tweak

still trying to remove generated links
added info API Ref docs
2024-09-13 12:55:20 -05:00 · 2024-09-13 12:38:49 -05:00 · 2024-09-13 12:17:54 -05:00 · 2024-09-13 13:49:42 +02:00 · 2024-09-13 13:30:43 +02:00 · 2024-09-13 13:30:32 +02:00
1105 changed files with 480225 additions and 2945 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.0
+current_version = 2024.8.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -40,7 +40,7 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -120,6 +120,12 @@ jobs:
        with:
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: unit
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
@ -138,6 +144,12 @@ jobs:
        with:
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: integration
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
  test-e2e:
    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
@ -190,6 +202,12 @@ jobs:
        with:
          flags: e2e
          token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: e2e
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
  ci-core-mark:
    needs:
      - lint
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@ -24,7 +24,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -42,7 +42,7 @@ jobs:
        with:
          githubToken: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -32,7 +32,7 @@ jobs:
          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
--- a/4
+++ b/4
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    pip install --force-reinstall /wheels/*"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
--- a/2
+++ b/2
@ -205,7 +205,7 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build

-web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it

 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.8.0"
+__version__ = "2024.8.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,10 +1,8 @@
 """authentik admin tasks"""

-import re
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
+from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@ -21,8 +19,6 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)


@ -78,10 +74,16 @@ def update_latest_version(self: SystemTask):
                context__new_version=upstream_version,
            ).exists():
                return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(
+                EventAction.UPDATE_AVAILABLE,
+                message=_(
+                    "New version {version} available!".format(
+                        version=upstream_version,
+                    )
+                ),
+                new_version=upstream_version,
+                changelog=data.get("stable", {}).get("changelog_url"),
+            ).save()
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
        self.set_error(exc)
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -17,6 +17,7 @@ RESPONSE_VALID = {
    "stable": {
        "version": "99999999.9999999",
        "changelog": "See https://goauthentik.io/test",
+        "changelog_url": "https://goauthentik.io/test",
        "reason": "bugfix",
    },
 }
@ -35,7 +36,7 @@ class TestAdminTasks(TestCase):
                Event.objects.filter(
                    action=EventAction.UPDATE_AVAILABLE,
                    context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    context__message="New version 99999999.9999999 available!",
                ).exists()
            )
            # test that a consecutive check doesn't create a duplicate event
@ -45,7 +46,7 @@ class TestAdminTasks(TestCase):
                    Event.objects.filter(
                        action=EventAction.UPDATE_AVAILABLE,
                        context__new_version="99999999.9999999",
-                        context__message="Changelog: https://goauthentik.io/test",
+                        context__message="New version 99999999.9999999 available!",
                    )
                ),
                1,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -25,31 +25,3 @@ class BrandMiddleware:
            if locale != "":
                activate(locale)
        return self.get_response(request)
-
-
-class BrandCORSAPIMiddleware:
-    """CORS for API requests depending on Brand"""
-
-    get_response: Callable[[HttpRequest], HttpResponse]
-
-    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
-        self.get_response = get_response
-
-    def set_headers(self, request: HttpRequest, response: HttpResponse):
-        response["Access-Control-Allow-Origin"] = "http://localhost:8080"
-        response["Access-Control-Allow-Credentials"] = "true"
-
-    def __call__(self, request: HttpRequest) -> HttpResponse:
-        if request.method == "OPTIONS":
-            response = HttpResponse(
-                status=200,
-            )
-            self.set_headers(request, response)
-            response["Access-Control-Allow-Headers"] = (
-                "authorization,sentry-trace,x-authentik-csrf,content-type"
-            )
-            response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
-            return response
-        response = self.get_response(request)
-        self.set_headers(request, response)
-        return response
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -30,8 +30,10 @@ from authentik.core.api.utils import (
    PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required

@ -162,12 +164,15 @@ class PropertyMappingViewSet(

        response_data = {"successful": True, "result": ""}
        try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(dry_run=True, **context)
            response_data["result"] = dumps(
                sanitize_item(result), indent=(4 if format_result else None)
            )
+        except PropertyMappingExpressionException as exc:
+            response_data["result"] = exception_to_string(exc.exc)
+            response_data["successful"] = False
        except Exception as exc:
-            response_data["result"] = str(exc)
+            response_data["result"] = exception_to_string(exc)
            response_data["successful"] = False
        response = PropertyMappingTestResultSerializer(response_data)
        return Response(response.data)
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -678,10 +678,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if not request.tenant.impersonation:
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
-        if not request.user.has_perm("impersonate"):
+        user_to_be = self.get_object()
+        if not request.user.has_perm("impersonate", user_to_be):
            LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
            return Response(status=401)
-        user_to_be = self.get_object()
        if user_to_be.pk == self.request.user.pk:
            LOGGER.debug("User attempted to impersonate themselves", user=request.user)
            return Response(status=401)
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -466,8 +466,6 @@ class ApplicationQuerySet(QuerySet):
    def with_provider(self) -> "QuerySet[Application]":
        qs = self.select_related("provider")
        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
            qs = qs.select_related(f"provider__{subclass}")
        return qs

@ -545,15 +543,24 @@ class Application(SerializerModel, PolicyBindingModel):
        if not self.provider:
            return None

-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
                continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
+            return None
+        return candidates[-1]

    def __str__(self):
        return str(self.name)
@ -901,7 +908,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
        except ControlFlowException as exc:
            raise exc
        except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc, self) from exc

    def __str__(self):
        return f"Property Mapping {self.name}"
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -13,7 +13,6 @@
        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
        {% block head_before %}
        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
        {% versioned_script "dist/poly-%v.js" %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -9,9 +9,12 @@ from rest_framework.test import APITestCase

 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.saml.models import SAMLProvider


 class TestApplicationsAPI(APITestCase):
@ -222,3 +225,31 @@ class TestApplicationsAPI(APITestCase):
                ],
            },
        )
+
+    def test_get_provider(self):
+        """Ensure that proxy providers (at the time of writing that is the only provider
+        that inherits from another proxy type (OAuth) instead of inheriting from the root
+        provider class) is correctly looked up and selected from the database"""
+        slug = generate_id()
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
+
+        slug = generate_id()
+        provider = SAMLProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -3,10 +3,10 @@
 from json import loads

 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase

-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.tenants.utils import get_current_tenant


@ -15,7 +15,7 @@ class TestImpersonation(APITestCase):

    def setUp(self) -> None:
        super().setUp()
-        self.other_user = User.objects.create(username="to-impersonate")
+        self.other_user = create_test_user()
        self.user = create_test_admin_user()

    def test_impersonate_simple(self):
@ -44,6 +44,26 @@ class TestImpersonation(APITestCase):
        self.assertEqual(response_body["user"]["username"], self.user.username)
        self.assertNotIn("original", response_body)

+    def test_impersonate_scoped(self):
+        """Test impersonation with scoped permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user, self.other_user)
+        assign_perm("authentik_core.view_user", new_user, self.other_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
    def test_impersonate_denied(self):
        """test impersonation without permissions"""
        self.client.force_login(self.other_user)
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier

@ -29,7 +29,7 @@ class EnterpriseRequiredMixin:

    def validate(self, attrs: dict) -> dict:
        """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().status.is_valid:
            raise ValidationError(_("Enterprise is required to create/update this object."))
        return super().validate(attrs)

--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -121,6 +121,9 @@ class LicenseKey:
                ),
            )
        except PyJWTError:
+            unverified = decode(jwt, options={"verify_signature": False})
+            if unverified["aud"] != get_license_aud():
+                raise ValidationError("Invalid Install ID in license") from None
            raise ValidationError("Unable to verify license") from None
        return body

--- a/authentik/enterprise/signals.py
+++ b/authentik/enterprise/signals.py
@ -3,7 +3,7 @@
 from datetime import datetime

 from django.core.cache import cache
-from django.db.models.signals import post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone

@ -27,3 +27,9 @@ def post_save_license(sender: type[License], instance: License, **_):
    """Trigger license usage calculation when license is saved"""
    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
    enterprise_update_usage.delay()
+
+
+@receiver(post_delete, sender=License)
+def post_delete_license(sender: type[License], instance: License, **_):
+    """Clear license cache when license is deleted"""
+    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
--- a/authentik/events/api/notifications.py
+++ b/authentik/events/api/notifications.py
@ -69,8 +69,5 @@ class NotificationViewSet(
    @action(detail=False, methods=["post"])
    def mark_all_seen(self, request: Request) -> Response:
        """Mark all the user's notifications as seen"""
-        notifications = Notification.objects.filter(user=request.user)
-        for notification in notifications:
-            notification.seen = True
-        Notification.objects.bulk_update(notifications, ["seen"])
+        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
        return Response({}, status=204)
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -13,7 +13,7 @@ from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
 from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
-from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.planner import PLAN_CONTEXT_OUTPOST, PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.root.monitoring import monitoring_set
 from authentik.stages.invitation.models import Invitation
@ -38,6 +38,9 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
            # Save the login method used
            kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
            kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
+        if PLAN_CONTEXT_OUTPOST in flow_plan.context:
+            # Save outpost context
+            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
    request.session[SESSION_LOGIN_EVENT] = event

--- a/authentik/events/tests/test_notifications.py
+++ b/authentik/events/tests/test_notifications.py
@ -2,7 +2,8 @@

 from unittest.mock import MagicMock, patch

-from django.test import TestCase
+from django.urls import reverse
+from rest_framework.test import APITestCase

 from authentik.core.models import Group, User
 from authentik.events.models import (
@ -10,6 +11,7 @@ from authentik.events.models import (
    EventAction,
    Notification,
    NotificationRule,
+    NotificationSeverity,
    NotificationTransport,
    NotificationWebhookMapping,
    TransportMode,
@ -20,7 +22,7 @@ from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding


-class TestEventsNotifications(TestCase):
+class TestEventsNotifications(APITestCase):
    """Test Event Notifications"""

    def setUp(self) -> None:
@ -131,3 +133,15 @@ class TestEventsNotifications(TestCase):
        Notification.objects.all().delete()
        Event.new(EventAction.CUSTOM_PREFIX).save()
        self.assertEqual(Notification.objects.first().body, "foo")
+
+    def test_api_mark_all_seen(self):
+        """Test mark_all_seen"""
+        self.client.force_login(self.user)
+
+        Notification.objects.create(
+            severity=NotificationSeverity.NOTICE, body="foo", user=self.user, seen=False
+        )
+
+        response = self.client.post(reverse("authentik_api:notification-mark-all-seen"))
+        self.assertEqual(response.status_code, 204)
+        self.assertFalse(Notification.objects.filter(body="foo", seen=False).exists())
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -23,6 +23,7 @@ from authentik.flows.models import (
    in_memory_stage,
 )
 from authentik.lib.config import CONFIG
+from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware

@ -32,6 +33,7 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
+PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
@ -143,10 +145,23 @@ class FlowPlanner:
            and not request.user.is_superuser
        ):
            raise FlowNonApplicableException()
+        outpost_user = ClientIPMiddleware.get_outpost_user(request)
        if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
-            outpost_user = ClientIPMiddleware.get_outpost_user(request)
            if not outpost_user:
                raise FlowNonApplicableException()
+        if outpost_user:
+            outpost = Outpost.objects.filter(
+                # TODO: Since Outpost and user are not directly connected, we have to look up a user
+                # like this. This should ideally by in authentik/outposts/models.py
+                pk=outpost_user.username.replace("ak-outpost-", "")
+            ).first()
+            if outpost:
+                return {
+                    PLAN_CONTEXT_OUTPOST: {
+                        "instance": outpost,
+                    }
+                }
+        return {}

    def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
@ -159,11 +174,12 @@ class FlowPlanner:
            self._logger.debug(
                "f(plan): starting planning process",
            )
+            context = default_context or {}
            # Bit of a workaround here, if there is a pending user set in the default context
            # we use that user for our cache key
            # to make sure they don't get the generic response
-            if default_context and PLAN_CONTEXT_PENDING_USER in default_context:
-                user = default_context[PLAN_CONTEXT_PENDING_USER]
+            if context and PLAN_CONTEXT_PENDING_USER in context:
+                user = context[PLAN_CONTEXT_PENDING_USER]
            else:
                user = request.user
                # We only need to check the flow authentication if it's planned without a user
@ -171,14 +187,13 @@ class FlowPlanner:
                # or if a flow is restarted due to `invalid_response_action` being set to
                # `restart_with_context`, which can only happen if the user was already authorized
                # to use the flow
-                self._check_authentication(request)
+                context.update(self._check_authentication(request))
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
            engine.use_cache = self.use_cache
-            if default_context:
-                span.set_data("default_context", cleanse_dict(default_context))
-                engine.request.context.update(default_context)
+            span.set_data("context", cleanse_dict(context))
+            engine.request.context.update(context)
            engine.build()
            result = engine.result
            if not result.passing:
@ -195,12 +210,12 @@ class FlowPlanner:
                        key=cached_plan_key,
                    )
                    # Reset the context as this isn't factored into caching
-                    cached_plan.context = default_context or {}
+                    cached_plan.context = context
                    return cached_plan
            self._logger.debug(
                "f(plan): building plan",
            )
-            plan = self._build_plan(user, request, default_context)
+            plan = self._build_plan(user, request, context)
            if self.use_cache:
                cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
            if not plan.bindings and not self.allow_empty_flows:
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -16,14 +16,12 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
-from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception, start_span
 from sentry_sdk.api import set_tag
 from structlog.stdlib import BoundLogger, get_logger

-from authentik.api.authentication import bearer_auth, get_authorization_header
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction, cleanse_dict
@ -118,14 +116,6 @@ class FlowExecutorView(APIView):
        super().setup(request, flow_slug=flow_slug)
        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        self._logger = get_logger().bind(flow_slug=flow_slug)
-        # Usually flows are authenticated by session, we don't really use rest_framework's
-        # authentication method.
-        try:
-            user = bearer_auth(get_authorization_header(request))
-            if user:
-                request.user = user
-        except AuthenticationFailed:
-            pass
        set_tag("authentik.flow", self.flow.slug)

    def handle_invalid_flow(self, exc: FlowNonApplicableException) -> HttpResponse:
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -2,7 +2,6 @@

 import re
 import socket
-from collections.abc import Iterable
 from ipaddress import ip_address, ip_network
 from textwrap import indent
 from types import CodeType
@ -28,6 +27,12 @@ from authentik.stages.authenticator import devices_for_user

 LOGGER = get_logger()

+ARG_SANITIZE = re.compile(r"[:.-]")
+
+
+def sanitize_arg(arg_name: str) -> str:
+    return re.sub(ARG_SANITIZE, "_", arg_name)
+

 class BaseEvaluator:
    """Validate and evaluate python-based expressions"""
@ -177,9 +182,9 @@ class BaseEvaluator:
        proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
        return proc.profiling_wrapper()

-    def wrap_expression(self, expression: str, params: Iterable[str]) -> str:
+    def wrap_expression(self, expression: str) -> str:
        """Wrap expression in a function, call it, and save the result as `result`"""
-        handler_signature = ",".join(params)
+        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
        full_expression = ""
        full_expression += f"def handler({handler_signature}):\n"
        full_expression += indent(expression, "    ")
@ -188,8 +193,8 @@ class BaseEvaluator:

    def compile(self, expression: str) -> CodeType:
        """Parse expression. Raises SyntaxError or ValueError if the syntax is incorrect."""
-        param_keys = self._context.keys()
-        return compile(self.wrap_expression(expression, param_keys), self._filename, "exec")
+        expression = self.wrap_expression(expression)
+        return compile(expression, self._filename, "exec")

    def evaluate(self, expression_source: str) -> Any:
        """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
@ -205,7 +210,7 @@ class BaseEvaluator:
                self.handle_error(exc, expression_source)
                raise exc
            try:
-                _locals = self._context
+                _locals = {sanitize_arg(x): y for x, y in self._context.items()}
                # Yes this is an exec, yes it is potentially bad. Since we limit what variables are
                # available here, and these policies can only be edited by admins, this is a risk
                # we're willing to take.
--- a/authentik/providers/ldap/migrations/0004_alter_ldapprovider_options_and_more.py
+++ b/authentik/providers/ldap/migrations/0004_alter_ldapprovider_options_and_more.py
@ -4,13 +4,13 @@ from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 from django.db import migrations
-from django.contrib.auth.management import create_permissions


 def migrate_search_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.shortcuts import assign_perm
    from authentik.core.models import User
    from django.apps import apps as real_apps
+    from django.contrib.auth.management import create_permissions
+    from guardian.shortcuts import UserObjectPermission

    db_alias = schema_editor.connection.alias

@ -20,16 +20,25 @@ def migrate_search_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    create_permissions(real_apps.get_app_config("authentik_providers_ldap"), using=db_alias)

    LDAPProvider = apps.get_model("authentik_providers_ldap", "ldapprovider")
+    Permission = apps.get_model("auth", "Permission")
+    UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    new_prem = Permission.objects.using(db_alias).get(codename="search_full_directory")
+    ct = ContentType.objects.using(db_alias).get(
+        app_label="authentik_providers_ldap",
+        model="ldapprovider",
+    )

    for provider in LDAPProvider.objects.using(db_alias).all():
        if not provider.search_group:
            continue
-        for user_pk in (
-            provider.search_group.users.using(db_alias).all().values_list("pk", flat=True)
-        ):
-            # We need the correct user model instance to assign the permission
-            assign_perm(
-                "search_full_directory", User.objects.using(db_alias).get(pk=user_pk), provider
+        for user in provider.search_group.users.using(db_alias).all():
+            UserObjectPermission.objects.using(db_alias).create(
+                user=user,
+                permission=new_prem,
+                object_pk=provider.pk,
+                content_type=ct,
            )


@ -37,6 +46,7 @@ class Migration(migrations.Migration):

    dependencies = [
        ("authentik_providers_ldap", "0003_ldapprovider_mfa_support_and_more"),
+        ("guardian", "0002_generic_permissions_index"),
    ]

    operations = [
--- a/authentik/root/celery.py
+++ b/authentik/root/celery.py
@ -87,7 +87,11 @@ def task_error_hook(task_id: str, exception: Exception, traceback, *args, **kwar

 def _get_startup_tasks_default_tenant() -> list[Callable]:
    """Get all tasks to be run on startup for the default tenant"""
-    return []
+    from authentik.outposts.tasks import outpost_connection_discovery
+
+    return [
+        outpost_connection_discovery,
+    ]


 def _get_startup_tasks_all_tenants() -> list[Callable]:
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@ -221,9 +221,9 @@ class ClientIPMiddleware:
            )
            return None
        # Update sentry scope to include correct IP
-        user = Scope.get_isolation_scope()._user or {}
-        user["ip_address"] = delegated_ip
-        Scope.get_isolation_scope().set_user(user)
+        sentry_user = Scope.get_isolation_scope()._user or {}
+        sentry_user["ip_address"] = delegated_ip
+        Scope.get_isolation_scope().set_user(sentry_user)
        # Set the outpost service account on the request
        setattr(request, self.request_attr_outpost_user, user)
        return delegated_ip
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -248,7 +248,6 @@ MIDDLEWARE = [
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "authentik.core.middleware.RequestIDMiddleware",
    "authentik.brands.middleware.BrandMiddleware",
-    "authentik.brands.middleware.BrandCORSAPIMiddleware",
    "authentik.events.middleware.AuditMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
--- a/authentik/root/storages.py
+++ b/authentik/root/storages.py
@ -1,6 +1,7 @@
 """authentik storage backends"""

 import os
+from urllib.parse import parse_qsl, urlsplit

 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@ -110,3 +111,34 @@ class S3Storage(BaseS3Storage):
        if self.querystring_auth:
            return url
        return self._strip_signing_parameters(url)
+
+    def _strip_signing_parameters(self, url):
+        # Boto3 does not currently support generating URLs that are unsigned. Instead
+        # we take the signed URLs and strip any querystring params related to signing
+        # and expiration.
+        # Note that this may end up with URLs that are still invalid, especially if
+        # params are passed in that only work with signed URLs, e.g. response header
+        # params.
+        # The code attempts to strip all query parameters that match names of known
+        # parameters from v2 and v4 signatures, regardless of the actual signature
+        # version used.
+        split_url = urlsplit(url)
+        qs = parse_qsl(split_url.query, keep_blank_values=True)
+        blacklist = {
+            "x-amz-algorithm",
+            "x-amz-credential",
+            "x-amz-date",
+            "x-amz-expires",
+            "x-amz-signedheaders",
+            "x-amz-signature",
+            "x-amz-security-token",
+            "awsaccesskeyid",
+            "expires",
+            "signature",
+        }
+        filtered_qs = ((key, val) for key, val in qs if key.lower() not in blacklist)
+        # Note: Parameters that did not have a value in the original query string will
+        # have an '=' sign appended to it, e.g ?foo&bar becomes ?foo=&bar=
+        joined_qs = ("=".join(keyval) for keyval in filtered_qs)
+        split_url = split_url._replace(query="&".join(joined_qs))
+        return split_url.geturl()
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -38,7 +38,11 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            search_base=self.base_dn_groups,
            search_filter=self._source.group_object_filter,
            search_scope=SUBTREE,
-            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+            attributes=[
+                ALL_ATTRIBUTES,
+                ALL_OPERATIONAL_ATTRIBUTES,
+                self._source.object_uniqueness_field,
+            ],
            **kwargs,
        )

@ -53,9 +57,9 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                continue
            attributes = group.get("attributes", {})
            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
-            if self._source.object_uniqueness_field not in attributes:
+            if not attributes.get(self._source.object_uniqueness_field):
                self.message(
-                    f"Cannot find uniqueness field in attributes: '{group_dn}'",
+                    f"Uniqueness field not found/not set in attributes: '{group_dn}'",
                    attributes=attributes.keys(),
                    dn=group_dn,
                )
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -40,7 +40,11 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
            search_base=self.base_dn_users,
            search_filter=self._source.user_object_filter,
            search_scope=SUBTREE,
-            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+            attributes=[
+                ALL_ATTRIBUTES,
+                ALL_OPERATIONAL_ATTRIBUTES,
+                self._source.object_uniqueness_field,
+            ],
            **kwargs,
        )

@ -55,9 +59,9 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                continue
            attributes = user.get("attributes", {})
            user_dn = flatten(user.get("entryDN", user.get("dn")))
-            if self._source.object_uniqueness_field not in attributes:
+            if not attributes.get(self._source.object_uniqueness_field):
                self.message(
-                    f"Cannot find uniqueness field in attributes: '{user_dn}'",
+                    f"Uniqueness field not found/not set in attributes: '{user_dn}'",
                    attributes=attributes.keys(),
                    dn=user_dn,
                )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.8.0 Blueprint schema",
+    "title": "authentik 2024.8.1 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ toolchain go1.23.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc/v3 v3.11.0
-	github.com/getsentry/sentry-go v0.28.1
+	github.com/getsentry/sentry-go v0.29.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
@ -22,16 +22,16 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
-	github.com/prometheus/client_golang v1.20.2
+	github.com/prometheus/client_golang v1.20.3
 	github.com/redis/go-redis/v9 v9.6.1
 	github.com/sethvargo/go-envconfig v1.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024064.1
+	goauthentik.io/api/v3 v3.2024081.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.22.0
+	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
--- a/go.sum
+++ b/go.sum
@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.28.1 h1:zzaSm/vHmGllRM6Tpx1492r0YDzauArdBfkJRtY6P5k=
-github.com/getsentry/sentry-go v0.28.1/go.mod h1:1fQZ+7l7eeJ3wYi82q5Hg8GqAPgefRq+FP/QhafYVgg=
+github.com/getsentry/sentry-go v0.29.0 h1:YtWluuCFg9OfcqnaujpY918N/AhCCwarIDWOYSBAjCA=
+github.com/getsentry/sentry-go v0.29.0/go.mod h1:jhPesDAL0Q0W2+2YEuVOvdWmVtdsr1+jtBrlDEVWwLY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@ -239,8 +239,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg=
-github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4=
+github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024064.1 h1:vxquklgDGD+nGFhWRAsQ7ezQKg17MRq6bzEk25fbsb4=
-goauthentik.io/api/v3 v3.2024064.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024081.1 h1:2LgcmicnzGp76xyFPkJiH0KsMFS59bsAYecnMARRkAs=
+goauthentik.io/api/v3 v3.2024081.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
-golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.8.0"
+const VERSION = "2024.8.1"
--- a/internal/outpost/ak/api_utils.go
+++ b/internal/outpost/ak/api_utils.go
@ -35,10 +35,11 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
 	req PaginatorRequest[Treq, Tres],
 	opts PaginatorOptions,
 ) ([]Tobj, error) {
+	var bfreq, cfreq interface{}
 	fetchOffset := func(page int32) (Tres, error) {
-		req.Page(page)
-		req.PageSize(int32(opts.PageSize))
-		res, _, err := req.Execute()
+		bfreq = req.Page(page)
+		cfreq = bfreq.(PaginatorRequest[Treq, Tres]).PageSize(int32(opts.PageSize))
+		res, _, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
 		if err != nil {
 			opts.Logger.WithError(err).WithField("page", page).Warning("failed to fetch page")
 		}
--- a/internal/outpost/ak/api_utils_test.go
+++ b/internal/outpost/ak/api_utils_test.go
@ -0,0 +1,26 @@
+package ak
+
+// func Test_PaginatorCompile(t *testing.T) {
+// 	req := api.ApiCoreUsersListRequest{}
+// 	Paginator(req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }
+
+// func Test_PaginatorCompileExplicit(t *testing.T) {
+// 	req := api.ApiCoreUsersListRequest{}
+// 	Paginator[
+// 		api.User,
+// 		api.ApiCoreUsersListRequest,
+// 		*api.PaginatedUserList,
+// 	](req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }
+
+// func Test_PaginatorCompileOther(t *testing.T) {
+// 	req := api.ApiOutpostsProxyListRequest{}
+// 	Paginator(req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -96,7 +96,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 		return ldap.LDAPResultOperationsError, nil
 	}
 	flags.UserPk = userInfo.User.Pk
-	flags.CanSearch = access.HasSearchPermission != nil
+	flags.CanSearch = access.GetHasSearchPermission()
 	db.si.SetFlags(req.BindDN, &flags)
 	if flags.CanSearch {
 		req.Log().Debug("Allowed access to search")
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -193,7 +193,17 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 	})

 	mux.HandleFunc("/outpost.goauthentik.io/start", func(w http.ResponseWriter, r *http.Request) {
-		a.handleAuthStart(w, r, "")
+		fwd := ""
+		// This should only really be hit for nginx forward_auth
+		// as for that the auth start redirect URL is generated by the
+		// reverse proxy, and as such we won't have a request we just
+		// denied to reference for final URL
+		rd, ok := a.checkRedirectParam(r)
+		if ok {
+			a.log.WithField("rd", rd).Trace("Setting redirect")
+			fwd = rd
+		}
+		a.handleAuthStart(w, r, fwd)
 	})
 	mux.HandleFunc("/outpost.goauthentik.io/callback", a.handleAuthCallback)
 	mux.HandleFunc("/outpost.goauthentik.io/sign_out", a.handleSignOut)
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@ -15,36 +15,6 @@ const (
 	LogoutSignature   = "X-authentik-logout"
 )

-func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
-	rd := r.URL.Query().Get(redirectParam)
-	if rd == "" {
-		return "", false
-	}
-	u, err := url.Parse(rd)
-	if err != nil {
-		a.log.WithError(err).Warning("Failed to parse redirect URL")
-		return "", false
-	}
-	// Check to make sure we only redirect to allowed places
-	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-		ext, err := url.Parse(a.proxyConfig.ExternalHost)
-		if err != nil {
-			return "", false
-		}
-		ext.Scheme = ""
-		if !strings.Contains(u.String(), ext.String()) {
-			a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
-			return "", false
-		}
-	} else {
-		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
-			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
-			return "", false
-		}
-	}
-	return u.String(), true
-}
-
 func (a *Application) handleAuthStart(rw http.ResponseWriter, r *http.Request, fwd string) {
 	state, err := a.createState(r, fwd)
 	if err != nil {
--- a/internal/outpost/proxyv2/application/oauth_state.go
+++ b/internal/outpost/proxyv2/application/oauth_state.go
@ -5,10 +5,13 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"

 	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/securecookie"
 	"github.com/mitchellh/mapstructure"
+	"goauthentik.io/api/v3"
 )

 type OAuthState struct {
@ -27,6 +30,44 @@ func (oas *OAuthState) GetAudience() (jwt.ClaimStrings, error)       { return ni

 var base32RawStdEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

+// Validate that the given redirect parameter (?rd=...) is valid and can be used
+// For proxy/forward_single this checks that if the `rd` param has a Hostname (and is a full URL)
+// the hostname matches what's configured, or no hostname must be given
+// For forward_domain this checks if the domain of the URL in `rd` ends with the configured domain
+func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
+	rd := r.URL.Query().Get(redirectParam)
+	if rd == "" {
+		return "", false
+	}
+	u, err := url.Parse(rd)
+	if err != nil {
+		a.log.WithError(err).Warning("Failed to parse redirect URL")
+		return "", false
+	}
+	// Check to make sure we only redirect to allowed places
+	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+		ext, err := url.Parse(a.proxyConfig.ExternalHost)
+		if err != nil {
+			return "", false
+		}
+		// Either hostname needs to match the configured domain, or host name must be empty for just a path
+		if u.Host == "" {
+			u.Host = ext.Host
+			u.Scheme = ext.Scheme
+		}
+		if u.Host != ext.Host {
+			a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
+			return "", false
+		}
+	} else {
+		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
+			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
+			return "", false
+		}
+	}
+	return u.String(), true
+}
+
 func (a *Application) createState(r *http.Request, fwd string) (string, error) {
 	s, _ := a.sessions.Get(r, a.SessionName())
 	if s.ID == "" {
@ -39,17 +80,6 @@ func (a *Application) createState(r *http.Request, fwd string) (string, error) {
 		SessionID: s.ID,
 		Redirect:  fwd,
 	}
-	if fwd == "" {
-		// This should only really be hit for nginx forward_auth
-		// as for that the auth start redirect URL is generated by the
-		// reverse proxy, and as such we won't have a request we just
-		// denied to reference for final URL
-		rd, ok := a.checkRedirectParam(r)
-		if ok {
-			a.log.WithField("rd", rd).Trace("Setting redirect")
-			st.Redirect = rd
-		}
-	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, st)
 	tokenString, err := token.SignedString([]byte(a.proxyConfig.GetCookieSecret()))
 	if err != nil {
--- a/internal/outpost/proxyv2/application/oauth_test.go
+++ b/internal/outpost/proxyv2/application/oauth_test.go
@ -8,25 +8,45 @@ import (
 	"goauthentik.io/api/v3"
 )

-func TestCheckRedirectParam(t *testing.T) {
+func TestCheckRedirectParam_None(t *testing.T) {
 	a := newTestApplication()
+	// Test no rd param
 	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil)

 	rd, ok := a.checkRedirectParam(req)

 	assert.Equal(t, false, ok)
 	assert.Equal(t, "", rd)
+}

-	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
+func TestCheckRedirectParam_Invalid(t *testing.T) {
+	a := newTestApplication()
+	// Test invalid rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)

-	rd, ok = a.checkRedirectParam(req)
+	rd, ok := a.checkRedirectParam(req)

 	assert.Equal(t, false, ok)
 	assert.Equal(t, "", rd)
+}

-	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test?foo", nil)
+func TestCheckRedirectParam_ValidFull(t *testing.T) {
+	a := newTestApplication()
+	// Test valid full rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test?foo", nil)

-	rd, ok = a.checkRedirectParam(req)
+	rd, ok := a.checkRedirectParam(req)
+
+	assert.Equal(t, true, ok)
+	assert.Equal(t, "https://ext.t.goauthentik.io/test?foo", rd)
+}
+
+func TestCheckRedirectParam_ValidPartial(t *testing.T) {
+	a := newTestApplication()
+	// Test valid partial rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=/test?foo", nil)
+
+	rd, ok := a.checkRedirectParam(req)

 	assert.Equal(t, true, ok)
 	assert.Equal(t, "https://ext.t.goauthentik.io/test?foo", rd)
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-09-08 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -18,6 +18,11 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"

+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr ""
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-12 13:45+0000\n"
+"POT-Creation-Date: 2024-09-08 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2024\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -29,6 +29,11 @@ msgstr ""
 "Language: fr\n"
 "Plural-Forms: nplurals=3; plural=(n == 0 || n == 1) ? 0 : n != 0 && n % 1000000 == 0 ? 1 : 2;\n"

+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "Une nouvelle version {version} est disponible !"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "Erreur d'API Générique"
@ -1342,14 +1347,6 @@ msgstr "Impossible de résoudre l'application"
 msgid "DN under which objects are accessible."
 msgstr "DN sous lequel les objets sont accessibles."

-#: authentik/providers/ldap/models.py
-msgid ""
-"Users in this group can do search queries. If not set, every user can "
-"execute search queries."
-msgstr ""
-"Les utilisateurs dans ce groupe peuvent faire des requêtes de recherche. Si "
-"laissé vide, tous les utilisateurs peuvent faire des requêtes de recherche."
-
 #: authentik/providers/ldap/models.py
 msgid ""
 "The start for uidNumbers, this number is added to the user.pk to make sure "
@ -1396,6 +1393,10 @@ msgstr "Fournisseur LDAP"
 msgid "LDAP Providers"
 msgstr "Fournisseurs LDAP"

+#: authentik/providers/ldap/models.py
+msgid "Search full LDAP directory"
+msgstr "Rechercher dans l'annuaire LDAP complet"
+
 #: authentik/providers/oauth2/id_token.py
 msgid "Based on the Hashed User ID"
 msgstr "Basé sur le hash de l'ID utilisateur"
@ -1796,6 +1797,14 @@ msgstr "Mappage de propriété fournisseur Radius"
 msgid "Radius Provider Property Mappings"
 msgstr "Mappages de propriété fournisseur Radius"

+#: authentik/providers/saml/api/providers.py
+msgid ""
+"With a signing keypair selected, at least one of 'Sign assertion' and 'Sign "
+"Response' must be selected."
+msgstr ""
+"Quand une clé de signature est sélectionnée, au moins l'un de « Signer les "
+"assertions » et « Signer les réponses » doit être sélectionné."
+
 #: authentik/providers/saml/api/providers.py
 msgid "Invalid XML Syntax"
 msgstr "Syntaxe XML Invalide"
@ -1944,6 +1953,20 @@ msgstr ""
 msgid "Signing Keypair"
 msgstr "Paire de clés de Signature"

+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid ""
+"When selected, incoming assertions are encrypted by the IdP using the public"
+" key of the encryption keypair. The assertion is decrypted by the SP using "
+"the the private key."
+msgstr ""
+"Si activé, les assertions entrantes seront chiffrées par l'IdP avec la clé "
+"publique de la paire de clé de chiffrement. L'assertion est déchiffrée par "
+"le SP en utilisant la clé privée."
+
+#: authentik/providers/saml/models.py authentik/sources/saml/models.py
+msgid "Encryption Keypair"
+msgstr "Paire de clés de chiffrement"
+
 #: authentik/providers/saml/models.py
 msgid "Default relay_state value for IDP-initiated logins"
 msgstr "Valeur par défaut de relay_state des connexions initiées par l'IdP"
@ -2466,20 +2489,6 @@ msgstr ""
 "Paire de clés utilisées pour signer les réponses sortantes allant vers le "
 "fournisseur d'identité."

-#: authentik/sources/saml/models.py
-msgid ""
-"When selected, incoming assertions are encrypted by the IdP using the public"
-" key of the encryption keypair. The assertion is decrypted by the SP using "
-"the the private key."
-msgstr ""
-"Si activé, les assertions entrantes seront chiffrées par l'IdP avec la clé "
-"publique de la paire de clé de chiffrement. L'assertion est déchiffrée par "
-"le SP en utilisant la clé privée."
-
-#: authentik/sources/saml/models.py
-msgid "Encryption Keypair"
-msgstr "Paire de clés de chiffrement"
-
 #: authentik/sources/saml/models.py
 msgid "SAML Source"
 msgstr "Source SAML"
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-09-08 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -25,6 +25,11 @@ msgstr ""
 "Language: zh-Hans\n"
 "Plural-Forms: nplurals=1; plural=0;\n"

+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "新版本 {version} 可用！"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "通用 API 错误"
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-09-08 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -24,6 +24,11 @@ msgstr ""
 "Language: zh_CN\n"
 "Plural-Forms: nplurals=1; plural=0;\n"

+#: authentik/admin/tasks.py
+#, python-brace-format
+msgid "New version {version} available!"
+msgstr "新版本 {version} 可用！"
+
 #: authentik/api/schema.py
 msgid "Generic API Error"
 msgstr "通用 API 错误"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.8.0",
+    "version": "2024.8.1",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -1053,38 +1053,38 @@ toml = ["tomli"]

 [[package]]
 name = "cryptography"
-version = "43.0.0"
+version = "43.0.1"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "cryptography-43.0.0-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf"},
-    {file = "cryptography-43.0.0-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55"},
-    {file = "cryptography-43.0.0-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431"},
-    {file = "cryptography-43.0.0-cp37-abi3-win32.whl", hash = "sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc"},
-    {file = "cryptography-43.0.0-cp37-abi3-win_amd64.whl", hash = "sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778"},
-    {file = "cryptography-43.0.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f"},
-    {file = "cryptography-43.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0"},
-    {file = "cryptography-43.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b"},
-    {file = "cryptography-43.0.0-cp39-abi3-win32.whl", hash = "sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf"},
-    {file = "cryptography-43.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1"},
-    {file = "cryptography-43.0.0.tar.gz", hash = "sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e"},
+    {file = "cryptography-43.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a"},
+    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042"},
+    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494"},
+    {file = "cryptography-43.0.1-cp37-abi3-win32.whl", hash = "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2"},
+    {file = "cryptography-43.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d"},
+    {file = "cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1"},
+    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa"},
+    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4"},
+    {file = "cryptography-43.0.1-cp39-abi3-win32.whl", hash = "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47"},
+    {file = "cryptography-43.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2"},
+    {file = "cryptography-43.0.1.tar.gz", hash = "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d"},
 ]

 [package.dependencies]
@ -1097,7 +1097,7 @@ nox = ["nox"]
 pep8test = ["check-sdist", "click", "mypy", "ruff"]
 sdist = ["build"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi", "cryptography-vectors (==43.0.0)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"]
+test = ["certifi", "cryptography-vectors (==43.0.1)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"]
 test-randomorder = ["pytest-randomly"]

 [[package]]
@ -1207,13 +1207,13 @@ dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "sphinx (<2)", "tox"]

 [[package]]
 name = "django"
-version = "5.0.8"
+version = "5.0.9"
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 optional = false
 python-versions = ">=3.10"
 files = [
-    {file = "Django-5.0.8-py3-none-any.whl", hash = "sha256:333a7988f7ca4bc14d360d3d8f6b793704517761ae3813b95432043daec22a45"},
-    {file = "Django-5.0.8.tar.gz", hash = "sha256:ebe859c9da6fead9c9ee6dbfa4943b04f41342f4cea2c4d8c978ef0d10694f2b"},
+    {file = "Django-5.0.9-py3-none-any.whl", hash = "sha256:f219576ba53be4e83f485130a7283f0efde06a9f2e3a7c3c5180327549f078fa"},
+    {file = "Django-5.0.9.tar.gz", hash = "sha256:6333870d342329b60174da3a60dbd302e533f3b0bb0971516750e974a99b5a39"},
 ]

 [package.dependencies]
@ -1287,13 +1287,13 @@ Django = ">=2.2"

 [[package]]
 name = "django-model-utils"
-version = "4.5.1"
+version = "5.0.0"
 description = "Django model mixins and utilities"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "django_model_utils-4.5.1-py3-none-any.whl", hash = "sha256:f1141fc71796242edeffed5ad53a8cc57f00d345eb5a3a63e3f69401cd562ee2"},
-    {file = "django_model_utils-4.5.1.tar.gz", hash = "sha256:1220f22d9a467d53a1e0f4cda4857df0b2f757edf9a29955c42461988caa648a"},
+    {file = "django_model_utils-5.0.0-py3-none-any.whl", hash = "sha256:fec78e6c323d565a221f7c4edc703f4567d7bb1caeafe1acd16a80c5ff82056b"},
+    {file = "django_model_utils-5.0.0.tar.gz", hash = "sha256:041cdd6230d2fbf6cd943e1969318bce762272077f4ecd333ab2263924b4e5eb"},
 ]

 [package.dependencies]
@ -1315,13 +1315,13 @@ django = ">=3"

 [[package]]
 name = "django-pglock"
-version = "1.6.0"
+version = "1.6.1"
 description = "Postgres locking routines and lock table access."
 optional = false
 python-versions = "<4,>=3.8.0"
 files = [
-    {file = "django_pglock-1.6.0-py3-none-any.whl", hash = "sha256:41c98d0bd3738d11e6eaefcc3e5146028f118a593ac58c13d663b751170f01de"},
-    {file = "django_pglock-1.6.0.tar.gz", hash = "sha256:724450ecc9886f39af599c477d84ad086545a5373215ef7a670cd25faca25a61"},
+    {file = "django_pglock-1.6.1-py3-none-any.whl", hash = "sha256:2ba592c4df1d6c8033c80297fb46252c774e347c3087d34279f1a47d07346dc3"},
+    {file = "django_pglock-1.6.1.tar.gz", hash = "sha256:01c1592dae0affc7d7710a53a03cf22653d870f362ef7ae84312cb7fa9c2cb5e"},
 ]

 [package.dependencies]
@ -1761,13 +1761,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]

 [[package]]
 name = "google-api-python-client"
-version = "2.143.0"
+version = "2.145.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.143.0-py2.py3-none-any.whl", hash = "sha256:d5654134522b9b574b82234e96f7e0aeeabcbf33643fbabcd449ef0068e3a476"},
-    {file = "google_api_python_client-2.143.0.tar.gz", hash = "sha256:6a75441f9078e6e2fcdf4946a153fda1e2cc81b5e9c8d6e8c0750c85c7f8a566"},
+    {file = "google_api_python_client-2.145.0-py2.py3-none-any.whl", hash = "sha256:d74da1358f3f2d63daf3c6f26bd96d89652051183bc87cf10a56ceb2a70beb50"},
+    {file = "google_api_python_client-2.145.0.tar.gz", hash = "sha256:8b84dde11aaccadc127e4846f5cd932331d804ea324e353131595e3f25376e97"},
 ]

 [package.dependencies]
@ -2848,13 +2848,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]

 [[package]]
 name = "msgraph-sdk"
-version = "1.5.4"
+version = "1.7.0"
 description = "The Microsoft Graph Python SDK"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "msgraph_sdk-1.5.4-py3-none-any.whl", hash = "sha256:9ea349f30cc4a03edb587e26554c7a4839a38c2ef30d4b5396882fd2be82dcac"},
-    {file = "msgraph_sdk-1.5.4.tar.gz", hash = "sha256:b0e146328d136d1db175938d8fc901f3bb32acf3ea6fe93c0dc7c5a0abc45e39"},
+    {file = "msgraph_sdk-1.7.0-py3-none-any.whl", hash = "sha256:66683b361eb1230b315e57c75a144e2f93c8a7e70f11c6a8c6c150dd59fa0235"},
+    {file = "msgraph_sdk-1.7.0.tar.gz", hash = "sha256:40b7776e2f02825ddb51d390490858e7d1c065a36e2a21b7655b392c78565b43"},
 ]

 [package.dependencies]
@ -3204,13 +3204,13 @@ files = [

 [[package]]
 name = "pdoc"
-version = "14.6.1"
+version = "14.7.0"
 description = "API Documentation for Python Projects"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pdoc-14.6.1-py3-none-any.whl", hash = "sha256:efbed433655264392c60551615a3d42b8f21e492373419756d20234c667b54bc"},
-    {file = "pdoc-14.6.1.tar.gz", hash = "sha256:ee598f30d5c55dd4702086dabc412a26022acc35aa88aa382cda8ac655fead98"},
+    {file = "pdoc-14.7.0-py3-none-any.whl", hash = "sha256:72377a907efc6b2c5b3c56b717ef34f11d93621dced3b663f3aede0b844c0ad2"},
+    {file = "pdoc-14.7.0.tar.gz", hash = "sha256:2d28af9c0acc39180744ad0543e4bbc3223ecba0d1302db315ec521c51f71f93"},
 ]

 [package.dependencies]
@ -3507,120 +3507,121 @@ files = [

 [[package]]
 name = "pydantic"
-version = "2.8.2"
+version = "2.9.1"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic-2.8.2-py3-none-any.whl", hash = "sha256:73ee9fddd406dc318b885c7a2eab8a6472b68b8fb5ba8150949fc3db939f23c8"},
-    {file = "pydantic-2.8.2.tar.gz", hash = "sha256:6f62c13d067b0755ad1c21a34bdd06c0c12625a22b0fc09c6b149816604f7c2a"},
+    {file = "pydantic-2.9.1-py3-none-any.whl", hash = "sha256:7aff4db5fdf3cf573d4b3c30926a510a10e19a0774d38fc4967f78beb6deb612"},
+    {file = "pydantic-2.9.1.tar.gz", hash = "sha256:1363c7d975c7036df0db2b4a61f2e062fbc0aa5ab5f2772e0ffc7191a4f4bce2"},
 ]

 [package.dependencies]
-annotated-types = ">=0.4.0"
+annotated-types = ">=0.6.0"
 email-validator = {version = ">=2.0.0", optional = true, markers = "extra == \"email\""}
-pydantic-core = "2.20.1"
+pydantic-core = "2.23.3"
 typing-extensions = {version = ">=4.6.1", markers = "python_version < \"3.13\""}

 [package.extras]
 email = ["email-validator (>=2.0.0)"]
+timezone = ["tzdata"]

 [[package]]
 name = "pydantic-core"
-version = "2.20.1"
+version = "2.23.3"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic_core-2.20.1-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:3acae97ffd19bf091c72df4d726d552c473f3576409b2a7ca36b2f535ffff4a3"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:41f4c96227a67a013e7de5ff8f20fb496ce573893b7f4f2707d065907bffdbd6"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5f239eb799a2081495ea659d8d4a43a8f42cd1fe9ff2e7e436295c38a10c286a"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:53e431da3fc53360db73eedf6f7124d1076e1b4ee4276b36fb25514544ceb4a3"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f1f62b2413c3a0e846c3b838b2ecd6c7a19ec6793b2a522745b0869e37ab5bc1"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5d41e6daee2813ecceea8eda38062d69e280b39df793f5a942fa515b8ed67953"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d482efec8b7dc6bfaedc0f166b2ce349df0011f5d2f1f25537ced4cfc34fd98"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e93e1a4b4b33daed65d781a57a522ff153dcf748dee70b40c7258c5861e1768a"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e7c4ea22b6739b162c9ecaaa41d718dfad48a244909fe7ef4b54c0b530effc5a"},
-    {file = "pydantic_core-2.20.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:4f2790949cf385d985a31984907fecb3896999329103df4e4983a4a41e13e840"},
-    {file = "pydantic_core-2.20.1-cp310-none-win32.whl", hash = "sha256:5e999ba8dd90e93d57410c5e67ebb67ffcaadcea0ad973240fdfd3a135506250"},
-    {file = "pydantic_core-2.20.1-cp310-none-win_amd64.whl", hash = "sha256:512ecfbefef6dac7bc5eaaf46177b2de58cdf7acac8793fe033b24ece0b9566c"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:d2a8fa9d6d6f891f3deec72f5cc668e6f66b188ab14bb1ab52422fe8e644f312"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:175873691124f3d0da55aeea1d90660a6ea7a3cfea137c38afa0a5ffabe37b88"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:37eee5b638f0e0dcd18d21f59b679686bbd18917b87db0193ae36f9c23c355fc"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:25e9185e2d06c16ee438ed39bf62935ec436474a6ac4f9358524220f1b236e43"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:150906b40ff188a3260cbee25380e7494ee85048584998c1e66df0c7a11c17a6"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8ad4aeb3e9a97286573c03df758fc7627aecdd02f1da04516a86dc159bf70121"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d3f3ed29cd9f978c604708511a1f9c2fdcb6c38b9aae36a51905b8811ee5cbf1"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:b0dae11d8f5ded51699c74d9548dcc5938e0804cc8298ec0aa0da95c21fff57b"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:faa6b09ee09433b87992fb5a2859efd1c264ddc37280d2dd5db502126d0e7f27"},
-    {file = "pydantic_core-2.20.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:9dc1b507c12eb0481d071f3c1808f0529ad41dc415d0ca11f7ebfc666e66a18b"},
-    {file = "pydantic_core-2.20.1-cp311-none-win32.whl", hash = "sha256:fa2fddcb7107e0d1808086ca306dcade7df60a13a6c347a7acf1ec139aa6789a"},
-    {file = "pydantic_core-2.20.1-cp311-none-win_amd64.whl", hash = "sha256:40a783fb7ee353c50bd3853e626f15677ea527ae556429453685ae32280c19c2"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:595ba5be69b35777474fa07f80fc260ea71255656191adb22a8c53aba4479231"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a4f55095ad087474999ee28d3398bae183a66be4823f753cd7d67dd0153427c9"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f9aa05d09ecf4c75157197f27cdc9cfaeb7c5f15021c6373932bf3e124af029f"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e97fdf088d4b31ff4ba35db26d9cc472ac7ef4a2ff2badeabf8d727b3377fc52"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bc633a9fe1eb87e250b5c57d389cf28998e4292336926b0b6cdaee353f89a237"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d573faf8eb7e6b1cbbcb4f5b247c60ca8be39fe2c674495df0eb4318303137fe"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:26dc97754b57d2fd00ac2b24dfa341abffc380b823211994c4efac7f13b9e90e"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:33499e85e739a4b60c9dac710c20a08dc73cb3240c9a0e22325e671b27b70d24"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:bebb4d6715c814597f85297c332297c6ce81e29436125ca59d1159b07f423eb1"},
-    {file = "pydantic_core-2.20.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:516d9227919612425c8ef1c9b869bbbee249bc91912c8aaffb66116c0b447ebd"},
-    {file = "pydantic_core-2.20.1-cp312-none-win32.whl", hash = "sha256:469f29f9093c9d834432034d33f5fe45699e664f12a13bf38c04967ce233d688"},
-    {file = "pydantic_core-2.20.1-cp312-none-win_amd64.whl", hash = "sha256:035ede2e16da7281041f0e626459bcae33ed998cca6a0a007a5ebb73414ac72d"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:0827505a5c87e8aa285dc31e9ec7f4a17c81a813d45f70b1d9164e03a813a686"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:19c0fa39fa154e7e0b7f82f88ef85faa2a4c23cc65aae2f5aea625e3c13c735a"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4aa223cd1e36b642092c326d694d8bf59b71ddddc94cdb752bbbb1c5c91d833b"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c336a6d235522a62fef872c6295a42ecb0c4e1d0f1a3e500fe949415761b8a19"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7eb6a0587eded33aeefea9f916899d42b1799b7b14b8f8ff2753c0ac1741edac"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:70c8daf4faca8da5a6d655f9af86faf6ec2e1768f4b8b9d0226c02f3d6209703"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e9fa4c9bf273ca41f940bceb86922a7667cd5bf90e95dbb157cbb8441008482c"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:11b71d67b4725e7e2a9f6e9c0ac1239bbc0c48cce3dc59f98635efc57d6dac83"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:270755f15174fb983890c49881e93f8f1b80f0b5e3a3cc1394a255706cabd203"},
-    {file = "pydantic_core-2.20.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:c81131869240e3e568916ef4c307f8b99583efaa60a8112ef27a366eefba8ef0"},
-    {file = "pydantic_core-2.20.1-cp313-none-win32.whl", hash = "sha256:b91ced227c41aa29c672814f50dbb05ec93536abf8f43cd14ec9521ea09afe4e"},
-    {file = "pydantic_core-2.20.1-cp313-none-win_amd64.whl", hash = "sha256:65db0f2eefcaad1a3950f498aabb4875c8890438bc80b19362cf633b87a8ab20"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:4745f4ac52cc6686390c40eaa01d48b18997cb130833154801a442323cc78f91"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:a8ad4c766d3f33ba8fd692f9aa297c9058970530a32c728a2c4bfd2616d3358b"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:41e81317dd6a0127cabce83c0c9c3fbecceae981c8391e6f1dec88a77c8a569a"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:04024d270cf63f586ad41fff13fde4311c4fc13ea74676962c876d9577bcc78f"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:eaad4ff2de1c3823fddf82f41121bdf453d922e9a238642b1dedb33c4e4f98ad"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:26ab812fa0c845df815e506be30337e2df27e88399b985d0bb4e3ecfe72df31c"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3c5ebac750d9d5f2706654c638c041635c385596caf68f81342011ddfa1e5598"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2aafc5a503855ea5885559eae883978c9b6d8c8993d67766ee73d82e841300dd"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:4868f6bd7c9d98904b748a2653031fc9c2f85b6237009d475b1008bfaeb0a5aa"},
-    {file = "pydantic_core-2.20.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:aa2f457b4af386254372dfa78a2eda2563680d982422641a85f271c859df1987"},
-    {file = "pydantic_core-2.20.1-cp38-none-win32.whl", hash = "sha256:225b67a1f6d602de0ce7f6c1c3ae89a4aa25d3de9be857999e9124f15dab486a"},
-    {file = "pydantic_core-2.20.1-cp38-none-win_amd64.whl", hash = "sha256:6b507132dcfc0dea440cce23ee2182c0ce7aba7054576efc65634f080dbe9434"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:b03f7941783b4c4a26051846dea594628b38f6940a2fdc0df00b221aed39314c"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:1eedfeb6089ed3fad42e81a67755846ad4dcc14d73698c120a82e4ccf0f1f9f6"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:635fee4e041ab9c479e31edda27fcf966ea9614fff1317e280d99eb3e5ab6fe2"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:77bf3ac639c1ff567ae3b47f8d4cc3dc20f9966a2a6dd2311dcc055d3d04fb8a"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7ed1b0132f24beeec5a78b67d9388656d03e6a7c837394f99257e2d55b461611"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c6514f963b023aeee506678a1cf821fe31159b925c4b76fe2afa94cc70b3222b"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:10d4204d8ca33146e761c79f83cc861df20e7ae9f6487ca290a97702daf56006"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2d036c7187b9422ae5b262badb87a20a49eb6c5238b2004e96d4da1231badef1"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:9ebfef07dbe1d93efb94b4700f2d278494e9162565a54f124c404a5656d7ff09"},
-    {file = "pydantic_core-2.20.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:6b9d9bb600328a1ce523ab4f454859e9d439150abb0906c5a1983c146580ebab"},
-    {file = "pydantic_core-2.20.1-cp39-none-win32.whl", hash = "sha256:784c1214cb6dd1e3b15dd8b91b9a53852aed16671cc3fbe4786f4f1db07089e2"},
-    {file = "pydantic_core-2.20.1-cp39-none-win_amd64.whl", hash = "sha256:d2fe69c5434391727efa54b47a1e7986bb0186e72a41b203df8f5b0a19a4f669"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:a45f84b09ac9c3d35dfcf6a27fd0634d30d183205230a0ebe8373a0e8cfa0906"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:d02a72df14dfdbaf228424573a07af10637bd490f0901cee872c4f434a735b94"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d2b27e6af28f07e2f195552b37d7d66b150adbaa39a6d327766ffd695799780f"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:084659fac3c83fd674596612aeff6041a18402f1e1bc19ca39e417d554468482"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:242b8feb3c493ab78be289c034a1f659e8826e2233786e36f2893a950a719bb6"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:38cf1c40a921d05c5edc61a785c0ddb4bed67827069f535d794ce6bcded919fc"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:e0bbdd76ce9aa5d4209d65f2b27fc6e5ef1312ae6c5333c26db3f5ade53a1e99"},
-    {file = "pydantic_core-2.20.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:254ec27fdb5b1ee60684f91683be95e5133c994cc54e86a0b0963afa25c8f8a6"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:407653af5617f0757261ae249d3fba09504d7a71ab36ac057c938572d1bc9331"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:c693e916709c2465b02ca0ad7b387c4f8423d1db7b4649c551f27a529181c5ad"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5b5ff4911aea936a47d9376fd3ab17e970cc543d1b68921886e7f64bd28308d1"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:177f55a886d74f1808763976ac4efd29b7ed15c69f4d838bbd74d9d09cf6fa86"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:964faa8a861d2664f0c7ab0c181af0bea66098b1919439815ca8803ef136fc4e"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:4dd484681c15e6b9a977c785a345d3e378d72678fd5f1f3c0509608da24f2ac0"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f6d6cff3538391e8486a431569b77921adfcdef14eb18fbf19b7c0a5294d4e6a"},
-    {file = "pydantic_core-2.20.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:a6d511cc297ff0883bc3708b465ff82d7560193169a8b93260f74ecb0a5e08a7"},
-    {file = "pydantic_core-2.20.1.tar.gz", hash = "sha256:26ca695eeee5f9f1aeeb211ffc12f10bcb6f71e2989988fda61dabd65db878d4"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:7f10a5d1b9281392f1bf507d16ac720e78285dfd635b05737c3911637601bae6"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:3c09a7885dd33ee8c65266e5aa7fb7e2f23d49d8043f089989726391dd7350c5"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6470b5a1ec4d1c2e9afe928c6cb37eb33381cab99292a708b8cb9aa89e62429b"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9172d2088e27d9a185ea0a6c8cebe227a9139fd90295221d7d495944d2367700"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:86fc6c762ca7ac8fbbdff80d61b2c59fb6b7d144aa46e2d54d9e1b7b0e780e01"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f0cb80fd5c2df4898693aa841425ea1727b1b6d2167448253077d2a49003e0ed"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:03667cec5daf43ac4995cefa8aaf58f99de036204a37b889c24a80927b629cec"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:047531242f8e9c2db733599f1c612925de095e93c9cc0e599e96cf536aaf56ba"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:5499798317fff7f25dbef9347f4451b91ac2a4330c6669821c8202fd354c7bee"},
+    {file = "pydantic_core-2.23.3-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:bbb5e45eab7624440516ee3722a3044b83fff4c0372efe183fd6ba678ff681fe"},
+    {file = "pydantic_core-2.23.3-cp310-none-win32.whl", hash = "sha256:8b5b3ed73abb147704a6e9f556d8c5cb078f8c095be4588e669d315e0d11893b"},
+    {file = "pydantic_core-2.23.3-cp310-none-win_amd64.whl", hash = "sha256:2b603cde285322758a0279995b5796d64b63060bfbe214b50a3ca23b5cee3e83"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:c889fd87e1f1bbeb877c2ee56b63bb297de4636661cc9bbfcf4b34e5e925bc27"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:ea85bda3189fb27503af4c45273735bcde3dd31c1ab17d11f37b04877859ef45"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a7f7f72f721223f33d3dc98a791666ebc6a91fa023ce63733709f4894a7dc611"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:2b2b55b0448e9da68f56b696f313949cda1039e8ec7b5d294285335b53104b61"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c24574c7e92e2c56379706b9a3f07c1e0c7f2f87a41b6ee86653100c4ce343e5"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f2b05e6ccbee333a8f4b8f4d7c244fdb7a979e90977ad9c51ea31261e2085ce0"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e2c409ce1c219c091e47cb03feb3c4ed8c2b8e004efc940da0166aaee8f9d6c8"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d965e8b325f443ed3196db890d85dfebbb09f7384486a77461347f4adb1fa7f8"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:f56af3a420fb1ffaf43ece3ea09c2d27c444e7c40dcb7c6e7cf57aae764f2b48"},
+    {file = "pydantic_core-2.23.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5b01a078dd4f9a52494370af21aa52964e0a96d4862ac64ff7cea06e0f12d2c5"},
+    {file = "pydantic_core-2.23.3-cp311-none-win32.whl", hash = "sha256:560e32f0df04ac69b3dd818f71339983f6d1f70eb99d4d1f8e9705fb6c34a5c1"},
+    {file = "pydantic_core-2.23.3-cp311-none-win_amd64.whl", hash = "sha256:c744fa100fdea0d000d8bcddee95213d2de2e95b9c12be083370b2072333a0fa"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:e0ec50663feedf64d21bad0809f5857bac1ce91deded203efc4a84b31b2e4305"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:db6e6afcb95edbe6b357786684b71008499836e91f2a4a1e55b840955b341dbb"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:98ccd69edcf49f0875d86942f4418a4e83eb3047f20eb897bffa62a5d419c8fa"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a678c1ac5c5ec5685af0133262103defb427114e62eafeda12f1357a12140162"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:01491d8b4d8db9f3391d93b0df60701e644ff0894352947f31fff3e52bd5c801"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fcf31facf2796a2d3b7fe338fe8640aa0166e4e55b4cb108dbfd1058049bf4cb"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7200fd561fb3be06827340da066df4311d0b6b8eb0c2116a110be5245dceb326"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:dc1636770a809dee2bd44dd74b89cc80eb41172bcad8af75dd0bc182c2666d4c"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:67a5def279309f2e23014b608c4150b0c2d323bd7bccd27ff07b001c12c2415c"},
+    {file = "pydantic_core-2.23.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:748bdf985014c6dd3e1e4cc3db90f1c3ecc7246ff5a3cd4ddab20c768b2f1dab"},
+    {file = "pydantic_core-2.23.3-cp312-none-win32.whl", hash = "sha256:255ec6dcb899c115f1e2a64bc9ebc24cc0e3ab097775755244f77360d1f3c06c"},
+    {file = "pydantic_core-2.23.3-cp312-none-win_amd64.whl", hash = "sha256:40b8441be16c1e940abebed83cd006ddb9e3737a279e339dbd6d31578b802f7b"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:6daaf5b1ba1369a22c8b050b643250e3e5efc6a78366d323294aee54953a4d5f"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:d015e63b985a78a3d4ccffd3bdf22b7c20b3bbd4b8227809b3e8e75bc37f9cb2"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a3fc572d9b5b5cfe13f8e8a6e26271d5d13f80173724b738557a8c7f3a8a3791"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:f6bd91345b5163ee7448bee201ed7dd601ca24f43f439109b0212e296eb5b423"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fc379c73fd66606628b866f661e8785088afe2adaba78e6bbe80796baf708a63"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:fbdce4b47592f9e296e19ac31667daed8753c8367ebb34b9a9bd89dacaa299c9"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fc3cf31edf405a161a0adad83246568647c54404739b614b1ff43dad2b02e6d5"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8e22b477bf90db71c156f89a55bfe4d25177b81fce4aa09294d9e805eec13855"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:0a0137ddf462575d9bce863c4c95bac3493ba8e22f8c28ca94634b4a1d3e2bb4"},
+    {file = "pydantic_core-2.23.3-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:203171e48946c3164fe7691fc349c79241ff8f28306abd4cad5f4f75ed80bc8d"},
+    {file = "pydantic_core-2.23.3-cp313-none-win32.whl", hash = "sha256:76bdab0de4acb3f119c2a4bff740e0c7dc2e6de7692774620f7452ce11ca76c8"},
+    {file = "pydantic_core-2.23.3-cp313-none-win_amd64.whl", hash = "sha256:37ba321ac2a46100c578a92e9a6aa33afe9ec99ffa084424291d84e456f490c1"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:d063c6b9fed7d992bcbebfc9133f4c24b7a7f215d6b102f3e082b1117cddb72c"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6cb968da9a0746a0cf521b2b5ef25fc5a0bee9b9a1a8214e0a1cfaea5be7e8a4"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:edbefe079a520c5984e30e1f1f29325054b59534729c25b874a16a5048028d16"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:cbaaf2ef20d282659093913da9d402108203f7cb5955020bd8d1ae5a2325d1c4"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fb539d7e5dc4aac345846f290cf504d2fd3c1be26ac4e8b5e4c2b688069ff4cf"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7e6f33503c5495059148cc486867e1d24ca35df5fc064686e631e314d959ad5b"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:04b07490bc2f6f2717b10c3969e1b830f5720b632f8ae2f3b8b1542394c47a8e"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:03795b9e8a5d7fda05f3873efc3f59105e2dcff14231680296b87b80bb327295"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:c483dab0f14b8d3f0df0c6c18d70b21b086f74c87ab03c59250dbf6d3c89baba"},
+    {file = "pydantic_core-2.23.3-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:8b2682038e255e94baf2c473dca914a7460069171ff5cdd4080be18ab8a7fd6e"},
+    {file = "pydantic_core-2.23.3-cp38-none-win32.whl", hash = "sha256:f4a57db8966b3a1d1a350012839c6a0099f0898c56512dfade8a1fe5fb278710"},
+    {file = "pydantic_core-2.23.3-cp38-none-win_amd64.whl", hash = "sha256:13dd45ba2561603681a2676ca56006d6dee94493f03d5cadc055d2055615c3ea"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:82da2f4703894134a9f000e24965df73cc103e31e8c31906cc1ee89fde72cbd8"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:dd9be0a42de08f4b58a3cc73a123f124f65c24698b95a54c1543065baca8cf0e"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:89b731f25c80830c76fdb13705c68fef6a2b6dc494402987c7ea9584fe189f5d"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c6de1ec30c4bb94f3a69c9f5f2182baeda5b809f806676675e9ef6b8dc936f28"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bb68b41c3fa64587412b104294b9cbb027509dc2f6958446c502638d481525ef"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1c3980f2843de5184656aab58698011b42763ccba11c4a8c35936c8dd6c7068c"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:94f85614f2cba13f62c3c6481716e4adeae48e1eaa7e8bac379b9d177d93947a"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:510b7fb0a86dc8f10a8bb43bd2f97beb63cffad1203071dc434dac26453955cd"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:1eba2f7ce3e30ee2170410e2171867ea73dbd692433b81a93758ab2de6c64835"},
+    {file = "pydantic_core-2.23.3-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:4b259fd8409ab84b4041b7b3f24dcc41e4696f180b775961ca8142b5b21d0e70"},
+    {file = "pydantic_core-2.23.3-cp39-none-win32.whl", hash = "sha256:40d9bd259538dba2f40963286009bf7caf18b5112b19d2b55b09c14dde6db6a7"},
+    {file = "pydantic_core-2.23.3-cp39-none-win_amd64.whl", hash = "sha256:5a8cd3074a98ee70173a8633ad3c10e00dcb991ecec57263aacb4095c5efb958"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:f399e8657c67313476a121a6944311fab377085ca7f490648c9af97fc732732d"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:6b5547d098c76e1694ba85f05b595720d7c60d342f24d5aad32c3049131fa5c4"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0dda0290a6f608504882d9f7650975b4651ff91c85673341789a476b1159f211"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65b6e5da855e9c55a0c67f4db8a492bf13d8d3316a59999cfbaf98cc6e401961"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:09e926397f392059ce0afdcac920df29d9c833256354d0c55f1584b0b70cf07e"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:87cfa0ed6b8c5bd6ae8b66de941cece179281239d482f363814d2b986b79cedc"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:e61328920154b6a44d98cabcb709f10e8b74276bc709c9a513a8c37a18786cc4"},
+    {file = "pydantic_core-2.23.3-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:ce3317d155628301d649fe5e16a99528d5680af4ec7aa70b90b8dacd2d725c9b"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:e89513f014c6be0d17b00a9a7c81b1c426f4eb9224b15433f3d98c1a071f8433"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:4f62c1c953d7ee375df5eb2e44ad50ce2f5aff931723b398b8bc6f0ac159791a"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2718443bc671c7ac331de4eef9b673063b10af32a0bb385019ad61dcf2cc8f6c"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a0d90e08b2727c5d01af1b5ef4121d2f0c99fbee692c762f4d9d0409c9da6541"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:2b676583fc459c64146debea14ba3af54e540b61762dfc0613dc4e98c3f66eeb"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:50e4661f3337977740fdbfbae084ae5693e505ca2b3130a6d4eb0f2281dc43b8"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:68f4cf373f0de6abfe599a38307f4417c1c867ca381c03df27c873a9069cda25"},
+    {file = "pydantic_core-2.23.3-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:59d52cf01854cb26c46958552a21acb10dd78a52aa34c86f284e66b209db8cab"},
+    {file = "pydantic_core-2.23.3.tar.gz", hash = "sha256:3cb0f65d8b4121c1b015c60104a685feb929a29d7cf204387c7f2688c7974690"},
 ]

 [package.dependencies]
@ -3764,13 +3765,13 @@ files = [

 [[package]]
 name = "pytest"
-version = "8.3.2"
+version = "8.3.3"
 description = "pytest: simple powerful testing with Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pytest-8.3.2-py3-none-any.whl", hash = "sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5"},
-    {file = "pytest-8.3.2.tar.gz", hash = "sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce"},
+    {file = "pytest-8.3.3-py3-none-any.whl", hash = "sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2"},
+    {file = "pytest-8.3.3.tar.gz", hash = "sha256:70b98107bd648308a7952b06e6ca9a50bc660be218d53c257cc1fc94fda10181"},
 ]

 [package.dependencies]
@ -4198,29 +4199,29 @@ pyasn1 = ">=0.1.3"

 [[package]]
 name = "ruff"
-version = "0.6.3"
+version = "0.6.4"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.6.3-py3-none-linux_armv6l.whl", hash = "sha256:97f58fda4e309382ad30ede7f30e2791d70dd29ea17f41970119f55bdb7a45c3"},
-    {file = "ruff-0.6.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:3b061e49b5cf3a297b4d1c27ac5587954ccb4ff601160d3d6b2f70b1622194dc"},
-    {file = "ruff-0.6.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:34e2824a13bb8c668c71c1760a6ac7d795ccbd8d38ff4a0d8471fdb15de910b1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bddfbb8d63c460f4b4128b6a506e7052bad4d6f3ff607ebbb41b0aa19c2770d1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ced3eeb44df75353e08ab3b6a9e113b5f3f996bea48d4f7c027bc528ba87b672"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:47021dff5445d549be954eb275156dfd7c37222acc1e8014311badcb9b4ec8c1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:7d7bd20dc07cebd68cc8bc7b3f5ada6d637f42d947c85264f94b0d1cd9d87384"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:500f166d03fc6d0e61c8e40a3ff853fa8a43d938f5d14c183c612df1b0d6c58a"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:42844ff678f9b976366b262fa2d1d1a3fe76f6e145bd92c84e27d172e3c34500"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70452a10eb2d66549de8e75f89ae82462159855e983ddff91bc0bce6511d0470"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:65a533235ed55f767d1fc62193a21cbf9e3329cf26d427b800fdeacfb77d296f"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d2e2c23cef30dc3cbe9cc5d04f2899e7f5e478c40d2e0a633513ad081f7361b5"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d8a136aa7d228975a6aee3dd8bea9b28e2b43e9444aa678fb62aeb1956ff2351"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:f92fe93bc72e262b7b3f2bba9879897e2d58a989b4714ba6a5a7273e842ad2f8"},
-    {file = "ruff-0.6.3-py3-none-win32.whl", hash = "sha256:7a62d3b5b0d7f9143d94893f8ba43aa5a5c51a0ffc4a401aa97a81ed76930521"},
-    {file = "ruff-0.6.3-py3-none-win_amd64.whl", hash = "sha256:746af39356fee2b89aada06c7376e1aa274a23493d7016059c3a72e3b296befb"},
-    {file = "ruff-0.6.3-py3-none-win_arm64.whl", hash = "sha256:14a9528a8b70ccc7a847637c29e56fd1f9183a9db743bbc5b8e0c4ad60592a82"},
-    {file = "ruff-0.6.3.tar.gz", hash = "sha256:183b99e9edd1ef63be34a3b51fee0a9f4ab95add123dbf89a71f7b1f0c991983"},
+    {file = "ruff-0.6.4-py3-none-linux_armv6l.whl", hash = "sha256:c4b153fc152af51855458e79e835fb6b933032921756cec9af7d0ba2aa01a258"},
+    {file = "ruff-0.6.4-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:bedff9e4f004dad5f7f76a9d39c4ca98af526c9b1695068198b3bda8c085ef60"},
+    {file = "ruff-0.6.4-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d02a4127a86de23002e694d7ff19f905c51e338c72d8e09b56bfb60e1681724f"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7862f42fc1a4aca1ea3ffe8a11f67819d183a5693b228f0bb3a531f5e40336fc"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:eebe4ff1967c838a1a9618a5a59a3b0a00406f8d7eefee97c70411fefc353617"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:932063a03bac394866683e15710c25b8690ccdca1cf192b9a98260332ca93408"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:50e30b437cebef547bd5c3edf9ce81343e5dd7c737cb36ccb4fe83573f3d392e"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c44536df7b93a587de690e124b89bd47306fddd59398a0fb12afd6133c7b3818"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ea086601b22dc5e7693a78f3fcfc460cceabfdf3bdc36dc898792aba48fbad6"},
+    {file = "ruff-0.6.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b52387d3289ccd227b62102c24714ed75fbba0b16ecc69a923a37e3b5e0aaaa"},
+    {file = "ruff-0.6.4-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:0308610470fcc82969082fc83c76c0d362f562e2f0cdab0586516f03a4e06ec6"},
+    {file = "ruff-0.6.4-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:803b96dea21795a6c9d5bfa9e96127cc9c31a1987802ca68f35e5c95aed3fc0d"},
+    {file = "ruff-0.6.4-py3-none-musllinux_1_2_i686.whl", hash = "sha256:66dbfea86b663baab8fcae56c59f190caba9398df1488164e2df53e216248baa"},
+    {file = "ruff-0.6.4-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:34d5efad480193c046c86608dbba2bccdc1c5fd11950fb271f8086e0c763a5d1"},
+    {file = "ruff-0.6.4-py3-none-win32.whl", hash = "sha256:f0f8968feea5ce3777c0d8365653d5e91c40c31a81d95824ba61d871a11b8523"},
+    {file = "ruff-0.6.4-py3-none-win_amd64.whl", hash = "sha256:549daccee5227282289390b0222d0fbee0275d1db6d514550d65420053021a58"},
+    {file = "ruff-0.6.4-py3-none-win_arm64.whl", hash = "sha256:ac4b75e898ed189b3708c9ab3fc70b79a433219e1e87193b4f2b77251d058d14"},
+    {file = "ruff-0.6.4.tar.gz", hash = "sha256:ac3b5bfbee99973f80aa1b7cbd1c9cbce200883bdd067300c22a6cc1c7fba212"},
 ]

 [[package]]
@ -4278,13 +4279,13 @@ websocket-client = ">=1.8,<2.0"

 [[package]]
 name = "sentry-sdk"
-version = "2.13.0"
+version = "2.14.0"
 description = "Python client for Sentry (https://sentry.io)"
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "sentry_sdk-2.13.0-py2.py3-none-any.whl", hash = "sha256:6beede8fc2ab4043da7f69d95534e320944690680dd9a963178a49de71d726c6"},
-    {file = "sentry_sdk-2.13.0.tar.gz", hash = "sha256:8d4a576f7a98eb2fdb40e13106e41f330e5c79d72a68be1316e7852cf4995260"},
+    {file = "sentry_sdk-2.14.0-py2.py3-none-any.whl", hash = "sha256:b8bc3dc51d06590df1291b7519b85c75e2ced4f28d9ea655b6d54033503b5bf4"},
+    {file = "sentry_sdk-2.14.0.tar.gz", hash = "sha256:1e0e2eaf6dad918c7d1e0edac868a7bf20017b177f242cefe2a6bcd47955961d"},
 ]

 [package.dependencies]
@ -4655,13 +4656,13 @@ wsproto = ">=0.14"

 [[package]]
 name = "twilio"
-version = "9.2.4"
+version = "9.3.0"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.2.4-py2.py3-none-any.whl", hash = "sha256:490da2518c0da370d738d436f9086b2463902707a811cd306ec8dcc8ce831758"},
-    {file = "twilio-9.2.4.tar.gz", hash = "sha256:454b7d075c6bee3b64c81c39151be1f9105c695df6dbb0021b0c43e2930263e7"},
+    {file = "twilio-9.3.0-py2.py3-none-any.whl", hash = "sha256:01e6cbc6d7eaf02918250918140cc764866d62b048a5732c097b12ab5ed4560e"},
+    {file = "twilio-9.3.0.tar.gz", hash = "sha256:538b260ab464cdfd8e7dc890337ef581fd59ceac92de9f58a678db93474323f4"},
 ]

 [package.dependencies]
@ -4770,13 +4771,13 @@ files = [

 [[package]]
 name = "urllib3"
-version = "2.2.2"
+version = "2.2.3"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"},
-    {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"},
+    {file = "urllib3-2.2.3-py3-none-any.whl", hash = "sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac"},
+    {file = "urllib3-2.2.3.tar.gz", hash = "sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9"},
 ]

 [package.dependencies]
@ -4870,41 +4871,41 @@ files = [

 [[package]]
 name = "watchdog"
-version = "5.0.1"
+version = "5.0.2"
 description = "Filesystem events monitoring"
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a6b8c6c82ada78479a0df568d27d69aa07105aba9301ac66d1ae162645f4ba34"},
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1e8ca9b7f5f03d2f0556a43db1e9adf1e5af6adf52e0890f781324514b67a612"},
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c92812a358eabebe92b12b9290d16dc95c8003654658f6b2676c9a2103a73ceb"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:a03a6ccb846ead406a25a0b702d0a6b88fdfa77becaf907cfcfce7737ebbda1f"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:39f0de161a822402f0f00c68b82349a4d71c9814e749148ca2b083a25606dbf9"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5541a8765c4090decb4dba55d3dceb57724748a717ceaba8dc4f213edb0026e0"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:e321f1561adea30e447130882efe451af519646178d04189d6ba91a8cd7d88a5"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c4ae0b3e95455fa9d959aa3b253c87845ad454ef188a4bf5a69cab287c131216"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b2d56425dfa0c1e6f8a510f21d3d54ef7fe50bbc29638943c2cb1394b7b49156"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:70e30116849f4ec52240eb1fad83d27e525eae179bfe1c09b3bf120163d731b6"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f66df2c152edf5a2fe472bb2f8a5d562165bcf6cf9686cee5d75e524c21ca895"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6bb68d9adb9c45f0dc1c2b12f4fb6eab0463a8f9741e371e4ede6769064e0785"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:6fbb4dd5ace074a2969825fde10034b35b31efcb6973defb22eb945b1d3acc37"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:753c6a4c1eea9d3b96cd58159b49103e66cb288216a414ab9ad234ccc7642ec2"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:20a28c8b0b3edf4ea2b27fb3527fc0a348e983f22a4317d316bb561524391932"},
-    {file = "watchdog-5.0.1-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:a1cd7c919940b15f253db8279a579fb81e4e4e434b39b11a1cb7f54fe3fa46a6"},
-    {file = "watchdog-5.0.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:a791dfc050ed24b82f7f100ae794192594fe863a7e9bdafcdfa5c6e405a981e5"},
-    {file = "watchdog-5.0.1-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:8ba1472b5fa7c644e49641f70d7ccc567f70b54d776defa5d6f755dc2edc3fbb"},
-    {file = "watchdog-5.0.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:b21e6601efe8453514c2fc21aca57fb5413c3d8b157bfe520b05b57b1788a167"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_aarch64.whl", hash = "sha256:763c6f82bb65504b47d4aea268462b2fb662676676356e04787f332a11f03eb0"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_armv7l.whl", hash = "sha256:664917cd513538728875a42d5654584b533da88cf06680452c98e73b45466968"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_i686.whl", hash = "sha256:39e828c4270452b966bc9d814911a3c7e24c62d726d2a3245f5841664ff56b5e"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_ppc64.whl", hash = "sha256:59ec6111f3750772badae3403ef17263489ed6f27ac01ec50c0244b2afa258fb"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:f3006361dba2005552cc8aa49c44d16a10e0a1939bb3286e888a14f722122808"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_s390x.whl", hash = "sha256:72dbdffe4aa0c36c59f4a5190bceeb7fdfdf849ab98a562b3a783a64cc6dacdd"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_x86_64.whl", hash = "sha256:c93aa24899cb4e8a51492c7ccc420bea45ced502fe9ef2e83f9ab1107e5a13b5"},
-    {file = "watchdog-5.0.1-py3-none-win32.whl", hash = "sha256:2b8cd627b76194e725ed6f48d9524b1ad93a51a0dc3bd0225c56023716245091"},
-    {file = "watchdog-5.0.1-py3-none-win_amd64.whl", hash = "sha256:4eaebff2f938f5325788cef26521891b2d8ecc8e7852aa123a9b458815f93875"},
-    {file = "watchdog-5.0.1-py3-none-win_ia64.whl", hash = "sha256:9b1b32f89f95162f09aea6e15d9384f6e0490152f10d7ed241f8a85cddc50658"},
-    {file = "watchdog-5.0.1.tar.gz", hash = "sha256:f0180e84e6493ef7c82e051334e8c9b00ffd89fa9de5e0613d3c267f6ccf2d38"},
+    {file = "watchdog-5.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d961f4123bb3c447d9fcdcb67e1530c366f10ab3a0c7d1c0c9943050936d4877"},
+    {file = "watchdog-5.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:72990192cb63872c47d5e5fefe230a401b87fd59d257ee577d61c9e5564c62e5"},
+    {file = "watchdog-5.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:6bec703ad90b35a848e05e1b40bf0050da7ca28ead7ac4be724ae5ac2653a1a0"},
+    {file = "watchdog-5.0.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:dae7a1879918f6544201d33666909b040a46421054a50e0f773e0d870ed7438d"},
+    {file = "watchdog-5.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c4a440f725f3b99133de610bfec93d570b13826f89616377715b9cd60424db6e"},
+    {file = "watchdog-5.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:f8b2918c19e0d48f5f20df458c84692e2a054f02d9df25e6c3c930063eca64c1"},
+    {file = "watchdog-5.0.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:aa9cd6e24126d4afb3752a3e70fce39f92d0e1a58a236ddf6ee823ff7dba28ee"},
+    {file = "watchdog-5.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:f627c5bf5759fdd90195b0c0431f99cff4867d212a67b384442c51136a098ed7"},
+    {file = "watchdog-5.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:d7594a6d32cda2b49df3fd9abf9b37c8d2f3eab5df45c24056b4a671ac661619"},
+    {file = "watchdog-5.0.2-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ba32efcccfe2c58f4d01115440d1672b4eb26cdd6fc5b5818f1fb41f7c3e1889"},
+    {file = "watchdog-5.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:963f7c4c91e3f51c998eeff1b3fb24a52a8a34da4f956e470f4b068bb47b78ee"},
+    {file = "watchdog-5.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:8c47150aa12f775e22efff1eee9f0f6beee542a7aa1a985c271b1997d340184f"},
+    {file = "watchdog-5.0.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:14dd4ed023d79d1f670aa659f449bcd2733c33a35c8ffd88689d9d243885198b"},
+    {file = "watchdog-5.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:b84bff0391ad4abe25c2740c7aec0e3de316fdf7764007f41e248422a7760a7f"},
+    {file = "watchdog-5.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:3e8d5ff39f0a9968952cce548e8e08f849141a4fcc1290b1c17c032ba697b9d7"},
+    {file = "watchdog-5.0.2-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:fb223456db6e5f7bd9bbd5cd969f05aae82ae21acc00643b60d81c770abd402b"},
+    {file = "watchdog-5.0.2-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:9814adb768c23727a27792c77812cf4e2fd9853cd280eafa2bcfa62a99e8bd6e"},
+    {file = "watchdog-5.0.2-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:901ee48c23f70193d1a7bc2d9ee297df66081dd5f46f0ca011be4f70dec80dab"},
+    {file = "watchdog-5.0.2-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:638bcca3d5b1885c6ec47be67bf712b00a9ab3d4b22ec0881f4889ad870bc7e8"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_aarch64.whl", hash = "sha256:5597c051587f8757798216f2485e85eac583c3b343e9aa09127a3a6f82c65ee8"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_armv7l.whl", hash = "sha256:53ed1bf71fcb8475dd0ef4912ab139c294c87b903724b6f4a8bd98e026862e6d"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_i686.whl", hash = "sha256:29e4a2607bd407d9552c502d38b45a05ec26a8e40cc7e94db9bb48f861fa5abc"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_ppc64.whl", hash = "sha256:b6dc8f1d770a8280997e4beae7b9a75a33b268c59e033e72c8a10990097e5fde"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:d2ab34adc9bf1489452965cdb16a924e97d4452fcf88a50b21859068b50b5c3b"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_s390x.whl", hash = "sha256:7d1aa7e4bb0f0c65a1a91ba37c10e19dabf7eaaa282c5787e51371f090748f4b"},
+    {file = "watchdog-5.0.2-py3-none-manylinux2014_x86_64.whl", hash = "sha256:726eef8f8c634ac6584f86c9c53353a010d9f311f6c15a034f3800a7a891d941"},
+    {file = "watchdog-5.0.2-py3-none-win32.whl", hash = "sha256:bda40c57115684d0216556671875e008279dea2dc00fcd3dde126ac8e0d7a2fb"},
+    {file = "watchdog-5.0.2-py3-none-win_amd64.whl", hash = "sha256:d010be060c996db725fbce7e3ef14687cdcc76f4ca0e4339a68cc4532c382a73"},
+    {file = "watchdog-5.0.2-py3-none-win_ia64.whl", hash = "sha256:3960136b2b619510569b90f0cd96408591d6c251a75c97690f4553ca88889769"},
+    {file = "watchdog-5.0.2.tar.gz", hash = "sha256:dcebf7e475001d2cdeb020be630dc5b687e9acdd60d16fea6bb4508e7b94cf76"},
 ]

 [package.extras]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.8.0"
+version = "2024.8.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.8.0
+  version: 2024.8.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -11,6 +11,7 @@ from ldap3.core.exceptions import LDAPInvalidCredentialsResult

 from authentik.blueprints.tests import apply_blueprint, reconcile_app
 from authentik.core.models import Application, User
+from authentik.core.tests.utils import create_test_user
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
@ -331,6 +332,83 @@ class TestProviderLDAP(SeleniumTestCase):
        ]
        self.assert_list_dict_equal(expected, response)

+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @reconcile_app("authentik_tenants")
+    @reconcile_app("authentik_outposts")
+    def test_ldap_bind_search_no_perms(self):
+        """Test simple bind + search"""
+        user = create_test_user()
+        self._prepare()
+        server = Server("ldap://localhost:3389", get_info=ALL)
+        _connection = Connection(
+            server,
+            raise_exceptions=True,
+            user=f"cn={user.username},ou=users,dc=ldap,dc=goauthentik,dc=io",
+            password=user.username,
+        )
+        _connection.bind()
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.LOGIN,
+                user={
+                    "pk": user.pk,
+                    "email": user.email,
+                    "username": user.username,
+                },
+            )
+        )
+
+        _connection.search(
+            "ou=Users,DC=ldaP,dc=goauthentik,dc=io",
+            "(objectClass=user)",
+            search_scope=SUBTREE,
+            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+        )
+        response: list = _connection.response
+        # Remove raw_attributes to make checking easier
+        for obj in response:
+            del obj["raw_attributes"]
+            del obj["raw_dn"]
+            obj["attributes"] = dict(obj["attributes"])
+        expected = [
+            {
+                "dn": f"cn={user.username},ou=users,dc=ldap,dc=goauthentik,dc=io",
+                "attributes": {
+                    "cn": user.username,
+                    "sAMAccountName": user.username,
+                    "uid": user.uid,
+                    "name": user.name,
+                    "displayName": user.name,
+                    "sn": user.name,
+                    "mail": user.email,
+                    "objectClass": [
+                        "top",
+                        "person",
+                        "organizationalPerson",
+                        "inetOrgPerson",
+                        "user",
+                        "posixAccount",
+                        "goauthentik.io/ldap/user",
+                    ],
+                    "uidNumber": 2000 + user.pk,
+                    "gidNumber": 2000 + user.pk,
+                    "memberOf": [
+                        f"cn={group.name},ou=groups,dc=ldap,dc=goauthentik,dc=io"
+                        for group in user.ak_groups.all()
+                    ],
+                    "homeDirectory": f"/home/{user.username}",
+                    "ak-active": True,
+                    "ak-superuser": False,
+                },
+                "type": "searchResEntry",
+            },
+        ]
+        self.assert_list_dict_equal(expected, response)
+
    def assert_list_dict_equal(self, expected: list[dict], actual: list[dict], match_key="dn"):
        """Assert a list of dictionaries is identical, ignoring the ordering of items"""
        self.assertEqual(len(expected), len(actual))
--- a/tests/wdio/package-lock.json
+++ b/tests/wdio/package-lock.json
@ -6,13 +6,13 @@
        "": {
            "name": "@goauthentik/web-tests",
            "dependencies": {
-                "chromedriver": "^128.0.1",
+                "chromedriver": "^128.0.3",
                "lockfile-lint": "^4.14.0",
                "syncpack": "^13.0.0"
            },
            "devDependencies": {
                "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-                "@types/mocha": "^10.0.7",
+                "@types/mocha": "^10.0.8",
                "@typescript-eslint/eslint-plugin": "^7.17.0",
                "@typescript-eslint/parser": "^7.17.0",
                "@wdio/cli": "^9.0.3",
@ -25,7 +25,7 @@
                "npm-run-all": "^4.1.5",
                "prettier": "^3.3.3",
                "ts-node": "^10.9.2",
-                "typescript": "^5.5.4",
+                "typescript": "^5.6.2",
                "wdio-wait-for": "^3.0.11"
            },
            "engines": {
@ -1529,9 +1529,9 @@
            }
        },
        "node_modules/@types/mocha": {
-            "version": "10.0.7",
-            "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.7.tgz",
-            "integrity": "sha512-GN8yJ1mNTcFcah/wKEFIJckJx9iJLoMSzWcfRRuxz/Jk+U6KQNnml+etbtxFK8lPjzOw3zp4Ha/kjSst9fsHYw==",
+            "version": "10.0.8",
+            "resolved": "https://registry.npmjs.org/@types/mocha/-/mocha-10.0.8.tgz",
+            "integrity": "sha512-HfMcUmy9hTMJh66VNcmeC9iVErIZJli2bszuXc6julh5YGuRb/W5OnkHjwLNYdFlMis0sY3If5SEAp+PktdJjw==",
            "dev": true
        },
        "node_modules/@types/mute-stream": {
@ -2999,9 +2999,9 @@
            }
        },
        "node_modules/chromedriver": {
-            "version": "128.0.1",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-128.0.1.tgz",
-            "integrity": "sha512-UmWqZXXAyuRa37pE+lnU46vJcCM/y0ddF015LHxycEOYfuqsK7k9ZxJuXCQNWbws9e7FAMQj/GJZT92WPgis0g==",
+            "version": "128.0.3",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-128.0.3.tgz",
+            "integrity": "sha512-Xn/bknOpGlY9tKinwS/hVWeNblSeZvbbJbF8XZ73X1jeWfAFPRXx3fMLdNNz8DqruDbx3cKEJ5wR3mnst6G3iw==",
            "hasInstallScript": true,
            "dependencies": {
                "@testim/chrome-version": "^1.1.4",
@ -9773,9 +9773,9 @@
            }
        },
        "node_modules/typescript": {
-            "version": "5.5.4",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.5.4.tgz",
-            "integrity": "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==",
+            "version": "5.6.2",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.6.2.tgz",
+            "integrity": "sha512-NW8ByodCSNCwZeghjN3o+JX5OFH0Ojg6sadjEKY4huZ52TqbJTJnDo5+Tw98lSy63NZvi4n+ez5m2u5d4PkZyw==",
            "devOptional": true,
            "bin": {
                "tsc": "bin/tsc",
--- a/tests/wdio/package.json
+++ b/tests/wdio/package.json
@ -1,13 +1,13 @@
 {
    "name": "@goauthentik/web-tests",
    "dependencies": {
-        "chromedriver": "^128.0.1",
+        "chromedriver": "^128.0.3",
        "lockfile-lint": "^4.14.0",
        "syncpack": "^13.0.0"
    },
    "devDependencies": {
        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@types/mocha": "^10.0.7",
+        "@types/mocha": "^10.0.8",
        "@typescript-eslint/eslint-plugin": "^7.17.0",
        "@typescript-eslint/parser": "^7.17.0",
        "@wdio/cli": "^9.0.3",
@ -20,7 +20,7 @@
        "npm-run-all": "^4.1.5",
        "prettier": "^3.3.3",
        "ts-node": "^10.9.2",
-        "typescript": "^5.5.4",
+        "typescript": "^5.6.2",
        "wdio-wait-for": "^3.0.11"
    },
    "engines": {
--- a/web/build.mjs
+++ b/web/build.mjs
@ -41,7 +41,6 @@ const definitions = {

 const otherFiles = [
    ["node_modules/@patternfly/patternfly/patternfly.min.css", "."],
-    ["node_modules/@patternfly/patternfly/patternfly-base.css", "."],
    ["node_modules/@patternfly/patternfly/assets/**", ".", "node_modules/@patternfly/patternfly/"],
    ["src/custom.css", "."],
    ["src/common/styles/**", "."],
@ -80,12 +79,6 @@ const interfaces = [
    ["polyfill/poly.ts", "."],
 ];

-const extraTargets = [
-    ["sdk/index.ts", "sdk", { entryNames: "[dir]/[name]" }],
-    ["sdk/user-settings.ts", "sdk/user-settings", { entryNames: "[dir]/[name]" }],
-    ["sdk/flow.ts", "sdk/flow", { entryNames: "[dir]/[name]" }],
-];
-
 const baseArgs = {
    bundle: true,
    write: true,
@ -108,11 +101,7 @@ function getVersion() {
    return version;
 }

-function getAllTargets() {
-    return [...interfaces, ...extraTargets];
-}
-
-async function buildSingleTarget(source, dest, options) {
+async function buildOneSource(source, dest) {
    const DIST = path.join(__dirname, "./dist", dest);
    console.log(`[${new Date(Date.now()).toISOString()}] Starting build for target ${source}`);

@ -123,7 +112,6 @@ async function buildSingleTarget(source, dest, options) {
            entryPoints: [`./src/${source}`],
            entryNames: `[dir]/[name]-${getVersion()}`,
            outdir: DIST,
-            ...options,
        });
        const end = Date.now();
        console.log(
@ -136,10 +124,8 @@ async function buildSingleTarget(source, dest, options) {
    }
 }

-async function buildTargets(targets) {
-    await Promise.allSettled(
-        targets.map(([source, dest, options]) => buildSingleTarget(source, dest, options)),
-    );
+async function buildAuthentik(interfaces) {
+    await Promise.allSettled(interfaces.map(([source, dest]) => buildOneSource(source, dest)));
 }

 let timeoutId = null;
@ -149,7 +135,7 @@ function debouncedBuild() {
    }
    timeoutId = setTimeout(() => {
        console.clear();
-        buildTargets(getAllTargets());
+        buildAuthentik(interfaces);
    }, 250);
 }

@ -157,7 +143,7 @@ if (process.argv.length > 2 && (process.argv[2] === "-h" || process.argv[2] ===
    console.log(`Build the authentikUI

 options:
-  -w, --watch: Build all ${getAllTargets().length} interfaces
+  -w, --watch: Build all ${interfaces.length} interfaces
  -p, --proxy: Build only the polyfills and the loading application
  -h, --help: This help message
 `);
@ -177,11 +163,11 @@ if (process.argv.length > 2 && (process.argv[2] === "-w" || process.argv[2] ===
    });
 } else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) {
    // There's no watch-for-proxy, sorry.
-    await buildTargets(
+    await buildAuthentik(
        interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)),
    );
    process.exit(0);
 } else {
    // And the fallback: just build it.
-    await buildTargets(interfaces);
+    await buildAuthentik(interfaces);
 }
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -11,7 +11,7 @@
        "@floating-ui/dom": "^1.6.9",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.8.0-1725367323",
+        "@goauthentik/api": "^2024.8.1-1725752132",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -19,7 +19,7 @@
        "@open-wc/lit-helpers": "^0.7.0",
        "@patternfly/elements": "^4.0.1",
        "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^8.27.0",
+        "@sentry/browser": "^8.30.0",
        "@webcomponents/webcomponentsjs": "^2.8.0",
        "base64-js": "^1.5.1",
        "chart.js": "^4.4.4",
@ -32,13 +32,13 @@
        "guacamole-common-js": "^1.5.0",
        "lit": "^3.2.0",
        "md-front-matter": "^1.0.4",
-        "mermaid": "^11.1.0",
+        "mermaid": "^11.2.0",
        "rapidoc": "^9.3.4",
        "showdown": "^2.1.0",
        "style-mod": "^4.1.2",
        "ts-pattern": "^5.3.1",
        "webcomponent-qr-code": "^1.2.0",
-        "yaml": "^2.5.0"
+        "yaml": "^2.5.1"
    },
    "devDependencies": {
        "@babel/core": "^7.25.2",
@ -49,29 +49,29 @@
        "@babel/plugin-transform-runtime": "^7.25.4",
        "@babel/preset-env": "^7.25.4",
        "@babel/preset-typescript": "^7.24.7",
-        "@changesets/cli": "^2.27.5",
+        "@changesets/cli": "^2.27.8",
        "@custom-elements-manifest/analyzer": "^0.10.2",
-        "@eslint/js": "^9.9.1",
+        "@eslint/js": "^9.10.0",
        "@genesiscommunitysuccess/custom-elements-lsp": "^5.0.3",
        "@hcaptcha/types": "^1.0.4",
        "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
        "@lit/localize-tools": "^0.8.0",
        "@rollup/plugin-replace": "^5.0.7",
-        "@spotlightjs/spotlight": "^2.3.2",
-        "@storybook/addon-essentials": "^8.2.9",
-        "@storybook/addon-links": "^8.2.9",
+        "@spotlightjs/spotlight": "^2.4.1",
+        "@storybook/addon-essentials": "^8.3.0",
+        "@storybook/addon-links": "^8.3.0",
        "@storybook/api": "^7.6.17",
        "@storybook/blocks": "^8.0.8",
-        "@storybook/manager-api": "^8.2.9",
-        "@storybook/web-components": "^8.2.9",
-        "@storybook/web-components-vite": "^8.2.9",
+        "@storybook/manager-api": "^8.3.0",
+        "@storybook/web-components": "^8.3.0",
+        "@storybook/web-components-vite": "^8.3.0",
        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
        "@types/chart.js": "^2.9.41",
        "@types/codemirror": "5.60.15",
        "@types/eslint__js": "^8.42.3",
        "@types/grecaptcha": "^3.0.9",
        "@types/guacamole-common-js": "1.5.2",
-        "@types/node": "^22.5.0",
+        "@types/node": "^22.5.4",
        "@types/showdown": "^2.0.6",
        "@typescript-eslint/eslint-plugin": "^8.0.1",
        "@typescript-eslint/parser": "^8.0.1",
@ -81,7 +81,7 @@
        "@wdio/spec-reporter": "^8.36.1",
        "babel-plugin-macros": "^3.1.0",
        "babel-plugin-tsconfig-paths": "^1.0.3",
-        "chokidar": "^3.6.0",
+        "chokidar": "^4.0.0",
        "cross-env": "^7.0.3",
        "esbuild": "^0.23.1",
        "eslint": "^9.8.0",
@ -91,7 +91,7 @@
        "github-slugger": "^2.0.0",
        "glob": "^11.0.0",
        "globals": "^15.9.0",
-        "knip": "^5.27.4",
+        "knip": "^5.30.1",
        "lit-analyzer": "^2.0.3",
        "lockfile-lint": "^4.14.0",
        "npm-run-all": "^4.1.5",
@ -108,11 +108,11 @@
        "ts-node": "^10.9.2",
        "tslib": "^2.7.0",
        "turnstile-types": "^1.2.2",
-        "typescript": "^5.5.4",
-        "typescript-eslint": "^8.4.0",
+        "typescript": "^5.6.2",
+        "typescript-eslint": "^8.5.0",
        "vite-tsconfig-paths": "^5.0.1",
        "wdio-wait-for": "^3.0.11",
-        "wireit": "^0.14.8"
+        "wireit": "^0.14.9"
    },
    "engines": {
        "node": ">=20"
@ -122,9 +122,9 @@
        "@esbuild/darwin-arm64": "^0.23.0",
        "@esbuild/linux-amd64": "^0.18.11",
        "@esbuild/linux-arm64": "^0.23.0",
-        "@rollup/rollup-darwin-arm64": "4.21.2",
-        "@rollup/rollup-linux-arm64-gnu": "4.21.2",
-        "@rollup/rollup-linux-x64-gnu": "4.21.2"
+        "@rollup/rollup-darwin-arm64": "4.21.3",
+        "@rollup/rollup-linux-arm64-gnu": "4.21.3",
+        "@rollup/rollup-linux-x64-gnu": "4.21.3"
    },
    "private": true,
    "scripts": {
--- a/web/packages/sfe/package.json
+++ b/web/packages/sfe/package.json
@ -12,20 +12,20 @@
    "devDependencies": {
        "@rollup/plugin-commonjs": "^26.0.1",
        "@rollup/plugin-node-resolve": "^15.2.3",
-        "@rollup/plugin-swc": "^0.3.1",
+        "@rollup/plugin-swc": "^0.4.0",
        "@swc/cli": "^0.4.0",
-        "@swc/core": "^1.7.23",
+        "@swc/core": "^1.7.26",
        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
        "@types/jquery": "^3.5.30",
        "lockfile-lint": "^4.14.0",
        "prettier": "^3.3.2",
-        "rollup": "^4.21.2",
+        "rollup": "^4.21.3",
        "rollup-plugin-copy": "^3.5.0",
-        "wireit": "^0.14.8"
+        "wireit": "^0.14.9"
    },
    "license": "MIT",
    "optionalDependencies": {
-        "@swc/core": "^1.7.23",
+        "@swc/core": "^1.7.26",
        "@swc/core-darwin-arm64": "^1.6.13",
        "@swc/core-darwin-x64": "^1.6.13",
        "@swc/core-linux-arm-gnueabihf": "^1.6.13",
--- a/web/sfe/package-lock.json
+++ b/web/sfe/package-lock.json
--- a/web/sfe/package.json
+++ b/web/sfe/package.json
@ -0,0 +1,28 @@
+{
+    "name": "@goauthentik/web-sfe",
+    "version": "0.0.0",
+    "private": true,
+    "license": "MIT",
+    "dependencies": {
+        "@goauthentik/api": "^2024.6.3-1724414734",
+        "base64-js": "^1.5.1",
+        "bootstrap": "^4.6.1",
+        "formdata-polyfill": "^4.0.10",
+        "jquery": "^3.7.1",
+        "weakmap-polyfill": "^2.0.4"
+    },
+    "scripts": {
+        "build": "rollup -c rollup.config.js --bundleConfigAsCjs",
+        "watch": "rollup -w -c rollup.config.js --bundleConfigAsCjs"
+    },
+    "devDependencies": {
+        "@rollup/plugin-commonjs": "^26.0.1",
+        "@rollup/plugin-node-resolve": "^15.2.3",
+        "@rollup/plugin-swc": "^0.4.0",
+        "@swc/cli": "^0.4.0",
+        "@swc/core": "^1.7.26",
+        "@types/jquery": "^3.5.30",
+        "rollup": "^4.21.3",
+        "rollup-plugin-copy": "^3.5.0"
+    }
+}
--- a/web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts
+++ b/web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts
@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
+import { parseAPIError } from "@goauthentik/common/errors";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
@ -24,7 +25,6 @@ import {
    type TransactionApplicationRequest,
    type TransactionApplicationResponse,
    ValidationError,
-    ValidationErrorFromJSON,
 } from "@goauthentik/api";

 import BasePanel from "../BasePanel";
@ -59,7 +59,7 @@ const runningState: State = {
 };
 const errorState: State = {
    state: "error",
-    label: msg("Authentik was unable to save this application:"),
+    label: msg("authentik was unable to save this application:"),
    icon: ["fa-times-circle", "pf-m-danger"],
 };

@ -133,9 +133,7 @@ export class ApplicationWizardCommitApplication extends BasePanel {
            })
            // eslint-disable-next-line @typescript-eslint/no-explicit-any
            .catch(async (resolution: any) => {
-                const errors = (this.errors = ValidationErrorFromJSON(
-                    await resolution.response.json(),
-                ));
+                const errors = await parseAPIError(resolution);
                this.dispatchWizardUpdate({
                    update: {
                        ...this.wizard,
--- a/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
+++ b/web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts
@ -11,7 +11,10 @@ import {
    redirectUriHelp,
    subjectModeOptions,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
-import { oauth2SourcesProvider } from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-number-input";
@ -263,12 +266,12 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
                            name="jwksSources"
                            .errorMessages=${errors?.jwksSources ?? []}
                        >
-                            <ak-dual-select-provider
+                            <ak-dual-select-dynamic-selected
                                .provider=${oauth2SourcesProvider}
-                                .selected=${provider?.jwksSources ?? []}
+                                .selector=${makeSourceSelector(provider?.jwksSources)}
                                available-label=${msg("Available Sources")}
                                selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-provider>
+                            ></ak-dual-select-dynamic-selected>
                            <p class="pf-c-form__helper-text">
                                ${msg(
                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
--- a/web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts
+++ b/web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts
@ -1,5 +1,8 @@
 import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import { oauth2SourcesProvider } from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import {
    makeProxyPropertyMappingsSelector,
    proxyPropertyMappingsProvider,
@ -11,7 +14,6 @@ import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/HorizontalFormElement";

 import { msg } from "@lit/localize";
@ -228,12 +230,12 @@ export class AkTypeProxyApplicationWizardPage extends BaseProviderPanel {
                            name="jwksSources"
                            .errorMessages=${errors?.jwksSources ?? []}
                        >
-                            <ak-dual-select-provider
+                            <ak-dual-select-dynamic-selected
                                .provider=${oauth2SourcesProvider}
-                                .selected=${this.instance?.jwksSources ?? []}
+                                .selector=${makeSourceSelector(this.instance?.jwksSources)}
                                available-label=${msg("Available Sources")}
                                selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-provider>
+                            ></ak-dual-select-dynamic-selected>
                            <p class="pf-c-form__helper-text">
                                ${msg(
                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
--- a/web/src/admin/events/RuleForm.ts
+++ b/web/src/admin/events/RuleForm.ts
@ -1,5 +1,7 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { severityToLabel } from "@goauthentik/common/labels";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
@ -16,6 +18,7 @@ import {
    EventsApi,
    Group,
    NotificationRule,
+    NotificationTransport,
    PaginatedNotificationTransportList,
    SeverityEnum,
 } from "@goauthentik/api";
@ -34,6 +37,13 @@ async function eventTransportsProvider(page = 1, search = "") {
    };
 }

+export function makeTransportSelector(instanceTransports: string[] | undefined) {
+    const localTransports = instanceTransports ? new Set(instanceTransports) : undefined;
+
+    return localTransports
+        ? ([pk, _]: DualSelectPair) => localTransports.has(pk)
+        : ([_0, _1, _2, stage]: DualSelectPair<NotificationTransport>) => stage !== undefined;
+}
@customElement("ak-event-rule-form")
 export class RuleForm extends ModelForm<NotificationRule, string> {
    eventTransports?: PaginatedNotificationTransportList;
@ -114,12 +124,12 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
                ?required=${true}
                name="transports"
            >
-                <ak-dual-select-provider
+                <ak-dual-select-dynamic-selected
                    .provider=${eventTransportsProvider}
-                    .selected=${this.instance?.transports}
+                    .selector=${makeTransportSelector(this.instance?.transports)}
                    available-label="${msg("Available Transports")}"
                    selected-label="${msg("Selected Transports")}"
-                ></ak-dual-select-provider>
+                ></ak-dual-select-dynamic-selected>
                <p class="pf-c-form__helper-text">
                    ${msg(
                        "Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI.",
--- a/web/src/admin/property-mappings/BasePropertyMappingForm.ts
+++ b/web/src/admin/property-mappings/BasePropertyMappingForm.ts
@ -8,7 +8,7 @@ import { ifDefined } from "lit/directives/if-defined.js";

 interface PropertyMapping {
    name: string;
-    expression: string;
+    expression?: string;
 }

 export abstract class BasePropertyMappingForm<T extends PropertyMapping> extends ModelForm<
--- a/web/src/admin/property-mappings/PropertyMappingNotification.ts
+++ b/web/src/admin/property-mappings/PropertyMappingNotification.ts
@ -1,14 +1,14 @@
+import { BasePropertyMappingForm } from "@goauthentik/admin/property-mappings/BasePropertyMappingForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
-import { ModelForm } from "@goauthentik/elements/forms/ModelForm";

 import { customElement } from "lit/decorators.js";

 import { NotificationWebhookMapping, PropertymappingsApi } from "@goauthentik/api";

@customElement("ak-property-mapping-notification-form")
-export class PropertyMappingNotification extends ModelForm<NotificationWebhookMapping, string> {
+export class PropertyMappingNotification extends BasePropertyMappingForm<NotificationWebhookMapping> {
    loadInstance(pk: string): Promise<NotificationWebhookMapping> {
        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsNotificationRetrieve({
            pmUuid: pk,
--- a/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts
@ -1,10 +1,10 @@
+import { BasePropertyMappingForm } from "@goauthentik/admin/property-mappings/BasePropertyMappingForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { docLink } from "@goauthentik/common/global";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
-import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
 import type { RadioOption } from "@goauthentik/elements/forms/Radio";

@ -33,21 +33,13 @@ export const staticSettingOptions: RadioOption<string | undefined>[] = [
 ];

@customElement("ak-property-mapping-provider-rac-form")
-export class PropertyMappingProviderRACForm extends ModelForm<RACPropertyMapping, string> {
+export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACPropertyMapping> {
    loadInstance(pk: string): Promise<RACPropertyMapping> {
        return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacRetrieve({
            pmUuid: pk,
        });
    }

-    getSuccessMessage(): string {
-        if (this.instance) {
-            return msg("Successfully updated mapping.");
-        } else {
-            return msg("Successfully created mapping.");
-        }
-    }
-
    async send(data: RACPropertyMapping): Promise<RACPropertyMapping> {
        if (this.instance) {
            return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacUpdate({
--- a/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts
@ -10,7 +10,7 @@ import { LDAPSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
@customElement("ak-property-mapping-source-ldap-form")
 export class PropertyMappingSourceLDAPForm extends BasePropertyMappingForm<LDAPSourcePropertyMapping> {
    docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
    }

    loadInstance(pk: string): Promise<LDAPSourcePropertyMapping> {
--- a/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts
@ -10,7 +10,7 @@ import { OAuthSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/ap
@customElement("ak-property-mapping-source-oauth-form")
 export class PropertyMappingSourceOAuthForm extends BasePropertyMappingForm<OAuthSourcePropertyMapping> {
    docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
    }

    loadInstance(pk: string): Promise<OAuthSourcePropertyMapping> {
--- a/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts
@ -10,7 +10,7 @@ import { PlexSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
@customElement("ak-property-mapping-source-plex-form")
 export class PropertyMappingSourcePlexForm extends BasePropertyMappingForm<PlexSourcePropertyMapping> {
    docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
    }

    loadInstance(pk: string): Promise<PlexSourcePropertyMapping> {
--- a/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts
@ -10,7 +10,7 @@ import { PropertymappingsApi, SAMLSourcePropertyMapping } from "@goauthentik/api
@customElement("ak-property-mapping-source-saml-form")
 export class PropertyMappingSourceSAMLForm extends BasePropertyMappingForm<SAMLSourcePropertyMapping> {
    docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
    }

    loadInstance(pk: string): Promise<SAMLSourcePropertyMapping> {
--- a/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts
@ -10,7 +10,7 @@ import { PropertymappingsApi, SCIMSourcePropertyMapping } from "@goauthentik/api
@customElement("ak-property-mapping-source-scim-form")
 export class PropertyMappingSourceSCIMForm extends BasePropertyMappingForm<SCIMSourcePropertyMapping> {
    docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
    }

    loadInstance(pk: string): Promise<SCIMSourcePropertyMapping> {
--- a/web/src/admin/property-mappings/PropertyMappingTestForm.ts
+++ b/web/src/admin/property-mappings/PropertyMappingTestForm.ts
@ -61,7 +61,9 @@ export class PolicyTestForm extends Form<PropertyMappingTestRequest> {
                  </ak-codemirror>`
                : html` <div class="pf-c-form__group-label">
                      <div class="c-form__horizontal-group">
-                          <span class="pf-c-form__label-text">${this.result?.result}</span>
+                          <span class="pf-c-form__label-text">
+                              <pre>${this.result?.result}</pre>
+                          </span>
                      </div>
                  </div>`}
        </ak-form-element-horizontal>`;
--- a/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts
+++ b/web/src/admin/providers/google_workspace/GoogleWorkspaceProviderGroupList.ts
@ -27,7 +27,7 @@ export class GoogleWorkspaceProviderGroupList extends Table<GoogleWorkspaceProvi
    renderToolbar(): TemplateResult {
        return html`<ak-forms-modal cancelText=${msg("Close")} ?closeAfterSuccessfulSubmit=${false}>
                <span slot="submit">${msg("Sync")}</span>
-                <span slot="header">${msg("Sync User")}</span>
+                <span slot="header">${msg("Sync Group")}</span>
                <ak-sync-object-form
                    .provider=${this.providerId}
                    model=${SyncObjectModelEnum.Group}
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderGroupList.ts
@ -24,7 +24,7 @@ export class MicrosoftEntraProviderGroupList extends Table<MicrosoftEntraProvide
    renderToolbar(): TemplateResult {
        return html`<ak-forms-modal cancelText=${msg("Close")} ?closeAfterSuccessfulSubmit=${false}>
                <span slot="submit">${msg("Sync")}</span>
-                <span slot="header">${msg("Sync User")}</span>
+                <span slot="header">${msg("Sync Group")}</span>
                <ak-sync-object-form
                    .provider=${this.providerId}
                    model=${SyncObjectModelEnum.Group}
--- a/web/src/admin/providers/oauth2/OAuth2PropertyMappings.ts
+++ b/web/src/admin/providers/oauth2/OAuth2PropertyMappings.ts
@ -3,6 +3,12 @@ import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";

 import { PropertymappingsApi, ScopeMapping } from "@goauthentik/api";

+export const defaultScopes = [
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-profile",
+];
+
 export async function oauth2PropertyMappingsProvider(page = 1, search = "") {
    const propertyMappings = await new PropertymappingsApi(
        DEFAULT_CONFIG,
@ -23,6 +29,5 @@ export function makeOAuth2PropertyMappingsSelector(instanceMappings: string[] |
    return localMappings
        ? ([pk, _]: DualSelectPair) => localMappings.has(pk)
        : ([_0, _1, _2, scope]: DualSelectPair<ScopeMapping>) =>
-              scope?.managed?.startsWith("goauthentik.io/providers/oauth2/scope-") &&
-              scope?.managed !== "goauthentik.io/providers/oauth2/scope-offline_access";
+              scope?.managed && defaultScopes.includes(scope?.managed);
 }
--- a/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderForm.ts
@ -32,7 +32,7 @@ import {
    makeOAuth2PropertyMappingsSelector,
    oauth2PropertyMappingsProvider,
 } from "./OAuth2PropertyMappings.js";
-import { oauth2SourcesProvider } from "./OAuth2Sources.js";
+import { makeSourceSelector, oauth2SourcesProvider } from "./OAuth2Sources.js";

 export const clientTypeOptions = [
    {
@ -52,12 +52,6 @@ export const clientTypeOptions = [
    },
 ];

-export const defaultScopes = [
-    "goauthentik.io/providers/oauth2/scope-openid",
-    "goauthentik.io/providers/oauth2/scope-email",
-    "goauthentik.io/providers/oauth2/scope-profile",
-];
-
 export const subjectModeOptions = [
    {
        label: msg("Based on the User's hashed ID"),
@ -335,12 +329,12 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
                        label=${msg("Trusted OIDC Sources")}
                        name="jwksSources"
                    >
-                        <ak-dual-select-provider
+                        <ak-dual-select-dynamic-selected
                            .provider=${oauth2SourcesProvider}
-                            .selected=${provider?.jwksSources}
+                            .selector=${makeSourceSelector(provider?.jwksSources)}
                            available-label=${msg("Available Sources")}
                            selected-label=${msg("Selected Sources")}
-                        ></ak-dual-select-provider>
+                        ></ak-dual-select-dynamic-selected>
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
--- a/web/src/admin/providers/oauth2/OAuth2Sources.ts
+++ b/web/src/admin/providers/oauth2/OAuth2Sources.ts
@ -1,6 +1,7 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";

-import { SourcesApi } from "@goauthentik/api";
+import { OAuthSource, SourcesApi } from "@goauthentik/api";

 export async function oauth2SourcesProvider(page = 1, search = "") {
    const oauthSources = await new SourcesApi(DEFAULT_CONFIG).sourcesOauthList({
@ -19,3 +20,11 @@ export async function oauth2SourcesProvider(page = 1, search = "") {
        ]),
    };
 }
+
+export function makeSourceSelector(instanceSources: string[] | undefined) {
+    const localSources = instanceSources ? new Set(instanceSources) : undefined;
+
+    return localSources
+        ? ([pk, _]: DualSelectPair) => localSources.has(pk)
+        : ([_0, _1, _2, prompt]: DualSelectPair<OAuthSource>) => prompt !== undefined;
+}
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@ -1,12 +1,14 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
-import { oauth2SourcesProvider } from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -403,12 +405,12 @@ ${this.instance?.skipPathRegex}</textarea
                        label=${msg("Trusted OIDC Sources")}
                        name="jwksSources"
                    >
-                        <ak-dual-select-provider
+                        <ak-dual-select-dynamic-selected
                            .provider=${oauth2SourcesProvider}
-                            .selected=${this.instance?.jwksSources}
+                            .selector=${makeSourceSelector(this.instance?.jwksSources)}
                            available-label=${msg("Available Sources")}
                            selected-label=${msg("Selected Sources")}
-                        ></ak-dual-select-provider>
+                        ></ak-dual-select-dynamic-selected>
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
--- a/web/src/admin/providers/scim/SCIMProviderGroupList.ts
+++ b/web/src/admin/providers/scim/SCIMProviderGroupList.ts
@ -1,12 +1,14 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
+import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/sync/SyncObjectForm";
 import { PaginatedResponse, Table, TableColumn } from "@goauthentik/elements/table/Table";

 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";

-import { ProvidersApi, SCIMProviderGroup } from "@goauthentik/api";
+import { ProvidersApi, SCIMProviderGroup, SyncObjectModelEnum } from "@goauthentik/api";

@customElement("ak-provider-scim-groups-list")
 export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
@ -20,6 +22,22 @@ export class SCIMProviderGroupList extends Table<SCIMProviderGroup> {
    checkbox = true;
    clearOnRefresh = true;

+    renderToolbar(): TemplateResult {
+        return html`<ak-forms-modal cancelText=${msg("Close")} ?closeAfterSuccessfulSubmit=${false}>
+                <span slot="submit">${msg("Sync")}</span>
+                <span slot="header">${msg("Sync Group")}</span>
+                <ak-sync-object-form
+                    .provider=${this.providerId}
+                    model=${SyncObjectModelEnum.Group}
+                    .sync=${new ProvidersApi(DEFAULT_CONFIG).providersScimSyncObjectCreate}
+                    slot="form"
+                >
+                </ak-sync-object-form>
+                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Sync")}</button>
+            </ak-forms-modal>
+            ${super.renderToolbar()}`;
+    }
+
    renderToolbarSelected(): TemplateResult {
        const disabled = this.selectedElements.length < 1;
        return html`<ak-forms-delete-bulk
--- a/web/src/admin/providers/scim/SCIMProviderUserList.ts
+++ b/web/src/admin/providers/scim/SCIMProviderUserList.ts
@ -1,12 +1,14 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/DeleteBulkForm";
+import "@goauthentik/elements/forms/ModalForm";
+import "@goauthentik/elements/sync/SyncObjectForm";
 import { PaginatedResponse, Table, TableColumn } from "@goauthentik/elements/table/Table";

 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";

-import { ProvidersApi, SCIMProviderUser } from "@goauthentik/api";
+import { ProvidersApi, SCIMProviderUser, SyncObjectModelEnum } from "@goauthentik/api";

@customElement("ak-provider-scim-users-list")
 export class SCIMProviderUserList extends Table<SCIMProviderUser> {
@ -20,6 +22,22 @@ export class SCIMProviderUserList extends Table<SCIMProviderUser> {
    checkbox = true;
    clearOnRefresh = true;

+    renderToolbar(): TemplateResult {
+        return html`<ak-forms-modal cancelText=${msg("Close")} ?closeAfterSuccessfulSubmit=${false}>
+                <span slot="submit">${msg("Sync")}</span>
+                <span slot="header">${msg("Sync User")}</span>
+                <ak-sync-object-form
+                    .provider=${this.providerId}
+                    model=${SyncObjectModelEnum.User}
+                    .sync=${new ProvidersApi(DEFAULT_CONFIG).providersScimSyncObjectCreate}
+                    slot="form"
+                >
+                </ak-sync-object-form>
+                <button slot="trigger" class="pf-c-button pf-m-primary">${msg("Sync")}</button>
+            </ak-forms-modal>
+            ${super.renderToolbar()}`;
+    }
+
    renderToolbarSelected(): TemplateResult {
        const disabled = this.selectedElements.length < 1;
        return html`<ak-forms-delete-bulk
--- a/web/src/admin/sources/utils.ts
+++ b/web/src/admin/sources/utils.ts
@ -7,9 +7,6 @@ export function renderSourceIcon(name: string, iconUrl: string | undefined | nul
            const url = iconUrl.replaceAll("fa://", "");
            return html`<i class="fas ${url}" title="${name}"></i>`;
        }
-        if (window.authentik_sdk?.base) {
-            return html`<img src="${window.authentik_sdk?.base}${iconUrl}" alt="${name}" />`;
-        }
        return html`<img src="${iconUrl}" alt="${name}" />`;
    }
    return icon;
--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@ -2,7 +2,9 @@ import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { deviceTypeRestrictionPair } from "@goauthentik/admin/stages/authenticator_webauthn/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/Alert";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/Radio";
@ -18,6 +20,7 @@ import {
    DeviceClassesEnum,
    NotConfiguredActionEnum,
    PaginatedStageList,
+    Stage,
    StagesApi,
    UserVerificationEnum,
 } from "@goauthentik/api";
@ -36,6 +39,14 @@ async function stagesProvider(page = 1, search = "") {
    };
 }

+export function makeStageSelector(instanceStages: string[] | undefined) {
+    const localStages = instanceStages ? new Set(instanceStages) : undefined;
+
+    return localStages
+        ? ([pk, _]: DualSelectPair) => localStages.has(pk)
+        : ([_0, _1, _2, stage]: DualSelectPair<Stage>) => stage !== undefined;
+}
+
 async function authenticatorWebauthnDeviceTypesListProvider(page = 1, search = "") {
    const devicetypes = await new StagesApi(
        DEFAULT_CONFIG,
@ -205,14 +216,14 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
                                  label=${msg("Configuration stages")}
                                  name="configurationStages"
                              >
-                                  <ak-dual-select-provider
+                                  <ak-dual-select-dynamic-selected
                                      .provider=${stagesProvider}
-                                      .selected=${Array.from(
-                                          this.instance?.configurationStages ?? [],
+                                      .selector=${makeStageSelector(
+                                          this.instance?.configurationStages,
                                      )}
                                      available-label="${msg("Available Stages")}"
                                      selected-label="${msg("Selected Stages")}"
-                                  ></ak-dual-select-provider>
+                                  ></ak-dual-select-dynamic-selected>
                                  <p class="pf-c-form__helper-text">
                                      ${msg(
                                          "Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again.",
--- a/web/src/admin/stages/identification/IdentificationStageForm.ts
+++ b/web/src/admin/stages/identification/IdentificationStageForm.ts
@ -41,7 +41,7 @@ async function sourcesProvider(page = 1, search = "") {
    };
 }

-async function makeSourcesSelector(instanceSources: string[] | undefined) {
+function makeSourcesSelector(instanceSources: string[] | undefined) {
    const localSources = instanceSources ? new Set(instanceSources) : undefined;

    return localSources
--- a/web/src/admin/stages/prompt/PromptForm.ts
+++ b/web/src/admin/stages/prompt/PromptForm.ts
@ -1,4 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { parseAPIError } from "@goauthentik/common/errors";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
@ -22,7 +23,7 @@ import {
    PromptTypeEnum,
    ResponseError,
    StagesApi,
-    ValidationErrorFromJSON,
+    ValidationError,
 } from "@goauthentik/api";

 class PreviewStageHost implements StageHost {
@ -83,10 +84,8 @@ export class PromptForm extends ModelForm<Prompt, string> {
            });
            this.previewError = undefined;
        } catch (exc) {
-            const errorMessage = ValidationErrorFromJSON(
-                await (exc as ResponseError).response.json(),
-            );
-            this.previewError = errorMessage.nonFieldErrors;
+            const errorMessage = parseAPIError(exc as ResponseError);
+            this.previewError = (errorMessage as ValidationError).nonFieldErrors;
        }
    }

--- a/web/src/admin/stages/prompt/PromptStageForm.ts
+++ b/web/src/admin/stages/prompt/PromptStageForm.ts
@ -2,6 +2,8 @@ import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import "@goauthentik/admin/stages/prompt/PromptForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { PFSize } from "@goauthentik/common/enums";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/ModalForm";
@ -11,9 +13,9 @@ import { TemplateResult, html, nothing } from "lit";
 import { customElement } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";

-import { PoliciesApi, PromptStage, StagesApi } from "@goauthentik/api";
+import { PoliciesApi, Policy, Prompt, PromptStage, StagesApi } from "@goauthentik/api";

-async function promptsProvider(page = 1, search = "") {
+async function promptFieldsProvider(page = 1, search = "") {
    const prompts = await new StagesApi(DEFAULT_CONFIG).stagesPromptPromptsList({
        ordering: "field_name",
        pageSize: 20,
@ -25,11 +27,19 @@ async function promptsProvider(page = 1, search = "") {
        pagination: prompts.pagination,
        options: prompts.results.map((prompt) => [
            prompt.pk,
-            str`${prompt.name} ("${prompt.fieldKey}", of type ${prompt.type})`,
+            msg(str`${prompt.name} ("${prompt.fieldKey}", of type ${prompt.type})`),
        ]),
    };
 }

+function makeFieldSelector(instanceFields: string[] | undefined) {
+    const localFields = instanceFields ? new Set(instanceFields) : undefined;
+
+    return localFields
+        ? ([pk, _]: DualSelectPair) => localFields.has(pk)
+        : ([_0, _1, _2, prompt]: DualSelectPair<Prompt>) => prompt !== undefined;
+}
+
 async function policiesProvider(page = 1, search = "") {
    const policies = await new PoliciesApi(DEFAULT_CONFIG).policiesAllList({
        ordering: "name",
@ -47,6 +57,14 @@ async function policiesProvider(page = 1, search = "") {
    };
 }

+function makePoliciesSelector(instancePolicies: string[] | undefined) {
+    const localPolicies = instancePolicies ? new Set(instancePolicies) : undefined;
+
+    return localPolicies
+        ? ([pk, _]: DualSelectPair) => localPolicies.has(pk)
+        : ([_0, _1, _2, policy]: DualSelectPair<Policy>) => policy !== undefined;
+}
+
@customElement("ak-stage-prompt-form")
 export class PromptStageForm extends BaseStageForm<PromptStage> {
    loadInstance(pk: string): Promise<PromptStage> {
@ -90,12 +108,12 @@ export class PromptStageForm extends BaseStageForm<PromptStage> {
                        ?required=${true}
                        name="fields"
                    >
-                        <ak-dual-select-provider
-                            .provider=${promptsProvider}
-                            .selected=${this.instance?.fields}
+                        <ak-dual-select-dynamic-selected
+                            .provider=${promptFieldsProvider}
+                            .selector=${makeFieldSelector(this.instance?.fields)}
                            available-label="${msg("Available Fields")}"
                            selected-label="${msg("Selected Fields")}"
-                        ></ak-dual-select-provider>
+                        ></ak-dual-select-dynamic-selected>
                        ${this.instance
                            ? html`<ak-forms-modal size=${PFSize.XLarge}>
                                  <span slot="submit"> ${msg("Create")} </span>
@ -115,12 +133,12 @@ export class PromptStageForm extends BaseStageForm<PromptStage> {
                        label=${msg("Validation Policies")}
                        name="validationPolicies"
                    >
-                        <ak-dual-select-provider
+                        <ak-dual-select-dynamic-selected
                            .provider=${policiesProvider}
-                            .selected=${this.instance?.validationPolicies}
+                            .selector=${makePoliciesSelector(this.instance?.validationPolicies)}
                            available-label="${msg("Available Fields")}"
                            selected-label="${msg("Selected Fields")}"
-                        ></ak-dual-select-provider>
+                        ></ak-dual-select-dynamic-selected>
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "Selected policies are executed when the stage is submitted to validate the data.",
--- a/web/src/common/api/config.ts
+++ b/web/src/common/api/config.ts
@ -2,7 +2,6 @@ import {
    CSRFMiddleware,
    EventMiddleware,
    LoggingMiddleware,
-    SDKMiddleware,
 } from "@goauthentik/common/api/middleware";
 import { EVENT_LOCALE_REQUEST, VERSION } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
@ -68,18 +67,8 @@ export function getMetaContent(key: string): string {
    return metaEl.content;
 }

-export function apiBase(): string {
-    if (process.env.AK_API_BASE_PATH) {
-        return process.env.AK_API_BASE_PATH;
-    }
-    if (window.authentik_sdk?.base) {
-        return window.authentik_sdk?.base;
-    }
-    return window.location.origin;
-}
-
 export const DEFAULT_CONFIG = new Configuration({
-    basePath: `${apiBase()}/api/v3`,
+    basePath: (process.env.AK_API_BASE_PATH || window.location.origin) + "/api/v3",
    headers: {
        "sentry-trace": getMetaContent("sentry-trace"),
    },
@ -87,7 +76,6 @@ export const DEFAULT_CONFIG = new Configuration({
        new CSRFMiddleware(),
        new EventMiddleware(),
        new LoggingMiddleware(globalAK().brand),
-        new SDKMiddleware(),
    ],
 });

--- a/web/src/common/api/middleware.ts
+++ b/web/src/common/api/middleware.ts
@ -44,21 +44,6 @@ export class CSRFMiddleware implements Middleware {
    }
 }

-export class SDKMiddleware implements Middleware {
-    token?: string;
-    constructor() {
-        this.token = window.authentik_sdk?.token;
-    }
-    pre?(context: RequestContext): Promise<FetchParams | void> {
-        if (this.token) {
-            context.init.credentials = "include";
-            // @ts-ignore
-            context.init.headers["Authorization"] = `Bearer ${this.token}`;
-        }
-        return Promise.resolve(context);
-    }
-}
-
 export class EventMiddleware implements Middleware {
    post?(context: ResponseContext): Promise<Response | void> {
        const request: RequestInfo = {
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.8.0";
+export const VERSION = "2024.8.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/common/errors.ts
+++ b/web/src/common/errors.ts
@ -12,11 +12,17 @@ export class RequestError extends Error {}

 export type APIErrorTypes = ValidationError | GenericError;

+export const HTTP_BAD_REQUEST = 400;
+export const HTTP_INTERNAL_SERVICE_ERROR = 500;
+
 export async function parseAPIError(error: Error): Promise<APIErrorTypes> {
    if (!(error instanceof ResponseError)) {
        return error;
    }
-    if (error.response.status < 400 || error.response.status > 499) {
+    if (
+        error.response.status < HTTP_BAD_REQUEST ||
+        error.response.status >= HTTP_INTERNAL_SERVICE_ERROR
+    ) {
        return error;
    }
    const body = await error.response.json();
--- a/web/src/common/global.ts
+++ b/web/src/common/global.ts
@ -1,11 +1,4 @@
-import {
-    Config,
-    ConfigFromJSON,
-    CurrentBrand,
-    CurrentBrandFromJSON,
-    ErrorReportingConfigFromJSON,
-    UiThemeEnum,
-} from "@goauthentik/api";
+import { Config, ConfigFromJSON, CurrentBrand, CurrentBrandFromJSON } from "@goauthentik/api";

 export interface GlobalAuthentik {
    _converted?: boolean;
@ -35,12 +28,9 @@ export function globalAK(): GlobalAuthentik {
        return {
            config: ConfigFromJSON({
                capabilities: [],
-                error_reporting: ErrorReportingConfigFromJSON({}),
            }),
            brand: CurrentBrandFromJSON({
-                matched_domain: window.location.host,
                ui_footer_links: [],
-                ui_theme: window.authentik_sdk?.forceTheme ?? UiThemeEnum.Automatic,
            }),
            versionFamily: "",
            versionSubdomain: "",
@ -50,10 +40,6 @@ export function globalAK(): GlobalAuthentik {
    return ak;
 }

-export function isEmbedded() {
-    return !!window.authentik_sdk;
-}
-
 export function docLink(path: string): string {
    const ak = globalAK();
    // Default case or beta build which should always point to latest
--- a/web/src/common/styles/theme-dark.css
+++ b/web/src/common/styles/theme-dark.css
@ -155,7 +155,7 @@ select[multiple] option:checked {
    background-color: var(--ak-dark-background-light);
 }
 .pf-c-form-control[readonly] {
-    background-color: var(--ak-dark-background-light);
+    background-color: var(--ak-dark-background-light) !important;
 }
 .pf-c-switch__input:checked ~ .pf-c-switch__label {
    --pf-c-switch__input--checked__label--Color: var(--ak-dark-foreground);
--- a/web/src/common/ws.ts
+++ b/web/src/common/ws.ts
@ -21,12 +21,9 @@ export class WebsocketClient {

    connect(): void {
        if (navigator.webdriver) return;
-        let wsUrl = `${window.location.protocol.replace("http", "ws")}//${
+        const wsUrl = `${window.location.protocol.replace("http", "ws")}//${
            window.location.host
        }/ws/client/`;
-        if (window.authentik_sdk?.base) {
-            wsUrl = `${window.authentik_sdk?.base.replace("http", "ws")}/ws/client/`;
-        }
        this.messageSocket = new WebSocket(wsUrl);
        this.messageSocket.addEventListener("open", () => {
            console.debug(`authentik/ws: connected to ${wsUrl}`);
--- a/web/src/components/ak-event-info.ts
+++ b/web/src/components/ak-event-info.ts
@ -513,16 +513,14 @@ ${JSON.stringify(value.new_value, null, 4)}</pre
    }

    renderUpdateAvailable() {
+        let url = `https://github.com/goauthentik/authentik/releases/tag/version%2F${this.event.context.new_version}`;
+        if (this.event.context.changelog) {
+            url = this.event.context.changelog as string;
+        }
        return html`<div class="pf-c-card__title">${msg("New version available")}</div>
-            <a
-                target="_blank"
-                href="https://github.com/goauthentik/authentik/releases/tag/version%2F${this.event
-                    .context.new_version}"
-            >
-                ${this.event.context.new_version}
-            </a>`;
-        // Action types which typically don't record any extra context.
-        // If context is not empty, we fall to the default response.
+            <div class="pf-c-card__body">
+                <a target="_blank" href=${url}> ${this.event.context.new_version} </a>
+            </div>`;
    }

    renderLogin() {
--- a/web/src/elements/Interface/Interface.ts
+++ b/web/src/elements/Interface/Interface.ts
@ -1,11 +1,10 @@
-import { isEmbedded } from "@goauthentik/common/global";
 import { UIConfig, uiConfig } from "@goauthentik/common/ui/config";
 import { ModalOrchestrationController } from "@goauthentik/elements/controllers/ModalOrchestrationController.js";
 import { ensureCSSStyleSheet } from "@goauthentik/elements/utils/ensureCSSStyleSheet";

 import { state } from "lit/decorators.js";

-import PFVariables from "@patternfly/patternfly/base/patternfly-variables.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";

 import type { Config, CurrentBrand, LicenseSummary } from "@goauthentik/api";
 import { UiThemeEnum } from "@goauthentik/api";
@ -44,10 +43,7 @@ export class Interface extends AKElement implements AkInterface {

    constructor() {
        super();
-        document.adoptedStyleSheets = [
-            ...document.adoptedStyleSheets,
-            ensureCSSStyleSheet(PFVariables),
-        ];
+        document.adoptedStyleSheets = [...document.adoptedStyleSheets, ensureCSSStyleSheet(PFBase)];
        this[brandContext] = new BrandContextController(this);
        this[configContext] = new ConfigContextController(this);
        this[modalController] = new ModalOrchestrationController(this);
@ -65,9 +61,7 @@ export class Interface extends AKElement implements AkInterface {
        // Instead of calling ._activateTheme() twice, we insert the root document in the call
        // since multiple calls to ._activateTheme() would not do anything after the first call
        // as the theme is already enabled.
-        if (!isEmbedded()) {
-            roots.unshift(document as unknown as DocumentOrShadowRoot);
-        }
+        roots.unshift(document as unknown as DocumentOrShadowRoot);
        super._activateTheme(theme, ...roots);
    }

--- a/Show More
+++ b/Show More