-        },
-        "node_modules/ninja-keys/node_modules/lit-html": {
-            "version": "2.8.0",
-            "resolved": "https://registry.npmjs.org/lit-html/-/lit-html-2.8.0.tgz",
-            "integrity": "sha512-o9t+MQM3P4y7M7yNzqAyjp7z+mQGa4NS4CxiyLqFPyFWyc4O+nodLrkrxSaCTrla6M5YOLaT3RpbbqjszB5g3Q==",
-            "license": "BSD-3-Clause",
-            "dependencies": {
-                "@types/trusted-types": "^2.0.2"
-            }
-        },
        "node_modules/node-abort-controller": {
            "version": "3.1.1",
            "resolved": "https://registry.npmjs.org/node-abort-controller/-/node-abort-controller-3.1.1.tgz",
@ -25994,10 +25856,9 @@
            }
        },
        "node_modules/stylis": {
-            "version": "4.3.6",
-            "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.6.tgz",
-            "integrity": "sha512-yQ3rwFWRfwNUY7H5vpU0wfdkNSnvnJinhF9830Swlaxl03zsOjCfmX0ugac+3LtK0lYSgwL/KXc8oYL3mG4YFQ==",
-            "license": "MIT"
+            "version": "4.3.4",
+            "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.4.tgz",
+            "integrity": "sha512-osIBl6BGUmSfDkyH2mB7EFvCJntXDrLhKjHTRj/rK6xLH0yuPrHULDRQzKokSOD4VoorhtKpfcfW1GAntu8now=="
        },
        "node_modules/supports-color": {
            "version": "5.5.0",
@ -26484,10 +26345,9 @@
            "license": "MIT"
        },
        "node_modules/ts-pattern": {
-            "version": "5.7.1",
-            "resolved": "https://registry.npmjs.org/ts-pattern/-/ts-pattern-5.7.1.tgz",
-            "integrity": "sha512-EGs8PguQqAAUIcQfK4E9xdXxB6s2GK4sJfT/vcc9V1ELIvC4LH/zXu2t/5fajtv6oiRCxdv7BgtVK3vWgROxag==",
-            "license": "MIT"
+            "version": "5.4.0",
+            "resolved": "https://registry.npmjs.org/ts-pattern/-/ts-pattern-5.4.0.tgz",
+            "integrity": "sha512-hgfOMfjlrARCnYtGD/xEAkFHDXuSyuqjzFSltyQCbN689uNvoQL20TVN2XFcLMjfNuwSsQGU+xtH6MrjIwhwUg=="
        },
        "node_modules/ts-simple-type": {
            "version": "2.0.0-next.0",
@ -27194,15 +27054,15 @@
            }
        },
        "node_modules/typescript-eslint": {
-            "version": "8.34.0",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.34.0.tgz",
-            "integrity": "sha512-MRpfN7uYjTrTGigFCt8sRyNqJFhjN0WwZecldaqhWm+wy0gaRt8Edb/3cuUy0zdq2opJWT6iXINKAtewnDOltQ==",
+            "version": "8.33.0",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.0.tgz",
+            "integrity": "sha512-5YmNhF24ylCsvdNW2oJwMzTbaeO4bg90KeGtMjUw0AGtHksgEPLRTUil+coHwCfiu4QjVJFnjp94DmU6zV7DhQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.34.0",
-                "@typescript-eslint/parser": "8.34.0",
-                "@typescript-eslint/utils": "8.34.0"
+                "@typescript-eslint/eslint-plugin": "8.33.0",
+                "@typescript-eslint/parser": "8.33.0",
+                "@typescript-eslint/utils": "8.33.0"
            },
            "engines": {
                "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -27690,7 +27550,6 @@
            "version": "9.0.1",
            "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
            "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
-            "dev": true,
            "funding": [
                "https://github.com/sponsors/broofa",
                "https://github.com/sponsors/ctavan"
@ -28351,7 +28210,6 @@
            "version": "8.2.0",
            "resolved": "https://registry.npmjs.org/vscode-jsonrpc/-/vscode-jsonrpc-8.2.0.tgz",
            "integrity": "sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==",
-            "license": "MIT",
            "engines": {
                "node": ">=14.0.0"
            }
@ -28360,7 +28218,6 @@
            "version": "9.0.1",
            "resolved": "https://registry.npmjs.org/vscode-languageserver/-/vscode-languageserver-9.0.1.tgz",
            "integrity": "sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==",
-            "license": "MIT",
            "dependencies": {
                "vscode-languageserver-protocol": "3.17.5"
            },
@ -28372,7 +28229,6 @@
            "version": "3.17.5",
            "resolved": "https://registry.npmjs.org/vscode-languageserver-protocol/-/vscode-languageserver-protocol-3.17.5.tgz",
            "integrity": "sha512-mb1bvRJN8SVznADSGWM9u/b07H7Ecg0I3OgXDuLdn307rl/J3A9YD6/eYOssqhecL27hK1IPZAsaqh00i/Jljg==",
-            "license": "MIT",
            "dependencies": {
                "vscode-jsonrpc": "8.2.0",
                "vscode-languageserver-types": "3.17.5"
@ -28381,8 +28237,7 @@
        "node_modules/vscode-languageserver-protocol/node_modules/vscode-languageserver-types": {
            "version": "3.17.5",
            "resolved": "https://registry.npmjs.org/vscode-languageserver-types/-/vscode-languageserver-types-3.17.5.tgz",
-            "integrity": "sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg==",
-            "license": "MIT"
+            "integrity": "sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg=="
        },
        "node_modules/vscode-languageserver-textdocument": {
            "version": "1.0.12",
@ -28404,8 +28259,7 @@
        "node_modules/vscode-uri": {
            "version": "3.0.8",
            "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.0.8.tgz",
-            "integrity": "sha512-AyFQ0EVmsOZOlAnxoFOGOq1SQDWAB7C6aqMGS23svWAllfOaxbuFvcT8D1i8z3Gyn8fraVeZNNmN6e9bxxXkKw==",
-            "license": "MIT"
+            "integrity": "sha512-AyFQ0EVmsOZOlAnxoFOGOq1SQDWAB7C6aqMGS23svWAllfOaxbuFvcT8D1i8z3Gyn8fraVeZNNmN6e9bxxXkKw=="
        },
        "node_modules/w3c-keyname": {
            "version": "2.2.8",
--- a/web/package.json
+++ b/web/package.json
@ -86,14 +86,14 @@
        "@codemirror/lang-css": "^6.3.1",
        "@codemirror/lang-html": "^6.4.9",
        "@codemirror/lang-javascript": "^6.2.4",
-        "@codemirror/lang-python": "^6.2.1",
+        "@codemirror/lang-python": "^6.1.6",
        "@codemirror/lang-xml": "^6.1.0",
        "@codemirror/legacy-modes": "^6.4.1",
        "@codemirror/theme-one-dark": "^6.1.2",
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.7.11",
-        "@fortawesome/fontawesome-free": "^6.7.2",
-        "@goauthentik/api": "^2025.6.1-1749515784",
+        "@fortawesome/fontawesome-free": "^6.6.0",
+        "@goauthentik/api": "^2025.6.0-1749054550",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -102,8 +102,8 @@
        "@open-wc/lit-helpers": "^0.7.0",
        "@patternfly/elements": "^4.1.0",
        "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.28.1",
-        "@spotlightjs/spotlight": "^3.0.0",
+        "@sentry/browser": "^9.24.0",
+        "@spotlightjs/spotlight": "^2.13.3",
        "@webcomponents/webcomponentsjs": "^2.8.0",
        "base64-js": "^1.5.1",
        "change-case": "^5.4.4",
@ -121,8 +121,7 @@
        "hastscript": "^9.0.1",
        "lit": "^3.2.0",
        "md-front-matter": "^1.0.4",
-        "mermaid": "^11.6.0",
-        "ninja-keys": "^1.2.2",
+        "mermaid": "^11.4.1",
        "rapidoc": "^9.3.8",
        "react": "^19.1.0",
        "react-dom": "^19.1.0",
@ -136,7 +135,7 @@
        "remark-mdx-frontmatter": "^5.0.0",
        "style-mod": "^4.1.2",
        "trusted-types": "^2.0.0",
-        "ts-pattern": "^5.7.1",
+        "ts-pattern": "^5.4.0",
        "unist-util-visit": "^5.0.0",
        "webcomponent-qr-code": "^1.2.0",
        "yaml": "^2.8.0"
@ -165,7 +164,7 @@
        "@types/dompurify": "^3.0.5",
        "@types/grecaptcha": "^3.0.9",
        "@types/guacamole-common-js": "^1.5.3",
-        "@types/mocha": "^10.0.10",
+        "@types/mocha": "^10.0.8",
        "@types/node": "^22.15.21",
        "@types/react": "^19.1.5",
        "@types/react-dom": "^19.1.5",
@ -195,7 +194,7 @@
        "storybook-addon-mock": "^5.0.0",
        "turnstile-types": "^1.2.3",
        "typescript": "^5.8.3",
-        "typescript-eslint": "^8.34.0",
+        "typescript-eslint": "^8.33.0",
        "vite-plugin-lit-css": "^2.0.0",
        "vite-tsconfig-paths": "^5.0.1",
        "wireit": "^0.14.12"
--- a/web/src/admin/AdminInterface/AdminCommands.ts
+++ b/web/src/admin/AdminInterface/AdminCommands.ts
@ -1,172 +0,0 @@
-import { navigate } from "@goauthentik/elements/router/RouterOutlet";
-import { INinjaAction } from "ninja-keys/dist/interfaces/ininja-action.js";
-
-import { msg } from "@lit/localize";
-
-export const adminCommands: INinjaAction[] = [
-    {
-        id: msg("Overview"),
-        title: msg("Dashboard"),
-        handler: () => navigate("/administration/overview"),
-        section: msg("Dashboards"),
-    },
-    {
-        handler: () => navigate("/administration/dashboard/users"),
-        id: msg("User Statistics"),
-        title: msg("User Statistics"),
-        icon: '<i class="pf-icon pf-icon-user"></i>',
-        section: msg("Dashboards"),
-    },
-    {
-        handler: () => navigate("/administration/system-tasks"),
-        id: msg("System Tasks"),
-        title: msg("System Tasks"),
-        section: msg("Dashboards"),
-    },
-    {
-        handler: () => navigate("/core/applications"),
-        id: msg("Applications"),
-        title: msg("Applications"),
-        section: msg("Applications"),
-    },
-    {
-        handler: () => navigate("/core/providers"),
-        id: msg("Providers"),
-        title: msg("Providers"),
-        section: msg("Applications"),
-    },
-    {
-        handler: () => navigate("/outpost/outposts"),
-        id: msg("Outposts"),
-        title: msg("Outposts"),
-        section: msg("Applications"),
-    },
-    {
-        handler: () => navigate("/events/log"),
-        id: msg("Logs"),
-        title: msg("Logs"),
-        section: msg("Events"),
-    },
-    {
-        handler: () => navigate("/events/rules"),
-        id: msg("Notification Rules"),
-        title: msg("Notification Rules"),
-        section: msg("Events"),
-    },
-    {
-        handler: () => navigate("/events/transports"),
-        id: msg("Notification Transports"),
-        title: msg("Notification Transports"),
-        section: msg("Events"),
-    },
-
-    {
-        handler: () => navigate("/policy/policies"),
-        id: msg("Policies"),
-        title: msg("Policies"),
-        section: msg("Customization"),
-    },
-    {
-        handler: () => navigate("/core/property-mappings"),
-        id: msg("Property Mappings"),
-        title: msg("Property Mappings"),
-        section: msg("Customization"),
-    },
-    {
-        handler: () => navigate("/blueprints/instances"),
-        id: msg("Blueprints"),
-        title: msg("Blueprints"),
-        section: msg("Customization"),
-    },
-    {
-        handler: () => navigate("/policy/reputation"),
-        id: msg("Reputation scores"),
-        title: msg("Reputation scores"),
-        section: msg("Customization"),
-    },
-    {
-        handler: () => navigate("/flow/flows"),
-        id: msg("Flows"),
-        title: msg("Flows"),
-        section: msg("Flows"),
-    },
-    {
-        handler: () => navigate("/flow/stages"),
-        id: msg("Stages"),
-        title: msg("Stages"),
-        section: msg("Flows"),
-    },
-    {
-        handler: () => navigate("/flow/stages/prompts"),
-        id: msg("Prompts"),
-        title: msg("Prompts"),
-        section: msg("Flows"),
-    },
-
-    {
-        handler: () => navigate("/identity/users"),
-        id: msg("Users"),
-        title: msg("Users"),
-        section: msg("Directory"),
-    },
-    {
-        handler: () => navigate("/identity/groups"),
-        id: msg("Groups"),
-        title: msg("Groups"),
-        section: msg("Directory"),
-    },
-    {
-        handler: () => navigate("/identity/roles"),
-        id: msg("Roles"),
-        title: msg("Roles"),
-        section: msg("Directory"),
-    },
-    {
-        handler: () => navigate("/core/sources"),
-        id: msg("Federation and Social login"),
-        title: msg("Federation and Social login"),
-        section: msg("Directory"),
-    },
-    {
-        handler: () => navigate("/core/tokens"),
-        id: msg("Tokens and App passwords"),
-        title: msg("Tokens and App passwords"),
-        section: msg("Directory"),
-    },
-    {
-        handler: () => navigate("/flow/stages/invitations"),
-        id: msg("Invitations"),
-        title: msg("Invitations"),
-        section: msg("Directory"),
-    },
-
-    {
-        handler: () => navigate("/core/brands"),
-        id: msg("Brands"),
-        title: msg("Brands"),
-        section: msg("System"),
-    },
-    {
-        handler: () => navigate("/crypto/certificates"),
-        id: msg("Certificates"),
-        title: msg("Certificates"),
-        section: msg("System"),
-    },
-    {
-        handler: () => navigate("/outpost/integrations"),
-        id: msg("Outpost Integrations"),
-        title: msg("Outpost Integrations"),
-        section: msg("System"),
-    },
-    {
-        handler: () => navigate("/admin/settings"),
-        id: msg("Settings"),
-        title: msg("Settings"),
-        section: msg("System"),
-    },
-    {
-        handler: () => window.location.assign("/if/user/"),
-        id: msg("User interface"),
-        title: msg("Go to my User page"),
-    },
-];
--- a/web/src/admin/AdminInterface/index.entrypoint.ts
+++ b/web/src/admin/AdminInterface/index.entrypoint.ts
@ -1,6 +1,5 @@
 import "#admin/AdminInterface/AboutModal";
 import type { AboutModal } from "#admin/AdminInterface/AboutModal";
-import { adminCommands } from "#admin/AdminInterface/AdminCommands";
 import { ROUTES } from "#admin/Routes";
 import { EVENT_API_DRAWER_TOGGLE, EVENT_NOTIFICATION_DRAWER_TOGGLE } from "#common/constants";
 import { configureSentry } from "#common/sentry/index";
@ -22,7 +21,6 @@ import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
 import "#elements/router/RouterOutlet";
 import "#elements/sidebar/Sidebar";
 import "#elements/sidebar/SidebarItem";
-import "ninja-keys";

 import { CSSResult, TemplateResult, css, html, nothing } from "lit";
 import { customElement, eventOptions, property, query } from "lit/decorators.js";
@ -121,10 +119,6 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
            .pf-c-drawer__panel {
                z-index: var(--pf-global--ZIndex--xl);
            }
-            ninja-keys {
-                --ninja-z-index: 99999;
-                --ninja-accent-color: var(--ak-accent);
-            }
        `,
    ];

@ -196,11 +190,6 @@ export class AdminInterface extends WithCapabilitiesConfig(AuthenticatedInterfac
        };

        return html` <ak-locale-context>
-            <ninja-keys
-                .data=${adminCommands}
-                noAutoLoadMdicons
-                class="${this.activeTheme === UiThemeEnum.Dark ? "dark" : ""}"
-            ></ninja-keys>
            <div class="pf-c-page">
                <ak-page-navbar ?open=${this.sidebarOpen} @sidebar-toggle=${this.sidebarListener}>
                    <ak-version-banner></ak-version-banner>
--- a/web/src/admin/admin-overview/DashboardUserPage.ts
+++ b/web/src/admin/admin-overview/DashboardUserPage.ts
@ -13,7 +13,7 @@ import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";

-import { EventActions, EventsEventsVolumeListRequest } from "@goauthentik/api";
+import { EventActions } from "@goauthentik/api";

@customElement("ak-admin-dashboard-users")
 export class DashboardUserPage extends AKElement {
@ -46,9 +46,9 @@ export class DashboardUserPage extends AKElement {
                        <ak-aggregate-card header=${msg("Users created per day in the last month")}>
                            <ak-charts-admin-model-per-day
                                .query=${{
-                                    contextModelApp: "authentik_core",
-                                    contextModelName: "user",
-                                } as EventsEventsVolumeListRequest}
+                                    context__model__app: "authentik_core",
+                                    context__model__model_name: "user",
+                                }}
                                label=${msg("Users created")}
                            >
                            </ak-charts-admin-model-per-day>
--- a/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts
+++ b/web/src/admin/admin-overview/charts/AdminLoginAuthorizeChart.ts
@ -1,51 +1,68 @@
-import { EventChart } from "#elements/charts/EventChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ChartData, ChartDataset } from "chart.js";
+import { AKChart, RGBAColor } from "@goauthentik/elements/charts/Chart";
+import { ChartData } from "chart.js";

 import { msg } from "@lit/localize";
 import { customElement } from "lit/decorators.js";

-import { EventActions, EventVolume, EventsApi } from "@goauthentik/api";
+import { AdminApi, LoginMetrics } from "@goauthentik/api";

@customElement("ak-charts-admin-login-authorization")
-export class AdminLoginAuthorizeChart extends EventChart {
-    async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
-            actions: [
-                EventActions.AuthorizeApplication,
-                EventActions.Login,
-                EventActions.LoginFailed,
-            ],
-        });
+export class AdminLoginAuthorizeChart extends AKChart<LoginMetrics> {
+    async apiRequest(): Promise<LoginMetrics> {
+        return new AdminApi(DEFAULT_CONFIG).adminMetricsRetrieve();
    }

-    getChartData(data: EventVolume[]): ChartData {
-        const optsMap = new Map<EventActions, Partial<ChartDataset>>();
-        optsMap.set(EventActions.AuthorizeApplication, {
-            label: msg("Authorizations"),
-            spanGaps: true,
-            fill: "origin",
-            cubicInterpolationMode: "monotone",
-            tension: 0.4,
-        });
-        optsMap.set(EventActions.Login, {
-            label: msg("Successful Logins"),
-            spanGaps: true,
-            fill: "origin",
-            cubicInterpolationMode: "monotone",
-            tension: 0.4,
-        });
-        optsMap.set(EventActions.LoginFailed, {
-            label: msg("Failed Logins"),
-            spanGaps: true,
-            fill: "origin",
-            cubicInterpolationMode: "monotone",
-            tension: 0.4,
-        });
-        return this.eventVolume(data, {
-            optsMap: optsMap,
-            padToDays: 7,
-        });
+    getChartData(data: LoginMetrics): ChartData {
+        return {
+            datasets: [
+                {
+                    label: msg("Authorizations"),
+                    backgroundColor: new RGBAColor(43, 154, 243, 0.5).toString(),
+                    borderColor: new RGBAColor(43, 154, 243, 1).toString(),
+                    spanGaps: true,
+                    fill: "origin",
+                    cubicInterpolationMode: "monotone",
+                    tension: 0.4,
+                    data: data.authorizations.map((cord) => {
+                        return {
+                            x: cord.xCord,
+                            y: cord.yCord,
+                        };
+                    }),
+                },
+                {
+                    label: msg("Failed Logins"),
+                    backgroundColor: new RGBAColor(201, 24, 11, 0.5).toString(),
+                    borderColor: new RGBAColor(201, 24, 11, 1).toString(),
+                    spanGaps: true,
+                    fill: "origin",
+                    cubicInterpolationMode: "monotone",
+                    tension: 0.4,
+                    data: data.loginsFailed.map((cord) => {
+                        return {
+                            x: cord.xCord,
+                            y: cord.yCord,
+                        };
+                    }),
+                },
+                {
+                    label: msg("Successful Logins"),
+                    backgroundColor: new RGBAColor(62, 134, 53, 0.5).toString(),
+                    borderColor: new RGBAColor(62, 134, 53, 1).toString(),
+                    spanGaps: true,
+                    fill: "origin",
+                    cubicInterpolationMode: "monotone",
+                    tension: 0.4,
+                    data: data.logins.map((cord) => {
+                        return {
+                            x: cord.xCord,
+                            y: cord.yCord,
+                        };
+                    }),
+                },
+            ],
+        };
    }
 }

--- a/web/src/admin/admin-overview/charts/AdminModelPerDay.ts
+++ b/web/src/admin/admin-overview/charts/AdminModelPerDay.ts
@ -1,19 +1,14 @@
-import { EventChart } from "#elements/charts/EventChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ChartData } from "chart.js";
+import { AKChart } from "@goauthentik/elements/charts/Chart";
+import { ChartData, Tick } from "chart.js";

-import { msg } from "@lit/localize";
+import { msg, str } from "@lit/localize";
 import { customElement, property } from "lit/decorators.js";

-import {
-    EventActions,
-    EventVolume,
-    EventsApi,
-    EventsEventsVolumeListRequest,
-} from "@goauthentik/api";
+import { Coordinate, EventActions, EventsApi } from "@goauthentik/api";

@customElement("ak-charts-admin-model-per-day")
-export class AdminModelPerDay extends EventChart {
+export class AdminModelPerDay extends AKChart<Coordinate[]> {
    @property()
    action: EventActions = EventActions.ModelCreated;

@ -21,29 +16,39 @@ export class AdminModelPerDay extends EventChart {
    label?: string;

    @property({ attribute: false })
-    query?: EventsEventsVolumeListRequest;
+    query?: { [key: string]: unknown } | undefined;

-    async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
+    async apiRequest(): Promise<Coordinate[]> {
+        return new EventsApi(DEFAULT_CONFIG).eventsEventsPerMonthList({
            action: this.action,
-            historyDays: 30,
-            ...this.query,
+            query: JSON.stringify(this.query || {}),
        });
    }

-    getChartData(data: EventVolume[]): ChartData {
-        return this.eventVolume(data, {
-            optsMap: new Map([
-                [
-                    this.action,
-                    {
-                        label: this.label || msg("Objects created"),
-                        spanGaps: true,
-                    },
-                ],
-            ]),
-            padToDays: 30,
-        });
+    timeTickCallback(tickValue: string | number, index: number, ticks: Tick[]): string {
+        const valueStamp = ticks[index];
+        const delta = Date.now() - valueStamp.value;
+        const ago = Math.round(delta / 1000 / 3600 / 24);
+        return msg(str`${ago} days ago`);
+    }
+
+    getChartData(data: Coordinate[]): ChartData {
+        return {
+            datasets: [
+                {
+                    label: this.label || msg("Objects created"),
+                    backgroundColor: "rgba(189, 229, 184, .5)",
+                    spanGaps: true,
+                    data:
+                        data.map((cord) => {
+                            return {
+                                x: cord.xCord || 0,
+                                y: cord.yCord || 0,
+                            };
+                        }) || [],
+                },
+            ],
+        };
    }
 }

--- a/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
+++ b/web/src/admin/admin-overview/charts/OutpostStatusChart.ts
@ -1,4 +1,3 @@
-import { actionToColor } from "#elements/charts/EventChart";
 import { SummarizedSyncStatus } from "@goauthentik/admin/admin-overview/charts/SyncStatusChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { AKChart } from "@goauthentik/elements/charts/Chart";
@ -8,7 +7,7 @@ import { ChartData, ChartOptions } from "chart.js";
 import { msg } from "@lit/localize";
 import { customElement } from "lit/decorators.js";

-import { EventActions, OutpostsApi } from "@goauthentik/api";
+import { OutpostsApi } from "@goauthentik/api";

@customElement("ak-admin-status-chart-outpost")
 export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
@ -66,11 +65,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
            labels: [msg("Healthy outposts"), msg("Outdated outposts"), msg("Unhealthy outposts")],
            datasets: data.map((d) => {
                return {
-                    backgroundColor: [
-                        actionToColor(EventActions.Login),
-                        actionToColor(EventActions.SuspiciousRequest),
-                        actionToColor(EventActions.AuthorizeApplication),
-                    ],
+                    backgroundColor: ["#3e8635", "#C9190B", "#2b9af3"],
                    spanGaps: true,
                    data: [d.healthy, d.failed, d.unsynced],
                    label: d.label,
--- a/web/src/admin/admin-overview/charts/SyncStatusChart.ts
+++ b/web/src/admin/admin-overview/charts/SyncStatusChart.ts
@ -1,4 +1,3 @@
-import { actionToColor } from "#elements/charts/EventChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { AKChart } from "@goauthentik/elements/charts/Chart";
 import "@goauthentik/elements/forms/ConfirmationForm";
@ -8,13 +7,7 @@ import { ChartData, ChartOptions } from "chart.js";
 import { msg } from "@lit/localize";
 import { customElement } from "lit/decorators.js";

-import {
-    EventActions,
-    ProvidersApi,
-    SourcesApi,
-    SyncStatus,
-    SystemTaskStatusEnum,
-} from "@goauthentik/api";
+import { ProvidersApi, SourcesApi, SyncStatus, SystemTaskStatusEnum } from "@goauthentik/api";

 export interface SummarizedSyncStatus {
    healthy: number;
@ -143,11 +136,7 @@ export class SyncStatusChart extends AKChart<SummarizedSyncStatus[]> {
            labels: [msg("Healthy"), msg("Failed"), msg("Unsynced / N/A")],
            datasets: data.map((d) => {
                return {
-                    backgroundColor: [
-                        actionToColor(EventActions.Login),
-                        actionToColor(EventActions.SuspiciousRequest),
-                        actionToColor(EventActions.AuthorizeApplication),
-                    ],
+                    backgroundColor: ["#3e8635", "#C9190B", "#2b9af3"],
                    spanGaps: true,
                    data: [d.healthy, d.failed, d.unsynced],
                    label: d.label,
--- a/web/src/admin/applications/ApplicationAuthorizeChart.ts
+++ b/web/src/admin/applications/ApplicationAuthorizeChart.ts
@ -1,37 +1,47 @@
-import { EventChart } from "#elements/charts/EventChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ChartData } from "chart.js";
+import { AKChart } from "@goauthentik/elements/charts/Chart";
+import { ChartData, Tick } from "chart.js";

-import { msg } from "@lit/localize";
+import { msg, str } from "@lit/localize";
 import { customElement, property } from "lit/decorators.js";

-import { EventActions, EventVolume, EventsApi } from "@goauthentik/api";
+import { Coordinate, CoreApi } from "@goauthentik/api";

@customElement("ak-charts-application-authorize")
-export class ApplicationAuthorizeChart extends EventChart {
-    @property({ attribute: "application-id" })
-    applicationId!: string;
+export class ApplicationAuthorizeChart extends AKChart<Coordinate[]> {
+    @property()
+    applicationSlug!: string;

-    async apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
-            action: EventActions.AuthorizeApplication,
-            contextAuthorizedApp: this.applicationId.replaceAll("-", ""),
+    async apiRequest(): Promise<Coordinate[]> {
+        return new CoreApi(DEFAULT_CONFIG).coreApplicationsMetricsList({
+            slug: this.applicationSlug,
        });
    }

-    getChartData(data: EventVolume[]): ChartData {
-        return this.eventVolume(data, {
-            optsMap: new Map([
-                [
-                    EventActions.AuthorizeApplication,
-                    {
-                        label: msg("Authorizations"),
-                        spanGaps: true,
-                    },
-                ],
-            ]),
-            padToDays: 7,
-        });
+    timeTickCallback(tickValue: string | number, index: number, ticks: Tick[]): string {
+        const valueStamp = ticks[index];
+        const delta = Date.now() - valueStamp.value;
+        const ago = Math.round(delta / 1000 / 3600 / 24);
+        return msg(str`${ago} days ago`);
+    }
+
+    getChartData(data: Coordinate[]): ChartData {
+        return {
+            datasets: [
+                {
+                    label: msg("Authorizations"),
+                    backgroundColor: "rgba(189, 229, 184, .5)",
+                    spanGaps: true,
+                    data:
+                        data.map((cord) => {
+                            return {
+                                x: cord.xCord || 0,
+                                y: cord.yCord || 0,
+                            };
+                        }) || [],
+                },
+            ],
+        };
    }
 }

--- a/web/src/admin/applications/ApplicationForm.ts
+++ b/web/src/admin/applications/ApplicationForm.ts
@ -1,7 +1,6 @@
 import { CapabilitiesEnum, WithCapabilitiesConfig } from "#elements/mixins/capabilities";
 import "@goauthentik/admin/applications/ProviderSelectModal";
 import { iconHelperText } from "@goauthentik/admin/helperText";
-import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-file-input";
 import "@goauthentik/components/ak-radio-input";
@ -25,6 +24,7 @@ import { ifDefined } from "lit/directives/if-defined.js";

 import { Application, CoreApi, Provider } from "@goauthentik/api";

+import { policyOptions } from "./PolicyOptions.js";
 import "./components/ak-backchannel-input";
 import "./components/ak-provider-search-input";

@ -173,7 +173,7 @@ export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Applicatio
                label=${msg("Policy engine mode")}
                required
                name="policyEngineMode"
-                .options=${policyEngineModes}
+                .options=${policyOptions}
                .value=${this.instance?.policyEngineMode}
            ></ak-radio-input>
            <ak-form-group>
--- a/web/src/admin/applications/ApplicationViewPage.ts
+++ b/web/src/admin/applications/ApplicationViewPage.ts
@ -282,7 +282,7 @@ export class ApplicationViewPage extends AKElement {
                        <div class="pf-c-card__body">
                            ${this.application &&
                            html` <ak-charts-application-authorize
-                                application-id=${this.application.pk}
+                                applicationSlug=${this.application.slug}
                            >
                            </ak-charts-application-authorize>`}
                        </div>
@ -331,10 +331,7 @@ export class ApplicationViewPage extends AKElement {
                    <div class="pf-c-card__title">
                        ${msg("These policies control which users can access this application.")}
                    </div>
-                    <ak-bound-policies-list
-                        .target=${this.application.pk}
-                        .policyEngineMode=${this.application.policyEngineMode}
-                    >
+                    <ak-bound-policies-list .target=${this.application.pk}>
                    </ak-bound-policies-list>
                </div>
            </section>
--- a/web/src/admin/applications/PolicyOptions.ts
+++ b/web/src/admin/applications/PolicyOptions.ts
@ -3,7 +3,7 @@ import { html } from "lit";

 import { PolicyEngineMode } from "@goauthentik/api";

-export const policyEngineModes = [
+export const policyOptions = [
    {
        label: "any",
        value: PolicyEngineMode.Any,
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts
@ -1,6 +1,6 @@
+import { policyOptions } from "@goauthentik/admin/applications/PolicyOptions.js";
 import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
 import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
-import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import { camelToSnake } from "@goauthentik/common/utils.js";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-slug-input";
@ -144,7 +144,7 @@ export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
                    label=${msg("Policy engine mode")}
                    required
                    name="policyEngineMode"
-                    .options=${policyEngineModes}
+                    .options=${policyOptions}
                    .value=${app.policyEngineMode}
                    .errorMessages=${errors.policyEngineMode ?? []}
                ></ak-radio-input>
--- a/web/src/admin/crypto/CertificateKeyPairForm.ts
+++ b/web/src/admin/crypto/CertificateKeyPairForm.ts
@ -1,5 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -46,7 +46,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                    required
                />
            </ak-form-element-horizontal>
-            <ak-secret-textarea-input
+            <ak-private-textarea-input
                label=${msg("Certificate")}
                name="certificateData"
                input-hint="code"
@ -54,8 +54,8 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                required
                ?revealed=${this.instance === undefined}
                help=${msg("PEM-encoded Certificate data.")}
-            ></ak-secret-textarea-input>
-            <ak-secret-textarea-input
+            ></ak-private-textarea-input>
+            <ak-private-textarea-input
                label=${msg("Private Key")}
                name="keyData"
                input-hint="code"
@ -63,7 +63,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                help=${msg(
                    "Optional Private Key. If this is set, you can use this keypair for encryption.",
                )}
-            ></ak-secret-textarea-input>`;
+            ></ak-private-textarea-input>`;
    }
 }

--- a/web/src/admin/crypto/CertificateKeyPairListPage.ts
+++ b/web/src/admin/crypto/CertificateKeyPairListPage.ts
@ -214,14 +214,14 @@ export class CertificateKeyPairListPage extends TablePage<CertificateKeyPair> {
    renderObjectCreate(): TemplateResult {
        return html`
            <ak-forms-modal>
-                <span slot="submit"> ${msg("Import")} </span>
-                <span slot="header"> ${msg("Import Existing Certificate-Key Pair")} </span>
+                <span slot="submit"> ${msg("Create")} </span>
+                <span slot="header"> ${msg("Create Certificate-Key Pair")} </span>
                <ak-crypto-certificate-form slot="form"> </ak-crypto-certificate-form>
-                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Import")}</button>
+                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Create")}</button>
            </ak-forms-modal>
            <ak-forms-modal>
                <span slot="submit"> ${msg("Generate")} </span>
-                <span slot="header"> ${msg("Generate New Certificate-Key Pair")} </span>
+                <span slot="header"> ${msg("Generate Certificate-Key Pair")} </span>
                <ak-crypto-certificate-generate-form slot="form">
                </ak-crypto-certificate-generate-form>
                <button slot="trigger" class="pf-c-button pf-m-secondary">
--- a/web/src/admin/enterprise/EnterpriseLicenseForm.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseForm.ts
@ -1,6 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH_ENTERPRISE } from "@goauthentik/common/constants";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -62,13 +62,13 @@ export class EnterpriseLicenseForm extends ModelForm<License, string> {
                    value="${ifDefined(this.installID)}"
                />
            </ak-form-element-horizontal>
-            <ak-secret-textarea-input
+            <ak-private-textarea-input
                name="key"
                ?revealed=${this.instance === undefined}
                label=${msg("License key")}
                input-hint="code"
            >
-            </ak-secret-textarea-input>`;
+            </ak-private-textarea-input>`;
    }
 }

--- a/web/src/admin/events/EventVolumeChart.ts
+++ b/web/src/admin/events/EventVolumeChart.ts
@ -1,21 +1,21 @@
-import { EventChart } from "#elements/charts/EventChart";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { AKChart } from "@goauthentik/elements/charts/Chart";
 import { ChartData } from "chart.js";

+import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";

 import PFCard from "@patternfly/patternfly/components/Card/card.css";

-import { EventVolume, EventsApi, EventsEventsListRequest } from "@goauthentik/api";
+import { Coordinate, EventsApi, EventsEventsListRequest } from "@goauthentik/api";

@customElement("ak-events-volume-chart")
-export class EventVolumeChart extends EventChart {
+export class EventVolumeChart extends AKChart<Coordinate[]> {
    _query?: EventsEventsListRequest;

    @property({ attribute: false })
    set query(value: EventsEventsListRequest | undefined) {
-        if (JSON.stringify(this._query) === JSON.stringify(value)) return;
        this._query = value;
        this.refreshHandler();
    }
@ -24,28 +24,39 @@ export class EventVolumeChart extends EventChart {
        return super.styles.concat(
            PFCard,
            css`
-                .pf-c-card {
-                    height: 20rem;
+                .pf-c-card__body {
+                    height: 12rem;
                }
            `,
        );
    }

-    apiRequest(): Promise<EventVolume[]> {
-        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList({
-            historyDays: 7,
-            ...this._query,
-        });
+    apiRequest(): Promise<Coordinate[]> {
+        return new EventsApi(DEFAULT_CONFIG).eventsEventsVolumeList(this._query);
    }

-    getChartData(data: EventVolume[]): ChartData {
-        return this.eventVolume(data, {
-            padToDays: 7,
-        });
+    getChartData(data: Coordinate[]): ChartData {
+        return {
+            datasets: [
+                {
+                    label: msg("Events"),
+                    backgroundColor: "rgba(189, 229, 184, .5)",
+                    spanGaps: true,
+                    data:
+                        data.map((cord) => {
+                            return {
+                                x: cord.xCord || 0,
+                                y: cord.yCord || 0,
+                            };
+                        }) || [],
+                },
+            ],
+        };
    }

    render(): TemplateResult {
        return html`<div class="pf-c-card">
+            <div class="pf-c-card__title">${msg("Event volume")}</div>
            <div class="pf-c-card__body">${super.render()}</div>
        </div>`;
    }
--- a/web/src/admin/flows/BoundStagesList.ts
+++ b/web/src/admin/flows/BoundStagesList.ts
@ -123,10 +123,7 @@ export class BoundStagesList extends Table<FlowStageBinding> {
                                "These bindings control if this stage will be applied to the flow.",
                            )}
                        </p>
-                        <ak-bound-policies-list
-                            .target=${item.policybindingmodelPtrId}
-                            .policyEngineMode=${item.policyEngineMode}
-                        >
+                        <ak-bound-policies-list .target=${item.policybindingmodelPtrId}>
                        </ak-bound-policies-list>
                    </div>
                </div>
--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@ -1,6 +1,5 @@
 import { CapabilitiesEnum, WithCapabilitiesConfig } from "#elements/mixins/capabilities";
 import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
-import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/FormGroup";
@ -19,6 +18,7 @@ import {
    FlowDesignationEnum,
    FlowLayoutEnum,
    FlowsApi,
+    PolicyEngineMode,
 } from "@goauthentik/api";

@customElement("ak-flow-form")
@ -279,7 +279,23 @@ export class FlowForm extends WithCapabilitiesConfig(ModelForm<Flow, string>) {
                        name="policyEngineMode"
                    >
                        <ak-radio
-                            .options=${policyEngineModes}
+                            .options=${[
+                                {
+                                    label: "any",
+                                    value: PolicyEngineMode.Any,
+                                    default: true,
+                                    description: html`${msg(
+                                        "Any policy must match to grant access",
+                                    )}`,
+                                },
+                                {
+                                    label: "all",
+                                    value: PolicyEngineMode.All,
+                                    description: html`${msg(
+                                        "All policies must match to grant access",
+                                    )}`,
+                                },
+                            ]}
                            .value=${this.instance?.policyEngineMode}
                        >
                        </ak-radio>
--- a/web/src/admin/flows/FlowViewPage.ts
+++ b/web/src/admin/flows/FlowViewPage.ts
@ -270,10 +270,7 @@ export class FlowViewPage extends AKElement {
                            ${msg("These bindings control which users can access this flow.")}
                        </div>
                        <div class="pf-c-card__body">
-                            <ak-bound-policies-list
-                                .target=${this.flow.policybindingmodelPtrId}
-                                .policyEngineMode=${this.flow.policyEngineMode}
-                            >
+                            <ak-bound-policies-list .target=${this.flow.policybindingmodelPtrId}>
                            </ak-bound-policies-list>
                        </div>
                    </div>
--- a/web/src/admin/policies/BoundPoliciesList.ts
+++ b/web/src/admin/policies/BoundPoliciesList.ts
@ -1,7 +1,6 @@
 import "@goauthentik/admin/groups/GroupForm";
 import "@goauthentik/admin/policies/PolicyBindingForm";
 import { PolicyBindingNotice } from "@goauthentik/admin/policies/PolicyBindingForm";
-import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import "@goauthentik/admin/policies/PolicyWizard";
 import {
    PolicyBindingCheckTarget,
@ -35,9 +34,6 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
    @property()
    target?: string;

-    @property()
-    policyEngineMode: string = "";
-
    @property({ type: Array })
    allowedTypes: PolicyBindingCheckTarget[] = [
        PolicyBindingCheckTarget.policy,
@ -248,23 +244,6 @@ export class BoundPoliciesList extends Table<PolicyBinding> {
                </button>
            </ak-forms-modal> `;
    }
-
-    renderPolicyEngineMode() {
-        const policyEngineMode = policyEngineModes.find(
-            (pem) => pem.value === this.policyEngineMode,
-        );
-        if (policyEngineMode === undefined) {
-            return nothing;
-        }
-        return html`<p>
-            ${msg(str`The currently selected policy engine mode is ${policyEngineMode.label}:`)}
-            ${policyEngineMode.description}
-        </p>`;
-    }
-
-    renderToolbarContainer(): TemplateResult {
-        return html`${this.renderPolicyEngineMode()} ${super.renderToolbarContainer()}`;
-    }
 }

 declare global {
--- a/web/src/admin/sources/kerberos/KerberosSourceForm.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
@ -7,8 +7,8 @@ import {
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -248,22 +248,22 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                        value=${ifDefined(this.instance?.syncPrincipal)}
                        help=${msg("Principal used to authenticate to the KDC for syncing.")}
                    ></ak-text-input>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        name="syncPassword"
                        label=${msg("Sync password")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.",
                        )}
-                    ></ak-secret-text-input>
-                    <ak-secret-textarea-input
+                    ></ak-private-text-input>
+                    <ak-private-textarea-input
                        name="syncKeytab"
                        label=${msg("Sync keytab")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                        )}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-text-input
                        name="syncCcache"
                        label=${msg("Sync credentials cache")}
@ -285,14 +285,14 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                            "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain",
                        )}
                    ></ak-text-input>
-                    <ak-secret-textarea-input
+                    <ak-private-textarea-input
                        name="spnegoKeytab"
                        label=${msg("SPNEGO keytab")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                        )}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-text-input
                        name="spnegoCcache"
                        label=${msg("SPNEGO credentials cache")}
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@ -2,7 +2,7 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import { placeholderHelperText } from "@goauthentik/admin/helperText";
 import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -260,11 +260,11 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                            class="pf-c-form-control"
                        />
                    </ak-form-element-horizontal>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        label=${msg("Bind Password")}
                        name="bindPassword"
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
                    <ak-form-element-horizontal label=${msg("Base DN")} required name="baseDn">
                        <input
                            type="text"
--- a/web/src/admin/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceForm.ts
@ -1,15 +1,14 @@
 import { CapabilitiesEnum, WithCapabilitiesConfig } from "#elements/mixins/capabilities";
 import "@goauthentik/admin/common/ak-flow-search/ak-source-flow-search";
 import { iconHelperText, placeholderHelperText } from "@goauthentik/admin/helperText";
-import { policyEngineModes } from "@goauthentik/admin/policies/PolicyEngineModes";
 import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
 import {
    GroupMatchingModeToLabel,
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-secret-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -441,14 +440,14 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                        />
                        <p class="pf-c-form__helper-text">${msg("Also known as Client ID.")}</p>
                    </ak-form-element-horizontal>
-                    <ak-secret-textarea-input
+                    <ak-private-textarea-input
                        label=${msg("Consumer secret")}
                        name="consumerSecret"
                        input-hint="code"
                        help=${msg("Also known as Client Secret.")}
                        required
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-form-element-horizontal label=${msg("Scopes")} name="additionalScopes">
                        <input
                            type="text"
@ -535,22 +534,6 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                        </p>
                    </ak-form-element-horizontal>
                </div>
-            </ak-form-group>
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Policy engine mode")}
-                        required
-                        name="policyEngineMode"
-                    >
-                        <ak-radio
-                            .options=${policyEngineModes}
-                            .value=${this.instance?.policyEngineMode}
-                        >
-                        </ak-radio>
-                    </ak-form-element-horizontal>
-                </div>
            </ak-form-group>`;
    }
 }
--- a/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceViewPage.ts
@ -244,7 +244,6 @@ export class OAuthSourceViewPage extends AKElement {
                            <ak-bound-policies-list
                                .target=${this.source.pk}
                                .typeNotices=${sourceBindingTypeNotices()}
-                                .policyEngineMode=${this.source.policyEngineMode}
                            >
                            </ak-bound-policies-list>
                        </div>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	7e376106c1	Merge branch 'main' into stages/prompt/dry-run Signed-off-by: Jens Langhammer <jens@goauthentik.io> # Conflicts: # authentik/stages/prompt/stage.py # schema.yml	2025-06-07 09:34:53 +02:00
Jens Langhammer	4a6efc338e	stages/prompt: add dry-run Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2023-06-14 11:07:16 +02:00